M1 - Explain The Operation Of Different Intruder Detection Systems
Firewalls
Firewalls are designed to prevent unauthorised access to a computer or network. A firewall can be implemented in hardware, in software, or as a combination of both. It monitors the data packets entering and leaving the network it protects and enforces the organisation's network security policy: packets that do not meet the configured security criteria are dropped. Most organisations use firewalls to separate their internal network from the Internet.
There are a few different types of firewall, these are:
- Packet Filtering Firewall
- Stateful Inspection Packet Filtering Firewall
- Proxy Firewall
Packet Filtering Firewalls
Packet filtering was the first type of firewall to be created. A packet filtering firewall controls what data can flow into and out of a network by accepting or rejecting each packet against a set of user-defined rules, known as access control lists (ACLs). An ACL is an ordered list of rule lines that the firewall applies to every packet it receives; each line states which packets are permitted and which must be denied, based on header fields such as source and destination IP address, protocol and port number. Rules are evaluated in order, the first matching rule wins, and a packet that matches no rule is normally denied. The main advantage of a packet filtering firewall is flexibility: the rules are easy to customise and work with many different protocols and applications. Packet filters are also application-independent and fast, because they do not inspect the packet payload and perform no extensive processing on each packet. There are, however, disadvantages. Because only a small number of header fields are used in each access control decision, a packet filter is easily misconfigured into permitting traffic it should not; it has no memory of earlier packets, so it cannot tell whether an inbound packet genuinely belongs to an existing connection; and it cannot prevent attacks that exploit application-specific vulnerabilities, since it never looks at the application data.
Stateful Firewalls
Stateful inspection packet filtering tracks each connection travelling across the network. The firewall drops packets that do not belong to a known connection; only packets that are part of an established, permitted connection, or that legitimately open a new connection allowed by the rules, are let through. A stateful inspection firewall maintains a state table that records every active communication channel (typically the source and destination addresses, ports and protocol, together with the TCP connection state), so filtering decisions are based not only on user-defined rules, as in packet filtering, but also on the context established by the packets that have already passed through the firewall. This is precisely what a stateless packet filter cannot do: a forged inbound packet that claims to be a reply to an internal host is rejected unless the state table shows that the host actually opened that connection.
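The difference between the two approaches is easiest to see on concrete packets. The following is an added example, not code from the original page: a toy packet filter with a first-match ACL, and a toy stateful firewall that keeps a state table of connections opened from inside. The protected network (10.0.0.0/24), the rules, the host addresses (RFC 5737 documentation ranges) and the packets are all constructed for the illustration. It shows why a stateless ACL needs an "established" line (permit anything with ACK set) to let replies back in, and how an attacker's forged ACK packet sails through that line while the stateful firewall, which knows no such connection was opened, drops it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL = "10.0.0.0/24"   # assumption: the protected network


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter actually sees (constructed, not captured)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN flag: this packet opens a connection
    ack: bool = False   # TCP ACK flag: this packet claims to continue one


@dataclass(frozen=True)
class Rule:
    """One ACL line. 'established' is the classic stateless trick of matching
    any packet with ACK set, on the assumption that only replies carry it."""
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


def stateless_filter(acl: List[Rule], p: Packet) -> str:
    """Packet filtering: first matching ACL line wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a state table of connections opened from inside.
    Inbound packets belonging to a tracked connection are permitted by state;
    inbound packets that merely claim to continue a connection are dropped;
    only genuine new inbound connections are checked against the ACL."""

    def __init__(self, inbound_acl: List[Rule]):
        self.acl = inbound_acl
        self.state: Set[Tuple[str, int, str, int, str]] = set()

    def outbound(self, p: Packet) -> str:
        # Policy assumption: internal hosts may initiate connections; record the flow.
        if ip_address(p.src) not in ip_network(INTERNAL):
            return "deny"
        self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "permit"

    def inbound(self, p: Packet) -> str:
        # Reverse 5-tuple of a tracked outbound flow: a reply, allowed by state alone.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "permit"
        # ACK without SYN and no state entry: pretends to be mid-connection, so bogus.
        if p.proto == "tcp" and p.ack and not p.syn:
            return "deny"
        return stateless_filter(self.acl, p)


# Constructed inbound ACL: expose one web server, and let replies to outbound
# connections back in. The 'established' line is the only way a stateless filter
# can do the latter, and it is exactly the hole the stateful firewall closes.
WEB_RULE = Rule("permit", proto="tcp", dst="10.0.0.5/32", dport=443)
ESTABLISHED_RULE = Rule("permit", proto="tcp", dst=INTERNAL, established=True)
STATELESS_ACL = [WEB_RULE, ESTABLISHED_RULE]
STATEFUL_ACL = [WEB_RULE]          # no 'established' hack needed; the state table replaces it

# Constructed traffic (RFC 5737 documentation addresses, not real hosts).
OUTBOUND_HTTP = Packet("10.0.0.7", "203.0.113.10", 51000, 80, syn=True)
HTTP_REPLY = Packet("203.0.113.10", "10.0.0.7", 80, 51000, syn=True, ack=True)
WEB_SYN = Packet("198.51.100.9", "10.0.0.5", 40001, 443, syn=True)
ACK_PROBE = Packet("198.51.100.9", "10.0.0.7", 40000, 22, ack=True)  # forged "reply" aimed at SSH


def compare() -> dict:
    """Run the same inbound packets through both firewalls and return the decisions."""
    fw = StatefulFirewall(STATEFUL_ACL)
    fw.outbound(OUTBOUND_HTTP)      # an internal host opens an HTTP connection first
    results = {}
    for name, pkt in (("reply", HTTP_REPLY), ("web", WEB_SYN), ("probe", ACK_PROBE)):
        results[name] = {
            "stateless": stateless_filter(STATELESS_ACL, pkt),
            "stateful": fw.inbound(pkt),
        }
    return results


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:6} stateless={decision['stateless']:6} stateful={decision['stateful']}")
```

Both firewalls permit the genuine HTTP reply and the new connection to the published web server. The forged ACK probe against port 22 is permitted by the stateless ACL, because the 'established' line can only look at the ACK flag, and denied by the stateful firewall, because its state table has no record of 10.0.0.7 ever talking to 198.51.100.9.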
Proxy Firewalls
Proxy firewalls are very secure, but this comes at the expense of speed and functionality. Unlike other types of firewall, a proxy does not pass the original data packets through at all; it terminates the client's connection, examines the request, and opens a new connection of its own to the destination on the client's behalf. Because there is never a direct connection between the two sides, internal addresses and the layout of the protected network are hidden from an outside attacker. When the proxy firewall receives a request it first inspects it for suspicious content before allowing any data to reach the protected network. The advantages of proxy firewalls are that they inspect traffic all the way up to the application layer, so they can apply protocol-specific checks that a packet filter cannot, and that they break the connection between trusted and untrusted systems. The disadvantages are that a proxy firewall only supports the applications it has a proxy for, that it generally degrades traffic performance and slows the network down, and that breaking the end-to-end connection can interfere with application functionality.
Honeypots
A honeypot is a decoy server set up in the screened subnet or demilitarised zone (DMZ) in an attempt to lure attackers to it. This server is kept separate from the organisation's real servers and holds only dummy information, so that an attacker is tricked into thinking they have found the organisation's actual server. To make the honeypot attractive the organisation leaves open some ports that are commonly attacked, with decoy services that present realistic banners and responses. To make it more convincing the server also runs some security controls; these are weak enough to be bypassed but reassure the attacker that they have found a genuine, protected system. Because the honeypot is expected to be compromised, it must be isolated from the production network so that it cannot be used as a stepping stone onto real systems.
While the attacker is trying to gain access to the dummy server, the organisation can monitor everything the attacker does: which ports they probe, which credentials they try and what tools they upload. This intelligence is used to prevent future attacks on the real servers and to improve overall security. Some administrators also use the detailed logs to try to identify the attacker and notify the police; 'attacking back' is sometimes suggested, but it is unlawful in most jurisdictions and is not a sound response.
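The following is an added example of the mechanism described above, not code from the original page: a minimal low-interaction TCP honeypot. It listens on a port, greets every connection with a plausible service banner, records who connected and what they sent first, and closes without ever acting on the input. The SSH-style banner, the loopback address and the probe string sent by the built-in demo are constructed for the illustration; a real deployment would listen on the commonly attacked ports the text mentions, ship its log off the box, and sit on an isolated network segment.

```python
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List

# Assumption: the decoy pretends to be an SSH server. Any plausible banner works;
# the point is to look like a service worth attacking.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class Honeypot:
    """Low-interaction TCP honeypot: accept, send a banner, record the first bytes,
    close. It never parses or executes anything the client sends."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, banner: bytes = FAKE_BANNER):
        self.banner = banner
        self.events: List[Dict] = []            # in-memory log; ship off-box in practice
        self._got_event = threading.Condition()
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))            # port 0 = let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)               # so the accept loop can notice stop()
        self.host, self.port = self.sock.getsockname()[:2]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "Honeypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        payload = b""
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)       # the lure: look like a real service
                payload = conn.recv(1024)       # capture what the attacker sends first
            except OSError:
                pass                            # attacker hung up or timed out: still log it
        self._record(addr, payload)

    def _record(self, addr, payload: bytes) -> None:
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src": addr[0],
            "sport": addr[1],
            "dport": self.port,
            "payload": payload[:256],
        }
        with self._got_event:
            self.events.append(event)
            self._got_event.notify_all()

    def wait_for_events(self, n: int, timeout: float = 5.0) -> List[Dict]:
        """Block until at least n events are logged (or timeout) and return a copy."""
        with self._got_event:
            self._got_event.wait_for(lambda: len(self.events) >= n, timeout=timeout)
            return list(self.events)


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Play the attacker: connect, read the banner, send a client identification string."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def demo() -> Dict:
    """Start a honeypot on a free loopback port, hit it once, return what it saw."""
    hp = Honeypot().start()
    try:
        banner = probe(hp.host, hp.port, b"SSH-2.0-probe\r\n")   # constructed probe
        events = hp.wait_for_events(1)
    finally:
        hp.stop()
    return {"banner": banner, "events": events}


if __name__ == "__main__":
    result = demo()
    print("client saw banner:", result["banner"])
    for e in result["events"]:
        print(f"{e['time']} {e['src']}:{e['sport']} -> :{e['dport']} sent {e['payload']!r}")
```

The handler deliberately does nothing with the received bytes except store them. That is the safe design for a decoy: every byte an attacker sends is intelligence, and none of it should ever be interpreted by the honeypot itself.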
Intrusion Detection System (IDS)
Intrusion detection systems are used to detect unauthorised entries and alert an administrator so that they can respond. An IDS inspects network traffic and/or host activity and identifies suspicious patterns that may indicate an attack on the network or on a system by someone attempting to compromise it.
Network Based IDS (NIDS) & Host Based IDS (HIDS)
Network based systems analyse the packets flowing through the network, usually from a monitoring point such as a mirrored switch port or a network tap, and look for malicious traffic that the firewall has allowed through because it matched a permitted rule. Host based systems instead run on each individual system or host and watch its own activity: log files, process behaviour, file integrity and user logins.
Passive & Reactive IDS
A passive intrusion detection system looks out for potential security threats, logs all of this information and signals alerts to the network administrator so that they can respond accordingly. A reactive IDS (often called an intrusion prevention system, IPS) responds to suspicious events itself, for example by terminating the session or logging off the user under attack, or by reprogramming the firewall to block all traffic from the offending source so that it can have no further contact with the network. Automatic blocking should be reserved for high-confidence detections, because a false alarm then cuts off a legitimate user.
Knowledge Based IDS
The majority of intrusion detection systems in widespread use are knowledge based (also called signature based). A knowledge based IDS applies accumulated knowledge about specific attacks and system vulnerabilities: because it knows what a given attack looks like, it watches for attempts to exploit the corresponding vulnerability and, if an attempt is made, raises an alarm and notifies the network administrator. An advantage of this type of IDS is its low false alarm rate, so when the administrator is notified they know they need to respond straight away. The disadvantages are that it can only detect attacks it already has knowledge of, so a new or modified attack passes unnoticed, and that the attack knowledge base must be kept constantly up to date, which takes a large amount of time and effort.
Behaviour Based IDS
This type of IDS (also called anomaly based) assumes that an intrusion can be detected by monitoring unexpected activity and behaviour on the system. It first builds a baseline of normal behaviour, then compares current activity against that baseline and raises an alarm if a significant deviation is found. The advantages of this type of IDS are that it can detect attempts to exploit vulnerabilities, including previously unknown ones, that it can contribute to the discovery of new attacks, and that it helps detect 'abuse of privilege' attacks, where a legitimate account behaves in an unusual way. Its main disadvantage is a high false alarm rate, because legitimate but unusual activity is flagged as well.
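The three IDS distinctions above (passive versus reactive, knowledge based versus behaviour based) can be shown side by side on the same traffic. The following is an added example, not code from the original page: a small detector run over constructed web server access log lines. The signature list, the baseline threshold (mean plus three standard deviations of requests per source), the log format and every address in the sample lines are assumptions made for the illustration, not a real product's rule set or real traffic. The knowledge based part catches a path traversal and an SQL injection attempt and, being high confidence, triggers the reactive response (a blocklist entry standing in for a firewall rule); the behaviour based part catches a scanner that matches no signature but also raises a false alarm on a busy, legitimate crawler, which is why it is left passive.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Web server "common log format"; the constructed lines below follow it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Knowledge base: a few illustrative attack signatures (assumptions, not a real rule set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "shellshock": re.compile(r"\(\)\s*\{"),
}


def parse(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def signature_alerts(events: List[Dict]) -> List[Dict]:
    """Knowledge based: match each request against known attack patterns."""
    alerts = []
    for ev in events:
        decoded = unquote(ev["path"])           # attackers URL-encode to dodge naive matching
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                alerts.append({"kind": "signature", "rule": name, "src": ev["src"], "path": ev["path"]})
    return alerts


def baseline_profile(events: List[Dict]) -> Tuple[float, float]:
    """Behaviour based, step 1: learn normal requests-per-source from clean traffic."""
    counts = list(Counter(ev["src"] for ev in events).values())
    return statistics.fmean(counts), statistics.pstdev(counts)


def anomaly_alerts(events: List[Dict], mean: float, sd: float, k: float = 3.0) -> List[Dict]:
    """Behaviour based, step 2: flag sources whose activity deviates from the baseline."""
    threshold = mean + k * sd
    counts = Counter(ev["src"] for ev in events)
    return [{"kind": "anomaly", "src": src, "count": n, "threshold": round(threshold, 1)}
            for src, n in sorted(counts.items()) if n > threshold]


class Responder:
    """Passive part: every alert is logged for the administrator.
    Reactive part: only high-confidence (signature) alerts push a block rule,
    because acting on anomaly alerts would block legitimate users too."""

    def __init__(self):
        self.alert_log: List[Dict] = []
        self.blocklist = set()                  # stands in for firewall deny rules

    def handle(self, alert: Dict) -> None:
        self.alert_log.append(alert)
        if alert["kind"] == "signature":
            self.blocklist.add(alert["src"])


def _lines(src: str, paths: List[str], status: int = 200) -> List[str]:
    return [f'{src} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {p} HTTP/1.1" {status} 512'
            for i, p in enumerate(paths)]


NORMAL = ["/", "/about", "/products", "/contact", "/login", "/blog"]
# Constructed baseline: six ordinary visitors making 3-6 requests each.
BASELINE_LOG = [l for i, n in enumerate([4, 5, 3, 6, 4, 5]) for l in _lines(f"192.0.2.{i + 1}", NORMAL[:n])]
# Constructed observation window (RFC 5737 addresses, not real hosts).
OBSERVED_LOG = (
    _lines("192.0.2.7", NORMAL[:4])                                               # ordinary visitor
    + _lines("198.51.100.9", ["/download?file=../../etc/passwd",
                              "/login?user=admin'%20OR%201=1--"], status=403)     # known attacks
    + _lines("203.0.113.44", [f"/backup{i}.zip" for i in range(20)], status=404)  # novel scan
    + _lines("192.0.2.50", [f"/blog/{i}" for i in range(12)])                     # busy but legitimate crawler
)


def run_demo() -> Dict:
    baseline = [ev for ev in map(parse, BASELINE_LOG) if ev]
    observed = [ev for ev in map(parse, OBSERVED_LOG) if ev]
    mean, sd = baseline_profile(baseline)
    responder = Responder()
    for alert in signature_alerts(observed) + anomaly_alerts(observed, mean, sd):
        responder.handle(alert)
    return {
        "signature_sources": sorted({a["src"] for a in responder.alert_log if a["kind"] == "signature"}),
        "anomaly_sources": sorted(a["src"] for a in responder.alert_log if a["kind"] == "anomaly"),
        "blocklist": responder.blocklist,
        "alerts": responder.alert_log,
    }


if __name__ == "__main__":
    for a in run_demo()["alerts"]:
        print(a)
```

With the constructed baseline the anomaly threshold works out to about 7.4 requests per source, so the scanner (20 requests, all 404s, no signature match) and the crawler (12 legitimate requests) are both flagged, while the real attacker, who sent only two requests, is caught by signatures alone. That is the trade-off the text describes: signatures are precise but blind to anything new, anomalies see the new scan but also cry wolf.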