Network Intrusion Detection System A case study through snort
Security mechanisms
§ In general, three types
  o Prevention
    » Example: access control (e.g., firewall)
  o Detection
    » Example: auditing and intrusion detection (e.g., IDS, forensics)
  o Tolerance
    » Example: intrusion tolerance (e.g., ITS)
(Diagram: attacks → Prevention → Detection → Response (Tolerance))
IDS and Snort
§ Intrusion Detection System (IDS)
  o An IDS is software, hardware or a combination of both used to detect intruder activity.
§ Snort is an open source IDS
  o It is a multi-mode packet analysis tool
  o Sniffer (passive and active sniffer)
    » Port mirror sniffer, GW sniffer
  o Packet logger
  o Data analysis tool
  o Network Intrusion Detection System
Sniffing and Sniffer
Sniffing § Sniffing is a electronic form of eavesdropping on the communications that computers transmit across networks. § Sniffers (a powerful piece of software) place the hosting system’s network card into promiscuous mode to receive all the data it can see, not just packets addressed to it. § Sniffer peels away the layers of encapsulation and decoded the relevant information in the packet. § What protocols are vulnerable to sniffing? 5
Active vs. Passive Sniffing
§ Passive sniffing is performed on a hub
  o All traffic is sent to all ports.
  o The attacker (without injecting packets) just waits for someone on the same collision domain to start sending or receiving data.
§ Active sniffing is performed on a switched network
  o Relies on injecting packets (probes) into the network that cause traffic.
  o It is required to bypass the segmentation that switches provide.
Collision vs. Broadcast Domains
§ Collision domain
  o A logical area of the network in which one or more data packets can collide with each other.
  o Found in hubs or other shared-medium networks, e.g. wireless networks such as Wi-Fi.
  o Modern wired networks use a switch to eliminate collisions.
§ Broadcast domain
  o A logical division of a network in which all nodes can reach each other by broadcast at the data link layer.
  o A broadcast domain can be within the same LAN segment or it can be bridged to other LAN segments.
Protecting Against Sniffing
§ To protect wired/wireless users from sniffing, use encrypted sessions wherever possible:
  o SSL for e-mail connections
  o SSH instead of Telnet
  o SCP instead of FTP
§ To protect a network from being discovered with sniffing tools:
  o turn off any network identification broadcasts if possible
  o close down the network to any unauthorized users
Category of IDS
Category of IDS (by functionality)
§ Network Intrusion Detection System (NIDS)
  o Listens to & analyses traffic in a network
  o Captures data packets
  o Compares them with a database of signatures (signature-based)
  o Operates in promiscuous mode
§ Host-based Intrusion Detection System (HIDS)
  o Installed as an agent on a host
  o Listens to & analyses system logs
Type of IDS (by detection)
§ Signature-based IDS
  o Captures and monitors packets in a network
  o Compares them with pre-configured and pre-determined attack patterns (signatures)
§ Anomaly-based IDS
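To make the signature-matching step of the NIDS and signature-based IDS slides concrete, here is an added toy example (not from the slides and not Snort's own code) that parses a small subset of the real Snort rule syntax and runs two constructed rules for the cleartext protocols named on the "Protecting Against Sniffing" slide over constructed packets; all addresses, ports, payloads and sids are made up.

```python
import re
from collections import namedtuple
# Added toy matcher for a subset of the Snort rule language (not Snort's own parser):
#   action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N; ...)
# CIDR blocks, port ranges, negation and most other rule options are left out.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')
Packet = namedtuple("Packet", "proto src sport dst dport payload")  # decoded headers + payload

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    rule["opts"] = {k: v.strip('"') for k, v in OPT_RE.findall(rule["opts"])}
    return rule

def _field_ok(pattern, value):
    return pattern == "any" or pattern == str(value)  # 'any' is the header wildcard

def rule_matches(rule, pkt):
    if rule["proto"] != pkt.proto:
        return False
    if not (_field_ok(rule["src"], pkt.src) and _field_ok(rule["sport"], pkt.sport)
            and _field_ok(rule["dst"], pkt.dst) and _field_ok(rule["dport"], pkt.dport)):
        return False
    content = rule["opts"].get("content")  # signature bytes, if the rule carries any
    return content is None or content.encode() in pkt.payload

def run_signatures(rule_texts, packets):
    """Return (sid, msg) for every alert rule fired, in packet order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(r["opts"]["sid"], r["opts"]["msg"]) for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]

# Constructed sample: signatures for cleartext protocols, run over four made-up decoded packets.
SAMPLE_RULES = [
    'alert tcp any 23 -> any any (msg:"Cleartext Telnet login prompt"; content:"login:"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"Cleartext FTP USER command"; content:"USER "; sid:1000002; rev:1;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.9", 23, "10.0.0.5", 40000, b"\r\nlogin: "),            # fires sid 1000001
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.9", 21, b"USER alice\r\n"),           # fires sid 1000002
    Packet("tcp", "10.0.0.5", 40002, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),  # encrypted SSH: silent
    Packet("udp", "10.0.0.5", 40003, "10.0.0.9", 21, b"USER alice\r\n"),           # wrong protocol: silent
]
```

Calling `run_signatures(SAMPLE_RULES, SAMPLE_PACKETS)` fires exactly the two cleartext rules; the SSH packet shows why the slides recommend encrypted sessions, since a content signature has nothing to match against.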
  • Fall '15