Concepts of Network Security and Intrusion Detection

1
Concepts of Network Security and Intrusion
Detection

• Jianhua Yang
• Department of Math Computer Science
• University of Maryland Eastern Shore

2
Goals

• Network Security
• Intrusion Detection

3
3.1 What is Network Security?

• Security is a continuous process of protecting an
  object from attack.
• Object
• A person
• Organization, or
• A computer system or a file.

4
Computer System

• Its security involves all its resources
• Physical resources
• Reader, printers, CPU, monitor, memories,.
• Non-physical resources
• Data
• File information

5
Distributed computer system

• The protection covers
• Communication channels
• Network connectors
• Modems, bridges, switches, routers, servers
• Network file system

6
In General, security

• Means preventing unauthorized access, use,
  alteration, and theft or physical damage to the
  resources
• Involves three elements
• Confidentiality
• Integrity
• Availability

To prevent unauthorized disclosure of information
to third parties.
To prevent unauthorized modification of resources
and maintain the status
To prevent unauthorized withholding of system
resources from those who need them when they need
them
7
Some basic concepts and methods
Is the process of trying to stop intruders from
gaining access to the resources of the system

• Prevention
• Detection
• Response
• Firewalls
• Passwords

Occurs when the intruder has succeeded or is in
the process of gaining access of the system
Is an aftereffect mechanism that tries to respond
to the failure of prevention and detection
A firewall is hardware or software used to
isolate the sensitive portions of an information
system facility from the outside world and limit
the potential damage that can be done by a
malicious intruder.
A password is a string of usually six to eight
characters, with restrictions on length and start
character, to verify a user to an information
system facility, usually a computer system.
8
Security Services

• The prevention of unauthorized access to system
  resources is achieved through a number of
  security services.
• They include
• Access control
• Authentication
• Confidentiality
• Integrity
• Non-repudiation

9
Access control

• Hardware access control systems
• Access terminal
• Visual event monitoring
• Identification cards
• Biometric identification
• Video surveillance
• Software access control systems
• Point of access monitoring
• Remote monitoring

10
Authentication

• It is a service to identify a user, especially a
  remote user.
• It is a process whereby the system gathers and
  builds up information about the user to ensure
  the user is genuine.
• It is based on
• Username and password
• Retinal images
• face images
• Fingerprints
• Physical location
• Identity cards
• Typing mode

11
Authentication Techniques
It is a key management scheme that authenticates
unknown principals who want to communicate with
each other.

• Kerberos
• IPSec
• SSL (secure sockets layer)
• S/Key
• ANSI X9.9
• ISO 8730
• Indirect OTP (one time password)

It provides the capability to ensure security of
data in a communication network. It makes all the
Internet applications including client/server,
e-mail, file transfer, and web access secure.
It ends up with a secret key that both the client
and server use for sending encrypted messages.
It is a one-time password scheme based on a
one-way hash function.
It is a U.S. banking standard for authentication
of financial transaction.
12
Confidentiality

• It is a service to protect system data and
  information from unauthorized disclosure.
• Encryption protects the communication channel
  from sniffers.

Sniffers are programs written for and installed
on the communication channels to eavesdrop on
network traffic, examining all traffic on
selected network segments.
13
Integrity

• It is a service to protect data against active
  threats such as those that may alter it.
• Hashing algorithms

14
Non-repudiation

• It is a security service that provides proof of
  origin and delivery of service and/or
  information.
• Digital signature

15
Security Standards

• Security organizations
• Security standards

16
Security Organizations

• IETF Internet Engineering Task Force
• IEEE Institute of Electronic and Electric
  Engineer
• ISO International Standards Organization
• ITU International Telecommunications Union
• ECBS European Committee for Banking standards
• ECMA European Computer Manufacturers Association
• NIST National Institute of Standards and
  Technology
• W3C World Wide Web Consortium
• RSA Rivest, Shamir and Adleman

17
Security Standards-Organizations

• IETF IPSec, XML-Signature, Kerberos, S/MIME
• ISO OSI
• ITU X.2xx, X.5xx, X.7xx, X.80xx
• ECBS TR-40x
• ECMA ECMA-13x, ECMA-20x
• NIST X3, X9.xx Financial, X12.xx Electronic Data
  Exchange
• IEEE IEEE802.xx
• RSA Public Key Cryptographic Standard
• W3C XML Encryption, XML Signature, XKMS
  (exXensible Key Management Specification)

18
Security Standards -Services

• Internet security
• Digital signature and encryption
• Login and authentication
• Firewall and system security

19
Internet Security

• Network authentication
• Kerberos
• Secure TCP/IP communications over the Internet
• IPSec
• Privacy-enhanced electronic mail
• S/MIME, PGP
• Public key cryptography
• 3-DES, DSA, RSA, MD-5, SHA-1, PKCS
• Secure hypertext transfer protocol
• S-HTTP
• Security protocol for privacy on
  Internet/transport security
• SSL, TLS, SET

20
Digital Signature and Encryption

• Advanced Encryption Standards
• X509, DES, AES, DSS/DSA, SHA/SHS
• Digital certificates/XML digital signatures
• XMLDSIG, XMLENC, XKMS

21
Login and Authentication

• Authentication of users right to use system or
  network resources
• SAML
• Liberty Alliance
• FIPS 112

22
Firewall and system security

• Security of local, wide and metropolitan area
  networks
• Secure Data Exchange (SDE) for IEEE 802
• ISO/IEC 10164

23
3.2 Intrusion Detection and Prevention

• Definition of ID
• Intrusion Detection Systems (IDS)
• Types of IDS
• Response to System Intrusion
• Challenges to IDS
• Intrusion Prevention Systems (IPS)
• Intrusion Detection Tools

24
Definitions

• Intrusion Detection
• It is a technique of detecting unauthorized
  access to a computer system or a computer
  network.
• Intrusion Prevention
• It is the art of preventing an unauthorized
  access of a systems resources.

25
The Types of Intrusion

• Attempted break-ins
• Masquerade attacks
• Penetrations
• Denial of service
• Malicious use

26
System Intrusion Process

• Reconnaissance
• Information collection and weak points analysis
• Physical Intrusion
• Attack
• Denial of service (DoS) the intruder attempts to
  crash a service, overload network links, overload
  CPU, or fill up the disk.
• Common DoS
• Ping-of-Death
• SYN Flooding
• Land/Latierra
• WinNuke

27
Land/Latierra, WinNuke

• Land/Latierra
• Sends forged SYN packet with identical
  source/destination address/port so that the
  system goes into an infinite loop trying to
  complete the TCP connection.
• WinNuke
• Sends and URG data on a TCP connection to port
  139 (for NetBIOS session), which causes the
  Windows system to hang.

28
Intrusion Detection Systems

• What is an IDSs?
• An IDSs is a system used to detect unauthorized
  intrusions into computer systems and networks.

29
Three Models

• Anomaly-based detection
• Signature-based detection
• Hybrid detection

30
Anomaly detection

• Creating norms of activities
• Collecting current activity
• Comparing the current one with norm one
• Based on the comparison result to determine if
  there is an Intrusion

31
Problems

• Not efficient
• Easy to introduce false positive error

32
Misuse detection

• Signature-based detection
• Each intrusive activity is represented by a
  unique pattern or a signature
• New activity can be compared with existing pattern

33
Problems

• Cannot detect unknown attacks
• Easy to introduce false negative errors

34
Types of IDSs

• Network-based IDS (NIDSs)
• Host-based IDS (HIDS)

35
NIDSs

• They take the whole network as the monitoring
  scope
• They monitor the traffic on the network to detect
  intrusions
• They are mainly for outside attackers

36
Components of a NIDS

• Network sensor
• Analyzer
• Alert notifier
• Response system

37
Advantages of NIDSs

• The ability to detect attacks that a HIDS would
  miss because NIDS monitor network at a transport
  layer.
• Difficulty to remove evidence.
• Real-time detection and response.
• Ability to detect unsuccessful attacks and
  malicious intent.

38
Disadvantages

• Blind spots
• Encrypted data

39
HIDSs

• Detect intrusions based on the information of a
  single target computer
• The information includes system, event, and
  security logs on Windows and syslog in Unix
  environments
• Focus on inside attacks

40
Advantages

• Ability to verify success or failure of an attack
  quickly
• Efficiency
• Near real-time detection and response
• Ability to deal with encrypted environments

41
Disadvantages

• Limited view of the network
• It is not possible for large deployment

42
Stepping-stone intrusion
43
Intrusion Detection Tools

• Realsecure v3.0 (ISS)
• Net Perver 3.1 (Axent Technologies)
• Net Ranger v2.2 (CISCO)
• FlightRemohe v2.2 (NFR Network)
• Sessi-Wall-3 v4.0 (Computer Associates)
• Kane Security Monitor (Security Dynamics)

44
Summary

• Concepts of Network Security
• Basics of IDSs