CISSP CBK 2 Access Control

About This Presentation

Title:

CISSP CBK 2 Access Control

Description:

CISSP CBK #2 Access Control Access Control This Chapter presents the following material Identification Methods and technologies Authentication Methods DAC, MAC and ... – PowerPoint PPT presentation

Number of Views:1230

Avg rating:3.0/5.0

Slides: 132

Provided by: paladingr

Category:

more less

Transcript and Presenter's Notes

Title: CISSP CBK 2 Access Control

1
CISSP CBK 2 Access Control
2
Access Control

This Chapter presents the following material
Identification Methods and technologies
Authentication Methods
DAC, MAC and role based (non-DAC) models
Accountability, monitoring, and auditing
Unauthorized Disclosure of Information
Intrusion Detection Systems
Threats to access control practices and
technologies

3
Access Controls

Access controls are security features that
control how people can interact with systems, and
resources.
Goal is to protect from un-authorized access.

4
Access

Access is the data flow between an subject.
Subject is a person, process or program
Object is a resource (file, printer etc)

5
Access Control (157)

Access control should support the CIA triad!
Lets quickly go over the CIA triad again

6
Components of Access Control (158)

Quick overview details on each coming up
Identification who am I? (userid etc)
Authentication prove that I am who I say I
Authorization now what am I allowed to access
Auditing Big Brother can see what I accessed.

7
CISSP BUZZWORD

Logical (technical) access controls are used for
these 4 items.
Things like smart cards and biometrics, and
passwords, and audit system, and SELinux these
are all examples of logical

8
Identification (159 162)

Identifies a user uniquely (hopefully)
SSN, UID, SID, Username
Should Uniquely identify a user for
accountability (dont share)
Standard naming scheme should be used
Identifier should not indicate extra information
about user (like position)
DO NOT SHARE (NO group accounts)

9
Authentication (160)

Proving who you say you are, usually one of these
3
Something you know (password)
Something you have (smart card)
Something you are (biometrics)
What is wrong with just using one of these
methods?

10
Strong Authentication (161)

Strong Authentication is the combination of 2 or
more of these (also called multi-factor
authentication) and is encouraged!
Strong Authentication provides a higher level of
assurance

11
Authorization

What does this mean?
What are some type of authorization mechanism?
(ACLs, permissions)
We will go more indepth on this later
Authorization is a preventative control (we
will talk about controls later)

12
Auditing

What is the purpose of auditing?
Auditing is a detective control (we will talk
about this later)

13
Recap

Identification what is it?
Authentication how is this different from
identification
Authorization what does this mean?
Auditing whats the point?

14
Identity Management (162)

Identity management products are used to id,
authenticate and authorize users in an automated
means. Its a broad term.
These products may (or may not) include
User account management
Access controls
Password management
Single Sign on
Permissions

15
ID Management and the CISSP (164)

Know for the exam that ID management solutions
include
Directories
Web Access Management
Password Management
Single Sign On
Account Management
Profile update

16
Profiles updates

What is a profile (not a windows profile)
A profiles is the collection of data about a
Email
Home address
Phone
Start date
Certifications
etc

17
Profile updates (117)

IdM systems may have centralized tools to manage
profiles, may have self service portals where
users can update their own info.
Profiles are similar to digital Identity

18
Directories (165)

Information about the users and resources
LDAP (based on X.500)
Key concept is namespaces (like branches of a
tree) and DN (distinguished names) Can anyone
explain namespaces and DNs?
DNCN and multiple DCs can include OUs
Active Directory (an implementation of LDAP)
Legacy NT (flat directory structure)
Novell Netware (???)

19
Directories Role in ID management

Specialized database optimized for reading and
searching operations
Important because all resource info, users
attributes, authorization info, roles, policies
etc can be stored in this single place.
Directories allow for centralized management!
However these can be broken up and delegated.
(trees in a forest)

20
Meta and Virtual Directories (167)

Meta-directories allow for a centralized
directory if users information is in multiple
different directories (meta-directories
synchronizes its data against the other
databases)
Like meta-dirs, but instead of storing data, just
provide links or pointers to the data in the
alternate directory
Advantages and Disadvantages?

21
Web Access management (168)

Uses a webserver(s) to deliver resources
Users authentications against the web server
using whatever Auth scheme implemented
If authenticated requests and object
Web server verifies authorization
If so web server returns objects
Mainly used for external users/access
Very Web 2.0, you probably see a lot of this now
a days.

22
Password Management (171)

Allows for users to change their passwords,
May allow users to retrieve/reset password
automatically using special information
(challenge questions) or processes
Helpdesk assisted resets/retrievals (same as
above, but helpdesk people might ask questions
instead of automated)
May handle password synchronization

23
Single Sign On

Log in one time, and access resources many places
Not the same as password synchronization
SSO software handles the authorization to
multiple systems
What is a security problems with this?
What are advantages?

24
Account Management Software

Idea is to centrally manage user accounts rather
than to manually create/update them on multiple
systems
Often include workflow processes that allow
distributed authorization. I.e.. A manager can
put in a user request or authorize a request,
tickets might be generated for a Key card system
for their locations, Permissions might be created
for their specific needs etc.
Automates processes
Can includes records keeping/auditing functions
Can ensure all accesses/accounts are cleaned up
with users leave.

25
Federation (I hate this word) (178)

A Federation is multiple computing and/or network
providers agreeing upon standards of operation in
a collective fashion. (self governing entities
that agree on common grounds to easy access
between them)
A federated Identity is an identity and
entitlements that can be used across business
boundaries. (MS passport, Google checkout)

26
Identity Management Overview

Idea is to manage, identify and authorize users
in an automated fashion
Know for the exam that ID management solutions
include
Directories
Web Access Management
Password Management
Single Sign On
Account Management
Profile update

27
Who needs ID management (178)

Really everyone! (at least anyone that you will
probably deal with)
See table on Page 178

28
Break?
29
Biometrics (179)

Bio life, metrics - measure
Biometrics verifies (authenticates) an
individuals identity by analyzing unique personal
attribute (something they ARE)
Require enrollment before being used (what is
enrollment? Any ideas)
EXPENSIVE
COMPLEX

30
Biometrics (179)

Can be based on
behavior (signature dynamics) might change over
time
Physical attribute (fingerprints, iris, retina
scans)
We will talk about the different types of
biometrics later
Can give incorrect results
False negative Type 1 error (annoying)
False positive Type 2 error (very bad)

31
CER (179)

Crossover Error Rate (CER) is an important
metric that is stated as a percentage that
represents the point at which the false rejection
rate equals the false positive rate.
Lower number CER is better/more accurate. (3 is
better than an 4)
Also called Equal Error Rate
Use CER to compare vendors products objectively

32
Biometrics (180)

Systems can be calibrated, for example of you
adjust the sensitivity to decrease fall
positives, you probably will INCREASE false
negatives, this is where the CER come in.
Draw diagram on board
Some areas (like military) are more concerned
with one error than the other (ex. Would rather
deny a valid user than accept an invalid user)
Can you think of any situations for each case?

33
Biometric problems?

Expensive
Unwieldy
Intrusive
Can be slow (should not take more than 5-10
seconds)
Complex (enrollment)

34
Biometric Types Overview (182)

We will talk in more depth of each in the next
couple slides
Fingerprint
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Keyboard Dynamics
Voice Print
Facial Scan
Hand Topography

35
Fingerprint (182)

Measures ridge endings an bifurcations (changes
in the qualitative or topological structure) and
other details called minutiae
Full fingerprint is stored, the scanners just
compute specific features and values and sends
those for verification against the real
fingerprint.

36
Palm Scan

Creases, ridges, grooves
Can include fingerprints

37
Hand Geometry

Overall shape of hand
Length and width of fingers
This is significantly different between
individuals

38
Retina Scan

Reads blood vessel patterns on the back of the
eye.
Patterns are extremely unique

39
Iris Scan

Measures colors
Measures rifts
Measures rings
Measures furrow (wrinkle, rut or groove)
Most accurate of all biometric systems
IRIS remains constant through adulthood
Place scanner so sun does NOT shine through
aperture

40
Signature Dynamics

Most people sign in the same manner (really???)
Monitor the motions and the pressure while moving
(as opposed to a static signature)
Type I (what is type I again?) error high
Type II (what is type II again?) error low

41
Keyboard dynamics

Measure the speeds and motions as you type,
including timed difference between characters
typed. For a given phrase
This is more effective than a password believe it
or not, as it is hard to repeats someone's typing
style, where as its easy to get someone's
password.

42
Voice Print

Enrollment, you say several different phrases.
For authentication words are jumbled.
Measures speech patterns, inflection and
intonation (i.e.. pitch and tone)

43
Facial Scan

Geometric measurements of
Bone structure
Nose ridges
Eye width
Chin shape
Forehead size

44
Hand Topography

Peaks and valleys of hand along with overall
shape and curvature
This is opposed to size and width of the fingers
(hand geometry)
Camera on the side at an angle snaps a pictures
Not unique enough to stand on its own, but can
be used with hand geometry to add assurance

45
Biometrics wrap up

We covered a bunch of different biometrics
Understand some are behavioral based
Voice print
Keyboard dynamics
Can change over time
Some are physically based
Fingerprint
Iris scan

46
Biometrics wrap Up

Fingerprints are probably the most commonly used
and cheapest
Iris scanning provides the most assurance
Some methods are intrusive
Understand Type I and Type II errors
Be able to define CER, is a lower CER value
better or worse?

47
Passwords (184)

What is a password? (someone tell me because I
forgot)
Works on what you KNOW
Simplest form of authentication
Cheapest form of authentication
Oldest form of authentication
Most commonly used form of authentication
WEAKEST form of authentication

48
Problems with Passwords (184)

People write down passwords (bad)
People use weak passwords (bad)
People re-use passwords (bad)
If you make passwords to hard to remember people
often write them down
If you make them too easy they are easily cracked

49
How to make a good password

Dont use common words
Dont use names or birthdates
Use at least 8 characters
Combine numbers, symbols and case
Use a phrase and take attributes of a phrase,
transpose characters

50
Attacks on Password (185)

Sniffing (Electronic Monitoring)
Brute force attacks
Dictionary Attack
Social Engineering (what is social Engineering?)
Rainbow tables a table that contains passwords
in hash format for easy/quick comparison

51
Passwords and the OS (184)

The OS should enforce password requirements
Aging when a password expires
Reuse of old passwords
Minimum number of characters
Limit login attempts disable logins after a
certain number of failed attempts

52
System password protection

System should NOT store passwords in plaintext.
Use a hash (what is a hash?)
Can encrypt hashes
Passwords salts random values added to the
encryption/hash process to make it harder to
brute force (one password may hash/encrypt to
multiple different results)

53
Cognitive passwords (187)

Not really passwords, but facts that only a user
would know. Can be used to verify who you are
talking to without giving out password, or for
password reset challenges.
Not really secure, Im not a big fan.

54
One Time Password

Password is good only once then no longer valid
Used in high security environments
VERY secure
Not vulnerable to electronic eavesdropping, but
vulnerable to loss of token, (though must have
pin)
Require a token device to generate passwords.
(RSA SecureID key is an example)

55
One Time Password Token Type

One of 2 types
Synchronous uses time to synchronize between
token and authentication server
Clocks must be synchronized!
Can also use counter-sync which a button is
pushed that increments values on the token and
the server

56
OTP Token Types (189)

Asynchronous
Challenge response
Auth sends a challenge (a random value called a
nonce)
User enters nonce into token, along with PIN
Token encrypts nonce and returns value
Users inputs value into workstation
If server can decrypt then you are good.

57
Other Types of Authentication (190)

Digital Signature (talk about in more depth in
chapter 8).
Take a hash value of a message, encrypt hash with
your private key
Anyone with your public key can decrypt and
verify message is from you.

58
Passphrase (190)

Simply a phrase, application will probably make a
virtual password from the passphrase (etc a
hash)
Generally more secure than a password
Longer
Yet easier to remember

59
Memory Cards (191)

NOT a smart card
Holds information, does NOT process
A memory card holds authentication info, usually
youll want to pair this with a PIN WHY? You
tell me.
A credit card or ATM card is a type of memory
card, so is a key/swipe card
Usually insecure, easily copied.

60
Smart Card (193)

Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two factor authentication, as you the
card can store authentication protected by a pin.
(so you need the card, and you need to know
something)
Two type
Contact
contactless

61
Smart Card Attacks (193)

There are attacks against smart cards
Fault generation manipulate environmental
controls and measure errors in order to reverse
engineer logic etc.

62
Smart Card Attacks

Side Channel Attacks Measure the cards while
they work
Differential power analysis measure power
emissions
Electromagnetic analysis example frequencies
emitted

63
Smart Card Attacks

Micro probing - using needles to vibrations to
remove the outer protection on the cards
circuits. Then tap into ROMS if possible or die
ROMS to read data (use chemicals to stain ROMS
and determine values) (this is actually done
someone just reversed engineered the game boy
BIOS using this method)

64
OK enough authentication already
65
Authorization

Now that I am who I say I am, what can I do?
Both OSes and Applications can provide this
functionality.
Authorization can be provided based on user,
groups, roles, rules, physical location, time of
day (temporal isolation) or transaction type
(example a teller may be able to withdrawal small
amounts, but require manager for large
withdrawals)

66
Authorization principals (pg 197)

Default NO access (implicit deny)
Need to Know

67
Authorization Creep (197)

What is authorization creep? (permissions
accumulate over time even if you dont need them
anymore)
Auditing authorization can help mitigate this.
SOX requires yearly auditing.

68
Single Sign on (200)

Why is this section here? Its poorly located,
but anyway lets follow the flow of the book)

69
SSO

Idea
One identification/authentication instance for
all networks/systems/resources
Eases management
Makes things more secure (not written down
passwords hopefully)
Can focus budgets and time on securing one method
rather than many!
Makes things integrated

70
SSO downsides

Centralized point of failure
Can cause bottlenecks
All vendors have to play nicely (good luck)
Often very difficult to accomplish (golden ring
of network authentication)
One ring to bind them all! (wait...no) If you
can access once, you can access ALL!

71
SSO technologies

Kerberos (yeay!)
SESAME

72
Kerberos (201)

From MITs Athena project
Designed to eliminate transmitting passwords over
the network.
Scalable, reliable, secure, flexible
Uses Symmetric Key cryptology

73
Kerberos Components (201)

Key Distribution Center. (you CAN/SHOULD have
backups KDCs, though the exam states that this is
a central point of failure for Kerberos)
Principals (users, applications, and services)
each principal gets an account!
Tickets, generated by TGS on KDC
Important ticket is the Ticket Granting Ticket
Realm is the domain of all principals that a
Kerberos server provides tickets for.

74
Kerberos Process (202)

Go over process on page 202
Understand the different between a session key
and a secret key (pg 203)
Note Kerberos systems MUST be time synchronized

75
Kerberos Problems

Single point of failure (though this can be made
redundant)
KDC must be scalable
Secret keys are stored on the workstation, if you
can get these keys, you can break things
Same with session keys
Vulnerable to password guessing
Traffic is not encrypted if not enabled

76
SESAME

European technology, developed to extend Kerberos
and improve on its weaknesses
Sesame uses both symmetric and asymmetric
cryptography.
Uses Privileged Attribute Certificates rather
than tickets, PACS are digitally signed and
contain the subjects identity, access
capabilities for the object, access time period
and lifetime of the PAC.
PACS come from the Privileged Attribute Server.

77
SESAME procedure (205)

See page 206, note that SESAME uses
public/private keys for initial authentication.
(send an authenticator message, and a timestamp
or random number, sign this message)

78
Access Control Models (211)

A framework that dictates how subjects access
objects.
Uses access control technologies and security
mechanisms to enforce the rules
Business goals and culture of the organization
will prescribe which model it uses
Every OS has a security kernel/reference monitor
(talk about in another chapter) that enforces the
access control model.

79
Access Control Models

DAC
MAC
Roles based
Each will be discussed in upcoming slides

80
DAC

Discretionary Access Control
Owner or creator of resource specifies which
subjects have which access to a resource. Based
on the Discretion of the data owner
Common example is an ACL (what is an ACL?)
Commonly implemented in commercial products
(Windows, Linux, MacOS)

81
MAC

Mandatory Access Control
Data owners cannot grant access!
OS makes the decision based on a security label
system
Users and Data are given a clearance level
(confidential, secret, top secret etc)
Rules for access are configured by the security
officer and enforced by the OS.

82
MAC (212)

MAC is used where classification and
confidentiality is of utmost importance
military.
Generally you have to buy a specific MAC system,
DAC systems dont do MAC
SELinux
Trusted Solaris

83
MAC sensitivity labels

Again all objects in a MAC system have a security
label
Security labels can be defined the organization.
They also have categories to support need to
know _at_ a certain level.
Categories can be defined by the organization
If I have top secret clearance can I see all
projects in the secret level???

84
Role Based Access Control (214)

Also called non-discretionary.
Uses a set of controls to determine how subjects
and objects interact.
Allows you to be assigned a role, and your roles
dictates your access to a resources, rather than
your direct user.
This scales better than DAC methods
You dont have to continually change ACLs or
permissions per user, nor do you have to remember
what perms to set on a new user, just make them a
certain role
You can simulate this with groups in Windows
and Linux, especially with LDAP/AD.

85
Role based Access control

When to use
If you need centralized access
If you DONT need MAC )
If you have high turnover

86
Software and Hardware Guards

Allow the exchange of data between trusted and
less trusted systems. We will talk about this in
another chapter, lets not worry about it now.

87
Access Control technologies that support access
control models (217)

We will talk more in depth of each in the next
few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependant Access Control
Context-Dependant Access Control

88
Rule Based Access Control (217)

Uses specific rules that indicate what can and
cannot transpire between subject and object.
if x then y logic
Before a subject can access and object it must
meet a set of predefined rules.
ex. If a user has proper clearance, and its
between 9AM -5PM then allow access
However it does NOT have to deal specifically
with identity/authorization
Ex. May only accept email attachments 5M or less

89
Rules Based Access Control

Is considered a compulsory control because the
rules are strictly enforced and not modifiable by
users.
Routers and firewalls use Rule Based access
control heavily

90
Constrained User Interfaces (218)

Restrict user access by not allowing them see
certain data or have certain functionality
Views only allow access to certain data (canned
interfaces)
Restricted shell like a real shell but only
with certain commands. (like Cisco's non-enable
mode)
Menu similar but more gui
Physically constrained interface show only
certain keys on a keypad/touch screen. like an
ATM. (a modern type of menu) Difference is you
are physically constrained from accessing them.

91
Access Control Matrix (220)

Table of subjects and objects indicating what
actions individuals subjects can take on
individual objects
See page 220 (top)

92
Capability Table

Bound to subjects, lists what permissions a
subject has to each object
This is a row in the access matrix
(see 220 bottom)
NOT an ACL.. In fact the opposite

93
ACL

Lists what (and how) subjects may access a
certain object.
Its a column of an access matrix
See page 220

94
Content Dependant Access Controls (221)

Access is determined by the type of data.
Example, email filters that look for specific
things like confidential, SSN, images.
Web Proxy servers may be content based.

95
Context Dependant Access Control (221)

System reviews a Situation then makes a decision
on access.
A firewall is a great example of this, if session
is established, then allow
Another example, allow access to certain body
imagery if previous web sessions are referencing
medical data.

96
Review of Access Control Technology / Techniques

Constrained User Interfaces
view, shell, menu, physical
Access Control Matrix
Capability Tables
ACL
Content Dependant Access Control
Context Dependant Access Control
You should really know ALL of these and be able
to differential between similar types!

97
Centralized Access Control Administration (223)

What is it?
A centralized place for configuring and managing
access control
All the ones we will talk about (next) are AAA
protocols
Authentication
Authorization
Auditing

98
Centralized Access Control Technologies

We will talk about each of these in the upcoming
slides
Radius
TACACS, TACACS
Diameter

99
Radius (223)

Initially developed by Livingston to authenticate
modem users
Access Server sends credentials to Radius server.
Which sends back authorization and connection
parameters (IP address etc) (see diagram on 224)
Can use multiple authentication type (PAP, CHAP,
EAP)
Uses UDP port 1812 , and auditing 1813
Sends Attribute Value Pair (Ex. IP192.168.1.1)
Access server notifies Radius server on
disconnect (for auditing)

100
What is radius used for

Network access
Dial up
VLAN provisioning
IP address assignment

101
Radius benefits

Its been around, a lot of vendor support

102
Radius issues

Radius can share symmetric key between NAS and
Radius server, but does not encrypt attribute
value pairs, only user info. This could provide
info to people doing reconnaissance
PAP password go clear text from dial up user to
NAS

103
TACACS() (225)

TACACS uses fixed passwords
TACACS uses TCP or UDP port 49
TACACS is old (1990) TACACS replaces it
TACACS can support one time passwords
Provides the same functionality of Radius
TACACS uses TCP port 49

104
TACACS benefits

TCP? Is this a benefit? Discuss
Encrypts ALL traffic
TACACS separates each AAA function.
For example can use AD for authentication (radius
can actually do this too.. But you have to write
plug-ins)
Has more AVP pairs than Radius, more flexible

105
Diameter (229)

Builds upon Radius
Similar functionality to Radius and TACACS
NOT Backwards compatible with Radius (book is
wrong) but is similar and an upgrade path
Uses TCP, or STCP (stream TCP)

106
Diameter benefits

With Diameter the DS can connect to the NAS
(i.e.. Could say kick user off now). Radius
servers only respond to client requests.
Has a lot more AVP pairs (232 rather than 28)

107
Centralized Access Controls overview

Idea centralize access control
Radius, TACACS, diameter
Is Active Directory a type of Centralized Access
Control?
Decentralized is simply maintaining access
control on all nodes separately.

108
Controls and Control Types

STOP
Before we move on you need to understand the
definitions/terms that we are about to cover for
the exam. (controls and control types) They are
used ambiguously on the exam, so you need to
think about them. We will give an overview now,
but well keep seeing them again and again.

109
Controls and Control TypesNot directly in book

There are Controls and Control types, need to
understand these
Controls
Administrative
Physical
Technical
Now well talk about control types

110
Control types (241 skip ahead)

Types (can occur in each control category)
Deterrent intended to discourage attacks
Preventative intended to prevent incidents
Detective intended to detect incidents
Corrective intended to correct incidents
Recovery intended to bring controls back up to
normal operation
Compensative provides alternative controls to
other controls

111
Administrative Controls (back to 231)

Personnel HR practices
Supervisory Management practices (supervisor,
corrective actions)
Training thats pretty obvious
Testing not technical, and managements
responsibility to ensure it happens

112
Physical Controls (223)

Physical Network Segregation (not logical)
ensure certain networks segments are physically
restricted
Perimeter Security CCTV, fences, security
guards, badges
Computer Controls physical locks on computer
equipment, restrict USB access etc.

113
Physical Controls continued

Work Area Separation keep accountants out of
RD areas
Cabling shielding, Fiber
Control Zone break up office into logical areas
(lobby public, RD- Top Secret, Offices
secret)

114
Technical or Logical controls (235)

Using technology to protect
System Access Kerberos, PKI, radius
(specifically access to a system)
Network Architecture IP subnets, VLANS , DMZ
Network Access Routers, Switches and Firewalls
that control access
Encryption protect confidentiality, integrity
Auditing logging and notification systems.

115
Ok we went out of order.. Skip to 247

This is out of WAY out of order, but for the exam
you should know the table on 247 (Access control
practices) lets read it together.

116
Unauthorized Disclosure of Information

Sometimes things are disclosed un-intentionally.
In the next couple slides we will talk about
Object reuse
Emanation security

117
Object reuse (248)

Media may be re-used without cleaning off old
data!
Fix this
Destroy or wipe (destroy) old data
Why destroy?
What is degaussing?

118
Emanation Security (249)

All devices give off electrical / magnetic
signals. This can be used against you (weve all
seen Alias and 24?)
Hard/expensive to do often but not always.
A non-obvious example is reading info from a CRT
bouncing off something (weve seen CSI right?)
Tempest is a standard to develop countermeasures
to protect against this.
Lets talk about emanation countermeasures

119
Emanation Countermeasures

Faraday cage a metal mesh cage around an
object, it negates a lot of electrical/magnetic
fields.
White Noise a device that emits uniform
spectrum of random electronics signals. You can
buy sounds frequency white noise machines. (call
centers, doctors)
Control Zones protect sensitive devices in
special areas with special walls etc.

120
Intrusion detection (250)

IDS allow you to detect intrusion and
unauthorized access.
Different types (we will discuss), but usually
consist of
Sensors
Storage
Analysis engine
Management Console
(see diagram on 260)

121
NIDS

Network Based
Monitor network traffic ONLY
Can be of multiple types (discuss later)
Watch out for switches (use mirroring), and
subnets (use multiple sensors)

122
HIDS

Host based installed on computers
Monitor logs
Monitor system activity
Monitor configuration files
Could monitor network traffic to and from the
computer installed on only.
Multiple types discussed later

123
IDS types (251)

Signature based like a virus scanner, look for
known attack signature
MUST be updated with new signatures
Will not stop unknown attacks (0-day)
Relatively high rate of assurance
Commonly used

124
Statistical Anomaly Based IDS / heuristic

Based on what is normal behavior (builds a
profile)
Detects when thing are not normal
Very subjective -
Very high rate of false positives, may lead to
info being ignored.
Require high degree of knowledge and maintenance
to run -
Can possibly detect zero days

125
Protocol based IDS

What is a protocol? Anyone?
Understand the protocols its watching (like
HTTP, SMTP)
Looks for deviations from the normal protocol
traffic
Good to combined with other IDS types (signature
based, or statistical based)
A lot of protocols are open to interpretation
which can confuse protocol based IDS

126
Rules Based 255

Uses expert system/knowledge based systems.
These use a database of knowledge and an
inference engine) to try to mimic human
knowledge. Its like of a person was watching
data in real time and had knowledge of how
attacks work.

127
IDS review

Signature Based
Anomaly Based
Rule Based
When studding review the table on page 257

128
IPS

Like an IDS, but actively take steps to
neutralize attacks in real time. (doest require
IDS functionality)
Might reset TCP connections, might updates
firewall rules to block traffic.
Cool right?
May create problems in troubleshooting network
behavior/issues.

129
Honey Pots/ Honey Nets (263)

Computer or network setup to distract attackers
to this machine/net rather than the real
machines.
Can be restricted and monitored so you can see
whos trying to do what, and stop them.
Be weary of enticement vs. entrapment. Can anyone
explain the difference?

130
Threats to Access Control