3. AGENDA
INTRODUCTION
TYPES OF IDS
NETWORK INTRUSION DETECTION SYSTEM
HOW DOES IT PROTECT THE SENSITIVE SYSTEM
WORKING OF NIDS
DIFFERENCES BETWEEN NIDS AND FIREWALL
5. INTRODUCTION
An intrusion is somebody attempting to break into or
misuse your system.
An intrusion detection system (IDS) is a device (or
application) that monitors network and/or system
activities for malicious activities or policy violations.
6. TYPES OF INTRUSION DETECTION
SYSTEM
Intrusion Detection Systems are categorized into two
types:
a) Network intrusion detection system (NIDS)
b) Host based intrusion detection system (HIDS)
7. NETWORK INTRUSION
DETECTION SYSTEM (NIDS)
A network-based IDS or NIDS resides on a computer or
appliance connected to a segment of an organization's
network and monitors network traffic on that network.
In a network-based intrusion-detection system
(NIDS), the sensors are located at choke points in the
network to be monitored, often in the demilitarized
zone (DMZ) or at network borders.
8. HOW DOES NIDS PROTECT
SENSITIVE MATERIALS
A Network Intrusion Detection System (NIDS)
performs the same function as a sophisticated alarm
system.
NIDS observes and alerts. It does not affect network
performance. NIDS maintains a database, updated
daily, containing nearly a decade's worth of documented
attack attempts, and flags traffic that resembles them.
9. WORKING OF NIDS
HUBS:
The NIDS device connects to a network hub or a switch that
connects to the network router or Firewall. All traffic
passing to or from the customer is inspected by the NIDS
device.
10. TAP:
The network tap is another approach to
allowing the NIDS to see all the traffic on a
switched network.
A tap is similar in function to a phone tap.
The tap will typically look like a 3-port switch.
Port 1 will attach to Switch 1, Port 2 will attach to
Switch 2, and Port 3 will attach to the NIDS.
11. SPAN PORT:
Another popular option for adding a sniffer of
any type to a network is the use of a span port
on the switch being monitored.
A span port is a port that is configured to have
a copy of all packets sent to it.
The major disadvantage of spanning ports is
that they can have a detrimental effect on other
traffic traversing the switch.
12. INLINE NIDS:
The final option is an inline NIDS.
An inline NIDS looks essentially like a bridge.
The NIDS will be configured without an IP so
that it will not respond to any traffic.
The IPS will simply accept traffic on one NIC
and pass it back out unchanged on a second NIC,
like a bridge.
13. TYPES OF DETECTION METHODS:
Two types of detection methods are:
a) Anomaly Detection model
b) Signature detection model
ANOMALY DETECTION MODEL:
One IDS methodology is an approach called anomaly
detection or behavior-based detection.
This model works by establishing accepted baselines
or rules and noting exceptional differences.
14. If an IDS looks only at network packet headers for
differences, it is called protocol anomaly detection.
This model triggers when the following events occur:
a) Unusual user account activity
b) Excessive file and object accesses
c) High CPU utilization
d) Inappropriate protocol use
e) Unusual login frequency
f) High number of sessions
g) Unusual content
16. Advantages:
Analyzes ongoing traffic, activity, transactions,
and behavior for anomalies.
Potential to detect previously unknown types of
attacks.
Catalogs the differences between baseline
behavior and ongoing activity.
Disadvantages:
Prone to false positives.
Heavy processing overhead.
Vulnerable to attack while creating time-consuming,
statistically significant baselines.
17. Signature detection model:
The defined patterns of code are called signatures
and are often treated as rules when included in an IDS.
Signature-based IDS use a database of traffic and
activity patterns related to known attacks. The patterns
are called attack signatures.
These signatures and rules can be collected together
into larger sets called signature databases or rule sets.
18. Advantages:
Examines ongoing activity and matches against patterns
of previously observed attacks.
Works extremely well against previously observed
attacks.
Disadvantages:
Signature databases must be constantly updated.
Must compare and match activities against large
collections of attack signatures.
Specific signature definitions may miss variations on
known attacks.
May impose noticeable performance drags on systems.
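The two detection models from slides 13 to 18 side by side, as an added example that is not part of the original deck: a toy NIDS that matches payloads against a constructed rule set (signature model), checks headers only for an invalid SYN+FIN combination (protocol anomaly detection), and learns a per-host session baseline from a benign training window before flagging hosts that exceed it (behavior-based model). All traffic, rules and hosts are constructed for the example.

```python
import statistics
from collections import Counter

# Signature model: constructed rule set of byte patterns taken from known attacks.
SIGNATURES = {
    "sqli-tautology": b"' OR 1=1",
    "dir-traversal": b"../../",
}

def signature_alerts(packets):
    """Signature detection: match each payload against every rule in the rule set."""
    return [(name, src) for src, _dst, _flags, payload in packets
            for name, pattern in SIGNATURES.items() if pattern in payload]

def protocol_anomaly_alerts(packets):
    """Protocol anomaly detection: headers only; SYN and FIN set together is invalid."""
    return [("syn+fin", src) for src, _dst, flags, _payload in packets
            if "S" in flags and "F" in flags]

def learn_baseline(normal_packets):
    """Behavior-based model, step 1: baseline of new sessions (SYN) per source host."""
    per_host = Counter(src for src, _d, flags, _p in normal_packets if flags == "S")
    counts = list(per_host.values())
    return statistics.mean(counts) + 3 * statistics.pstdev(counts)

def behavior_anomaly_alerts(packets, threshold):
    """Behavior-based model, step 2: flag hosts whose session count exceeds the baseline."""
    per_host = Counter(src for src, _d, flags, _p in packets if flags == "S")
    return [("high-session-count", src) for src, n in per_host.items() if n > threshold]

# Constructed traffic: (src, dst, TCP flags, payload). The training window is benign.
TRAINING = ([("10.0.0.5", "10.0.0.80", "S", b"")]
            + [("10.0.0.6", "10.0.0.80", "S", b"")] * 2
            + [("10.0.0.7", "10.0.0.80", "S", b"")] * 3)
LIVE = ([("10.0.0.5", "10.0.0.80", "S", b""),
         ("10.0.0.5", "10.0.0.80", "PA", b"GET /index.html HTTP/1.1"),
         ("10.0.0.9", "10.0.0.80", "PA", b"GET /login?u=admin' OR 1=1-- HTTP/1.1"),
         ("10.0.0.7", "10.0.0.80", "SF", b"")]
        + [("10.0.0.13", "10.0.0.80", "S", b"")] * 40)

def run_nids(training, live):
    """Observe-and-alert only: returns alerts and never modifies the traffic."""
    threshold = learn_baseline(training)
    return (signature_alerts(live) + protocol_anomaly_alerts(live)
            + behavior_anomaly_alerts(live, threshold))

if __name__ == "__main__":
    for alert in run_nids(TRAINING, LIVE):
        print(alert)
```

The benign training window produces no behavior alerts, while the live window yields one alert per model; note that the signature rule is an exact byte match, which is why the slides list "variations on known attacks" as a weakness.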
19. Misuse Detection:
Expert Systems
Keystroke monitoring
Model Based Intrusion Detection
20. NEW ARCHITECTURE
Mobile IDS Agents
The Local Audit Trail
The Local Intrusion Database (LID)
The Secure Communication Module
The Anomaly Detection Modules (ADMs)
The Misuse Detection Modules (MDMs)
Stationary Secure Database
22. IMPLEMENTED APPROACHES
IEEE 802.11
a) Open System Authentication.
b) Shared Key Authentication.
Secure key generation and distribution
Mitigating Routing Misbehavior (Sergio
Marti et al. [19])
23. ADVANTAGES:
Monitors an entire network with only a few well-placed
nodes
Mostly passive devices
Low overhead; only a limited number of resources are
used, even in a large network.
Easy to secure against attack
Mostly undetectable to attackers or intruders because
they are completely hidden in the network.
Easy to install
NIDS can be used in the present networks without
interrupting conventional network operations.
24. DISADVANTAGES:
May not be able to monitor and analyze all traffic on
large, busy networks
Vulnerable to attacks launched during peak traffic periods
on large busy networks
Not able to monitor switch-based (high-speed) networks
effectively
Typically unable to analyze encrypted data or not suitable
for encrypted traffic.
Does not always report success or failure of attempted
attacks
Requires active manual involvement by network
administrators or security administrators.
25. CONCLUSION:
As NIDS technologies continue to evolve, they will more
closely resemble their real-world counterparts. In the
future, NIDS, firewalls, VPNs, and related security
technologies will all come to interoperate to a much higher
degree. The current generation of IDS (HIDS and NIDS) is
quite effective already; as they continue to improve they will
become the backbone of the more flexible security systems
we expect to see in the not-too-distant future.