Summary

An intrusion detection system (IDS) is a hardware or software system used to detect intruders on your network. IDSs differ in where they are installed (on the host or on the network) and in how they detect intruders (misuse detection or anomaly detection). Each type of IDS has its own benefits and drawbacks.

A host-based IDS consists of software installed on each host. The IDS software monitors the host and its log files, looking for intrusive activity. If an attack is performed on the host, alarms are generated and sent to the management platform. The advantage of a host-based IDS is its capability to record whether an attack was successful, because it observes the outcome on the host itself. Its disadvantage is its inability to detect common reconnaissance attacks against the host or a range of hosts: each agent sees only the activity on its own host, so a probe that touches many hosts never stands out.

A network-based IDS relies on network sensors (probes) placed strategically throughout the network. Each sensor monitors and analyzes the traffic traversing the segments it is attached to. That traffic is compared to a signature database or a defined profile to detect intrusive activity, and an alarm is generated when the monitored traffic matches a signature or profile. Sensors can additionally be configured to take corrective action to stop an attack once it has been detected. The advantage of a network-based IDS is its macro view of the network: a sensor sees all the traffic on the segments it monitors and, therefore, isn't limited to the traffic destined for a single host. One drawback is cost, because a network-based IDS relies on additional hardware in the form of network probes. Further drawbacks are the following:

  • IDS manipulation with fragmentation and TTL exploits: an attacker splits an attack across fragments, or sends packets that the sensor sees but that expire before reaching the target, so the sensor and the target reconstruct different data

  • Encryption: a sensor without the keys sees only ciphertext and has nothing to match a signature against

  • Bandwidth: a sensor that cannot keep up with the monitored link drops packets and misses whatever was in them
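The fragmentation and TTL item above is worth seeing in code. What follows is an added example written for this page, not code from the book: a per-fragment signature matcher beside a reassembling one, run over a constructed set of fragments in which the signature is split across a fragment boundary and a chaff fragment carries a TTL too low to survive the assumed three router hops between sensor and target. The signature string, the hop count, the fragment layout and the two overlap policies are all assumptions for illustration, not a real capture.

```python
# Added example: IDS evasion with fragmentation and TTL, and the reassembly that defeats it.
# Fragments, signature, hop count and overlap policies are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional

# Signature the sensor looks for (a classic file-read pattern; an assumption for this example).
SIGNATURE = b"/etc/passwd"


@dataclass
class Fragment:
    """One IP fragment as observed by the sensor."""
    offset: int      # byte offset of this fragment's payload within the reassembled datagram
    payload: bytes
    ttl: int         # TTL the fragment carries when it passes the sensor


def naive_match(frags: Iterable[Fragment]) -> bool:
    """Per-fragment matching with no reassembly: misses a signature split over fragments."""
    return any(SIGNATURE in f.payload for f in frags)


def reassemble(frags: Iterable[Fragment], hops_to_target: Optional[int] = None,
               overlap: str = "first") -> bytes:
    """Rebuild the datagram the target will see.

    hops_to_target: routers between sensor and target. A fragment whose TTL is not greater
        than that count is discarded in transit (assumed: each router decrements TTL and
        drops at zero), so the sensor must ignore it too. None disables the check.
    overlap: what the target does when fragments overlap. 'first' keeps the bytes of the
        fragment seen first, 'last' lets later fragments overwrite. Real IP stacks differ
        here, and a sensor has to mirror the stack of the host it protects.
    """
    if overlap not in ("first", "last"):
        raise ValueError("overlap must be 'first' or 'last'")
    kept = [f for f in frags if hops_to_target is None or f.ttl > hops_to_target]
    if not kept:
        return b""
    end = max(f.offset + len(f.payload) for f in kept)
    buf = bytearray(end)
    filled = bytearray(end)   # 1 where a byte has already been written
    for f in sorted(kept, key=lambda x: x.offset):   # stable sort keeps arrival order in ties
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if overlap == "last" or not filled[pos]:
                buf[pos] = b
                filled[pos] = 1
    return bytes(buf)


def reassembled_match(frags: Iterable[Fragment], hops_to_target: Optional[int] = None,
                      overlap: str = "first") -> bool:
    """Signature matching over the reassembled datagram."""
    return SIGNATURE in reassemble(frags, hops_to_target, overlap)


# Constructed attacker traffic: the signature is split at the fragment boundary, and a
# chaff fragment with TTL 2 overlaps the real data. With three routers between sensor and
# target (assumed), the chaff expires before arrival: only the sensor ever sees it.
ATTACK = [
    Fragment(offset=0, payload=b"GET /etc/", ttl=64),
    Fragment(offset=9, payload=b"XXXXXX", ttl=2),              # chaff: never reaches the target
    Fragment(offset=9, payload=b"passwd HTTP/1.0\r\n", ttl=64),
]
HOPS_TO_TARGET = 3

if __name__ == "__main__":
    print("per-fragment match:           ", naive_match(ATTACK))                        # False
    print("reassembled, no TTL check:    ", reassembled_match(ATTACK, None, "first"))   # False
    print("reassembled, TTL-aware:       ", reassembled_match(ATTACK, HOPS_TO_TARGET))  # True
    print("datagram the target receives: ", reassemble(ATTACK, HOPS_TO_TARGET))
```

A sensor that matches fragment by fragment never sees the whole string and stays silent. One that reassembles but ignores TTL is fooled by the chaff under the "first fragment wins" policy and not under "last wins", so the sensor must know both the path to the target and how the target's IP stack resolves overlaps before its view is trustworthy. The encryption drawback is the same matcher with no plaintext at all: with the payload bytes hidden, there is nothing for the signature to match against.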

Although different types of IDS exist, each type must support at least one triggering mechanism. A triggering mechanism is simply the way an alarm is generated. There are two types of triggering mechanisms:

  • Anomaly based

  • Misuse based

Anomaly-based systems use profiles of normal behavior, created either by the IDS itself or by the security administrator. Traffic patterns or computer activity that don't match the defined profile generate an alert. The advantage of anomaly detection is its capability to detect previously unknown attacks or new types of attacks. The drawback is that an alarm is generated any time traffic or activity deviates from the defined "normal", whether or not the deviation is malicious, so it's up to the security administrator to discover why an alarm was generated. Anomaly-based systems therefore have a higher rate of false positives, and defining normal traffic and activity in the first place is a difficult and time-consuming task.

Misuse-based (signature-based) IDSs rely on a signature database to discover attacks and generate alarms. The signatures in the database are used exactly as virus-detection software uses signatures to discover computer viruses: they are written by highly skilled engineers as rules that match exploits and patterns of known intrusive activity. Once a signature is matched, an alarm is generated listing the type and severity of the attack, as well as the specific signature that was matched. Signature-based IDSs have a lower occurrence of the false positives that are common with anomaly detection. Unlike anomaly detection systems, signature-based systems contain a preconfigured signature database and, therefore, can begin protecting the network immediately. Their drawback is the inability to detect new or previously unknown attacks: if no signature exists to match an attack, the attack goes undetected. Therefore, keeping your signature database current is important.
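Both triggering mechanisms, and the false negative and false positive each one tends to produce, as an added example that is not from the book. It runs a three-entry signature database (the misuse trigger) and a requests-per-minute statistical profile (the anomaly trigger) over constructed web-server log lines, the kind of file a host-based IDS reads. The log lines, the signature names, the 3-sigma threshold and the standard-deviation floor are assumptions for illustration, not any vendor's database or algorithm.

```python
# Added example: misuse (signature) and anomaly (profile) triggers over constructed
# web-server log lines. Signature names, profile parameters and traffic are illustrative.
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')

# Misuse trigger: a tiny signature database of (name, severity, pattern); each entry
# describes one known intrusive pattern, as an entry in a signature file would.
SIGNATURES = [
    ("WEB-MISC /etc/passwd access", "high", re.compile(r"/etc/passwd")),
    ("WEB-IIS cmd.exe access", "high", re.compile(r"cmd\.exe", re.I)),
    ("WEB-ATTACK SQL tautology", "medium", re.compile(r"'\s*or\s*1\s*=\s*1", re.I)),
]


@dataclass
class Alarm:
    trigger: str   # "misuse" or "anomaly"
    src: str
    detail: str


def parse(line: str) -> Dict[str, str]:
    """Parse one common-log-format line and bucket its timestamp to the minute."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]          # e.g. "12/Mar/2003:09:55"
    return rec


def misuse_detect(records: List[Dict[str, str]]) -> List[Alarm]:
    """Alarm on every request matching a signature; the alarm names signature and severity."""
    return [Alarm("misuse", r["src"], f"{name} (severity {severity})")
            for r in records for name, severity, pat in SIGNATURES if pat.search(r["req"])]


def rates(records: List[Dict[str, str]]) -> Counter:
    """Requests per (source, minute): the one feature this profile is built on."""
    return Counter((r["src"], r["minute"]) for r in records)


class AnomalyProfile:
    """Profile of requests per source per minute learned from traffic assumed to be normal.
    Anything above mean + k * stdev is anomalous. k and the stdev floor are assumptions."""

    def __init__(self, k: float = 3.0):
        self.k, self.mean, self.stdev = k, 0.0, 0.0

    def train(self, records: List[Dict[str, str]]) -> None:
        vals = list(rates(records).values())
        self.mean = statistics.mean(vals)
        # Floor the spread so perfectly uniform training traffic does not turn every
        # single extra request into an alarm.
        self.stdev = max(statistics.pstdev(vals), 1.0)

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def detect(self, records: List[Dict[str, str]]) -> List[Alarm]:
        thr = self.threshold()
        return [Alarm("anomaly", src, f"{n} requests in {minute}, profile threshold {thr:.1f}")
                for (src, minute), n in rates(records).items() if n > thr]


def _line(src: str, ts: str, req: str, status: int = 200) -> str:
    """Build one constructed log line."""
    return f'{src} - - [{ts} +0000] "{req}" {status} 512'


# Constructed baseline: one to three requests per source per minute.
TRAINING = [_line(src, f"12/Mar/2003:09:{minute}:{s:02d}", "GET /index.html HTTP/1.0")
            for src, minute, secs in [("10.0.0.5", "55", (1, 40)), ("10.0.0.5", "56", (12,)),
                                      ("10.0.0.6", "55", (5, 9, 11)), ("10.0.0.6", "57", (30, 45)),
                                      ("10.0.0.7", "56", (50,))]
            for s in secs]

# Constructed evaluation window: one known attack, one attack with no signature (a web
# shell being driven), one benign crawler burst, and one normal user.
KNOWN_ATTACK = [_line("10.0.0.9", "12/Mar/2003:10:00:03",
                      "GET /cgi-bin/../../etc/passwd HTTP/1.0", 404)]
NOVEL_ATTACK = [_line("10.0.0.20", f"12/Mar/2003:10:00:{s:02d}", f"GET /uploads/sh.php?c={c} HTTP/1.0")
                for s, c in enumerate(["id", "whoami", "uname+-a", "ls+/var/www",
                                       "netstat+-an", "ps+aux", "cat+/etc/shadow"], 10)]
BENIGN_BURST = [_line("10.0.0.30", f"12/Mar/2003:10:00:{s:02d}", f"GET /page{s}.html HTTP/1.0")
                for s in range(20, 26)]
EVALUATION = KNOWN_ATTACK + NOVEL_ATTACK + BENIGN_BURST + [
    _line("10.0.0.5", "12/Mar/2003:10:00:30", "GET /index.html HTTP/1.0")]


def run() -> Dict[str, Set[str]]:
    """Run both triggers over the evaluation window; return the sources each one flags."""
    profile = AnomalyProfile()
    profile.train([parse(l) for l in TRAINING])
    records = [parse(l) for l in EVALUATION]
    return {"misuse": {a.src for a in misuse_detect(records)},
            "anomaly": {a.src for a in profile.detect(records)}}


if __name__ == "__main__":
    for trigger, srcs in run().items():
        print(f"{trigger:8} flagged: {sorted(srcs)}")
```

The misuse trigger reports the /etc/passwd request with its signature name and severity and says nothing about the web-shell session from 10.0.0.20, for which no signature exists: that is the false negative the summary warns about. The profile flags 10.0.0.20 because seven requests in a minute is far above the learned baseline, but it flags the crawler at 10.0.0.30 for exactly the same reason, a false positive the administrator has to investigate and, if the crawler is legitimate, resolve by widening the profile.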

Some vendors attempt to combine host-based and network-based intrusion detection systems, and anomaly and misuse triggering mechanisms, into one overall IDS. While such hybrid IDSs provide the most benefits with the fewest drawbacks, they can be difficult to administer: combining alarms and data from many different sources, and types of sources, into one manageable interface is a difficult task.

Questions

1. What is the purpose of an intrusion detection system (IDS)?

  A. To prevent unauthorized access to network resources

  B. To prevent users from accessing network resources

  C. To detect intrusions on the network

  D. To detect security flaws

Answer: C. To detect intrusions on the network

2. What are the three phases of an attack?

  A. Reconnaissance, Attack, DoS

  B. DoS, Objective, Attack

  C. Attack, Reconnaissance, DoS

  D. Objective, Reconnaissance, Attack

Answer: D. Objective, Reconnaissance, Attack

3. What are the three types of attacks?

  A. Attack, Reconnaissance, data manipulation

  B. DoS, Reconnaissance, Access

  C. Objective, Reconnaissance, Access

  D. Objective, Reconnaissance, Attack

Answer: B. DoS, Reconnaissance, Access

4. What is the difference between host-based and network-based intrusion detection?

  A. Host-based systems detect attacks on the hosts and network-based systems don't

  B. Network-based systems detect attacks against the IDS and host-based systems only detect attacks against the host

  C. Host-based IDSs only determine if an attack was successful

  D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host

Answer: D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host

5. What are the four types of security threats?

  A. Internal, external, secured, nonsecured

  B. External, Structured-internal, Unstructured-external, Internal

  C. Internal, Structured, Unstructured, External

  D. Internal-structured, External-structured, Internal-structured, Internal-unstructured

Answer: C. Internal, Structured, Unstructured, External

6. What is a false negative?

  A. Results when an attack or an intrusion goes undetected

  B. An alert sent to an incorrect management station

  C. Results when the IDS reports an alarm, although no actual intrusion occurs on the network

  D. There is no such thing as a false negative

Answer: A. A false negative results when an attack or intrusion goes undetected

7. What type of triggering mechanism is most likely to create a false negative?

  A. Anomaly detection

  B. Misuse detection

  C. Profile based

  D. Network based

Answer: B. Misuse detection

8. What is a false positive?

  A. A false positive results when an attack or intrusion causes an alarm to be generated

  B. A false positive is an alert sent to an incorrect management station

  C. A false positive results when the IDS reports an alarm, although no actual intrusion occurs on the network

  D. There is no such thing as a false positive

Answer: C. A false positive results when the IDS reports an alarm, although no actual intrusion occurs on the network

9. What type of triggering mechanism is most likely to create a false positive?

  A. Anomaly detection

  B. Misuse detection

  C. Network based

  D. Host based

Answer: A. Anomaly detection

10. Which of the following is a limitation of host-based intrusion detection?

  A. Unable to detect attacks launched from the system console

  B. Unable to detect attacks launched against the host from the network

  C. Unable to detect attacks against the host from multiple locations

  D. Unable to detect reconnaissance attacks

Answer: D. Unable to detect reconnaissance attacks

11. Which of the following is a benefit of host-based intrusion detection?

  A. Easier to manage

  B. Can detect if an attack is successful

  C. Detects more intrusions

  D. Administrators have a higher degree of confidence in host-based IDSs

Answer: B. Host-based systems can detect if an attack is successful

12. Which of the following is a limitation of network-based intrusion detection?

  A. Can only detect attacks performed over the network

  B. Can only detect attacks against the network infrastructure

  C. Can't detect new attack methods

  D. Easy to manipulate

Answer: A. Network-based intrusion detection can only detect attacks performed over the network

13. Which of the following is a benefit of network-based intrusion detection?

  A. Can determine if an attack was successful

  B. Has a lower occurrence of false positives

  C. Has a higher occurrence of false negatives

  D. Has a complete view of network traffic

Answer: D. A network-based IDS has a complete view of network traffic

14. What are the two types of triggering mechanisms used by an IDS?

  A. Network based and host based

  B. Misuse and anomaly detection

  C. Signature and misuse detection

  D. Anomaly and profile-based detection

Answer: B. Misuse and anomaly detection

15. What is the difference between anomaly detection and misuse detection?

  A. Anomaly detection uses profiles, while misuse detection uses signatures

  B. Misuse detection uses profiles, while anomaly detection uses signatures

  C. Anomaly detection is network-based, while misuse detection is host-based

  D. No difference exists between misuse detection and anomaly detection

Answer: A. Anomaly detection uses profiles, while misuse detection uses signatures

16. In the context of an IDS, what is an anomaly?

  A. A normal traffic pattern

  B. Any computer activity that matches a user profile

  C. Any traffic or activity that isn't normal

  D. Any traffic pattern or activity that matches a signature in the signature database

Answer: C. An anomaly is any traffic or activity that isn't normal

17. What is a signature and what is it used for?

  A. A definition of intrusive activity, used to build user profiles

  B. A definition of intrusive activity, used to detect intrusions

  C. A definition of normal activity, used to distinguish normal activity from intrusive activity

  D. A set of rules describing intrusive activity, used to build rule-based profiles

Answer: B. A signature is a definition of intrusive activity and is used to detect intrusions

18. What are the three ways to build user profiles?

  A. Signatures, neural networks, rule based

  B. Rule based, neural networks, statistical sampling

  C. Host statistical sampling, network statistical sampling, neural networks

  D. Signatures, statistical sampling, neural networks

Answer: B. Rule-based, neural networks, statistical sampling

19. Which of the following is a benefit of misuse detection?

  A. Lower occurrence of false negatives

  B. Easier to install and understand

  C. Can detect new attack methods

  D. Can be used for both network based and host based

Answer: B. Easier to install and understand

20. Which of the following is a benefit of anomaly detection?

  A. Easier to understand

  B. Easier to configure

  C. Can be used to prevent intrusions

  D. Can be used to detect new attack methods

Answer: D. Anomaly detection can be used to detect new attack methods

21. What is a major drawback to misuse detection?

  A. Unable to detect new attack methods

  B. Hard to understand and configure

  C. Results in too many false positives

  D. Can only be used with host-based IDSs

Answer: A. Misuse detection is unable to detect new attack methods

22. What is a major drawback to anomaly detection?

  A. Results in a high number of false negatives

  B. Hackers are aware of what activity will generate an alert

  C. Relies on a defined profile of normal activity

  D. Has no major drawbacks

Answer: C. Anomaly detection relies on a defined profile of normal activity

Part III: Virtual Private Networks (VPNs)