END POINT PROTECTION & MANAGEMENT ( Intrusion Detection System (IDS)…
END POINT PROTECTION & MANAGEMENT
Host-based IDS (HIDS)
2 types of HIDS architecture: centralized host-based architecture / distributed real-time host-based architecture
Advantages and disadvantages of HIDSs: detect a broad range of threats (decision support) / no dedicated hardware required / maintenance is difficult because the agents are distributed
Collect and analyze data, aggregating it
Host-based IDSs monitor the data in the system
Intrusion Prevention System (IPS)
Defends servers and desktops entirely against a variety of known and unknown attacks
Identifies traffic using sensors, correlates events using different analyzers and reports identified threats.
Identifies attacks using false positives and allows the use of automatic response features without disrupting critical applications
IPS Deployment Risk
Some of the risk related to IPS are:
Self-inflicted denial-of-service: modifying the actual source address to a forged address is called spoofing; an attacker who spoofs a legitimate address can trick the IPS into blocking that address.
Exploit defeats the attempted block: when there is a time gap between the IPS detecting the attack and ordering a change in the access control lists, the exploit can complete before the block takes effect
Session interception and IDS identification: Snort terminates a TCP session when it detects an attack by sending an RST packet.
The following are the three different prevention strategies of IPS:
Gateway intrusion detection: Snort uses gateway intrusion detection to block hostile traffic
Session interception: terminating a session by sending a reset (RST) packet
Host-based memory and process protection: in this strategy the IPS monitors process execution
Application content is the key for making access control decisions
It is a device that employs access control to secure systems against abuse, via enhancement of the IDS.
An intrusion prevention system (IPS) can be any device that uses access control to guard systems from misuse of attackers
Intrusion Detection System (IDS)
Network-based IDS / host-based IDS / distributed IDS / protocol-based IDS
SecureHost: avoids attack by immediately halting the suspected app.
BlackICE: consists of an intrusion detection system that warns of attacks and resists threats against the system
Snort: Snort is a NIDS based on libpcap that performs packet sniffing and works as a packet logger.
possesses built-in forensic and reporting capabilities
deal with large amount of data
It creates a database of the types of attacks
Characteristics of IDS
adaptability of systems with technologies
Survives a system crash and must be fault tolerant
Runs constantly without human supervision
IDS a concept: Goals
The 2 specific goals of IDS:
Response: an activity used to recognize the capability of an attack and take action to block that attack
Accountability: the capability to link a given activity or event to the party responsible for initiating it
The main goal of IDS is to identify abnormal behaviour of the network or misuse of resources.
IDS concept: Monitoring
The 4 different strategies of monitoring process are:
Target-based monitor: creates the data on its own
Application-based monitor: gathers data from applications that are running
Network-based monitor: collects data from network packets, using network devices that are running
Host-based monitor: gathers data internal to a system at the operating system level
Monitoring refers to the action of gathering data from data sources and passing it to an analysis engine.
IDS concept: Architecture
Host target separation:
Separating IDS host machine from target system will improve the security of IDS
Host target co-location
IDSs usually protect the systems that are running under their control
2 Primary architectural components of IDS:
Host target co-location and separation
An IDS can be configured to block the intruder IP when an alert is generated in response to the activity of the same IP
The TCP/IP packets are examined in a number of ways after they are captured
IDS gathers and analyzes the information regarding the misuse of a particular computer or the whole network
IDS monitors all inbound and outbound host activity and identifies suspicious patterns on the network that indicate an attack
Operating System Patches
Cross-platform product installation
Features: flexible modes of operation / web-based administrator console for universal secure access to data views and configuration.
4 stages of operation: system addition & discovery / patch assessment or scanning / patch download and deployment / reporting
Operating systems: Windows and Linux (Red Hat and Debian)
SecureCentral PatchQuest: web-based patch management software that manages and distributes security patches and updates across various platforms
Automatic Updates: connects to the Windows Update site and determines whether the computer requires any updates
Web-based update: determines whether new updates are required for the computer
Microsoft Download Center: searches for other software and software updates from Microsoft.
Microsoft Office Update: provides updates, add-ins, extras, converters, and viewers for
Microsoft Windows Update: downloads updates, hotfixes and service packs, and identifies patches
Locations available for downloading service packs and hotfixes
Downloads patches or service pack files
Microsoft releases patches for updating the Windows OS and Microsoft applications (such patches fix problems, or bugs, in an OS or application and are shipped in 3 formats)
Service packs: an update to a software version that fixes a bug
Roll-ups: merge the updates of several hotfixes into a single update file
Hotfixes: code that fixes a bug in a product
When a new OS is installed on a computer, all security settings are set to their default values. In most cases this level of security is not sufficient. There are several simple steps that should be taken for most OSs:
Any unnecessary services and applications should be disabled
Access to system resources should be restricted to the individuals authorized to use those resources
Default usernames and passwords must be changed immediately.
A well-designed patch can sometimes introduce new problems
This includes fixing security vulnerabilities and other bugs and improving usability or performance
A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data