IDS, Firewalls & Honeypots Flashcards
How IDS Detects Intrusion
Signature Recognition, Anomaly Detection, Protocol Anomaly Detection
Types of IDS
Network-Based, Host-Based
Types of IDS Alerts
True Positive (Attack - Alert), False Positive (No Attack - Alert), False Negative (Attack - No Alert), True Negative (No Attack - No Alert)
Firewall Technologies
Packet Filtering, Circuit-Level Gateways, Application-Level Firewall, Stateful Multilayer Inspection, Application Proxies, VPN, NAT
Firewall Architecture
Bastion Host, Screened Subnet, Multi-homed Firewall
Type of Honeypots
Low-interaction Honeypot, Medium-interaction Honeypot, High-interaction Honeypot, Production Honeypot, Research Honeypot
Firewall
A software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. Firewalls are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. They examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria.
Honeypots
Systems that are only partially secure and thus serve as lures to attackers. Recent research reveals that a honeypot can imitate all aspects of a network, including its web servers, mail servers, and clients. Honeypots are intentionally set up with low security to gain the attention of DDoS attackers. They serve as a means of gaining information about attackers, attack techniques, and tools by storing a record of system activities.
An intrusion detection system (IDS)
Security software or a hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting an intrusion.
DeMilitarized zone (DMZ)
An area that hosts one or more computers or a small subnetwork placed as a neutral zone between a company’s internal network and an untrusted external network, to prevent outsider access to the company’s private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet; it adds a layer of security to the corporate LAN and thus prevents direct access to other parts of the network.
Port UDP 514
The port on which a syslog server gathers log information sent over the network.
Signature Recognition
Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision.
Anomaly Detection
Anomaly detection relies on a database of anomalies. An anomaly is detected when an event occurs outside the tolerance threshold of normal traffic; any deviation from regular use is therefore treated as an attack. Anomaly detection identifies intrusions based on the fixed behavioral characteristics of the users and components in a computer system. Creating a model of normal use is the most challenging task in building an anomaly detector.
Protocol Anomaly Detection
Protocol anomaly detection depends on anomalies specific to a protocol. It identifies particular flaws in how vendors implement the TCP/IP protocols. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication, so deviations from those specifications stand out. A protocol anomaly detector can identify new attacks.
Obfuscating
Obfuscating is an IDS evasion technique in which the attack packet payload is encoded in such a way that the destination host can decode it but the IDS cannot. An attacker manipulates the path referenced in the signature to fool the HIDS. Using Unicode characters, an attacker could encode attack packets that the IDS would not recognize but that an IIS web server would decode.