Network Security:
Attacks and Monitoring
Lecture slides 3 of the course: Network Security (Keamanan Jaringan)
Course Objectives
• Network Monitoring
• Intrusion Detection System (IDS)
• Penetration Testing
Network Monitoring
• Subjects are held accountable for their actions while authenticated on a system.
• Monitoring is also the process of detecting unauthorized or abnormal activity on the system.
• The audit trails created by recording system activity to logs can be used to evaluate a system's health and performance.
• Logged events provide an audit trail for recreating a step-by-step history of an event, an intrusion, or a system failure.
Intrusion Detection
• An Intrusion Detection System (IDS) is primarily used to detect intrusion attempts, but it can also be employed to detect system failures and to monitor overall performance.
• An IDS alert can be delivered as an on-screen notification, by playing a sound, by sending an e-mail notification, or by recording the information in a log file.
Intrusion Detection System (IDS)
IDSs Response
• A response from an IDS can be classified into three types:
– Active: directly affects the malicious activity in the network traffic.
– Passive: does not affect the malicious activity, but records information about the issue and notifies the administrator.
– Hybrid: stops the unwanted activity, records information about the event, and notifies the administrator.
IDSs Response
• Typical active IDS responses include blocking a port, blocking a protocol, blocking a source address, and disabling all communication over a specific cable segment.
• When an IDS discovers abnormal behavior or a violation of its security rules, it records a detailed log of the issue and, if configured for an active response, drops, discards, or deletes the suspect packets.
Host- and Network-based IDS
• A host-based IDS watches for questionable activity on a single computer system.
• A host-based IDS looks at audit trails, event logs, and application logs.
• A network-based IDS watches for:
– Questionable activity on the network medium, by inspecting packets and observing network traffic patterns.
Knowledge- and Behavior-based Detection
• An IDS can detect malicious behavior using two common approaches:
– Knowledge-based detection (also known as signature-based detection or pattern matching).
– Behavior-based detection (also known as statistical intrusion detection, anomaly detection, or heuristic-based detection).
Knowledge-based Detection
• Here, the IDS uses a signature database and attempts to match every monitored event against its contents.
• If a match is made, the IDS assumes that an attack is taking place.
• This method is effective only for known attack methods or behaviors.
• In this respect it is similar to an antivirus application.
Knowledge-based Detection (Cont.)
• A knowledge-based IDS lacks a learning model; that is, it is unable to recognize new attack patterns as they emerge.
• Therefore, the administrator must keep the signature database up to date and correct.
– As mentioned before, it is like an antivirus application: its signatures need to be updated periodically.
Behavior-based Detection
• Basically, behavior-based detection learns what normal activities and events on your system look like by watching and tracking what it sees.
• Once it has accumulated enough data about normal activity, it can detect abnormal, and possibly malicious, activities or events.
– Whatever is present during the learning period becomes part of the baseline, so learning must be done on traffic known to be clean, and a new host with no history cannot be judged at all until a baseline exists.
Behavior-based Detection
• A behavior-based IDS can be labeled an expert system or an artificial intelligence system because it can learn and make assumptions about events.
• In other words, the IDS can act like a human expert by evaluating current events against known events.
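To make the contrast between the two approaches concrete, here is an added Python example (not from the slides) that runs both over a few constructed request records: a small signature table for knowledge-based detection, and a per-host statistical baseline (z-score on bytes per request) for behavior-based detection. The event records, signature names, thresholds and the `run_ids` helper are all assumptions for illustration.

```python
import re
import statistics

# Constructed request records (sample data, not a real capture).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "bytes": 1200, "payload": "GET /index.html"},
    {"src": "10.0.0.5", "bytes": 1100, "payload": "GET /about.html"},
    {"src": "10.0.0.5", "bytes": 1300, "payload": "GET /news.html"},
    {"src": "10.0.0.5", "bytes": 1250, "payload": "GET /contact.html"},
    {"src": "10.0.0.5", "bytes": 1150, "payload": "GET /faq.html"},
    {"src": "10.0.0.9", "bytes": 1000, "payload": "GET /login?user=admin' OR 1=1--"},
    {"src": "10.0.0.5", "bytes": 900000, "payload": "GET /index.html"},
    {"src": "10.0.0.7", "bytes": 1000, "payload": "GET /../../etc/passwd"},
]

# Knowledge-based detection: a signature database of patterns for known attacks.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(events):
    """Match every event against every signature; return (event index, signature name)."""
    alerts = []
    for i, ev in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["payload"]):
                alerts.append((i, name))
    return alerts


class AnomalyDetector:
    """Behavior-based detection: learn a per-host baseline of bytes per request,
    then flag a request whose z-score against that baseline exceeds a threshold."""

    def __init__(self, min_samples=5, z_threshold=3.0):
        self.min_samples = min_samples
        self.z_threshold = z_threshold
        self.history = {}  # src host -> list of byte counts accepted as normal

    def is_anomalous(self, ev):
        seen = self.history.get(ev["src"], [])
        if len(seen) < self.min_samples:
            return False  # no baseline yet: a brand-new host cannot be judged
        mean = statistics.mean(seen)
        stdev = statistics.pstdev(seen) or 1.0  # avoid division by zero
        return abs(ev["bytes"] - mean) / stdev > self.z_threshold

    def learn(self, ev):
        self.history.setdefault(ev["src"], []).append(ev["bytes"])


def run_ids(events, detector=None):
    """Run both detectors over the stream. Anomalous events are not fed back into
    the baseline, so an attacker cannot slowly poison it."""
    detector = detector or AnomalyDetector()
    anomalies = []
    for i, ev in enumerate(events):
        if detector.is_anomalous(ev):
            anomalies.append(i)
        else:
            detector.learn(ev)
    return {"signature": signature_alerts(events), "anomaly": anomalies}


if __name__ == "__main__":
    print(run_ids(SAMPLE_EVENTS))
    # {'signature': [(5, 'sql-injection-tautology'), (7, 'path-traversal')], 'anomaly': [6]}
```

The signature table misses the 900 KB transfer from the otherwise well-behaved host because no known pattern describes it, while the baseline misses both injection attempts because they come from hosts it has never seen and payload content is not a feature it models. That complementary blind spot is why the two approaches are deployed together.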
IDS Related Tools
• These IDS-related tools expand the usefulness and capabilities of IDSs and make them more efficient and less prone to false positives.
• These tools include:
– honeypots,
– padded cells, and
– vulnerability scanners.
Understanding Honeypots
• Individual computers or entire networks created to serve as a trap for intruders.
– They look and act like a legitimate network, but they are totally fake.
• Honeypots tempt intruders by presenting unpatched and unprotected security vulnerabilities.
– They direct intruders into a restricted playground while keeping them away from the legitimate network and confidential resources.
Typical Honeypot Deployment
Understanding Honeypots (Cont.)
• Honeypots keep intruders busy with their malicious activities long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
– Legitimate users never enter the honeypot.
– Thus, when access to a honeypot is detected, it must be an unauthorized intruder.
Understanding Honeypots (Cont.)
• The use of honeypots raises the issue of enticement vs. entrapment.
• A honeypot can be legally used as an enticement device if the intruder discovers it through no outward effort of the honeypot owner.
Understanding Honeypots (Cont.)
• Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion.
• In other words, it is considered to be entrapment when you trick or encourage a perpetrator into performing an illegal or
Understanding Padded Cells
• A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach.
– When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.
– Within the padded cell the intruder can neither perform malicious activities nor access any confidential data.
Understanding Vulnerability Scanners
• Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses.
– They may recommend applying patches or making specific configuration or security-setting changes to improve or enforce security.
• An extension of the IDS concept is the intrusion prevention system (IPS).
Understanding Vulnerability Scanners (Cont.)
• An IPS seeks to actively block unauthorized connection attempts or illicit traffic patterns as they occur.
• In fact, the line between IDSs and IPSs can be quite blurry, in that many self-professed IDSs have IPS capabilities.
– Because an IPS sits inline and drops traffic, a false positive becomes a self-inflicted denial of service, so IPS rules need tighter tuning than IDS alerts.
Penetration Testing
• A penetration occurs when an attack is successful and an intruder is able to breach the perimeter around your environment.
– It is common for organizations to hire external consultants to perform penetration testing.
– That way the testers are not informed of confidential elements of the environment's security configuration, network design, and other internal secrets.
Penetration Testing (Cont.)
• There are open-source and commercial tools, such as Metasploit and Core IMPACT.
• To evaluate your system, benchmarking and testing tools are available for
Penetration Testing (Cont.)
• Keeping up with the latest attacks, vulnerabilities, and exploits demands that careful, attentive security professionals keep up with security bulletins.
– For example, those from the U.S. Computer Emergency Readiness Team at www.us-cert.gov/cas/bulletins, or those from the Common Vulnerabilities and Exposures database at http://cve.mitre.org.
Method of Attacks
• The following are the most common or well-known access control attacks or attack methodologies (listed in alphabetical order):
– Brute force and dictionary attacks
– Denial of service
– Malware: viruses, worms, Trojans, spyware, etc.
– Sniffing
– Spamming
Brute Force and Dictionary Attacks
• We discuss brute-force and dictionary attacks together because they are waged against the same target: passwords.
• A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.
• A dictionary attack instead tries candidates from a list of likely passwords; it covers far fewer guesses than an exhaustive search, which is why it is tried first and why it succeeds against weak passwords.
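The following added Python example (not from the slides) shows both attacks against stored password hashes and why the cost differs so much: a dictionary attack against a PBKDF2 hash of a weak password, an exhaustive search over a short numeric PIN, and the size of the search space an exhaustive attack on a real password would have to cover. The salt, the wordlist, the iteration counts and the target passwords are constructed for the example; PBKDF2-HMAC-SHA256 stands in for whatever slow hash a real system uses.

```python
import hashlib
import itertools


def hash_password(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: a deliberately slow hash so every guess costs the attacker work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed target credentials (example data only).
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SLOW_ITER = 20000                      # realistic cost for a stored password hash
WEAK_HASH = hash_password("sunshine", SALT, SLOW_ITER)

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon"]

FAST_ITER = 1000                       # lower cost so the exhaustive demo finishes quickly
PIN_HASH = hash_password("417", SALT, FAST_ITER)


def dictionary_attack(target, wordlist, salt, iterations):
    """Try each likely password from the list; return (password, guesses) or (None, guesses)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hash_password(candidate, salt, iterations) == target:
            return candidate, guesses
    return None, len(wordlist)


def brute_force(target, alphabet, max_len, salt, iterations):
    """Enumerate every string of length 1..max_len over the alphabet, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt, iterations) == target:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, max_len):
    """How many candidates an exhaustive search of length 1..max_len must cover."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print(dictionary_attack(WEAK_HASH, WORDLIST, SALT, SLOW_ITER))   # ('sunshine', 5)
    print(brute_force(PIN_HASH, "0123456789", 3, SALT, FAST_ITER))  # ('417', 528)
    print(keyspace(10, 3), keyspace(95, 8))
```

The dictionary attack needs five hashes; the three-digit PIN falls after 528. For an eight-character password over the 95 printable ASCII characters, `keyspace(95, 8)` is roughly 6.7 × 10^15 candidates, and at 20000 PBKDF2 iterations each that is out of reach, which is why attackers rely on wordlists and why slow hashing, long passwords and lockout or rate limiting on login attempts are the practical defenses.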
Denial of Service Attacks
• Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
– The most common form of DoS is transmitting so many data packets to a server that it cannot process them all.
– DoS can result in system crashes, system reboots, data corruption, blockage of services, and more.
Denial of Service Attack Types
• A single attacking system floods a single victim with a steady stream of packets.
– This simple form of DoS is easy to terminate just by blocking packets from the source IP address.
• A distributed denial of service (DDoS) occurs when the attacker compromises several systems and uses them as launching platforms against one or more victims.
– Because the traffic arrives from many sources, and the source addresses may be spoofed, blocking individual source IPs no longer works; mitigation has to rate-limit the victim or filter upstream.
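The distinction matters for the response, so here is an added Python example (not from the slides) that buckets a constructed packet stream into one-second windows per destination and decides whether a flood is single-source, where one address can simply be blocked, or distributed, where no single address stands out. The addresses, timings and threshold values are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet stream: (timestamp in seconds, source IP, destination IP).
# Addresses come from the documentation ranges; none of this is a real capture.
SAMPLE_PACKETS = (
    # normal background traffic: one packet per second from one client
    [(float(t), "192.0.2.10", "203.0.113.5") for t in range(10)]
    # single-source flood: one host sends 500 packets within one second
    + [(12.0 + i / 500, "198.51.100.7", "203.0.113.5") for i in range(500)]
    # distributed flood: 200 different hosts send 5 packets each within one second
    + [(20.0 + i / 1000, f"198.51.100.{20 + i % 200}", "203.0.113.9") for i in range(1000)]
)


def classify_floods(packets, window=1.0, dst_limit=300, src_limit=100, distinct_min=50):
    """Bucket packets per (time window, destination). A window that exceeds dst_limit
    packets is a flood; if one source alone exceeds src_limit it is a single-source DoS
    and that address can simply be blocked; otherwise, if the packets come from at
    least distinct_min sources, it is distributed and there is no single IP to block."""
    buckets = defaultdict(list)
    for ts, src, dst in packets:
        buckets[(int(ts // window), dst)].append(src)

    verdicts = []
    for (win, dst), sources in sorted(buckets.items()):
        if len(sources) < dst_limit:
            continue
        counts = Counter(sources)
        top_src, top_n = counts.most_common(1)[0]
        if top_n >= src_limit:
            verdicts.append({"window": win, "dst": dst, "kind": "single-source",
                             "action": f"block src {top_src}"})
        elif len(counts) >= distinct_min:
            verdicts.append({"window": win, "dst": dst, "kind": "distributed",
                             "action": "rate-limit dst / filter upstream"})
    return verdicts


if __name__ == "__main__":
    for verdict in classify_floods(SAMPLE_PACKETS):
        print(verdict)
```

The per-source threshold is what turns the first flood into a one-line block rule; the second flood never trips it, because 200 hosts sending five packets each look individually harmless, and only the aggregate per destination reveals the attack.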
Spoofing Attacks
• Spoofing attacks consist of replacing a valid source and/or destination IP address and node numbers with false ones.
– The art of pretending to be something you're not.
• Spoofing is employed when:
– An attacker uses a stolen username and password.
– An attacker changes the source address in a malicious packet.
– An attacker assumes the identity of a client to fool a server into transmitting controlled data.
Man in The Middle Attacks
• A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication.
– One form is sniffing the traffic between two parties; this is basically a sniffer attack.
– The other involves attackers positioning themselves in the line of communication, where they act as a store-and-forward or proxy mechanism.
Man in The Middle Attacks (Cont. 2)
• In a form of this attack called a hijack attack, a malicious user positioned between a client and a server interrupts the session and takes it over.
Man in The Middle Attacks (Cont. 3)
• Another type is a replay attack (playback attack).
– A malicious user records traffic between a client and a server; then the packets sent from the client to the server are played back, or retransmitted, to that server with slight variations in the time stamp and source IP address.
– Replay works whenever the server cannot tell a fresh message from a recorded one; the standard defenses are per-message nonces and timestamps checked against a short window, both covered by the message's integrity check so the attacker cannot edit them.
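An added Python example (not from the slides) that acts out the replay described above: a client authenticates a request with an HMAC, a naive server that only checks the MAC accepts the recorded message a second time, and a server that also checks a freshness window and a nonce cache rejects the replay, the edited-timestamp variant, and a stale message. The shared key, the message contents, the nonces and the 30-second window are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key between client and server (constructed for the example).
KEY = b"constructed-shared-secret"


def mac(body):
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def make_message(payload, nonce, ts):
    """Client side: serialise the request and authenticate it with an HMAC that also
    covers the nonce and timestamp, so neither can be altered without breaking the tag."""
    body = json.dumps({"payload": payload, "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    return body, mac(body)


class NaiveServer:
    """Verifies the MAC only. A recorded (body, tag) pair verifies every time it is replayed."""

    def accept(self, body, tag, now):
        return hmac.compare_digest(mac(body), tag)


class ReplayResistantServer:
    """Verifies the MAC, then rejects stale timestamps and nonces already seen."""

    def __init__(self, window_seconds=30.0):
        self.window = window_seconds
        self.seen_nonces = set()

    def accept(self, body, tag, now):
        if not hmac.compare_digest(mac(body), tag):
            return False                      # forged or tampered message
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.window:
            return False                      # too old (or clock skew beyond tolerance)
        if msg["nonce"] in self.seen_nonces:
            return False                      # exact replay of an accepted message
        self.seen_nonces.add(msg["nonce"])
        return True


def demo(t0=1_700_000_000.0):
    """Replay one captured message against both servers and return what each accepted."""
    body, tag = make_message("transfer 100 to account 42", nonce="6b2f9c01", ts=t0)

    naive = NaiveServer()
    hard = ReplayResistantServer()
    results = {
        "naive_first": naive.accept(body, tag, now=t0 + 1),
        "naive_replay": naive.accept(body, tag, now=t0 + 5),     # accepted again
        "hard_first": hard.accept(body, tag, now=t0 + 1),
        "hard_replay": hard.accept(body, tag, now=t0 + 5),       # nonce already seen
    }
    # The slide's variant: the attacker edits the timestamp before replaying.
    # Because the MAC covers ts, the edited body no longer verifies.
    edited = json.loads(body)
    edited["ts"] = t0 + 5
    edited_body = json.dumps(edited, sort_keys=True).encode()
    results["hard_edited_ts"] = hard.accept(edited_body, tag, now=t0 + 5)
    # A message held back longer than the window is rejected even with a fresh nonce.
    late_body, late_tag = make_message("transfer 100 to account 42", nonce="e4d1a7ff", ts=t0)
    results["hard_stale"] = hard.accept(late_body, late_tag, now=t0 + 120)
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce cache alone would grow without bound; the timestamp window is what lets the server forget nonces older than the window, and the two checks only work together because the MAC binds both fields to the payload.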
Sniffing Attacks
• A sniffer attack (also known as a snooping attack) is any activity that results in a malicious user obtaining information about a network or the traffic over that network.
• A sniffer is some kind of packet-capturing program that dumps the contents of packets traveling over a network medium into a file.
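What a sniffer actually sees is raw frames, so here is an added Python example (not from the slides) that decodes Ethernet, IPv4 and TCP headers from captured bytes and pulls out cleartext FTP-style `USER`/`PASS` lines together with the endpoints that exchanged them. The frames are constructed inline with `build_frame` (checksums left zero, documentation-range addresses); the MAC addresses, ports and credentials are sample data, not a real capture.

```python
import socket
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet II / IPv4 / TCP frame for the sample capture.
    Checksums are left at zero: this is sample data, not a frame to be transmitted."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)          # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode Ethernet, IPv4 and TCP headers and return the addressing plus the TCP payload.
    Returns None for anything that is not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                   # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src_mac": _mac_str(frame[6:12]), "dst_mac": _mac_str(frame[0:6]),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": sport, "dst_port": dport, "payload": tcp[data_offset:],
    }


def sniff_credentials(frames):
    """What a sniffer on the wire learns: cleartext FTP-style USER/PASS lines, with
    the endpoints they were exchanged between."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.startswith((b"USER ", b"PASS ")):
                found.append((pkt["src_ip"], pkt["dst_ip"], line.decode("ascii", "replace")))
    return found


# Constructed sample capture: a cleartext FTP login, then the start of a TLS record.
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "203.0.113.5", 40000, 21, b"USER alice\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "203.0.113.5", 40000, 21, b"PASS hunter2\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "203.0.113.5", 40001, 443,
                bytes.fromhex("160301")),  # encrypted traffic: nothing readable
]

if __name__ == "__main__":
    for hit in sniff_credentials(SAMPLE_FRAMES):
        print(hit)
```

The third frame is the point of the example from the defender's side: the sniffer still sees addresses and ports on the encrypted connection, but the payload yields nothing, which is why cleartext protocols such as FTP, Telnet and plain POP3 are the ones a sniffer attack harvests credentials from.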
Spamming Attacks
• Spam is the term that describes unsolicited e-mail, newsgroup, or discussion forum messages.
– Spam can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested messages with viruses or Trojan horses attached.
– Spamming attacks are directed floods of unwanted messages to a victim's e-mail inbox or other messaging system.
Access Control Compensation
• Access control is used to regulate or specify which objects a subject can access and what type of access is allowed or denied.
• To specify countermeasures for each of these attacks, you can use certain measures to help compensate for access control violations.
Access Control Compensation (Cont. 1)
• Backups are the best means of compensating for access control violations.
• Having backup communication routes, mirrored servers, clustered systems, failover systems, and so on can provide instant automatic or quick manual recovery in the event of an access control violation.