Intrusion detection and prevention systems are the most reliable means of defending against APT incidents and of securing the information infrastructure as a whole. Unlike vulnerability management systems and IT infrastructure support, they have the capacity to detect an APT in progress and subsequently prevent damage to the computer systems. Firewalls are supposed to block illicit inbound traffic, but in many instances they do not succeed; intrusion detection and prevention systems can detect and catch the threats that the firewalls missed. Vulnerability management systems are used to identify, remediate and mitigate vulnerabilities in computer networks, but they are not always effective because attackers change their tools and techniques for exploiting a flaw. Even if the organization analyzes all the top threats by malware, site and location, these parameters change and new points of attack appear.
DESIGN RATIONALES AND PRINCIPLES
The design and implementation of high-speed, reliable, and scalable network intrusion detection systems exhibit some weaknesses worth considering. The most common and most serious issue is that these systems have no knowledge of the network topology or of the operating systems running on the network hosts. Therefore, the NIDS and the end host may interpret the same network traffic differently. This vulnerability allows attackers to evade detection by sending attack traffic to a host in a form that appears harmless from the perspective of the NIDS.
In addition, a NIDS does not have the keys and resources needed to examine end-to-end encrypted traffic for individual hosts, which means that data sent over protocols such as SSL and SSH cannot be centrally inspected, providing attackers with another mechanism to evade detection.
To remedy these effects, a network-node IDS (NNIDS) is favorable for detecting and analyzing the traffic to a single host. An NNIDS unambiguously analyzes that host's network data and can gain access to the host's keys to examine encrypted data. Implementing it as kernel-level or application-level software, however, degrades the other applications running on the host.
A dedicated attacker who manages to compromise the host may disable the NNIDS so that malicious activities go undetected.
These shortcomings are countered by implementing the NNIDS on the network interface rather than on top of the host OS. Running the NNIDS on a NIC with a network processor is more beneficial than a software NNIDS. The benefits include minimal performance impact on the host system and stronger protection for both the host and the IDS itself. A hardware NNIDS is independent of the host operating system and can be made subversion-resistant, so that its redundancy and performance are preserved even if the host is compromised. In this case the attacker cannot disable the NNIDS even after penetrating the host. The control flows to the network interface are highly restricted, making it desirable to install a hardware NNIDS in critical systems or network nodes. The design scales to large and complex systems because each NNIDS runs on an affordable NIC and unambiguously checks only the traffic of the node it is attached to.
Further, the security policies that dictate the functions of network intrusion detection systems can be managed and enforced in a distributed environment. Event-sharing and collaborative analysis techniques, if incorporated, detect distributed attacks and share the workload when required. This concept is not new to NNIDS; it is already available in other NIDS scenarios where load-balancing techniques are essential.
ANTIVIRUS PROGRAMS
FIREWALLS
The challenge of providing a secure computing environment lies in the interconnection of computers to achieve economies of scale. Interconnecting computers to share resources, services and knowledge also gives illegitimate users easy access to vital information and resources, no matter how far they are from the physical site. Firewalls are a vital component in securing the computing environment. A firewall is responsible for controlling access among devices such as computers, networks and servers. Firewalls are deployed between the safe zone and unsafe zones such as the internet, and they act as filters for network traffic: network connections traverse the firewall and unauthorized packets are stopped. The filtering mechanism is based on IP addresses and ports.
Advanced firewalls have been designed to support Network Address Translation, which allows multiple computers to share network addresses. They also provide service differentiation, where certain traffic is given priority so that it is delivered in a timely manner while other traffic is not. VoIP is an example of an activity that needs such differentiation to operate properly.
Firewalls can also inspect the contents of data packets in order to filter packets by content, block packets that contain offensive information and block intrusion attempts.
Firewall policies are ordered lists of rules, each of which comprises a set of tuples and an action. Each tuple corresponds to a field in the packet header: protocol, source address, source port, destination address and destination port. As packets pass through the firewall, their header information is compared with the fields of each rule. If the packet header information is a subset of a rule, this is referred to as a match and the packet is accepted or rejected according to the rule's action. If not, the packet is compared with the next rule in sequence. Acting on the first rule that matches the packet headers is known as a first-match policy.
Firewalls are categorized into three classes: stateful firewalls, packet filters and application-layer firewalls. Packet filters are used at the network and transport layers. The packet filter receives a packet, determines the appropriate action based on the policy definition and performs that action. It works only on the IP address (layer two), the port numbers (layer one) and the transport protocol (layer three). All this information resides in the packet header, so there is no need to inspect the payload.
Stateful firewalls maintain the state of the data that has arrived, in addition to carrying out the same operations as a packet filter. This feature allows the creation of rules that monitor sessions, given the client/server architecture of most communications. Finally, application-layer firewalls filter traffic at the network, transport and application layers. Filtering at the application layer introduces proxies that inspect the contents of the packets, thereby acting like intrusion detection systems.
Firewalls can be merged with other security devices to simplify management. An intrusion prevention system is a combination of a firewall and an IDS.
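The first-match evaluation described above, as an added example that is not code from the original page. It models each rule as the five-tuple plus an action, walks the ordered list until the first match, and also includes a check practitioners rely on when auditing such policies: a rule that sits after a broader rule can never fire under first-match semantics (it is "shadowed"). The rule fields, sample policy and packets are constructed for illustration.

```python
"""First-match firewall policy evaluation with a shadowed-rule check.
Added example, not code from the original page; rule fields and the sample
policy are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # source address
    sport: int   # source port
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR prefix, or "any"
    sport: Optional[int]   # None matches any port
    dst: str               # CIDR prefix, or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "reject"

    def matches(self, pkt: Packet) -> bool:
        """A packet matches when every header field is a subset of the rule."""
        return (
            self.proto in ("any", pkt.proto)
            and _addr_in(pkt.src, self.src)
            and (self.sport is None or self.sport == pkt.sport)
            and _addr_in(pkt.dst, self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )

    def covers(self, other: "Rule") -> bool:
        """True when every packet matching `other` would also match this rule."""
        return (
            self.proto in ("any", other.proto)
            and _prefix_in(other.src, self.src)
            and (self.sport is None or self.sport == other.sport)
            and _prefix_in(other.dst, self.dst)
            and (self.dport is None or self.dport == other.dport)
        )


def _addr_in(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def _prefix_in(inner: str, outer: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def evaluate(policy: List[Rule], pkt: Packet, default: str = "reject") -> Tuple[str, Optional[int]]:
    """First-match: return the action and index of the first rule that matches,
    or the default action (and None) when no rule matches."""
    for index, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    Under first-match, such rules are dead and usually indicate a policy mistake."""
    dead = []
    for j, later in enumerate(policy):
        if any(earlier.covers(later) for earlier in policy[:j]):
            dead.append(j)
    return dead


# Constructed sample policy: allow web to the 10.0.0.0/24 servers, allow those
# servers to initiate anything, allow DNS to the resolver, reject everything else.
POLICY = [
    Rule("tcp", "any", None, "10.0.0.0/24", 80, "accept"),
    Rule("tcp", "10.0.0.0/24", None, "any", None, "accept"),
    Rule("udp", "any", None, "10.0.0.53/32", 53, "accept"),
    Rule("any", "any", None, "any", None, "reject"),
]

# Constructed mistake: the catch-all reject is placed first, so the web rule never fires.
BAD_POLICY = [POLICY[3], POLICY[0]]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 80),
        Packet("tcp", "198.51.100.7", 40001, "10.0.0.5", 22),
        Packet("udp", "10.0.0.9", 5353, "10.0.0.53", 53),
    ):
        print(pkt, "->", evaluate(POLICY, pkt))
    print("shadowed rules in BAD_POLICY:", shadowed_rules(BAD_POLICY))
```

The default action when nothing matches is a design choice; a default of reject is the safer setting because an omitted rule then fails closed rather than open.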
INTRUSION DETECTION SYSTEMS
The saying "no security plan is fool-proof" is true almost all the time and applies to most companies. HIDS and NIDS deployments are the safest protective mechanisms and give your organization better forensic data and security responses.
The goal of security administrators is to prevent unauthorized network and traffic access. Because security breaches occur all the time, it is important to monitor and log activities in a network.
Intrusion detection tools are classified into two types: host intrusion detection systems and network intrusion detection systems. The principal roles of these tools are to provide round-the-clock monitoring and communication systems that detect, alert on and block suspicious traffic on a critical network.
Host intrusion detection systems are security methods used in computer and network management. In HIDS, anti-threat applications such as spyware-detection programs, antivirus software and firewalls are installed on every networked computer. This is applicable in two-way access platforms such as the internet; the HIDS gathers information from various sources and analyses it to identify possible points of attack. HIDS is therefore suitable for business-critical hosts and for servers in a DMZ, which are compromised more frequently.
HIDS operates by utilizing a number of variables on the host system, namely CPU usage, system processes, file access and integrity checking, and registry entries, among others. Thus it can utilize system properties such as logs, system services and registry events for detection and analysis. However, it has the disadvantage of consuming much of the system's resources, since it runs on the host. In addition, by the time the HIDS detects an attack, the damage is already done.
NIDS are deployed as a dedicated component on a network segment, at a single location or at multiple locations according to the user's needs. A NIDS works by comparing the captured network data against a file of known malicious signatures; if it finds a match, it sends an alert based on its security configuration.
NIDS are classified as signature-based and anomaly-based. Signature-based detection uses valid network data and signatures to detect and analyze suspicious and unwanted traffic. Anomaly-based systems filter and alert when the network traffic is incorrect or abnormal. Our intrusion detection systems employ more than one signature in a NIDS library. This caters for proprietary industrial controller data transmitted between discrete devices, which is often flagged by anomaly-based systems.
Network-based intrusion detection systems have the advantage of wide coverage: the entire network can be covered using a single NIDS. In addition, a NIDS has minimal install/upgrade effects on the network and avoids the DoS conditions that can affect a host. It also has the benefit of identifying network-layer errors and of operating in an independent environment.
On the flip side, NIDS depend on the latest signature updates, and most tools on the market fail to detect new signature patterns or variations in the patterns used by attackers. For this reason, our tools are frequently updated to detect new patterns in attack signatures, thereby guaranteeing the safety of your systems.
The deployment of HIDS and NIDS on critical devices and networks is a crucial step for your business or individual needs. A tailor-made and correct choice will provide the best protective and preventive measures for your organization, facilitating quicker response and better forensic data for your security purposes. We provide these solutions and services, together with validated updates and signatures, as part of a dispatch subscription so that they can be implemented in the way that best suits your needs.
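The two NIDS approaches just described, side by side in one small inspector, as an added example that is not code from the original page or from any product. The signature path compares each payload against a library of byte patterns; the anomaly path keeps a sliding window per source and alerts when one source touches more destination ports than a threshold allows, which is behaviour no signature describes. The signature library, threshold and the packet capture are constructed for illustration.

```python
"""Signature-based plus anomaly-based inspection of captured packets.
Added example, not code from the original page; the signatures, the rate
threshold and the packet capture below are constructed for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed signature library: name -> byte pattern looked for in the payload.
SIGNATURES: Dict[str, bytes] = {
    "directory-traversal": b"../../",
    "html-script-injection": b"<script>",
}


class Nids:
    def __init__(self, signatures: Dict[str, bytes], max_ports: int = 5, window: float = 1.0):
        self.signatures = signatures
        self.max_ports = max_ports      # distinct destination ports per source tolerated in `window`
        self.window = window            # seconds
        self.recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def inspect(self, pkt: dict) -> List[str]:
        """Return the alerts raised by one packet (empty list when it is clean)."""
        alerts = []
        # Signature path: exact byte patterns known to be malicious.
        for name, pattern in self.signatures.items():
            if pattern in pkt["payload"]:
                alerts.append(f"SIGNATURE {name} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
        # Anomaly path: one source touching many destination ports in a short
        # window matches no signature but is abnormal for an ordinary client.
        hist = self.recent[pkt["src"]]
        hist.append((pkt["ts"], pkt["dport"]))
        while hist and pkt["ts"] - hist[0][0] > self.window:
            hist.popleft()
        distinct = {port for _, port in hist}
        if len(distinct) == self.max_ports + 1:   # alert once, when the threshold is crossed
            alerts.append(f"ANOMALY port-sweep {pkt['src']} touched {len(distinct)} ports in {self.window}s")
        return alerts


def run(nids: Nids, packets: List[dict]) -> List[str]:
    alerts = []
    for pkt in packets:
        alerts.extend(nids.inspect(pkt))
    return alerts


# Constructed capture: two web requests (the second carrying a traversal string)
# followed by a burst from one source against eight different ports.
CAPTURE = [
    {"ts": 0.0, "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"ts": 0.1, "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 80, "payload": b"GET /../../config.ini HTTP/1.1"},
] + [
    {"ts": 1.0 + i * 0.1, "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 21 + i, "payload": b""}
    for i in range(8)
]


def demo() -> List[str]:
    return run(Nids(SIGNATURES), CAPTURE)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it produces one signature alert for the traversal request and one anomaly alert when the sweeping source crosses the port threshold; the first, benign request raises nothing. The anomaly path is also where the text's caveat applies: unusual but legitimate traffic (the proprietary controller data mentioned above) trips thresholds like this one unless the threshold or the source is specifically tuned.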
TACTICS FOR EVADING DETECTION
Threats can be grouped into structured and unstructured. Structured threats are concerned with quietly compromising a victim and maintaining unauthorized access, while unstructured threats do not care whether they are discovered or not; once discovered, they move on to the next ill-prepared victim. Structured attackers tend to conceal their actions for the purposes of committing financial fraud, theft of intellectual property and espionage. They use four major schemes to advance their agenda. In order of increasing sophistication, these are: promoting anonymity, evading detection, appearing normal, and degrading or denying the collection of evidence, which complicates host-based investigation.
- Promoting anonymity
Network attacks are classified into interactive attacks, where the perpetrator is concerned with stealing information from another user of the network, and non-interactive attacks, where the perpetrator uses malicious software to mount denial-of-service attacks on other members of the network.
The two most common methods used by attackers are:
- Stepping stone chains
A stepping-stone chain is the indirect connection of an intruder through a sequence of hosts known as stepping stones. Stepping-stone attacks result from intermediary hosts that were compromised earlier and remain available for further use.
This means that attackers launch attacks not from their own computers but from others they previously compromised, in order to conceal their tracks. Intruders assemble a collection of accounts on compromised hosts and then conduct a new attack by logging in through a series of hosts before finally launching the assault on the target.
- IP-spoofing
Networks rely on truthful information; without accurate information they do not work correctly. Attackers use lies to deceive networks and the systems attached to them, thereby impacting their operation. Source address spoofing is a mechanism for lying about a packet's return address.
Attackers have used source address spoofing to mount denial-of-service attacks against commercial servers and networks. Though the phenomenon is still widely misunderstood, measures have been developed that make such attacks unsuccessful. Users can become a victim of address spoofing, and more worryingly a source of attacks based on it, unless they understand how it works and take measures to prevent it.
To become spoof-proof, ISPs apply ingress filtering, which drops any packets with spoofed source addresses. For instance, Cisco Express Forwarding is an advanced IP switching technology designed for high-performance layer 3 IP switching.
- Attack from a trusted host
IP spoofing is a means of IP address forgery whereby an attacker masquerades as a trusted host to conceal his identity. The attacker obtains the IP address of the legitimate host and alters packet headers so that the source appears to be the legitimate host. A user who visits the site is redirected to spoofed content created by the attacker, and in this way the attacker gains access to sensitive information and network resources. Beyond this, the attacker could alter sensitive information, install malware and take control of the compromised computer in order to send out spam.
Administrators can minimize such attacks by implementing hierarchical or one-time passwords and data encryption techniques. Users and administrators can protect themselves and their networks by installing firewalls that block outgoing packets whose source addresses differ from the IP address of the user's computer or its network.
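Both source-address controls mentioned in this section, the ISP-side ingress filtering from the IP-spoofing passage and the site-side rule that blocks outgoing packets whose source is not the site's own, in one added example that is not code from the original page. The prefixes and the packets are constructed; the bogon list is the usual set of private and reserved ranges that never legitimately appear as an internet source.

```python
"""Source-address validation at a network border: ingress filtering (at the ISP,
accept only packets whose source lies in the customer's prefixes) and egress
filtering (at the site, let out only packets whose source is the site's own).
Added example, not code from the original page; prefixes and packets are constructed."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Address ranges that should never appear as a source on the public internet.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def ingress_check(src: str, customer_prefixes: Iterable[str]) -> Tuple[bool, str]:
    """ISP edge facing a customer: the source must be an address the customer owns."""
    addr = ip_address(src)
    allowed = [ip_network(p) for p in customer_prefixes]
    if _in_any(addr, BOGONS):
        return False, "bogon source"
    if not _in_any(addr, allowed):
        return False, "source not in customer prefix (spoofed)"
    return True, "ok"


def egress_check(src: str, own_prefixes: Iterable[str]) -> Tuple[bool, str]:
    """Site firewall, outbound direction: only our own addresses may leave."""
    addr = ip_address(src)
    if not _in_any(addr, [ip_network(p) for p in own_prefixes]):
        return False, "outbound source is not ours (spoofed)"
    return True, "ok"


def apply_check(check, packets: List[dict], prefixes: Iterable[str]) -> List[str]:
    """Run a check over constructed packets and produce one log line per packet."""
    log = []
    prefixes = list(prefixes)
    for pkt in packets:
        ok, reason = check(pkt["src"], prefixes)
        log.append(f"{'PASS' if ok else 'DROP'} {pkt['src']} -> {pkt['dst']} ({reason})")
    return log


# Constructed traffic arriving at an ISP edge from customer 198.51.100.0/24.
INBOUND_FROM_CUSTOMER = [
    {"src": "198.51.100.7", "dst": "203.0.113.80"},   # genuine customer address
    {"src": "203.0.113.5", "dst": "203.0.113.80"},    # claims someone else's address
    {"src": "10.1.2.3", "dst": "203.0.113.80"},       # private range, never valid on the internet
]

# Constructed traffic leaving a site whose own prefix is 192.0.2.0/24.
OUTBOUND_FROM_SITE = [
    {"src": "192.0.2.44", "dst": "198.51.100.7"},
    {"src": "198.51.100.7", "dst": "192.0.2.44"},     # forged: not one of the site's addresses
]

if __name__ == "__main__":
    print("\n".join(apply_check(ingress_check, INBOUND_FROM_CUSTOMER, ["198.51.100.0/24"])))
    print("\n".join(apply_check(egress_check, OUTBOUND_FROM_SITE, ["192.0.2.0/24"])))
```

The two checks are deliberately placed at different points: the ISP cannot know which of its customer's hosts sent a packet, only that the source lies within the customer's allocation, while the site firewall can enforce the tighter rule that nothing leaves with a foreign source address.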
- Attack from a familiar Netblock
A block or range of IP addresses is known as a netblock. Internet attacks and intrusions target netblocks because of the time it takes to scan a network.
Client-side attacks target vulnerabilities in client applications that interact with a malicious server or malicious data. The client initiates a connection, and that connection can result in an attack; the client has to interact with the server in order to be affected. A client running mere FTP is not vulnerable, but interactive applications such as instant messaging expose the client to such attacks because clients are automatically configured to log into the remote server.
An example of a client-side attack is a malicious web page targeting a specific browser; if the attack succeeds, it grants the malicious server complete control of the client system.
Encryption is a means of evading detection in which the payload of every packet crossing the NIDS's path cannot be interpreted. SSL, SSH and IPsec encrypted tunnels all prevent the NIDS from interpreting the payload correctly.
Distributed denial-of-service (DDoS) attacks involve multiple compromised systems attacking a single target, causing a denial of service for users of that system. Incoming messages flood the target system, forcing it to shut down and denying resources to other system users.
- Self inflicted problems in NSM
When a system is degraded or collection is denied, it is the people and resources that analyze alerts and traffic that are being attacked. The most successful way to advance this attack is to exploit the procedures they follow. For instance, a simple way to slip an attack past the intrusion detection system is to sound an attack alarm and wait for the analysts to clear the decks. By the time the "all clear" is issued, the attack is already advanced, and the attention paid to the earlier potential attack undermines the intrusion detection capability of the system or analyst.
INTRUSION PREVENTION METHODS
Intrusion prevention systems are more effective than firewalls because they are configured with policies that allow them to make autonomous decisions on how to deal with application-level threats as well as port-level and simple IP address-based attacks.
They respond directly to incoming threats by automatically dropping suspicious packets, quarantining the intruder's file and allowing legitimate packets to pass. Thus an IPS must have sophisticated discriminatory mechanisms to differentiate between a real threat and traffic that merely resembles one. Once the system detects an intruder, it must quickly notify the administrator so that appropriate action can be taken. IPS exist in many types, including network-based, host-based, content-based and rate-based.
ANTI-MALWARE PROGRAMS
Anti-malware programs are normally referred to as antivirus. They are programs designed to analyze files and programs for known patterns of data that indicate malicious code. Signature scanning is achieved via a multi-tiered approach in which the entire hard drive of the computer is scanned sequentially during idle periods, and any file that is accessed is scanned immediately, to prevent dormant code in a file that has not yet been scanned from becoming active. Malicious code that is found is either quarantined or deleted from the system.
New or modified malware may go undetected because signature-based scanning has no signature for that malware, or because the anti-malware signatures are not up to date. To counter this, sophisticated anti-malware programs have been developed that monitor for known malicious behavioral patterns in addition to signature-based scanning.
NETWORK-BASED INTRUSION PREVENTION SYSTEMS
NIDS are designed to passively monitor traffic and raise alarms when suspicious traffic is detected, while NIPS are designed to prevent the attack from succeeding. NIPS devices are inserted inline with the traffic they monitor. Every packet is inspected and allowed to pass only if it does not trigger an alert founded on a signature match or an anomaly threshold. Suspicious packets are discarded and an alert is generated.
HOST-BASED INTRUSION PREVENTION SYSTEMS
Host-based intrusion prevention systems use the same signature-based technology found in NIDS and NIPS, but in addition they are installed on the protected system, where they analyze and monitor what other processes on the system are doing at a highly detailed level. This involves observing system calls, interprocess communication, network traffic and other behavioral patterns for signs of suspicious activity.
A further advantage of HIPS is that encrypted network traffic can be analyzed after decryption, ruling out a hidden attack that NIDS and NIPS could not detect. HIPS can be used in a targeted fashion to complement NIPS and NIDS and function effectively alongside them.
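The behavioral monitoring described for HIPS above (and the behavioral complement to signature scanning described under anti-malware programs), as an added example that is not code from the original page or from any product. It uses one well-known simple technique: record the short system-call sequences (n-grams) a program issues during normal operation, then flag a later trace that contains sequences never seen in training. The program name, the baseline traces and the observed traces are constructed for illustration.

```python
"""Host-level behavioral monitoring: learn which short system-call sequences a
program normally issues, then flag traces containing sequences never seen in
training. Added example, not code from the original page; the traces below
are constructed and the n-gram approach is one simple way to do this."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def ngrams(trace: List[str], n: int) -> Set[Tuple[str, ...]]:
    """All length-n windows of a system-call trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


class HostMonitor:
    def __init__(self, n: int = 3, tolerance: int = 0):
        self.n = n
        self.tolerance = tolerance   # unseen n-grams allowed before a trace is flagged
        self.profiles: Dict[str, Set[Tuple[str, ...]]] = defaultdict(set)

    def train(self, program: str, trace: List[str]) -> None:
        """Extend a program's profile from a trace recorded during normal operation."""
        self.profiles[program] |= ngrams(trace, self.n)

    def unseen(self, program: str, trace: List[str]) -> Set[Tuple[str, ...]]:
        """The n-grams in `trace` that the program's profile has never contained."""
        return ngrams(trace, self.n) - self.profiles.get(program, set())

    def check(self, program: str, trace: List[str]) -> Tuple[bool, int]:
        """Return (flagged, count of unseen n-grams). A program with no profile is
        always flagged, since nothing is known about its normal behavior."""
        if program not in self.profiles:
            return True, len(ngrams(trace, self.n))
        count = len(self.unseen(program, trace))
        return count > self.tolerance, count


# Constructed baseline traces for a web server handling requests normally.
BASELINE = [
    ["accept", "read", "write", "close"],
    ["accept", "read", "read", "write", "close"],
]
# Constructed observed traces: a normal request, and one where the server
# process spawns a program and opens an outbound connection instead of replying.
NORMAL = ["accept", "read", "read", "write", "close"]
SUSPICIOUS = ["accept", "read", "execve", "socket", "connect"]


def demo() -> Dict[str, Tuple[bool, int]]:
    mon = HostMonitor(n=3)
    for trace in BASELINE:
        mon.train("httpd", trace)
    return {
        "normal": mon.check("httpd", NORMAL),
        "suspicious": mon.check("httpd", SUSPICIOUS),
        "unknown-program": mon.check("cron", NORMAL),
    }


if __name__ == "__main__":
    for label, (flagged, count) in demo().items():
        print(f"{label}: {'FLAG' if flagged else 'ok'} ({count} unseen sequences)")
```

The tolerance parameter is the same trade-off the text attributes to anomaly-based NIDS: a zero tolerance catches the first deviation but will also flag a legitimate code path that the training traces never exercised, so the baseline has to be collected across the program's full normal workload before enforcement is turned on.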
ANNOTATED BIBLIOGRAPHY
Bejtlich, R. (2004). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education.
Park, C.-S. S.-S. (2010). A Study of Effect of Information Security Management System [ISMS] Certification on Organization Performance. JCSNS International Journal of Computer Science and Network Security, 10(3): 10-21.
This article discusses the information security management systems adopted by organizations to counter cybercrime such as hacking and malware, in place of sporadic security management practices. It outlines the ISMS certification system in effect in Korea from 2001 and how certifications have increased over time.
Brian Caswell, J. B. (2008). Snort 2.1 Intrusion Detection, Second Edition. Syngress.
Kizza, J. M. (2009). A guide to computer network security. Springer.
Sandhu, R. H. (2009). Identification and Authentication. In Computer Security Handbook. John Wiley & Sons.