Page 1

Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

Page 2

If a computer is on the Internet, or receives data from the Internet, including Web browsing or email, then security is a problem.

This is true for everyone, as automated scanners and worms do not make distinctions between targets.

Simply, if your system has vulnerabilities, it will be hit.

Page 3

Because security problems are ubiquitous, security solutions should be also.

To be effective, this security must follow a "defense in depth" strategy or a layered approach. This means that security is layered in hopes that if an attack passes through one layer, it is caught by the next, or the next.

Defense in depth combines network security and host-based security (especially antivirus software).

While each layer is important, no layer is sufficient on its own.

Many end users make the mistake of thinking that a firewall, by itself, constitutes network security.

Page 4

With market penetration of firewalls reaching more than 95 percent, security problems still persist for organizations large and small.

Simply allowing Web traffic allows all Web traffic, including that which is malicious.

The next step that many organizations have taken is to install intrusion detection systems (IDS), which can monitor traffic for attack signatures that represent hostile activity.

Page 5

Intrusion detection (ID) is a type of security management system for computers and networks.

An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

Page 6

ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.

Page 7

Monitoring and analyzing both user and system activities

Analyzing system configurations and vulnerabilities

Assessing system and file integrity

Ability to recognize patterns typical of attacks

Analysis of abnormal activity patterns

Tracking user policy violations

Page 8

Typically, an ID system follows a two-step process.

The first procedures are host-based and are considered the passive component:

inspection of the system's configuration files to detect inadvisable settings

inspection of the password files to detect inadvisable passwords

inspection of other system areas to detect policy violations.
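As an added example (not part of the lecture), the passive host-based step above written out in Python: a configuration file is inspected for inadvisable directives, a password file for accounts that should not exist, and file permissions for policy violations. The inadvisable-setting policy, the setuid allowlist and all three inputs are constructed samples, not data from any real host.

```python
"""Passive host-based inspection, as an IDS agent's first step: check a
configuration file for inadvisable settings, a password file for inadvisable
accounts, and file permissions for policy violations. All inputs below are
constructed samples embedded in the script."""
import stat

# Hypothetical site policy: directives (in OpenSSH sshd_config style) whose
# listed values are considered inadvisable.
INADVISABLE_SETTINGS = {
    "PermitRootLogin": {"yes"},
    "PasswordAuthentication": {"yes"},
    "PermitEmptyPasswords": {"yes"},
}

# Hypothetical allowlist of binaries that are expected to be setuid.
ALLOWED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo"}


def check_config(text):
    """Return (directive, value) pairs that match an inadvisable setting.
    Blank lines and '#' comments are ignored; directives are 'Key value'."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if value.lower() in INADVISABLE_SETTINGS.get(key, set()):
            findings.append((key, value))
    return findings


def check_passwd(text):
    """Inspect /etc/passwd-style lines (name:pw:uid:gid:gecos:home:shell).
    Flags an empty password field (login without any password) and any
    non-root account with UID 0 (a root-equivalent account)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


def check_permissions(entries):
    """Inspect (path, st_mode) pairs such as os.stat() would give. Flags
    world-writable files and setuid binaries missing from the allowlist."""
    findings = []
    for path, mode in entries:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID and path not in ALLOWED_SETUID:
            findings.append((path, "setuid binary not in allowlist"))
    return findings


# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = """# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords yes
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_FILES = [
    ("/etc/shadow", 0o100640),
    ("/tmp/report.txt", 0o100666),
    ("/usr/bin/passwd", 0o104755),
    ("/opt/tool/helper", 0o104755),
]


def run_host_inspection():
    """Run all passive checks and return the findings grouped by check."""
    return {
        "config": check_config(SAMPLE_SSHD_CONFIG),
        "passwd": check_passwd(SAMPLE_PASSWD),
        "permissions": check_permissions(SAMPLE_FILES),
    }


if __name__ == "__main__":
    for check, findings in run_host_inspection().items():
        for item, problem in findings:
            print(f"[{check}] {item}: {problem}")
```

Each check is passive: it reads state and reports, exactly the role the slide assigns to the host-based component. On a real agent the sample strings would be replaced by the contents of the actual files and the output of os.stat() over the paths the policy covers.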

Page 9

The second procedures are network-based and are considered the active component: mechanisms are set in place to reenact known methods of attack and to record system responses.

Page 10

Network based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic.

A network IDS, using either a network tap, SPAN port, or hub, collects packets that traverse a given network.

Using the captured data, the IDS system processes and flags any suspicious traffic.

The role of a network IDS is passive, only gathering, identifying, logging and alerting.

Page 11

Host-based intrusion detection (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.

HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.

The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.

The role of a host IDS is passive, only gathering, identifying, logging, and alerting.

Page 12

A honeypot is simply a system, program, or file that has absolutely no purpose in production.

Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to

Honeypots are probably one of the last security tools an organization should implement. This is primarily because of the concern that somebody may use the honeypot to attack other systems.

Page 13

A honeypot can also be a computer on your network that looks and acts like a legitimate computer but is actually configured to interact with potential hackers.

Honeypots are also known as a sacrificial lamb, decoy, or booby trap.

The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems.

The longer the hacker stays using the honeypot, the more will be disclosed about their techniques.

This information can be used to identify what they are after, what their skill level is, and what tools they use.

All this information is then used to better prepare your network and host defenses.

Page 14

Step 1: Node A transmits a frame to Node C.

Step 2: The hub will broadcast this frame to each active port.

Step 3: Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame.

Step 4: Node C will also receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.

Page 15

In order for a host to be used as a sniffing agent, the network interface must be set to 'promiscuous' mode.

Setting this mode requires root or administrator access. After this mode is set, the network interface will no longer drop network frames which are addressed to other hosts. Rather, it will pass them up to the higher network layers with the expectation that some software at a higher layer will process them.

Page 16

Step 1: Node A transmits a frame to Node C.

Step 2: The hub will broadcast this frame to each active port.

Step 3: Node B will receive this frame and will accept it because the network interface has been set to 'promiscuous' mode. This allows a network interface to accept any frames, regardless of the MAC (Media Access Control) address in the frame.

Step 4: Node C will also receive the frame and will process it as expected. It has no way of knowing that another host has also processed the frame.

Page 17

Step 1: Node A transmits a frame to Node C.

Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection.

Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.
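An added example (not from the lecture) that runs the three frame-delivery walkthroughs above as a small simulation: a hub that repeats every frame, network interfaces that discard frames not addressed to them unless they are in promiscuous mode, and a switch that learns which port each MAC is on. Host names, MAC addresses and port numbers are constructed; the classes model the behaviour described on the slides, not real networking code.

```python
"""Frame delivery on a hub versus a switch, with and without a promiscuous
network interface. A small simulation of the slides' walkthroughs."""


class Host:
    """A node with one network interface (constructed names and MACs)."""

    def __init__(self, name, mac, promiscuous=False):
        self.name = name
        self.mac = mac
        self.promiscuous = promiscuous
        self.processed = []  # frames passed up to the higher layers

    def receive(self, frame):
        """NIC filtering: a frame is passed up only if it is addressed to this
        interface's MAC; in promiscuous mode every frame is passed up."""
        if self.promiscuous or frame["dst"] == self.mac:
            self.processed.append(frame)
            return True
        return False  # frame discarded by the interface


class Hub:
    """Repeats every frame to every active port except the one it came in on."""

    def __init__(self):
        self.ports = []

    def connect(self, host):
        self.ports.append(host)

    def transmit(self, frame, sender):
        return [h.name for h in self.ports if h is not sender and h.receive(frame)]


class Switch:
    """Learns which port each source MAC lives on and forwards frames only to
    the learned port; destinations it has not learned yet are flooded."""

    def __init__(self):
        self.ports = {}  # port number -> host
        self.cam = {}    # learned MAC -> port number

    def connect(self, port, host):
        self.ports[port] = host

    def transmit(self, frame, sender):
        ingress = next(p for p, h in self.ports.items() if h is sender)
        self.cam[frame["src"]] = ingress  # learn source MAC -> ingress port
        out_port = self.cam.get(frame["dst"])
        if out_port is None:
            targets = [h for p, h in self.ports.items() if p != ingress]
        else:
            targets = [self.ports[out_port]]
        return [h.name for h in targets if h.receive(frame)]


def make_hosts(b_promiscuous):
    return (Host("A", "00:aa"), Host("B", "00:bb", b_promiscuous), Host("C", "00:cc"))


def make_switch(hosts):
    sw = Switch()
    for port, host in enumerate(hosts, start=1):
        sw.connect(port, host)
    return sw


def frame(src, dst, payload="hello"):
    return {"src": src.mac, "dst": dst.mac, "payload": payload}


def run_scenarios():
    """Return, per scenario, the names of hosts that processed A's frame to C."""
    results = {}

    # Hub, Node B in normal mode: B examines the address and discards the frame.
    a, b, c = make_hosts(b_promiscuous=False)
    hub = Hub()
    for h in (a, b, c):
        hub.connect(h)
    results["hub_normal"] = hub.transmit(frame(a, c), a)

    # Hub, Node B in promiscuous mode: B accepts the frame as well.
    a, b, c = make_hosts(b_promiscuous=True)
    hub = Hub()
    for h in (a, b, c):
        hub.connect(h)
    results["hub_promiscuous"] = hub.transmit(frame(a, c), a)

    # Switch that already knows C's port: only C sees the frame, even though
    # B is promiscuous.
    a, b, c = make_hosts(b_promiscuous=True)
    sw = make_switch((a, b, c))
    sw.transmit(frame(c, a, "earlier traffic"), c)  # teaches the switch C's port
    results["switch_learned"] = sw.transmit(frame(a, c), a)

    # Fresh switch with an empty table: the unknown destination is flooded,
    # so a promiscuous B still sees this first frame.
    a, b, c = make_hosts(b_promiscuous=True)
    sw = make_switch((a, b, c))
    results["switch_unlearned"] = sw.transmit(frame(a, c), a)
    return results


if __name__ == "__main__":
    for name, seen_by in run_scenarios().items():
        print(f"{name:18s} frame processed by {seen_by}")
```

The last scenario is the caveat a defender should keep in mind: a switch only gives the 'private' connection after it has learned the destination's port, and frames to unknown destinations are flooded just as on a hub. On Linux, the promiscuous state the slides describe is visible to a host-based agent as the IFF_PROMISC bit (0x100) in the interface flags exposed at /sys/class/net/<interface>/flags.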

Page 18

ARP Spoofing

When Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include the MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner.

It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.

Page 19

MAC Flooding

On some switches, it is possible to bombard the switch with bogus MAC address data. The switch, not knowing how to handle the excess data, will 'fail open'. That is, it will revert to a hub and will broadcast all network frames to all ports. At this point, one of the more generic network sniffers will work.

Page 20

MAC Duplicating

You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff.

This is easy to do on a Linux box if you have access to the 'ifconfig' command.

This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning its ARP cache.

In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address.

Page 21

IP Filtering

By enabling IP filtering on your switch, you directly specify which traffic is allowed to flow to and from each port. This can be a monumental effort to put in place and manage, especially if your environment is dynamic.

Port Security

If your hub or switch has the ability to enable port security, this will help to protect you from both the MAC Flood and MAC Spoofing attacks. This feature effectively prevents the hub or switch from recognizing more than one MAC address on a physical port.

Routing Security

No workstations should be allowed to run a routing protocol, as they may be compromised. Management of any of your network gear should be through a secure connection and not through telnet, which passes the administrative login/password in cleartext.
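An added example (not part of the lecture) showing the detection side of the ARP Spoofing, MAC Flooding and MAC Duplicating slides together with the port-security rule above: an ARP watcher that alerts when a known IP address suddenly answers with a different MAC, and a port watcher that alerts when a port learns more MACs than its limit (one per access port, as port security would enforce) or when one MAC turns up on two ports. The ARP replies, port names, MACs and the uplink limit are constructed samples.

```python
"""Layer-2 monitoring from the defender's side: an ARP watcher that notices
an IP address changing MAC (ARP spoofing), and a port watcher that applies a
port-security style limit on MACs per port (MAC flooding) and notices one MAC
appearing on two ports (MAC duplicating). All observations are constructed."""
from collections import defaultdict


class ArpWatcher:
    """Keeps the IP -> MAC mapping learned from ARP replies seen on the wire
    and raises an alert whenever a known IP suddenly claims a different MAC."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        previous = self.table.get(sender_ip)
        if previous is not None and previous != sender_mac:
            self.alerts.append(("arp-change", f"{sender_ip}: {previous} -> {sender_mac}"))
        self.table[sender_ip] = sender_mac


class PortWatcher:
    """Tracks which MACs each switch port has learned. Access ports default to
    a limit of one MAC (the port-security setting described above); uplinks
    can be given a higher limit."""

    def __init__(self, default_limit=1, port_limits=None):
        self.default_limit = default_limit
        self.port_limits = port_limits or {}
        self.macs_by_port = defaultdict(set)
        self.ports_by_mac = defaultdict(set)
        self.alerts = []

    def observe(self, port, mac):
        self.macs_by_port[port].add(mac)
        self.ports_by_mac[mac].add(port)
        limit = self.port_limits.get(port, self.default_limit)
        # Alert once, at the moment the port first exceeds its limit.
        if len(self.macs_by_port[port]) == limit + 1:
            self.alerts.append(("port-limit", f"{port}: more than {limit} MAC(s) learned"))
        # Alert once, when a MAC is first seen on a second port.
        if len(self.ports_by_mac[mac]) == 2:
            ports = ", ".join(sorted(self.ports_by_mac[mac]))
            self.alerts.append(("mac-duplicate", f"{mac} seen on ports {ports}"))


# Constructed ARP replies (sender IP, sender MAC) as a passive sensor on the
# segment would see them. 10.0.0.3 is Node C; 00:11:22:33:44:b2 is Node B.
ARP_REPLIES = [
    ("10.0.0.3", "00:11:22:33:44:c3"),
    ("10.0.0.1", "00:11:22:33:44:a1"),
    ("10.0.0.3", "00:11:22:33:44:b2"),  # unsolicited reply from B claiming C's IP
    ("10.0.0.3", "00:11:22:33:44:c3"),  # C answers again: the mapping flip-flops
]

# Constructed MAC-learning events (port, MAC) from the switch's address table.
PORT_EVENTS = [
    ("Gi1/0/1", "00:11:22:33:44:a1"),
    ("Gi1/0/3", "00:11:22:33:44:c3"),
    ("Gi1/0/2", "00:11:22:33:44:b2"),
    ("Gi1/0/2", "00:11:22:33:44:c3"),  # B now also presents C's MAC (duplicating)
    ("Gi1/0/4", "de:ad:be:ef:00:01"),
    ("Gi1/0/4", "de:ad:be:ef:00:02"),  # a burst of bogus MACs on one port (flooding)
    ("Gi1/0/4", "de:ad:be:ef:00:03"),
    ("Gi1/0/4", "de:ad:be:ef:00:04"),
    ("Gi1/0/24", "00:50:56:00:00:01"),  # uplink: several MACs are expected here
    ("Gi1/0/24", "00:50:56:00:00:02"),
    ("Gi1/0/24", "00:50:56:00:00:03"),
]


def analyze(arp_replies=ARP_REPLIES, port_events=PORT_EVENTS):
    """Feed both watchers and return their alerts plus the MAC count per port."""
    arp = ArpWatcher()
    for ip, mac in arp_replies:
        arp.observe(ip, mac)
    ports = PortWatcher(default_limit=1, port_limits={"Gi1/0/24": 50})
    for port, mac in port_events:
        ports.observe(port, mac)
    return {
        "arp_alerts": arp.alerts,
        "port_alerts": ports.alerts,
        "macs_per_port": {p: len(m) for p, m in ports.macs_by_port.items()},
    }


if __name__ == "__main__":
    report = analyze()
    for kind, detail in report["arp_alerts"] + report["port_alerts"]:
        print(f"{kind:14s} {detail}")
    print("MACs per port:", report["macs_per_port"])
```

The ARP watcher is the classic arpwatch idea: it cannot tell which of the two MACs is the legitimate one, only that the mapping changed, which is why the sample flip-flop produces two alerts. The per-port limit is what port security enforces on the switch itself; running the same logic over the switch's address table gives visibility where the feature is unavailable or not yet enabled.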

Page 22

Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities.

The IDS contains information about these vulnerabilities and looks for attempts to exploit them.

When such an attempt is detected, an alarm is triggered.

Page 23

In other words, any action that is not explicitly recognized as an attack is considered acceptable.

Therefore, the accuracy of knowledge-based intrusion detection systems is considered good.

However, their completeness (i.e., whether they detect all possible attacks) depends on the regular update of knowledge about attacks.

Page 24

The advantage of the knowledge-based approaches is that they have the potential for very low false alarm rates.

Page 25

Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users.

The model of normal or valid behavior is extracted from reference information collected by various means.

The intrusion detection system later compares this model with the current activity.

Page 26

When a deviation is observed, an alarm is generated.

In other words, anything that does not correspond to a previously learned behavior is considered intrusive.

Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms).

Page 27

Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities.

They can even contribute to the (partially) automatic discovery of these new attacks.

They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability.

In short, this is the paranoid approach: Everything which has not been seen previously is dangerous.

Page 28

The high false alarm rate is generally cited as the main drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase.

Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms.

Page 29

The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.
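An added example (not part of the lecture) that puts the knowledge-based and behavior-based slides side by side on the same constructed audit events: a signature detector with a small knowledge base, a behavior profile learned per user, and a second profile whose learning phase overlapped with the attack, as the slide above describes. The resulting true-positive, false-positive and false-negative counts show the accuracy versus completeness trade-off in numbers. User names, action names, the signature set and all events are hypothetical.

```python
"""Knowledge-based (signature) detection beside behavior-based (anomaly)
detection on the same constructed audit events, so the accuracy versus
completeness trade-off, and the effect of learning while under attack, can be
seen in numbers. Event names and signatures are hypothetical."""
from collections import defaultdict

# Knowledge base of the signature detector: actions known to be attacks.
KNOWN_ATTACK_ACTIONS = {"disable_logging", "dump_password_db"}


def signature_detect(events):
    """Knowledge-based: alarm only on actions in the knowledge base.
    Anything not explicitly recognized as an attack is accepted."""
    return [(user, action) for user, action in events if action in KNOWN_ATTACK_ACTIONS]


class BehaviorProfile:
    """Behavior-based: learn the set of actions each user normally performs,
    then alarm on any action that was not seen during learning."""

    def __init__(self):
        self.normal = defaultdict(set)

    def learn(self, events):
        for user, action in events:
            self.normal[user].add(action)

    def detect(self, events):
        return [(user, action) for user, action in events if action not in self.normal[user]]


def score(alarms, labelled_events):
    """Count true positives, false positives and false negatives against
    ground-truth labels (True = the event really was an attack)."""
    alarms = set(alarms)
    tp = fp = fn = 0
    for user, action, is_attack in labelled_events:
        alarmed = (user, action) in alarms
        if alarmed and is_attack:
            tp += 1
        elif alarmed and not is_attack:
            fp += 1
        elif not alarmed and is_attack:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


# Constructed learning-phase events: normal activity only.
CLEAN_BASELINE = [
    ("alice", "login"), ("alice", "read_report"), ("alice", "send_mail"),
    ("bob", "login"), ("bob", "read_report"), ("bob", "run_backup"),
]

# Constructed monitored events with ground truth (user, action, is_attack).
MONITORED = [
    ("alice", "login", False),
    ("alice", "print_report", False),          # benign, but never seen in training
    ("bob", "disable_logging", True),          # attack with a known signature
    ("bob", "export_customer_table", True),    # novel abuse of privilege, no signature
    ("bob", "run_backup", False),
]


def run_comparison():
    """Return tp/fp/fn for the signature detector, for the behavior detector
    trained on clean data, and for one trained while the attacker was active."""
    events = [(u, a) for u, a, _ in MONITORED]

    clean = BehaviorProfile()
    clean.learn(CLEAN_BASELINE)

    # Learning phase that overlapped with the attack: the attacker's novel
    # action ends up in bob's profile and is no longer anomalous.
    poisoned = BehaviorProfile()
    poisoned.learn(CLEAN_BASELINE + [("bob", "export_customer_table")])

    return {
        "signature": score(signature_detect(events), MONITORED),
        "behavior_clean": score(clean.detect(events), MONITORED),
        "behavior_poisoned": score(poisoned.detect(events), MONITORED),
    }


if __name__ == "__main__":
    for name, counts in run_comparison().items():
        print(f"{name:18s} {counts}")
```

The signature detector raises no false alarm but misses the novel privilege abuse; the cleanly trained behavior profile catches both attacks but also alarms on the benign action it never saw; and the profile that learned while the attack was under way silently accepts the attacker's action, which is the failure mode the slide above warns about.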
