Network Security: Attacks and Monitoring. Slide 3 of the course Keamanan Jaringan (Network Security), by Setio Basuki


Course Objectives

  • Network Monitoring
  • Intrusion Detection System (IDS)
  • Penetration Testing
  • Attack Methods

Network Monitoring

  • Subjects are held accountable for their actions while authenticated on a system.
  • It is also the process of detecting unauthorized or abnormal activities on the system.
  • The audit trails created by recording system events to a log can be used to evaluate a system's health and performance.
  • Log events provide an audit trail for recreating a step-by-step history of an event, intrusion, and system failure.

Intrusion Detection System (IDS)

  • An Intrusion Detection System (IDS) is primarily used to detect intrusion attempts; it can also be employed to detect system failures and overall performance.
  • IDS alerts can be sent as an on-screen notification, by playing a sound, by sending an email notification, or by recording information

IDSs Response

  • A response from an IDS can be classified into three types:
    • – Active: directly affects the malicious activity in the network traffic.
    • – Passive: doesn't affect the malicious activity, but records information about the issue and notifies the administrator.
    • – Hybrid: stops the unwanted activity, records information about the event, and notifies the administrator.

IDSs Response (Cont.)

  • Typical IDS responses include blocking a port, blocking a protocol, blocking a source address, and disabling all communication over a specific cable segment.
  • When the IDS discovers abnormal behavior or a violation of its security rules, it records a log

Host- and Network-based IDS

  • Host-based IDS watches for questionable activity on a single computer system.
  • Host-based IDS looks at audit trails, event logs, and application
  • Network-based IDS watches for:
    • – Questionable activity on the network medium, by inspecting packets and observing network traffic patterns.

  Network-based IDS Detection

  • An IDS can detect malicious behavior with two common types of detection:
    • – Knowledge-based detection (also known as signature-based or pattern-matching detection).
    • – Behavior-based detection, commonly known as statistical intrusion detection, anomaly detection, or heuristic-based detection.

Knowledge-based Detection

  • Here, the IDS uses a signature database and attempts to match all monitored events to its content.
  • If a match is made, the IDS assumes that an attack is taking place.
  • This method is only effective for known attack methods or behavior.

  (Cont.)

  • A knowledge-based IDS lacks a learning model, that is, it is unable to recognize new attack patterns as they occur.
  • Therefore, the administrator should keep the signatures up to date and correct.
    • – As mentioned before, it is like an antivirus application, which needs to be updated over a period of

Behavior-based Detection

  • Basically, behavior-based detection learns about the normal activities and events on your system by watching and tracking what it sees.
  • Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities.

Behavior-based Detection (Cont.)

  • A behavior-based IDS can be labeled an expert system or artificial intelligence system because it can learn and make assumptions about events.
  • In other words, the IDS can act like a human expert by evaluating current events against known events.
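The two detection models from the slides above, side by side, as an added example that is not part of the original slide deck. The log lines, the two-entry signature database and the "normal" training window are all constructed for this illustration; the point it shows is that the signature rule catches the known SQL-injection pattern but misses the password-guessing burst, while the learned baseline flags the burst but has nothing to say about a single injected request.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines (not from the slides). Format: "<HH:MM> <src_ip> <message>".
# The training window is assumed to contain only normal activity.
TRAINING_LOG = [
    f"11:{m:02d} 10.0.0.{s} GET /index.html 200"
    for s, n in [(1, 4), (2, 5), (3, 6), (4, 5), (5, 5)]
    for m in range(n)
]

# Live window: normal browsing, one request carrying a known-bad pattern,
# and one source generating an unusual burst of failed logins.
LIVE_LOG = (
    [f"12:{m:02d} 10.0.0.1 Accepted password for alice" for m in range(5)]
    + [f"12:{m:02d} 10.0.0.2 GET /index.html 200" for m in range(6)]
    + ["12:03 10.0.0.3 GET /item?id=1 UNION SELECT password FROM users 500"]
    + [f"12:{m:02d} 10.0.0.9 Failed password for bob" for m in range(40)]
)

# Knowledge-based detection: a signature database of known attack patterns
# (two constructed patterns for illustration; a real database is far larger).
SIGNATURES = {
    "sql-injection-probe": re.compile(r"(?i)union\s+select"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_matches(lines):
    """Return (signature_name, line) for every line matching a known signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def events_per_source(lines):
    """Count events per source IP (the second whitespace-separated field)."""
    return Counter(line.split()[1] for line in lines)


def learn_baseline(training_lines):
    """Behavior-based detection, learning phase: mean and population standard
    deviation of events per source during a window assumed to be normal."""
    counts = list(events_per_source(training_lines).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomalies(live_lines, baseline, k=3.0):
    """Detection phase: sources whose event count exceeds mean + k * stdev."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return {src: n for src, n in events_per_source(live_lines).items() if n > threshold}


if __name__ == "__main__":
    print("signature hits:", signature_matches(LIVE_LOG))
    base = learn_baseline(TRAINING_LOG)
    print("baseline mean=%.2f stdev=%.2f" % base)
    print("anomalous sources:", anomalies(LIVE_LOG, base))
```

The baseline here is events per source over a whole window; a production behavior-based IDS would learn per-user, per-service and per-time-of-day profiles, and the k factor is the knob that trades false positives against missed attacks, which is exactly why the slides describe this model as learning "what it sees" rather than matching fixed content.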

IDS Related Tools

  • These IDS-related tools expand the usefulness and capabilities of IDSs and make them more efficient and less prone to false positives.
  • These tools include
    • – honeypots,
    • – padded cells, and

Understanding Honeypots

  • Individual computers or entire networks created to serve as a trap for intruders.
    • – They look and act like legitimate networks, but they are totally fake.
  • Honeypots tempt intruders by presenting unpatched and unprotected security vulnerabilities.
    • – They direct intruders into a restricted playground while

Deployment

(Cont.)

  • Honeypots keep intruders performing malicious activities long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
    • – Legitimate users never enter the honeypots.
    • – Thus, when honeypot access is detected, it must be an unauthorized intruder.

(Cont.)

  • The use of honeypots raises the issue of enticement vs. entrapment.
  • A honeypot can be legally used as an enticement device if the intruder discovers it through no outward efforts of the honeypot owner.
    • – This is known as enticement.

(Cont.)

  • Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion.
  • In other words, it is considered to be entrapment when you trick or encourage a perpetrator into performing an illegal or

Understanding Padded Cells

  • A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach.
    • – When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.
    • – Within the padded cell the intruder can neither perform malicious activities nor access any confidential data.

Vulnerability Scanner

  • Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses.
    • – They may recommend applying patches or making specific configuration or security setting changes to improve or impose security.
  • An extension of the concept of the IDS is the intrusion prevention system (IPS).

Vulnerability Scanner (Cont.)

  • An IPS seeks to actively block unauthorized connection attempts or illicit traffic patterns as they occur.
  • In fact, the line between IDSs and IPSs can be quite blurry, in that many self-professed IDSs have IPS capabilities.

Penetration Testing

  • A penetration occurs when an attack is successful and an intruder is able to breach the perimeter around your environment.
    • – It is common for organizations to hire external consultants to perform penetration testing.
    • – So testers are not informed of confidential elements of the environment's security configuration, network design, and other

Penetration Testing (Cont.)

  • There are open-source and commercial tools such as Metasploit and Core IMPACT.
  • To evaluate your system, benchmarking and testing tools are available for download at .

Penetration Testing (Cont.)

  • Keeping up with the latest attacks, vulnerabilities, and exploits demands that careful, attentive security professionals keep up with security bulletins.
    • – U.S. Computer Emergency Readiness Team at .

(List. 1)

  • The following are the most common or well-known access control attacks or attack methodologies (these are listed in alphabetical order):
    • – Brute force and dictionary attack
    • – Denial of Service
    • – Malware: viruses, worms, Trojans, spyware, etc.

(List. 2)

    • – Sniffing
    • – Spamming
    • – Spoofing

Attacks

  • We discuss brute-force and dictionary attacks together because they are waged against the same entity: passwords.
  • A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and

Attacks

  • Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
    • – The most common form of DoS is transmitting so many data packets to a server that it cannot process them all.
    • – DoS can result in system crashes, system

Types

  • A single attacking system floods a single victim with a steady stream of packets.
    • – This simple form of DoS is easy to terminate just by blocking packets from the source IP address.
  • A distributed denial of service (DDoS) occurs when the attacker compromises several systems and uses them as launching platforms against one or more victims.
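The distinction the two slides above draw, a single flooding source that can be cut off by blocking its IP address versus a distributed flood from many launching platforms, is what a monitoring system has to decide before it chooses a response. The following is an added example, not code from the slides: it takes a one-second capture of (source, destination) pairs, constructed here from documentation address ranges, and classifies each destination. The packets-per-second threshold and the 80% "dominant source" share are assumptions to tune per link and service.

```python
from collections import Counter, defaultdict

# Constructed thresholds (assumptions for this example; tune to the link and service).
FLOOD_PPS = 1000        # packets per second towards one victim that we treat as a flood
DOMINANT_SHARE = 0.8    # share of flood packets one source must hold to call it single-source


def classify_floods(packets, window_s):
    """packets: iterable of (src_ip, dst_ip) seen during a window of window_s seconds.
    Returns {dst_ip: (verdict, detail)} where verdict is
      'normal'             (detail = None),
      'dos-single-source'  (detail = the source address to block), or
      'ddos'               (detail = number of distinct attacking sources)."""
    per_dst = defaultdict(Counter)
    for src, dst in packets:
        per_dst[dst][src] += 1
    verdicts = {}
    for dst, sources in per_dst.items():
        total = sum(sources.values())
        if total / window_s < FLOOD_PPS:
            verdicts[dst] = ("normal", None)
            continue
        top_src, top_n = sources.most_common(1)[0]
        if top_n / total >= DOMINANT_SHARE:
            # One attacking system: blocking its source address ends the flood.
            verdicts[dst] = ("dos-single-source", top_src)
        else:
            # Many launching platforms: blocking one source at a time is not enough.
            verdicts[dst] = ("ddos", len(sources))
    return verdicts


# Constructed one-second capture using documentation address ranges.
SAMPLE_PACKETS = (
    [("203.0.113.7", "192.0.2.10")] * 5000                                            # single-source flood
    + [(f"198.51.100.{i}", "192.0.2.20") for i in range(1, 61) for _ in range(100)]  # distributed flood
    + [(f"203.0.113.{i}", "192.0.2.30") for i in range(1, 6) for _ in range(10)]     # normal traffic
)


if __name__ == "__main__":
    for dst, (verdict, detail) in classify_floods(SAMPLE_PACKETS, window_s=1).items():
        print(dst, verdict, detail)
```

For the distributed case the useful response is upstream rate limiting or filtering on the traffic's shape rather than on source addresses, which is also why the "ddos" verdict returns a count of sources instead of a single address to block.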

  

Spoofing Attacks

  • Spoofing attacks consist of replacing a valid source and/or destination IP address and node numbers with false ones.
    • – The art of pretending to be something you're not.
  • Spoofing is employed when:
    • – An attacker uses a stolen username and password.
    • – An attacker changes the source address in a malicious packet.
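The second bullet above, a malicious packet whose source address has been replaced, is what source-address validation at the network border is designed to catch. As an added example that is not from the slides, the filter below applies the usual two rules: a packet arriving from the Internet must not claim one of our own internal addresses, and a packet leaving our site must not claim someone else's. The internal address blocks are an assumption for this example.

```python
import ipaddress

# Constructed: the address blocks that belong to our own site (assumption for this example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr):
    """True if addr falls inside one of our own address blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_bogon(addr):
    """Addresses that are never valid as a source on the wire."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_multicast


def filter_packet(direction, src, dst):
    """direction is 'in' (arriving from the Internet) or 'out' (leaving our site).
    Returns 'accept' or 'drop:<reason>'."""
    if is_bogon(src):
        return "drop:bogon-source"
    if direction == "in" and is_internal(src):
        # A packet from the Internet cannot legitimately carry one of our own addresses.
        return "drop:spoofed-internal-source"
    if direction == "out" and not is_internal(src):
        # Our hosts must not emit packets claiming an address we do not own.
        return "drop:spoofed-external-source"
    return "accept"


def filter_capture(records):
    """Apply filter_packet to (direction, src, dst) records; returns the verdicts in order."""
    return [filter_packet(d, s, t) for d, s, t in records]


if __name__ == "__main__":
    # Constructed sample records: one legitimate packet in each direction, two spoofed, one bogon.
    sample = [
        ("in", "203.0.113.9", "10.0.0.5"),
        ("in", "10.1.2.3", "10.0.0.5"),
        ("out", "192.168.1.10", "198.51.100.1"),
        ("out", "203.0.113.9", "198.51.100.1"),
        ("in", "127.0.0.1", "10.0.0.5"),
    ]
    for rec, verdict in zip(sample, filter_capture(sample)):
        print(rec, "->", verdict)
```

The outbound rule matters for the DDoS case on the earlier slides as much as for protecting our own hosts: a site that drops packets with foreign source addresses cannot be used as a launching platform for spoofed floods against someone else.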

  

Man in The Middle Attacks

  • A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication.
    • – One form is sniffing the traffic between two parties; this is basically a sniffer attack.
    • – The other involves attackers positioning themselves in the line of communication where

(Cont. 2)

  • In a form of this attack called a hijack attack, a malicious user is positioned between a client and a server, then interrupts the session and takes it over.

(Cont. 3)

  • Another type is a replay attack (playback attack).
    • – A malicious user records traffic between a client and a server; then packets sent from the client to the server are played back or retransmitted to that server with slight variations in the time stamp and source IP address.
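Because the replayed packets on the slide above arrive with a changed timestamp and source address, a server cannot detect the replay by looking at either of those fields alone. The added example below (not code from the slides) shows the two checks that do work together: a freshness window on the sender's timestamp, and a per-session sequence number that must strictly increase. The message format, session ids and clock values are constructed for this illustration.

```python
# Constructed message format (assumption for this example): each request carries a
# session id, a per-session sequence number, a sender timestamp (seconds) and a body.


class ReplayGuard:
    """Rejects replayed requests using a freshness window plus per-session sequence numbers."""

    def __init__(self, max_skew_s=30):
        self.max_skew_s = max_skew_s
        self.highest_seq = {}   # session id -> highest sequence number accepted so far

    def check(self, msg, now):
        """Return (accepted, reason) for msg evaluated at server time `now`."""
        # Freshness: a capture replayed long after the fact fails here even if the
        # attacker rewrote nothing else.
        if abs(msg["ts"] - now) > self.max_skew_s:
            return (False, "stale-timestamp")
        # Ordering: a packet already seen for this session cannot be accepted twice,
        # no matter what timestamp or source address it now carries.
        last = self.highest_seq.get(msg["session"], -1)
        if msg["seq"] <= last:
            return (False, "replayed-sequence")
        self.highest_seq[msg["session"]] = msg["seq"]
        return (True, "accepted")


def run_scenario():
    """Walks through the exchange on the slide: the client sends two requests, the
    attacker resends the second with a new timestamp and source address, and also
    replays an old capture much later. Returns the reason for each verdict."""
    guard = ReplayGuard(max_skew_s=30)
    now = 1_000_000
    legit_1 = {"session": "s1", "seq": 1, "ts": now, "src": "10.0.0.4", "body": "transfer 10"}
    legit_2 = {"session": "s1", "seq": 2, "ts": now + 1, "src": "10.0.0.4", "body": "transfer 20"}
    # Attacker's copy of legit_2: same session and sequence, altered timestamp and source.
    replayed = dict(legit_2, ts=now + 5, src="10.0.0.77")
    # A recording of legit_1 replayed ten minutes after it was sent.
    stale = dict(legit_1, ts=now - 600)
    server_time = now + 5
    return [guard.check(m, server_time)[1] for m in (legit_1, legit_2, replayed, stale)]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Both checks only hold if the timestamp and sequence number are covered by the message's integrity protection (a MAC or signature under the session key); otherwise the attacker simply edits them the same way the slide says they edit the timestamp and source address.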

Sniffing Attacks

  • A sniffer attack (also known as a snooping attack) is any activity that results in a malicious user obtaining information about a network or the traffic over that network.
  • A sniffer is some kind of packet-capturing program that dumps the contents of

Spamming Attacks

  • Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages.
    • – Spam can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested messages with viruses or Trojan horses attached.
    • – Spamming attacks are directed floods of unwanted messages to a victim's email inbox or

Access Control Compensation

  • Access control is used to regulate or specify which objects a subject can access and what type of access is allowed or denied.
  • To specify countermeasures for each of these attacks, you can use certain measures to help compensate for access

(Cont. 1)