Deploying Intrusion Detection Systems

Course Code: 588      Days: 4

Course Overview

With the growing reliance on e-commerce, network-based services and the Internet, organisations are faced with an ever-increasing challenge to protect their systems from attacks. IDSs are the most powerful tools used for alerting the analyst to network- and host-based exploits.

In this course, you gain knowledge of how attackers break into networks, and how an IDS can play a key role in detecting and responding to these events. You learn to configure, deploy and tune an IDS to identify exploits occurring in your organisation.

Audience

This course is valuable for those involved in maintaining network and system information assurance. Course 468, "Introduction to System and Network Security", or equivalent experience is assumed. A working knowledge of TCP/IP is also assumed.

Skills Gained

  • Detect and respond to network- and host-based intruder attacks
  • Integrate intrusion detection systems (IDS) into your current network topology
  • Analyse IDS alerts using the latest tools and techniques
  • Identify methods hackers use to attack systems
  • Recognise detection avoidance schemes
  • Stop attackers with Intrusion Prevention Systems (IPSs)

Course Outline

Introduction to Intrusion Detection

The role of an IDS

  • Examining the impact of information assurance policies
  • Classifying IDS by the attack timeline

Navigating the IDS landscape

  • Investigating Snort and RealSecure alert databases
  • Enhancing IDS with honeypots

Identifying IDS signatures

  • Anomaly and misuse detection, stateful analysis and advanced string matching
  • Selecting raw and smart signatures
  • Improving signature quality for an exploit

Deploying an IDS

Monitoring attacks on the network

  • Placing Network IDS (NIDS) sensors
  • Operating sensors in a stealth mode
  • Detecting intrusions in wireless networks with Snort-Wireless

Solutions for a switched network

  • Sniffing switches with the Switch Port Analyzer (SPAN) feature
  • Detecting attacks on VLANs and trunks
  • Monitoring multiple networks with one sensor
  • Differentiating between hubs and Taps
  • Combining outputs of a dual Tap
  • Ensuring reliability with IDS load balancers

Detecting intrusions in the enterprise

  • Designing a multi-layer IDS hierarchy
  • Managing distributed IDS
  • Consolidating with Security Management Systems

Discovering attacks with Host-IDS (HIDS)

  • Deploying HIDS on critical servers
  • Analysing Windows and Linux logs
  • Detecting log tampering
  • Querying logs with Microsoft Log Parser

Interpreting Alerts

Verifying IDS operation

  • Generating attacks with Vulnerability Assessment (VA) and IDS testing tools
  • Replaying traces of real attacks with tcpreplay
  • Crafting IP packet attacks

Tuning the IDS

  • Minimising false positives with dynamic tuning and attack relevancy
  • Utilising event filtering, propagation, consolidation and parameter tuning
  • Aggregating multiple events

Network security monitoring

  • Validating IDS events
  • Examining transcripts and sessions
  • Resolving an attacker's identity

Recognising Attacks

Scanning for low-hanging fruit

  • Footprinting an organisation
  • Comparing connect, ACK, SYN, FIN, Xmas, Null and UDP scans

Crafting buffer overflows (BO)

  • Detecting remote BO attacks
  • Mutating BO exploits
  • Setting up DDoS (Distributed DoS) and DrDoS (Distributed Reflection DoS)

Evading IDS detection

  • Hiding Web attacks via SSL and polymorphic mutation
  • Overlapping IP and TCP fragments
  • Slicing packets with fragroute

Stopping Intruders

Exploiting IDS active responses

  • Snipping a TCP session
  • Initiating a File Integrity Check (FIC)
  • Controlling access with a firewall update
  • Stopping hackers with Cisco IP Blocking

Differentiating between IPSs

  • Halting packets with Gateway IDS (GIDS)
  • Intercepting API calls with shims
  • Self-inflicted denial-of-service (DoS)
