Lab #10 - Assessment Worksheet: Securing the Network with an Intrusion Detection System (IDS)

Question

Lab #10 - Assessment Worksheet

Securing the Network with an Intrusion Detection System (IDS)

Course Name and Number: ______________________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ________________________________________________________________

Lab Due Date: ________________________________________________________________

Lab Assessment Questions & Answers

1. What is the difference between an IDS and an IPS?

2. Why is it important to perform a network traffic baseline definition analysis?

3. Why is a port scan detected from the same IP on a subnet an alarming alert to receive from your IDS?

4. If the Snort IDS captures the IP packets off the LAN segment for examination, is this an example of promiscuous mode operation? Are these packets saved or logged?

5. What is the difference between a host-based IDS and a network-based IDS?

6. How can you block attackers, who are performing reconnaissance and probing, with Nmap and Nessus port scanning and vulnerability assessment scanning tools?

7. Why is it a good idea to have host-based intrusion detection systems enabled on critical servers and workstations?

8. Where should you implement intrusion prevention systems in your IT infrastructure?

Explanation / Answer

1) Answer:

IDS:

An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities or through security policy violations.

An IDS works by monitoring system activity through examining vulnerabilities in the system, the integrity of files and conducting an analysis of patterns based on already known attacks. It also automatically monitors the Internet to search for any of the latest threats which could result in a future attack.

IDS – as stated, it is a tool to detect intrusion of packets and determine which of the packets can be a threat or not. It is only to detect, not to block. It is a combined tool of hardware and software security systems that deals with internal and external attacks and monitors network activity in real time.

There are two types of IDS:

Host-Based Intrusion Detection System (HIDS)

Network-Based Intrusion Detection System

IPS:

An intrusion prevention system (IPS) is a system that monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, and then log information, attempt to block the activity, and then finally to report it.

Intrusion prevention systems are also known as intrusion detection prevention systems (IDPS).

IPS – this tool can take action and does not need an administrator's decision to act on any packet of data that the IPS tool detects as a threat. IPSs are also placed to actively analyse and take actions automatically on all packets that enter the network.

They can:

Two Detection Methods of IPS

Signature-Based Detection (or Misuse Detection). This method uses significant identifiable patterns for each kind of attack. The signature can be an exploit-facing signature, where they monitor packets by finding a match from their stored file of exploit attacks. There is also the vulnerability-facing signature, where they recognize an attack as to which part of the system is vulnerable to this kind of attack.

Statistical Anomaly Detection. They use samples of network traffic at random and compare them with each other. They use bandwidth, protocols used, ports, and devices that connect to each other.

IDSs are used to monitor potential intrusions within the internal network, and IPS solutions are focused on identifying and blocking attack traffic.

2) Answer:

You can make sure that the presence, absence, amount, direction, and frequency of traffic are flowing correctly before you implement rules.

Baselining provides the network administrator insight into expected behavior on the network and, subsequently, the ability to notice changes to the environment.

3) Answer:

It is alarming because all computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. A port scan is an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.

4) Answer:

No, promiscuous mode means that all packets from the network are being sniffed by the scanner. Packets captured in this manner are logged.

5) Answer:

Network-based IDSs will send alerts when an intruder accesses a certain network or section of the network that the IDS is employed in. A host-based IDS will only send an alert when the host that the IDS is running on encounters an unauthorized user.

6. How can you block attackers, who are performing reconnaissance and probing, with Nmap and OpenVAS port scanning and vulnerability assessment scanning tools?

Snort is an open source network intrusion prevention and detection system (IPS/IDS), capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

A network-based IDS (intrusion detection system) attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity, and host-based IDS systems monitor and analyze the internals of a computing system as well as the network packets on its network interfaces.

6) Answer:

Identify the digital signatures of common reconnaissance and probing tools such as PING, scans performed by Nmap, Nessus®, etc. Program your IDS and IPS devices to specifically alert on and block the reconnaissance and probing IP packets that are commonly used by these attack tools. All of the normal hacking applications and tools that generate ICMP, IP, UDP, and TCP should also be identified and blocked on your external IDS/IPS device, including DoS and DDoS digital signatures.

You can prevent attackers because they detect what operating systems and application versions are being run, what firewall and packet filters are being used, and other information that is useful to a hacker in planning an intrusion or attack and to a network administrator in defending against that same hack.

7) Answer:

To provide your network and security organization with real-time alerts and alarms pertaining to potential system compromise and/or unauthorized access.

With host-based IDS enabled, it monitors all or parts of the dynamic behavior and the state of a computer system.

8) Answer:

IPS should be implemented at the point of ingress and egress for the network infrastructure. This is done to decrease the attack surface for an attack to utilize. If there was only IPS for critical resources, then an attacker could access the network and spend more time to gain access to a user account that would allow them authorized access to a critical resource. It could be useful to employ IPS at the location of a critical resource; however, it would only be useful in a multi-layered security plan where it was enabled on the host as well as the network.
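Questions 2 and 3 above, the traffic baseline and the port-scan alert from a host on the same subnet, are what a statistical anomaly check in an IDS is built on. The following is an added example written for this page, not code from the worksheet or from Snort: it learns a baseline of (destination, port, protocol) services per source from constructed connection records, then reports any source inside a given subnet that touches more distinct, non-baseline ports on one neighbour than a threshold allows. The log format, the addresses and the threshold are all assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample connection records (timestamp src dst dport proto); not real traffic.
BASELINE_LOG = """\
2024-03-01T09:00:01 10.0.1.5 10.0.1.20 80 tcp
2024-03-01T09:00:02 10.0.1.5 10.0.1.20 443 tcp
2024-03-01T09:00:03 10.0.1.7 10.0.1.21 53 udp
"""

# Constructed: one host on the subnet sweeping ten ports on a neighbour, plus one normal request.
SUSPECT_LOG = "\n".join(
    f"2024-03-02T02:10:{i:02d} 10.0.1.9 10.0.1.20 {p} tcp"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 139, 443, 445, 3389))
) + "\n2024-03-02T02:11:00 10.0.1.5 10.0.1.20 80 tcp\n"


def parse_log(text):
    """Parse 'timestamp src dst dport proto' lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        events.append({"src": parts[1], "dst": parts[2], "dport": int(parts[3]), "proto": parts[4]})
    return events


def build_baseline(events):
    """Baseline: the (dst, dport, proto) services each source is normally seen talking to."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["src"]].add((e["dst"], e["dport"], e["proto"]))
    return baseline


def detect_port_scans(events, baseline, subnet, threshold=8):
    """Anomaly check: a source inside `subnet` that contacts more than `threshold` distinct
    ports on one host, none of them in its baseline, is reported as a probable port scan."""
    net = ipaddress.ip_network(subnet)
    novel = defaultdict(set)  # (src, dst) -> ports not seen in the baseline
    for e in events:
        if ipaddress.ip_address(e["src"]) not in net:
            continue
        if (e["dst"], e["dport"], e["proto"]) in baseline.get(e["src"], set()):
            continue
        novel[(e["src"], e["dst"])].add(e["dport"])
    return sorted((src, dst, len(ports)) for (src, dst), ports in novel.items() if len(ports) > threshold)
```

Running `detect_port_scans(parse_log(SUSPECT_LOG), build_baseline(parse_log(BASELINE_LOG)), "10.0.1.0/24")` flags 10.0.1.9 against 10.0.1.20 with ten unfamiliar ports, while the baseline host's normal web request raises nothing.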