IAS102 - Week 7-8 - LESSON: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools


WEEK 7-8

SECURITY TECHNOLOGY:
INTRUSION DETECTION
PREVENTION SYSTEM AND
OTHER SECURITY TOOLS
IAS102 - INFORMATION ASSURANCE AND SECURITY
• Discuss intrusion detection and prevention
• Understand different security tools
• Understand biometrics access control

IAS102 – INFORMATION ASSURANCE AND SECURITY 2


Intrusion Detection and Prevention System, and Other Security Tools
• An intrusion occurs when an attacker attempts to gain entry into, or disrupt the normal operations of, an information system.
• Intrusion prevention consists of activities that deter an intrusion. Intrusion prevention activities include:
  • Writing and implementing good enterprise information security policy
  • Planning and executing an effective information security program
  • Installing and testing technology-based information security countermeasures
  • Conducting and measuring the effectiveness of employee training and awareness activities

• Intrusion detection consists of procedures and systems that identify system intrusions.
• Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
• Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion, so that the same type of attack cannot occur again.

• Intrusion Detection System (IDS): detects a violation and activates an alarm. The alarm can be audible and/or visual, or it can be silent (for example an e-mail or pager message).
• Intrusion Prevention System (IPS): detects an intrusion and also prevents it from successfully attacking the organization by means of an active response.
• Intrusion Detection and Prevention System (IDPS): the term used to describe current anti-intrusion technologies, which combine both capabilities.

IDPS Terminology
• Alert or alarm: an indication that a system has just been attacked or is under attack.
• True attack stimulus: an event that triggers an alarm and causes the IDPS to react as if a real attack is in progress.
• False attack stimulus: an event that triggers an alarm when no actual attack is in progress.
• False positive: an alert or alarm that occurs in the absence of an actual attack.
• False negative: the failure of an IDPS to react to an actual attack event. This is the most serious failure, since detecting attacks is the purpose of the IDPS.
• Noise: alarm events that are accurate and noteworthy but do not pose a significant threat (for example a scan against a host that is not vulnerable to the probed weakness).
• Site policy: the rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
• Site policy awareness: an IDPS's ability to dynamically modify its reactions in response to changes in activity on the site.
• Tuning: the process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
• Confidence value: the measure of an IDPS's ability to correctly detect and identify certain types of attacks.
• Alarm filtering: classifying IDPS alerts so that they can be more effectively managed (for example discarding known false positives).
• Alarm clustering: grouping almost identical alarms that happen at close to the same time into a single higher-level alarm, so that the administrator is not overwhelmed.
• Evasion: the process by which attackers change the format and/or timing of their activities to avoid detection by an IDPS.

Why use an IDPS?
• To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
• To detect attacks and other security violations that are not prevented by other security measures
• To detect and deal with the preambles to attacks (network probes and other "doorknob rattling" activities)
• To document the existing threat to an organization
• To act as quality control for security design and administration, especially in large and complex enterprises
• To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors

Types of IDPS
• Network-based IDPS (NIDPS), with two specialized subtypes:
  • Wireless IDPS
  • Network Behavior Analysis (NBA) system
• Host-based IDPS (HIDPS)
Figure 7-1: A host-based IDPS protects the server or host's information assets; it monitors both network connection activity and the current state of the information on the host.

Network-Based IDPS
• A NIDPS is connected to a segment of an organization's network and monitors the network traffic on that segment.
• Monitoring port (SPAN or mirror port): a connection on a network device that is capable of viewing all of the traffic that moves through the entire device; the NIDPS sensor is attached here.
• Protocol stack verification: the NIDPS looks for invalid data packets, that is, packets that violate the rules of the TCP/IP protocols (malformed headers, impossible flag combinations, overlapping fragments).
• Application protocol verification: higher-order protocols such as HTTP, FTP and Telnet are examined for unexpected packet behavior or improper use.
Figure 7-2: Data from the Snort network IDPS engine; the display is a sample screen from a client that can manage Snort as well as display the alerts it generates.
NIDPS
• Advantages of a NIDPS include the following:
  • Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network
  • NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations
  • NIDPSs are not usually susceptible to direct attack and, in fact, may not be detectable by attackers
NIDPS
• Disadvantages of a NIDPS include the following:
  • A NIDPS can become overwhelmed by network volume and fail to recognize attacks it might otherwise have detected
  • NIDPSs require access to all of the traffic to be monitored; on a switched network this means a monitoring port or a network tap
  • NIDPSs cannot analyze encrypted packets, which makes that part of the traffic invisible to the sensor
  • NIDPSs cannot reliably ascertain whether an attack was successful or not; an alert says only that an attack was attempted
  • Some NIDPSs are susceptible to malformed packets and may become unstable and stop functioning

Wireless NIDPS
• A wireless IDPS monitors and analyzes wireless network traffic, looking for potential problems with the wireless protocols themselves (IEEE 802.11 activity); it does not inspect the higher-layer protocols carried over the WLAN.
• Issues associated with the implementation of a wireless IDPS include:
  • Physical security: sensors are often deployed in open or public areas where they can be stolen or tampered with
  • Sensor range: a sensor's effective detection range depends on its antenna and on walls, interference and other obstacles
  • Access point and wireless switch locations: sensors must cover the areas served by the access points, including rogue devices placed just outside them
  • Wired network connections: each sensor needs a wired link (and usually power) back to the management network, which may not exist where coverage is needed
  • Cost: covering a site takes many sensors, and hardened or outdoor units cost more

Wireless NIDPS
• In addition to the traditional types of intrusions detected by other IDPSs, a wireless IDPS can also detect:
  • Unauthorized WLANs and WLAN devices (rogue access points and stations)
  • Poorly secured WLAN devices (for example weak or missing encryption and authentication settings)
  • Unusual usage patterns
  • The use of wireless network scanners
  • Denial of service (DoS) attacks and conditions
  • Impersonation and man-in-the-middle attacks

Network Behavior Analysis System
• An NBA system examines network traffic in order to identify problems related to the flow of traffic, such as DoS attacks, scanning, worms and unexpected application services.
• NBA IDPSs typically monitor internal networks, but occasionally monitor connections between internal and external networks.
• Flow data relevant to intrusion detection and prevention include:
  • Source and destination IP addresses
  • Source and destination TCP or UDP ports, or ICMP types and codes
  • Number of packets and bytes transmitted in the session
  • Starting and ending timestamps for the session

Network Behavior Analysis System
• Passive sensors that perform direct network monitoring should be placed so that they can monitor key network locations (for example the border between networks and key internal segments).
• Inline sensors are typically intended for network perimeter use, so they would be deployed in close proximity to the perimeter firewalls.
• The types of events most commonly detected by NBA sensors are:
  • DoS attacks, including DDoS attacks
  • Scanning
  • Worms
  • Unexpected application services (for example a host that suddenly starts offering a new network service)
  • Policy violations
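The flow fields and event types listed on the last two slides, worked through as an added example (this is not code from the slides or from any NBA product). It runs two NBA-style heuristics over constructed flow records: a port scan is one source touching many ports on one host with tiny flows, and a DoS is many distinct sources hitting one service inside a short window. The flow data, the rules and all thresholds are assumptions made for the demonstration.

```python
"""Flow-level network behavior analysis over constructed NetFlow-style records.

Added example for this lesson; not code from the slides or from any NBA
product. The flow records, the two heuristics and every threshold below are
assumptions made up for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One session summary: the fields the slide lists as relevant flow data."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int
    start: float   # session start timestamp (seconds)
    end: float     # session end timestamp (seconds)


# Constructed sample: a normal client, one host probing 60 ports on 10.0.0.5,
# and 150 distinct sources flooding 10.0.0.9:80 within half a second.
SAMPLE_FLOWS = (
    [Flow("10.0.0.2", "10.0.0.9", "tcp", 51000 + i, 80, 40, 30000, 0.0, 2.0)
     for i in range(3)]
    + [Flow("203.0.113.7", "10.0.0.5", "tcp", 40000 + p, p, 1, 60, 5.0, 5.1)
       for p in range(1, 61)]
    + [Flow(f"198.51.100.{i}", "10.0.0.9", "tcp", 44000, 80, 3, 180, 10.0, 10.5)
       for i in range(1, 151)]
)

# Tunable thresholds (assumed values; in practice they come from the baseline).
SCAN_MIN_PORTS = 20          # distinct dports from one src to one dst
SCAN_MAX_PKTS_PER_FLOW = 2   # probe flows rarely complete a handshake
DOS_MIN_SOURCES = 100        # distinct sources on one (dst, dport) per window
DOS_WINDOW_SECONDS = 1.0


def detect_port_scans(flows):
    """Return {src: {dst: [ports]}} for sources whose tiny flows touched
    at least SCAN_MIN_PORTS distinct ports on a single destination."""
    touched = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.packets <= SCAN_MAX_PKTS_PER_FLOW:
            touched[f.src][f.dst].add(f.dport)
    scans = {}
    for src, by_dst in touched.items():
        hits = {dst: sorted(ports) for dst, ports in by_dst.items()
                if len(ports) >= SCAN_MIN_PORTS}
        if hits:
            scans[src] = hits
    return scans


def detect_dos(flows):
    """Return {(dst, dport): peak_source_count} for services that saw at least
    DOS_MIN_SOURCES distinct sources inside one DOS_WINDOW_SECONDS bucket."""
    sources = defaultdict(set)   # (dst, dport, window_index) -> {src, ...}
    for f in flows:
        window = int(f.start // DOS_WINDOW_SECONDS)
        sources[(f.dst, f.dport, window)].add(f.src)
    peak = {}
    for (dst, dport, _), srcs in sources.items():
        if len(srcs) >= DOS_MIN_SOURCES:
            peak[(dst, dport)] = max(peak.get((dst, dport), 0), len(srcs))
    return peak


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("dos floods:", detect_dos(SAMPLE_FLOWS))
```

Note that neither rule looks at payload: the scan is recognized purely from the number of distinct ports and the one-packet flows, and the flood from the number of distinct sources per second, which is exactly why an NBA sensor keeps working on encrypted traffic and why its thresholds must be tuned against the site's own baseline.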
Network Behavior Analysis System
• NBA sensors offer various intrusion prevention capabilities, including the following (grouped by sensor type):
  • Passive only: ending the current TCP session (by sending TCP reset packets to both endpoints)
  • Inline only: performing inline firewalling (dropping or rejecting the suspicious traffic)
  • Both passive and inline: reconfiguring other network security devices (firewalls, routers), or running a third-party program or script

Host-Based IDPS
• A host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system.
• HIDPSs are also known as system integrity verifiers: they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files.
• Most HIDPSs work on the principle of configuration and change management: the monitored files are hashed when the baseline is taken, and any later change in a file's size, permissions or contents raises an alert.
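The system-integrity-verifier behavior described above, as an added example (not code from the slides or from any HIDPS product). It baselines SHA-256 digests, sizes and permission bits of every file under a directory and reports what was created, modified or deleted on a later pass. The scratch directory, the file names and the "intruder" changes are constructed inside the demo function; the choice of SHA-256 is an assumption.

```python
"""Host-based file integrity checking in the style of a system integrity verifier.

Added example for this lesson; not code from the slides or from any HIDPS
product. The scratch host, its files and the simulated intruder activity are
constructed by demo() so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map relative POSIX path -> (size, permission bits, sha256) for every regular file."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = (st.st_size, st.st_mode & 0o7777, sha256_file(p))
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots the way an SIV report would."""
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a scratch 'host', take a baseline, simulate an intruder, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary\n")
        before = baseline(root)

        # Simulated intruder: adds a uid-0 account, trojans a binary,
        # removes a file and plants a hidden one.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / ".rootkit").write_bytes(b"payload")

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real SIV stores the baseline off-host or signs it, since an attacker with root on the monitored host can otherwise simply re-baseline after tampering; that is the "vulnerable to direct attack" disadvantage listed two slides below.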
Host-Based IDPS
• Advantages of a HIDPS:
  • Can detect local events on the host system, and also detect attacks that may elude a network-based IDPS
  • Functions on the host system, where encrypted traffic will have been decrypted and is available for processing
  • The use of switched network protocols does not affect a HIDPS
  • Can detect inconsistencies in how applications and system programs were used on the monitored host, by examining the records stored in the host's audit logs

Host-Based IDPS
• Disadvantages of a HIDPS:
  • Poses more management issues, because it is configured and managed on each monitored host
  • Vulnerable both to direct attacks and to attacks against the host operating system; either can result in the compromise and/or loss of HIDPS functionality
  • Not optimized to detect multi-host scanning, nor able to detect the scanning of non-host network devices such as routers or switches
  • Susceptible to some denial-of-service attacks
  • Can use large amounts of disk space to retain the host OS audit logs
  • Can inflict a performance overhead on its host system

IDPS Detection Methods
• IDPSs use a variety of detection methods to monitor and evaluate network traffic.
• Three methods dominate:
  • Signature-based approach
  • Statistical anomaly-based approach
  • Stateful protocol analysis approach

Signature-Based IDPS
• Sometimes called a knowledge-based or misuse-detection IDPS.
• It examines network traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns.
• It can only detect attacks for which it holds a signature: a new attack strategy, or a known one rewritten so that its pattern changes, is not recognized until the signature database is updated.

Statistical Anomaly-Based IDPS
• Also known as a behavior-based IDPS: it collects statistical summaries by observing traffic that is known to be normal and establishes a baseline from them.
• Baseline data include variables such as:
  • Host memory or CPU usage
  • Network packet types
  • Packet quantities
• When measured activity falls outside the baseline parameters, that is, exceeds the clipping level, the IDPS sends an alert.
• It can detect new types of attacks, since it looks for abnormal activity of any kind, but it needs more processing capacity than a signature-based IDPS and can produce many false positives when normal activity varies.
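The two detection methods just described, side by side on constructed traffic, as an added example (not code from the slides and not Snort's own rule engine). The signatures are simplified regular expressions in the spirit of Snort content and pcre rules; the anomaly detector learns a packets-per-second baseline from known-good traffic and alerts when a later second exceeds mean plus three standard deviations (the clipping level). The packets, baseline window and z threshold are all assumptions for the demonstration; the point is that the flood at the end has no signature and is caught only by the behavior-based detector.

```python
"""Signature-based versus statistical anomaly-based detection on constructed traffic.

Added example for this lesson; not code from the slides or from Snort. The
SIGNATURES are simplified regexes in the spirit of Snort content/pcre rules;
the packets, baseline window and z-score threshold are constructed.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    second: int      # arrival time, bucketed to whole seconds
    src: str
    dst: str
    dport: int
    payload: bytes


# Knowledge-based (misuse) detection: each rule is a known attack pattern.
SIGNATURES = {
    "WEB-ATTACK directory traversal": re.compile(rb"\.\./(\.\./)+"),
    "WEB-ATTACK SQL tautology": re.compile(rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
    "SHELLCODE x86 NOP sled": re.compile(rb"\x90{16,}"),
}


def signature_matches(pkt):
    """Names of every signature whose pattern occurs in the packet payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


def packets_per_second(packets):
    return Counter(p.second for p in packets)


class RateAnomalyDetector:
    """Behavior-based detection: learn mean and standard deviation of
    packets-per-second from traffic known to be normal, then flag any later
    second whose count exceeds mean + z * stdev (the clipping level)."""

    def __init__(self, z=3.0):
        self.z = z
        self.mean = None
        self.stdev = None

    def train(self, normal_packets):
        counts = list(packets_per_second(normal_packets).values())
        self.mean = statistics.fmean(counts)
        self.stdev = statistics.pstdev(counts)

    def clipping_level(self):
        # floor the spread at 1 packet so a flat baseline does not alert on +1
        return self.mean + self.z * max(self.stdev, 1.0)

    def anomalous_seconds(self, packets):
        if self.mean is None:
            raise RuntimeError("train() on normal traffic first")
        level = self.clipping_level()
        return sorted(sec for sec, n in packets_per_second(packets).items() if n > level)


# Constructed baseline: 60 s of ordinary web requests, 4 to 6 packets per second.
BASELINE = [Packet(sec, "10.0.0.2", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n")
            for sec in range(60) for _ in range(4 + sec % 3)]

# Constructed test traffic: normal load, one SQL injection, one traversal,
# then a 60-packet flood of a never-seen payload at second 103.
TEST_TRAFFIC = (
    [Packet(100 + s, "10.0.0.3", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n")
     for s in range(5) for _ in range(5)]
    + [Packet(101, "203.0.113.7", "10.0.0.9", 80,
              b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n")]
    + [Packet(102, "203.0.113.7", "10.0.0.9", 80,
              b"GET /../../../../etc/passwd HTTP/1.1\r\n")]
    + [Packet(103, f"198.51.100.{i}", "10.0.0.9", 80, b"\x00" * 8)
       for i in range(1, 61)]
)


def run_demo():
    """Return (signature_alerts, anomalous_seconds) for the constructed traffic."""
    detector = RateAnomalyDetector(z=3.0)
    detector.train(BASELINE)
    sig_alerts = sorted({(p.second, name) for p in TEST_TRAFFIC
                         for name in signature_matches(p)})
    return sig_alerts, detector.anomalous_seconds(TEST_TRAFFIC)


if __name__ == "__main__":
    alerts, anomalies = run_demo()
    for sec, name in alerts:
        print(f"t={sec}s signature: {name}")
    print("anomalous seconds (no signature needed):", anomalies)
```

The two injected requests at seconds 101 and 102 stay within the packet-rate baseline, so the anomaly detector is silent about them while the signatures fire; the flood at second 103 matches no signature but is 65 packets against a clipping level of 8, so only the anomaly detector reports it.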

Stateful Protocol Analysis IDPS
• Stateful protocol analysis (SPA) is the process of comparing predetermined profiles of generally accepted definitions of benign activity for each protocol state against observed events, in order to identify deviations.
• Because an SPA IDPS tracks the state of each session, it knows which commands are legitimate at each step (for example an FTP session should not accept file transfer commands before the user has authenticated). This deep packet inspection lets it detect specialized multi-session attacks that a stateless signature match would miss.
• The drawbacks are the processing overhead of tracking many simultaneous sessions, and the fact that it cannot detect attacks that stay within the protocol's accepted behavior.

Log File Monitors
• A log file monitor (LFM) reviews the log files generated by servers, network devices and even other IDPSs, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred. Because it correlates entries from many sources, it can see attack patterns that a single IDPS sensor would miss.

IDPS Response Behavior
• Each IDPS responds to external stimuli differently:
  • Active responses: collecting additional information about the intrusion, modifying the network environment, or even taking action against the intrusion
  • Passive responses: setting off alarms or notifications, or collecting passive data through SNMP traps
• The topics that follow are IDPS response options, reporting and archiving capabilities, and failsafe considerations for IDPS responses.

IDPS Response Options
• IDPS responses can be classified as active or passive.
• Active response: a definitive action automatically initiated when certain types of alerts are triggered; it can include collecting additional information, changing or modifying the environment, and taking action against the intruder.
• Passive response: the IDPS simply reports the information it has collected and waits for the administrator to act.

• The following list describes some of the responses an IDPS can be configured to produce:
  • Audible/visual alarm
  • SNMP traps and plug-ins
  • E-mail message
  • Page or phone message
  • Log entry
  • Evidentiary packet dump
  • Take action against the intruder (a counterattack; legally risky and generally not recommended)
  • Launch program
  • Reconfigure firewall
  • Terminate session
  • Terminate connection
Reporting and Archiving Capabilities
• Many, if not all, commercial IDPSs can generate routine reports and other detailed information documents, such as reports of system events and intrusions detected over a particular reporting period.
• Some IDPSs provide statistics or logs in formats suitable for inclusion in database systems or for use in report-generating packages.

Failsafe Considerations for IDPS Responses
• Failsafe features protect an IDPS from being circumvented or defeated by an attacker.
• Encrypted tunnels or other cryptographic measures that hide and authenticate the communication between sensors and the management console are an excellent way to secure and ensure the reliability of the IDPS; without them, an attacker who can reach the management traffic can suppress alerts or inject false ones.

Selecting IDPS Approaches and Products: Technical and Policy Considerations
• The following considerations and questions may help you prepare a specification for acquiring and deploying an intrusion detection product:
  • What is your system environment?
  • What are your security goals and objectives?
  • What is your existing security policy?

Organizational Requirements and Constraints
• Operational goals, constraints and culture will affect the selection of IDPSs and the other security tools and technologies used to protect systems. The requirements and limitations to consider:
  • What requirements are levied from outside the organization (laws, regulations, audit requirements)?
  • What are your organization's resource constraints?

IDPS Product Features and Quality
• Evaluate any IDPS product by considering the following questions:
  • Is the product sufficiently scalable for your environment?
  • How has the product been tested?
  • What is the user level of expertise targeted by the product?
  • Is the product designed to evolve as the organization grows?
  • What are the support provisions for the product?

Strengths and Limitations of IDPSs
• As you plan the security strategy for your organization's systems, it is important to understand what an IDPS should be trusted to do and what goals might be better served by other security mechanisms.
• Strengths of intrusion detection and prevention systems
• Limitations of intrusion detection and prevention systems
Deployment and Implementation of an IDPS
• The strategy for deploying an IDPS should take into account a number of factors, the foremost being how the IDPS will be managed and where it should be placed.
• IDPS control strategies:
  • Centralized control strategy
  • Fully distributed control strategy
  • Partially distributed control strategy
Figure 7-4: In the centralized strategy, all IDPS control functions are implemented and managed in a central location, represented by a large square symbol labeled "IDPS console".

Figure 7-5: The fully distributed strategy is the opposite of the centralized strategy; all control functions are applied at the physical location of each IDPS component.
Figure 7-6: The partially distributed strategy combines the best of the other two: individual agents analyze and respond to local threats, while also reporting to a hierarchical central facility.

IDPS Deployment
• IDPSs are designed to detect, report and even react to anomalous stimuli, so placing an IDPS in an area where such traffic is common (for example directly in front of an unfiltered Internet gateway) can result in excessive reporting.
• Deploying network-based IDPSs: the following four locations are recommended for NIDPS sensors.
• Location 1: behind each external firewall, in the network DMZ (sees attacks that penetrate the perimeter and problems with the firewall policy)
• Location 2: outside an external firewall (documents the number and type of attacks originating on the Internet that target the network)
• Location 3: on major network backbones (monitors a large amount of traffic and detects unauthorized activity by authorized users inside the perimeter)
• Location 4: on critical subnets (detects attacks targeting critical systems and resources, with a sensor dedicated to each)
Measuring the Effectiveness of IDPS
• When selecting an IDPS one typically looks at a set of tunable measures of comparative effectiveness, including:
  • Threshold: a value that sets the limit between normal and abnormal behavior (for example the number of failed logins per minute, or of ports probed by one host, above which an alert fires)
  • Blacklist: a list of discrete entities (hosts, ports, applications, file names, URLs) that have been associated with malicious activity
  • Whitelist: a list of discrete entities that are known to be benign, used on a granular basis to reduce false positives (for example the security team's own vulnerability scanner)

Measuring the Effectiveness of IDPS
• IDPSs are evaluated using two dominant metrics:
  • First, administrators evaluate the number of attacks detected in a known collection of probes
  • Second, administrators examine the level of use, commonly measured in megabits per second of network traffic, at which the IDPS still detects attacks reliably
• Most IDPS vendors provide testing mechanisms that verify that their systems are performing as expected. These include:
  • Recording and retransmitting packets from a real virus or worm scan
  • Recording and retransmitting packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets)
  • Conducting a real virus or worm attack against a hardened or sacrificial system
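The threshold, blacklist and whitelist measures, and the "attacks detected in a known collection of probes" metric from the two slides above, worked together as an added example (not code from the slides or from any IDPS product). It replays a constructed, labelled probe set through a toy sensor decision and counts true positives, false positives and false negatives with the terminology defined earlier. The probe records, their 0-100 suspicion scores, and the precedence rule (blacklist always alerts, whitelist never alerts, otherwise compare with the threshold) are simplifying assumptions.

```python
"""Scoring an IDPS against a known collection of probes, with threshold,
blacklist and whitelist tuning.

Added example for this lesson; not code from the slides or from any IDPS
product. Probe records and scores are constructed; the list precedence rule
is a simplified assumption of how the tuning knobs interact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src: str
    score: int        # suspicion score the sensor assigned (constructed)
    is_attack: bool   # ground truth known to the test harness


# Constructed "known collection of probes" replayed at the sensor.
PROBES = [
    Probe("203.0.113.7", 95, True),    # loud exploit attempt
    Probe("203.0.113.8", 40, True),    # stealthy slow scan, low score
    Probe("198.51.100.5", 20, True),   # known hostile host, low score
    Probe("10.0.0.2", 75, False),      # the security team's own vulnerability scanner
    Probe("10.0.0.3", 10, False),      # ordinary client
    Probe("10.0.0.4", 55, False),      # noisy but benign backup job
]


def raises_alarm(probe, threshold, blacklist=frozenset(), whitelist=frozenset()):
    """Decide whether the sensor alerts: lists take precedence over the score."""
    if probe.src in blacklist:
        return True
    if probe.src in whitelist:
        return False
    return probe.score >= threshold


def evaluate(probes, threshold, blacklist=frozenset(), whitelist=frozenset()):
    """Count true/false positives and negatives and derive the two rates."""
    tp = fp = fn = tn = 0
    for p in probes:
        alarm = raises_alarm(p, threshold, blacklist, whitelist)
        if alarm and p.is_attack:
            tp += 1        # true attack stimulus, correctly detected
        elif alarm:
            fp += 1        # false positive: alarm with no real attack
        elif p.is_attack:
            fn += 1        # false negative: real attack missed
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / (tp + fn),
        "false_positive_rate": fp / (fp + tn),
    }


if __name__ == "__main__":
    bl, wl = {"198.51.100.5"}, {"10.0.0.2"}
    print("threshold 50, no lists:  ", evaluate(PROBES, 50))
    print("threshold 50, with lists:", evaluate(PROBES, 50, bl, wl))
    print("threshold 30, with lists:", evaluate(PROBES, 30, bl, wl))
```

With only the threshold the sensor detects one of three attacks and alarms on two benign hosts; adding the known-hostile host to the blacklist and the scanner to the whitelist fixes one miss and one false positive without touching the threshold, and lowering the threshold then catches the stealthy scan at the price of keeping the backup job's false alarm. That trade-off is what tuning means in practice.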

Honeypots, Honeynets, and Padded Cell Systems
• A class of powerful security tools that go beyond routine intrusion detection.
• Honeypots: decoy systems designed to lure potential attackers away from critical systems.
• Honeynets: a collection of honeypots, connecting several honeypot systems on a subnet.
• Padded cell: a honeypot that has been protected so that it cannot be easily compromised, in other words a hardened honeypot. It operates in tandem with an IDPS: when the IDPS detects an attacker, it transfers them into the padded cell, a simulated environment where they can do no harm.
Honeypots are designed to do the following:
• Divert an attacker from critical systems
• Collect information about the attacker's activity
• Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond
The advantages and disadvantages of the honeypot or padded cell approach are summarized below.
• Advantages:
  • Attackers can be diverted to targets that they cannot damage
  • Administrators have time to decide how to respond to an attacker
  • Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections
  • Honeypots may be effective at catching insiders who are snooping around a network
Figure 7-8: Screenshot showing the configuration of a honeypot as it waits for an attack.

• Disadvantages:
  • The legal implications of using such devices are not well understood
  • Honeypots and padded cells have not yet been shown to be generally useful security technologies
  • An expert attacker, once diverted into a decoy system, may become angry and launch a more aggressive attack against the organization's systems
  • Administrators and security managers need a high level of expertise to use these systems

Trap-and-Trace Systems
• Trap-and-trace applications use a combination of techniques to detect an intrusion and then trace it back to its source.
• Trap:
  • Usually consists of a honeypot or padded cell and an alarm
  • Intruders are distracted or trapped by what they perceive to be a successful intrusion
  • The system notifies the administrator of their presence
• Trace:
  • An extension to the honeypot or padded cell approach
  • Similar to caller ID: the organization attempts to identify an entity discovered in unauthorized areas of the network or system. If the intruder is inside the organization, policy can be applied directly; an external intruder usually has to be traced with the cooperation of law enforcement and the attacker's ISP
• When using honeypots and honeynets, administrators should be careful not to cross the line between enticement and entrapment.
• Enticement is the act of attracting attention to a system by placing tantalizing information in key locations. It is legal and ethical.
• Entrapment is the act of luring an individual into committing a crime in order to get a conviction. It is illegal and unethical, and evidence from a trap-and-trace operation that creates the offense rather than merely observing it can be challenged on this basis.

Scanning and Analysis Tools
Active Intrusion Prevention
• LaBrea is a tool that provides active intrusion prevention.
• It is a "sticky" honeypot and IDPS: it works by taking up the unused IP address space within a network, answering connection attempts to those addresses and then holding the TCP connections open at a crawl (a tarpit). Scanning worms and attackers get stuck on addresses that no legitimate host uses, which both slows them down and alerts the administrator.

Scanning and Analysis Tools
• In order to secure a network, it is imperative that someone in the organization knows exactly where the network needs securing.
• To assess the risk within a computing environment, an organization must deploy technical controls using a strategy of defense in depth, which is likely to include:
  • Intrusion detection systems
  • Active vulnerability scanners
  • Passive vulnerability scanners
  • Automated log analyzers
  • Protocol analyzers
• Attack protocol: a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network.
• One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target.
• Footprinting: the organized research of the Internet addresses owned or controlled by a target organization (DNS records, WHOIS data, assigned address blocks, published web content).
• View source: an option on most popular Web browsers that allows the user to see the source code behind the graphics; comments, paths and script references left in the HTML can reveal software versions and internal host names.
• Fingerprinting: a systematic survey of all of the target organization's Internet addresses collected during the footprinting phase, in order to identify the services, operating systems and versions running on each host.
Figure 7-9: A scanner, described in the program's help file, which can also do a host of other scans and probes.
Biometric Access Controls
• Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed system user (a supplicant). It relies upon recognition, the same thing you use to identify a friend.
• Biometric authentication technologies include the following:
  • Fingerprint comparison of the supplicant's actual fingerprint to a stored fingerprint
  • Palm print comparison of the supplicant's actual palm print to a stored palm print
  • Hand geometry comparison of the supplicant's actual hand to a stored measurement
  • Facial recognition using a photographic ID card, in which a human security guard compares the supplicant's face to a photo
  • Facial recognition using a digital camera, in which the supplicant's face is compared to a stored image
  • Retinal print comparison of the supplicant's actual retina to a stored image
  • Iris pattern comparison of the supplicant's actual iris to a stored image
Figure 7-20: Depicts some of these human recognition characteristics.

• Among all possible biometrics, only three human characteristics are usually considered truly unique:
  • Fingerprints
  • Retina of the eye (blood vessel pattern)
  • Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations, vasculature, coronas and crypts)

• Most of the technologies that scan human characteristics convert these images to some form of minutiae.
• Minutiae are unique points of reference that are digitized and stored in an encrypted format when the user's system access credentials are created; each later access attempt produces a fresh measurement that is compared with the stored template.
• The problem with this method is that some human characteristics can change over time, through normal development, injury or illness, so stored templates may need to be re-enrolled.
• Signature and voice recognition technologies are also considered to be biometric access control measures.

Effectiveness of Biometrics
• Biometric technologies are evaluated on three basic criteria:
  • False reject rate (FRR): the percentage of supplicants who are in fact authorized users but are denied access (a Type I error; an annoyance that hurts acceptance, not security)
  • False accept rate (FAR): the percentage of supplicants who are unauthorized users but are granted access (a Type II error; the serious failure, since it admits an impostor)
  • Crossover error rate (CER): the level at which the number of false rejections equals the number of false acceptances. The lower the CER, the more accurate the system; it is the usual figure used to compare biometric products
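The three criteria above computed from matcher scores, as an added example (not code from the slides or from any biometric product). FRR is the fraction of genuine users scoring below the decision threshold, FAR the fraction of impostors scoring at or above it; sweeping the threshold gives both curves and the CER is where they cross. The two score lists are constructed to resemble a matcher's output on a 0 to 100 similarity scale: GENUINE_SCORES from enrolled users matched against their own templates, IMPOSTOR_SCORES from other people matched against those templates.

```python
"""False reject rate, false accept rate and crossover error rate from matcher scores.

Added example for this lesson; not code from the slides or from any biometric
product. The score lists are constructed on a 0-100 similarity scale.
"""

GENUINE_SCORES = [95, 90, 85, 80, 75, 70, 65, 59, 52, 45]   # users vs. own template
IMPOSTOR_SCORES = [15, 22, 30, 38, 44, 50, 56, 60, 68, 74]  # others vs. that template


def false_reject_rate(threshold, genuine=GENUINE_SCORES):
    """Fraction of authorized users denied: genuine scores below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(threshold, impostor=IMPOSTOR_SCORES):
    """Fraction of impostors admitted: impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, thresholds=range(0, 101)):
    """(threshold, FRR, FAR) for every candidate decision threshold."""
    return [(t, false_reject_rate(t, genuine), false_accept_rate(t, impostor))
            for t in thresholds]


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FRR and FAR are closest, and the error rate there (CER)."""
    t, frr, far = min(error_curve(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    for t in (50, 60, 70):
        print(f"threshold {t}: FRR={false_reject_rate(t):.1f} FAR={false_accept_rate(t):.1f}")
    print("CER at threshold %d: %.2f" % crossover_error_rate())
```

Raising the threshold from 50 to 70 cuts the FAR from 0.5 to 0.1 but pushes the FRR from 0.1 to 0.4, which is the acceptability trade-off the next slide discusses; a high-security deployment sits to the right of the crossover, a convenience-oriented one to the left.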

Acceptability of Biometrics
• A balance must be struck between how acceptable a security system is to its users and how effective it is in maintaining security.
• As a result, many information security professionals, in an effort to avoid confrontation and a possible user boycott of the biometric controls, do not implement them.
• The order of effectiveness is nearly exactly the opposite of the order of acceptance: the most accurate methods, such as retina and iris scanning, are among the least accepted by users, while the most readily accepted methods are among the least accurate.
Table 7-3: Shows how certain biometrics rank in terms of effectiveness and acceptance.