Intrusion Detection/Prevention Systems

Loading...

Do curso por Google

IT Security: Defense against the digital dark arts

934 classificações

Google

IT Security: Defense against the digital dark arts

934 classificações

Curso 5 de 5 em Specialization Google IT Support Professional Certificate

This course covers a wide variety of IT security concepts, tools, and best practices. It introduces threats and attacks and the many ways they can show up. We’ll give you some background of encryption algorithms and how they’re used to safeguard data. Then, we’ll dive into the three As of information security: Authentication, authorization, and accounting. We’ll also cover network security solutions, ranging from firewalls to Wifi encryption options. The course is rounded out by putting all these elements together into a multi-layered, in-depth security architecture, followed by recommendations on how to integrate a culture of security into your organization or team. At the end of this course, you’ll understand: - how various encryption algorithms and techniques work and their benefits and limitations. - various authentication systems and types. - the difference between authentication and authorization. At the end of this course, you’ll be able to: - evaluate potential risks and recommend ways to reduce risk. - make recommendations on how best to secure a network. - help others to understand security concepts and protect themselves.

Na lição

Securing Your Networks

In the fourth week of this course, we'll learn about secure network architecture. It's important to know how to implement security measures on a network environment, so we'll show you some of the best practices to protect an organization's network. We'll learn about some of the risks of wireless networks and how to mitigate them. We'll also cover ways to monitor network traffic and read packet captures. By the end of this module, you'll understand how VPNs, proxies and reverse proxies work; why 802.1X is a super important for network protection; understand why WPA/WPA2 is better than WEP; and know how to use tcpdump to capture and analyze packets on a network. That's a lot of information, but well worth it for an IT Support Specialist to understand!

Sniffing the Network5:15

Wireshark and tcpdump6:45

Intrusion Detection/Prevention Systems6:45

Conheça os instrutores

Google

We covered Packet Capture and Analysis,

which is related to our next topic,

Intrusion Detection and Prevention Systems or IDS/IPS.

IDS or IPS systems operate by monitoring network traffic and analyzing it.

As an IT support specialist,

you may need to support the underlying platform that the IDS/IPS runs on.

You might also need to maintain the system itself,

ensuring that rules are updated,

and you may even need to respond to alerts.

So, what exactly do IDS and IPS systems do?

They look for matching behavior or characteristics that would indicate malicious traffic.

The difference between an IDS and an IPS system,

is that IDS is only a detection system.

It won't take action to block or prevent an attack,

when one is detected,

it will only log an alert.

But an IPS system can adjust firewall rules on the fly,

to block or drop the malicious traffic when it's detected.

IDS and IPS system guess an idea systems can either be host based or network based.

In the case of a Network Intrusion Detection System or NIDS,

the detection system would be deployed somewhere on a network,

where it can monitor traffic for a network segment or sub net.

A host based intrusion detection system would be a software

deployed on the host that monitors traffic to and from that host only.

It may also monitor system files for unauthorized changes.

NIDS systems resemble firewalls in a lot of ways.

But a firewall is designed to prevent intrusions by

blocking potentially malicious traffic coming from outside,

and enforce ackles between networks.

NIDS systems are meant to detect and alert on

potential malicious activity coming from within the network.

Plus, firewalls only have visibility of

traffic flowing between networks they've set up to protect.

They generally wouldn't have visibility of traffic between hosts inside the network.

So, the location of the NIDS must be considered carefully when you deploy a system.

It needs to be located in the network topology,

in a way that it has access to the traffic we'd like to monitor.

A good way that you can get access to network traffic is using

the port mirroring functionality found in many enterprise switches.

This allows all packets on a port, port range,

or entire VLAN to be mirrored to another port,

where NIDS host would be connected.

With this configuration, our NIDS machine would be able to see

all packets flowing in and out of hosts on the switch segment.

This lets us monitor host to host communications,

and traffic from hosts to external networks, like the internet.

The NIDS hosts would analyzed this traffic by

enabling promiscuous mode on the analysis port.

This is the network interface that's connected to the mirror port on our switch,

so it can see all packets being passed,

and perform an analysis on the traffic.

Since this interface is used for receiving

mirrored packets from the network we'd like to monitor,

a NIDS host must have at least two network interfaces.

One is for monitoring an analysis,

and a separate one is for connecting to

our network for management and administrative purposes.

Some popular NID or NIP systems are Snort, Suricata,

and Bro NIDS, which you can read about more in the supplementary readings.

Placement of a NIP system or Network Intrusion Prevention system,

would differ from a NIDS system.

This is because of a prevention system being able to

take action against a suspected malicious traffic.

In order for a NIPS device to block or drop traffic from a detected threat,

it must be placed in line with the traffic being monitored.

This means, that the traffic that's being monitored must pass through the NIPS device.

If it wasn't the case,

the NIPS host wouldn't be able to take action on suspected traffic.

Think of it this way,

a NIDS device is a passive observer that only watches the traffic,

and sends an alert if it sees something.

This is unlike a NIPS device,

which not only monitors traffic,

but can take action on the traffic it's monitoring,

usually by blocking or dropping the traffic.

The detection of threats or malicious traffic is

usually handled through signature based detection,

similar to how antivirus software detects malware.

As an IT Support Specialist,

you might be in charge of maintaining the IDS or IPS setup,

which would include ensuring that rules and signatures are up to date.

Signatures are unique characteristics of known malicious traffic.

They might be specific sequences of packets,

or packets with certain values encoded in the specific header field.

This allows Intrusion Detection and Prevention Systems from easily

and quickly recognizing known bad traffic from sources like botnets,

worms, and other common attack vectors on the internet.

But similar to antivirus,

less common are targeted attacks might not be detected by a signature based system,

since they're might not be signatures developed for these cases.

So, it's also possible to create

custom rules to match traffic that might be considered suspicious,

but not necessarily malicious.

This would allow investigators to look into

the traffic in more detail to determine the badness level.

If the traffic is found to be malicious,

a signature can be developed from the traffic,

and incorporate it into the system.

What actually happens when a NIDS system detects something malicious?

This is configurable, but usually the NIDS system would log

the detection event along with a full packet capture of the malicious traffic.

An alert would also usually be triggered to notify

the investigating team to look into that detected traffic.

Depending on the severity of the event,

the alert may just email a group,

or create a ticket to follow up on,

or it might page someone in the middle of the night if

it's determined to be a really high severity and urgent.

These alerts would usually also include

reference information linking to a known vulnerability,

or some more information about the nature of

the alert to help the investigator look into the event.

Well, we covered a lot of ground on securing your networks.

I hope you feel secure enough to move on.

If not, you can review any of these concepts that we've talked about.

Once you've done that, it's time for a peer review assessment,

to give you some hands on experience with packet sniffing analysis.

When you're finished, I'll see you in the next video,

where we'll cover defense in depth.

Explore nosso catálogo

Registre-se gratuitamente e obtenha recomendações, atualizações e ofertas personalizadas.

O Coursera proporciona acesso universal à melhor educação do mundo fazendo parcerias com as melhores universidades e organizações para oferecer cursos on-line.

© 2018 Coursera Inc. Todos os direitos reservados.

Baixar na App Store

Baixar no Google Play