08-IDS IPS 2
IDS/IPS
Principles of IDS
• Intrusion Detection is based on:
  • How to Detect an Intrusion?
  • What to Detect?
  • Where to Detect?
• The three “Detects” are also known as the Detect Triangle.
[Figure: Detect Triangle - Principles of IDS. The three questions How to Detect?, What to Detect? and Where to Detect? form a triangle around ATTACK.]
Concepts of IPS
• Intrusion Prevention is based on:
  • How to Detect an Intrusion?
  • What to Detect?
  • Where to Detect?
  • When to Detect?
[Figure: the four “Detects” of IPS. How to Detect?, What to Detect?, Where to Detect? and When to Detect? surround ATTACK.]
Symptoms of an attack
• Unexpected changes in network performance and irregular network traffic
• Poor system performance
• Repeated or multiple occurrences of a specific event
• Threshold value controls
Symptoms of an attack (continued)
• Time intervals between the events
• Invalid commands or requests for non-existing web components
• Unauthorized scans and probes
• Digital fingerprints
• User and system parameters
Symptoms of an attack (continued)
• Passing of network packets with invalid parameters
• Unexpected internet addresses
• Default values and information
• Date and time factor
• Location factor
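Three of the symptoms above (repeated occurrences of one event, the time interval between those events, and requests for non-existing web components) can be turned directly into a check over web-server access logs. The following is an added example, not code from the slides; the log lines, the threshold of 5 and the 60-second window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-log lines in Common Log Format; all lines below are constructed sample data.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET /old-page.html HTTP/1.1" 404
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /archive/2019/ HTTP/1.1" 404
203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "GET /img/logo_v2.png HTTP/1.1" 404
203.0.113.9 - - [10/Oct/2023:13:55:05 +0000] "GET /docs/manual.pdf HTTP/1.1" 404
203.0.113.9 - - [10/Oct/2023:13:55:06 +0000] "GET /cgi-bin/ HTTP/1.1" 404
10.0.0.7 - - [10/Oct/2023:13:58:10 +0000] "GET /missing.gif HTTP/1.1" 404
10.0.0.7 - - [10/Oct/2023:14:20:10 +0000] "GET /index.html HTTP/1.1" 200
"""

def parse_line(line):
    """Turn one log line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

class RepeatedEventDetector:
    """Raise an alert when one source produces `threshold` events of the same
    kind inside a sliding `window` (repeated occurrences + time interval)."""
    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # (src, kind) -> recent timestamps

    def observe(self, src, kind, ts):
        q = self.events[(src, kind)]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"src": src, "kind": kind, "count": len(q),
                     "first": q[0], "last": ts}
            q.clear()                          # one alert per burst
            return alert
        return None

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Run the detector over a log; a 404 is a request for a web component
    that does not exist, the symptom the slide lists."""
    detector = RepeatedEventDetector(threshold, window)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        alert = detector.observe(rec["src"], "missing-component", rec["ts"])
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        span = (a["last"] - a["first"]).total_seconds()
        print(f'{a["src"]}: {a["count"]} x {a["kind"]} within {span:.0f}s')
```

The single 404 from 10.0.0.7 never reaches the threshold, which is the point of combining a count with a time interval: a lone broken link is noise, a burst from one source is a symptom.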
Information Sources about Attacks
• Log files
• Network traffic
• Information from the attacker
• Information from end users
• External information sources
External Information Sources
• IRC channels
• Mailing lists
• Hacking resources on the internet
• Hacker magazines
• Books
• Conferences and seminars
IDS Architecture
• Tiered architecture - categorized as three types:
  • Single-tiered
  • Multi-tiered, and
  • Peer-to-peer architectures
Single-tiered architecture
• The simplest form of architecture for an IDS implementation
• A single component in the IDS collects and processes the data itself
• Example: host-based intrusion detection
Single-tiered architecture - advantages
• Simple and easy to install and configure
• Less maintenance, monitoring and administration required
• Low cost (lots of open source and freeware tools are available)
• Independent of other components
Single-tiered architecture - disadvantages
• Not ideal for medium-sized to
• attacks the IDS can detect is very limited or low.
• Its components are not aware of each other, reducing the potential for efficiency and sophisticated functionality.
• A single-tiered IDS is easier to compromise than the other architectures.
Multi-tiered architecture
• Consists of 3 components:
  • Sensors
  • Analyzers or Agents, and
  • Manager
Sensors
• Collect data from:
  • Network interfaces
  • System logs; and
  • Other information sources
• The most critical components of an IDS
• The first point of intrusion detection
Two types of sensors
• Network-based sensors
• Host-based sensors
Network-based sensors
• Capture packets traversing the network
Advantages
• Provide data covering a large number of hosts
• Cost effective
Disadvantages
• Loss of valuable information if over-burdened
• Additional traffic generated if not properly configured
Tools used in IDS as sensors:
• tcpdump
  • http://www.tcpdump.org
  • An application
• libpcap
  • http://sourceforge.net/projects/libpcap/
  • A library
Host-based sensors:
• Receive packets captured by the network interface card
• Send the data to the concerned application / process
• Difference: they work in non-promiscuous mode
Promiscuous mode
• A configuration of a network card wherein a setting is enabled so that the card passes all traffic it receives to the CPU rather than just the packets addressed to it
• The filtering is done with the help of the MAC address present inside each packet
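The decision the card makes from the destination MAC, and what a promiscuous-mode sensor sees in addition, written out as an added example (not code from the slides). The MAC addresses and frames are constructed; the multicast check assumes the card accepts every group address rather than consulting a configured multicast filter.

```python
# Ethernet II header: bytes 0..5 destination MAC, 6..11 source MAC, 12..13 EtherType.
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Constructed sample frame (no checksum, no padding)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload

def nic_accepts(frame, own_mac, promiscuous=False):
    """True if the card passes `frame` up to the CPU.

    In non-promiscuous mode only unicast frames addressed to the card, the
    broadcast address and (simplified here) multicast group addresses go up;
    a host-based sensor therefore never sees traffic between other hosts.
    """
    if len(frame) < 14:
        return False                   # runt: not even a complete header
    if promiscuous:
        return True                    # everything seen on the wire goes up
    dst = frame[:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    # Group (multicast) address: least-significant bit of the first octet set.
    # Assumption for the example: all group addresses are accepted.
    return bool(dst[0] & 0x01)

def visible_frames(frames, own_mac, promiscuous):
    """Indices of the frames the sensor on `own_mac` gets to analyze."""
    return [i for i, f in enumerate(frames)
            if nic_accepts(f, own_mac, promiscuous)]

SENSOR_MAC = mac("02:00:00:00:00:01")   # constructed, locally administered
HOST_A = mac("02:00:00:00:00:0a")
HOST_B = mac("02:00:00:00:00:0b")
FRAMES = [
    build_frame(SENSOR_MAC, HOST_A),                 # 0: addressed to the sensor
    build_frame(HOST_B, HOST_A),                     # 1: between two other hosts
    build_frame(BROADCAST, HOST_A, ethertype=0x0806),  # 2: broadcast (ARP request)
    build_frame(mac("01:00:5e:00:00:01"), HOST_B),   # 3: IPv4 multicast group
    build_frame(HOST_A, HOST_B)[:10],                # 4: truncated frame
]

if __name__ == "__main__":
    print("host-based view   :", visible_frames(FRAMES, SENSOR_MAC, False))
    print("promiscuous view  :", visible_frames(FRAMES, SENSOR_MAC, True))
```

Frame 1 is the one that separates the two sensor types: only promiscuous mode delivers it, and on a switched network even that requires the switch to forward it to the sensor's port (see the spanning port, hub and TAP slides below).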
Applications that use promiscuous mode
• KisMAC - wireless network discovery tool
• AirSnort - tool for decrypting WEP encryption
• Wireshark - protocol analyzer
• Tcpdump - packet capture tool
• PRTG - Paessler Router Traffic Grapher
• Kismet - network detector, packet sniffer
Sensor deployment
• Sensors can be placed in three different patterns:
  • Outside the exterior firewall
  • Inside the network protected by the firewall
  • Both of the above locations (outside and inside the firewall-protected network)
Sensor deployment - Outside
• Records information about attacks that originate from the internet
Sensor deployment - Inside
• Records attacks originating from the internal network
• Records attacks from the internet that bypassed the firewall security
Sensor deployment - Both locations
• Used for highly secure networks like defense establishments, research organizations etc., where a high degree of security and monitoring is required
Issues related to sensor deployment
• Administrative / super user privileges
• Security factor
• Disk management
• Throughput rate
• Switched network
Issues related to sensor deployment (continued)
• Encrypted traffic
• Secure communication channel
• (Status) monitoring
Agents - Definition
• A group of processes that run independently of other components and that are programmed to analyze system behaviors or network events or both, to detect anomalous events and violations of an organization's security policy.
Agents
• Also known as analyzers
• Information collected by the sensors is passed to the agents
• Analyze the input provided by the sensors
• Responsible for monitoring intrusive activity on their assigned individual hosts
Agents (continued)
• Specialized to perform one and only one function
• Each agent is independent of the others
• Agents can be added to or deleted from an IDS or IPS as needed without affecting the performance of the other agents
Functions of IDS agents
• Provisioning of a communication interface
• Provisioning of a listener interface
• Provisioning of a sender interface
Advantages of using an agent
• Independence
• Scalability and adaptability
• Efficiency
Disadvantages of using an agent
• False alarms
• Dedicated administration
• Resource consumption
Issues related to agent deployment
• Agent security
• Dedicated system
• Encrypted traffic
IDS Manager
• Also known as the server component
• Provides the master control capability for an IDS or IPS
• When an agent identifies an attack, the related information is transferred to the IDS manager
Functions of an IDS Manager
• Providing a management console / user interface to the IDS manager component
• Generating an alert as configured earlier
• Assembling and displaying alerts on a console / user interface
• Event correlation
Functions of an IDS Manager (continued)
• Adding the information regarding the incident to a database
• Policy management
• Component monitoring
• Retrieving additional information related to the incident
Functions of an IDS Manager (continued)
• Sending information / control instructions / commands to a system
• Sending commands to a firewall or router
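The sensor / agent / manager split described on the preceding slides, reduced to one runnable process as an added example (not code from the slides). Each agent performs exactly one function and knows nothing of the other; the manager stores alerts, correlates them, and issues a command to a firewall. The log lines, the threshold of 3 failures, the 300-second correlation window and the `Firewall` object are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: int          # seconds (constructed timestamps)
    src: str         # source host
    kind: str        # "auth_fail" or "conn"
    detail: str

@dataclass
class Alert:
    ts: int
    src: str
    agent: str
    message: str

class Sensor:
    """Collects data from one information source (syslog-style lines) and
    turns it into events for the agents. First point of detection."""
    def __init__(self, lines):
        self.lines = lines
    def events(self):
        for line in self.lines:
            ts, src, kind, detail = line.split(" ", 3)
            yield Event(int(ts), src, kind, detail)

class AuthFailureAgent:
    """One function only: repeated authentication failures from one source."""
    name = "auth-failures"
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = defaultdict(int)
    def analyze(self, ev):
        if ev.kind != "auth_fail":
            return None
        self.counts[ev.src] += 1
        if self.counts[ev.src] == self.threshold:
            return Alert(ev.ts, ev.src, self.name, f"{self.threshold} failed logins")
        return None

class UnexpectedPortAgent:
    """One function only: connections to ports the policy does not expose."""
    name = "unexpected-port"
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
    def analyze(self, ev):
        if ev.kind != "conn":
            return None
        port = int(ev.detail.rsplit(":", 1)[1])
        if port not in self.allowed:
            return Alert(ev.ts, ev.src, self.name, f"connection to port {port}")
        return None

class Firewall:
    """Stand-in for the device the manager sends commands to."""
    def __init__(self):
        self.blocked = set()
    def block(self, src):
        self.blocked.add(src)

class Manager:
    """Server component: assembles alerts (the incident database), correlates
    them, and sends commands to the firewall."""
    def __init__(self, firewall, window=300):
        self.firewall = firewall
        self.window = window
        self.alerts = []
        self.commands = []

    def receive(self, alert):
        self.alerts.append(alert)
        self.correlate(alert)

    def correlate(self, alert):
        # Rule: two *different* agents alerting on the same source within
        # `window` seconds are one incident, and the source gets blocked once.
        recent = [a for a in self.alerts
                  if a.src == alert.src and alert.ts - a.ts <= self.window]
        if len({a.agent for a in recent}) >= 2 and alert.src not in self.firewall.blocked:
            self.firewall.block(alert.src)
            self.commands.append(f"block {alert.src}")

def run(lines, allowed_ports=(22, 443)):
    sensor = Sensor(lines)
    agents = [AuthFailureAgent(threshold=3), UnexpectedPortAgent(allowed_ports)]
    manager = Manager(Firewall())
    for ev in sensor.events():
        for agent in agents:             # agents are independent of each other
            alert = agent.analyze(ev)
            if alert:
                manager.receive(alert)
    return manager

SAMPLE_LINES = [                          # constructed sample data
    "1000 203.0.113.9 auth_fail ssh user=admin",
    "1005 203.0.113.9 auth_fail ssh user=root",
    "1010 203.0.113.9 auth_fail ssh user=backup",
    "1020 203.0.113.9 conn 10.0.0.5:3306",
    "1030 10.0.0.7 conn 10.0.0.5:443",
    "1100 10.0.0.8 auth_fail ssh user=alice",
]
```

Removing either agent from the `agents` list changes nothing for the other one, which is the independence the slides claim; what it does change is the manager's correlation, since the block command only fires when two agents agree on a source.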
IDS Manager deployment considerations
• Security
  • Physical access
  • Protected from DoS
  • Dedicated server
  • Authentication
  • Encryption
• Storage space
• Alerting
[Figure: Multi-tiered Architecture Security]
Advantages of multi-tiered IDS architecture
• Greater efficiency
• In-depth analysis
Disadvantages of multi-tiered IDS architecture
• Increased setup cost
• Complex architecture that requires skilled manpower to maintain
• Requires continuous administration, monitoring and troubleshooting
• Increased maintenance cost
Peer-to-Peer Architecture
• More than one pair of IDS components in a peer-to-peer structure
• ID and IP information is exchanged between these peer components
• None of the components acts as the central server or master repository of information
Advantages of a peer-to-peer architecture
• Simple architecture
• Any peer can participate
• Each participating peer can benefit from the information supplied by the others
Disadvantages of peer-to-peer architecture
• Lack of sophisticated functionality due to the absence of specialized components
• If a single peer is compromised by an attacker, he can bring the whole network under his control by sending false information to the compromised peer’s components
Implementing IDS
• Difference between hub and switch
  • Hub
    • Works at the physical layer
    • No concept of a connection
    • Simply echoes every packet it receives to every port on the hub, excluding only the port the packet came in on
  • Switch
    • Based on connections
    • When a packet comes in, a temporary connection in the switch is made to the destination port, and the packets are forwarded on
    • To connect an IDS, a workaround is required
Use one of the following:
• Spanning ports
• Hubs, and
• Test Access Ports (TAPs)
Spanning ports
• Configure the switch to behave like a hub for a specific port
Disadvantages of spanning ports
• Not all switches support a spanning port
• A spanning port is not 100% reliable
• Monitoring of multiple machines is not possible: switches only allow one port to be spanned at a time
Hubs
• Place a hub between the connections to be monitored
Disadvantages of using hubs
• Like the span port, this is only suitable for a single machine
• Multiple machines on the hub would cause network problems and remove the benefits and features of a switched network
• Setting up a fault-tolerant hub would be a costly affair
TAPs
• Used to create permanent access ports for passive monitoring
• Installed for monitoring the traffic between any two network devices
• Function as an access port for any monitoring device used to collect in-line data
TAPs (continued)
• TAPs fall under the passive network devices category as they do not act on network traffic directly
Understanding TCP/IP for IDS
Introduction
• Designed to provide a range of services
• Current version: IPv4
• Designed with little attention to security
Layered approach
• Various HW & SW functions can be categorized as a series of functional layers
• Each layer builds on and depends on the proper functioning of the layers above and below it
• Gives applications a great deal of independence
Advantages of the layered approach
• Reduced complexity
• Improved teaching and learning
• Modular engineering
• Accelerated evolution
• Interoperable technology
• Standard interfaces
The Open Systems Interconnection Reference Model
• The ISO adopted the OSI model in 1977
• Based on the layered approach concept
• Aim: to break down the task of data communication into easily manageable steps
• These steps are known as layers
The seven layers of the OSI Reference Model are:
• Application Layer
• Presentation Layer
• Session Layer
• Transport Layer
• Network Layer
• Data-Link Layer
• Physical Layer
Purpose of OSI layers:
• Each layer provides services to the layer above it while shielding that upper layer from the complexities of the layer below it
Application Layer
• Layer 7 - topmost layer
• Manages communication between applications and end-user processes
• Applications receive data and request data
• E.g.: HTTP, Telnet, FTP, WWW browsers, NFS, SMTP gateways, SNMP, X.400 mail, FTAM
Presentation Layer
• Layer 6
• Defines data formats such as EBCDIC text, ASCII text, binary, BCD, JPEG etc.
• Adds structure to the packets of data being exchanged
Presentation Layer (continued)
• Ensures that the message gets transmitted in a format or syntax that the receiving system is able to understand
• Encryption is also defined at this layer
Session Layer
• Layer 5
• Defines
  • How to start/establish a connection,
  • How to use and control a connection, and
  • How to break down the connection when a session is completed
Session Layer (continued)
• Controls the "dialogs" during the communication process by adding control headers
• Also checks for transmission errors once a connection is established
• Ex: DECnet SCP, AppleTalk ASP, NetBIOS names, SQL, NFS, RPC
Transport Layer
• Layer 4
• Includes the choice of protocols that either do or do not provide error recovery
• Multiplexing of incoming data for different types of applications on the same host (TCP sockets)
Transport Layer (continued)
• Re-ordering of the incoming data stream when packets arrive out of order
• Examples:
  • TCP
  • UDP
  • SPX
Network Layer
• Layer 3
• Defines logical addressing
• Routes packets based on their logical address
• Defines the end-to-end delivery of packets
• Defines how the routing of packets works and how the routes are learned
Network Layer (continued)
• Fragmenting and re-assembling of packets
• Examples:
  • Internet Protocol (IP),
  • IPX,
  • AppleTalk,
  • DDP
  • ICMP
Data Link Layer
• Layer 2
• Prepares the data for final delivery to the network
• Concerned with getting data across one particular link or medium
• Packets are encapsulated into frames
• Protocols help in addressing and error detection
Data Link Layer (continued)
• Consists of two sub-layers:
  • Logical Link Control (LLC) sub-layer
  • Media Access Control (MAC) sub-layer
• LLC: functions as the interface between Network layer protocols and the media access methods such as Ethernet or Token Ring
Data Link Layer (continued)
• MAC: handles the connection to the physical medium such as twisted-pair or coaxial cabling
• Examples:
  • IEEE 802.3/802.2,
  • HDLC,
  • Frame Relay,
  • PPP, FDDI, ATM, IEEE 802.5/802.2, etc.
Physical Layer
• Layer 1
• Determines how the bits of data sent and received move along the network's communication medium
• The physical layer specifications are basically standards from other organizations that are referred to by the OSI reference model
Physical Layer (continued)
• Electrical currents, connectors, pins, use of pins, encoding and light modulation are all part of different physical layer specifications
• Examples: EIA/TIA-232, V.35, EIA/TIA-449, V.24, RJ45, Ethernet, 802.3, 802.5, FDDI, NRZI, NRZ, B8ZS
OSI Reference Model
Control is passed from one layer to the next, starting at the application layer in one system, proceeding to the bottom layer, over the stack to the next system and back up the hierarchy.
[Figure: Data type at each layer of the OSI Model]
Mnemonics to remember
• From top to bottom
  • All People Seem To Need Data Processing
• From bottom to top
  • Please Do Not Take Sales Persons’ Advice
TCP/IP Model
• It is an open system
• Allows systems of all sizes, from many different system vendors, running totally different operating systems, to communicate and exchange data with each other
• The TCP/IP model was developed independently of the OSI reference model
TCP/IP Model (continued)
• Consists of a four-layer system:
  • Application Layer
  • Transport Layer
  • Network Layer
  • Link Layer
Application Layer
• Deals with the details of a particular application
• Provides the services that user applications use to communicate over the network
• Examples: SMTP, FTP, Telnet, TFTP etc.
Transport Layer
• TCP and UDP operate at this layer
• Reliable flow of data between two hosts on a network
• UDP does not provide any reliability features
![Page 83: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/83.jpg)
Network Layer
• Also known as the Internet Layer
• Movement of packets across the network
• Routing and delivery responsibility for the network packets
• The Internet Protocol (IP) works at the network layer
![Page 84: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/84.jpg)
Link Layer
• Also known as the Data Link / Network Interface layer
• Consists of the device driver in the operating system and the corresponding network interface card in the system
• Corresponds to the OSI reference model's physical and data-link layers
![Page 85: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/85.jpg)
OSI Ref Model
![Page 86: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/86.jpg)
Best effort delivery / service
• A network service in which the network does not provide full reliability or any special features that recover lost or corrupted packets during communication.
• It generally performs some type of error control (e.g., a header checksum) but does not guarantee data delivery.
![Page 87: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/87.jpg)
Best effort delivery / service
• In the TCP/IP protocol suite, TCP is responsible for providing guaranteed (reliable) delivery, while IP provides best-effort delivery.
![Page 88: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/88.jpg)
Encapsulation
• Data is sent down the stack through each layer.
• Layer-specific information is added through
headers and trailers.
• At the destination, the process is reversed.
![Page 89: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/89.jpg)
Encapsulation
![Page 90: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/90.jpg)
Internet Protocol
• Basic framework for the transport of traffic from a source system to a destination system on the internet / intranet.
• All TCP, UDP, ICMP and IGMP data get transmitted as IP datagrams
• The workhorse protocol of the TCP/IP protocol
suite
![Page 91: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/91.jpg)
Internet Protocol
• Provides an unreliable, connectionless datagram delivery service.
• IP provides a best effort service
• A TCP/IP tutorial (RFC 1180 – TCP/IP Tutorial)
http://www.faqs.org/rfcs/rfc1180.html
![Page 92: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/92.jpg)
The IP Header
• Defined in RFC 791
• http://www.faqs.org/rfcs/rfc791.html
• The normal size of the IP header is 20 bytes (no options); the maximum is 60 bytes, because the 4-bit IHL field counts 32-bit words (15 x 4 bytes)
• Embedded in the data portion of the IP packet is the protocol-specific packet (such as a TCP segment or a UDP datagram); the Protocol field of the header says which one
![Page 93: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/93.jpg)
The IP Header
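The encapsulation and IP-header slides above, worked through in Python as an added example (this code is not part of the slide deck): a UDP segment is wrapped in an IPv4 datagram with a computed RFC 791 header checksum, then parsed back with the checks a sensor needs before trusting the header (version, IHL bounds, total length against the bytes actually captured, checksum). The addresses 192.0.2.10 and 198.51.100.20, the ports and the payload are constructed sample values.

```python
import struct

# Added example, not from the slide deck: encapsulate a UDP segment in an
# IPv4 datagram (RFC 791 header, RFC 768 UDP header), compute the header
# checksum, then parse the datagram back and validate it as a sensor would.
# Addresses, ports and payload are constructed sample values.

PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit one's-complement sum of data (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP header: source port, destination port, length (header + data), checksum.
    # A zero checksum means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) carrying a valid checksum."""
    ver_ihl = (4 << 4) | 5                 # version 4, IHL = 5 words = 20 bytes
    flags_frag = 0x4000                    # DF set, MF clear, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0, ipv4_bytes(src), ipv4_bytes(dst))
    checksum = (~ones_complement_sum(header)) & 0xFFFF
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and reject what a sensor must not trust:
    wrong version, IHL outside 20..60 bytes, a total length that does not
    match the bytes on the wire, or a header checksum that does not verify."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if not 20 <= ihl <= 60 or ihl > len(pkt):
        raise ValueError("bad IHL: %d bytes" % ihl)
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("total length %d inconsistent with %d bytes" % (total_len, len(pkt)))
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:   # a correct header sums to all ones
        raise ValueError("header checksum mismatch")
    return {
        "ihl": ihl, "total_len": total_len, "ident": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": ipv4_str(src), "dst": ipv4_str(dst),
        "options": pkt[20:ihl],
        "payload": pkt[ihl:total_len],           # the encapsulated transport segment
    }


def is_valid_ipv4(pkt: bytes) -> bool:
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    segment = build_udp(40000, 53, b"query")
    datagram = build_ipv4("192.0.2.10", "198.51.100.20", PROTO_UDP, segment)
    hdr = parse_ipv4(datagram)
    print(hdr["src"], "->", hdr["dst"], "proto", hdr["proto"], "payload", hdr["payload"])
    # Changing the TTL without recomputing the checksum makes the header fail.
    tampered = datagram[:8] + b"\x01" + datagram[9:]
    print("tampered header valid:", is_valid_ipv4(tampered))
```

The total-length check matters as much as the checksum: a decoder that trusts the length field on a short capture reads past the end of the buffer. The checksum only catches accidental corruption, since whoever can rewrite the header can recompute it, so it is an integrity check for the sensor's own parsing, not a security control.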
![Page 94: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/94.jpg)
Transmission Control Protocol (TCP)
• Reliable delivery of data
Four distinct elements (the 4-tuple) uniquely identify a TCP connection:
•IP address of the sender
•IP address of the receiver
•TCP Port of the sender
•TCP port of the receiver
![Page 95: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/95.jpg)
Basic Features of TCP (as listed in RFC 793)
• Data transfer
• Reliability
• Connections
• Flow control
• Precedence and security
• Multiplexing
![Page 96: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/96.jpg)
Port Numbers
• TCP uses a 16-bit port number
• Range from 0 through 65535
Ports are divided into two ranges:
• Well-known port numbers: 0 to 1023
• Ephemeral ports: 1024 to 65535 (IANA further splits this range into registered ports, 1024 to 49151, and dynamic/private ports, 49152 to 65535)
![Page 97: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/97.jpg)
Well Known Port Numbers
• Range from 0 to 1023
• IANA calls these the system ports; they are not the "registered" ports, which are 1024 to 49151
• Used by well-known services (e.g., FTP 21, Telnet 23, SMTP 25)
• Administered by IANA
![Page 98: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/98.jpg)
Ephemeral Ports
• Also known as transient or dynamic port numbers
• Port range from 1024 to 65,535
• Used by user programs to provide services, or used as the client (source) port when establishing connections.
• Operating systems pick client ports from a narrower sub-range (IANA suggests 49152 to 65535; Linux defaults to 32768 to 60999), so a sensor cannot assume that a port above 1023 is the client side of a connection.
![Page 99: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/99.jpg)
Three Way Handshake
• Two scenarios where a handshake exchange occurs:
• Establishing a connection (an active open): always three segments, SYN, SYN/ACK, ACK
• Terminating a connection (an active close): normally four segments (FIN/ACK, ACK, FIN/ACK, ACK), which collapse to three when the passive closer sends its FIN in the same segment as its ACK
![Page 100: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/100.jpg)
Three Way Handshake
• Steps in connection establishment
• Client: sends a message with the SYN flag on
• Server: replies to the client with a message that
has SYN and ACK flags on
• Client: replies to the server’s SYN/ACK
message with an ACK message
![Page 101: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/101.jpg)
Three Way Handshake
TCP “Three-Way Handshake” Connection Establishment Procedure (client and server states; state diagram reconstructed as text)
• Before the exchange: client is CLOSED; server does a passive open, creates a TCB, enters LISTEN and waits for a client
• # 1 Client: active open, sends SYN, enters SYN-SENT and waits for the ACK to its SYN
• # 2 Server: receives SYN, sends SYN+ACK, enters SYN-RECEIVED and waits for the ACK to its SYN
• # 3 Client: receives SYN+ACK, sends ACK, enters ESTABLISHED; Server: receives ACK, enters ESTABLISHED
![Page 102: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/102.jpg)
Three Way Handshake
• Steps in connection closing
• Client: sends a FIN/ACK
• Server: replies to the client with an ACK, then sends its own FIN (often combined with that ACK into a single FIN/ACK segment)
• Client: replies with an ACK message
• Either party sending a RST (usually seen as RST/ACK) aborts the connection immediately, with no closing handshake
![Page 103: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/103.jpg)
TCP Header
• Defined in RFC 793 (RFC 791 is the IP specification)
• http://www.faqs.org/rfcs/rfc793.html
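The TCP header, the 4-tuple and the open/close handshakes from the slides above, combined into one added Python example (not code from the slide deck): it decodes the RFC 793 fixed header, keys each flow by (client IP, server IP, client port, server port), and walks the SYN / SYN+ACK / ACK open, the FIN exchange and a RST abort. Hosts 192.0.2.10, 198.51.100.20 and 203.0.113.5, the ports and the sequence numbers are constructed sample values, and the trace is built in memory rather than captured.

```python
import struct

# Added example, not from the slide deck: decode the RFC 793 fixed TCP
# header and follow each connection, keyed by the 4-tuple the slides list,
# through the SYN / SYN+ACK / ACK open, the FIN exchange and RST aborts.
# Hosts, ports and sequence numbers are constructed sample values.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=65535):
    """20-byte TCP header (data offset 5, no options; checksum left zero)."""
    offset_and_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, window, 0, 0) + payload


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4          # header length incl. options, in bytes
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset %d" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "window": window,
            "options": seg[20:data_offset], "payload": seg[data_offset:]}


def flag_names(flags: int) -> str:
    return "".join(n for bit, n in ((SYN, "S"), (ACK, "A"), (FIN, "F"),
                                    (RST, "R"), (PSH, "P"), (URG, "U")) if flags & bit)


class ConnectionTracker:
    """Flow key: (client IP, server IP, client port, server port), where the
    client is whoever sent the first SYN. Segments of a flow whose SYN the
    sensor never saw are reported as UNTRACKED rather than guessed at."""

    def __init__(self):
        self.flows = {}            # key -> state
        self.fin_from_client = {}  # key -> which side sent the first FIN

    def observe(self, src_ip, dst_ip, seg: bytes) -> str:
        h = parse_tcp(seg)
        f = h["flags"]
        as_client = (src_ip, dst_ip, h["sport"], h["dport"])
        as_server = (dst_ip, src_ip, h["dport"], h["sport"])
        if as_client in self.flows:
            key, from_client = as_client, True
        elif as_server in self.flows:
            key, from_client = as_server, False
        elif f & SYN and not f & ACK:
            self.flows[as_client] = "SYN_SENT"             # step 1: active open
            return "SYN_SENT"
        else:
            return "UNTRACKED"
        state = self.flows[key]
        if f & RST:
            new = "RESET"                                   # abort, no handshake
        elif state == "SYN_SENT" and not from_client and (f & (SYN | ACK)) == SYN | ACK:
            new = "SYN_RECEIVED"                            # step 2
        elif state == "SYN_RECEIVED" and from_client and f & ACK and not f & SYN:
            new = "ESTABLISHED"                             # step 3
        elif state == "ESTABLISHED" and f & FIN:
            new = "FIN_WAIT"                                # first FIN (active close)
            self.fin_from_client[key] = from_client
        elif state == "FIN_WAIT" and f & FIN and from_client != self.fin_from_client[key]:
            new = "LAST_ACK"                                # second FIN, from the other side
        elif state == "LAST_ACK" and f & ACK and not f & FIN:
            new = "CLOSED"                                  # final ACK
        else:
            new = state
        self.flows[key] = new
        return new

    def half_open(self):
        """Flows that started a handshake but never reached ESTABLISHED."""
        return [k for k, s in self.flows.items() if s in ("SYN_SENT", "SYN_RECEIVED")]


CLIENT, SERVER, SCANNER = "192.0.2.10", "198.51.100.20", "203.0.113.5"

SAMPLE_TRACE = [   # constructed, not captured
    # full open, one request, orderly close on port 80
    (CLIENT, SERVER, build_tcp(40001, 80, 1000, 0, SYN)),
    (SERVER, CLIENT, build_tcp(80, 40001, 5000, 1001, SYN | ACK)),
    (CLIENT, SERVER, build_tcp(40001, 80, 1001, 5001, ACK)),
    (CLIENT, SERVER, build_tcp(40001, 80, 1001, 5001, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")),
    (SERVER, CLIENT, build_tcp(80, 40001, 5001, 1019, ACK)),
    (CLIENT, SERVER, build_tcp(40001, 80, 1019, 5001, FIN | ACK)),
    (SERVER, CLIENT, build_tcp(80, 40001, 5001, 1020, ACK)),
    (SERVER, CLIENT, build_tcp(80, 40001, 5001, 1020, FIN | ACK)),
    (CLIENT, SERVER, build_tcp(40001, 80, 1020, 5002, ACK)),
    # SYN answered with SYN+ACK but never acknowledged: stays half-open
    (SCANNER, SERVER, build_tcp(55555, 22, 7000, 0, SYN)),
    (SERVER, SCANNER, build_tcp(22, 55555, 9000, 7001, SYN | ACK)),
    # closed port: the server answers the SYN with RST+ACK
    (SCANNER, SERVER, build_tcp(55556, 23, 7000, 0, SYN)),
    (SERVER, SCANNER, build_tcp(23, 55556, 0, 7001, RST | ACK)),
]


def run_trace(trace=SAMPLE_TRACE):
    tracker = ConnectionTracker()
    states = [tracker.observe(src, dst, seg) for src, dst, seg in trace]
    return states, tracker
```

The tracker deliberately ignores sequence and acknowledgement numbers; a production sensor must check them too, otherwise a segment with the right flags but out-of-window numbers moves the state machine while the endpoint discards it. The count of half-open flows per server is the usual thing to alert on.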
![Page 104: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/104.jpg)
UDP
• Used at the transport layer
• Connectionless, non-guaranteed communication
• UDP is assigned IP protocol number 17
• Defined in RFC 768
• http://www.faqs.org/rfcs/rfc768.html
• Uses 16-bit port numbers, like TCP
![Page 105: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/105.jpg)
UDP Header
![Page 106: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/106.jpg)
ICMP
• Documented in RFC 792
• http://www.faqs.org/rfcs/rfc792.html
• Some of the functions of ICMP are:
• Announce network errors (e.g., destination unreachable, type 3)
• Announce network congestion (source quench, type 4, now deprecated)
• Assist troubleshooting (echo request/reply, types 8 and 0, used by ping)
• Announce timeouts (time exceeded, type 11, used by traceroute)
![Page 107: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/107.jpg)
ICMP Header
• The protocol identifier number assigned to ICMP in the standard IP header is 1 (TCP is 6, UDP is 17)
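The UDP and ICMP slides above, as an added Python example (not code from the slide deck): the IP payload is dispatched by the protocol numbers the slides give (ICMP 1, UDP 17), the RFC 768 and RFC 792 headers are decoded, the ICMP checksum is verified, and the ICMP type is mapped onto the four functions the ICMP slide lists. For ICMP error messages the example also recovers, from the quoted IP header and first eight payload bytes, which flow the error refers to. The packets, including the "port unreachable" answer to a UDP probe, are constructed sample bytes.

```python
import struct

# Added example, not from the slide deck: dispatch an IP payload by the
# protocol numbers the slides give (ICMP = 1, UDP = 17), decode the RFC 768
# UDP header and the RFC 792 ICMP header, verify the ICMP checksum, and map
# the ICMP type onto the four functions the ICMP slide lists. For ICMP error
# messages, recover the flow they refer to from the quoted IP header.
# All packets are constructed sample bytes.

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

ICMP_FUNCTION = {                      # ICMP type -> function category from the slide
    0: "troubleshooting (echo reply)",
    3: "network error (destination unreachable)",
    4: "network congestion (source quench, deprecated by RFC 6633)",
    8: "troubleshooting (echo request)",
    11: "timeout (time exceeded)",
    12: "network error (parameter problem)",
}
ICMP_ERROR_TYPES = {3, 4, 11, 12}      # these quote the offending IP header + 8 bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the folded 16-bit sum.
    Over a message that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b"") -> bytes:
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_udp(seg: bytes) -> dict:
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):          # length field covers header + data
        raise ValueError("UDP length %d inconsistent with %d bytes" % (length, len(seg)))
    return {"proto": "UDP", "sport": sport, "dport": dport,
            "checksum_present": csum != 0, "payload": seg[8:length]}


def quoted_flow(quoted: bytes):
    """From the IP header + 8 payload bytes quoted in an ICMP error, return
    (protocol, src, dst, sport, dport) of the datagram that triggered it."""
    if len(quoted) < 20:
        raise ValueError("quoted header too short")
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 4:
        raise ValueError("quoted header too short")
    proto = quoted[9]
    src = ".".join(str(b) for b in quoted[12:16])
    dst = ".".join(str(b) for b in quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])  # TCP and UDP both start with the ports
    return proto, src, dst, sport, dport


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    if inet_checksum(msg) != 0:                  # checksum spans the whole ICMP message
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = msg[0], msg[1]
    result = {"proto": "ICMP", "type": icmp_type, "code": code,
              "function": ICMP_FUNCTION.get(icmp_type, "other"),
              "rest_of_header": msg[4:8], "payload": msg[8:]}
    if icmp_type in ICMP_ERROR_TYPES:
        try:
            result["quoted_flow"] = quoted_flow(msg[8:])
        except ValueError:
            result["quoted_flow"] = None
    return result


def demux(proto: int, payload: bytes) -> dict:
    """Dispatch on the IP header's Protocol field."""
    if proto == PROTO_ICMP:
        return parse_icmp(payload)
    if proto == PROTO_UDP:
        return parse_udp(payload)
    return {"proto": proto, "payload": payload}  # TCP and others: decoded elsewhere


def is_valid_icmp(msg: bytes) -> bool:
    try:
        parse_icmp(msg)
        return True
    except ValueError:
        return False


# Constructed samples: a DNS-sized UDP probe, the "port unreachable"
# (type 3, code 3) a host with no listener returns for it, and an echo request.
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"query"
SAMPLE_QUOTED_IP = bytes([0x45, 0, 0, 33, 0x12, 0x34, 0x40, 0, 64, PROTO_UDP, 0, 0,
                          192, 0, 2, 10, 198, 51, 100, 20]) + SAMPLE_UDP[:8]
SAMPLE_UNREACH = build_icmp(3, 3, payload=SAMPLE_QUOTED_IP)
SAMPLE_ECHO = build_icmp(8, 0, rest=b"\x00\x01\x00\x01", payload=b"abcdefgh")
```

The quoted flow is what makes ICMP errors useful to a sensor: a type 3 message says nothing on its own, but the header it quotes identifies the probe that provoked it, so unreachable messages can be correlated with the UDP flow that triggered them.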
![Page 108: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/108.jpg)
ARP
• Mechanism for IP-based devices to locate the hardware (MAC) addresses of other devices on the same subnet or local network
• Mandatory for IP-enabled systems on a broadcast LAN such as Ethernet to communicate with each other
• ARP is defined in RFC 826
• ARP is not carried inside IP; it travels directly in a link-layer frame (Ethernet type 0x0806)
![Page 109: 08-IDS IPS 2 [Compatibility Mode]](https://reader031.vdocument.in/reader031/viewer/2022013110/547f69ca5906b508298b45ae/html5/thumbnails/109.jpg)
ARP Header
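The ARP slides above, as an added Python example (not code from the slide deck): it decodes an Ethernet frame and the RFC 826 ARP packet inside it, and goes one step beyond the slide by keeping the IP-to-MAC table a sensor would learn from observed ARP traffic, recording whenever an IP address already in the table is announced with a different hardware address. The MAC and IP addresses and the three frames are constructed sample values.

```python
import struct

# Added example, not from the slide deck: decode an Ethernet frame and the
# RFC 826 ARP packet inside it, and keep the IP-to-MAC table a sensor would
# build from observed ARP traffic, recording when an address already in
# the table is announced with a different hardware address. MAC and IP
# addresses are constructed sample values.

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def parse_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(pkt: bytes) -> dict:
    """RFC 826 layout: htype, ptype, hlen, plen, oper, then sender hardware
    and protocol addresses, then target hardware and protocol addresses."""
    if len(pkt) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if len(pkt) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP packet shorter than its address fields")
    o = 8
    return {"oper": oper,
            "sha": mac_str(pkt[o:o + 6]), "spa": ip_str(pkt[o + 6:o + 10]),
            "tha": mac_str(pkt[o + 10:o + 16]), "tpa": ip_str(pkt[o + 16:o + 20])}


def build_arp_frame(oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet frame carrying an ARP packet; requests go to the broadcast MAC."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth_dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP) + arp


class ArpTable:
    def __init__(self):
        self.table = {}      # IP -> MAC, learned from the sender fields
        self.changes = []    # (ip, previous MAC, newly announced MAC)

    def observe(self, frame: bytes):
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            return None
        arp = parse_arp(eth["payload"])
        known = self.table.get(arp["spa"])
        if known is not None and known != arp["sha"]:
            self.changes.append((arp["spa"], known, arp["sha"]))
        self.table[arp["spa"]] = arp["sha"]
        return arp


HOST_MAC, GW_MAC, OTHER_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = [   # constructed, not captured
    build_arp_frame(ARP_REQUEST, HOST_MAC, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp_frame(ARP_REPLY, GW_MAC, "192.0.2.1", HOST_MAC, "192.0.2.10"),
    build_arp_frame(ARP_REPLY, OTHER_MAC, "192.0.2.1", HOST_MAC, "192.0.2.10"),  # same IP, new MAC
]


def run_sample() -> ArpTable:
    t = ArpTable()
    for frame in SAMPLE_FRAMES:
        t.observe(frame)
    return t
```

Both requests and replies feed the table, since the sender fields of a request are just as much an announcement as those of a reply. A change record is not by itself an alert: hosts legitimately change hardware addresses (a replaced NIC, a failover), so the sensor logs the change with the previous and new values and leaves the judgement to the analyst.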