---
title: "13-pen-testing-2"
aliases:
tags:
  - conp210
  - lecture
---

# Intrusion detection cont.

## Auditing

A thorough process of investigating and analysing a system for vulnerabilities.

- e.g., pen testing
- can also refer to logging (esp. in a database context)

## Firewalls

Protect against network intrusions.

- built in or third party
  - built in: integration, quality of control; often light convenience features, maybe no GUI
- black/whitelist
- mandatory access control on routers
  - e.g., block a network port
  - block ICMP packets (some systems are vulnerable)
- application-level filtering for desktop systems
  - finer-grained control: rules are linked to the applications themselves (processes); a router doesn't know about applications
  - may not trust one application to connect to a web server but do trust others, so you don't have to block everything on that web server
- provide alerting and logging (avoid crying wolf: "end user alert fatigue")

> Northcutt and Novak, *Network Intrusion Detection*

## Intrusion detection systems

- often bundled with commercial routers and network storage devices (NAS, SAN): "cloud storage within the organisation"
- can also be host-based (HIDS) rather than "situated around the network"
- intrusions can be identified by known signatures (like pattern-based virus scanners)
- can also be anomaly-based (using heuristics)

## Other intrusion detection topics

- file integrity checking: hash checking to detect changes
- backup and recovery

## Keeping up to date with vulnerabilities

- CERT NZ
- US-CERT
- CVE at MITRE
- NVD (US NIST National Vulnerability Database)
- conferences such as DEF CON

# Sting operations

Deliberately place software where it will interact with attacks, somewhat resembling a police sting operation.

## Honeypot

- decoy service used to attract attackers
  - divert attackers from the real service
  - identify attack origin
  - analyse the attack
  - create countermeasures
- honeynets: co-ordinated honeypots
  - analyse malware infection behaviour (malware epidemiology)
- bogus e-mail address lists to hinder spammers
  - individual e-mail addresses can be used to gather and analyse spam messages

## Tarpits

- similar to honeypots but for *slowing* an attack, not diverting it
- often deployed as a proxy server in front of the real service
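The IDS section above contrasts signature-based and anomaly-based detection, and the firewall section warns about alert fatigue. The following added example (my own code, not from the lecture) shows all three on a few constructed log lines: regex signatures, a rate heuristic for failed logins, and a summary step that collapses repeated alerts; the log format and the rules are assumptions for the demo.

```python
"""Tiny host-based IDS demo: signature matching, an anomaly heuristic and
alert aggregation over constructed log lines (added example, not lecture code)."""
import re
from collections import Counter

# Constructed sample log (not real data); each line is "<time> <src_ip> <message>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 Accepted password for alice
10:00:05 10.0.0.9 Failed password for root
10:00:06 10.0.0.9 Failed password for root
10:00:07 10.0.0.9 Failed password for root
10:00:08 10.0.0.9 Failed password for root
10:00:09 10.0.0.9 Failed password for root
10:00:10 10.0.0.9 Failed password for root
10:00:12 10.0.0.7 GET /index.php?page=../../../../etc/passwd
10:00:15 10.0.0.5 Accepted password for bob
"""

# Signature rules: known attack patterns, like a pattern-based virus scanner.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "root_login_attempt": re.compile(r"Failed password for root"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(log_text):
    """Yield (time, src_ip, message) tuples; lines that do not fit are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def signature_alerts(log_text):
    """Return one (rule_name, src_ip) alert for every line matching a known signature."""
    return [(name, src) for _, src, msg in parse(log_text)
            for name, pat in SIGNATURES.items() if pat.search(msg)]

def anomaly_alerts(log_text, threshold=5):
    """Heuristic: a source with more than `threshold` failed logins is flagged,
    whether or not any signature knows the specific attack (anomaly-based)."""
    failures = Counter(src for _, src, msg in parse(log_text)
                       if msg.startswith("Failed password"))
    return [(src, n) for src, n in failures.items() if n > threshold]

def summarise(alerts):
    """Collapse repeated (rule, src) alerts into counts to limit alert fatigue."""
    return dict(Counter(alerts))
```

Running `summarise(signature_alerts(SAMPLE_LOG))` turns six identical root-login alerts into a single entry with a count, which is the kind of aggregation the "crying wolf" bullet is about.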