Implementing Intrusion Detection and Prevention
Chapter 2: Intrusion Detection and Prevention Concepts

Implementing Intrusion Detection and Prevention Chapter 2–2 • Intrusion Detection and Prevention Concepts

This Chapter Discusses:
• Network attack phases and detection methods;
• Juniper Intrusion Detection and Prevention (IDP) products;
• IDP three-tier architecture; and
• Common IDP deployment modes.

Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential

After successfully completing this chapter, you will be able to:
• Describe network attack phases and detection methods
• Describe the Juniper Networks IDP products
• Describe the IDP three-tier architecture
• Describe the common IDP deployment modes

Network Attack Phases and Detection

The slide lists the topics we discuss in this chapter. We discuss the highlighted topic first.

→ Network Attack Phases and Detection
Juniper Networks IDP Product Offerings
Juniper Networks IDP Three-Tier Architecture
Juniper Networks IDP Deployment Modes

Protecting Network Assets

As an IT security professional, you realize the importance of protecting your network and internal servers from security breaches. Unpatched operating systems, misconfigured Web servers or routers, and internal users bringing in laptops with viruses can all cause havoc on the corporate network. Your job is to minimize network security breaches.

Attack Phases

The attack life cycle is a way of describing the stages of an attack and how someone, or something, might gain and keep access to your systems and network.

1. Reconnaissance phase—Attackers need to understand the network they are trying to access, so they use different types of network, system, and application discovery tools to figure out the best way to attack your system and network. During this phase, attackers perform port scans against target servers to determine what services are available. Fingerprinting of the operating system can also be performed.
2. Attack phase—Attackers gain access to your system or network. Examples of this phase include exploiting configuration and implementation mistakes, and exploiting vulnerabilities.
3. Propagation phase—Attackers gain increased access to the system or network by further exploitation. This phase includes leaving behind a backdoor to gain access through a secret means after the original exploit has been patched.

1. Reconnaissance phase:
• Attacker scans for server to exploit
2. Exploit phase:
• Once vulnerable server found, exploit (attack) is launched to gain administrative access on server
3. Propagation phase:
• With admin access on server, uses trust relationship with other back-end servers to take those over. Attacker creates a tunnel back to himself to control the target's networks.

Attacks Use Different Network Layers

Different TCP/IP protocol layers detect different phases of an attack; for example:
• In general, attacks in the reconnaissance phase use network scans and port scans. These attacks occur at the TCP/IP network layer.
• In general, attacks in the exploit phase use the network and application layers.
• Attacks in the propagation phase send data in both the TCP/IP network layer and the TCP/IP application layer.

Thus, in order to detect these attacks, a security device must examine both the network and application layers.

Example Attacks

The chart on the slide lists various attacks and the layer of the TCP/IP stack that corresponds to each attack.

Firewall

The firewall provides the first layer of defense by providing perimeter and boundary protection using data encryption (VPN services), authentication (identity verification), access control (firewall), and some attack detection and prevention (Intrusion Prevention System [IPS]). When the firewall receives traffic, it looks at the set of rul
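The "Attacks Use Different Network Layers" section above argues that a reconnaissance-phase port scan is only visible in network-layer headers, while an exploit-phase request is only visible in application-layer content. The following added example (not part of the course material or any Juniper product) runs both checks over constructed connection records; the addresses, ports, payload strings and the single hypothetical signature are assumed sample values.

```python
from collections import defaultdict

# Constructed sample connection records, not taken from the course material.
# Each record carries network-layer fields (src, dst, dport) and, when a request
# was observed, a short application-layer excerpt in "payload".
SCANNED_PORTS = (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306)
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": p, "payload": None}
    for p in SCANNED_PORTS
] + [
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /cgi-bin/../../etc/passwd HTTP/1.1"},
]

# Hypothetical application-layer signature table: substring -> attack name.
APP_SIGNATURES = {"../": "directory traversal attempt"}


def detect_port_scans(events, min_ports=8):
    """Network-layer check (reconnaissance phase): a source that touches many
    distinct ports on one host is reported as a scanner. Only header fields
    are used, so the scan is visible even though no payload was ever seen."""
    ports = defaultdict(set)
    for ev in events:
        ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_app_signatures(events, signatures=APP_SIGNATURES):
    """Application-layer check (exploit phase): match request content against
    signatures. Headers alone cannot separate the malicious request from the
    legitimate one, since both are single connections to port 80."""
    hits = []
    for ev in events:
        if ev["payload"] is None:
            continue
        for needle, name in signatures.items():
            if needle in ev["payload"]:
                hits.append((ev["src"], ev["dst"], name))
    return hits


def analyze(events):
    """Run both layers and group the findings by attack phase."""
    return {
        "reconnaissance": detect_port_scans(events),
        "exploit": detect_app_signatures(events),
    }
```

Calling `analyze(SAMPLE_EVENTS)` reports the scanner only from the network-layer check and the traversal attempt only from the application-layer check, which is the point the section makes about needing both.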