Real time monitoring of

network activity
Traffic Detection
Incident Identification Listens to data and
Motivation and Study Techniques to help Cisco
helps with
Response you learn, remember, and pass your
CISSP
Logging technical exams!
CEH
Network Based More coming soon...
Systems
Host Based
Also known as Knowledge based IDS Visit us www.mindcert.com
Low False Positives
Advantages
Understandable alarms Signature Based
Resource intensive
Disadvantages
New attacks go unnoticed Provides security services at the IP layer
Methodologies
Detects based on user patterns
Can dynamically adapt to new attacks A framework of services
Advantages
Not as OS dependant Behavior Based
Intrusion Detection Adds security to the upper
layers in the OSI model By Implementing a new set of headers
High false positives Definition
Disadvantages
Can affect user activity One SA is required per direction
SNMP Utilizes Security Associations (SA) A router to router IPsec VPN
Logging will use two SA's One in each direction
Syslog
Launch and attack
Actions Access Control is the
Block
Issue an SMS or E-mail
heart of security
Trace the connection Fundamental for providing CIA
Configure Alarms Prevent modification by unauthorized users
Interferes with legitimate traffic Why Control Access? Prevent unintentional modification by
Three Goals
Have to check Systems using HIDS for unauthorized users
performance problems Concerns Preserve internal and external data consistency
NIDS may lose packets due to System and network latency
bandwidth limitations Avoid
Preventative

As it states, Sign on Once Detective Identify

Users Love it
Deterrent Discourage
Novell NDS and Microsoft AD Controls may be
SSO Directory Services
Sign on once for access to all resources Fix or Repair
Corrective
Started as Project Athena
Recovery Restore
Currently in version 5
Introduced in Windows 2000 Policies
Uses Symmetric Key Cryptography
Procedures
Holds the Cryptographic Keys Administrative Controls
Key Distribution Centre (KDC) Training
Tickets Components Background checks
Ticket Granting Server (TGS) ACLs
Implementing Controls Logical/Technical Controls
Subject requests access to an object Encryption
Includes a session key derived from Gates
the users password Request goes via the KDC Guards
Kerberos Physical Controls
KDC Generates a ticket for the subject and object Fences
Kerberos Process
Subject validates the ticket came from the KDC Badges
Subject sends ticket to object "soft" policy procedures such as
Object validates the ticket Administrative background checks
Kerberized session is established Object grants access to subject
Encryption
Each piece of software must be Kerberized Single Sign on Preventative Technical Smart Cards
Requires synchronized time clocks Systems Biometrics
Relies on UDP Problems Examples
Badges
Weakness in v4 allowed password attacks Physical
Fences
KDC can be a SPOF Combinations
Job rotation
Secure European System for Applications in a Multivendor Environment
Control Types Administrative Supervision
Designed to extend Kerberos CISSP
Existing Violations
Uses Public Key and Symmetric Access Control
Cryptography IDS
Systems and Detective
Technical
Authenticates with a Privileged System Scanners
Attribute Certificate
Methodology
SESAME
One contains Authentication Motion Detectors
Uses two tickets Physical
One contains the access rights to the client CCTV

Only authenticates using the first All objects controlled at a central point
block of the message Very strict Access Control
Weaknesses
Initial exchange passed on password authentication Ease of Administration

IBM system like Kerberos Could be SPOF

Peer-to-Peer relationship between RADIUS

Client-Server KDC and parties KRYPTONIGHT Serves Dial In Users
Authentication through one way hash Incorporates an Authentication server
of users password stored on server Centralized Authentication and dynamic password
NETSP TACACS
Centralized and Decen‐
Password tralized Access Control Types Static password
PIN What you Know
TACACS+
Passphrase
Weak Passwords
Type 1 Authentication Supports token authentication
Reused
Strong Passwords
Written Down Issues Remote Authentication
Default passwords Decision is closer to the objects
Decentralized
Password Age More Administration Overhead
Different User Rights around the network
Tokens
Tickets What you Have Hybrid Model A Mixture of centralized and decentralized

OTP
More Expensive than Type 1 Subject person or process
Controlling access by a
May have to be combined with Type 1 Type 2 Authentication subject to an object
Object file or resource
More Complex
Issues
Can lock the user out if they lose token Involves Rule Creation
Can be copied or forged Assigns classification levels to objects
Again, total strength is in the PIN Subject must have equal or higher
Security Labels
security than the object
Physical Characteristics
Identification and May be assigned per user, or per group
Iris/Retina Scans
Authentication Mandatory Set of Rules
Fingerprinting
Biometrics Rule based Access Control
Voice Recognition
What you Are Data Owners have less freedom than DAC
Signature Mandatory Access
Access Granted on Rules or Security Labels
DNA, Blood Control (MAC)
More Secure (Government)
Cannot be lent or borrowed Control Models
Every Resource has a label, every user has a clearance
Lasts forever
Used by the military
Wrong rejections
False Rejection Rate (FRR) Embodies the concept of need to know
Turn down the sensitivity Type 3 Authentication Identity Based Access Control
VERY BAD
Discretionary Access Owner specifies access levels
Wrong acceptions Control (DAC)
False Acceptance Rate (FAR) Like UNIX and Windows
Turn Up the Sensitivity
Most common Access Control
False Rejection Rate (FRR) Issues
Access based on Job Description
The FRR and FAR combined gives you Role based Access Control
Lower CER is Always Better the Crossover Error Rate (CER) Good for high staff turnover
Non discretionary
Lattice based ACL Access based on the job role and the task
Expensive
Immature market
Bad user acceptance