What does a tarpit specifically do to detect and prevent intrusion into your network?
Question 14 (Correct)

What does a tarpit specifically do to detect and prevent intrusion into your network?

Passively monitors and logs suspicious activity until it detects a known attack pattern, then shuns the intruder by dropping their connection.

Entices intruders by displaying a vulnerability, configuration flaw, or data that appears to be of value.

Uses a packet sniffer to examine network traffic and identify known attack patterns, then locks the attacker's connection to prevent any further intrusion activities.

Answers connection requests in such a way that the attacking computer is stuck for a period of time.

Explanation
A tarpit (also called a sticky honeypot) is a honeypot that answers connection requests in such a way that the attacking computer is stuck for a period of time.
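The explanation above describes what a tarpit does but not how it is built. The following is an added example, not part of the quiz or of LabSim: a minimal asyncio tarpit that accepts a TCP connection and then dribbles out a meaningless banner one short line at a time, so a scanner that waits for the service to finish talking is held for the whole drip schedule. The port, drip interval and line count are constructed for the demo; a production tarpit would never stop dripping and would typically sit on a range of otherwise unused addresses.

```python
import asyncio
import time

# Demo parameters (constructed for this example, not from the quiz text).
DRIP_INTERVAL = 0.05  # seconds between the bytes dribbled to a trapped client
MAX_DRIPS = 8         # a real tarpit never stops; the demo stops so it can exit


async def tarpit_handler(reader, writer):
    """Accept the connection, then keep it alive by sending one short line
    every DRIP_INTERVAL seconds. The client sees a live but useless service
    and spends its time waiting instead of moving on to real hosts."""
    try:
        for i in range(MAX_DRIPS):
            writer.write(b"%d\r\n" % i)   # content is irrelevant, timing is the point
            await writer.drain()
            await asyncio.sleep(DRIP_INTERVAL)
    except (ConnectionResetError, BrokenPipeError):
        pass  # the client gave up early; nothing more to do
    finally:
        writer.close()


async def _trapped_client(port):
    """Connect the way an impatient scanner would and read until the server
    closes; returns what was received and how long the wait took."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    received = b""
    while True:
        chunk = await reader.read(64)
        if not chunk:          # EOF: the tarpit finally let go
            break
        received += chunk
    writer.close()
    await writer.wait_closed()
    return received, time.monotonic() - start


async def _demo():
    # Port 0 asks the OS for a free ephemeral port on loopback.
    server = await asyncio.start_server(tarpit_handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        received, elapsed = await _trapped_client(port)
    return {
        "bytes": received,
        "lines": received.count(b"\r\n"),
        "elapsed": elapsed,   # roughly MAX_DRIPS * DRIP_INTERVAL seconds
    }


def run_demo():
    """Run the tarpit on an ephemeral localhost port and trap one client."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    result = run_demo()
    print("trapped client received %d lines in %.2f s"
          % (result["lines"], result["elapsed"]))
```

The design choice is that the cost falls entirely on the connecting side: the handler holds almost no state per connection, while the client's socket timeout and retry logic decide how long it stays stuck. Lengthening DRIP_INTERVAL (or removing MAX_DRIPS) makes the trap harsher without changing the code shape.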
References
LabSim for Network Pro, Section 14.1.

The first part of this series discussed the concept of Alerts, Consoles, False Negatives, and many other terms that are important for Intrusion Detection Systems (IDS). This second and final terminology article will continue in the same vein, starting with an explanation of the many different types of IDSs that exist today.

IDS Categories

Although we tend to talk about IDSs as though they are just one thing, there are actually many different types of IDS. The following is a list of the various types of IDS, and a brief explanation of what differentiates them.

Application IDS
Application IDSs are aware of the intrusion signatures for specific applications, usually the more vulnerable applications such as Web servers, databases etc. However, many of the host-based IDSs that ordinarily look at operating systems are becoming more application-aware. One example of an application-specific IDS is Entercept Web Server Edition.

Consoles -- see Consoles in Part One of this series.

File Integrity Checkers
Examples include Tripwire and Intact.

Honeypots -- see Honeypot in Part One of this series.

Host-based IDS

Hybrid IDS
Some vendors refer to any IDS that fills more than one role as being a Hybrid IDS. However, I feel this is more out of marketing greed than genuine honesty. The term "Hybrid IDS" was flavor of the month circa mid-2000 and many vendors wanted to jump on the bandwagon.

Network IDS (NIDS)
Many Network IDS have the facility to respond to attacks, which was covered under Automated/Active Response in Part One of this document. Hype about how Network IDS has seen its day pass due to high speeds and switched networks raises its head every so often, but some Network IDS can cope with gigabit speeds with minimal dropped packets, and switched networks can be overcome with spanning ports or TAPs such as those supplied by Shomiti. Examples of Network IDS include SecureNet Pro and Snort.

Network Node IDS (NNIDS)

Personal Firewall
Examples include ZoneAlarm and Sygate.

Target-Based IDS

Network Intrusion Prevention System / Inline IDS

Host Intrusion Prevention System

Attack/DDOS Mitigation Tool

Additional IDS Terminology

Intrusion Detection Working Group (IDWG)
The purpose of the Intrusion Detection Working Group is to define data formats and exchange procedures for sharing information of interest to intrusion detection systems and response systems, and to management systems which may need to interact with them. The Intrusion Detection Working Group will coordinate its efforts with other IETF working groups.

Islanding

Load Balancing

Low and Slow

OS Fingerprinting
Traditionally tools such as nmap would be used by an attacker to scope a target prior to an attack; now they are used within IDS to ascertain the threat posed by an attack based on how susceptible a target is to the attack. For instance, a Windows attack against a Linux box would be considered benign.

Passive

Active
Active fingerprinting is identifying the operating system of a remote host through stimulus-response. Different operating systems respond to certain packets in different ways, allowing the fingerprinter to identify not only the OS but often its patch level.

Out Of Band (OOB)

Promiscuous

Routers

Shunning

Signatures

Protocol Decode/Analysis

Heuristic
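The OS Fingerprinting entry above says an IDS can use the target's operating system to decide whether an alert matters, and that fingerprinting can be passive (observing) or active (stimulus-response). The following added example, which is not from the article or any of the products it names, shows the passive side and the triage that follows: it guesses the OS family of a host from the TTL of a captured SYN (rounding the observed TTL up to the nearest common initial value, which also yields the hop count), records the result in an asset inventory, and then marks each alert as relevant, benign or needing review depending on whether the signature's affected OS matches the host. The SYN observations, the TTL table and the signature names are all constructed for the demo and far smaller than what a real passive fingerprinter such as p0f uses.

```python
# Constructed SYN observations for this example (not from the article):
# (source IP, IP TTL as seen on the wire, TCP window size).
OBSERVED_SYNS = [
    ("10.0.0.5", 61, 65535),
    ("10.0.0.9", 124, 8192),
    ("10.0.0.12", 248, 4128),
]

# Assumed, deliberately tiny fingerprint table: common initial TTL values and
# the OS family they are usually associated with. Real tools use many more
# header fields (window size, options order, DF bit, ...) and bigger databases.
INITIAL_TTLS = (64, 128, 255)
TTL_TO_OS = {64: "linux", 128: "windows", 255: "solaris"}

# Assumed mapping from (constructed) IDS signature names to the OS families
# the corresponding attack can actually affect.
SIGNATURE_TARGETS = {
    "exploit-windows-only": {"windows"},
    "exploit-linux-only": {"linux"},
    "bruteforce-any-os": {"linux", "windows", "solaris"},
}


def normalise_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.
    Routers decrement TTL by one per hop, so (initial - observed) is the
    path length from the sender. Returns (None, None) for impossible TTLs."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def passive_fingerprint(ttl, window):
    """Guess the OS family from a single captured SYN; nothing is sent to
    the host, which is what makes this 'passive'."""
    initial, hops = normalise_ttl(ttl)
    return {
        "os": TTL_TO_OS.get(initial, "unknown"),
        "hops": hops,
        "window": window,   # recorded for the analyst; not used by the toy table
    }


def build_inventory(syns):
    """Asset inventory: source IP -> guessed OS family."""
    return {ip: passive_fingerprint(ttl, window)["os"] for ip, ttl, window in syns}


def assess_alert(signature, dst_ip, inventory):
    """Target-based triage: an attack that only works against one OS family,
    aimed at a host running another, is benign; a host we have never
    fingerprinted needs a human look rather than an automatic verdict."""
    host_os = inventory.get(dst_ip, "unknown")
    if host_os == "unknown":
        return "review"
    return "relevant" if host_os in SIGNATURE_TARGETS[signature] else "benign"


if __name__ == "__main__":
    inventory = build_inventory(OBSERVED_SYNS)
    for sig, dst in [("exploit-windows-only", "10.0.0.5"),
                     ("exploit-windows-only", "10.0.0.9"),
                     ("exploit-linux-only", "10.0.0.77")]:
        print(sig, dst, inventory.get(dst, "unknown"), assess_alert(sig, dst, inventory))
```

The "review" outcome is the important edge case: suppressing an alert because the inventory is silent about the host would turn a gap in fingerprinting into a false negative, so only a positive OS mismatch is allowed to downgrade an alert.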
Some signatures are based on Network Grepping, looking for a sequence of traffic that matches that within an attack. Pattern matching or grepping signatures are easier to create but are prone to reporting false positives.

Anomaly/Behavioral Signatures

Protocol anomaly

Statistical anomaly
A statistical anomaly based IDS highlights deviation from the general rule by building a profile of the host or network activity over time. When an event occurs which is outside this profile the IDS will alarm. For example, this happens in a Host IDS when a user suddenly performs a highly privileged function when he/she hasn't done so previously. Or, in the case of a network IDS, a profile is built of the network traffic over time, as this traffic shouldn't vary significantly without good reason. The IDS will then alert when the traffic steps outside certain parameters. As well as fulfilling a valuable security function, the information is often extremely valuable to network administrators.

Stealth Mode

Taps

Tarpit

Tuning

Visualization

Summary
IDS terminology continues to develop, and some terms have even changed since I started writing this article. I have tried, where possible, to include the various meanings of the same term and hope I have covered them to your satisfaction. If further clarification is sought regarding the terms or if you wish to discuss or comment on the terms please do not hesitate to contact me.

Andy Cuff is a computer security consultant who specializes in Intrusion Detection. He is currently responsible for deploying and maintaining various IDSs on a Global network of over 300,000 hosts. During the last two decades he has experienced a variety of different security roles ranging from cryptography to TEMPEST and from bug sweeping to pen testing. In his spare time he maintains the vendor independent Talisker Security Tools website which offers salient details on every known network security device. Andy is a regular contributor to many security-related mailing lists.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
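The two signature families the article contrasts, grep-style pattern matching (easy to write, prone to false positives) and statistical anomaly detection (a profile built over time, alerting on deviation such as a user's first privileged action or a traffic volume outside the usual range), are easiest to compare on the same data. The block below is an added example written for this page, not code from the article or from any IDS it names. It runs both approaches over a constructed set of audit events: a training window builds the per-user profile of privileged actions and the mean and standard deviation of bytes sent, and a live window is then checked by each detector. The event format, the two regex signatures and the thresholds are all assumptions of the demo.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample audit events (not from the article). Each tuple is
# (minute, user, request_or_command, bytes_out). TRAINING builds the
# profile; LIVE is what the detectors are then run over.
TRAINING = [
    (1, "alice", "GET /index.html", 1200),
    (2, "alice", "GET /docs/intro.html", 1400),
    (3, "bob",   "GET /api/status", 1100),
    (4, "bob",   "sudo systemctl restart web", 1300),
    (5, "alice", "GET /docs/faq.html", 1250),
    (6, "bob",   "GET /api/status", 1150),
]
LIVE = [
    (7,  "alice", "GET /docs/intro.html", 1300),         # ordinary
    (8,  "alice", "sudo cat /etc/shadow", 1200),         # privileged; alice has never used sudo
    (9,  "bob",   "sudo systemctl restart web", 1250),   # privileged, but already in bob's profile
    (10, "bob",   "GET /../../etc/passwd", 1100),        # traversal attempt; matches the grep signature
    (11, "alice", "grep -r '../../' docs/", 1150),       # harmless, but the same bytes appear: false positive
    (12, "bob",   "GET /api/status", 90000),             # normal request, abnormal volume
]

# Grep-style signatures (assumed for the demo): a byte pattern, nothing more.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "etc-shadow": re.compile(r"/etc/shadow"),
}


def signature_alerts(events):
    """Pattern matching: fires whenever the bytes appear, regardless of
    whether the surrounding context is hostile (minute 11 shows the cost)."""
    alerts = []
    for minute, user, text, _ in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((minute, user, "signature:" + name))
    return alerts


def build_profile(events):
    """Statistical profile from a training window: the privileged actions
    each user has already performed, and the mean/stdev of bytes_out."""
    privileged = defaultdict(set)
    volumes = []
    for _, user, text, nbytes in events:
        if text.startswith("sudo "):
            privileged[user].add(text)
        volumes.append(nbytes)
    return {
        "privileged": privileged,
        "mean": statistics.mean(volumes),
        "stdev": statistics.stdev(volumes),
    }


def anomaly_alerts(events, profile, z_threshold=3.0):
    """Alert on deviation from the profile: a privileged action the user has
    not performed before, or a volume more than z_threshold standard
    deviations above the training mean."""
    alerts = []
    for minute, user, text, nbytes in events:
        if text.startswith("sudo ") and text not in profile["privileged"][user]:
            alerts.append((minute, user, "anomaly:new-privileged-action"))
        z = (nbytes - profile["mean"]) / profile["stdev"]
        if z > z_threshold:
            alerts.append((minute, user, "anomaly:traffic-volume"))
    return alerts


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for alert in signature_alerts(LIVE) + anomaly_alerts(LIVE, profile):
        print(alert)
```

Running it shows the trade-off the article describes: the grep signatures catch the traversal attempt at minute 10 but also fire on the benign grep command at minute 11, while the anomaly detector stays quiet for both, flags alice's first sudo at minute 8 (and not bob's routine one at minute 9), and is the only detector that notices the volume spike at minute 12, which contains no suspicious bytes at all. The profile also has to be rebuilt as legitimate behaviour changes, which is the tuning burden the article alludes to.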
What security mechanism can be used to detect attacks originating on the Internet?
A signature-based intrusion detection system (SIDS) monitors all the packets traversing the network and compares them against a database of attack signatures or attributes of known malicious threats, much like antivirus software.
What does an IDS that uses signature recognition use to identify attacks?
Signature-based IDS systems feature a database or collection of signatures or attributes demonstrated by recognized breach attacks or malicious threats incorporated into the system. These systems monitor all network traffic and match it against the fingerprints of specific known threats.
Which of the following actions can intrusion systems take?
Intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. An IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address.
Which of the following intrusion detection and prevention systems uses fake resources to entice intruders?
A honeypot. It's a sacrificial computer system that's intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating, or to distract them from other targets.