3.1.16 Evaluate the advantages and disadvantages of a variety of methods for network security.
  • Intrusion Detection System (IDS)

    • security system detecting malicious activity
    • 2 types
      • 1) host based (HIDS)
        • on individual system (can’t look further)
      • 2) network-based (NIDS)
        • on network → sees traffic (can’t look into individual systems)
    • logic components:
      • traffic collector/sensor
        • collects activities/events
          • HIDS: e.g. log files, audit logs, traffic
          • NIDS: e.g. copies traffic (sniffer)
      • analysis engine
        • examines collected and compares to known patterns from signature database
      • signature database
        • patterns/definitions of known malicious activity
      • User interface (& reporting)
        • alerts for human
    • Connection to the OSI & TCP/IP Model
      • operates on Layers 3-6
        • Layer 6: Presentation (configures data)
          • HIDS can examine encrypted data
        • Layer 5: Session
          • intercepts communication of malicious activity detected
        • Layer 4: Transport
          • detects invalid TCP packets
        • Layer 3: Network
          • packets created → detects invalid TCP packets



IDS in general
  • Advantages
    • easy to install
    • not much extra
  • Disadvantages
    • needs frequent updating of signature database, as software only identifies known attacks happening in a specific way
    • administrator needed to investigate attack and patch exploit
    • don’t report whether attack successful or failed

HIDS
  • Advantages
    • can examine encrypted data
    • detects which users attacked
    • can handle switch-based networks
  • Disadvantages
    • needs network traffic of its own → can reduce performance
    • can be irritated by DoS attack
    • consumes resources of host

NIDS
  • Advantages
    • few devices needed
    • ‘cheap’
    • can be undetectable to hacker
  • Disadvantages
    • traffic on internal network not analysed
    • may miss attack during peak-time use
    • some can’t interpret encrypted data
    • inefficient for scanning switch-based networks
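The four logic components listed above (collector/sensor, analysis engine, signature database, reporting) as a minimal signature-based HIDS in Python. This is an added example, not code from the notes; the signature entries and the log lines are constructed, and it also shows the maintenance point from the table: an event is only reported once a matching signature has been added to the database.

```python
import re
from dataclasses import dataclass

# Signature database: patterns/definitions of known malicious activity.
# Entries are constructed for this example, not a real IDS ruleset.
SIGNATURES = [
    {"id": "SIG-001", "name": "SSH password guessing",
     "pattern": r"sshd\[\d+\]: Failed password for \S+ from \S+"},
    {"id": "SIG-002", "name": "Directory traversal request",
     "pattern": r'"GET \S*\.\./\.\./'},
]

@dataclass
class Alert:
    sig_id: str
    name: str
    event: str

def collect(raw: str) -> list[str]:
    """Traffic collector/sensor: a HIDS reads host log files; here the
    'log file' is a string so the example runs offline."""
    return [ln for ln in raw.splitlines() if ln.strip()]

def analyse(events: list[str], signatures=SIGNATURES) -> list[Alert]:
    """Analysis engine: compare every collected event with every signature."""
    compiled = [(s, re.compile(s["pattern"])) for s in signatures]
    return [Alert(s["id"], s["name"], ev)
            for ev in events for s, rx in compiled if rx.search(ev)]

def report(alerts: list[Alert]) -> list[str]:
    """User interface/reporting: one line per alert for a human to investigate.
    The IDS cannot say whether the attempt actually succeeded."""
    return [f"ALERT {a.sig_id} {a.name}: {a.event}" for a in alerts]

# Constructed sample log (syslog and web-server style lines), not real traffic.
SAMPLE_LOG = """
Apr 29 10:01:02 host sshd[812]: Failed password for root from 203.0.113.9 port 4412 ssh2
Apr 29 10:01:03 host sshd[812]: Failed password for root from 203.0.113.9 port 4413 ssh2
203.0.113.9 - - [29/Apr/2015:10:02:10] "GET /../../etc/passwd HTTP/1.1" 404 0
Apr 29 10:03:00 host sudo: alice : COMMAND=/bin/cat /etc/shadow
Apr 29 10:04:00 host sshd[813]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
"""

def run(raw: str = SAMPLE_LOG, signatures=SIGNATURES) -> list[str]:
    return report(analyse(collect(raw), signatures))

if __name__ == "__main__":
    print("\n".join(run()))  # 3 alerts: the sudo line matches no signature yet
    # Updating the signature database is what makes the fourth event detectable.
    updated = SIGNATURES + [{"id": "SIG-003", "name": "Read of /etc/shadow via sudo",
                             "pattern": r"sudo: .*COMMAND=.*/etc/shadow"}]
    print(len(run(signatures=updated)))  # 4
```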



Web-Filters
  • search for content that has to be blocked
  • web data enters the network, but before it is forwarded to the target devices the data packets are inspected by a filter
  • there are:
    • malicious-activity web-filters
      • search packet content for patterns of malicious actions
    • website-blocking web-filters
      • schools, companies, etc. can block specific websites or website “groups” (grouped by the companies that sell those packages) for various reasons


  • advantages are
    • that a separate firewall isn't needed if web-filters are used, since they can be more advanced
      • they can do everything a firewall does and additionally inspect the packets for more advanced security
    • users can be protected from content by not letting those packets into the network
      • younger children can be protected from web content that should not be available to underage children
        • web-filters for parents are available
      • companies and schools can block websites so that students or workers don't get “off track” and keep working
  • disadvantages are
    • they can always be bypassed
      • for more advanced filters, virtual private network tunnels can be used to bypass the filter, since encrypted packet content can't be inspected
    • they cost a lot
      • schools and companies pay a lot for web-filters with pre-blocked content for specific groups
        • must be kept secure and updated every month
    • it takes a lot of effort to keep the system updated while still not blocking websites that are needed



MAC Address
A MAC address is an identifier assigned to a network interface so that it can communicate on the physical network segment. MAC addresses are used as network addresses for most network technologies, including Ethernet and Wi-Fi. They belong to the Media Access Control sub-layer of the OSI Data Link layer. The address is assigned by the hardware manufacturer. Changing this address causes security problems: MAC address spoofing is the practice of changing your interface's address, which can lead to security leaks.


ARP








Created By: Lucie Magister, Max Kossatz,
Last update: 29/04/2015

Sources: