24 Dec 2011

Information System Security (what you need to know): BASICS


Security is defined as the protection of assets from threats.
Assets may include information, hardware, software, supporting devices, people, communication media, processing capability, or money (including information that is expressed as money when it is sold).
(Cooper, James Arlin, Computer and Communication Security Strategies for the 1990s, McGraw-Hill, 1989, p. 11).
The communication referred to here is computer communication: the stream of data flowing from one computer to another, or from a computer to a supporting device such as a printer.

Aspects of Computer Security
1. Authentication
The recipient of information can verify that it genuinely came from the claimed sender.
2. Integrity
Information sent over the network is not modified by unauthorized parties while in transit.
3. Non-repudiation
The sender cannot later deny having sent the information.
4. Authority
Information residing on the network can only be modified by parties authorized to do so.
5. Confidentiality
The effort to keep information from being accessed by unauthorized parties.
6. Privacy
Protection of data that is personal in nature.
7. Availability
Information is available when it is needed. An attack on the operating system may hinder or remove access to the place where the information is stored.
8. Access Control
Regulating who may access information. It is closely tied to authentication and privacy. Access control is commonly enforced with a user ID and password combination, or with other mechanisms.

Aspects of Security Threats
1. Interruption
A threat to availability: information and data inside the computer system are damaged or deleted, so that they are unavailable when they are needed.
2. Interception
A threat to confidentiality (secrecy): information stored on a computer, or in transit, is read by unauthorized parties.
3. Modification
A threat to integrity: an unauthorized party taps the information being transmitted and alters it as the tapper sees fit.
4. Fabrication
A threat to integrity: false information is injected so that the recipient is fooled into believing it came from the genuine sender.
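The following is an added example, not part of the original post, showing how a shared-key message authentication code (HMAC, RFC 2104) lets a recipient detect the modification and fabrication threats listed above, and which threats it does not cover. The key, the messages and the attacker's edits are constructed here for illustration.

```python
"""Added example (not from the original post): detecting modification and
fabrication with an HMAC. Key, messages and attacker actions are constructed."""
import hashlib
import hmac
import os

# Assumption: Alice and Bob agreed this key out of band; Mallory does not have it.
KEY = b"constructed-shared-secret-do-not-reuse"


def tag(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recipient side: recompute the tag and compare in constant time, so a
    byte-by-byte early exit does not leak how much of a forged tag was right."""
    return hmac.compare_digest(tag(key, message), received_tag)


def demo() -> dict:
    msg = b"transfer 100 to account 42"
    t = tag(KEY, msg)

    # Interception: Mallory can still read msg. An HMAC gives no confidentiality;
    # that needs encryption.
    # Modification: Mallory changes the amount but cannot recompute a valid tag.
    modified = b"transfer 900 to account 42"
    # Fabrication: Mallory invents a whole message and guesses a tag.
    forged = b"transfer 100 to account 99"
    forged_tag = os.urandom(32)

    return {
        "genuine_accepted": verify(KEY, msg, t),
        "modified_rejected": not verify(KEY, modified, t),
        "forged_rejected": not verify(KEY, forged, forged_tag),
        # Replay of a genuine message is NOT caught: the tag is still valid.
        # A counter or nonce inside the message is needed for that.
        "replay_accepted": verify(KEY, msg, t),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the demo makes visible: the HMAC does nothing for confidentiality (interception) or for replay, and because both parties hold the same key it cannot provide non-repudiation, since Bob could have produced any tag Alice produced; that property needs a digital signature.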

Detecting Attacks
1. Anomaly Detection (deviation detection)
Detects unusual behaviour occurring on a host or network; the attack is detected because the system is able to recognize the difference from normal. Anomaly detection builds profiles representing the normal habits of users, hosts or the network. The profile is built from historical data collected during a period of normal operation. When a deviation is found, various response steps are taken.
2. Misuse Detection (signature-based detection)
The detector analyses system activity, looking for events that match known patterns of attack behaviour (signatures).
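As an added example that is not part of the original post, the block below puts a miniature anomaly detector and a miniature misuse detector side by side: the first builds a per-user profile from a constructed "normal period" of logins and scores new logins against it, the second matches regular-expression signatures against constructed web-server log lines. User names, addresses, hours and the three signatures are all illustrative assumptions.

```python
"""Added example (not from the original post): anomaly detection from a
behaviour profile, and misuse detection from signatures. All data is
constructed inline."""
import re
import statistics
from collections import defaultdict

# --- Anomaly detection ----------------------------------------------------

# Constructed "period of normal operation": (user, login_hour, source_ip).
# alice logs in 08:00-17:00 from one workstation, bob 09:00-18:00 from another.
NORMAL_HISTORY = (
    [("alice", h, "10.0.0.5") for h in range(8, 18) for _ in range(20)]
    + [("bob", h, "10.0.0.7") for h in range(9, 19) for _ in range(20)]
)


def build_profile(history):
    """Per user: the source addresses seen, and the mean/stdev of the login
    hour. This is the 'profile of normal habits' the post describes."""
    hours, sources = defaultdict(list), defaultdict(set)
    for user, hour, src in history:
        hours[user].append(hour)
        sources[user].add(src)
    return {
        user: {
            "sources": sources[user],
            "hour_mean": statistics.mean(hours[user]),
            "hour_stdev": statistics.pstdev(hours[user]),
        }
        for user in hours
    }


def score_event(profile, event, z_limit=3.0):
    """Deviations found for one new login event; an empty list means normal."""
    user, hour, src = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if src not in p["sources"]:
        reasons.append(f"new source address {src}")
    # z-score of the login hour against this user's own history
    if p["hour_stdev"] > 0 and abs(hour - p["hour_mean"]) / p["hour_stdev"] > z_limit:
        reasons.append(f"unusual login hour {hour:02d}:00")
    return reasons


# --- Misuse (signature) detection -----------------------------------------

SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\s+select|or\s+1\s*=\s*1"),
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\};"),
}


def match_signatures(line):
    """Names of every signature whose pattern occurs in the log line."""
    return [name for name, pat in SIGNATURES.items() if pat.search(line)]


# Constructed web-server log lines.
WEB_LOG = [
    '203.0.113.9 - - "GET /index.php?id=1 HTTP/1.1" 200',
    '203.0.113.9 - - "GET /index.php?id=1 UNION SELECT user,pass FROM users HTTP/1.1" 200',
    '198.51.100.4 - - "GET /../../../../etc/passwd HTTP/1.1" 404',
    '198.51.100.4 - - "GET /cgi-bin/test.cgi HTTP/1.1" 200 "() { :;}; /bin/bash -c id"',
]


def run():
    profile = build_profile(NORMAL_HISTORY)
    new_logins = [("alice", 10, "10.0.0.5"), ("alice", 3, "203.0.113.9"), ("mallory", 12, "10.0.0.5")]
    anomalies = {e: score_event(profile, e) for e in new_logins}
    hits = {line: match_signatures(line) for line in WEB_LOG}
    return anomalies, hits


if __name__ == "__main__":
    anomalies, hits = run()
    for event, reasons in anomalies.items():
        print(event, "->", reasons or "normal")
    for line, names in hits.items():
        print(names or "clean", "<-", line)
```

The two halves fail in opposite ways, which is why real IDS products combine them: the profile flags alice's 03:00 login from a new address without knowing what the attacker did, but it also flags any genuinely new behaviour; the signatures name the attack precisely but only for patterns someone has already written.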

• Network Monitoring (Network Monitoring System)
Used to monitor the network for security problems. Usually uses the SNMP protocol (Simple Network Management Protocol). Examples: SNMP Collector, Packetboy, Etherboy, etc.
• IDS (Intrusion Detection System)
Detects attacks that would disrupt a network. An IDS warns the administrator responsible for a system when unexpected events occur. Besides raising alerts, an IDS can also track the kinds of activity that harm a system: it follows packets carrying suspicious activity and can at the same time take precautionary action. There are two types of IDS:
• Host-Based IDS
Works on the host it protects, detecting attacks directed at that host. Its strength is detecting host-level security events, such as changes to files or attempts to access sensitive files.
• Network-Based IDS
A dedicated machine used to monitor an entire network segment. A network-based IDS collects data packets on the network and analyses them to determine whether an attack is targeting the network.
IDS types can also be divided along several criteria:
a. System Architecture
Distinguished by where the functional components of the IDS run
• 1. Host-Target Co-Location
The IDS runs on the system it protects. The weakness is that if the intruder gains access to the system, the intruder can easily switch this kind of IDS off.
• 2. Host-Target Separation
The IDS is placed on a different computer from the one it protects.

b. Control Strategy
IDS distinguished by how control of the IDS, both its input and its output, is exercised.
• Centralized
All control of the IDS (monitoring, detection and reporting) is exercised centrally.
• Partially Distributed
Monitoring and detection are controlled from the local node, with hierarchical reporting to one or more central locations.
• Fully Distributed
Monitoring and detection use an agent-based approach, in which the decision to respond is made at the point of analysis.

c. Timing
The time meant here is the time between events, in both monitoring and analysis.
1. Interval-Based (batch mode)
Information is collected first and then evaluated at a predetermined time interval.
2. Real-time (continuous)
The IDS acquires data continuously, so that an attack can be anticipated sooner when it occurs.

d. Source of Data
IDS distinguished by where its data comes from.
1. Host-Based
The IDS obtains its information from the computer system it monitors. Host-based IDS data takes the form of logs generated by the operating system: the system, event and security logs on Windows NT, and syslog on UNIX. When a log changes, the new entries are analysed to determine whether they resemble the attack patterns in the IDS database.
A commonly used technique is to checksum key system files and executables at a fixed interval in order to catch unexpected changes.
Host-based IDS detects attacks less quickly than network-based IDS. Its strength is stronger forensic analysis, since it focuses on a single host. Other advantages are:
• Confirms the success or failure of an attack using logs that record the events that actually occurred.
• Monitors specific system activity, such as user activity, file access (for example changes to file attributes), attempts to install new executables, and attempts to access privileged services.
• Detects attacks that a network-based IDS misses, such as attacks carried out on the local system rather than over the network.
• Suits networks that use switches and also encryption in data communications.
• Requires no additional hardware, because the host-based IDS resides on the existing infrastructure: file servers, web servers and other resources.
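The checksum technique described above, as an added example that is not part of the original post: a baseline of digests and permission bits is recorded for a set of watched files, and a later check reports anything that no longer matches. The block builds its own temporary directory with constructed "passwd", "sshd" and "login.sh" files, so the paths and tampering are illustrative, not real system files.

```python
"""Added example (not from the original post): host-based file integrity
checking by comparing current digests against a saved baseline. The watched
files and the tampering are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the digest and permission bits of every watched file."""
    return {
        p: {"sha256": file_digest(p), "mode": os.stat(p).st_mode & 0o7777}
        for p in paths
    }


def check_baseline(baseline):
    """Compare the current state of each file with the baseline.
    Returns (path, finding) pairs; an empty list means nothing changed."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        if file_digest(p) != rec["sha256"]:
            findings.append((p, "content changed"))
        if (os.stat(p).st_mode & 0o7777) != rec["mode"]:
            findings.append((p, "permissions changed"))
    return findings


def demo():
    """Constructed scenario: baseline three files, tamper with two, re-check."""
    root = tempfile.mkdtemp()
    contents = {
        "passwd": b"root:x:0:0::/root:/bin/sh\n",
        "sshd": b"\x7fELF constructed stand-in for a binary",
        "login.sh": b"#!/bin/sh\necho welcome\n",
    }
    paths = []
    for name, data in contents.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
        paths.append(p)

    # In practice the baseline must be stored off-host or signed: an intruder
    # with root on a co-located IDS host can simply rewrite a local baseline.
    saved = json.dumps(build_baseline(paths))

    # Simulated tampering: append a backdoor to the binary, make the script setuid.
    with open(paths[1], "ab") as f:
        f.write(b"backdoor")
    os.chmod(paths[2], 0o4755)

    findings = check_baseline(json.loads(saved))
    return sorted(kind for _, kind in findings)


if __name__ == "__main__":
    print(demo())
```

Because the check only runs at an interval, a change made and reverted between two runs is invisible to it; that is the "less quickly than network-based" limitation the post mentions, and the reason this technique is paired with log monitoring rather than replacing it.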
2. Network-Based
The IDS (Intrusion Detection System) obtains its information from packets on the network.
Data source: a network-based IDS uses raw packets from the network. Packets are captured for monitoring through a network adapter.
Ways a network-based IDS recognizes an attack include:
1. Pattern, expression or bytecode matching.
2. Frequency or threshold violations.
3. Correlation of lesser events.
4. Statistical anomaly detection.
Advantages of network-based IDS:
• Lower cost, because monitoring is done at critical access points that see the traffic of many systems; software does not have to be installed on many hosts.
• Handles attacks that a host-based IDS does not detect, such as IP-based DoS and fragmented-packet attacks (teardrop), because these can be identified by reading the packet headers.
• Harder for an attacker to remove traces, because live network traffic is used to detect the attack in real time.
• Independent of the operating system, because the evaluation does not have to take place on the monitored host.
Example of a network-based IDS: Snort.
Snort is a NIDS (network-based Intrusion Detection System) that inspects incoming data and reports to the administrator when it finds suspicious signs. In other words, Snort is a sniffer, because it watches the packets that pass through the network. Installing Snort should also be accompanied by ACID (Analysis Console for Intrusion Databases), which uses the PHPlot library to draw graphs in PHP.
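As an added example that is not part of the original post or of Snort, the block below implements three of the recognition methods and one of the header-based detections listed above: payload pattern matching (what a Snort `content:` option does), a per-source SYN rate threshold, and inspection of IP fragment offsets for the overlapping fragments that characterize the teardrop attack. The packet records are already-parsed headers constructed inline, not raw captures; the addresses, ports, limits and signatures are illustrative assumptions.

```python
"""Added example (not from the original post): content matching, threshold
crossing and fragment-overlap detection over constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """A parsed packet header plus payload (constructed, not a raw capture)."""
    ts: float
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    flags: str = ""        # TCP flags as letters, "S" = SYN only
    frag_id: int = 0       # IP identification field; 0 = not fragmented here
    frag_off: int = 0      # fragment offset in bytes
    frag_len: int = 0      # fragment payload length in bytes
    payload: bytes = b""


# 1. Pattern / byte matching: (destination port, byte string to look for)
CONTENT_SIGNATURES = {
    "http-cmd.exe": (80, b"cmd.exe"),
    "ftp-site-exec": (21, b"SITE EXEC"),
}


def match_content(pkt):
    return [name for name, (port, needle) in CONTENT_SIGNATURES.items()
            if pkt.dport == port and needle.lower() in pkt.payload.lower()]


# 2. Frequency / threshold: more than `limit` SYNs from one source in `window` s
def syn_flood_sources(packets, limit=5, window=1.0):
    syn_times = defaultdict(list)
    for p in packets:
        if p.proto == "tcp" and p.flags == "S":
            syn_times[p.src].append(p.ts)
    flagged = set()
    for src, times in syn_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(src)
                break
    return flagged


# 3. Header inspection: fragments of one datagram whose byte ranges overlap
def overlapping_fragments(packets):
    frags = defaultdict(list)
    for p in packets:
        if p.frag_id:
            frags[(p.src, p.dst, p.frag_id)].append((p.frag_off, p.frag_off + p.frag_len))
    bad = []
    for key, ranges in frags.items():
        ranges.sort()
        for (a0, a1), (b0, b1) in zip(ranges, ranges[1:]):
            if b0 < a1:                          # next fragment starts inside the previous
                bad.append(key)
                break
    return bad


def sample_traffic():
    """Constructed traffic: one benign request, one IIS-style cmd.exe probe,
    a SYN burst, a slow legitimate client, and two overlapping fragments."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.80", dport=80, flags="PA",
               payload=b"GET /index.html HTTP/1.0\r\n"),
        Packet(0.1, "203.0.113.9", "10.0.0.80", dport=80, flags="PA",
               payload=b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    ]
    pkts += [Packet(1.0 + i * 0.025, "198.51.100.4", "10.0.0.80", dport=80, flags="S") for i in range(20)]
    pkts += [Packet(5.0 + i * 4, "10.0.0.6", "10.0.0.80", dport=80, flags="S") for i in range(3)]
    pkts += [
        Packet(9.0, "198.51.100.4", "10.0.0.80", proto="udp", frag_id=42, frag_off=0, frag_len=36),
        Packet(9.0, "198.51.100.4", "10.0.0.80", proto="udp", frag_id=42, frag_off=24, frag_len=20),
    ]
    return pkts


def run(packets):
    content = {}
    for p in packets:
        hits = match_content(p)
        if hits:
            content[p.src] = hits
    return {
        "content": content,
        "syn_flood": syn_flood_sources(packets),
        "frag_overlap": overlapping_fragments(packets),
    }


if __name__ == "__main__":
    for k, v in run(sample_traffic()).items():
        print(k, "->", v)
```

The content check is case-insensitive on purpose: the sample probe writes `CMD.EXE` in capitals, and an exact-case `content:` rule would miss it, which is why Snort rules carry a `nocase` modifier. The threshold and fragment checks read only headers, which is what lets a network sensor see DoS and teardrop traffic that never produces a host log entry.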
