Reference no: EM132190643
Part 1: Essay Question
In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the nearly 10 years since the erroneous prediction.
Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization's operating environment that might drive its decision.
Part 2: Short Answer Questions
1. What are the operational requirements necessary to perform anomaly-based intrusion detection? How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?
2. IDS is a great way to capture forensic evidence of system activity (including intrusions); however, there are inherent problems with using IDS logs as legal evidence because of the possibility of data manipulation and, therefore, the credibility of the evidence. Describe the requirements that log data must meet to be admissible as legal evidence.
3. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels. What are the limitations of using intrusion detection systems in this environment? What methods would you employ to accomplish this task?
4. Describe how Distributed Denial-of-Service (DDoS) attacks, such as a smurf attack, may be detected and alerted on using Snort.
5. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?
6. Write a Snort rule with the following functions:
a. Looks for the case-insensitive string in all traffic matched by the rule header.
b. Skips the first 12 bytes of each packet before starting the search, for efficiency.
7. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for, explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.
8. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.
9. A Snort rule has a metadata field with zero or more policy values. Describe the currently available policy values and explain each.
10. Describe what the "fast_pattern" modifier means in Snort rules. Also, explain the differences between "fast_pattern" and "fast_pattern:only" modifiers with examples.
11. Describe the meaning of the following content options used in a Snort rule, with matching and non-matching examples:
content:"GET"; depth:3; content:"downloads"; distance:10; within:9;
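A small evaluator for these content modifiers, added here as an illustration (it is not part of the assignment and not Snort's own code): it models Snort 2.x semantics for offset, depth, distance, within and nocase, and checks constructed payloads against the option chain from question 11 and against a nocase/offset:12 chain of the shape question 6 asks for; the pattern "evil" in that chain is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    """One content match plus its modifiers (simplified Snort 2.x model)."""
    pattern: bytes
    offset: int = 0                 # absolute: start searching this many bytes in
    depth: Optional[int] = None     # absolute: search window length from the start
    distance: int = 0               # relative: skip N bytes after the previous match
    within: Optional[int] = None    # relative: window length after the distance skip
    nocase: bool = False            # case-insensitive comparison


def match_contents(payload: bytes, contents: list[Content]) -> bool:
    """True if every content matches in order; each one after the first is
    searched relative to the end of the previous match, as Snort does."""
    prev_end: Optional[int] = None          # end of the previous match, None at first
    for c in contents:
        if prev_end is None:                # first content: offset/depth from byte 0
            start, window = c.offset, c.depth
        else:                               # later contents: distance/within
            start, window = prev_end + c.distance, c.within
        end = len(payload) if window is None else min(len(payload), start + window)
        hay, pat = payload[start:end], c.pattern
        if c.nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)                 # pattern must fit entirely in the window
        if idx < 0:
            return False
        prev_end = start + idx + len(pat)
    return True


# The two content options from question 11:
#   content:"GET"; depth:3; content:"downloads"; distance:10; within:9;
Q11_CONTENTS = [Content(b"GET", depth=3),
                Content(b"downloads", distance=10, within=9)]

# A rule body of the shape question 6 asks for (constructed pattern "evil"):
#   content:"evil"; nocase; offset:12;
Q6_CONTENTS = [Content(b"evil", nocase=True, offset=12)]


if __name__ == "__main__":
    # Constructed payloads: "downloads" must start exactly 10 bytes after "GET".
    print(match_contents(b"GET /a/b/c/d/downloads HTTP/1.1", Q11_CONTENTS))  # True
    print(match_contents(b"GET /a/downloads HTTP/1.1", Q11_CONTENTS))        # False
    print(match_contents(b"0123456789ABEVIL data", Q6_CONTENTS))            # True
```

With within:9 and a 9-byte pattern, the second content has no slack: "downloads" must begin exactly 10 bytes after the end of "GET", which is why the second payload does not match.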
12. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.