Page 72 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy

Rate-based IPS (RBIPS)

Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviour. Through real-time traffic monitoring and comparison with stored statistics, an RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports, etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week, etc., drawing on stored traffic statistics.

Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness depends on the granularity of the RBIPS rulebase and the quality of the stored statistics.





Notes: Once an attack is detected, various prevention techniques may be used, such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (blacklisting) or validation (whitelisting).
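The following is an added worked example, not code from the textbook, showing in miniature how the two passages above fit together: a baseline of packet rates is learned per traffic type and per hour of day, a threshold is derived from that baseline (so the same rate can be normal at 10:00 and anomalous at 03:00), and a source that exceeds the threshold is rate-limited to the learned normal rate. The class names, the mean-plus-three-standard-deviations threshold, the hour-of-day slots and all traffic samples are assumptions constructed for the illustration; commercial RBIPS products use richer statistics than this.

```python
"""Toy rate-based IPS: learn per-slot baselines, flag rate anomalies, rate-limit.

Added illustration only; not taken from any textbook or product. All rates are
constructed sample values.
"""
from collections import defaultdict
from statistics import mean, pstdev


class RateBaseline:
    """Learned packets-per-second history keyed by (traffic_type, hour_of_day)."""

    def __init__(self, sigma_factor=3.0, min_samples=5):
        self.samples = defaultdict(list)
        self.sigma_factor = sigma_factor   # assumption: threshold = mean + 3 sigma
        self.min_samples = min_samples     # refuse to judge on too little history

    def learn(self, traffic_type, hour, pps):
        """Record one observed rate sample from traffic believed to be normal."""
        self.samples[(traffic_type, hour)].append(pps)

    def threshold(self, traffic_type, hour):
        """Mean + k*stddev of the stored samples, or None if history is too thin."""
        data = self.samples.get((traffic_type, hour), [])
        if len(data) < self.min_samples:
            return None
        return mean(data) + self.sigma_factor * pstdev(data)

    def normal_rate(self, traffic_type, hour):
        """The learned average rate for the slot, used as the rate-limit cap."""
        return mean(self.samples[(traffic_type, hour)])


class RateBasedIPS:
    """Compares live rates with the baseline and rate-limits sources that exceed it."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.rate_limits = {}   # source address -> pps cap currently enforced

    def inspect(self, traffic_type, hour, source, pps):
        """Return (verdict, detail); verdict is 'learn', 'allow' or 'rate-limit'."""
        thr = self.baseline.threshold(traffic_type, hour)
        if thr is None:
            # No usable baseline for this slot yet: keep learning, take no action.
            self.baseline.learn(traffic_type, hour, pps)
            return ("learn", None)
        if pps > thr:
            # Prevention step: cap this source at the slot's learned normal rate.
            cap = round(self.baseline.normal_rate(traffic_type, hour))
            self.rate_limits[source] = cap
            return ("rate-limit", cap)
        return ("allow", round(thr, 1))


def demo():
    """Constructed scenario: business-hour versus night-time TCP SYN rates."""
    baseline = RateBaseline()
    # constructed history: SYN packets/s seen at 10:00 on five normal days ...
    for pps in (800, 850, 900, 870, 820):
        baseline.learn("tcp_syn", 10, pps)
    # ... and at 03:00 on five normal nights
    for pps in (40, 50, 45, 55, 60):
        baseline.learn("tcp_syn", 3, pps)

    ips = RateBasedIPS(baseline)
    return {
        # a busy but plausible morning: below the 10:00 threshold, so allowed
        "day_burst": ips.inspect("tcp_syn", 10, "198.51.100.7", 940),
        # the same rate at 03:00 is far above the night baseline: rate-limited
        "night_burst": ips.inspect("tcp_syn", 3, "198.51.100.7", 940),
        # clearly above even the daytime threshold: rate-limited
        "day_flood": ips.inspect("tcp_syn", 10, "203.0.113.9", 1000),
        # no UDP history for this slot yet: learn only, no verdict
        "udp_unknown": ips.inspect("udp", 10, "203.0.113.9", 500),
        "limits": dict(ips.rate_limits),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the two `tcp_syn` slots is the false-alarm trade-off the text mentions: a single global threshold would either flag the normal morning load or miss the night-time flood, whereas a per-slot baseline separates them. The `min_samples` guard is the practical caveat: a detector that has not yet learned a slot should fall back to learning rather than guessing a threshold.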





Task: Compare and contrast NIDS and PIDS.

Self Assessment

Fill in the blanks:

11. An ......................... is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.

12. A ......................... is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer.

13. A ......................... inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.


5.7 Controlling Visitors

Visitors can be controlled through the following process:

1. If the company consists of more than about 15-20 people, issue visitor badges and encourage staff to challenge unaccompanied visitors.
2. Escort all visitors; don't let them wander around unsupervised.
3. Keep a visitor book and log the times when visitors enter and leave the premises. Keep another signing-in/out list for sensitive areas, such as computer rooms.
4. Consider CCTV in critical IT areas (e.g., server rooms) and reception areas.

66  LOVELY PROFESSIONAL UNIVERSITY