
DIYTP 2009

Computer Security – Virus Scanners

Works in two ways:
- List of known ‘bad’ files (signatures: byte patterns or hashes of malware that has already been analysed)
- Suspicious activity (behaviour that looks like what a virus does, even with no signature match)

Terminate and Stay Resident (TSR) program
- A program that stays loaded in memory after it finishes running; resident scanners used this to keep watching file and disk activity

Five ways of scanning:
- E-mail/attachment
- Download
- File
- Heuristic: rules that determine if a file is behaving like a virus
- Active code (e.g. Java, ActiveX)
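The two ways of working, side by side, as an added example (not code from the lecture or from any vendor): a tiny scanner that first checks files against a known-bad list (whole-file SHA-256 hashes and a byte-pattern signature) and then applies heuristic rules to anything the signatures miss. The sample files are constructed in memory; the only "known bad" item is the EICAR test string, which is the industry's standard harmless test file, and the blocklist, rule names and thresholds are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample "files": name -> bytes. None of these is real malware; EICAR is
# the standard anti-virus test string, which scanners detect by agreement.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE_FILES = {
    "notes.txt": b"meeting at 10\n",
    "eicar.com": EICAR,
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"CreateRemoteThread WriteProcessMemory",
    "readme.txt": b"MZ\x90\x00" + b"\x00" * 60 + b"hello",
    "hello.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"plain program",
}

# Way 1: list of known 'bad' files. A hypothetical blocklist of whole-file hashes plus
# a byte-pattern signature (what a signature database holds for polymorphic cases).
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
SIGNATURES = {"EICAR-Test-File": rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}


def signature_scan(name, data):
    """Return the signature name if the file is on the known-bad list, else None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return KNOWN_BAD_SHA256[digest]
    for sig_name, pattern in SIGNATURES.items():
        if re.search(pattern, data):
            return sig_name
    return None


# Way 2: heuristics, i.e. rules that flag a file for looking or behaving like a virus
# even when nothing on the known-bad list matches. Each rule returns a reason or None.
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]


def rule_double_extension(name, data):
    # "invoice.pdf.exe": a document-looking name hiding an executable extension
    if re.search(r"\.(pdf|doc|txt|jpg)\.(exe|scr|com|bat)$", name, re.I):
        return "document-looking name with an executable extension"
    return None


def rule_executable_masquerade(name, data):
    # A Windows PE file always starts with "MZ"; finding it in a .txt is a red flag
    if data.startswith(b"MZ") and not name.lower().endswith((".exe", ".dll", ".scr", ".com")):
        return "PE executable header in a non-executable file type"
    return None


def rule_injection_apis(name, data):
    # Two or more process-injection APIs referenced together is classic malware behaviour
    hits = [api.decode() for api in SUSPICIOUS_APIS if api in data]
    if len(hits) >= 2:
        return "references process-injection APIs: " + ", ".join(hits)
    return None


HEURISTIC_RULES = [rule_double_extension, rule_executable_masquerade, rule_injection_apis]


def heuristic_scan(name, data):
    """Return the list of heuristic reasons that fired for this file."""
    return [r for rule in HEURISTIC_RULES if (r := rule(name, data))]


def scan(name, data):
    """Combine both ways: signatures give 'infected', heuristics give 'suspicious'."""
    sig = signature_scan(name, data)
    if sig:
        return ("infected", sig)
    reasons = heuristic_scan(name, data)
    if reasons:
        return ("suspicious", "; ".join(reasons))
    return ("clean", "")


def scan_all(files=SAMPLE_FILES):
    return {name: scan(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan_all().items():
        print(f"{name:18} {verdict:10} {detail}")
```

Note that the hash list catches eicar.com but nothing else, and the heuristics catch readme.txt and invoice.pdf.exe without any signature: this is the trade-off the slide describes, exact matches with no false positives versus rules that generalise but can misfire (a legitimate debugger also references the injection APIs). Saving this file to disk may itself trip a real scanner because of the EICAR string, which is what that string is for.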

Computer Security – Virus Scanners

Vendors:
- McAfee www.mcafee.com
- Symantec www.symantec.com
- AVG www.avg.com
- Trend Micro www.trendmicro.com

Computer Security – Anti-Spyware

Spyware
- Often arrives bundled with toolbars, skins and browser ‘enhancements’
- Threat to privacy: collects browsing habits, keystrokes or personal data and reports them to a third party without the user’s knowledge

Tools:
- Ad-aware www.lavasoft.com
- Spybot Search and Destroy www.safer-networking.org

Computer Security – Intrusion Detection Systems

Intrusion Detection Systems (IDS)
- Inspects incoming and outgoing activity and looks for patterns of attack or misuse

Common categorizations:
- Misuse vs. Anomaly
- Passive vs. Reactive
- Network-based vs. Host-based

Computer Security – Intrusion Detection Systems

Misuse Detection vs. Anomaly Detection
- Misuse detection: matches traffic or activity against attack signatures (known patterns); catches only attacks it has a signature for, but with few false positives
- Anomaly detection: learns a baseline of normal behaviour and raises an alert on significant deviations from it; can catch attacks nobody has written a signature for, at the cost of more false positives

Passive Systems vs. Reactive Systems
- Passive: detects, logs, and sends an alert; a person decides what to do next
- Reactive: also acts on its own, e.g. by logging off the user or blocking the traffic on the firewall (often called an intrusion prevention system, IPS)
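Both categorizations on this slide in working form, as an added example (not code from the lecture or from any IDS product): a small host-based IDS run over constructed web-server log lines. Misuse detection is a handful of regular-expression signatures; anomaly detection learns a per-source request-count baseline from a known-good training period and flags sources that exceed it; a reactive flag turns each alert into a block, so later packets from that source are dropped. The log lines, IP addresses, signatures and the "mean + 3 standard deviations" threshold are all assumptions made for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed log lines: "<seconds> <source-ip> <request path>". Not from any real system.
TRAINING_LOG = """\
0 10.0.0.5 /index.html
1 10.0.0.5 /about.html
2 10.0.0.6 /index.html
3 10.0.0.6 /contact.html
4 10.0.0.6 /about.html
5 10.0.0.7 /index.html
6 10.0.0.7 /images/logo.png
7 10.0.0.8 /index.html
8 10.0.0.8 /login
9 10.0.0.8 /about.html
10 10.0.0.8 /faq.html
""".splitlines()

# Live traffic: normal users, one attacker with recognisable payloads (10.0.0.9) and one
# directory brute-forcer whose individual requests all look innocent (10.0.0.42).
LIVE_LOG = """\
60 10.0.0.5 /index.html
61 10.0.0.9 /cgi-bin/../../../etc/passwd
62 10.0.0.7 /about.html
63 10.0.0.9 /login?user=admin' OR '1'='1
""".splitlines() + [f"{64 + i} 10.0.0.42 /{w}" for i, w in enumerate(
    "admin backup old test dev staging private uploads config db logs tmp".split())]

# Misuse detection: attack signatures (hypothetical, deliberately simple)
MISUSE_RULES = {
    "path-traversal": re.compile(r"\.\./"),
    "unix-password-file": re.compile(r"/etc/passwd"),
    "sql-injection": re.compile(r"'\s*OR\s*'?1'?\s*=\s*'?1", re.I),
}


def parse(line):
    t, ip, path = line.split(maxsplit=2)
    return int(t), ip, path


def misuse_detect(path):
    """Return the names of every attack signature the request matches."""
    return [name for name, rx in MISUSE_RULES.items() if rx.search(path)]


class AnomalyModel:
    """Per-source request-count baseline learned from known-good traffic."""

    def __init__(self, training_lines, k=3.0):
        counts = list(Counter(parse(l)[1] for l in training_lines).values())
        mean, sd = statistics.mean(counts), statistics.pstdev(counts) or 1.0
        self.threshold = mean + k * sd      # "normal" upper bound, an assumption
        self.seen = Counter()

    def observe(self, ip):
        self.seen[ip] += 1
        return self.seen[ip] > self.threshold   # a deviation, not a known pattern


class IDS:
    def __init__(self, training_lines, reactive=False):
        self.model = AnomalyModel(training_lines)
        self.reactive = reactive
        self.alerts = []        # (time, ip, detector, detail)
        self.blocked = set()    # only ever filled in reactive mode

    def process(self, line):
        t, ip, path = parse(line)
        if ip in self.blocked:
            return "dropped"    # reactive system already cut this source off
        for sig in misuse_detect(path):
            self._alert(t, ip, "misuse", sig)
        if self.model.observe(ip):
            self._alert(t, ip, "anomaly",
                        f"{self.model.seen[ip]} requests > baseline {self.model.threshold:.1f}")
        return "blocked" if ip in self.blocked else "allowed"

    def _alert(self, t, ip, detector, detail):
        self.alerts.append((t, ip, detector, detail))   # passive: log and alert
        if self.reactive:
            self.blocked.add(ip)                         # reactive: also block


def run(lines=LIVE_LOG, reactive=False):
    """Feed the live log through the IDS; return it and a tally of outcomes."""
    ids = IDS(TRAINING_LOG, reactive=reactive)
    outcomes = Counter(ids.process(l) for l in lines)
    return ids, dict(outcomes)


if __name__ == "__main__":
    for reactive in (False, True):
        ids, outcomes = run(reactive=reactive)
        print("reactive" if reactive else "passive", outcomes)
        for alert in ids.alerts:
            print("  ", alert)
```

Worth noticing in the output: the signatures catch 10.0.0.9 but never 10.0.0.42, because no single request of the brute-forcer matches a pattern; the anomaly model catches 10.0.0.42 but never 10.0.0.9, whose two requests are well within the baseline. In reactive mode the first alert blocks the source, so later requests from it are dropped before any further inspection, which is also why a reactive system with a noisy anomaly model locks out legitimate users.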

Computer Security – Intrusion Detection Systems

Network-Based vs. Host-Based
- Network-based: analyzes packets on the network, usually from a sensor fed by a monitoring port, so one sensor covers many hosts
- Host-based: analyzes a specific host/computer (its logs, files and processes) and so sees activity that never crosses the network

Computer Security – Intrusion Detection Systems

Figure 1.0 – Intrusion Detection System typical setup

Computer Security – Intrusion Detection Systems

Tools:
- Snort www.snort.org
- Cisco IDS http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml
- BASE (Basic Analysis and Security Engine, a web front end for Snort alerts) http://sourceforge.net/projects/secureideas/

Computer Security - Firewalls

Firewall
- Barrier between the network and the outside world
- Filters packets based on certain parameters: IP address, protocol, port

Components:
- Screening
- Application gateway
- Circuit-level gateway

Computer Security - Firewalls

Screening
- Also known as ‘packet-filtering’
- Most basic type
- Works at the Network layer of the OSI model (IP addresses) and uses Transport-layer fields (TCP/UDP ports) in its rules
- Examines incoming packets and allows or prohibits them based on a set of pre-established rules
- Example: Windows Firewall (a host-based, stateful packet filter)

Computer Security - Firewalls

Application Gateway
- Also known as ‘application proxy’
- Runs on the firewall, with one proxy per application protocol (e.g. HTTP, FTP)
- Client connects to the proxy program, and the proxy establishes the outbound connection on the client’s behalf; because it understands the protocol it can inspect the application-layer content
- Protects client computers: internal hosts never talk directly to the outside
- Supports user authentication

Computer Security - Firewalls

Circuit-level Gateway
- Works at the session/transport layer: validates the TCP handshake, then relays the bytes of the session without understanding or inspecting the application content (SOCKS is the usual example)
- Faster and more general than an application gateway because it needs no per-protocol proxy, but offers less protection against application-layer attacks
- Generally found on high-end equipment
- User must be verified before communication can take place
- Passes traffic on to the destination and vice versa
- Internal systems are not visible to the outside world: only the gateway’s address is seen

Computer Security - Firewalls

How firewalls look at packets

Stateful packet inspection (SPI)
- Examines each packet in the context of the connection it belongs to
- Bases its decision on current and previous packets: keeps a state table of connections and allows reply packets only for connections it saw start
- Can also look at the actual contents of the packet (deep packet inspection) when the product supports it

Stateless packet inspection
- Very basic
- Only looks at the current packet: its header fields are compared against the rules in isolation
- Does not look at contents and does not know whether a packet is a reply to something it allowed earlier
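Why the state table matters, as an added example (not code from the lecture or from any firewall product): a stateless filter and a stateful filter are given the same single policy, "the LAN may open web connections", and the same three constructed packets: a browser's outbound SYN, the web server's SYN-ACK reply, and an attacker's probe of an internal SMB port sent from source port 80. The addresses, the rule syntax and the packets are assumptions for illustration; the stateful filter is a minimal model of the state table the slide describes, not any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str = "any"        # single IP or CIDR
    sport: object = "any"   # port number or "any"
    dst: str = "any"
    dport: object = "any"
    action: str = "deny"


def _ip_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    return pattern == "any" or pattern == port


def rule_matches(r, p):
    return (r.direction == p.direction and _ip_match(r.src, p.src) and _port_match(r.sport, p.sport)
            and _ip_match(r.dst, p.dst) and _port_match(r.dport, p.dport))


class StatelessFirewall:
    """Looks at the current packet only: first matching rule wins, default deny."""

    def __init__(self, rules):
        self.rules = rules

    def filter(self, p):
        for r in self.rules:
            if rule_matches(r, p):
                return r.action
        return "deny"


class StatefulFirewall(StatelessFirewall):
    """Same rules for new connections, plus a table of flows it has seen start,
    so reply packets are allowed without any inbound rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()      # (src, sport, dst, dport) of allowed flows

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.table or reverse in self.table:
            return "allow"          # continuation of, or reply to, a known flow
        if p.syn and not p.ack:     # a new connection: consult the rules
            action = super().filter(p)
            if action == "allow":
                self.table.add(flow)
            return action
        return "deny"               # unsolicited non-SYN packet (e.g. an ACK scan)


LAN = "192.168.1.0/24"
RULES = [Rule("out", src=LAN, dport=80, action="allow")]        # LAN may browse the web
# The inbound rule a stateless filter needs so replies get through; it also lets in
# any attacker who sends from source port 80.
RULES_LEAKY = RULES + [Rule("in", sport=80, action="allow")]

CLIENT, SERVER, ATTACKER = "192.168.1.10", "203.0.113.8", "198.51.100.77"   # constructed
SYN = Packet("out", CLIENT, 51234, SERVER, 80, syn=True)
SYN_ACK = Packet("in", SERVER, 80, CLIENT, 51234, syn=True, ack=True)
PROBE = Packet("in", ATTACKER, 80, CLIENT, 445, syn=True)   # SMB probe hiding behind port 80


def run_scenario():
    """Return each firewall's verdict on the three packets, in order."""
    results = {}
    for name, fw in (("stateless", StatelessFirewall(RULES)),
                     ("stateless-leaky", StatelessFirewall(RULES_LEAKY)),
                     ("stateful", StatefulFirewall(RULES))):
        results[name] = {"syn": fw.filter(SYN), "syn_ack": fw.filter(SYN_ACK), "probe": fw.filter(PROBE)}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:16}", verdicts)
```

The plain stateless filter blocks the server's SYN-ACK, so the browser never connects; the usual stateless fix (allow anything inbound from source port 80) makes browsing work but also admits the attacker's probe, which is exactly the "source port 80" trick old packet filters fell for. The stateful filter allows the SYN-ACK because its reverse tuple is in the table, and denies the probe because no inbound rule exists and no flow matches.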

Computer Security - Firewalls

Software-based
- Zone Alarm www.zonealarm.com
- McAfee Personal Firewall www.mcafee.com
- Norton Personal Firewall www.symantec.com/norton

Hardware-based
- Cisco www.cisco.com
- Juniper NetScreen www.juniper.net

Recommended