Isbat Uzzin
Network Security (Keamanan Jaringan)
Intrusion Detection System
Network Security
Politeknik Elektronika Negeri Surabaya
2007
A Firewall Alone Is Not Enough
• Not all access goes through the firewall
• Some applications are deliberately allowed through the firewall (Web, Email, etc.)
• Not all threats come from outside the firewall; some originate inside the network itself
• The firewall is sometimes itself the object of an attack
• An application is needed to complement the firewall, one that can detect the threats the firewall cannot protect against
[Diagram: threat sources around a corporate network. Labels: Mobile worker, Web site, Supplier, Branch Office, Mailserver, Manufacturing, Engineering, HR/Finance, Corporate Intranet, Internet, and Hacker (three instances)]
What Is an IDS
• IDS stands for Intrusion Detection System
• A system for detecting and responding to an "intrusion" carried out by an "intruder"
• Detection can take place before, during, or after the event:
  – Detected before: preventive action can be taken
  – Detected during: it can be decided to block and raise an alarm
  – Detected after: examine the damage that was caused
• An IDS collects information from various systems and network sources, then analyzes that information according to rules that have been defined in advance
What Is an IDS (cont.)
• Intrusion
  – Defined as activity that is anomalous, incorrect, or inappropriate, occurring on the network or on a host
  – Classification of intrusions:
    • Attempted break-ins
    • Masquerade attacks
    • Penetration of security control systems
    • Leakage
    • Denial of service
    • Malicious use
• An anomaly is traffic/activity that does not comply with policy:
  – access from/to a forbidden host
  – carrying forbidden content (a virus)
  – running a forbidden program (web directory traversal: GET ../..;cmd.exe)
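The three anomaly classes on this slide (forbidden host, forbidden content, forbidden program via directory traversal) can be checked with a small rule engine over request logs. The following is an added example, not code from the slides or from any IDS product; the policy values, the log line format and the sample lines are constructed. It normalizes the request URI before matching (percent-decoding, a second pass for double encoding, and mapping of the overlong two-byte UTF-8 sequences used in the classic IIS Unicode traversal), which is why a raw "..%c0%af.." is caught as "../".

```python
"""Policy-based anomaly detector over constructed HTTP request log lines (added example)."""
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# --- constructed policy (assumptions, not from the slides) -------------------
FORBIDDEN_NETWORKS = [ipaddress.ip_network("10.99.0.0/16")]    # no host may talk to/from this range
FORBIDDEN_CONTENT = [re.compile(r"CONSTRUCTED-VIRUS-SIG")]     # placeholder malware signature
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")                      # a "../" component after normalization
FORBIDDEN_PROGRAMS = [re.compile(r"cmd\.exe", re.IGNORECASE)]  # programs a web request must never reach

# Constructed line format: "<timestamp> <src> -> <dst> <METHOD> <uri> [body]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<body>.*))?$"
)


def _decode_once(text: str) -> str:
    """Percent-decode one layer and collapse overlong 2-byte UTF-8 (0xC0/0xC1 lead bytes)."""
    data = unquote_to_bytes(text.encode("latin-1", "replace"))
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # overlong encoding of an ASCII character, e.g. %c0%af -> "/"
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_uri(raw: str) -> str:
    """Two decode passes (catches double encoding such as %252e) and backslash to slash."""
    text = raw
    for _ in range(2):
        text = _decode_once(text)
    return text.replace("\\", "/")


def _in_forbidden_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in FORBIDDEN_NETWORKS)


def detect(lines):
    """Return (timestamp, category, src, dst, detail) alerts for every policy violation found."""
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, a real IDS would count these
        ts, src, dst = m["ts"], m["src"], m["dst"]
        uri = normalize_uri(m["uri"])
        body = m["body"] or ""
        if _in_forbidden_network(src) or _in_forbidden_network(dst):
            alerts.append((ts, "forbidden-host", src, dst, f"{src} -> {dst}"))
        for sig in FORBIDDEN_CONTENT:
            if sig.search(body):
                alerts.append((ts, "forbidden-content", src, dst, sig.pattern))
        if TRAVERSAL.search(uri):
            alerts.append((ts, "directory-traversal", src, dst, uri))
        for prog in FORBIDDEN_PROGRAMS:
            if prog.search(uri):
                alerts.append((ts, "forbidden-program", src, dst, prog.pattern))
    return alerts


# Constructed sample log for the demonstration.
SAMPLE_LOG = [
    "2007-03-09T09:11:05 192.168.1.51 -> 192.168.1.11 GET /index.html",
    "2007-03-09T09:12:40 202.110.192.93 -> 192.168.1.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "2007-03-09T09:13:02 192.168.1.51 -> 10.99.4.7 GET /download.php",
    "2007-03-09T09:14:19 192.168.1.52 -> 192.168.1.11 POST /upload.cgi file=CONSTRUCTED-VIRUS-SIG",
    "2007-03-09T09:15:00 192.168.1.53 -> 192.168.1.11 GET /%252e%252e/%252e%252e/etc/passwd",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The normalization step is the part that matters: matching the raw URI against "../" would miss both the overlong-UTF-8 and the double-encoded variants, which is the evasion class that a decoding preprocessor exists to close.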
IDS Concept
[Diagram: Intrusion Detection System Infrastructure. The Intrusion Detection System monitors the Target System, reports, and responds]
IDS Technologies
• Network-based
• Host-based
• Application-based
• Target-based
• Honeypots
IDS Technologies (cont.)
• Network-based
  – monitors anomalies on the network, e.g. detecting network scanning
  – provides real-time monitoring of network activity:
    • captures and inspects packet headers and contents,
    • compares them against the threat patterns in the database, and
    • responds if an intruder is suspected.
  – Packet monitors can be placed outside the firewall (to detect Internet-based attacks) and inside the network (to detect internal attacks).
  – Responses include: notifying a console, sending an e-mail message, terminating the session.
  – Tools: Snort
• Host-based
  – monitors anomalies on a host, e.g. monitoring log files, processes, file ownership and modes
  – Tools:
    • Log scanners: Swatch, Logcheck
    • File system integrity checkers: Tripwire
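The host-based technique behind a file system integrity checker such as Tripwire is simple to state: record a cryptographic hash plus metadata for every file, and later compare. The following is an added example, not code from the slides or from Tripwire; the directory tree it builds, the tampering it simulates and the field choices (SHA-256, size, permission bits, owner) are assumptions.

```python
"""File-system integrity checking in the style of a host-based IDS (added example)."""
import hashlib
import os
import shutil
import stat
import tempfile


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file's path (relative to root) to (sha256, size, mode bits, uid)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are not hashed in this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (_digest(full), st.st_size, stat.S_IMODE(st.st_mode), st.st_uid)
    return result


FIELDS = ("content", "size", "mode", "owner")


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: {'added': [...], 'removed': [...], 'changed': {path: [reasons]}}."""
    changed = {}
    for path in sorted(baseline.keys() & current.keys()):
        reasons = [f for f, old, new in zip(FIELDS, baseline[path], current[path]) if old != new]
        if reasons:
            changed[path] = reasons
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def _write(root: str, rel: str, data: str, mode: int = 0o644) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree in a temp dir, then simulate an intruder's changes."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        _write(root, "bin/ls", "ls-binary-v1", 0o755)
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/shadow", "root:*:0:0:99999:7:::\n", 0o600)
        _write(root, "etc/motd", "welcome\n")
        baseline = snapshot(root)

        _write(root, "bin/ls", "ls-binary-v2", 0o755)       # replaced binary, same size as before
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)   # permissions loosened
        _write(root, "tmp/.hidden", "toolkit\n")            # new file dropped
        os.remove(os.path.join(root, "etc/motd"))           # file deleted
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Note that the size check alone would not have caught the replaced binary (same length), which is why the hash is the primary field; and the baseline itself must be stored where a compromised host cannot rewrite it, which is the same concern the honeynet slides later raise for remote logging.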
IDS Technologies (cont.)
• Application-based
  – A special subset of host-based IDS that analyzes the events transpiring within a software application.
  – The most common information source for application-based IDS is the application's transaction log file.
  – Interaction between user and application, which traces activity to individual users.
• HoneyNet
  – A resource that pretends to be a real target, which is expected to be attacked.
  – Its main purposes:
    • diverting attackers from attacking production systems
    • gathering information about the kinds of attacks and attackers.
Snort
• Open source IDS
  – host-based
  – network-based
  – packet sniffer
  – implemented on UNIX & Windows
• Operates based on "rules"
Snort Log
• The log begins from: Mar 9 09:11:05
• The log ends at: Mar 9 12:22:24
• Total events: 161
• Signatures recorded: 6
• Source IP recorded: 12
• Destination IP recorded: 44
• Attack table (number of attacks, from, to, method):
  # of attacks  from              to               method
  ===========================================
  61            202.138.228.73    202.138.228.74   IDS135-CVE-1999-0265-MISC-ICMPRedirectHost
  31            192.168.1.51      192.168.1.11     ICMP Destination Unreachable {ICMP}
  5             202.110.192.93    202.138.228.74   spp_http_decode: IIS Unicode
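The summary on this slide (log start and end, totals, and a per source/destination/signature table) is derived from the individual alert lines. The following is an added example, not from the slides and not Snort's own reporting code: it parses one-line alerts in the style of Snort's fast alert output and produces a summary of the same shape. The sample lines are constructed (the addresses are those on the slide; the [gid:sid:rev] values are placeholders), and the exact alert layout is an assumption.

```python
"""Summarize Snort fast-style alert lines into the report shape shown on the slide (added example)."""
import re
from collections import Counter

# One-line alert layout assumed here:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
# Preprocessor alerts (e.g. spp_http_decode) carry no [gid:sid:rev] block, so it is optional.
ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\S*\s+\[\*\*\]\s+"
    r"(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(lines):
    """Yield one dict per line that matches the alert layout; other lines are ignored."""
    for line in lines:
        m = ALERT.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(lines) -> dict:
    """Compute begin/end time, totals and a per (src, dst, signature) attack table."""
    events = list(parse_alerts(lines))
    if not events:
        return {"total_events": 0}
    table = Counter((e["src"], e["dst"], e["msg"]) for e in events)
    return {
        "begins": events[0]["ts"],
        "ends": events[-1]["ts"],
        "total_events": len(events),
        "signatures": len({e["msg"] for e in events}),
        "source_ips": len({e["src"] for e in events}),
        "destination_ips": len({e["dst"] for e in events}),
        # rows: (count, from, to, method), most frequent first
        "attacks": [(n, src, dst, msg) for (src, dst, msg), n in table.most_common()],
    }


def render(summary: dict) -> str:
    """Lay the summary out the way the slide's log excerpt is presented."""
    if summary["total_events"] == 0:
        return "Total events: 0"
    out = [
        f"The log begins from: {summary['begins']}",
        f"The log ends at: {summary['ends']}",
        f"Total events: {summary['total_events']}",
        f"Signatures recorded: {summary['signatures']}",
        f"Source IP recorded: {summary['source_ips']}",
        f"Destination IP recorded: {summary['destination_ips']}",
        "",
        "# of attacks  from             to               method",
        "=" * 70,
    ]
    for n, src, dst, msg in summary["attacks"]:
        out.append(f"{n:<13} {src:<16} {dst:<16} {msg}")
    return "\n".join(out)


# Constructed alert lines; gid:sid:rev values are placeholders, not real rule ids.
SAMPLE_ALERTS = [
    "03/09-09:11:05.000001 [**] [1:1001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74",
    "03/09-09:11:07.000002 [**] [1:1001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74",
    "03/09-09:30:00.000003 [**] [1:1002:1] ICMP Destination Unreachable [**] [Priority: 3] {ICMP} 192.168.1.51 -> 192.168.1.11",
    "03/09-10:15:12.000004 [**] spp_http_decode: IIS Unicode attack detected [**] {TCP} 202.110.192.93:2345 -> 202.138.228.74:80",
    "03/09-12:22:24.000005 [**] [1:1001:1] IDS135-CVE-1999-0265-MISC-ICMPRedirectHost [**] [Priority: 2] {ICMP} 202.138.228.73 -> 202.138.228.74",
]

if __name__ == "__main__":
    print(render(summarize(SAMPLE_ALERTS)))
```

Grouping by (source, destination, signature) is what turns 161 raw events into a handful of rows an analyst can read; the same grouping is the first step in separating a repeated false alarm (the last bullet of the next slide) from a genuine attack series.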
IDS Problems
• New attacks have new signatures, so the signature list must be updated constantly
• Networks are getting faster (gigabit), making it hard to analyze every packet
• The number of hosts keeps growing: distributed IDS
• Too many reports (false alarms)
Honeypot
• A resource that pretends to be a real target, which is expected to be attacked.
• Its main purposes:
  – diverting attackers from attacking production systems
  – gathering information about the kinds of attacks and attackers.
[Diagram: a honeypot offering HTTP and DNS services]
Value of Honeypots
• Research honeypots
  – gather as much information as possible
    • help to understand the blackhat community and their attacks
    • help to build better defenses against security threats
  – 'counter-intelligence'
• Prevention
  – Honeypots add little value to prevention.
    • conflicts with their definition
• Detection
  – Honeypots add extensive value to detection.
    • simple and easy to detect with (cf. IDS)
• Reaction
  – Honeypots also add value to reaction.
    • easy to analyze & recover
If a honeypot does not get attacked, it is worthless.
What is a Honeynet?
• A high-involvement honeypot designed primarily for research, to gather information on the enemy
• Differences from a traditional honeypot:
  – not a single system, but a network of multiple systems
  – standard production systems; nothing is emulated.
• The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today.
• Its value lies in research
Requirements
• Data Capture
  – capturing all of the blackhat's activities
  – Challenge:
    • capture as much data as possible without the blackhat knowing that their every action is captured
    • capture the blackhat's every move without them knowing, while storing the information remotely
Requirements (cont.)
• Third requirement: Data Collection
  – for organizations that have multiple Honeynets in distributed environments
  – collecting all of the captured information securely from the distributed Honeynets
Implementation
• A firewall separating the Honeynet into three different networks
[Diagram: Internet, router, Firewall, switch, IDS, Log/Alert Server, syslog; Honeynet hosts (Sparc, Linux, NT); Administrative Network]
Implementation (cont.)
• Data Control
  – the firewall is our primary tool for data control
    • allow any inbound connections, but control outbound connections
    • once a honeypot has reached a certain limit of outbound connections, the firewall blocks any further attempts
  – firewall implementations:
    – CheckPoint FireWall-1 and a shell script
    – IPTables with its limit functionality
    – OpenBSD's pf with a session-limit pf patch
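The outbound limit is the core of data control: a compromised honeypot must not become a launch point against third parties, yet the attacker should see enough freedom to keep working. The following is an added simulation of that policy in Python, not the slides' own material and not the Honeynet Project's FireWall-1 script or iptables rules; the honeynet range, the limit of five outbound connections, and the sample connection log are assumptions.

```python
"""Honeynet data control: per-honeypot outbound connection limit, as a simulation (added example)."""
import ipaddress
from collections import defaultdict


class OutboundLimiter:
    """Allow anything inbound; count outbound connections per honeypot and block past the limit."""

    def __init__(self, honeynet: str, limit: int):
        self.honeynet = ipaddress.ip_network(honeynet)
        self.limit = limit
        self.outbound = defaultdict(int)  # honeypot IP -> outbound connections allowed so far
        self.alerts = []                   # (timestamp, honeypot, dst) for every blocked attempt

    def _is_honeypot(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.honeynet

    def decide(self, ts: str, src: str, dst: str) -> str:
        """Return 'allow' or 'block' for one new connection from src to dst."""
        if not self._is_honeypot(src):
            return "allow"   # inbound (or unrelated) traffic: let it reach the honeypots
        if self.outbound[src] >= self.limit:
            self.alerts.append((ts, src, dst))
            return "block"   # the honeypot is now trying to connect out too often: contain it
        self.outbound[src] += 1
        return "allow"


def run(connections, honeynet="10.1.1.0/24", limit=5):
    """Apply the policy to a list of (ts, src, dst) and return (decisions, limiter)."""
    limiter = OutboundLimiter(honeynet, limit)
    decisions = [(ts, src, dst, limiter.decide(ts, src, dst)) for ts, src, dst in connections]
    return decisions, limiter


# Constructed connection log (documentation address ranges): one inbound connection to
# honeypot 10.1.1.5, then eight outbound attempts from it, then one outbound lookup from 10.1.1.6.
SAMPLE_CONNECTIONS = (
    [("09:00:01", "203.0.113.9", "10.1.1.5")]
    + [(f"09:05:{i:02d}", "10.1.1.5", f"198.51.100.{i}") for i in range(8)]
    + [("09:06:00", "10.1.1.6", "192.0.2.53")]
)

if __name__ == "__main__":
    decisions, limiter = run(SAMPLE_CONNECTIONS)
    for ts, src, dst, verdict in decisions:
        print(ts, src, "->", dst, verdict)
    print("blocked attempts:", len(limiter.alerts))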
Implementation (cont.)
• Data Control (cont'd)
  – a router is used to supplement this filtering
    • hides the firewall
    • acts as a second access control device
      – allows only packets whose source IP address belongs to the Honeynet
      – blocks outbound ICMP traffic
Implementation (cont.)
• Data Capture
  – firewall
    • the first layer of capturing activity
    • logs all connections initiated to and from the Honeynet
    • alerts
  – IDS
    • captures all network activity (important)
    • alerts us to any suspicious activity
      – not critical, but it can give detailed information
  – IDS implementation
    • snort; alerts are forwarded to the syslog server
Implementation (cont.)
• Data Capture (cont'd)
  – the systems themselves
    • capture all system and user activity that occurs on a system
      – all system logs are written not only locally but also to a remote log server
        » UNIX: add an entry for a remote syslog server in the configuration file
        » Windows: third-party applications
      – do not hide the use of a remote syslog server
    • capture keystrokes and screenshots and forward that data remotely
        » Unix: a modified version of bash
        » Windows: ComLog
Virtual Honeynet
• implements a honeynet on a single system
• advantages
  – reduced cost
  – easier management
• disadvantages
  – limited types of operating system
  – risk
    • an attacker can break out of the virtualization software and take over the Honeynet system, bypassing the Data Control and Data Capture mechanisms.
Virtual Honeynet (cont.)
• Implementation
  – VMware
[Diagram: Internet; Host Operating System running three Guest OS instances]