TCIL-IT ETHICAL HACKER ASSIGNMENT NO. 9 1. What is IDS Ans.

An IDS (Intrusion Detection System) gathers information within a LAN/CAN about unauthorized access as well as misuse. An IDS is also referred as packet sniffer. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. IDS Placement:

Types of IDS: Two general types of IDS are Network Based IDS (HIDS) & Host Based IDS (NIDS) those are explain below: Network Based IDS: The first type of IDS is the Network based IDS. This type of IDS is deployed at strategic places in the network infrastructure (sometimes outside the firewall, in the DMZ, or various places throughout the internal network) to capture traffic going across the wire, and comparing it to a database of known attack signatures. If the packets are inspected, and there is a match to the signature database. Many types of actions can be taken, including alerts to the administrator, sending a RST to the attacking host to kill the connection, or even dynamically modifying firewall rules to block the connection (although this is often very risky because of the probability that valid traffic will be blocked from the network if a false positive

is detected. NIDS can most similarly be compared to a sniffer on steroids. Types of NIDS include Snort, Cisco NIDS.

HOST Based IDS: HIDS is a bit different than NIDS in the aspect that it is run as a service or agent on the protected host. HIDS does not insect traffic that is not directed at the host it is protecting. Instead, the HIDS agent monitors settings on the machine, like critical system

files (/etc/passwd, the NT SAM file, etc), registry settings, file checksums, or just about any other parameter you define. When an attack is made to a machine, the agent will typically block the connection, log a record of the session, report it back to a central management console, and of course alert the admin of the problem. HIDS also has another distinct characteristic; it can inspect encrypted traffic, because the traffic is actually decrypted before the agent inspects it. NIDS on the other hand can't do anything about encryption. Types of HIDS, include Tripwire, Cisco HIDS.

2. What is Firewall? Ans. Firewall helps protect computers in large organization from unauthorized data that comes from INTERNET with any requested application. In other words we can say that it helps to prevent our computer from Trojan, Virus & any other harmful application that comes from INTERNET.

Types of Firewall: There are basically two types of firewall those are explain below:

Hardware Firewall: Hardware firewalls can be purchased as a stand-alone product but more recently hardware firewalls are typically found in broadband routers, and should be considered an important part of your system and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network. Most hardware firewalls will have a minimum of four network ports to connect other computers, but for larger networks, business networking firewall solutions are available.

Software Firewall: For individual home users, the most popular firewall choice is a software firewall. Software firewalls are installed on your computer (like any software) and you can customize it; allowing you some control over its function and protection features. A software firewall will protect your computer from outside attempts to control or gain access your computer, and, depending on your choice of software firewall, it could also provide protection against the most common Trojan programs or e-mail worms.

Basic work of Firewall: Packet Filtering: Packet filtering inspects each packet passing through the network and accepts or rejects it based on userdefined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing. Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. Circuit Level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

 Proxy Server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. 3. What is Honeypot? Ans. A honey pot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, unprotected, and monitored, and which seems to contain information or a resource of value to attackers. Types of Honeypots: There are two types of Honeypots those are explain below: Production Honeypots: Production honeypots are easy to use, capture only limited

information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by organization to improve their overall state of security. Normally, production honeypots are low- interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Research Honeypots: Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not

add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.