1
00:00:03,620 --> 00:00:08,340
In addition to firewalls there are also network intrusion detection systems.

2
00:00:08,390 --> 00:00:15,690
These are programs or devices that analyze data sent over the network in real time on the basis of predefined

3
00:00:15,690 --> 00:00:18,540
patterns or anomalies from the baseline.

4
00:00:18,630 --> 00:00:22,140
They notify the user or autonomously take preventative actions.

5
00:00:26,560 --> 00:00:32,700
The simplest network intrusion detection systems analyze traffic against certain characteristics. Some

6
00:00:32,700 --> 00:00:37,550
programs create packets in a way that differs from the RFC standard.

7
00:00:37,580 --> 00:00:42,740
The foremost example of that is a TCP scan called the Xmas tree, which has the flags in the

8
00:00:42,740 --> 00:00:45,330
TCP headers set in a nonsensical way.

9
00:00:46,210 --> 00:00:49,100
No host would send packets with flags set that way.

10
00:00:51,110 --> 00:00:53,620
Another example is the null scan.

11
00:00:53,750 --> 00:01:01,010
In this case all of the TCP header flags are turned off. Network intrusion detection systems analyze

12
00:01:01,010 --> 00:01:08,190
packet headers looking for anomalies. Thanks to that they can identify a program which an attacker used,

13
00:01:08,190 --> 00:01:10,970
for example, to perform a scan.

14
00:01:11,070 --> 00:01:14,190
Each of these programs corrupts packets in a distinctive way.

15
00:01:18,360 --> 00:01:24,350
More and more network intrusion detection systems in use are intelligent systems. They learn the behaviors

16
00:01:24,350 --> 00:01:30,760
of the users of the network they protect. A system in the learning mode collects data about the users'

17
00:01:30,760 --> 00:01:34,170
activity and the network. Based on this,

18
00:01:34,200 --> 00:01:36,340
it creates a signature.

19
00:01:36,480 --> 00:01:42,560
We're not talking here about the signature in the sense of the combination of two header fields.
20
00:01:42,700 --> 00:01:48,460
Rather, it may include information that, for example, a user John Doe receives more data than he sends:

21
00:01:49,270 --> 00:01:55,150
the ratio of packets downloaded to the packets sent is three to one.

22
00:01:55,150 --> 00:02:00,130
In addition he connects to four favorite servers and works usually between 9:00 a.m. and 4:00 p.m.

23
00:02:01,270 --> 00:02:05,860
If the same user starts sending data at 11:00 p.m., downloading very little,

24
00:02:06,070 --> 00:02:13,050
and in addition sending the data from a database server which he has not connected to before, his behavior

25
00:02:13,050 --> 00:02:20,220
will be inconsistent with the characteristic calculated beforehand by the intrusion detection system.

26
00:02:20,290 --> 00:02:23,030
This is how intelligent intrusion detection systems work.

27
00:02:26,090 --> 00:02:31,460
This functionality is developed as part of an intrusion detection system called Snort, which has become

28
00:02:31,460 --> 00:02:32,450
sort of a standard.

29
00:02:35,040 --> 00:02:37,710
Having discovered a suspicious situation,

30
00:02:37,710 --> 00:02:43,320
that is, a packet matching an attack signature or one that doesn't match the user's characteristic

31
00:02:43,320 --> 00:02:45,210
or network traffic signature,

32
00:02:45,210 --> 00:02:52,690
the response of the detection system can be passive or active. A passive response consists of recording

33
00:02:52,690 --> 00:03:00,170
the attack and signaling it to the administrator. An active response is more interesting. In an active

34
00:03:00,170 --> 00:03:05,090
response the communication channel is immediately interrupted as a result of an interference with the

35
00:03:05,090 --> 00:03:06,510
TCP session.
36
00:03:08,620 --> 00:03:13,690
Previously we mentioned that more than 90 percent of the Internet traffic and traffic on local networks

37
00:03:14,020 --> 00:03:21,380
uses the TCP transport layer because it's reliable and guarantees packet delivery.

38
00:03:21,410 --> 00:03:28,460
The session can be terminated by the FIN or reset commands. Discussing network intrusion detection

39
00:03:28,460 --> 00:03:29,520
systems,

40
00:03:29,540 --> 00:03:31,160
we should mention the traps they use.

41
00:03:35,400 --> 00:03:37,920
Such traps are called honeypots.

42
00:03:38,070 --> 00:03:41,240
These are special systems run in order to attract attackers.

43
00:03:45,250 --> 00:03:51,060
One of their main advantages is that they are not production systems. They're configured to run certain

44
00:03:51,060 --> 00:03:57,620
services, but in fact they do not provide any services useful for the network.

45
00:03:57,620 --> 00:04:01,010
This means that any attack attempt can be easily identified.

46
00:04:01,750 --> 00:04:04,950
Each connection attempt with a honeypot is suspicious.

47
00:04:06,640 --> 00:04:11,670
In a perfectly configured network no one would try to find a database server by trial and error and

48
00:04:11,670 --> 00:04:19,910
then connect to it to read some data. Each user connects to the server dedicated to a given program. With

49
00:04:19,910 --> 00:04:21,180
a honeypot enabled,

50
00:04:21,380 --> 00:04:27,490
it's easier to analyze suspicious traffic because you don't have to filter out regular traffic. Each

51
00:04:27,490 --> 00:04:30,480
session established with the honeypot is suspicious.

52
00:04:31,530 --> 00:04:33,200
Despite numerous advantages,

53
00:04:33,300 --> 00:04:36,980
network intrusion detection systems and firewalls have their limitations.

54
00:04:39,580 --> 00:04:41,620
Here's a relatively recent story.

55
00:04:41,770 --> 00:04:48,300
It happened a couple of years ago, and it exemplifies these limitations.
56
00:04:48,310 --> 00:04:54,770
It was the four-way handshake. It was publicized by the BreakingPoint Systems company and the NSS Labs

57
00:04:54,780 --> 00:04:57,240
research group.

58
00:04:57,290 --> 00:04:59,030
Let's start from the very beginning.

59
00:05:02,350 --> 00:05:08,840
TCP, which is a session protocol, initiates the communication through a handshake process which involves

60
00:05:08,840 --> 00:05:18,110
establishing a session. RFC 793 describes in detail how the entire process should proceed, as follows.

61
00:05:18,250 --> 00:05:24,440
The initiator sends the SYN packet in order to synchronize sequence numbers. After receiving the packet

62
00:05:24,500 --> 00:05:28,730
the recipient sends an acknowledgment message for the TCP packet.

63
00:05:28,730 --> 00:05:36,700
This means sending an ACK flag. The recipient then sends its own synchronization packet.

64
00:05:36,710 --> 00:05:44,390
Usually this flag is sent along with the previous one in a single SYN-ACK packet. The initiator confirms

65
00:05:44,390 --> 00:05:48,640
receiving the packet by sending the ACK response.

66
00:05:48,670 --> 00:05:51,850
At this point only that information has been exchanged.

67
00:05:52,990 --> 00:05:55,880
Both parties know the sequence numbers.

68
00:05:56,020 --> 00:06:04,270
They can now reliably exchange data. In Section 3.3 of RFC 793

69
00:06:04,270 --> 00:06:06,390
this process is described slightly differently.

70
00:06:10,090 --> 00:06:18,660
According to the document, the client initiator sends a SYN packet. The receiver acknowledges it by sending

71
00:06:18,660 --> 00:06:25,340
an ACK packet. Then it sends its sequence number in a separate packet.
72
00:06:27,810 --> 00:06:32,910
Having received the packet, the initiator acknowledges that by sending an ACK packet.

73
00:06:36,920 --> 00:06:43,470
Thus the RFC described session establishment as a four-stage process: it requires the exchange of four

74
00:06:43,470 --> 00:06:47,640
messages rather than three. The issue

75
00:06:47,650 --> 00:06:52,570
the creators of firewalls and intrusion detection systems face is that their products are suited for

76
00:06:52,570 --> 00:06:54,050
the current situation.

77
00:06:57,810 --> 00:07:04,140
Because it's customary to establish a TCP session using three packets only, firewalls and intrusion

78
00:07:04,140 --> 00:07:11,580
detection systems assume that this is the only way to establish a TCP session. The RFC standard, however,

79
00:07:11,580 --> 00:07:13,000
is different.

80
00:07:13,110 --> 00:07:17,730
Firewalls are not universal mechanisms that always act in a predictable way.

81
00:07:17,820 --> 00:07:21,550
They are configured with specific situations in mind.

82
00:07:21,590 --> 00:07:26,690
If someone can look at the situation from a different perspective, and hackers are people who can easily

83
00:07:26,690 --> 00:07:32,240
find a different perspective, then the assumptions underlying the design of a device turn out to be wrong.

84
00:07:34,490 --> 00:07:38,730
The entire device will prove ineffective. We will show that in a while.
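As an added example, not part of the lecture or this transcript, the following Python checker runs over constructed packet records: it labels the Xmas tree and null scan header anomalies the lecture describes, and it tells a customary three-packet opening apart from the four-message sequence the lecture attributes to RFC 793, the case a device that assumes three packets would miss. The addresses, the packet records and the FIN+PSH+URG modelling of the Xmas tree are assumptions.

```python
# Added example (not from the lecture): header-anomaly and handshake checks over
# constructed packet records: Xmas-tree / null scan signatures and the
# four-message handshake the lecture attributes to RFC 793 section 3.3.
# Assumption: Xmas tree = FIN+PSH+URG without SYN/ACK (lecture gives no flag list).
XMAS = {"FIN", "PSH", "URG"}

def classify_flags(flags):
    """Label TCP flag combinations no normal host would send, else None."""
    f = set(flags)
    if not f:
        return "null-scan"          # every header flag turned off
    if XMAS <= f and not f & {"SYN", "ACK"}:
        return "xmas-scan"
    return None

def scan_alerts(packets):
    """Passive response: (src, dst, label) for each anomalous header."""
    return [(s, d, lbl) for s, d, fl in packets if (lbl := classify_flags(fl))]

def track_handshakes(packets):
    """Classify each (client, server) opening as three-way, four-way or incomplete.
    packets: (src, dst, flags) tuples in arrival order."""
    state = {}                      # (client, server) -> steps observed
    for src, dst, flags in packets:
        f = set(flags)
        if (dst, src) in state:     # reply from server to a known client
            steps = state[(dst, src)]
            if f == {"SYN", "ACK"}:
                steps.append("SYN-ACK")     # the customary combined reply
            elif f == {"ACK"}:
                steps.append("S-ACK")       # server acknowledges on its own ...
            elif f == {"SYN"}:
                steps.append("S-SYN")       # ... then synchronises separately
        elif (src, dst) in state:
            if f == {"ACK"}:
                state[(src, dst)].append("C-ACK")   # client's final confirmation
        elif f == {"SYN"}:
            state[(src, dst)] = ["SYN"]     # new opening by the initiator
    kinds = {("SYN", "SYN-ACK", "C-ACK"): "three-way",
             ("SYN", "S-ACK", "S-SYN", "C-ACK"): "four-way"}
    return {k: kinds.get(tuple(v), "incomplete") for k, v in state.items()}

# Constructed sample: one ordinary opening, one four-message opening, two scans.
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", ["SYN"]), ("10.0.0.9", "10.0.0.5", ["SYN", "ACK"]),
    ("10.0.0.5", "10.0.0.9", ["ACK"]), ("10.0.0.7", "10.0.0.9", ["SYN"]),
    ("10.0.0.9", "10.0.0.7", ["ACK"]), ("10.0.0.9", "10.0.0.7", ["SYN"]),
    ("10.0.0.7", "10.0.0.9", ["ACK"]), ("10.0.0.8", "10.0.0.9", ["FIN", "PSH", "URG"]),
    ("10.0.0.8", "10.0.0.9", []),
]
```

A checker that only recognised the SYN / SYN-ACK / ACK pattern would report the second client as never having opened a session, which is exactly the blind spot the lecture goes on to describe.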