This presentation describes how to implement a network-based Intrusion Detection System (SNORT) in the network, how to detect and analyze the alerts it generates, and how to block the attacker using an Access Control List.
Requirements & Specifications
• DISK SPACE & MEMORY REQUIREMENTS
• PROCESSOR REQUIREMENTS : Intel / AMD processors (32 bit or 64 bit) with Virtualization Technology

VIRTUAL BOX VM           DISK SPACE REQUIREMENT   MEMORY REQUIREMENT
UBUNTU SERVER [SNORT]    5 GB                     512 MB
WINDOWS XP [VICTIM]      3 GB                     256 MB
LINUX MINT [VICTIM]      5 GB                     512 MB
BACKTRACK [ATTACKER]     15 GB                    512 MB
WINDOWS 8 [HOST]         20 GB                    1.5 GB
Terminology
• ROUTERS : Layer 3 networking device that puts a packet on the correct route to reach its final destination.
• FIREWALL : Hardware / software device installed between the internal network and the rest of the internet that allows or denies traffic depending upon predefined rules.
• SWITCHES : Layer 2 networking device used for node to node delivery of packets.
• IDS / IPS SENSOR : Intrusion Detection System / Intrusion Prevention System sensors are dedicated appliances for analyzing the traffic they receive.
What is Intrusion?
• Anybody trying to gain unauthorized access to the network.
• Virus, Trojans and Worms replicating in the network.
• Sending specially crafted packets to exploit any specific vulnerability.
• Attacks that would make the services unresponsive even for legitimate clients.
Types of Intrusion / Attacks
Web Based Attacks
• SQL Injection, Web Shells
• LFI, RFI and XSS Attacks.
Network Based Attacks
• Unauthorized Login
• Denial Of Service attacks.
• Scanning ports and services.
• Replication of Worms, Trojans, Viruses.
• Spoofing Attacks (Arpspoof, DNS spoof attacks).
Triggering Vulnerabilities
• Exploiting Buffer Overflow attacks.
Zero Day Attacks
• Attacks that aren't yet known.
Intrusion Detection System
• An Intrusion Detection System (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents of violation of security policies.
• It is a more advanced packet filter than a conventional firewall.
• Analyses the payload of each packet against predefined signatures or an anomaly baseline and flags the traffic as good or malicious.
• Malicious packets are logged for further analysis by the network administrator.
SNORT : Open Source IDS / IPS
• Open source, freely available IDS software (except for some rule sets)
• Installed as a dedicated server on Windows, Linux and Solaris operating systems
• Placed as a network sensor in a network
• Rules are a set of instructions defined to take a certain action after matching some sort of signature
• Works in three modes
• Sniffer Mode : sniffs each packet received
• Packet Logger Mode : logs packets to a file
• Intrusion Detection / Prevention Mode : each packet is compared with signatures and, if a match is found, flagged as an alert.
Classification of IDS
(Diagram: IDS → Signature Based / Anomaly Based)
Signature Based IDS
• Works similar to Antivirus
• Low false positive rates
• Highly effective towards well known attacks
• Fails to identify Zero Day Attacks and Advanced Malware Attacks
• Can be bypassed by changing the signature of the attack
Signature Based IDS analyses the content of each packet at Layer 7 and compares it with a set of predefined signatures.
Anomaly Based IDS
• Monitors network traffic and compares it against an established baseline for normal use, classifying it as either normal or anomalous.
• Based on rules, rather than patterns or signatures.
• Can be accomplished using Artificial Intelligence and strict mathematical modelling techniques.
• Prone to a high false positive rate.
Host Based IDS
• Software (Agents) installed on computers to monitor input and output packets from the device
• It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
• Examples:
• Cisco Security Agent (CSA), Tripwire
(Diagram: Internet → Firewall → internal hosts including the DNS server and WWW server, each running a host Agent.)
Network Based IDS
• Connected to network segments to monitor, analyse and respond to network traffic.
• A single IDS sensor can monitor many hosts
• NIDS sensors are available in two formats
• Appliance: consists of a specialized hardware sensor and its dedicated software. The hardware consists of specialized NICs, processors and hard disks to efficiently capture traffic and perform analysis.
• Examples: Cisco IDS 4200 series, IBM Real Secure Network
• Software: sensor software installed on a server and placed in the network to monitor network traffic.
• Examples: Snort
(Diagram: Untrusted network → Firewall; Sensors on the segments of the DNS server and WWW server, reporting to a Management System.)
Passive Detection Mode : IDS
(Diagram: Internet → Router → Firewall → Switch → Internal Network with DNS server and WWW server; the Sensor is attached to a switch port configured as a SPAN port and reports to the Management System.)
Inline Mode : IPS
(Diagram: Attacker → Sensor → Target, with a Management System attached to the Sensor.)
• The sensor resides in the data forwarding path.
• If a packet triggers a signature, it can be dropped before it reaches its target.
• An alert can be sent to the management console.
Access Control List Rule
• List of conditions that controls access to any network resource, filters unwanted traffic and is used to implement security policy.
• Used to filter traffic at any interface on the basis of source IP, protocol, destination port, destination IP etc.
• Example :
  config # access-list 25 permit 192.168.1.0 0.0.0.255
  config # access-list 102 deny ip any any
• These ACLs must be associated with the interface where the filter needs to be applied.
  config # inter f0/0
  (config-if) # ip access-group 25 out
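How the ACL entries on this slide are evaluated, as an added example that is not part of the presentation: a small Python evaluator with the IOS first-match rule and the implicit deny at the end of every list. The slide's own entries are reused; the blocked host 192.168.1.77 and the other test addresses are constructed.

```python
import ipaddress

# Added example, not from the presentation: evaluates Cisco-style ACL entries
# the way IOS does. Entries are checked top to bottom, the first match decides,
# and a packet matching nothing hits the implicit "deny" at the end of the list.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask bit 0 = 'must match', bit 1 = 'don't care'.
    So 192.168.1.0 0.0.0.255 matches every host in 192.168.1.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)                   # compare only the 'must match' bits

def parse_entry(line: str):
    """Parse 'access-list N permit|deny [proto] SOURCE ...' into (action, (net, wildcard)).
    Handles the slide's forms ('permit 192.168.1.0 0.0.0.255', 'deny ip any any')
    plus 'host A.B.C.D'. Only the source is evaluated; the destination and port
    fields of an extended ACL are ignored to keep the example short."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    action, rest = tok[2], tok[3:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):   # extended ACL: protocol comes first
        rest = rest[1:]
    if rest[0] == "any":
        src = ("0.0.0.0", "255.255.255.255")      # 'any' = every bit is don't-care
    elif rest[0] == "host":
        src = (rest[1], "0.0.0.0")                # 'host' = every bit must match
    else:
        src = (rest[0], rest[1])
    return action, src

def acl_decision(acl_lines, src_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet from src_ip, IOS first-match style."""
    for line in acl_lines:
        action, (net, wc) = parse_entry(line)
        if wildcard_match(src_ip, net, wc):
            return action
    return "deny"                                 # implicit deny at the end of every ACL

# Constructed ACLs: the slide's LAN permit, and the same list after the admin
# prepends a deny entry for a detected attacker host (192.168.1.77 is made up).
ACL_25 = ["access-list 25 permit 192.168.1.0 0.0.0.255"]
ACL_25_BLOCKED = ["access-list 25 deny host 192.168.1.77"] + ACL_25
```

Order matters: the deny entry must sit above the LAN permit, otherwise the attacker's packets match the permit first and are never discarded.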
Scenario I : Internal Attack
(Diagram: Internet → Firewall → Router → Switch with one port configured as SPAN port feeding the IDS Sensor; Management Server, Attacker, Ubuntu and Windows hosts on the same switch.)
• Attacker (BackTrack) and victims (Ubuntu, Windows) are connected to the same network.
• Attacker tries to fingerprint the victim using Nmap.
• IDS sensor receives a copy of each packet sent and received by the attacker through the SPAN port.
• IDS sensor analyses the content of each packet; if the payload matches a predefined signature, it is flagged as an alert and the details are saved in the MySQL database.
• Management server is used by the network administrator to view these alerts via the web interface.
• Network admin can fire an Access Control List (ACL) rule on the switch to block the attacker (ACL rule updated successfully).
• Now when the attacker tries to reach the victim (Windows), his packets will be discarded.
Scenario II : External Attack
(Diagram: Attacker on the Internet → Firewall → Router → Switch with one port configured as SPAN port feeding the IDS Sensor; Management Server, Mac, Ubuntu and Windows hosts inside.)
• Attacker is connected via the Internet (or another untrusted network).
• Attacker sends malicious packets into the network.
• IDS receives the traffic, analyses it and, if malicious, stores an alert in the database.
• Admin can view the alert via the web console.
• Network admin triggers an ACL rule to block the attacker (ACL rule updated successfully).
• Now when the attacker again tries to access the victim, his packets are discarded.
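The detect-then-block loop of both scenarios, as an added example that is not part of the presentation: Snort's alert_fast output lines are parsed, sources with severe alerts are picked out, and the IOS ACL lines that discard their packets are produced. The alert lines, addresses, SIDs and messages are constructed, and the ACL number and interface name are assumptions.

```python
import re
from collections import Counter

# Added example, not from the presentation. Layout of a Snort alert_fast line:
# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
ALERT_RE = re.compile(
    r"(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed alerts (addresses, SIDs, messages made up): an internal host scanning
# two victims, a low-priority alert that should not be blocked, and an external source.
SAMPLE_ALERTS = """\
03/12-14:05:31.112233  [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51324 -> 192.168.1.10:22
03/12-14:05:31.118842  [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51325 -> 192.168.1.20:445
03/12-14:06:02.004410  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
03/12-14:07:44.560001  [**] [1:1000003:2] LOCAL web shell request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:40213 -> 192.168.1.10:80
"""

def parse_alert(line: str):
    """Return the alert's fields as a dict, or None if the line is not alert_fast format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])          # Snort priority: 1 = high, 2 = medium, 3 = low
    return d

def attackers(text: str, max_priority: int = 2):
    """Source IPs having at least one alert of priority <= max_priority, with alert counts."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a and a["prio"] <= max_priority:
            counts[a["src"]] += 1
    return dict(counts)

def block_acl(ips, acl_number: int = 102, interface: str = "f0/0"):
    """IOS lines that drop every packet from the listed hosts, keep the rest of the
    traffic, and apply the list inbound on the attacker-facing interface (assumed names)."""
    lines = [f"access-list {acl_number} deny ip host {ip} any" for ip in sorted(ips)]
    lines.append(f"access-list {acl_number} permit ip any any")
    lines += [f"interface {interface}", f" ip access-group {acl_number} in"]
    return lines
```

The admin pastes the returned lines into configuration mode; the trailing `permit ip any any` is what keeps legitimate traffic flowing past the implicit deny.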
How to protect IDS / IPS ?
• Don't run any service on your IDS sensor.
• The platform on which you are running the IDS should be patched with the latest releases from your vendor.
• Configure the IDS machine so that it does not respond to ping (ICMP Echo) packets.
• User accounts should not be created except those that are absolutely necessary.
Conclusion
• An Intrusion Detection System (IDS) is software or hardware designed to monitor, analyze and respond to network traffic.
• Can be classified as Profile (anomaly) based or Signature based intrusion detection.
• IDS is used as promiscuous mode protection
• IPS is used as Inline mode protection for securing the internal network
• Cisco 4200 series IDS and IPS sensors offer a rich set of features for IDS and IPS
• Snort is an open source, free IDS and can operate in sniffer, logging and intrusion detection/prevention modes. Snort uses rules to analyze traffic.
• Each packet is inspected by the IDS; if found malicious it is flagged as an alert and saved in the MySQL database.
• The Network Administrator can view these alerts using Snort Report and trigger an Access Control List rule to block the attacker.