This presentation describes how to implement a network-based Intrusion Detection System (Snort) in the network, detect and analyze the alerts it generates, and block the attacker using an Access Control List.
5. Requirements & Specifications
• PROCESSOR REQUIREMENTS :
Intel / AMD processors (32 bit or 64 bit) with Virtualization Technology
• DISK SPACE & MEMORY REQUIREMENTS
VIRTUAL BOX              DISK SPACE REQUIREMENT   MEMORY REQUIREMENT
UBUNTU SERVER [SNORT]    5 GB                     512 MB
WINDOWS XP [VICTIM]      3 GB                     256 MB
LINUX MINT [VICTIM]      5 GB                     512 MB
BACKTRACK [ATTACKER]     15 GB                    512 MB
WINDOWS 8 [HOST]         20 GB                    1.5 GB
6. Terminology
• ROUTERS
Layer 3 networking device used to forward packets along the correct route to their final destination.
• FIREWALL
Hardware / software device installed between the internal network and the rest of the internet that allows or denies traffic depending upon predefined rules.
• SWITCHES
Layer 2 networking device used for node-to-node delivery of packets.
• IDS / IPS SENSOR
Intrusion Detection System / Intrusion Prevention System sensors are dedicated appliances for analyzing the traffic they receive.
7. What is Intrusion?
• Anybody trying to gain unauthorized access to the network.
• Viruses, Trojans and worms replicating in the network.
• Sending specially crafted packets to exploit a specific vulnerability.
• Attacks that make services unresponsive even for legitimate clients.
8. Types of Intrusion / Attacks
Web Based Attacks
• SQL Injection, Web Shells
• LFI, RFI and XSS attacks.
Network Based Attacks
• Unauthorized login
• Denial of Service attacks.
• Scanning ports and services.
• Replication of worms, Trojans, viruses.
• Spoofing attacks (Arpspoof, Dnsspoof attacks).
Triggering Vulnerabilities
• Exploiting buffer overflow vulnerabilities.
Zero Day Attacks
• Attacks that aren't yet known.
9. Intrusion Detection System
An Intrusion Detection System (IDS) is software or hardware designed to monitor, analyze and respond to events occurring in a computer system or network for signs of possible incidents or violations of security policies.
• It is a more advanced packet filter than a conventional firewall.
• Analyses the payload of each packet against predefined signatures or an anomaly baseline and flags the traffic as good or malicious.
• Malicious packets are logged for further analysis by the network administrator.
10. SNORT : Open Source IDS / IPS
• Open source, freely available IDS software (except for rules)
• Installed as a dedicated server on Windows, Linux and Solaris operating systems
• Placed as a network sensor in the network
• Rules are a set of instructions that define the action to take after matching a signature
• Works in three modes
• Sniffer Mode : sniffs each packet received
• Packet Logger Mode : logs packets to a file
• Intrusion Detection / Prevention Mode : each packet is compared with the signatures and, if a match is found, flagged as an alert.
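As an added example (not code from the deck or from the Snort project), a minimal Python matcher for a Snort-style rule that shows how the header fields (protocol, addresses, ports) and a content option are checked against each packet before an alert record is produced. The rule, the packet layout and the sample traffic are constructed for this illustration, and only the handful of rule options used here are supported.

```python
import ipaddress
import re

# Constructed, simplified Snort-style rule (added example, not from the deck): "action proto src sport -> dst dport (options)".
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB LFI /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001;)',
]
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(text):
    # Split the header fields and turn "key:value;" options into a dict (flags like nocase map to "").
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, raw_opts = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in raw_opts.split(";"))):
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def matches(rule, pkt):
    # Every header field must match before the payload is searched for the content string.
    def addr_ok(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    hdr_ok = (rule["proto"] == pkt["proto"]
              and addr_ok(rule["src"], pkt["src"]) and rule["sport"] in ("any", str(pkt["sport"]))
              and addr_ok(rule["dst"], pkt["dst"]) and rule["dport"] in ("any", str(pkt["dport"])))
    content = rule["opts"].get("content")
    if not hdr_ok or content is None:
        return hdr_ok
    if "nocase" in rule["opts"]:
        return content.lower() in pkt["payload"].lower()
    return content in pkt["payload"]

def inspect(packets, rules=RULES):
    # One alert record per (packet, rule) match: the data Snort writes to its alert log or database.
    parsed = [parse_rule(r) for r in rules]
    return [{"sid": r["opts"]["sid"], "msg": r["opts"]["msg"], "src": p["src"], "dst": p["dst"]}
            for p in packets for r in parsed if matches(r, p)]

def pkt(src, dst, payload, sport=40000, dport=80):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}
PACKETS = [  # constructed sample traffic: two requests into the protected /24, one to an outside host
    pkt("192.168.1.50", "192.168.1.10", "GET /index.php?page=../../../../etc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"),
    pkt("192.168.1.50", "192.168.1.10", "GET /index.php?page=about HTTP/1.1\r\nHost: victim\r\n\r\n"),
    pkt("192.168.1.50", "10.0.0.5", "GET /index.php?page=../../../../etc/passwd HTTP/1.1\r\nHost: other\r\n\r\n"),
]
```

Only the first packet raises an alert: the second carries no matching content and the third is addressed to a host outside the 192.168.1.0/24 the rule protects, so its header never matches.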
12. Signature Based IDS
• Works similar to antivirus
• Low false positive rate
• Highly effective against well known attacks
• Fails to identify zero day attacks and advanced malware attacks.
• Can be bypassed by changing the signature of the attack.
A Signature Based IDS analyses the content of each packet at Layer 7 and compares it with a set of predefined signatures.
13. Anomaly Based IDS
Monitors network traffic and compares it against an established baseline for normal use, classifying it as either normal or anomalous.
• Based on rules, rather than patterns or signatures.
• Can be accomplished using artificial intelligence and strict mathematical modelling techniques.
• Prone to a high false positive rate.
15. Host Based IDS
• Software (agents) installed on computers to monitor the input and output packets of the device
• It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
• Examples: Cisco Security Agent (CSA), Tripwire
17. Network Based IDS
• Connected to network segments to monitor, analyse and respond to network traffic.
• A single IDS sensor can monitor many hosts
• NIDS sensors are available in two formats
• Appliance: consists of a specialized hardware sensor and its dedicated software. The hardware consists of specialized NICs, processors and hard disks to efficiently capture traffic and perform analysis.
• Examples: Cisco IDS 4200 series, IBM RealSecure Network
• Software: sensor software installed on a server and placed in the network to monitor network traffic.
• Examples: Snort
19. Passive Detection Mode : IDS
[Diagram: Internet, Router, Firewall, Switch, Internal Network with DNS server and WWW server; the IDS Sensor is attached to a switch port configured as a SPAN port and reports to the Management System]
20. Inline Mode : IPS
[Diagram: Attacker, Sensor, Target in line, with the Sensor reporting to the Management System]
The sensor resides in the data forwarding path. If a packet triggers a signature, it can be dropped before it reaches its target. An alert can be sent to the management console.
21. Access Control List Rule
• A list of conditions that controls access to a network resource, filters unwanted traffic and is used to implement security policy.
• Used to filter traffic at any interface on the basis of source IP, protocol, destination port, destination IP, etc.
• Example :
config # access-list 25 permit 192.168.1.0 0.0.0.255
config # access-list 102 deny ip any any
• These ACLs must be associated with the interface where the filter needs to be applied.
config # interface f0/0
(config-if) # ip access-group 25 out
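As an added example (not from the deck and not a Cisco tool), a small Python evaluator for standard IOS-style ACL lines like the ones above, showing the three things an admin relies on when firing a blocking rule: wildcard-mask matching (0.0.0.255 covers a /24), top-down first-match evaluation, and the implicit deny at the end of every ACL. ACL 25 is taken from the slide; the attacker address and the `block_attacker` helper are constructed for this illustration.

```python
import ipaddress

def parse_ace(line):
    # Parse one standard ACL entry: "access-list N permit|deny any | host A.B.C.D | A.B.C.D WILDCARD".
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACL line: " + line)
    if parts[3] == "any":
        network, wildcard = 0, 0xFFFFFFFF
    elif parts[3] == "host":
        network, wildcard = int(ipaddress.ip_address(parts[4])), 0
    else:
        network = int(ipaddress.ip_address(parts[3]))
        # Wildcard mask: a 1 bit means "don't care", so 0.0.0.255 covers a whole /24; no mask means one host.
        wildcard = int(ipaddress.ip_address(parts[4])) if len(parts) > 4 else 0
    return {"acl": int(parts[1]), "action": parts[2], "network": network, "wildcard": wildcard}

def ace_matches(ace, src_ip):
    # Only the bits the wildcard leaves as 0 are compared.
    ip = int(ipaddress.ip_address(src_ip))
    return (ip & ~ace["wildcard"]) == (ace["network"] & ~ace["wildcard"])

def evaluate(acl_lines, src_ip):
    # Entries are checked top down and the first match decides.
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, src_ip):
            return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit "deny any"

def block_attacker(acl_lines, number, attacker_ip):
    # The admin's response from the scenarios: a host deny placed above the subnet permit, because first match wins.
    return [f"access-list {number} deny host {attacker_ip}"] + list(acl_lines)

# ACL 25 as on the slide, before and after the attacker (constructed address) is blocked.
ACL_25 = ["access-list 25 permit 192.168.1.0 0.0.0.255"]
ACL_25_AFTER = block_attacker(ACL_25, 25, "192.168.1.50")
```

Had the deny been appended after the permit instead of inserted above it, the attacker's packets would still match the /24 permit first and never be dropped.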
22. Scenario I : Internal Attack
[Diagram: Internet, Firewall, Router, Switch (configured as SPAN port), IDS Sensor, Management Server, Attacker, Ubuntu and Windows victims]
• The attacker (BackTrack) and the victims (Ubuntu, Windows) are connected to the same network.
• The attacker tries to fingerprint the victim using Nmap.
• The IDS sensor receives a copy of each packet sent and received by the attacker through the SPAN port.
• The IDS sensor analyses the content of each packet; if the payload matches a predefined signature, it is flagged as an alert and the details are saved in the MySQL database.
• The management server is used by the network administrator to view these alerts via a web interface.
• The network admin can fire an Access Control List (ACL) rule on the switch to block the attacker.
• ACL rule updated successfully.
• Now when the attacker tries to reach the victim (Windows), his packets are discarded.
23. Scenario II : External Attack
[Diagram: Attacker on the Internet, Firewall, Router, Switch (configured as SPAN port), IDS Sensor, Management Server, and Mac, Ubuntu and Windows victims on the internal network]
• The attacker is connected via the Internet (or another untrusted network).
• The attacker sends a malicious packet into the network.
• The IDS receives the traffic, analyses it and, if malicious, stores an alert in the database.
• The admin can view the alert via the web console.
• The network admin triggers an ACL rule to block the attacker.
• ACL rule updated successfully.
• Now when the attacker again tries to access the victim, his packets are discarded.
24. How to protect IDS / IPS ?
• Don't run any service on your IDS sensor.
• The platform on which you are running IDS should be
patched with the latest releases from your vendor.
• Configure the IDS machine so that it does not respond to
ping (ICMP Echo-type) packets.
• User accounts should not be created except those that are
absolutely necessary.
25. Conclusion
• An Intrusion Detection System (IDS) is software or hardware designed to monitor, analyze and respond to network traffic.
• Can be classified as profile (anomaly) based or signature based intrusion detection.
• IDS is used as promiscuous mode protection
• IPS is used as inline mode protection for securing the internal network
• Cisco 4200 series IDS and IPS sensors offer a rich set of features for IDS and IPS
• Snort is an open source, free IDS and can operate in sniffer, packet logger and intrusion detection/prevention modes. Snort uses rules to analyze traffic.
• Each packet is inspected by the IDS; if found malicious it is flagged as an alert and saved in the MySQL database.
• The network administrator can view these alerts using Snort Report and trigger an Access Control List rule to block the attacker.