4. What is Network Security?
The application of administrative, physical and technical controls in a network to provide Confidentiality, Integrity and Availability.
5. CIA Triad
Confidentiality: protection from unauthorized access
Integrity: protection from unauthorized alteration
Availability: timely and uninterrupted access
6. A Few Terminologies
Vulnerability: Any weakness
Attack: Exploitation of a vulnerability
Threat: The possibility of an attack
Cyber Attack: Any action that compromises the security of information owned by an individual or organization
Cyber Weapon: Any software, hardware or user used for a cyber attack
8. Network Security Monitoring (NSM)
Network security monitoring is an automated process that monitors network
devices and traffic for security vulnerabilities, threats, and suspicious activities.
Organizations can use it to detect and respond to cybersecurity breaches
quickly.
9. The NSM Cycle consists of three distinct phases:
Collection
Detection
Analysis
NSM Cycle
10. Intrusion Detection System (IDS)
A collection of techniques and methodologies used to monitor suspicious activities at both the network and the host level
It is not a firewall; it is an additional layer of security in the network
An IDS is more like an alarm system
Upon detection it performs actions such as alerting and logging
Network administrators can change firewall rules after an attack is detected
Can help detect attacks that pass through the firewall
Protection from insiders
It inspects the content of the network traffic
11. IDS
Deployed with multiple sensors at various locations on the network
Sensors report to a centralized management console
A sensor
Monitors traffic, matches it against the rule sets and raises alerts, logs it or takes some other action
A rule set contains
Traffic signatures or rules for unwanted behavior
Rules
Check for thresholds, protocol, source and destination IP
Signatures
Traffic patterns associated with an attack
13. Host Based IDS (HIDS)
Log Monitors
Parse system event log files
Example: Apache access log file, check for “cgi-bin”
Integrity Checkers
Check key system structures for changes
System files, registry keys
Tripwire (FIM solution)
File additions, deletions, flag modifications, access time etc.
14. Network Based IDS (NIDS)
Signature Based
Database of known signatures
Similar to virus signatures, but it looks for attack signatures
Anomaly based
Form a baseline for a normal system
Raise an alarm when the system is no longer functioning under normal conditions
15. Signature Based IDS
The most common form of IDS is signature-based
These systems work by examining packet data for indicators of
compromise (IOCs)
Indicators are combined with IDS platform-specific directives to form
signatures (also called rules)
Whenever a signature-based IDS locates data that matches content found
in a signature, it generates an alert
The two most popular signature-based IDSs are Snort and Suricata
16. Snort - a network intrusion prevention and detection system
17. Snort Modes
Sniffer mode
Reads the packets off the network and displays them in a continuous stream on the console (screen)
Packet Logger mode
Logs the packets to disk
IDS / offline mode
IPS / Inline mode
19. Packet Decoder
Takes packets from different types of network interfaces (Ethernet, SLIP, PPP, …)
Determines which underlying protocols are used in the packet (Ethernet, IP, TCP, etc.)
Also detects various anomalous behaviors in packet headers
20. Preprocessor
Plugins that modify or set up data for the detection engine
Rearrange the data so that the IDS can inspect it
Packet defragmentation
If a packet is too large it is fragmented into smaller packets
These must be reassembled prior to analysis
21. Preprocessor
frag3 – detects packet fragmentation
Stream5 – self-protection against TCP and UDP
http_inspect – web traffic
rpc_decode – RPC traffic
reputation – provides basic IP blacklist/whitelist capabilities
sfportscan – detects port scanning activities
+ Many others
22. Detection Engine
Most important component of Snort
Uses the detection rules
Its performance depends on
Speed of the machine
Number of rules
Load on the network
The Detection Engine applies rules to different parts of the packet
Header (IP/TCP/Application)
Packet payload
The policy for matching rules varies between versions
23. Logging and Alerting system
Based upon the matched rule, the packet is logged and/or an alert is generated
Logs are written to /var/log/snort by default
-l <directory> changes the log location
24. Snort Rules
Each rule is written on a single line
Rules are created from known intrusion signatures
Included in the Snort configuration file
Structure: rule header followed by rule options
26. Rule Header - Actions
The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 3 available default actions in Snort: alert, log and pass. In addition, if you are running Snort in inline mode, you have additional options: drop, reject and sdrop.
alert - generate an alert using the selected alert method, and then log the packet
log - log the packet
pass - ignore the packet
drop - block and log the packet
reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or
an ICMP port unreachable message if the protocol is UDP.
sdrop - block the packet but do not log it.
27. Rule Header - Source and Destination IP Address Field (1/2)
(source network) (port) -> (destination network) (port)
CIDR (Classless Inter-Domain Routing) notation is used for the network arguments, e.g. 10.35.24.0/24
In the Snort rules files you really deal with only two types of entries:
Networks
Hosts
28. Rule Header - Source and Destination IP Address Field (2/2)
Source and Destination IP Address Field
Format: Address/netmask
Address: x.x.x.x
Netmask: number of bits in the network mask
For example
24.0.0.0/8 Class A
24.3.0.0/16 Class B
192.185.67.0/24 Class C
192.185.67.188 host address
Special keywords:
any
! (negation)
$HOME_NET (variable defined elsewhere)
29. Rule Header - Source and Destination Port Field
Source and Destination Port Field
Static port: 111
All ports: any
Range: 110:3000
Negation: !80
Less than or equal: :1023
Greater than or equal: 1024:
30. Rule Header – Direction Indicator
->
Source information is specified to the left of the arrow, destination information to the right of the arrow
There is also a bidirectional operator, which is indicated with a <> symbol. This
tells Snort to consider the address/port pairs in either the source or destination
orientation. This is handy for recording/analyzing both sides of a conversation,
such as telnet or POP3 sessions
31. Rule Options
All Snort rule options are separated from each other using the semicolon (;)
character. Rule option keywords are separated from their arguments with a
colon (:) character
There are four major categories of rule options
General (msg, reference & classtype)
These options provide information about the rule but do not have any effect during detection
Payload (content, depth, offset & nocase)
These options all look for data inside the packet payload and can be inter-related
Non-Payload (ttl, id, dsize, flags, seq & icmp-id)
These options look for non-payload data
Post Detection (logto & session)
These options are rule specific triggers that happen after a rule has “fired.”
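As an added example (not Snort's own code and not from the slides), the following Python models the payload options listed above: content, offset, depth and nocase applied to a packet payload, including Snort's |xx xx| hex notation inside a content string. The payload is a constructed HTTP request that exercises the “cgi-bin” check mentioned on the HIDS slide.

```python
import re

# Snort writes raw bytes inside a content string as |hex bytes|, e.g. "|00 01|".
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def content_bytes(text):
    """Turn a Snort content string into bytes, decoding |xx xx| hex blocks."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + text[pos:].encode("latin-1")


def content_match(payload, content, offset=0, depth=None, nocase=False):
    """Apply content/offset/depth/nocase as the slides describe them:
    look for `content` starting `offset` bytes into the payload and, when
    `depth` is given, only within the next `depth` bytes (pattern must fit)."""
    needle = content_bytes(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, needle = window.lower(), needle.lower()
    return window.find(needle) != -1


# Constructed sample payload: an HTTP request line hitting a cgi-bin path.
PAYLOAD = b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example.test\r\n\r\n"
```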
37. Snort Configuration: Variables
Variables are used to store information to be referenced and manipulated
Three types of variables may be defined in Snort:
var
A simple variable that can be defined for any purpose
portvar
Defines a port or a list of ports
ipvar
Defines an IP or a list of IPs
38. Snort Configuration: Variables
example
var RULES_PATH /usr/local/etc/rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
Usage:
alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
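As an added example that is not part of the slides or of Snort itself, this Python parser ties the preceding slides together: it loads var/portvar/ipvar definitions, substitutes $NAME references in a rule header, parses the port field syntax (single port, any, ranges, :1023, 1024:, negation and portvar lists) and splits the options on the semicolon/colon convention. The constructed input is the variable block and the SYN rule shown above.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
# keyword, optional ':' argument (quoted or bare), terminating ';'
OPT_RE = re.compile(r'\s*([\w-]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def load_vars(conf_lines):
    """Map var/portvar/ipvar names to their definitions (snort.conf style)."""
    parts = (line.split(None, 2) for line in conf_lines)
    return {p[1]: p[2] for p in parts if len(p) == 3 and p[0] in ("var", "portvar", "ipvar")}

def expand(token, defs):
    """Resolve a $NAME reference (the $HOME_NET-style keyword) to its definition."""
    return defs.get(token[1:], token) if token.startswith("$") else token

def parse_ports(spec):
    """Port field -> (negated, [(low, high), ...]); accepts 111, any, 110:3000,
    :1023, 1024:, !80 and the [22,80,1024:1050] list form produced by a portvar."""
    negated, ranges = spec.startswith("!"), []
    for item in spec.lstrip("!").strip("[]").split(","):
        if item == "any":
            ranges.append((0, 65535))
        elif ":" in item:
            low, high = item.split(":", 1)
            ranges.append((int(low or 0), int(high or 65535)))
        else:
            ranges.append((int(item), int(item)))
    return negated, ranges

def port_matches(port, parsed):
    """True when the port satisfies the (possibly negated) port field."""
    return any(low <= port <= high for low, high in parsed[1]) != parsed[0]

def parse_rule(rule, defs):
    """Split one rule line into header fields and ordered (keyword, argument) options."""
    header, _, body = rule.partition("(")
    fields = [expand(f, defs) for f in header.split()]
    if len(fields) != 7 or fields[0] not in ACTIONS or fields[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % header)
    options = [(key, val[1:-1] if val.startswith('"') else (val or None))
               for key, val in OPT_RE.findall(body.rstrip().rstrip(")"))]
    return {"action": fields[0], "proto": fields[1], "src": fields[2], "sport": parse_ports(fields[3]),
            "direction": fields[4], "dst": fields[5], "dport": parse_ports(fields[6]), "options": options}

# Constructed sample input: the variable definitions and the SYN rule from the slides.
CONF = ["var RULES_PATH /usr/local/etc/rules/", "portvar MY_PORTS [22,80,1024:1050]",
        "ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]"]
RULE = 'alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)'
PARSED = parse_rule(RULE, load_vars(CONF))
```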
39. Snort Configuration: Config
Many configuration and command-line options of Snort can be specified in the configuration file
Format
config <directive> [: <value>]
Example
config frag3
OR
config alert_with_interface_name ens33 (equivalent to the command-line option snort -I)
40. Snort Configuration: Include
The include keyword allows other Snort config files to be included within the snort.conf indicated on the Snort command line
It works much like #include in the C programming language
Format
include <include file path/name>
Example
include $RULE_PATH/example.rule