4. Performance Test
# Alert on TCP traffic leaving FTP data port 20 whose first 10 bytes contain "total" (the first line of a directory listing). Snort rejects a rule without a sid, so a sid from the local range (above 1000000) is added here.
alert tcp any 20 -> any any (msg:"Possible for FTP Bounce"; content:"total"; depth:10; sid:1000001; rev:1;)
The best way to deal with FTP bounce is to enable the FTP preprocessor and also enable its bounce option (bounce yes). The bounce option can take further configuration: the available option is to specify the IP addresses to which a bounce is allowed. This further configuration eliminates false alarms, since Snort will then generate alarms only for bounces to IP addresses that are not those of the internal network.
bounce_to (192.168.10.0/24)
4.7 Internal Network Protection
As was mentioned in the previous chapter, the clients of the internal network are not allowed to visit two specific web sites, www.facebook.com and www.miniclip.com. For that reason the firewall of the enterprise blocks the traffic from these two web servers. The firewall uses a rule which is based on the IP addresses of these two locations. Unfortunately there are many easy ways to bypass a firewall whose rules are based on IP addresses.
A very simple trick that can be used to bypass a firewall that blocks traffic from a specific IP address is to connect to another server and receive the traffic of the blocked IP address through that server. An easy way to do this is with the Google online translate service. A client can connect to translate.google.gr and choose to translate French words into English (this selection is not random, since all the letters of the French alphabet are the same as in the English one). If the client asks to translate the French "word" www.miniclip.com into English, the link to the miniclip web site appears on the screen. The client can then connect through that link to the desired location. The incoming traffic has the source IP address of a Google server, which is allowed by the firewall (http://www.wikihow.com/Bypass-a-Firewall-or-Internet-Filter).
Network administrators can prevent this kind of penetration simply by enabling additional Snort rules. Snort, like all IDSs, works as an additional security measure for a system; this means that the configuration of Snort is made according to the configuration of all the other security tools of the system. In this case the additional Snort rules must be based on content, because the firewall already blocks traffic from these locations by their IP address. The rule that can be used is very plain and simple:
# Alert for any TCP packet from any network to any network, from any port to any port. The Snort decoders search inside the TCP payload for "www.miniclip.com".
alert tcp any any -> any any (msg:"someone is using www.miniclip.com"; content:"www.miniclip.com"; sid:1000002; rev:1;)
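The following Python program is an added illustration, not part of the dissertation or of Snort itself: it re-implements the content and depth matching that the FTP bounce rule and the www.miniclip.com rule above rely on, and runs both over constructed packets, including a translate.google.gr style request and a harmless message that produces the kind of false alarm discussed in the conclusions. Addresses, ports and payloads are assumed values.

```python
# Added example, not code from the dissertation: a minimal re-implementation of
# the content/depth matching the two Snort rules in chapter 4 rely on, run over
# constructed payloads. Only the source-port test and the payload search are
# modelled; real Snort also checks addresses, flow state, offset and nocase.
from typing import List, Optional

class Rule:
    def __init__(self, msg: str, src_port: Optional[int], content: bytes,
                 depth: Optional[int] = None):
        self.msg = msg
        self.src_port = src_port  # None stands for "any"
        self.content = content
        self.depth = depth        # None: search the whole payload

RULES = [
    Rule("Possible for FTP Bounce", 20, b"total", depth=10),
    Rule("someone is using www.miniclip.com", None, b"www.miniclip.com"),
]

def matches(rule: Rule, src_port: int, payload: bytes) -> bool:
    """Port test first, then Snort's content/depth semantics."""
    if rule.src_port is not None and rule.src_port != src_port:
        return False
    window = payload if rule.depth is None else payload[:rule.depth]
    return rule.content in window

def alerts(src_ip: str, src_port: int, payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on one packet."""
    return [f"[{src_ip}:{src_port}] {r.msg}"
            for r in RULES if matches(r, src_port, payload)]

# Constructed sample traffic (addresses and contents are made up).
SAMPLES = {
    # FTP data channel answering LIST: "ls -l" output begins with "total".
    "ftp_list": ("10.0.0.9", 20, b"total 12\r\n-rw-r--r-- 1 ftp ftp 4096 a.txt\r\n"),
    # "total" is present but past the first 10 bytes, so depth:10 excludes it.
    "ftp_late": ("10.0.0.9", 20, b"-rw-r--r-- 1 ftp ftp 4096 total.txt\r\n"),
    # Direct request to the blocked site (the firewall already drops this).
    "direct": ("192.168.5.4", 40001,
               b"GET / HTTP/1.1\r\nHost: www.miniclip.com\r\n\r\n"),
    # The translate trick: the blocked hostname rides in the query string of a
    # request to a Google address the firewall allows; content still matches.
    "translate": ("192.168.5.4", 40002,
                  b"GET /translate?sl=fr&tl=en&u=www.miniclip.com HTTP/1.1\r\n"
                  b"Host: translate.google.gr\r\n\r\n"),
    # A false alarm of the kind chapter 5 describes: text merely naming the site.
    "mail": ("192.168.5.7", 40003,
             b"Subject: lunch\r\n\r\nthe kids play on www.miniclip.com\r\n"),
}
```

Calling alerts(*SAMPLES["translate"]) fires the content rule even though the destination is a Google server, while SAMPLES["ftp_late"] shows how depth:10 limits the FTP rule to the start of the payload.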
If one of the clients of the internal network tries to bypass the firewall of the enterprise with the use of the trick that was mentioned above then Snort will return:
Figure 4.17. Snort detects a client that is visiting the web site www.miniclip.com
From these results it is clear that the client of the internal network with the IP address 192.168.5.4 is visiting the www.miniclip.com web site.
5. Conclusions
Network administrators have always used security mechanisms to create safe environments for their networks. On the other hand, attackers have become more effective in penetrating systems due to the sophisticated penetration techniques that are developed and shared by attackers through the internet. The need for additional security measures gave birth to Intrusion Detection Systems (IDS). An IDS cannot close all the open holes and eliminate the vulnerabilities of a network, although it is a great weapon that can be used in the battle against intruders.
The scope of this dissertation was to present Intrusion Detection System technology and demonstrate how it behaves under attacks made with the specialized tools that attackers use. For that reason a test-bed environment was created and several attacks were performed against hosts that were using Snort as a NIDS. Nmap was the specialized tool used for the attacks. The main goal of these attacks was to show how Snort reacts to possible threats.
The test-bed environment, created with VMware Workstation, was used to represent a hypothetical network under attack. To test the detection capability of Snort, several scans were performed with Nmap. These tests show that Snort was able to detect all the scans that were performed:
SYN scan
FIN scan
NULL scan
Xmas scan
Port scan
Scan with Fragmentation
Snort uses specific rules to detect these kinds of scans, which were discussed in chapter 4. Snort was also used to detect users who were visiting specific internet locations. This test showed how a sophisticated user can penetrate firewalls and, at the same time, how an IDS should work in order to provide additional protection to a network.
The use of Snort can help network administrators check their networks for possible threats every time an alarm is triggered. The main disadvantage of Snort is that an alarm does not always mean a threat. Snort alarms can be triggered for no reason; these alarms are known as false alarms. The worst thing is that these false alarms are triggered by the same rules that are used for the detection of malicious attacks. What really happens is that Snort recognizes regular traffic as the signature of a malicious attack and generates the alarm. False alarms are like the allergic reactions of humans. For example, humans snort whenever a virus is detected by their immune system, although humans may also snort as an allergic reaction to a substance that is considered to be harmless. Maybe this is the reason why the word "snort" was selected as the name for an IDS.
Snort is an IDS that can be configured according to the security policy of the network. The configuration can customize the detection ability of Snort to benefit its users. The customization of Snort can increase its processing power and also decrease the percentage of false alarms. The configuration of Snort is briefly presented in chapter 3.
To sum up, Snort is a security tool that can be used as an additional security mechanism for computer networks that already use other security tools for their protection. It is a powerful security tool that focuses on detecting malicious attacks.
Snort can also be customized and become even more effective in detecting attacks.
On the other hand, an IDS may produce false alarms and alert its users to events that are not characterized as possible threats. Careful configuration before deployment can prevent most of these false alarms. The configuration of Snort can be tested by its users with specialized attack tools that perform attacks against the network where Snort is installed, while observing its ability to detect these attacks.
Snort is a mechanism that enables network administrators to monitor their networks in real time and increases their ability to react almost immediately to any possible malicious attack.
References
1. Kizza, Joseph (2005) System Intrusion Detection and Prevention. Computer Network Security, pp. 315-346.
2. Vokorokos, Kleinova, Latka (2006) Network Security on the Intrusion Detection System Level. INES 2006, 10th International Conference on Intelligent Engineering Systems.
3. Yeung, Ding (2003) Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36, pp. 229-243.
4. Wang, Yang, Li (2010) Study of Network-based Intrusion Detection System for Virtualization. 2010 2nd International Conference on Computer Engineering and Technology.
5. Rowan, Tom (2007) Intrusion prevention systems: superior security. Network Security 9, pp. 11-15.
6. Jia, Chen (2009) Performance Evaluation of a Collaborative Intrusion Detection System. Fifth International Conference on Natural Computation.
7. Bace, Mell (2001) Intrusion Detection Systems. NIST Special Publication on Intrusion Detection Systems.
8. Bierman, Cloete, Venter (2001) A comparison of Intrusion Detection System. Computers & Security 20, pp. 676-683.
9. Mutz, Vigna, Kemmerer (2003) An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems. Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003).
10. Aydın, Zaim, Ceylan (2009) A hybrid intrusion detection system design for computer network security. Computers and Electrical Engineering 35, pp. 517-526.
11. Harley Kozushko (2003) Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems.
12. Dr Rhodri M. Davies (2002) Firewalls, Intrusion Detection Systems and Vulnerability Assessment: A superior Conjunction? Vistorm Ltd, pp. 9-11.
13. Jay Beale (2004) Snort 2.1 Intrusion Detection, 2nd Edition. Rockland, MA: Syngress Publishing, Inc.
14. Ansari, Rajeev S.G., Chandrashekar (2002) Packet Sniffing: A Brief Introduction. IEEE Potentials, ISSN 0278-6648, pp. 17-19.
15. Paxson, Rothfuss, Tierney (2004) Bro Quick Start Guide. http://www.bro-ids.org/ [Accessed 20th June 2011].
16. Hay, Cid, Bray (2008) OSSEC Host-Based Intrusion Detection Guide. Burlington, MA: Syngress Publishing, Inc. / Elsevier, Inc.
17. https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide [Accessed 21st June 2011].
18. http://nmap.org/ [Accessed 28th June 2011].
19. Rogers, Carey, Criscuolo, Petruzzi (2008) Nessus Network Auditing, 2nd Edition. Burlington, MA: Elsevier, Inc.
20. Vigna, Robertson, Balzarotti (2004) Testing Network-based Intrusion Detection Signatures Using Mutant Exploits. CCS'04, October 25-29, Washington, DC, USA.
21. Yang, Gasio, Katipally, Cui (2010) IEEE International Conference on Social Computing / IEEE International Conference on Privacy, Security, Risk and Trust.
22. http://sectools.org [Accessed 15th May 2011].
23. http://www.wikihow.com/Bypass-a-Firewall-or-Internet-Filter [Accessed 25th May 2011].