Base paper presented by Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar at the 2010 6th International Conference on Emerging Technologies (ICET)
3. Intrusion detection and prevention is necessary for the security of any network. Initially a firewall was considered essential to provide security for the network, but now IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are mainstream devices alongside firewalls.
Snort is used as the IDS and its alerts are logged to a database, from where they are read and router Access Control List (ACL) rules are generated based on the Snort intrusion alerts; these ACL rules are then configured on the Cisco router to block the potential intrusions.
4. Almost all networks are potentially vulnerable to network intrusions despite all security measures. Thus good security measures are needed to keep our system secured.
Also, I did my summer internship on network intrusion detection, so I wanted to learn how network intrusion prevention works.
5. An Intrusion Prevention System provides the capability to prevent intrusions, but because of its cost it is not an option for many small businesses and home users. Hence, using a lightweight and free Intrusion Detection System such as Snort, integrating it with a Cisco router and enhancing it with a prevention mechanism is a good solution to this problem.
A router and a computer (to be used as a sensor) are fundamental components of every major network, so the proposed system does not need any additional hardware.
This study proposes a very basic way to prevent intrusions without any additional cost.
6. An intrusion detection system is a set of techniques and methods that are used to detect suspicious activity at both the network and host level.
Intruders have signatures that can be detected. Based upon a set of signatures and rules, the intrusion detection system (IDS) is able to find and log suspicious activity and generate alerts.
Intrusion prevention system
An Intrusion Prevention System, on the other hand, provides the capability to prevent intrusions.
7. Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
Snort is primarily a rule-based IDS. Snort reads its rules at start-up and builds internal data structures, or chains, to apply these rules to captured data.
10. Intrusion Detection
Snort is used as an intrusion detection system to provide alerts for potential intrusions. The alerts are automatically logged by Snort to a MySQL database, from where they are read by the proposed software and used to prevent the potential intrusion.
Intrusion Prevention
This is the main part of the proposed system. It is made up of the following two modules, which work together to prevent a potential intrusion.
1. ACL Generation Module
2. Router Configuration Module
11. The ACL Generation Module is written in PHP and is used to access the database and read the alerts; based on those alerts it generates Cisco ACL rules.
15. ACL rules should be removed from the router in case of false alarms. Furthermore, after the attack is over the administrator might want to remove the ACL rules to spare the router unnecessary processing.
Every ACL rule that needs to be configured on the router is saved in the database and can be used later to remove the ACLs from the router.
The ACL command, when executed with "no" at the start, removes the configured ACL rule.
The web browser output showing the configured ACL rules on the router has a hyperlink in front of each rule, which the administrator can use to remove that ACL rule.
The hyperlink just calls a script that in turn calls the Router Configuration Module, exactly as it is called to configure an ACL rule, but this time with "no" to remove the ACL rule.
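The generation and removal steps described on slides 10, 11 and 15, as an added worked example; this is not the paper's PHP module but a Python rewrite of the same idea. It assumes the sensor logs with Snort's database output schema, where `iphdr.ip_src` is an unsigned 32-bit integer, and that the blocking list is extended ACL number 101; the alert rows are constructed sample data standing in for a MySQL query result.

```python
"""Snort DB alerts -> Cisco ACL deny entries -> "no" removal commands.

Added example, not the paper's code. Assumptions: Snort's database
schema (ip_src stored as an unsigned 32-bit integer) and ACL number 101.
"""
import ipaddress
from typing import Dict, Iterable, List

ACL_NUMBER = 101  # assumed number of the extended ACL used for blocking

# Constructed sample rows, shaped like a join of Snort's event, signature
# and iphdr tables. 3232235876 = 192.168.1.100, 167772170 = 10.0.0.10.
SAMPLE_ALERTS = [
    {"cid": 1, "sig_name": "ICMP PING NMAP",      "ip_src": 3232235876, "ip_dst": 3232235777},
    {"cid": 2, "sig_name": "SCAN nmap XMAS",      "ip_src": 3232235876, "ip_dst": 3232235778},
    {"cid": 3, "sig_name": "WEB-MISC /etc/passwd", "ip_src": 167772170,  "ip_dst": 3232235777},
]


def int_to_ip(value: int) -> str:
    """Snort's DB schema stores IPv4 addresses as unsigned 32-bit ints."""
    return str(ipaddress.IPv4Address(value))


def acl_from_alert(alert: dict, acl_number: int = ACL_NUMBER) -> str:
    """The entry the slides describe: deny the alert's source host
    towards every destination (slide 18)."""
    return f"access-list {acl_number} deny ip host {int_to_ip(alert['ip_src'])} any"


def removal_command(rule: str) -> str:
    """Re-entering a configured line prefixed with 'no' removes it."""
    return f"no {rule}"


def generate_rules(alerts: Iterable[dict]) -> Dict[int, str]:
    """Map the id of the first alert that produced each distinct rule to
    the rule text, mirroring the table the paper keeps so rules can be
    removed later. Repeated alerts from one source give a single entry."""
    first_seen: Dict[str, int] = {}
    for alert in alerts:
        first_seen.setdefault(acl_from_alert(alert), alert["cid"])
    return {cid: rule for rule, cid in first_seen.items()}


def configure_commands(rules: Dict[int, str]) -> List[str]:
    """Lines to push to the router, in alert-id order."""
    return [rules[cid] for cid in sorted(rules)]


def remove_commands(rules: Dict[int, str], ids: Iterable[int]) -> List[str]:
    """'no' lines for the ids the administrator clicked on (slide 15)."""
    return [removal_command(rules[cid]) for cid in ids if cid in rules]


if __name__ == "__main__":
    stored = generate_rules(SAMPLE_ALERTS)
    for line in configure_commands(stored):
        print(line)
    for line in remove_commands(stored, [3]):  # false alarm on alert 3
        print(line)
```

One check worth making before relying on the removal step: on some IOS releases, `no access-list <number> ...` against a classic numbered list removes the whole list rather than the single entry, whereas entries of a named extended ACL (`ip access-list extended NAME`) can be removed one at a time; verify the behaviour on the router model in use.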
16. As the ACL Generation Module is written in PHP while the Router Configuration Module is written in Perl, the Router Configuration Module has to be integrated with the ACL Generation Module: the ACL rules are generated by the ACL Generation Module and executed on the router by the Router Configuration Module.
To integrate the Router Configuration Module with the ACL Generation Module we use PHP's shell_exec() function to access the shell and pass the string containing the Cisco ACL rule to the Router Configuration Module.
PHP's shell_exec() function thus works as the interface between the Router Configuration Module and the ACL Generation Module.
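The hand-off described on this slide crosses a shell boundary: a string built from alert data is passed to the Perl script through shell_exec(). The added example below (not the paper's code, written in Python rather than PHP) shows the check a reviewer would want at that point: accept only text matching the exact grammar the generator produces, and hand it over as an argument vector, or as a quoted string if a shell really must be involved. The script name `router_config.pl` is a hypothetical stand-in for the paper's Router Configuration Module.

```python
"""Validated hand-off of an ACL rule string to the router script.

Added example, not the paper's code. router_config.pl is a hypothetical
name for the Perl Router Configuration Module.
"""
import re
import shlex
import subprocess
from typing import List

ROUTER_SCRIPT = "./router_config.pl"  # hypothetical path to the Perl module

# Exact shape of the entries the generator produces (deny one source host
# towards any destination, extended ACL 100-199 or 2000-2699), optionally
# prefixed with "no" for removal. Anything else is refused.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_RULE_RE = re.compile(
    rf"^(?:no )?access-list (?:1\d\d|2[0-6]\d\d) deny ip host {_IPV4} any$"
)


def is_well_formed_rule(rule: str) -> bool:
    """True only for rule text matching the generator's grammar exactly."""
    return _RULE_RE.fullmatch(rule) is not None


def build_argv(rule: str) -> List[str]:
    """Argument vector for the router script. Rejecting anything outside
    the grammar means shell metacharacters never reach a shell at all."""
    if not is_well_formed_rule(rule):
        raise ValueError(f"rejected rule text: {rule!r}")
    return [ROUTER_SCRIPT, rule]


def shell_exec_line(rule: str) -> str:
    """The equivalent single command line for a shell_exec()-style call:
    validated first, then every part quoted for the shell."""
    return " ".join(shlex.quote(part) for part in build_argv(rule))


def push_rule(rule: str, runner=subprocess.run):
    """Hand the validated rule to the router script. `runner` is injectable
    so the function can be exercised without Perl or a router present."""
    return runner(build_argv(rule), check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print(shell_exec_line("access-list 101 deny ip host 10.0.0.10 any"))
    try:
        build_argv("access-list 101 deny ip host 10.0.0.10 any; reload")
    except ValueError as err:
        print("refused:", err)
```

The validator is deliberately a whitelist of the one sentence shape the generator emits, not a blacklist of dangerous characters; if the generator grows a second rule form, the pattern is extended to match it rather than loosened.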
18. All the results were obtained by blocking the source IP of the intrusive packet of the potential intrusion for all destinations.
All incoming traffic from the IP addresses that are the source of a potential intrusion is blocked, and hence our system has successfully prevented intrusion into the network.
19. The system can be implemented on a variety of platforms.
It has a very simple approach.
It is easy to configure.
It does not incur any cost for implementation, as both the router and the computer are already present in the network.
It does not need any specialized person for its operation.
20. The system, in its current implementation, might not be suitable for networks using DHCP (Dynamic Host Configuration Protocol).
Intrusions contained in a single packet can still reach the network, since the ACL is installed only after the alert has been raised.
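One way to soften the DHCP limitation named on this slide, as an added example that is not part of the paper: on a DHCP network a blocked address may later be leased to an innocent host, so rather than leaving a deny entry in place indefinitely, the store below records when each rule was last justified by an alert and hands back the "no" removal commands once a rule has been idle longer than a lease-derived lifetime. The lifetime and the rule strings are constructed values, not figures from the paper.

```python
"""Time-limited ACL entries for DHCP networks.

Added example, not the paper's code. The lifetime is an assumed value a
deployment would derive from its DHCP lease time.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ActiveRule:
    rule: str           # e.g. "access-list 101 deny ip host 10.0.0.10 any"
    configured_at: int  # epoch seconds when the rule was pushed
    last_seen: int      # epoch seconds of the newest alert from that source


class ExpiringRuleStore:
    """Rules stay only while alerts keep justifying them."""

    def __init__(self, lifetime_s: int):
        self.lifetime_s = lifetime_s
        self._rules: Dict[str, ActiveRule] = {}

    def add_or_refresh(self, rule: str, now: int) -> bool:
        """True if the rule is new and must be pushed to the router; a
        repeat alert from the same source only extends the rule's life."""
        if rule in self._rules:
            self._rules[rule].last_seen = now
            return False
        self._rules[rule] = ActiveRule(rule, now, now)
        return True

    def expire(self, now: int) -> List[str]:
        """Removal commands for rules idle at least lifetime_s seconds.
        Expired entries are dropped so each command is issued once."""
        stale = [r for r in self._rules.values()
                 if now - r.last_seen >= self.lifetime_s]
        for r in stale:
            del self._rules[r.rule]
        return [f"no {r.rule}" for r in stale]

    def active(self) -> List[str]:
        return sorted(self._rules)


if __name__ == "__main__":
    # Constructed walk-through: one-hour lifetime, two sources, one repeat.
    store = ExpiringRuleStore(lifetime_s=3600)
    store.add_or_refresh("access-list 101 deny ip host 10.0.0.10 any", 1000)
    store.add_or_refresh("access-list 101 deny ip host 10.0.0.11 any", 1500)
    store.add_or_refresh("access-list 101 deny ip host 10.0.0.10 any", 3000)
    print(store.expire(5100))   # only the .11 entry has been idle an hour
    print(store.active())
```

A source that keeps triggering alerts is never released, because every new alert refreshes `last_seen`; the entry goes away only once the address has been quiet for the whole lifetime, which is the point at which a reused lease becomes likely.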
21. Using Snort as the IDS to detect intrusions and using Snort alerts to generate Cisco ACLs that block the potential intrusions provides a very cost-effective way to prevent intrusion.
The approach is very simple: it does not need any special hardware and uses what is already present in every major network, i.e. a router and a computer that is used as an intrusion sensor.
Provided Snort is fine-tuned for the network to be secured, the proposed system will provide very good performance in preventing intrusions into the network.
22. The work can be extended from a centralized to a distributed system to extend its capabilities.
The system can be modified to act as a host intrusion prevention system and work without any router to block intrusions on a host.
The system can also be enhanced so that it is suitable for networks using DHCP (Dynamic Host Configuration Protocol).