Seminar on: Network Intrusion Prevention by Configuring ACLs on the Routers, based on Snort IDS alerts
By Disha Bedi


Contents

Abstract
Motivation
Objective
Background
Methodology
Results
Advantages
Limitations
Future work
Conclusion
References

Abstract

Intrusion detection and prevention are necessary for the security of any network. Initially the firewall was considered sufficient to secure a network, but today IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are mainstream devices deployed alongside firewalls.

In this work Snort is used as the IDS. Its alerts are logged to a database, from which they are read and turned into router Access Control List (ACL) rules; these rules are then configured on a Cisco router to block the sources of the potential intrusions.

Motivation

Almost all networks remain vulnerable to intrusion despite the security measures already in place, so additional layers of defence are needed to keep systems secure.

Also, I did my summer internship on network intrusion detection, so I wanted to learn how network intrusion prevention works.

Objective

An Intrusion Prevention System can block intrusions, but its cost puts it out of reach of many small businesses and home users.

Using a lightweight, free Intrusion Detection System such as Snort, integrating it with a Cisco router and so extending it with a prevention mechanism offers a practical solution to this problem.

A router and a computer (to serve as the sensor) are fundamental components of every major network, so the proposed system needs no additional hardware.

This study proposes a very basic way to prevent intrusions at no additional cost.

BACKGROUND

Intrusion detection system

An intrusion detection system is a set of techniques and methods used to detect suspicious activity at both the network and the host level.

Attacks leave signatures that can be detected. Based on a set of signatures and rules, the intrusion detection system (IDS) finds and logs suspicious activity and generates alerts.

Intrusion prevention system

An Intrusion Prevention System, on the other hand, goes beyond detection: it can also block the traffic it identifies as an intrusion.

Snort

Snort is an open source network intrusion detection system (NIDS) that can also operate as a network intrusion prevention system (NIPS) when deployed inline.

It performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

Snort is primarily a rule-based IDS. It reads its rules at start-up and builds internal data structures, or rule chains, against which captured packets are matched.

Components of Snort

Methodology

Proposed System for Preventing Intrusions

There are two stages in the complete process:

1. Intrusion Detection. Snort is used as the intrusion detection system and raises alerts for potential intrusions. Snort logs the alerts automatically to a MySQL database, from where the proposed software reads them and uses them to prevent the potential intrusion.

2. Intrusion Prevention. This is the main part of the proposed system. It consists of the following two modules, which work together to prevent a potential intrusion:
1. ACL Generation Module
2. Router Configuration Module

ACL Generation Module

The ACL Generation Module is written in PHP. It reads the alerts from the database and, based on them, generates Cisco ACL rules.
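As an added example (Python here, not the seminar's own PHP module), the following shows the core step of the ACL Generation Module: read alert rows of the kind Snort's database output plugin stores, keep the severe and distinct ones, skip addresses that must never be blocked, and emit one Cisco ACL entry per offending source. The sample rows, the ACL name SNORT_BLOCK and the never-block networks are constructed for illustration; the column names follow the classic Snort SQL schema, in which ip_src is stored as an unsigned 32-bit integer.

```python
"""Generate Cisco ACL entries from Snort alerts stored in the database.

Added example in Python (the seminar's module is PHP); not the page's code.
Row shape follows the classic Snort SQL schema (event joined with iphdr and
signature), where ip_src is an unsigned 32-bit integer; rows, ACL name and
never-block list below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> unsigned 32-bit int, as Snort's database plugin stores ip_src."""
    return int(ipaddress.IPv4Address(dotted))


def ip_from_int(value: int) -> str:
    """Reverse of ip_to_int: the conversion needed before writing a rule."""
    return str(ipaddress.IPv4Address(value))


# Constructed sample of what
#   SELECT e.cid, s.sig_name, s.sig_priority, i.ip_src FROM event e
#   JOIN signature s ON e.signature = s.sig_id
#   JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
# would return. Snort priority 1 is the most severe.
SAMPLE_ALERTS: List[Dict] = [
    {"cid": 1, "sig_name": "SCAN TCP port sweep", "sig_priority": 1, "ip_src": ip_to_int("203.0.113.7")},
    {"cid": 2, "sig_name": "SCAN TCP port sweep", "sig_priority": 1, "ip_src": ip_to_int("203.0.113.7")},
    {"cid": 3, "sig_name": "ICMP echo request", "sig_priority": 3, "ip_src": ip_to_int("198.51.100.22")},
    {"cid": 4, "sig_name": "WEB suspicious URI", "sig_priority": 2, "ip_src": ip_to_int("192.0.2.10")},
    {"cid": 5, "sig_name": "WEB suspicious URI", "sig_priority": 2, "ip_src": ip_to_int("198.51.100.9")},
]

# Never tell the router to block these: the protected network (the sensor and the
# router live there) and the upstream gateway. Otherwise packets with a forged
# source address can make the system cut off its own infrastructure.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.1/32")]


def generate_acl_entries(alerts: Iterable[Dict], max_priority: int = 2,
                         never_block=NEVER_BLOCK) -> List[str]:
    """One 'deny ip host <src> any' per distinct offending source, in first-seen order.

    Alerts less severe than max_priority (a higher number) are ignored, as are
    sources inside the never-block networks and sources already emitted.
    """
    entries: List[str] = []
    seen = set()
    for alert in alerts:
        if alert["sig_priority"] > max_priority:
            continue
        src = ipaddress.IPv4Address(alert["ip_src"])
        if src in seen or any(src in net for net in never_block):
            continue
        seen.add(src)
        entries.append(f"deny ip host {src} any")
    return entries


def render_named_acl(acl_name: str, entries: List[str]) -> List[str]:
    """Full IOS configuration for a named extended ACL: the denies, then an explicit permit."""
    return ([f"ip access-list extended {acl_name}"]
            + [f" {entry}" for entry in entries]
            + [" permit ip any any"])


if __name__ == "__main__":
    print("\n".join(render_named_acl("SNORT_BLOCK", generate_acl_entries(SAMPLE_ALERTS))))
```

The explicit permit at the end matters: a Cisco ACL ends with an implicit deny, so without it binding the ACL to the interface would cut off all traffic rather than only the offending sources. Deduplication matters too, since Snort will typically log many alerts for the same scanner and each would otherwise become a redundant entry.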


Router Configuration Module

The Router Configuration Module logs in to the router and configures it automatically, pushing the generated ACL rules over a scripted command-line session.

Because that session carries privileged (enable-mode) credentials and configuration commands, it should run over SSH rather than Telnet wherever the router supports it, over a management interface reachable only from the sensor host, and with an account limited to the access-list commands it needs.

ACL Rules Removal Mechanism

ACL rules must be removable from the router, for two reasons: a rule may have been triggered by a false alarm, and once an attack is over the administrator may want to remove the rule so that the router does not spend cycles evaluating it.

Every ACL rule configured on the router is therefore saved in the database, so that it can be used later to remove the rule from the router.

Prefixing the saved ACL command with no removes it. One caveat for Cisco IOS: for a numbered ACL, no access-list <number> ... removes the entire list, not just the matching entry, so individual entries should be removed from a named ACL (or by sequence number) to avoid dropping every other block at once.

The web page listing the ACL rules configured on the router shows a hyperlink next to each rule, which the administrator can use to remove that rule.

The hyperlink calls a script that in turn invokes the Router Configuration Module exactly as it is invoked to configure a rule, but this time with the no form to remove the rule.
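The following added example (Python, not the page's Perl module) models what the Router Configuration Module sends in both directions: the IOS command sequence that installs an entry, the no form that removes it, and the database record that links the two. A FakeRouter stands in for the real login session so the logic runs offline; the ACL name, interface and sequence numbers are assumptions. It uses a named ACL with explicit sequence numbers, so that a removal hits one entry only and new deny entries land ahead of the closing permit rather than behind it, where they would never match.

```python
"""Install and remove Snort-derived ACL entries on a Cisco IOS router.

Added example in Python (the seminar's Router Configuration Module is Perl);
not the page's code. FakeRouter replaces the real login session so everything
runs offline; ACL name, interface and sequence numbers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACL_NAME = "SNORT_BLOCK"
INTERFACE = "GigabitEthernet0/0"
PERMIT_SEQ = 10000   # the closing 'permit ip any any' lives here ...
FIRST_DENY_SEQ = 10  # ... and denies are inserted below it, so they are evaluated first


@dataclass
class FakeRouter:
    """Records every command and tracks named-ACL entries by sequence number."""
    sent: List[str] = field(default_factory=list)
    acls: Dict[str, Dict[int, str]] = field(default_factory=dict)
    mode: str = ""  # ACL being edited, "" outside ACL sub-mode

    def send(self, line: str) -> None:
        self.sent.append(line)
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            self.mode = t[3]
            self.acls.setdefault(self.mode, {})
        elif line in ("end", "exit"):
            self.mode = ""
        elif self.mode:
            entries = self.acls[self.mode]
            if t[0] == "no" and len(t) == 2 and t[1].isdigit():  # 'no <seq>' drops one entry
                entries.pop(int(t[1]), None)
            elif t[0].isdigit():                                  # '<seq> deny|permit ...'
                entries[int(t[0])] = " ".join(t[1:])

    def acl_in_order(self, name: str) -> List[str]:
        """Entries in the order IOS evaluates them (ascending sequence number)."""
        return [entry for _, entry in sorted(self.acls.get(name, {}).items())]


class RuleStore:
    """Stand-in for the page's database table of configured rules: id -> (acl, seq, entry)."""

    def __init__(self) -> None:
        self.rules: Dict[int, Tuple[str, int, str]] = {}
        self.next_seq = FIRST_DENY_SEQ

    def save(self, acl: str, entry: str) -> int:
        seq, self.next_seq = self.next_seq, self.next_seq + 10
        rule_id = len(self.rules) + 1
        self.rules[rule_id] = (acl, seq, entry)
        return rule_id


def setup_commands(acl: str, interface: str) -> List[str]:
    """One-time: create the ACL with its closing permit and bind it inbound on the interface."""
    return ["configure terminal", f"ip access-list extended {acl}",
            f"{PERMIT_SEQ} permit ip any any", "exit",
            f"interface {interface}", f"ip access-group {acl} in", "end"]


def apply_commands(acl: str, seq: int, entry: str) -> List[str]:
    return ["configure terminal", f"ip access-list extended {acl}", f"{seq} {entry}", "end"]


def remove_commands(acl: str, seq: int, entry: str) -> List[str]:
    """The 'no' form. Refuses numbered-ACL syntax: 'no access-list N ...' deletes all of ACL N."""
    if entry.startswith("access-list "):
        raise ValueError("numbered ACL entry; 'no access-list N ...' would remove the whole list")
    return ["configure terminal", f"ip access-list extended {acl}", f"no {seq}", "end"]


def configure_rule(router: FakeRouter, store: RuleStore, acl: str, entry: str) -> int:
    rule_id = store.save(acl, entry)
    _, seq, _ = store.rules[rule_id]
    for cmd in apply_commands(acl, seq, entry):
        router.send(cmd)
    return rule_id


def remove_rule(router: FakeRouter, store: RuleStore, rule_id: int) -> None:
    acl, seq, entry = store.rules[rule_id]
    for cmd in remove_commands(acl, seq, entry):
        router.send(cmd)


def demo() -> FakeRouter:
    """Block two constructed sources, then undo the first one as a false alarm."""
    router, store = FakeRouter(), RuleStore()
    for cmd in setup_commands(ACL_NAME, INTERFACE):
        router.send(cmd)
    first = configure_rule(router, store, ACL_NAME, "deny ip host 203.0.113.7 any")
    configure_rule(router, store, ACL_NAME, "deny ip host 198.51.100.9 any")
    remove_rule(router, store, first)
    return router


if __name__ == "__main__":
    print("\n".join(demo().acl_in_order(ACL_NAME)))
```

Running demo() leaves the ACL with the second deny followed by the permit, which is exactly the state the removal hyperlink on the page is meant to produce. Against a real router the FakeRouter.send calls would be replaced by writes to the SSH or Telnet session, with the command lists unchanged.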

Interface Between ACL Generation Module and Router Configuration Module

The ACL Generation Module is written in PHP while the Router Configuration Module is written in Perl, so the two have to be integrated: the ACL rules are generated by the ACL Generation Module and are executed on the router by the Router Configuration Module.

To integrate them, PHP's shell_exec() function is used to reach the shell and pass the string containing the Cisco ACL rule to the Router Configuration Module.

PHP's shell_exec() thus acts as the interface between the ACL Generation Module and the Router Configuration Module. Since the rule string is interpreted by a shell on its way to the Perl program, every field that goes into it must be strictly validated, or escaped with escapeshellarg(), before the call.
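Added example, not the seminar's code: the hand-off between the two modules in Python, with the two checks a practitioner would put at a shell_exec()-style boundary. The rule is validated against the exact grammar the generator can produce before anything is executed, and the child process is started from an argument list so that no shell parses the rule; where a shell command line is unavoidable (the shell_exec() case), the rule is quoted, with shlex.quote here and escapeshellarg() in PHP. The program name router_config.pl and the router address are assumptions.

```python
"""Hand a generated ACL rule to the router-configuration program safely.

Added example (not the seminar's code). The page passes the rule string from
PHP to Perl through the shell via shell_exec(); this Python stand-in shows the
checks to add at that boundary. 'router_config.pl' and the router address are
assumed names.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# The only shape the ACL Generation Module emits, plus its 'no' form for removals.
_RULE_RE = re.compile(r"(?:no )?deny ip host (\d{1,3}(?:\.\d{1,3}){3}) any")


def validate_acl_rule(rule: str) -> str:
    """Accept exactly the generator's grammar; anything else (shell metacharacters,
    newlines, a permit, an impossible address) is refused before it gets near a shell."""
    match = _RULE_RE.fullmatch(rule)
    if match is None:
        raise ValueError(f"rule does not match the generator grammar: {rule!r}")
    ipaddress.IPv4Address(match.group(1))  # raises on 999.1.1.1 and the like
    return rule


def build_argv(rule: str, program: str = "router_config.pl",
               router: str = "192.0.2.1") -> List[str]:
    """Argument vector for the child. No shell parses it, so metacharacters are inert."""
    return ["perl", program, "--router", router, "--rule", validate_acl_rule(rule)]


def shell_command_line(rule: str, program: str = "router_config.pl") -> str:
    """If a shell must be used (the shell_exec() situation), quote the argument;
    shlex.quote is the Python counterpart of PHP's escapeshellarg()."""
    return f"perl {program} --rule {shlex.quote(validate_acl_rule(rule))}"


def hand_off(rule: str) -> subprocess.CompletedProcess:
    """Run the router-configuration program without a shell; raises if it exits non-zero."""
    return subprocess.run(build_argv(rule), check=True, capture_output=True, text=True)
```

The validator is deliberately narrow: it describes what the generator produces, not what an attacker might send, so a rule carrying a trailing command, a newline or a permit is rejected outright rather than escaped and forwarded.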


RESULT

All results were obtained by blocking the source IP address of the packet that raised the alert, for all destinations.

Once the ACL entry is in place, all incoming traffic from the addresses identified as sources of potential intrusions is dropped at the router, so those sources can no longer continue the intrusion into the network.

Advantages of the presented system

The system can be implemented on a variety of platforms.
It takes a very simple approach.
It is easy to configure.
It incurs no implementation cost, as both the router and the computer are already present in the network.
It does not require specialist staff to operate.

Limitations

With the current implementation the system may not suit networks using DHCP (Dynamic Host Configuration Protocol): a blocked source address can later be leased to a different, legitimate host, while the attacker's machine may obtain a new address and escape the block.

Intrusions contained in a single packet can still get into the network: the ACL is installed only after Snort has seen and logged the triggering packet, so it stops follow-up traffic from that source, not the packet that raised the alert.

Because blocking is keyed on the source IP address reported by Snort, forged source addresses can turn the system against its own users: an attacker who spoofs packets from a legitimate address can get that address blocked. A never-block list for critical hosts and expiry of automatically added rules limit the damage.

Conclusion

Using Snort as the IDS to detect intrusions and turning its alerts into Cisco ACLs that block the potential intruders is a very cost-effective way to prevent intrusions.

The approach is very simple: it needs no special hardware and uses what is already present in every major network, a router and a computer that serves as the intrusion sensor.

Provided Snort is tuned for the network to be protected, so that false alarms are rare, the proposed system performs well at keeping intruders out of the network.

Future Work

The work can be extended from a centralised to a distributed system to increase its capabilities.

The system can be modified to act as a host intrusion prevention system, blocking intrusions on a host without any router.

The system can also be enhanced to suit networks using DHCP (Dynamic Host Configuration Protocol).
