
DEPARTMENT OF COMPUTER AND SCIENCE ENGINEERING

MANIPAL INSTITUTE OF TECHNOLOGY

(A Constituent College of Manipal University)

MANIPAL – 576104, KARNATAKA, INDIA

Seminar On

Network Intrusion Prevention by Configuring ACLs

on the Routers, based on Snort IDS alerts

Base Paper presented by-

Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar

At 2010 6th International Conference on Emerging Technologies (ICET)

By – Disha Bedi Roll no 104 Section B

CONTENTS

Abstract
Keywords
Introduction
Background
Motivation
Objective
Experimental setup
Methodology
Results
Analysis and discussion of results
Advantages of the presented system
Limitations
Possible improvements
Conclusion
References

Abstract

Intrusion detection and prevention is necessary for the security of any network. Initially the firewall was considered the essential security device for a network, but today the IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are mainstream devices deployed alongside firewalls.

Snort is used as the IDS. Its alerts are logged to a database, from which they are read and router Access Control List (ACL) rules are generated for each intrusion alert; these ACL rules are then configured on a Cisco router to block the potential intrusions.

Keywords

Intrusion Prevention; Snort; Router; Access Control List (ACL); ACL Generation; Router Configuration

Introduction

Intrusion prevention is an important part of a defence-in-depth approach to network security, alongside firewalls and intrusion detection systems. Guardian is an existing software system that also uses Snort alerts to block potential intrusions, but it runs only on Linux and FreeBSD.

The proposed system is largely independent of the underlying operating system: Snort runs on many operating systems, and PHP and Perl are available on nearly all of them. Guardian also uses a relatively complex approach with difficult configuration, whereas the proposed approach is simple and easy to configure.

Background

Intrusion detection system

An intrusion detection system is a set of techniques and methods used to detect suspicious activity at both the network and the host level.

Attacks have signatures that can be detected. Based on a set of signatures and rules, the intrusion detection system (IDS) is able to find and log suspicious activity and generate alerts.

Intrusion prevention system

An intrusion prevention system, on the other hand, provides the capability to block intrusions in addition to detecting them.

Snort

Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).

It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

Snort is primarily a rule-based IDS. Snort reads these rules at the start-up time and builds internal data structures or chains to apply these rules to captured data.

Components of snort

Motivation

Almost all networks are potentially vulnerable to network intrusions despite all security measures. Thus good security measures are needed to keep our systems secure.

Also I did my summer internship on Network intrusion detection so I wanted to learn how Network intrusion prevention works.

Objective

An Intrusion Prevention System provides the capability to prevent intrusions, but because of its cost it is not an option for many small businesses and home users.

Hence, using a lightweight and free Intrusion Detection System such as Snort, integrating it with a Cisco router and enhancing its ability to provide a prevention mechanism provides a good solution for this problem.

A router and a computer (to be used as a sensor) are fundamental components of every major network, so the proposed system does not need any additional hardware.

This study proposes a very basic way to prevent intrusions without any additional cost.

Experimental Setup

The system used for the implementation was a Core 2 Duo computer with 2 GB RAM and a Cisco 2691 router with standard hardware configuration. The operating system installed on the computer was Fedora 12 x86_64, and the router ran Cisco IOS Software Version 12.4(13b).

The software was written in PHP and Perl, so PHP and Perl were also installed on the system. The Snort version installed was Snort 2.8.6 (Build 38). As the main aim of the software is to configure ACL rules based on Snort alerts, the 1998 MIT DARPA intrusion detection data was used to test the proposed system. This is sufficient to provide a valid testing environment in every aspect, because the basic traffic analysis and intrusion detection are performed by Snort, which is used as a ready-made IDS.

Snort must be built with MySQL support and then installed on the system. Building with MySQL support lets Snort log its alerts to a MySQL database, from where they can be read by the proposed system.

The experiments were performed using MIT DARPA 1998 intrusion detection data to test our software.

Methodology

Whenever Snort runs in IDS mode, all of its alerts are logged to a MySQL database. From this database an ACL rule can be generated for every logged alert, which in a fine-tuned IDS represents a potential attack. After generating the ACL rules, the router configuration module accesses the router automatically using telnet and configures the ACL rules on it. ACL rules can also be removed after the attack is over or if a configured rule has an undesired effect on the network.

There are two stages of the complete process:

Intrusion detection
Intrusion prevention

A. Intrusion Detection

Snort is used as an intrusion detection system to provide alerts for potential intrusions. The alerts are automatically logged by Snort to a MySQL database, from where they are read by the proposed software and used to prevent the potential intrusion. It is very important that Snort is fine-tuned for the network, because only then will false alarms be minimal and almost all alerts indicate potential intrusions. Only then can the proposed system work at its best, blocking illegitimate traffic while still allowing legitimate traffic into the network.

B. Intrusion Prevention

This is the main part of the proposed system. It is made up of the following two modules, which work together to prevent a potential intrusion:

ACL Generation Module
Router Configuration Module

ACL Generation Module

The ACL Generation Module is written in PHP. It reads the alerts from the database and generates Cisco ACL rules based on them. Snort's database holds the source and destination IP addresses and ports for every alert Snort generates; this information is easily retrieved and used to generate a specific ACL rule that blocks incoming packets from the potential intruder.

Snort generates an alert whenever it detects a potential intrusion, and in a fine-tuned Snort deployment almost all alerts indicate an intrusion. With the proper configuration these alerts are logged to a MySQL database. The ACL Generation Module connects to this database and checks for new alerts. For each new alert it queries the "iphdr" table, which holds the IP header of the packet that triggered the alert. The "Protocol" field of that header identifies the upper-layer protocol, and the matching table (the TCP or UDP header table, for example) is then queried for additional information about the source of the intrusion, as shown in the flow chart. After all pertinent information has been retrieved, the alert is marked as checked so that it is not processed again. From this information an extended Cisco ACL rule is generated, and the Router Configuration Module is then used to connect to the router and configure the rule on it, blocking the source of the potential intrusion.

[Flow chart of the ACL Generation Module process: figure not reproduced]
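The alert-to-rule step described above, as an added example that is not code from the paper: the original module is written in PHP and reads MySQL; this Python version works on constructed rows shaped like the classic Snort database tables (iphdr with ip_src/ip_dst/ip_proto stored as integers, tcphdr/udphdr with the port columns), so it runs offline. The table and column names, the sample alerts, the never_block allowlist and the per_destination option are assumptions added here; the default output is the same "deny <proto> host <source> any" form the paper's results show.

```python
import ipaddress

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PROTO_NAME = {IPPROTO_ICMP: "icmp", IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}

def ip2int(dotted: str) -> int:
    """Snort stores ip_src/ip_dst as unsigned 32-bit integers; convert a dotted quad to that form."""
    return int(ipaddress.IPv4Address(dotted))

# Constructed alert rows keyed by (sid, cid), shaped like the Snort MySQL tables the paper reads.
IPHDR = {   # iphdr: ip_src, ip_dst, ip_proto
    (1, 1): (ip2int("197.218.177.69"), ip2int("172.16.112.50"), IPPROTO_TCP),
    (1, 2): (ip2int("197.218.177.69"), ip2int("172.16.112.50"), IPPROTO_TCP),   # second alert, same source
    (1, 3): (ip2int("152.169.215.104"), ip2int("172.16.114.50"), IPPROTO_UDP),
    (1, 4): (ip2int("135.13.216.191"), ip2int("172.16.113.84"), IPPROTO_ICMP),
    (1, 5): (ip2int("10.0.0.7"), ip2int("172.16.112.50"), IPPROTO_TCP),         # hypothetical management host
}
TCPHDR = {(1, 1): (40123, 23), (1, 2): (40124, 23), (1, 5): (5555, 80)}   # tcphdr: tcp_sport, tcp_dport
UDPHDR = {(1, 3): (53, 53)}                                               # udphdr: udp_sport, udp_dport

def acl_entry(ip_src, ip_dst, ip_proto, dport=None, per_destination=False):
    """Render one Cisco extended-ACL entry. The default matches the paper's results
    (block the source for all destinations); per_destination=True narrows the entry to
    the attacked host and port, which the paper did not do."""
    src = ipaddress.IPv4Address(ip_src)
    proto = PROTO_NAME.get(ip_proto, "ip")        # unknown upper-layer protocol: block all IP from the source
    if not per_destination or proto == "ip":
        return f"deny {proto} host {src} any"
    entry = f"deny {proto} host {src} host {ipaddress.IPv4Address(ip_dst)}"
    if dport is not None and proto in ("tcp", "udp"):
        entry += f" eq {dport}"
    return entry

def generate_rules(iphdr, tcphdr, udphdr, processed, never_block=(), per_destination=False):
    """Walk alerts not yet marked as checked, pick the layer-4 table from ip_proto,
    and emit de-duplicated ACL entries. 'processed' plays the role of the paper's
    'checked' mark; 'never_block' is an added allowlist (CIDR strings) so that a spoofed
    or internal source address cannot make the system lock out your own hosts."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    rules = []
    for key in sorted(iphdr):
        if key in processed:
            continue
        processed.add(key)
        ip_src, ip_dst, ip_proto = iphdr[key]
        if any(ipaddress.IPv4Address(ip_src) in net for net in allow):
            continue
        dport = None
        if ip_proto == IPPROTO_TCP and key in tcphdr:
            dport = tcphdr[key][1]
        elif ip_proto == IPPROTO_UDP and key in udphdr:
            dport = udphdr[key][1]
        entry = acl_entry(ip_src, ip_dst, ip_proto, dport, per_destination)
        if entry not in rules:                    # one source may raise many alerts; one entry is enough
            rules.append(entry)
    return rules

if __name__ == "__main__":
    checked = set()
    for rule in generate_rules(IPHDR, TCPHDR, UDPHDR, checked, never_block=["10.0.0.0/8"]):
        print(rule)
```

Two details matter in practice: the de-duplication, because a noisy source produces many alerts and the router should not receive the same entry repeatedly, and the allowlist, because the source address in the alert comes straight from the packet and can be forged.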

Router Configuration Module

The Router Configuration Module is designed to access the router and configure it automatically. It is written in Perl and uses the Net::Telnet module to open a telnet session to the router and enter the configuration commands.

The access list that will receive the Snort-derived rules must already be applied inbound on the interface connected to the untrusted network. It should initially permit all traffic or, according to network requirements, start out blocking known sources of dangerous or illegitimate traffic. The aim of the study is to execute the ACL rules derived from Snort alerts on the router and so stop the potential intrusion.

After the ACL Generation Module generates a rule, the Router Configuration Module accesses the router and configures the rule in the correct mode, as follows.

First a Net::Telnet object is instantiated with a timeout, so that the script fails rather than hangs if the expected prompt never matches the router's prompt. All methods used in this module belong to the Net::Telnet object. The open() method connects to the router, and the module then waits for the vty (virtual terminal) "Password: " prompt.

The script supplies the vty password and the router enters User EXEC mode. This mode does not allow configuration, so the module sends the "enable" command to switch to Privileged EXEC mode; the router asks for the Privileged EXEC password, which the module provides.

The module then sends "configure terminal" to enter Global Configuration mode. In this mode the access-list rule (the extended ACL string that the ACL Generation Module passed to the Router Configuration Module) is sent to the router, and the result of the operation is returned to the ACL Generation Module.

[Flow chart of the Router Configuration Module process: figure not reproduced]

ACL Rules Removal Mechanism

ACL rules should be removed from the router in case of false alarms. Furthermore, after the attack is over the administrator might want to remove the ACL rules to prevent the router from unnecessary processing.

Every ACL rule configured on the router is also saved in the database, so that it can be used later to remove the rule from the router. The same ACL command prefixed with "no" removes the configured entry. In the web browser output listing the configured ACL rules, each rule has a hyperlink in front of it that the administrator can use to remove that rule. The hyperlink calls a script that invokes the Router Configuration Module exactly as it is invoked to configure a rule, but this time with "no" prefixed, so that the rule is removed. Note that on IOS the "no" form must be issued inside the "ip access-list extended" sub-mode (as "no" followed by the entry, or by its sequence number), which removes just that entry; "no access-list 103" in Global Configuration mode deletes the entire access list.
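The router dialogue described in the Router Configuration Module section and the removal mechanism above, as an added example that is not the paper's code: the original module is a Perl script using Net::Telnet's open(), waitfor() and cmd(); this Python version drives the same prompt-by-prompt exchange (vty password, enable, configure terminal, the extended ACL sub-mode, and "no" to withdraw an entry) against a constructed in-memory stand-in for an IOS vty, so it runs without a router. The hostname "edge", the two passwords, ACL number 103 and the FakeIOS class are assumptions; the prompts and commands are standard IOS.

```python
import re

class FakeIOS:
    """Constructed in-memory stand-in for a Cisco IOS vty line: just enough of the CLI
    (login, enable, configure terminal, ip access-list extended, show access-lists)
    to exercise the configuration and removal dialogue offline."""
    PROMPTS = {"login": "Password: ", "enable_pw": "Password: ", "user": "{h}>",
               "priv": "{h}#", "config": "{h}(config)#", "acl": "{h}(config-ext-nacl)#"}

    def __init__(self, hostname="edge", vty_pw="vtypass", enable_pw="enpass"):
        self.h, self.vty_pw, self.enable_pw = hostname, vty_pw, enable_pw
        self.mode, self.acls, self.cur = "login", {}, None   # acls: number -> [(seq, entry)]

    def prompt(self):
        return self.PROMPTS[self.mode].format(h=self.h)

    def show_access_lists(self):
        out = []
        for num, entries in sorted(self.acls.items()):
            out.append(f"Extended IP access list {num}")
            out += [f"    {seq} {entry}" for seq, entry in entries]
        return "".join(line + "\n" for line in out)

    def send(self, line):
        """Execute one command line and return the router's output followed by the next prompt."""
        out, m = "", self.mode
        if m == "login":
            if line == self.vty_pw:
                self.mode = "user"
            elif line:
                out = "% Bad passwords\n"
        elif m == "enable_pw":   # real IOS allows three tries; the mock drops back to user mode at once
            self.mode = "priv" if line == self.enable_pw else "user"
        elif m == "user" and line == "enable":
            self.mode = "enable_pw"
        elif m == "priv" and line == "configure terminal":
            self.mode = "config"
        elif m == "priv" and line == "show access-lists":
            out = self.show_access_lists()
        elif m == "config" and re.fullmatch(r"ip access-list extended \d+", line):
            self.cur = int(line.split()[-1])
            self.acls.setdefault(self.cur, [])
            self.mode = "acl"
        elif m == "config" and re.fullmatch(r"no access-list \d+", line):
            self.acls.pop(int(line.split()[-1]), None)   # IOS pitfall: this deletes the WHOLE list
        elif m in ("config", "acl") and line == "end":
            self.mode = "priv"
        elif m == "acl" and line == "exit":
            self.mode = "config"
        elif m == "acl" and line.startswith("no "):   # "no <entry>" or "no <sequence>" removes one entry
            target = line[3:]
            self.acls[self.cur] = [(s, e) for s, e in self.acls[self.cur] if e != target and str(s) != target]
        elif m == "acl" and line.startswith(("permit ", "deny ")):
            entries = self.acls[self.cur]
            if line not in [e for _, e in entries]:        # an exact duplicate entry is ignored
                entries.append((entries[-1][0] + 10 if entries else 10, line))
        else:
            out = "% Invalid input detected at '^' marker.\n"
        return out + self.prompt()


class RouterConfigurator:
    """Drives the vty through User EXEC -> Privileged EXEC -> Global config -> ACL sub-mode,
    checking the prompt after every line the way Net::Telnet's waitfor()/cmd() do, and
    treating any '% ...' line from IOS as a failure instead of silently carrying on."""
    def __init__(self, send, hostname):
        self._send, self.h, self.log = send, re.escape(hostname), []

    def cmd(self, line, expect):
        reply = self._send(line)
        self.log.append((line, reply))
        if any(l.startswith("% ") for l in reply.splitlines()):
            raise RuntimeError(f"router rejected {line!r}: {reply.strip()}")
        if not re.search(expect, reply):   # the Net::Telnet timeout case: prompt never matched
            raise RuntimeError(f"expected prompt /{expect}/ after {line!r}, got {reply!r}")
        return reply

    def login(self, vty_pw, enable_pw):
        self.cmd("", r"Password: $")            # wait for the vty password prompt
        self.cmd(vty_pw, self.h + r">$")        # User EXEC mode
        self.cmd("enable", r"Password: $")
        self.cmd(enable_pw, self.h + r"#$")     # Privileged EXEC mode

    def apply(self, acl_number, entries, remove=False):
        """Add (or with remove=True, delete) entries inside the ACL sub-mode, never via 'no access-list N'."""
        self.cmd("configure terminal", r"\(config\)#$")
        self.cmd(f"ip access-list extended {acl_number}", r"\(config-ext-nacl\)#$")
        for entry in entries:
            self.cmd(("no " + entry) if remove else entry, r"\(config-ext-nacl\)#$")
        self.cmd("end", self.h + r"#$")

    def show(self):
        return self.cmd("show access-lists", self.h + r"#$")


def demo():
    """Block two alert sources, then withdraw one as a false alarm; returns 'show access-lists'."""
    rc = RouterConfigurator(FakeIOS().send, "edge")
    rc.login("vtypass", "enpass")
    rc.apply(103, ["deny tcp host 197.218.177.69 any", "deny udp host 152.169.215.104 any"])
    rc.apply(103, ["deny tcp host 197.218.177.69 any"], remove=True)
    return rc.show()

if __name__ == "__main__":
    print(demo())
```

The two checks in cmd() are the ones worth carrying over to the Perl script: a prompt that never arrives must abort the run (Net::Telnet's timeout), and a "% Invalid input" line must not be mistaken for success just because the prompt came back afterwards. Swapping the FakeIOS.send callable for a real telnet transport is the only change needed to drive a router.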

Interface Between ACL Generation Module and Router Configuration Module

The ACL Generation Module is written in PHP while the Router Configuration Module is written in Perl, so the two must be integrated: the rules are generated by the former and executed on the router by the latter. PHP's shell_exec() function is used for this. It runs a shell command and passes the string containing the Cisco ACL rule to the Router Configuration Module, so shell_exec() acts as the interface between the two modules. Because that string is built from database contents, it should be passed through escapeshellarg() so that it reaches the Perl script as a single argument rather than being interpreted by the shell.
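The hand-off between the two modules, as an added example rather than the paper's code. The paper passes the rule string through PHP's shell_exec(); this Python version shows the two checks a practitioner would put in front of that call, since the string originates in the alert database and ends up on both a shell and a router CLI: a strict grammar check that accepts only the exact ACL shape the generator emits, and an argv-style invocation (or, for a shell string, shlex.quote(), the counterpart of PHP's escapeshellarg()). The script name router_config.pl and the sample inputs are assumptions.

```python
import re
import shlex

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(rf"(permit|deny) (tcp|udp|icmp|ip) host {IPV4} (any|host {IPV4})( eq \d{{1,5}})?")

def valid_entry(entry: str) -> bool:
    """Accept only the exact shape the generator produces. A newline, ';', backtick or any
    extra token would become a second shell command or a second IOS command, so fullmatch
    rejects it; octet and port ranges are checked separately because the regex alone allows 999."""
    if not ENTRY_RE.fullmatch(entry):
        return False
    octets = [int(o) for ip in re.findall(IPV4, entry) for o in ip.split(".")]
    ports = [int(p) for p in re.findall(r"eq (\d+)", entry)]
    return all(o <= 255 for o in octets) and all(p <= 65535 for p in ports)

def handoff_argv(entry: str, remove=False, script="router_config.pl"):
    """argv for subprocess.run(): the rule travels as one argument, so the shell never parses it.
    Raises ValueError for anything that fails validation instead of forwarding it."""
    if not valid_entry(entry):
        raise ValueError(f"refusing to pass unexpected ACL text: {entry!r}")
    return ["perl", script, ("no " if remove else "") + entry]

def handoff_shell(entry: str, remove=False, script="router_config.pl"):
    """The equivalent single command string for a shell_exec()-style call, with each
    argument quoted by shlex.quote() (what escapeshellarg() does in PHP)."""
    return " ".join(shlex.quote(a) for a in handoff_argv(entry, remove, script))

if __name__ == "__main__":
    print(handoff_shell("deny tcp host 197.218.177.69 any"))
    # constructed hostile inputs: a second IOS command and a second shell command
    for bad in ("deny tcp host 197.218.177.69 any\nno access-list 103", "deny tcp host 197.218.177.69 any; id"):
        try:
            handoff_argv(bad)
        except ValueError as err:
            print(err)
```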

Results

All the results were obtained by blocking the source IP of the intrusive packet of each potential intrusion for all destinations.

All incoming traffic from the IP addresses identified as sources of potential intrusions is blocked, and hence the system has successfully prevented those intrusions into the network.

Analysis and discussion of results

Results were obtained using the 1998 MIT DARPA Intrusion Detection training data. The table shows the traffic statistics (breakdown by protocol, including rebuilt packets) as reported by Snort.

Snort detected 871 alerts and all of the alerts were logged to the database. Alerts statistics as given by Snort are shown by the following table.

The next table shows the types of alerts logged by Snort, listed with the corresponding Snort Signature ID and Signature Group ID. The Alert Classification column provides enough detail to understand the nature of each type of intrusion.

Cisco ACL rules executed on the router and obtained from the router using “show access-lists” command are as follows:

Extended IP access list 103
10 deny tcp host 197.218.177.69 any
20 deny tcp host 172.16.112.50 any
30 deny tcp host 196.227.33.189 any
40 deny tcp host 172.16.112.207 any
50 deny tcp host 172.16.113.84 any
60 deny tcp host 194.27.251.21 any
70 deny tcp host 135.13.216.191 any
80 deny tcp host 172.16.114.168 any
90 deny tcp host 195.73.151.50 any
100 deny tcp host 172.16.114.207 any
110 deny tcp host 194.7.248.153 any
120 deny tcp host 197.182.91.233 any
130 deny tcp host 135.8.60.182 any
140 deny tcp host 172.16.114.148 any
150 deny tcp host 172.16.113.204 any
160 deny tcp host 152.169.215.104 any
170 deny tcp host 172.16.112.149 any
180 deny tcp host 172.16.113.105 any
190 deny tcp host 172.16.114.169 any
200 deny tcp host 172.16.113.50 any
210 deny tcp host 196.37.75.158 any
220 deny tcp host 195.115.218.108 any
230 deny tcp host 172.16.112.194 any
240 deny udp host 152.169.215.104 any

Advantages of the presented system

The system can be implemented on a variety of platforms
Has a very simple approach
Is easy to configure
Does not incur any cost for implementation, as both the router and the computer are already present in the network
Does not need any specialized person for its operation

Limitations

The system might not be suitable with current implementation for networks using DHCP (Dynamic Host Configuration Protocol).

An intrusion that is complete within a single packet cannot be stopped: the ACL is installed only after Snort has alerted on that packet, by which time the packet has already reached its destination. Only the attacker's subsequent traffic is blocked.

Possible improvement

The work can be extended from centralized to distributed system to extend its capabilities.

The system can be modified to act as a host intrusion prevention system and can work without any router to block intrusions on a host.

The system can also be enhanced, so that it can be suitable for networks using DHCP (Dynamic Host Configuration Protocol).

Conclusion

Using Snort as IDS to detect intrusions and using Snort alerts to generate Cisco ACL to block the potential intrusions provides a very cost effective way to prevent intrusion. The approach is very simple, it does not need any special hardware and uses what is already present in every major network i.e. a router and a computer which is used as an intrusion sensor.

Provided Snort is fine-tuned for the network to be secured, the proposed system will perform well at preventing intrusions into the network.

References

[1] Aurobindo Sundaram, "An Introduction to Intrusion Detection," 1996, http://www.alexeng.edu.eg/~sghanem/network-security/IDS-Intro.pdf
[2] Karen Scarfone and Peter Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)," NIST Special Publication 800-94, Recommendations of the National Institute of Standards and Technology, 2007.
[3] Snort IDS software, http://www.snort.org
[4] Configuring IP Access Lists, Cisco Document ID 23602, http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
[5] Net-Telnet-3.03, http://search.cpan.org/~jrogers/Net-Telnet-3.03/lib/Net/Telnet.pm
[6] PHP Manual, shell_exec(), http://php.net/manual/en/function.shellexec.php
[7] 1998 DARPA Intrusion Detection Evaluation Data Set, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html
[8] Martuza Ahmed, Rima Pal, Md. Mojammel Hossain, Md. Abu Naser Bikas and Abdullahil Baki Md. Ruhunnabi, "PID: A packet based approach to network intrusion detection and prevention," in Proc. International Conference on Information Management and Engineering, 2009, pp. 124-127.
[9] Alexander Krizhanovsky and Alexander Marasanov, "An Approach for Adaptive Intrusion Prevention Based on The Danger Theory," in Proc. Second International Conference on Availability, Reliability and Security, 2007, pp. 1135-1142.
[10] Xinyou Zhang, Chengzhong Li and Wenbin Zheng, "Intrusion Prevention System Design," in Proc. Fourth International Conference on Computer and Information Technology (CIT'04), 2004, pp. 386-390.
[11] Kuo Zhao, Fei Ren, Nurbol and Liang Hu, "LDLB: A Light Intrusion Prevention System in Data Link Layer," in Proc. 2nd International Conference on Anti-counterfeiting, Security and Identification, 2008, pp. 112-122.
[12] H. Bos and Kaiming Huang, "Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card," Springer-Verlag Berlin Heidelberg, LNCS 3858, 2006, pp. 102-123.
[13] Chih-Chiang Wu, Sung-Hua Wen and Nen-Fu Huang, "Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card," Springer-Verlag Berlin Heidelberg, LNCS 4301, 2006, pp. 318-328.
[14] L. Tan, B. Brotherton and T. Sherwood, "Bit-split string-matching engines for intrusion detection and prevention," ACM Trans. Architecture and Code Optimization, vol. 3, no. 1, pp. 3-34, 2006.
[15] Y. Weinsberg, S. Tzur-David, D. Dolev and T. Anker, "High performance string matching algorithm for a network intrusion prevention system (NIPS)," in Proc. IEEE 2006 Workshop on High Performance Switching and Routing, 2006.
[16] L. Tan and T. Sherwood, "A high throughput string matching architecture for intrusion detection and prevention," in Proc. 32nd Annual International Symposium on Computer Architecture, 2005, pp. 112-122.
[17] N. Weaver, V. Paxson and J. M. Gonzalez, "The shunt: an FPGA-based accelerator for network intrusion prevention," in Proc. 2007 ACM/SIGDA 15th International Symposium on Field Programmable Gate Arrays, Monterey, California, USA, 2007, pp. 199-206.
[18] Nick Moore, "Snort 2.8.4 Installation on FC11," Snort setup guides, http://www.snort.org/assets/110/Snort_2.8.4.1_FC11.pdf
[19] Patrick Harper, "Snort and BASE Install on CentOS 4, RHEL 4 or Fedora Core," Snort setup guides, http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf
[20] Kerry J. Cox and Christopher Gerg, "Managing Security with Snort and IDS Tools," O'Reilly, 2004, Chapter 3.
[21] Guardian Active Response for Snort, http://www.chaotic.org/guardian/