Lec 1 IDS

Uploaded by margenmohamed

Stages to achieving security in networks
• Prevention: stops attacks before they enter the system
• Detection: discovers attacks after they have entered
• Correction: takes action to address the problem and prevent it from occurring again
Security mechanisms
• Anti-virus
• Viruses are programs which cause computer failure and damage data
• In a network environment a virus poses an immeasurable threat and can be very destructive
• Anti-virus programs are software installed on a computer to detect, prevent and decide whether to quarantine or delete malicious programs such as malware, worms or viruses
• Protect data from modification
Disadvantages of anti-virus
• Unable to block unwanted network traffic intended to damage the network
• Only able to detect malicious content once it is stored on the device
Firewall
• Network traffic is usually filtered according to criteria such as source, destination, protocol or service
• A firewall prevents communication forbidden by the predefined security policy
• A firewall is an active protection
• A firewall cannot detect attacks which target legitimate services
• Example: a firewall configured to allow Internet access to port 80 (HTTP) on a web server inside the network lets attacks against that web service through
• A firewall does not examine the content of legitimate traffic
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a network security tool that monitors network or system activities for malicious activities or policy violations, and produces alerts when such activities or violations are detected.
• An intruder is somebody (hacker or cracker) attempting to bypass the system by authorized or unauthorized methods in order to misuse its resources or damage the system
• Intrusions are unauthorized access attempts or malicious activities that are targeted at systems or networks
• Detection is the method used to describe the characteristics of the analyzer
Zero-Day Attacks
• A zero-day attack is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor.
• The term zero-day describes the moment when a previously unknown threat is identified
IDS components
• Sensors: collect data from sources
• Analyzers: determine if intrusion has occurred
• User interface: view output or control system behavior
Types of intrusion detection
• IDSs are divided into two basic classes based on their position:
• Host-based IDS (HIDS): monitors the inbound and outbound packets of that device only and alerts the user or administrator if suspicious activity is detected
• Network-based IDS (NIDS)
HIDS
• Monitors a single machine and audits data such as:
• Resource usage
• System logs
• Events traced by the hosting operating system
• Takes the hash of a packet and compares it with a database of signatures for known malicious threats previously established
• Similar to the way most anti-virus software detects malware
Advantages and disadvantages of HIDSs
• Advantages:
• Operates with a specific host such as a server
• Integrated with other network components and the operating system
• Disadvantages:
• Consumes computer system resources
• May conflict with existing security policies (such as firewalls) and operating systems
• It is difficult to analyze intrusion attempts across multiple computers
• Difficult to maintain in large networks with different operating systems and configurations
• Many essential servers cannot support this operation
NIDS
• Used to analyze traffic at all layers by detecting the behavior of normal traffic or suspicious activities
Disadvantages of NIDS
• Unable to analyze entire network packets in high-speed and high-load networks
• The NIDS itself is affected by DoS and DDoS attacks
• A NIDS is unable to inspect encrypted network traffic
Types of NIDS based on how they work
• Signature-based NIDS (SNIDS)
• Anomaly-based NIDS (ANIDS)
Signature-based NIDS (SNIDS)
• Also called misuse detection or rule-based detection
• Takes signatures of known attacks and stores them in a database
• Monitors suspicious packets and matches their signature against the database; if it matches, the packet is malware, otherwise it is a legitimate packet
• Similar to anti-virus
Advantages and disadvantages of SNIDS
• Advantages:
• High confidence in detection
• Low false positive rate
• Better understood
• Widely applied
• Disadvantages:
• Cannot detect new attacks whose signatures are unknown
• Requires a huge signature database, which causes overhead when searching
• Not appropriate in high-speed networks
ANIDS
• Known as detection by behavior
• Intrusions are detected by observing a deviation from normal or expected behavior
• If a deviation is observed, an alarm is generated
• Anything that does not match previously learned behavior is considered an intrusion
Advantages and disadvantages of ANIDS
• Advantages:
• Ability to detect unknown attacks as well as zero-day attacks
• Anomaly detection plays a role in flood detection
• Disadvantages:
• High false positive rate
• Difficulty in identifying the attack type
IDS true positive, false positive, false negative, true negative
• In an IDS:
• A true positive is an alert generated by the IDS that is a legitimate security incident.
• A false positive is an alert generated by the IDS that is not a legitimate security incident.
• A false negative is an attack that the IDS fails to detect.
• A true negative is activity that the IDS correctly identifies as not being a security incident.
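The signature-matching described under SNIDS and the four outcome classes defined above, as an added example that is not part of the original slides: a constructed signature database (hashes plus byte patterns) is run over constructed, labelled sample traffic and the TP/FP/FN/TN counts are derived from the result. The payloads, hashes and patterns are all made up for illustration.

```python
import hashlib
from collections import Counter

# Constructed signature database standing in for the slides' "database of
# signatures of known attacks": SHA-256 hashes of known-bad payloads (the HIDS
# hash-and-compare method) plus byte patterns (the SNIDS rule method).
KNOWN_BAD_HASHES = {hashlib.sha256(b"EVIL-PAYLOAD-v1").hexdigest()}
KNOWN_BAD_PATTERNS = [b"/etc/passwd", b"' OR 1=1"]

def match_signature(payload: bytes) -> bool:
    """Alert if the payload's hash is in the database or a known pattern occurs in it."""
    if hashlib.sha256(payload).hexdigest() in KNOWN_BAD_HASHES:
        return True
    return any(pattern in payload for pattern in KNOWN_BAD_PATTERNS)

# Constructed, labelled sample traffic: (payload, is_actually_malicious)
SAMPLE_TRAFFIC = [
    (b"GET /index.html HTTP/1.1", False),
    (b"EVIL-PAYLOAD-v1", True),                    # known attack: hash is in the DB
    (b"GET /../../etc/passwd HTTP/1.1", True),     # known attack: pattern is in the DB
    (b"GET /docs/etc/passwd-format.html", False),  # benign request that matches a pattern
    (b"NEW-ZERO-DAY-PAYLOAD", True),               # unknown attack: no signature exists yet
    (b"POST /login user=bob", False),
]

def evaluate(traffic):
    """Count true/false positives and negatives exactly as the slides define them."""
    counts = Counter({"TP": 0, "FP": 0, "FN": 0, "TN": 0})
    for payload, malicious in traffic:
        alerted = match_signature(payload)
        if alerted and malicious:
            counts["TP"] += 1      # alert, and it really is an incident
        elif alerted:
            counts["FP"] += 1      # alert, but it is not an incident
        elif malicious:
            counts["FN"] += 1      # attack the IDS failed to detect
        else:
            counts["TN"] += 1      # benign activity, correctly left alone
    return dict(counts)

def rates(counts):
    """Detection rate TP/(TP+FN) and false-positive rate FP/(FP+TN)."""
    detection = counts["TP"] / (counts["TP"] + counts["FN"])
    false_positive = counts["FP"] / (counts["FP"] + counts["TN"])
    return detection, false_positive

if __name__ == "__main__":
    c = evaluate(SAMPLE_TRAFFIC)
    print(c, rates(c))
```

The zero-day payload is the false negative that SNIDS cannot avoid, and the benign page whose name contains a signature string is the false positive that a pattern-only database produces.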
IDS Principles
• Assumption: intruder behavior differs from that of legitimate users
• Expect overlap; a loose vs. tight interpretation decides, for legitimate users, whether to catch more (false positives) or catch less (false negatives)
• Observe major deviations from past history
• Problems of:
• False positives: a valid user identified as an intruder
• False negatives: an intruder not identified
• A compromise between the two must be made
Distributed host-based IDS
• Host agent
• LAN agent (analyzes LAN traffic)
• Central manager
Distributed host-based IDS: agent architecture
• Host audit record: retain only security-relevant data, use a standard format
• Analyze for failed file access and changes to the access-control (AC) matrix
• Analysis module: suspicious activity? Send to the central manager
Comparison between IDS and IPS
• Position: IPS is in line; IDS is off line
• Network impact: IPS has some impact on the network (latency, jitter); IDS has no impact on the network (latency, jitter)
• Response: IPS stops trigger packets; an IDS response action cannot stop trigger packets
• Sensor failure: IPS sensor issues might affect network traffic; with IDS there is no network impact if there is a sensor failure
• Sensor overload: IPS sensor overloading impacts the network; with IDS there is no network impact if there is sensor overload
• Evasion: IPS can use stream normalization techniques; IDS is more vulnerable to network security evasion techniques
Passive NIDS sensors
AIDS Approaches
• The most important approaches:
• Statistical-based detection
• Data mining-based detection
• Knowledge-based detection
• Machine learning-based detection
• flow-based detection
Statistical anomaly-based approach
• Most widely used
• User or system behavior is measured by a number of variables sampled over time, such as:
• Login and logout time of each session
• Resources consumed (processor, memory, disk) during the session
• Number of files accessed in a period of time
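The statistical approach above, as an added example that is not from the slides: a per-user profile (mean and standard deviation of login hour, files accessed and CPU time) is learned from constructed normal sessions, and a new session raises an alarm when any variable deviates by more than a z-score threshold. The sessions, the threshold of 3.0 and the three variables are assumptions chosen for illustration.

```python
import statistics

# Constructed training sessions for one user: (login_hour, files_accessed, cpu_seconds)
BASELINE_SESSIONS = [
    (9, 40, 120), (9, 45, 130), (10, 38, 110), (8, 50, 140),
    (9, 42, 125), (10, 47, 135), (9, 41, 118), (8, 44, 128),
]
VARIABLES = ("login_hour", "files_accessed", "cpu_seconds")

def build_profile(sessions):
    """Learn the mean and standard deviation of each sampled variable from normal sessions."""
    profile = {}
    for i, name in enumerate(VARIABLES):
        values = [s[i] for s in sessions]
        profile[name] = (statistics.mean(values), statistics.pstdev(values))
    return profile

def score_session(profile, session, threshold=3.0):
    """Return the variables whose |z-score| exceeds the threshold; a non-empty result is an alarm."""
    deviations = {}
    for i, name in enumerate(VARIABLES):
        mean, sd = profile[name]
        z = abs(session[i] - mean) / sd if sd else 0.0
        if z > threshold:
            deviations[name] = round(z, 2)
    return deviations

if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    # Normal session, unknown attack (never seen before), and a legitimate late-night login
    for session in [(9, 43, 126), (3, 900, 124), (14, 46, 130)]:
        print(session, score_session(profile, session) or "normal")
```

The second session is flagged although no signature for it exists (the zero-day advantage); the third is a false positive from a legitimate user who merely changed working hours, which is the disadvantage the slides list.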
Data mining-based approach
• Works together with the signature approach
• Builds a model from a large data store, which reduces the amount of data that must be retained
• Advantages
• Reduces searching in a large store
• Reduces false alarms
• Disadvantages
• Requires analysis of a large database
Knowledge-based detection technique
• Knowledge-based detection techniques use a set of predefined rules to detect malicious activities. These rules can be based on expert knowledge, such as a signature database or an intrusion detection system.
• The rules can also be based on the behaviour of the system.
• Knowledge is accumulated about specific attacks and system vulnerabilities
• The IDS has information about these vulnerabilities and looks for attempts to exploit them
• For example, the system can be monitored for changes in access patterns or unusual activities.
• Knowledge-based detection techniques are often used in combination with other techniques, such as anomaly-based detection, to provide a more comprehensive approach to detecting malicious activities.
Knowledge-based detection technique: advantages and disadvantages
• Advantages:
• Accuracy is good
• Low false alarm rate
• Disadvantages:
• Requires regular updates with new vulnerabilities
Machine learning-based approach
• A technique capable of acquiring knowledge automatically
• Learns from experience, training and analytical observation
• The system can continuously self-improve
• Used against DDoS attacks
• Disadvantage:
• Expensive
Packet-based NIDS
• Packet-based NIDS: processes all traffic received on the edge router and analyzes the whole payload content in addition to the headers
• Packet-based Network Intrusion Detection Systems (NIDS) analyze individual packets that are sent across a network in order to detect malicious activity.
• They look for anomalies such as unexpected data in a packet, unexpected protocol behavior, or unexpected source and destination addresses.
• Additionally, NIDSs can be configured to look for specific patterns, such as known malicious code signatures, in order to detect malicious activities.
• Advantage:
• Practically all common kinds of known attacks and intrusions can be detected
• Disadvantages:
• Cannot detect unknown attacks
• Difficulty working with high-speed networks and vast amounts of data
Flow-based NIDS
• A flow is a stream of packets that share the following characteristics:
• Source and destination IP address, source and destination port number, and protocol value
• Provides information about the behavior of a connection
• An attack that is injected only in the payload will not be identified by a flow-based approach
• Flow-based detection can detect attacks such as:
• DoS, computer worms, network probing, flooding
Flow-based advantages and disadvantages
• Advantage:
• Detects unknown attacks or zero-days
• Disadvantage:
• Increased false alarms
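The flow-based approach above, as an added example that is not from the slides: constructed packet records are aggregated into flows keyed by the 5-tuple listed (source/destination IP, source/destination port, protocol), and the flow metadata alone is used to spot probing (one source touching many ports) and flooding (one pair carrying an unusual packet count). The addresses, thresholds and packet counts are assumptions; note that payload is never inspected, which is exactly why a payload-only attack stays invisible here.

```python
from collections import defaultdict

# Constructed packet records (not real captures): (src_ip, dst_ip, src_port, dst_port, proto, bytes)
PACKETS = [
    ("10.0.0.5", "10.0.0.10", 51000, 80, "tcp", 500),
    ("10.0.0.5", "10.0.0.10", 51000, 80, "tcp", 1200),   # same 5-tuple: same flow
    ("10.0.0.5", "10.0.0.10", 51001, 443, "tcp", 700),
    ("10.0.0.7", "10.0.0.10", 52000, 53, "udp", 80),
]
# One source touching 40 distinct ports on one host: network probing behaviour.
PACKETS += [("10.0.0.99", "10.0.0.10", 40000 + p, p, "tcp", 60) for p in range(1, 41)]
# One 5-tuple carrying 500 packets: flooding behaviour.
PACKETS += [("10.0.0.8", "10.0.0.10", 53000, 80, "tcp", 40)] * 500

def build_flows(packets):
    """Aggregate packets into flows keyed by the 5-tuple the slides list."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, size in packets:
        flow = flows[(src, dst, sport, dport, proto)]
        flow["packets"] += 1
        flow["bytes"] += size
    return dict(flows)

def detect_probing(flows, port_threshold=20):
    """Source/destination pairs where one source opened flows to many distinct ports."""
    ports = defaultdict(set)
    for (src, dst, _sport, dport, _proto) in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= port_threshold}

def detect_flooding(flows, packet_threshold=200):
    """Source/destination pairs whose flows together carry an unusually large packet count."""
    totals = defaultdict(int)
    for (src, dst, _sport, _dport, _proto), stats in flows.items():
        totals[(src, dst)] += stats["packets"]
    return {pair: n for pair, n in totals.items() if n >= packet_threshold}

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flows")
    print("probing:", detect_probing(flows))
    print("flooding:", detect_flooding(flows))
```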
Snort IPS
• Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks
• The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs
• Snort IPS rule actions
• (Snort can be enabled in IDS mode or in IPS mode)
Snort IDS and IPS rule actions
• Snort IDS mode
• Alert: generate an alert
• Log: log the packet
• Pass: ignore the packet
• Snort IPS mode
• Drop: block and log the packet
• Reject: block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
• Sdrop: block the packet but do not log it
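The six rule actions above in use, as an added example of Snort rule syntax that is not from the slides or from Cisco: each rule pairs one action with a simple match. The content strings, the `MONITOR_HOST` variable and the sid values are constructed placeholders; `$HOME_NET` is Snort's usual name for the protected network.

```snort
# Constructed example rules (not from the slides). The sid values are placeholders.
ipvar MONITOR_HOST 10.0.0.50

# IDS mode actions: the packet is never blocked
alert tcp any any -> $HOME_NET 80 (msg:"Possible path traversal to /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
log   udp any any -> $HOME_NET 161 (msg:"SNMP query logged for later review"; sid:1000002; rev:1;)
pass  tcp $MONITOR_HOST any -> $HOME_NET any (msg:"Authorized monitoring host, ignore"; sid:1000003; rev:1;)

# IPS mode actions: only meaningful when Snort is inline (the data interface, VPG1)
drop   tcp any any -> $HOME_NET 80 (msg:"SQL injection attempt blocked and logged"; content:"' OR 1=1"; nocase; sid:1000004; rev:1;)
reject tcp any any -> $HOME_NET 22 (msg:"Blocked, logged, and TCP reset sent"; flags:S; sid:1000005; rev:1;)
sdrop  udp any any -> $HOME_NET 9999 (msg:"Silently dropped, nothing logged"; sid:1000006; rev:1;)
```

In IDS mode (passive sensor, off line) the drop, reject and sdrop rules cannot stop the trigger packet, which is the IDS/IPS difference listed in the comparison above.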
Snort IPS interfaces
• (Snort IPS requires two VPG interfaces)
• VPG: virtual port group
• Management interface (VPG0)
• This is the interface that is used to source logs to the log collector
and for retrieving signature updates from Cisco.com.
• For this reason, this interface requires a routable IP address.
• Data interface (VPG1)
• This is the interface that is used to send user traffic between the Snort virtual
container service and the router forwarding plane.
Configure Snort on Kali Linux (screenshot slides; only the captions survive)
• Add the Kali Linux IP address to the Snort config file
• Snort on Kali Linux
• Open a listening state on Kali
• Scan Kali from another Kali machine: example 1, SNMP scan on port 161
• Example 2: scan with scripts; Snort activity capture
• Example 2: scan a UDP port; Snort captures the UDP port scan
• Example 3: ping to Kali; capture ping traffic