NetSpartan - Mini - Project

Uploaded by fineman501

|| Jai Sri Gurudev||

SJC Institute of Technology


Department of Computer Science & Design
Date: 24/10/2024

Mini - Project Synopsis

Project Title: Defending Networks with Firewall and IDS


Team: A Bhuvanesh [1SJ22CG064]

Problem Statement:
TL;DR - “Many organizations lack the expertise or resources to implement advanced security solutions, leaving them vulnerable to breaches and data loss. Setting up a real-world network defense using a combination of firewall (pfSense) and IDS (Snort) to test and analyze how layered security can effectively protect against various cyberattacks.”

Elaboration: In the digital age, organizations rely heavily on network infrastructure to manage day-to-day operations, from handling sensitive client data to maintaining online services. However, with the rise of sophisticated cyber threats, networks have become increasingly vulnerable to attacks such as Distributed Denial of Service (DDoS), malware injection, and port scanning.

Traditional security mechanisms like static firewalls are no longer sufficient to handle evolving threats, which can bypass basic protections and exploit weaknesses in network configurations. Moreover, many businesses lack the resources or knowledge to deploy advanced network security tools, resulting in an increased risk of breaches, data loss, and financial harm.

This project aims to address these challenges by testing real-world network defense mechanisms using a combination of firewall configurations and an Intrusion Detection System (IDS). The objective is to create an environment in which to analyze how a layered security approach can protect against a variety of attacks, offering organizations a more robust solution for network security.

Objective:

1. Simulate a Secure Network Environment:
- Create a virtualized network environment using VirtualBox or VMware to simulate a real-world organizational network.
- Set up pfSense as the primary firewall and Snort as the Intrusion Detection System (IDS) to secure the network from cyber threats.

2. Configure Firewall Settings:
- Install and configure pfSense to manage incoming and outgoing network traffic effectively.
- Develop and implement firewall rules that allow legitimate traffic while blocking unauthorized access attempts.
- Enable logging features to track blocked and allowed connections for analysis.

3. Implement Intrusion Detection System (IDS):
- Install and configure Snort to monitor network traffic for potential threats and attacks.
- Load pre-defined detection rules and create custom rules to identify specific attack patterns.
- Set up alert mechanisms to notify administrators of detected malicious activities.

4. Conduct Attack Simulations:
- Port Scanning: Use tools like Nmap to assess the firewall's ability to detect reconnaissance efforts.
- DDoS Attacks: Simulate overwhelming traffic conditions using hping3 to test the firewall's resilience.
- Exploitation Attempts: Use Metasploit to demonstrate vulnerabilities and assess how the IDS responds to exploitation attempts.

5. Analyze and Visualize Network Traffic:
- Employ Wireshark to capture and analyze network traffic during the attack simulations.
- Visualize packet data to assess how both pfSense and Snort react to incoming threats.
- Document the behavior of attacks and defenses in real time.

6. Evaluate Security Effectiveness:
- Assess the effectiveness of the firewall and IDS by analyzing logs, alerts, and captured traffic.
- Identify the types of attacks successfully detected and the responses generated by the security measures.
- Provide insights into potential improvements for the network security configuration.

7. Generate Comprehensive Reports:
- Create detailed reports documenting the setup process, attack simulations, security configurations, and the outcomes of the tests.
- Include log analyses, Wireshark captures, and findings regarding the network's defense mechanisms.
- Highlight best practices for organizations looking to improve their cybersecurity posture.

8. Promote Security Awareness:
- Use the project as a case study to demonstrate the importance of layered security solutions in protecting organizational networks.
- Educate stakeholders on the nature of cyber threats and the effectiveness of firewalls and IDS in mitigating risks.

Proposed Methodology:

1. Virtual Environment Setup:

The project will be carried out in a fully virtualized network environment using VirtualBox or VMware. This virtual network will include:
- pfSense acting as the network firewall
- Snort configured as the Intrusion Detection System (IDS)
- Kali Linux as the attacker machine to simulate real-world threats.
Each virtual machine will be set up on a shared virtual network to simulate a real corporate network environment, where external threats can attempt to compromise internal systems.

2. Firewall Setup (pfSense):

- Installation: pfSense will be installed on a dedicated virtual machine (VM) acting as the network’s gateway.
- Network Configuration: Two interfaces will be configured in pfSense:
  - WAN Interface to simulate the internet
  - LAN Interface to simulate the internal network of the organization.
- Firewall Rules:
  - Allow HTTP traffic (port 80) to permit web browsing
  - Block FTP traffic (port 21) to prevent unauthorized file transfers
  - Implement stateful packet inspection (SPI) to ensure incoming traffic matches the requested outgoing traffic
  - Enable logging for all rules to track denied connections, showing the importance of monitoring attempted breaches.
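As an added illustration (not code from the synopsis or from pfSense itself), the rule set above modelled in Python: a small stateful filter that passes LAN-initiated HTTP, blocks FTP, lets an inbound packet through only when it matches state created by the outgoing packet it answers, and logs every denial. All addresses, ports and packets are constructed.

```python
# Added example (not from the synopsis): a toy model of the pfSense rule set
# above: allow HTTP (80), block FTP (21), stateful packet inspection (SPI),
# and log every denied connection. All addresses and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Static rules: (direction, protocol, destination port) -> action; default deny.
RULES = {
    ("out", "tcp", 80): "pass",   # allow web browsing from the LAN
    ("out", "tcp", 21): "block",  # block the outbound FTP control channel
}

class StatefulFirewall:
    def __init__(self):
        self.states = set()  # 5-tuples of connections passed earlier
        self.log = []        # denied packets, as the rule log would record them

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # SPI: an inbound packet is passed only if it matches state created by
        # the outgoing packet it answers (source and destination swapped).
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reply_of in self.states:
            return "pass"
        action = RULES.get((pkt.direction, pkt.proto, pkt.dport), "block")
        if action == "pass":
            self.states.add(key)  # remember the new connection
        else:
            self.log.append(f"block {pkt.direction} {pkt.proto} "
                            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return action

def run_demo():
    """Replay constructed traffic; returns ([(label, action)], denied-log)."""
    fw = StatefulFirewall()
    traffic = [
        ("LAN client opens a web page", Packet("out", "tcp", "10.0.0.20", 51000, "203.0.113.5", 80)),
        ("web server replies", Packet("in", "tcp", "203.0.113.5", 80, "10.0.0.20", 51000)),
        ("LAN client tries FTP", Packet("out", "tcp", "10.0.0.20", 51001, "203.0.113.5", 21)),
        ("unsolicited probe from WAN", Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.20", 80)),
    ]
    return [(label, fw.filter(p)) for label, p in traffic], fw.log
```

The unsolicited inbound packet to port 80 is denied even though port 80 is "allowed", because the allow rule is outbound and no state exists for it; that is the SPI point the rule list makes.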

3. Intrusion Detection System (Snort):

- Installation: Snort will be installed on a separate VM or within the same pfSense system as a plug-in.
- Rule Configuration: Pre-defined rules will be loaded into Snort to detect common network attacks, such as:
  - Port Scans: Use of tools like Nmap to discover open ports.
  - DDoS Attacks: Simulated by sending high volumes of traffic using tools like hping3 to stress the network.
  - Malware Injection: Using Metasploit to simulate exploits that target vulnerable services in the network.
- Custom Rule Creation: Additional custom Snort rules will be created to detect specific types of traffic patterns, such as:
  - Unusual traffic patterns (e.g., high packet rates from a single IP)
  - Malicious signatures associated with known vulnerabilities (CVE identifiers).
- Alerting and Logging: Snort will be configured to send alerts via logs, providing detailed information about detected threats, including IP addresses, protocols, and time of the attack.
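An added example, not part of the synopsis, of the "high packet rate from a single IP" custom rule expressed as detection logic: a per-source sliding window loosely modelled on Snort's detection_filter option (track by_src, count N, seconds S). The thresholds, hosts and packet timestamps are constructed.

```python
# Added example (not from the synopsis): the "high packet rate from a single
# IP" custom rule as detection logic, loosely modelled on Snort's
# detection_filter option (track by_src, count N, seconds S). Thresholds,
# hosts and timestamps below are constructed.
from collections import defaultdict, deque

class SynRateDetector:
    """Alert when one source sends more than `count` TCP SYNs within `seconds`."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.window = defaultdict(deque)  # src IP -> SYN timestamps in window
        self.alerts = []

    def observe(self, ts: float, src: str, dst: str, dport: int, syn: bool):
        if not syn:
            return None  # the rule only counts connection attempts (flags:S)
        q = self.window[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()  # expire SYNs that fell out of the sliding window
        if len(q) > self.count:
            alert = (f"{ts:.2f} SYN flood suspected: {src} -> {dst}:{dport} "
                     f"({len(q)} SYNs in {self.seconds:g}s)")
            self.alerts.append(alert)
            q.clear()  # one alert per burst: an assumption of this model
            return alert
        return None

def run_demo():
    """Feed constructed traffic to the detector and return the alerts raised."""
    det = SynRateDetector(count=20, seconds=5.0)
    # a normal LAN client: three connections spread over ten seconds
    pkts = [(t, "10.0.0.20", "10.0.0.10", 80, True) for t in (0.0, 4.0, 9.5)]
    # a single host sending 30 SYNs in under a second (constructed flood)
    pkts += [(10.0 + i * 0.03, "198.51.100.9", "10.0.0.10", 80, True)
             for i in range(30)]
    # a non-SYN packet from the flooding host must not be counted
    pkts.append((10.5, "198.51.100.9", "10.0.0.10", 80, False))
    for p in sorted(pkts):
        det.observe(*p)
    return det.alerts
```

The normal client never trips the threshold; the flooding host raises exactly one alert, on its 21st SYN, which is the behaviour a per-source rate rule should show before being tuned against the lab's baseline traffic.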

4. Attack Simulation using Kali Linux:

- Nmap for Reconnaissance:
  - Use Nmap to scan open ports and fingerprint the firewall’s and IDS’s configuration, simulating how attackers gather information about network defenses.
  - Track whether Snort raises alerts for these scans.
- hping3 for DDoS Attack:
  - Simulate a DDoS attack by sending a flood of TCP/SYN packets aimed at a web server running on the internal network.
  - The goal is to overwhelm the server and assess how pfSense manages the incoming traffic.
  - Analyze Snort’s alerts to determine how effectively it detects the DDoS traffic.
- Metasploit for Exploit Simulation:
  - Perform vulnerability scans and exploitation using Metasploit’s database of exploits, targeting vulnerable services within the virtual network.
  - Attempt to compromise machines within the LAN segment and observe how the firewall and IDS mitigate these attacks.

5. Monitoring with Wireshark:

- Traffic Capture: Wireshark will be used to capture traffic at various points in the network to:
  - Visualize packet data for each simulated attack.
  - Verify that firewall rules are correctly blocking or allowing traffic.
  - Confirm that Snort’s IDS rules are detecting malicious packets.
- Analysis: The captured traffic will be analyzed to:
  - Understand the structure of different types of attacks.
  - Determine how the network responds to both legitimate and malicious traffic.

6. Reporting and Logs Analysis:

- The final step will involve creating a detailed report based on:
  - Firewall Logs: Showing how various attack attempts were blocked or allowed.
  - Snort Alerts: Highlighting the detection of attacks like port scans, DDoS, and malware injections.
  - Wireshark Data: Visualizing and analyzing traffic for different stages of the simulated attacks.
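An added example, not from the project, of the Snort alert analysis the report relies on: a parser for Snort's fast-format alert lines that summarises alerts per source IP and per signature, and counts rather than silently drops lines it cannot parse. The alert lines, the local signature IDs and the hosts are constructed.

```python
# Added example (not from the synopsis): parse Snort "fast" alert lines and
# summarise them per source IP and per signature for the report. The alert
# lines, signature IDs (local 1000000+ range) and hosts are constructed.
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line: str):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()  # ports and classification are None when absent (e.g. ICMP)
    fields["pri"] = int(fields["pri"])
    return fields

def summarise(lines):
    """Count alerts per source IP and per (sid, msg); unparsable lines are counted as skipped."""
    by_src, by_sig, skipped = Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_src[alert["src"]] += 1
        by_sig[(alert["sid"], alert["msg"])] += 1
    return {"by_src": by_src, "by_sig": by_sig, "skipped": skipped}

# Constructed sample in Snort's fast alert output format.
SAMPLE_ALERTS = """\
10/24-14:03:11.120045  [**] [1:1000001:1] LOCAL SYN flood from single source [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.9:40001 -> 10.0.0.10:80
10/24-14:05:02.000311  [**] [1:1000002:1] LOCAL port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:50233 -> 10.0.0.10:21
10/24-14:05:02.000912  [**] [1:1000002:1] LOCAL port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:50234 -> 10.0.0.10:22
10/24-14:06:40.551000  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 203.0.113.7 -> 10.0.0.10
this line is not an alert and must be skipped
""".splitlines()
```

Feeding a real alert file to summarise() gives the per-source and per-signature counts the report's "Snort Alerts" section needs, with the skipped count as a sanity check that the parser kept up with the log format.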

Expected Outcomes:

1. Enhanced Network Security:
- The firewall will successfully block unauthorized access attempts (e.g., FTP traffic) and handle malicious DDoS traffic while allowing legitimate HTTP traffic.
- The IDS will detect and log a variety of attacks, including port scans, DDoS attempts, and malware injections.

2. Real-World Application:
- This simulation will reflect a typical enterprise environment, where cyberattacks pose significant threats to the network infrastructure.
- The layered security approach, with both a firewall and an IDS, offers enhanced protection against sophisticated threats.
- By simulating real-world attack scenarios, the project will demonstrate how businesses can protect themselves against common attack vectors, reducing the risk of breaches and data loss.

3. Detailed Attack Analysis:
- The project will generate attack logs, allowing for post-attack forensic analysis.
- By analyzing the traffic captured during attacks, we will showcase the effectiveness of both the firewall and the IDS in real-time defense.
- The project will provide insight into how attackers operate and how security systems can be configured to detect and prevent such behavior.

4. Increased Awareness:
- The project will highlight the importance of a proactive approach to cybersecurity, combining traditional network defenses (firewall) with advanced detection systems (IDS).
- It will underscore the need for continuous monitoring and updating of security rules to stay ahead of evolving threats.

----------------------------THANK YOU----------------------------
