Global Network Security Response
by Douglas Chick
The expansion of the “Global economy” gave such countries as China and India an epic technology leap forward. With a combined population of 2.3 billion people, the students learning computers alone dwarf the population of many, if not most, countries, including the United States. Needless to say, this has given way to an immediate demand for more computer and network security. I am not, of course, suggesting that China and India are a threat to computer systems around the world; I am saying that because of their sheer numbers, if the same percentage of hackers grows out of them as in other nations, the threat can be insurmountable.
I have computer networking friends who work with various departments of the government, corporations and private companies and are very aware of the possible threats to their computers and networks. They are and have been taking serious steps to secure their systems, despite little interest or concern from company or agency managers. Because of this lack of concern, many network security managers must take it upon themselves to secure their networks, but with little or no budget, they must rely on open source software to do it.
One such program I use is SNORT. SNORT is an open source network intrusion detection and prevention system (NIDS). This is a must-have in any network manager's security toolbox. If you are a Linux fan, then I'm sure you already know about SNORT, as it comes preinstalled with such Linux distributions as BackTrack 4 and Knoppix-STD. Note that there is also a Windows install.
SNORT monitors, captures and analyzes incoming packets and scans them for patterns of intrusion. In other words, it looks for the specific packet signatures used by hackers and automated hacking programs. Snort can detect attacks, probes, operating system fingerprinting, buffer overflows, port scans, and server message block scans. (In other words, all incoming network traffic.)
I recently used SNORT and another program I like, EtherApe, to detect a major intrusion on my network. Within minutes millions of people were on my private fiber network. Once I isolated the problem I immediately contacted my Internet provider. Like many ISPs, they denied it and recommended I look at my routing tables. If you are a network manager then you know that in very many cases you must provide proof to your ISP before they are willing to provide you with support. In this case I recorded the event, showing that there were hundreds of thousands, perhaps even a million, people passing traffic on my network. I sent the logs, and a video of my SNORT and EtherApe displays, and emailed them to the ISP. I then shut down the two interfaces on my router and waited for a return call. The call came quickly, too.

The ISP's main core router was hacked, and their routes were redirected. Two hours later all the ISP's network engineers were called in. I stopped it on my end by shutting down the two interfaces it was coming in from, but it took them two more days to correct it on their end. I have redundant circuits from another provider, so I simply used those. The direct impact to me was minimal. Still, with the flood of hundreds of thousands of people directed to my private network, with over twenty offices connected, I am still waiting to discover any long-term damage. Privately, one of the techs from my ISP told me later that they thought the intrusion came from China.
With the help of SNORT and EtherApe I was immediately alerted to a flood of unwanted traffic on my network. To me this reaffirmed the necessity of intrusion detection programs, and also made me research how many more types there are.
Types of Intrusion Detection Systems:
Intrusion prevention systems (IPS)
This device, also known as an Intrusion Detection and Prevention System, is a network security appliance that monitors for malicious activity. It is a stand-alone appliance that identifies suspicious activity, isolates and logs it, and attempts to block it.
Host-based intrusion detection systems (HIDS)
Host-based intrusion detection systems are installed at the computer level and monitor the actual server they are installed on for suspicious activity, whereas an IPS operates on the network and analyzes packets.
Protocol-based intrusion detection systems (PIDS)
This detection system is generally added in front of a web server and analyzes the HTTP (and HTTPS) protocol stream and/or port numbers.
Application protocol-based intrusion detection systems (APIDS)
An APIDS is typically placed between servers and monitors the application state, or more accurately the protocols being passed between them; for example, a web server that calls on a database to populate a web page field.
I like SNORT because, one, it is free, and two, because of the support and its sheer flexibility. (I know, that is three things.)
SNORT RULES…
Like any intrusion detection device, SNORT has rules. For example:
alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)
Each rule begins with an action, which tells Snort what to do when it finds a packet that matches the rule criteria. There are 5 default actions: alert, log, pass, activate, and dynamic. If you are running Snort in inline mode, there are additional options: drop, reject, and sdrop.
1. alert - generate an alert using the selected alert method, and then log the packet
2. log - log the packet
3. pass - ignore the packet
4. activate - alert and then turn on another dynamic rule
5. dynamic - remain idle until activated by an activate rule, then act as a log rule
6. drop - block and log the packet
7. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
8. sdrop - block the packet but do not log it
If you want to learn more about SNORT, I recommend you visit their site at:
www.snort.org
I know there are other NIDS programs out there, and I’m
sure they are just as good as SNORT, but as a network administrator/engineer
this particular program has already proven itself to me.
EtherApe: Gorilla Virtual Warfare
As I mentioned before, another program I like is EtherApe. EtherApe is a graphical network monitor for UNIX-like operating systems. It doesn't have the same features as SNORT, but what it does do is give you a graphical overview of what is going on in your network. I run EtherApe on a large-screen monitor above my desk. When trouble comes, I can see an immediate flash of color that warns me that there is a possible situation on my network. This seemingly simple program has called me to action a couple of times. EtherApe has the ability to filter on just the port number you want to monitor, or by default all of them. As the name implies it works on an Ethernet network, but it also works with FDDI, Token Ring, ISDN, PPP, and SLIP.
