Intrusion Prevention System Alexis V. Pantola
Aileen N. Choa
Antonio C. Ipili
De La Salle University - PSI 2401 Taft Ave. Manila, Philppines, 1004 +632 524 0402
De La Salle University - PSI 2401 Taft Ave. Manila, Philppines, 1004 +632 524 0402
De La Salle University - PSI 2401 Taft Ave. Manila, Philppines, 1004 +632 524 0402
[email protected]
[email protected]
[email protected]
Kent Derrick C. Tan
Anthony O. Yan
De La Salle University - PSI 2401 Taft Ave. Manila, Philppines, 1004 +632 524 0402
De La Salle University - PSI 2401 Taft Ave. Manila, Philppines, 1004 +632 524 0402
[email protected]
[email protected]
ABSTRACT Many institutions greatly depend on the Internet. This in turn opens up opportunit ies for hackers to infiltrate their network. Firewalls and Intrusion Detection Systems (IDS) are the most prevalent forms of security developed for the network. Firewall permits or denies the entry of a network packet based on its port number or IP address. On the other hand, IDS acts as a security camera that watches over incoming packets and reports any malevolent activities that are present in a network. However, IDS is a passive device. It only reports malicious activities and necessary actions must be done manually by the network administrator. With all these limitations, a new breed of security measure must be realized; thus, the emergence of the Network Intrusion Prevention System (NIPS). NIPS combines the capabilities of the technologies mentioned above and use them together by scanning incoming packets for malicious contents. A packet handler module and an intrusion prevention algorithm are developed to capture incoming packets, decode their contents, and drop malicious ones. Log sheets are generated containing a list of anomalous packets that attempted to penetrate a network system.
Categories and Subject Descriptors C.2.0 General - Security and Protection. C.2.1. Network Architecture and Design - Network communications.
General Terms Security, Management.
Keywords Network security, network management, network infrastructure.
1.
INTRODUCTION
In the past years, people and companies have relied much on using the Internet as their primal source of data. Its security, however, is
always challenged; hence, intrusions are able to penetrate systems, destroying millions of records leading to financial deficiencies and productivity losses. The first solution proposed is using a firewall—blocking invalid IP addresses from entering a network or allowing access only to limited ports for certain IP addresses. This has proven its worth in preventing various intrusion types. However, other forms of attacks such as Reconnaissance, Denial of Service (DoS) attacks, and Protocol Anomalies are still able to infiltrate a network. The second solution offered is using an Intrusion Detection System (IDS) which serves as a video camera inspecting network traffics and logging them onto databases and at times even sending off alarms to warn the network administrator of attacks. This solution has an advantage: it is deployed offline; hence, no network interruptions are caused. Its inability, however, to stop intrusions—detecting and not preventing—makes it seem useless at times, without needing to mention the lengthy period to respond to attacks. A new solution needs to be realized and this includes being able to block malicious packets that penetrate a system.
2.
SYSTEM ARCHITECTURE
the particular traffic needed, and stores the data in a buffer. The contents of network traffic are revealed in the Decode block and afterwards, temporarily save the contents of the packet in another data buffer.
2.2
Packet Scanne r
Figure 2-3 Packet Scanner Block Diagram
Figure 2-1 NIPS Architecture Design The NIPS consists of four modules as shown in Figure 2-1. These are the Packet Sniffer, Packet Scanner, Event Log and Packet Forwarder. Through the Packet Sniffer, an NIPS sniffs network packets and scans their contents using the Packet Scanner. All the packets detected to be malicious are dropped and necessary data entries are made through the Event Log. These are comprised of the source and destination IP address of the attacker, the name of the attack, and date and time the attack occurred. After removing all malicious packets, the legitimate packets are forwarded to their destination through the Packet Forwarder. Internally, there are two sets of Packet Sniffer and Packet Forwarder since packets may come from and go to the external and internal networks1.
2.1
Packet Sniffer
As shown in Figure 2-3, this module has three components namely Port Scan, Scanning Algorithm—representing the Inverse Exclusion Filter, Protocol Validation Filter, Signature Pattern Matching Filter—and the Response Engine. Port Scan may be turned on or off depending on the presence of a Load Balancers and the preference of the network administrator. The Scanning Algorithm encompasses three aspects. In the Inverse Exclusion Filter, “all requests except those that are legal for a given destination are dropped.” [2] Attacks that are detected include address spoofing and IP address filter. In the Protocol Validation Filter, “illegal request methods are dropped” [2] based on the required protocols. The attacks identified are LanD and Smurf. In the Signature Pattern Matching Filter, attacks are detected based on comparisons of packet contents with predefined signatures. Its list of detected intrusions includes HTTP and ICMP attacks. The Response Engine takes care of the packets that are detected by the filters to be malicious thus rejecting it and sending the malicious packet to the Event Log module for logging.
Figure 2-2 Packet Sniffer Block Diagram
2.2.1 This module captures packet passing through the network. This module runs in promiscuous mode where all packets are captured regardless of their destination MAC (Media Access Control) addresses. As shown in Figure 2-2, this module has three components: capture driver, buffer and decode. The capture driver captures the network traffic using an interface card, filters it for
1
An NIPS is not necessarily directly connected to an internal and/or external networks. Instead, NIPS load balancers may be used to distribute the work to several NIPS. This paper does not discuss the use of NIPS load balancers, however in some diagrams, load balancers replace the internal and external networks.
Inverse Exclusion
Spoofing of IP address (limited) – Detecting spoofed IP addresses are done in both directions (i.e., from internal to external and viceversa). If a computer in an internal subnet is to send a packet, it is only identified as an attack if the source IP address used is not found inside the network. This, however, does not prove effective if one of the internal networks assumed the IP address of another internal network. If the external subnet is to send a packet, it is considered an attack only if the IP address it spoofed is found inside the internal network, otherwise, the packet is allowed to pass through. This is done by comparing the source IP addresses to a list of IP addresses considered to be illegal for the said network. Unwanted IP Address – Packets with unwanted IP addresses are verified using an access control list (ACL) where a list of unwanted source and destination addresses previously specified is
used as a comparison for incoming and outgoing IP addresses. If an address matches an entry in the list, the packets they are sending are automatically dropped.
2.2.2
Protocol Validation
LanD – This attack is detected by making a comparison between the source and destination IP addresses. If they are found to be similar, they are immediately dropped by the system. Smurf – This attack is detected by checking the destination address of a packet. If the destination address is considered as a broadcast address, it is immediately discarded.
2.2.3
Signature Pattern Matching
HTTP – Upon receiving an HTTP packet, the NIPS does a comparison between the contents of a packet and its file of predefined signatures. ICMP – There are three types of ICMP attacks being considered and checked. These are ICMP Max Length Exceeded Check, IP Options Check, and Illegal Header Value Check. The first type checks for code or fields of ICMP Headers and compare them to a list of correct information to determine if they are valid or not. IP Options Check checks whether there are IP Options mentioned in the packet. The last type looks for anomalous data in the packet and if found, the packet is dropped.
2.3
Packet Forwarder
Figure 2-4 Packet Forwarder Block Diagram After the packet is scanned and is considered to be attack-free, this module (see Figure 2-4) allows the said packet to reach its destination. The Packet Forwarder is also responsible in sending unique Keep Alive packets to a Load Balancer if existing. This Keep Alive packets are messages that are sent to acknowledge the presence and connection of the NIPS to the load balancer.
2.4
Event Log
This module records events whenever the system drops a packet due to malicious content. These logs are recorded for review of the administrator and this contains source IP, destination IP, name, date, and time of the attacks detected.
3.
EXPERIMENTS AND RESULTS
The NIPS is tested using two computers and a machine loaded with the NIPS software (see Figure 3-1). The first computer represents an external network while the second computer acts as the internal network. The machine with the NIPS software is located between the two computers.
Figure 3-1 Experiment Set-up The scanning component of the NIPS is designed to sniff all packets from the source network and check for attacks by comparing the packet to a file of unwanted contents based on HTTP and ICMP samples and dropping all those found to be malevolent. Also, those violating rules as LanD, Smurf, IP Address Filter, and IP Spoofing are blocked as needed. Prior to this, the port scan functionality is used to perform checking on attacks which looks for active ports in the network. Afterwards, its system log creates a database of all these discovered attacks. The external network (source) sends packets (valid and malicious ones) using a packet generator. On the other hand, the internal network executes a packet sniffer that checks the number of packets received. The Windows Protocol Stack of the machine with the NIPS software is disabled to allow the system to act as a wire that does not interfere with the communication between the source and receiving computers, except to transport these data. Also, the first two sections of this experiment are done in the Monitor Mode of the NIPS such that all detected attacks are not dropped. The last three are tested in the Activate Mode; hence, malicious packets detected are dropped. Both modes list down all discovered attacks in the log sheet. Different attacks are sent from the external network. Five trials are performed for each attack. Below is the result of the experiment. Table 3-1 Result of Experiment Attacks:
1 st run
2 nd run
3 rd run
4 th run
5 th run
Telnet: Root Login
ü
ü
ü
ü
ü
Telnet: passwd file look-up
ü
ü
ü
ü
ü
FTP: Root Login
û
ü
û
ü
ü
FTP: No Password
ü
ü
ü
ü
ü
Attacks:
1 st run
2 nd run
3 rd run
4 th run
5 th run
FTP: Pass Guest
ü
ü
ü
ü
ü
FTP: etc passwd file look-up
ü
Finger: demo
ü
ü
ü
ü
ü
255 FTP: long password
ü
ü
ü
ü
ü
WEB: DOTDOT
ü
ü
ü
ü
ü
WEB: DOTDOT2
ü
ü
ü
ü
ü
WEB: etc password file look-up
ü
ü
ü
ü
ü
WEB: HTACCES
ü
ü
ü
ü
ü
Finger: search
ü
ü
ü
ü
ü
Finger: root
ü
ü
ü
ü
ü
Finger: bomb
ü
ü
ü
ü
ü
Finger: probe
ü
ü
ü
ü
ü
TFTP: group file look-up
ü
ü
ü
ü
ü
FTP: user-anon
û
ü
û
ü
ü
FTP: user-ftp
û
ü
û
ü
ü
FTP: group file look-up
ü
ü
ü
ü
ü
TFTP: passwd file look-up
ü
ü
ü
ü
ü
LanD
ü
ü
ü
ü
ü
Smurf
ü
ü
ü
ü
ü
IP Address Filter
ü
ü
ü
ü
ü
[2] Attack Mitigator IPS: Configuration and Management
Limited IP Spoofing
ü
ü
ü
ü
ü
[3] Botha, M. Rossouw von Solms, Perry, K., Loubser, E., and
Backdoor Signature – Q ICMP
ü
ü
ü
ü
ü
ICMP Ping Delphi-Piette Win
ü
ü
ü
ü
ü
Attacks: Fin
1 st run
2 nd run
3 rd run
4 th run
5 th run
ü
ü
ü
ü
ü
Legend: ü
-
Attack Detected
û
-
Attack Missed
As seen in the result, all of the attacks are detected except for FTP: Root Login, User-Anonymous, and User-FTP. These may be attributed to the way the system logs attacks. Some attacks are not detected on several accounts because of the order by which the attack signatures are listed. In single-packet attacks, the very first signature it finds in its list that is violated by the packet is the one it records in the Log Sheet. If multiplefragmented packets are sent and the attack signatures are separated, the records made comprises all the violations found per individual fragment sent and after the whole packets are actually received.
4.
CONCLUSION
The Network Intrusion Prevention System is a system that detects and blocks malicious packets from entering and leaving the network. In addition, the system provides an event log that provides a list of attacks discovered by the system. The NIPS module identifies malicious packets by searching through a user-input list of signatures. This signature file, when configured properly, detects HTTP, IP, ICMP, TCP, and UDP attacks. Other functionalities as IP Spoofing, Port Scan detection, IP Address Filter, LanD, and Smurf are also present to protect the internal network from being penetrated.
5.
REFERENCES
[1] Anderson, R.J. (2001). Network Attack and Defense. http://ww.ftp.cl.cam.ac.uk/ftp/users/rja14/c18_anderson.pdf Manual (June 1, 2003) Yamoyany, G. (2002). The Utilization of Artificial Intelligence in a Hybrid Intrusion Detection System.
[4] Cisco Systems Inc. (1999). Cisco Secure Intrusion Detection System, Technical Overview ü
ü
ü
ü
[5] Fu, Arvin, et. al. (2003). Linux-Based Intruder Detection [6] Lee, W. Stolfo, S.J. (2001). A Framework for Constructing
System. De La Salle Unversity, Philippines.
ICMP Ping Microsoft Windows
ü
ü
ü
ü
ü
ICMP Ping Pinger Windows
ü
ü
ü
ü
ü
ICMP Address Mask Reply
ü
ü
ü
ü
ü
Syn
ü
ü
ü
ü
ü
Features and Models for Intrusion Detection Systems.
[7] Miller, I. (2001). Protection Against a Variant of the Tiny Fragment Attack.
[8] Ziemba, G. et. al. (1995). Security Consideration for IP Fragment Filtering.
