An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Transcription

1 An Open Source IPS IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

2 Introduction IPS or Intrusion Prevention System Uses a NIDS or Network Intrusion Detection System Includes an added component that takes preventative action Our Project: Build and implement an IPS using only Open Source products

3 IPS Components Snort - Open Source Network Intrusion Detection System Detects intrusions, generates alerts, logs alerts. BASE - Open Source Snort console for viewing alerts. SnortSam Open Source IPS Snort output plug-in, called by Snort alert process. SnortSam IPS FW agent Called by SnortSam output plug-in, blocks the malicious traffic

4 IPS Design Approach Distributed Snort IDS sensor with a SnortSam output plug-in Snortsam agents running on Linux hosts with IPTables. Intrusions are detected at a network level and prevented at a host level Central Snort IDS with BASE, Apache, MySQL Snort alerts and SnortSam actions are logged centrally

5 IPS Design External Network Campus Router Campus Server Linux/IPTables/ Host IPS FW Agent Campus Switched LAN (public) SPAN Port Distr. IDS/Host IPS Linksys FW (NAT w/dmz) Central IDS/Host IPS/ DB/IConsole/ IPS Utils

6 IPS Design - Performance Distribute the functions Distributed IDS/IPS: monitors public network traffic and generates alerts Central IDS/IPS receives and logs all Snort alerts and SnortSam actions Central IDS/IPS serves BASE and SnortSam log web pages Isolate the Central Server Central IDS/IPS behind NAT box, blocks public network traffic

7 IPS Design System Integrity Run minimal services on Distributed IDS/IPS Encrypt IPS traffic so attacker cannot learn the address of the IDS/IPS servers All IDS/IPS servers run IPTables and SnortSAM FW Agents

8 Host IPS Details Our implementation uses Linux Hosts with IPTables (Linux host FW) SnortSam includes an IPTables FW agent All traffic between the IDS/IPS and the FW Agents is encrypted

9 IPS Network Flows External Network Campus Router Campus Server Linux/IPTables/ Host IPS FW Agent Campus Switched LAN (public) SPAN Port Distr. IDS/Host IPS ` Administrator Linksys FW (NAT w/dmz) Snort Alert - MySQL IDS/IPS Mgt SSH Block Request SnortSAM Central IDS/Host IPS/ DB/IConsole/ IPS Utils Console & Log - http

10 IPS Process Flow Attacker targets a public campus server The Distributed IDS/IPS will capture the packets from the SPAN port The Distributed IDS/IPS will match the packets to the rules and generate an alert The SnortSam plug-in will forward a blocking request to all SnortSam FW Agents The MySQL plug-in will send the data to the central IDS DB The SnortSam FW Agents will send commands to Host FW to block the Source IP

11 IPS in Action External Network Campus Router Campus Server Linux/IPTables/ Host IPS FW Agent Campus Switched LAN (public) SPAN Port Distr. IDS/Host IPS Attacker Linksys FW (NAT w/dmz) Port Scan Block Request SnortSAM Snort Alert - MySQL Central IDS/Host IPS/ DB/IConsole/ IPS Utils

12 IPS Configuration White List Prevent blocking of IPS servers & other Campus servers e.g. DNS SnortSAM FW Agent Runs on campus servers Controlled by local.conf file Can be configured to ignore certain block requests as appropriate Based on Alert SID (Signature ID) from Snort Allows specific tuning of rules for individual servers

13 IPS Monitoring BASE console PHP based web page for viewing the Snort Alerts Includes multiple views of alerts Includes functions for managing the alert DB SnortSAM Log SnortSAM log file in Apache directory Allows administrator to view the SnortSAM logs via browser remotely

14 Other Possibilities Blocking at Network or Subnet Additional SnortSam Agents Checkpoint FW Agent Checkpoint FW Agent Netscreen FW Agent Cisco Pix & Router Agents Runs on host with access to device

15 Questions?