Network Management Tasks. 17: Network Management and Monitoring. Snort. Snort IDS. Snort Rules



Similar documents
This Lecture. NWEN 403 Advanced Network Engineering. Network Management. Outline. Network management. Qiang Fu

Network Management. What is network management?

Chapter 9 Network Management

Chapter 8 Network Management. Chapter 8 outline. What is network management? Chapter 8: Network Management

Chapter 9 Network Management

Chapter 9 Network Management. ISO network management. What is network management? Chapter 9: Network Management. Network Management standards

Network Management: - SNMP - Software Defined networking

Simple Network Management Protocol - SNMP v1, ASN, MIB, BER. Network Management

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Firewalls. Chapter 3

Chapter 8 Security Pt 2

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Introduction to Firewalls

SNMP Basics BUPT/QMUL

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Managing and Securing Computer Networks INFO-056

Chapter 8 Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Network Defense Tools

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Configuring SNMP Cisco and/or its affiliates. All rights reserved. 1

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Text Book: Computer Networking: A Top Down Approach Featuring the Internet 3rd edition, by Jim Kurose and Keith Ross, Addison-Wesley

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Introduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network

Linux Network Security

Working with Snort Rules

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

CS5008: Internet Computing

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Network Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Cisco PIX vs. Checkpoint Firewall

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Security Technology: Firewalls and VPNs

Proxy Server, Network Address Translator, Firewall. Proxy Server

INTRODUCTION TO FIREWALL SECURITY

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

ITEC310 Computer Networks II

FIREWALL AND NAT Lecture 7a

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

TELE 301 Network Management

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewalls, IDS and IPS

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Basic Network Configuration

SNMP. Simple Network Management Protocol

Introduction of Intrusion Detection Systems

Lecture 23: Firewalls

CMPT 471 Networking II

Network Management. Network Management. Copyright and acknowledgments. Acknowledgements. Pag. 1

Simple Network Management Protocol

Network Management. Copyright and acknowledgments

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Protocols and Architecture. Protocol Architecture.

Lesson 5: Network perimeter security

SNMP and Network Management

Solution of Exercise Sheet 5

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Simple Network Management Protocol

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Management. Network management definition? Network Management. Network management definition? Copyright and acknowledgments

Chapter 9 Firewalls and Intrusion Prevention Systems

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

8. Firewall Design & Implementation

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Overview. Firewall Security. Perimeter Security Devices. Routers

CSCE 465 Computer & Network Security

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Simple Network Management Protocol

Firewall Implementation

Stateful Firewalls. Hank and Foo

Cryptography and network security

Firewalls Netasq. Security Management by NETASQ

Internet Protocol: IP packet headers. vendredi 18 octobre 13

OS/390 Firewall Technology Overview

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Cisco Configuring Commonly Used IP ACLs

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Computer Security: Principles and Practice

INTRUSION DETECTION SYSTEMS and Network Security

Transcription:

Network Management Tasks 17: Network Management and Monitoring Last Modified: 4/21/2003 2:46:25 PM Protecting the network (e.g. intrusion detection) Detecting failed components (interfaces, links, hosts, routers) Monitoring traffic patterns (recommend needed upgrades, cap certain types of traffic) Detect abnormal traffic (rapid changes in routing tables, huge spikes in BW usage) 8: Network Management 1 8: Network Management 2 Snort Snort IDS Detection/logging of packets matching filters/rule sets similar to Ethereal capture/display filters Three primary uses Packet sniffer Packet logger Intrusion Detection System Snort consists of three subsystems: packet decoder (libpcap-based) detection engine logging and alerting subsystem Detection engine: Rules form signatures Modular detection elements are combined to form these signatures Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc. Rules system is very flexible, and creation of new rules is relatively simple 8: Network Management 3 8: Network Management 4 Snort Rules Writing Snort Rules Snort rules consist of two parts Rule header Specifies src/dst host and port Alert tcp!128.119.0.0/16 any -> 128.119.166.5 any Notice: negation, any in network 128.119.0.0 Rule options Specifies flags, content, output message (flags: SFAPR; msg: Xmas tree scan ) Snort uses a simple rules language http://www.snort.org/writing_snort_rules.htm Rule header consists of Rule Actions Alert, Log, Pass Dynamic, activate, etc Protocol Tcp, udp, icmp, etc IP Addresses Source, dest, CIDR mask Port numbers Source, dest, range Direction Negation 8: Network Management 5 8: Network Management 6 1

Simple examples log tcp any any -> $SMTP 23 (msg: telnet to the mail server! ;) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: TELNET login incorrect ; content: Login incorrect ; flags: A+;) alert icmp any any -> any any (msg: ICMP Source Quench ; itype: 4; icode: 0;) 8: Network Management 7 Prewritten Rulesets Snort comes packaged with a number of prewritten rulesets include bad-traffic.rules include exploit.rules include scan.rules include finger.rules include ftp.rules include telnet.rules include smtp.rules include rpc.rules include rservices.rules include dos.rules include ddos.rules include dns.rules include tftp.rules include web -cgi.rules include web -coldfusion.rules include web -frontpage.rules. 8: Network Management 8 Vulnerability databases Rules correlated to common databases Bugtraq http://www.securityfocus.com/cgi-bin/vulns.pl Ex. Bugtraq id 2283: 23-01-2001: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability ArachNIDS http://www.whitehats.com/ids/index.html Common Vulnerabilities and Exposures http://cve.mitre.org Firewalls Gateway machines through which all traffic passes Can *stop* rather than simply log traffic that matches rules/filters 8: Network Management 9 8: Network Management 10 Types of firewalls Packet Filtering firewall Operate on transport and network layers of the TCP/IP stack Internal Network Proxy Client Application Gateways/Proxies Packet Filtering Firewall Proxy Firewall Actual Server Operate on the application protocol level External Network Packet Filtering Firewall Operate on transport and network layers of the TCP/IP stack Decides what to do with a packet depending upon the following criteria: Transport protocol (TCP,UDP,ICMP), Source and destination IP address The source and destination ports ICMP message type/code Various TCP options such as packet size, fragmentation etc A lot like Ethereal capture/display filters 8: Network Management 11 8: Network Management 12 2

Packet Filtering Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Example 2: Block inbound TCP segments with ACK=0 or with SYN bit set and ACK bit unset. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Packet Filtering Firewall: Terminology Stateless Firewall: The firewall makes a decision on a packet by packet basis. Stateful Firewall : The firewall keeps state information about transactions (connections). NAT - Network Address translation Translates public IP address(es) to private IP address(es) on a private LAN. We looked at this already (must be stateful) 8: Network Management 13 8: Network Management 14 Packet Filtering Firewall: Functions Application Gateway (Proxy Server) Forward the packet(s) on to the intended destination Reject the packet(s) and notify the sender (ICMP dest unreach/admin prohibited) Drop the packet(s) without notifying the sender. Log accepted and/or denied packet information NAT - Network Address Translation Operate at the application protocol level. (Telnet, FTP, HTTP) Filters packets on application data as well as on IP/TCP/UDP fields Application Gateways Understand the protocol and can be configured to allow or deny specific protocol operations. Typically, proxy servers sit between the client and actual service. Both the client and server talk to the proxy rather than directly with each other. 8: Network Management 15 8: Network Management 16 Application gateways Example: allow select internal users to telnet outside. host -to -gateway telnet session application gateway gateway-to -remote host telnet session router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Firewall filter blocks all telnet connections not originating from gateway. Firewall Hardware/Software Dedicated hardware/software application such as Cisco PIX Firewall which filters traffic passing through the multiple network interfaces. A Unix or Windows based host with multiple network interfaces, running a firewall software package which filters incoming and outgoing traffic across the interfaces. A Unix or Windows based host with a single network interface, running a firewall software package which filters the incoming and outgoing traffic to the individual interface. 8: Network Management 17 8: Network Management 18 3

Firewall Architecture In the real world, designs are far more complex Core Switch Core Switch Core Switch Internal Network Internal Router Modem Internal Firewall IDS DMZ Web Server External Firewall Border Router External Network Limitations of firewalls and gateways IP spoofing: router can t know if data really comes from claimed source If multiple app s. need special treatment, each has own app. gateway. Client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser Filters often use all or nothing policy for UDP. Tradeoff: degree of communication with outside world, level of security Many highly protected sites still suffer from attacks. 8: Network Management 19 8: Network Management 20 Managing the network? autonomous systems (network under a single administrative control): 100s or 1000s of interacting hw/sw components Many complex pieces that can break Hardware (end hosts, routers, hubs, cabling) Software Something is broken where? What is normal? What is abnormal? Planning for the future where is the bottleneck? Need information stream from remote components 8: Network Management 21 Network Management Architecture (1) a network manager (2) a set of managed remote devices (3) management information bases (MIBs) (4) remote agents that report MIB information and take action under the control of the network manager (5) a protocol for communicating between the network manager and the remote devices Network Operations Center (NOC) = control center 8: Network Management 22 Infrastructure for network management definitions: managing entity managing entity data network management protocol managed device managed devices contain managed device managed objects whose data is gathered into a Management Information Base (MIB) managed device managed device Network Management standards OSI CMIP Common Management Information Protocol designed 1980 s: the unifying net management standard too slowly standardized SNMP: Simple Network Management Protocol Internet roots (Simple Gateway Monitoring Protocol, SGMP) started simple deployed, adopted rapidly growth: size, complexity de facto network management standard 8: Network Management 23 8: Network Management 24 4

SNMP overview: 4 key parts SMI: data definition language SNMP protocol convey manager<->managed object info, commands Structure of Management Information (SMI): data definition language for MIB objects, format of data to be exchanged Protocol independent type language Management information base (MIB): distributed information store of network management data, collection of MIB objects security, administration capabilities major addition in SNMPv3 Purpose: syntax, semantics of management data welldefined, unambiguous base data types: straightforward, boring Higher level structs OBJECT-TYPE MODULE_IDENTITY SMI Basic Data Types INTEGER Integer32 Unsigned32 OCTET STRING OBJECT IDENTIFIED IPaddress Counter32 Counter64 Guage32 Tie Ticks Opaque 8: Network Management 25 8: Network Management 26 OBJECT-TYPE MODULE-IDENTITY SYNTAX = basic type of this object MAX-ACCESS = operations allowed on the object (read, write, create, notify) STATUS = current/valid, obsolete (should not be implemented), deprecated (implemented for backwards compatibility) DESCRIPTION = comment, human readable description ipindelivers OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)." ::= { ip 9 } MODULE-IDENTITY construct allows related objects to be grouped together within a "module. Contains the OBKECT- TYPE constructs for each object in the module Plus contact and description information ipmib MODULE-IDENTITY LAST-UPDATED 941101000Z ORGANZATION IETF SNPv2 Working Group CONTACT -INFO Keith McCloghrie DESCRIPTION The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes. REVISION 019331000Z ::= {mib-2 48} 8: Network Management 27 8: Network Management 28 SNMP MIB SNMP Naming MIB module specified via SMI MODULE-IDENTITY (100+ standards-based MIBs written by IETF, more vendor-specific) MODULE OBJECT TYPE: OBJECT TYPE: OBJECT TYPE: question: how do we keep track of/name every possible standard object (protocol, data, more..) in every possible network standard?? answer: ISO Object Identifier tree: hierarchical naming of all objects each branchpoint has name, number 1.3.6.1.2.1.7.1 objects specified via SMI OBJECT-TYPE construct 8: Network Management 29 ISO ISO-ident. Org. US DoD Internet udpindatagrams UDP MIB2 management 8: Network Management 30 5

OSI Object Identifier Tree Check out www.alvestrand.no/harald/objectid/top.html 8: Network Management 31 MIB example: UDP module Object ID Name Type Comments 1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 total # datagrams delivered at this node 1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # underliverable datagrams no app at portl 1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams all other reasons 1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # datagrams sent 1.3.6.1.2.1.7.5 udptable SEQUENCE one entry for each port in use by app, gives port # and IP address 8: Network Management 32 SNMP protocol SNMP protocol: message types Two ways to convey MIB info, commands: managing entity managing entity Message type GetRequest GetNextRequest GetBulkRequest Function Mgr-to-agent: get me data (instance,next in list, block) request response trap msg InformRequest SetRequest Mgr-to-Mgr: here s MIB value Mgr-to-agent: set MIB value Managed device request/response mode: Give me your regular report Managed device trap mode: Better hear about this now! 8: Network Management 33 Response Trap Agent-to-mgr: value, response to Request Agent-to-mgr: inform manager of exceptional event 8: Network Management 34 SNMP protocol: message formats SNMP security and administration encryption: DES-encrypt SNMP message authentication: compute, send Message Integrity Code (MIC) MIC(m,k): compute hash (MIC) over message (m), secret shared key (k) protection against playback: use nonce view-based access control SNMP entity maintains database of access rights, policies for various users database itself accessible as managed object! 8: Network Management 35 8: Network Management 36 6

Multi Router Traffic Grapher (MRTG) Outtakes SNMP client Will gather data from remote machines via SNMP Graphs changes in info over time 8: Network Management 37 8: Network Management 38 Packet Filtering Firewall: Disadvantages Filters can be difficult to configure. It s not always easy to anticipate traffic patterns and create filtering rules to fit. Filter rules are sometimes difficult to test Packet filtering can degrade router performance Attackers can tunnel malicious traffic through allowed ports on the filter. Application Gateway (Proxy Server): Disadvantages Requires modification to client software application Some client software applications don t accommodate the use of a proxy Some protocols aren t supported by proxy servers Some proxy servers may be difficult to configure and may not provide all the protection you need. 8: Network Management 39 8: Network Management 40 Snort: Sample IDS output Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544 xxx.yyy.zzz.41:37987 Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544 xxx.yyy.zzz.41:37987 Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221 xxx.yyy.zzz.34 Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033 xxx.yyy.zzz.29:111 Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67 xxx.yyy.zzz.126 Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649 xxx.yyy.zzz.29:111 Apr 12 20:19:34 ids snort: BACKDOOR back orrifice attempt: 209.255.213.130:1304 xxx.yyy.zzz.241:31337 Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410 xxx.yyy.zzz.23:53 Example: smtp.rules alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"smtp RCPT TO overflow"; flags:a+; content:"rcpt to 3a "; dsize:>800; reference:cve,can-2001-0260; reference:bugtraq,2283;classtype:attempted-admin; sid:654; rev:1;) alert tcp $EXTERNAL_NET 113 -> $SMTP 25 (msg:"smtp sendmail 8.6.9 exploit";flags: A+; content:" 0a D/"; reference:arachnids,140; reference:cve,cve-1999-0204; classtype:attempted-admin; sid:655; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"smtp expn root";flags: A+; content:"expn root"; nocase; reference:arachnids,31;classtype:attempted-recon; sid:660; rev:2;) 8: Network Management 41 8: Network Management 42 7

8: Network Management 43 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information