Traditional and Wireless IDS/IPS Techniques - Research Paper Example

Summary
This essay focuses on Traditional and Wireless IDS/IPS Techniques. Most IPS/IDS (Intrusion Prevention System / Intrusion detection system) programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack…

Extract of sample "Traditional and Wireless IDS/IPS Techniques"

Traditional and Wireless IDS/IPS Techniques

Security in computer networks has marked its significance. Senior management addresses security issues to an optimal level and enforces strict security procedures in order to protect strategic and financial assets. Previously, firewalls and other related monitoring tools were not sufficient to meet the needs of an efficient security architecture. Likewise, new and improved sensing technologies are now mandatory for any organization maintaining highly classified data. Consequently, IPS/IDS (Intrusion Prevention System / Intrusion Detection System) were invented. They are derived from the traditional security appliances and are defined by the Computer Desktop Encyclopedia as a sensor "set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack. Intrusion detection is very tricky. Too much analysis can add excessive overhead and also trigger false alarm". IDS are of many types, and organizations choose the type that best suits their prioritized mission-critical systems. The types include network-based IDS, host-based IDS and software-based IDS. These types are further categorized into signature-based IDS, also referred to as misuse detection, and anomaly detection. In the current scenario, IT administrators have found that an intruder, from inside or outside the organization's premises, is trying to bypass a corporate access point. Before demonstrating the steps for capturing and eliminating the attack, we compare the two types of IDS/IPS, i.e. signature-based IDS and anomaly-based IDS. After discussing these two basic types of IDS, we will be able to select an appropriate type of IDS for this specific scenario.

Signature Based IDS

The functionality of a 'signature based IDS' depends on known signatures. The word 'known' is important: threats detected so far are categorized as known threats and are called signatures. A signature-based IDS only detects threats similar to the defined, available signatures and does not cope with any new threat, whereas an anomaly-based IDS detects unknown activities within the network and reports them as threats and vulnerabilities. These two IDS types use different methods, processes and profiles. The signature-based IDS analyzes and identifies specific attack patterns that are recognized in raw data in terms of byte sequences called strings, port numbers, protocol types etc. Likewise, apart from the normal operational pattern, a signature-based IDS detects any activity that deviates from the previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime objective of a 'signature based IDS' is to search for signatures in order to detect a threat or vulnerability, much as antivirus software searches for viruses. The function of the IDS is to detect attacks directed at the network. Moreover, the IDS tries to identify as many events as possible and therefore generates logs. The IDS is located behind the firewall so that it can analyze packets that have passed through the firewall. The detection engine of the IDS compares packets against predetermined rules in order to deny or accept them. The rules are categorized into two domains, i.e. chain headers and chain options. The structure of a signature contains the following attributes: identification number, message and rule. In the current scenario, a threat has been detected that is trying to gain access to the confidential data of the organization; probably the signature-based IDS has detected this particular threat.
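The signature structure described above (identification number, message, and a rule split into a chain header and chain options) as a small matcher run over constructed packets; this is an added example, not code from the essay or from any IDS product, and every rule, address and payload in it is made up for illustration.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    payload: bytes
@dataclass
class Signature:
    # Attributes the essay lists: identification number, message and rule; the rule splits
    # into a chain header (protocol, port) and chain options (byte strings in the payload).
    sid: int
    message: str
    proto: str
    dport: int
    contents: List[bytes] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        # Chain header first: cheap, and rules out most packets.
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        # Chain options: every content string must be present in the payload.
        return all(c in pkt.payload for c in self.contents)

# Constructed signature repository (hypothetical rules written for this example).
REPOSITORY = [
    Signature(1001, "HTTP request carrying a directory traversal sequence", "tcp", 80, [b"GET ", b"../.."]),
    Signature(1003, "Telnet login prompt seen on the wire", "tcp", 23, [b"login:"]),
]
def inspect(packets: List[Packet], repo=REPOSITORY):
    """Return (sid, message, src) for every packet that matches a known signature.
    A packet matching no rule passes silently: a signature IDS has no rule for the unknown."""
    alerts = []
    for pkt in packets:
        for sig in repo:
            if sig.matches(pkt):
                alerts.append((sig.sid, sig.message, pkt.src))
                break   # one alert per packet: stop at the first matching rule
    return alerts

# Constructed sample traffic: documentation-range addresses, made-up payloads.
SAMPLE = [
    Packet("tcp", "198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),  # known pattern
    Packet("tcp", "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),        # benign
    Packet("tcp", "203.0.113.4", 23, b"login: "),                              # known pattern
    Packet("udp", "203.0.113.4", 80, b"GET /../../ HTTP/1.1\r\n"),             # header mismatch
    Packet("tcp", "203.0.113.9", 80, b"GET /x?arg=NOT-IN-REPOSITORY HTTP/1.1\r\n"),  # no rule
]
```

The last packet shows the limitation the essay states: with no signature in the repository for it, the packet is accepted, which is what an anomaly-based IDS is meant to cover.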
Anomaly Based IDS

An anomaly-based intrusion detection system is based on a data-driven methodology that uses data mining techniques. The functionality of an anomaly-based IDS involves the creation of profiles associated with normal behavior and activities within the network. Any unknown activity that does not resemble the normal profiles is considered an anomaly or attack. Moreover, the routines of the normal profiles are also monitored; if they exceed their given boundaries, they too are considered anomalies, which are also called false positives. An efficient anomaly-based IDS may achieve a high detection success rate along with a low false positive rate. Moreover, these systems are categorized into various sub-categories including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are more commonly used for detecting intrusions by finding any anomaly that has been initiated within the network (Aydın, Zaim, & Ceylan, 2009). By combining these two types of IDS, network administrators eliminate or fill vulnerabilities within the network.

1.1.1 IPS/IDS Actions

As threats are detected within the network and from an external source, the network administrator will follow these steps until the threats are detected and eliminated. These procedural steps can be replicated (Paquet, n.d.):

Configuring Deny attacker inline: This feature is configured to monitor attacks from the wireless hacker on the network within a specific time. Moreover, the feature will also show the activity of eliminating the threat from the network. By reviewing the frequency of attacks from inside and outside the organization's premises, the network administrator can infer the algorithms and techniques currently being used by the hacker.
Configuring Deny connection inline: By configuring this option, the network administrator will identify the TCP streams, both internal and external, that the hacker is using to attack the network, and will set both of these streams to terminate.
Deny packet inline: During the process, any packet coming from the wireless stream that acts abnormally can be terminated by this feature.
Configuring Log attacker packets: This option logs the packets coming from the attacker's source and transmits an alert.
Configuring Log pair packets: The network administrator can also set logging for both the attacker and the victim.
Request block connection: On the analysis of the above mentioned steps, the firewall receives a message to block the specific, identified data stream.
Request block host: If the hacker's host is identified, the firewall will block and restrict access from that host.

Snort

In order to deploy Snort, the network administrator will inject a tracing mechanism that collects raw data packets from the network interfaces. In the current scenario, protocols related to wireless access will be considered, i.e. WAN, SLIP, PPP and VPN, by deploying the kernel named 'Libpcap', in order to prepare for the preprocessing mechanism in the packet decoder (Kumar, Bhaskari, Avadhani, & Kumar, 2010). Likewise, the preprocessor modifies data packets on their way to the detection engine, in order to analyze them and generate alerts for anomalies related to wireless attacks associated with the packet headers. Likewise, the core function of a preprocessor is to prepare or shape the network traffic for the rules that are applied at the next stage, the detection engine. This is usually called packet defragmentation. Moreover, Snort will decode HTTP and will also reconstruct the TCP streams that are currently being used by the hackers.
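The anomaly-based approach and the first of the IPS actions above (statistical profile of normal behavior, deviation beyond a boundary treated as an anomaly, including the false positive case, and a time-limited "deny attacker inline" block), as an added example that is not the essay's own material; the baseline rates, host addresses and the 3-sigma boundary are assumptions made for the illustration.

```python
from statistics import mean, pstdev
# Constructed training data: connections per minute seen from each internal host
# during a quiet baseline window (hypothetical values, not a real capture).
BASELINE = {
    "10.0.0.5": [12, 14, 11, 13, 15, 12, 14],
    "10.0.0.9": [40, 38, 42, 41, 39, 40, 40],
}

def build_profiles(baseline, k=3.0):
    """Statistical profile per host: mean rate and an upper boundary of mean + k*sigma.
    Sigma is floored at 1.0 so a perfectly flat baseline still leaves some slack."""
    profiles = {}
    for host, samples in baseline.items():
        mu, sigma = mean(samples), pstdev(samples)
        profiles[host] = (mu, mu + k * max(sigma, 1.0))
    return profiles

def detect(profiles, observations):
    """Return (host, rate, reason) for every observation outside its profile.
    A host with no profile is unknown activity and is reported as well. A legitimate
    burst above the boundary is reported too: that is the false positive case."""
    alerts = []
    for host, rate in observations:
        if host not in profiles:
            alerts.append((host, rate, "unknown host, no normal profile"))
            continue
        mu, bound = profiles[host]
        if rate > bound:
            alerts.append((host, rate, f"rate exceeds boundary {bound:.1f} (mean {mu:.1f})"))
    return alerts

class InlineDeny:
    """'Deny attacker inline': drop traffic from a source for a fixed time window,
    after which the block expires and the source is evaluated afresh."""
    def __init__(self, window_seconds):
        self.window = window_seconds
        self.blocked = {}              # host -> expiry time in seconds
    def deny(self, host, now):
        self.blocked[host] = now + self.window
    def is_blocked(self, host, now):
        expiry = self.blocked.get(host)
        if expiry is None:
            return False
        if now >= expiry:              # window elapsed: lift the block
            del self.blocked[host]
            return False
        return True

# Constructed observations for one minute: a normal host, a burst, a busy host slightly
# over its boundary (the false positive), and an address with no profile at all.
OBSERVED = [("10.0.0.5", 14), ("10.0.0.5", 120), ("10.0.0.9", 45), ("192.0.2.77", 3)]
```

Feeding each alert's host into `InlineDeny.deny` with the current time gives the time-bounded block the essay describes; the 10.0.0.9 alert shows why the boundary (the value of k) has to be tuned against the false positive rate.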
The detection engine is time-based and operates an extensive evidence collection mechanism (Kumar, Bhaskari, Avadhani, & Kumar, 2010). It is time-based because, if many rules are applied, packet processing will consume time. The detection engine of Snort stops processing whenever a rule is matched. The network administrator will only apply rules to the protocols currently being utilized by attackers. According to the defined parameters of a specific rule, the detection engine will log the packet or else generate an alert. Consequently, before Snort generates an alert, it makes sure that all rules are matched. The next component of Snort, known as the collection engine, collects evidence from the hosts and networks as input for a forensic investigation team (Kumar, Bhaskari, Avadhani, & Kumar, 2010).

Windump

Windump will detect any unknown malware installation on each workstation, including servers, on the network. The primary focus is to analyze and report any file installed on a workstation that provides remote access to the hacker. The tool is specifically developed to support functions related to digital forensics investigation. It can specifically analyze traffic broadcast from a workstation that has malware installed on it. Likewise, it extracts source information from the packet header in terms of IP addresses. Moreover, the tool can also help the investigation team filter the required information. For instance, if the investigation team is currently analyzing SSL packets because of an online crime, the tool will provide only information related to SSL packets and ignore the rest.

References

Ids. (2011). Computer Desktop Encyclopedia, 1.
Paquet, C. (n.d.). Implementing Cisco IOS network security (IINS): (CCNA security exam 640-553) (authorized self-study guide). Cisco Press.
Aydın, M. A., Zaim, A. H., & Ceylan, K. G. (2009). A hybrid intrusion detection system design for computer network security. Computers & Electrical Engineering, 35(3), 517-526. doi:10.1016/j.compeleceng.2008.12.005
Kumar, T. P., Bhaskari, L., Avadhani, P., & Kumar, P. V. (2010). Digital evidence collection in cyber forensics using Snort. Proceedings of the International Conference on Information Warfare & Security, 216-222.
