A Network Intrusion Detection System and Security Attacks - Assignment Example

Summary
The paper "A Network Intrusion Detection System and Security Attacks" gives detailed information about the signature-based IDS technique, a network-based intrusion detection system. It tracks packets flowing over the whole network in promiscuous mode…

Extract of sample "A Network Intrusion Detection System and Security Attacks"

PREVENTION TO THREATS AND ATTACKS

INTRODUCTION

Intrusion detection has become an important field. It is both a research area and a critical information security tool. A Network Intrusion Detection System monitors networks for intrusions and attacks, reporting any anomalies to the administrator. Today, computers may form distributed and networked systems that span buildings thousands of miles apart. Networks in such systems serve both as communication pathways between the computers and as intrusion pathways. The system detects and combats common attacks on networks by following the signature-based IDS methodology for identifying attacks. A signature-based IDS monitors the network for packets and compares them against signatures, or known threats, in the database.

AIM

The tremendous increase in sensitive services and information on networks has made security very important. However, the more network technologies have developed, the more network attacks have increased in severity and number. Intrusion detection systems (IDS) can effectively provide network security by preventing, detecting, and possibly fighting attacks. Such systems monitor sources of activity while employing various security techniques. Therefore, they ought to be precise, quick in identifying attacks and in training, and generate very few false positives.

LITERATURE REVIEW

Network Intrusion Detection Systems (NIDS) monitor networks for intrusions or attacks, reporting them to the administrator for necessary action. A sufficiently large NIDS server may be set up on a network backbone to check and assess all traffic, or smaller systems may be set up to check and assess traffic for a specific server, gateway, switch, or router. The computing environment is constantly evolving, and this demands intrusion detection products that help manage attacks in this changing environment.
Threats can be individuals or groups that wish to compromise a computer system, such as disgruntled employees, rival companies, or even foreign governments, and their attacks can be devastating to network systems. Intrusion attacks are those where an attacker enters one's network to read, damage, and/or steal data (Albitz 1992). These attacks can be divided into two groups: pre-intrusion activities and intrusions.

Pre-intrusion activities

These are activities used to prepare before intruding into a network. They include port scanning to find a way into the network and IP spoofing to mask the attacker's identity.

Port scans: A scanner is a program that probes a system remotely to establish which TCP/UDP ports are open and whether they are subject to attack. It identifies a computer at risk within the network, finds the services that are installed on the computer, and shows weaknesses in operation (Hudson Kurt and Stewart Michael 1998).

IP spoofing: Spoofing is the impersonation of a machine by forging the source IP address. By spoofing the address of a trusted port, an attacker who makes use of firewall tools can gain access to packets.

Intrusions

Source routing attack: In such attacks, hackers strive to reach privately owned IP addresses on a network by changing the route of traffic to another computer that can be accessed from the local network and from the global Internet.

Trojan attacks: Trojans are programs that pose as other programs and permit hackers to hijack your machine, browse drives, download or upload data, etc.

Registry attack: These attacks occur when a user remotely connects to a Windows machine's registry and tries to make, or makes, alterations to the registry settings. Such attacks can be prevented by configuring permissions to limit access.

Password hijacking attacks: This entails gaining unauthorized access to protected systems by finding legitimate passwords.
It can be achieved through social engineering (getting authorized users to give up their passwords through intimidation, trickery, or persuasion) or by employing brute force (Liu 1994).

Dangerous attacks

i. Packet sniffing
Packet sniffers need a network interface that is in promiscuous mode. They also require administrative privileges on the computer being used to sniff packets. Such systems use network probes to capture raw packet data, from which packet information such as source and destination IP addresses can be obtained.

ii. IGMP KOD
A KOD (Kiss of Death) is a denial-of-service attack that results in a "Blue Screen" error message or an instantaneous computer reboot. When sent to a victim's computer, it alters the IGMP (Internet Group Management Protocol) packets, causing the TCP/IP stack to fail (Liu 1994).

iii. DOS attack
Denial-of-service (DOS) attacks are attempts to make computer resources unavailable to their intended users. DOS attacks violate the Internet proper use policies as specified by the Internet Architecture Board (IAB). DOS attacks have two general forms:
I. Eliminating the resource by forcing the victim's computer to reset or to consume it.
II. Obstructing communication between the intended users and the victim, for example by flooding a network.

iv. DOS conceal
Large numbers of spoofed UDP packets sent to the firewall may cause the Conceal firewall product to reboot the system or lock it up. This may happen in two ways: if Conceal is in "learning" mode, large numbers of packets cause the software to repeatedly try to write new rules; and if Conceal is set to keep a log of attacks, system resources may be used up, leading to the death of the machine.

v. DOS bloop
It works by sending numerous ICMP packets to target computers. Since the computers have to respond to each of these packets, the machines' bandwidth is exhausted, denying legitimate users access to the computers.
METHODOLOGY

Network design

Below are the mandatory steps to implement an effective plan and run a security strategy:

1. Identify network security assets.
2. Analyze system security risks.
3. Determine security requirements and available tradeoffs.
4. Develop a system security plan.
5. Define network security policy (NSP).
6. Come up with procedures for applying security policies.
7. Design the technical implementation strategy.
8. Achieve acceptance from users.
9. Train users.
10. Implement the security procedures.
11. Test.
12. Maintain security system.

Network assets to be used in a network security system should be composed of:

• Network hosts (together with operating systems, applications, and data)
• Internetworking devices (routers and switches)
• Network data

Other requirements include intellectual property and trade secrets.

Design requirements

1. Systems software

The security system software should have the capabilities elaborated below.

Packet Sniffer
The sniffer records traffic to the network through operating adapters. Installation should be done on a system at the other end of the network.

Determination of attack signatures
Attack signatures are patterns of attack traffic modeled on the packet header pattern followed by a particular attack. This entails counts of packets from a specific target, or from a specific source or destination port.

Identification and definition of attacks
This entails extracting important information from the recorded local traffic, such as the source or destination IP address, and then comparing the details with the modeled attack signatures to establish whether an attack occurred.

Reporting of attack details
Reporting involves giving attack information, such as the victim and source IP addresses, to the administrator so that evasive action may be taken.

Signature based intrusion detection
This detection system monitors events and matches them against a database of previous attack signatures in order to detect intrusions.
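The signature determination, identification and reporting steps described above, sketched as an added example (not code from the original paper). The Header and Signature types, the detect function, the thresholds and the sample addresses are all constructed for illustration; signatures here are a header pattern plus a packet or destination-port count within a time window.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Header:                # fields taken from one captured packet header
    ts: float                # capture time, seconds
    src: str
    dst: str
    proto: str               # "TCP", "UDP" or "ICMP"
    dport: int = 0
    flags: str = ""          # TCP flags, "S" = bare SYN

@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    flags: Optional[str]     # required TCP flags, None = any
    metric: str              # "packets" or "distinct_dports"
    threshold: int
    window: float            # seconds

# Hypothetical thresholds picked for the sample data below, not tuned values.
SIGNATURES = [
    Signature("syn-port-scan", "TCP", "S", "distinct_dports", 10, 5.0),
    Signature("icmp-flood", "ICMP", None, "packets", 50, 1.0),
]

def detect(headers, signatures=SIGNATURES):
    """Return sorted (signature, source IP, victim IP) alerts for the admin."""
    alerts = set()
    for sig in signatures:
        flows = defaultdict(list)            # (src, dst) -> matching headers
        for h in sorted(headers, key=lambda h: h.ts):
            if h.proto == sig.proto and sig.flags in (None, h.flags):
                flows[(h.src, h.dst)].append(h)
        for (src, dst), pkts in flows.items():
            start = 0
            for end, pkt in enumerate(pkts):
                while pkt.ts - pkts[start].ts > sig.window:
                    start += 1               # slide the time window forward
                win = pkts[start:end + 1]
                value = len(win) if sig.metric == "packets" else len({p.dport for p in win})
                if value >= sig.threshold:
                    alerts.add((sig.name, src, dst))
                    break
    return sorted(alerts)

def sample_traffic():
    """Constructed headers: a SYN scan, an ICMP flood and normal HTTPS."""
    scan = [Header(i * 0.1, "203.0.113.5", "192.0.2.10", "TCP", 1000 + i, "S") for i in range(20)]
    flood = [Header(10 + i * 0.01, "198.51.100.7", "192.0.2.20", "ICMP") for i in range(80)]
    web = [Header(20.0 + i, "192.0.2.30", "192.0.2.10", "TCP", 443, "S") for i in range(5)]
    return scan + flood + web
```

The threshold and window of each signature are what an administrator tunes: too strict and ordinary traffic raises alerts, too loose and traffic that departs slightly from the modeled pattern goes unreported.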
Common signature-based IDS are SNORT, Network Flight Recorder, Net Ranger, and Real Secure. This system achieves its objectives by following the signature-based IDS methodology, searching for known attacks or signatures of specific intrusion events. The approach has two limitations. First, signature-based solutions can easily be fooled by changing the way in which attacks are made. Second, where the signature database is advanced, the CPU load on the system charged with the analysis is higher. Inevitably, at the highest possible bandwidth, packets may be dropped (Allchin 1983).

2. NSP

This is an official statement of the rules that those who have access to the organization's technology and information assets must abide by. It informs users and technical staff of their individual responsibilities for protecting technology and information assets. The NSP should spell out the mechanisms for meeting these obligations. The NSP contains access policy, authenticity, accountability, and privacy policy.

3. NMAP

NMAP was the source of the unusual new scan patterns detected by Shadow IDSs on the Internet. The signature of these scans is SYN packets sent to random destination ports over a discrete range of values. At the end of the scans, we commonly see a few packets to high-numbered TCP and UDP ports, followed by a small number of packets to a common destination port. The two basic scan types used most in NMAP are TCP connect scanning and SYN scanning, also known as stealth scanning.

4. DNS solinger

Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols; it provides an openly redistributable reference implementation of the major components of the Domain Name System. The BIND SOLINGER weakness could permit remote attackers to hang the service for up to 120 seconds by initiating abnormal TCP connections to it.
On some systems it is also possible to set the system SOLINGER timeout to a lower value.

5. Testing tools

Numerous testing tools are available to detect and verify intrusion attacks. In picking one of these systems, the system administrator or the business concerned should always ensure that the chosen system meets a few requirements. It should provide an industry-approved software solution for auditing and testing the recognition and response capabilities of intrusion detection systems (Albitz 1992). Features include:

• Traffic Replay
• Traffic scan list
• Reporting
• Traffic file editor
• Command prompt

CONCLUSION

Using the signature-based IDS technique, a network-based intrusion detection system has been successfully created. It tracks packets flowing over the whole network in promiscuous mode and compares the traffic against crafted attack signatures. The attack log displays records of attack headers for suspicious traffic. The system can run in the background as it monitors the network. It also allows the incorporation of functions that detect the adapters installed in the system, select an adapter for capture, stop data capture, and clear data that has been captured. It can be used standalone to give attack alerts to the administrator; it can also be used as a base system for developing a network intrusion prevention system.

LIST OF REFERENCES

ALBITZ, Paul, and LIU, Cricket (1992). DNS and BIND. vol. 2. 2 ed., Harvard, Harvard University Press.
ALLCHIN, J.E. (1983). An Architecture for Reliable Distributed Systems. Technical report, Georgia Inst. of Tech. (23).
HUDSON, Kurt, and STEWART, Michael (1998). TCP/IP. vol. 2. 2 ed., Chicago, The Coriolis Group.
HUNT, Craig (1992). TCP/IP Network Administration. vol. 1. 2 ed., Washington, O'Reilly & Associates.
LIU (1994). Managing Internet Information Services. vol. 3. 3 ed., Illinois, O'Reilly & Associates.
Prevention to Threats and Attacks on Computer Network Assignment. Retrieved from https://studentshare.org/information-technology/1638609-prevention-to-threats-and-attacks-on-computer-network