Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 5 – Tools and Procedures


Welcome back all, this part of the series we will test some of the methods described previously as outlined on the upcoming sections where we will discuss the tools and the procedures followed to attempt such tests and then in the final sections of this series we will discuss the results.

The tools used in this study are all preinstalled into Backtrack operating system with the exception of snort; although snort is also installed in Backtrack a separate installation was used. The tools discussed in this chapter are used throughout the experiments.

Please note that as previously mentioned, this series contained sections from an entire Distinctions Grade MSc. Dissertation that I have attempted as part of my master’s degree years back and I have tried my best to keep it without any modifications as best as I can.

The dissertation is very long and as was described by my supervisor, was a PHD grade level research, therefore I have tried to keep it as short as possible for this blog series without impacting the benefits I am intending to pass forward to the InfoSec community and I hope you all enjoy it.

Snort IDS

According to Richard Bejtlich (2005, pg 149) snort is a network intrusion detection system that can also be used for packet capture and analysis.

Snort NIDS in standby mode

A more detailed description of snort is given by (Brandon Franklin 2006, p.3):

Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. It’s a lightweight, network-based IDS that can be set up on a Linux or Windows host. While the core program uses a Command Line Interface (CLI), graphical user interfaces (GUIs) can also be used. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Snort consists of two basic parts:

  • Header where the rules “actions” are identified.
  • Options where the rules “alert messages” are identified.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 5 – Tools and Procedures

2. Guidelines For Secure Network Administration – part 1


Installing networks and making sure they’re able to communicate and talk to each other is the end of it for a network administrator. There are some guidelines that many admins neglect, which exposes the network and makes them vulnerable to attacks. In this section I’ll try to cover some of these guidelines. These guideline can be used as a general security guidelines and not just network security.

Rule-based Management

Firewalls, proxies, routers, IDPSs (IDS/IPS), antivirus, and more are example of rule-based security devices. Rule-based managements is a method of controlling the network activity via the use of rule-based devices. Each rule can either be explicit allow or deny. Continue reading 2. Guidelines For Secure Network Administration – part 1

1. Network Security – part 2


1.1.        Security functions of network devices – Continued

VPN Concentrator

VPN (Virtual Private Network) will be discussed in the future as a chapter of its own due to its importance in the network security world.

VPN concentrators are sometimes known by many other names such as VPN servers, VPN firewalls, VPN RAS (VPN Remote Access Servers), VPN Proxies, etc.

VPN concentrators allows for high availability, high scalability and performance for VPN connections. They’re hardware appliances designed to facilitate a large number of multiple simultaneous VPN connections, usually hundreds or even in some implementations thousands of simultaneous VPN connections. Continue reading 1. Network Security – part 2

1. Network Security – Part 1


1.1.        Security functions of network devices

Firewalls

Firewalls are security devices designed to control traffic and protect networks from each other they’re usually applied to protect high trust networks from low trust ones or to stop networks part of the same organisation but from different departments. They can be either hardware or software.

There are four different types of firewalls:

Packet filter Firewalls – uses the packet header to do basic traffic filtering usually based of the source and destination address, port numbers and protocols. They operate in the network and transport layers of the OSI model. Continue reading 1. Network Security – Part 1