1.1 NETWORK SECURITY It is the protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security also includes data integrity. Network security involves all activities that organizations, enterprises, and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them. Need For Network Security With the rapid growth of interest in the Internet, network security has become a major concern to companies throughout the world. The fact that the information and tools needed to penetrate the security of corporate networks is widely available. Because of this increased focus on network security, network administrators often spend more effort protecting their networks than on actual network setup and administration. Providing access to your network services and providing access to the outside world through your organization gives many benefits. However, the more access that is provided, the greater the danger that someone will exploit the increased vulnerability that results. We refer to an individual who attempts to access network or computer resources without authorization as a network intruder, or intruder. The intruder can be further classified as either a cracker or a hacker. 1.2WHAT IS IDS? In the last three years, the networking revolution has finally come of age. More than ever before, we see that the Internet is changing computing. The possibilities and opportunities are limitless; unfortunately, so too are the risks and chances of malicious intrusions. An intrusion attempt or a threat is the potential possibility of a deliberate unauthorized attempt to
Access information, Manipulate information, or Render a system unreliable or unusable
It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appear, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection. “Intrusion Detection” is the art of detecting inappropriate, incorrect, or anomalous activity. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. Intrusion detection systems provide a mechanism to detect attacks that were not foreseen or covered by other security mechanisms. 1.2 NEED FOR IDS DYNAMIC DEFENSIVE SYSTEM Firewalls are simply a device that shuts off everything, and then turns back on only a few well-chosen items. A firewall is simply a fence around your network, with a couple of well-chosen gates. A fence has no capability of detecting somebody trying to break in (such as digging a hole underneath it), nor does a fence know if somebody coming through the gate is allowed in. Firewall is not the dynamic defensive system that users imagine it to be. In contrast, an IDS is much more of that dynamic system. An IDS does recognize attacks against the network that firewalls are unable to see. MONITORING INSIDER ATTACKS
Another problem with firewalls is that they are only at the boundary to your network. Roughly 80% of all financial losses due to hacking come from inside the network. A firewall at the perimeter of the network sees nothing going on inside. It only sees that traffic which passes between the internal network and the Internet. But IDS is capable of monitoring insider attacks. TRIANGULAR SECURITY Implementing intrusion detection gives potential intruders no place to hide, but it cannot replace a firewall or anti virus program. All three-security technologies need to be integrated thereby providing a figurative triangle of security, a synergistic barrier around a computer and network. Hence this project focuses on detecting insider attacks using Host-based IDS. 1.4 HOME FOR IDS Network hosts Even though intrusion detection systems have traditionally been used as probes, they can also be placed on hosts. IDS installed like virus-scanning software is the most effective way to detect such intrusions. Network perimeter IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks. WAN backbone Another high-value point is the corporate WAN backbone. A frequent problem is hacking from "outlying" areas to the main corporate network. Since WAN links tend to be low bandwidth, IDS systems can keep up. Server farms Serves are often placed on their own network, connected to switches. The problem these servers have, though, is that IDS systems cannot keep up with highvolume traffic. For extremely important servers, you may be able to install dedicate
IDS systems that monitor just the individual server's link. Also, application servers tend to have lower traffic than file servers, so they are better targets for IDS systems. LAN backbones IDS systems are impractical for LAN backbones, because of their high traffic requirements. Some vendors are incorporating IDS detection into switches. A full IDS system that must reassemble packets is unlikely to keep up. A scaled-down system that detects simpler attacks but can keep up is likely to be a better choice.
2. TYPES OF IDS
Intrusion Detection systems that operate on a host to detect malicious activity on that host are called „host-based ID systems‟ and systems that operate on network data flows are called „network-based ID systems‟.
2.1 HOST-BASED IDS Host based ID involves loading a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. Host-based ID involves not only looking at the communications traffic in and out of a single computer, but also checking the integrity of our system files and watching for suspicious processes. To get complete coverage at our site with host-based ID, we need to load the ID software on every computer. There are two primary classes of host-based intrusion detection software. Host wrappers/personal firewalls software Agent-based software Both are relatively effective for detecting attacks from the outside. Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine. Host-based agents may be able to monitor accesses and changes to critical system files and changes in user privilege The software should be tailored to the individual computer that's being monitored. For example, if a machine has only a handful of users, perhaps only the connections from the outside and the integrity of the system files need to be monitored; whereas, a machine with a lot of users or network traffic may need more stringent monitoring.
2.2 NETWORK BASED IDS
A network- based ID system monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Traffic on other network segments will not be monitored. Network-based ID involves looking at the packets on the network as they pass by some sensor. Packets are considered to be of interest if they match a signature. Three primary types of signatures are string signatures, port signatures, and header condition signatures. String signatures look for a text string that indicates a possible attack. Port signatures simply watch for connection attempts to well known, frequently attacked ports. Header signatures watch for dangerous or illogical combinations in packet headers. “Truly effective IDS” will use a combination of network- and host-based intrusion detection. Figuring out where to use each type and how to integrate the data is a real and growing concern.
3. EXPLORING INTRUSION DETECTION SYSTEM
3.1 INTRUSION SCENARIO 3.1.1 Physical Intrusion If intruders have physical access to a machine, they will be able to get into the system. Techniques range from special privileges the console has, to the ability to 5
physically take apart the system and remove the disk drive. Even BIOS protection is easy to bypass. 3.1.2 System Intrusion If the system doesn't have the latest security patches, there is a good chance an intruder with low level user privileges uses the loop holes in the system in order to gain additional administrative privileges. 3.1.3 Remote Intrusion This type of hacking involves a intruder who attempts to penetrate a system remotely across the network. The intruder begins with no special privileges. There are several forms of this hacking like spoofing, sniffing etc. 3.2 INTRUDERS FOOT HOLD Software always has bugs. System Administrators and Programmers can never track down and eliminate all possible holes. Intruders have only to find one hole to break in. Software bugs Software bugs are exploited in the server daemons, the client applications, the operating system, and the network stack. Software bugs can be classified in the following manner: Buffer Overflows Unexpected Combinations Unhandled Input Race Conditions
System configuration System configuration bugs can be classified in the following manner:
Default Configurations Host Creation Trust Relationship
Password cracking This is a special category all to itself. Really weak Passwords Dictionary Attacks Brute Force Attacks
Sniffing unsecured traffic Design flaws Even if a software implementation is completely correct according to the design, there still may be bugs in the design itself that leads to intrusions TCP/IP Protocol Flaws UNIX Design Flaws Shared Medium Server Sniffing Remote Sniffing
5. ETHICAL HACKING TECHNIQUES
5.1 RECONNAISANCE The intruder uses more invasive techniques to scan for information, but still doesn't do anything harmful. They might do a 'ping' sweep in order to see which machines are alive. They might do a UDP/TCP scan/strobe on target machines in order to
see what services are available. At this point, IDS will be able to tell you that "somebody is checking door handles", but nobody has actually tried to open a door yet. 5.1.1 Port scanning TCP scans Probes for open (listening) TCP ports looking for services the intruder can exploit. Scans can use normal TCP connections or stealth scans that use halfopen connections (to prevent them from being logged) or FIN scans (never opens a port, but tests if someone's listening). Scans can be sequential, randomized, or configured lists of ports. UDP scans These scans are a little bit more difficult because UDP is a connectionless protocol. The technique is to send garbage UDP packet to the desired port. Most machines will respond with an ICMP "destination port unreachable" message. 5.1.2 Information gathering using ICMP ICMP messages with different code and type values can be used to get different kinds of information on the remote system. Information gathering is the first step a hacker takes to detect any loopholes in the target system. ICMP will not tell everything but give quite a lot of information. Ping sweeps This simple scan simply pings a range of IP addresses to find which machines are alive. Note that more sophisticated scanners will use other protocols (such as an SNMP sweep) to do the same thing.
By sending illegal (or strange) ICMP or TCP packets, an intruder can identify the operating system. Each operating system's unique responses to invalid inputs form a
signature that hackers can use to figure out what the target machine is. This type of activity occurs at a low level (like stealth TCP scans) that systems do not log. 5.2 EXPLOITS The intruder crosses the line and starts exploiting possible holes in the target machines. The intruder might attempt to exploit well-known buffer-overrun holes by sending large amounts of data. The intruder may start checking for login accounts with easily guessable (or empty) passwords. The hacker may go through several stages of exploits. For example, if the hacker was able to access a user account, they will now attempt further exploits in order to get root/admin access.
5.2.1 IP spoofing Spoofing involves fooling the distant computer into believing that they are a legitimate member of the network. An intruder can pretend to be you when talking to a server. The intruder never sees the response packets The intruder won't get data back this way, but can still send commands to the server pretending to be you. IP spoofing is frequently used as part of other attacks like TCP sequence number prediction, denial of service.
5.2.2 Sniffing Sniffing involves listening to packets in the network that are not intended to them. Setting the Network Interface Card of the machine in Promiscuous mode does it. The purpose of sniffing is for Getting usernames and passwords For reading traffic Analyzing network
5.3 DENIAL-OF-SERVICE (DOS) ATTACKS
It is to prevent the victim from getting access to a particular resource .It is done by overloading network links, disrupting the connections between two machines, attacking client or server, overloading the CPU, or filling up the disk. The intruder is not trying to gain information, but to simply act as a vandal to prevent you from making use of your machine. 5.3.1 Ping-of-Death Ping of death is the use of ping command to exploit the fact that maximum packet size that TCP/IP allows for being transmitted over the Internet is restricted to 65536 octets. When host receives such a large packet (>65536) it will probably crash, reboot or hang 5.3.2 SYN Flooding Sends TCP SYN packet (which start connections) very fast, leaving the victim waiting to complete a huge number of half open connections, causing it to run out of resources and dropping legitimate connections.
6. HACKING EXPOSED
ICMP SWEEPS PORT SCANNING
PING OF DEATH SYN FLOODING
Send ICMP Echo Request Packets to all the hosts
Any Reply from host?
Destination Host Reachable
Check for ports reachable in the host Select Reachable Host
Check for open ports?
Display all ports Accepted for connection
HACKER Uses these ports to enter into the host
Sniff packets in the network
Find the connected ports by analyzing the packets 11
Send FIN packets to the source
Wait for ACK from destination
Received Change sequence and acknowledgement number and send message by spoofing the address of the source
9. STRENGTHS AND LIMITS FACING IDS
Terminate the connection IDS are just another tool part of a good security architecture and Multi-Layered Defense Strategy. It has its own strengths and weaknesses,
Provides worthwhile information about malicious network traffic Can be programmed to minimize damage Helps to identify the source of the incoming probes or attacks Can collect forensic evidence, which could be used to identify intruders Alert security personnel that someone is picking the "lock” or some Network Invasion may be in progress
Part of a Total Defense Strategy infrastructure
10. RESULTS AND OBSERVATIONS
The preliminary scans include port scanning, sending ICMP requests. PORTSCANNING 12
Here any remote host could scan a range of ports of a particular host. Portscanning detection involves identification and recording of the remote machine‟s IP address that scanned over a particular port of that host. SENDING ICMP REQUESTS Here ICMP Echo Request Packets are sent to a remote host that gathers information about that particular host. The detection part checks these Echo Request Packets that arrive on a particular host. EXPLOITS A TCP connection is established which follows a standard procedure of Three Way Handshake procedure. An exploit consisting of a detailed analysis of sequence and acknowledgement number is made on this existing TCP connection by analyzing the sequence of packets exchanged between the client and the server. During detection the packets exchanged across the machines are captured and analysis is made on the malicious packets sent by the intruder, by interpreting the sequence and acknowledgement numbers. A machine can also be checked for its promiscuous mode, which reveals the usage of that machine to exploit some connection.
Intrusion Detection System is one that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. The sooner you know someone has broken in, the easier it will be to recover from the intrusion. Intrusion detection capabilities can help a company secure its information. It could be used to detect an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop the exploit from use by future intruders. Intrusion Detection System can become a very powerful tool for information security when integrated with firewalls and anti virus software. “Intrusion detection should be part of a defense in depth strategy and no single technology should be relied upon exclusively.”