Intrusion Detection/Prevention Systems

It’s Friday night. William, a network engineer at Foadco, a financial trading company, is at the bar with his girlfriend and their friends. His cellular phone rings and he hesitates before answering it. The voice at the other end is his boss, who has just received a call from a client stating that their website had a weird message on it saying “you’re pwn3d”. The client called the boss, who then called William immediately and began demanding explanations. What William didn’t know was that for the three weeks prior, a group of crackers had been performing network reconnaissance on his network and mapping every internet-facing node. Some of the traffic they generated toward his network was stopped by the firewall, but after a couple of weeks of research the attackers had a very good understanding of what sort of traffic the firewall permitted. They used this to their advantage, broke into the Foadco network, stole trading information, and later sold it.

One thing William should have done was set up an Intrusion Detection/Prevention System. This works just like a security alarm, but for your network. A very popular intrusion detection system is Snort, which is freely available from www.snort.org. These programs run much like an anti-virus scanner, examining both ingress (incoming) and egress (outgoing) traffic on the network. They are typically set up using a passive network tap on the perimeter of the network, which lets them examine all traffic without interference from the firewall. How these systems work is roughly this:

1. An attacker begins scanning the network.
2. The intrusion detection system picks up these scanning probes and catalogs the originating IP address.
3. The prevention system reads this file of IP addresses and adds them to a blacklist which the firewall reads.
4. The firewall reloads the blacklist file, typically every 300 seconds (5 minutes), and packets from each IP address listed in the file are dropped (impolitely).
5. The cycle usually repeats from step 1 (some people are very determined!).
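As an added example (not from the original post and not the Snort project's own code), here are steps 2 and 3 of the cycle in Python: it parses Snort-style "fast" alert lines (constructed samples; the line format and generator ID 122 for the portscan preprocessor are assumptions), keeps only sources that triggered repeated scan alerts, and writes the blacklist file the firewall would reload, with an allow list so your own monitoring hosts are never blocked.

```python
import os
import re
from collections import Counter

# Snort "fast" alert line (format assumed): timestamp [**] [gid:sid:rev] msg [**] ... src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)
PORTSCAN_GID = "122"  # assumption: sfPortscan preprocessor generator ID

# Constructed sample alerts (documentation address ranges, not real hosts).
SAMPLE_ALERTS = """\
01/15-22:14:05.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.10
01/15-22:14:06.223456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.11
01/15-22:14:09.000001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.12
01/15-22:20:11.000001  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 3] {TCP} 198.51.100.5:49152 -> 198.51.100.10:445
01/15-22:31:00.500000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.44 -> 198.51.100.10
"""


def scanning_sources(alert_text, min_hits=2):
    """Step 2: return the set of source IPs with at least min_hits portscan alerts.

    Requiring more than one hit avoids blacklisting a host for a single stray probe.
    """
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("gid") == PORTSCAN_GID:
            counts[m.group("src")] += 1
    return {ip for ip, n in counts.items() if n >= min_hits}


def render_blacklist(ips, allow=frozenset()):
    """Step 3: one IP per line, sorted, minus the allow list (scanners you run yourself,
    upstream DNS, etc.) so the prevention system cannot lock you out of your own network."""
    return "".join(f"{ip}\n" for ip in sorted(set(ips) - set(allow)))


def write_blacklist(ips, path, allow=frozenset()):
    """Write via a temp file and rename, so the firewall's periodic reload never reads
    a half-written list."""
    tmp = f"{path}.tmp"
    with open(tmp, "w") as fh:
        fh.write(render_blacklist(ips, allow))
    os.replace(tmp, path)


if __name__ == "__main__":
    write_blacklist(scanning_sources(SAMPLE_ALERTS), "blacklist.txt", allow={"198.51.100.5"})
```

Note that a firewall configured to silently drop packets from listed addresses sends nothing back; the RST described later in the post is only sent when the firewall is configured to reject rather than drop.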


Now, the intrusion detection system identifies what the threat is, and the intrusion prevention system works to block that address from ever accessing the network again. This is useful because an attacker cannot attack your network if they are blocked out of it. When I say blocked out, what I mean is that when they attempt to send to your network after they’ve been blacklisted, the firewall responds with an RST, which is a TCP reset packet. This terminates the connection immediately and is considered impolite, as it is akin to saying “Goodbye” and then hanging up the telephone. The “polite” way to tear down a connection is to send a FIN-ACK, which means “we’re finished, tell me if you got this, and have a good one!” The combination of a quality Intrusion Detection/Prevention system ensures network safety and limits liability for the company. For more information on these technologies, check out the Snort primer at the aforementioned web address.
