Intrusion Detection
126
The benefits of using an IDS
External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking software and applications compromise many systems through the Internet.
Generally, firewalls are not granular enough to identify specific packet contents that signal an attack based on a known system exploit. They act as a barrier analogous to a security guard screening anyone attempting to enter and turning away those deemed unsuitable, based on criteria such as identification. However, identification may be forged. Intrusion detection systems, on the other hand, are more like security systems with motion sensors and video cameras: video screens can be monitored to identify suspect behaviour and help to deal with intruders.
Firewalls are often easily bypassed through well-known attacks. The most problematic types of attack are tunnelling-based and application-based. The former occurs when an attacker masks traffic that would normally be screened by the firewall rules by encapsulating it within packets of another network protocol. Application-based attacks occur when vulnerabilities in applications are exploited by sending suspect packets directly to those applications.
These attacks can potentially be detected using an intrusion detection system (IDS). The IDS logs information and sends alerts, so that administrators may be able to contain and recover from any harm caused.
Basic Intrusion Detection and Blocking
The following figure shows the Intrusion Detection and Blocking (IDB) configuration:
Figure 7-1
IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied.
Because network scans often occur before an attempt to compromise a host, you can also deny all access from hosts that have attempted to scan monitored ports. To enable this facility, select one or both of the block options; these hosts are then automatically blocked once detected.
Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare-bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The standard option extends this coverage by introducing additional monitored ports for early detection of intruder scans. The strict button installs a comprehensive selection of ports to monitor and should be sufficient to detect most scans.
Warning
The list of network ports can be freely edited; however, adding network ports used by services running on the CyberGuard unit (such as telnet) may compromise the security of the device and your network. It is strongly recommended that you use the pre-defined lists of network ports only.
The trigger count specifies the number of times a host is permitted to attempt to connect to a monitored service before being blocked. This option only takes effect when one of the previous blocking options is enabled. The trigger count value should be between 0 and 2 (0 represents immediate blocking of probing hosts). Larger settings permit more attempts before blocking; although this allows the attacker more latitude, it reduces the number of false positives.
The ignore list contains a list of host IP addresses which the IDB will ignore for detection and blocking purposes. This list may be freely edited so that trusted servers and hosts are not blocked. The two addresses 0.0.0.0 and 127.0.0.1 cannot be removed from the ignore list because they represent the IDB host. You may enter the IP addresses as a range; see the IP address ranges section further on for more information.
Warning
A word of caution regarding automatically blocking UDP requests. Because an attacker can easily forge the source address of these requests, a host that automatically blocks UDP probes can be tricked into restricting access from legitimate services. Proper firewall rules and ignored-host lists will significantly reduce this risk.
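The following is an added illustration of the IDB behaviour described in this section (monitored ports, the 0 to 2 trigger count, separate block options per protocol, and an ignore list in which 0.0.0.0 and 127.0.0.1 cannot be removed). It is not CyberGuard or SnapGear code: the class and method names, the port presets standing in for the basic/standard/strict buttons, and the use of CIDR notation for ignore-list ranges are all assumptions made for the example. Leaving UDP unblocked while TCP is blocked shows the configuration the UDP warning above argues for.

```python
"""Toy model of Intrusion Detection and Blocking (IDB): monitored ports,
a trigger count of 0..2, per-protocol block options and an ignore list.
Added example, not CyberGuard/SnapGear code; names and presets are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the basic/standard/strict shortcut lists;
# the manual does not publish the real port lists.
PORT_PRESETS = {
    "basic": {21, 23, 111, 139},
    "standard": {21, 23, 111, 139, 445, 1433, 3389},
    "strict": {21, 22, 23, 25, 80, 110, 111, 135, 139, 445, 1433, 3306, 3389},
}

# Addresses that represent the IDB host itself and can never be removed.
FIXED_IGNORES = (ipaddress.ip_network("0.0.0.0/32"), ipaddress.ip_network("127.0.0.1/32"))


class IDB:
    def __init__(self, monitored_ports, trigger_count=0, block_tcp=True, block_udp=False):
        # The manual restricts the trigger count to 0..2; 0 means block on the first probe.
        if not 0 <= trigger_count <= 2:
            raise ValueError("trigger count must be between 0 and 2")
        self.monitored_ports = set(monitored_ports)
        self.trigger_count = trigger_count
        self.block_enabled = {"tcp": block_tcp, "udp": block_udp}
        self.ignore = list(FIXED_IGNORES)
        self.attempts = defaultdict(int)   # probes seen per source address
        self.blocked = set()
        self.log = []

    def add_ignore(self, cidr):
        """Ranges are given as CIDR here (assumption; the manual's own range syntax is described elsewhere)."""
        self.ignore.append(ipaddress.ip_network(cidr, strict=False))

    def remove_ignore(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        if net in FIXED_IGNORES:
            raise ValueError(f"{net} represents the IDB host and cannot be removed")
        self.ignore.remove(net)

    def is_ignored(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore)

    def handle(self, src, proto, dport):
        """Classify one connection attempt.

        Returns 'blocked' if the source is (now) blocked outright, 'denied' if the
        probe was logged and refused, or 'pass' if the IDB takes no interest in it.
        """
        if src in self.blocked:
            return "blocked"
        if dport not in self.monitored_ports or self.is_ignored(src):
            return "pass"
        self.log.append(f"IDB: {proto} connection attempt from {src} to port {dport} denied")
        if not self.block_enabled[proto]:
            # e.g. UDP left unblocked because its source address is easily forged
            return "denied"
        self.attempts[src] += 1
        if self.attempts[src] > self.trigger_count:
            self.blocked.add(src)
            self.log.append(f"IDB: host {src} blocked after {self.attempts[src]} attempt(s)")
            return "blocked"
        return "denied"


if __name__ == "__main__":
    idb = IDB(PORT_PRESETS["basic"], trigger_count=2, block_tcp=True, block_udp=False)
    idb.add_ignore("192.0.2.0/24")      # constructed trusted range (documentation prefix)
    for dport in (23, 23, 23, 80):      # third probe of port 23 trips the trigger count
        print(dport, idb.handle("198.51.100.7", "tcp", dport))
    print(idb.handle("198.51.100.9", "udp", 111))   # logged and denied, never blocked
    print("\n".join(idb.log))
```

With trigger count 2 the first two probes of a monitored port are logged and denied and the third blocks the host for every port; with trigger count 0 the first probe blocks immediately. A forged-source UDP probe only ever produces a log entry here, so it cannot be used to cut off a legitimate server.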
Advanced Intrusion Detection
Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect attacks by matching incoming network data against defined patterns or rules.
Advanced Intrusion Detection utilizes a combination of methods to perform extensive IDS analysis on the fly. These include protocol analysis, inconsistency detection, historical analysis and rule-based inspection engines. Advanced Intrusion Detection can detect many attacks by checking the destination port number and TCP flags and by doing a simple search through the packet's data payload. Rules can be quite complex, allowing a trigger if one criterion matches but another fails, and so on. Advanced Intrusion Detection can also detect malformed network packets and protocol anomalies.
Advanced Intrusion Detection can detect attacks and probes such as buffer overflows, stealth port scans, CGI attacks, NetBIOS SMB probes, OS fingerprinting attempts and many other common and not so common exploits.
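As an added example of the rule-based inspection just described (destination port, TCP flags, a payload content search, and rules that fire when one criterion matches but another fails), here is a small evaluator for rules written in a Snort-like syntax. It is not Snort's engine and the four rules are constructed for illustration: their names echo signature names mentioned in this chapter (NETBIOS winreg access, stealth scans), but their contents are not the entries from the Snort signature database. The parser understands only the msg, content, flags and dsize options.

```python
"""Minimal Snort-style rule evaluator: destination port, TCP flags, payload
content (with |..| hex escapes and '!' negation) and dsize. Added example;
not Snort's engine, and the rules are constructed illustrations only."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int
    flags: str      # TCP flag letters present, e.g. "S", "A", "PA"
    payload: bytes


def parse_content(spec):
    """Expand a Snort content string: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "dport": dport,
            "msg": "", "contents": [], "flags": None, "dsize": None}
    # Options are ';'-separated key:value pairs (values in this example never contain ';').
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            negate = val.startswith("!")
            rule["contents"].append((negate, parse_content(val.lstrip("!").strip('"'))))
        elif key == "flags":
            rule["flags"] = val          # e.g. "A", "SF", or "A+" (A plus any others)
        elif key == "dsize":
            op = val[0] if val[0] in "<>" else "="
            rule["dsize"] = (op, int(val.lstrip("<>")))
    return rule


def matches(rule, pkt):
    """True when every criterion of the rule holds for the packet."""
    if rule["proto"] != "any" and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt.dport:
        return False
    if rule["flags"] is not None:
        want, have = set(rule["flags"].rstrip("+")), set(pkt.flags)
        if rule["flags"].endswith("+"):
            if not want <= have:
                return False
        elif want != have:
            return False
    if rule["dsize"] is not None:
        op, n = rule["dsize"]
        size = len(pkt.payload)
        if not {"=": size == n, ">": size > n, "<": size < n}[op]:
            return False
    # Each content must be present, or absent when negated with '!'.
    return all((needle not in pkt.payload) if negate else (needle in pkt.payload)
               for negate, needle in rule["contents"])


def inspect(rules, pkt):
    """Return the messages of all rules that fire on the packet, in rule order."""
    return [r["msg"] for r in rules if matches(r, pkt)]


# Constructed rules in Snort-like syntax (illustrative only, not Snort's real signatures).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 139 (msg:"NETBIOS winreg access"; flags:A+; content:"|5c|winreg";)',
    'alert tcp any any -> any 80 (msg:"HTTP oversized GET"; content:"GET "; dsize:>64;)',
    'alert tcp any any -> any any (msg:"SYN-FIN stealth scan"; flags:SF; dsize:0;)',
    'alert tcp any any -> any 80 (msg:"GET without Host header"; content:"GET "; content:!"Host:";)',
)]

if __name__ == "__main__":
    # Constructed packets: an SMB payload naming winreg, a SYN+FIN probe, a bare HTTP request.
    for pkt in (Packet("tcp", 139, "PA", b"\x00\x00\x00\x10\\winreg\x00"),
                Packet("tcp", 22, "SF", b""),
                Packet("tcp", 80, "PA", b"GET /index.html HTTP/1.0\r\n\r\n")):
        print(pkt.dport, pkt.flags, inspect(RULES, pkt))
```

The last rule is the "one criterion matches but another fails" case: it fires only when the payload contains the GET verb and does not contain a Host header. The SYN-FIN rule shows flag matching with no payload at all, which is how a scan probe looks to a port-level check.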
Typically, Advanced Intrusion Detection will be configured to log intrusion attempts to a remote database server, which in turn will run an analysis console. An analysis console, such as ACID (Analysis Console for Intrusion Databases), is an application purpose-built for analyzing this log output.
Advanced Intrusion Detection configuration
Figure 7-2
Check Enabled, and select the Interface/network port to monitor. This will typically be Internet, or possibly DMZ.
Checking Use less memory will result in slower signature detection throughput, but may be necessary if your CyberGuard SG appliance is configured to run many services or many VPN tunnels.
Next the Rule sets, of which there are more than forty, need to be selected. They are grouped by type such as DDOS, exploit, backdoor, NETBIOS, etc. Each type in turn has many subtypes depending on the exact attack signature. For example, selecting NETBIOS will enable matching subtype signatures for NETBIOS winreg access and NETBIOS Startup Folder access attempt, etc. The subtypes or signatures themselves, however, are not displayed on the Web Management Console.
The full subtype signatures can be viewed at the Snort web site. Included is detailed information such as signature, impact, operating systems affected, attack scenarios, ease of attack and corrective action. There are thousands of these in the Snort signature database:
