Network Security
Intrusion Detection & Prevention Systems
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are integral tools in network security. Both IDS and IPS analyze entire packets, including the header and payload, in search of recognized events.
- IDS: When a known event is detected, a log message is generated. There may also be reports or optional alerts. IDS observes, logs, and optionally alerts. It doesn't take action.
- IPS: When it detects a known event, it rejects the packet. IPS takes action! It rejects malicious packets, which means it has to sit in the traffic path.
Types of IDS Systems
Both host-based (HIDS) and network-based (NIDS) systems can be knowledge-based (matching traffic against signatures of known attacks), behavior-based (flagging deviations from a learned baseline of normal activity), or a mix of the two.
IDS/IPS Classification by Deployment
- Host-based (HIDS/HIPS)
  - Typically in software form, installed on a server. Observes and logs activity on that host.
- Network-based (NIDS/NIPS)
  - Typically in hardware form at the network level.
Modes of Operation for Network-based IDS and IPS
- Inline (In-band)
  - Traffic passes through the NIDS/NIPS, so an IPS in this mode can drop a packet before it reaches its destination.
  - Positioned on or near the firewall to enhance security layers.
  - Might integrate with a switch close to the firewall.
- Passive (Out-of-band)
  - Traffic doesn't directly flow through the NIPS/NIDS; the device sees a copy of it (for example from a switch mirror/SPAN port or a network TAP).
  - Uses sensors and collectors to forward alerts to the NIDS.
  - Because it only sees a copy, a passive device can alert on a packet but cannot block the original.
Sensors and collectors can be strategically placed in a network. For instance, a sensor on the internet side can scan all inbound traffic. But remember that running all traffic through an inline setup can be resource-intensive. Position sensors where they best serve your network's needs.
Secure Network Design
Understanding and leveraging secure network designs can significantly enhance the overall protection of systems and data. Here's a concise breakdown:
Bastion Host
A Bastion Host is a computer or appliance with exposure to the internet. It undergoes hardening, which means all unnecessary elements, such as non-essential services, programs, protocols, and ports, are eliminated.
Key characteristics of a Bastion Host:
- Only necessary ports are open.
- Removal of non-essential elements.
- Examples include hardened browsers like Librewolf or the Firefox community version.
Screened Host
A Screened Host is a system protected by a firewall and is logically located just inside a private network. This design is optimal for heightened security.
It's one of the most secure options due to its firewall protection and its location within a network.
Screened Subnet
Conceptually akin to a Screened Host, a Screened Subnet is a subnet positioned between two routers or firewalls. A Bastion Host is typically situated within this subnet.
Proxy Server
A Proxy Server acts on behalf of the client, forwarding its service request and hiding the client's true origin. It's prevalent in corporate environments for internet browsing. Because every request passes through it, a proxy server masks the true origin of the request and often caches content for performance enhancements.
Network Attacks
Teardrop Attack
- Description: A DoS attack involving the sending of mangled IP fragments with overlapping, oversized payloads to a target machine.
- Effect: The target system tries, and fails, to reassemble these fragments, often leading to system crashes.
Fraggle Attack
- Description: A DoS attack where an attacker sends a large volume of spoofed UDP traffic (source address set to the victim) to a network's broadcast address, so every host on that network replies to the victim. It's akin to the smurf attack but uses UDP instead of ICMP traffic.
Land Attack
- Description: Layer 4 DoS attack where both the source and destination addresses (and typically the ports) in a TCP segment are set to be the same, so the target appears to be talking to itself.
- Effect: Vulnerable machines might crash or freeze because the TCP stack keeps trying to process the confusing packet.
SYN Flood
- Description: A DoS attack where attackers send multiple SYN requests (the initiation step in the TCP handshake), usually from spoofed sources that never complete the handshake, to a target, overwhelming it.
- Effect: Each unanswered SYN-ACK leaves a half-open connection in the server's backlog; once that fills, the system is unresponsive to legitimate traffic.
Ping of Death
- Description: Involves sending an abnormally large ping packet. The maximum IPv4 packet size is 65,535 bytes; a Ping of Death is a fragmented ICMP echo request that reassembles to more than that.
- Effect: Reassembling the oversized datagram overflows buffers in vulnerable IP stacks, which can crash or reboot.
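The following is an added example and not code from the original page: a small Python inspector that implements signature-style checks for the five attacks listed above and runs them either in IDS mode (log and pass) or in IPS mode (log and drop), which is the IDS/IPS distinction made at the top of the page. Packets are plain dictionaries constructed inline for the demo; the `Inspector` and `run` names, the SYN-rate threshold and the broadcast address list are assumptions, and a real sensor would decode captured frames instead of reading dictionaries.

```python
from collections import defaultdict, deque

IP_MAX_LEN = 65535        # largest IPv4 datagram (16-bit total-length field)
SYN_THRESHOLD = 5         # constructed: more bare SYNs than this per source in SYN_WINDOW seconds
SYN_WINDOW = 1.0
BROADCAST_ADDRS = {"192.0.2.255", "255.255.255.255"}   # constructed local broadcast addresses


def detect_land(pkt):
    """Land: TCP segment whose source and destination address/port are identical."""
    return (pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"]
            and pkt.get("sport") == pkt.get("dport"))


def detect_ping_of_death(pkt):
    """Ping of Death: ICMP datagram that would reassemble to more than 65,535 bytes."""
    return pkt["proto"] == "icmp" and pkt["total_len"] > IP_MAX_LEN


def detect_fraggle(pkt):
    """Fraggle: UDP aimed at a broadcast address (source is usually spoofed as the victim)."""
    return pkt["proto"] == "udp" and pkt["dst"] in BROADCAST_ADDRS


class Inspector:
    """Runs the rules over a packet stream. mode='ids' only logs; mode='ips' also drops."""

    def __init__(self, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.log = []                        # (rule, src, dst) for every match
        self._syns = defaultdict(deque)      # src -> timestamps of recent bare SYNs
        self._frags = defaultdict(list)      # (src, dst, ip_id) -> [(start, end)] byte ranges seen

    def _syn_flood(self, pkt):
        """Stateful: count bare SYNs per source inside a sliding time window."""
        if pkt["proto"] != "tcp" or pkt["flags"] != {"SYN"}:
            return False
        q = self._syns[pkt["src"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > SYN_WINDOW:
            q.popleft()
        return len(q) > SYN_THRESHOLD

    def _teardrop(self, pkt):
        """Stateful: a fragment whose byte range overlaps an earlier fragment of the same datagram."""
        if "frag_offset" not in pkt:
            return False
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start, end = pkt["frag_offset"], pkt["frag_offset"] + pkt["frag_len"]
        overlap = any(start < e and s < end for s, e in self._frags[key])
        self._frags[key].append((start, end))
        return overlap

    def inspect(self, pkt):
        """Return 'pass' or 'drop' for one packet, logging the first rule that matched."""
        rules = (("land", detect_land), ("ping-of-death", detect_ping_of_death),
                 ("fraggle", detect_fraggle), ("teardrop", self._teardrop),
                 ("syn-flood", self._syn_flood))
        for name, rule in rules:
            if rule(pkt):
                self.log.append((name, pkt["src"], pkt["dst"]))
                # An IDS observes and logs only; an IPS rejects the packet.
                return "drop" if self.mode == "ips" else "pass"
        return "pass"


def sample_traffic():
    """Constructed packets for the demo (not a real capture); RFC 5737 documentation addresses."""
    p = [
        # Land: source and destination identical
        {"ts": 0.0, "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
         "sport": 80, "dport": 80, "flags": {"SYN"}, "total_len": 40},
        # Ping of Death: oversized ICMP datagram
        {"ts": 0.1, "proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.10", "total_len": 65540},
        # Fraggle: UDP to the broadcast address, source spoofed as the victim
        {"ts": 0.2, "proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.255",
         "sport": 7, "dport": 7, "total_len": 60},
        # Teardrop: second fragment overlaps the first (bytes 50-99 are covered twice)
        {"ts": 0.3, "proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.20",
         "ip_id": 99, "frag_offset": 0, "frag_len": 100, "total_len": 120},
        {"ts": 0.3, "proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.20",
         "ip_id": 99, "frag_offset": 50, "frag_len": 100, "total_len": 120},
    ]
    # SYN flood: SYN_THRESHOLD + 1 bare SYNs from one source inside the window
    for i in range(SYN_THRESHOLD + 1):
        p.append({"ts": 0.5 + i * 0.01, "proto": "tcp", "src": "198.51.100.1", "dst": "192.0.2.10",
                  "sport": 40000 + i, "dport": 443, "flags": {"SYN"}, "total_len": 60})
    # A single benign SYN from another host
    p.append({"ts": 1.0, "proto": "tcp", "src": "192.0.2.30", "dst": "192.0.2.10",
              "sport": 51000, "dport": 443, "flags": {"SYN"}, "total_len": 60})
    return p


def run(mode):
    """Inspect the sample traffic in the given mode; return counts and the alert names in order."""
    insp = Inspector(mode)
    verdicts = [insp.inspect(pkt) for pkt in sample_traffic()]
    return {"passed": verdicts.count("pass"), "dropped": verdicts.count("drop"),
            "alerts": [name for name, _, _ in insp.log]}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

The same five alerts are raised in both modes; only the verdict differs, which is the whole operational difference between IDS and IPS. The two stateful rules (teardrop, SYN flood) show why a sensor needs memory across packets, and why an out-of-band sensor can only ever produce the IDS column.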
TCP 3-way Handshake
The TCP 3-way handshake is the process used in a TCP/IP network to establish a connection between a client and a server.
- SYN: The client sends a SYN (synchronize) packet to the server, carrying the client's initial sequence number.
- SYN-ACK: The server responds with a SYN-ACK (synchronize-acknowledge) packet, carrying its own initial sequence number and acknowledging the client's (client sequence number + 1).
- ACK: The client replies with an ACK (acknowledge) of the server's sequence number + 1, and the connection is established.
This handshake ensures both the client and server are ready for data transmission. Think of it as a polite introduction. Before two people (client and server) have a detailed conversation (data exchange), they introduce themselves and acknowledge each other.
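As an added example (not from the original page), here is a minimal Python model of the exchange above: a client and a listening server with their own initial sequence numbers, the three segments with the sequence and acknowledgement numbers each carries, and the server's half-open queue that a SYN never followed by an ACK leaves occupied, which is what the SYN flood described earlier exploits. The `Server`, `Client` and `BACKLOG` names and the queue size are assumptions; real TCP stacks add options, windows, retransmission and SYN cookies.

```python
import random

BACKLOG = 3   # constructed: how many half-open (SYN_RECEIVED) connections the server will hold


class Client:
    def __init__(self, addr, isn=None):
        self.addr = addr
        self.isn = isn if isn is not None else random.randrange(2**31)   # initial sequence number
        self.state = "CLOSED"
        self.peer_seq = None

    def connect(self):
        """Step 1: send SYN carrying our ISN."""
        self.state = "SYN_SENT"
        return {"flags": {"SYN"}, "seq": self.isn, "ack": 0}

    def receive(self, seg):
        """Step 3: on a SYN-ACK that acknowledges our ISN, reply with ACK."""
        if self.state == "SYN_SENT" and seg["flags"] == {"SYN", "ACK"} and seg["ack"] == self.isn + 1:
            self.state = "ESTABLISHED"
            self.peer_seq = seg["seq"]
            return {"flags": {"ACK"}, "seq": self.isn + 1, "ack": seg["seq"] + 1}
        return None   # anything else is ignored in this model (a real stack would send RST)


class Server:
    def __init__(self):
        self.state = "LISTEN"
        self.half_open = {}      # client addr -> ISN we sent in the SYN-ACK, awaiting the final ACK
        self.established = set()

    def receive(self, src, seg):
        """Step 2 (SYN -> SYN-ACK) or completion (ACK -> ESTABLISHED)."""
        if seg["flags"] == {"SYN"}:
            if src in self.half_open or len(self.half_open) >= BACKLOG:
                return None      # queue full (or duplicate): SYN dropped, client must retransmit
            isn = random.randrange(2**31)   # per-connection ISN; must be unpredictable in practice
            self.half_open[src] = isn
            return {"flags": {"SYN", "ACK"}, "seq": isn, "ack": seg["seq"] + 1}
        if seg["flags"] == {"ACK"} and src in self.half_open:
            if seg["ack"] == self.half_open[src] + 1:   # proves the peer actually saw our SYN-ACK
                del self.half_open[src]
                self.established.add(src)
            return None
        return None


def handshake(server, client):
    """Run the three steps; return the trace as (sender, flags, seq, ack) tuples."""
    trace = []
    syn = client.connect()
    trace.append((client.addr, "SYN", syn["seq"], syn["ack"]))
    synack = server.receive(client.addr, syn)
    if synack is None:
        return trace             # server dropped the SYN (e.g. backlog full)
    trace.append(("server", "SYN-ACK", synack["seq"], synack["ack"]))
    ack = client.receive(synack)
    trace.append((client.addr, "ACK", ack["seq"], ack["ack"]))
    server.receive(client.addr, ack)
    return trace


def half_open_flood(server, count):
    """Send `count` SYNs from distinct spoofed sources and never answer the SYN-ACKs.
    Returns how many half-open entries the server is left holding."""
    for i in range(count):
        server.receive(f"198.51.100.{i + 1}", {"flags": {"SYN"}, "seq": 1, "ack": 0})
    return len(server.half_open)


if __name__ == "__main__":
    srv, cli = Server(), Client("192.0.2.7", isn=1000)
    for step in handshake(srv, cli):
        print(step)
    print("half-open entries after flood:", half_open_flood(Server(), 10))
```

Run it and the trace shows the acknowledgement numbers chaining: the SYN-ACK acks 1001, the final ACK carries 1001 and acks the server's ISN + 1. After the flood fills the backlog, a legitimate client's SYN gets no SYN-ACK at all, which is the denial of service.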
Network Defense: Honeypot
A Honeypot is essentially a decoy system or network resource.
- Purpose: To attract potential attackers, allowing you to monitor their activities and study their techniques.
- Rules:
  - Warning: Enticement, NOT entrapment. E.g., You can't let attackers download fake payroll files.
  - Why? If legal or insurance matters arise, improper handling might jeopardize claims or cases.
- Goal: Deflect attackers from genuine assets and keep them contained long enough to gather intelligence or for possible identification.
Honeynet
A Honeynet is an extension of the honeypot concept, but it involves a whole network set up for the same deceptive purpose.
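An added example, not code from the original page, of the simplest form of honeypot described above: a low-interaction TCP listener that greets each connection with a decoy service banner, records the peer address and whatever the peer sends first, and closes. It entices (a fake banner a scanner will record) but offers nothing to download, in keeping with the enticement-not-entrapment rule. The `start_honeypot`, `probe` and `demo` names, the banner string and the loopback address are assumptions; `probe` stands in for an attacker's scanner so the whole thing runs offline.

```python
import socket
import threading
import time

DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"   # constructed decoy banner; no real SSH is offered
MAX_CAPTURE = 256                            # bytes of the peer's first message to keep


def start_honeypot(host="127.0.0.1", port=0, max_conns=1, timeout=5.0):
    """Listen on host:port (0 = ephemeral), greet each peer with the decoy banner,
    record what it sends, then close. Returns (bound_port, records, worker_thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    listener.settimeout(timeout)
    records = []

    def serve():
        try:
            for _ in range(max_conns):
                try:
                    conn, peer = listener.accept()
                except socket.timeout:
                    break
                with conn:
                    conn.settimeout(timeout)
                    conn.sendall(DECOY_BANNER)
                    try:
                        data = conn.recv(MAX_CAPTURE)
                    except socket.timeout:
                        data = b""
                    # Everything the peer sent is logged verbatim and never interpreted.
                    records.append({
                        "ts": time.time(),
                        "peer_ip": peer[0],
                        "peer_port": peer[1],
                        "first_bytes": data.decode("latin-1"),
                    })
        finally:
            listener.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return listener.getsockname()[1], records, worker


def probe(port, payload, host="127.0.0.1", timeout=5.0):
    """Stand-in for an attacker's scanner: connect, read the banner, send a payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = b""
        while len(banner) < len(DECOY_BANNER):
            chunk = s.recv(len(DECOY_BANNER) - len(banner))
            if not chunk:
                break
            banner += chunk
        s.sendall(payload)
    return banner


def demo():
    """Run one decoy connection end to end; return (banner_seen_by_peer, records)."""
    port, records, worker = start_honeypot()
    banner = probe(port, b"SSH-2.0-constructed_scanner\r\n")   # constructed attacker hello
    worker.join(10)
    return banner, records


if __name__ == "__main__":
    seen, log = demo()
    print("peer saw:", seen)
    for entry in log:
        print(entry)
```

The records are the intelligence the honeypot exists to gather: who connected, when, and what they tried first. Nothing of value sits behind the banner, so there is no "fake payroll file" for an attacker to claim they were lured into taking.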