Transcript IDS

Enterprise IP Solutions
OfficeServ 7400
Quick Install Guide
- Data Server –
IDS
Mar, 2006
OfficeServ Lab1
Samsung Electronics Co., Ltd.
Samsung Confidential & Proprietary Information
IDS functions
• Real-time detection of and response to network-based attacks
– backdoor, DoS, DDoS, anomalous network access, etc.
• Configured through web management
• Supports almost all protocols used on the Internet
• Intrusion detection according to risk level
– High, medium, low
• Response to intrusion detection
– Log audit
– IP blocking, linked with the firewall
• Reports detected attacks to the administrator by e-mail
– 5 categories: Intrusion Type, Source IP, Destination IP, Port, Port scan
• Rule update
IDS Rule Update
• Sourcefire VRT Certified Rules
– Official rules of snort.org (www.snort.org)
– Three ways to obtain these rules:
• Subscribers (paid)
– Online web subscriber
– Receive real-time rule updates as soon as they are available
• Registered users (free)
– Online web subscriber
– Can access rule updates 5 days after their release to subscription users
• Unregistered users (free)
– Receive a static ruleset at the time of each major Snort release
– CANNOT be used for GWIM (commercial use is restricted!)
IDS Rule Update
• Open Community Rulesets
– Submitted by members of the open source community
– Released to users without basic testing
• no assurance that new rules will not break Snort
– Distributed under the GPL
– Freely available to all open source Snort users
Using Snort
• Three main operational modes
– Sniffer
– Packet logger
– Network Intrusion Detection System
– (Forensic Data Analysis Mode)
Network Environment
[Network diagram] Untrusted Network: hosts 165.213.109.2, 165.213.109.254, 165.213.146.134, ... send an attack packet pattern, or a packet pattern similar to an attack, across the Internet toward WAN1. Mail Server: 165.213.88.100. Trusted Terminal (Management PC): 165.213.87.230; it also sends a packet pattern similar to an attack. Addresses labelled next to the OfficeServ 7400 in the diagram: WAN1 / 165.213.89.238 and LAN / 10.0.0.1. Internal Network: Important File Server.
Assumption
1. A server containing important data exists in the internal network of GWIM.
2. Attack packet patterns come from PC terminals in the untrusted networks 165.213.109.0/24 and 165.213.146.0/24, which are anonymous from the outside.
3. The PC terminal (165.213.87.230) used at a remote site is used for easy maintenance of the OfficeServ 7400. In other words, a misdetection (false positive) by the IDS on this terminal is taken into account.
4. The mail server supports SMTP at IP 165.213.88.100.
Filtering Setup
1. From the [Firewall][Management] menu, select the ‘Enable’ item and click the ‘OK’ button.
Configuration
1. Go to the [IDS][Configuration] menu, select the device whose interface is WAN and the protocols to monitor (only for a static network), and select whether to restrict access from the outside according to the level when using the [IDS][Block Config] function.
※ The higher the level set for detecting intrusions, the more the processing load increases and the more log messages are left in the system.
When running with the [IDS]->[Block Config] menu, IDS is executed only at the level set in the window.
(Screenshot note) An access corresponding to Medium level is only notified by mail; access from the remote site is not restricted.
2. Select the required IDS rules and click the [OK] button.
The window below shows the rules applied by default.
※ For further information on each rule, refer to http://www.snort.org/snort-db.
Management
1. From the [IDS][Management] menu, click the [Run] button to execute IDS.
‘Block time’ sets the timeout value after which a restriction of access is released. If Run is executed, the blocking function is applied to the remote data terminal that generated an intrusion type detected by IDS. However, the blocking function is based on the level set in [IDS][Configuration].
※ If IDS is running, the block module is running. By default, IPS is running.
Block Config
1. In the [IDS][Block Config] menu, set whether to restrict access to the remote data terminal or network that generated an intrusion type set in [IDS][Configuration].
2. You can view IP information on the remote data terminals whose access has been restricted because IDS detected them as an intrusion type. In the following window, you can view the results for the misdetected IP address of a maintenance PC:
Blocked IPs (from the screenshot):
165.213.87.230 – IP address of a maintenance PC
165.213.87.227, 165.213.87.231 – hosts of the network where the administrator is located
165.213.109.189, 165.213.146.134 – hosts of an untrusted network
3. To register trusted IPs, enter the IP address of a maintenance PC.
This allows a maintenance PC whose access was restricted because it appears in ‘Blocked IPs’ to regain access.
<Figure 1> shows the registration of only a single PC, and <Figure 2> shows the registration of all hosts of the network to which the administrator IP belongs.
<Figure 1>
<Figure 2>
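The response policy set up in the Configuration, Management and Block Config steps above, modelled as an added example (not Samsung's or the OfficeServ's code): per-level actions, the ‘Block time’ timeout, and trusted IPs that are never blocked. The level-to-action mapping and the timeout value are assumptions modelled on the guide's screenshot notes.

```python
# Added example, not OfficeServ code: models how IDS detections are handled
# by risk level ([IDS][Configuration]), whether a level blocks or only mails
# ([IDS][Block Config]), trusted IPs/networks that are exempt from blocking,
# and the 'Block time' after which a block is released ([IDS][Management]).
import ipaddress
from dataclasses import dataclass, field

# Assumed per-level actions: the guide's screenshot note says Medium-level
# accesses are only reported by mail and not restricted.
BLOCK_CONFIG = {"high": {"block", "mail"}, "medium": {"mail"}, "low": {"log"}}
BLOCK_TIME = 600  # seconds; assumed 'Block time' value


@dataclass
class Blocker:
    trusted: list = field(default_factory=list)   # ip_network objects
    blocked: dict = field(default_factory=dict)   # ip -> expiry timestamp

    def add_trusted(self, cidr):
        # A single PC ("165.213.87.230/32") or the admin's whole network.
        self.trusted.append(ipaddress.ip_network(cidr, strict=False))

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def expire(self, now):
        # Release blocks whose 'Block time' has run out.
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}

    def handle(self, src_ip, level, now):
        """Return the set of actions taken for one detection."""
        self.expire(now)
        actions = set(BLOCK_CONFIG.get(level, {"log"}))
        # Trusted IPs (the maintenance PC) are never blocked, so a
        # misdetection cannot lock the administrator out.
        if "block" in actions and self.is_trusted(src_ip):
            actions.discard("block")
        if "block" in actions:
            self.blocked[src_ip] = now + BLOCK_TIME
        return actions

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked
```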
Log Analysis
1. If you select the [IDS][Log Analysis] menu, the window below appears. It analyzes the stored messages for intrusion types detected by IDS according to source address, destination address, risk level, service port and intrusion type. By default, all categories are set to ‘all’, but you can select and check the logs you want.
(Screenshot note) Default: ‘all’
2. If you set the filters as shown in <Figure 1> below to check logs at security level ‘med’ among the logs in which the host with IP ‘165.213.87.230’ accesses IP ‘165.213.89.238’ on the http (80) port, you can view the results shown in <Figure 2>.
<Figure 1>
<Figure 2>
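The Log Analysis filter described above, reimplemented as an added example (not Samsung's code) over Snort fast-alert lines: every criterion defaults to ‘all’, and the query from step 2 (source 165.213.87.230, destination 165.213.89.238, level ‘med’, port 80) is the one the test runs. The log lines and the mapping of Snort priority to the guide's High/Medium/Low levels are constructed assumptions.

```python
# Added example, not OfficeServ code: filters Snort fast-alert lines by the
# five Log Analysis criteria (source, destination, level, port, type).
import re

# Constructed sample alerts in Snort's fast-alert layout; SIDs and messages
# are made up for this example.
SAMPLE_LOG = """\
03/15-16:59:58.000001  [**] [1:1000001:1] SAMPLE web probe [**] [Priority: 2] {TCP} 165.213.87.230:3201 -> 165.213.89.238:80
03/15-17:00:02.000002  [**] [1:1000002:1] SAMPLE backdoor probe [**] [Priority: 1] {TCP} 165.213.109.189:4444 -> 165.213.89.238:23
03/15-17:00:05.000003  [**] [1:1000001:1] SAMPLE web probe [**] [Priority: 2] {TCP} 165.213.87.230:3202 -> 165.213.89.238:443
03/15-17:00:07.000004  [**] [1:1000003:1] SAMPLE portscan [**] [Priority: 3] {TCP} 165.213.146.134:5555 -> 165.213.89.238:80
"""

# Assumed mapping of Snort priority onto the guide's risk levels.
LEVEL = {"1": "high", "2": "med", "3": "low"}

LINE_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<type>.+?) \[\*\*\] .*?\[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(log):
    """Turn each alert line into a dict of the fields Log Analysis filters on."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"type": m["type"], "level": LEVEL.get(m["prio"], "low"),
                           "src": m["src"], "dst": m["dst"], "port": int(m["dport"])})
    return events


def analyse(log, src="all", dst="all", level="all", port="all", itype="all"):
    """Return events matching every criterion that is not left at 'all'."""
    want = {"src": src, "dst": dst, "level": level, "port": port, "type": itype}
    return [e for e in parse(log)
            if all(v == "all" or e[k] == v for k, v in want.items())]
```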
Mail Config
1. Click the [IDS][Mail Config] menu to send the result messages on intrusions detected by IDS by mail to the configured mail address.
Fields shown in the window: schedule (set to send a mail at 5 p.m. every day), SMTP port information, mail server IP address, mail address.
Rule Update
1. If you click [Rule Config] in the left menu, you can update the ruleset.
To update the ruleset, click the ‘browse’ button and select the desired rule file on your PC.
GWIM IDS spec (based on v1.25)
Thank you!