Transcript IDS
Enterprise IP Solutions
OfficeServ 7400
Quick Install Guide
- Data Server –
IDS
Mar, 2006
OfficeServ Lab1
Samsung Electronics Co., Ltd.
7400
-0/17-
Samsung Confidential & Proprietary
Information
IDS functions
• Real-time detection and response to network based attacks
– backdoor, DoS, DDoS, anomalous network access, etc.
• Using web management
• Support almost all kinds of protocol used in Internet
• Intrusion detection according to risk level
– High, medium, low
• Correspond to intrusion detection
– Log audit
– IP blocking as linked with firewall
• Report to admin using e-mail about detected attacks
– 5 categories : Intrusion Type, Source IP, Destination IP, Port, Port scan
• Rule update
7400
-1/17-
Samsung Confidential & Proprietary
Information
IDS Rule Update
• Sourcefire VRT Certified Rules
– Official rules of snort.org(www.snort.org)
– Three ways to obtain these rules:
• Subscribers (a charge)
– Online web subscriber
– Receive real-time rules updates as they are available
• Registered users (Free)
– Online web subscriber
– Can access rule updates 5days after release to subscription users
• Unregistered users (Free)
– Receive a static ruleset at the time of each major Snort Release
– CANNOT use for GWIM (limited to commercial use!)
7400
-2/17-
Samsung Confidential & Proprietary
Information
IDS Rule Update
• Open Community Rulesets
– Submitted by members of the open source
community
– Release to users without basic tests
• not to ensure that new rules will not break Snort
– Distributed under the GPL
– Freely available to all open source Snort users
7400
-3/17-
Samsung Confidential & Proprietary
Information
Using Snort.
• Three main operational modes
–
–
–
–
Sniffer
Packet logger
Network Intrusion Detection System
(Forensic Data Analysis Mode)
7400
-4/17-
Samsung Confidential & Proprietary
Information
Network Environment
165.213.109.2
165.213.109.254
165.213.146.134
•••••
Send an attack packet pattern or packet
pattern similar to attack
Untrusted Network
Mail Server
165.213.88.100
Internet
Send a packet pattern similar to attack
Trusted Terminal
WAN1
Management
PC
165.213.89.238
165.213.87.230
10.0.0.1
LAN
Important File Server
Internal Network
7400
-5/17-
Samsung Confidential & Proprietary
Information
Assumption
1.
A server containing important data exists in the internal network of GWIM.
2.
An attack pattern of packets come from the PC terminal in the untrusted
165.213.109.0/24, 165.213.146.0/24 network which has an external
anonymity.
3.
The PC terminal (165.213.87.230) used in a remote area supports an easy
maintenance with OfficeServ 7400. In other words, a misdetection by IDS is
taken into account.
4.
The mail server supports SMTP with an IP (165.213.88.100).
7400
-6/17-
Samsung Confidential & Proprietary
Information
Filtering Setup
1.From the [Firewall][Management] menu, select the ‘Enable’ item and click
the ‘OK’ button.
7400
-7/17-
Samsung Confidential & Proprietary
Information
Configuration
1. Move to the [IDS][Configuration] menu, and select a device which interface
is WAN and the protocol monitors only for a static network, and select whether
to restrict an access from the outside according to the level when using the
[IDS][Block Config] function.
※The higher a level for detecting intrusion is set, the more processing load increases and
the more log messages are left in the system.
When running in the [IDS]->[Block Config] menu,
IDS is executed at only a level set in the window.
7400
An access corresponding to Medium Level
is notified by only a mail and an access to
the remote area is not restricted.
-8/17-
Samsung Confidential & Proprietary
Information
2. Select a required IDS rule and click the [OK] button.
The window below has been applied as default:
※For further information on each rule, refer to http://www.snort.org/snort-db.
7400
-9/17-
Samsung Confidential & Proprietary
Information
Management
1.
From the [IDS][Management] menu, click the [Run] button to execute IDS.
‘Block time’ is used to set a timeout value to release a restriction of access. If
Run is executed, the blocking function of a remote data terminal which generated
a type of intrusion detected by IDS is performed. However the blocking function
is based on the level set in [IDS][Configuration].
※ If IDS is running, block module is running. By default IPS is running.
7400
-10/17-
Samsung Confidential & Proprietary
Information
Block Config
1.
2.
In the [IDS][Block Config] menu, set whether to restrict an access to the
remote data terminal or network which generated a type of intrusion
detection set in [IDS][Configuration].
You can view IP information on the remote data terminal which performs a
restriction of access by detecting as a intrusion type in IDS. In the following
window, you can view the results of the misdetected IP address of a
maintenance PC:
7400
165
213
87
230
165
213
87
227
165
213
87
231
165
213
109
189
165
213
146
134
-11/17-
IP Address of a Maintenance PC
Hosts of the Network Where the
Administrator is Located
Hosts of an Untrusted Network
Samsung Confidential & Proprietary
Information
3. To register trusted IPs, enter an IP address of a maintenance PC.
This allows the maintenance PC restricted to the access to the ‘Blocked IPs’ to
enable accessibility.
<Figure 1> shows a registration of only a PC and <Figure 2> shows a registration
of all network hosts to which an administrator IP belongs.
<Figure 1>
<Figure 2>
7400
-12/17-
Samsung Confidential & Proprietary
Information
Log Analysis
1. If you select the [IDS][Log Analysis] menu, the window below appears that
analyzes the left messages whose intrusion type is detected by IDS according to
source address, destination address, risk level, service port information and
intrusion type. Basically, all categories are set ‘all’, but you can select and check
a desired log.
Default ‘all’
7400
-13/17-
Samsung Confidential & Proprietary
Information
2. If you set as shown in <Figure 1>below to check a log corresponding to the
security level ‘med’ among logs that a host with an IP ‘165.213.87.230’ accesses
the IP ‘165.213.89.238’, http(80) port, you can view the results as shown in
<Figure 2>.
<Figure 1>
<Figure 2>
7400
-14/17-
Samsung Confidential & Proprietary
Information
Mail Config
1. Click the [IDS][Mail Config] menu to send the result message on intrusion
detected by IDS to the set mail address by mail.
Set to send a mail at 5 p.m. every day
SMTP Port
Information
Mail Server
IP Address
Mail Address
7400
-15/17-
Samsung Confidential & Proprietary
Information
Rule Update
1. If you click [Rule Config] from the left menu, you can update a ruleset.
To update a ruleset click ‘browse’ button and select the desired rule file
on your PC.
GWIM IDS spec (based v1.25)
7400
-16/17-
Samsung Confidential & Proprietary
Information
Thank you !
7400
-17/17-
Samsung Confidential & Proprietary
Information