<?xml version="1.0"?>
<Module projectID="1080" moduleID="1136">
	<ModuleName>mod5</ModuleName>
	<AU>mod5</AU>
	<Title>Implementing IDSes</Title>
	<Subtitle>Implementing IDSes</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod5/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsl5_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Implementing Intrusion Detection Systems, or IDSes. When you have completed this lesson, you will be able to identify what a Demilitarized Zone, or DMZ, is and why it is important. You will also be able to identify the different methods of sniffing network traffic and the advantages and disadvantages of each method. Finally, you will be able to identify some IDS configuration issues. There are four topics in this lesson. After you have completed the Introduction, you will learn about DMZ design and how a DMZ can protect your trusted network. You will then learn about the fundamentals of sniffing and effective locations from which to sniff network traffic. Finally, you will learn about the different issues to account for when configuring your IDS. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 1 of 21. Please use the up and down arrows to navigate through the Introduction to D O D I D S Analysis Course, Implementing I D S's. For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. You can access the glossary and a list of resources at any time without losing your place in the course. Topic title: Introduction. Screen title: Objectives and Topics. Bulleted text and text boxes appear with objectives and topics in support of audio. Text box displays text References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>DMZs in Networks</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is a DMZ?</Title>
					<Subtitle/>
					<Filename>idsl5_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Most local area networks, or LANs, not only communicate with the internal, or trusted, devices on their own network but also interact with an untrusted side, most commonly the Internet. Most networks have hosts that provide services, such as email, web, and Domain Name System, or DNS, to outside users coming from untrusted networks. Basic networks have a simple firewall between the untrusted and trusted sides to mitigate server-side attacks against these service hosts. The network also includes a boundary router, which provides the connection between the untrusted network and the firewall. This router is sometimes provided by the Internet Service Provider, or ISP. Placing public-facing servers on the internal trusted network is an insecure design, because it leaves your entire network open to attack through those servers. You can reduce the exposure of your organization's network by adding an additional layer of security, called a demilitarized zone, or DMZ. This buffer zone is designed to prevent unauthorized or unwanted communications between networks or hosts. The public-facing, Internet-exposed servers, or service hosts, are placed in the DMZ. There the servers are allowed to communicate with other hosts in the DMZ and with external networks, and they have only limited connectivity to specific hosts in the trusted, or internal, network outside the DMZ. This allows hosts in the DMZ to provide services to both the external and internal networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 21. Topic title: D M Z's in Networks. Screen title: What is a D M Z? An image of a cloud labeled Untrusted appears connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled firewall, connected to a cloud labeled Trusted. A callout from the Untrusted cloud image displays e mail, web, d n s. Warning image appears between the firewall and trusted cloud image, near the cloud image. The firewall divides in two. The one near the trusted cloud is labeled Internal firewall, and the one near the boundary router is labeled external firewall. Image of a tube labeled D M Z appears between the two firewalls with a server image labeled S M T P server with a callout that displays e mail, web, d n s. Text box appears with bullet points. Rollover text displays for D N S Domain Name System, D M Z demilitarized zone. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Why Use a DMZ?</Title>
					<Subtitle/>
					<Filename>idsl5_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An insecure design can place your network at a higher risk of attack. For example, placing public-facing servers on the internal trusted network increases the risk of an internal compromise. Most attackers want to compromise any internal host to establish a foothold on the internal network. The idea is to attack from behind the firewall, where more hosts may be reachable. One way attackers achieve this is through a technique called pivoting. When launching a pivot attack, an attacker scans a network and looks for a vulnerable host to compromise. The attacker needs to compromise only one host to gain access to the rest of the network, and the public-facing servers are prime candidates. Once on the compromised host, the attacker can launch another port scan from the vantage point of that host, searching for other victims. The attacker then uses the compromised system to attack other systems on the same network, pivoting from one machine to the next. If your network design includes a DMZ, you can mitigate the risk of pivoting. Let's see how the DMZ design can prevent malicious traffic from getting to the trusted side of the network. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 21. Topic title: D M Z's in Networks. Screen title: Why use a D M Z? An image of a cloud labeled Untrusted appears connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled firewall, connected to a cloud labeled Trusted, which is connected to two workstation images and two server images. One of the servers is labeled S M T P server. An image of a masked man operating a laptop appears on the other side of the untrusted cloud image. Warning symbols appear next to the server and workstation images with the text Attack strategy: attack from behind. Bulleted text appears. Animation shows data going from the masked man's computer through the untrusted cloud, boundary router, firewall, trusted cloud, and to the S M T P server, now labeled compromised S M T P server. Animation appears of data going from the server to the other server and two workstations. Text D M Z appears between the trusted cloud and firewall.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>DMZ Design</Title>
					<Subtitle/>
					<Filename>idsl5_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">DMZs make pivoting difficult, reducing your risk of a pivot attack. The design goal of a DMZ is to contain any compromise to the DMZ and prevent the attack from spreading to the rest of the network. The firewalls around the DMZ filter traffic at three boundaries: from the untrusted side to the trusted side, from the untrusted side to the DMZ, and from the DMZ to the trusted side. To create a successful buffer zone, all DMZ servers should be hardened, or secured, to mitigate threats. This process generally includes turning off any services that are not essential to the server. The use of insecure services should be prohibited, and all software should be properly configured and kept patched. Finally, only required ports should be open on DMZ servers, and the firewall should permit only those ports. There are two types of DMZ designs, the classic design and the service leg design. The two designs differ in where the DMZ is placed on the network. Select each design to learn more about its DMZ placement.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>DMZ Design</Title>
							<Subtitle/>
							<Filename>idsl5_04_01</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">In the classic DMZ design, there are two firewalls to filter traffic. One firewall filters the untrusted traffic to and from the DMZ and the second firewall filters the trusted traffic to and from the DMZ. This design places the public-facing servers, or exposed servers, in between the two firewalls. This DMZ design is also known as a firewall sandwich. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Classic</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Classic. Image reprises from the base screen, showing An image of a cloud labeled Untrusted connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled external firewall, connected to a tube labeled D M Z, connected to a firewall labeled internal firewall, connected to a cloud labeled Trusted. An image of a server labeled S M T P appears connected to the D M Z image. Bulleted text appears. The external and internal firewalls along with the D M Z image and S M T P server image appear enclosed in a circle in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>DMZ Design</Title>
							<Subtitle/>
							<Filename>idsl5_04_02</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A service leg DMZ design uses only one firewall, which filters the traffic between the trusted and untrusted sides as well as the traffic to and from the DMZ. The DMZ, containing the public-facing servers, is a third branch, or leg, attached to a third interface on the firewall, and the firewall's rules control which ports may be reached across each leg. This DMZ design is also known as a 3-legged firewall. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Service Leg</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Service Leg. Image shows a cloud labeled Untrusted connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled firewall, connected to a cloud labeled Trusted. The firewall is also connected to a tube image labeled D M Z, connected to a server labeled S M T P server. Bulleted text appears. The firewall, D M Z image, and S M T P server appear enclosed in a circle in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 21. Topic title: D M Z's in Networks. Screen title: D M Z Design. An image of a cloud labeled Untrusted appears connected to a device labeled boundary router, connected to an image of a wall with fire above it labeled external firewall, connected to a tube labeled D M Z, connected to a firewall labeled internal firewall, connected to a cloud labeled Trusted. A null sign with the word Pivoting appears above the D M Z image. Text and bullet points appear. Two buttons appear labeled classic design and service leg design. Instructions appear to select each D M Z design to learn more. Rollover text for harden is Server hardening includes techniques used to establish a security baseline on a system, particularly those connected to semi- or untrusted networks. These techniques include, but are not limited to, disabling unnecessary services; preventing the use of unsecure services; up-to-date patching; and enforcing strong password policies.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Successful Pivot Attack Defense</Title>
					<Subtitle/>
					<Filename>idsl5_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So how does the DMZ successfully defend against pivot attacks? Because the public-facing servers are the most exposed hosts, these servers should be placed in the buffer zone of the DMZ. For example, let's assume our email gateway, the SMTP server, is placed in the DMZ. Then, through the publicly reachable TCP port 25 and a weakness in the server configuration, the server is compromised by an attacker. The attacker then attempts to pivot from the compromised SMTP server to attack a host on the internal trusted network. The attempt is blocked by the firewall and fails because of proper DMZ design: the firewall permits the DMZ server to reach only the specific internal hosts and ports it needs, and nothing else. The damage is contained within the DMZ. The DMZ host is compromised, but the pivot attack against the internal network has failed. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 21. Topic title: D M Z's in Networks. Screen title: Successful Pivot Attack defense. An image of a masked man operating a computer connected to a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a tube labeled D M Z, connected to a server labeled S M T P server.  The firewall is also connected to a cloud labeled Trusted. Animation shows data going from the masked man's computer through the untrusted cloud, boundary router and firewall, through the D M Z image to the S M T P server image now labeled compromised S m t p server with a warning image. Animation shows data going from the S M T P server through the d m z to the firewall, and the text pivot attack failed appears between the firewall and the trusted cloud.</ContentDescription></Sec508Data></Page>
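The filtering described on the DMZ Design and Successful Pivot Attack Defense screens, as an added example that is not part of the original lesson: a small Python model of a service-leg DMZ policy with first-match, default-drop semantics, the way a typical firewall forward chain behaves. The zones, the mail gateway and internal mail server addresses, and the rule set are hypothetical choices made for this illustration (documentation address ranges stand in for the Internet, the DMZ and the trusted network); they are not taken from the lesson. The same rule set, split across an external and an internal firewall, would implement the classic design.

```python
"""Service-leg (3-legged) DMZ policy model: zones, first-match rules, default drop.

Added illustration, not part of the original lesson. Addresses are hypothetical:
203.0.113.0/24 plays the Internet side, 192.0.2.0/24 is the DMZ, 10.0.0.0/8 is
the trusted network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Specific zones are checked first; anything outside them is "untrusted".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "trusted": ip_network("10.0.0.0/8"),
}

SMTP_RELAY = "192.0.2.25"      # public-facing mail gateway in the DMZ (hypothetical)
INTERNAL_MAIL = "10.1.0.25"    # the one trusted host the relay may reach (hypothetical)


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "untrusted", "dmz" or "trusted"
    dst_zone: str
    proto: str               # "tcp" or "udp"; "any" matches both
    dport: int               # 0 means any destination port
    action: str              # "accept" or "drop"
    dst_host: str = ""       # optional: restrict the rule to one destination host

    def matches(self, src, dst, proto, dport) -> bool:
        return (
            self.src_zone == zone_of(src)
            and self.dst_zone == zone_of(dst)
            and self.proto in ("any", proto)
            and self.dport in (0, dport)
            and self.dst_host in ("", dst)
        )


# The firewall's forward policy. First match wins; an unmatched flow is dropped.
POLICY = [
    # The Internet may reach the mail gateway on TCP 25 and nothing else in the DMZ.
    Rule("untrusted", "dmz", "tcp", 25, "accept", dst_host=SMTP_RELAY),
    # The gateway may relay inbound mail to exactly one internal host and port.
    Rule("dmz", "trusted", "tcp", 25, "accept", dst_host=INTERNAL_MAIL),
    # Everything else from the DMZ toward the trusted side is refused. This is
    # the rule that stops a pivot from a compromised DMZ server.
    Rule("dmz", "trusted", "any", 0, "drop"),
    # Internal clients may use DMZ services and the Internet.
    Rule("trusted", "dmz", "any", 0, "accept"),
    Rule("trusted", "untrusted", "any", 0, "accept"),
    # The Internet never talks to the trusted network directly.
    Rule("untrusted", "trusted", "any", 0, "drop"),
]


def verdict(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> str:
    """Evaluate one flow against POLICY: first match wins, default drop."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


def pivot_scenario() -> dict:
    """Replay the lesson's scenario: the gateway is compromised, then the attacker pivots."""
    attacker = "203.0.113.7"      # hypothetical external attacker
    workstation = "10.2.3.4"      # hypothetical internal client
    return {
        "exploit_smtp": verdict(attacker, SMTP_RELAY, "tcp", 25),       # allowed: that is the service
        "pivot_smb": verdict(SMTP_RELAY, workstation, "tcp", 445),      # pivot attempt, blocked
        "pivot_rdp": verdict(SMTP_RELAY, workstation, "tcp", 3389),     # pivot attempt, blocked
        "relay_mail": verdict(SMTP_RELAY, INTERNAL_MAIL, "tcp", 25),    # the one permitted path inward
        "direct_internal": verdict(attacker, workstation, "tcp", 445),  # never reaches the trusted side
    }


if __name__ == "__main__":
    for name, result in pivot_scenario().items():
        print(f"{name:16s} {result}")
```

Running the scenario shows the compromise of the gateway succeeding on port 25 while both pivot attempts from it into the trusted network are dropped. Note the residual path: the relay rule is the only route from the DMZ into the trusted network, and it is exactly what an attacker sitting on the compromised gateway would probe next, so the internal mail host it points at deserves the same hardening as a DMZ server and should be covered by the IDS.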
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl5_06</Filename>
					<PageNbr>6</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>The goal of a DMZ is to contain a compromise from spreading to the rest of the network.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. The goal of a DMZ design is to contain a compromise from spreading to the rest of the network.</DfltCorrect>
								<DfltIncorrect>Incorrect. The goal of a DMZ design is to contain a compromise from spreading to the rest of the network.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>DMZs house public-facing, Internet-exposed servers.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. The public-facing, Internet-exposed servers, or service hosts, are placed in the DMZ, where the firewall limits their communication with the trusted network.</DfltCorrect>
								<DfltIncorrect>Incorrect. The public-facing, Internet-exposed servers, or service hosts, are placed in the DMZ, where the firewall limits their communication with the trusted network.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A service leg DMZ uses two firewalls.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. A service leg, or 3-legged, design uses only one firewall.</DfltCorrect>
								<DfltIncorrect>Incorrect. A service leg, or 3-legged, design uses only one firewall.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Without a DMZ, an attacker can more easily use a pivot attack to compromise multiple hosts on a network.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. DMZs defend against pivot attacks by preventing a compromised DMZ host from reaching other hosts on the internal network.</DfltCorrect>
								<DfltIncorrect>Incorrect. DMZs defend against pivot attacks by preventing a compromised DMZ host from reaching other hosts on the internal network.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of DMZs. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 21. Topic title: D M Z's in Networks. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are two possible answers, true or false. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Network Sniffing Fundamentals</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is a Sniffer?</Title>
					<Subtitle/>
					<Filename>idsl5_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A sniffer is a tool that captures the traffic traveling between networked devices. Sniffers are also known as network packet analyzers or network protocol analyzers. Network sniffers not only capture the network traffic but also analyze the packets of data. They decode protocols and present the packets in a format you can understand. A network sniffer speaks TCP/IP natively. This means it can see the Network Access, Internet, Transport, and Application layers of the TCP/IP model. A sniffer can also correlate these with the corresponding layers of the OSI model: Data Link, Network, Transport, and Application. The Data Link layer carries Media Access Control, or MAC, addresses, the 48-bit addresses assigned to network interface cards at the factory; keep in mind that an operating system can override its card's MAC address, so an attacker can easily spoof one. The sniffer reads the frames at layer two. The sniffer can also see the IP addresses contained within the Network layer. Remember that routers operate at this layer. At the Transport layer are the TCP and UDP headers, where the sniffer understands the port concept. Finally, the sniffer can see the application data of the Application layer. This layer provides services to end-user applications, such as FTP and HTTP, to name a few. An intrusion detection system is basically a network sniffer with the additional functionality to send alerts when a rule is matched. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 21. Topic title: Network Sniffing Fundamentals. Screen title: What is a Sniffer? Two workstation images appear with two lines between them, and a net or matrix overlaying the lines. Bulleted text appears. A stack of four text boxes appears labeled T C P I P. From the top, the text boxes are labeled Application, Transport, Internet, and Network access. This image is replaced by a stack of seven text boxes labeled O S I. From the top, the text boxes are labeled Application, Presentation, Session, Transport, Network, Data link, and Physical. Text appears and boxes are highlighted. Image of the Snort logo appears with trademark symbol and the statement Snort is a registered trademark of Sourcefire, Inc. Rollover text displays T C P I P Transmission Control Protocol Internet Protocol. O S I Open Systems Interconnection.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is Promiscuous Sniffing?</Title>
					<Subtitle/>
					<Filename>idsl5_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A sniffer requires promiscuous access, meaning the network card passes up all traffic it receives and not just traffic addressed to the system running the sniffer, in order to capture all types of traffic on a network. There are three types of traffic a network will carry: unicast, broadcast, and multicast. Unicast traffic is a transmission sent to a single network destination identified by a unique address. Broadcast traffic is data transmitted to all network destinations at once, addressed to every computer. Finally, multicast traffic is data transmitted to multiple destinations, but not all of them, using special group address assignments. For devices to exchange traffic there must be an agreed way of sharing the link between them; this is the duplex mode. Most IP traffic uses full duplex, in which communication occurs in both directions between a sender and a receiver simultaneously. TCP/IP is designed this way, like a phone conversation. A half duplex link carries communication between two devices in only one direction at a time. The sender and receiver take turns, like communicating over a walkie-talkie. Promiscuous network access gives the sniffer the traffic between any two devices in either direction, provided that traffic actually reaches the sniffer's port. Promiscuous sniffing is passive, or read only, access. A sniffer with promiscuous access to a network should not impede operations and should not be evident to anyone, including attackers. Three fundamental methods of getting traffic to the sniffer are to connect it through a hub, through a configured switch port, or through an Ethernet network TAP. Let's learn more about each method. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 21. Topic title: Network Sniffing Fundamentals. Screen title: What is Promiscuous Sniffing? Image labeled O S I displays a stack of seven text boxes. From the top, the text boxes are labeled Application, Presentation, Session, Transport, Network, Data link, and Physical. A network card image overlays the boxes. Animation shows a data stream of ones and zeroes going to the device. Image of a network comprising a server, three workstations, and a printer appears with bulleted text in support of audio. Animation shows data moving across the network. Snort logo appears with trademark symbol and the statement Snort is a registered trademark of Sourcefire, Inc. Rollover text displays unicast Transmissions sent to a single network destination identified by a unique address. Broadcast Data is transmitted to all network destinations, simultaneously addressed to all computers. Multicast Transmitted data to multiple destinations, but not all network destinations, using special address assignments. Half duplex Communication between two devices but in only one direction at a time. Full duplex Communication occurs in both directions between a sender and a receiver simultaneously.</ContentDescription></Sec508Data></Page>
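The layer-by-layer decoding described on the What is a Sniffer? screen and the unicast, broadcast and multicast distinction from the screen above, as an added example that is not part of the original lesson: a minimal protocol analyzer in Python that walks an Ethernet frame through the Data Link, Network, Transport and Application layers, classifies the destination MAC address, and applies one content rule the way an IDS would. The frame it decodes is constructed inside the script (it is a synthetic sample, not a capture), and the rule, addresses and MAC addresses are hypothetical; nothing here is Snort's code or a published signature.

```python
"""Sniffer-style decoder for Ethernet, IPv4 and TCP, plus one IDS content rule.

Added illustration; not code from the original lesson. The frame is constructed
here with struct (assumption: it is a synthetic sample, not a capture) so the
decoder runs offline. On a sensor the bytes would come from a promiscuous socket.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def cast_type(dst_mac: bytes) -> str:
    """Unicast, broadcast or multicast, judged from the layer 2 destination.

    Broadcast is all ones. Any other address whose first octet has its low
    (individual/group) bit set is a group address, i.e. multicast.
    """
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] % 2 == 1:
        return "multicast"
    return "unicast"


def decode(frame: bytes) -> dict:
    """Walk the frame layer by layer the way a protocol analyzer does."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "cast": cast_type(dst)}
    if ethertype != ETHERTYPE_IPV4:
        out["note"] = f"ethertype 0x{ethertype:04x} not decoded"
        return out
    ip = frame[ETH_HDR.size:]                    # layer 3 starts after the 14-byte Ethernet header
    ihl = (ip[0] % 16) * 4                       # IHL is the low nibble, counted in 32-bit words
    total_len = struct.unpack_from("!H", ip, 2)[0]
    out["src_ip"] = ".".join(str(b) for b in ip[12:16])
    out["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    out["proto"] = ip[9]
    if ip[9] != IPPROTO_TCP:
        return out
    tcp = ip[ihl:total_len]                      # layer 4, bounded by the IP total length
    sport, dport, seq, ack = struct.unpack_from("!HHII", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    flags = tcp[13]
    out.update(sport=sport, dport=dport, seq=seq, ack=ack,
               syn=bool((flags >> 1) % 2), ack_flag=bool((flags >> 4) % 2),
               payload=tcp[data_offset:])       # application layer data
    return out


def build_frame(payload: bytes) -> bytes:
    """Construct a sample frame: 10.2.3.4:40000 to 192.0.2.80:80, PSH+ACK.
    Checksums are left at zero because this decoder does not verify them."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0, 64, IPPROTO_TCP, 0,
                         bytes([10, 2, 3, 4]), bytes([192, 0, 2, 80]))
    eth_hdr = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                           ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


# An IDS is this decoder plus rules that raise alerts. One illustrative content
# rule in the spirit of a Snort signature (hypothetical, not a published rule):
RULES = [
    {"name": "HTTP request for /etc/passwd", "dport": 80, "content": b"/etc/passwd"},
]


def alerts(frame: bytes) -> list:
    """Return one alert string per rule matched by the decoded frame."""
    pkt = decode(frame)
    hits = []
    for rule in RULES:
        if pkt.get("dport") == rule["dport"] and rule["content"] in pkt.get("payload", b""):
            hits.append(f"{rule['name']} {pkt['src_ip']}:{pkt['sport']} -> "
                        f"{pkt['dst_ip']}:{pkt['dport']}")
    return hits


if __name__ == "__main__":
    frame = build_frame(b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n")
    for key, value in decode(frame).items():
        print(f"{key:9s} {value!r}")
    print(alerts(frame))
```

The decoder deliberately trusts the lengths it reads from the headers, which is fine for a constructed frame; a production sensor has to bound-check every field, because malformed frames are a classic way to crash or evade an analyzer.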
				<Page>
					<Title>Sniffing with a Hub</Title>
					<Subtitle/>
					<Filename>idsl5_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A hub operates at the Physical layer, layer one, of the OSI model. A hub does not manage any of the traffic that comes through its ports but acts as a multi-port repeater. It simply regenerates any signal arriving on one port and repeats it out every other port, with no understanding of the protocols carried in the traffic. Hubs are also half duplex. Remember, this means only one half of a conversation can be transmitted at a time. All ports on a hub share a single collision domain, in which every connected device competes for access to the medium. A collision occurs when more than one device transmits through the hub at the same time. A transmitting station that detects another transmission stops sending, emits a jam signal, and then waits a random interval before trying to send that frame again. This procedure is Carrier Sense Multiple Access With Collision Detection, or CSMA/CD, the Ethernet access method used on shared media such as hubs: a station listens before sending, stops as soon as a collision is detected, and the random back-off reduces the probability of a second collision when the transmission is retried. To sniff traffic using a hub, the IDS is connected to one of the hub's ports. Because the hub repeats the traffic from all the other ports, the IDS receives all of it, and an analyst can then monitor that traffic. Sniffing through a hub only works in a properly engineered environment: one device per hub port, ideally just the two endpoints of the link being monitored plus the sensor, and very small amounts of traffic. Overall this method does not scale to larger networks. Select the disadvantages button to learn more about the challenges of sniffing with a hub. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Sniffing with a Hub</Title>
							<Subtitle/>
							<Filename>idsl5_09_01</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1">If you add a hub to sniff traffic, you may introduce operational problems on the network. Half duplex operation with a shared collision domain causes congestion and collisions, and although CSMA/CD manages those collisions, the retransmissions it causes are a source of inefficiency that slows the network. In addition, many devices sold as hubs are really simple, inexpensive switches. These unmanaged switches forward each frame only to the port where its destination lives and usually do not offer a monitoring port, so a sensor plugged into one sees very little. A true 100 megabit hub would give the sensor the repeated traffic it needs, but such hubs are no longer being manufactured. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Disadvantages of a hub</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Disadvantages of a hub. Image of a hub reprises. Bulleted text appears. Ports on the hub are highlighted with the text Shared Collision Domain. </ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Sniffing with a hub. Image labeled O S I displays a stack of seven text boxes. From the top, the text boxes are labeled Application, Presentation, Session, Transport, Network, Data link, and Physical. Physical layer is highlighted. Bulleted text appears. A hub image shows ports with lines going from different ports on the hub to each of the following images: a firewall, untrusted router, trusted router, and I D S. A button labeled Disadvantages is selectable as a popup. Rollover for collision domains displays A network segment where devices compete for network access and only one device may transmit at a time. Data packets from different devices can potentially collide with one another, resulting in the data transmission being stopped, a jam signal being sent, and the transmission re-tried at a later time. C S M A C D Carrier Sense Multiple Access With Collision Detection. An improved system that terminates the competing data packets as soon as a collision is detected, and resends each packet one at a time. C S M A C D reduces the probability of a second collision when the transmission is attempted again. Instructions appear to select Disadvantages to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Sniffing with a Switch</Title>
					<Subtitle/>
					<Filename>idsl5_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A network switch operates at the Data Link layer, layer two. A switch creates a separate collision domain for each port and learns which MAC addresses are reachable through each port, so with one device per port no collisions should occur. Switches also allow full duplex communication. Remember, this means both sides of the conversation can transmit at the same time. Because the switch forwards each unicast frame only to the port where its destination lives, connecting one device per port also isolates traffic, and that isolation blinds an IDS. The switch knows which ports lead to the firewall and to the trusted router and delivers their traffic only to those ports, so an IDS on a third port never sees the traffic between them; it sees only traffic addressed to its own port plus broadcasts and flooded frames. To avoid this, sniffing with a switch requires one port to be configured to receive a copy of the traffic seen on other ports. The mirrored traffic can come from a subset of the switch ports or from all of them. The IDS is connected to that specially configured port and can then monitor all of the mirrored traffic without adding collisions to any network segment. This monitoring port is known on Cisco switches as a Switched Port Analyzer, or SPAN, port and on Hewlett Packard, or HP, switches as a mirror port. Sniffing with a switch can work on a smaller network, or in an organization with smaller amounts of traffic, but there are some disadvantages to this method. Select the disadvantages button to learn more about the challenges of sniffing with a switch. Select the configuration buttons to learn more about the SPAN and mirror port configuration examples. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Sniffing with a Switch</Title>
							<Subtitle/>
							<Filename>idsl5_10_01</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">On CISCO switches, the mirroring port is known as a SPAN port. To configure the SPAN port, first, identify the interface. Then, list the ports you want to monitor. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Span port</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Span port. An image of a port labeled Span port appears. Bulleted text appears. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Sniffing with a Switch</Title>
							<Subtitle/>
							<Filename>idsl5_10_02</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">On HP switches, the mirroring port is known as a mirror port. To configure the mirror port, first, identify the mirror port. Then, list each port to monitor. </Txt>
								<Txt frameNbr="1"/>
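								<Txt frameNbr="1">The two configuration examples these popups describe, written out as an added illustration rather than text from the lesson: a Cisco IOS SPAN session and an HP ProCurve mirror port, each copying the traffic of ports 1 through 10 to a monitoring port 24 where the IDS is attached. The port numbers and the session number are assumptions chosen for the illustration; check them against your own switch and its documentation.

```text
! Cisco IOS SPAN (assumed port numbering): identify the destination
! interface first, then list the source ports to monitor
monitor session 1 destination interface GigabitEthernet0/24
monitor session 1 source interface GigabitEthernet0/1 - 10

; HP ProCurve mirror port (assumed port numbering): identify the mirror
; port first, then list each port to monitor
mirror-port 24
interface 1-10 monitor
```

In both cases the monitoring port only transmits copies toward the IDS, so the IDS interface attached to it is normally left without an IP address and is never used for management. Copying ten ports into one is also where the overload described under Disadvantages comes from, so keep the list of mirrored ports to what the monitoring port can carry.</Txt>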
							</ShowText>
						<Sec508TriggerName>Mirror port</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Mirror port. An image of a port labeled Mirror port appears. Bulleted text appears. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Sniffing with a Switch</Title>
							<Subtitle/>
							<Filename>idsl5_10_03</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">While sniffing with a switch is preferable to using a hub, there are disadvantages. Some of the traffic may be dropped, or sanitized. A switch may not forward broken or fragmented frames to a SPAN/Mirror port. Unfortunately, attackers will use fragmented frames to attack and the IDS may not see that traffic. Most switches can only support a single SPAN/Mirror port. Additional equipment is required to allow two devices to monitor one SPAN/Mirror port. Also, mirroring multiple ports on a switch can overload the monitoring port. For example, let's assume a 100 megabit switch, mirroring ten 100 megabit ports of traffic. The IDS is set up on one of the standard 100 megabit monitoring ports that has been configured as a SPAN/Mirror port. All that traffic filtering through a 100 megabit SPAN/Mirror port will overload the port. The sniffer will miss traffic and may miss malicious events. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Disadvantages</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Disadvantages. An image of a switch appears showing ports with lines going from different ports to each of the following images: a firewall, untrusted router, trusted router, and I D S. Bulleted text appears. Text appears. The set of ports connected to the firewall and untrusted router, and the trusted router are encircled.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Sniffing with a switch. Image labeled O S I displays a stack of seven text boxes labeled O S I. From the top, the text boxes are labeled Application, Presentation, Session, Transport, Network, Data link, and Physical. Data link layer is highlighted. Bulleted text appears. Switch image appears with 24 ports labeled collision domain 1 through collision domain 24. Image of a cell phone appears. Collision domain labels are replaced with lines going from one port on the switch to a firewall connected to an untrusted router image. Another port is connected to a trusted router image. Additional bulleted text appears. Span Port, Mirror port and Disadvantages are enabled as popups. Instructions appear to select the configuration examples and Disadvantages to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Sniffing with a TAP</Title>
					<Subtitle/>
					<Filename>idsl5_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An Ethernet Test Access Port, or TAP, operates at the Physical layer, layer 1. A TAP is placed on the cable between two devices to capture the network traffic. TAPs are usually passive, and their monitor ports are read-only. They can capture full duplex communications without slowing down the network. When sniffing with a TAP, an IDS is connected to the monitoring ports on the TAP. The TAP passes through all traffic between A and B, so A and B still think they are connected directly to each other. At the same time, the TAP copies the traffic between A and B to its monitor ports. The IDS connected to the monitoring ports receives the copied data, enabling it to monitor all traffic crossing the TAP. Simple network TAPs require two monitoring ports to relay both sides of the full duplex communication, as shown here. More advanced aggregation TAPs combine the two sides of the full duplex conversation into one monitoring port, which allows full duplex monitoring on a single IDS interface. There are also multi-aggregator and port aggregator TAPs. A multi-aggregator TAP delivers the same stream of data packets to multiple monitoring devices, whereas a port aggregator TAP allows a single device to receive multiple streams of data packets. Similar to hubs and switches, TAPs also have some disadvantages. Unlike the other methods, TAPs can use buffers to minimize some of those disadvantages. Select each type of aggregation TAP to view configuration samples. Select disadvantages to learn about the challenges of port aggregators. Select buffers to learn how to combat overloading a port. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Sniffing with a TAP</Title>
							<Subtitle/>
							<Filename>idsl5_11_01</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A multi-aggregator TAP splits a single traffic stream into multiple monitoring ports for traffic monitoring by multiple devices. In this example, a 1 by 2 aggregation TAP allows one full duplex traffic stream to be monitored by two IDSes. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Multi Aggregator TAP</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 4. Popup title: Multi Aggregator TAP. Image of a monitoring port device appears with one port connected to a firewall and untrusted router image. A second port connected to a trusted router image. Two ports appear connected to an I D S 1 device, and the other to an I D S 2 device. Text and bullet points appear.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Sniffing with a TAP</Title>
							<Subtitle/>
							<Filename>idsl5_11_02</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A port aggregator TAP combines multiple traffic streams to be sent to one monitoring port, monitored by a single device. In this example, a 4 by 1 port aggregator allows four full duplex traffic streams to be monitored by one IDS. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Port Aggregator</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 4. Popup title: Port Aggregator. Image of a monitoring port device appears with five ports connected to a firewall 1, firewall 2, D M Z 1 switch, D M Z 2 switch, and an I D S 1 device. Text and bullet points appear.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Sniffing with a TAP</Title>
							<Subtitle/>
							<Filename>idsl5_11_03</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1">To minimize port overload, aggregation TAPs should incorporate a memory buffer. A memory buffer temporarily holds data while it is being moved from one place to another. The buffer is sized for occasional bursts of high volume traffic, to mitigate monitor port overload. The TAP buffer can only store so much data, and will fail if aggregated traffic consistently overloads the TAP port. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Tap Buffers</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 4. Popup title: Tap Buffers. Image of a monitoring port device and bulleted text appears. </ContentDescription></Sec508Data>
						</Popup>
						<Popup>
							<Title>Sniffing with a TAP</Title>
							<Subtitle/>
							<Filename>idsl5_11_04</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Network TAPs are a reliable method of sniffing, but there are still issues to consider when using TAPs. A network TAP requires more hardware to be installed and is therefore more expensive. If multiple traffic streams are combined, an IDS may become confused regarding the network topology. Similar to a switch, the combination of multiple streams of traffic can also overload the monitoring port. For example, let's assume you have 100 megabit ports, with 70 megabit streams of traffic running through each one. You then combine two streams of traffic to form a 140 megabit stream. Your IDS is set up on one of the standard 100 megabit monitoring ports. The 140 megabit traffic stream sent through the 100 megabit port is too much traffic and will overload the port. The sniffer will miss traffic and can miss malicious events. </Txt>
								<Txt frameNbr="1"/>
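								<Txt frameNbr="1">An added illustration, not code from the lesson: a small Python check that works the two overload examples given here and in the switch Disadvantages popup, and a toy model of the memory buffer described under Tap Buffers. It assumes rates in megabits per second as the lesson quotes them, a monitoring port that forwards at most its own line rate toward the IDS, and one-second time steps for the buffer. The worst_case_streams helper goes beyond the lesson's examples by counting both directions of a full duplex link, which is why even a single link of the same speed as the monitoring port can saturate it.

```python
"""Monitor-port oversubscription and TAP-buffer check (added example, not
lesson code).  All rates are in megabits per second, quoted the way the
lesson quotes them: each stream is the traffic one mirrored or tapped
link offers, and the monitoring port can forward at most its own line
rate toward the IDS.  Protocol overhead and packet sizes are ignored."""


def check_monitor_port(streams_mbit, monitor_port_mbit):
    """Aggregate the streams copied to one monitoring port.

    Returns (offered, ratio, dropped_fraction): total offered load, how
    many times the port's capacity that is, and the share of traffic the
    IDS never sees once the port is saturated (a ratio above 1.0)."""
    offered = float(sum(streams_mbit))
    ratio = offered / monitor_port_mbit
    if offered > monitor_port_mbit:
        dropped_fraction = 1.0 - monitor_port_mbit / offered
    else:
        dropped_fraction = 0.0
    return offered, ratio, dropped_fraction


def worst_case_streams(link_rates_mbit):
    """Worst-case offered load per full-duplex link: both directions at
    line rate are copied onto the single transmit side of the monitoring
    port, so even one link of the same speed can saturate it."""
    return [2.0 * rate for rate in link_rates_mbit]


def simulate_tap_buffer(offered_per_second, port_mbit, buffer_mbit):
    """Toy model of the TAP memory buffer, in one-second steps.

    Each second the arriving copies join the backlog, the port forwards up
    to its line rate, and whatever backlog exceeds the buffer is lost.
    Returns the total megabits dropped."""
    backlog = 0.0
    dropped = 0.0
    for arriving in offered_per_second:
        backlog += arriving
        backlog -= min(backlog, port_mbit)
        if backlog > buffer_mbit:
            dropped += backlog - buffer_mbit
            backlog = buffer_mbit
    return dropped


def lesson_scenarios():
    """The two overload examples from the lesson, plus a burst that a
    buffer absorbs and a sustained overload that it cannot."""
    span = check_monitor_port([100] * 10, 100)   # ten 100 Mbit ports into a 100 Mbit SPAN port
    tap = check_monitor_port([70, 70], 100)      # two 70 Mbit streams into a 100 Mbit port
    burst = simulate_tap_buffer([140, 140, 40, 40], 100, 100)
    sustained = simulate_tap_buffer([140] * 5, 100, 100)
    return span, tap, burst, sustained
```

The ten-port SPAN case offers ten times the port's capacity, so the IDS sees at most a tenth of the traffic; the TAP case offers 1.4 times and loses about two sevenths. The buffer run shows why the lesson says a buffer helps only with occasional bursts: the four-second burst drains without loss, while five seconds of sustained 140 megabit load fills a 100 megabit buffer by the third second and drops everything above it from then on.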
							</ShowText>
						<Sec508TriggerName>Disadvantages.</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 4. Popup title: Disadvantages. Image of a monitoring port device appears with five ports connected to a firewall 1, firewall 2, D M Z 1 switch, D M Z 2 switch, and an I D S 1 device with a callout A plus B plus C plus D traffic. Text and bullet points appear in support of audio.</ContentDescription></Sec508Data>
						</Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Sniffing with a tap. Image labeled O S I displays a stack of seven text boxes labeled O S I. From the top, the text boxes are labeled Application, Presentation, Session, Transport, Network, Data link, and Physical. Physical layer is highlighted. Rollover for Taps displays Test access ports. Image of a monitoring port device appears with one port connected to a firewall and untrusted router image. A second port connected to a trusted router image. Two ports appear connected to an I D S device with one line labeled A Traffic and the other B Traffic. Bulleted text appears. Multi Aggregator, Port Aggregator, Disadvantages, and Buffers text boxes appear selectable as popups. Instructions appear to select each type of Tap aggregator, disadvantages, and buffers to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Summary of Sniffing Methods</Title>
					<Subtitle/>
					<Filename>idsl5_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Before moving on, take a few minutes to review the advantages and disadvantages of each sniffing method: hubs, switches, and Ethernet taps. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Summary of Sniffing Methods. A 3 column table appears with columns labeled Method, Advantages, Disadvantages. For hubs method, advantages include Act as a multi-port repeater. Regenerates and broadcasts all traffic. IDS receives all traffic rebroadcasted. Disadvantages include Causes operational network issues. Causes congestion and collisions. Slows down the network. Cannot be done with cheap switches. Can only be done in properly engineered environment. One device per switch. Very small amounts of traffic. For switches method, advantages include Create a different collision domain per port. No data collisions. Are full duplex. IDS receives all traffic mirrored from the other ports on the switch. Disadvantages include Traffic is sanitized. Sniffer misses dropped fragmented frames. Can only support a single mirror port. Additional equipment required for 2 devices. Overloads the monitoring port. Sniffer misses traffic. For Ethernet taps method, advantages include Listen into network traffic. Are passive, read only. Are full duplex. I D S receives all copied traffic crossing the TAP through the monitoring port. Do not slow down the network. Multi aggregator TAPs have a single traffic stream to multiple monitoring devices. Port aggregator TAPs have multiple traffic streams to a single monitoring device. Disadvantages include Requires more hardware. More expensive. IDS confuses network topology. Overloads the monitoring port. Sniffer misses traffic. Can be mitigated with a tap buffer.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Places to Sniff</Title>
					<Subtitle/>
					<Filename>idsl5_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You now know that a hub, switch, or TAP can be used to sniff your network. But where exactly do you place the IDS on your network to sniff successfully? In general, a NIDS should be placed at network choke-points and boundaries. Common network choke-point locations include where security zones meet, such as between a DMZ and the trusted network or at the boundary between a classified and an unclassified network; outside a security perimeter, such as in front of the external interface of the Internet-exposed firewall or boundary router; and on the trusted side of the network. Select the network locations to learn more about each IDS placement. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Places to Sniff</Title>
							<Subtitle/>
							<Filename>idsl5_13_01</Filename>
							<PageNbr>13</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Remember, a DMZ contains the servers exposed to the Internet to provide services such as mail and web. A sound network design should have a firewall filtering traffic to and from the DMZ, including any limited access to the internal trusted network. With DMZ servers more exposed than internal machines, even the most hardened server risks compromise. There is also the danger of pivoting once a DMZ server is compromised. While a properly implemented DMZ can make pivoting difficult for attackers, a detected pivot attempt is a clue that there is a compromise within the DMZ. An IDS inspecting traffic within the DMZ can detect these potential compromises within the DMZ and successful pivot attempts from the DMZ. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Security Zone</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Security Zone. Network image reprises, showing the network comprising a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a trusted cloud. The firewall is also connected to a tube labeled D M Z, connected to a server labeled S M T P server. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. and a NIDS device appear. Bulleted text appears. Arrows appear connecting the NIDS device with the network between the firewall and the trusted cloud image; and between the firewall and the D M Z image.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Places to Sniff</Title>
							<Subtitle/>
							<Filename>idsl5_13_02</Filename>
							<PageNbr>13</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Some organizations may find it beneficial to monitor the traffic outside the boundary router or external firewall. An IDS placed beyond the network perimeter of an organization can observe what types of attacks are targeting the network, or test the traffic filtering efficiency of the firewall. Analysis of events collected by an external IDS can also put events detected by internal IDSes into context: some parts of an intrusion, such as scanning or failed penetration attempts, may be blocked while others manage to bypass the firewall. There are potential pitfalls to monitoring the unfiltered Internet traffic at the network perimeter. With no firewall or router filtering traffic, the noise level and maliciousness of the traffic are very high, resulting in frequent alerts. The NIDS must have hardware capable of processing that level of traffic to prevent IDS overload. Finally, note that an IDS can itself be compromised simply by sniffing and analyzing maliciously crafted packets. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>External Interface</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: External Interface. Network image reprises, showing the network comprising a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a trusted cloud. The firewall is also connected to a tube labeled D M Z, connected to a server labeled S M T P server. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. and a NIDS device appear. Bulleted text appears. Arrows appear connecting the NIDS device with the network between the untrusted cloud and the boundary router. Bulleted text appears.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Places to Sniff</Title>
							<Subtitle/>
							<Filename>idsl5_13_03</Filename>
							<PageNbr>13</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The internal trusted network is the core of the network infrastructure with multiple levels of enforcement mechanisms, assuming proper network design. The trusted side of the network is a high risk/high reward area as any successful penetration at this level of the network leaves resources, assets, and data extremely exposed. IDSes placed on or between internal subnets, inside the firewall or network switch, are useful in detecting client-side attacks; the proliferation of malware; and attacks triggered by insiders. Placement at these locations provides a viewpoint into attacks that originate in the trusted network and may never reach a network choke-point. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Trusted Network</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Trusted Network. Network image reprises, showing the network comprising a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a trusted cloud. The firewall is also connected to a tube labeled D M Z, connected to a server labeled S M T P server. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. and a NIDS device appear. Bulleted text appears. Arrows appear connecting the NIDS device with the network between the firewall and the D M Z image. The S M T P server appears with a warning symbol.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Places to sniff. Images of a hub, switch and tap appear in sync with audio. Image of the Snort logo appears with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. Image of a network appears with a question mark. The network comprises a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a trusted cloud. The firewall is also connected to a tube labeled D M Z, connected to a server labeled S M T P server. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. and a NIDS device appear. Bulleted text appears. Arrows appear connecting the NIDS device with the network between the firewall and the trusted cloud image; between the untrusted cloud and the boundary router; and between the firewall and the D M Z image. The text Trusted networks appears selectable as a popup above and between the firewall and trusted cloud. The text Security Zone appears selectable as a popup below the NIDS device next to the D M Z image. And the text External interface appears selectable as a popup under the untrusted cloud image. Instructions appear to select network locations to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl5_14</Filename>
					<PageNbr>14</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>525</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following methods operates in full duplex and allows the IDS to see traffic that passes through it, without interruption?</Txt>
							<Response>
								<Txt>A Hub</Txt>
							</Response>
							<Response>
								<Txt>A Switch</Txt>
							</Response>
							<Response valid="true">
								<Txt>A TAP</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. A TAP operates in full duplex and allows the IDS, or IDSes, to see all traffic that passes through it without interrupting operations or slowing down the network.</DfltCorrect>
								<DfltIncorrect>Incorrect. A TAP operates in full duplex and allows the IDS, or IDSes, to see all traffic that passes through it without interrupting operations or slowing down the network.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following methods operates in half duplex and allows the IDS to see traffic that has been rebroadcasted from other ports?</Txt>
							<Response valid="true">
								<Txt>A Hub</Txt>
							</Response>
							<Response>
								<Txt>A Switch</Txt>
							</Response>
							<Response>
								<Txt>A TAP</Txt>
							</Response>								
							<Feedback>
								<DfltCorrect>Correct. A hub operates in half duplex and allows the IDS to see traffic it regenerates and broadcasts from other ports.</DfltCorrect>
								<DfltIncorrect>Incorrect. A hub operates in half duplex and allows the IDS to see traffic it regenerates and broadcasts from other ports.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following methods operates in full duplex and allows the IDS to see traffic through a SPAN port?</Txt>
							<Response>
								<Txt>A Hub</Txt>
							</Response>
							<Response valid="true">
								<Txt>A Switch</Txt>
							</Response>
							<Response>
								<Txt>A TAP</Txt>
							</Response>								
							<Feedback>
								<DfltCorrect>Correct. A switch operates in full duplex and allows the IDS to see traffic that has been mirrored from another port through a SPAN or mirror port.</DfltCorrect>
								<DfltIncorrect>Incorrect. A switch operates in full duplex and allows the IDS to see traffic that has been mirrored from another port through a SPAN or mirror port.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of the different sniffing methods. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 21. Topic title: Network Sniffing Fundamentals. Screen title: Knowledge Check. This is a series of three multiple choice questions. Each one has three possible choices. Use the down arrow key to move through the options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>IDS Configuration Issues</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Configuring Networks</Title>
					<Subtitle/>
					<Filename>idsl5_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You now know what to use to sniff your network traffic and where to place your IDS. If you left the system unconfigured, you might be bombarded with an unmanageable number of alerts to investigate. Now your IDS needs to be configured for your particular network, telling it specifically what to look for. Configuring, or tuning, your IDS sensors allows you to limit the alerts you receive to those that match the rules you set, making your system more effective. The first step is defining your trusted and untrusted networks. Most IDSes already have a concept of trusted and untrusted networks. For example, the rules of the open source IDS Snort use $HOME_NET to represent the trusted network and $EXTERNAL_NET to represent the untrusted network. If your trusted network is 192.168.1.0/24, then the configuration is $HOME_NET == 192.168.1.0/24. The untrusted network is $EXTERNAL_NET == ![192.168.1.0/24]. The exclamation point categorizes anything other than 192.168.1.0/24 as untrusted. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 21. Topic title: I D S Configuration Issues. Screen title: Configuring Networks. Image of a NIDS device appears. Image of a network comprising a cloud labeled Untrusted connected to a device labeled boundary router, connected to a firewall image, connected to a trusted cloud. The firewall is also connected to a tube labeled D M Z, connected to a server labeled S M T P server. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. and a NIDS device appear. Bulleted text appears. Arrows appear connecting the NIDS device with the network between the firewall and the trusted cloud image; between the untrusted cloud and the boundary router; and between the firewall and the D M Z image. Image of a user and laptop appears with Alert messages popping up on the user's screen, followed by an image of command line prompts. Bulleted text and a table with a Network column and a Snort Configuration column appear in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Tuning Specific Servers</Title>
					<Subtitle/>
					<Filename>idsl5_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Another aspect of tuning your IDS is to set the variables for the specific servers in your environment. Configuring server variables lowers the amount of traffic the IDS has to process, because each service's rules are applied only to traffic involving the servers that actually run that service. Specifying your servers also helps your IDS avoid producing false positive and false negative alerts. To tune your servers, you need a thorough understanding of your network environment and your server locations. Most IDSes allow tuning for specific servers, such as DNS, SMTP, HTTP, SQL, Telnet, and SNMP. Snort's default value is HOME_NET for each of these servers. If you do not have a good understanding of your server locations, leaving the default values may be your best option. Some IDSes can passively and automatically learn server locations and types. If you do know your servers, you can tune the various Snort server variables to specific IP addresses. Select tune to specific IP addresses to view server tuning examples. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Tuning Specific Servers</Title>
							<Subtitle/>
							<Filename>idsl5_16_01</Filename>
							<PageNbr>16</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Instead of maintaining the default values for your Snort sensor, you can tune the various Snort server variables to specific IP addresses. Here are examples of the tuning for DNS, SMTP, HTTP, SQL, Telnet, and SNMP servers. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Tune to specific I p addresses</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Tune to specific I p addresses. Two column table displays examples of Servers and Tuned Server Locations. D N S is var D N S underscore servers in brackets 1 92 dot 1 68 dot 64 dot 2 slash 32, 1 92 dot 1 68 dot 64 dot 3 slash 32. S M T P is s m t p underscore servers in brackets 1 92 dot 1 68 dot 64 dot 2 slash 32, 1 92 dot 1 68 dot 64 dot 7 slash 32. h t t p is h t t p underscore servers in brackets 1 92 dot 1 68 dot 64 dot 11 slash 32, 1 92 dot 1 68 dot 64 dot 12 slash 32. S Q L is s q l underscore servers in brackets 1 92 dot 1 68 dot 64 dot 23 slash 32, 1 92 dot 1 68 dot 64 dot 24 slash 32. Telnet is telnet underscore servers in brackets 1 92 dot 1 68 dot 64 dot 26 slash 32, 1 92 dot 1 68 dot 64 dot 33 slash 32. s n m p is s n m p underscore servers in brackets 1 92 dot 1 68 dot 64 dot 39 slash 32.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 21. Topic title: I D S Configuration Issues. Screen title: Tuning Specific Servers. Network image appears. Bulleted text appears. Table appears with two columns labeled Servers and Snort's Default Server Values. For D N S server, default value is var D N S underscore servers home net. S m t p default value is var s m t p underscore servers home net. For h t t p, default value is var h t t p underscore servers home net. For s q l, default value is var s q l underscore servers home net. For telnet, default value is var telnet underscore servers home net. For s n m p, default value is var s n m p underscore servers home net. Text Tune to specific I p addresses is selectable as a popup. Instructions appear to select Tune to specific I p addresses to learn more. Rollover text displays D N S Domain Name System, S M T P Simple Mail Transfer Protocol, Hypertext Transfer Protocol, S Q L Structured Query Language, Telnet Terminal Emulation, and S N M P Simple Network Management Protocol.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Tuning Specific Ports</Title>
					<Subtitle/>
					<Filename>idsl5_17</Filename>
					<PageNbr>17</PageNbr>
					<ShowText>
						<Txt frameNbr="1">It is also common to configure variables for specific ports and the services that run on those ports in the Snort configuration files. While variables can be created for any port and service combination, one of the most commonly configured port variables is for your web servers. Web servers are the hosts delivering your web content, but many other devices may be running a web service, including printers, scanners, copiers, and fax machines; Voice over IP phones; and desktops running antivirus or backup software. An attacker could compromise any of these devices, so it is important for the IDS to be able to identify each one as a web server, apply the appropriate rules, and recognize an attack. Most web servers run on port 80, or port 8080 as an alternate, and servers using HTTPS typically use port 443, but a web server may run on any TCP port. The IDS must be configured to look for any ports on your network running a web service. Snort uses the HTTP_PORTS variable to configure the ports to monitor for HTTP traffic. HTTP_PORTS defaults to port 80. You can also set port 8080, port 443, or any other port where a web service is running. </Txt>
						<Txt frameNbr="1"/>
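						<Txt frameNbr="1">An added example, not code from the lesson or from the Snort project: a small Python evaluator for the kind of network, server, and port variables discussed on the last three screens. It uses the var NAME value form shown in the server tuning table, a bracketed list for multiple addresses, the exclamation point negation used for EXTERNAL_NET, and a $HOME_NET reference for a server variable left at its default. The parser is a simplified reading of that syntax, not Snort's own parser, and the sample configuration is constructed: HOME_NET is set to 192.168.64.0/24 so that the server addresses from the lesson's table fall inside it, and a var whose name ends in _PORTS is treated as a port list.

```python
"""Evaluate Snort-style network and port variables (added example).

Simplified reading of the 'var' / 'ipvar' / 'portvar' syntax the lesson
shows; it is not Snort's own parser.  Supports single CIDRs, bracketed
lists, $NAME references, and a leading '!' that negates the whole value.
"""
import ipaddress

# Constructed sample configuration (assumption): HOME_NET is 192.168.64.0/24
# so that the tuned server addresses from the lesson's table fall inside it.
SAMPLE_CONFIG = """
var HOME_NET 192.168.64.0/24
var EXTERNAL_NET ![192.168.64.0/24]
var DNS_SERVERS [192.168.64.2/32,192.168.64.3/32]
var HTTP_SERVERS [192.168.64.11/32,192.168.64.12/32]
var SQL_SERVERS $HOME_NET
var HTTP_PORTS [80,443,8080]
"""


def parse_ip_var(value, variables):
    """Return (networks, negated) for one IP variable value."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("$"):
            # Reference to an earlier variable; definition order matters.
            ref_networks, ref_negated = variables[item[1:]]
            if ref_negated:
                # Nested negation is out of scope for this illustration.
                raise ValueError("negated reference not supported: " + item)
            networks.extend(ref_networks)
        else:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks, negated


def parse_port_var(value):
    """Return the set of ports a port variable covers (80, or a range 8000:8080)."""
    ports = set()
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        if ":" in item:
            low, high = item.split(":")
            ports.update(range(int(low), int(high) + 1))
        elif item:
            ports.add(int(item))
    return ports


def load_config(text):
    """Parse var/ipvar/portvar lines into IP and port variable tables."""
    ip_vars, port_vars = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        kind, name, value = parts
        if kind == "portvar" or (kind == "var" and name.endswith("_PORTS")):
            port_vars[name] = parse_port_var(value)
        elif kind in ("var", "ipvar"):
            ip_vars[name] = parse_ip_var(value, ip_vars)
    return ip_vars, port_vars


def ip_matches(address, ip_var):
    """True when the address is covered by the variable; '!' inverts the test."""
    networks, negated = ip_var
    ip = ipaddress.ip_address(address)
    covered = any(ip in net for net in networks)
    return covered != negated


def is_external_web_request(src, dst, dst_port, ip_vars, port_vars):
    """Would a packet match the header of a rule written against
    $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS?"""
    return (ip_matches(src, ip_vars["EXTERNAL_NET"])
            and ip_matches(dst, ip_vars["HTTP_SERVERS"])
            and dst_port in port_vars["HTTP_PORTS"])


IP_VARS, PORT_VARS = load_config(SAMPLE_CONFIG)
```

With this configuration a request from an outside address to 192.168.64.11 on port 8080 is inspected by the web server rules, while the same request to port 22, or from an address inside HOME_NET, is not. SQL_SERVERS still covers every trusted host because it was left at the HOME_NET default, whereas HTTP_SERVERS covers only the two tuned addresses; that difference is the reduction in inspected traffic the lesson describes.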
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 17 of 21. Topic title: I D S Configuration Issues. Screen title: Tuning Specific Ports. Snort logo with trademark symbol and statement Snort is a registered trademark of Sourcefire, Inc. appear. Text displays Snort configurations var h t t p underscore ports. var shellcode underscore port. var oracle underscore ports. Network image appears comprising a server image connected to a network of three workstations and a phone and printer. The server is also connected to an I D S device and a server labeled web server with a globe image. The web server appears highlighted and bulleted text appears in support of audio. Two column table displays ports and Snort web server configurations in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Determining Server Location and Open Ports</Title>
					<Subtitle/>
					<Filename>idsl5_18</Filename>
					<PageNbr>18</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Each organization may have already determined its server locations and open ports, mapping its networks in detailed network documentation and diagrams. That documentation is a useful starting point for determining the locations of your servers and the services available on any open ports. But do not rely solely on this information, because the accuracy and completeness of the documents cannot always be trusted. To determine server location and services, you can use a sniffer to passively detect where the active servers are. This method only works if the server is active at the same time that the sniffer is running and looking for servers and open ports. Another method is to actively scan your network for servers using a network scanner such as Nmap. By sending certain data packets out and evaluating each host's response, you can determine the different server locations and what services might be running. An active scan can be the best way to discover servers in production. Remember that you should always sniff or scan only with explicit permission to do so. Performing active network scans without authorization is often a violation of security policy and could be mistaken for malicious network probing and attack. If you have any doubt about your permission to sniff or scan the network, do not do it. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 18 of 21. Topic title: I D S Configuration Issues. Screen title: Determining Server Location and Open Ports. An image shows 5 servers connected together, labeled D N S, S N M P, S Q L, H T T P, and S M T P. A text box displays bulleted text. An image of a monitor labeled scanner appears outside the network. An image of a laptop labeled sniffer appears with a line connected to the h t t p server image. Text explicit permission appears next to the sniffer image. Data streams animate going from the scanner image to the D N S server image.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Nmap</Title>
					<Subtitle/>
					<Filename>idsl5_19</Filename>
					<PageNbr>19</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To determine the different server locations and open ports on your network, one option is to use a network scanner or mapping tool, such as Nmap. Nmap is an active scanning tool that discovers hosts and services, creating a map of the network. Nmap sends specially designed packets to a specific host and then analyzes the responses. Nmap includes a variety of scanning options. To scan a specific port range, use the &quot;-p&quot; option. By default, Nmap scans the thousand most commonly used ports. To scan all of the ports, you use &quot;-p 0-65535&quot;. However, expanding the port range to include all ports can greatly increase the scan time. Nmap can also detect both the operating system, or OS, and the service version of the targeted server. For OS and version detection, you can use &quot;-A&quot; followed by the target address. This is an example of Nmap scanning results. The Nmap results can also be viewed through a graphical user interface, called Zenmap. Once you have the Nmap results, you can tune your IDS accordingly. Select Zenmap to view an example of the interface. Select the Snort tuning options to learn more about them. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Nmap</Title>
							<Subtitle/>
							<Filename>idsl5_19_01</Filename>
							<PageNbr>19</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Zenmap is a GUI that gives the user a graphical front end to the command-line Nmap tool. Zenmap makes Nmap scans more convenient, repeatable, and interactive. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Zenmap</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Zenmap. Image of a Zenmap sample screen appears. Bulleted text appears. Rollover for G U I displays Graphical user interface.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Nmap</Title>
							<Subtitle/>
							<Filename>idsl5_19_02</Filename>
							<PageNbr>19</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Based on the previous Nmap results, here are the accompanying Snort configurations. Recommendations include listing the server under HTTP_SERVERS. Because Nmap identified this as a Linux host, set the frag3 fragment reassembly policy for the server's address to linux, so that Snort reassembles fragments the same way the target does. HTTP_PORTS should also be set accordingly. In this case, ports 80 and 8000 were identified by Nmap as open HTTP ports. </Txt>
								<Txt frameNbr="1"/>
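								<Txt frameNbr="1">As an added example, not part of this lesson and not code from the Snort or Nmap projects, the script below turns Nmap's grepable (-oG) output into the Snort 2.x tuning lines described on this screen and on the Tuning Specific Ports screen: an ipvar HTTP_SERVERS list, a portvar HTTP_PORTS list, and one frag3_engine policy per discovered host. The scan output, host addresses and service banners are constructed sample data; the is_web_service and frag3_policy rules are this example's own assumptions, chosen so that embedded devices such as the printer in the sample are also treated as web servers.

```python
"""Derive Snort 2.x tuning variables from Nmap grepable (-oG) output.

Added example for the lesson; the sample scan output below is constructed
and the classification rules are assumptions, not Snort or Nmap behaviour.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of 'nmap -A -oG' output; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.2.142 ()\tStatus: Up
Host: 192.168.2.142 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//Apache httpd 2.4.38/, 8000/open/tcp//http//Apache httpd 2.4.38/\tIgnored State: closed (997)\tOS: Linux 4.15 - 5.6
Host: 192.168.2.50 ()\tPorts: 443/open/tcp//ssl|https//HP printer httpd/, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)\tOS: HP embedded
Host: 192.168.2.77 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 8080/open/tcp//http-proxy//Microsoft IIS httpd 10.0/\tIgnored State: filtered (998)\tOS: Microsoft Windows 10
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def is_web_service(service, version):
    """Assumed rule: a port is a web service when Nmap names it http-like or the
    banner mentions an httpd. This catches printers, VoIP phones and other small
    embedded web servers the lesson warns about, not only dedicated servers."""
    return "http" in service.lower() or "httpd" in version.lower()


def parse_gnmap(text):
    """Return {ip: {'web_ports': set, 'os': str}} for hosts exposing a web service."""
    hosts = defaultdict(lambda: {"web_ports": set(), "os": ""})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        # Fields on a grepable Host line are tab separated.
        for field in line.split("\t")[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    # port/state/proto/owner/service/rpc/version/ ; pad short entries
                    parts = (entry.split("/") + [""] * 8)[:8]
                    port, state, proto, service, version = (
                        parts[0], parts[1], parts[2], parts[4], parts[6])
                    if state == "open" and proto == "tcp" and is_web_service(service, version):
                        hosts[ip]["web_ports"].add(int(port))
            elif field.startswith("OS: "):
                hosts[ip]["os"] = field[len("OS: "):]
    return {ip: info for ip, info in hosts.items() if info["web_ports"]}


def frag3_policy(os_name):
    """Assumed mapping from Nmap's OS guess to a frag3 target-based policy.
    'bsd' is frag3's own default and is used when the guess is unknown."""
    o = os_name.lower()
    if o.startswith("linux"):
        return "linux"
    if "windows" in o:
        return "windows"
    if "solaris" in o:
        return "solaris"
    return "bsd"


def snort_tuning(text):
    """Emit snort.conf lines: HTTP_SERVERS, HTTP_PORTS and one frag3 engine per host."""
    hosts = parse_gnmap(text)
    ips = sorted(hosts, key=ipaddress.ip_address)
    ports = sorted({p for info in hosts.values() for p in info["web_ports"]})
    lines = [
        "ipvar HTTP_SERVERS [%s]" % ",".join(ip + "/32" for ip in ips),
        # HTTP_PORTS is one global list: every port in it is inspected as HTTP on
        # every server, so a port found on one host widens inspection everywhere.
        "portvar HTTP_PORTS [%s]" % ",".join(str(p) for p in ports),
        "preprocessor frag3_global",
    ]
    for ip in ips:
        lines.append("preprocessor frag3_engine: policy %s bind_to [%s/32]"
                     % (frag3_policy(hosts[ip]["os"]), ip))
    return lines


if __name__ == "__main__":
    print("\n".join(snort_tuning(SAMPLE_GNMAP)))
```

Run against a real scan by reading the -oG file into snort_tuning instead of SAMPLE_GNMAP. Note the caveat in the comments: because HTTP_PORTS is a single global list, the 8000 found on the Linux host causes port 8000 to be inspected as HTTP on every HTTP_SERVERS host, which is the behaviour you want for detection but also the reason tuning should be reviewed after every rescan. </Txt>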
							</ShowText>
						<Sec508TriggerName>Snort tuning options</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Snort tuning options. Bulleted text appears. Tuning option for h t t p underscore servers is var h t t p underscore servers in brackets brackets 1 92 dot 1 68 dot 2 dot 1 42 slash 32. For Linux v o processor frag 3 underscore engine colon policy linux bind underscore to in brackets 1 92 dot 1 68 dot 2 dot 1 42 slash 32. For h t t p ports var h t t p underscore ports in brackets 80, and var h t t p underscore ports in brackets 8 thousand.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 19 of 21. Topic title: I D S Configuration Issues. Screen title: N Map. An image shows 5 servers connected together, labeled D N S, S N M P, S Q L, H T T P, and S M T P. An image of a computer monitor labeled N map appears outside the network with an animation showing data going from N Map device to the D N S and S N M P servers. Bulleted text appears. Rollover for N map displays network mapper.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl5_20</Filename>
					<PageNbr>20</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Most IDSes have a concept of trusted and untrusted networks.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Most IDSes have a concept of trusted and untrusted networks and should be configured accordingly.</DfltCorrect>
								<DfltIncorrect>Incorrect. Most IDSes have a concept of trusted and untrusted networks and should be configured accordingly.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Tuning your IDS sensors increases the processing load.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Tuning your IDS lowers the amount of traffic that the IDS has to process, as it matches the potentially malicious traffic to specific rules.</DfltCorrect>
								<DfltIncorrect>Incorrect. Tuning your IDS lowers the amount of traffic that the IDS has to process, as it matches the potentially malicious traffic to specific rules.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>It is important to get permission to perform an active network scan.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Getting written permission to perform active network scans avoids potential policy violations and legal issues.</DfltCorrect>
								<DfltIncorrect>Incorrect. Getting written permission to perform active network scans avoids potential policy violations and legal issues.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>It is not important to tune the IDS to recognize any device running as a web server.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. An attacker could compromise any device running as a small web server, so it is important for the IDS to be able to identify each one to launch the appropriate rules and recognize an attack.</DfltCorrect>
								<DfltIncorrect>Incorrect. An attacker could compromise any device running as a small web server, so it is important for the IDS to be able to identify each one to launch the appropriate rules and recognize an attack.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of IDS configurations. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 20 of 21. Topic title: I D S Configuration Issues. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are two possible answers, true or false. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsl5_21</Filename>
					<PageNbr>21</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Implementing IDSes lesson. You should now be able to identify what a DMZ is and why it is important. You should be able to identify the different methods of sniffing network traffic and the advantages and disadvantages of each method. Finally, you should be able to identify some IDS configuration issues. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 21 of 21. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in synch with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
