INTRUSION DETECTION AND PREVENTION SYSTEM
CHAPTER ONE
INTRODUCTION
1.1 Background of the Study
Intrusion detection and prevention systems in an enterprise network is a study into the forms and techniques of prevention and detection of intrusions into an enterprise computer network. Technological advancements in the twenty-first century witnessed an increase in cyber-attacks. This is usually preceded by heavy expenditure in recovery of lost data and possible lawsuits. This project aims to bring into limelight the various ways of preventing and detecting hacks into a computer network. Computer network hacking is not peculiar to the western world. There have been several cases of computer networks being hacked in Nigeria. According to Thisdaylive.com, an online newspaper company, a recent survey by Centrex Ethical Lab, a Nigerian cyber-security and intelligence company shows that 23 government websites on the gov.ng domain were defaced out of a total of 60 website defacements in 2012. The report also said the official websites of the National Assembly and Economic and Financial Crimes Commission appeared to be the most defaced government websites between 2010 and 2012. The company’s data analysis stated that the defacement of government websites increased from one per cent in 2009, to 10 per cent in 2010, and 60 per cent in 2012 [Thisdaylive14]. IDPS is an acronym for Intrusion Detection and Prevention Systems and will be used as such in the context of this thesis.
This study describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion into a system is an attempt by an outsider to the system to illegally gain access to the system. Intrusion prevention, on the other hand, is the art of preventing an unauthorized access of a system’s resources.
The two processes are related in a sense that while intrusion detection passively detects system intrusions, intrusion prevention actively filters network traffic to prevent intrusion attempts. There are six types of intrusions:
– Attempted break-ins, which are detected by typical behavior profiles or violations of security constraints. An intrusion detection system for this type is called anomaly-based IDPS.
– Masquerade attacks, which are detected by a typical behavior profiles or violations of security constraints. These intrusions are also detected using anomaly-based IDPS.
– Penetrations of the security control system, which are detected by monitoring for specific patterns of activity.
– Leakage, which is detected by a typical use of system resources.
– Denial of service, which is detected by a typical use of system resources.
– Malicious use, which is detected by a typical behavior profiles, violations of security constraints, or use of special privileges.
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content. In conclusion, it is expected that at the end of this thesis, the reader is expected to be conversant with the various methods of securing a company network system and be able to prevent any source of intrusions from accessing or disrupting company activities.
1.2 Statement of the Problem
This project aims to solve the problems encountered by network administrators in managing their networks in order to prevent and detect intrusions which may come in the form of virus, Trojans, hack attacks, Denial of Service (DOS) attacks or Distributed Denial of Service (DDOS) attacks all of which might lead to sensitive information being compromised. The system designed provides an easy-to-use interface for a network administrator to monitor his network and check for anomalies.
1.3 Objectives of Study
i. To create a system to facilitate easy monitoring of the events occurring on an enterprise network system.
ii. To determine the challenges facing computer network security in the twenty-first century.
iii. To determine ways of detecting and preventing computer network intrusions.
iv. To assess the current trends in intrusion detection and prevention.
v. To prescribe possible updates for existing IDPS Systems.
1.4 Significance of Study
This project seeks to assist in the understanding of intrusion detection system (IDS) and intrusion prevention system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems (IDPS). The project also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software and network forensic analysis tools. It focuses on enterprise IDPS solutions, but most of the information in the project is also applicable to standalone and small-scale IDPS deployments.
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. As a key technique in network security domain, Intrusion Detection System (IDS) plays vital role of detecting various kinds of attacks and secures the networks. With the tremendous growth of network-based services and sensitive information on networks, network security is becoming more and more important than ever before.
1.5 Scope of Work
This study deals with the intrusion and detection systems available for use in an enterprise computer network and more recent ways of combating the threats faced by any computer network in the modern era. Since intrusion detection and prevention involves networks, we will come in contact with various aspects of networking.
1.6 Limitation of the Study
Some of the major limitations during the course of the study were as follows;
i. Financial constraint to provide adequate funding for the research.
ii. Reluctance of some firms to provide information pertaining to the IDPS technologies they use
iii. Poor network reception for online research.
iv. Short time duration provided for the research.
1.7 Definition of Terms
Intrusion Detection: The process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents.
Intrusion Prevention: The process of performing intrusion detection and attempting to stop detected possible incidents.
Enterprise Network: An enterprise’s communications backbone that helps connect computers and related devices across departments and workgroup networks, facilitating insight and data accessibility.
Intrusion Detection and Prevention System (IDPS): The systems set up by an enterprise to identify possible incidents, log information about them, attempt to stop them, and report them to security administrators.
Denial of Service (DoS): The interruption of service either because the system is destroyed or because it is temporarily unavailable.
Distributed Denial of Service (DDoS): A variant of DOS in which a single is used to control multiple computers and used to generate multiple data streams at the intended victim.
Media Access Layer (MAC): A network layer responsible for controlling how computers in the network gain access to data and permission to transmit it.
Point-to-Point Protocol: A data link protocol used to establish connection between two nodes.
Segmentation/ Desegmentation: The processes of dividing and recompiling data packets for transmission over a network.
Worms: Type of malicious software (malware) that self-replicates and distributes copies of itself to its network without intervention from and unknown to computer users.
Virus: A malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs.
Trojans: A Trojan horse is a seemingly benign program that when activated, causes harm to a computer system.
Virtual Local Area Network (VLAN): A logical group of servers, workstations and network devices that appear to be on the same network despite their geographical distribution.
Blacklists: A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously determined to be associated with malicious activity.
Whitelists: A list of discrete entities that are known to be benign.
Demilitarized Zone: A firewall configuration for securing local area networks.
STA (Station): a device that is capable of using the 802.11 protocol. This may be a laptop, phone etc.
SSID: A case sensitive, 32 alphanumeric character unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the basic service.