IDS:
An IDS (Intrusion Detection System) is a device or software application that monitors network or system activity for malicious actions or policy violations and notifies the administrator. These systems typically trigger by comparing observed traffic against a database of attack signatures, or by watching for anomalous network behaviour. When an attack is detected (or suspected), an alert is raised and the event is logged for later analysis.
Creating and maintaining the attack signature database is the hardest part of working with IDS technology. Keep the IDS current with the vendor's latest signature set, and add signatures for the attacks you find during your own testing: a signature-based IDS can only detect what it has a signature for.
Firewalls:
A firewall is a network security device that monitors and filters incoming and outgoing network traffic according to an organisation's previously established security policy. At its most basic, a firewall is the barrier that sits between a private internal network and the public Internet.
With intrusions growing in number, and the Internet and local networks now ubiquitous, organisations increasingly deploy systems that monitor for IT security breaches. Intrusion detection systems (IDSes) are among those that have gained considerable interest. An IDS is a defensive system that detects hostile activity in a network. The goal is to detect, and where possible prevent, activity that may compromise system security, including a hacking attempt in progress and its reconnaissance phase, for example port scans.
What does an IDS do?
One key feature of intrusion detection systems is their ability to expose unusual activity, issue alerts to administrators and, in some deployments, block a suspected connection. According to Amoroso, intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.
In addition, IDS tools can distinguish insider attacks (originating from the organisation's own employees or customers) from external ones (attacks by outside hackers). (Source: http://www.windowsecurity.com)
What do firewalls do?
A firewall is a necessary part of any security architecture: it takes the guesswork out of host-level protection by entrusting it to a dedicated network security device. Firewalls, and especially Next Generation Firewalls, focus on blocking malware and application-layer attacks, usually with an integrated intrusion prevention system (IPS).
These Next Generation Firewalls can therefore detect and react quickly to outside attacks across the whole network. They enforce policies that define which traffic is permitted, and can quickly assess traffic for invasive or suspicious activity, such as malware, and shut it down.
Why do we need firewalls?
Without a firewall every host is left to defend itself against whatever reaches it from the Internet. A firewall, especially a Next Generation Firewall with an integrated IPS, lets you detect and combat attacks across the whole network in one place rather than host by host.
A firewall acts on previously set policies and can quickly identify invasive or suspicious activity, such as malware, and shut it down. By placing a firewall in your security infrastructure, you give your network explicit policies that allow or block incoming and outgoing traffic.
As the number of attacks grows, it is important for defenders to understand the weaknesses of IDSes and firewalls and the techniques used to get through or bypass them, so that those weaknesses can be closed before attackers exploit them.
Evading IDS and Firewalls
Before looking at evasion it helps to understand the detection side, because every evasion technique targets a specific weakness in how detection works. Two tools commonly used for detection are:
- Snort, a signature-based network IDS.
- KFSensor, a honeypot-based IDS that detects intruders by luring them to a decoy host.
Here we look briefly at Snort.
Snort:
Snort captures the packets passing through the network, logs them and analyses them. It checks each packet against the rules written by the user and generates an alert when a match is found. The rules are written in text files that are referenced from snort.conf, the configuration file where all Snort settings are declared. A few command-line switches are used to get Snort running so that it can analyse network behaviour.
Snort is typically run in one of three modes:
- Packet sniffer mode (snort -v): Snort reads packets from the wire and prints them to the console.
- Packet logger mode (snort -l <logdir>): Snort writes the packets to disk.
- Intrusion detection mode (snort -c snort.conf): Snort inspects packets against its rulesets. When a packet matches a rule, Snort takes the action the rule specifies, such as alert, log, pass or (inline) drop.
Because it is driven by rulesets that you can read and edit yourself, Snort is an excellent choice for administrators responsible for security on small to medium-sized networks. The ease with which Snort can be deployed allows the quick installation of a flexible and cost-effective IDS.
Evasion Techniques
The following techniques are commonly used to slip scans and attacks past an IDS or firewall. Most are available directly as Nmap options, given in brackets.
- Decoys (nmap -D): mix the real scan with spoofed source addresses so the sensor logs many apparent scanners and cannot tell which one is real.
- Proxies (nmap --proxies, or any proxy chain): route the scan through intermediate hosts so the true source is hidden.
- MAC address spoofing (nmap --spoof-mac): present a different hardware address on the local segment.
- Ping suppression (nmap -Pn): skip host discovery, so the ICMP echo a firewall or IDS would flag is never sent.
- Half-open scan (nmap -sS): send a SYN and never complete the handshake, so no full connection is established or logged by the application.
- Fragmentation (nmap -f): split packets into small IP fragments so a sensor that does not reassemble never sees the whole header or payload.
- Timing (nmap -T0 to -T5, --scan-delay): slow the scan so it stays under rate-based alert thresholds.
- Changing data length (nmap --data-length): append random bytes so packets do not match the fixed size a signature expects.
- Maximum Transmission Unit (nmap --mtu): set a custom fragment size, which must be a multiple of 8.
- Random scan order (nmap --randomize-hosts): scan targets in random order so a sequential sweep is not obvious.
- Sending bad checksums (nmap --badsum): real hosts drop packets with invalid checksums, but a sensor that does not verify checksums still inspects and alerts on them, which both reveals such a sensor and lets it be flooded with noise.
- Using multiple techniques in combination.
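The following added example is not Snort's code and was not part of the original post; it ties the Snort section above to the fragmentation entry in this list. It parses a small, constructed subset of Snort rule syntax (action, protocol, ports, msg, content, nocase, sid; the SIDs and the HTTP request are made up for the example), matches it per packet the way a naive sensor would, and then shows that splitting the same request into small TCP segments hides the signature from per-packet matching while sequence-number reassembly recovers it.

```python
"""Toy Snort-style signature matcher plus the fragmentation evasion.

Added illustration, not Snort's code: parses a subset of Snort rule syntax
and contrasts per-packet matching with stream reassembly. Rules, SIDs and
packets are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed rules in Snort syntax (subset). SIDs are hypothetical.
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"WEB-ATTACK /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB-ATTACK cmd.exe"; content:"cmd.exe"; nocase; sid:1000002;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str       # port number or "any"
    msg: str
    content: bytes   # byte string the payload must contain
    nocase: bool     # case-insensitive content match
    sid: int


@dataclass
class Packet:
    proto: str
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def parse_rules(text: str) -> list[Rule]:
    """Parse the supported subset of Snort rule syntax."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line}")
        opts = {}
        for opt in m["opts"].split(";"):
            opt = opt.strip()
            if not opt:
                continue
            if ":" in opt:
                key, val = opt.split(":", 1)
                opts[key.strip()] = val.strip().strip('"')
            else:
                opts[opt] = True            # flag option such as nocase
        rules.append(Rule(m["action"], m["proto"], m["dport"], opts["msg"],
                          opts["content"].encode(), "nocase" in opts,
                          int(opts["sid"])))
    return rules


def rule_matches(rule: Rule, proto: str, dport: int, data: bytes) -> bool:
    """Header check (protocol, destination port), then content check."""
    if rule.proto != proto:
        return False
    if rule.dport != "any" and int(rule.dport) != dport:
        return False
    if rule.nocase:
        return rule.content.lower() in data.lower()
    return rule.content in data


def inspect_packets(rules: list[Rule], packets: list[Packet]) -> list[int]:
    """Naive sensor: every packet is matched on its own. Returns matching SIDs."""
    return [r.sid for p in packets for r in rules
            if rule_matches(r, p.proto, p.dport, p.payload)]


def reassemble(packets: list[Packet]) -> bytes:
    """Rebuild the TCP stream by sequence number (what a stream preprocessor
    does); handles out-of-order and overlapping segments by keeping the
    first-seen bytes for any overlap."""
    ordered = sorted(packets, key=lambda p: p.seq)
    base = ordered[0].seq
    buf = bytearray()
    for p in ordered:
        off = p.seq - base
        if off > len(buf):
            raise ValueError(f"gap in stream at offset {len(buf)}")
        buf.extend(p.payload[len(buf) - off:])   # skip already-seen overlap
    return bytes(buf)


def inspect_stream(rules: list[Rule], packets: list[Packet]) -> list[int]:
    """Stream-aware sensor: reassemble first, then match. Returns SIDs."""
    data = reassemble(packets)
    first = packets[0]
    return [r.sid for r in rules
            if rule_matches(r, first.proto, first.dport, data)]


def fragment(payload: bytes, size: int, seq0: int) -> list[Packet]:
    """Attacker side of the fragmentation / data-length entries: split one
    request into small TCP segments so no single segment holds the signature."""
    return [Packet("tcp", 80, seq0 + i, payload[i:i + size])
            for i in range(0, len(payload), size)]


# Constructed attack request: a path traversal aimed at /etc/passwd.
REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\nHost: victim.example\r\n\r\n"


def demo() -> dict[str, list[int]]:
    rules = parse_rules(RULES_TEXT)
    whole = [Packet("tcp", 80, 1000, REQUEST)]
    frags = fragment(REQUEST, 4, seq0=1000)       # 4-byte segments
    frags_out_of_order = list(reversed(frags))    # delivered in reverse order
    return {
        "whole_per_packet": inspect_packets(rules, whole),
        "fragmented_per_packet": inspect_packets(rules, frags),
        "fragmented_reassembled": inspect_stream(rules, frags_out_of_order),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:24s} -> {sids}")
```

The per-packet matcher fires on the whole request, misses every 4-byte segment, and the stream matcher fires again once the segments are put back in order. Real Snort does this reassembly in its stream and IP defragmentation preprocessors and also normalises HTTP URIs (so "/../../etc/passwd" and an encoded equivalent hit the same rule), which is why the evasions listed above only work reliably against a sensor whose preprocessors are disabled, misconfigured or pushed past their memory limits; checking that those preprocessors are on is the first thing to verify on a deployment.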
Tools: Nmap (to generate the scans above), Wireshark (to verify what actually reached the wire and what the sensor saw), EtherApe (to visualise the traffic).
Conclusion
This blog has given you fundamental knowledge of what firewalls and IDSes are, why we use them and why we need them, the tools involved, detection with Snort, and the techniques used to evade IDSes and firewalls. Attacks can be minimised, but they cannot be stopped altogether.
written by: Deepak Rathour
reviewed by: Sayan Chatterjee