Improve the Security Factor with an Intrusion Detection System

Source: Internet
Author: User

As the name suggests, an intrusion detection system (IDS) is a system that detects intrusions in a timely manner. It collects and analyzes network traffic at several key points in the network to identify violations of the security policy and signs of attack. Compared with other security products, an IDS has to be more intelligent: a firewall only decides whether a packet complies with the security policy, whereas an IDS has to recognize attack behavior. A good IDS can greatly improve a network's security factor.

The firewall is not secure enough

For a long time the firewall has been the most commonly used tool for network security. It is a special network interconnection device used to enforce access control between networks. It checks the data passing between the internal and external networks against preset security policies and decides which traffic is not permitted. In this way, access and data transfer between the internal and external networks are controlled, the internal network's information is protected from unauthorized external users, and undesirable content is filtered out.

As shown in Figure 1, a firewall system is generally built in two layers. The inner layer is a router with packet-filtering capability, and the outer layer is a proxy server. The packet-filtering router accepts only service requests sent by the proxy server and connections initiated from the internal network, while the proxy server provides public network users with the services the internal network permits.

Figure 1
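The inner-layer policy just described, written out as an added example (not code from the original article): a toy stateful packet filter that accepts connection requests only from the proxy server or from internal hosts, and lets other packets through only when they belong to a connection that was already permitted. The addresses, the proxy host and the packet layout are assumptions made for the example.

```python
# Added example (not from the original article): a toy stateful packet filter
# implementing the inner-layer policy -- accept connection requests only from
# the proxy server or from internal hosts, and let other packets through only
# when they belong to a connection that was already permitted. The internal
# range, the proxy address and the packet layout are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # source port
    dst: str      # destination IP address
    dport: int    # destination port
    syn: bool     # True for a TCP connection request (SYN without ACK)


class TwoLayerPacketFilter:
    """Packet-filtering router sitting behind the proxy server."""

    def __init__(self, internal_net: str, proxy_host: str) -> None:
        self.internal_net = ip_network(internal_net)
        self.proxy_host = ip_address(proxy_host)
        # Flows that were allowed to open: (client, server, server_port).
        self.established: set = set()

    def decide(self, pkt: Packet) -> str:
        src = ip_address(pkt.src)
        if pkt.syn:
            # New connection: only the proxy or an internal host may open one.
            if src == self.proxy_host or src in self.internal_net:
                self.established.add((pkt.src, pkt.dst, pkt.dport))
                return "ACCEPT"
            return "DROP"
        # Not a connection request: accept only traffic of a permitted flow,
        # in either direction. Keeping this state is what stops an outside host
        # from slipping a non-SYN packet past a purely stateless filter.
        forward = (pkt.src, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.sport)
        if forward in self.established or reverse in self.established:
            return "ACCEPT"
        return "DROP"


def run_sample() -> list:
    """Run a constructed packet trace through the filter and return the decisions."""
    fw = TwoLayerPacketFilter(internal_net="10.0.0.0/8", proxy_host="192.0.2.10")
    trace = [
        Packet("10.1.2.3", 40000, "203.0.113.5", 80, syn=True),    # internal host opens a web connection
        Packet("203.0.113.5", 80, "10.1.2.3", 40000, syn=False),   # server reply on that connection
        Packet("198.51.100.7", 1234, "10.1.2.3", 22, syn=True),    # outside host tries to open SSH inward
        Packet("198.51.100.7", 1234, "10.1.2.3", 22, syn=False),   # outside host sends a bare ACK probe
        Packet("192.0.2.10", 5000, "10.1.2.4", 80, syn=True),      # proxy forwards a request inward
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    labels = ["internal->out", "reply", "inbound SYN", "ACK probe", "proxy"]
    for note, decision in zip(labels, run_sample()):
        print(f"{note:14s} {decision}")
```

The fourth packet is the interesting one: a stateless filter that only blocks inbound SYNs would let a bare ACK from outside through, which is why the filter remembers which flows it allowed to open.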

This dual-layer firewall system of packet filtering and proxy technology improves the security of the network to a certain extent. However, its main job is to deny access to unauthorized users, prevent them from reaching sensitive data, and let legitimate users reach network resources without hindrance. Used properly, a firewall can effectively defend against attacks from the external network, but it is powerless against attacks from inside the network, and in fact more than 60% of network security problems originate in internal networks; network programs and network management systems may also have defects. Therefore, firewall technology alone is not enough for network security.

This is because the firewall has its own limitations:

1. Inflexible

The firewall strictly restricts inbound and outbound traffic to keep the network secure. But this inevitably makes the network too closed, and many services such as Telnet and FTP end up blocked.

2. Hard to defend against insiders

The firewall's task is to guard the door and stop external users from illegally obtaining sensitive data or performing operations. It places no restrictions on the behavior of internal users, so it is no wonder that insiders can act with impunity.

3. Backdoors

The firewall guards the front door, but what if the network has a backdoor that is under an attacker's control? Then the firewall exists in name only.

Given so many limitations in the firewall, people thought of taking the initiative: deploying an intrusion detection system inside the company to patrol key network nodes and look for intruders at any time.

Technical Requirements

Intrusion detection technology is a new generation of security protection technology that follows traditional measures such as firewalls and data encryption.

A good network intrusion detection system should at least meet these functional requirements:

1. Real-time detection:

If network attacks or attack attempts are discovered as early as possible, further attacks may be prevented and losses minimized. Real-time intrusion detection avoids the inefficiency and delay of having an administrator identify intrusions by auditing system logs after the fact.

2. Scalability:

An intrusion detection system must be able to handle a new attack type through some mechanism that does not require modifying the system itself, so that it can detect new attacks. In addition, the overall functional design must use an extensible structure so that the system can adapt to expansion requirements that may arise in the future.

3. Event records:

A complete network intrusion detection system must provide complete logging and log auditing for the intrusion events it detects.

4. Security:

An intrusion detection system must be as robust and sound as possible, so that it does not introduce new security problems or risks into the host system it runs on or the surrounding computing environment.

5. Effectiveness and ease of use:

The network intrusion detection system must be effective, that is, its false positives and missed attacks must be kept within an acceptable range. It should also be user-friendly and simple to operate.

Application Instance

The following describes the main features and configuration of a network intrusion detection system, using the system of the China University of Science and Technology as an example.

* Distributed design. The whole system can be configured flexibly to fit different network topologies.

* Fast detection. Sensors typically detect a problem within microseconds or milliseconds.

* High security. Every module of the system communicates over encrypted transport.

* Easy to control. The system consists of sensors, a control center, and reaction units. Sensors and reaction units are designed to run unattended; the user controls the whole system from the control center.

* Smart counterattack. After a sensor raises an alert, the control center issues a counterattack command that filters the packets or disconnects the connection, depending on the protocol.

* Data filtering. Specific packets can be filtered, and packets can be filtered according to user requirements for a given period of time.

* High scalability. The system's distributed structure and the design of the core sensor give it high scalability.

* Good concealment and independence. Sensors are not as exposed as hosts, so they are less vulnerable to attack. In addition, a sensor runs no other applications and provides no network services, which helps keep it secure.

* Modest resource requirements. One detector can protect a whole shared network segment, so many detectors are not needed. In a switched environment, however, a network tap must be connected to every link to be monitored. Sensors also consume none of the protected systems' resources.

* Evidence is easy to capture. The network intrusion detection system detects in real time from the live network traffic, so attackers cannot tamper with the evidence. The system has complete logging and auditing functions, so intruders cannot hide their traces by erasing system records.

Given how good the network intrusion detection system is, how should it be configured in a specific network environment? Figure 2 illustrates the network of Anhui Guoyi Environmental Protection and Energy-Saving Technology Co., Ltd.
This network uses a M high-speed switched Ethernet network with a star hierarchical topology. The core switch, the first-level node in the figure, is a Cisco 4006 (with one WS-X4232-L3 and two WS-5484 modules); the second-level nodes are two Cisco 3524XL switches (each with a WS-5484); the access system uses a Cisco 2621 router (with an NM-8AM module). The network is built on the 1000BASE-SX, 100BASE-FX and 100BASE-TX standards, giving 100/1000 M backbone bandwidth and a M connection to the desktop.

The network thus has one level-1 node, three level-2 nodes, and one level-3 node. How should the network intrusion detection system be deployed in this network?

Generally, the reaction unit is placed at the gateway. The control center can be placed anywhere convenient on the internal network; here it is placed in the central data center. Sensors are the soul of the system and must be placed where network traffic is concentrated, otherwise system performance cannot be guaranteed; here they are placed at the three second-level nodes and the one third-level node.

Application Results

Once the system is configured, how does the network as a whole fare against attacks?

The China University of Science and Technology's Guobiao network intrusion detection system can detect more than 1200 network attacks, including buffer overflows, denial-of-service attacks, and various network scans.

To test the system's performance, we ran a series of attack tests: Ping of Death, SYN Flood, UDP Flood, Smurf, Unicode attacks, and network attacks using the well-known scanning tools Nmap, Nessus and Shadow Security Scanner.

Under all of these attacks, our system showed the real-time, efficient, secure and mature qualities of a good network intrusion detection system.

How does the system perform under heavy network load? Experiments show that it is still quite satisfactory at 40 M/sec and 60 M/sec. At 90 M/sec, performance declines, but 60% of network attacks are still detected. This is a common problem that remains to be solved.
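To make the functional requirements listed earlier (real-time detection, scalability through pluggable rules, and an event log) and the attack tests above concrete, here is an added example of a toy IDS sensor. It is not the system described in the article: the two rules, the thresholds and the packet trace are constructed for the example, and the packet records are simple dictionaries rather than captured frames. The sensor flags a SYN flood and a port scan, two of the attack classes the tests exercised.

```python
# Added example (not the system described in the article): a toy network IDS
# sensor that inspects packets as they arrive (real-time), accepts new rule
# objects without changing the sensor (scalability), and writes every alert to
# an event log (event records). Thresholds, windows and the trace are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    ts: float     # time of the packet that triggered the alert
    rule: str     # name of the rule that fired
    src: str      # offending source address
    dst: str      # target address
    detail: str


class SynFloodRule:
    """Fire when one source sends more than `threshold` connection requests
    to one destination inside a sliding window of `window` seconds."""
    name = "syn_flood"

    def __init__(self, threshold: int = 50, window: float = 1.0) -> None:
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)   # (src, dst) -> timestamps of SYN packets

    def inspect(self, pkt: dict) -> Optional[Alert]:
        if pkt["flags"] != "S":
            return None
        q = self.syns[(pkt["src"], pkt["dst"])]
        q.append(pkt["ts"])
        while pkt["ts"] - q[0] > self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > self.threshold:
            q.clear()                           # one alert per burst, not one per packet
            return Alert(pkt["ts"], self.name, pkt["src"], pkt["dst"],
                         f"more than {self.threshold} SYNs in {self.window}s")
        return None


class PortScanRule:
    """Fire when one source touches more than `threshold` distinct destination
    ports inside a sliding window of `window` seconds."""
    name = "port_scan"

    def __init__(self, threshold: int = 20, window: float = 5.0) -> None:
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)   # src -> (timestamp, dport) pairs

    def inspect(self, pkt: dict) -> Optional[Alert]:
        if pkt["flags"] != "S":
            return None
        q = self.seen[pkt["src"]]
        q.append((pkt["ts"], pkt["dport"]))
        while pkt["ts"] - q[0][0] > self.window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) > self.threshold:
            q.clear()
            return Alert(pkt["ts"], self.name, pkt["src"], pkt["dst"],
                         f"{len(distinct)} distinct ports in {self.window}s")
        return None


class Sensor:
    """Runs every registered rule over each packet and records the alerts."""

    def __init__(self) -> None:
        self.rules = []
        self.events = []   # the event log (a real sensor would persist this)

    def add_rule(self, rule) -> None:
        # A new attack type becomes a new rule object; the sensor itself is unchanged.
        self.rules.append(rule)

    def process(self, pkt: dict) -> list:
        # Each packet is judged as it arrives rather than from logs afterwards.
        fired = [a for a in (rule.inspect(pkt) for rule in self.rules) if a is not None]
        self.events.extend(fired)
        return fired


def constructed_traffic() -> list:
    """Constructed trace: a little normal traffic, then a SYN flood, then a port scan."""
    pkts = [{"ts": 0.1 * i, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80, "flags": "S"}
            for i in range(3)]
    pkts += [{"ts": 1.0 + 0.01 * i, "src": "198.51.100.9", "dst": "10.0.0.80", "dport": 80, "flags": "S"}
             for i in range(60)]       # 60 SYNs to one port within 0.6 s
    pkts += [{"ts": 5.0 + 0.1 * i, "src": "203.0.113.4", "dst": "10.0.0.80", "dport": 1 + i, "flags": "S"}
             for i in range(30)]       # 30 distinct ports within 3 s
    return pkts


def run_sensor() -> list:
    sensor = Sensor()
    sensor.add_rule(SynFloodRule(threshold=50, window=1.0))
    sensor.add_rule(PortScanRule(threshold=20, window=5.0))
    for pkt in constructed_traffic():
        sensor.process(pkt)
    return sensor.events


if __name__ == "__main__":
    for ev in run_sensor():
        print(f"{ev.ts:7.2f} {ev.rule:10s} {ev.src} -> {ev.dst}: {ev.detail}")
```

Each rule keeps only the state it needs inside a sliding window and resets after firing, which is what keeps the alert volume bounded during a sustained flood; the thresholds are where the effectiveness requirement is tuned, trading missed low-rate attacks against false alarms on busy hosts.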

The above example shows the network security solution we propose. Combining the strengths of the firewall and the network intrusion detection system, you configure a firewall at the entry and exit of the enterprise LAN to handle basic attacks from the external network, and configure a network intrusion detection system in the internal network to make up for the firewall's shortcomings and patrol the internal network for attacks that originate inside it.
