International Journal of Computer Engineering and Technology (IJCET), ISSN 0976INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & 6367(Print), ISSN

0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME

TECHNOLOGY (IJCET)

ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume 5, Issue 1, January (2014), pp. 112-117 IAEME: www.iaeme.com/ijcet.asp Journal Impact Factor (2013): 6.1302 (Calculated by GISI) www.jifactor.com

IJCET
IAEME

ROBUST CAMPUS WIDE NETWORK DEFENDER

Archana D Wankhade1, Dr. P. N. Chatur2
2

Assistant Professor in information Technology Department, GCOE, Amravati, India Head and Professor in Computer Science and Engineering Department, GCOE, Amravati, India.

ABSTRACT The proposed software architecture is implemented by using agile software development process. The proposed software for the defence against attacks deals with the attack generation, attack detection in the intranet and then prevention of attacks. Attack prevention module is flexible as we can add the rule in the firewall to prevent the any known attack. Due to space problem we considered two attacks on every packet such as ICMP, UDP and TCP packet. Keywords: Smurf, Ping of Death, ICMP Flood, LAND, XMAS, TCP Flood, Ping Pong Attack Generation, Firewall Rules. 1. INTRODUCTION Nations without controlled borders cannot ensure the security and safety of their citizens, nor can they prevent privacy and theft. Similarly, networks without controlled access cannot ensure the security or privacy of stored data, nor can they keep network resources from being exploited by hackers. When internal network is connected to the internet, there is no inherent central point of security control; in fact there is no security at all. Network security is one of the major considerations in computer networking. Various types of tools are being used for providing security to networks. Firewall and Intrusion Detection System are majors among them. We start with description of firewall, types of firewall, comparison between firewalls, followed by algorithms used in our system. Then we will cover IDS part of our system followed by algorithms. Lastly we see programming languages and tools to be used in our system. Security consists of mechanisms for providing confidentiality, integrity, and availability. Confidentiality means that only the individuals allowed access to particular information should be able to access that information. Integrity refers to those controls that prevent information from being altered in any unauthorized manner. Availability controls are those that prevent the proper functioning of computer systems from being interfered
112

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME with. As mentioned in computer network, security of data from network attacks is a major concern area. In most networks firewalls are used as filter to prevent unwanted entry into private network. Firewall is dedicated to only one thing Deciding between authorized and unauthorized communications. But still firewall cannot detect attacks on network. But IDS has its own limitations. So we try to integrate them in such a way that to get best out of them. 2. LITERATURE SURVEY 2.1 Firewall Firewall is dedicated to only one thing Deciding between authorized and unauthorized communications. This prevents having to make compromises between security, usability and functionality. Without a firewall, systems are left to their own security devices and configurations. The firewall is a single point of contact between untrusted networks. In general, firewalls mitigate the risk that system will use for unauthorized or unintended purposes. There are three primary attributes that are protected by a firewalls. Risk to confidentiality Risk to data integrity Risk to availability

Most common usage of a firewall is between the internet connection and the local area network. Other common firewall usages include protecting connections to external third parties, such as market data providers, and between sensitive areas of an internal network. 2.2 How Firewall Works A firewall is a software program or device that monitors, and sometimes controls, all transmissions between an organization's internal network and the Internet. However large the network, a firewall is typically deployed on the network's edge to prevent inappropriate access to data behind the firewall. The firewall ensures that all communication in both directions conforms to an organization's security policy. Firewall technologies are configurable. You can limit communication by direction, IP address, protocol, ports, or numerous other combinations. If you have access to the firewall, you can configure it to enable the ports, protocols, and addresses. In some cases, however, your organization's security policy may prevent optimal streaming. For example, firewalls configured to only allow TCP traffic may cause the user to see frequent buffering of clips. User experience of the presentation is compromised; greater latency and start up times affect the time needed to view the clip, and delivery of the clip requires more total bandwidth. There are three techniques used for detection Anomaly detection (behaviour based) Misuse detection or Signature detection (knowledge based) State full protocol analysis

113

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 09766367(Print), ISSN 0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME

Figure 1.1 Detection Capabilities of Different Intrusion Detection Model Above Figure 1.1 shows detection capabilities of legal and illegal activities, it is misuse for knowledge based and behaviour-based based systems. Anomaly detection: Anomaly detection is describes abnormal patterns behaviour, where abnormal patterns it is defined beforehand. Anomaly based models are supposed to describe only legal activities. and Also in this case, incompleteness and inaccuracy can false positive and false negatives. Anomaly-based based detection is process of comparing definitions of what activity is considered normal ormal against observed events to identify significant deviations. An IDPS using anomaly-based based detection has profiles that represent the normal behaviour of such things as users, hosts, network connections, or applications. The profiles are developed by mon monitoring the characteristics of typical activity over a period of time. Following tables are shown comparison of firewalls. Table 1.1 Comparison of firewalls.

114

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME 3. PROPOSED INTRUSION PREVENTION SYSTEM Due to space problems, we have considered very few attacks and their defence mechanisms. The implementation of proposed system is divided into following process: Attack Generation algorithms, Defence Against Attack (Attack Prevention algorithms), Attack Detection Algorithms. Some of the sample attack detection and prevention rules are discussed below: 3.1 Attack Generation algorithms Packet Capture: We o used TCP dump and window dump to capture the incoming flow of information and analysed this traffic by using the proposed IDS. Attack Generation Process can use different tools like NMAP, Nessus, hping3 and Scapy to generate different kinds of trailer made packet to do the attack. For Attack Generation we used the following tools Scapy(http://www.scapy.org),Nmap(http://www.nmap.org),Hping3http://www.hping.org) 3.1.1 Land Attack Generation: #hping3 a spoof -flood <src_ip> <dst_ip> where a:spoof source address src_ip : source ip address which is spoofed dst_ip : destination ip address 3.1.2 XMAS Attack Generation: Using the Hping #hping3 c 1 V p 80 s 5050 M 0 UPF 192.16.0.103 Where c: count V: command line switch for addition information about the packet p : port no , s: source port, M: set the sequence 3.1.3 SYN Flood Attack Generation Using the command: hping3 S fast a <src_ip> <dest_ip> where S : SYN packets are generated fast : 10 packets per second a:for spoofing option src_ip : is a Source ip 3.1.4 XMAS Attack Generation Using Scapy #hping3 c 1 V p 80 s 5050 M 0 UPF 192.16.0.103 Where: src :source ip, dst :destination ip flags : FPU-FIN,PUSH,URGENT count : no of packet to generate. 3.2 Attack Detection Algorithms Attack detection task will be carried out through SnortIDSwww.snort.org),SPADE(www.silicondefence.com/Spice_JCS.pdf,www.silicondefense.org) ,NIDES(www.nides.org),HONEYPOT(www.Honeydpot.org),KESENSOR(www.keyfocus.net/kfsen sor),HONEYD(www.Honeyd.org),TRIPWIRE(www.tripwire.org) 3.2.1 ICMP Attacks Detection: If protocol: ICMP and tyop: Request check if state[ipaddress] : active else if state[ipaddress] :active and returncheck if lastpacket.time < 1 [1in 1sec] count[ipaddress]++ else cout[ipaddress] : 0 if count[ipaddress] > 25 [70 in 1sec] reset count[ipaddress]:0 and lastpacket.time :0 set alarm flag. 3.2.2 Smurf attack Detection: Alert icmp $External_net any : $home_net any (msg:icmp smurf attack detected; dsize:4; icmp_id:0 ;icmp_seq:0 ; itype:8 ; classtype: attempted recon ; sid:78787878; )
115

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME 3.2.3 SYN Flood Attack Detection: If protocol: TCP and Type: Syn check if state[ipaddress] : active else if state[ipaddress] : active and return check if lastpacket.time < 1 [1in 1sec] count[ipaddress]++ else cout[ipaddress] : 0 if count[ipaddress] > 25 [70 in 1sec] reset count[ipaddress]:0 and lastpacket.time :0 set alarm flag 3.2.4 LAND Attack Detection If protocol: TCP and type: SYN, if Sourceip port == Destination port , if Sourceip ip : Destination ip, set alarm flag Udp Attacks 3.2.5 XMAS Attack Detection: Alert tcp any any : any any (msg: X mas attack detected flow: stateless; flags: FPU,12; sid: 1234556;) 3.2.6 Fraggle Attack Detection: alert udp $EXTERNAL_NET any: $HOME_NET any (msg:"UDP_Flood Attack!!!!!"; content:"UDP Flood Test"; flow:stateless; threshold:type threshold, track . 4. CONCLUSIONS Critical literature survey is made in order to carry this work. Enterprises general purpose Application firewall / IDS evolved in way that has created conundrum for security. So, prime goal is provide emerging solution which gives hybrid functionality of IDS, IPS, and Firewalls functionality in single box which would be practical and easy to maintain. We have studied various packet generation tools such as Nmap, Nessus, hping3 and Scapy. Then we have made experimentation for the detection of attacks using the open source tools such as snort IDS, NIDES, HONEYPOT KESENSOR, HONEYD, TRIPWIRE, and then we run the various firewalls such as iptable/Netfilter, fwSnort Squid, CCProxy, Kerio. REFERENCES [1] [2] [3] [4] Intrusion detection system using Sax 2.0 and wire shark 1.2.2. Shaw n Conaway, Using an Intrusion Prevention System as Part of a Layered Security Approach, Network Support, Technical Enterprises, October-2006. Ido green, tzvi raz, moshe zviran, analysis of active intrusion prevention data for predicting hostile activity in computer networks, communications of the acm april 2007/vol. 50, no. 4. suresh n. chari and pau-chen cheng, BlueBoX: A Policy-Driven, Host-Based Intrusion Detection System, ACM Transactions on Information and System Security, Vol. 6, No. 2, May 2003. Nong Ye, Senior Member, IEEE, Syed Masum Emran, Qiang Chen, and Sean Vilbert(2002), Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, ieee transactions on computers, vol. 51, no. 7, july 2002. Fang Yu, T. V. Lakshman, Randy H. Katz (2006), Efficient Multimatch Packet Classification for Network Security Applications, ieee journal on selected areas in communications, vol. 24, no. 10, october 2006. Jianchao Han, Mohsen Beheshti, Kazimierz Kowalski, Joel Ortiz, Johnly Tomelden, Component-based Software Architecture Design for Network Intrusion Detection and Prevention System, IEEE Computer society Sixth International Conference on Information Technology: New Generations 2009.
116

[5]

[6] [7]

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 - 6375(Online), Volume 5, Issue 1, January (2014), IAEME [8] david j., chaboya, richard a. raines, rusty o. aldwin, and barry e. mullins,Network ntrusion etection Automated and Manual Methods Prone to Attack and Evasion, published by the ieee computer society, 2006. Jiong Zhang, Mohammad Zulkernine, and Anwar Haque(2008), Random-Forests-Based Network Intrusion Detection Systems. Catherine Paquet Network security using Cisco IDS IPS, Pearson Education intrusion detection system using Sax 2.0 and wireshark 1.2.2. Nong Ye, Senior Member, IEEE, Syed Masum Emran, Qiang Chen, and Sean Vilbert(2002), Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, ieee transactions on computers, vol. 51, no. 7, july 2002. George Lawton, Open Source Security: Opportunity or Oxymoron? March 2002. K. Salah A. Kahtani(2009), Improving Snort performance under Linux, IET Commun., 2009, Vol. 3, Issue. 12. Fang Yu, T. V. Lakshman, Randy H. Katz (2006), Efficient Multimatch Packet Classification for Network Security Applications, ieee journal on selected areas in communications, vol. 24, no. 10, october 2006. Jianchao Han, Mohsen Beheshti, Kazimierz Kowalski, Joel Ortiz, Johnly TomeldenComponentbased Software Architecture Design for Network Intrusion Detection and Prevention System, 2009 IEEE Computer society Sixth International Conference on Information Technology: New Generations 2009. Hui Li, Dihua Liu, Research on Intelligent Intrusion Prevention System Based on Snort, International Conference on Computer, Mechatronics, Control and Electronic Engineering (CMCE) 2010. Snort Manual and Whitepapers on Rule Optimization, Detection, High-performance multi rule detection engine, Protocol Flow analyzer. All available at the Snort homepage: http://www.sourcefire.com/products/library.html. Jiong Zhang, Mohammad Zulkernine, and Anwar Haque(2008), Random-Forests-Based Network Intrusion Detection Systems, vol. 38, no. 5, september 2008. SNORT R Users Manual 2.9.1. Anna Sperotto, Gregor Schaffrath, Ramin Sadre, Cristian Morariu, Aiko Pras and Burkhard Stiller (2010)An Overview of IP Flow-Based Intrusion Detection, ieee communications surveys & tutorials, vol. 12, no. 3, third quarter 2010. P.Vigneshwaran and Dr. R. Dhanasekaran, A Novel Protocol To Improve TCP Performance Proposal, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 372 - 377, ISSN Print: 0976 6367, ISSN Online: 0976 6375. Kusum Nara and Aman Dureja, A Dynamic Approach for Improving Performance of Intrusion Detection System Over Manet, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 4, 2013, pp. 61 - 81, ISSN Print: 0976 6367, ISSN Online: 0976 6375. Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr.K.Anita Sheela, Energy Efficient Intrusion Detection System for WSN, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246 - 250, ISSN Print: 0976- 6464, ISSN Online: 0976 6472. JPCAP online tutorial. http://www.cert.org/advisories/CA-1996-01.html. http://www.cert.org/advisories/CA-1996-26.html.

[9] [10] [11]

[12] [13] [14]

[15]

[16] [17]

[18] [20] [21]

[21]

[22]

[23]

[24] [25] [26]

117