This essay has been submitted by a student.
Intrusion detection systems are deployed in many networks, where they face problems of scalability, configurability and efficiency. Network systems are exposed to threats from outside attackers as well as from malicious users inside the network. To detect these threats I use a network analyzer tool called Observer, which can also poll devices over SNMP (Simple Network Management Protocol). Together they are used to monitor the network at any time. SNMP is not itself a detection or simulation tool; it is a management protocol by which a monitoring station queries statistics (interface counters, errors, utilization) from agents on routers, switches and hosts, and Observer uses that data together with captured traffic to spot attacks.
By monitoring the network we can identify problems such as intrusions (hacking) early.
Intrusion detection systems were developed in response to the growing number of attacks on systems. SNMP data is used when monitoring a network or a PC for intrusions, and the Observer tool uses that data, together with captured packets, to identify different kinds of threats so that systems and networks keep running effectively and efficiently.
2. Literature Review
Intrusion refers to unauthorized access to another person's computer or network, usually without the owner's knowledge.
Intrusion detection is the process of identifying malicious activity on a computer or network and responding to that unauthorized access. It protects the system against different threats. The main components of intrusion detection are network monitoring and traffic analysis. In this project SNMP data and the Observer tool are used to find these threats. Intrusion detection involves collecting the required data from the system and analysing that data together with the operating system logs. An IDS acts as an alarm for the computer and as a defence for systems under attack. It provides functions such as monitoring system activity, analysing system configuration, tracking user policy and recognising attacks. IDSs are divided into two types by where they run, NID (network-based) and HID (host-based), and into two types by how they detect, signature-based and anomaly-based.
NID (Network Intrusion Detection) sensors are placed inside the network, on a switch mirror port, a tap or a hub, to monitor traffic between devices. They inspect all incoming and outgoing packets for signs of attack, not for network speed. This helps find unauthorized access by watching, for example, TCP connection requests from one source to many different ports, which is the pattern of a TCP port scan. A NID only sees the traffic that passes the point where it is attached.
HID (Host Intrusion Detection) runs on the individual hosts in the network. It monitors the host and alerts the user when suspicious activity is found in incoming or outgoing packets, processes or files. A HID system performs functions including log analysis, alerting, detection and integrity checking. The agent monitors activity and, when something suspicious is found, alerts by a pop-up, blocks the activity or reports it to a central server.
Signature-based IDS monitors all packets on the network and compares them against a database of signatures of known threats; a match is reported as an alert. Because it can only recognise attacks already in the database, the signature set must be updated regularly to stay effective.
Anomaly-based IDS monitors all network traffic and transactions and compares them with a baseline of normal behaviour. The baseline includes which protocols are used, how much bandwidth is normal and which ports are used. It alerts when traffic that differs from the baseline is detected; the cost is that a legitimate change in usage can also raise an alert (a false positive) until the baseline is updated.
Simple Network Management Protocol (SNMP) is a set of standards for managing networks. It is used mainly for monitoring and management. SNMP follows a manager-agent model: a manager (the monitoring station) queries agents running on routers, switches and hosts, and the agents answer from their MIB (Management Information Base), the tree of managed objects, each identified by an object identifier (OID). Communication between manager and agent uses a small set of message types: GetRequest, GetNextRequest, SetRequest and GetResponse in SNMPv1, with GetBulkRequest and InformRequest added in v2c, plus Trap, which the agent sends unsolicited. Each message is carried in a single UDP datagram (port 161 for requests, port 162 for traps), and the operation part of the message is called the PDU (Protocol Data Unit). In SNMPv1 and v2c the only access control is a community string sent in clear text, so anyone who can sniff the traffic or guess the default ("public") can read the MIB; SNMPv3 adds authentication and encryption. The main use of SNMP here is network monitoring, which covers routers, hosts and many other devices.
The MIB is what an SNMP network management system reads and writes. It holds the information needed to configure and administer a device over SNMP, and its objects are divided into groups. The SNMP statistics group counts the messages the agent has received, sent and failed to process, including those carrying a bad community string, which is useful for spotting community-string guessing. The object resource table (sysORTable) lists which MIB modules, each named by its object identifier, the agent supports. The trap group records which trap the agent last sent, each trap having its own OID. The set group contains a single object, snmpSetSerialNo, which lets multiple managers coordinate SetRequests: each manager includes the current serial number in its set, a stale number is rejected, and so concurrent changes do not collide. A network sees many kinds of threats that let attackers gain access to other systems; SNMP data viewed through tools such as Observer helps maintain security.
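The message layout described above, as an added example written for this page (it is not code from the essay or from the Observer product): a hand-rolled BER encoder for an SNMPv1/v2c GetRequest for sysDescr.0, and the decoder a sniffer would use to recover the community string from the datagram. The OID, the community string "public" and the request id are sample values; the 40-byte result is the same datagram snmpget -v1 -c public would send, and the test below checks it byte for byte.

```python
"""Hand-rolled SNMPv1/v2c GetRequest encoder and decoder (BER). Added example."""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first object a manager polls

# Tags used by SNMP's subset of BER.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3


def ber_length(n: int) -> bytes:
    """Short form below 128, otherwise 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """Minimal two's-complement encoding; the +8 keeps a leading 0x00 when the top bit is set."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """First two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 0) -> bytes:
    """version 0 = SNMPv1, 1 = SNMPv2c. The community travels as a plain OCTET STRING."""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def ber_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # assumes first arc 0 or 1, true of every SNMP OID
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(packet: bytes) -> dict:
    """What anyone sniffing the wire can recover from an SNMPv1/v2c datagram."""
    tag, msg, _ = ber_read(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = ber_read(msg, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if tag != INTEGER or version not in (0, 1):
        raise ValueError("only SNMPv1/v2c are handled; v3 has a different header")
    tag, community, pos = ber_read(msg, pos)
    if tag != OCTET_STRING:
        raise ValueError("expected community OCTET STRING")
    pdu_tag, pdu, _ = ber_read(msg, pos)
    if not GET_REQUEST <= pdu_tag <= 0xA7:
        raise ValueError("unknown PDU tag")
    _, rid, pos = ber_read(pdu, 0)
    _, _, pos = ber_read(pdu, pos)   # error-status
    _, _, pos = ber_read(pdu, pos)   # error-index
    _, varbinds, _ = ber_read(pdu, pos)
    oids, vpos = [], 0
    while vpos < len(varbinds):
        _, vb, vpos = ber_read(varbinds, vpos)
        oids.append(decode_oid(ber_read(vb, 0)[1]))
    return {"version": version, "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(rid, "big", signed=True), "oids": oids}


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)
    print(pkt.hex())            # 40 bytes; "public" is visible in the middle of them
    print(parse_message(pkt))
```

The security point is in the second function: the community string is an OCTET STRING in the clear, so any sniffer between the Observer station and the device, or anyone who guesses the default "public", has the same read access the manager has. Only SNMPv3, whose header this parser deliberately rejects, protects it.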
3. Problem Area
Security is the main concern in any intrusion detection system. To maintain it we should concentrate on the areas below.
Network Monitoring: collect and analyse information about the IP addresses in use and about the internal traffic. If any host has been compromised or is granting unauthorized access, we will see unusual traffic from it. For this we use tools such as packet capture utilities, intrusion detection systems and sniffers to get information on the traffic. We concentrate mainly on TCP, UDP and ICMP packets, looking at source and destination addresses and ports.
Traffic Analysis: focus on the servers and ports that are being used, and concentrate on IP address validation. Any traffic that seems suspicious should be examined in depth. All internal hosts should fall inside your own IP ranges; an internal address arriving on the outside interface, or an address outside your ranges appearing on the inside, is a sign of spoofing or of a rogue host. Those ranges should also be configured in the IDS so that it alerts when an address is used by an unauthorized party. Because security is the main issue in an SNMP-based intrusion detection system, many devices and tools are used to find attackers who gain access to other systems without being noticed.
4. Threats in Network
In a network we see different types of attacks that harm computers. Some of them are the Smurf attack, the SYN attack, IP sequence prediction and IP spoofing.
Smurf Attack. This is a variant of a ping (ICMP echo) flood. Instead of pinging the victim directly, the attacker sends echo requests to a network's broadcast address with the source address forged to be the victim's. Every host on that network replies with an echo reply to the victim, believing the request came from it, so a single request is amplified into hundreds of replies. Repeating this floods the victim's link and can make the system unresponsive or crash. It is a denial-of-service attack: it overloads the victim rather than giving the attacker access to it.
SYN Attack (SYN flood). This targets the TCP three-way handshake. When a source host opens a TCP connection it sends a SYN packet, the destination answers with SYN-ACK and keeps a half-open entry in its backlog, and the source completes the handshake with an ACK. The attacker sends many SYN packets, usually with forged source addresses, so the SYN-ACKs go to hosts that never answer and the victim waits for ACKs that never arrive. While the backlog is full of these half-open connections the victim cannot accept connections from legitimate clients, so the service is denied.
IP Sequence Prediction Attack. Every TCP connection starts from an initial sequence number (ISN); if the victim chooses ISNs predictably, an attacker who has observed a few of them can guess the next one. The attacker first silences a host the victim trusts, for example with a SYN flood, then sends a SYN carrying that trusted host's address. The attacker never sees the SYN-ACK, but completes the handshake with an ACK carrying the predicted sequence number and can then inject commands as if it were the trusted host. To prevent this, modern operating systems randomize their initial sequence numbers.
IP Spoofing. This is an attack on the network layer between systems that are connected and controlled by routers. It works because routers forward a packet by examining only its destination address; they do not check that the source address is genuine. The attacker sends packets whose source address is that of a trusted host, so the target believes they came from that host. The attacker may start with a real address and later change the source field in the packet headers. Where access decisions are based on the source IP address alone, this gives the attacker the access the trusted host has. Ingress and egress filtering on routers (dropping packets whose source address does not belong to the interface they arrive on) is the usual defence.
All of these attacks can also be recognised in Observer, which shows them in the traffic and SNMP statistics it collects.
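The address validation from the Traffic Analysis paragraph in section 3 and the Smurf and SYN-flood patterns from section 4, run as detection logic over a constructed flow log. This is an added example written for this page, not code from the essay or from Observer; the internal ranges, the log format, the interface names "int" and "ext" and the threshold of five half-open connections are assumptions chosen for the illustration. It flags three things: a source address that does not belong on the interface it arrived at, an echo request aimed at a directed-broadcast address, and a service with too many handshakes that never completed.

```python
"""Added example: scanning a constructed flow log for spoofing, Smurf and SYN-flood signs."""
import ipaddress
from collections import defaultdict

# Assumption: the monitored site owns these ranges (hypothetical values).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/16")]
SYN_FLOOD_THRESHOLD = 5   # half-open connections to one service before alerting (assumed)

# Constructed log, one packet per line: seq,iface,proto,src,dst,sport,dport,info
# where info holds the TCP flags (S = SYN, A = ACK) or the ICMP message type.
CONSTRUCTED_LOG = """\
1,int,tcp,192.168.1.10,192.168.1.5,51000,80,S
2,int,tcp,192.168.1.10,192.168.1.5,51000,80,A
3,ext,tcp,203.0.113.9,192.168.1.5,40000,80,S
4,ext,tcp,203.0.113.9,192.168.1.5,40001,80,S
5,ext,tcp,203.0.113.9,192.168.1.5,40002,80,S
6,ext,tcp,203.0.113.9,192.168.1.5,40003,80,S
7,ext,tcp,203.0.113.9,192.168.1.5,40004,80,S
8,ext,tcp,192.168.1.77,192.168.1.5,40005,22,S
9,ext,icmp,198.51.100.4,192.168.1.255,0,0,echo-request
10,int,tcp,10.99.0.3,192.168.1.5,5555,22,S
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_RANGES)


def parse_log(text: str) -> list:
    recs = []
    for line in text.strip().splitlines():
        seq, iface, proto, src, dst, sport, dport, info = line.split(",")
        recs.append({"seq": int(seq), "iface": iface, "proto": proto, "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport), "info": info})
    return recs


def analyse(recs: list) -> list:
    alerts = []
    half_open = {}   # (src, sport, dst, dport) -> seq of the SYN; removed when the handshake completes
    for r in recs:
        # 1. Address validation: an inside address arriving from outside is spoofed; an outside
        #    address seen on the inside interface is a host that should not be there.
        if r["iface"] == "ext" and is_internal(r["src"]):
            alerts.append({"kind": "spoofed_internal_source", "seq": r["seq"], "src": r["src"]})
        elif r["iface"] == "int" and not is_internal(r["src"]):
            alerts.append({"kind": "unknown_internal_host", "seq": r["seq"], "src": r["src"]})
        # 2. Smurf: an echo request to a directed-broadcast address makes every host on that
        #    segment answer the (forged) source, so the source is the victim, not the attacker.
        if r["proto"] == "icmp" and r["info"] == "echo-request" and is_directed_broadcast(r["dst"]):
            alerts.append({"kind": "smurf_amplification", "seq": r["seq"],
                           "victim": r["src"], "broadcast": r["dst"]})
        # 3. SYN flood: remember pure SYNs and forget them when the client's ACK arrives.
        #    The server's SYN-ACK carries A and flows the other way, so it is never counted.
        if r["proto"] == "tcp":
            key = (r["src"], r["sport"], r["dst"], r["dport"])
            if r["info"] == "S":
                half_open[key] = r["seq"]
            elif "A" in r["info"]:
                half_open.pop(key, None)
    per_service = defaultdict(int)
    for (_, _, dst, dport) in half_open:
        per_service[(dst, dport)] += 1
    for (dst, dport), n in per_service.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts.append({"kind": "syn_flood", "target": f"{dst}:{dport}", "half_open": n})
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse_log(CONSTRUCTED_LOG)):
        print(alert)
```

On the constructed log this raises four alerts: the inside address 192.168.1.77 arriving on the outside interface, the echo request to 192.168.1.255 with 198.51.100.4 as the victim, the unknown host 10.99.0.3 on the inside, and five half-open connections to 192.168.1.5:80. The handshake from 192.168.1.10 completes and is not reported. On a real capture the threshold would be set from the baseline of normal half-open counts, which is what the anomaly-based IDS in section 2 does.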
5. Statement of findings
Observer is used together with SNMP to find threats in the network and to reduce them. Observer is chosen because it examines every part of the traffic, the network and the bandwidth in detail when looking for threats.
The step-by-step procedure is as follows.
First we create a network device in Observer by giving its IP address, device type and community string. The project used the community string public; note that public is the default read-only community on most devices, so on any production device it should be changed, otherwise anyone on the network can read the device's MIB.
Using the traffic generator we produce the required traffic patterns to exercise the intrusion detection system.
Alarms are set and filters are activated depending on the type of attack being looked for.
After that the MIB walker and ping trace options are used where necessary for network detection.
Finally we can see, using Observer, how security is maintained by finding the threats with the different tools in Observer.
In the ICMP packet chart we can see that traffic was initially at a normal level and then, after the packet size was set to 600 and the rate setting to 1000, it keeps increasing, so there is a clear change in the graph. If an attacker sends hundreds of packets at our system the graph rises in the same way; we can then check the IP address and the packets sent from that address and block it.
[Figure: Observer ICMP packet chart]
In the TCP packet chart we also see the graph rise at later stages as the packet size and the duration in seconds are increased.
[Figure: Observer TCP packet chart]
In Observer we can restrict a probe instance to a single user, so that the network configuration cannot be changed by anyone else at any time.
Here we can see the IP addresses on the network that are trusted. If any other IP address appears we can examine it with the other tools in Observer. If we decide it is untrusted we can stop the transfer of packets to and from that IP.
[Figure: Observer network address list]
Top Talkers is an option in Observer used mostly to find the number of packets and bytes transferred per address and the utilization percentage. In it we see the details of all the IP addresses on the network, including the broadcast address.
[Figure: Observer Top Talkers view]
Attackers use the broadcast address as an amplifier: echo requests sent to it are answered by every host on the segment, which is the mechanism of the Smurf attack, so a broadcast address appearing high in the Top Talkers list is a warning sign worth checking.
6. Analysis and Discussion
In a Smurf attack the attacker overloads the victim by making many hosts reply to it at once. The solution is to configure routers to drop IP directed broadcasts from other networks (on Cisco routers the no ip directed-broadcast interface command, which has been the default since IOS 12.0) and to configure hosts not to answer echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1). The user should also have the router block the untrusted source address. This is done on all routers in the network so that it works effectively.
In a SYN flood attack the time a half-open connection is kept should be reduced and, once the backlog is full, the host should stop allocating state until an ACK arrives; SYN cookies achieve this by encoding the connection state in the SYN-ACK sequence number so that nothing is stored until the handshake completes. Using Top Talkers we get many benefits, such as security, load balancing and traffic analysis. With SNMP we get benefits such as portability and extensibility, since it works on any type of device, supports any type of management information and defines a small set of operations.
I conclude that there are many threats to networked systems. SNMP is a network management protocol whose data is used in an intrusion detection system, with the help of the Observer tool, to detect threats. Using SNMP with Observer we can find unauthorized access to systems, identify the attacker's IP address and stop him. SNMP and Observer play a vital role in monitoring for intrusions. Observer has several features such as Ping Tracer, Top Talkers, network names, MIB walker, alarms and filters, and with them we can detect an attacker entering a system and take the necessary precautions. The intrusion detection system is managed and monitored through SNMP using Observer.