Defensive Strategies for Network Security

Sep 12, 2024

How to Hack: Defense Tutorial Notes

Introduction

  • Focus on defensive strategies against various attack methods.
  • Common attacks include:
    • SQL injection
    • Mobile device attacks
    • ARP poisoning

Network Intrusion Prevention System (NIPS)

  • Discussed the importance of NIPS in protecting enterprise networks.
  • Use of rules and policy settings to mitigate potential attacks.
  • Tool used: Snort (an open-source network intrusion detection/prevention system).

Overview of Snort Configuration

  • Important to configure the Snort settings correctly.
  • Example configuration file location: /etc/snort/snort.conf
  • Key segments in configuration:
    • Network variables
    • Decoder settings
    • Detection engine

Network Variables

  • Example of home network variable: HOME_NET set to 192.168.1.0/24.
  • Considerations for external networks in enterprise environments.

Rules and Policy Settings

  • Rules define how Snort responds to different types of traffic.
  • Rules path set in configuration: /etc/snort/rules.
  • Community rules are available and can be enabled or disabled as needed.

Testing Configuration

  • Command to test Snort configuration:
    • sudo snort -T -c /etc/snort/snort.conf
  • Validation ensures that configurations are properly set before running Snort.

Running Snort

  • Command to run Snort:
    • sudo snort -A console -c /etc/snort/snort.conf -i <interface>
  • Here, <interface> refers to the network interface card (e.g., enp0s3).

Monitoring Network Traffic

  • Demonstrated with an Nmap scan of the target, showing how Snort detects scanning activity.
  • Example IP addresses used:
    • Attacker: 192.168.1.17
    • Target: 192.168.1.18
  • Detection of information leak attempts by Snort during scans.
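Added example, not part of the original notes: a small parser for the alert lines Snort prints with -A console (the fast alert format), which groups alerts by source address and flags sources that probed many distinct ports, as an Nmap scan does. The sample alerts are constructed to mirror the scenario above (attacker 192.168.1.17, target 192.168.1.18); the rule messages and SIDs in them are made up for illustration.

```python
import re
from collections import defaultdict

# Snort fast/console alert format:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
# (ICMP alerts carry no ports, so both port groups are optional.)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the fields of one console alert line as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def find_scanners(lines, min_ports=5):
    """Map each source IP that hit at least min_ports distinct (target, port) pairs to its sorted port list."""
    pairs_by_src = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["dport"] is None:   # skip non-alert lines and port-less (ICMP) alerts
            continue
        pairs_by_src[a["src"]].add((a["dst"], int(a["dport"])))
    return {src: sorted(p for _, p in pairs)
            for src, pairs in pairs_by_src.items() if len(pairs) >= min_ports}

# Constructed sample console output (not captured data); SIDs 1000001-1000003 are placeholders.
SAMPLE_ALERTS = """\
09/12-14:03:21.101 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:22
09/12-14:03:21.104 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:80
09/12-14:03:21.108 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:443
09/12-14:03:21.111 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:445
09/12-14:03:21.115 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:3306
09/12-14:03:21.118 [**] [1:1000001:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.17:41022 -> 192.168.1.18:8080
09/12-14:03:21.120 [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.17 -> 192.168.1.18
09/12-14:05:02.500 [**] [1:1000003:1] LOCAL web request to server [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.25:51000 -> 192.168.1.18:80
"""

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_ALERTS.splitlines()).items():
        print(f"possible scan from {src}: {len(ports)} ports -> {ports}")
```

In practice, pipe a saved console log into the script (or read from stdin) and adjust min_ports to the noise level of your network.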

Conclusion

  • Importance of having a well-configured NIPS to detect attacks such as:
    • Buffer overflow
    • SQL injection
    • Cross-site scripting
  • Network policies must be tailored to specific services and environments (e.g., DMZ, sub-networks).
  • NIPS requires significant computational resources and should be deployed on separate systems dedicated to intrusion detection and prevention.