Transcript for:
Defensive Strategies for Network Security

Hi and welcome back to another episode of How to Hack. So today the primary discussion is how can we play defense. We have discovered so many different kinds of attack methods and techniques to try to get access into confidential systems, critical databases, SQL injection, mobile device attacks, so we're gonna play defense today. We're gonna talk about network intrusion prevention systems, we're gonna learn about how we can use rules and policy settings on network protocols, on services, on the different kinds of potential attacks that could come into your web application server, that could be on the network. It could be ARP poisoning, it could be a different kind of combination of techniques coming in there, attacking and disrupting your network. So in your enterprise network environment chances are you have different specific policies, so specific routes of network traffic information in the environment, and using Snort, which is a network detection system, we are able to filter out using all these different kinds of policies and be able to identify specific attacks. So it could be information leakage, it could be attempting a buffer overflow against any services, and we are able to detect many of these through a software-based open source network intrusion prevention system.

So let's begin the tutorial. So on the left side of the screen I have Ubuntu running, so I can open a terminal, and again I can zoom in so that it gets a larger font and it's easier for you to see. And as I enter ifconfig, this time round we have the network interface card as enp0s3. So again, your network interface card is going to be different from mine, and chances are your IP address may also be different from mine, and in this case I have the IP address of 192.168.1.18. And on the right side of the screen I have Kali Linux running and I can log in to Kali Linux. So as I log in to Kali Linux, again it's gonna serve as the attacking machine. I'm gonna close this over here, I'm gonna launch a new terminal, and in the new terminal I'm gonna zoom in a little more so again it's easier for you to visualize what's happening in the kind of attack we're attempting. So as I enter ifconfig, remember clearly we have the IP address of the attacking machine as 192.168.1.17.

So again the tutorial for today is network intrusion detection system using Snort. So what we're gonna do is we're gonna go into sudo gedit and go into /etc/snort/snort.conf. So this is the main configuration file for Snort. So we're gonna validate the static configuration structure of the configuration file for Snort, and then we're gonna run Snort so that we are able to see the kind of detection that we can get using the NIPS. So I hit enter, it asks for a password for my sudo, I enter the password for the user and I go in. So over here we can see the file has the structure, and in this structure there are nine specific segments. So you have network variables, you're gonna configure the decoder, the base detection engine, and many other different capabilities for you to learn and to investigate on, so that you are able to produce and maximize the value from the NIPS. So as you scroll down, one thing that I have keyed in is HOME_NET is 192.168.1.0/24. So my home network in this testing lab environment is running on a variable from 1 all the way to 254 for the IP address of 192.168.1. Again, if you're running on an enterprise environment, chances are your external network may just be anything outside of home, so in this case we have an example here that you can use. So this is the inverse of home network, and again if you have DNS servers you can specify them, your SMTP servers and the like. The configuration can grow more complex as you get larger, but one important case I want to really take note of is the rules. So over here we have a rule path that we have set as a variable and it's in the folder of /etc/snort/rules. So this is an area where we're gonna explore a little more on, because it's critical for the rule setting, the policy setting, so the policies you are placing allow you to detect different kinds of attacks coming in.

So as we scroll down, what's really important is the list of rules that are available for you to actually use, the rules that are available from the community, that are available as some output of Snort. And over here for example we can see the kind of different files that you can input in, and you'll be able to activate them and they will be able to find out information whenever there are different kinds of attacks. Over here we got DDoS, we got DNS, but they are all commented out. So what is being in part of the rule engine is actually the finger rules, FTP, ICMP, IMAP, info, some miscellaneous, multimedia, MySQL. If you're running SQL, if you're running Oracle databases, you're running Oracle Solaris, again you want to enable all these policies if it's relevant to the system that you're monitoring. And again if we go in depth into for example some of the rules here, we'll be able to see what kind of traffic policy they input in. So for example if I were to go into this path over here, so I'm gonna open a new terminal, again I'm gonna zoom in a little more over here, I'm gonna click on to the View, Zoom In, and zoom in a little more, and over here what I'm gonna do is I'm gonna do a sudo gedit /etc/snort/rules/, for example, the ftp.rules. So when I enter, and of course I enter my password to access the file, so once I go in I see a new file that's opened up, and over here you have all the rules that are available as part of the verification. So in this case we have alert tcp coming from any network, from any source, destination, and then from here we can see the port number 21 coming to home network, and then of course if we look at certain types of attack that's coming in we can flag them out, we can put a message that says FTP, FTP and then the overflow attempt, and the like. So again we are trying to find all the different kinds of attacks coming in, so that with all these rules, all these signatures, we're able to tag the cyber threat.

So as I continue into the demonstration of the technology, it's very important for you to understand how many of these rules work. So what we're gonna do now is we are going to do a testing. So I'm gonna do sudo snort -T -c /etc/snort/snort.conf -i enp0s3. So enp0s3 is the network interface card I'm running on, so again if it's yours chances are it's going to be different. So when I do this it will allow me to test whether my configuration is proper, so only if my configuration is proper will I be able to run Snort; if not, you've got to validate the configuration, make sure that the parameters you are putting in are correct and proper. So once we have tested the configuration and it's good to go, all you've got to do is enter sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf, pointing to the configuration file again, and then of course -i, your interface card that you want monitoring, and from there you will be able to start monitoring against the cyber attacks.

So I'm gonna go back to my Kali Linux now, now that I've enabled the monitoring on the Ubuntu operating system. So I'm gonna do for example a direct Nmap scan onto 192.168.1.18, and what's gonna happen is Ubuntu is gonna pick up directly the kind of attacks coming in. So over here we can see the SNMP request, classification is that this is an attempted information leak, and again we see another attempt at information leak against the operating system. So if I was to turn on another information gathering tool, like for example if I turn on Sparta, so Sparta is a great GUI tool that runs all the different kinds of reconnaissance attacks on Kali Linux against the operating system. So I say I want to target a specific IP address which is 192.168.1.18 and I click Add to scope, and once I've added the scope it's beginning all the scanning on Nmap. You see on stage one it's running multiple services, it's beginning to kick-start different services, and we see on the backdrop, we see that Ubuntu is detecting all these different kinds of attacks coming in, and of course we see the IP address of 192.168.1.17, which is the attacking machine, against the destination of 192.168.1.18. So we are able to perform the scanning attack against the operating system and then of course we are able to detect them, and we're able to respond to the discovered attacks either by disabling the service or by stopping the attack altogether in the network.

So as you've seen, we have used a software-based network intrusion prevention system and were able to detect the different kinds of scanning and reconnaissance in the environment. And of course if you were to try to use buffer overflow attacks, if you're trying to do SQL injection, there are rules and policies that are specific and designed for certain application services. So one of the rules that you can see under the configuration file is actually server-apache. So we are specifically designing rules and policies to actually protect the kind of web application server, and from there the different rules will be applicable to this application server so that you can properly defend against it. So it could be a certain kind of path traversal, it could be some kind of injection coming in, cross-site scripting requests, cross-site request forgery, again we're able to pick it up within the operating system through the use of Snort as a network intrusion detection system. And of course in large-scale enterprises that you are deploying on, you have many different services: your service could be residing on the DMZ zone, your service could be residing on the sub-networks, so again your policies, your rules have to be different. And because network intrusion prevention systems generally require a lot of computation power, you actually have to tap the network traffic, the data, the events or log information into a separate system, so that that system is customized and built solely just to do network intrusion prevention and detection, and from there is able to tell you what other potential attacks or offenses are in the environment. So with that we come to the end of the tutorial and I hope you learned something valuable today. If you have any questions feel free to leave a comment below, and thank you so much for watching.
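The HOME_NET / EXTERNAL_NET variables and the `alert tcp any any -> $HOME_NET 21` header shape from the walkthrough, as an added Python example that is not part of the video or of Snort itself: a toy matcher that resolves the variables and reports which constructed rules fire on the lab traffic. It simplifies real Snort semantics to single CIDRs, single ports and the `->` direction only, and both rules and flows are constructed. It also shows the caveat that a rule written with `$EXTERNAL_NET` as its source stays silent when, as in this lab, the Kali box sits inside HOME_NET.

```python
import ipaddress
import re

# Variables as keyed into snort.conf in the walkthrough (lab values).
SNORT_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rules in snort.conf syntax: the first mirrors the
# "alert tcp any any -> $HOME_NET 21" header seen in ftp.rules, the
# second uses $EXTERNAL_NET. SIDs >= 1000000 are reserved for local rules.
RULES = [
    'alert tcp any any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; '
    'classtype:attempted-admin; sid:1000001;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request"; '
    'classtype:attempted-recon; sid:1000002;)',
]
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(rule):
    """Split a one-line rule into header fields plus msg/classtype options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = dict(kv.strip().split(":", 1) for kv in opts.split(";") if ":" in kv)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": options["msg"].strip('"'),
            "classtype": options.get("classtype", "")}

def ip_matches(spec, ip):
    """Resolve $VAR references and '!' negation, then test CIDR membership."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        return ip_matches(SNORT_VARS[spec[1:]], ip) ^ negate
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec)) ^ negate

def alerts_for(proto, src, sport, dst, dport, rules=RULES):
    """Return '[classtype] msg' for every rule whose header matches the flow."""
    hits = []
    for r in map(parse_rule, rules):
        if (r["proto"] == proto and ip_matches(r["src"], src)
                and r["sport"] in ("any", str(sport))
                and ip_matches(r["dst"], dst)
                and r["dport"] in ("any", str(dport))):
            hits.append("[%s] %s" % (r["classtype"], r["msg"]))
    return hits
```

Feeding it the lab scan (Kali 192.168.1.17 probing Ubuntu 192.168.1.18) fires the FTP rule on port 21 but not the SNMP rule, because `$EXTERNAL_NET` resolves to `!192.168.1.0/24` and excludes the in-lab attacker.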