Building an IDS on Windows Server 2003 SP2: the process in detail


In practice, the most popular IDS products on the market cost anywhere from hundreds of thousands to millions, and this expensive cheese is widely criticized. The result is that ordinary SMEs cannot afford to deploy IDS products and put their effort into hardening routers, firewalls and layer-3 switches instead; many large and medium-sized enterprises have bought IDS products, but the inherent limitations of IDS make them look ineffective. We should not give up on it, however, because IDS is a necessary step: IPS with IDS functionality is likely to displace standalone IDS within a few years, and the move from passive to active defense is the general trend. In fact, the techniques behind IDS are not very mysterious. This article introduces a simple entry-level IDS framework, following the thread step by step. Given market share and ease of getting started, NIDS is the most appropriate type to use as the deployment example. The whole intrusion detection process is walked through on a pure Windows platform. Due to space limitations, the treatment is qualitative.

Prerequisites

IDS: Intrusion Detection System, a combination of software and hardware that collects information from the network and its systems and analyzes it to detect intrusions.

Two organizations work on IDS standardization: the Intrusion Detection Working Group (IDWG), which operates within the Internet standards process, and the Common Intrusion Detection Framework (CIDF).

IDS classification: Network IDS (network based), Host-based IDS (host based), Hybrid IDS, Console IDS, File Integrity Checkers, Honeypots.

Event Generation System

The general model of an intrusion detection system is described following CIDF. The simplest set of intrusion detection components is shown in the figure. According to the CIDF specification, the data an IDS needs to analyze is collectively referred to as an Event; an Event may be a data packet on the network, or information obtained by other means, such as a system log.

Without a data flow (collected data), an IDS is a tree without roots, completely useless.

As the grassroots organization of the IDS, the event generation system plays a big role: it collects all the defined events and passes them on to the other components. In the Windows environment, the usual basic practice is to use WinPcap and WinDump.

As you know, Linux and Unix platforms are widely used for event generation and event analysis systems. On Windows there is an equivalent of libpcap (the indispensable library for capturing network packets from the kernel on Unix and Linux): WinPcap.

WinPcap is a free, Windows-based network interface API that puts the network card into promiscuous mode and then loops over the packets captured from the network. The technique is simple to implement, portable and independent of the network card, but its efficiency is not high, so it is suitable for networks below 100 Mbps.

The corresponding Windows sniffing tool is WinDump, a Windows port of Tcpdump from the Linux/Unix platform. It relies on the WinPcap interface (some people call WinPcap the data sniffing driver). WinDump displays the headers of the packets that match a rule, so you can use it to find network problems, monitor the state of the network, and to some extent monitor secure and insecure behaviour on the network.

Both programs are available free on the Internet, and readers can also find tutorials on their use.

The following is a brief introduction to the steps of establishing event detection and acquisition.

1. Assemble the hardware and software. Depending on how busy the network is, decide whether to use an ordinary compatible machine or a higher-performance dedicated server. If installing an NT-kernel Windows operating system, Windows Server 2003 Enterprise Edition is recommended; if conditions do not allow it, Windows 2000 Advanced Server can be used. NTFS is the recommended partition format.

2. Partition the server's disk space sensibly and effectively: the program installation and the data log storage are best placed on different partitions.

3. Simple WinPcap installation. First install its driver: download the WinPcap auto-installer (Driver+DLLs) from its homepage or a mirror site and install it directly.

Note: if you are developing with WinPcap, you also need to download the Developer's Pack.

WinPcap consists of three modules. The first module, NPF (Netgroup Packet Filter), is a VxD (virtual device driver) file; its job is to filter packets and pass them intact to the user-mode modules. The second module, packet.dll, provides a common interface for the Win32 platform. The third module, wpcap.dll, is built on top of packet.dll, does not depend on the operating system, and provides high-level, abstract functions, giving a more convenient and direct way to program. Detailed usage instructions are available on all the major websites. Making good use of WinPcap requires strong C programming skills.

4. Run WinDump. After installation, run it from the Windows command prompt; the user can then view the network status, which will not be described here.

Event detection and acquisition can thus be achieved without software compatibility, installation or configuration problems.

Event Analysis System

Since most of our networks are built with switched Ethernet, the purpose of establishing an event analysis system is to support detection across multiple network firewall devices and multiple acquisition methods (such as SNMP-based and Syslog data collection), and to provide some event log processing, statistics, analysis and query functions.

The event analysis system is the core module of the IDS. Its main function is to analyze the various events and find behaviour that violates the security policy. How to build it is both the key point and the difficulty. If you can work with others to write the software, you need rigorous preparation before development: a clear understanding of network protocols, hacker attacks and system vulnerabilities; then develop the rules and strategies, which should be based on standard technical specifications; then optimize the algorithms to improve execution efficiency, build a test model, and simulate the attack and analysis process.

The event analysis system resides on the monitored network segment and generally works through three technical means: pattern matching, protocol analysis and behaviour analysis. When a misuse pattern is detected, a corresponding warning message is generated and sent to the response system. For the time being, protocol analysis is the best way to detect in real time.

One possible design for this system uses a protocol analyzer as the main body, which can be built on an existing open protocol analysis toolkit. The protocol analyzer can display the network transport stream at packet level; alerts based on network protocol rules are analyzed automatically, so the presence of an attack can be detected quickly, and network programmers and administrators can monitor and analyze network activity to proactively detect and locate faults. Users can try a free network protocol analyzer called Ethereal, which supports Windows. The user can analyze data that the event generation system has captured and saved on the hard disk, browse the captured packets interactively, and view the summary and details of each packet. Ethereal has many powerful features, such as support for almost all protocols, a rich filter language, and easy viewing of reassembled TCP session data streams.
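As an added example of the protocol-analysis approach described above (not part of the original article, and not WinPcap's or Ethereal's code): a small C routine that decodes an Ethernet/IPv4/TCP frame by hand and returns a rule identifier for a few protocol violations a rule set would alert on. The frames are constructed inside the block with addresses from the documentation range; in a real deployment the bytes would come from a WinPcap capture.

```c
/* Added example, not from the article: a minimal protocol-analysis pass of
 * the kind the event analysis system performs on captured frames. It decodes
 * Ethernet/IPv4/TCP headers by hand and applies a few protocol-anomaly rules.
 * The frames are constructed here (checksums are left zero), not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Analysis verdicts: 0 means the frame passed every rule. */
enum { OK = 0, R_TRUNCATED = 1, R_BAD_IHL = 2, R_BAD_DOFF = 3, R_SYN_FIN = 4, R_NULL_FLAGS = 5 };

int analyze_frame(const uint8_t *f, size_t len)
{
    if (len < 14 + 20) return R_TRUNCATED;                   /* too short for Ethernet + IPv4 */
    if (f[12] != 0x08 || f[13] != 0x00) return OK;           /* EtherType: only IPv4 is analyzed */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return R_BAD_IHL;     /* bogus version or header length */
    if (ip[9] != 6) return OK;                               /* protocol field: 6 = TCP */
    if (len < 14 + ihl + 20) return R_TRUNCATED;             /* TCP header runs past the frame */
    const uint8_t *tcp = ip + ihl;
    if ((size_t)(tcp[12] >> 4) * 4 < 20) return R_BAD_DOFF;  /* bogus TCP data offset */
    uint8_t flags = tcp[13];
    if ((flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return R_SYN_FIN; /* never legitimate */
    if ((flags & 0x3f) == 0) return R_NULL_FLAGS;            /* no flags set at all: anomalous */
    return OK;
}

/* Fill buf (at least 54 bytes) with a constructed Ethernet/IPv4/TCP frame
 * from 192.0.2.10:50000 to 192.0.2.20:80 carrying the given TCP flags. */
size_t build_tcp_frame(uint8_t *buf, uint8_t flags)
{
    static const uint8_t eth[14] = {0,0x11,0x22,0x33,0x44,0x55, 0,0x66,0x77,0x88,0x99,0xaa, 0x08,0x00};
    static const uint8_t ip[20]  = {0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 192,0,2,10, 192,0,2,20};
    memcpy(buf, eth, 14);
    memcpy(buf + 14, ip, 20);
    uint8_t *tcp = buf + 34;
    memset(tcp, 0, 20);
    tcp[0] = 0xc3; tcp[1] = 0x50;   /* source port 50000 */
    tcp[3] = 80;                    /* destination port 80 */
    tcp[12] = 0x50;                 /* data offset = 5 words = 20 bytes */
    tcp[13] = flags;
    return 54;
}
```

A real rule engine would go on to track state per connection; this block only shows the per-packet header checks that protocol analysis starts from.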

Response System

The response system is an interactive system between people and things; it can be called the relay and coordination station of the whole system. The person is the system administrator, and the things are all the other components. In detail, the response system coordinator has a lot to do: record security events, generate alarm information (for example by e-mail), record additional logs, isolate intruders, terminate processes, and, according to preset definitions, block the victim's ports and services, or even strike back. It can take manual responses and automatic (machine-based) responses, and a combination of the two is better.

Design Elements of Response System

(1) Accept the event alarm information that the event analysis system has filtered, analyzed and reconstructed from the event generation system; then interactively query the user (administrator), make rule judgements and take management actions.

(2) Provide administrators with an interface to manage the event database system: modify the rule base, configure security policies, and read from and write to the database system according to the network environment.

(3) When acting on the front-end system, manage the event generation and analysis systems (collectively called the event detector), classify and filter the events the system has collected, detected and analyzed, and re-shuffle the security rules for different security conditions.

Response systems and event detectors are usually implemented as applications.

Design idea: the response system can be divided into two program parts, listening and control. The listening part binds to a free port, receives the analysis results and other information sent by the event detector, and converts them into stored files for the event database system, which the administrator can read, modify, or perform special operations on according to user permissions. The control part can use GTK+ to write the GUI, giving a more intuitive graphical user interface; its main purpose is to give the user a more convenient and friendly interface for viewing warning information.
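The listening part receives the detector's results over a TCP connection, which is a byte stream, so it must frame the records before handing them to the event database. Added example (not the article's code): a length-prefixed framing routine in C that copes with records arriving split across reads and rejects oversized ones; the record format (2-byte big-endian length followed by the payload) is an assumption made for this example.

```c
/* Added example (not from the article): framing for the response system's
 * listening part. The detector sends records over TCP; since TCP is a byte
 * stream, each record is framed as len (2 bytes, big-endian) + payload.
 * This record format is an assumption made for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_REC 1024          /* largest payload accepted; anything larger is malformed */
#define BUF_CAP (MAX_REC + 2) /* one maximal record fits in the receive buffer */

typedef struct {
    uint8_t buf[BUF_CAP];     /* bytes received but not yet consumed */
    size_t used;
    int records;              /* complete records delivered so far */
    int malformed;            /* oversized records that were rejected */
    char last[MAX_REC + 1];   /* payload of the last complete record */
} listener_state;

/* Deliver one complete record (here: keep a copy and count it). */
static void deliver(listener_state *st, const uint8_t *p, size_t n)
{
    memcpy(st->last, p, n);
    st->last[n] = '\0';
    st->records++;
}

/* Feed bytes as they arrive from recv(); returns 0, or -1 if the stream is
 * malformed and the connection should be dropped. */
int feed_bytes(listener_state *st, const uint8_t *data, size_t n)
{
    while (n > 0) {
        size_t room = BUF_CAP - st->used;
        size_t take = n < room ? n : room;
        memcpy(st->buf + st->used, data, take);
        st->used += take; data += take; n -= take;
        /* extract every complete record now in the buffer */
        while (st->used >= 2) {
            size_t len = ((size_t)st->buf[0] << 8) | st->buf[1];
            if (len > MAX_REC) { st->malformed++; return -1; }   /* reject, drop connection */
            if (st->used < 2 + len) break;                      /* wait for the rest */
            deliver(st, st->buf + 2, len);
            st->used -= 2 + len;
            memmove(st->buf, st->buf + 2 + len, st->used);
        }
    }
    return 0;
}
```

The length check runs before any copy into the record store, so a detector that is compromised or misconfigured cannot overrun the listener's buffers.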

Event Database System

Under Windows, Access is easier to master, but building on SQL Server 2000 is more effective than Access and not very difficult to get started with. The main functions of this system are to record, store and rearrange event information for administrators to view and to use for attack review and forensics.

This system is relatively simple to build, using only some of the basic functions of the database software.

To coordinate purposeful communication between the components, each component must be able to correctly understand the semantics of the data the others pass to it. A 3-layer model can be constructed by referring to the CIDF communication mechanism. Pay attention to interoperability between the components to ensure security, efficiency and smoothness.

Integration continues in the remaining work, and the functionality of each component keeps improving. With that, a basic Windows-based IDS framework is built. If your network conditions allow, try making your own cheese; there is an indescribable sweetness once the work is done.
