Lab #10 Securing the Network with an Intrusion Detection System (IDS)
Introduction
Nearly every day there are reports of information security breaches and resulting monetary losses in the news. Businesses and governments have increased their security budgets and undertaken measures to minimize the loss from security breaches. While cyberlaws act as a broad deterrent, internal controls are needed to secure networks from malicious activity. Internal controls traditionally fall into two major categories: prevention and detection.
Intrusion prevention systems (IPS) block the IP traffic based on the filtering criteria that the information systems security practitioner must configure. Typically, the LAN-to-WAN domain and Internet ingress/egress point is the primary location for IPS devices. Second to that would be internal networks that have or require the highest level of security and protection from unauthorized access. If you can prevent the IP packets from entering the network or LAN segment, then a remote attacker can’t do any damage.
A host-based intrusion detection system (IDS) is installed on a host machine, such as a server, and monitors traffic to and from the server and other items on the system. A network-based IDS deals with traffic to and from the network and does not have access to directly interface with the host. Intrusion detection systems are alert-driven, but they require the information systems security practitioner to configure them properly. An IDS provides the ability to monitor a network, host or application, and report back when suspicious activity is detected, but it does not block the activity.
In this lab, you will configure Snort, an open source intrusion prevention and detection system, on the TargetSnort virtual machine and the Web-based IDS monitoring tool called Snorby. You also will use the OpenVAS scanning tool to scan the TargetSnort virtual machine to test the Snort configuration and see exactly what circumstances trigger an IDS alert.
This lab has three parts, which should be completed in the order specified. There is no challenge question for this lab. 1. In the first part of the lab, you will configure an IDS for capturing network traffic on the TargetSnort virtual machine. 2. In the second part of the lab, you will conduct a vulnerability scan using OpenVAS. 3. In the third part of the lab, you will review the Snorby monitoring results.

Learning Objectives
Upon completing this lab, you will be able to: * Configure an open source intrusion prevention and detection systems (IPS/IDS), Snort, on the TargetSnort virtual machine to detect a network-based attack * Configure an IDS monitoring tool, Snorby, to view alerting events on a running IDS system * Recognize IDS signatures and understand how scans appear as events in the IDS * Use scanning tools to attack the IDS virtual machine to trigger an alert * Document and describe the attacks detected and be able to identify false positives or remediation actions
Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab. * OpenVAS * Snorby * Snort

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including screen captures of the following step(s): Part 2, Step 19; Part 3, Steps 3, 5, and 7 ; 2. Lab Assessments file.

Hands-On Steps Note:This lab contains detailed lab procedures, which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab. |

1. From the vWorkstation desktop, open the Common Lab Tasks file.
If you desire, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Figure 1 “Student Landing” workstation 2. On your local computer, create the lab deliverable files. 3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.
Part 1: Configure an Intrusion Detection System (IDS) Note:The essence of intrusion detection is the process of detecting potential misuse or attacks and the ability to respond on the basis of the alert provided. Best practice in a network environment is to have host-based intrusion detection systems enabled on critical servers and workstations to provide your network and security organization with real-time alerts and alarms for potential system compromise and/or unauthorized access. In the next steps, you will configure Snort on the TargetSnort virtual machine to detect vulnerability scans. Snort is an open source network intrusion prevention and detection system (IPS/IDS), capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. |

1. Double-click the putty.exe icon on the vWorkstation desktop to open the application. 2. Type 172.30.0.22 as the IP address of the TargetSnort server and click the Open button to open an SSH connection to the TargetSnort server. 3. Click Yes on the PuTTY Security Alert. 4. Log in to the TargetSnort using the following security credentials: * Login: root and press Enter * Password: toor and press Enter

Figure 2 TargetSnort PuTTY session 5. Type service snort status and press Enter to confirm the Snort service is running.
A response of OK indicates that Snort is now running and is configured with the default alerts and rules (signatures). While not common, it is possible to receive a fail status with this command—that’s why you check the status. If you receive a fail status, you will need to restart the Snort service. At the prompt, type service snort restart and press Enter to restart the service, and then repeat step 5 until you receive an OK status.

Figure 3 Snort status response Note:In the next steps, you will use the Snorby tool to review traffic statistics on the TargetSnort virtual machine. Snorby is a Web-based tool that analyzes intrusions detected by Snort. |

6. Type cd /var/www/snorby and press Enter to change directories. 7. Type bundle exec rake snorby:setup and press Enter to refresh the database connections and start the population of data.
Ignore any errors; these are normal on a refresh.

Figure 4 Snorby database connections refresh 8. When the command prompt returns, type bundle exec rails server -e production -b 172.30.0.22 -d and press Enter to start the Snort Web interface Snorby and run it in the background. 9. Type exit and press Enter to close the PuTTY session. 10. Double-click the Firefox Web browser icon on the vWorkstation desktop to open the browser. 11. In the browser’s address bar, type http://172.30.0.22:3000 and press Enter to open the Snorby Dashboard and maximize the browser window, if necessary. 12. Type the following credentials and click Welcome, Sign In to log in: * E-mail: snorby@snorby.org * Password: snorby
Explore the tabs and links on this page to familiarize with the features of Snorby.

Figure 5 Snorby Dashboard Note:Your organization’s security policies should define what are acceptable and unacceptable protocols, applications, and services running on your network. Performing a network traffic baseline definition analysis will provide you with information about what protocols and traffic behavior patterns are normal. Using this as a baseline, the IDS can be configured to recognize abnormal digital signatures or IP traffic patterns which helps harden the LAN-to-WAN domain at the Internet ingress/egress point. |

13. Minimize the Snorby window to return to the vWorkstation desktop.

Part 2: Conduct a Vulnerability Scan Note:In the next steps, you will use OpenVAS to conduct a vulnerability scan on the TargetSnort virtual machine. First, you will create a new user account with administrative privileges. Then you will create a new task definition, and finally you will execute the scan. OpenVAS is a framework of several services and tools offering vulnerability scanning and management solutions. It is used to run tests against client computers using a database of known exploits and weaknesses. |

1. Double-click the OpenVAS icon to launch the application.
The Greenbone Security Assistant will open in a new Internet Explorer tab. The server will need approximately five minutes to initialize. 2. At Certificate Error warning, click Continue to this website (not recommended) to continue. 3. When prompted, type the following credentials and click Login to open the application. * Username: openvasadmin * Password: pass 4. If prompted to save your password, click Not for this site to continue.

Figure 6 Connect to OpenVAS 5. In the OpenVAS toolbar, click the Administration button to add a new user account. 6. In the New User section, type the following logon information and click the Create User button to finish creating the new user account. * User name: student * Password: password * Role: Admin
If prompted to save your password, click Not for this site to continue.

Figure 7 Add a new user in OpenVAS Note: OpenVAS recognizes three distinct roles: * User: Only enough privileges for everyday use. * Administrator: Includes extra administration privileges, like the ability to add users or synchronize the feed. * Observer: Only enough privileges to view resources. That is, an observer is forbidden from creating, removing, modifying, or using any tasks, targets, or configurations. Furthermore, an observer may view these resources only when the owner of the task adds the observer to the task's observer list. | 7. Click the Logout link at the top right of the OpenVAS Server Manager window to log out. 8. Log back in using the new administrator account you created and click Login: * User name: student * Password: password

Figure 8 OpenVAS home page 9. Click the Configuration tab and then click the star icon to create a New Target host to scan.

Figure 9 Create New Target Host in OpenVAS 10. In the New Target section, type the following, or select from the drop-down list: * Name: TargetSnort * Hosts (Manual): 172.30.0.22 * Port List: OpenVAS Default

Figure 10 Entering information for a New Target in OpenVAS 11. Click the Create Target button. 12. From the OpenVAS toolbar, select Scan Management > New Task to add a new task.

Figure 11 Create a new task in OpenVAS 13. In the New Task section, type the following information: * Name: Snort Task * Scan Config: Full and very deep ultimate * Scan Targets: TargetSnort * Maximum concurrently executed NVTs per host: 15

Figure 12 Create a new Snort Task 14. Click the Create Task button to open the Scan Management home page.
Note how Snort Task is now listed as a task on the OpenVAS home page. 15. Click the Green arrow in the Actions column to start the Snort Task scan.
When the scan is completed, you will see a blue Done button in the Status column of the table. The scan can take several minutes to complete. You can use the control buttons to the right in the Actions section to Pause, Resume, or Stop the scan. Use the Task Details button (magnifying glass icon) to see more details about the progress of the scan for each target being scanned. You can manually refresh the page during this time to check the status of the scan, or set the page to automatically refresh. 16. In the Tasks header, select Refresh every 10 Sec from the first drop-down menu and click the Set Button (green refresh arrows button) to its right.

Figure 13 Refresh the screen 17. When the scan completes, click the date associated with the Snort Task to open the report for that scan.
The top of the screen provides a summary of the types vulnerabilities discovered. Vulnerabilities are categorized according to severity: High, Medium, and Low. You can also scroll down to see a detailed report of Security Issues reported. Note:In addition to the onscreen version, reports can be downloaded to your local computer in a variety of formats by selecting the download format (HTML, PDF, TXT and more) from the drop-down list and then clicking the green down arrow in the Download column. Figure 14 OpenVAS report summary |

18. Use the scrollbar to locate the Filtered Results section of the report.
In this case, OpenVAS identified a single security issue of medium risk level. 19. Make a screen capture showing the Filtered Results and paste it into your Lab Report file. 20. Close the browser window to exit from the OpenVAS Client.
Part 3: View the Scan Results in Snorby Note:In the next steps, you will review the Snort alerts captured in Snorby. Snorby is a Web-based front-end to other applications, such as Snort. When Snort captures and examines IP packets, it does not save every IP packet. Rather, it is looking for specific IP packet traffic patterns and abnormal traffic attempting to enter a network. The IDS maintains logs and alerts and alarms when certain IP packet traffic patterns are identified inbound to the organization’s network. Alerts or alarms can be automated to send information to a network or security operations help desk. Should you receive an IDS alert about a port scan detected from the same IP on a subnet, it is one of the first signs of a possibly compromised machine. An attacker may have remote access to a workstation and has enabled a vulnerability assessment scan from within your organization. The results of this scan will be sent back to the attacker unnoticed to your organization. |

1. Maximize the Snorby browser window. 2. Select Dashboard from the Snorby toolbar to refresh the Snorby alert screen.
In this case, Snorby identified 8 high severity issues and 400 issues of medium severity.

Figure 15 Snorby Dashboard 3. Make a screen capture showing the alerts identified by Snort and the date the report was run and paste it into your Lab Report file. 4. Click Events from the Snorby toolbar to open a list of the events classified by Snorby as unusual. 5. Make a screen capture showing the abnormal sessions identified by Snort and paste it into your Lab Report file. You may have to take multiple screen captures to display the entire output. 6. Locate a TFTP GET passwd error in the Event Signatures column and then click anywhere in the corresponding row to expand the detail information.

Figure 16 TFTP GET passwd errors 7. Make a screen capture showing the TFTP GET passwd details and paste it into your Lab Report file. Note:It is possible to identify the digital signatures of common reconnaissance and probing scans, such as Ping, Nmap, and OpenVAS. Program your IDS and IPS devices to specifically alert and block reconnaissance and probing IP packets that are commonly used by these attack tools. All of the normal hacking applications and tools that generate ICMP, IP, UDP, and TCP should also be identified and blocked on your external IDS/IPS device, including denial of service (DoS) and distributed denial of services (DDoS) digital signatures. |

8. Close the Snorby window. Note:This completes the lab. Close the virtual lab, if you have not already done so. |

Assignment Grading Rubric
Course: IT540 Unit: 3 Points: 116
Unit 3 Assignment
Outcomes addressed in this activity:
Unit Outcomes: * Define the term computer forensics. * Conduct a basic forensics exercise using Snort. * Illustrate the importance of audit logs to forensics investigations. * Examine how various forensics tools are used. * Examine the phases of a forensics investigation. * Illustrate basic encryption techniques.
Course Outcome:
IT540-2: Secure computer network data.
Instructions
Write your report in the standard APA style. Your output should be at least four double spaced pages, exclusive of the title page, abstract, table of contents, and references section.
Part 1:
Complete Jones & Bartlett Lab 10: Securing the Network with an Intrusion Detection System (IDS).
Part 2:
Consider the following five questions and write an essay response to each one.
How do you go about finding information when you have been told that there has been a break-in? * What servers were compromised? * Was network equipment comprised? * What user accounts were employed to do gain access? * What vulnerabilities were exploited? * What can be done to prevent a recurrence?
Assignment Requirements: * Answers contain sufficient information to adequately answer the questions * No spelling errors * No grammar errors
*Two points will be deducted from grade for each occurrence of not meeting these requirements.
For more information and example of APA formatting, see the resources in Doc sharing or visit the KU Writing Center from the KU Homepage.
Also review the KU Policy on Plagiarism. This policy will be strictly enforced on all applicable assignments and discussion posts. If you have any questions, please contact your professor.
Review the grading rubric below before beginning this activity.
Assignment grading rubric = 116 points Assignment Requirements | Points Possible | Points Earned | Part 1: Jones & Bartlett Lab 10: Securing the Network with an Intrusion Detection System (IDS). | | | Documented lab | 0–30 | | Part 2: Hypothetical Break-In | | | Q1: Listed steps that would be taken and utilities that would be used to determine what servers were compromised. | 0–17 | | Q2: Properly lists files that would be checked, and utilities that would be utilized for the determination. | 0–17 | | Q3. List included where to check for network account activity. You should also list what the indicators are for attempted network access. | 0–17 | | Q4. Indicated how to check for possible vulnerabilities that could be exploited. | 0–17 | | Q5. Included details how to protect network resources from unauthorized access and other potential security breaches. | 0–18 | | Column Total | 0-116 | | Less deduction taken for spelling, grammar and APA errors. Plagiarism is totally unacceptable | | New total after deductions | |

Lab #10 – Assessment Worksheet
Securing the Network with an Intrusion Detection System (IDS)
Course Name and Number: _____________________________________________________ Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________ Lab Due Date: ________________________________________________________________
Overview
In this lab, you configured Snort, an open source intrusion prevention and detection system, on the TargetSnort virtual machine, and the Web-based IDS monitoring tool called Snorby. You also used the OpenVAS scanning tool to scan the TargetSnort virtual machine to test the Snort configuration and see exactly what circumstances trigger an IDS alert.
Lab Assessment Questions & Answers 1. What is the difference between an IDS and an IPS? | 2. Why is it important to perform a network traffic baseline definition analysis? | 3. Why is a port scan detected from the same IP on a subnet an alarming alert to receive from your IDS? | 4. If the Snort IDS captures the IP packets off the LAN segment for examination, is this an example of promiscuous mode operation? Are these packets saved or logged? | 5. What is the difference between a host-based IDS and a network-based IDS? | 6. How can you block attackers, who are performing reconnaissance and probing, with Nmap and OpenVAS port scanning and vulnerability assessment scanning tools? | 7. Why is it a good idea to have host-based intrusion detection systems enabled on critical servers and workstations? | 8. Where should you implement intrusion prevention systems in your IT infrastructure? |