56 Security Enhanced Applications for Information Systems

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip\_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink\_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

**2.2 Architecture of DXIPS**

DXIPS is a distributed network IPS based on the combination of Snort\_inline and a Netfilter firewall configured by IPtables. It provides the ability to detect malicious network traffic, drop or reject attack packets, and perform intrusion detection and prevention on layers 4-7 of the network protocol stack.

A hierarchical structure is applied to the architecture of DXIPS, which consists of three layers:

- Intrusion prevention layer: monitors the network traffic passing by and performs intrusion detection and prevention.
- Server layer: collects log data and saves it in a readable format.
- Control layer: analysis console; performs data display.

Fig. 1. Architecture of DXIPS (figure not reproduced; its labels are: intrusion prevention layer with IPS nodes, extranet, server zone, office zone, intranet; server layer with log database; control layer with console).

**2.3 Construction and implementation of DXIPS**

DXIPS is composed of four modules: the intrusion prevention module, the log record module, the central control module and the communication module. These four modules coordinate with each other and perform intrusion prevention in a distributed network environment.

Fig. 2. Construction of DXIPS

The intrusion prevention module runs on the intrusion prevention layer and is responsible for capturing packets and for intrusion detection and prevention. This module is deployed at a crucial position of the network, such as the link between the intranet and the extranet, so that all packets are monitored. It is based on the combination of Snort\_inline and a Netfilter firewall configured by IPtables, and consists of three submodules: packet capture, packet detection and response.

The log record module runs on the server layer and is responsible for log collection and formatting. The collected logs include the intrusion detection log generated by Snort\_inline and the firewall log produced by the IPtables configuration.

The central control module is the core of the whole system and runs on the control layer. It is in charge of coordinating the other modules and performing management operations such as configuration of the IPS, management of the log server, data analysis and load balancing.

The communication module provides secure and reliable communication channels between the modules.

**2.3.1 Intrusion prevention module**

The intrusion prevention module is deployed at a crucial position of the network and needs the ability to route, that is, packets with correct route information should be delivered from the source address to the destination address, so that normal communication between the intranet and the extranet continues. Routing in DXIPS makes use of the default routing support of the Linux kernel, which is enabled with the following command:

"echo 1 > /proc/sys/net/ipv4/ip\_forward"
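The chain-traversal semantics described at the start of this section (first matching rule selects the target; an unmatched end of chain falls through to the chain policy), applied to the three FORWARD rules this module installs for SMTP in the packet capture step of this subsection. This is an added example, not code from the chapter or from Netfilter; the chain policy is assumed to be DROP, which the chapter does not state. It also shows why the SMTP-specific QUEUE rule must precede the generic ESTABLISHED,RELATED ACCEPT rule.

```python
"""Model of Netfilter chain traversal for the DXIPS FORWARD rules.

Added example, not the chapter's or Netfilter's code.  First match decides
the target; RETURN or the end of the chain falls to the chain policy.
The policy value DROP is an assumption (not given in the chapter)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP, QUEUE, RETURN
    states: Optional[frozenset] = None   # -m state --state ...
    proto: Optional[str] = None          # -p tcp / -p udp
    dport: Optional[int] = None          # --dport N

    def matches(self, pkt: dict) -> bool:
        return ((self.states is None or pkt["state"] in self.states)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))


@dataclass
class Chain:
    rules: list
    policy: str = "DROP"   # assumed chain policy

    def traverse(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.target == "RETURN":
                    break                # built-in chain: fall to policy
                return rule.target
        return self.policy


EST_REL = frozenset({"ESTABLISHED", "RELATED"})
# The three rules exactly as the chapter lists them, in the chapter's order.
DXIPS_FORWARD = Chain([
    Rule("QUEUE", states=EST_REL, proto="tcp", dport=25),
    Rule("ACCEPT", states=EST_REL),
    Rule("QUEUE", states=frozenset({"NEW"}), proto="tcp", dport=25),
])
# Same rules with the first two swapped: established SMTP then bypasses Snort_inline.
SWAPPED_FORWARD = Chain([DXIPS_FORWARD.rules[1], DXIPS_FORWARD.rules[0],
                         DXIPS_FORWARD.rules[2]])


def decide(chain: Chain, state: str, proto: str, dport: int) -> str:
    """Target chosen for a packet with the given conntrack state, protocol and port."""
    return chain.traverse({"state": state, "proto": proto, "dport": dport})
```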

Intrusion Detection and Prevention in High Speed Network 59

When packets are captured by the intrusion prevention module, IP forwarding is active, and the kernel delivers packets based on the address information of the packets and the routing table.

1. Packet capture

The packet capture procedure passes packets from kernel space to user space, and includes the event generator, the Netfilter hook program, IPtables, the ip\_queue kernel module and the netlink interface.

During packet capture, the intrusion prevention module uses the packets filtered by the Netfilter firewall configured by IPtables as its data source. This reduces the amount of packets to be inspected, because intrusion detection is performed only on the specific traffic selected by the security policy. IPtables, a packet filter firewall operating on the data link layer and the network layer, first filters packets according to the security policy, then passes the filtered packets to Snort\_inline for intrusion detection.

Which types of packets are handed to Snort\_inline is determined by the configuration of IPtables. For example, SMTP traffic is passed to Snort\_inline by the following rules:

"iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE"

"iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

"iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE"

2. Packet detection

The packet detection procedure performs intrusion detection against the rule set, and includes the event analyzer, the libipq library, Snort\_inline and the rule set.

The intrusion prevention module captures packets according to the security policy and parses the packet structure based on the protocol specifications, then formats the data and performs string matching of the packets against the rule set.

Fig. 3 illustrates the packet detection procedure. Snort\_inline initializes based on its command line parameters, which also specify the working mode. Then two-dimensional linked lists are constructed from the rules by parsing the rule library. Snort\_inline then performs intrusion detection on packets by calling the function "ProcessPacket( )" after packets have been read cyclically from the "ip\_queue" structure. "ProcessPacket( )" first performs protocol parsing and fills the "Packet" structure, then calls the detection function "Detect( )" to perform detection according to the rule linked lists in turn, and finally returns the detection results.

Corresponding response actions may be executed based on the packet detection results. There are 5 default actions available in Snort: alert, log, pass, activate, and dynamic. In addition, Snort\_inline provides the options drop, sdrop and reject. Action "drop" makes IPtables drop the packet and logs it; action "sdrop" makes IPtables drop the packet but does not log it; action "reject" makes IPtables drop the packet, logs it, and then sends a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.

Fig. 3. Flow diagram of packet detection (figure not reproduced; its steps are: initialization; parse rule library and construct the two-dimensional linked list; activate libipq interface; packet capture; packet parsing; rule matching with a Y/N branch; return result).

**2.3.2 Log record module**

The log record module records and audits the time at which an event happened and the corresponding information about subjects and objects, and aims to provide sufficient information for detailed analysis of security events later.

The log record module collects the logs of the intrusion prevention module, saves them to the log server, and provides analysis data for the security policy specified by the central control module. The collected logs include the intrusion detection log generated by Snort\_inline and the firewall log produced by the IPtables configuration.

Snort\_inline generates the corresponding log entries based on the specific rule action, such as alert, log, drop and reject. The default directory of the log files is "/var/log/snort".

The Netfilter firewall log may be accessed with the LOG target of IPtables. To make use of the LOG target, the ipt\_LOG module needs to be loaded as follows:

"/sbin/modprobe ipt\_LOG"

The LOG target is dedicated to recording detailed packet information such as the IP header and other useful information. The default log file of IPtables is "/var/log/message", which is written by the "syslogd" daemon. For instance, all connection information passing by may be recorded as follows:

"iptables -A FORWARD -j LOG"
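The log collection and formatting task of the log record module, as an added example that is not code from the chapter or from Snort_inline: it normalises one Netfilter LOG line (as syslogd writes it for the IPtables LOG target) and one Snort fast-format alert line (as written under /var/log/snort) into a single record shape that the server layer can store in a uniform, readable format. Both sample lines are constructed; the field layouts follow the standard kernel LOG and Snort "fast" alert formats.

```python
"""Normalise the two log sources the DXIPS log record module collects.

Added example, not the chapter's or Snort_inline's code.  Sample lines
below are constructed, not captured from any real system."""
import re
from typing import Optional

IPTABLES_LINE = ("May 12 10:23:45 ips kernel: IN=eth0 OUT=eth1 SRC=10.0.0.5 "
                 "DST=192.168.1.10 LEN=60 PROTO=TCP SPT=4321 DPT=25 SYN")
SNORT_LINE = ("05/12-10:23:45.123456  [**] [1:1000001:1] SMTP sample rule [**] "
              "[Priority: 2] {TCP} 10.0.0.5:4321 -> 192.168.1.10:25")

_KV = re.compile(r"(\w+)=(\S+)")          # KEY=value pairs of a LOG line
_SNORT = re.compile(r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
                    r"\[\*\*\].*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) "
                    r"-> (?P<dst>[\d.]+):(?P<dpt>\d+)")


def parse_iptables_log(line: str) -> Optional[dict]:
    """Netfilter LOG target line (via syslogd) -> uniform record, else None."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    kv = dict(_KV.findall(line.split("kernel:", 1)[1]))
    return {"source": "iptables", "timestamp": line[:15],
            "proto": kv.get("PROTO", "").lower(), "src": kv.get("SRC"),
            "spt": int(kv.get("SPT", 0)), "dst": kv.get("DST"),
            "dpt": int(kv.get("DPT", 0)), "msg": None, "sid": None}


def parse_snort_alert(line: str) -> Optional[dict]:
    """Snort fast-format alert line -> uniform record, else None."""
    m = _SNORT.match(line)
    if not m:
        return None
    return {"source": "snort_inline", "timestamp": m["ts"],
            "proto": m["proto"].lower(), "src": m["src"], "spt": int(m["spt"]),
            "dst": m["dst"], "dpt": int(m["dpt"]), "msg": m["msg"], "sid": m["sid"]}


def collect(lines) -> list:
    """Dispatch each raw line to the matching parser; unknown lines are skipped."""
    records = []
    for ln in lines:
        rec = parse_iptables_log(ln) or parse_snort_alert(ln)
        if rec:
            records.append(rec)
    return records
```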

