54 Security Enhanced Applications for Information Systems

As is well known, network security is the foundation on which networked applications rest, and every country, for commercial or military reasons, spends heavily on studying it. Research on this issue shows that, although many protective measures exist, none of them answers every kind of attack. For instance:

1. A perfect design of software security is impossible.
2. Encryption technology has shortcomings of its own, which leave room for attacks such as keyloggers that capture data before it is ever encrypted; moreover, people often misunderstand the algorithms they rely on.
3. Network protocols have security holes.
4. The contradiction between availability and security runs through the whole development of computer technology.
5. A complex security system is difficult to configure, and a blunder in its configuration leaves hidden dangers behind.
6. System logs and audit trails produce massive amounts of data, and automated processing is needed to make use of that information.
7. Staff members may abuse the security system.

This chapter presents the corresponding research work on intrusion detection and intrusion prevention in large-scale, high-speed network environments and is organized as follows: first, a distributed extensible intrusion prevention system is presented; then various packet selection models for sampling-based intrusion detection systems are illustrated; next, the design and implementation of a sampling-based high-speed traffic collection platform on FPGAs and research on a trusted communication protocol for intrusion prevention systems are presented; last, we draw conclusions.

**2. DXIPS: A distributed extensible intrusion prevention system** 

**2.1 Related technology** 

**2.1.1 Snort\_inline** 

The Snort\_inline IPS is a modified version of the well-known Snort IDS. It receives the packets that the Netfilter firewall queues to userspace, through the libipq library¹, compares them against Snort signature rules, tags those that match a rule as drop, and finally hands them back to Netfilter, where the packets tagged by Snort\_inline are dropped.

Snort has five default rule actions, alert, log, pass, activate, and dynamic:

1. alert - generate an alert using the selected alert method, and then log the packet
2. log - log the packet
3. pass - ignore the packet
4. activate - alert and then turn on another dynamic rule
5. dynamic - remain idle until activated by an activate rule, then act as a log rule

Snort\_inline adds three rule actions beyond Snort's, two of which are:

1. drop - tells iptables to drop the packet and logs it via the usual Snort means
2. sdrop - tells iptables to drop the packet silently; nothing is logged

¹ Libipq is a development library for iptables userspace packet queuing.

**2.1.2 Netfilter**

Netfilter came into being with the development of the Linux firewall. It is a framework inside the Linux kernel that provides hook points at which registered functions intercept and manipulate network packets.

Netfilter defines five hooks for each supported protocol family, such as IPv4 and IPv6; the identifiers of the hooks for each family are declared in that family's header file, and the five hooks for IP version 4 are defined in <linux/netfilter\_ipv4.h>. Each hook is a point on a packet's path through the network stack, and any number of hook functions can be registered at it; they are called in priority order.

A hook function returns one of five verdicts, which tell the framework what to do with the packet next.
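
The hook traversal described here, together with the Snort\_inline loop of section 2.1.1 (a packet queued from the kernel, judged in userspace, reinjected with a verdict), as an added Python example that is not code from the chapter, from Netfilter or from Snort. It models the kernel's hook registration and the five verdicts using the identifiers and values from <linux/netfilter\_ipv4.h> and <linux/netfilter.h>; the packet type, the signature rules, the blocklist and the three hook functions are constructed for illustration.

```python
"""Model of Netfilter hook traversal with a Snort_inline-style NF_QUEUE handler.

Added example: not code from the chapter, from Netfilter or from Snort. The hook
and verdict names and values are those of <linux/netfilter_ipv4.h> and
<linux/netfilter.h>; the packet type, signatures and blocklist are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# The five IPv4 hook points, and the five verdicts a hook function may return.
NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING = range(5)
NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT = range(5)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""
    tries: int = 0  # times the NF_REPEAT demo hook below has seen this packet

HookFn = Callable[[Packet], int]
# (priority, function) pairs registered per hook, kept sorted by priority.
_hooks: Dict[int, List[Tuple[int, HookFn]]] = {h: [] for h in range(5)}

def nf_register_hook(hooknum: int, priority: int, fn: HookFn) -> None:
    _hooks[hooknum].append((priority, fn))
    _hooks[hooknum].sort(key=lambda entry: entry[0])

def nf_hook(hooknum: int, pkt: Packet, queue_handler: HookFn) -> int:
    """Call the functions at one hook in priority order and return the verdict:
    NF_ACCEPT moves on to the next function, NF_DROP and NF_STOLEN end the walk,
    NF_REPEAT calls the same function again, NF_QUEUE hands the packet to
    userspace and continues with the verdict userspace reinjects."""
    for _priority, fn in _hooks[hooknum]:
        verdict = fn(pkt)
        while verdict == NF_REPEAT:
            verdict = fn(pkt)
        if verdict == NF_QUEUE:
            verdict = queue_handler(pkt)  # ip_queue/libipq reinject with this verdict
        if verdict in (NF_DROP, NF_STOLEN):
            return verdict
    return NF_ACCEPT

def traverse(pkt: Packet, forwarded: bool, queue_handler: HookFn) -> List[Tuple[int, int]]:
    """Record (hook, verdict) along the packet's path: a forwarded packet meets
    PRE_ROUTING, FORWARD and POST_ROUTING, a locally delivered one PRE_ROUTING
    and LOCAL_IN. The walk stops at the first verdict other than NF_ACCEPT."""
    path = ([NF_IP_PRE_ROUTING, NF_IP_FORWARD, NF_IP_POST_ROUTING] if forwarded
            else [NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN])
    seen = []
    for hooknum in path:
        verdict = nf_hook(hooknum, pkt, queue_handler)
        seen.append((hooknum, verdict))
        if verdict != NF_ACCEPT:
            break
    return seen

# Userspace side: a Snort_inline-like handler. Constructed signatures are
# (action, proto, dport, payload pattern); drop logs the packet, sdrop does not.
RULES = [("drop", "tcp", 80, b"/cgi-bin/phf"), ("sdrop", "udp", 53, b"\x00\xff")]
LOG: List[str] = []

def snort_inline_verdict(pkt: Packet) -> int:
    for action, proto, dport, pattern in RULES:
        if pkt.proto == proto and pkt.dport == dport and pattern in pkt.payload:
            if action == "drop":
                LOG.append(f"drop {pkt.src}->{pkt.dst}:{pkt.dport} {pattern!r}")
            return NF_DROP
    return NF_ACCEPT

# Kernel side: three constructed hook functions.
BLOCKED = {"10.0.0.66"}

def drop_blocked_src(pkt: Packet) -> int:
    return NF_DROP if pkt.src in BLOCKED else NF_ACCEPT

def queue_to_userspace(pkt: Packet) -> int:
    return NF_QUEUE  # what an iptables '-j QUEUE' rule in the FORWARD chain does

def retry_once(pkt: Packet) -> int:
    pkt.tries += 1
    return NF_REPEAT if pkt.tries == 1 else NF_ACCEPT  # ask to be called once more

nf_register_hook(NF_IP_PRE_ROUTING, -100, drop_blocked_src)
nf_register_hook(NF_IP_FORWARD, 0, queue_to_userspace)
nf_register_hook(NF_IP_POST_ROUTING, 0, retry_once)

def run_demo() -> dict:
    LOG.clear()
    attack = Packet("10.0.0.5", "192.168.1.10", "tcp", 80, b"GET /cgi-bin/phf HTTP/1.0")
    benign = Packet("10.0.0.5", "192.168.1.10", "tcp", 80, b"GET /index.html HTTP/1.0")
    blocked = Packet("10.0.0.66", "192.168.1.10", "tcp", 22)
    quiet = Packet("10.0.0.7", "192.168.1.10", "udp", 53, b"\x12\x34\x00\xff")
    return {"attack": traverse(attack, True, snort_inline_verdict),
            "benign": traverse(benign, True, snort_inline_verdict),
            "blocked": traverse(blocked, True, snort_inline_verdict),
            "quiet": traverse(quiet, True, snort_inline_verdict),
            "log": list(LOG), "benign_tries": benign.tries}
```

Two details the model makes visible: a drop rule leaves a line in LOG while an sdrop rule leaves none, which is the whole difference between the two Snort\_inline actions; and a function returning NF\_REPEAT is simply called again, so one that returned it unconditionally would never let the packet leave the hook, which is why retry\_once counts its calls.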


**2.1.3 Iptables**

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace; how a userspace process receives it depends on the queue handler: 2.4.x and 2.6.x kernels up to 2.6.13 include the ip\_queue handler, and kernels 2.6.14 and later additionally include the nfnetlink\_queue handler, in which case packets with a target of QUEUE are sent to queue number 0 (the NFQUEUE target selects other queue numbers). This QUEUE target, read through libipq, is what feeds Snort\_inline. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet; a user-defined chain has no policy, so reaching its end behaves like RETURN.
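
The chain-traversal rules just described (next rule on no match, jump into a user-defined chain, RETURN back to the caller, policy at the end of a built-in chain) in a small Python model, added here as an example that is not code from the chapter or from the iptables project. The FORWARD chain it builds is the shape an inline IPS box would use, with a QUEUE target handing TCP and UDP to userspace; the chain contents, interface names and packets are constructed.

```python
"""Model of iptables chain traversal: ACCEPT, DROP, QUEUE, RETURN, jumps to
user-defined chains, and the policy of a built-in chain.

Added example, not code from the chapter or from the iptables project. The
chain contents, interface names and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPT, DROP, QUEUE, RETURN = "ACCEPT", "DROP", "QUEUE", "RETURN"
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")  # filter-table chains; only these carry a policy

@dataclass
class Rule:
    target: str                    # special target or the name of a user-defined chain
    src: Optional[str] = None      # CIDR; None matches any source
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return all(want is None or pkt.get(key) == want for key, want in
                   (("proto", self.proto), ("dport", self.dport), ("in", self.in_iface)))

class Filter:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {c: [] for c in BUILTIN}
        self.policy: Dict[str, str] = {c: ACCEPT for c in BUILTIN}
        self.trace: List[str] = []  # rules that fired during the last verdict() call

    def new_chain(self, name: str) -> None:
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def set_policy(self, chain: str, target: str) -> None:
        if chain not in BUILTIN or target not in (ACCEPT, DROP):
            raise ValueError("a policy (ACCEPT or DROP) exists only on built-in chains")
        self.policy[chain] = target

    def _walk(self, chain: str, pkt: dict) -> Optional[str]:
        """Final verdict, or None when the chain RETURNs or runs off its end."""
        for i, rule in enumerate(self.chains[chain]):
            if not rule.matches(pkt):
                continue  # no match: examine the next rule
            self.trace.append(f"{chain}[{i}] -> {rule.target}")
            if rule.target == RETURN:
                return None
            if rule.target in (ACCEPT, DROP, QUEUE):
                return rule.target
            verdict = self._walk(rule.target, pkt)  # jump into a user-defined chain
            if verdict is not None:
                return verdict
            # the user chain returned or ran off its end: resume with the next rule here
        return None

    def verdict(self, chain: str, pkt: dict) -> str:
        if chain not in BUILTIN:
            raise ValueError("traversal starts at a built-in chain")
        self.trace = []
        verdict = self._walk(chain, pkt)
        if verdict is None:  # end of the built-in chain, or RETURN in it: the policy decides
            verdict = self.policy[chain]
            self.trace.append(f"{chain} policy -> {verdict}")
        return verdict

def build_ips_filter() -> Filter:
    """FORWARD chain of an inline IPS box: outside traffic passes a blocklist chain,
    management hosts are accepted, TCP/UDP go to userspace via QUEUE, the rest is dropped."""
    f = Filter()
    f.set_policy("FORWARD", DROP)
    f.new_chain("blocklist")
    f.append("blocklist", Rule(RETURN, src="192.168.100.0/24"))  # management net: back to caller
    f.append("blocklist", Rule(DROP, src="10.0.0.66/32"))
    f.append("blocklist", Rule(DROP, proto="tcp", dport=23))
    f.append("FORWARD", Rule("blocklist", in_iface="eth0"))
    f.append("FORWARD", Rule(ACCEPT, src="192.168.100.0/24"))
    f.append("FORWARD", Rule(QUEUE, proto="tcp"))
    f.append("FORWARD", Rule(QUEUE, proto="udp"))
    return f

# Constructed packets as the FORWARD chain would see them.
SAMPLE_PACKETS = {
    "mgmt_ssh": {"src": "192.168.100.5", "in": "eth0", "proto": "tcp", "dport": 22},
    "blocked_host": {"src": "10.0.0.66", "in": "eth0", "proto": "tcp", "dport": 80},
    "telnet": {"src": "10.0.0.9", "in": "eth0", "proto": "tcp", "dport": 23},
    "web": {"src": "10.0.0.5", "in": "eth0", "proto": "tcp", "dport": 80},
    "ping": {"src": "10.0.0.5", "in": "eth0", "proto": "icmp"},
    "dns_inside": {"src": "192.168.1.10", "in": "eth1", "proto": "udp", "dport": 53},
}

def run_demo() -> Dict[str, tuple]:
    f = build_ips_filter()
    return {name: (f.verdict("FORWARD", pkt), list(f.trace)) for name, pkt in SAMPLE_PACKETS.items()}
```

Two cases in the traces are worth comparing: the management packet RETURNs out of the user chain and is then accepted by the next FORWARD rule, while the ICMP packet matches nothing and falls through to the DROP policy. The web packet runs off the end of the blocklist chain, which has no policy, and so comes back to FORWARD exactly as if it had hit RETURN.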

Intrusion Detection and Prevention in High Speed Network 57

**2.2 Architecture of DXIPS**

DXIPS is a distributed network IPS built on the combination of Snort\_inline and a Netfilter firewall configured with iptables. It detects malicious network traffic, drops or rejects attack packets, and performs intrusion detection and prevention on layers 4 to 7 of the network protocol stack.

A hierarchical structure is applied to the architecture of DXIPS, which consists of three layers:

Intrusion prevention layer: monitors the passing network traffic and performs intrusion detection and prevention.

Server layer: collects log data and saves it in a readable format.

Control layer: the analysis console, which performs data display.

Fig. 1. Architecture of DXIPS

**2.3 Construction and implementation of DXIPS** 

DXIPS is composed of four modules: the intrusion prevention module, the log record module, the central control module, and the communication module. These four modules coordinate with each other and perform intrusion prevention in a distributed network environment.

Fig. 2. Construction of DXIPS (the intrusion prevention module, the log record module and the central control module, exchanging packets, log data and control information)

The intrusion prevention module runs on the intrusion prevention layer and is responsible for capturing packets, intrusion detection, and prevention. It is deployed at a crucial position in the network, such as the link between intranet and extranet, so that all packets can be monitored. The module is based on the combination of Snort\_inline and a Netfilter firewall configured by iptables, and consists of three submodules: packet capture, packet detection, and response.

The log record module runs on the server layer and handles log collection and formatting. The collected logs include the intrusion detection log generated by Snort\_inline and the firewall log produced by the iptables configuration.

The central control module is the core of the whole system and runs on the control layer. It coordinates the other modules and performs management operations such as the configuration of the IPS, management of the log server, data analysis, and load balancing.

The communication module provides secure and reliable communication channels between the modules.

**2.3.1 Intrusion prevention module** 

The intrusion prevention module is deployed at a crucial position in the network and needs the ability to route, that is, packets carrying correct routing information must be delivered from the source address to the destination address, so that normal communication between intranet and extranet continues. The routing function of DXIPS relies on the Linux kernel's own IP forwarding, which is enabled with the following command:

echo 1 > /proc/sys/net/ipv4/ip\_forward

Note the space before the redirection: written as echo 1>/proc/sys/net/ipv4/ip\_forward, the shell parses 1> as a redirection of standard output, echo runs without arguments, and the file receives only a newline, so forwarding stays disabled. The setting also does not survive a reboot; set net.ipv4.ip\_forward = 1 in /etc/sysctl.conf (or run sysctl -w net.ipv4.ip\_forward=1) to make it persistent.
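
The log record module of section 2.3 collects the Snort\_inline detection log and the iptables firewall log and formats them. The following Python example is added here and is not the chapter's or DXIPS's code: it parses one Snort fast-format alert and two kernel LOG lines into a common record, skipping lines it does not recognise. The sample lines are constructed, the Snort SID is from the local range, and the DXIPS-DROP: prefix is assumed to be the --log-prefix given to the iptables LOG rule.

```python
"""Normalise Snort_inline alerts and iptables LOG lines into one event record.

Added example, not the chapter's or the DXIPS project's code. The sample lines
are constructed; the formats parsed are Snort's "fast" alert output and the
kernel's LOG target output, and the DXIPS-DROP: prefix is assumed to be the
--log-prefix of the iptables LOG rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

IPT_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>.*?)IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+(?P<rest>.*)$")

@dataclass
class Event:
    source: str               # "snort_inline" or "iptables"
    time: str
    action: str               # "alert" for Snort; "drop" or "log" derived from the prefix
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    signature: str            # gid:sid:rev plus message, or the iptables log prefix
    priority: Optional[int] = None

def _int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_snort_fast(line: str) -> Optional[Event]:
    m = SNORT_FAST.match(line.strip())
    if not m:
        return None
    return Event("snort_inline", m["ts"], "alert", m["proto"].lower(), m["src"],
                 _int(m["sport"]), m["dst"], _int(m["dport"]),
                 f'{m["gid"]}:{m["sid"]}:{m["rev"]} {m["msg"]}', int(m["prio"]))

def parse_iptables_log(line: str) -> Optional[Event]:
    m = IPT_LOG.match(line.strip())
    if not m:
        return None
    # The rest is KEY=VALUE tokens; bare flags such as DF or SYN are skipped. For
    # ICMP the second ID= (the ICMP id) overwrites the IP id, which is fine here.
    kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    prefix = m["prefix"].strip().rstrip(":")
    action = "drop" if "DROP" in prefix.upper() else "log"  # assumed prefix convention
    return Event("iptables", m["ts"], action, kv.get("PROTO", "?").lower(), kv.get("SRC", "?"),
                 _int(kv.get("SPT")), kv.get("DST", "?"), _int(kv.get("DPT")), prefix)

def normalise(lines: List[str]) -> List[Event]:
    """Parse each line with the first parser that accepts it; unknown lines are dropped."""
    events = []
    for line in lines:
        ev = parse_snort_fast(line) or parse_iptables_log(line)
        if ev:
            events.append(ev)
    return events

# Constructed sample lines: one Snort fast alert, one TCP and one ICMP line from an
# iptables LOG rule, and one syslog line that neither parser should accept.
SAMPLE_LINES = [
    "01/12-10:00:02.123456  [**] [1:1000001:1] LOCAL phf access attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80",
    "Jan 12 10:00:01 ips1 kernel: [ 1234.567890] DXIPS-DROP: IN=eth0 OUT=eth1 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.66 DST=192.168.1.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 12 10:00:03 ips1 kernel: [ 1236.000000] DXIPS-DROP: IN=eth0 OUT=eth1 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.168.1.10 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1",
    "Jan 12 10:00:04 ips1 sshd[812]: Accepted publickey for admin from 192.168.100.5",
]
```

The ICMP line is the edge case a formatter must handle: it carries no SPT/DPT fields, so the ports stay None rather than being faked, and the kernel prints ID= twice (IP header and ICMP header). Unrecognised lines are skipped rather than raising, so one odd syslog line cannot stall collection; a production collector would count them.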
