RUAHA CATHOLIC UNIVERSITY
FACULTY OF INFORMATION TECHNOLOGY AND COMMUNICATION
DEPARTMENT OF COMPUTER SCIENCE

RCS 305: Computer Security

INTRUSION DETECTION SYSTEMS, FIREWALL AND HONEYPOTS

(December 21st, 2018)

Dani Mfungo
Content

• Introduction
• Types of Intrusion-Detection systems
• Passive and reactive systems
• Comparison with firewalls
• Statistical anomaly and signature-based IDS
• Intrusion Prevention
• IDS Tools

05/24/2023
Introduction

• An IDS is a device or software application that monitors network or system activities for malicious activities or policy violations.
• This includes network attacks against vulnerable services, data-driven attacks on applications and host-based attacks.

Introduction …

• Components of an IDS:
  • Sensors: sense the network traffic or system activity and generate events.
  • Console: monitors events and alerts and controls the sensors.
  • Detection Engine: records the events logged by the sensors in a database and uses a system of rules to generate alerts from the received security events.

Types of Intrusion-Detection systems

• Network Intrusion Detection System
• Host-based Intrusion Detection System
• Hybrid Intrusion Detection System

Passive and reactive systems

• In a passive system, the sensor detects a potential security breach, logs the information and signals an alert on the console or to the owner.
• In a reactive system, the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.

Comparison with firewalls

• An IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening.
• Firewalls do not signal an attack from inside the network.

Statistical anomaly and signature-based IDSes

• Statistical anomaly-based IDS: monitors network traffic and compares it against an established baseline.
• Signature-based detection: this detection technique uses specifically known patterns to detect malicious code. These specific patterns are called signatures.

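The two detection styles side by side, as an added example that is not part of the original slides: a signature engine that matches known patterns against request log lines, and an anomaly engine that flags sources whose request rate exceeds a baseline learned from a quiet period. The log lines, baseline counts, signature names and the mean + 3 standard deviations threshold are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Signatures: a name and the regex for a specifically known malicious pattern
# (illustrative rules written for this example, not taken from the slides).
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]

def signature_alerts(log_lines):
    """Signature-based detection: flag every line that matches a known pattern."""
    alerts = []
    for line in log_lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((name, line))
    return alerts

def build_baseline(normal_counts, k=3.0):
    """Statistical baseline: mean + k standard deviations of requests per source,
    measured over a period of known-good traffic."""
    mean = statistics.mean(normal_counts)
    stdev = statistics.stdev(normal_counts)
    return mean + k * stdev

def anomaly_alerts(log_lines, threshold):
    """Anomaly-based detection: flag sources whose request count exceeds the baseline.
    Each log line starts with the source address."""
    counts = Counter(line.split()[0] for line in log_lines)
    return sorted((src, n) for src, n in counts.items() if n > threshold)

# Constructed sample data: per-source request counts from a quiet period, and a
# traffic window holding one noisy source and two requests with known bad patterns.
BASELINE_COUNTS = [2, 3, 1, 2, 4, 2, 3, 1]
TRAFFIC = (
    ["10.0.0.5 GET /index.html", "10.0.0.5 GET /about.html",
     "10.0.0.7 GET /login.php?user=admin' OR '1'='1",
     "10.0.0.3 GET /../../etc/passwd"]
    + ["10.0.0.9 GET /index.html"] * 10
)

if __name__ == "__main__":
    for name, line in signature_alerts(TRAFFIC):
        print("signature", name, "->", line)
    threshold = build_baseline(BASELINE_COUNTS)
    for src, n in anomaly_alerts(TRAFFIC, threshold):
        print(f"anomaly {src}: {n} requests > baseline {threshold:.1f}")
```

Note that the noisy source triggers no signature and the two malicious requests trigger no anomaly, which is why the two techniques are usually combined.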
Intrusion Prevention

• Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with network, host, and physical intrusion detection systems.

IDS Tools

• KFSensor
• Snort
• Suricata
• Bro
• Kismet
• OSSEC

FIREWALL
Outline

• Introduction to Firewall
• What Is a Firewall
• Types of Firewall
• What Can a Firewall Do
• Design Principles of Firewall
• Firewall Tools installation and Configuration
• Iptables demonstration

Introduction to Firewall

• Filters or controls traffic flows
• Implemented at a network perimeter (zones)

Introduction cont.

• May also contain multiple less trusted zones, referred to as Demilitarized Zones (DMZs)
• Each firewall interface is assigned a security level

Types of Firewall

1. Packet Filtering: drop or reject the packet if it matches the packet filter's rule set
  • Filtering is based on different criteria:
    • Source or destination address
    • Protocol type (TCP, UDP, ICMP, etc.)
    • Source or destination port

Types of Firewall

2. Stateful Packet Inspection
  • Tracks TCP or UDP sessions between devices
  • Packets are kept in a state session table
  • Retains packets until enough are available to make a judgment about their state, e.g. a DoS attack

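A small filter that demonstrates both the packet-filtering slide (first-match rules on address, protocol and port with ACCEPT/DROP/REJECT actions) and the stateful-inspection slide (a state session table), as an added example that is not part of the original slides. The Packet class, the rule list, the addresses and the 5-tuple session key are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example, not from the slides: packets are matched against an
# ordered rule list on source/destination address, protocol and destination port.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag marks the first packet of a new session

# Rules are checked in order and the first match wins; "*" matches anything.
# Actions use the rule-set vocabulary from the slides: ACCEPT, DROP (silently
# discard) and REJECT (discard and answer the sender). Addresses are made up.
RULES = [
    {"src": "*", "dst": "192.168.1.10", "proto": "tcp", "dport": 80, "action": "ACCEPT"},   # public web server
    {"src": "*", "dst": "192.168.1.10", "proto": "tcp", "dport": 23, "action": "REJECT"},   # telnet refused
    {"src": "192.168.1.20", "dst": "*", "proto": "tcp", "dport": "*", "action": "ACCEPT"},  # LAN host outbound
]
DEFAULT_ACTION = "DROP"   # anything not explicitly permitted is dropped

def rule_matches(rule, pkt):
    return all(rule[field] == "*" or rule[field] == getattr(pkt, field)
               for field in ("src", "dst", "proto", "dport"))

class StatefulFilter:
    """Packet filter with a state session table: replies that belong to a
    session the firewall already accepted pass without an inbound rule."""
    def __init__(self, rules, default):
        self.rules, self.default = rules, default
        self.sessions = set()   # (src, sport, dst, dport, proto) of accepted sessions

    def decide(self, pkt):
        # Reverse 5-tuple present in the state table: this is a reply to an
        # accepted session, so allow it without consulting the rule list.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "ACCEPT"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                # Record the session when a new flow (TCP SYN, or any UDP/ICMP) is accepted.
                if rule["action"] == "ACCEPT" and (pkt.proto != "tcp" or pkt.syn):
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule["action"]
        return self.default   # no rule matched; a stateless filter always lands here for replies

if __name__ == "__main__":
    fw = StatefulFilter(RULES, DEFAULT_ACTION)
    print(fw.decide(Packet("192.168.1.20", "198.51.100.7", "tcp", 51000, 443, syn=True)))  # ACCEPT
    print(fw.decide(Packet("198.51.100.7", "192.168.1.20", "tcp", 443, 51000)))            # ACCEPT (reply)
    print(fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 40001, 23)))              # REJECT
```

The same reply packet is dropped by a fresh filter whose state table is empty, which is the difference between a stateless packet filter and stateful inspection.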
Types of Firewall …

3. Application layer filtering/Proxying
  • Requests and replies pass through a proxy server
  • No direct connection between client and server

Source: (Cisco Networks, 2004)

Types of Firewall …

4. Network Layer/NAT Firewall
  • Internal addresses are not exposed
  • Protects LANs from external attacks

5. Personal Firewall
  • Version for laptops and desktops
  • Watches inbound/outbound traffic
  • Disallows inbound traffic unless explicitly stated
  • e.g. Windows Firewall

What can a firewall do

• Manage and control network traffic
• Authenticate access
• Act as an intermediary
• Protect resources
• Record and report on events

Hardware and Software Firewall

Hardware Firewall                   Software Firewall
Cisco ASA 5505                      Iptables
WatchGuard Firebox T10              pfSense
Ubiquiti UniFi USG                  ZoneAlarm
Sophos SG 105, 125, RED 50, XG 85
Dell SonicWall TZ300

Hardware vs Software Firewall

• Hardware firewalls are built into hardware devices like routers, whereas software firewalls are software programs installed on computers.
• Hardware firewalls protect a whole network, while software firewalls may also protect the individual computers on which they are installed.
• By default, hardware firewalls filter web packets, while software firewalls may not filter web packets unless web traffic filtering controls are enabled.
• A hardware firewall can be configured to use a proxy service for filtering packets, while a software firewall does not use a proxy service to filter.

Design Principles of Firewall

• Based on rule sets [Deny, Accept, Drop, Reject]
• Packet state monitoring [state database]
• Authentication and content filter mechanism

Firewall installation and Configuration

• Security on Linux - Iptables
  • What is Iptables
  • Architecture of Iptables
  • Command Format
  • Examples

HONEYPOT
Honeypot

• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• A honeypot is a well-designed system that attracts hackers into it. By luring the hacker into the system, it is possible to monitor the processes that are started and running on the system by the hacker.

Goals of honeypot

• Should look as real as possible!
• Should be monitored to see if it is being used to launch a massive attack on other systems.
• Should include files that are of interest to the hacker.

Types of honeypot

• Physical honeypot - is a real machine on the network with its own IP address

Cont…

• Virtual honeypot - is software used as a tool to provide honeypot functionality; it runs on top of an operating system and is simulated to respond to network traffic sent to it.
• Examples are HoneyBOT and KFSensor

Honeypot location within a Network

(figure: honeypot placement within the network)

Honeynet

• Honeynet - a collection of honeypots under the control of one person or organization

Example of honeypot tools

• Deception Toolkit
• Honeywall CDROM
• KFSensor
• HoneyBOT
• Honeyd
• Honeytrap
• HoneyC
• phpMyAdmin honeypot

Conclusion