
The Design And Implementation Of Intrusion Prevention System

Posted on: 2008-06-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhang
GTID: 2178360212496007
Subject: Computer system architecture
Abstract/Summary:
The Internet is attacked more and more frequently because of vulnerabilities in computer security and the growing skill of attackers, and newly emerging blended attack techniques regularly cause great damage. Traditional firewalls and intrusion detection systems no longer work effectively enough. With a traditional firewall, attackers may get around it by forging data or by finding a back door in the firewall itself; a firewall cannot prevent attacks that originate inside the network; because of its limited capability it cannot control an attack in real time; and it cannot detect or block malicious code and viruses carried inside ordinary data streams. An intrusion detection system monitors the security of the whole system, but it often does not give the administrator enough time to respond before the intrusion has damaged the system, so security maintenance remains a problem: the response is usually worked out after the attack.

To make up for these defects of present security systems (firewall and intrusion detection) and to prevent systems from being attacked, I combine firewall and intrusion detection techniques into a dynamic intrusion prevention system. An intrusion prevention system must not only identify all kinds of attacks precisely and accurately, but also block the intrusion immediately. Its design idea is to combine different security prevention technologies into one integrated technology that is more effective than each of them separately; multilayered, cooperating defences raise the cost and difficulty of an attack and therefore greatly reduce attacks on systems in the network. The network intrusion prevention system designed in this paper is based on Snort_inline and the Netfilter/iptables firewall.

The NIPS detects suspicious network traffic and picks out malicious packets, or blocks malicious data streams. The system has a layered structure with three layers: the intrusion prevention layer, the server layer and the control layer. It consists of four parts: the intrusion prevention module, the log record module, the central control module, and the connections between the modules. The intrusion prevention module is the key part of the implementation; it is an IPS made up of Snort_inline and the Netfilter/iptables firewall. A network intrusion prevention system should be flexible and quick to deploy in the majority of network environments, so that it can protect effectively from the core to the edge of the network. Depending on the specific situation, the deployment of an intrusion prevention system can be categorized as boundary deployment, key-point deployment or mixed deployment.

My implementation of the intrusion prevention module combines an intrusion detection system with a firewall: the intrusion detection system inspects the data, passes the result to the firewall, and the firewall deals with the packets. The Snort_inline intrusion detection system and the Netfilter/iptables firewall combine to form an intrusion prevention system. Snort_inline, a modified version of Snort, is in charge of inspecting packets; Netfilter is the firewall framework in Linux that carries out the iptables commands. The intrusion prevention system uses a Netlink socket as the channel between them and reads and writes it through libipq. The system processes packets in the following steps: passing the packets to user space, reading the packets, intrusion detection, and handling the packets.

Userspace packet queueing, provided by Netfilter, passes packets to user space and receives the packets, together with the verdicts, back from user space. After the ip_queue module is loaded, packets selected by the rules are sent to ip_queue; Snort_inline then reads and inspects these packets and sends the results back to the Netfilter/iptables firewall, which handles each packet according to the rules. The possible ways of handling a packet are pass, log, alert, drop, sdrop, reject and replace.

Because of its nature, an intrusion prevention system can only be connected in series (inline) in the network, and this position can lead to potential problems. The detection technique of an intrusion prevention system comes from intrusion detection, so the false alarms and weaknesses of the intrusion detection system also appear in the intrusion prevention system; a false alarm in an intrusion detection system does not affect the system, whereas a false alarm in an intrusion prevention system does. An intrusion prevention system can also break down under high-speed network traffic. At present, the conditions under which an intrusion prevention system is suited to work include unpatched servers, new vulnerabilities, high-security servers and rules that do not produce false alarms; the intrusion prevention strategy must be established for these different conditions. To solve these problems, this paper offers an improvement plan covering function improvement and quality improvement. Function improvement means adding an anomaly detection function to the intrusion prevention system. Quality improvement consists of lowering the cost of the intrusion prevention system, using pre-processing plug-ins in intrusion detection, and improving the strategies and system deployment.

This paper implemented the intrusion prevention module of a network intrusion prevention system based on the Snort_inline intrusion detection system and the Netfilter/iptables firewall, and confirmed the feasibility of its functions through testing. The intrusion prevention system provides real-time, active prevention capability, prevents attacks effectively and preserves normal data streams, which is important for keeping the system continuous and intact. Further research would be on the functions of the other modules of the network intrusion prevention system and their implementation.
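The inline processing path described above (ip_queue hands packets to user space, Snort_inline inspects them and returns a verdict, and the firewall applies pass, log, alert, drop, sdrop, reject or replace) as an added Python simulation; this is not the thesis' code. It assumes a simplified rule of protocol, port and content match, and stands an in-memory list of constructed packets in for the ip_queue/libipq read loop that a real build would use.

```python
# Simulated inline verdict loop for the Snort_inline + Netfilter/ip_queue IPS the thesis
# describes. Added example, not the thesis' code: a real build reads packets from the
# ip_queue kernel module via libipq; here the queue is an in-memory list of constructed
# packets so the logic runs offline. Rule syntax is simplified (protocol, port, content).
from dataclasses import dataclass, field

NF_ACCEPT, NF_DROP = "NF_ACCEPT", "NF_DROP"   # verdicts handed back through libipq

@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    action: str        # pass | log | alert | drop | sdrop | reject | replace
    proto: str
    dport: int
    content: bytes
    msg: str = ""
    replace: bytes = b""   # only for action "replace"; must keep the packet length

@dataclass
class Engine:
    rules: list
    log: list = field(default_factory=list)      # records written by the log module
    alerts: list = field(default_factory=list)   # alerts raised for the administrator
    resets: list = field(default_factory=list)   # packets answered with a TCP RST / ICMP error

    def inspect(self, pkt):
        """First matching rule decides; no match means the packet is passed unchanged."""
        for r in self.rules:
            if (r.proto, r.dport) != (pkt.proto, pkt.dport) or r.content not in pkt.payload:
                continue
            if r.action in ("log", "alert", "drop", "reject", "replace"):
                self.log.append(r.msg)               # sdrop is silent: no log, no alert
            if r.action in ("alert", "drop", "reject", "replace"):
                self.alerts.append(r.msg)
            if r.action == "reject":
                self.resets.append(pkt)              # tear the connection down as well
            if r.action == "replace" and len(r.replace) == len(r.content):
                pkt.payload = pkt.payload.replace(r.content, r.replace)
            return NF_DROP if r.action in ("drop", "sdrop", "reject") else NF_ACCEPT
        return NF_ACCEPT

def run_queue(engine, packets):
    """Drain the queue like the ip_queue read loop; return (verdicts, forwarded payloads)."""
    verdicts = [engine.inspect(p) for p in packets]
    forwarded = [p.payload for p, v in zip(packets, verdicts) if v == NF_ACCEPT]
    return verdicts, forwarded
```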
Keywords/Search Tags: Implementation