
Research On Intrusion Prevention System And Hogwash Light BR

Posted on: 2009-03-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Yu
Full Text: PDF
GTID: 2178360242480424
Subject: Computer system architecture
Abstract/Summary:
The network environment is becoming more and more complex and new attack methods appear constantly, so a single security technology can no longer satisfy the network security needs of corporations. The intrusion prevention system (IPS) is a new information-security technology intended to make up for the limitations of the firewall and the intrusion detection system (IDS). A firewall can actively block attacks, and an IDS can inspect network traffic; an IPS integrates the advantages of both through tight interaction between them, providing more effective security protection. At the same time, a honeypot can reveal unknown attacks and malicious behaviour by attracting attacks from the Internet, which helps reduce the false positive and false negative rates.

HLBR (Hogwash Light BR) is a free IPS, developed in Brazil, based on Jason Larsen's Hogwash. It captures data directly at layer 2 of the OSI model (the link layer) and works as a bridge, able to detect and handle malicious traffic. Because it does not change packet headers, HLBR is invisible to attackers. The project's initial goal was to refine Hogwash's code in order to make it more functional; some of the planned enhancements, including the use of regular expressions, have already been implemented. This document describes HLBR's main features and uses, as well as all the research work done to enhance it and make it an efficient IPS.

Computer networks suffer constant attacks aimed at denial of service, intrusion into servers and theft of information, which according to Chapman, Cooper and Zwicky (2000) are the three basic categories of remote attacks. A large number of people with no knowledge of the security area try to carry out malicious actions against networks. Even without that knowledge, these people represent a potential danger, because the exploits and malicious procedures they use against networks, easily found on the Internet, can cause serious damage. There is also the possibility that the attacker in question is experienced. The need to protect computer networks gave rise to firewall systems. A firewall system is composed of several elements that act in different ways but share the common goal of providing security; the most common elements in firewall systems are packet filters, stateful filters, proxies and IPS.

An IDS (Intrusion Detection System) is an element that detects and logs malicious traffic without treating it. Some years ago the concept of the reactive IDS appeared: on detecting malicious traffic it sent a reset signal to both sides of the connection (attacker and attacked). However, by the time the reset signal was sent at least one malicious packet had already reached its destination, so this kind of detection combined with reaction was quickly rejected by the network security community. The solution was the creation of the IPS (Intrusion Prevention System), an in-line element of the topology capable of detecting and treating anomalies in traffic with a higher level of safety and efficiency.

Hogwash, developed by Jason Larsen, emerged as a university project that used the detection engine of the Snort IDS and acted on layer 2 of the OSI model. Over time many changes led to a rule format and detection mechanism of its own. The big problem is that, although the Hogwash project still exists, its development was abandoned about two years ago, so some bugs were never resolved and no new features were implemented. HLBR is free software that uses Hogwash as its basis. The project, founded in November 2005, initially removed bugs and some of the Hogwash features considered less important for the new project. The final version 0.1, released on December 26, 2005, implemented, among other innovations, an automated installation system and a README document with all the basic information needed to operate the IPS. Version 0.2, released on 9 February 2006, made several corrections and changes for better operation of the system. Version 1.0, released on 5 March 2006, implemented the use of regular expressions in the rules, giving HLBR more flexibility and power to detect anomalies in traffic. Version 2.0, to be released by the end of 2006, will apply artificial intelligence to traffic that has already been examined by the conventional rules and judged normal.

Intrusion prevention system (IPS) technology is introduced because both firewall and intrusion detection system (IDS) technologies are defective; an IPS can make up for the flaws of both. All current intrusion detection technologies are imperfect: misuse detection has a high false negative rate, and anomaly detection has a high false positive rate. A secure operating system is the security foundation of an IPS; to improve the security of the IPS, several methods are introduced, including modifying the network protocol stack and intercepting system calls. A prototype network-based IPS is designed. Its functional reference model comprises packet filtering, intrusion detection, intrusion prevention and audit; all modules operate on shared data such as static rules, dynamic rules and an anomaly information table, and thereby cooperate with each other. The secure operating system is implemented on Linux 2.4. Finally, the system evaluation procedure is described and performance is analysed under DoS attack on the network: when DoS traffic reaches 80MB, the success rate of legitimate requests remains 100% and the delay is less than 3s.
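To make the prototype's reference model concrete, here is an added toy example (not HLBR's code and not the thesis prototype) in which a packet filter, misuse detection, prevention and audit cooperate through static regex rules, dynamic rules and an anomaly information table, processing a few constructed packets in-line; the names InlineIPS, Packet, run_demo and the rule set are assumptions.

```python
import re
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst payload")  # constructed stand-in for a layer-2 frame

class InlineIPS:
    """Toy in-line IPS: packet filter, detection, prevention and audit modules
    cooperating through static rules, dynamic rules and an anomaly table."""

    def __init__(self, static_rules, rate_threshold):
        self.static_rules = [(n, re.compile(p)) for n, p in static_rules]
        self.dynamic_rules = {}          # src -> reason; created at run time
        self.anomaly_table = Counter()   # per-source packet counts
        self.rate_threshold = rate_threshold
        self.audit_log = []              # every verdict is recorded here

    def process(self, pkt):
        # Returns "forward" or "drop"; a forwarded frame is passed on unchanged,
        # so the bridge stays invisible to both endpoints.
        # Packet filter: dynamic rules block sources already judged hostile.
        if pkt.src in self.dynamic_rules:
            return self._audit(pkt, "drop", "dynamic: " + self.dynamic_rules[pkt.src])
        # Intrusion detection (misuse): static regex rules over the payload.
        for name, rx in self.static_rules:
            if rx.search(pkt.payload):
                self.dynamic_rules[pkt.src] = name   # prevention: block further frames
                return self._audit(pkt, "drop", "static: " + name)
        # Anomaly information table: a source exceeding the rate gets blocked.
        self.anomaly_table[pkt.src] += 1
        if self.anomaly_table[pkt.src] > self.rate_threshold:
            self.dynamic_rules[pkt.src] = "rate anomaly"
            return self._audit(pkt, "drop", "anomaly: rate exceeded")
        return self._audit(pkt, "forward", "no match")

    def _audit(self, pkt, action, reason):
        self.audit_log.append((pkt.src, pkt.dst, action, reason))
        return action

# Constructed rule set and traffic; not HLBR's own rules or a real capture.
STATIC_RULES = [("web-traversal", rb"\.\./\.\./"), ("ftp-overlong-user", rb"^USER \S{100,}")]

def run_demo():
    ips = InlineIPS(STATIC_RULES, rate_threshold=3)
    traffic = [Packet("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.0"),
               Packet("10.0.0.9", "10.0.0.80", b"GET /../../etc/passwd HTTP/1.0"),
               Packet("10.0.0.9", "10.0.0.80", b"GET /index.html HTTP/1.0")]
    traffic += [Packet("10.0.0.7", "10.0.0.80", b"SYN") for _ in range(5)]
    return [ips.process(p) for p in traffic], ips
```

The second packet from 10.0.0.9 is dropped by the dynamic rule created when its first packet matched a static rule, and 10.0.0.7 is cut off once the anomaly table shows it exceeding the rate threshold, with every verdict preserved in the audit log.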
Keywords/Search Tags: Prevention