Introduction to Network Management - Part 3 - IDSs
Summary
TLDR: The script introduces Gustavo, a network administrator at XPTO, who faces structural issues and cyber-attacks on the company's network. After a web server invasion and a tax declaration issue with the Revenue Service, Gustavo explores Intrusion Detection Systems (IDS) like Snort, an open-source tool, to analyze network traffic and generate real-time alerts for potential intrusions. He also considers using Snort with firewall tools to create an Intrusion Prevention System (IPS), aiming to effectively monitor and secure the network.
Takeaways
- 🔍 The Brazilian Federal Revenue Service uses electronic analysis to detect tax fraud by cross-referencing data such as property variations, banking transactions, credit card expenses, and property and vehicle acquisitions.
- 💻 Computer networks also have systems that analyze traffic and generate alerts if the traffic exhibits behavior outside the network's normal patterns.
- 👨💼 Gustavo, a network administrator at a company called XPTO, is dealing with structural issues and lack of organization within the network.
- 🛡️ The XPTO network has recently been targeted by attacks and intrusion attempts, including a web server invasion and defacement of the company's webpage.
- 📋 Gustavo received a notice from the Federal Revenue Service that his last income tax return was retained for further scrutiny due to inconsistencies.
- 🚗 It turned out that Gustavo's tax return issue was a simple mistake in declaring the purchase of his new car, which was resolved with a corrective declaration.
- 🤖 Inspired by the tax analysis process, Gustavo considered implementing a system similar to the Revenue Service's but for analyzing network traffic and generating alerts for intrusion attempts.
- 🔎 He discovered Intrusion Detection Systems (IDS) like Snort, an open-source application that analyzes network traffic in real-time and compares it against known attack patterns and anomalies.
- 🛡️ Snort can be used in conjunction with other tools like SnortSam or Guardian to create firewall rules automatically, blocking IP addresses that are attacking the network, thus acting as an Intrusion Prevention System (IPS).
- 📈 Gustavo realized the importance of strategically placing the IPS in the network, such as monitoring server networks and internet access points first.
- 🔧 He also recognized the need to carefully define the type of traffic to be captured, the rules, and signatures to be used to avoid slowing down the network and increasing false positives.
Q & A
What is the main issue Gustavo is facing as a new network administrator at XPTO?
- Gustavo is dealing with a network full of structural problems and lacking organization, along with recent attacks and attempts at invasion, including a defacement of the company's web server.
What does the term 'malha fina' refer to in the context of the Brazilian Federal Revenue Service?
- The term 'malha fina' refers to a detailed analysis process where the Federal Revenue Service electronically analyzes and cross-references tax declarations with various information about the taxpayer to detect inconsistencies and potential tax crimes.
What was the outcome when Gustavo contacted the Federal Revenue Service regarding his tax declaration?
- Gustavo found out that the issue with his tax declaration was due to a filling error regarding the purchase of his new car, and submitting a corrective declaration resolved the issue.
How did Gustavo's experience with the 'malha fina' inspire him to address network security issues?
- Gustavo's experience with the 'malha fina' led him to consider whether there was a system similar to the tax analysis process that could analyze network traffic for anomalies and generate alerts for potential invasions.
What is an Intrusion Detection System (IDS) and how does it work?
- An Intrusion Detection System (IDS) is a security solution that analyzes network traffic, comparing packets to known attack patterns or anomalies, and notifies the network administrator if a threat is detected.
What is Snort and how does it function as an IDS?
- Snort is an open-source Intrusion Detection System that analyzes both the header and content of network packets in real-time, comparing them to configured rules and attack signatures to generate alerts for suspicious activities.
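To make the header-plus-content matching described in that answer concrete, here is an added Python example; it is neither Snort's own engine nor code from the video. It parses two rules written in Snort's rule syntax and checks a handful of packets against both the rule header (protocol, addresses, ports) and the content options. The rules, addresses and payloads are constructed sample data, and the matcher supports only a small subset of what Snort does.

```python
"""Minimal Snort-style rule matcher (added illustration, not Snort's engine).

Checks packets against a rule header (protocol, addresses, ports) and the
content / nocase options. Real Snort also handles IP and port lists,
variables, hex content, preprocessors, thresholds and much more.
All rules, addresses and payloads below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [needle_bytes, nocase]


# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse one rule; options are split on ';' (no ';' inside content here)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    last = None  # the content option that a following 'nocase' modifies
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            last = [val.encode(), False]
            rule.contents.append(last)
        elif key == "nocase" and last is not None:
            last[1] = True
        elif key == "sid":
            rule.sid = int(val)
    return rule


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def port_match(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    negate = pattern.startswith("!")
    pat = pattern.lstrip("!")
    if ":" in pat:                      # range such as 1024: or 80:443
        lo, _, hi = pat.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(pat)
    return hit != negate


def header_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
            and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport))


def content_matches(rule: Rule, pkt: Packet) -> bool:
    for needle, nocase in rule.contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def inspect(rules, packets):
    """Return (sid, msg, src, dst) for every packet that fully matches a rule."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and header_matches(rule, pkt) and content_matches(rule, pkt):
                alerts.append((rule.sid, rule.msg,
                               f"{pkt.src}:{pkt.sport}", f"{pkt.dst}:{pkt.dport}"))
    return alerts


# Constructed sample rules (sids from 1000000 up are the range Snort leaves for local rules).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB traversal attempt"; content:"../../"; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB suspicious upload name"; content:"cmd.php"; nocase; sid:1000002; rev:1;)',
)]

# Constructed sample packets: two hits, then two that a content-only check would wrongly flag.
PACKETS = [
    Packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 80, b"GET /../../private.txt HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.7", 40001, "192.168.1.10", 80, b"POST /upload/CMD.PHP HTTP/1.1\r\n"),
    # the server's own reply echoes the string: header does not match, so no alert
    Packet("tcp", "192.168.1.10", 80, "203.0.113.7", 40000, b"HTTP/1.1 404 Not Found\r\n\r\n../../ not found"),
    # same bytes over DNS: wrong protocol and port for these rules
    Packet("udp", "203.0.113.7", 5353, "192.168.1.10", 53, b"../../"),
]

if __name__ == "__main__":
    for sid, msg, src, dst in inspect(RULES, PACKETS):
        print(f"[1:{sid}] {msg} {src} -> {dst}")
```

The last two packets are the point of the exercise: a content-only check would alert on both (the server's reply and an unrelated UDP datagram), which is exactly the false-positive noise the page warns about; requiring the header to match as well keeps the alerts to the two inbound web requests.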
What are some of the challenges in implementing an IDS like Snort in a network?
- Challenges include deciding where to position the IDS in the network, defining the type of traffic to be captured and analyzed, and setting the rules and signatures to avoid a high number of false positives and negatives, which can slow down the network and overwhelm the administrator with alerts.
How can Snort be made more efficient in preventing intrusions?
- Snort can be made more efficient by using it in conjunction with other tools like SnortSam or Guardian, which can create firewall rules automatically based on Snort's analysis to block IP addresses that are initiating attacks.
What is the role of Snort when used as an Intrusion Prevention System (IPS)?
- As an IPS, Snort not only generates alerts but also takes active measures to prevent attacks by blocking traffic from identified malicious sources, thus providing a more proactive approach to network security.
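The following added Python example shows the alert-to-firewall-rule idea behind the two previous answers in its simplest form; it is an illustration written for this page, not the code of SnortSam, Guardian or Snort. It reads constructed alert lines written in the style of Snort's fast alert output, counts alerts per source address, and renders firewall block commands only for sources that cross a threshold and are not on an allow list. The threshold, the allow list and the iptables rendering are assumptions added here: an automatic blocker that reacts to a single alert can cut off a legitimate host on one false positive, which is the risk the page raises.

```python
"""Alert-driven blocking, in the style of SnortSam / Guardian, reduced to the core idea.

Added illustration, not the code of either tool. Reads alert lines in the
style of Snort's fast alert output, counts alerts per source address and
renders firewall block commands for sources that reach a threshold and are
not on an allow list. Threshold and allow list are assumptions added here.
"""
import ipaddress
import re
from collections import Counter

# timestamp  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([0-9.]+):(\d+)\s+->\s+([0-9.]+):(\d+)\s*$")

# Constructed sample alerts (addresses from documentation ranges, sids made up).
SAMPLE_ALERTS = [
    "03/15-10:21:05.123456  [**] [1:1000001:1] WEB traversal attempt [**] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.168.1.10:80",
    "03/15-10:21:06.001122  [**] [1:1000001:1] WEB traversal attempt [**] [Priority: 2] {TCP} 203.0.113.7:40001 -> 192.168.1.10:80",
    "03/15-10:21:07.555555  [**] [1:1000001:1] WEB traversal attempt [**] [Priority: 2] {TCP} 203.0.113.7:40002 -> 192.168.1.10:80",
    "03/15-10:21:09.000000  [**] [1:1000002:1] WEB suspicious upload name [**] [Priority: 2] {TCP} 198.51.100.23:51000 -> 192.168.1.10:80",
    "03/15-10:21:11.000000  [**] [1:1000001:1] WEB traversal attempt [**] [Priority: 2] {TCP} 192.168.1.50:33000 -> 192.168.1.10:80",
    "this line is not an alert and is skipped",
]

# Assumed allow list: never auto-block the company's own networks (a single
# false positive must not isolate an internal workstation or the monitoring host).
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line: str):
    """Return the alert's fields as a dict, or None for lines that do not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    gid, sid, rev, msg, proto, src, sport, dst, dport = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def is_protected(ip: str, never_block=NEVER_BLOCK) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in never_block)


def decide_blocks(lines, threshold=3, never_block=NEVER_BLOCK):
    """Sorted source addresses with at least `threshold` alerts, allow list excluded."""
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or is_protected(alert["src"], never_block):
            continue
        hits[alert["src"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def firewall_commands(ips):
    """Render iptables commands; a real blocker would apply them (or a pf/ipset equivalent)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in firewall_commands(decide_blocks(SAMPLE_ALERTS)):
        print(cmd)
```

With the sample data only 203.0.113.7 is blocked: 198.51.100.23 stays below the threshold and 192.168.1.50 is on the allow list. In practice such blocks should also expire after a set time rather than accumulate forever, and the commands are printed here rather than executed so the logic can be reviewed before it is allowed to touch a firewall.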
What is Gustavo's plan for implementing an IPS in the XPTO network?
- Gustavo plans to first monitor the server network and internet access points. He will carefully study the placement of the IPS, the type of traffic to be analyzed, and the rules and signatures to be used to ensure the system is effective without causing network slowdowns or generating excessive false alerts.
What additional steps is Gustavo considering to further enhance the network security at XPTO?
- Gustavo is also researching other IDS and IPS solutions, acknowledging that there are many commercial options available, to find the best fit for XPTO's network security needs.
Outlines
🔍 Introduction to Network Management and Tax Evasion Detection
The script introduces the third part of a video series on network management by NIC.br. It compares the process of detecting tax evasion by the Brazilian Federal Revenue Service to network security, where both involve analyzing data for inconsistencies. The protagonist, Gustavo, is a network administrator facing challenges with a problematic and disorganized network at his company, XPTO. The company's web server has been compromised, and Gustavo has received a notice from the Revenue Service about discrepancies in his tax return, which turned out to be a simple mistake that was resolved with a corrective declaration.
🛡️ Seeking a Network Security Solution
Gustavo, inspired by the tax evasion detection system, looks for a similar system to secure his company's network against intrusion attempts. He discovers Intrusion Detection Systems (IDS) like Snort, an open-source application that analyzes network traffic in real-time and alerts administrators to potential threats by comparing traffic against known attack patterns. The script explains the importance of avoiding false positives and negatives and mentions the use of additional tools like SnortSam or Guardian to create firewall rules automatically, enhancing Snort's capabilities to act as an Intrusion Prevention System (IPS).
🚀 Implementing an Intrusion Prevention System
Gustavo considers the strategic placement of the IPS within the network to maximize its effectiveness. He plans to monitor the server network and internet access points first. The script discusses the need to define the type of traffic to be analyzed and the rules and signatures to be used by the IPS to avoid network slowdowns and excessive false positives. Gustavo acknowledges the importance of not being overwhelmed by too many alerts and the need to analyze and address them effectively. The video series promises to explore more IDS and IPS solutions in upcoming videos, inviting viewers to stay tuned for more information.
Keywords
💡Tax Evasion
💡Federal Revenue Service
💡Network Administrator
💡Cyber-Attacks
💡Defacement
💡Inconsistencies
💡Intrusion Detection Systems (IDS)
💡Snort
💡False Positives and False Negatives
💡Intrusion Prevention System (IPS)
💡Network Traffic Analysis
Highlights
The importance of detecting fiscal crimes through the analysis of tax declarations for inconsistencies.
The comparison of tax crime detection systems to computer network systems that analyze traffic for abnormal behavior.
Introduction to the third part of the 'Introduction to Network Management' video by NIC.br.
Gustavo's challenges as a new network administrator at a company with structural issues and lack of organization.
Recent attacks and attempts to invade the XPTO network, including a web server invasion and defacement.
Gustavo's encounter with the 'fine mesh' of the Federal Revenue Service due to an error in his tax declaration.
Explanation of the electronic analysis and data cross-referencing process for tax declarations by the Federal Revenue Service.
Resolution of Gustavo's tax issue with a corrective declaration after being flagged by the 'fine mesh'.
Gustavo's idea to implement a system similar to the tax declaration analysis for detecting network intrusions.
Research on Intrusion Detection Systems (IDS) and their function in analyzing network traffic for threats.
Discovery of Snort, an open-source IDS capable of real-time packet analysis and alerts.
Details on how Snort analyzes both packet headers and content against configured rules and attack signatures.
The importance of avoiding false positives and negatives in network security systems.
Combining Snort with other tools like SnortSam or Guardian to create firewall rules and block attacking IP addresses.
Transformation of Snort into an Intrusion Prevention System (IPS) to actively counter attacks.
Gustavo's considerations for where to implement the IPS in the network for optimal monitoring.
The need to define the type of traffic to be captured and analyzed, as well as the rules and signatures to be used.
The potential downsides of analyzing all traffic, such as network slowdown and increased false positives.
Gustavo's plan to research additional IDS and IPS solutions for the XPTO network.
Anticipation of future videos on network management tools and other internet and network topics on the NICbrVideos YouTube channel.
Transcripts
No taxpayer wants to get caught in the "malha fina" of the "Leão" (the nickname of Brazil's Federal Revenue Service), but to detect tax crimes the Federal Revenue Service has to run a series of analyses looking for inconsistencies in income tax returns. Computer networks also have systems that work in a similar way, analyzing packet traffic and generating alerts whenever that traffic shows behavior outside the normal patterns of that network.

This is the third part of the video "Introdução ao Gerenciamento de Redes" (Introduction to Network Management) produced by NIC.br.

Gustavo is facing some difficulties at the start of his job as network administrator at the company XPTO. He took over a network full of structural problems and with no organization at all. Recently the XPTO network became the target of attacks and intrusion attempts. The web server was actually broken into, and the company's web page suffered a defacement, with its content modified by the intruders.

As if the network problems were not enough, Gustavo received a notice from the Federal Revenue Service informing him that his last income tax return had been held in the "malha fina". When he contacted the Revenue Service, it was explained to Gustavo that all submitted returns are analyzed electronically and the data is cross-referenced with a range of information about the taxpayer held in the Revenue Service's systems, such as changes in net worth, bank transactions, credit card expenses, and purchases of real estate and vehicles. If any irregularity is detected, the return goes to the "malha fina" so that what really happened can be looked into more closely. Luckily, in Gustavo's case it was just a filling error when declaring the purchase of his new car, and submitting a corrective return sorted everything out.

But this small setback ended up helping him look for a solution to the intrusion attempts on the XPTO network. He wondered whether there might be a system similar to the Revenue Service's that, instead of analyzing income tax returns, analyzed the packets travelling over the network and generated alerts when it detected some unusual behavior indicating an intrusion attempt.

Searching the Internet, Gustavo found articles about solutions called IDS, Intrusion Detection Systems, which work exactly the way he imagined: analyzing packets, comparing them with already known attack patterns or anomalies, and notifying the network administrator if a threat is detected. He became quite interested in an application called Snort, an open-source IDS capable of analyzing the packets travelling over the network and raising alerts in real time.

Snort analyzes both the header and the content of packets and compares them with rules configured by the network administrator and with attack signatures, that is, with the behaviors and characteristics of packets belonging to already known attacks. This helps avoid false positives and false negatives, which occur when the IDS sends notifications about packets that are actually valid, or fails to report the presence of improper traffic on the network.

To make Snort more efficient, it is common to use it together with other tools, such as SnortSam or Guardian, which, based on Snort's analyses, automatically create firewall rules to block IP addresses that are originating attacks against the network. With that, Snort starts working as an IPS, Intrusion Prevention System, taking effective action in the event of attacks instead of merely generating alerts.

Gustavo saw that, first of all, it is important to analyze at which points of the network the IPS will be deployed. He has already decided that the server network and the Internet access links will be the first to be monitored. But it is still necessary to study carefully where to position it: for example, whether it will sit on a switch port, analyzing the network's mirrored traffic, or in front of the switch, with all traffic passing through it before being forwarded to its destinations. The type of traffic to be captured and analyzed, as well as the rules and signatures to be used, also need to be well defined. Analyzing all traffic, especially on large networks, can slow the network down, besides increasing the number of false positives. Moreover, it is absolutely useless to have a tool generating more alerts than can realistically be analyzed and handled.

Gustavo will still research other IDS and IPS solutions, since he saw in his research that there are many commercial options for these kinds of solution. But at least there is now hope of having found the solution to at least one of the many problems of the XPTO network.

To learn about more solutions, wait for the next videos on network management tools. Also watch our other videos about the Internet and networks on the NICbrVideos channel on YouTube.