Introdução ao Gerenciamento de Redes - parte 3 - IDSs (Introduction to Network Management, part 3: IDSs)

NICbrvideos
10 Oct 2014, 04:49

Summary

TL;DR: The script introduces Gustavo, a network administrator at XPTO, who faces structural problems and attacks on the company's network. After the web server is broken into and his own income tax return is held for review by the Receita Federal, Gustavo draws a parallel between the tax authority's cross-checking of returns and the analysis of network traffic, and explores Intrusion Detection Systems (IDS) such as Snort, an open-source tool that inspects packet headers and payloads against rules and attack signatures and raises alerts in real time. He also considers pairing Snort with firewall-integration tools (SnortSam or Guardian) so that it blocks attacking addresses, turning it into an Intrusion Prevention System (IPS), and weighs sensor placement and rule tuning so that the alert volume stays manageable.

Takeaways

  • 🔍 The Brazilian Federal Revenue Service uses electronic analysis to detect tax fraud by cross-referencing data such as property variations, banking transactions, credit card expenses, and property and vehicle acquisitions.
  • 💻 Computer networks also have systems that analyze traffic and generate alerts if the traffic exhibits behavior outside the network's normal patterns.
  • 👨‍💼 Gustavo, a network administrator at a company called XPTO, is dealing with structural issues and lack of organization within the network.
  • 🛡️ The XPTO network has recently been targeted by attacks and intrusion attempts, including a web server invasion and defacement of the company's webpage.
  • 📋 Gustavo received a notice from the Federal Revenue Service that his last income tax return was retained for further scrutiny due to inconsistencies.
  • 🚗 It turned out that Gustavo's tax return issue was a simple mistake in declaring the purchase of his new car, which was resolved with a corrective declaration.
  • 🤖 Inspired by the tax analysis process, Gustavo considered implementing a system similar to the Revenue Service's but for analyzing network traffic and generating alerts for intrusion attempts.
  • 🔎 He discovered Intrusion Detection Systems (IDS) like Snort, an open-source application that analyzes network traffic in real-time and compares it against known attack patterns and anomalies.
  • 🛡️ Snort can be used in conjunction with other tools like SnortSam or Guardian to create firewall rules automatically, blocking IP addresses that are attacking the network, thus acting as an Intrusion Prevention System (IPS).
  • 📈 Gustavo realized the importance of strategically placing the IPS in the network: the server network and the Internet links will be monitored first, and he still has to decide whether the sensor sits on a switch mirror port analyzing a copy of the traffic or inline in front of the switch with all traffic passing through it.
  • 🔧 He also recognized the need to carefully define the type of traffic to be captured, the rules, and signatures to be used to avoid slowing down the network and increasing false positives.

Q & A

  • What is the main issue Gustavo is facing as a new network administrator at XPTO?

    -Gustavo is dealing with a network full of structural problems and lacking organization, along with recent attacks and intrusion attempts, including a break-in on the web server and a defacement of the company's webpage.

  • What does the term 'malha fina' refer to in the context of the Brazilian Federal Revenue Service?

    -The term 'malha fina' refers to a detailed analysis process where the Federal Revenue Service electronically analyzes and cross-references tax declarations with various information about the taxpayer to detect inconsistencies and potential tax crimes.

  • What was the outcome when Gustavo contacted the Federal Revenue Service regarding his tax declaration?

    -Gustavo found out that the issue with his tax declaration was due to a filling error regarding the purchase of his new car, and submitting a corrective declaration resolved the issue.

  • How did Gustavo's experience with the 'malha fina' inspire him to address network security issues?

    -Gustavo's experience with the 'malha fina' led him to consider if there was a system similar to the tax analysis process that could analyze network traffic for anomalies and generate alerts for potential invasions.

  • What is an Intrusion Detection System (IDS) and how does it work?

    -An Intrusion Detection System (IDS) is a security solution that analyzes network traffic, comparing packets to known attack patterns or anomalies, and notifies the network administrator if a threat is detected.

  • What is Snort and how does it function as an IDS?

    -Snort is an open-source Intrusion Detection System that analyzes both the header and content of network packets in real-time, comparing them to configured rules and attack signatures to generate alerts for suspicious activities.

  • What are some of the challenges in implementing an IDS like Snort in a network?

    -Challenges include deciding where to position the IDS in the network, defining which traffic will be captured and analyzed, and choosing the rules and signatures. Analyzing all traffic, especially on a large network, can slow the network down and raise the number of false positives, while false negatives let improper traffic through unreported; and a tool that generates more alerts than the administrator can analyze and handle is useless in practice.

  • How can Snort be made more efficient in preventing intrusions?

    -Snort can be made more effective at stopping attacks by using it together with tools like SnortSam or Guardian, which create firewall rules automatically based on Snort's analysis to block the IP addresses from which attacks originate.

  • What is the role of Snort when used as an Intrusion Prevention System (IPS)?

    -As an IPS, Snort not only generates alerts but also takes active measures to prevent attacks by blocking traffic from identified malicious sources, thus providing a more proactive approach to network security.

  • What is Gustavo's plan for implementing an IPS in the XPTO network?

    -Gustavo plans to first monitor the server network and internet access points. He will carefully study the placement of the IPS, the type of traffic to be analyzed, and the rules and signatures to be used to ensure the system is effective without causing network slowdowns or generating excessive false alerts.

  • What additional steps is Gustavo considering to further enhance the network security at XPTO?

    -Gustavo is also researching other IDS and IPS solutions, acknowledging that there are many commercial options available, to find the best fit for XPTO's network security needs.
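
The following block is an added illustration of the header-plus-content matching the Q&A above describes; it is not Snort's code or NIC.br's, and the rules, network variables, addresses and packets in it are constructed for the example. It parses a small subset of Snort's rule syntax (the header, plus the msg, content, nocase and sid options) and runs three rules over a handful of packets, including a rule that is too broad and fires on a legitimate page (a false positive) beside a tightened version of it.

```python
"""Snort-style rule matching in miniature (added illustration, not Snort's code).

Header fields are checked first, then payload content, as the video describes.
Rules, variables, addresses and packets below are made up for the example.
"""
import ipaddress
import re
from collections import namedtuple

VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}  # as a snort.conf would define

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "action proto src sport dst dport msg sid contents")


def _decode_content(text):
    """Snort content strings may embed raw bytes between pipes, e.g. |3b 69|."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, sid, contents = "", 0, []
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):  # key:value; pairs
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append([_decode_content(val), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True  # modifier applies to the preceding content
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                msg, sid, [tuple(c) for c in contents])


def _addr_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")  # forms: 80, 80:90, :1024, 1024:
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else (65535 if sep else lo_n)
    return (lo_n <= port <= hi_n) != negate


def rule_matches(rule, pkt):
    # Header checks first: cheap, and they reject most packets before payload inspection.
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport)):
        return False
    # Payload checks: every content option must occur somewhere in the payload.
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def run(rules, packets):
    """One (sid, msg, src, dst) alert per alert-rule that fires on each packet."""
    return [(r.sid, r.msg, p.src, p.dst)
            for p in packets for r in rules if r.action == "alert" and rule_matches(r, p)]


RULES = [parse_rule(r) for r in (
    # Too broad: fires on any external request containing "admin", including a
    # legitimate page that merely mentions the word (a false positive).
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin string (broad)"; content:"admin"; nocase; sid:1000001;)',
    # Tightened: require an HTTP request line for the admin path.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path probe"; content:"GET /admin"; content:"HTTP/1."; sid:1000002;)',
    # Shell metacharacter followed by a command, written with a hex escape.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB command injection attempt"; content:"|3b|id"; sid:1000003;)',
)]

PACKETS = [  # constructed traffic toward an assumed web server at 192.0.2.10
    Packet("tcp", "203.0.113.7", 51234, "192.0.2.10", 80, b"GET /admin/login.php HTTP/1.1\r\n\r\n"),
    Packet("tcp", "203.0.113.7", 51235, "192.0.2.10", 80, b"GET /news.html?q=sysadmin+jobs HTTP/1.1\r\n\r\n"),
    Packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 80, b"GET /cgi-bin/ping?host=1.1.1.1;id HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.0.2.20", 33000, "192.0.2.10", 80, b"GET /admin HTTP/1.1\r\n\r\n"),  # internal source
    Packet("udp", "203.0.113.7", 5000, "192.0.2.10", 80, b"GET /admin HTTP/1.1"),  # wrong protocol
]
```

Running `run(RULES, PACKETS)` shows the broad rule firing on the request for /news.html?q=sysadmin+jobs while the tightened rule stays silent, and the internal-source and UDP packets being rejected by the header checks before any payload is inspected. Real Snort does far more (preprocessors, stream reassembly, fast-pattern matching, and event_filter/suppress directives to rate-limit or silence noisy rules), but the tuning lesson the video points at is the same: narrow the header and make content matches specific to the attack, or the alert volume becomes unmanageable.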

Outlines

00:00

🔍 Introduction to Network Management and Tax Evasion Detection

The script introduces the third part of a video series on network management by NIC.br. It compares the process of detecting tax evasion by the Brazilian Federal Revenue Service to network security, where both involve analyzing data for inconsistencies. The protagonist, Gustavo, is a network administrator facing challenges with a problematic and disorganized network at his company, XPTO. The company's web server has been compromised, and Gustavo has received a notice from the Revenue Service about discrepancies in his tax return, which turned out to be a simple mistake that was resolved with a corrective declaration.

🛡️ Seeking a Network Security Solution

Gustavo, inspired by the tax evasion detection system, looks for a similar system to secure his company's network against intrusion attempts. He discovers Intrusion Detection Systems (IDS) like Snort, an open-source application that analyzes network traffic in real-time and alerts administrators to potential threats by comparing traffic against known attack patterns. The script explains the importance of avoiding false positives and negatives and mentions the use of additional tools like SnortSam or Guardian to create firewall rules automatically, enhancing Snort's capabilities to act as an Intrusion Prevention System (IPS).

🚀 Implementing an Intrusion Prevention System

Gustavo considers the strategic placement of the IPS within the network to maximize its effectiveness. He plans to monitor the server network and internet access points first. The script discusses the need to define the type of traffic to be analyzed and the rules and signatures to be used by the IPS to avoid network slowdowns and excessive false positives. Gustavo acknowledges the importance of not being overwhelmed by too many alerts and the need to analyze and address them effectively. The video series promises to explore more IDS and IPS solutions in upcoming videos, inviting viewers to stay tuned for more information.
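
The outline above describes SnortSam and Guardian creating firewall rules from Snort's alerts. The block below is an added illustration of that pattern with the safeguards a practitioner would insist on; it is not SnortSam, Guardian or NIC.br code. It assumes Snort's alert_fast line format and an existing nftables set named `blocked` in table `inet filter` that a drop rule references; the addresses, thresholds and alert lines are constructed for the example, and the nft commands are returned as strings rather than executed.

```python
"""Alert-driven blocking with safeguards (added illustration, not SnortSam or Guardian).

Counts alert_fast-style Snort alerts per source within a time window and emits
nftables commands to block a source once a threshold is reached. Protected
addresses are never blocked, spoofable protocols and low-priority noise are
ignored, and blocks expire. Lines, addresses and the 'blocked' set are assumed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


@dataclass
class Blocker:
    threshold: int = 3                                   # alerts per source before blocking
    window: timedelta = timedelta(seconds=60)
    block_for: timedelta = timedelta(minutes=10)
    never_block: tuple = ("192.0.2.0/24", "203.0.113.1/32")  # home net and upstream gateway (assumed)
    max_priority: int = 2                                # act on priority 1 and 2 alerts only
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    blocked: dict = field(default_factory=dict)          # ip -> expiry time
    commands: list = field(default_factory=list)

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.never_block)

    def expire(self, now):
        """Lift blocks whose time is up; a permanent block of a spoofed victim is a permanent outage."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                self.commands.append(f"nft delete element inet filter blocked {{ {ip} }}")
                del self.blocked[ip]

    def handle(self, line):
        m = ALERT_RE.match(line)
        if not m:
            return "unparsed"
        now = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # alert_fast carries no year
        self.expire(now)
        if int(m["prio"]) > self.max_priority:
            return "ignored-priority"
        if m["proto"] != "TCP":  # UDP and ICMP source addresses are trivially spoofed
            return "ignored-spoofable"
        src = m["src"]
        if self._protected(src):
            return "refused-protected"
        q = self.hits[src]
        q.append(now)
        while now - q[0] > self.window:  # drop alerts older than the window
            q.popleft()
        if len(q) >= self.threshold and src not in self.blocked:
            self.blocked[src] = now + self.block_for
            self.commands.append(f"nft add element inet filter blocked {{ {src} }}")
            q.clear()
            return "blocked"
        return "counted"


def process(lines, **settings):
    """Feed alert lines through a fresh Blocker; return the per-line decisions and the commands."""
    b = Blocker(**settings)
    return [b.handle(line) for line in lines], b.commands


LINES = [  # constructed alert_fast lines; 192.0.2.10 is the assumed web server
    "10/10-04:49:00.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80",
    "10/10-04:49:05.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:80",
    "10/10-04:49:07.000000  [**] [1:1000003:1] WEB command injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51236 -> 192.0.2.10:80",
    "10/10-04:49:09.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 198.51.100.4:6000 -> 192.0.2.10:80",
    "10/10-04:49:10.000000  [**] [1:2000001:1] DNS probe [**] [Priority: 1] {UDP} 198.51.100.77:53 -> 192.0.2.10:53",
    "10/10-04:49:11.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 192.0.2.20:4444 -> 192.0.2.10:80",
    "10/10-04:49:13.000000  [**] [1:3000001:1] ICMP ping [**] [Priority: 3] {ICMP} 203.0.113.50 -> 192.0.2.10",
    "10/10-04:49:14.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 203.0.113.7:51237 -> 192.0.2.10:80",
    "10/10-05:01:00.000000  [**] [1:1000002:1] WEB admin path probe [**] [Priority: 1] {TCP} 203.0.113.7:51300 -> 192.0.2.10:80",
]
```

Feeding `LINES` through `process` blocks 203.0.113.7 on its third alert, counts but does not block the single alert from 198.51.100.4, refuses to block the home-network host, ignores the UDP alert and the priority-3 ping, and unblocks 203.0.113.7 once the ten minutes have passed. An alert-driven blocker is itself an attack surface: anyone who can make the sensor fire with a forged source address can get that address blocked, which is why the example ignores UDP and ICMP alerts, protects the home network and the upstream gateway, and lets blocks expire. Placement matters as well: on a mirror port the sensor only sees a copy of the traffic and blocking depends entirely on the separate firewall, while an inline sensor can drop packets itself but becomes a point of failure for the whole link.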

Keywords

💡Tax Evasion

Tax evasion refers to the illegal act of willfully failing to report income, deductions, or credits, resulting in not paying the full amount of tax owed to a government. In the video, Gustavo's own income tax return is held in the 'malha fina' (fine mesh) of the Brazilian Federal Revenue Service, the detailed review that cross-checks a return against other data about the taxpayer to detect tax crimes; in his case the cause was a filling error, not evasion. The episode is used as an analogy for inspecting network traffic for inconsistencies.

💡Federal Revenue Service

The Federal Revenue Service, in Brazil known as 'Receita Federal', is the government agency responsible for tax collection and ensuring compliance with tax laws. In the script, Gustavo receives a communication from the Receita Federal about his tax declaration, emphasizing the role of this institution in monitoring and analyzing financial declarations for inconsistencies and potential fraud.

💡Network Administrator

A network administrator is a professional responsible for managing a company's computer network, ensuring its security and efficiency. Gustavo, as the network administrator in the video, faces challenges in managing a problematic network and has to deal with cyber-attacks, illustrating the critical role of network administrators in maintaining network integrity.

💡Cyber-Attacks

Cyber-attacks are attempts to damage, disrupt, or gain unauthorized access to computer systems or networks. In the script, Gustavo's company's network is targeted by cyber-attacks, including a web server invasion and defacement of the company's webpage, which underscores the ongoing threat of cybercrime to businesses.

💡Defacement

Defacement in the context of cybersecurity refers to the act of modifying the visual appearance or content of a website without the owner's permission, often as a form of protest or to demonstrate the vulnerability of the site. The script mentions that the company's webpage was defaced by invaders, highlighting the impact of cyber-attacks on a company's online presence.

💡Inconsistencies

Inconsistencies refer to discrepancies or irregularities that do not conform to expected patterns or standards. The video script discusses how the Receita Federal looks for inconsistencies in tax declarations, such as changes in property or bank transactions, to identify potential tax evasion. This concept is central to detecting both tax fraud and network security breaches.

💡Intrusion Detection Systems (IDS)

An Intrusion Detection System (IDS) is a security technology that monitors network traffic for suspicious activities or policy violations. In the video, Gustavo researches IDS as a solution to the network attacks, such as Snort, which analyzes network traffic and generates alerts for abnormal behavior indicative of an intrusion attempt.

💡Snort

Snort is an open-source intrusion detection system capable of real-time traffic analysis and packet inspection. It is highlighted in the script as a tool that Gustavo considers implementing to improve his network's security by detecting and alerting on malicious activities, showcasing its role in modern cybersecurity practices.

💡False Positives and False Negatives

False positives and false negatives are terms used in the context of security systems to describe incorrect results. A false positive occurs when an IDS incorrectly flags legitimate traffic as malicious, while a false negative fails to detect actual malicious activity. The script mentions the importance of avoiding these in the context of using Snort, emphasizing the balance needed in security systems to ensure accurate threat detection.

💡Intrusion Prevention System (IPS)

An Intrusion Prevention System (IPS) is a network security technology that not only detects but also responds to malicious activities by taking preventive actions, such as blocking IP addresses. The script describes how Snort can be used in conjunction with other tools to function as an IPS, providing a proactive approach to network security by not only detecting threats but also mitigating them.

💡Network Traffic Analysis

Network traffic analysis involves examining the flow of data within a network to identify patterns, potential security threats, or performance issues. In the script, Gustavo's consideration of where to implement the IPS is part of a broader strategy of network traffic analysis, which is essential for understanding and securing the network against attacks.

Highlights

The importance of detecting fiscal crimes through the analysis of tax declarations for inconsistencies.

The comparison of tax crime detection systems to computer network systems that analyze traffic for abnormal behavior.

Introduction to the third part of the 'Introduction to Network Management' video by NIC.br.

Gustavo's challenges as a new network administrator at a company with structural issues and lack of organization.

Recent attacks and attempts to invade the XPTO network, including a web server invasion and defacement.

Gustavo's encounter with the 'fine mesh' of the Federal Revenue Service due to an error in his tax declaration.

Explanation of the electronic analysis and data cross-referencing process for tax declarations by the Federal Revenue Service.

Resolution of Gustavo's tax issue with a corrective declaration after being flagged by the 'fine mesh'.

Gustavo's idea to implement a system similar to the tax declaration analysis for detecting network intrusions.

Research on Intrusion Detection Systems (IDS) and their function in analyzing network traffic for threats.

Discovery of Snort, an open-source IDS capable of real-time packet analysis and alerts.

Details on how Snort analyzes both packet headers and content against configured rules and attack signatures.

The importance of avoiding false positives and negatives in network security systems.

Combining Snort with other tools like SnortSam or Guardian to create firewall rules and block attacking IP addresses.

Transformation of Snort into an Intrusion Prevention System (IPS) to actively counter attacks.

Gustavo's considerations for where to implement the IPS in the network for optimal monitoring.

The need to define the type of traffic to be captured and analyzed, as well as the rules and signatures to be used.

The potential downsides of analyzing all traffic, such as network slowdown and increased false positives.

Gustavo's plan to research additional IDS and IPS solutions for the XPTO network.

Anticipation of future videos on network management tools and other internet and network topics on the NICbrVideos YouTube channel.

Transcripts

play00:00

No taxpayer wants to get caught in the "malha fina" (fine mesh) of the Lion (the Receita Federal), but to detect tax crimes

play00:04

the Receita Federal has to run a series of analyses looking for inconsistencies

play00:09

in income tax returns.

play00:11

In computer networks there are also systems that work in a similar way, analyzing

play00:16

packet traffic and generating alerts if that traffic shows some behavior

play00:21

outside the normal patterns of that network.

play00:23

This is the third part of the video "Introdução ao Gerenciamento de Redes" (Introduction to Network Management) made by NIC.br.

play00:29

Gustavo is facing some difficulties at the start of his time as network administrator

play00:33

of the company XPTO.

play00:34

He took over a network full of structural problems and without any organization.

play00:39

Recently the XPTO network became the target of attacks and intrusion attempts.

play00:43

The web server was actually broken into and the company's page suffered a defacement, having its

play00:48

content modified by the intruders.

play00:50

As if the network problems were not enough, Gustavo received a notice from the Receita Federal

play00:55

informing him that his last income tax return had been held in the "malha

play01:00

fina".

play01:01

When he contacted the Receita, it was explained to Gustavo that all returns submitted

play01:04

are analyzed electronically and the data cross-referenced with a range of information about

play01:08

the taxpayer held in the Receita Federal's systems, such as changes in net worth, bank

play01:14

transactions, credit card expenses and purchases of real estate and vehicles.

play01:17

And if some irregularity is detected, the return goes to the "malha fina" to

play01:22

take a closer look at what really happened.

play01:25

Luckily, in Gustavo's case it was just a filling error when declaring the purchase

play01:29

of his new car, and sending a corrective return resolved everything.

play01:33

But this small setback ended up helping him look for a solution to the intrusion attempts

play01:38

on the XPTO network.

play01:39

He wondered whether there might be a system like the Receita Federal's that,

play01:44

instead of analyzing income tax returns, analyzed the packets traveling on the

play01:48

network and generated alerts if it detected some unusual behavior indicating an intrusion

play01:54

attempt.

play01:55

Searching the Internet, Gustavo found articles about solutions called IDS, for Intrusion

play02:00

Detection Systems, or intrusion detection systems, which work exactly the

play02:05

way he imagined, analyzing packets and comparing them with known attack patterns or

play02:11

anomalies, and notifying the network administrator if some threat

play02:16

is detected.

play02:18

He became quite interested in an application called Snort, an open source IDS capable of

play02:23

analyzing the packets traveling on the network and raising alerts in real time.

play02:28

Snort analyzes both the header and the content of the packets and compares them with rules

play02:33

configured by the network administrator and with attack signatures, that is, with the behaviors

play02:39

and characteristics of packets belonging to already known attacks.

play02:43

This helps avoid false positives and false negatives, which occur when the IDS sends notifications

play02:49

about packets that are actually valid, or fails to report the existence of improper traffic

play02:54

on the network.

play02:55

To make Snort more efficient, it is common to use it together with other tools, such as

play03:01

SnortSam or Guardian, which, based on Snort's analyses, create firewall rules

play03:06

automatically to block IP addresses that are originating attacks against the network.

play03:11

With that, Snort starts to work as an IPS, from the English Intrusion Prevention System,

play03:18

or intrusion prevention system, taking effective action in case of attacks

play03:23

and no longer just generating alerts.

play03:26

Gustavo saw that, first of all, it is important to analyze at which points of the network the IPS will be

play03:31

deployed.

play03:32

He has already decided that the server network and the Internet links will be the first

play03:36

to be monitored.

play03:37

But it is still necessary to study carefully where to position it, for example, whether it will sit on a

play03:42

switch port, analyzing the network's mirrored traffic, or in front of the switch, with all

play03:48

the traffic passing through it before being forwarded to its destinations.

play03:51

The type of traffic that will be captured and analyzed, as well as the rules and signatures that

play03:56

will be used, also need to be well defined.

play04:00

Analyzing all the traffic, especially on large networks, can make the network

play04:04

slower, besides increasing the number of false positives.

play04:08

What is more, it is absolutely useless to have a tool generating too many alerts

play04:13

that, in practice, nobody manages to analyze and handle.

play04:16

Gustavo will still research other IDS and IPS solutions, since he saw in his research that

play04:22

there are many commercial options for these kinds of solution.

play04:26

But at least there is now hope of having found the solution to at least one of the many

play04:30

problems of the XPTO network.

play04:32

To learn about more solutions, wait for the next videos on network management

play04:37

tools.

play04:38

Also watch our other videos about the Internet and networks on the NICbrVideos channel on YouTube.

Related Tags
Network Security, Cyber Attacks, Tax Compliance, IDS Solutions, Intrusion Detection, Open Source Tools, Snort IDS, Network Management, Security Alerts, Digital Forensics