Monday, November 26, 2018

Analysis Of The Intrusion Detection System (IDS) Security System, Firewall System, Database System And Monitoring System Using Moving Agents


Sugiantoro, Bambang 1), Eko Istianto, Jazi 2)

Abstract

Computer network security, as part of an information system, is very important for maintaining the validity and integrity of data and for ensuring the availability of services to its users. The system must be protected from all kinds of attacks and from attempts by unauthorized parties to infiltrate or scan it. The network security method presented here aims to establish an integrated security system architecture combining an Intrusion Detection System (IDS), a Firewall System, a Database System and an associated Monitoring System, reviewed from the perspective of moving agents. This security system aims to protect the network with the ability to respond in accordance with security policies. The result is an architecture for a computer network intrusion detection system that can detect suspicious network activity and, based on moving agents, take action to prevent further attacks.




1. INTRODUCTION

Computer networks continue to develop in scalability, in the number of nodes and in the technology used. This requires good network management so that network availability is always high. The network management tasks carried out by network administrators involve many problems, including those related to computer network security. An intrusion is someone who tries to damage or abuse the system, or any attempt that compromises the integrity, confidentiality or availability of a computer resource. This definition does not depend on the success or failure of the action, so it covers any attack on a computer system. In short, intrusion detection (ID) is an attempt to identify an intruder who enters a system without authorization (e.g. a cracker) or a legitimate user who misuses (abuses) system resources (e.g. an insider threat). An Intrusion Detection System (IDS) is a computer system (possibly a combination of software and hardware) that tries to detect intrusions. An IDS issues a notification when it detects something that it considers suspicious or illegal. An IDS does not prevent infiltration; what it observes and notifies depends on how well the IDS is configured. A Software Agent (hereinafter referred to simply as an agent) is a software entity dedicated to a certain purpose. Agents can have their own ideas about how to complete a particular job. A number of studies on agents have produced various applications, for example distributed meeting schedulers, network mapping, auctions and database searching. Security and confidentiality are among the important aspects of a message, data or information. They are closely related to the importance of the messages, data or information that interested parties send and receive, and to whether that message, data or information is still authentic. Messages, data or information become useless if, in transit, they are tapped or hijacked by someone who is not entitled to them.
(Firrar.U., Riyanto B, 2003).

2. LITERATURE REVIEW

In previous research, a network intrusion detection system was designed and implemented that has the ability to detect suspicious network activity, take further action to prevent it, and interact with administrators through two-way SMS (Short Message Service) media (Gunawan Adi S, 2003). In this paper, the sensor system is replaced by a moving agent framework.

3. RESEARCH METHODS

The research was carried out in stages: first, data collection from various literature sources on security systems and moving agents; second, the design of the system architecture, the IDS, the moving agent, the database server, the system monitoring and the system notification. The implementation and testing stages of the system have not yet been carried out.

4. RESULTS AND DISCUSSION

The integrated security system architecture between the Intrusion Detection System (IDS), Firewall System, Database System and Monitoring System uses a moving agent approach. This security system aims to protect the network with the ability to respond in accordance with security policies.


The Slave agent then reads the configuration file it needs to determine what information to retrieve and which network policy applies. The Slave agent is then dispatched to the destination host. The steps can be seen in the collaboration diagram in the picture below.


On arriving at the destination host, the Slave agent collects the necessary intrusion detection information. If there is no further destination host, the Slave agent returns to the host from which it was sent.
To realize this method it is necessary to design network security system components in the form of:
1. Intrusion detection system (IDS) Using a moving agent (Aglets)
2. Database system
3. Monitoring system
4. Firewall system 
5. SMS system

A moving agent that functions as a sensor handles data collection and reports the results of detection. A mobile agent can perform the basic operations described below.


1. Creation: the creation of an agent. Creation occurs in a context. The new agent is given an identifier, entered into the context and initialized. The aglet begins execution immediately after successful initialization.
2. Cloning: the process of doubling an agent. Cloning produces a copy that is almost identical to the original aglet in the same context. The difference lies only in the given identifier and the execution of the new clone aglet starts from restart. Note that the execution thread is not cloned.
3. Dispatching: moving an agent from one context to another. Dispatching will move the agent from an ongoing context, enter the context of the destination and then start the execution.
4. Retraction: the process of "pulling" an agent from an ongoing context and entering into the context that requests retraction.
5. Activation: the ability to restore an agent into the context.
6. Deactivation: the ability to temporarily stop aglet execution and store the agent in secondary storage.
7. Disposal: the process of stopping the course of ongoing aglet execution and removing the agent from the ongoing context.
8. Messaging: between agents includes sending, receiving and handling messages both synchronous and asynchronous.
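To make the eight operations above concrete, here is an added Python model of an agent context and the Slave agent itinerary described earlier (created at the master host, dispatched host to host, and returned to the sending host when no destination remains). This is not the Aglets API, which is Java, and not code from the paper; the context names, the `Agent.run` work step and the use of `pickle` as a stand-in for secondary storage are assumptions made for the example.

```python
"""Python model of the mobile-agent operations listed above (added example,
not the Aglets API). Contexts host agents; agents carry their own state."""
import itertools
import pickle

_ids = itertools.count(1)


class Agent:
    """A mobile agent carrying its own state; run() is its execution step."""

    def __init__(self, origin):
        self.id = next(_ids)      # identifier assigned at creation
        self.origin = origin      # name of the context the agent started in
        self.collected = []       # data gathered while travelling
        self.active = True

    def run(self, context):
        # Hypothetical work step: record the context it executed in.
        self.collected.append(context.name)


class Context:
    """An execution context (Aglets' "context"): hosts live agents."""

    def __init__(self, name):
        self.name = name
        self.agents = {}
        self.storage = {}         # stand-in for secondary storage

    def create(self):             # 1. Creation
        agent = Agent(self.name)
        self.agents[agent.id] = agent
        agent.run(self)           # execution starts right after init
        return agent

    def clone(self, agent):       # 2. Cloning: new id, execution restarts
        copy = pickle.loads(pickle.dumps(agent))
        copy.id = next(_ids)
        copy.collected = []       # the execution thread/progress is not cloned
        self.agents[copy.id] = copy
        copy.run(self)
        return copy

    def dispatch(self, agent, dest):   # 3. Dispatching
        del self.agents[agent.id]
        dest.agents[agent.id] = agent
        agent.run(dest)           # resumes in the destination context

    def retract(self, agent, source):  # 4. Retraction
        source.dispatch(agent, self)

    def activate(self, agent_id):      # 5. Activation
        agent = pickle.loads(self.storage.pop(agent_id))
        agent.active = True
        self.agents[agent.id] = agent
        return agent

    def deactivate(self, agent):       # 6. Deactivation
        agent.active = False
        self.storage[agent.id] = pickle.dumps(agent)
        del self.agents[agent.id]

    def dispose(self, agent):          # 7. Disposal
        agent.active = False
        del self.agents[agent.id]

    def send(self, agent, message):    # 8. Messaging (synchronous)
        return f"agent {agent.id} in {self.name} got {message!r}"


def itinerary(master, hosts):
    """Slave agent tour: dispatched through each host, then back to the
    sending host once no destination remains. Returns what it collected."""
    slave = master.create()
    current = master
    for dest in hosts:
        current.dispatch(slave, dest)
        current = dest
    current.dispatch(slave, master)   # no further destination: go home
    return slave.collected


if __name__ == "__main__":
    m, a, b = Context("master"), Context("hostA"), Context("hostB")
    print(itinerary(m, [a, b]))
```

Deactivation and activation round-trip the agent through a serialized form, which is the point of the "secondary storage" step: the agent's collected data survives while its execution does not.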
The Intrusion Detection System (IDS) consists of the following components:
1. A moving agent that functions as a sensor to collect data
2. Analyzer
3. Database system


A moving agent, referred to above as the Sensor module, retrieves data from the network. The sensor is the early-detection part of the designed security system. For this purpose, a program is used that functions as an intrusion detector with real-time packet logging and traffic analysis capabilities. The Analyzer analyzes the packets that pass over the network; the information it produces is the input for the other systems.

Database design for network security systems

This security system uses the principle of a centralized database that stores all alerts from the sensors and all logs from the firewall. The information stored in this database is also the input for network security monitoring carried out by the firewall system, the monitoring system and the SMS notification system. The database used is MySQL, installed on a Linux system. If the database is installed separately from the firewall host, it may be installed on a Windows-based system or any other operating system that supports MySQL. The reasons for choosing MySQL as the database program are that it is open source and cheap, and that it is stable on hardware with relatively low specifications. For administration and maintenance of the database system, a web-based interface is created with the PHP programming language. The main function of this interface is to edit or update the database entries that are used as input for the other systems.

System monitoring design
The monitoring system used is a remote monitoring system. This is necessary because in a general situation system monitoring must be carried out without being in the location of the host installed. For this reason, the most flexible monitoring system that can be implemented is a web-based system. This requires a system that has:
a. Linux kernel 2.4.xx
b. PHP
c. Web Server (Apache)
d. Web Client (on the user side)

The remote monitoring system that will be used is designed to be user friendly, so that the issue of ease of users to use this interface is no longer a problem. Therefore the system is implemented with a web interface. The selection of this web interface has the following advantages:
  • Makes it easy for system administrator networks to use interfaces
  • Users do not need Linux expertise in operating this interface
  • On the client side no additional software is needed, only requires a browser and internet connection
  • Compatible with various browsers

Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine that searches and processes databases of network security alerts generated by intrusion detection software (IDS). It can be implemented on systems that support PHP, such as Linux, BSD, Solaris and other operating systems. ACID is open-source software distributed under the GPL license. This final project uses ACID-0.9.6b23 and PHP 4.3.3. ACID has the ability to provide:
  • Query-builder and search interface to search for alerts that are compatible with Alert meta information (such as signatures, detection times) as well as data network data (such as: source / destination address, ports, payload or flags).
  • Packet viewer (decoder) for displaying layer 3 (Transport: TCP, UDP) and layer 4 information alerts (Network: IP, IPX)
  • Alert management (warning management) functions to create alert groups, discard false or fake alerts, send alerts to e-mails and support archiving alerts so that they can be moved between alert databases.
  • Chart and statistics generation makes charts and statistics based on time, sensors, signatures, protocols, IP addresses, TCP / UDP ports, classifications.
ACID is a web-based application, so all network security information, in the form of alerts from sensors and logs from firewalls, can be analyzed through a web browser (such as Mozilla, Konqueror or Opera). This information is the material for security audits. A security audit needs to be done so that network security is guaranteed and a better network security solution can be obtained.

For this reason, it is necessary to configure the HTTP server (Apache) that is installed on the host. The HTTP server installed is Apache server 1.3.28. If the encryption feature is desired in the information sent by the monitoring system in the browser, an SSL module can be added to the web server. This will increase the security of the data sent by the monitoring system to the administrator from the possibility of data tapping (man-in-the-middle attack).

ACID serves to provide a management console that can be accessed through a web browser. The management function of this console is an interface for network system administrators (NSA) to be able to make observations on security policies.

Firewall Design

The automatic firewall program is basically a program that analyzes the output of the Intrusion Detection System (IDS) and decides what action to take against the sending host of the analyzed packet. If the IDS categorizes the packet as dangerous or as carrying a network security risk, the firewall program automatically invokes the iptables program to add a rule that blocks all packets originating from the suspicious packet's host. Next is the flow chart of the automatic firewall system.
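The following added Python example ties together the sensor/analyzer, the centralized alert database and the automatic firewall described in this section; it is not the paper's code. It assumes a constructed one-line alert format for the sensor output (the sample lines below are made up), uses an in-memory sqlite3 database as a stand-in for the MySQL server, and returns the iptables commands as argument lists instead of executing them. The blocking policy (priority threshold, minimum hit count and a protected-host list) is an assumption added to show two checks a practitioner would want: a host is never blocked twice, and the network's own hosts cannot be cut off by noisy or spoofed alerts.

```python
"""Analyzer -> central alert store -> automatic firewall decision.
Added example; the alert format, policy and sqlite3 store are assumptions."""
import re
import sqlite3
from collections import Counter

# Constructed sample sensor output (not a real IDS capture).
SAMPLE_ALERTS = """\
11/26-10:01:02 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.5:41232 -> 192.0.2.10:22
11/26-10:01:03 [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.5:41233 -> 192.0.2.10:23
11/26-10:01:09 [**] [1:1000002:1] WEB-MISC directory traversal [**] [Priority: 1] {TCP} 198.51.100.7:50112 -> 192.0.2.10:80
11/26-10:02:15 [**] [1:1000003:1] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.10
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<sig>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(text):
    """Analyzer: turn sensor lines into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def open_db():
    """Central store for sensor alerts and firewall log (sqlite3 stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE alert (
        id INTEGER PRIMARY KEY, ts TEXT, sid TEXT, sig TEXT,
        prio INTEGER, proto TEXT, src TEXT, dst TEXT)""")
    db.execute("""CREATE TABLE fw_log (
        id INTEGER PRIMARY KEY, src TEXT UNIQUE, reason TEXT)""")
    return db


def store_alerts(db, alerts):
    """Insert parsed alerts; returns the total number of stored alerts."""
    db.executemany(
        "INSERT INTO alert (ts, sid, sig, prio, proto, src, dst) "
        "VALUES (:ts, :sid, :sig, :prio, :proto, :src, :dst)", alerts)
    db.commit()
    return db.execute("SELECT COUNT(*) FROM alert").fetchone()[0]


# Assumed policy: block a source that raised a priority-1 alert, or at least
# MIN_HITS alerts of priority <= 2. PROTECTED hosts are never blocked, so
# spoofed or noisy alerts cannot be used to cut off the network's own hosts.
MIN_HITS = 2
PROTECTED = {"192.0.2.10", "192.0.2.20"}


def decide_blocks(db):
    """Return the sorted list of source addresses the policy says to block."""
    rows = db.execute("SELECT src, prio FROM alert").fetchall()
    hits = Counter(src for src, prio in rows if prio <= 2)
    severe = {src for src, prio in rows if prio == 1}
    candidates = severe | {s for s, n in hits.items() if n >= MIN_HITS}
    return sorted(candidates - PROTECTED)


def block_rules(db, sources):
    """Build iptables argv lists (not executed) and record each new block in
    fw_log; a source already in fw_log gets no second rule."""
    cmds = []
    for src in sources:
        cur = db.execute(
            "INSERT OR IGNORE INTO fw_log (src, reason) VALUES (?, ?)",
            (src, "auto-block from IDS alerts"))
        if cur.rowcount == 1:      # newly inserted, so emit a new rule
            cmds.append(["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"])
    db.commit()
    return cmds


def run_pipeline(text, db=None):
    """Sensor output in, iptables commands out (the automatic firewall loop)."""
    if db is None:
        db = open_db()
    store_alerts(db, parse_alerts(text))
    return block_rules(db, decide_blocks(db))


if __name__ == "__main__":
    for cmd in run_pipeline(SAMPLE_ALERTS):
        print(" ".join(cmd))
```

Running the pipeline a second time over the same database adds more alert rows but emits no new rules, because `fw_log` already records the blocked sources; in a deployment the commands would be passed to `subprocess.run` by a process with the privilege to edit the firewall, and nothing else.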


