OfficeServ 7400

1. Enterprise IP Solutions OfficeServ 7400 Quick Install Guide- Data Server –IDS Mar, 2006 OfficeServ Lab1 Samsung Electronics Co., Ltd.

2. Real-time detection and response to network based attacks backdoor, DoS, DDoS, anomalous network access, etc. Using web management Support almost all kinds of protocol used in Internet Intrusion detection according to risk level High, medium, low Correspond to intrusion detection Log audit IP blocking as linked with firewall Report to admin using e-mail about detected attacks 5 categories : Intrusion Type, Source IP, Destination IP, Port, Port scan Rule update IDS functions

3. Sourcefire VRT Certified Rules Official rules of snort.org(www.snort.org) Three ways to obtain these rules: Subscribers (a charge) Online web subscriber Receive real-time rules updates as they are available Registered users (Free) Online web subscriber Can access rule updates 5days after release to subscription users Unregistered users (Free) Receive a static ruleset at the time of each major Snort Release CANNOT use for GWIM (limited to commercial use!) IDS Rule Update

4. Open Community Rulesets Submitted by members of the open source community Release to users without basic tests not to ensure that new rules will not break Snort Distributed under the GPL Freely available to all open source Snort users IDS Rule Update

5. Three main operational modes Sniffer Packet logger Network Intrusion Detection System (Forensic Data Analysis Mode) Using Snort.

6. Network Environment 165.213.109.2 165.213.109.254 165.213.146.134 • • • • • Send an attack packet pattern or packet pattern similar to attack Untrusted Network Mail Server 165.213.88.100 Internet Send a packet pattern similar to attack Trusted Terminal ManagementPC WAN1 165.213.89.238 165.213.87.230 10.0.0.1 LAN Important File Server Internal Network

7. Assumption • A server containing important data exists in the internal network of GWIM. • An attack pattern of packets come from the PC terminal in the untrusted 165.213.109.0/24, 165.213.146.0/24 network which has an external anonymity. • The PC terminal (165.213.87.230) used in a remote area supports an easy maintenance with OfficeServ 7400. In other words, a misdetection by IDS is taken into account. • The mail server supports SMTP with an IP (165.213.88.100).

8. Filtering Setup 1.From the [Firewall][Management] menu, select the ‘Enable’ item and click the ‘OK’ button.

9. Configuration 1. Move to the [IDS][Configuration] menu, and select a device which interface is WAN and the protocol monitors only for a static network, and select whether to restrict an access from the outside according to the level when using the [IDS][Block Config] function.※The higher a level for detecting intrusion is set, the more processing load increases and the more log messages are left in the system. When running in the [IDS]->[Block Config] menu, IDS is executed at only a level set in the window. An access corresponding to Medium Level is notified by only a mail and an access to the remote area is not restricted.

10. 2. Select a required IDS rule and click the [OK] button. The window below has been applied as default:※For further information on each rule, refer to http://www.snort.org/snort-db.

11. Management • From the [IDS][Management] menu, click the [Run] button to execute IDS. • ‘Block time’ is used to set a timeout value to release a restriction of access. If Run is executed, the blocking function of a remote data terminal which generated a type of intrusion detected by IDS is performed. However the blocking function is based on the level set in [IDS][Configuration]. ※ If IDS is running, block module is running. By default IPS is running.

12. Block Config • In the [IDS][Block Config] menu, set whether to restrict an access to the remote data terminal or network which generated a type of intrusion detection set in [IDS][Configuration]. • You can view IP information on the remote data terminal which performs a restriction of access by detecting as a intrusion type in IDS. In the following window, you can view the results of the misdetected IP address of a maintenance PC: IP Address of a Maintenance PC 165 213 87 230 165 87 227 213 Hosts of the Network Where the Administrator is Located 165 87 231 213 165 213 109 189 Hosts of an Untrusted Network 165 213 146 134

13. 3. To register trusted IPs, enter an IP address of a maintenance PC. This allows the maintenance PC restricted to the access to the ‘Blocked IPs’ to enable accessibility. <Figure 1> shows a registration of only a PC and <Figure 2> shows a registration of all network hosts to which an administrator IP belongs. <Figure 1> <Figure 2>

14. Log Analysis 1. If you select the [IDS][Log Analysis] menu, the window below appears that analyzes the left messages whose intrusion type is detected by IDS according to source address, destination address, risk level, service port information and intrusion type. Basically, all categories are set ‘all’, but you can select and check a desired log. Default ‘all’

15. 2. If you set as shown in <Figure 1>below to check a log corresponding to the security level ‘med’ among logs that a host with an IP ‘165.213.87.230’ accesses the IP ‘165.213.89.238’, http(80) port, you can view the results as shown in <Figure 2>. <Figure 1> <Figure 2>

16. Mail Config 1. Click the [IDS][Mail Config] menu to send the result message on intrusion detected by IDS to the set mail address by mail. Set to send a mail at 5 p.m. every day SMTP Port Information Mail Server IP Address Mail Address

17. Rule Update 1. If you click [Rule Config] from the left menu, you can update a ruleset. To update a ruleset click ‘browse’ button and select the desired rule file on your PC. GWIM IDS spec (based v1.25) 

18. Thank you !