14-Router Troubleshooting, Suricata, Snort-16-03-2024


BCSE354E Information Security Management
Lecture 10
Dr. Saritha Murali
(SCOPE, VIT Vellore)
21-03-2024
Common Router problems and solutions (from ref page 385)
• Use these troubleshooting guidelines to isolate and fix network issues relevant to your router.
• You can encounter more than one problem at the same time.
• When your Wi-Fi is down, you can restore connectivity on your own by troubleshooting some of these common problems.
Common Router problems and solutions
1. Correct your Wi-Fi Security Settings
2. Update your Hardware or Firmware
3. Fix Overheating or Overloading
4. Remove MAC Address Restrictions
5. Check Wireless Signal Limitations
Common Router problems and solutions
1. Correct your Wi-Fi Security Settings
– Network Mode: The router must be allowed to accommodate all Wi-Fi modes used by network clients. For example, routers designed to run in 802.11g mode only will not support 802.11n or older 802.11b devices.
• Adjust the router to run in mixed mode to remedy this kind of network failure.
– Security mode: Most Wi-Fi devices support several network security protocols (typically different variations of WPA and WEP).
• All Wi-Fi devices, including routers belonging to the same local network, must use the same security mode.
Common Router problems and solutions
– Security key: Wi-Fi security keys are passphrases or sequences of letters and digits. All devices that join the network must be configured to use the Wi-Fi key recognised by the router (or wireless access point).
Common Router problems and solutions
2. Update your Hardware or Firmware
– To take advantage of any additional features and improvements in the new firmware version.
– Your router will also normally receive any critical security updates this way.
– Typically, you will have the option of checking for, reviewing, downloading, and installing the latest firmware from your router's administration page. The exact steps depend on the make and model of your router, so check the specifics on the router manufacturer's support site.
Common Router problems and solutions
3. Fix Overheating or Overloading
– You can set up a second Wi-Fi router or enable the "Guest Network" option on your router.
– You can also set up a separate SSID and password for the guest network to avoid issues with your main network.
– This segregation also works for your smart appliances and shields your key devices from attacks via Internet of Things devices.
Common Router problems and solutions
• You can also use QoS (Quality of Service).
• QoS is a feature on some routers that lets you prioritise traffic according to the type of data being transmitted.
• For example, an FTP application used for backups of large files might require a lot of bandwidth, but delay and jitter won't matter since it is not an interactive application.
Common Router problems and solutions
4. Remove MAC Address Restrictions
– A number of network routers support a function called MAC address filtering.
– While disabled by default, router administrators can turn this function on and limit connections to only those devices whose MAC address is on the allowed list.
– Check the router to ensure that either MAC address filtering is off or the MAC address of the computer is included in the list of allowed connections.
Router Troubleshooting Tools
• Using Router Diagnostic Commands
– Cisco routers provide numerous integrated commands to assist you in monitoring and troubleshooting your internetwork.
Router Troubleshooting Tools
• Using show Commands
– The show commands are powerful monitoring and troubleshooting tools. Use them to:
• Monitor router behaviour during initial installation
• Monitor normal network operation
• Isolate problem interfaces, nodes, media, or applications
• Determine when a network is congested
• Determine the status of servers, clients, or other neighbours
Commonly used show commands
• show interfaces
• Displays statistics for all interfaces configured on the router or access server. The resulting output varies, depending on the network for which an interface has been configured.
– show interfaces ethernet
– show interfaces tokenring
– show interfaces fddi
– show interfaces atm
– show interfaces serial
Commonly used show commands
• show controllers
• Displays statistics for interface card controllers.
– show controllers mci
– show controllers token
– show controllers FDDI
– show controllers LEX
– show controllers ethernet
– show controllers E1
– show controllers cxbus
Commonly used show commands
• show running-config — Displays the router configuration currently running
• show startup-config — Displays the router configuration stored in nonvolatile RAM (NVRAM)
• show flash — Group of commands that display the layout and contents of flash memory
• show buffers — Displays statistics for the buffer pools on the router
• show memory — Shows statistics about the router's memory, including free pool statistics
Commonly used show commands
• show processes — Displays information about the active processes on the router
• show stacks — Displays information about the stack utilisation of processes and interrupt routines, as well as the reason for the last system reboot
• show version — Displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images
• There are hundreds of other show commands available.
Using debug Commands
– The debug privileged exec commands can provide a wealth of information about the
• traffic being seen (or not seen) on an interface,
• error messages generated by nodes on the network,
• protocol-specific diagnostic packets, and
• other useful troubleshooting data.
Router Diagnostic Commands
• Using the ping Command
– To check host reachability and network connectivity, use the ping exec (user) or privileged exec command.
– After you log in to the router or access server, you are automatically in user exec command mode. The exec commands available at the user level are a subset of those available at the privileged level.
– In general, the user exec commands allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information.
– The ping command can be used to confirm basic network connectivity on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.
Router Troubleshooting Tools
• Using the trace Command
– The trace user exec command discovers the routes that a router's packets follow when travelling to their destinations.
– The trace privileged exec command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.
Configuring Suricata
Suricata
• Open-source next-generation intrusion detection and prevention engine.
• Utilises externally developed rule sets to monitor network traffic and alert the system administrator when suspicious events occur.
• As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis.
Installing Suricata
1. Add the Suricata PPA
2. Install Suricata
3. Add a 'suricata' user
4. Edit the Suricata default mode and configure Suricata to run as the service user
5. Ensure that the Suricata log directory is owned by the 'suricata' user
6. Start Suricata
7. Verify that Suricata is running as the 'suricata' user
Add the Suricata PPA
First add the Suricata PPA and update the apt cache:
# apt-get install software-properties-common
# add-apt-repository ppa:oisf/suricata-stable
# apt-get update
Install Suricata
# apt-get install suricata
Add a 'suricata' user
• When you run Suricata, you don't want to run it as root: if the Suricata daemon gets compromised, you don't want the attacker to have root privileges. This is referred to as 'dropping privileges'.
• So, add a user named 'suricata':
# useradd -r -s /usr/sbin/nologin suricata
Edit Suricata default mode and configure Suricata to run as the service user
# editor /etc/default/suricata
Ensure that the Suricata log directory is owned by the 'suricata' user
# chown -R suricata:suricata /var/log/suricata
Start Suricata
# service suricata start
Verify that Suricata is running as the 'suricata' user
# ps aux | grep suricata
suricata 28296 107 59.9 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata
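As an added example (not from the lecture), a small shell helper that turns the verification step above into a check: it reads ps aux style lines on stdin, picks out the suricata processes, and fails if any of them runs as a user other than the expected service account. The sample ps lines are constructed, not real output.

```shell
#!/bin/sh
# Added example: check that every running Suricata process belongs to the
# expected service account, i.e. that the privilege drop actually happened.
# Reads `ps aux` style lines on stdin:   ps aux | check_suricata_user suricata
check_suricata_user() {
    expected="${1:-suricata}"
    found=0
    bad=0
    set -f   # no globbing while splitting ps lines ("?" in the TTY column)
    while IFS= read -r line; do
        # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        set -- $line
        [ "$#" -ge 11 ] || continue
        case "${11}" in
            */suricata|suricata) ;;     # only the suricata binary itself
            *) continue ;;              # skips e.g. the "grep suricata" line
        esac
        found=$((found + 1))
        if [ "$1" != "$expected" ]; then
            bad=$((bad + 1))
            echo "WARN: suricata (pid $2) runs as '$1', expected '$expected'" >&2
        fi
    done
    set +f
    # success only if at least one suricata process was seen and none was wrong
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample listing: one daemon that dropped to 'suricata' and one
# that is still root (this is not real output from any host).
SAMPLE_OK='suricata 28296 107 59.9 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata'
SAMPLE_ROOT='root 28300 0.0 0.1 12345 2048 ? Ss 22:48 0:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D'

if printf '%s\n' "$SAMPLE_OK" | check_suricata_user suricata; then
    echo "ok: all suricata processes run as 'suricata'"
fi
if ! printf '%s\n' "$SAMPLE_OK" "$SAMPLE_ROOT" | check_suricata_user suricata; then
    echo "privilege drop incomplete on at least one process"
fi
```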
Configuring Snort
Snort
• Open-source network IDS
• Packet sniffer
• Monitors network traffic in real time, scrutinising each packet to detect a dangerous payload or suspicious anomalies.
Snort
Snort can run in 4 modes:
• Sniffer mode: Snort reads the network traffic and prints the packets to the screen.
• Packet logger mode: Snort records the network traffic to a file.
• IDS mode: network traffic matching security rules is recorded.
• IPS mode: also known as snort-inline.
Configuring Snort
• Setting up Snort on Ubuntu from the source code consists of a couple of steps:
• downloading the code,
• configuring it,
• compiling the code,
• installing it to an appropriate directory, and
• configuring the detection rules.
1. Configuring Snort to run in NIDS mode
• Editing some configuration files
• Downloading the rules that Snort will follow
• Taking Snort for a test run
1. Update the shared libraries:
sudo ldconfig
2. On Ubuntu the Snort binary is installed as /usr/local/bin/snort. Create a symbolic link to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
2. Setting up username and folder structure
• To run Snort on Ubuntu safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
• Create the folder structure to house the Snort config:
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
Setting up username and folder structure
• Set the permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Setting up username and folder structure
• Create new files for the white and black lists:
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
• Copy the configuration files from the downloaded source tree:
sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.16/etc/*.map /etc/snort
3. Download the detection rules
• Download the detection rules Snort will follow to identify potential threats.
• Snort provides three tiers of rule sets:
• Community rules are freely available although slightly limited.
• By registering for free on the Snort website you can download the registered-user rule sets.
• Subscriber rules are available to users with an active subscription to Snort services.
4. Configuring the network and rule sets
- Open the configuration file snort.conf in a text editor
- Set up the network addresses to protect
- Set up the external network addresses
- Set the path to the rule files
5. Validating Settings
Test the configuration using the parameter -T to enable test mode:
sudo snort -T -c /etc/snort/snort.conf
6. Running Snort in Detection Mode
• To start Snort in network intrusion detection mode, use the following command:
• sudo snort -q -A console -i [your-interface] -c /etc/snort/snort.conf
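As an added example (not the lecture's or Snort's own code), a shell pre-flight check covering the three snort.conf settings from step 4, meant to run before the -T test in step 5: HOME_NET must name a concrete network rather than any, EXTERNAL_NET must be defined, and RULE_PATH must be set. The snort.conf fragments are constructed; the ipvar/var keywords are Snort 2.9 syntax.

```shell
#!/bin/sh
# Added example: pre-flight check of the three snort.conf settings from step 4,
# run before "snort -T" in step 5. Returns 0 when they look sane, 1 otherwise.
check_snort_conf() {
    conf="$1"
    rc=0
    # Snort 2.9 syntax: "ipvar NAME value" for address lists, "var NAME value" for paths
    home_net=$(awk '$1 == "ipvar" && $2 == "HOME_NET"     { print $3 }' "$conf")
    ext_net=$(awk  '$1 == "ipvar" && $2 == "EXTERNAL_NET" { print $3 }' "$conf")
    rule_path=$(awk '$1 == "var"  && $2 == "RULE_PATH"    { print $3 }' "$conf")
    if [ -z "$home_net" ] || [ "$home_net" = "any" ]; then
        echo "HOME_NET is unset or 'any': rules cannot tell protected hosts from outside" >&2
        rc=1
    fi
    if [ -z "$ext_net" ]; then
        echo "EXTERNAL_NET is not defined" >&2
        rc=1
    fi
    if [ -z "$rule_path" ]; then
        echo "RULE_PATH is not set, so 'include \$RULE_PATH/local.rules' cannot resolve" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs (not files from any real host); removed on exit.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/untouched.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
EOF
cat > "$DEMO_DIR/tuned.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
EOF
for f in untouched tuned; do
    if check_snort_conf "$DEMO_DIR/$f.conf"; then
        echo "$f.conf: ready for 'snort -T'"
    else
        echo "$f.conf: fix the settings above first"
    fi
done
```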
