Modeling access to a remote network system with IDS Snort using an SSL/SSH multiplexer

DOI: https://doi.org/10.31673/2412-9070.2024.065177

Authors

  • О. Ю. Коновалов (Konovalov O. Y.), The National Academy of the Security Service of Ukraine, Kyiv
  • Ю. Є. Добришин (Dobryshyn Y. E.), The National Academy of the Security Service of Ukraine, Kyiv
  • С. М. Сидоренко (Sydorenko S. M.), The National Academy of the Security Service of Ukraine, Kyiv


Abstract

The article examines the use of an SSL/SSH multiplexer (the SSLH proxy) to organize access to a remote network system running Snort IDS, for use in the preparation of cybersecurity courses. Using the capabilities of the SSL/SSH protocol multiplexer, the principles and mechanisms for organizing access to a remote Linux Ubuntu system with Snort IDS deployed were explored. The operating and configuration modes of Snort IDS were analysed with a view to monitoring connections of this kind that arrive over different protocols. Example configuration files for both the SSL/SSH multiplexer and Snort IDS are provided, and both products were tested with different protocols and ports to organize remote access to Linux Ubuntu 22.04. Testing was carried out on physical hardware running Windows 10, a Type 1 hypervisor, and virtual machines running Linux Ubuntu. Using an SSL/SSH multiplexer alongside Snort makes it possible to analyse connections carried in encrypted traffic and to address key security tasks such as detecting data leaks, malware, suspicious connections and anomalous activity. This substantially improves the auditing of computer networks and equipment and strengthens the ability of intrusion detection systems to perform their function against modern threats, where much of the traffic is encrypted either for protection or to conceal malicious activity.
The advantages of using virtualization to deploy a test network environment based on the SSL/SSH multiplexer and the Snort intrusion detection system are also highlighted. Snort is not only an intrusion detector but also a packet logger and sniffer; its most important role, however, is intrusion detection. Snort is rule-based: basic rule sets can be downloaded from the Snort website and tailored to specific needs. Snort detects intrusions using both anomaly-based and signature-based methods, and it is also useful for deep analysis of the data it collects. The basic Snort rules can detect a wide variety of events, including CGI attacks, buffer overflow attacks and stealth port scans. To study the operation of the SSL/SSH protocol multiplexer and Snort IDS as part of a laboratory session, a lab assignment was chosen that simulates deploying the SSL/SSH protocol multiplexer and analysing network traffic with Snort IDS tools.
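As an added illustration (not the article's configuration or code), the Python sketch below shows the probe rule an SSL/SSH multiplexer such as sslh applies to a connection on the shared port: peek at the client's first bytes without consuming them, route an SSH identification string to the SSH backend and a TLS handshake record to the SSL backend, and treat a client that stays silent (an SSH client waiting for the server banner) as SSH. The backend addresses, the 0.3 s probe timeout and the sample client openings are assumptions constructed for this demo.

```python
import socket

# Assumed backend addresses for the illustration; not the article's values.
BACKENDS = {"ssh": ("127.0.0.1", 22), "ssl": ("127.0.0.1", 443)}


def classify_first_bytes(data: bytes) -> str:
    """Classify a client's opening bytes as 'ssh', 'ssl' or 'unknown'.

    SSH clients open with an identification string "SSH-2.0-...".
    TLS clients open with a handshake record: content type 0x16, version
    major byte 0x03 (the same header Snort's TLS rules key on).
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "ssl"
    return "unknown"


def demux_socket(conn: socket.socket, timeout: float, fallback: str = "ssh") -> str:
    """Return the backend label for an accepted connection.

    MSG_PEEK leaves the bytes in the buffer so the backend still sees the
    complete handshake. A probe timeout means the client is waiting for a
    server banner, which only SSH does on this port, so it resolves to 'ssh'.
    Unrecognized openings go to `fallback` (sslh uses the last configured
    protocol for this; 'ssh' is this example's choice).
    """
    conn.settimeout(timeout)
    try:
        head = conn.recv(64, socket.MSG_PEEK)
    except socket.timeout:
        return "ssh"
    proto = classify_first_bytes(head)
    return proto if proto in BACKENDS else fallback


def demo() -> list:
    """Run the probe over constructed client openings (sample data, not captures)."""
    openings = [
        b"SSH-2.0-OpenSSH_8.9p1\r\n",            # SSH identification string
        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4",  # start of a TLS ClientHello record
        b"GET / HTTP/1.1\r\n\r\n",                # plain HTTP: not a configured protocol
        b"",                                      # silent client waiting for the banner
    ]
    results = []
    for opening in openings:
        server_side, client_side = socket.socketpair()
        if opening:
            client_side.sendall(opening)
        results.append(demux_socket(server_side, timeout=0.3))
        server_side.close()
        client_side.close()
    return results
```

Because every backend choice is a single rule on the first bytes, a Snort sensor in front of the multiplexer sees both SSH and TLS on one port, and the multiplexer's own routing log is what lets an analyst tie a Snort alert on that port back to the backend that actually handled the session.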

Keywords: SSL/SSH protocol multiplexer, Snort IDS, remote access, network traffic analysis.

Published: 2025-01-03

Section: Articles