17 Sept 2017

SNMP




Simple Network Management Protocol works at the Application layer and uses UDP as its transport protocol to manage or monitor hardware and software in an IP network.
It collects and organizes information about network devices such as modems, routers, switches and servers, and can also modify their configuration if needed.

How it works:
1) SNMP Request via SNMP manager (A and B)

This is how it looks in Wireshark:



2) SNMP Response via SNMP agent

This is how it looks in Wireshark:



SNMP Manager:
It is a management system or console which sends IP-related queries to the SNMP agent in order to monitor it or make configuration changes.

SNMP Agent:
It monitors a system or network device and sends responses to the SNMP manager's queries. It can also send error messages to the SNMP manager if any unauthorized access occurs.

Step 1) The SNMP manager on Host A sends a request to another system, Host B.

Step 2) The SNMP manager creates an SNMP message containing the number of active sessions, the community of the SNMP manager, and the destination (Host B) IP address.

Step 3) The SNMP server then sends this message to Host B.

Step 4) Host B receives the request message.

Step 5) Host B then verifies the message, comparing the community of the SNMP manager and the source IP address against its access permissions.

Step 6) If the requested content does not match, or the requester does not have access permission, the SNMP agent sends an Authentication Error to the community of the SNMP manager, and the community then responds to the SNMP agent.

Step 7) In response, the community gives the session information for that request to the SNMP agent.

Step 8) The SNMP manager then relays that message, which contains the IP address of the source Host A, back to the destination, Host B.

Step 9) Host B now responds to Host A's request, and the two hosts communicate.
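The check in steps 5 and 6 is the only access control SNMPv1 has: the agent compares the community string in the message and the manager's source address against what it is configured to accept, and refuses anything else. The following is an added example, not code from the original notes, that builds and decodes a minimal SNMPv1 GetRequest in BER and runs a simulated agent through that check. The community string "operator-ro", the 192.0.2.0/24 management network, the OID value and the request id are all constructed; only short-form BER lengths (payloads under 128 bytes) are handled, which is enough for single-OID requests.

```python
"""Toy SNMPv1 GetRequest/GetResponse exchange with the agent-side community and
source-address check from steps 5 and 6. Constructed example: community string,
addresses, OID value and request id are made up."""
import ipaddress

# BER / SNMPv1 tag bytes
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SNMP_V1, NO_ERROR = 0, 0


def tlv(tag, payload):
    """Wrap payload as tag-length-value (short-form length only)."""
    if len(payload) >= 128:
        raise ValueError("toy encoder only supports payloads under 128 bytes")
    return bytes([tag, len(payload)]) + payload


def encode_int(n):
    """Non-negative INTEGER; a leading 0x00 keeps a set high bit from reading as a sign."""
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OID: first two arcs fold into 40*x+y, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OID, bytes(out))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_message(pdu_tag, community, request_id, oid, value_tlv):
    """Message ::= SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }"""
    varbind = tlv(SEQUENCE, encode_oid(oid) + value_tlv)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(NO_ERROR) + encode_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, request_id, oid):
    return build_message(GET_REQUEST, community, request_id, oid, tlv(NULL, b""))


def parse_message(buf):
    """Return (community, pdu_tag, request_id, oid, value_bytes) from an SNMPv1 message."""
    tag, body, _ = read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    if int.from_bytes(version, "big") != SNMP_V1:
        raise ValueError("only SNMPv1 is handled here")
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)        # error-status
    _, _, pos = read_tlv(pdu, pos)        # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds)    # first (and here only) variable binding
    _, oid_raw, pos = read_tlv(varbind)
    _, value, _ = read_tlv(varbind, pos)
    return community.decode(errors="replace"), pdu_tag, int.from_bytes(request_id, "big"), decode_oid(oid_raw), value


class Agent:
    """Simulated agent on Host B: answers only managers that present the configured
    community from an allowed source network, and records every failure for alerting."""

    def __init__(self, community, allowed_managers, mib):
        self.community = community
        self.allowed = [ipaddress.ip_network(n) for n in allowed_managers]
        self.mib = mib                 # OID -> string value (constructed)
        self.auth_failures = []        # (source ip, community offered)

    def handle(self, src_ip, message):
        """Return (status, response bytes or None) for one incoming datagram."""
        community, pdu_tag, request_id, oid, _ = parse_message(message)
        src = ipaddress.ip_address(src_ip)
        if community != self.community or not any(src in net for net in self.allowed):
            self.auth_failures.append((src_ip, community))      # step 6: authentication error
            return "authenticationFailure", None
        if pdu_tag != GET_REQUEST or oid not in self.mib:
            return "noSuchName", None
        value = tlv(OCTET_STRING, self.mib[oid].encode())
        return "ok", build_message(GET_RESPONSE, community, request_id, oid, value)
```

A request from 192.0.2.10 with the right community gets a GetResponse carrying the sysDescr string; the same request from another network, or with a different community, is recorded in auth_failures and gets no data back, which is the list a monitoring system would watch for repeated failures.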

Uses of SNMP:
It is used to reset passwords remotely.
We can reconfigure IP addresses.
We can collect error reports into a log and also send alerts on error conditions.
We can also send alerts for device failure or for shortages of memory or high CPU usage.
We can collect information about how much bandwidth is being used.





15 Sept 2017

IP Tables




iptables is a command-line Linux firewall utility that allows a system administrator to configure packet filtering in a Linux environment. It works by checking the packets crossing the network against a set of rules that allow or block traffic.

A firewall is a piece of software or hardware used to protect our system from insecure or untrusted services on the internet. Firewalls are often categorized as network-based or host-based.

A network-based firewall, or packet filter, is software running on a hardware device or a hardware-based appliance that filters traffic between two or more networks. A packet filter operates on TCP/IP: it allows or blocks traffic by IP address or TCP/UDP port when a packet does not match an existing connection. A host-based firewall is software that controls the traffic of a single machine.


iptables Chains or Rules:
1) Input
2) Forward
3) Output

Input:
It controls the incoming connections, or the packets that are addressed to our server.

Forward:
It handles the incoming connections that were not created locally, or the packets destined for another server, and routes the request on to the other machine.

Output:
It controls the outgoing connections, or the traffic created by our server.

How iptables Works:
The iptables interface works by matching each packet that crosses the network interface against a set of rules to decide what to do with it. Packets passing through the firewall are directed through one of the policy rules, or chains, depending on the source and destination address of the packet.

Step 1) A packet or data request arrives at the firewall.

Step 2) The firewall goes through the process of checking its policy.

Step 3) If the packet is coming from an outside source to our machine, it passes through the Input chain.

Step 4) If the packet is going from our machine to an outside destination, it passes through the Output chain.

Step 5) If the firewall does not know the packet's source and destination address or port number, it passes through the Forward chain.

Step 6) The firewall compares the packet's protocol type, its source and destination IP address or UDP/TCP port on the interface being used, and its relation to previous packets against the rules; depending on whether they match, it either drops the packet or accepts it.
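The steps above describe a traversal: pick a chain from the packet's direction, walk the chain's rules in order until one matches, and fall back to the chain's default policy if none does. The following is an added example, not code from the original notes or from the iptables project, that models that traversal for the filter table. It reads rules written in the iptables command-line syntax (-P for a chain policy, -A to append a rule, and the -p, -s, -i, --dport, -m conntrack --ctstate and -j options) and runs a few constructed packets through them; the rule set, the interface names and the addresses (documentation ranges) are made up, and the model understands only the options it parses.

```python
"""Toy model of iptables filter-table processing: choose the chain from the
packet's direction (steps 3 to 5), walk that chain's rules in order, and fall
back to the chain policy when no rule matches (step 6). Constructed example:
rule set, interfaces and addresses are made up."""
import ipaddress
import shlex

LOCAL_ADDRESSES = {"198.51.100.5", "127.0.0.1"}   # constructed: addresses of "our machine"

# iptables options that map straight onto a rule attribute
SIMPLE_OPTIONS = {"-p": "proto", "-s": "src", "-i": "in_iface", "--ctstate": "states", "-j": "target"}


class Rule:
    def __init__(self, chain, target, proto=None, src=None, dport=None, states=None, in_iface=None):
        self.chain, self.target, self.proto, self.dport, self.in_iface = chain, target, proto, dport, in_iface
        self.src = ipaddress.ip_network(src) if src else None
        self.states = set(states.split(",")) if states else None

    def matches(self, pkt):
        """Every criterion given on the rule must match; omitted criteria match anything."""
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.states is None or pkt.get("state") in self.states)
                and (self.in_iface is None or pkt.get("in") == self.in_iface))


class FilterTable:
    def __init__(self):
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}  # iptables defaults
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}

    def load(self, ruleset):
        """Parse iptables-style lines: -P sets a chain policy, -A appends a rule to a chain."""
        for line in ruleset.strip().splitlines():
            tok = shlex.split(line)
            if tok[0] == "-P":
                self.policy[tok[1]] = tok[2]
                continue
            opts, i = {}, 2                       # tok[0] == "-A", tok[1] is the chain name
            while i < len(tok):
                flag, val = tok[i], tok[i + 1]
                i += 2
                if flag in SIMPLE_OPTIONS:
                    opts[SIMPLE_OPTIONS[flag]] = val
                elif flag == "--dport":
                    opts["dport"] = int(val)
                elif flag != "-m":                # -m names a match extension; its options follow
                    raise ValueError(f"unsupported option {flag}")
            self.chains[tok[1]].append(Rule(tok[1], **opts))

    @staticmethod
    def select_chain(pkt):
        """Steps 3 to 5: addressed to us -> INPUT, sent by us -> OUTPUT, anything else -> FORWARD."""
        if pkt["dst"] in LOCAL_ADDRESSES:
            return "INPUT"
        if pkt["src"] in LOCAL_ADDRESSES:
            return "OUTPUT"
        return "FORWARD"

    def verdict(self, pkt):
        """Return (chain, verdict, index of the matching rule or None). First match wins."""
        chain = self.select_chain(pkt)
        for idx, rule in enumerate(self.chains[chain]):
            if rule.matches(pkt):
                return chain, rule.target, idx
        return chain, self.policy[chain], None


# Constructed rule set: default-deny inbound, allow replies to our own connections,
# SSH only from the admin network, HTTP from anywhere, SNMP only from one management host.
RULESET = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 161 -s 192.0.2.10 -j ACCEPT
"""

# Constructed packets as the firewall would see them
PACKETS = {
    "ssh_from_admin_net": {"src": "192.0.2.20", "dst": "198.51.100.5", "proto": "tcp", "dport": 22, "state": "NEW", "in": "eth0"},
    "ssh_from_internet": {"src": "203.0.113.9", "dst": "198.51.100.5", "proto": "tcp", "dport": 22, "state": "NEW", "in": "eth0"},
    "http_from_internet": {"src": "203.0.113.9", "dst": "198.51.100.5", "proto": "tcp", "dport": 80, "state": "NEW", "in": "eth0"},
    "snmp_from_wrong_host": {"src": "192.0.2.11", "dst": "198.51.100.5", "proto": "udp", "dport": 161, "state": "NEW", "in": "eth0"},
    "reply_to_our_request": {"src": "203.0.113.9", "dst": "198.51.100.5", "proto": "tcp", "dport": 51000, "state": "ESTABLISHED", "in": "eth0"},
    "outbound_dns": {"src": "198.51.100.5", "dst": "192.0.2.53", "proto": "udp", "dport": 53, "state": "NEW"},
    "transit_packet": {"src": "10.0.0.5", "dst": "10.0.1.7", "proto": "tcp", "dport": 443, "state": "NEW", "in": "eth1"},
}


def run_demo():
    """Load the rule set and return {packet name: (chain, verdict, rule index)}."""
    fw = FilterTable()
    fw.load(RULESET)
    return {name: fw.verdict(pkt) for name, pkt in PACKETS.items()}
```

Two things the model makes visible that the prose does not: rule order matters (the ESTABLISHED,RELATED rule sits before the port rules so replies to our own connections are accepted without a port match), and a default-deny INPUT policy means anything not explicitly allowed, such as SSH from the internet or SNMP from a host other than 192.0.2.10, ends in DROP.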


Types of iptables Tables:
Filter Table: This table is responsible for deciding whether to accept or drop a packet.

NAT Table: This table is responsible for modifying a packet's source and destination address and port when its access point is unknown.

Mangle Table: This table is used to alter the IP header, either shortening or lengthening the header size.

Raw Table: This table is used to evaluate packets with respect to the functionality of previous packets.

Security Table: This table is used to set internal SELinux security context marks on packets, where SELinux is a kernel modification with user-space tools for access-control security policies.




12 Sept 2017

Syslog



Syslog, or a Syslog server, is a standard system logging protocol that works at the transport layer of the OSI model and lets network devices send logging messages to a logging server. It collects all error messages, debug information and alerts. It is used for managing and securing networks and systems by sending an alert message to the admin based on the severity level.

Syslog servers mostly use three components for logging:
1) Syslog Listener
2) Database
3) Managing and Filtering Software

Syslog Listener:
It receives the log messages sent over the network via UDP or TCP.

Database:
It is used to store the syslog data so that we can retrieve it quickly.

Managing and Filtering Software:
It is used to manage the large amount of data to be processed and to filter out the important log messages.


Syslog Message Format:   PRI  HEADER  MSG

PRI:
or Priority; it indicates the priority (severity) level of the message.

HEADER:
It contains the timestamp of when the message was generated, together with the host IP address.

MSG:
or MESSAGE; it contains the process name and the content of the message.


How Syslog Works:

Step 1: We install the Syslog service on our server.

Step 2: The server communicates with the application services.

Step 3: The server listens to the TCP and UDP communications between the system and the services using the Syslog Listener.

Step 4: These communications are logged into its database.

Step 5: Message priority levels are checked using the managing and filtering software.

Step 6: If any security alert is found, an alert message is sent to the admin.
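Steps 5 and 6 come down to reading the PRI field and acting on it. In the BSD syslog format (RFC 3164) the PRI is a number in angle brackets at the start of the line, equal to facility * 8 + severity, so the severity is PRI modulo 8 and the facility is PRI divided by 8; the HEADER (timestamp and host) and MSG (tag, optional pid, content) follow. The following is an added example, not code from the original notes, that splits constructed log lines into those three parts, decodes facility and severity, and returns the messages at or above a chosen severity as the alerts of step 6. The sample lines, host name and addresses are made up.

```python
"""Parse BSD-style (RFC 3164) syslog lines into PRI, HEADER and MSG, decode the
facility and severity packed into PRI, and flag messages at or above an alert
threshold (steps 5 and 6). Constructed example: the sample log lines are made up."""
import re
from collections import namedtuple

# Severity 0 is most severe; index in this list equals the numeric code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names for codes 0..23 (names follow the RFC 5424 facility table).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

Record = namedtuple("Record", "facility severity timestamp host tag pid content")

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (day may be space-padded: "Oct  5")
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# MSG usually starts with "TAG[pid]: " or "TAG: "
TAG_RE = re.compile(r"^([^\[:\s]+)(?:\[(\d+)\])?:\s*(.*)$")


def parse_syslog(line):
    """Split one RFC 3164 line into a Record; raises ValueError on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    tag_match = TAG_RE.match(m.group(4))
    if tag_match:
        tag, pid, content = tag_match.groups()
    else:
        tag, pid, content = None, None, m.group(4)
    return Record(FACILITIES[facility], SEVERITIES[severity], m.group(2), m.group(3), tag, pid, content)


def alerts(lines, threshold="warning"):
    """Step 5/6: return records whose severity is at or above threshold (smaller code = more severe)."""
    limit = SEVERITIES.index(threshold)
    return [rec for rec in map(parse_syslog, lines) if SEVERITIES.index(rec.severity) <= limit]


# Constructed sample lines as a listener would receive them
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host-b su: 'su root' failed for operator on /dev/pts/8",
    "<86>Oct 11 22:14:20 host-b sshd[4021]: Accepted publickey for operator from 192.0.2.20 port 50122 ssh2",
    "<13>Oct 11 22:15:01 host-b backup[771]: nightly job finished in 412s",
    "<0>Oct 11 22:16:44 host-b kernel: Out of memory: Killed process 2240 (java)",
    "<165>Oct 11 22:17:09 host-b app[1337]: queue depth 1800 exceeds soft limit",
]
```

With the default threshold of "warning", the failed su (PRI 34 = auth.crit) and the kernel OOM message (PRI 0 = kern.emerg) come back as alerts, while the successful login (authpriv.info) and the two notice-level messages are kept in the database but not escalated.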