Executive summary
Security has become a major problem for today's organizations. Intruders of all kinds have managed to break into many companies' web services and networks. Several measures have been developed to curb such attacks, secure companies' network infrastructure, and protect the exchange of information through secure channels; among these are firewalls, encryption technology, and VPNs. Intrusion Detection is a new mechanism for instilling security in organizations' networks. Applying this technique helps the IT security manager gather and use information about recognized attacks and check whether someone is attempting to break into the network or a specific workstation. The gathered information can be used to strengthen the network's security and for legal purposes. Tools for assessing vulnerabilities in a network are also on the market. A proper network security system comprises many tools: firewalls to block undesired traffic entering and leaving the network, an Intrusion Detection System (IDS) to check whether someone is sitting in your network, and tools for analyzing vulnerabilities.
Introduction
Intrusion Detection refers to an array of techniques and schemes that detect suspicious activity on the network as well as on the host. IDS fall into signature-based and anomaly-based detection systems. Attacks against networks leave signatures that can be detected with specific software. The system attempts to find data packets containing known anomalies or signatures associated with intrusions against Internet protocols. Based on an array of signatures and rules, the IDS can find and log suspected events and automatically produce alerts. Anomaly-based detection checks for anomalies in protocol headers; this scheme produces more reliable results than signature-based IDS. The basic idea is that the IDS captures network data and checks it against its rules to detect the presence of anomalies.
Intrusion Prevention Systems can detect network security threats and are also capable of dropping noncompliant data packets inline.
Depending on the network topology employed, the intrusion detection system may be positioned in one or more locations (Gregg 92). The position of the IDS also depends on the type of intrusion you want to capture: external, internal, or both. To detect external intrusion with a single router, you may place the IDS inside the router to the Internet or a firewall. With multiple outlets to the Internet, you may place an IDS at every point of entry. To detect internal intrusion, an IDS may be placed on every segment of the network.
On many occasions there is no need for detection on all segments of the network; limit it to the sensitive areas so that the work and cost of maintenance are reduced. Where to place intrusion detection systems depends on the policy that specifies the resources to protect.
For ACME, intrusion detection is to be carried out at every entry point, so an IDS will be placed at every entry point to prevent external attack. Below is a network topology for ACME.
The type of IDPS technology to be used at ACME is wireless: a wireless IDPS monitors wireless network traffic and analyzes its wireless (no physical connection) networking protocols to spot suspicious activity.
Here the IDS are placed behind the firewalls and routers.
Wireless IDPS Architecture
Infrastructure required to support the IDS/IPS
The following are the key infrastructural components that have to be made available to facilitate the IDS/IPS network security design for ACME:
Network routers (wireless), bridges and WAN connection
Network hubs
IDS box
Firewall program
Wireless sensors
Network switch
Network operating system
License
Servers – for FTP, mail and web activities
DNS, RADIUS
TCP/IP ports
Drive space
Event log entries
Topology and architecture
A very important step in designing our secure network is defining its topology, that is, the logical layout of the network. On the physical side, we will need to provide network distribution to the offices located in the different departments of the company. The network will also need to provide connectivity to the servers, to the Internet, to remote sites, and to business partners or even other companies over telephone lines. As much as we consider the physical topology, the logical topology must be considered too. The logical topology is affected to some degree by the physical topology, but with technologies such as Virtual Local Area Networks (VLANs) and Virtual Private Networks (VPNs) there is considerable flexibility in arriving at the logical design of the network.
When laying out the logical topology of the organization, we need to take into account the policy we set up for the organization and decide what our trust model is. We also have to decide which parts of the network are less trusted and which are more trusted. We should draw up a list of the groups of users on the network that should be grouped together because they are related in the nature of their work, and a list of the users and network devices that should be separated. The figure below shows a graphic representation of our initial network design:
The design illustrated above shows a connection to the Internet through a border router and firewall, with the organization's extranet servers connected to a third interface on the firewall. The firewall is a 4s switch and will be upgraded to a 3s switch if higher performance is required. The other connections to our core router are the floor or building switches, whose main task is to provide connectivity to the various departments in the organization and to the organization's intranet servers.
This topology illustrates how devices with similar functions can be grouped together to provide the required security measures for the organization. The devices include the extranet servers, the workstations of the various users, and the intranet servers. By creating separate security zones, we will be in a position to enforce the organization's security policy with appropriate firewall rules and layer 3 access lists.
One key element that our network design still lacks is the framework/infrastructure we will use to manage the network. To achieve this, we will need at least one management workstation, one TFTP server, and at least one syslog server. We also need a password management server to manage the passwords used for authentication; for this purpose we will need RSA SecurID, Axent Defender, or a RADIUS server. Because these servers manage the security of the organization, we will create a separate VLAN for them, distinct from the rest of the devices on the network. To achieve this isolation we will need a firewall that separates the management servers from the rest of the network. The only traffic allowed into the management network will be traffic from the managed devices or traffic protected by encryption.
One goal of our design is to keep management traffic away from the production network so that the chance of its being intercepted in transit is eliminated. The ideal way to achieve this is to give each device a physical port on the management VLAN. This is not always easy because of physical limitations; in that case, traffic on the management network should be encrypted using SSH or IPsec. The diagram below represents the management network.
Securing routers and switches
Once the topology has been defined, it is time to examine how we can build security into our network elements and configurations. The network we design will need to be segmented into smaller networks called subnets, based on function and probably also on location. We will implement routing at the network core, so our segments are isolated into individual broadcast domains. This implementation improves network performance and also improves security by preventing sniffing or ARP-based attacks between segments.
The hosts in each subnet will be connected to the network through an Ethernet switch. A switch provides high network performance, since each host is placed in its own collision domain, and this setup also enhances security because ARP-based attacks are made impossible. Sniffing is also made impossible with this setup. The alternative to a switch is a hub, but most designers avoid hubs because they have fewer security features and lower performance than switches.
Layer 3 design and access lists
Our layer 3 design is simplified: we will have a central router which we will use to connect the different departments of the organization. Because we have mapped out our trust model and security policies, we can use access lists at layer 3 to implement the organization's security policy. For traffic entering a particular subnet, the packets allowed into that network will be based on the security policy for that subnet. Likewise, we will make sure that outbound traffic is filtered so that the chances of spoofing and of malicious or illegitimate activity are eliminated. At this point I will consider some good examples of access lists based on the Cisco IOS command set.
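As an added example (not from the original paper), the following Python evaluator models Cisco-style first-match access lists for the two filters described above: an inbound policy for a department subnet and an outbound anti-spoofing filter. The subnets, hosts and sample packets are constructed for illustration, not ACME's real addressing.

```python
# Added example: layer-3 access-list evaluation with Cisco-style first-match
# semantics and the implicit deny at the end of every ACL. Addresses below
# are constructed (documentation/private ranges), not ACME's real network.
import ipaddress

INTRANET = ipaddress.ip_network("10.0.1.0/24")   # constructed department subnet

# Each entry: (action, protocol, source network, destination network, dest port or None)
INBOUND_ACL = [
    ("permit", "tcp", "0.0.0.0/0", "10.0.1.10/32", 80),   # web traffic to the intranet server only
    ("permit", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),       # explicit deny for everything else
]
# Outbound: packets leaving the subnet must carry a source address inside it (anti-spoofing)
OUTBOUND_ACL = [
    ("permit", "ip", str(INTRANET), "0.0.0.0/0", None),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),       # spoofed or foreign source addresses
]

def evaluate(acl, packet):
    """Return ('permit'|'deny', index of the matching entry) for one packet dict."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for i, (action, proto, s_net, d_net, dport) in enumerate(acl):
        if proto != "ip" and proto != packet["proto"]:
            continue
        if src not in ipaddress.ip_network(s_net) or dst not in ipaddress.ip_network(d_net):
            continue
        if dport is not None and packet.get("dport") != dport:
            continue
        return action, i            # first match wins, as in Cisco IOS
    return "deny", -1               # implicit deny when no entry matches

def filter_packets(acl, packets):
    """Apply the ACL to a list of packets and return the verdict for each."""
    return [evaluate(acl, p)[0] for p in packets]

# Constructed sample traffic for the two filters
INBOUND_SAMPLES = [
    {"src": "203.0.113.5", "dst": "10.0.1.10", "proto": "tcp", "dport": 80},   # allowed web request
    {"src": "203.0.113.5", "dst": "10.0.1.10", "proto": "tcp", "dport": 23},   # telnet: not in policy
    {"src": "203.0.113.5", "dst": "10.0.1.20", "proto": "tcp", "dport": 80},   # web to the wrong host
]
OUTBOUND_SAMPLES = [
    {"src": "10.0.1.33", "dst": "198.51.100.1", "proto": "tcp", "dport": 443},  # legitimate source
    {"src": "192.0.2.99", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}, # spoofed source
]
```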
Intrusion detection systems
There are other advanced ways of building a secure network using technologies such as Network Intrusion Detection Systems (NIDS), which detect undesirable activity in the network. This technology can alert system administrators every time suspicious activity takes place on the network. These alerts are made possible by IDS placed strategically on the network. A NIDS makes use of sensors within the network to generate the necessary alerts. Because our infrastructure is switched, the NIDS sensors must be connected in a special way: the switch port each sensor is attached to is configured as a monitoring port to which all the traffic to be inspected is mirrored.
The diagram shown below brings this out clearly.
Justification and proposal
Background information
ACME is a company that has thrived over the past two years. It is a dealer in widgets and has been very successful in marketing its products; its main clients are middle-class working professionals. At the moment ACME operates fifty-three retail outlets. It also generates income from its e-commerce website, which went into operation in 2010.
Problem definition
Currently the ACME network has a very weak protection mechanism, and attackers may take advantage of it to break into the network and damage sensitive information and other valuables. Not long ago the organization's information was stolen by unknown attackers, who took customers' credit card information. Such incidents must not recur, and to ensure this the management should treat the proposed IDS/IPS as imperative. ACME's loyal clients may go elsewhere if their information continues to be unprotected.
Problem justification
The proposed network security using Intrusion Detection and Prevention Systems is one of the most promising security techniques in use by many organizations today. The ACME network is at risk if this security measure is overlooked. This security model is cost effective, since few hardware and software components are used. A Snort-based IDS will be implemented; its components work together to track specific attacks and to generate output from the detection system in the required format. The components of a Snort-based IDS are the packet decoder, preprocessors, detection engine, output modules, and the logging and alerting system. The network-based intrusion detection system to be implemented at ACME will have the following benefits:
1. Zero-latency prevention
2. Effective network hygiene
3. Simplified management of security due to centralization of security services
Budget
The following expenses will be required to complete the project (prices are not given in this draft):
Device/software                 Price (USD)
Network routers (wireless)
IDS box
Firewall program
Network operating system
Network switch
Network hubs
Wireless sensors
Miscellaneous expenses
License
Signatures
ACME has to employ a variety of signatures with associated actions to ensure network security. Every time a signature detects the activity it is configured to detect, it invokes one or more actions. Actions fall into the following categories:
Generating an alert
Dropping or preventing the activity
Logging the activity
Resetting a TCP connection
Blocking future activity
Allowing the activity
Alert signature action
This action is crucial for scrutinizing the alerts produced by ACME's network. It gives the IT security manager better insight into attacks intended to cause havoc in the organization. The ACME IT security manager can observe the operation of the network efficiently through two types of alerts: atomic and summary alerts. An atomic alert is produced every time a signature triggers. A summary alert is a single alert that reports several occurrences of the same signature from the same source address and/or port.
Drop signature action
The ability to drop a packet or thwart an activity is the most powerful action an IPS device offers. Through this action the IT security manager at ACME will be able to stop attackers from performing malicious actions in the network.
Log signature action
Where there is not enough information to stop an action, logging is necessary so that the logged information can be reviewed in detail. By performing a detailed assessment of the logged information, the ACME IT security manager can determine exactly what action is taking place and decide whether to allow or deny it in future.
Block signature action
Most IPS devices can block future traffic by having the IPS appliance update the ACLs on one of the infrastructure devices. That ACL bars traffic from a malicious system without the IDS spending many resources (Kizza 83).
TCP reset signature action
A packet with the TCP RST flag is generated to tear down a TCP connection. The IT security manager at ACME will use this signature action whenever an unwanted TCP connection occurs.
Allow signature action
Through this action the IT security manager can define exceptions. This applies, for example, when ACME's IT department uses a vulnerability scanner to scan the network, because the scanning produces a large number of alerts.
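As an added example (not from the original paper), the following Python signature engine models the six signature actions described in this section, the "allow" exception for the in-house scanner, and the difference between atomic and summary alerts. The signatures, addresses and packets are constructed placeholders, not real Snort or Cisco IPS signatures.

```python
# Added example: a minimal signature engine modelling the IPS actions described
# above (alert, drop, log, reset, block, allow) and atomic vs summary alerts.
# Packets are constructed dicts; the match predicates are illustrative only.
from collections import Counter
SIGNATURES = [  # (name, match predicate on a packet dict, set of actions)
    ("dir-traversal", lambda p: b"../" in p.get("payload", b""), {"alert", "drop", "log"}),
    ("telnet-attempt", lambda p: p["proto"] == "tcp" and p["dport"] == 23, {"alert", "reset"}),
    ("icmp-sweep", lambda p: p["proto"] == "icmp", {"alert", "block"}),
]
class SignatureEngine:
    def __init__(self, allow_sources=()):
        self.allow_sources = set(allow_sources)  # "allow" action: defined exceptions
        self.atomic_alerts = []   # one entry every time a signature fires
        self.hits = Counter()     # (signature, src addr, src port) -> count, for summary alerts
        self.log = []             # full packets kept for later review
        self.resets = []          # TCP RST packets the sensor would emit
        self.blocked = set()      # source addresses pushed to an infrastructure ACL

    def inspect(self, pkt):
        """Apply every matching signature to one packet; return 'forward' or 'drop'."""
        if pkt["src"] in self.allow_sources:
            return "forward"                      # allow: e.g. the in-house scanner
        if pkt["src"] in self.blocked:
            return "drop"                         # block: earlier ACL update still applies
        verdict = "forward"
        for name, match, actions in SIGNATURES:
            if not match(pkt):
                continue
            self.hits[(name, pkt["src"], pkt.get("sport"))] += 1
            if "alert" in actions:
                self.atomic_alerts.append((name, pkt["src"]))
            if "log" in actions:
                self.log.append((name, dict(pkt)))
            if "reset" in actions:                # tear the TCP connection down
                self.resets.append({"src": pkt["dst"], "dst": pkt["src"], "flags": "RST"})
                verdict = "drop"
            if "block" in actions:
                self.blocked.add(pkt["src"])
            if "drop" in actions:
                verdict = "drop"
        return verdict

    def summary_alerts(self):
        """Collapse repeated hits of one signature from one source addr/port into a single alert."""
        return {k: n for k, n in self.hits.items() if n > 1}

def run_demo():
    """Constructed traffic: three traversal probes from one host, one telnet attempt, a scanner probe."""
    eng = SignatureEngine(allow_sources=["10.0.50.9"])   # constructed scanner address
    attacker = {"src": "198.51.100.7", "dst": "10.0.1.10", "proto": "tcp", "sport": 40001, "dport": 80}
    pkts = [dict(attacker, payload=b"GET /../../etc/passwd") for _ in range(3)]
    pkts.append({"src": "198.51.100.8", "dst": "10.0.1.10", "proto": "tcp", "sport": 5000, "dport": 23})
    pkts.append({"src": "10.0.50.9", "dst": "10.0.1.10", "proto": "tcp", "sport": 6000, "dport": 23})
    return [eng.inspect(p) for p in pkts], eng
```

The three identical traversal probes produce three atomic alerts but collapse into one summary alert keyed by signature, source address and source port.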
Appendix
IDS policy
Having designed network security for ACME, it is important to develop an Intrusion Detection System policy giving guidelines on the use of the system. This policy defines the actions that must be taken against an intruder into the ACME network. The policy has the following components:
1. Who will monitor ACME's IDS? The IDS at ACME provides alerts about intrusion activity, in the form of text files. Monitoring them is the responsibility of the IT security manager. Real-time monitoring of intrusions at ACME is done through pop-up windows, so the IT security manager must be conversant with these pop-ups in order to take effective action without delay.
2. Routine maintenance at ACME is done by the IT security manager. Duties include administration and log rotation.
3. Any intruder found will be prosecuted for illegally breaking into the ACME network and causing damage to the infrastructure and/or harm to stored information. In such cases the IT security manager is responsible for carrying out the whole prosecution process and ensuring that justice is done.
4. The IT security manager of ACME should ensure the proper and reliable generation of daily, weekly and monthly reports. The reports must be comprehensive and readable and must state the steps to be taken to improve security.
5. Daily IDS updates must be installed by ACME's IT security manager, because attackers work round the clock to devise new techniques for breaking into networks. The nature of attacks changes constantly, hence the need for updates.
6. ACME's IT security manager must produce documentation of the projects carried out. The documentation includes a simple log of intruder actions.
Works cited
Gregg, Michael. Build Your Own Security Lab: A Field Guide for Network Testing. London: John Wiley & Sons, 2010.
Kizza, Joseph Migga. A Guide to Computer Network Security. Australia: Springer, 2009.
Noonan, Wesley J. Hardening Network Infrastructure. New York: McGraw-Hill Professional, 2005.