Lab 2 – CSEC630
1. When running Snort IDS why might there be no alerts?
When using Snort IDS, there are several modes that, if configured properly, will generate alerts. Alerts are enabled by the user at the command prompt when initiating a rule set. There are five alerting options available with Snort IDS. According to Roesch (1999), alerts may either be sent to syslog, logged to an alert text file in two different formats, or sent as WinPopup messages using the Samba smbclient program. If there have been no alerts, the selected rule set may not have been enabled by the user. Another scenario in which alerts may not occur is when another task is being performed. According to Roesch (1999), when alerting is unnecessary
5. What are the advantages of using rule sets from the snort web site?
There are several advantages to using the existing rule sets already created on the Snort web site. One advantage is that they have been created to work effectively against common vulnerabilities. Creating your own rule sets requires a working knowledge of Snort, and a rule you create yourself may not yield the effect that the administrator is seeking.
6. Describe (in plain English) at least one type of rule set you would want to add to a high level security network and why?
A rule set that I would add to a high-level security network would be an app-detect rule set. With these rules, the traffic generated by the various applications that use the network would be monitored and controlled. This is especially important because if an application within the network is compromised, it could be utilized to gain access to the network.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
If someone with malicious intent were to gain read/write access to your IDS log or rule set, they could use that information to determine how your IDS is configured, especially if detailed logging is set up. The logs could reveal which rule sets are being utilized based on the
The two IDSs use different rulesets, and thus a key decision needs to be made when choosing one of them. Emerging Threats (ET) is an open source community that was originally created to sustain an open Snort rule set. However, the group currently produces rulesets that are compatible with both Snort and Suricata. ET also produces a professional ruleset (ET Pro). In the professional ruleset, each item contains a rule portion tuned for Snort, a rule portion tuned for Suricata, and a portion that is shared by both engines. The certified rule set for Snort is created by the Sourcefire Vulnerability Research Team (VRT) (Sikorski & Honig, 2012). The rules are sold immediately after release
Individual users play an important role in any institution or organization, but their activity raises security concerns. Network administrators lay down a clear set of rules, regulations and protocols that an individual user has to agree to, and these determine which resources and what class of service the user can obtain.
There are multiple aspects of security in this network, which I have tried to implement as fully as possible. This is where the CIA triad comes into play: confidentiality, the rules and limits on who can access information; integrity, making sure the data is accurate and trustworthy; and availability, having reliable access to the information. I am going to cover each aspect in a list format and explain how it is applied in my network. One thing that will be performed on all network devices is system updates and patching. These will happen on a monthly basis, on a weekend when the networks are not being used.
“Security needs to be addressed as a continued lifecycle to be effective. Daily, there are new attack signatures being developed, viruses and worms being written, natural disasters occurring, changes in the organization workplace taking place and new technologies evolving; these all affect the security posture in the organization” (King, 2002). This being said, it is important to evaluate firewall and router rule sets more frequently. The possible threats against this policy include improperly configured network infrastructure, which leads to a domino effect that could start with malicious programming and end in data loss. Many of these threats may be unintentional, as some users may not be aware of the risks and of how their processes and procedures open the door to such attacks. For this reason alone, a more frequent evaluation is needed. This vulnerability could lead to data loss and the exposure of trade secrets, client lists and product designs. For most companies the exposure of such information could mean financial collapse, as the company no longer has the competitive edge that makes it the industry leader. While the likelihood of this threat is very high, “security risks to the network exist if users do not follow the security policy. Security weaknesses emerge when there is no clear-cut or written security policy document. A security policy meets these goals:
Snort has more than 3000 predefined rules that are free to download from the snort.org website; these rules are precise and cover a wide range of
Security is almost certainly the most difficult aspect of a network to perfect. It is important to have the correct procedures and components in place to make certain that network security is accounted for and addressed on any given network. The journal “Future Generation Computer Systems” elaborates on this necessity for an information system, and this component of a network is discussed there thoroughly. “Essentially securing an Information System (IS), involves identifying unique threats and challenges which need to be addressed by implementing the appropriate countermeasures” (Dimitrios Zissis, Dimitrios Lekkas, 2012). This was achieved through configuring access lists as well as CHAP configuration on the routers connecting to the edge
5. What are the three primary methods for implementing security on this network, as well as the advantages and disadvantages each?
What services are to be permitted and denied access to your network or computer? Make a list of what enters and leaves your network. Discuss
Provide at least 3 examples of Network Architecture Controls that help enforce data access policies at LAN-to-WAN Domain level.
Firewalls are set up on computers to help protect them and other devices from attacks originating from potentially harmful websites and other resources. Proxies are servers that act as a middleman for computers: they allow users to make indirect connections to other servers. The LAN-to-WAN domain is where the infrastructure connects to the Internet. Updates, firewalls and proxies will help to keep things running and keep the domain protected.
Finally, gathering all this information would enable the network administrator to tune the IDS to the attacks specific to the network.
The goal of intrusion detection is to monitor network assets, detect anomalous behavior, and identify misuse within a network (Ashoor, Gore, 2011). An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station (Kashyap, Agrawal, Pandey, Keshri, 2013). Additionally, there are three types of IDS:
Firewalls are categorized as a preventive control, used as a defensive shield around IT systems to keep intrusions and hacking from occurring, whereas an Intrusion Detection System (IDS), which is categorized as a detective control, is used to detect intrusions that have already occurred (Cavusoglu, Mishra, & Raghunathan, 2005). However, IDSs are not
The technique can detect DDoS attacks as well as block complete botnets (Amna Riaz 2017). However, a NIDS will face issues processing all packets in a large virtual network, and it may fail to detect attacks in time, as Snort is single-threaded.
Most open source IDSs work as a combination of multiple software components and conditions. For example, Snort can run as a daemon (service) or as a standalone application, but it may need additional resources and services. It may require a SQL server for its database logging, a Syslog server for log output, a web server for its GUI, and multiple other library dependencies. Usually the commercial IDSs are able to retrieve and analyse data from multiple sources and platforms. The essential point is that an IDS can be hosted on one machine with all its dependencies, or the services can be hosted on several machines configured to work as a unitary system. Nevertheless, when the IDS services are deployed on multiple machines, all of those machines must be secured