A Network-Based Intrusion Detection System for ACME Software Solutions - Lab Report Example

Summary
This paper "A Network-Based Intrusion Detection System for ACME Software Solutions" is going to examine Network-based Intrusion Detection System. In doing so, it will look at common disadvantages with NIDS; how the current setup of NIDS is not likely to meet the security requirements of ACME…

Introduction

ACME Software Solutions is an organization that specializes in web development for small and medium-sized enterprises. It mainly designs websites that introduce customers to the products and services its clients provide. A security analyst has been hired by ACME Software Solutions to redesign the network, which will help to enhance system security. Security incidents such as web defacement continue to occur despite the salesman's assurances and the small fortune that has been spent on him. The main elements of the network will be the following: a firewall; a NIDS (network-based intrusion detection system); a web server; a database server; and installation.

My Role

ACME Software Solutions has hired me as an external security contractor to help it reformulate its security design. During consultation at ACME's offices, the CEO pointed out the following: no one appears to understand how the NIDS functions; the NIDS has been incapable of controlling web defacement; the operating system used by ACME Software Solutions cannot readily be updated; database security is making life more difficult and is in a real mess; system logging is not effective; disruption ought to be kept to a minimum; the current functionality of the NIDS should be extended; and the CEO wants to see real, practical examples. This paper examines network-based intrusion detection systems.
In doing so, it will look at the following: common disadvantages of NIDS; how the current NIDS setup is unlikely to meet ACME's security requirements; how the NIDS and network setup can be changed to make use of the existing functionality without any extra expenditure on security; how IDS support systems and tools may be used to extend the existing IDS functionality; how database security could be configured to minimize the effect on existing services while maximizing security; how the existing security functionality could be tested in future so as to guarantee that everything is functioning as expected; and network diagrams illustrating the networking principles.

Common limitations of NIDS

An IDS (intrusion detection system) is an application or device that monitors the activities of a system or network for policy violations or malicious activity. Intrusion detection is the process of monitoring and analyzing the events that occur in a network or computer system for probable incidents, which are likely to be threats of imminent violations. A NIDS (network-based intrusion detection system) is a type of IDS whose sensors are positioned at choke points of the monitored network, often at network borders or in the DMZ (demilitarized zone). The limitations of NIDS are many. First of all, the effectiveness of a network-based intrusion detection system can be hindered by noise. Escaped local packets and software bugs can generate bad packets, and these packets are capable of producing a false-alarm rate that is normally significant and high. Moreover, the number of actual attacks is often well below the false-alarm rate, so actual attacks are frequently ignored or missed; it is not unusual for the actual attack rate to fall below the false-alarm rate (Ross 387). NIDS are susceptible to new attack strategies because their signature databases are outdated.
To that effect, numerous malicious attacks are aimed at particular software versions, which are normally out of date. A NIDS is incapable of mitigating these risks because it does not have a library of signatures that is constantly updated. Also, a major issue is presented if port spanning is not enabled on a switched network that uses a NIDS: the packets will not be transmitted to the entire network, but only to the intended recipient. Moreover, in view of the fact that port spanning cannot be supported by the NIDS, it is incapable of replicating the traffic being transmitted on a switch (Ross 388).

How the current setup of NIDS is unlikely to meet the security requirements of ACME

The NIDS used at ACME Software Solutions is Snort. It is a platform-independent tool that identifies intrusions by monitoring multiple hosts and assessing network traffic. In order for this NIDS to access network traffic, it is connected to a network switch (hub) that is configured for network tapping or port mirroring. This NIDS setup cannot meet the security requirements of ACME Software Solutions because it is out of date. As a result, it is vulnerable to new attacks that have been designed for particular software versions. Its signature databases are outdated and are therefore not capable of mitigating threats. The current NIDS setup at ACME enables port spanning, which is risky, especially when an intruder is able to access a spanned port and acquire the network information needed to access the corporate network.

How the setup of NIDS and network can be altered to make use of the NIDS functionality

ACME Software Solutions should alter the NIDS and network setup so as to make use of the existing NIDS functionality without any extra expenditure on new security. Nowadays, hubs are being replaced by switches because of escalating network sizes, which need to be faster and more efficient.
The data in ACME's network ought to be timely and dependable. In order to make use of the NIDS functionality in the organization, network taps ought to be created. These network taps will permit the monitoring of all traffic in the network. Moreover, Amoroso explains that network taps are useful for passively analyzing and troubleshooting a network (46). The taps prevent the NIDS from being attacked directly by intruders, thus making the NIDS more secure. The figure below demonstrates a 4-port hub. A computer connected on port C wants to receive information from a computer on port A. The hub receives the packet after it has been sent and repeats it to all of its ports. In this case, the NIDS will not encounter any problem, because every port receives the traffic; the NIDS can detect traffic irrespective of where it is being transmitted.

Figure 1

Data in a switch is sent in a different manner. The data is sent only to port C, not to every port of the device (Vaccaro 58). Figure 2 below illustrates where the problem is likely to occur. Port D (the NIDS) will not receive any data, so no event can be detected. The attack can be detected by the NIDS only if the malicious traffic is directed at the network-based intrusion detection system itself. However, this is not acceptable, because the purpose of the NIDS at ACME would be defeated.

Figure 2

Taps actually increase the security of the NIDS, as they lead intruders to assume that no intrusion detection system is present to track and identify their malicious attacks. The figure below illustrates the NIDS; it indicates how the NIDS can be altered so as to compare the signature files and rule list (which are stored in the NIDS database) with probable intruder packets.

How the existing IDS functionality may be extended using support systems and IDS tools

The existing IDS functionality may be extended using support systems and IDS tools.
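Returning to the hub, switch and tap comparison in Figures 1 and 2 above: the following simulation is an added example, not part of the original report. It models a 4-port hub, a MAC-learning switch with an optional SPAN (mirror) port, and a passive inline tap, and shows which frames a sensor on port D actually gets to inspect under each deployment. The MAC addresses, port letters and frames are constructed to match the figures.

```python
"""Why a NIDS sensor on port D sees every frame on a hub but goes blind on a
switch once the switch has learned where the hosts are, and how a SPAN
(mirror) port or a passive tap restores visibility.
Added example, not part of the original report; MAC addresses, port letters
and frames are constructed to match the Figure 1 / Figure 2 layout."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """A hub repeats every frame out of every port except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """A learning switch notes which port each source MAC arrived on and sends
    a frame only to the port of its destination MAC; an unknown destination is
    flooded like a hub. A configured SPAN port gets a copy of every frame."""

    def __init__(self, ports, span_port=None):
        self.ports = list(ports)
        self.span_port = span_port
        self.mac_table = {}  # source MAC -> port it was learned on

    def forward(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port
        out_port = self.mac_table.get(frame.dst_mac)
        if out_port is None:
            dests = [p for p in self.ports if p != in_port]  # unknown: flood
        else:
            dests = [out_port]
        if self.span_port is not None and self.span_port not in dests:
            dests.append(self.span_port)
        return dests


class Tap:
    """A passive tap sits inline on one link and copies every frame, in both
    directions, to its monitor port. It has no MAC address of its own."""

    def __init__(self, end_a, end_b, monitor):
        self.end_a, self.end_b, self.monitor = end_a, end_b, monitor

    def forward(self, in_port, frame):
        other = self.end_b if in_port == self.end_a else self.end_a
        return [other, self.monitor]


def payloads_seen_by(device, sensor_port, traffic):
    """Push (ingress_port, frame) pairs through a device and return the
    payloads that reach the sensor's port: the traffic the NIDS can inspect."""
    return [f.payload for in_port, f in traffic
            if sensor_port in device.forward(in_port, f)]


# Constructed exchange: host A (MAC 'aa', port A) talks to host C (MAC 'cc',
# port C); the NIDS sensor is on port D, as in Figure 2.
TRAFFIC = [
    ("A", Frame("aa", "cc", "request-1")),
    ("C", Frame("cc", "aa", "reply-1")),
    ("A", Frame("aa", "cc", "request-2")),
]
# The same frames crossing a tap inserted on host A's link: frames from A
# enter on the tap's host side, the reply enters from the switch side.
TAP_TRAFFIC = [("host", TRAFFIC[0][1]), ("switch", TRAFFIC[1][1]),
               ("host", TRAFFIC[2][1])]


def compare_sensor_visibility():
    """Return the payloads the sensor on port D sees under each deployment."""
    ports = ["A", "B", "C", "D"]
    return {
        "hub": payloads_seen_by(Hub(ports), "D", TRAFFIC),
        "switch": payloads_seen_by(Switch(ports), "D", TRAFFIC),
        "switch_span": payloads_seen_by(Switch(ports, span_port="D"), "D", TRAFFIC),
        "tap": payloads_seen_by(Tap("host", "switch", "D"), "D", TAP_TRAFFIC),
    }


if __name__ == "__main__":
    for setup, seen in compare_sensor_visibility().items():
        print(f"{setup:12s} sensor sees {len(seen)}/{len(TRAFFIC)}: {seen}")
```

Without a SPAN port the sensor sees only the first frame, which the switch flooded before it had learned host C's port; after that the switch delivers frames to their destination port only, which is exactly the blind spot Figure 2 describes.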
Support systems include NIDS, HIDS (host-based intrusion detection systems), and IPS (intrusion prevention systems). Among other tools, an IDS is used to find out whether a server or a computer network has undergone an unauthorized intrusion. The IDS that might be used by ACME has been placed in the perimeter between the firewall and the border router, or outside the border router. Moreover, ACME ought to install an intrusion detection system outside the border router and the firewall in order for the organization to have a wider view of attempted malicious attacks. With an intrusion detection system, ACME is able to confirm the probability of an attack taking place. Also, having an intrusion detection system in these locations will provide a tool that analyzes the captured data and supports forensics as required (Kathleen 133). An intrusion detection system is a tool used to provide and capture visibility into a corporate network. Thus, ACME ought to install IDS tools at all key network points so as to provide both internal and external visibility. This type of deployment normally provides the data required to track down probable threats, whether internal or external. It is vital to monitor internal traffic. Current IDS implementations are capable of dropping packets because today's network devices have high bandwidth as well as high throughput. HIDS (host-based IDS) are IDS tools that ACME can use to provide a more granular level of visibility, that is, the visibility needed to track and identify intrusion attempts on a particular application or host. HIDS provide a higher level of visibility into every node of a network. HIDS have been designed to be fast, modular, and distributed.
Snapp and Brentano assert that HIDS software normally runs locally on each server in order to detect foreign alterations to the functionality of local configuration services and/or files (169). Host-based intrusion detection software can be categorized into operating system functionality, system integrity verifiers and log file monitors, which add functionality to the functions of the operating system. Honeypots are the most popular non-commercial IDS tools. A honeypot is software that emulates network services and permits system administrators to monitor the actions of intruders. Moreover, honeypots emulate a real running operating system so as to serve as a lure for probable intruders. The main objective is the analysis of attacks; however, a number of honeypot products employ internal signatures for known attacks in order to block them automatically. Honeypots normally encompass tools that register intruder attempts as they monitor. A honeypot can be configured with Snort (IDS software) together with Honeyd (honeypot software). For web applications, an open-source intrusion detection and prevention engine will be used for the configuration. This will be useful in assessing Hypertext Transfer Protocol queries so as to guard web applications from both known and unknown attacks (Lunt 57). An IPS is used to actively drop packets or disconnect those connections that carry unauthorized data. An intrusion prevention system assists in denying traffic. Thus, its deployment ensures the availability and uptime of a network by identifying and possibly preventing attacks and intrusions that might cause network downtime. ACME Software Solutions ought to configure the IPS properly using intrusion detection system software such as Snort. In doing this, it is likely to save money through the identification and prevention of a virus or worm attack.
As ACME is creating metrics that quantify the money spent and time lost because of an attack or a virus, it ought to have the necessary information to justify the expenses correlated with the deployment of an IPS (Lunt 59). The intrusion prevention system should be deployed in the outer sections of the network. This will provide preventive measures and the control required to combat both existing and new threats, while placing an intrusion detection system inside the firewall and at critical internal network nodes will provide confirmation and visibility of internal activity. The expenses linked to this type of deployment are far below those required to deploy both techniques in parallel.

How database security could be reconfigured to maximize security

This can be attained through the deployment of information technology, to the degree that ACME Software Solutions critically depends on its information technology infrastructure in order to function. A database administrator faces a severe challenge in ensuring that this IT infrastructure is secure, because this can result in poor controls being implemented as well as higher costs. Nonetheless, the management of ACME Software Solutions is capable of accessing critical information. To that effect, it ought to comply with rules so as to minimize risks. The identity management process should be improved, encompassing the processes that control access, provisioning, and authentication. In order to improve ACME's effectiveness, the organization should be open enough to permit customers and partners to access information and purchase products securely. Web services at ACME Software Solutions enable the incorporation of partners and workers via the internet. Internal processes and systems are integrated by web services, and these solutions can then be extended to trusted corporate partners.
Web services have special security requirements. Distributed identities can be possessed by both service providers and service consumers, and different security domains could have different identities. In order for an employee to gain access to the service he/she wants, he/she should use an identity (Paxson 148). The identities of either a consumer or a provider may be used to sign and encrypt the messages they exchange. Trusted transactions can occur whereby identity credentials are exchanged between a consumer and a provider within the initial messages. Thus, a database administrator at ACME Software Solutions should implement the provisioning of identities. It is perfectly possible to design a corporate service with no identity if it will act on behalf of a client; this situation permits anonymous access, because the client does not have an identity. According to Ross, database security should support the deployment of standards such as Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Definition Language (WSDL), Universal Description, Discovery and Integration (UDDI), Security Assertion Markup Language (SAML), and Service Provisioning Markup Language (SPML) (387). In an on-demand computing environment, that is, where servers are deployed and configured automatically, it is vital to guarantee that security strategies are maintained and deployed properly. In such an environment, one cannot guarantee that user identities have been properly provisioned and that users have secure and convenient access to their applications. To guarantee database security, a database administrator should use a microcomputer to control physical access. To that effect, both physical access and access to information technology systems will be included in the problems of monitoring, provisioning, reporting, authentication, and de-provisioning (Ross 390).
Also, it is necessary that a single credential is used to authenticate both cyber access and access to physical resources. The digital identity ought to be managed by ACME Software Solutions across the entire firm, authenticating to all assets of the organization with a single credential that provisions all entrance badges, information technology systems, devices and web services, and secures access to databases, files and directories, while ensuring that these services are monitored. Finally, the database administrator should use the OSE (Open Security Exchange) to promote open standards at ACME for converging information technology and physical security management.

How security functionality could be tested in order to make sure that everything is operating as expected

Functional testing will guarantee that the network design for ACME Software Solutions behaves in the expected manner. Thus, it is mainly based on the requirements of the software. For instance, if the security requirements indicate that all user inputs ought to be checked, then functional testing is the part of the process that will determine whether the implementation of this requirement works properly in future. On the other hand, risk-based testing is mainly based on the risks of the software, and each test probes a particular risk that was identified previously during risk analysis. For example, in web-based applications a probable risk is injection attacks, where an attacker fools the server into displaying the results of arbitrary SQL queries (Sebring and Whitehurst 57). In carrying out risk-based testing in future, a risk-based test will actually attempt to carry out an injection attack. In situations where ambiguous requirements are identified in risk analysis, testers ought to find out how these ambiguous requirements may manifest themselves as vulnerabilities.
The software used at ACME should be tested so that it adheres to its well-designed requirements. In view of the fact that requirements exist at different levels of abstraction during the software development process, functional testing is likely to occur at different levels of abstraction and during different phases of testing. In addition, a variety of test plans should in future employ functional testing while referring to a particular test phase. Often, the terminology linked to software testing lacks uniformity. For functional testing to be understood, it is necessary to understand the role of functional requirements in software development. In general, requirements originate from two sources: some stem from improvements defined during risk analysis; others are defined up-front, that is, from information security or regulatory compliance policy issues. In most cases, a requirement takes the following form: "when a specific thing happens, then the software should respond in a certain way." For instance, a requirement may indicate that if a GUI window application is closed by a user, then the application ought to shut down (Heberlein and Wolber 297). This manner of presenting requirements is suitable for the tester, who can simply introduce the "if" part and then verify that the software used at ACME behaves as expected. For example, a typical requirement may indicate that the URL should permit only certain characters, or that a user's account is disabled after three unsuccessful login attempts. Future testing of these requirements can be done in traditional ways, such as trying three unsuccessful login attempts. The tester's life is simplified by the common practice of making sure that each requirement is mapped to a particular software artefact that was meant to implement that requirement.
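The two requirements just quoted (lockout after three unsuccessful logins, and a URL that permits only certain characters) written out as code artefacts with their functional tests, following the requirement-to-artefact-to-test mapping described here. This is an added example and not code from the original report; the account store, the permitted-character set and the sample users are constructed assumptions, and the last test doubles as the risk-based injection probe from the previous section.

```python
"""Functional tests for two requirements quoted in the report, laid out as the
three-way mapping requirement -> code artefact -> test:
  R1: a user's account is disabled after three unsuccessful login attempts;
  R2: a URL may contain only certain permitted characters.
Added example, not part of the original report. The account store, the
permitted-character set and the sample users are constructed assumptions."""
import hashlib
import hmac
import re
import secrets

MAX_FAILED_LOGINS = 3                              # R1 threshold from the report
URL_PERMITTED = re.compile(r"[A-Za-z0-9/_.~-]+")   # R2 allow-list (assumed here)


class AccountStore:
    """Code artefact implementing R1. Passwords are kept as salted PBKDF2
    digests, and an unknown user gets the same 'invalid' answer as a wrong
    password so the login endpoint does not reveal which accounts exist."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = {"salt": salt, "digest": self._digest(password, salt),
                                    "failures": 0, "disabled": False}

    def login(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return "invalid"
        if acct["disabled"]:
            return "disabled"            # R1: the right password no longer helps
        if hmac.compare_digest(self._digest(password, acct["salt"]), acct["digest"]):
            acct["failures"] = 0         # a success resets the counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_LOGINS:
            acct["disabled"] = True      # third failure disables the account
        return "invalid"


def url_is_permitted(url):
    """Code artefact implementing R2. fullmatch() means a single stray
    character (quote, space, angle bracket) rejects the whole URL."""
    return URL_PERMITTED.fullmatch(url) is not None


def check_r1_lockout_after_three_failures():
    """Functional test for R1: the 'if' part is three wrong passwords; the
    expected response is that even the correct password is then refused."""
    store = AccountStore()
    store.add_user("alice", "correct-horse")        # constructed sample user
    results = [store.login("alice", "wrong") for _ in range(3)]
    results.append(store.login("alice", "correct-horse"))
    return results


def check_r1_success_resets_counter():
    """Boundary test for R1: failures separated by a success must not add up."""
    store = AccountStore()
    store.add_user("bob", "s3cret")                 # constructed sample user
    for guess in ("x", "y"):
        store.login("bob", guess)
    first = store.login("bob", "s3cret")
    for guess in ("x", "y"):
        store.login("bob", guess)
    return first, store.login("bob", "s3cret")


def check_r2_url_characters():
    """Functional test for R2 that doubles as the risk-based probe: the
    characters an injection string needs (quote, space, '=') are refused."""
    return (url_is_permitted("/products/item-42.html"),
            url_is_permitted("/products/item.html' OR 1=1"))
```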
This will assist in the prevention of chaotic code, but it also means that a software tester who is questioning a particular requirement knows which code artefact has to be tested. Overall, there exists a three-way mapping among functional tests, functional requirements, and code artefacts. Functional testing may be interfered with by negative requirements. Mapping requirements to particular software artefacts may be problematic for a requirement such as "no module may be susceptible to buffer overflows," because the requirement is not implemented in a particular place. Such requirements are often referred to as negative requirements, because they indicate what the software ought not to do, as opposed to what the software ought to do. In most circumstances, as Teng observes, such requirements can be articulated as probable risks, because "there is a risk of certain software modules being compromised with buffer overflow attacks" (60).

Network Redesign and diagrams of the proposal

Conclusion

If ACME Software Solutions is incapable of staying ahead of the intruders, the attacker might realize that, and then he/she will be one step ahead of the organization. Thus, a network-based intrusion detection system ought to be comprehensive so as to cover the organization if it has missed that vital step which the intruders were aware of. If the right NIDS strategy is selected, then the corporate network will remain secure.

Works Cited

Amoroso, Edward. Introduction to Internet Trace Back, Response, Surveillance, Traps, and Correlation. New Jersey: Sparta, 1999.
Heberlein, Todd, and David Wolber. "Monitoring a Network Security." Security and Privacy, Oakland (1990): 295–306.
Kathleen, Jackson, and David DuBois. An Approach to Network Intrusion Detection. National Computing Security, 1991.
Lunt, Teresa. "Detecting Attackers in Computer Systems." Computer Technology and Auditing. SRI International, 1993.
Paxson, Vern. "A System for Detecting Network Attackers in Real-Time." USENIX Security, San Antonio, 1998.
Ramstedt, Paul, and Cheri Dowell. Computer Watch Data Reduction Tool. Washington, DC: National Computer and Security Conference, 1990.
Ross, Anderson. Security Engineering. New York: Wiley, 2001. 386–390.
Sebring, Michael, and Alan Whitehurst. Expert Systems: Intrusion Detection Systems. National Computer Security Conference, 1998.
Smaha, Stephen. "Intrusion Detection System: Haystack." Computer Security Applications, Orlando, 1988.
Snapp, Steven, and James Brentano. "Distributed Intrusion Detection System: Architecture and Early Prototype." National Computer Security Conference (1991): 166–175.
Teng, Henry. Real-time Anomaly Detection: An Inductively Generated Patterns. Security and Privacy, 1990.
Vaccaro, Liepins. Detection of Computer Session Activity that is Anomalous. Symposium on Privacy and Security, 1999.