Penetration Testing ACME Software Solutions Ltd - Report Example

Running Head: Penetration Testing ACME Software Solutions ltd Penetration Testing ACME Software Solutions ltd Insert Name: Tutor: Introduction Securing and managing today’s multifaceted computer based network systems is not only demanding and challenging. Organizations’ of all sizes have to safeguard their company resources and business information and or transactions from foreign intruders and competition. They are aware of information risk in an interconnected collaborative computing environment. Software and hardware manufacturers have sought to have the products meet some if not all requirements of securing computing resources.Many organizations would find it hard to function successfully devoid of the added effectiveness and interactions enabled by the Internet. Simultaneously, the Internet has added new security challenges occasioned by intruder attacks, manual and automated. This assignment report details process of intrusion detection of the ACME Software Ltd Network and computer System. First the document identifies and describes security flow in the ACME Software Limited systems, CVE snort signatures. Evaluation and illustration of the System Vulnerability is explained. Finally a correlation of the snort rules in operation is given as extracted from the provided VMware files of the whole network and computer resources. A corrected and new and secure design of the network is also provided and illustrated in a diagram. ACME network limited consist of the following network and computing resources a firewall that is kept up-to-date, a Network based Intrusion detection System (NIDS), A web server running Microsoft Windows 2000 server Service Park 4 and Microsoft Internet Information server (IIS) version 5.0, numerous All employee workstations running a standard Windows XP service pack 2 installation, FTP server running Microsoft Windows 2000 Server sp4 operating system and FTP 5.0 (part of IIS 5.0). . Identification & Description of Security Flaws The central challenge of Network Technician is in securing the network and its related computing assets. Network penetration and or hacking process start by locating the preferred target host and then scanning it to mark its weaknesses. Various tools and applications exist at the disposal of the security administrator or Network technician to diagnose network based host from the Internet .All the tools used in port scanning and intrusion test use well known processes and exploit known weaknesses in the TCP/IP protocol to expose computer resources in the desired target. Commonly used weaknesses in the protocol are through: ICMP echo enquiries, ICMP sweep, TCP ping scan, DOS attack (McClure et al. 1999, pp. 31-6) Network diagnostic tools such as port scanners and applications that probe the network inform the security or Network administrator that a foreigner is able to target their computing resources. It is common for anyone to suggest that all ICMP echo requests aimed at the network perimeter security device be blocked. This however would block the network from gaining the benefit of getting connected in the first place. It will deny the organization benefit of collaboration and utilization of current web 2.0 social networking tools. It is therefore imperative that an organization keeps its network open for specific datagram packets. In other situation the network intruder may send many automated requests, that in effect flood the target hosts network adapters with datagram packets. These results in disabling the actual request leading to phenomena called denial of service attacks. The most common types of such attacks are ICMP echo request/reply, ACK and RST flags, TCP floods with SYN, ping floods and or UDP floods (Houle & Weaver 2001, p. 3). With increase in automation and readily available probes and tools in form of Malware and network monitoring applications hackers are able to find weak system. They would alternatively launch automated scripts or programs and then distribute across the internet using port listener application or an SMTP server or other web server application thereby compromising the network host computer. Currently we are having Microsoft windows based malware or scripts spreading the network attacks. Internet service providers hosting large windows based server farms have been a target. Virtual private networks using ADSL broadband and or cable connected to the local telecommunication, that are automatically assigned IP addresses through dynamic configuration may at times assign a IP addresses of the Virtual private network. The net effect of this is to bypass the firewall protection. The security policy of the controlling end of the VPN will dictate the exposure of the VPN client system. (Houle & Weaver 2001, p.13-4). Another weakness comes through the passwords supplied by default to managed network assets and resources such as switches, routers, and concentrators. Routers have been known to be safe, but attacks have been known to infiltrate the routing protocol. This could have very serious implications to the Internet itself. . Snort Signatures Upon evaluation and investigation of the network I have evaluate six snort signatures from the ACME Software Solutions ltd network. This follows a detailed study of the same network and implementation of TCP/UDP/ICMP packets with our snort system in the network based on images from the college course website. This is a clear evidence of the system vulnerabilities that exist in this network as explained in each of the snort signatures. In the same as we evaluate the snort signature we will be able to notice the vulnerabilities that exist in the system, these are clearly explain in the description of each snort signature and the action that may need to be taken. This clearly explain the evidence of system vulnerability Snort Signature (1) SID – 222 DDOS ACME ICMP possible communication .This happens when ICMP traffic is sent between ACME Software Solutions ltd network hosts. When ACME hosts communicate using ICMP, they most often use an ICMP echo reply with an ICMP ID number of 0 and with a series of A's in the datagram payload. Denial of service is the only plausible explanation as to why the datagram packets are transported. In network we are able to see that ACME especially the employee workstations communicate with each other for various reasons .To alleviate this and further improve on the overall system security a packet-filtering firewall and an Intrusion Detection System is configured to prevent unwanted traffic to the network . Snort Signature (2) SID – 504 MISC source port 53 to 1024 This is brought about when non-legitimate traffic is noticed by the Intrusion Detection System. Traffic from Transmission Control Protocol port 53 is used by Dynamic Named servers. Normal dynamic server’s traffic uses the UDP datagram   a foreign intruder could use a Transmission Control Protocol source port of 53 to pass through a inadequately configured protection firewall.   Snort Signature (3) SID – 521 MISC large UDP packet.UDP packets are used for small data payloads. In many cases UDP packets payloads are typically less than 4000. In this network (ACME) denial of service attacks could be one of the reasons for such datagram payloads. Snort Signature (4) SID – 522 MISC Tiny Fragments .This is generated when dubiously small IP version 4 data fragments are detected by the Intrusion detection system. Typically a router linking dissimilar networks with different MTU would fragment data packets so that communication of relatively bigger packets across the network of smaller MTU. Network devices including firewall and intrusion detection system appliances are prone to fragmented TCP or UDP data headers. This at times allows interchange which should have been filtered to pass through. Any IDS or firewall lacking proper IPv4 fragment reassembly could be affected by such attacks. To remedy this condition it is suggested that packet-filtering rules be set to prevent unsuitable traffic to the network. Snort Signature (5) SID – 523 BAD- TRAFFIC IP Reserved bit set This event is generated when packets on the network that have the reserved bit set are detected by the IDS. In normal scenarios packets do not use the IP Reserved bit. One explanation for the scenario could be that an attacker is trying to instigate covert channel communications. It may be an indication of unauthorized network use, reconnaissance action or system compromise. All system are susceptible to such attacks. A hacker could create packets with IP set aside bit set using packet generator tools. The way to avoid this attack is to disallow packets that have the reserved bit set in IP. Snort Signature (6) SID – 524 BAD TRAFFIC TCP port 0 traffic .This happens when TCP packets with target port field 0 is detected by the IDS. In normal scenarios TCP packets are not destined to port 0.It may be an indication of illegal network use, exploration activity or system compromise. The hacker may well send packets to port 0 on the target host. This abnormality may be the result of an attacker trying to verify the existence of a host at a particular address which is listening to requests as a prelude to an attack. This attack can be avoided by not allowing TCP traffic to port 0. Network Redesign & Diagram In order to improve the security of the ACME network a new network design will be needed. Considerations on the new network design and any new devices that need to be introduced will be based on the perimeter security as controlled by the NIDS and also the specific resources that need to be secured in the network hosts. The new network will have a careful consideration of the access and equipment security protection, who has access to the system, purpose of gaining access, the switches in use will be fully managed layer four based integrated with routing capabilities, VLAN and switched network based security practices on the configuration of switches and their trumping to avoid flooding caused by denial of service broadcasts. Another aspect of the new design will be the media in use and ensuring that it is protected from .Data link and wireless network security of the bridge will need to be improved through wireless access points. Internet routing security and Internet protocols configurations and monitoring will be factored in the new design. TCP/IP services will need to be configured in a secure manner. The network ID systems have several limitations, including the need to synchronise with the host system’s behaviour in particular handling of IP and TCP protocol exceptions (Ptacek & Newsham 1998, p. 21-2) Timm (2001, 2001a) suggests that adequate NIDS management will reduce false positives and false negatives. Signature-based NIDS are efficient in detecting known attacks but may not detect unknown or modified attacks. In anomaly-based NIDS unusual activity, out of the normal pattern of network traffic, triggers the alarm. Even though false negatives are reduced, this method is not flexible. Original Network Diagram Redesigned Network Diagram Design Explanations Layer 4 to 7 based Router: Router that operate from OSI Layer 4 to Layer 7 NIDS /Concentrator: Network intrusion Detection System Wireless Bridge and Switch: A switching bridge for Wireless access Point Workgroup Switch: OSI layer 3 and layer 4 Switch with VLAN, and Trunking protocol Server 1: FTP SERVER, Server2: Web server Employee Workstation: Host workstations in the Network for Employees work. Firewall: A firewall Appliances with access controls Cloud: (Service provider network for Internet connection) REFERENCES Allen, J., Christie, A., Fithen, W., McHugh, A., Pickel, J. & Stoner, E. 1999, State of the Practice of Intrusion Detection Technologies [Online], Available: http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html , [Accessed 31 12 2009] Axelsson, S. 1998, Research in Intrusion-Detection Systems: A Survey [Online], Available: http://www.ce.chalmers.se/staff/sax, [Accessed 31 12 2009] Axelsson, S. 2000, Intrusion Detection Systems A Survey and Taxonomy [Online], Available: http://www.ce.chalmers.se/staff/sax/, [Accessed 31 12 2009] Bellovin, S., Leech, M. & Taylor, T. 2001, ICMP Traceback Messages [Online], Available: http://www.ietf.org/internet-drafts/draft-ietf-itrace-01.txt, [Accessed 31 12 2009] Carver, A., Hill, J., Surdu, J. & Pooch, U. 2000, ‘A Methodology for Using Intelligent Agents to provide Automated Intrusion Response’, Proceedings of the 2000 IEEE Workshop on Information and Security, United States Military Academy, West Point, NY, pp. 110-6 Cerf, V., Burleigh, S., Hooke, A., Turgerson, L., Durst, R., Scott, K. , Traveis, E. & Weiss, H. 2001, Interplanetary Internet (IPN): Architectural Definition [Online], Available: http://www.ietf.org/internet-drafts/draft-irtf-ipnrg-arch-00.txt, [Accessed 31 12 2009] CERT 2001, CERT/CC Statistics 1988-2001 [Online], Available: http://www.cert.org/stats/cert_stats.html, [Accessed 31 12 2009] Read More