Question

A physical security company has an innovative, patented product and critical secrets to protect. For this...

A physical security company has an innovative, patented product and critical secrets to protect. For this company, protecting physical security and safeguarding network security go hand in hand. A web application in the data center tracks the serialized keycodes and allows customers to manage their key sets. The customers include everyone from theft-conscious retail chains to security-sensitive government agencies. In this case project, how would the security company go about establishing solid network security to protect them against intrusions?

Answer #1

We will see this step by step.

First, what is an intrusion?

INTRUSION: An attempt to gain entry or access directed against a system or unauthorised parties

(OR) An attempt to disrupt the normal operations of a system or a network.

So we will see how the company will establish solid network security to protect them against intrusions.

PREVENTION IS IDEAL, BUT DETECTION IS A MUST

INTRUSION DETECTION SYSTEM:

  • An intrusion detection system monitors the system or network and produces reports and alerts.
  • A network-based IDS does so by watching network traffic.
  • An IDS monitors, but does not stop, intrusions.

It is best to stop an attacker while they are still at the beachhead, before they spread further.

So we have ways to prevent our system/network from intruders.

The network design for a small organisation looks like:

[Figure: network design for a small organisation. Labels: Internet, Firewall, IPS, Router, IDS, Intranet.]

The network design for a large organisation looks like:

[Figure: network design for a larger organisation. Labels: Internet, Firewall, IDS/IPS, Router, DMZ, WAP, Intranet.]

IPS (Intrusion Prevention System):

  • An intrusion prevention system (IPS) is an IDS that proactively reacts to prevent the system from attacks. For example, resetting a TCP connection (or resetting a firewall) when it looks like an attack is taking place.
  • Also known as IDPS (Intrusion Detection & Prevention System).

Take automated actions to combat an attack:

--> Configure the firewall to block the IP address of an intruder

--> Launch a separate program to handle the event

--> Save the packets in a file for further analysis

--> Terminate the TCP session by forging a TCP FIN packet to force a connection to terminate

An IPS is typically placed inline, so that it can actively respond to the connection.

Signature-based detection:

  • A database of signatures is compared to activity or behaviour.
  • String or pattern matching.
  • Similar to the way anti-malware looks for known malicious files and processes (for example: an SQL injection attack, a buffer overflow exploit).

Anomaly-based detection:

  • Anomaly-based detection looks for activity or behaviour that is out of the ordinary.
  • Statistical anomaly: activity that differs from the baseline activity (what normally happens in a network). For example: different ports, protocols or bandwidths used.
  • Protocol anomaly: traffic that does not conform to the protocol specifications. For example: something on port 80 that is not HTTP.

SNORT:

So to establish solid network security we can use an IPS.

Snort is a very popular IDS (it can also be used as an IPS).

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort has three primary uses. It can be used as:

  1. a straight packet sniffer like tcpdump,
  2. a packet logger (useful for network traffic debugging, etc.), or
  3. a full-blown network intrusion prevention system.

  • We will have simple signature-based rules
  • Various front ends are available
  • Other tools share the same rule set

[Figure: Snort processing stages: packet capture, stream reassembly, packet defragmentation, protocol decoding, normalisation, preprocessing, rule detection.]

So, Snort is one of the industry's top network intrusion-detection tools, but there are plenty of free alternatives:

  • Security Onion.
  • OSSEC.
  • OpenWIPS-NG.
  • Suricata.
  • Bro IDS.

Snort has influenced other IDS/IPS vendors in a huge way, either by the way they develop their software or by directly using Snort modules in their offering.

So to establish solid network security we can use the above mentioned tools to protect them against intrusions.

------------------------------------------------------------------------------------------------------------------------------------------------

Hope this will help
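
The three detection styles described in the answer above (signature matching, statistical anomaly against a baseline, and protocol anomaly on port 80), sketched as an added example that is not part of the original answer and is not Snort's own code. The signatures, flow records, host name and baseline values are all constructed for illustration.

```python
import re
import statistics

# Signature database (constructed, simplified): name -> byte pattern of known-bad content.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.I),
    "overflow-nop-sled": re.compile(rb"\x90{16,}"),
}
# What a well-formed HTTP/1.x request line looks like.
HTTP_REQUEST_LINE = re.compile(
    rb"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def signature_hits(payload):
    """Signature-based: names of every known pattern found in the payload."""
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(payload))

def protocol_anomaly(dst_port, payload):
    """Protocol anomaly: something on port 80 that is not HTTP."""
    return dst_port == 80 and HTTP_REQUEST_LINE.match(payload) is None

def statistical_anomaly(baseline, observed, threshold=3.0):
    """Statistical anomaly: observed value far from the baseline mean (z-score)."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # avoid dividing by zero
    return abs(observed - mean) / stdev > threshold

def inspect(flow, baseline_bytes):
    """Run all three detectors on one flow record and return the alert list."""
    alerts = ["signature:" + s for s in signature_hits(flow["payload"])]
    if protocol_anomaly(flow["dst_port"], flow["payload"]):
        alerts.append("protocol-anomaly:non-http-on-80")
    if statistical_anomaly(baseline_bytes, flow["bytes"]):
        alerts.append("statistical-anomaly:bytes")
    return alerts

# Constructed sample data: bytes per flow on a normal day, then four flows to inspect.
BASELINE_BYTES = [480, 510, 495, 530, 505, 490, 520, 500]
FLOWS = [
    {"dst_port": 80, "bytes": 505,
     "payload": b"GET /keysets/42 HTTP/1.1\r\nHost: keys.example\r\n\r\n"},
    {"dst_port": 80, "bytes": 515,
     "payload": b"POST /keysets HTTP/1.1\r\n\r\nid=1 UNION SELECT code FROM keycodes"},
    {"dst_port": 80, "bytes": 498, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst_port": 80, "bytes": 250000,
     "payload": b"GET /export HTTP/1.1\r\nHost: keys.example\r\n\r\n"},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow["payload"][:24], inspect(flow, BASELINE_BYTES))
```

Each flow trips at most one detector here, which shows why the answer lists the approaches separately: the signature check misses the non-HTTP banner and the oversized transfer, and the anomaly checks miss the injection string in an otherwise normal-sized request.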
