Lab 2: Snort and Wireshark
Samba Lompo, CSEC630

1. When running Snort IDS, why might there be no alerts?

There are a couple of reasons why there might be no alerts when running Snort IDS. The first is configuration: the administrator has to tune Snort to the network before it will produce any alerts. Since Snort works from a ruleset, it can mistakenly be set to watch a port other than the one the network is actually using. This mistake can happen either by keeping the Snort default settings or when users try to adjust them to their own network requirements. The point is that when the Snort default settings are changed to rules other than those the website provided, the administrator might have disabled packet sniffing on a specific port …
Finally, gathering all this information would enable the network administrator to adjust the IDS to the attacks specific to that network.

4. What are the disadvantages of logging more information to the alerts file?

The disadvantage of logging more information to the alerts file is that it would reveal all the weaknesses and defenses of the network to an attacker. With that information, the attacker can also tailor his attack to use the other ports that are not being monitored by the IDS. Worse, the system can be compromised without anyone noticing.

5. What are the advantages of using rule sets from the Snort web site?

The advantage of using rule sets from the Snort website is that Snort has a very flexible rule-set configuration, which enables the administrator to write his own rule sets based on previously seen vulnerabilities. This flexibility therefore helps the administrator insert new rule sets into the rule base for a newly found attack. Also, each rule is developed and tested using the same rigorous criteria and standards the VRT uses for Sourcefire customers.

6. Describe (in plain English) at least one type of ruleset you would want to add to a high-level security network and why.

A couple of rules that can be added to a high-level security network are: Exploit rules: these rules detect direct exploits; generally, if we are looking for a Windows exploit, such as Veritas, etc., they
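As an added illustration of the port misconfiguration described in question 1 (a constructed Snort 2 fragment, not part of the lab write-up), the weak setting and the corrected one side by side. The network, ports and rule are assumptions for the example:

```snort
# Constructed snort.conf excerpt: the web server listens on TCP 8080,
# but the port variable only covers 80, so the rule below never fires.
ipvar HOME_NET 192.168.1.0/24      # must match the monitored subnet; a wrong HOME_NET also silences alerts
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80]            # misconfigured: 8080 is not listed

# Corrected: list every port the servers actually use.
# portvar HTTP_PORTS [80,8080]

include $RULE_PATH/local.rules

# local.rules: the rule only matches traffic to $HTTP_PORTS, so the
# port variable decides whether any alert is ever generated.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL directory traversal attempt in URI"; \
    flow:to_server,established; \
    content:"../"; http_uri; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )
```

`snort -T -c snort.conf` validates the syntax, but it cannot tell that a port variable omits a port a server really uses, so HOME_NET and the port variables have to be checked against the actual services on the network.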
Despite the presence of network security devices such as firewalls and other security appliances, today's corporate networks are still vulnerable to both internal and external attacks by hackers intent on creating havoc. By proactively
Question 1.1. (TCO 1) Security policy contains three kinds of rules as policy clauses. What are they? (Points : 5)
There are multiple aspects of security in this network, which I have tried to implement as much as possible. This is where the CIA triangle comes into play: confidentiality, rules and limits on access to information; integrity, making sure the data is accurate and trustworthy; availability, having reliable access to the information. I am going to talk about each aspect in a list format and explain how it is used in my network. One thing that will be performed on all network devices is system updates and patches. They will happen on a monthly basis, on a weekend when the networks are not being used.
This will benefit me while generating a security strategy for the Network and its hardware.
“Security needs to be addressed as a continued lifecycle to be effective. Daily, there are new attack signatures being developed, viruses and worms being written, natural disasters occurring, changes in the organization workplace taking place and new technologies evolving; these all affect the security posture in the organization” (King, 2002). This being said, it is important to evaluate firewall and router rule sets more frequently. The possible threats against this policy include improperly configured network infrastructure, which leads to a domino effect that could start with malicious programming and end in data loss. Many of these threats may be unintentional, as some users may not be aware of the risks and of how their processes and procedures open the door for such attacks. For this reason alone, a more frequent evaluation is needed. This vulnerability could lead to data loss and the exposure of trade secrets, client lists and product designs. For most companies the exposure of such information could mean financial collapse, as the company no longer has the competitive edge that makes it the industry leader. While the likelihood of this threat is very high, “security risks to the network exist if users do not follow the security policy. Security weaknesses emerge when there is no clear-cut or written security policy document. A security policy meets these goals:
Snort has more than 3000 predefined rules that are free to download from the snort.org website; these rules are precise and cover a wide range of
as scan for ports/services. OpenVAS is used to scan for vulnerabilities. It can also perform an
The KDDCup99 dataset was introduced at the Third International Knowledge Discovery and Data Mining Tools Competition, which was held by DARPA in 1999. KDDCup99 is a refined version of the DARPA 1998 dataset, as it contains only network data [3]. KDDCup99 is commonly used by developers and implementers of new IDSs to evaluate their systems. IDSs take the KDDCup99 dataset as input to train and test the system and to check the performance of the IDS in classifying and detecting attack records. The KDDCup99 dataset is used by most researchers because it contains 22 different attack types, which can be classified into the four main network attack categories discussed in the previous section. The full DARPA dataset consists of approximately 4,900,000 connection vectors, where each connection vector consists of 41 features and is labelled as either normal or an attack, with exactly one particular attack type [38]. Among the 41 features of a connection, only sixteen significant attributes are considered: A1, A5, A6, A8, A9, A10, A11, A13, A16, A17, A18, A19, A23, A24, A32, A33 [38]. The KDD 99
5. What are the three primary methods for implementing security on this network, as well as the advantages and disadvantages of each?
What services are to be permitted and denied access to your network or computer? Make a list of what enters and leaves your network. Discuss
6. Describe (in plain English) at least one type of rule set you would want to add to a high level security network and why?
2. With the possibility of three business computers in his home, and all of his business records possibly vulnerable, this would be a good time to advise Bill on how to set up a routine plan to protect and defend his new network. Provide a list of the five most important concerns for safety and security of the network and the computers in the network. For each concern, specify the action to be taken, and if applicable, what software you recommend be added to the system. Justify each of your recommendations.
The firewall systems will be used to prevent scanning activity as well as to block malicious IPs from entering the network. This is critical because blocking this type of traffic can save a network, and the people who monitor it, a lot of time on incident investigations. When hackers scan a network, they are looking for replies from any port(s) that will respond. This helps them fingerprint a system, and by knowing what is on a network they can use this information to craft attacks. Once this is identified by a security team, they can block the intruding IP at the firewall. This will prevent all traffic to and from the suspicious IP in question.
Identification of controls already in place – including policies, firewalls, applications, intrusion detection and prevention systems, virtual private networks, data loss prevention and encryption.
In an e-commerce world, organizations are susceptible to hackers and intruders. Thus they create information technology protection systems to reduce the possibility of intrusions occurring. Intrusions are carried out by uninvited outsiders (sometimes intruders can be internal users, such as employees) who try to access an organization’s information system over the internet with the intent to gain a competitive advantage of some sort. Organizations depend on security technology to avoid loss from security breaches, as well as to improve their efficiency and effectiveness. However, firewalls are also vulnerable to errors, and implementing a security technology comes with challenges and critical decisions that can become a financial burden on the organization if done without seriousness and commitment. “Information security is about managing risk, and managing risk is about discovering and measuring threats to information assets; and taking actions to respond to those threats” (Al-Awadi & Renaud, 2007, p. 3). This paper will discuss a few aspects that are involved with firewalls and intrusion detection systems.