Discussion I
Career Relevancy
Being familiar with Intrusion Detection Systems, firewalls, and honeypots will benefit your career in information security by making you aware of oncoming and evolving threats. Penetration testing will be an important skill to have as a cyber security analyst. Penetration tests can show whether attackers' attempts have bypassed any network security perimeters. The cyber security analyst will have to ensure that firewall/IDS rules have been enforced and that network security policies are enacted.
Background
To understand how an attacker evades the security of firewalls, IDS, and honeypots, the ethical hacker should have an idea of their functions, roles, placement, and the designs implemented to protect an organization's network. This section provides an overview of these basic concepts.
An Intrusion Detection System (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts security personnel immediately upon detecting an intrusion. An IDS is highly useful because it continuously monitors both inbound and outbound network traffic and checks for suspicious activity that may indicate a breach of network or system security. The IDS checks traffic for signatures that match known intrusion patterns and signals an alarm when a match is detected. An IDS is used to detect intrusions, while an Intrusion Prevention System (IPS) is used to both detect and prevent intrusions on the network.
Main Functions of IDS:
· An IDS gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse.
· An IDS is also referred to as a "packet sniffer," because it intercepts packets traveling along various communication media and protocols, usually TCP/IP.
· The packets are analyzed after they are captured.
· An IDS evaluates traffic for suspected intrusions and signals an alarm after detection.
Where does the IDS reside in the network?
One of the most common places to deploy an IDS is near the firewall. Depending on the traffic to be monitored, the IDS is placed outside or inside the firewall to monitor suspicious traffic originating from outside or inside the network, respectively. An IDS placed inside is ideal when it is near a DMZ; however, the best practice is a layered defense that deploys one IDS in front of the firewall and another behind it, inside the network.
Before deploying the IDS, it is essential to analyze the network topology to understand how traffic flows to and from the resources an attacker could use to gain access to the network, and to identify the critical components that are likely targets of attacks against the network. Even after the position of the IDS has been decided, it must still be configured carefully to maximize the effectiveness of network protection.
A honeypot is a computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit use of the host system in order to penetrate an organization's network. It can be run as a fake proxy that logs the traffic passing through it, in an attempt to expose attackers by sending complaints to the victims' ISPs. It hosts no authorized activity and has no production value, so any traffic to it is likely a probe, attack, or compromise; whenever there is any interaction with a honeypot, it is most likely malicious activity. Honeypots are unique in that they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications: they help in preventing attacks, detecting attacks, and gathering information for research. A honeypot can log port access attempts or monitor an attacker's keystrokes, and these can be early warnings of a more concerted attack. Maintaining a honeypot requires a considerable amount of attention.
Firewalls, IDSs, and honeypots must be deployed and configured securely to avoid attacks on the network security perimeter. This section discusses various countermeasures and best practices for hardening these network security perimeters.
To defend against IDS evasion:
· First, shut down the switch ports associated with known attack hosts.
· Perform an in-depth analysis of ambiguous network traffic for all possible threats.
· Use TCP FIN or Reset (RST) packets to terminate malicious TCP sessions.
· Look for NOP ("no operation") codes other than 0x90 to defend against polymorphic shellcode.
· Train users to identify attack patterns, and regularly update and patch all systems and network devices.
· Deploy the IDS only after a thorough analysis of the network topology, the nature of the network traffic, and the number of hosts to monitor.
· Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.
· Ensure that the IDS normalizes fragmented packets and reassembles them in the proper order.
· Define the DNS server for the client resolver in routers or similar network devices.
· Harden the security of all communication devices, such as modems and routers.
· If possible, block ICMP TTL-expired packets at the external interface and set the TTL field to a sufficiently large value so that the end host always receives the packets.
· Regularly update the antivirus signature database.
· Use a traffic normalization solution at the IDS to protect the system against evasions.
· Store attack information (attacker IP, victim IP, timestamp) for future analysis.
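The normalization and fragment-reassembly items above, as an added example that is not part of the course text: a minimal IDS pre-processing stage in Python that reassembles out-of-order fragments, resolves conflicting overlaps with a fixed first-fragment-wins policy while flagging the ambiguity, and only then matches a signature. The simplified fragment layout, the signature string, and the sample traffic are constructed assumptions.

```python
# Added example (not from the course text): a minimal traffic-normalizer stage for
# an IDS. Fragments may arrive out of order or overlap; conflicting overlaps are
# resolved first-fragment-wins and flagged, and only the result is signature-matched.
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    data: bytes
    more: bool       # True if more fragments follow (like the IP MF flag)

@dataclass
class Normalized:
    payload: bytes   # reassembled bytes, or b"" if the datagram is incomplete
    ambiguous: bool  # True if two fragments disagreed about the same byte
    complete: bool

def normalize(frags):
    """Reassemble in arrival order; earlier data wins and conflicts are flagged."""
    buf, ambiguous, end = {}, False, None
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos not in buf:
                buf[pos] = b
            elif buf[pos] != b:
                ambiguous = True          # same offset, different bytes: evasion sign
        if not f.more:
            end = f.offset + len(f.data)  # the last fragment fixes the total length
    complete = end is not None and all(p in buf for p in range(end))
    payload = bytes(buf[p] for p in range(end)) if complete else b""
    return Normalized(payload, ambiguous, complete)

def inspect_datagram(frags, signature=b"/etc/passwd"):
    """Return (alert reason or None, Normalized) for one datagram's fragments."""
    n = normalize(frags)
    if n.ambiguous:
        return "conflicting-overlap", n   # alert even before looking at content
    if n.complete and signature in n.payload:
        return "signature-match", n
    return None, n

# Constructed sample traffic. Fragments of one request arriving out of order:
OUT_OF_ORDER = [Fragment(9, b"passwd HTTP/1.0", False), Fragment(0, b"GET /etc/", True)]
# The same request with a conflicting overlap at bytes 4-8 ("/etc/" versus "/tmp/"):
OVERLAP = [Fragment(0, b"GET /etc/", True), Fragment(4, b"/tmp/", True),
           Fragment(9, b"passwd HTTP/1.0", False)]

if __name__ == "__main__":
    for name, frags in (("out_of_order", OUT_OF_ORDER), ("overlap", OVERLAP)):
        reason, n = inspect_datagram(frags)
        print(name, reason, n.payload)
```

An end host that resolved the overlap last-fragment-wins would see a different request than the one the IDS matched, which is why the normalizer alerts on the conflict itself rather than trusting either version.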
To defend against firewall evasion:
· Configure the firewall so that an intruder's IP address is filtered out.
· Set the firewall ruleset to deny all traffic and enable only the services required.
· If possible, create a unique user ID to run the firewall services rather than running them under the administrator or root IDs.
· Configure a remote syslog server and apply strict measures to protect it from malicious users.
· Monitor firewall logs at regular intervals and investigate all suspicious log entries found.
· By default, disable all FTP connections to or from the network.
· Catalog and review all inbound and outbound traffic allowed through the firewall.
· Run regular risk queries to identify vulnerable firewall rules.
· Monitor user access to the firewall and control who can modify its configuration.
· Specify the source and destination IP addresses as well as the ports in each rule.
· Notify the security policy administrator of firewall changes and document them.
· Control physical access to the firewall.
· Take regular backups of the firewall ruleset and configuration files.
· Schedule regular firewall security audits.
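The deny-all, explicit source/destination/port, and FTP items above, as an added example that is neither the course's nor any firewall vendor's code: a small first-match rule evaluator in Python with a lint pass that flags a permissive rule set next to its hardened counterpart. The rule format, the IP ranges, and both rule sets are constructed for illustration.

```python
# Added example (not from the course text): a first-match rule-set evaluator plus a lint
# pass for the checklist above (default-deny, explicit source/destination and ports,
# FTP not allowed by default). Rule format and both sample rule sets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"       # CIDR; the defaults are deliberately the risky "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

def decide(default, rules, proto, src, dst, dport):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action
    return default

def lint(default, rules):
    """Findings a periodic rule audit should raise for this rule set."""
    findings = []
    if default != "deny":
        findings.append("default policy is not deny: unmatched traffic passes")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if ip_network(r.src).prefixlen == 0 and ip_network(r.dst).prefixlen == 0:
            findings.append(f"rule {i}: any source to any destination")
        if r.dport is None:
            findings.append(f"rule {i}: no port given, every {r.proto} port is open")
        if r.proto in ("tcp", "any") and r.dport in (None, 21):
            findings.append(f"rule {i}: FTP control (tcp/21) is reachable")
    return findings

# Constructed sample rule sets: a permissive one and its hardened counterpart.
WEAK = ("allow", [Rule("deny", "tcp", dport=23), Rule("allow", "tcp")])
HARDENED = ("deny", [Rule("allow", "tcp", dst="10.0.0.5/32", dport=443),
                     Rule("allow", "tcp", src="10.0.0.0/24", dst="10.0.0.10/32", dport=22)])
```

Calling `lint(*WEAK)` lists the default-allow policy and the any-to-any, all-ports, FTP-reachable rule, while `lint(*HARDENED)` returns nothing and `decide(*HARDENED, "tcp", "203.0.113.7", "10.0.0.5", 21)` falls through to "deny".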
Penetration testing is the process of analyzing a system to determine its weaknesses. Penetration tests should be conducted on network security perimeters to ensure that they can withstand attackers' attempts to bypass them. Penetration testing involves simulating all the possible attacks on the network security perimeter in an effort to bypass it. This section describes and explains the steps required to perform an IDS/firewall/honeypot penetration test.
Why Firewall/IDS Pen Testing?
· To check if the firewall/IDS properly enforces the organization's firewall/IDS policy.
· To check if the IDS and firewalls enforce the organization's network security policies.
· To check if the firewall/IDS is good enough to prevent external attacks.
· To check the effectiveness of the network's security perimeter.
· To check the amount of network information accessible to an intruder.
· To check the firewall/IDS for potential breaches of security that can be exploited.
· To evaluate whether the firewall/IDS rules correspond to the actions they actually perform.
· To verify whether the security policy is enforced correctly by the sequence of firewall/IDS rules.
A penetration tester needs to examine the organization's network perimeter devices, such as firewalls and IDSs, to reduce the risks to the network from outside threats. Firewall/IDS penetration testing helps in evaluating the firewall and IDS for their ingress and egress traffic filtering capabilities.
Checking and updating the firewall and IDS rules is an essential component of penetration testing. Based on these rules, traffic coming from outside the network is filtered and analyzed against various threats. A pen-tester can even craft malicious packets to test firewall and IDS rules, which helps in the security assessment. After obtaining the security assessment report, changes to the firewall and IDS rules can be made to enhance network security.
Prompt
When is it appropriate for organizations to not use countermeasures to protect against IDS/Firewall evasions? Consider limits of liability, data exposure, consumer confidence, etc. in your response and secondary responses.
For your citation, you might use articles that show examples of different countermeasure techniques for avoiding intrusions in information security.
Your initial and reply posts should work to develop a group understanding of this topic. Challenge each other. Build on each other. Always be respectful but discuss this and figure it out together.
Reply Requirements
You must submit:
· 1 main post of 200+ words with 2 in-text citations and references (follow the Institution Writing Guidelines)
Unique (no repeating something you already said)
Substantial in nature, which means there has to be some meat to the reply, not something like: "Good job, Rasha, your post is excellent." A substantial post will do one of the following:
1. Extend the conversation deeper,
2. Challenge the post being responded to, or
3. Take the conversation in a career-relevant tangent
Remember that part of the discussion grade is submitting on time and using proper grammar, spelling, etc. You're training to be a professional—write like it.