
Running Head: Intrusion Detection

Anja Both Intrusion Detection 1

Unit 2 Intrusion Detection and Incident Response

IT390

Anja Both
Professor Scott Paetzold
Kaplan University
April 14, 2012


Project Unit 2: Defense in Depth Improved Process Document

The purpose of a defense in depth strategy is to delay an attack and gain the time needed to contain or eliminate the threat completely. A defense in depth strategy is a layered security approach. It includes basic security controls such as firewalls, anti-virus programs, and password protection; beyond these, defense in depth strategies are typically built out with packet-filtering routers, application gateways, and intrusion detection systems (IDS). Layering security in this way forces additional work on the attacker: after breaching the firewall, the intruder still faces several more controls before reaching any data. While the attacker is working on the next layer, the IT department will have been alerted and will have taken steps to prevent further damage. Even if the first breach goes unnoticed, the remaining layers, commonly arranged on four levels, still provide a better level of protection than the firewall alone.

The four levels are commonly described as follows. The first level, the perimeter defenses, is where firewalls and IDSs sit. On the second level, the network integrity layer, policy-driven traffic management systems catch and block traffic anomalies in real time. The third level is the application gateway layer, with controls such as e-mail spam filters and VPNs. The final defense takes place on the host itself, in the fourth layer, the host integrity layer, with host intrusion detection systems (HIDS), intrusion prevention software, and personal firewalls (Ogren, E., 2004). All layers together provide a far more mature level of protection than a firewall alone.


No network is ever 100% secure, but we have implemented a layered security defense that provides strong protection. The figure below gives a visual overview of the layers, listed from the outermost to the innermost.

Figure: Defense in depth layers

Perimeter (Network Layer): Firewall, Network IDS/IPS, Gateway Anti-Virus
Host (Platform Layer): Host IDS/IPS, Desktop Anti-Virus, Server Anti-Virus, Patch Management, Server Certificates
Software (Application Layer): Web Service Security, Database Security, Content Filter, Data Encryption, Input Validation
Personnel (User Layer): Authentication & Authorization, PKI, Biometrics

Assuming our IDS has generated an alert that the firewall has been breached, we refer to our attack response model, which guides us through the steps of identification, control, recovery, and anticipation. In the identification step we monitor bandwidth for a sudden increase in traffic, review the firewall logs to determine whether an unusual number of packets has been dropped by the router, and check whether port scan activity has increased.


Once the attack has been identified, the necessary steps to contain it must be taken. Depending on the attack and how far it has advanced, these steps can include an enumeration of the entire infrastructure. To properly understand the entry points, we use network device logs, OS event logs, web server logs, database logs, FTP logs, and IDS logs to identify them. Knowing where the entry occurred, we then determine the threat we are facing, identify the services that must be disabled on the affected host, and identify all other hosts that depend on those services. The next step is to review and update the access control lists on the firewall and routers, blocking specific ports where necessary. Most importantly, once the attack is understood in detail, the IDS should be configured to alert our administrators on any recurrence.
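The identification step above (reviewing firewall drops and port scan activity) and the control step (turning what was found into firewall ACL entries and an IDS alert for the next occurrence) can be shown end to end on log data. The following script is an added example written for this document; it is not part of the paper or of any cited source. It assumes the firewall logs through the iptables LOG target in its usual syslog form, that a host touching ten or more distinct destination ports within a minute counts as a port scan, that more than eight drops in a minute is above our baseline, and that alerts are written as Snort rules. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables LOG-target lines as syslog records them (not a real capture).
# 203.0.113.7 probes ten distinct ports within a few seconds; 198.51.100.23 is background noise.
SAMPLE_LOG = """\
Apr 14 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
Apr 14 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Apr 14 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Apr 14 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Apr 14 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Apr 14 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Apr 14 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110
Apr 14 10:00:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143
Apr 14 10:00:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443
Apr 14 10:00:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=3389
Apr 14 10:00:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=8080
Apr 14 10:05:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=445
"""

# syslog timestamp, host, "kernel:", optional "[uptime]" plus the --log-prefix text, then IN=
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?) ?IN="
)


def parse_line(line):
    """Parse one iptables log line into a dict; return None for unrelated syslog lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # Everything from IN= onward is KEY=VALUE tokens; bare flags such as DF carry no '='.
    fields = dict(tok.split("=", 1) for tok in line[m.end() - 3:].split() if "=" in tok)
    prefix = m.group("prefix").split()  # e.g. ['DROP'] or ['[', '123.4]', 'DROP']
    return {
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "action": prefix[-1] if prefix else "",
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """Flag sources that hit at least min_ports distinct destination ports inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_src[e["src"]].append((e["ts"], e["dpt"]))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit as a start point
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def detect_drop_spike(events, threshold=8):
    """Count DROPs per minute and return the minutes whose count exceeds the baseline threshold."""
    per_minute = defaultdict(int)
    for e in events:
        if e["action"] == "DROP":
            per_minute[e["ts"].replace(second=0)] += 1
    return sorted((m.strftime("%b %d %H:%M"), n) for m, n in per_minute.items() if n > threshold)


def build_block_rules(scanners, sid_base=1000001):
    """Turn identified scanners into ACL entries and IDS rules that alert on a recurrence.

    Snort SIDs from 1000000 upward are reserved for local rules (assumed convention here)."""
    acl, ids = [], []
    for n, src in enumerate(sorted(scanners)):
        acl.append(f"iptables -I INPUT -s {src} -j DROP")
        ids.append(
            f'alert tcp {src} any -> $HOME_NET any (msg:"Known scanner {src} returned"; '
            f"sid:{sid_base + n}; rev:1;)"
        )
    return acl, ids


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    scanners = detect_port_scans(events)
    print("port scanners:", scanners)
    print("drop spikes:", detect_drop_spike(events))
    for rule in sum(build_block_rules(scanners), []):
        print(rule)
```

The port scan check deliberately looks at distinct destination ports rather than raw packet counts, so a single busy but legitimate client does not trip it, while the drop spike check covers the opposite case of one port being hammered. The generated rules are meant to be reviewed before they are applied; blocking a source address is cheap to undo, but automatic blocking on spoofable UDP traffic can be turned into a denial of service against your own clients.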

References


Fadia, A., & Zacharia, M. (2011). Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection. Boston, MA: Thomson Learning Inc.

Ogren, E. (2004). Using a layered security approach to achieve network integrity. Retrieved on July 15, 2011 from: