Intrusion Detection and Incident Response Concepts Coursework

Introduction

As computer systems continue in advancement, security has continued to be a big challenge during this progression. Security breaches in the form of intrusions are becoming harder to detect due to the nature of the activities. The intention is to advance these clandestine activities within the system unnoticed by levels where irreversible damage is registered. Therefore, intrusions remain one of the most hazardous yet subtle activities on any computer setup. Because of such threats, concerted research has been going on for some time now and continues to try to address the emerging threats and work on ways to eliminate them. However, these efforts continue to be less effective, mainly because the initiators of such clandestine activities continue to focus on every opportunity available to exploit known and unknown system weak points.

Intrusion detection and incident response principles and concepts

One of the credible ways available to identify system intrusion involves a study of the file system status at various checkpoints. Unexplained variations in the status of these files will most likely indicate a breach of the system and as such should catch the eye of the system administrator. Many operating systems are incorporating tools in their software package to address a number of known threats. Typical in this list of threats would be the following:

1. Worms, which are a virus type that hides their actions within a system except to self-replicate. A known example was the MSBlaster in 2003 that targeted the RPC DCOM buffer overflow as a weak point in the Windows Hex reader.
2. Trojan horse programs present themselves in the systems as utility or harmless programs. Their main purpose is to cover up system defense abilities thereby allowing other harmful and illegal applications to take over and operate the vulnerable systems. The Trojan horse program must be running on the target system to advance these effects.
3. Denial of service attacks is meant to completely interrupt the functioning of a network device. A known example is the SYN flood, which uses the TCP handshake process to overload a network with traffic. Broadcast amplification attacks will involve broadcasting ICMP echo requests thereby causing traffic flooding on the network. In such an attack, a suspect request packet is transmitted to a target causing the file services.exe to flood and cripple all the memory resources.
4. On the other hand, distributed denial of service attacks is launched from numerous devices consisting of the attacker who is the application initiating the attack, the victim who is the targeted system, the handler, and the agent.
5. Spoofing is another intrusion activity that involves borrowing identity information to camouflage the attack activities. Ingress filtering is one of the effective ways used today to counter this kind of intrusion.
6. The TCP session hijacks present a masquerader as an authorized user eventually gaining access to a system. After a session has been hijacked, the attacker sends packets or executes commands or even changes system passwords.
7. A more subtle attack known today is network sniffing. This passive network attack makes use of eavesdropping and uses a protocol analyzer or other sniffing software tools. Examples of such tools include TCPdump for UNIX, Ethereal, or AiroPeekWireless for Windows. One of the most reliable ways for an administrator to recognize an intrusion is by being able to recognize attack signatures. Each attack has a typical attack signature for identity purposes. These signatures are important for identifying an intrusion.

Specifics of the IDS architecture

An intrusion detection system (IDS) is an invaluable asset for any organization today. The IDS will broadly cover two main categories (Ankit & Manu, 2007). This system secures the organization’s information and maintains its integrity. IDS system implementation can be carried out on several fronts depending on the organizational structure. A networked-based system can be set up to monitor traffic over the network and all the segments and devices. This system will examine the network protocol activities to address any malicious activity. Host-based systems can be implemented to monitor single host activities. An IDS will monitor every activity on the network and provide a report on suspect activities that need to be addressed. The IDS will also address intrusion prevention, which is the process of attempting to stop typical incidences after performing an intrusion (Shimonski, 2004).

This formed part of the amalgamation of tools known as the intrusion detection system. The IDS constitute an application software and associated hardware that is capable of monitoring network activities. This is for the sake of detecting malicious activities or any other violations relating to policy and procedures. The system actively monitors and reports to the network administrator. An IDS will also address intrusion prevention, which is the process of attempting to stop likely incidences after an intrusion (Shimonski, 2004). Generally, an IDS besides establishing a record of intrusion activities and generating an appropriate notification to the administrator, this system can also rebuff threats causing the intended threats to fail. IDS will broadly cover two main categories (Ankit & Manu, 2007).

The network intrusion detection system (NIDS) consists of an infrastructure of hardware as well as software that can identify intrusions through the examination of host activities as well as network traffic. This is possible through established connections to a network hub or switch or otherwise a configuration that can enable network tapping or the establishment of port mirrors. Often the administrator will establish network borders using sensors or set up choke points. These are used to capture traffic on the network. Snort is an example of a NIDS used to capture and analyze individual packet content to establish malicious traffic. The host-based IDS defines a system type involving an agent. Here the agent will analyze system calls as well as application logs.

Specifics of TCP/IP for IDS

Transmission control protocol and internet protocol (TCP/IP) are the foundation of the internet. Typical of this TCP/IP protocol stack is four layers, the network interface that defines the network interface standards such as Ethernet, token ring, ATM, FDDI among other interface standards. The other layer is an internet layer that consists of the internet protocol as well as the address resolution protocol ARP to ensure datagram transfer over the network. The transport and application layers form the remaining part of the TCP/IP protocol stack. The transport layer is controlled by a transmission control protocol (TCP), UDP, internet configuration management protocol (ICMP), and open shortest path first (OSPF). The network administrator must, therefore, demonstrate competence in the configuration of this layered protocol where each of the protocol’s layers is suited to support some defined functionality. The topmost, which is the application layer, caters to tasks such as file transfer and email. Routing and transmission reliability are handled at the network and transport layers. The bottom-most level is implemented within the hardware to offer the link.

In order to capture data packets over the network for the purpose of analysis, the network administrator will focus on the functionalities provided by the transport and network layers of the TCP/IP. The intention here is to understand the network data structure and thus understand its composition. TCP/IP enables the administrator to employ tools such as traceroute to monitor internet traffic routes. A diversion of routes from the defined paths may be further analyzed to identify any anomalies, which must be resolved. Such a process defines the data packet capture and reading process. The administrator can use specialized tools such as the packet analyzer, in this case, to carry out an analysis. The analyzer will intercept and record all traffic within a network (Warren & Heiser, 2001). Packet analyzers can also be used on their own to detect intrusion attempts on the network.

Recommended approach at IDS tool installation

The internet security authentication server (ISA) by Microsoft is one example of an IDS tool. The installation of the ISA server also covers the configuration of the internet authentication service (IAS). This is vital so that the two can communicate properly. The following steps are performed on the domain controller on an internal network while installing the ISA server 2004.

1. On the option administrative tools, choose the internet authentication service (IAS).
2. Expand the IAS local and right clicking the RADIUS client option, click the option new RADIUS client.
3. Type a name and address as well as the domain name for the server and client.
4. Verify and resolve the IP and DNS settings for both the RADIUS client and the ISA server 2004 firewall.

Recommended use of TCPdump and WinDump as network security tools

TCPdump as an IDS tool captures and displays all packets transmitted over a network. The TCPdump can also debug the network set up to ensure proper routing. This tool causes the network card to capture all packets over a transmission medium. Connection establishments and termination can be determined using this tool. WinDump provides the porting for TCPdump on a windows platform and is used to carry out a diagnosis of the network traffic.

Recommended use of the snort network intrusion detection system

A snort is a tool that is an open source used to implement IDS. It can, therefore, be used as a detection and prevention tool for various kinds of intrusions. It is also able to carry out network traffic analysis, which is real-time while performing packet logging as well. Content searching and matching, and protocol analysis are also carried out by snort. Three modes of the application can be implemented. The sniffing mode allows the tool to examine and show network packets. The intrusion detection mode allows the tool to scrutinize all the network traffic. The packet logging mode enables the tool to register packets onto a resident disk.

While establishing the overall business strategy, is vital. Therefore, consider establishing an overall network security policy as part of the strategy. This policy must effectively address intrusion detection and prevention strategy as well as the tools in use today. This will ensure that the firm’s network and information resources are secured from internal and external threats.

References

Ankit, F., & Manu, Z. (2007). Network intrusion alert an ethical hacking guide to intrusion detection. London: Cengage

Shimonski, R.J. (2004). What you need to know about Intrusion detection systems. Web.

Warren, G.K., & Heiser, J.G. (2001). Computer forensics incident response essentials. Muchen: Addison-Wesley.