Describe at least one type of ruleset you would want to add to a high level security network

Network Architecture.

Questions that need to be answered: this should be 2 pgs

When running Snort IDS, why might there be no alerts?

If you only went to a few websites, why are there so many alerts?

What are the advantages of logging more information to the alerts file?

What are the disadvantages of logging more information to the alerts file?

What are the advantages of using rule sets from the snort web site?

Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why.

If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set, how could he or she use that information to his or her advantage?

An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

So, the “bad guy” decides to do a denial of service on your intrusion prevention system. At least two things can happen: the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?

What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?

Assignment description:

Network traffic analysis and monitoring helps to distinguish legitimate traffic from malicious traffic that could potentially harm the network. Network administrators need to fortify the network from unwanted intrusions, using tools and techniques that use past traffic data to determine what is allowed or what should be blocked in current and future network operations. The challenge is to keep up network traffic analysis and monitoring technologies, and intrusion detection technologies, with the ever-morphing threats continuously attempting to exploit network vulnerabilities.

In this project, you will use monitoring technologies Wireshark and Snort in the Workspace virtual machine to compile a malicious network activity report for financial institutions and a bulletin to a financial services consortium. The report should be 8 pages double-spaced with citations in APA format. The bulletin should be one to two pages double-spaced.

There are eight steps to complete the project. Most steps of this project should take no more than two hours to complete, and the project as a whole should take no more than two weeks to complete. Begin with the workplace scenario, and then continue to Step 1, “Create a Network Architecture Overview.”

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.

1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.

1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.

1.4: Tailor communications to the audience.

2.1: Identify and clearly explain the issue, question, problem under consideration.

2.2: Locate and access sufficient information to investigate the issue or problem.

2.3: Evaluate the information in logical manner to determine value and relevance.

2.4: Consider and analyze information in context to the issue or problem.

2.5: Develop well-reasoned ideas, conclusions, checking against relevant criteria.

5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.

8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.

8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.

8.4: Possess knowledge of proper and effective communication in case of an incident or crisis.

8.5 Obtain knowledge and skills to conduct a post-mortem analysis of an incident and provide sound recommendations for business continuity.

9.1: Knowledge of the Information Technology industry, its systems, platforms, tools, and technologies.

Step 1: Create a Network Architecture Overview

You travel to the banks’ locations and gain access to their network operations. They use Wireshark to analyze the packets traveling their networks. Read this Wireshark resource to learn more about the tool. You will provide a network architecture overview in both diagram and written formats. Your overview can be based on fictitious information, or you can model network architecture from research, citing your source using APA format. This overview is outside of the lab requirements but a part of better understanding a network. In the overview, you will describe the various data transmission components. Select the links below to review them:

User Datagram Protocol (UDP)
Transmission Control Protocol/Internet Protocol (TCP/IP)
Internet packets
IP address schemes
well-known ports and applications

You will also address the meanings and relevance of information, such as the sender or source that transmits a message, the encoder used to code messages, the medium or channel that carries the message, the decoding mechanisms that were used, and the receiver or destination of the messages. Your overview will describe the intrusion detection (IDS) and intrusion prevention (IPS) systems used and the firewalls that have been established. Make sure to link the operating systems and the software and hardware components in the network, firewall, and IDS that make up the network defense implementation of the banks’ networks. Identify how the banks are using firewalls and how they are using IDSs, and identify the difference between these technologies. Include the network infrastructure information and the IP address schemes, which will involve the IP addressing assignment model, and the public and private addressing and address allocations. Identify potential risks in setting up the IP addressing scheme. Here are some resources for you to review:

intrusion detection & prevention (IDS/IPS) systems
firewalls

Identify any well-known ports and applications that are being used and the risk associated with those being identified, and possibly targeted. This portion can be made up of fictitious information, or you can use information from research, citing your source using APA format. When your overview is complete, add it to your report. In the next step, you will identify information security attacks and ways to monitor systems to prevent these attacks.

Step 2: Identify Information Security Attacks

In the previous step, you provided an overview of the network architecture. For this step, using the fictitious or the model network architecture and IDS and firewalls, identify possible cyberattacks such as spoofing/cache poisoning attacks, and session hijacking attacks including but not limited to man-in-the-middle attacks. Using knowledge acquired in the previous step, provide techniques for monitoring against these attacks. Review the following resources to gain a better understanding of these particular cyberattacks:

session hijacking: spoofing/cache poisoning attacks
man-in-the-middle attacks

The FS-ISAC representative has asked you to propose a cyber offensive operation and to lure the hackers to honeypots (click the link to read more). escribe what a honeypot is, how to set up an operation using a honeypot, and what security and protections mechanisms would need to be in place if a bank agreed to set up a honeypot. What are some indicators in network traffic that would lead you to conclude that your honeypot trap has worked? Report these from Wireshark. You will use the identified information on security attacks, the techniques for monitoring such attacks, and cyber offensives such as honeypots as part of your report to the FBI and the FS-ISAC. This information, however, should not be included in the bulletin so that the hackers will not be alerted to the defenses. However, add this to your final report.Then, continue to the next step, where you will visit Workspace to identify false negatives and positives.

Step 3: Identify False Negatives and False Positives

You just identified possible information security attacks. Now, identify the risks to network traffic analysis and remediation. Review the resources on false positives and false negatives. Identify what these are, how they are determined, how they are tested, and which is riskier to the health of the network. Note:You will use the tools in Workspace for this step. If you need help outside the classroom, you can register for the CLAB 699 Cyber Computing Lab Assistance (go to Discussions List for registration information) in which you can access resources to enable you to complete this project successfully.Click here to access the instructions for Navigating the Workspace and the Lab Setup.Click here to access the Project 2 Workspace Exercise Instructions. Explore the tutorials and user guides to learn more about the tools you will use. Then, enter Workspace.Describe your analysis about testing for false negatives and false positives using tools such as IDS and firewalls, and include this as recommendations for the banks in your public service Joint Network Defense Bulletin to FS-ISAC. Also include the statistical analyses of false positives and false negatives from the results in Workspace, from the banks’ networks, and how they can reduce these values. Use fictitious values but research possible ways to reduce these events, and include as recommendations in the malicious network activity report to FS-ISAC. In the next step, you will analyze IP network addresses.

Step 4: Analyze IP Network Addresses

In the previous step, you identified and analyzed risks related to false negatives and false positives. For this step, you will analyze IP network addresses.First, enter Workspace. Capture the network IP addresses, the types of protocols that are running, and relate them to the network architecture you provided in the earlier section of the report. Include analysis of the source and destination IP addresses that seem anomalous in nature, the traffic volume patterns with date and time corroborations, and other significant details of the network traffic analysis in your malicious network activity report to FS-ISAC. Include the same information in the Joint Network Defense Bulletin in a way that educates the banking consortium of the threat, and the mitigating activities to take to protect against that threat. Your results from Wireshark, as well as the screenshots obtained from the Workspace exercise, will be included in your report. Note:You will use the tools in Workspace for this step. If you need help outside the classroom, you can register for the CLAB 699 Cyber Computing Lab Assistance (go to Discussions List for registration information) in which you can access resources to enable you to complete this project successfully.After you have finished your activity in Workspace, move to the next step, where you will use Snort for network forensic analysis and to identify malicious IP addresses.

Step 5: Use Snort for Intrusion Detection

Now that you have captured IP addresses and identified their protocols, you will use Snort intrusion detection in Workspace to conduct network forensics analysis and identify malicious IP addresses. Read these resources to further your understanding of network forensics analysis.

Snort
network forensics analysis

Wireshark, which you learned about in previous steps, is typically used together with the Snort intrusion detection system. The identification of the malicious IP addresses can be used to design signatures for the IDS, programming the IDS to block this known bad traffic.Now that you have examined the packet trace for the different types of attacks, enter Workspace, and then develop proposed Snort signatures to prevent against those known bad sites and test these signatures. Track if the signature triggers false positives or false negatives and record these events. Provide some improvements to the performance of the signature and include that in the report but not to the public service bulletin. You do not want to alert the hacker community of the net defense strategy. Note:You will use the tools in Workspace for this step. If you need help outside the classroom, you can register for the CLAB 699 Cyber Computing Lab Assistance (go to Discussions List for registration information) in which you can access resources to enable you to complete this project successfully.After you have completed your Workspace session with Snort and Wireshark and compiled information for your report, move on to the next step, where you will learn about other detection tools and techniques.

Step 6: Explain Other Detection Tools and Techniques

The previous step required you to use Snort and Wireshark in Workspace. This step requires you to explain in a few paragraphs what other tools and techniques you may use to detect these signatures. You may have to do independent research to find these tools and techniques. Be sure to cite your sources in APA format. Provide enough detail so that a bank network administrator could follow your explanation to deploy your system in production. Include this information in your bulletin.After you have researched and compiled the information on other detection tools and techniques, it’s time to move to Step 7, where you will organize and complete your report to the FBI and FS-ISAC.

Step 7: Organize and Complete Your Report

Now that you have gathered all the data for your report, it is time to organize it. Conclude the report and organize your report in sections. The following is a suggestion, but use what is best for the FBI chief and the FS-ISAC representative:

Event: the types of information attacks you have been tasked to examine.

Target and Profile: Here, you will describe FS-ISAC and the bank institution.

Overview of Network Architecture: Explain in a few paragraphs what other tools and techniques you may use to detect this signature. Provide enough detail so that a campus network administrator could follow your explanation to deploy your system in production.

Network Traffic Monitoring and Results

Recommended Remediation Strategies

The report should be an eight- to 10-page double-spaced Word document i with citations in APA format. The page count does not include figures, diagrams, tables or citations.Submit your report in the assignment folder. You are now ready for the final step, the Joint Net Defense Bulletin.
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.