The TCO of the web servers and database servers is calculated by multiplying the number of servers by the purchase cost of each. The cost of the support contracts, on the other hand, is calculated annually: the annual cost of the contract is multiplied by the number of years for which the TCO is calculated. Support costs are fixed amounts spent to keep the system running and up to date.
The company has two full-time web administrators. Their salaries are also expenditure on the upkeep of the IT systems; this cost is calculated by multiplying the number of administrators by the annual salary and by the number of years.
The part-time administrator and the infrastructure administrator are also IT support costs; these are calculated by multiplying their respective annual salaries by the number of years.
Finally, all of these totals are added together to give the final Total Cost of Ownership (TCO).
The exposure factor is given as 0.2. Multiplying this value by the calculated TCO gives the Single Loss Expectancy (SLE). The ARO, or annualized rate of occurrence, is also given as 20%.
The Annualized Loss Expectancy (ALE) is calculated by multiplying the SLE by the ARO.
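The calculation chain above (hardware purchases, annual contracts and salaries summed into the TCO, then SLE = TCO x EF and ALE = SLE x ARO) as an added worked example; it is not part of the assignment, and all amounts, server counts and the three-year span are constructed placeholders since the assignment's own figures are not on this page.

```python
# Added example (not from the assignment): TCO -> SLE -> ALE as described above.
# Every amount below is a constructed placeholder; only EF = 0.2 and ARO = 20% come from the text.

YEARS = 3               # number of years the TCO covers (assumed)
EXPOSURE_FACTOR = 0.2   # EF given in the text
ARO = 0.20              # annualized rate of occurrence, given as 20%

def hardware_cost(units, unit_price):
    """Purchase cost: number of servers multiplied by the cost of each."""
    return units * unit_price

def recurring_cost(annual_amount, years, count=1):
    """Support contracts and salaries: annual amount x headcount x years."""
    return annual_amount * count * years

def total_cost_of_ownership(years=YEARS):
    """Return (TCO, per-item breakdown) for the cost items the text lists."""
    items = {
        "web servers":        hardware_cost(4, 5_000),            # constructed
        "database servers":   hardware_cost(2, 12_000),           # constructed
        "support contract":   recurring_cost(8_000, years),       # constructed
        "web admins (2 FT)":  recurring_cost(45_000, years, 2),   # constructed
        "part-time admin":    recurring_cost(20_000, years),      # constructed
        "infrastructure admin": recurring_cost(50_000, years),    # constructed
    }
    return sum(items.values()), items

def single_loss_expectancy(tco, ef=EXPOSURE_FACTOR):
    """SLE: the share of the asset value lost in a single incident."""
    return tco * ef

def annualized_loss_expectancy(sle, aro=ARO):
    """ALE: expected loss per year, used to size the security budget."""
    return sle * aro

if __name__ == "__main__":
    tco, breakdown = total_cost_of_ownership()
    for name, value in breakdown.items():
        print(f"{name:22s} {value:>12,.2f}")
    sle = single_loss_expectancy(tco)
    ale = annualized_loss_expectancy(sle)
    print(f"TCO={tco:,.2f}  SLE={sle:,.2f}  ALE={ale:,.2f}")
```

With the placeholder figures the TCO is 548,000, the SLE 109,600 and the ALE 21,920; a control that costs less than the ALE per year is worth buying by this measure.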
Assignment - TASK 2
Network Architecture
*The network area between the two firewalls is a DMZ (Demilitarized Zone)*
Report & Justifications
*The explanation starts from top to bottom of the diagram.*
At the top level, the network should be connected to the internet, using an Internet Router.
Moving downwards, the network has two firewalls, between which there is a VPN router and the company servers (connected through a heavy-duty, high-bandwidth core switch). The reason for two firewalls is that the servers should be placed in a DMZ (demilitarized zone). This provides the security needed for the servers as well as an extra layer of protection for the internal network (workstations, etc.).
In order to separate the workload, the servers are kept apart. The email and proxy servers are kept together, while the high-bandwidth web servers are on the other side. Each group of servers is connected to its own switch, which is in turn connected to the core switch that forwards traffic to the internet and back.
Outside the DMZ, the inner network is connected to a gigabit switch. This is in turn connected to two firewalls that provide traffic filtering. Below the final firewall there is a router that forwards the internal network's traffic to the outer network.
A large number of switches are connected to the router on one side; these switches connect the company's internal workstations. On the other side, the database servers are connected to their own gigabit switch. The database servers are placed on the inner network rather than the outer because they will mostly be used from the inner network.
It is also worth noting that the proxy server provides another layer of protection, as it performs web caching and filtering for the inner network's traffic. The email server stores all of the company's email in-house.
Specifications:
Switch - Generic 10/100Mbps
Firewall - Packet Filtering
Proxy Server - Proxy firewall
Web Servers - High spec. servers
Gigabit switch - Generic 10/100/1000Mbps
Database Servers - High capacity, high spec. servers
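The two-firewall design above as an added example that is not part of the assignment: a first-match packet-filter policy for the outer (internet/DMZ) and inner (DMZ/internal) firewalls, with the rule that a packet is only allowed if every firewall it crosses allows it. The address ranges, the web/database subnets and the port numbers are constructed assumptions, not values from the diagram.

```python
import ipaddress

# Constructed address plan for the diagram's zones (not from the assignment).
ZONES = {
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),   # web, email, proxy servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),   # workstations and DB servers
}
WEB = ipaddress.ip_network("192.0.2.0/28")   # web servers inside the DMZ
DB  = ipaddress.ip_network("10.10.5.0/24")   # database switch inside the internal network
ANY = ipaddress.ip_network("0.0.0.0/0")

def zone(ip):
    """Classify an address as 'dmz', 'internal' or (anything else) 'internet'."""
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

# Rules are (action, src_net, dst_net, dst_ports); an empty port set means any port.
# Outer firewall: the internet may only reach the published DMZ services.
OUTER = [
    ("allow", ANY, WEB, {80, 443}),
    ("allow", ANY, ZONES["dmz"], {25}),        # inbound mail to the email server
    ("allow", ZONES["dmz"], ANY, set()),        # DMZ servers talking out (proxy fetches, mail)
    ("deny",  ANY, ANY, set()),                 # default deny
]
# Inner firewall: inner hosts may use the DMZ; only the web servers may reach the DB.
INNER = [
    ("allow", ZONES["internal"], ZONES["dmz"], set()),
    ("allow", WEB, DB, {3306}),
    ("deny",  ANY, ANY, set()),
]

def evaluate(rules, src, dst, port):
    """Packet filtering with first-match semantics: the first matching rule decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (not ports or port in ports):
            return action
    return "deny"

def decide(src, dst, port):
    """A packet crosses the outer firewall if either end is the internet and the inner
    firewall if either end is the internal network; every crossing must allow it."""
    ends = {zone(src), zone(dst)}
    crossings = ([OUTER] if "internet" in ends else []) + ([INNER] if "internal" in ends else [])
    return "allow" if all(evaluate(fw, src, dst, port) == "allow" for fw in crossings) else "deny"
```

Note that a workstation has no direct path to the internet under this policy: it must go through the proxy in the DMZ, which is where the text places web caching and filtering.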
Assignment - TASK 3
Security Test and Auditing Report
Security testing and auditing are extremely important in maintaining the integrity of a system. Network administrators stress their own network or systems to ensure that they are secure against attacks. These tests allow them to find weaknesses in their own security procedures and policies. Trusted people from the organization take the role of a hacker or attacker. This kind of activity, which helps secure a network or system, is called ethical hacking. There are various tools that help hackers and administrators alike:
Ping:
Integrated in all versions of Windows (via the command prompt), ping is a basic network testing tool. Ping is used to check whether a device is correctly connected to a network and whether it is sending and receiving traffic. Ping can only test one IP or domain address at a time, so a ping sweep can be used to verify which devices are functioning and which are not. [Figure shows a ping from the current system to www.google.com.]
TraceRoute:
Traceroute ('tracert' on Windows) shows the 'hops', that is, the route a packet takes from the current system to a target domain or IP address. This tool shows all the devices between the current machine and the target system, with their IP addresses, device names, etc. [Figure shows a traceroute from the current system to www.google.com. Some timeouts can be seen as well.]
These two are Windows-integrated tools that can help diagnose the network and gather information. However, there are many other specialized tools that can diagnose, gather information on the network and detect vulnerabilities.
Port scanner
Port scanners, as the name suggests, are tools that query a target system to find out which ports are open. The amount of information a port scanner can gather is quite large compared to the tools above. It also shows what services the target machine is running on each port and its operating system. Port scan sweeps can also be performed to get results for a range of IP addresses, with the running services and vulnerabilities on each port. The large volume of traffic can cause sudden bandwidth spikes and may prompt the IDS to record the event.
Figure: Nmap with Zenmap GUI.
Nmap is the most popular port scanner. Earlier versions were command-line based; current versions come with a GUI called Zenmap. With the new Nmap, customized scans are possible, for example a thorough scan that discovers all open TCP and UDP ports, a scan of only TCP or only UDP ports, ping scans, etc. After a scan, the various results are shown in different tabs.
Sniffer
Sniffers are able to intercept and copy packets travelling on the network medium. They can also reassemble the packets to recover the original data. The data has to be in plaintext, for example usernames and passwords. Sniffers are also known as packet analyzers or network analyzers.
Figure: Sniffem
With Sniffem, it is possible to monitor the network and capture data. The figure shows how data is intercepted and how some of it is displayed in readable format. It can capture both UDP and TCP protocols.
Vulnerability scanner
A vulnerability scanner is a more powerful type of port scanner that not only performs the functions of a port scanner but also shows which known vulnerabilities the target system has. It is a higher-level port scanner. Since the bandwidth spikes caused by a port scanner are already quite high, the spikes caused by a vulnerability scanner are so high that it is almost impossible for the scanner to go unnoticed by an IDS.
Figure: Nessus
Nessus can generate various reports after the port scan regarding the vulnerabilities of the target system. As with port scanners, Nessus can scan both TCP and UDP ports for running services and other information. Nessus's vulnerability scan report can be vital for comparing the current security state of the system with how it was before.
Assignment - TASK 4
Intrusion Detection and Prevention Techniques
Suggested Intrusion detection system diagram, containing all the IDS components:
*The network area between the two firewalls is a DMZ (Demilitarized Zone)*
Intrusion detection systems are used in the majority of IT companies with large, important databases, web servers, etc. The use of an IDS is vital for these companies to keep their IT assets safe.
Intrusion Detection is the technique of detecting malicious activity in a network. The attacker's motive is usually an attempt at compromising the Confidentiality, Integrity, or Availability (CIA) of the target system. This technique can be performed automatically, using sophisticated hardware and software solutions, or manually.
Automatic intrusion detection involves the system alerting the user after detecting a possible security breach and logging the information. This can be described as a "passive system". More sophisticated techniques automatically detect malicious activity, whether from inside the network or from outside, and reset the connection or block the target port using a firewall to disrupt the attack.
This is considered an "active system" or an IPS (Intrusion Prevention System).
Newer intrusion detection systems use both network-based and host-based methods.
Network Intrusion Detection System (NIDS) - These are the primary network-based IDS. The devices are installed directly at the entry points of the network, where they scan all the packets that pass through. They use NICs configured in 'promiscuous mode'. Normally a NIC accepts only those packets that carry its own MAC address as the destination, but a NIC in promiscuous mode can examine every packet regardless of whether it is addressed to it or not. When these devices detect malicious packets, they notify the firewall to block a target port, or the device itself may reset the connection. NIDS devices require an IDS manager system that records all the information regarding intrusions or suspicious activity. The IDS can build a comprehensive database by analyzing normal packets during the day-to-day operation of the network. All incoming and outgoing packets are then compared against this database to determine whether they are normal or malicious.
Host Intrusion Detection System (HIDS) - Unlike a NIDS, which uses special hardware and software, a HIDS is purely software-based. The HIDS agent is installed on a target server so that malicious activity can be detected and prevented there. While a NIDS scans network packets, a HIDS monitors the host's behaviour and state. Like the NIDS, the HIDS also builds a database on the IDS manager system, which it uses to compare and determine whether a behaviour is suspicious or not. Suspicious activity includes, for example, software performing a task that it is not meant to, or was never programmed to, perform. The HIDS can monitor which applications and services the system is running and which resources are being accessed at the time of an incident. This can happen even before an incident, which, if detected in time, allows the incident to be prevented. This is one example, but the HIDS is not limited to this alone. A HIDS detects trails that may be left behind by a potential malicious user, records these as evidence and reports them to the network security administrators.
The NIDS and HIDS each have their own methods of protecting their databases against attack. Without such measures, the database's integrity would be destroyed and the IDS would be rendered useless.
The HIDS uses large amounts of system resources during operation. Thus, unlike the NIDS, the HIDS affects the system performance adversely. The network administrator responsible for the configuration should find a good balance between incident detection security features and system performance.
Honeypots - HIDS and NIDS make up most of the intrusion detection techniques, but an additional step may be taken to thwart a potential attacker from outside the network. A former web server whose main purpose is to attract a potential attacker to itself can be used to divert the attacker's attention from the rest of the network, hence the name honeypot. Administrators use honeypots in order to monitor the attacker's activities, analyze his/her methods and also buy time to come up with a response in light of an attack. A honeypot is programmed to behave as though it were a fully functional web server, offers seemingly valuable but fake resources, and during potentially suspicious incidents it can stall the attacker by using these fake resources.
The honeypot appears to be part of the network, but it is actually completely isolated from it and under constant surveillance. Honeypots should be configured in such a way that any activity they record must be malicious: no one should be able to use the honeypot normally, and it should not generate any traffic by itself. A honeypot should always be closely monitored; otherwise it can become an entry point into the network.
An IDS logs some of the following information regarding the attacker:
Source IP
Destination IP
Port used for access
Time/date of incident
Some description of running services and details of attack, etc.
It is also worth noting that an IDS cannot directly block network communication during an incident; it has to use the firewall in order to manage communications. An IDS is strictly used for monitoring, detecting and notifying the firewall or an operator, while the firewall reads and blocks incoming traffic (depending on its configuration).
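A minimal NIDS-style detector as an added example (not part of the assignment), tying together the port scanner passage in Task 3, the NIDS description and the list of fields an IDS logs: it reads connection-log lines, flags one source opening many distinct ports on one host within a short window (the bandwidth spike the text says an IDS would record), and emits an alert record with source IP, destination IP, ports, time and a description. The log format, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port proto".
# 198.51.100.7 walks eight ports in a few seconds; 203.0.113.5 is a normal HTTPS client.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 192.0.2.10 22 tcp
2024-03-01T10:00:01 198.51.100.7 192.0.2.10 23 tcp
2024-03-01T10:00:02 198.51.100.7 192.0.2.10 25 tcp
2024-03-01T10:00:02 198.51.100.7 192.0.2.10 80 tcp
2024-03-01T10:00:03 198.51.100.7 192.0.2.10 110 tcp
2024-03-01T10:00:03 198.51.100.7 192.0.2.10 143 tcp
2024-03-01T10:00:04 198.51.100.7 192.0.2.10 443 tcp
2024-03-01T10:00:04 198.51.100.7 192.0.2.10 3306 tcp
2024-03-01T10:00:05 203.0.113.5 192.0.2.10 443 tcp
2024-03-01T10:00:09 203.0.113.5 192.0.2.10 443 tcp
2024-03-01T10:05:00 198.51.100.7 192.0.2.10 8080 tcp
"""

PORT_THRESHOLD = 6              # this many distinct destination ports from one source...
WINDOW = timedelta(seconds=10)  # ...inside this sliding window counts as a scan (assumed)

def parse(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def detect_port_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair whose distinct-port count reaches the
    threshold within the sliding window. The alert carries the fields the text lists."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(list)   # (src, dst) -> [(timestamp, port), ...] still inside the window
    alerts = {}
    for ts, src, dst, port, proto in events:
        key = (src, dst)
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window] + [(ts, port)]
        ports = {p for _, p in recent[key]}
        if len(ports) >= threshold and key not in alerts:   # alert once per pair
            alerts[key] = {
                "source_ip": src, "destination_ip": dst,
                "ports": sorted(ports), "time": ts.isoformat(),
                "description": f"possible {proto} port scan: {len(ports)} ports in {window.seconds}s",
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

As the text says, this detector only records and notifies; blocking the source would be a separate firewall action.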
Assignment - TASK 5
Encryption Mechanisms
Encryption is the process of hiding information from unauthorized access. This is done by running the unencrypted, or plaintext, information through a cipher algorithm to convert it into an unreadable format (ciphertext). This unreadable format only becomes readable again once it is decrypted using the 'key' that was created during the encryption process. This key usually stays with the owner of the information.
There are two types of cipher, distinguished by how they consume their input:
Block cipher - encrypts data in blocks of a fixed size. (More secure than a stream cipher)
Stream cipher - encrypts data as a continuous stream.
There are two different types of encryption keys:
Symmetric - Has a single key which is used for both encryption and
Asymmetric - Has two keys: a public key and a private key. The public key is used for encryption, while the private key is used for decryption.
Whichever type of encryption key is selected, key management is always the issue. With symmetric encryption, anyone who has the key can read the information. The key can be intercepted from emails and later used to decrypt the data. Information encrypted with asymmetric keys is less prone to this kind of attack, but it has its own share of problems. Although it has two keys, it is less secure than symmetric, simply because the private key can be derived from the ciphertext and the public key (although it is not as easy as it sounds). Still, an asymmetric key is less likely to fall into the wrong hands and is usually used for key transfers.
RSA, digital certificates and digital signatures are of the asymmetric key type. SSH and SSL are encrypted protocols that use the same type of key.
A Certificate Authority (CA) is a third party that has come up with a solution for key management. The CA is a trusted organization that handles key management by providing keys to whoever is authorized for them. The CA provides unforgeable digital certificates to the participants after analyzing and verifying their identities.
Recommendation: The company can hire a trusted third party such as a CA for key verification and distribution. The RSA algorithm is the most suitable of the encryption methods, as it is asymmetric and is more secure than using a symmetric-based algorithm.
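The asymmetric key transfer and the "private key can be derived from the public key" caveat above, as an added example that is not part of the assignment: a textbook RSA key pair wraps a symmetric session key so that only the private key can unwrap it, and a trial-division factoring of the toy modulus shows why the derivation is trivial for small keys and hopeless for real-sized ones. The primes 61 and 53 and exponent 17 are the standard textbook toy values, assumed here for illustration only.

```python
import secrets

def make_keypair(p, q, e=17):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Public (e, n), private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(public_key, m):
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)

def transport_session_key(recipient_public, session_key):
    """Sender wraps a symmetric session key under the recipient's public key; only the
    matching private key unwraps it. This is the 'key transfer' use described in the text."""
    return encrypt(recipient_public, session_key)

def recover_private_key(public_key):
    """What an eavesdropper holding only the public key must do: factor n.
    Trial division succeeds instantly on this toy modulus and is infeasible on a real one."""
    e, n = public_key
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)

if __name__ == "__main__":
    public, private = make_keypair(61, 53)        # toy primes: n = 3233
    session_key = secrets.randbelow(public[1])    # symmetric key to be transported
    wrapped = transport_session_key(public, session_key)
    assert decrypt(private, wrapped) == session_key
    assert recover_private_key(public) == private  # toy-sized n is trivially factorable
    print("n =", public[1], "d =", private[0], "session key recovered:", decrypt(private, wrapped))
```

The same recover_private_key call on a modulus of real size (2048 bits or more) would not finish, which is the practical reason an attacker cannot simply compute the private key from the public one.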