TS-301 Case Project Shaun DeRosa

Transcription

1 TS-301 Case Project Shaun DeRosa

2 Case Project 1-1: Defining and Designing a etwork Inventory: 6-24 port 10/100 es 3 - Firewalls to protect Accounting and Payroll/Order Proc., Research and Development and the LAN 1 - Router for Internet connection CAT6 UTP cable with terminations 6 s (one for each switch) 6 - servers running MS Server Web/FTP (outside firewall) - E-commerce (outside firewall) - server - application server - database server - management server with monitor, keyboard and mouse 62 - computers running MS Windows XP Pro SP2 with monitor, keyboard and mouse -Accounting and Payroll: - 4 computers with payroll software, accounting package, MS Office and anti-virus suite -Order Processing - 4 computers with POS software, inventory control, MS Office and antivirus suite -Sales and Marketing - 10 computers with MS Office, anti-virus suite and access to inventory control software -Research and Development - 12 computers with development suite (rendering engine, debugger, compiler, etc.) and anti-virus suite -Shipping and Receiving - 10 computers with Fed-Ex and UPS direct connect software, anti-virus suite and MS Office -Office Management - 4 computers with anti-virus suite and MS Office -Upper Management - 10 computers with anti-virus suite and MS Office -Customer Relations and Support - 6 computers with anti-virus suite, MS Office and Virtual PC -Tech Support - 2 computers with anti-virus suite and Virtual PC

3 Case Project 2-1: Conducting Risk Assessment and Analysis Process Priority Departments Asset Used Web Sales Necessary - Order Processing - Shipping and Receiving - Sales and Marketing - ISP - Server (2) - Router - Firewall Accounts Receivable Critical - Accounting and Payroll - Order Processing Shipping Critical - Shipping and Receiving Tech support Necessary - Customer Relations and Support Receiving Desirable - Shipping and Receiving Order processing Product Development Critical Desirable - Order Processing - Shipping and Receiving - Accounting and Payroll - Research and Development Accounts Payable Critical - Accounting and Payroll Central Management - Workstation (8) -24 port 10/100 -Firewall - Workstation (10) - 24 port 10/100 -Workstation (10) - 24 port 10/100 - Workstation (10) - 24 port 10/100 -Workstation (18) -24 port 10/100 (2) (2) - firewall - Workstation (12) - 24 port 10/100 - firewall - Workstation (4) - 24 port 10/100 - firewall -network printer Necessary - Administrative - Workstation (12) -24 port 10/100 - Server (4)

4 Asset Location/Detail Appox. Value 24 port 10/100 switch (6) Throughout office $ x 6 units Firewall (3) Server room $ x 3 units Router (1) Server Room $ CAT6 UTP cable (500 ) Throughout office $ Network printer (6) Throughout office $ x 6 units Servers (6) Server room $ x 6 units Workstations (62) Throughout office $ x 62 units Electricity ISP Threat Possibility of Assets Affected Consequences Occurrence Act of Nature (rain, snow, fire, 5 All Severe earthquake) Structure collapse/explosion 2 All Catastrophic Unauthorized intrusion 10 - firewall (3) Moderate (external/internal) - router - servers (6) - workstations (62) Complete power outage 7 All Severe Climate control failure 8 - servers (4) Severe Mechanical failure (plumbing, 6 All Severe fire suppression, etc.) Hardware failure 8 - workstations - router - server Insignificant Case Project 3-1: Mapping Risk Analysis to a Security Policy 1. With the website coming online it is important to be sure all current security patches are installed as well as current virus signatures. 2. The employees who were laid off should have their user accounts deactivated as soon as possible to avoid any chance of them using the accounts to do harm to the network. 3. The security policy should include requirements for encryption and strong password protection policies on all computers that contain company data off-site.

5 Case Project 4-2: Researching Security Products Tool Comparison Chart Instructions Look over the examples in the following chart, and then simply run a Google search on log file analysis tools. You might want to revise your search terms to get more specific results. Visit several pages, and enter the information here. (More rows can be added as needed.) You can customize your search to look for specific tools, such as log file analysis tools for Snort, Apache Web Server, IIS, or any other tool you have integrated into your design. Remember that you re looking for tools to use on your network design from Chapter 1. If a tool isn t compatible with the Windows environment and you have designed an exclusively Windows-compatible network, the tool won t be much use to you. If you already know you have an Apache Web server, a tool specifically for Apache is great, but a tool that s compatible with Apache as well as other platforms is better. Those are the rules. Now go have some fun researching tools! Hint: You might want to customize this form for use on other product searches or perhaps find another tool comparison chart that gives more information. If so, remember to cite your sources and attach those pages. Tool Vendor Cost Notes Location Compatibility Updating AWStats Sourceforge Free (open source) Offers log file analysis of Web, e- mail, and some FTP servers. GUI or commandline interface; requires Perl version All platforms Manual to new versions; plug-ins available to expand features Squid Multi Varied Listing of multiple tools and add-ons for Squid scripts Web log analyzers, traffic analyzers, access, and more. Multi/varied Varied

6 Logrep Itef!x Open source SSH, low overhead on clients, HTML reports logrep (Tip: If the actual address is too long, type an identifying name, and insert a hyperlink. Select the text, click Insert, Hyperlink from the menu, and paste the address into the file or Web page address box or select the page from the list of recently used links. You can also browse for the file or link.) Multi/varied Manual reinstall of new versions Sawmill Flowerfire $99 - $30000 hierarchical log analysis tool, extremely flexible and easy to implement All Platforms Manually re-install new versions as they become available. FastStats Mach 5 $199.95/license Extremely fast Varied Manual ELM Log Manager TNT varied Data stored in MS SQL database TNT ELM Log Manager Windows Server Manual W3 Perl Varied Open source Works with many types of servers and log files Varied Manual Case Project 5-1: Planning Remote Access 25 users and 2 vendors is a relatively small group of clients and as such it is unnecessary to spend a large amount of money of hardware and software for this application. 1. SONICWALL SSL VPN x 10/100 Ethernet VPN at $ is good choice for our needs based on cost and features. The unit installs seamlessly behind the firewall and client software is provided. Implementation should be clean and simple. 2. Once the employee is initially trained on how to use the client software additional training and costs should be minimal. 3. The appliance will be installed on the network while the business is closed so as to avoid any possible down time that would affect normal business. Once the appliance is installed and working correctly each client will be tested after the client software is installed but before the machine is issued to a user.

7 4. The unit will simply be added to the network directly behind the firewall and in front of the LAN. Case Project 6-1: Implementing Your Remote Access Solution 1. The only thing that has changed is the addition of a VPN appliance behind the first firewall. Asset Threat Risk Recommendations Sonicwall VPN appliance - attacks attempting unauthorized access to the LAN - fire / flood - high risk - negligible risk Adjust firewall settings and rule base to ensure security, place the appliance with the servers in the locked server room, be sure the server room has fire suppression rated for electronics (ie: not water) 3. The section in the security policy that refers to remote access and acceptable use both need to be revised to account for the change in the network structure. 4. Memo: Now that a VPN appliance has been added to the network additional care must be taken to ensure the security of the network. Users with VPN clients who connect from remote locations must take extra care to ensure the physical safety of their machine. In addition all remote users should take extra care to maintain proper password policies to further secure the data on the client machine. 5. Vendors: LedGrafix has taken steps to allow remote access to our network for your use. We have taken additional steps to reassess and revise our security policies to reflect the change in our network. We expect you to take responsibility of ensuring that our data is kept secure through your own security policies regarding access of our network. Case Project 7-3: Designing an IDS for LedGrafix 1. The goal of the IDS is to provide adequate traffic logging on all segments of the network. The IDS also needs to be able to adapt and change with the network, scalability is important. Sensors will be deployed between each department (ie: shipping and receiving) and the main backbone of the network. These sensors will provide adequate traffic logging for the departments and workstations,

8 7. The IDS administrative program will be installed on the management server reducing the cost of a dedicated IDS server. 8. Seven sensors will be used and the management server will receive the NIDS administrative software. 9. The best NIDS for our particular application is SNORT. Free, highly scalable and with a track record and abundant support it makes a perfect candidate for LedGrafix. 10. Snort offers real time packet analysis as well as traffic logging and analysis; this negates the need for additional logging analysis software. 11. By subscribing to Sourcefire VRT Certified Rules we will automatically receive rulesets in real time keeping our IDS up to date. 12. SNORT.org offers a wealth of information as well as a community of users exchanging information. Along with the annual subscription to Sourcefire, LedGraix will receive professional product support and updates. Case Project 8-4: Designing an Incident Response Strategy SIRT Member Department Assets Help Desk Tech Customer relations and support Direct link with customers, daily experience with current issues customers are having, relates to the common employee. Accountant Accounting and Payroll Familiar with the company s fiscal situation and the impact a breech could have on the company financially. Game developer Research and Development Familiar with the primary product and can help identify any damage that may have been done to the product itself. Network Administrator Administrative Can help pinpoint the access point of an attacker, identify the type of attack and possible targets and suggest changes that can be made to avoid the same problem in the future. Human Resource Manager Accounting and Payroll Can help notify personnel

9 of any loss of function in the network, can also be the direct link between the SIRT team and employees, deciding what information is to be shared with whom. First Team Meeting agenda: Discuss what each member of the team brings to the table, what their capabilities inside the company are and how they can be an important part of the SIRT team. Using an anonymous paper vote select a team leader based on the information shared in the beginning of the meeting. Begin designing a plan by identifying needs and roles needing to be filled in the event of an attack. Once the plan is hatched out, assign responsibilities and roles to each member based on their qualifications and place within the company. Discuss what the response from the SIRT team will be in case of an attack so everyone is on the same page should an attack occur and can act without delay knowing what he other team members are doing. Initial Response checklist: Step Action Explanation Notification Is it IDS, Anti-Virus or How were you alerted? human notification? SIRT involvement Should SIRT be notified? Decide if the notification warrants SIRT response. Personnel Who should be notified specifically? If SIRT is warranted, which SIRT member do you notify, if SIRT is not needed is there anyone else who should be made aware? Assessment of threat Who assess the threat? Can this be assessed yourself or should the threat be passed up the ladder and escalated? Response What will be the response to the threat? If handled alone what will you do to handle the threat? If escalated, what are your responsibilities after handing it off to an upper level responder? Recovery How will you recover? What will be necessary to fully recover from the threat? What needs to be documented?

10 Forensics Are forensic steps needed? Does the threat warrant the need for forensic investigation? If so what is the next step in contacting the proper personnel to conduct the forensic investigation? Meeting with Jon Smith: Discuss the Security Policy and his role in keeping it updated and maintained. Discuss the methods used to develop each portion of the Security Policy and answer any questions he may have. Explain the concepts of risk analysis cycles and awareness training so he can implement these tools in the future. Be sure he has no questions regarding Security Policy maintenance before leaving. Case Project 9-2: Designing a Perimeter etwork for LedGrafix Application or Service Vulnerabilities Solution HTTP Malicious scripts, malware IDS, firewall FTP port scanning, malware IDS, firewall SMTP Malware IDS, firewall POP3 Malware IDS, firewall TCP Fragmentation abuse, IP header tampering, illegal flags, false port or protocol headers IDS, packet filtering Application or Service Internal Host Location Host Security Policy HTTP Windows Any Antivirus, security patches FTP Windows Any Antivirus, Firewall Internal Security Policy permit permit Firewall External Security Policy With user authentication Deny user groups SMTP Windows DMZ Server permit With user authentication POP3 Windows DMZ Server permit deny Future Web Server Windows DMZ Server permit Permit

11 IP list: LAN thru Firewall server Web server DNS server FTP server Rule Source IP Source Destination Destination Action port IP port 1 any any any Deny any Allow to any any Allow any Allow to any any Allow 6 any any any Allow 7 any any any any Deny Expansion can be accomplished using a subnet for the future web and e-commerce servers. Additional rules would need to be made on the new firewall to account for them when they are on-line. In addition to the two servers needed, another IDS sensor and firewall will help keep traffic flowing smoothly. Case Project 10-1: Designing a Test Methodology for the LedGrafix etwork What to test: VPN (remote access) o Be sure remote clients can access the resources they are meant to access and no more. o Be sure the user is aware of security practices when taking a client machine off-site. IDS o Be sure all sensors are running correctly and are sending the proper alerts to the proper machine. o Check log files for redundant entries and unnecessary ones. o Be sure the rule base is still up to date and is not longer than it needs to be. o Attempt to gain access from an external machine that is not an authorized VPN client. Check the logs to be sure the proper alerts went off. Workstations o Be sure the workstations in each department have access to the network resources they are supposed to. (ie. Network printers, server, etc)

12 o Be sure all workstations have up to date security patches and antivirus signatures. Physical Security o Check to be sure the server room is secured with working locks or other means of physical security. o Be sure the server room has proper environmental controls working to keep temperature and airflow where they should be for optimal performance and longevity. Original Configuration Change ew Configuration Test Performed Result Solution if ecessary