Advanced Digital Forensic Investigations, Essay Example

Pages: 3

Words: 863

Essay

IDS/IPS Practices

Security is an essential factor in every aspect of life, and it bears on every activity, process, procedure, technology, method and decision. In information technology likewise, security has a significant impact on every process or procedure involving the exchange, acquisition, transfer or maintenance of information. In the information age, manual processes are transformed into digital form; information is digitized and handled by security technologies. The traditional information-security device is the firewall. Organizations holding information in digital form must install a firewall; otherwise the digital information residing in their information systems cannot be secured. Previously, the firewall was the answer to security, but in the information age, where information is spread across millions of systems worldwide and exposed through interfaces that users need in order to access it, a single firewall cannot serve as an all-in-one solution for information security. Moreover, threats are far more significant and intelligent than before. Hackers develop threats that efficiently bypass firewalls and compromise networks; consequently, host- and network-based intrusion detection systems were introduced. These security appliances provide advanced monitoring and sensing facilities that may alert the concerned parties before an incident takes place. A complete and comprehensive definition of an IDS is available in a network dictionary, which says it is “set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack. Intrusion detection is very tricky. Too much analysis can add excessive overhead and also trigger false alarm

Activities

In order to cope with the configuration aspects, network engineers or users have to follow a set of criteria. Likewise, for monitoring internal or external events that may lead to the identification of threats, procedural steps must be considered for effective monitoring. These steps are reproduced below (Paquet, n.d.):

  • Procedures for denying inline attacker: an inline attacker refers to a threat that may come from a wireless source and try to intrude into the system at a particular time; the procedure also lays out the processes that are triggered to remove the threat from the network in case of a compromise. Moreover, the likelihood of inbound and outbound attacks helps the network engineer identify the methods, technology and algorithms that the creator integrated into the threat.
  • Procedures for denying inline connection: this procedure covers the transmission control protocol (TCP) stream for both inbound and outbound channels of data transmission. Providing these streams at the application layer gives an indication of an attack that is using any one of them, and consequently the network engineer will terminate the relevant stream.
  • Procedures for denying packet inline: network engineers can set a criterion stated as ‘any data packet originating from a wireless stream will be terminated if any anomaly is detected against it’. Therefore, any data packet from a wireless network that behaves abnormally will be terminated or destroyed.
  • Procedures for logging attacker packets: to detect suspicious packets, logs must be maintained, and alerts are generated according to the defined criteria.
  • Procedures for logging pair packets: apart from the above procedure, network engineers can also log entries against both the source and the affected workstation or system.
  • Procedures for blocking a connection request: after analyzing all the procedures, the IDS will instruct the firewall to block a suspicious data stream that has already been evaluated and identified.
  • Procedures for blocking a host: this procedure is similar to the above one, except that it blocks access for the identified host instead of blocking a data stream.

Snort

Snort allows network engineers to build the foundation of a tracing mechanism within the network that organizes raw packet collection from all interfaces. ‘libpcap’ provides a preprocessing mechanism located in the packet decoder (Kumar, Bhaskari, Avadhani, & Kumar, 2010). The preprocessor makes these packets suitable for rule application (for example, packet defragmentation); the detection engine then examines the headers and generates alerts for any suspicious activity originating from a wireless network source.

Only those protocol rules are applied that correspond to protocols currently in use by a hacker, and the detection engine acts on the basis of the criteria defined for a specific rule. Furthermore, the collection engine in Snort organizes information from the source that acts as input for digital forensic investigations (Kumar, Bhaskari, Avadhani, & Kumar, 2010).
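As an added example (not from the essay, and not Snort's or Cisco's code), the following Python models the pipeline the Activities list and the Snort section describe: decoded packets are normalized by a preprocessor stand-in, matched against rules, and every hit is logged for later forensic use, while the deny actions differ only in how long the deny persists (one packet, one TCP stream, or every later packet from the source). Packets, rules and content markers are all constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed packet: the header fields a decoder pulls out, plus the payload.
Packet = namedtuple("Packet", "src dst proto dport payload")
# Rules as (action, proto, dport or None, content, msg); actions follow the essay's
# IPS vocabulary rather than Snort keywords, and content markers are constructed.
RULES = [
    ("alert",           "tcp", 80,   b"marker-a", "record only, traffic still flows"),
    ("deny-packet",     "tcp", 80,   b"marker-b", "drop just this packet"),
    ("deny-connection", "tcp", 21,   b"marker-c", "tear down the whole TCP stream"),
    ("deny-attacker",   "udp", None, b"marker-d", "block all later packets from source"),
]
@dataclass
class Engine:
    rules: list
    denied_attackers: set = field(default_factory=set)  # deny-attacker-inline state
    denied_conns: set = field(default_factory=set)      # deny-connection-inline state
    log: list = field(default_factory=list)             # alert/log records for forensics
    def inspect(self, pkt):  # decode -> preprocess -> match -> act; 'pass' or 'drop'
        conn = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if pkt.src in self.denied_attackers or conn in self.denied_conns:
            return "drop"                    # an earlier inline deny is still in force
        normalized = pkt.payload.lower()     # stand-in for a preprocessor (case folding)
        for action, proto, dport, content, msg in self.rules:
            if proto != pkt.proto or (dport is not None and dport != pkt.dport):
                continue                     # rule header does not match this packet
            if content not in normalized:
                continue
            self.log.append((action, msg, pkt.src, pkt.dst))
            if action in ("alert", "log"):
                continue                     # recorded; keep evaluating, traffic passes
            if action == "deny-attacker":
                self.denied_attackers.add(pkt.src)
            elif action == "deny-connection":
                self.denied_conns.add(conn)
            return "drop"                    # deny-packet drops only this packet
        return "pass"

def run_demo():  # feed constructed packets through the engine; return verdicts and engine
    eng = Engine(RULES)
    pkts = [
        Packet("10.0.0.5", "10.0.0.10", "tcp", 80, b"GET /MARKER-A"),  # alert only
        Packet("10.0.0.5", "10.0.0.10", "tcp", 80, b"GET /marker-b"),  # dropped
        Packet("10.0.0.5", "10.0.0.10", "tcp", 80, b"GET /"),          # passes: packet deny ends
        Packet("10.0.0.6", "10.0.0.10", "tcp", 21, b"marker-c"),       # dropped, stream denied
        Packet("10.0.0.6", "10.0.0.10", "tcp", 21, b"follow-up"),      # dropped: same stream
        Packet("10.0.0.6", "10.0.0.10", "tcp", 80, b"GET /"),          # passes: other stream
        Packet("10.0.0.7", "10.0.0.10", "udp", 53, b"marker-d"),       # dropped, source denied
        Packet("10.0.0.7", "10.0.0.10", "tcp", 80, b"GET /"),          # dropped: same source
    ]
    return [eng.inspect(p) for p in pkts], eng
```

The verdict list from run_demo() shows the scope difference directly: the packet-level deny lets the next packet from the same host through, the connection-level deny persists only for that TCP stream, and the attacker-level deny stops every later packet from that source regardless of protocol.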

Windump

This tool is used to identify any malware that may reside on any workstation or server within the network. Moreover, it also identifies unknown broadcasting that may occur when active malware tries to send confidential information to the hacker. Likewise, the tool also displays the IP addresses translated from the information retrieved from packet headers. However, there is a limitation: WinDump only provides information that is associated with the secure socket layer (SSL).

References

Ids. (2011). Computer Desktop Encyclopedia, 1.

Paquet, C. (n.d.). Implementing Cisco IOS network security (IINS): (CCNA Security exam 640-553) (authorized self-study guide). Cisco Press.

Kumar, T. P., Bhaskari, L., Avadhani, P., & Kumar, P. V. (2010). Digital evidence collection in cyber forensics using Snort. Proceedings of the International Conference on Information Warfare & Security, 216-222.