Question

Case Project 4-1: Using System-Monitoring Tools

You recently became the server administrator for a company. As soon as you walked in the door, users were telling you the network is running slowly quite often, but they couldn't tell you when it happened or how much it slowed down. What tests and measurements could you use to try to determine what's going on?

Case Project 4-2: Protecting the Network

You work for a company that hasn't been too concerned about network security and performance, but as more employees are hired, management is beginning to worry that employees are using the Internet for purposes that aren't work related. What types of network monitoring could you do to make sure Internet access is being used correctly in the company?

Case Project 4-3: Auditing Sensitive Data Access

You're the network administrator for a company that has contracts to store sensitive data for other companies, and clients want reassurance that you're protecting their data. The company has groups of employees who will be working with clients, and several contractors need access to the data, too. To make managing data easier, each client has been assigned his or her own disk volume. What types of auditing can you set up to reassure clients their data is protected and to check which files employees and contractors are accessing?

Answer 1

4.1 The following Test & Measurment can be determine when the network is running slow:

• Test basic connectivity with ping, check the map if the ports are open 20 and 21. check if firewall is restricting traffic to the server.
• Ping the DNS server and check the response. check the Wireshark if DNS request and response packets are being send and received.
• Check the connectivity with the default gateway. check if the DNS server is configured on the PC. check if the appropirate port number is active using nmap on the DNS Server.
• Check the IP connectivity with the DHCP server from a system configured on the network. Test if the DHCP client and server service is started on the DHCP server and the client. Test if the DHCP server service is reachable using nmap.
• check the IP connectivity using ping. check if port 23 is open on the router using nmap.

Network administrators hane many different ways to find out what happening on networks:

• Port scanners - gathers information across the network, no special permission required, determine up/down status by ping, check for open ports may indicate available service, scan operating system determine without logging in, scan service for version inforamtion.
• Interface monitoring - the most important statistics, no special right or permission required, it will show alarming and alerting, provides short term and long term reporting.
• Packet flow monitoring - gather traffic monitoring, netflow, problem collector, usually separate reporting app.
• SNMP - it is stands for simple network management protocol, its information will be very detailed.

4.2 To successfully defend against the network to defend our network against attacks as system administrators need to consider lots of different things:

• Physical controls - if somebody have attacks our power or systems that can be effect on servers as well as networks well. the physical controls can be done following ways:
  • reduce unauthorised access
  • mantraps
  • keypads
  • locked facilites
  • Authentication access
  • Badges, Biometrics, Key fobs, Pins, Password
• User Training - the users are one of our biggest problems for insuring the networks. users presents one of the greater vulnerabilities to the network. Training should include:
  • Social engineering awareness
  • Virus Transmission dangers
  • Password security
  • E-mail Security
  • Physical security
• Patching - we have to patch our systems and update our operating systems as well as network gear, if there is know vulnerability and you don't patch for it the hacker already know the way in, and just give them to keys. it is designed to correct a known bug or fix to known vulnerability in an application or program. Patches should be implemented so they become available. Updates add new features, patches fix vulnerabilites.
• Security Policies - it is usually handled by management and they're can be the polices and procedures that are in place for us to follow the secure our networks better and ensure that we're doing thing properly. lack of security policy, or lack of enforcement of an existing policy, is one reason of security breaches, Accepting use polices are common component of a corporate security policy, it contains a myraid of other complmentary policies. the large organization, the more complex the security policy is. security policies server multiple purposes:
  • Protecting an organization assets.
  • identifying specific security solutions
  • Making employees aware of their orgranization
  • Acting as baseline for ongoing security monitoring
• Security Policy parts are:
  • Governing Ploicy - Focused toward managerial and technical employees, high level document that focuses the organization
  • Technical policies - E-mail, wireless, Remote access, and bring your own devices. the devices brings new vulnerabilities such as bluejacking which is sending of unauthorized message over Bluetooth, Bluesnarfing which provides unauthorised access to wireless through Bluetooth and Bluebugging which is unauthorised backdoor to connect Bluetooth back to attacker.
  • End user policy - acceptable use policy, consent to monitoring, cellular devices
  • Standar, guidelines and procedures.
• Incident response - with instant response, dealing with how are we going to respond when an exit, when an incident happens, if a hackers get into your systems how you are going to stop them and how you are going to recover form it.the incident response is how an organization reacts to a security violation, prosecuting computer crimes can be very difficult, successful prosecution relies on:
  • Means - Does the suspect have the technical skill to perform the attack?
  • Motive - Why would they perform the attack?
  • Opportunity - Do they have time and access?
• Vulnerability scanners - about finding what vulnerabilities have finding those unpatched systems and finding the ways to hackers are going to get into your networks. Peroidically test the network to verify the network security components are behaving as expected and to detect known vulnerabilities, they are application that conduct these tests.
• Honey pots and Honey nets - those are distractors for the attackers going to put those in our network so that the attackers go after those instead of going after our actual resources. they are the systems designed to appears to be alternative target that is distractor for the attackers. Attackers user their resources attacking the honey pot and leave the real servers alone. Honey pot is a single machine which is a network of multiple honey pots, it can be used to study how attackers conduct their attacks.
  • Remote-access security - how can protect network then do allow remote access to of users. it controls access the network devices such as routers, switchers, servers and clients.

    Method	Discription
    SSH	Secure Remote access via terminal emulaor
    RADIUS	Open standard, UDP-based authentication protocol
    TACACS+	Cisco prosperity, TCP-based authentication protocol
    IEEE 802.1X	Permits or denies a wired or wireless client access to a LAN
    Two-factor authentication	Requires two types of authentication; something you know, something you or something you are
    Single sing-on	Authenticate once and access multiple systems.

4.3 The auditing can be set up in following types:

• Establish user Accountability : This is a difficult challenge as many applications use connection-pooling which masks the true identity of the end user.
• Provide Detailed Audit Event information : Capturing the raw access query and system response attributes is essential for effective forensic investigation and incident response.
• Customize compliance reports, alterts and Analytics tools : Real-time alerts and audit analytics tools enable efficient and comprehensive forensic investigations and incident response. Predefined reports provide a starting point and help address the specific audit requirements of each regulation, while customizability supports unique technical and business needs
• validate that all system in scope are audited : Automated discovery and classification capabilities enable quick identification of regulated systems and reduce the cost required to maintain compliance.
• Audit all access to sensitive data - to ensure all systems hosting regulated data are in audit scope, audit all the data systme containing containg data which is on regular basis. privilaged access to data including local system access, and non provilage network access. the data access events whether the access is read only, a data modification transaction or provilage operations.