IDS Solutions
After thoroughly analyzing the events surrounding the slow network, it was determined that a DDoS attack had been directed at the Cube Farm's main routing device, which acts as the gateway for the entire business's internet connection. Unfortunately, the attack was not identified right away, and the business was hurt financially by being cut off from the rest of the business world. At one point the system administrator had to call the ISP to request a dump file of all traffic crossing the internet connection, costing the business even more time. The attack could have been identified much sooner if an Intrusion Detection System (IDS) had been in place.
With an IDS placed between the gateway router and the internet connection itself, all traffic passes through the IDS, allowing every packet to be inspected for suspicious activity as it continues on to its destination. Each activity the IDS deems suspicious is written to its alert log together with the rule that matched, the source and destination addresses, and a classification and priority, so the administrator can see which packets triggered which alert. This would allow the system administrator to review a log of recent alerts to determine the issue without waiting for the ISP's dump file, which did not even identify the specific problem with the connection. One caveat applies to placement: a sensor that sits inline becomes a single point of failure for the whole connection, so a common alternative is to feed the IDS a copy of the traffic from a switch mirror port or a network tap, which gives the same visibility without a sensor fault taking the business offline.
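As an added example (my own code, not something from the page or from the Snort project), here is a small Python triage script that parses Snort's alert_fast log format, the one-line-per-alert output a system administrator would review in the situation described above, and reports which rule is firing, against which target, and from how many sources. The alert lines embedded in it are constructed, the rule sids are in the local range, and the regular expression assumes IPv4 addresses.

```python
"""Triage Snort 'alert_fast' output: which rule is firing, how often, and from how many sources.

Added example, not code from the page or from the Snort project. It assumes the
Snort 2 alert_fast line layout and IPv4 addresses; every alert line below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# One alert_fast line looks like:
# 06/01-14:22:07.103211  [**] [gid:sid:rev] MSG [**] [Classification: X] [Priority: 2] {TCP} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: a local SYN-flood rule firing from three sources against the
# gateway, one ICMP alert (no ports), and one junk line a robust parser must skip.
SAMPLE_ALERTS = """\
06/01-14:22:07.103211  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.45:51234 -> 198.51.100.1:80
06/01-14:22:07.104870  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.45:51235 -> 198.51.100.1:80
06/01-14:22:07.210455  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.18.7.9:40001 -> 198.51.100.1:80
06/01-14:22:07.311002  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.77:60222 -> 198.51.100.1:443
06/01-14:22:08.000913  [**] [1:1000002:1] LOCAL ICMP echo to gateway [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.45 -> 198.51.100.1
06/01-14:22:08.415600  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.18.7.9:40002 -> 198.51.100.1:80
06/01-14:22:09.002211  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.45:51236 -> 198.51.100.1:80
this line is not an alert record and must be skipped
06/01-14:22:09.515332  [**] [1:1000001:1] LOCAL SYN flood toward gateway [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.77:60223 -> 198.51.100.1:80
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert_fast record."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    # Snort omits the year; only differences between timestamps are used below.
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"]) if a["prio"] is not None else None
    return a


def summarize(log_text):
    """Aggregate alerts by rule, then profile the dominant rule's sources, target and rate."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
        else:
            alerts.append(a)
    if not alerts:
        return {"total": 0, "skipped": skipped}
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    (top_sid, top_msg), top_count = by_rule.most_common(1)[0]
    top = [a for a in alerts if a["sid"] == top_sid]
    sources = Counter(a["src"] for a in top)
    targets = Counter(a["dst"] for a in top)
    first = min(a["ts"] for a in top)
    last = max(a["ts"] for a in top)
    span = (last - first).total_seconds()
    return {
        "total": len(alerts),
        "skipped": skipped,
        "top_sid": top_sid,
        "top_msg": top_msg,
        "top_count": top_count,
        "distinct_sources": len(sources),
        "top_source": sources.most_common(1)[0][0],
        "target": targets.most_common(1)[0][0],
        "span_seconds": span,
        "alerts_per_second": top_count / span if span > 0 else float(top_count),
        # Simple heuristic: one rule, one target, several sources reads as distributed.
        "distributed": len(sources) > 1 and len(targets) == 1,
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_ALERTS)
    print(f"{r['total']} alerts parsed, {r['skipped']} line(s) skipped")
    print(f"dominant rule sid {r['top_sid']} '{r['top_msg']}': {r['top_count']} hits from "
          f"{r['distinct_sources']} sources -> {r['target']}, "
          f"{r['alerts_per_second']:.1f}/s over {r['span_seconds']:.2f}s")
    print("pattern looks distributed" if r["distributed"] else "single-source pattern")
```

On a real sensor the input would be the alert file Snort writes (for example `/var/log/snort/alert`, the default for the fast output plugin), and the "distributed" heuristic is deliberately crude: it only says that one rule, one target and many sources were seen, which is the pattern the administrator needed to recognise quickly in the incident above.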
There are two ways to implement an IDS: a dedicated hardware appliance or a software-based sensor on a general-purpose server. The hardware appliance offers features like remote management, dedicated resources, and vendor signature updates for detecting the newest threats, for about $4000. All of those features can be replicated for a much lower price with a software-based IDS. The software version consists of a new server for $1379, any extra gigabit Ethernet cards that may be needed at $38 each, and Snort, an open source IDS that has become a de facto standard.
Besides the obvious savings, the software version matches or outperforms the hardware appliance in several other areas. Remote management can be done either by making the alert log available remotely, so that traffic can be analyzed from anywhere, or by a remote desktop session to the IDS server, giving the system administrator full access to a graphical interface for managing the system. The server's hardware can also be upgraded easily (more memory, a faster CPU, additional network cards), which matters because all traffic to and from the internet passes through the device and the IDS must not become the bottleneck or drop packets under load.
Another major consideration is updates, since new exploits appear all the time and every business should ensure its network is protected against them. Depending on the brand of hardware IDS purchased, signatures for certain exploits may not be released by the manufacturer immediately. With Snort, new rules are released continually, because the ruleset serves countless users and corporations. Through the graphical interface on the remote desktop, Snort can be updated simply by replacing the old rule files with the newly downloaded ones and reloading the sensor. Although all rules are eventually released for free, it is a good idea to buy the enterprise subscription for $499 so that the company receives the newest rules as soon as they are published rather than after the free-release delay. An administrator who is familiar with Snort's rule syntax and alert output can also write custom rules for specific traffic that they want to keep a close watch on. Matches on those rules are written to the same alert log as the vendor rules, so the administrator's own detections are triaged alongside them.
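To show what writing a custom rule involves, the following added example (my own code, not the page's and not Snort's) carries a local SYN-flood rule written in Snort 2 syntax using the `detection_filter` option, parses its options, and replays constructed traffic through an approximate model of that option. The window model is a simplification for illustration and is not Snort's own implementation; the `$HOME_NET`/`$EXTERNAL_NET` variables, the threshold of 500 SYNs per 10 seconds, and all addresses and timings are assumptions.

```python
"""Model of a custom Snort rule with a detection_filter, run over constructed traffic.

Added example, not code from the page or from Snort. The rule text is the kind of local
rule an administrator would write; the window model approximates detection_filter
semantics (count matching packets per tracked host within 'seconds' and fire from the
count-th packet on) and is not Snort's implementation. All traffic below is constructed.
"""
from collections import defaultdict, deque, namedtuple

# Local rules use sid >= 1000000 so they never collide with distributed rulesets.
# Without the detection_filter this rule would alert on every single SYN.
LOCAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any ('
    'msg:"LOCAL SYN flood toward gateway"; flags:S; '
    'detection_filter:track by_dst, count 500, seconds 10; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)

Packet = namedtuple("Packet", "t src dst flags")  # t is seconds since capture start


def parse_rule_options(rule):
    """Split a rule's option body into {keyword: value}; values are assumed not to contain ';'."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def parse_detection_filter(spec):
    """'track by_dst, count 500, seconds 10' -> {'track': 'by_dst', 'count': 500, 'seconds': 10}."""
    fields = dict(part.split(None, 1) for part in (p.strip() for p in spec.split(",")))
    return {"track": fields["track"], "count": int(fields["count"]), "seconds": int(fields["seconds"])}


class DetectionFilter:
    """Sliding-window rate gate keyed by source or destination host (simplified model)."""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = defaultdict(deque)

    def fires(self, pkt):
        key = pkt.dst if self.track == "by_dst" else pkt.src
        q = self.windows[key]
        while q and pkt.t - q[0] >= self.seconds:  # expire timestamps outside the window
            q.popleft()
        q.append(pkt.t)
        return len(q) >= self.count


def run_rule(rule, packets):
    """Return (t, src, dst) for every packet the rule would alert on."""
    opts = parse_rule_options(rule)
    gate = DetectionFilter(**parse_detection_filter(opts["detection_filter"]))
    wanted_flags = opts.get("flags", "")
    alerts = []
    for p in packets:
        if p.flags != wanted_flags:  # flags:S means only a bare SYN matches
            continue
        if gate.fires(p):
            alerts.append((p.t, p.src, p.dst))
    return alerts


GATEWAY = "198.51.100.1"  # assumed address of the business's gateway router


def normal_traffic():
    """One client opening 20 connections over a minute: far below 500 SYNs per 10 s."""
    return [Packet(3.0 * i, "192.0.2.10", GATEWAY, "S") for i in range(20)]


def flood_traffic(n=600, sources=40, duration=2.0, start=100.0):
    """600 SYNs in 2 s from 40 spoofed addresses (15 each): small, but enough to trip the rule."""
    return [
        Packet(start + i * duration / n, f"203.0.113.{i % sources + 1}", GATEWAY, "S")
        for i in range(n)
    ]


if __name__ == "__main__":
    print("normal traffic:", len(run_rule(LOCAL_RULE, normal_traffic())), "alerts")
    flood = run_rule(LOCAL_RULE, flood_traffic())
    print("flood, track by_dst:", len(flood), "alerts, first at t=%.3f" % flood[0][0])
    # Tracking by source sees only 15 SYNs per spoofed address and never fires.
    by_src = run_rule(LOCAL_RULE.replace("by_dst", "by_src"), flood_traffic())
    print("flood, track by_src:", len(by_src), "alerts")
```

Two design points the run makes visible: tracking `by_dst` is what lets a flood from many spoofed addresses add up against the one gateway (the same rule with `track by_src` stays silent), and once the threshold is crossed a `detection_filter` rule alerts on every further matching packet, so in production it is normally paired with an `event_filter` of type `limit` in Snort's threshold configuration to keep the alert log readable.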
With this IDS at the outside edge of the network, inspecting all internet traffic, the network is much less likely to be crippled by an attack that nobody knows is happening, like the earlier DDoS. Had this system been in place before the attack on Cube Farm, the administrator would have seen the alerts identifying it as a DDoS and could have started on mitigation right away instead of wasting time trying to determine the source of the issue by calling the ISP and analyzing the router's configuration. An IDS detects rather than blocks, so stopping a flood of this size would still have required upstream filtering, but the administrator would have known what to ask the ISP for and when.