Modern distributed data communication systems are comprised of hardware and software that facilitate the creation, manipulation, and transmission of data across multiple computers, networks, and servers. With so many components that make up these complex systems come numerous vulnerabilities that can be exploited to compromise the integrity or availability of the data they were designed to support. These multiple attack vectors require a multi-tiered defense strategy, known as defense in-depth (Stewart, Tittel & Chapple, 2013). Data communication networks have multiple ingress and egress points throughout the design where data enters and leaves the network. These boundaries exist between different segments of a corporate network. One such boundary is between the network backbone and the remote sites. Other examples are between the backbone and Internet-facing demilitarized zones (DMZs) where resources such as web servers exist, and between the backbone and the Internet.
This logical segmentation is necessary to define limitations for broadcast communication protocols, to isolate types of systems and data, and also to apply security policy specific to those systems and data (Oppenheimer, 2011). The Open Systems Interconnection (OSI) model of data communication is a model that defines how computers communicate with one another, agnostic of specific hardware, software, and protocols. Purpose-built computers known as ‘firewalls’ are deployed at the ingress and egress points of a network to monitor traffic at the lower layers (one through three) of the OSI model. Network Intrusion Detection/Prevention Systems (NIDS/NIPS) are also purpose-built computers that inspect network data more closely at layers four through seven of the OSI model. Once traffic has been permitted through the firewall, IDPS appliances inspect the actual contents of the data packet, and match those contents against vendor-provided signatures (Beale, Baker, Esler & Northcutt, 2009).
Firewalls and NIDS/NIPS systems are deployed to monitor data-in-motion as it traverses the network. Workstations and servers are the final destination of most network traffic. Once the data arrives at these hosts, the information is considered data-at-rest. Here too, the data must be protected. Host-based Intrusion Detection Systems (HIDS) and Antivirus (AV) solutions are installed on these hosts to ensure no malicious code has made it to the host and is actively compromising its data. The purpose of this paper is to inform the reader of the multiple layers of data communication technology, and how deploying an multiple layers of defense mechanisms provide the best protection against malicious software pervasive on the Internet. Introduction
Since the advent of the computer, programmers have realized that software can be manipulated for purposes other than it was originally created. All programmers have a bit of a hacker mentality. In fact, the word ‘hacker’ did not begin as a negative term. The word originated in early computing communities such as that at the Massachusetts Institute of Technology in the 1960’s (Raymond, 2001).
It referred to someone who was skilled in computers and enjoyed solving problems and pushing the limits of what was possible. It was hackers who created the Internet, the World Wide Web, and the Linux operating system. (Raymond). Not all hackers were benevolent, however. Some wanted to create chaos or gain access to data for which they were not authorized. In the early days, this required physical access to the computer. When computers were first networked with the Department of Defense-designed Advanced Research Projects Agency Network (ARPANet) in the 1960s, suddenly hackers could exploit weaknesses on remote computers (McQuade, 2009).
As computers at colleges and universities throughout the country became interconnected, more reports of computer pranks and abuses came rolling in to administrators (McQuade). From ARPAnet grew the Internet, and with it, more hackers with more connections to other computers. New methods for violating the integrity of hardware and software were devised. At first, malicous software (later known as malware) came in the form of viruses, called such due to their ability to replicate themselves initially via floppy disk, and later over networks. Soon, trojans, which disguise themselves as legitimate programs, became prevalent. The concept of network security was a reaction to these attacks, and was born of necessity (Newman, 2010).
Data Communications – the OSI Model
The original model of network communications upon which ARPANet was based was called, appropriately enough, the DoD Internet Architecture Model (Cerf & Cain, 1983). From those early beginnings, new applications were created that made use of the new-found interconnectivity between computers. Out of the DoD model came a new model that better represented the new uses. This new model was called the Open Systems Interconnection (OSI) model. There are seven layers of the OSI model that describe different functions of data communication (see Figure 1). Layers one through seven are, in order: Physical, Data Link, Network, Transport, Session, Presentation, and Application (Stewart, Tittel & Chapple, 2013). Media Layers
The first three layers are referred to as the media layers (McMillan, 2012). The bottom layer is the Physical layer and consists of computers, cabling, leased data communication lines such as T1s and DS3s, and historically, plain old telephone service (POTS) lines. The second layer is called Data Link, and is responsible for formatting the data from the physical layer into a transmission format, called frames. Third is the Network layer which takes the frames and forms packets with source and destination address information. This is where network routing protocols such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) do their work (Stewart, Tittel & Chapple, 2013).
The top four layers of the OSI model are considered host layers, and are handled by the computers on either end of the communication (McMillan, 2012). The fourth layer is the Transport layer, and it defines standards for how communication and error correction will occur. Fifth is the session layer, and it is responsible for carrying out the standards defined by the Transport layer. The Presentation layer is layer six, and it defines standards for file types including JPEG, MP3, and DOC files. Last is the Application layer, which determines how to present the documents to the user. Each layer of the OSI model is potentially a target for hackers and malicious code. To provide end-to-end protection, a multi-tiered security approach must be taken. Firewalls, Intrusion Detection/Prevention Systems, Host-based Intrusion Detection Systems (HIDS), and antivirus software all play a key role in providing defense in-depth.
Firewalls operate at the second and third layer of the OSI model, known as the Data Link and Network layers, respectively. Firewalls do not care what type of data is contained within the data packets, only the source, destination, and encapsulation protocol being used to transmit the data. Firewall administrators define a specific set of rules, known as a policy, that determine whether traffic is permitted inbound or outbound of the network boundary. A good firewall policy is the first line of defense for data entering and leaving a network. Network Intrusion Detection/Prevention Systems (IDPS)
Network Intrusion Detection/Prevention Systems (NIDS/NIPS) are deployed on the inside of the firewall, and inspect the host layers of the packet before they actually reach the host, where they can do damage . When the IDPS device is deployed ‘inline’, the appliance is able to block the traffic interactively (see Figure 2). This is known as Intrusion Prevention Mode, and the system is an Intrusion Prevention System (IPS). When the traffic is copied from a network switch to the device (spanned) and only alarms but does not block traffic, it is considered to be in Intrusion Detection Mode, and is referred to as an IDS (Intrusion Detection System). IPS deployments are considered ‘active’ while IDS deployments are ‘passive’.
Each malicious piece of code or network traffic has its own fingerprint. This permits IDPS vendors to create and maintain thousands of signatures that search for these known characteristics in the data stream. The sensor looks for properties of the data that are indicative of malicious traffic like Denial-of-Service (DoS) attacks, malware such as worms and viruses, and exploitation of vulnerabilities in common software packages and operating systems. These attacks are created for various purposes ranging from simply causing havoc on a network, to stealing company or state secrets, and gathering personally-identifiable information (PII) such as social security numbers, credit card numbers, and banking information. New vulnerabilities and malicious code to exploit those weaknesses are discovered and created every day. For this reason, IDPS vendors are constantly creating new signatures, updating old ones, and releasing updates to their customers.
User-defined Custom Signatures IDPS platforms also support the creation of custom user-defined signatures that provide a way for security engineers to block or alarm on traffic that is important to their organization, though it may not warrant inclusion in the signatures released by the vendors. While each IDPS platform provides an interface for creating custom signatures, their functionality is proprietary to that vendor, and is not universal.
This does not make it easy to share known signatures throughout the security community. SNORT is an open source language created specifically for custom IDPS signatures, and is supported by all major IDPS vendors. When new threats are discovered, the security community shares their latest signatures in SNORT format. An IDPS administrator is able to download the SNORT signature and import it into their IDPS solution even before the vendor is able to release a signature designed specifically for their platform. Host-based Intrusion Detection Systems
Host-based Intrusion Detection Systems (HIDS) are software agents that run locally on laptops, workstations and servers that monitor the internals of operating systems for evidence of suspicious or malicious activity (Newman, 2010). While the network IDPS is monitoring the datastream as it traverses the network (data-in-motion), HIDS agents monitor the host systems themselves for anything that was able to get past the firewall and IDPS device (data-at-rest), providing defense in-depth against malicous software.
Like network IDPS platforms, vendors of HIDS software release regular signature updates for their applications that facilitate the discovery of the latest threats and vulnerabilities that could affect the operating system on which the HIDS agent is installed. Security engineers taylor their HIDS policies based on the operating systems deployed within their organization by disabling signatures that are not relevant to their infrastructure. Antivirus
Antivirus (AV) software has a role very similar to HIDS agents. The primary difference between the two centers around what each focuses on to detect malware. The HIDS agent monitors system files and logs for unauthorized changes to those files. Antivirus software scans the computer for files that do not belong on a system, and for changes to known application files (Greensmith & Aickelen, 2005). Like NIDS and HIDS platforms, AV vendors release regular signature updates for their software that look for characteristics of files that are known to contain malicious code. Summary
Defense in-depth involves inspecting computer data at every opportunity. Firewalls provide the first level of support, inspecting traffic at the media layers as soon as it attempts to cross a network boundary. Network Intrusion Detection/Prevention Systems (NIDS/NIPS) inspect data within network traffic for known malicious fingerprints before it gets to the host. IDPS is deployed right after the firewall as traffic is entering the network, and can be deployed in monitoring mode (IDS), or blocking mode (IPS). IDS or passive mode receives a copy of data from a network switch, and alarms if something malicious is detected. IPS or blocking mode puts the sensor behind the firewall in the data stream, where it can proactively block any traffic that matches a known fingerprint. Firewalls and NIDS/NIPS systems provide protection for data-in-motion.
Data-at-rest is monitored and scanned by Host-based Intrusion Detection Systems (HIDS) to monitor system files and logs, and Antivirus (AV) software that scans files for known characteristics of malware. Implementing all of these solutions across the data enterprise is the best defense against the onslaught of malware that traverses the Internet. I actually will echo my feedback from the white paper draft – however, the penalties are more severe because you did not respond to feedback regarding APA citations. Since you did not respond to feedback, the 33 points in this area are substantially impacted (-20). Since some content was discredited, another 15 points will be deducted. From white paper draft:
” Good writing approach – neutral, objective and professional. You need some in text citations in several areas, and this is actually this largest source of point deductions in this paper. Aside from that, it is a good foundation for the final paper – build on current methods, practices and software for protecting software in this area.” Final grade: 65/100; D
Beale, J., Baker, A. R., Esler, J., & Northcutt, S. (2009). Snort, ids and ips toolkit. Syngress Media Inc. Cerf, V. G., & Cain, E. (1983). The DoD internet architecture model. Computer Networks (1976), 7(5), 307-318. doi:10.1016/0376-5075(83)90042-9 Greensmith, J., & Aickelen, U. (2005). Firewalls, intrusion detection systems and anti-virus scanners. School of Computer Science and Information Technology, University of Nottingham, Jubiliee Campus, Nottingham, UK. , Available from Academia.edu. Retrieved August 3, 2013 from http://www.academia.edu/780147/Firewalls_Intrusion_Detection_and_Anti-virus_Scanners
McMillan, T. (2012). Cisco networking essentials. Indianapolis, Ind: John Wiley & Sons.
McQuade, S. C., & ebrary, I. (2009). Encyclopedia of cybercrime. Westport, Conn: Greenwood Press. Newman, R. C. (2010). Computer security: Protecting
digital resources. Sudbury, Mass: Jones and Bartlett Publishers.
Oppenheimer, P. (2011). Top-down network design. (3rd ed.). Indianapolis, Ind: Cisco Press.
Raymond, E. S. (2001). How to become a hacker. Retrieved from http://catb.org/~esr/faqs/hacker-howto.html Stewart, J. M., Tittel, E., & Chapple, M. (2013). Cissp, certified information systems security professional study guide. (5th ed. ed.). Indianapolis: Sybex.