4.03-Deploy Network Intrusion Detection System
Task: Deploy Network Intrusion Detection System
Conditions
Deploy: IR Team supporting a mission partner or Guardnet/DoDIN enclave without appropriate Network IDS or IPS installations.
Evaluate: IR Team supporting a mission partner or Guardnet/DoDIN enclave with access to appropriate systems / capabilities to evaluate existing Network IDS or IPS installations.
Standards
Deploy: Same as Evaluate (below), except that it also includes assessing mission partner or Guardnet/DoDIN enclave networks for placement of IDPS capabilities. Additionally, as requested or directed, deploy IDPS capabilities. Once deployed, conduct the Evaluate process to assess operational effectiveness.
* Identify and prepare Detection Systems.
  * Find what systems are available or what is necessary to the Mission (likely to be directed if the Unit is not allowed).
  * Identify/rate strengths and weaknesses of systems.
  * Install necessary programs/systems critical to the Mission.
* Identify or obtain login credentials.
  * Obtain IP path to login.
  * Obtain/create User ID to login.
  * Obtain/create Password (ensure strong password creation).
  * Test accessibility.
    * Connect to the system with credentials.
    * Report inconsistencies.
* Develop the detection scheme.
  * Establish detection plan following the evaluation of the network (see below).
  * Re-evaluate and continue to develop improved detection throughout the mission.
Evaluate (and assess):
* Identify and correlate the current system to typical components and network architectures. Build or utilize a Common Operating Picture for the team (see Figures 4-2 and 4-3, below).
* Identify/locate potential entry points to the network.
  * Identify Internet entry points.
  * Identify "contained" wireless connections within the network.
* Identify/locate choke points and firewalls.
  * Identify locations on the network where information traffic must travel.
  * Identify firewall control points and what is "protected by" each firewall.
  * Grade firewalls on placement (use Figures 4-2 and 4-3 to determine standards).
  * Grade protection of zones with independent fail conditions as safer (i.e. if Zone A's firewall is lost, is Zone B compromised as well? Does a compromise fail a switch/router critical to multiple Zones?).
* Identify/locate current detection systems and sensors.
  * Identify where detection systems are located on the network.
  * Identify where on the system sensors are installed.
  * Identify path(s) from the IR Team entry point to the detection system(s).
  * Identify paths from the detection system(s) to the network sensors.
  * Grade said sensors based on choke point vulnerabilities and Zones covered.
* Identify the full system maintenance schedule.
  * Patch schedule for network component firmware (routers, switches, etc.).
  * Patch schedule for each firewall.
  * Patch/update schedule for the detection system.
  * Grade how often updates are released for each related component and whether the equivalent components in place are capable of receiving them.
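As an added example (not part of this SOP or any unit's tooling), a small Python model that applies the choke-point, zone-coverage and independent-fail criteria above to a constructed enclave; the node names, links, entry points and sensor locations are all assumptions made for illustration.

```python
from collections import defaultdict
# Constructed sample enclave (assumed, not a real network): pairs are links; the Internet and an in-zone wireless AP are entry points.
LINKS = [("internet", "edge-fw"), ("edge-fw", "core-switch"),
         ("core-switch", "fw-a"), ("fw-a", "zone-a"),
         ("core-switch", "fw-b"), ("fw-b", "zone-b"),
         ("wifi-ap", "zone-a")]  # "contained" wireless entry into Zone A
ENTRY_POINTS = {"internet", "wifi-ap"}
ZONES = {"zone-a", "zone-b"}
SENSORS = {"edge-fw", "fw-b"}  # assumed IDS sensor locations

def build_graph(links):
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return dict(g)

def reachable(g, start, removed=frozenset()):
    """Nodes reachable from start once the nodes in `removed` are lost."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen and n not in removed:
            seen.add(n)
            stack.extend(g.get(n, ()))
    return seen

def choke_points(g, entry, zones):
    """Node -> zones whose traffic from `entry` must cross it (its loss cuts them off)."""
    live = zones & reachable(g, entry)
    result = {}
    for node in set(g) - zones - {entry}:
        cut = live - reachable(g, entry, {node})
        if cut:
            result[node] = cut
    return result

def grade_sensors(g, entries, zones, sensors):
    """Per entry point: zones with no sensor on their inbound path, and unmonitored choke points."""
    report = {}
    for e in sorted(entries):
        cp = choke_points(g, e, zones)
        covered = set().union(*(cp.get(s, set()) for s in sensors))
        report[e] = {"uncovered_zones": sorted((zones & reachable(g, e)) - covered),
                     "unmonitored_choke_points": sorted(set(cp) - sensors)}
    return report

def shared_fail_points(g, entry, zones):
    """Independent-fail check: nodes whose loss takes more than one zone down at once."""
    return {n: sorted(z) for n, z in choke_points(g, entry, zones).items() if len(z) > 1}
```

Running grade_sensors on the sample shows Zone A is unmonitored when entered through the wireless AP even though the Internet path is covered, and shared_fail_points flags the core switch as a single failure that takes both zones down.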
Components and Architecture
* Typical Components
* Network Architectures
Security Capabilities
* Information Gathering Capabilities
* Logging Capabilities
* Detection Capabilities
* Prevention Capabilities
Management
* Implementation
* Operation and Maintenance
Considerations include both Wired and Wireless network IDPS capabilities.