4.03-Deploy Network Intrusion Detection System
Task: Deploy Network Intrusion Detection System
Conditions
Deploy: IR Team supporting a mission partner or Guardnet/DoDIN enclave without appropriate Network IDS or IPS installations.
Evaluate: IR Team supporting a mission partner or Guardnet/DoDIN enclave with access to appropriate systems / capabilities to evaluate existing Network IDS or IPS installations.
Standards
Deploy: Same as Evaluate (below), with the exception of assessing mission partner or Guardnet/DoDIN enclave networks for placement of IDPS capabilities. Additionally, as requested or directed, deploy IDPS capabilities. Once deployed, conduct the Evaluate process to assess operational effectiveness.
- Identify and prepare Detection Systems.
  - Find what systems are available or what is necessary to the Mission (likely to be directed if the Unit is not allowed to choose).
  - Identify/rate strengths and weaknesses of systems.
  - Install necessary programs/systems critical to the Mission.
- Identify or obtain login credentials.
  - Obtain IP path to login.
  - Obtain/create User ID to login.
  - Obtain/create Password (ensure strong password creation).
  - Test accessibility.
  - Connect to the system with credentials.
  - Report inconsistencies.
- Develop the detection scheme.
  - Establish detection plan following the evaluation of the network (see below).
  - Re-evaluate and continue to develop improved detection throughout the mission.
Evaluate (and assess):
- Identify and correlate the current system to typical components and network architectures. Build or utilize a Common Operating Picture for the team (see Figures 4-2 and 4-3, below).
- Identify/locate potential entry points to the network.
  - Identify Internet entry points.
  - Identify "contained" wireless connections within the network.
- Identify/locate choke points and firewalls.
  - Identify locations on the network where information traffic must travel.
  - Identify firewall control points and what is "protected by" the wall.
  - Grade firewalls on placement (use Figures 4-2 and 4-3 to determine standards).
  - Grade protection of zones with independent fail conditions as safer (i.e. if Zone A's firewall is lost, is Zone B compromised as well? Does a compromise take down a switch/router critical to multiple Zones?).
- Identify/locate current detection systems and sensors.
  - Identify where detection systems are located on the network.
  - Identify where on the system sensors are installed.
  - Identify path(s) from the IR Team entry point to the detection system(s).
  - Identify paths from the detection system(s) to the network sensors.
  - Grade said sensors based on choke point vulnerabilities and Zones covered.
- Identify the full system maintenance schedule.
  - Patch schedule for network component firmware (routers, switches, etc.).
  - Patch schedule for each firewall.
  - Patch/update schedule for the detection system.
  - Grade how often each related patch update is available and whether the equivalent components are capable of applying it.
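The choke point, shared-failure and sensor coverage steps above can be worked mechanically once the Common Operating Picture is written down as a graph. The following is an added example, not part of the task standard or any unit's tooling: it uses a constructed topology (all node names are made up) and reports, for each zone, which nodes every path from the Internet entry point must cross, which of those nodes are shared between zones (so one failure affects several zones), and whether an IDS sensor tap sits on one of them.

```python
from collections import deque

# Constructed topology (adjacency list); "internet" is the external entry point.
LINKS = {
    "internet": {"fw_edge"},
    "fw_edge": {"internet", "core_switch"},
    "core_switch": {"fw_edge", "fw_a", "fw_b", "dist_switch"},
    "dist_switch": {"core_switch", "fw_b"},          # redundant path into fw_b
    "fw_a": {"core_switch", "zone_a"},
    "fw_b": {"core_switch", "dist_switch", "zone_b"},
    "zone_a": {"fw_a"},
    "zone_b": {"fw_b"},
}
ZONES = ("zone_a", "zone_b")
# Nodes where a sensor tap (e.g. SPAN port) sees all traffic crossing that node.
SENSOR_TAPS = {"fw_a"}

def reachable(links, start, removed=frozenset()):
    """Breadth-first search from start, treating nodes in `removed` as failed."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def choke_points(links, zone, entry="internet"):
    """Nodes every entry-to-zone path must cross: removing one cuts the zone off."""
    if zone not in reachable(links, entry):
        return set()  # zone is already unreachable; nothing to grade
    return {n for n in links if n not in (entry, zone)
            and zone not in reachable(links, entry, frozenset([n]))}

def assess(links, zones, sensor_taps, entry="internet"):
    """Choke points per zone, nodes critical to several zones, and sensor coverage."""
    chokes = {z: choke_points(links, z, entry) for z in zones}
    shared = {n for n in set.union(*chokes.values())
              if sum(n in c for c in chokes.values()) > 1}
    # A zone is fully monitored only if a tap sits on a node all its traffic crosses.
    covered = {z: bool(chokes[z] & sensor_taps) for z in zones}
    return {"choke_points": chokes, "shared": shared, "covered": covered}

if __name__ == "__main__":
    report = assess(LINKS, ZONES, SENSOR_TAPS)
    for zone in ZONES:
        print(zone, sorted(report["choke_points"][zone]),
              "monitored" if report["covered"][zone] else "NOT monitored")
    print("shared choke points:", sorted(report["shared"]))
```

In the constructed topology, zone_b's second path through dist_switch removes dist_switch from its choke points, but core_switch and fw_edge remain shared failure points for both zones, and zone_b has no tap on any node all of its traffic must cross.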
Components and Architecture
- Typical Components
- Network Architectures
Security Capabilities
- Information Gathering Capabilities
- Logging Capabilities
- Detection Capabilities
- Prevention Capabilities
Management
- Implementation
- Operation and Maintenance
Considerations include both wired and wireless network IDPS capabilities.