4.03-Deploy Network Intrusion Detection System

Task: Deploy Network Intrusion Detection System

Conditions

Deploy: IR Team supporting a mission partner or Guardnet/DoDIN enclave without appropriate Network IDS or IPS installations.
Evaluate: IR Team supporting a mission partner or Guardnet/DoDIN enclave with access to appropriate systems / capabilities to evaluate existing Network IDS or IPS installations.

Standards

Deploy: Same as Evaluate (below), except that it also includes assessing mission partner or Guardnet/DoDIN enclave networks for placement of IDPS capabilities. Additionally, as requested or directed, deploy IDPS capabilities. Once deployed, conduct the Evaluate process to assess operational effectiveness.

  • Identify and prepare Detection Systems.
    • Find which systems are available, or which are necessary to the Mission (likely to be directed if the Unit is not allowed to choose).
    • Identify/Rate strengths and weaknesses of systems.
    • Install necessary programs/systems critical to Mission.
  • Identify or obtain login credentials.
    • Obtain IP path to login.
    • Obtain/create User ID to login.
    • Obtain/create Password (ensure strong password creation).
  • Test accessibility.
    • Connect to the system with credentials.
    • Report inconsistencies.
  • Develop the detection scheme.
    • Establish detection plan following the evaluation of the network (see below).
    • Re-evaluate and continue to develop improved detection throughout the mission.
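The "Test accessibility" step above (connect to the system over the IP path handed over with the credentials, then report inconsistencies) can be scripted so the result is a list of deviations from the access plan rather than a notebook entry. The script below is an added example, not part of the handbook or of any IDPS product; the target names, ports and "expected" states are constructed sample values, and a local TCP listener stands in for a reachable sensor console so the script runs offline. Only the TCP handshake is attempted; no credentials are sent.

```python
"""Accessibility test for the IDS/IPS management path.

Added example, not from the handbook: for each detection system the team
expects to reach, attempt a TCP connection over the IP path handed over with
the credentials, then report inconsistencies between the expected and the
observed state. Targets, ports and expectations below are constructed sample
values; the local listener stands in for a reachable IDS console.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass
class Target:
    name: str                 # label for the detection system (constructed)
    host: str                 # IP path / address the team was given
    port: int                 # management port (console or SSH)
    expected_reachable: bool  # what the hand-off said should be true


def check_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'reachable', 'refused', 'timeout' or 'error' for host:port.

    Only the TCP handshake is attempted; no credentials are sent, so the
    check can run before the login itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def report_inconsistencies(targets, timeout: float = 2.0):
    """One line per target whose observed state differs from the expected
    one; an empty list means the access plan checked out."""
    findings = []
    for t in targets:
        state = check_tcp(t.host, t.port, timeout)
        if (state == "reachable") != t.expected_reachable:
            want = "reachable" if t.expected_reachable else "unreachable"
            findings.append(f"{t.name} {t.host}:{t.port}: expected {want}, observed {state}")
    return findings


def start_sample_listener():
    """Constructed stand-in for a reachable console: a local TCP listener on
    an ephemeral port. Returns (server_socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Pick a local port that is not listening (constructed 'unreachable' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, up_port = start_sample_listener()
    targets = [
        Target("sensor-console", "127.0.0.1", up_port, expected_reachable=True),
        Target("spare-sensor", "127.0.0.1", closed_local_port(), expected_reachable=True),
    ]
    for line in report_inconsistencies(targets) or ["no inconsistencies"]:
        print(line)
    srv.close()
```

In use, replace the constructed targets with the IP path and port from the credential hand-off; a "timeout" result usually points at a filtered path (firewall or routing) while "refused" points at a host that is up but not listening on that port, which is the distinction worth recording when reporting inconsistencies.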

Evaluate (and assess):

  • Identify and correlate the current system to typical components and network architectures. Build or utilize a Common Operating Picture for the team (see Figures 4-2 and 4-3, below).
  • Identify/locate potential entry points to network.
    • Identify Internet entry points.
    • Identify “contained” wireless connections within the network.
  • Identify/locate choke points and firewalls.
    • Identify locations on the network where information traffic must travel.
    • Identify firewall control points and what each firewall protects.
    • Grade firewalls on placement (use Figures 4-2 and 4-3 to determine the standard).
    • Grade protection of zones with independent fail conditions as safer (i.e., if Zone A's firewall is lost, is Zone B compromised as well? Does a compromise take down a switch/router critical to multiple zones?).
  • Identify/locate current detection systems, and sensors.
    • Identify where detection systems are located on the network.
    • Identify where on the system sensors are installed.
    • Identify path(s) from the IR Team entry point to the detection system(s).
    • Identify paths from the detection system(s) to the network sensors.
    • Grade each sensor on which choke-point vulnerabilities and which zones it covers.
  • Identify full system maintenance schedule.
    • Patch schedule for network component firmware (routers, switches, etc.).
    • Patch schedule for each firewall.
    • Patch/update schedule for detection system.
    • Grade how often patches are released for each related component and whether the deployed equivalents are capable of taking them.
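The choke-point, firewall-zoning and sensor-placement items of the Evaluate checklist above are mechanical once the network is written down as a map, so they can be graded by script and re-run each time the Common Operating Picture changes. The code below is an added example, not the handbook's own tooling: the topology, zone names, firewall and sensor positions are a constructed sample (the node labels are illustrative, not a real enclave). A choke point is taken to be any node that every path from an entry point to a zone must traverse; a zone counts as sensor-covered when a sensor sits on one of its choke points; and the independent-fail grading models a "lost" firewall as one that now passes all traffic. It goes slightly beyond the checklist in that it scores every entry point, including a contained wireless entry, against every zone rather than one pair at a time.

```python
"""Grade IDS sensor placement and firewall zoning on a network map.

Added example, not part of the handbook: topology, zone names, firewalls
and sensor positions are a constructed sample. Nodes every entry-to-zone
path must traverse are the choke points; a lost firewall is modelled as
one that passes all traffic.
"""
from collections import deque

# Constructed sample map as (node, node) links; names are illustrative only.
SAMPLE_EDGES = [
    ("INET", "FW-A"), ("FW-A", "CORE"),
    ("CORE", "SW-A"), ("SW-A", "ZONE-A"),
    ("CORE", "FW-B"), ("FW-B", "SW-B"), ("SW-B", "ZONE-B"),
    ("CORE", "SW-C"), ("SW-C", "ZONE-C"),
    ("WLAN", "SW-A"),            # wireless entry that lands behind FW-A
]
ENTRIES = {"INET", "WLAN"}       # potential entry points
ZONES = {"ZONE-A", "ZONE-B", "ZONE-C"}
FIREWALLS = {"FW-A", "FW-B"}
SENSORS = {"CORE"}               # where the IDS sensor taps traffic

def build_graph(edges):
    """Undirected adjacency map from a list of links."""
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g

def reachable(g, src, dst, removed=frozenset()):
    """Breadth-first search from src to dst, ignoring the 'removed' nodes."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return True
        for m in g[n]:
            if m not in seen and m not in removed:
                seen.add(m)
                queue.append(m)
    return False

def choke_points(g, src, dst):
    """Nodes every path from src to dst must traverse (None if unreachable)."""
    if not reachable(g, src, dst):
        return None
    return {n for n in g if n not in (src, dst) and not reachable(g, src, dst, {n})}

def grade_zone(g, entry, zone, sensors, firewalls):
    """Reachability from the entry, plus whether every path crosses a sensor and a firewall."""
    cps = choke_points(g, entry, zone)
    if cps is None:
        return {"reachable": False, "sensor_covered": None, "firewalled": None}
    return {"reachable": True, "choke_points": cps,
            "sensor_covered": bool(cps & sensors),
            "firewalled": bool(cps & firewalls)}

def shared_choke_points(g, entry, zones):
    """Choke points from one entry that serve several zones: one device whose loss hits them all."""
    shared = {}
    for z in zones:
        for n in choke_points(g, entry, z) or set():
            shared.setdefault(n, set()).add(z)
    return {n: zs for n, zs in shared.items() if len(zs) > 1}

def firewall_fail_impact(g, entries, zones, firewalls):
    """Per firewall, the zones left with no firewall on some entry path once it is lost."""
    impact = {}
    for fw in firewalls:
        remaining = firewalls - {fw}
        lost = set()
        for e in entries:
            for z in zones:
                cps = choke_points(g, e, z)
                if cps and cps & firewalls and not cps & remaining:
                    lost.add(z)
        impact[fw] = lost
    return impact

def assess(edges, entries, zones, firewalls, sensors):
    """Run the checklist over the map and return the findings as text lines."""
    g = build_graph(edges)
    findings = []
    for e in sorted(entries):
        for z in sorted(zones):
            r = grade_zone(g, e, z, sensors, firewalls)
            if not r["reachable"]:
                continue
            if not r["firewalled"]:
                findings.append(f"{z} reachable from {e} with no firewall on the path")
            if not r["sensor_covered"]:
                findings.append(f"{z} reachable from {e} without passing a sensor")
        for n, zs in sorted(shared_choke_points(g, e, zones).items()):
            findings.append(f"{n} is a single choke point from {e} for {', '.join(sorted(zs))}")
    for fw, lost in sorted(firewall_fail_impact(g, entries, zones, firewalls).items()):
        if len(lost) > 1:
            findings.append(f"loss of {fw} removes firewall coverage from {', '.join(sorted(lost))}")
    return findings

if __name__ == "__main__":
    for line in assess(SAMPLE_EDGES, ENTRIES, ZONES, FIREWALLS, SENSORS):
        print(line)
```

On the constructed map the findings are the ones the checklist is looking for: the wireless entry reaches ZONE-A and ZONE-C without crossing a firewall and reaches ZONE-A without crossing the sensor, CORE and FW-A are single choke points for all three zones, and losing FW-A strips firewall coverage from ZONE-A and ZONE-C together (a shared fail condition, graded less safe under the checklist), whereas losing FW-B affects ZONE-B alone.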

Components and Architecture

  • Typical Components
  • Network Architectures

Security Capabilities

  • Information Gathering Capabilities
  • Logging Capabilities
  • Detection Capabilities
  • Prevention Capabilities

Management

  • Implementation
  • Operation and Maintenance

Considerations include both wired and wireless network IDPS capabilities.

End State

Notes

Manual Steps

Running Script

Dependencies

Other available tools

References

Revision History