Packet Capture and Intrusion Detection


Network Architecture Overview

Many commercial and community banks operate their own networks, and considerable effort goes into protecting these networks from unwarranted and unauthorized intrusion (Hossain, Ray, Bakkre, & Hannan, 2015). The mechanisms and strategies put in place protect customers' confidentiality and prevent the manipulation or distortion of data that could disrupt the running of the corporation. Hardware components and software are used together to keep the network safe from every form of intrusion and attack.

Data Transmission Components

User Datagram Protocol (UDP)

User Datagram Protocol (UDP) is an integral part of the Internet Protocol Suite. It is a connectionless protocol and an alternative to the Transmission Control Protocol (TCP). Data is transmitted over UDP as datagrams, each of which carries header information followed by the message in its data field. In the Open Systems Interconnection (OSI) model, UDP operates at the transport layer, carrying application traffic between a client and a server.

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is the protocol suite used to connect devices to the internet. In a private network, TCP/IP defines how data is transmitted over the network: how the data is broken into packets, what addresses are used, how the packets are routed, and how they are delivered to their intended destination.

Internet Packets

Business corporations and individuals send a huge volume of messages daily, and both expect those messages to be delivered quickly despite their volume. Data is therefore broken into small units called Internet packets, which allow high-speed transmission.

IP address schemes

Every device used to access the internet has an IP address, a numerical identifier assigned to each device on a given network. A network administrator has to assign IP addresses in an orderly manner to avoid confusion. IP addresses are allocated either in the 4-byte 32-bit format or in the newer 6-byte 128-bit format.

Well-known ports and applications

Every application is assigned a well-known port number, and the Internet Corporation for Assigned Names and Numbers (ICANN) assigns these numbers. Well-known ports range from 0-1023, whereas registered ports range from 1023-49152. Private ports are allocated from a different range, namely 49152-65535.
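To make the datagram structure described above concrete, here is an added example (not code from the essay) that parses a raw IPv4/UDP datagram, validates the header checksum and length fields, and classifies the destination port into the IANA port ranges. The sample datagram is constructed inside the block; the helper names are the author's own.

```python
import struct

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:                            # fold carries back into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_ipv4(buf: bytes) -> tuple:
    """Return the IPv4 header fields and the payload; reject short or corrupt headers."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = ver_ihl & 0x0F                      # header length in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 5 or ihl * 4 > total or total > len(buf):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(buf[:ihl * 4]) != 0:       # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    hdr = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "protocol": proto}
    return hdr, buf[ihl * 4:total]

def parse_udp(buf: bytes) -> tuple:
    """Return the 8-byte UDP header fields and the message that follows them."""
    if len(buf) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("UDP length field disagrees with packet size")
    return {"src_port": sport, "dst_port": dport, "checksum": csum}, buf[8:length]

def port_class(port: int) -> str:
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic/private."""
    return "well-known" if port <= 1023 else "registered" if port <= 49151 else "dynamic"

def build_udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample datagram for testing (UDP checksum left 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum field
    return ip + udp

def summarize(buf: bytes) -> dict:
    """What a capture tool would show for one datagram: addresses, protocol, port and its class."""
    ip, rest = parse_ipv4(buf)
    if ip["protocol"] != 17:                  # 17 = UDP, 6 = TCP
        return {**ip, "note": "not UDP"}
    udp, message = parse_udp(rest)
    return {**ip, "protocol": "UDP", "dst_port": udp["dst_port"],
            "port_class": port_class(udp["dst_port"]), "message_len": len(message)}
```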

Address

Sender or source that transmits a message

The sender has to ensure that its own address is in the header of the message and has to identify the recipient's address on the network. The message is encoded and transmitted over a medium; when the recipient receives it, the message is decoded and read, and the process begins all over again in the other direction.

Encoder used to code messages

Messages are transmitted over networks via various media. The Address Resolution Protocol (ARP) is used by one host to identify another host. A host can request the IP address of the recipient from the DNS server, and ARP then broadcasts the resolution request across the available network.

Medium or channel that carries message

A multiplexed medium can carry several signals at once. A radio channel may be used in a connectionless system, whereas in the traditional format cables and wires were used extensively. Channels have varying capacities, which are measured in terms of bandwidth. Messages may be carried over cables or broadcast over a wireless band.

Decoding mechanisms used

One decoding mechanism is the American Standard Code for Information Interchange (ASCII), in which numbers, letters, and uppercase and lowercase characters are represented systematically. Others include Neural Machine Translation, which encodes and decodes messages between two endpoints and guarantees security from any form of intrusion or interception.

Receiver or destination of signals

The IP address of the sender has to be included in the packet sent. Just like the sender's, the receiver's address has to be indicated in order to establish the path of transmission.


Intrusion Detection and Prevention Systems (IDS/IPS)

Numerous activities occur over the internet. Intrusion detection is the monitoring of the types of activity that occur on the network and the scrutiny of that activity for unauthorized and unwarranted intrusions by malicious actors. The network has to detect imminent system violations and serious threats. Prevention systems ensure that all access points available to the customer are safe and secure. Insecure events are detected, analyzed, and reported to the system administrators.

Firewalls that have been established

Firewalls are key security features in network architecture and prevent threats and intrusions into the system. However, attacks have become more sophisticated in recent times. Firewalls can monitor and scrutinize all traffic coming into and going out of the network to detect security threats.

Operating Systems and Software/Hardware Components

Threats are imminent in most private networks, because private networks need connections from various sources, especially over the internet (Launius, 2009). There are two forms of firewall: software firewalls and hardware firewalls. The former protect the operating systems used in the network architecture, while hardware firewalls use dedicated appliances to secure the perimeter of the network (Launius, 2009).

How banks use firewalls

Banks run many web-related applications. As the system administrator of a bank network, it is prudent to use a proxy firewall to filter out malicious websites and links. Software cannot detect all malicious activities and threats, so log management is used as well, whereby experts can review activity logs from across the network. The internet gateway acts as a firewall between the private and public networks.

How banks use IDS/IPS

Private networks have gained widespread use. A Virtual Private Network (VPN) can be used to reach the private network from anywhere in the world, so customers and employees can use their own devices to access it. IDS and IPS can detect any intrusion while at the same time monitoring traffic; they inspect the traffic passing through the devices used by the various parties.

Difference between these technologies

Firewalls control the flow of traffic and ensure that malicious traffic does not pass into the network. Additionally, a firewall enforces network rules on attributes such as the recipient's or sender's address and their respective ports, and packets that fail to match those rules are immediately rejected. An IDS or IPS, on the other hand, primarily reports when an intrusion has occurred.

Inclusions

Network infrastructure information

Network infrastructure comprises many interconnected elements and facilitates both internal and external communication. Network hardware and software are integrated to produce an efficient infrastructure; operating systems, software, and hardware components are all part of it. These components facilitate not only communication but also the management of the network system.

IP address schemes

An IP address scheme allocates addresses to the various devices in a network, which makes it easier for the various parties to identify each device. Subnets should be created to organise the network and host connections. The IP address scheme makes communication easier to arrange.

IP address assignment model

The IP addressing scheme should offer flexibility in the running of the bank, and routing becomes easy across all subnets. IP addresses make it easier for customers to use the latest networking technologies; for instance, VoIP is made easier by the existence of the IP addressing scheme.

Public and private addressing and addressing allocations

A public IP address is unique to a particular device. A private address, on the other hand, belongs to a device on a particular internal network and cannot be used to gain access to the internet directly. According to Cisco (2009), public addresses are assigned by the Internet Assigned Numbers Authority (IANA).

Identify potential risks in setting up an IP address scheme

If addressing is not handled properly, conflicts may arise from duplicate ("ghost") IP addresses, and messages may be delivered to the wrong host. Attacks on a network may also arise if traffic and IP addresses are not allocated well, and firewalls may block legitimate packets from entering the network if an address is not allocated appropriately.
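The two preceding sections (public versus private addressing, and the risks of a badly planned scheme) can be checked mechanically before a plan is rolled out. The following is an added example, not part of the essay, that audits a constructed branch-network address plan for overlapping subnets, duplicate ("ghost") assignments, hosts outside their subnet, and addresses of the wrong kind for their segment; the plan format and the RFC 1918 test are the author's own assumptions.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is treated here as public address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan for a small branch network (not from the essay); "expect"
# records whether a segment should hold private or public addresses.
SAMPLE_PLAN = {
    "branch-lan": {"subnet": "10.20.0.0/24", "expect": "private",
                   "hosts": {"teller-1": "10.20.0.11", "teller-2": "10.20.0.12", "printer": "10.20.0.11"}},
    "atm-vlan":   {"subnet": "10.20.1.0/26", "expect": "private",
                   "hosts": {"atm-1": "10.20.1.5", "atm-2": "10.20.1.80"}},
    "guest-wifi": {"subnet": "10.20.0.128/25", "expect": "private",
                   "hosts": {"kiosk": "10.20.0.200"}},
    "dmz":        {"subnet": "203.0.113.0/28", "expect": "public",
                   "hosts": {"web": "203.0.113.5", "mail": "192.168.9.9"}},
}

def address_kind(addr) -> str:
    return "private" if any(addr in net for net in RFC1918) else "public"

def check_plan(plan: dict) -> list:
    """Return one finding per problem: overlapping subnets, duplicate ('ghost') or
    out-of-subnet host addresses, and addresses of the wrong kind for their segment."""
    findings = []
    nets = {name: ipaddress.ip_network(seg["subnet"]) for name, seg in plan.items()}
    names = sorted(nets)
    for i, a in enumerate(names):                  # compare every pair of segments once
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    owner = {}                                     # address -> first host assigned it
    for name, seg in plan.items():
        net = nets[name]
        for host, text in seg["hosts"].items():
            addr = ipaddress.ip_address(text)
            if addr in owner:
                findings.append(f"duplicate: {addr} assigned to {owner[addr]} and {host}")
            owner.setdefault(addr, host)
            if addr not in net:
                findings.append(f"outside subnet: {host} {addr} is not in {name} {net}")
            kind = address_kind(addr)
            if kind != seg["expect"]:
                findings.append(f"address kind: {host} {addr} is {kind} but {name} expects {seg['expect']}")
    return findings
```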

Firewalls and IDS/IPS

Proxies are used to control what enters and leaves the bank's network. They also protect customers' and employees' details and information, for instance by filtering spam emails and applying other precautionary security measures. Firewalls control the traffic to ensure that hacking does not occur; unusually high traffic is a sign of it.

Well-known Ports and Applications being used by Banks

These are port numbers assigned to the various application endpoints that communicate using the Transmission Control Protocol or the User Datagram Protocol. Port numbers make it possible for applications on different computers to communicate by identifying each other through those numbers.

Risks

Sophisticated modes of attack have been developed. Attacks are random and may overwhelm the firewalls, IDS, and IPS, and current attacks may be too complicated for the current software, hardware, and operating systems. In some cases the configured security parameters do not detect the attack at all, and by the time an attack is detected, a lot of harm has already occurred.

Identifying Information Security Attacks

Model Network Architecture and IDS/Firewalls

Firewalls have to control the traffic entering a network. Packets also need to adhere to the network policy, which requires them to have well-formed headers and payloads. An IDS detects any form of intrusion and flags any packet that does not match a known event.

Possible Cyberattacks

Spoofing/cache poisoning attacks

This is a type of unauthorized intrusion into a network system. Corrupt domain-name records are introduced into caches; the caches then resolve the corrupt names, which redirects traffic to the computer being attacked. Firewalls become overwhelmed and cannot restrict the flow of traffic.

Session hijacking

In TCP, a hacker can secretly take over a web session and use it as if they were the legitimate user. The hacker achieves this by obtaining the session ID and can thereafter launch any activity in the network. The user loses control of their computer and has no control over what the hacker does.

Man-in-the-middle attacks

Both ends of a communication need to be protected, because an attacker can insert themselves into the communication medium between the two parties. Encrypted messages can then be deciphered, altered, re-encrypted, and re-sent, so the recipient receives distorted messages.

Techniques for monitoring against these attacks

  • Using two-factor authentication, whereby a user verifies their credentials from a second device.
  • Updating operating systems and software on a regular basis.
  • Visiting valid websites only and using strong, valid passwords.
  • Using white-hat hackers to test the network's vulnerabilities and conducting penetration tests to strengthen the system.

Cyber Offensive Operation – Honeypots

What are they?

These are measures put in place to prevent cyber-attacks from occurring. Cyber offensives define the mechanisms to be used in responding to cyber-attacks: researching how to combat them, offering operational and tactical support, and gathering the intelligence surrounding them.

How to set up an operation using one

  • Having white-hat hackers test the strength and vulnerabilities of the system.
  • Having a group of experts initiate counter-attack mechanisms in case of an attack.
  • Putting a robust defense mechanism in place.
  • Attacking the hackers before they attack is also an appropriate remedy.

What security and protection mechanisms need to be in place?

The network system, both software and hardware, must be updated regularly. Various attack mechanisms should be researched along with how to avert or control them. Experts need valuable intelligence and viable tactical support. Log management should be put in place to detect unusual activities that the software may be unable to detect and prevent.

What indicators in network traffic would lead you to believe they are working?

The firewall controls network traffic. If the traffic is massive and uncontrollable, the firewall is overwhelmed and an attack is underway. Additionally, such traffic can indicate a malware infection in the hardware parts of the computer. Corrupted domain names act in a similar manner, overriding all network policies set by the firewall while bombarding the target device with abnormal requests.

False Negatives and False Positives

Risks to Network Traffic Analysis and Remediation

Network traffic consists of packets. Traffic analysis examines the communication between two parties and looks for any abnormality; patterns are derived from the communicating packets. Since different vendors offer different products, a customer may decide to use different products for the same task. Additionally, the network security configurations have to be revised regularly.

Resources on False Positives and False Negatives

They occur in the performance of Intrusion Detection Systems and Intrusion Prevention Systems in a network. False negatives and false positives are measured from real-world traffic. The two categories exist because not all traffic detected and blocked by an IDS/IPS is a real attack; sometimes it is traffic caused by poorly coded software rather than an intrusion.

What are they?

When the Intrusion Detection System and the Intrusion Prevention System detect traffic in a network and identify it as a malicious attack when it is in fact normal traffic, that is a false positive. On the other hand, when malicious traffic is classified as normal, that is a false negative.

How they are determined

When the Intrusion Detection System detects an abnormality, it triggers the Intrusion Prevention System to act and protect the system. However, some traffic on the network could be due to outdated software that has yet to be updated, which causes unnecessary preventive measures to be taken. In the false negative case, an attack may masquerade as regular activity in the network; alternatively, the IDS/IPS may be overwhelmed and fail to detect the traffic even while an attack is occurring.

How they are tested

A network expert is tasked with checking all ports and addresses in the system. If TCP/UDP are handling more datagrams and packets than they are supposed to, an attack is underway. The IDS/IPS may not be accurate all the time, especially when attackers launch a snow-attack, in which case it becomes hard to detect any abnormality.

Which is riskier to the health of the network?

A false negative may cause detrimental damage to the network, because an attack can occur while no precautionary measure is taken. By the time the network security experts act, a lot of damage will have happened. Additionally, false negatives can allow numerous attacks to be launched on different occasions and go undetected.

Testing for False Negatives and False Positives

Using tools such as IDS and firewalls

IDS and firewalls play a pivotal role in network security, and they also play a significant role in estimating the probability of a false negative or false positive. Calculations drawn from the IDS/IPS and firewalls indicate the most likely outcome. It is important to note that false negatives and false positives are triggered by the functionality of both the IDS/IPS and the firewalls.

Recommendations for the banks in your bulletin

Network software plays an indispensable role in network architecture and security. However, software must be updated constantly to keep pace with the sophisticated attacks used by hackers. Network administrators have to ensure that they can detect false positives and false negatives, especially the latter. Proxy servers and firewalls should be used extensively to filter spam messages and protect customers and employees from attacks.

Statistical analyses of false positives and false negatives from results in the lab

Attacks on SQL servers, worm attacks, and buffer overflows cause most of the false negatives, which means that the most frequent false occurrences are false negatives. False positives account for 92.5% of the false cases, half of which are caused by management issues; 93% of false negatives have been recorded (Ho et al., 2012).
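The definitions given under "What are they?" and "How they are determined", together with the ratios quoted above, come down to a confusion matrix over labelled traffic. The following is an added example (not the essay's or the cited paper's code) that scores a constructed set of IDS verdicts against analyst ground truth and breaks the false negatives and false positives down by cause; the record format and category names are the author's own assumptions.

```python
from collections import Counter

# Constructed sample alert log: one record per flow, with the IDS verdict and the
# analyst's ground-truth label (categories echo the essay's examples; not real data).
SAMPLE_FLOWS = [
    {"id": 1,  "truth": "attack", "category": "sql",              "ids_alert": True},
    {"id": 2,  "truth": "attack", "category": "sql",              "ids_alert": False},
    {"id": 3,  "truth": "attack", "category": "worm",             "ids_alert": False},
    {"id": 4,  "truth": "attack", "category": "buffer-overflow",  "ids_alert": True},
    {"id": 5,  "truth": "benign", "category": "outdated-client",  "ids_alert": True},
    {"id": 6,  "truth": "benign", "category": "normal",           "ids_alert": False},
    {"id": 7,  "truth": "benign", "category": "normal",           "ids_alert": False},
    {"id": 8,  "truth": "benign", "category": "misconfiguration", "ids_alert": True},
    {"id": 9,  "truth": "attack", "category": "sql",              "ids_alert": False},
    {"id": 10, "truth": "benign", "category": "normal",           "ids_alert": False},
]

def confusion(flows: list) -> dict:
    """Count TP/FP/TN/FN and record which categories the false negatives and
    false positives came from, so each cause can be addressed separately."""
    c = Counter()
    fn_by_cat, fp_by_cat = Counter(), Counter()
    for f in flows:
        attack, alert = f["truth"] == "attack", f["ids_alert"]
        if attack and alert:
            c["TP"] += 1
        elif attack:                      # real attack with no alert: the dangerous case
            c["FN"] += 1
            fn_by_cat[f["category"]] += 1
        elif alert:                       # benign traffic that raised an alert
            c["FP"] += 1
            fp_by_cat[f["category"]] += 1
        else:
            c["TN"] += 1
    return {"counts": dict(c), "fn_by_category": dict(fn_by_cat), "fp_by_category": dict(fp_by_cat)}

def rates(counts: dict) -> dict:
    """Rates an administrator would track; a ratio with an empty denominator is reported as 0.0."""
    tp, fp, tn, fn = (counts.get(k, 0) for k in ("TP", "FP", "TN", "FN"))
    div = lambda a, b: a / b if b else 0.0
    return {
        "false_negative_rate": div(fn, tp + fn),     # missed attacks / all real attacks
        "false_positive_rate": div(fp, fp + tn),     # false alarms / all benign traffic
        "precision": div(tp, tp + fp),               # share of alerts that were real attacks
        "fp_share_of_errors": div(fp, fp + fn),      # false positives among all IDS errors
    }

def evaluate(flows: list) -> dict:
    result = confusion(flows)
    result["rates"] = rates(result["counts"])
    return result
```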

How they can reduce these values

Developing neural networks and algorithms that estimate the probability of an intrusion being either a false negative or a false positive, based on the mode of cyber-attack and on statistical data from recent cyber events.

References
  1. Cisco. (2009). Cisco IP addressing policy. Retrieved from http://www.cisco.com/c/dam/en_us/about/ciscoitatwork/downloads/ciscoitatwork/pdf/Cisco_IT_IP_Addressing_Best_Practices.pdf
  2. Ho, C., Lin, Y., Lai, Y. C., Chen, I., Wang, F. Y., & Tai, W. T. (2012). False positives and negatives from real traffic with intrusion detection/prevention systems. International Journal of Future Computer and Communication, 1(2), 87-89.
  3. Hossain, S., Ray, R. C., Bakkre, J., & Hannan, A. (2015). Design and simulation of a banking system. American Journal of Engineering and Research, 4(11), 79-91.
  4. Launius, L. M. (2009). Securing the network perimeter of a community bank. Retrieved from http://www.sans.org/reading-room/whitepapers/firewalls/securing-network-perimeter-community-bank-33248