Question
10. Intrusion Detection and Prevention Systems
Matthias Paul, at the end of his graveyard shift, was reviewing and finalizing the automated intrusion event recognition report for one of ATI's many customers, the Springdale Independent School District (SISD), for whom ATI provided hosting services and limited intrusion prevention services. SISD had its own in-house information security group, but the work of screening the automated intrusion detection and prevention system had been outsourced to ATI.
Matthias opened up the intrusion event resolution application. The system correlated all of the various system logs and event recordings from the many services that ATI provided to SISD. As he worked his way through the false alarms, he came across a log entry from a Web server indicating that an external network location had tried to connect to the intranet-based student records application. The system had refused entry. Since Matthias knew that SISD allowed only remote access to student records using a VPN connection with two-factor authorization, he thought he would look at the log files from the VPN concentrator, and also at the log from the VPN authentication server.
The logs showed that the user who had tried to connect to the student records system had not attempted to set up a VPN connection. Either someone was trying to hack the system, or an authorized user had forgotten all of their training about security policy and remote access.
Matthias looked at the connection attempt and found the TCP/IP address of the person who had tried to access the student records system. It was registered to a pool of addresses used by the biggest Internet service provider (ISP) in the city where SISD was located. It would take a court order to get access to the detailed ISP records to find out who had tried to access the system. On the other hand, it was easy to identify the user account that had been used to attempt access.
Matthias mumbled, "Hmmm, looks like a user just forgot to follow the rules."
He pulled up the screen in the intrusion event resolution system to escalate the event from a candidate incident to an actual incident. He provided all of the facts he had discovered and then moved on to the next item. He knew someone would be getting an unpleasant contact from the SISD security group in the near future.
Review the earlier scenario titled "Packet Filtering," which describes the events that led to the IDPS alert that Matthias deals with in the opening scenario of this chapter. Review also the earlier scenario "Authenticating Users," which describes the consequences of Niki Simpson's habit of posting her password on sticky notes.
Questions
- What type of IDPS system is ATI using for this contract?
- Was this event the result of a honeypot or honeynet? Why or why not?
- How realistic do you think this case is? Can and do events like this happen in real networked applications?
NOTE: This is a case study. Kindly give the answers in detail. Answers should be in the context of Internet security and as detailed as each question demands.
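The check Matthias performs by hand in the case study (a hit on the intranet-only student records application from a public address, cross-referenced against the VPN concentrator and VPN authentication logs to see whether the account ever set up a tunnel) is the kind of correlation an IDPS or SIEM rule automates. The script below is an added example written for this page; it is not part of the case study, the textbook, or any answer posted here. Every log format, host name, user name, address, the VPN address pool (10.20.30.0/24) and the twelve-hour lookback window are constructed assumptions. It also goes one step beyond the scenario: hits that do arrive from the VPN pool are checked for a matching tunnel and a successful second-factor login, so a tunnel brought up on a password alone is flagged too.

```python
"""Correlate web-server, VPN-concentrator and VPN-auth logs to decide whether
each hit on an intranet-only application came in through the required path
(VPN tunnel brought up after a two-factor login) or bypassed it.

All log formats, host names, user names, addresses, the VPN address pool and
the lookback window are constructed for this example (assumptions, not ATI's
or SISD's real data).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# --- constructed sample logs: "<ISO timestamp> key=value key=value ..." ----
WEB_LOG = """\
2024-03-12T04:51:07 host=records.sisd.internal src=198.51.100.23 user=nsimpson path=/student-records/login status=403
2024-03-12T04:52:40 host=records.sisd.internal src=10.20.30.44 user=jlopez path=/student-records/grades status=200
2024-03-12T04:55:01 host=records.sisd.internal src=10.20.30.51 user=mchen path=/student-records/login status=200
2024-03-12T04:58:19 host=records.sisd.internal src=10.1.5.8 user=rkhan path=/student-records/grades status=200
2024-03-12T04:59:03 host=www.sisd.example src=198.51.100.23 user=- path=/index.html status=200
"""
# VPN concentrator: each tunnel gets an address from the remote-user pool.
VPN_LOG = """\
2024-03-12T04:45:12 event=tunnel-up user=jlopez peer=203.0.113.77 assigned=10.20.30.44
2024-03-12T04:50:30 event=tunnel-up user=mchen peer=192.0.2.9 assigned=10.20.30.51
"""
# VPN authentication server: which factor each successful login used.
AUTH_LOG = """\
2024-03-12T04:45:10 user=jlopez result=success factor=otp
2024-03-12T04:50:28 user=mchen result=success factor=password
"""

RECORDS_PATH = "/student-records/"                    # intranet-only application
VPN_POOL = ipaddress.ip_network("10.20.30.0/24")      # assumed pool for remote users
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOOKBACK = timedelta(hours=12)                        # assumed maximum VPN session length

_KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """One dict per line; the leading ISO timestamp becomes ev['time']."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        ev = dict(_KV.findall(rest))
        ev["time"] = datetime.fromisoformat(stamp)
        events.append(ev)
    return events


def is_external(ip):
    """True unless the address is RFC 1918 or loopback. The documentation
    ranges used above stand in for public addresses, so ipaddress.is_global
    (which treats them as non-global) is deliberately not used."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(web_events, vpn_events, auth_events):
    """Return one finding per hit on the records application."""
    findings = []
    for hit in web_events:
        if not hit["path"].startswith(RECORDS_PATH):
            continue
        user, src = hit["user"], hit["src"]
        start = hit["time"] - LOOKBACK

        def recent(ev):
            return start <= ev["time"] <= hit["time"] and ev["user"] == user

        tunnels = [v for v in vpn_events if v["event"] == "tunnel-up" and recent(v)]
        second_factor = any(a["result"] == "success" and a["factor"] == "otp" and recent(a)
                            for a in auth_events)

        if is_external(src):
            # Policy allows the app only over VPN, so any hit from a public
            # address is a violation; the VPN logs say whether the account
            # owner was even connected (in the case study, not at all).
            verdict = "external-despite-vpn" if tunnels else "external-no-vpn"
        elif ipaddress.ip_address(src) in VPN_POOL:
            if not any(v["assigned"] == src for v in tunnels):
                verdict = "vpn-pool-no-tunnel"      # pool address with no tunnel-up record
            elif not second_factor:
                verdict = "vpn-no-second-factor"    # tunnel came up on password alone
            else:
                verdict = "ok"
        else:
            verdict = "ok"                          # on-site address; out of scope here
        findings.append({"time": hit["time"].isoformat(), "user": user, "src": src,
                         "status": hit["status"], "verdict": verdict})
    return findings


def incidents(findings):
    """Findings worth escalating from candidate to actual incident."""
    return [f for f in findings if f["verdict"] != "ok"]


if __name__ == "__main__":
    found = classify(parse(WEB_LOG), parse(VPN_LOG), parse(AUTH_LOG))
    for f in incidents(found):
        print(f"{f['time']} user={f['user']} src={f['src']} -> {f['verdict']}")
```

Run stand-alone, the script reports nsimpson's external hit as "external-no-vpn" (the case study's situation: the account is identified from the web log, but the public source address only narrows the source to an ISP pool, which is why attribution beyond the account needs the ISP's records) and mchen's session as "vpn-no-second-factor". The web server's 403 already blocked the request; the correlation's value is turning a refused connection into an incident with a named account attached.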