Figure 1: Network diagram. LAN subnet 192.168.40.0/24 (LAN devices, LAN switch) sits behind an Internal Firewall; the DMZ subnet 192.168.10.0/24 holds the Web Server (port 80), the IDS (Snort VM) and the Remote Access Server (Nginx VM, OpenVPN); an External Firewall separates the DMZ from the Internet.
Overview

Medium to large organisations typically consist of services that are accessed/consumed by external parties for various purposes. As such, a DMZ is a suitable solution to segregate such services from the internal network(s). The network diagram provided (Figure 1) illustrates the IT environment of a medium organisation, which consists of a DMZ with perimeter defences that separates the internal from the external environment. The organisation has two servers deployed in its DMZ:

1. Web Server: to serve its external customers.
2. Remote Access Server: for their external vendor to connect remotely using VPN in order to manage the web application hosted on the Web Server. The vendor periodically connects to the Remote Access Server to apply patches and implement upgrades on the web application.

Customers have complained of performance issues with the web site, which has prompted the organisation to closely investigate the issue. Preliminary investigations indicate that the source of the problem is from within the DMZ and, more specifically, from the external vendor. You have recently joined the organisation's IT team as their cyber security analyst and have been tasked to collect the required evidence to confirm the preliminary findings.

An IDS has been implemented in the DMZ and your first job is to configure and tune the IDS so that it can effectively alert on attacks against the Web Server. The current implementation of the IDS is using the default configuration provided in the /etc/snort/snort.conf file.

The current network design diagram for the organisation has been provided to you as a draw.io file. Furthermore, both the Web Server and IDS virtual machines have been provided to you in the Box folder share titled "Network Security Case Study VMs".
Task

You are required to submit a report that includes the following:

1. As described in the case study above, the source of the current problem is the Remote Access Server, which has allowed cyber attacks to be launched from the vendor's network. Given the current business needs of the organisation, eliminating access to the Web Server is not a solution. Explain a potential scenario where a DoS attack could occur from the vendor's network against the Web Server. Ensure you explicitly state any assumptions made. You are encouraged to use the network diagram provided to add annotations to support your answer.
2. Propose a solution to address the cyber attack described above. Ensure you justify your solution and substantiate it with relevant evidence. You are encouraged to use the network diagram provided to add annotations to support your answer.
3. List potential evidence that can be acquired using the IDS to support the preliminary findings. Here, evidence means any information that can be gathered using the Snort IDS to assist in identifying the source/nature of the cyber attack.
4. Explain in detail how you would configure/tune the IDS to effectively serve its purpose as described in the case study. This would include activities such as, but not limited to, changes to the configuration file, IDS rules, logs generated, etc.
5. Implement the solution you have explained in step 4 in the IDS VM, and demonstrate that it works by performing a DoS attack against the Web Server. You may use a separate Kali VM connected to the same subnet as the Web Server and IDS. You can achieve this by putting all three VMs in the same virtual network (e.g. vmnet4) in VMware.
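The kind of tuning item 4 asks for, shown as an added illustration that is not part of the case study materials or the supplied VMs: a snort.conf fragment and two local rules that alert on high-rate connections to the DMZ Web Server from Figure 1. The Snort 2.9 syntax is real; the rules path, the SIDs and the count/seconds thresholds are assumed values that must be tuned against the Web Server's normal traffic.

```snort
# --- /etc/snort/snort.conf (edited lines; the rest of the default file stays) ---
# Scope HOME_NET to the DMZ subnet from Figure 1 so the rules below only
# fire for traffic aimed at DMZ hosts; everything else is external.
ipvar HOME_NET 192.168.10.0/24
ipvar EXTERNAL_NET !$HOME_NET

# Load the local rules file (path assumed: Debian/Ubuntu snort layout).
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules

# Limit alert output to one alert per source per minute for each rule, so a
# flood yields a readable log rather than thousands of identical entries.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60

# --- /etc/snort/rules/local.rules ---
# SYN flood: more than 100 new connection attempts per second from a single
# source to the Web Server's port 80. detection_filter lets the rule fire only
# once that rate is exceeded, so normal customer browsing stays silent.
# track by_src puts the offending address (the Remote Access Server / VPN
# endpoint, if the attack traverses it) in the alert.
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL DoS - TCP SYN flood against DMZ Web Server"; flags:S; flow:stateless; detection_filter:track by_src, count 100, seconds 1; classtype:attempted-dos; sid:1000001; rev:1;)

# Application-layer flood: a burst of HTTP GET requests over established
# sessions, which a connection-rate rule alone would not catch.
# http_method relies on the http_inspect preprocessor enabled in the default config.
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL DoS - HTTP GET flood against DMZ Web Server"; flow:to_server,established; content:"GET"; http_method; detection_filter:track by_src, count 50, seconds 1; classtype:attempted-dos; sid:1000002; rev:1;)
```

Validate the edited configuration with `snort -T -c /etc/snort/snort.conf` before running `snort -A console -q -c /etc/snort/snort.conf -i <dmz-interface>` during the demonstration in item 5; the alerts (and the /var/log/snort output with the default logging settings) are the evidence item 3 asks you to list.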