Abstract
This project designs and implements a Network Intrusion Prevention System (NIPS) for a Microsoft Windows-based network environment, applying security best practices in the design and leveraging existing infrastructure and open source software in the implementation to prevent the spread of malicious software (malware) inside a computer network. The project implements the three components that form the basis of network security for achieving Information Assurance: firewalls and Software Restriction Policy for preventing malware attacks, a network Intrusion Detection System (IDS) for detecting malware activity in the network, and Group Policy for distributing security policies when responding to malware threats.

Firewalls and Software Restriction Policy form the prevention component. Software Restriction Policy is a Windows security feature that denies execution to unapproved software such as malware. A host-based firewall guards each host and contains malware so it cannot spread to other hosts when Software Restriction Policy and the virus scanner fail. Windows XP client operating systems are configured through Group Policy to enable Software Restriction Policy and Windows Firewall, keeping malware from spreading successfully. In addition, another security layer is placed between the client and server networks to prevent attacks against servers from client computers. This preventative layer reduces the attack surface of the servers with firewalls while actively monitoring network traffic for attacks; an attacker is blocked by the firewall before trying different attack methods or attacking other servers. A Linux-based operating system with iptables, fwsnort, and psad forms the basis of this firewall, an active detection and prevention system.

The detection component monitors the client-side and server-side networks for malicious activity. It collects network traffic and detects malicious activity that the preventative measures may have failed to stop. Malicious network traffic is logged to a central database for further investigation and for analysis of network trends or incidents. Open source software is used throughout: Snort for network intrusion detection, MySQL to collect the data from Snort for analysis, and BASE for analyzing network traffic trends. The graphs generated by the IDS are used to confirm the attacks launched while testing our implementation. The response component uses Group Policy as the mechanism to distribute security policies to client machines in a consistent manner, especially in response to new threats. Group Policy comes with Microsoft Active Directory and is used to enable Software Restriction Policies and Windows Firewall and to disable unnecessary services, preventing the execution and spread of malicious software to other hosts and reducing the attack surface of each client computer joined to the domain.

This project is implemented in a virtualized environment. Virtualization allows the project to build virtual machines and switches with port mirroring at no additional cost; acquiring real physical equipment would have been cost prohibitive. As more companies move toward virtualization, this implementation for protecting systems in a virtualized environment fits in naturally.
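The detection component described above logs Snort alerts to MySQL so that BASE can graph them by signature and source. As an added illustration (not code from the project report), the following Python parser reads Snort's fast-format alert lines and produces the same per-signature and per-source counts an analyst uses to confirm an attack trend; the alert lines are constructed samples, not captures from the project's testbed.

```python
import re
from collections import Counter

# Snort "alert_fast" output, e.g.:
# 01/12-14:23:45.123456  [**] [1:2003:8] MSG [**] [Classification: C] [Priority: 2] {UDP} 10.0.1.5:1434 -> 10.0.2.10:1434
# Ports are absent for protocols such as ICMP, so they are optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the fields of one fast-format alert as a dict, or None if the line is not an alert."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per (sid, message) and per source host; keep lines that did not parse."""
    by_sig, by_src, unparsed = Counter(), Counter(), []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src"]] += 1
    return by_sig, by_src, unparsed

# Constructed sample alerts (hypothetical hosts and timestamps).
SAMPLE_ALERTS = """\
01/12-14:23:45.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.1.5:1434 -> 10.0.2.10:1434
01/12-14:23:46.001122  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.1.5:1434 -> 10.0.2.11:1434
01/12-14:23:47.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.1.7 -> 10.0.2.10
this line is not an alert
""".splitlines()

if __name__ == "__main__":
    sigs, srcs, bad = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in sigs.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for src, n in srcs.most_common():
        print(f"{n:4d}  alerts from {src}")
    print(f"{len(bad)} unparsed line(s)")
```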