Network Monitoring and Defense

Introduction

Safeguard 13 - Network Monitoring and Defense

Procedures

13.1 - Centralize Security Event Alerting

Utilize a SIEM to implement security event alerting. A SIEM is a piece of software that collects, aggregates, and analyzes data from an organization's devices in real time; doing so will help prevent and block attacks on your system.

Virginia Tech utilizes a 24x7 Security Operations Center for network monitoring, alerting, analyzing, prevention, and response services.

Windows

Microsoft recommends the use of Microsoft Sentinel, a cloud-based SIEM solution. To use Microsoft Sentinel you must first set up and use Microsoft Azure on your system; information on how to do so can be found here: Microsoft Azure getting started page

Windows also has access to a free, open-source option in Snort. To install Snort, do the following:

  1. Navigate to the Snort Website
  2. Go to Downloads
  3. Download the Snort installer
  4. Run the executable
  5. Follow the on-screen instructions to install Snort

Linux

Linux utilizes a number of open-source SIEM solutions, Snort being one of the most popular. Information on how to set up and install Snort can be found on the VT Knowledge Base Server Intrusion Detection page here.

13.2 - Deploy a Host-Based Intrusion Detection Solution

Use a host-based intrusion detection solution to monitor a device.

Windows

Utilizing Windows logs to monitor changes on a system can be a good way to monitor a host device. To access Windows logs, do the following:

  1. Press the start button
  2. Search “Event Viewer”
  3. Select Event Viewer

From here you are able to view changes on a system and add alerts to automate the detection of changes and intrusions.

macOS

macOS has a built-in network monitoring tool known as the Activity Monitor. To access the Activity Monitor, do the following:

  1. Open the Activity Monitor App
  2. Click Network
  3. You can monitor the following network activities:
    • Packets in, Packets out
    • Data Received, Data sent
    • Data received/sent over time (seconds)

Linux

Linux has a number of host-based intrusion detection solutions, one being Snort. To set up and use Snort, do the following:

Debian/Ubuntu/Fedora (the Snort 3 build dependencies, such as CMake, a C++ compiler and LibDAQ, must already be installed)
  1. wget https://github.com/snort3/snort3/archive/refs/heads/master.zip
  2. unzip master.zip
  3. cd snort3-master
  4. ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
  5. cd build
  6. make
  7. sudo make install

13.3 - Deploy a Network Intrusion Detection Solution

Deploy a Network Intrusion Detection Solution (NIDS). The NIDS will monitor the network and can provide alerts for unusual activity.

Windows

Much like with host-based intrusion detection, Snort is a great solution for network intrusion detection. To install Snort on Windows, do the following:

  1. Navigate to the Snort Website
  2. Go to Downloads
  3. Download the Snort installer
  4. Run the executable
  5. Follow the on-screen instructions to install Snort

Linux

Much like with host-based intrusion detection, Snort is a great solution for network intrusion detection. See 13.2 - Deploy a Host-Based Intrusion Detection Solution for instructions on installing Snort on Linux.

13.4 - Perform Traffic Filtering Between Network Segments

Traffic filtering allows you to monitor and control the traffic that moves between network segments.

Windows:

Windows Defender Firewall allows you to perform two-way (inbound and outbound) network traffic filtering. To set this up, do the following:

  1. Select the Start button
  2. Search “Windows Defender Firewall”
  3. On the left-hand side, select “Turn Windows Defender Firewall on or off”
  4. Ensure Windows Defender Firewall is turned on
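The same two-way filtering configured from an elevated PowerShell prompt, as an added example that is not part of the VT procedure; the 10.20.0.0/16 segment is a constructed placeholder for the neighbouring segment you want to filter.

```powershell
# Added example: enable all three Defender Firewall profiles, then block traffic
# to and from another network segment in both directions. Run as Administrator.
$segment = "10.20.0.0/16"   # assumption: the neighbouring segment to filter

# Equivalent of GUI step 4: turn the firewall on for every profile and keep
# the default posture of blocking unsolicited inbound connections.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block

# Inbound: drop anything arriving from the other segment.
New-NetFirewallRule -DisplayName "Block inbound from $segment" `
    -Direction Inbound -RemoteAddress $segment -Action Block -Profile Any

# Outbound: drop anything leaving for the other segment (the second half of
# the two-way filtering the section describes).
New-NetFirewallRule -DisplayName "Block outbound to $segment" `
    -Direction Outbound -RemoteAddress $segment -Action Block -Profile Any

# Verification: every profile should report Enabled = True ...
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# ... and both segment rules should exist with the expected remote address.
Get-NetFirewallRule -DisplayName "Block*$segment" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Block rules take precedence over allow rules in Defender Firewall, so the two new rules apply even if a broader allow rule for the same ports exists.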

Linux:

Snort is a great solution for traffic filtering on Linux. To install Snort, see 13.2 - Deploy a Host-Based Intrusion Detection Solution.

13.5 - Manage Access Control for Remote Assets

This safeguard is being treated as a “future requirement” until additional standardization is defined and capabilities established.

13.6 - Collect Network Traffic Flow Logs

Collect network traffic flow logs to review and notify when a new device is connected.

Windows Server:

This can be done via Azure Network Watcher. Information on how this is done can be found on the Microsoft Learn website.

Linux:

This can be done on Linux via ntop, a high-speed, web-based network traffic and flow collection system. Information on how to install this software can be found here:

Ubuntu/Debian:

  1. Go to packages.ntop.org
  2. Download the Debian/Ubuntu/CentOS/Rocky packages
  3. Open the zipped file
  4. Run the executable
  5. Follow the on-screen instructions to install ntop

Other

If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.