Created By
Fathimah Rahimullah (1506673542)
COMPUTER ENGINEERING
FACULTY OF ENGINEERING
UNIVERSITAS INDONESIA
DEPOK
DECEMBER 2018
Contents
Chapter 1 Introduction 1
Chapter 2 Literature Review 3
Chapter 3 Methods and Experiments 8
Chapter 4 Conclusion 12
Bibliography 13
Chapter 1
Introduction
1.1 Background
Industrialization played a massive role in the development of society: it
made processes far more structured, which resulted in greater efficiency. The
development of computers and the internet in the 20th century accelerated this
progress, and in the 21st century the technology has improved drastically compared
with the previous era. Industries now rely on automation and connectivity to increase
efficiency; the term used for this era is Industry 4.0.
1.2 Objective
• Understand the concept of computer networks.
• Understand the concept of computer network security.
• Understand how AlienVault OSSIM works.
• Understand the components of AlienVault OSSIM.
• Understand how to deploy AlienVault OSSIM.
Chapter 2
Literature Review
2.1 Computer Networks
A computer network is defined as a group of computer systems and/or other
hardware devices capable of computation that are all linked through a communication
channel. This channel facilitates communication and resource sharing among the
users of the network. The channels are usually made of cables, but advances in
technology have brought more flexibility, so that wireless media such as Wi-Fi and
cellular networks can also serve as a channel.
One of the earliest uses of computer networks was for military purposes. An
example is the US military's SAGE (Semi-Automatic Ground Environment) radar
system, which consisted of computers communicating in a network. Besides the
military, academia also played a big role. Universities in the USA such as the
University of California and the University of Utah took part in a research project
called ARPANET (Advanced Research Projects Agency Network), which has since
evolved into the modern internet. [2]
Networks are usually categorized by their characteristics, and the most
commonly used criterion is the scale of the network. Based on size, networks are
divided into local area networks (LAN), personal area networks (PAN), wide area
networks (WAN), metropolitan area networks (MAN), the internet, and many more.
This paper will focus mainly on the local area network.
In a computer network each device communicates using an identifier
known as an IP (Internet Protocol) address, which is unique within each network.
There are two types of IP address: IP version 4 (IPv4) and IP version 6 (IPv6).
The main difference between the two is the size of the address: an IPv4 address is
32 bits long and an IPv6 address is 128 bits long. As said before, IP addresses are
unique only within one network, which means the same IP address can be used twice
if the devices are in different networks. This is made possible by a technique called
NAT (network address translation), where a network has a public address that is
used to connect to other networks on the internet. This technique also has a security
benefit: someone on an external network would not know the addresses of the hosts
on the local network.
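As an added illustration of the two address sizes and of the hiding effect of NAT described above (example code written for this edit, not part of the original report): the describe function reports the bit length and private/global status of an address using Python's standard ipaddress module, and PortNat is a simplified, hypothetical model of port address translation in which an outside host only ever sees the public address, and a packet to a port with no mapping has no inside destination. All addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def describe(address: str) -> dict:
    """Version, address length in bits, and whether the address is private
    (RFC 1918 for IPv4, fc00::/7 unique-local for IPv6) or globally routable."""
    ip = ipaddress.ip_address(address)
    return {
        "version": ip.version,
        "bits": ip.max_prefixlen,  # 32 for IPv4, 128 for IPv6
        "private": ip.is_private,
        "global": ip.is_global,
    }


@dataclass
class PortNat:
    """Toy port-address-translation table for one public address.
    Hypothetical model written for this example, not the code of any real NAT device."""
    public_ip: str
    next_port: int = 40000
    # (inside ip, inside port) -> public port
    outbound_map: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # public port -> (inside ip, inside port)
    inbound_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        """Source address and port that an external host sees for a connection
        started from inside the LAN. The inside address never leaves the network."""
        if not ipaddress.ip_address(inside_ip).is_private:
            raise ValueError("only private inside addresses are translated")
        key = (inside_ip, inside_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Reply traffic to a mapped port is delivered to the inside host; an
        unsolicited packet to an unmapped port has no inside destination (None)."""
        return self.inbound_map.get(public_port)


if __name__ == "__main__":
    for addr in ("10.0.0.5", "fd00::1", "8.8.8.8"):
        print(addr, describe(addr))
    nat = PortNat(public_ip="198.51.100.7")  # constructed public address
    print("outside sees", nat.translate_outbound("192.168.1.20", 51000))
    print("reply to 40000 goes to", nat.translate_inbound(40000))
    print("unsolicited packet to 45000 goes to", nat.translate_inbound(45000))
```

The same address twice from two different LANs (for example 192.168.1.20 behind two different PortNat instances) produces two different public tuples, which is the point made above: private addresses only need to be unique inside their own network.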
• risk assessment;
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• information systems acquisition, development, and maintenance;
• access control;
• information security incident management;
• business continuity management;
• and compliance. [3]
Network security also covers the attacks that are carried out, in other
words the threats to a network. Threats to a network can be classified by the target
of the threat (network-based or host-based) and by the location of the threat relative
to the network (external or internal).
• mitigating risks;
• identifying vulnerabilities;
• detecting threats;
• and prioritizing response to threats and vulnerabilities that are of high priority.
Before any of this can be achieved, a risk assessment must be done first.
After that, security policies can be designed. OSSIM helps to identify critical
assets, which makes creating policies easier. Security events are also analysed by
OSSIM; the parameters it uses to judge these events are the value of the assets
associated with the event, the threat the event represents, and the probability of
the event's occurrence.
The main capabilities and tools that OSSIM utilizes to detect threats and
prioritize responses are asset discovery, vulnerability assessment, intrusion
detection, behavioural monitoring, and SIEM. This can be seen in the figure below.
Below is a brief description of each process:
• Asset Discovery: Gives information about the devices on the network using
a combination of discovery and inventory technology.
• Vulnerability Assessment: Identifies the vulnerabilities on the network.
Vulnerabilities consist of unpatched software, insecure configuration, etc.
• Intrusion Detection: Detects and then responds to incidents and manages
threats in the network with the help of built-in security monitoring
technologies, a seamless closed-loop workflow for fast mitigation, and the
resources of AlienVault Labs.
• Behavioural Monitoring: Monitors the behaviour of the network, focusing on
anomalies and suspicious activities that can develop into threats.
• Security Information and Event Management (SIEM): Threats are
identified, contained, and remediated using risk and response as
references.
• Server: Receives information from the sensors and then processes it so
that it can be used for management, reporting, and administration.
• Sensors: Gather information from the network by being deployed
throughout it. They process data from devices such as firewalls,
routers, and host servers using plugins.
• Logger: Stores all the raw event logs, which can later be used for forensic
research and audits.
The high-level architecture of AlienVault OSSIM can be seen in the figure below:
Chapter 3
Methods and Experiments
3.1 Deploying OSSIM Server
For this project the OSSIM server will be deployed in VMware.
e) After that the console will open and the dashboard can be accessed by
browsing to the IP address of the VM.
a) Make sure that the OS is up to date by executing the apt-get update &&
apt-get upgrade commands.
b) Enter the opt directory.
f) During the installation there will be prompts for the configuration. For this
installation we pick the installation type agent/sensor and keep the
defaults for the other configuration options.
g) After that there is a key configuration step to map the sensor to the server.
[5][6]
3.3 Dashboard
The main dashboard of the application is shown in the figure below.
This dashboard is the first one the user sees when entering the
server's IP address. The picture gives an overview of the network's status, and it
can be customized to each user's liking. In this case the dashboard shows the top 5
alarming security events and the events the SIEM has scanned, which in this
network are authentication and system events. Since this is a demo network, the
results do not show much variety.
Next, we have the alarms information page, which is depicted in the figure
above. On this page attacks on the network are recorded as alarms. The risk of each
attack is also analysed in order to sort out which attack has the highest risk.
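The ranking of alarms by risk described here, together with the three parameters named in Chapter 2 (value of the asset, the threat the event represents, and the probability of the event), can be shown in a worked example. The code below is added for this edit and is not the report's or AlienVault's own code. It assumes the OSSIM risk formula that AlienVault documents, risk = (asset value × priority × reliability) / 25 with asset value and priority on a 0..5 scale and reliability on a 0..10 scale, which the report does not state numerically; it also assumes an alarm threshold of risk ≥ 1. The sshd log lines, the asset values, the plugin-style parser and its brute-force rule are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the style of an sshd auth log (not captured from any real system).
SAMPLE_LOG = """\
Dec 20 10:01:02 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 51022 ssh2
Dec 20 10:01:05 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 51023 ssh2
Dec 20 10:01:09 web01 sshd[2210]: Failed password for admin from 203.0.113.9 port 51024 ssh2
Dec 20 10:02:30 ws07 sshd[4410]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Dec 20 10:03:00 web01 sshd[2211]: Accepted password for deploy from 192.168.1.50 port 40100 ssh2
"""

# Asset values (0..5) as an administrator would assign them in OSSIM; constructed for this example.
ASSET_VALUE: Dict[str, int] = {"web01": 5, "ws07": 2}

FAILED_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass
class Event:
    name: str
    host: str
    src_ip: str
    asset_value: int  # 0..5: value of the asset the event concerns
    priority: int     # 0..5: how severe the threat is
    reliability: int  # 0..10: how probable it is that the event is real


def normalize(log_text: str) -> List[Event]:
    """Play the role of a sensor plugin: turn raw lines into events.
    Three or more failures from one source against one host are merged into a
    single, more reliable 'ssh brute force' event (hypothetical rule for this example)."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[(m["host"], m["src"])] += 1
    events: List[Event] = []
    for (host, src), n in failures.items():
        value = ASSET_VALUE.get(host, 2)  # unknown hosts get a default asset value
        if n >= 3:
            events.append(Event("ssh brute force", host, src, value, 4, min(10, 3 + n)))
        else:
            events.append(Event("ssh failed login", host, src, value, 2, 3))
    return events


def risk(ev: Event) -> float:
    """OSSIM risk formula (asset * priority * reliability) / 25, giving 0..10."""
    for value, hi in ((ev.asset_value, 5), (ev.priority, 5), (ev.reliability, 10)):
        if not 0 <= value <= hi:
            raise ValueError(f"parameter out of range in {ev}")
    return ev.asset_value * ev.priority * ev.reliability / 25


ALARM_THRESHOLD = 1.0  # assumed: an event becomes an alarm when its risk reaches 1


def rank_alarms(events: List[Event]) -> List[Event]:
    """Keep only events that qualify as alarms, highest risk first (the alarms page order)."""
    return sorted((e for e in events if risk(e) >= ALARM_THRESHOLD), key=risk, reverse=True)


if __name__ == "__main__":
    for ev in rank_alarms(normalize(SAMPLE_LOG)):
        print(f"risk={risk(ev):.1f}  {ev.name:16} host={ev.host} src={ev.src_ip}")
```

With the constructed input, the three failures against web01 (asset value 5, priority 4, reliability 6) score 4.8 and appear as an alarm, while the single failure against the workstation ws07 (2 × 2 × 3 / 25 = 0.48) stays below the threshold and remains an ordinary event; that is the separation between the "events" and "alarms" pages described above.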
The last page discussed in this paper is the assets page. This page lists
the hosts detected on the network with their details such as IP address, device
type, operating system, asset value, whether a vulnerability scan has been done, and
HIDS status. Because the network belongs to a private company, the picture has been
censored to comply with the company's policy on the confidentiality of hosts. A brief
view of the hosts can be seen in the figure below.
There are many more great features implemented in this tool; the ones
discussed in this paper are just a small portion of what is available. To get the
most out of those features, however, the tool needs to be deployed in a real working
network where production takes place. The open source nature of the tool is also a
great advantage, since the community can more easily extend it with customizations
based on their own style and needs. But the tool also has some disadvantages, such
as the agent architecture, which is quite hard to maintain.
Chapter 4
Conclusion
• AlienVault OSSIM is a great open source network monitoring tool with an
abundance of features.
• Users can get creative and customize the application based on their
network's needs.
Bibliography
[1] J. Malik, "IoT: Usability Dream or Privacy Nightmare? | AlienVault." [Online]. Available: https://www.alienvault.com/blogs/security-essentials/iot-usability-dream-or-privacy-nightmare. [Accessed: 14-Dec-2018].
[2] "What is a Computer Network? - Definition from Techopedia." [Online]. Available: https://www.techopedia.com/definition/25597/computer-network. [Accessed: 20-Dec-2018].
[3] "CCNA Security." [Online]. Available: https://static-course-assets.s3.amazonaws.com/CCNAS2/en/index.html#1.3.2.1. [Accessed: 20-Dec-2018].
[4] U. March, "USM Appliance TM Deployment Guide," pp. 1–313, 2018.
[5] "How To Monitor OSSEC Agents Using an OSSEC Server on Ubuntu 14.04 | DigitalOcean." [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-monitor-ossec-agents-using-an-ossec-server-on-ubuntu-14-04. [Accessed: 21-Dec-2018].
[6] "Install OSSEC on Ubuntu 14.04 | RoseHosting." [Online]. Available: https://www.rosehosting.com/blog/install-ossec-on-ubuntu-14-04/. [Accessed: 21-Dec-2018].