TS5990 Integrative Project
The advent of information technology has made it easier for organizations to store, share and transmit information. This has not come without problems. The main areas of concern are the integrity and confidentiality of the data that moves over a network. These issues cannot be taken for granted: every organization has to ensure that its data, and the network that supports its operations, are secured against outside intruders.
Hospitals are no exception, especially now that much of their data is transmitted electronically. It is therefore not only important but mandatory that security be considered in every phase of a hospital’s network design. The wired network is the backbone of a hospital’s information systems and must be properly secured; the wireless network and remote access must be secured as well.
Securing the hospital’s network is also a requirement of the law. The Health Insurance Portability and Accountability Act (HIPAA) has made the enforcement of security measures in healthcare environments a legal requirement, and failure to comply may attract a fine or imprisonment.
This paper begins by discussing in detail how the boundary of a network can be secured with firewalls. The firewall is usually the organization’s first line of defense: an intruder who cannot penetrate the perimeter has a much harder time reaching, let alone bringing down, the internal network. Network segmentation and traffic isolation are also discussed; segmentation and isolation multiply the security boundaries an intruder must cross.
Network Access Control (NAC) is also discussed. NAC restricts outside users who might try to reach the network without authorization: access is allowed or denied on the basis of defined criteria. Many users access network resources, so there must be a way to identify and restrict who is allowed on the network. Network Intrusion Detection Systems (NIDS) are also discussed. A NIDS detects malicious behavior that may compromise the security, and the trustworthiness, of a computer system.
The paper concludes by discussing the security of the network equipment. The network is only functional if the network equipment is operational, so securing the equipment is an important part of any security strategy.
It is not practically possible to secure a network completely without affecting its proper functioning. Nevertheless many threats to the network can be reduced to manageable levels without affecting its smooth running.
Table of Contents
2. Network Architecture
3. Intrusion Detection Systems (IDS)
4. Remote Access
5. Network Segmentation
6. Network Access Control (NAC)
7. Cisco Access Control Server (ACS)
8. Posture Validation Server
9. Network Intrusion Detection Systems (NIDS)
10. Types of Intrusion Detection Systems
11. Methods of Intruder Detection
12. Patch Management
13. GFI LANguard Patch Manager
14. Silent Installation Support
15. Network Infrastructure Equipment
List of Figures
Figure 1: Hardware firewall
Figure 2: Computer firewall software
Figure 3: Basic Firewall Operations
Figure 4: The OSI and TCP/IP models
Figure 5: Professional Firewalls
Figure 6: Packet Filtering Firewall
Figure 7: Circuit level Gateway
Figure 8: Application level Gateway
Figure 9: Stateful Multilayer Inspection Firewall
Figure 10: Cisco ACS Server
Figure 11: Posture validation server
Figure 12: GFI LANguard Patch Manager main screen
Figure 13: Easily deployed patches network-wide
The aim of this project is to provide a guideline on the security measures a hospital may employ to guard against intrusion into its data and its network. This is important because any tampering with the data may lead to the death or serious harm of patients, and to litigation that threatens the hospital’s operations as a going concern.
The project will be carried out by gathering relevant material from various research sources: the Capella University online library, the local library, a personal book collection, and research material from the Internet.
The output of this project should be a comprehensive document that any hospital can use to establish a secure, well functioning network that resists intrusion and corruption.
What is a firewall?
A firewall provides perimeter security: it shields the hospital’s network from unauthorized and unauthenticated connections that could compromise the entire network. The term is borrowed from building construction, where a firewall or fire door is a barrier that keeps a fire from spreading from one part of a building to another; in a network, segmenting the infrastructure into separate sub-networks with a firewall between them likewise limits how far damage can spread from one segment to the next (Wilson S.B. 2002).
A firewall may be a dedicated hardware appliance or a software program running on a hardened host. A network firewall has at least two network interfaces: one facing the network it is intended to protect and one facing the network it is exposed to.
A firewall is usually located at the gateway between a private network and a public network such as the Internet.
Figure 1: Hardware Firewall
Hardware firewall providing protection to a Local Network
Figure 2: Computer with Firewall Software
Computer running firewall software to provide protection
A firewall examines all traffic routed between the two networks (private and public) and checks it against its security rules. Traffic that passes the checks is forwarded between the networks; traffic that fails is dropped. This allows the traffic entering or leaving the hospital’s internal network to be monitored. As mentioned earlier, modern hospitals transmit a great deal of data electronically, so a system that monitors this traffic is necessary. A firewall provides it by filtering both external and internal traffic. It also manages public access to private networked resources such as host applications. It can log every attempt to reach the private network and raise an alert when it detects an unauthorized or unauthenticated access attempt (Kincaid P. 2004).
Firewalls as filters:
Firewalls filter network packets on the basis of their source and destination addresses and port numbers; this is known as address filtering. They can also filter particular types of network traffic, which is known as protocol filtering because the decision to accept or reject traffic depends on the protocol in use, for example HTTP, FTP or telnet. This is vital in a hospital’s network, since the individual users who are allowed to reach the Internet also expose the internal network to intrusion. By filtering incoming traffic, the firewall reduces the risk posed by unwanted traffic.
What can’t a firewall do?
A firewall is an effective way of controlling and monitoring network access, but like any other system it has its limitations. To start with, a firewall cannot prevent intruders with modems from dialing into or out of the network, which bypasses the firewall altogether.
Nor can a firewall monitor the activities of users who are already inside the network, such as employees. Clear policies on the use and misuse of passwords and user accounts are needed and must be strictly enforced by the hospital’s network administrator. These are management issues that should be addressed when planning any security policy; they cannot be solved with firewalls alone.
The need for a firewall:
Any private network connected to a public network should have firewall protection. In addition, any individual PC connected to the Internet through a modem should run personal firewall software, since an intruder who compromises the computer may leave its owner no choice but to reinstall the operating system.
How a firewall functions
Firewalls use one of two access-denial methodologies. Under the first, the firewall allows all traffic through unless it meets certain criteria; under the second, it denies all traffic unless it meets certain criteria. The criteria themselves vary with the type of firewall.
Firewalls may be concerned with the type of traffic entering the hospital’s network, or with its source and destination addresses and ports (Kincaid P, 2004). Beyond this, a firewall may apply a complex rule base that analyses the application data to decide whether the traffic should be allowed through. How a firewall decides what to let through depends on the network layer at which it operates.
Figure 3: Basic Firewall Operation
OSI and TCP/IP Network models
In order to understand how firewalls work it is necessary to understand how the different layers of a network function. Network architecture is built around the seven-layer OSI model. Each layer is assigned its own set of responsibilities and performs them in a well-defined manner. As a result, a network can mix and match network protocols and physical media (Wilson S.B, 2002).
Because the physical layer (layer one) has been dissociated from the protocol layers (layers three to seven), a single protocol can travel over more than one physical medium, and a single physical cable can carry more than one protocol.
The lowest layer at which a firewall operates is layer three: the network layer in the OSI model, the Internet Protocol layer in TCP/IP. This layer is concerned with routing packets to their destination. At this layer a firewall can determine whether a packet comes from a trusted source, but it knows nothing about what the packet contains or which other packets it is related to. Firewalls operating at the transport layer know more about a packet and can grant or deny access on more sophisticated criteria. At the application layer, firewalls know a great deal about what is going on and can be very selective in granting access (Kincaid P. 2004).
Figure 4: The OSI and TCP/IP models
From the diagram it is tempting to conclude that firewalls operating at the higher layers are superior to those operating at the lower layers, but it should not be read that way. The ideal firewall for a hospital’s network should detect and deny unauthorized packets at the lower layers, which makes it more effective at securing the network: an intruder who cannot get past layer three has no opportunity to attack the operating system of the firewall host or of the hosts behind it (www.infosecwriters.com).
Figure 5: Professional Firewalls
A professional firewall captures each network packet before the operating system does, cutting the direct path from the Internet into the operating system’s TCP/IP stack. This makes it much harder for an intruder to gain control of the hospital’s firewall host.
Traditional firewall software running on a non-hardened operating system remains exposed to that system’s own weaknesses and misconfigurations. In newer designs the operating system is relegated to the role of bootstrap loader, graphical interface and file system, while the firewall’s own code takes on the primary role of keeping potentially hostile traffic out of the system: the firewall handles packets below the operating system’s IP layer, so hostile traffic never reaches the operating system’s protocol stack.
Types of firewalls:
Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls.
Packet filtering firewalls operate at the network layer of the OSI model, the IP layer of TCP/IP. They are usually implemented in a router, a device that receives packets from one network and forwards them to another; most routers support packet filtering.
A packet filter compares each packet against a set of criteria before forwarding it. Depending on whether the packet meets the criteria, the firewall drops it, forwards it, or sends a message back to the originator.
The criteria used to accept or reject a packet are the source and destination IP addresses, the source and destination port numbers and the protocol in use.
Packet filtering firewalls are cost effective and have little impact on network performance. A hospital with a small IT budget may use one to safeguard its network, and even where other firewalls are present, packet filtering at the router reinforces security at the lower network layers. This type of firewall works only at the network layer, however, and does not support the more sophisticated rule bases that examine application data.
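To make the address and protocol filtering described above concrete, the following added example (written for this edition; it is not part of the original paper and not any vendor’s product code) models a packet filter as a rule base evaluated top to bottom, with an implicit deny for any packet that matches no rule. The addresses and the rules themselves are assumptions chosen for illustration.

```python
"""Stateless packet filter with a default-deny rule base (added example, not from the paper)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # protocol filtering
    src: str = "0.0.0.0/0"       # address filtering on the source (CIDR)
    dst: str = "0.0.0.0/0"       # address filtering on the destination (CIDR)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate the rule base top to bottom; the first matching rule decides.
    Returns (action, index of the matching rule), or ("deny", None) when
    nothing matched: the implicit default is to deny."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed rule base for traffic arriving from the Internet. The addresses are
# documentation prefixes: 203.0.113.10 stands for the hospital's public web server
# and 198.51.100.0/24 for a partner network whose administrators may reach it.
INBOUND_RULES = [
    Rule("deny", proto="tcp", dport=23),                                        # telnet is never allowed, even from partners
    Rule("allow", proto="tcp", src="198.51.100.0/24", dst="203.0.113.10/32"),  # partner admins: any TCP port
    Rule("allow", proto="tcp", dst="203.0.113.10/32", dport=443),               # everyone else: HTTPS only
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "203.0.113.10", 40001, 22),
                Packet("tcp", "198.51.100.7", "203.0.113.10", 40002, 23),
                Packet("tcp", "192.0.2.5", "203.0.113.10", 40003, 443),
                Packet("tcp", "192.0.2.5", "203.0.113.10", 40004, 22),
                Packet("udp", "192.0.2.5", "203.0.113.10", 40005, 443)):
        print(pkt, "->", filter_packet(INBOUND_RULES, pkt))
```

The order of the rules is part of the policy: the explicit telnet deny sits above the broad partner allow so that the partner rule cannot admit telnet, and the partner rule sits above the public HTTPS rule so that the audit log shows which rule admitted a given connection.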
Figure 6: Packet Filtering Firewall
Circuit Level Gateways:
Network Address Translation (NAT) routers offer the protection of a packet filtering firewall and in addition hide the IP addresses of the computers behind them, which provides a degree of circuit level filtering.
Circuit level gateways operate at the session layer of the OSI model, the TCP layer of TCP/IP. They monitor the TCP handshake between hosts to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to originate from the gateway itself, which a hospital can use to hide information about its internal network. Circuit level gateways are relatively inexpensive and conceal the structure of the private network, but they do not filter individual packets.
Figure 7: Circuit level Gateway
Application level gateways:
Application level gateways, also called proxies, are similar to circuit level gateways except that they are application specific. They examine traffic at the application layer of the OSI model and can filter application-specific commands such as HTTP GET and POST.
They refuse incoming or outgoing packets for any service for which there is no proxy. In other words, an application level gateway configured as a web proxy does not allow FTP, gopher, telnet or any other non-web traffic through.
Packet filtering and circuit level firewalls differ from application level gateways in that they do not use application level information to decide whether to allow or reject traffic into the hospital’s network.
Application level gateways can also log user activity and logins, which raises the level of security in the hospital’s network. The price is performance: the context switches involved slow down network access. Application level gateways are also not transparent to end users and therefore require manual configuration of each client computer (www.infosecwriters.com).
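The following added example (not from the paper) shows the kind of check an application level gateway applies to an HTTP request before forwarding it: it refuses anything that is not a well-formed HTTP/1.x request (so FTP, telnet and similar traffic never pass), allows only the GET and POST commands, and allows only the hypothetical hospital hosts listed in ALLOWED_HOSTS. The host names, the request samples and the size limit are assumptions.

```python
"""Application-level gateway policy for HTTP requests (added example, not from the paper)."""
from typing import Dict, Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "POST"}
# Hypothetical hospital web applications that users may reach through the proxy.
ALLOWED_HOSTS = {"www.example-hospital.org", "ehr.example-hospital.org"}
MAX_REQUEST_LINE = 2048


def inspect_http_request(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a client request may be forwarded. Returns (allowed, reason).
    Everything that is not a well-formed HTTP/1.x request is refused, which is how a
    web proxy keeps FTP, telnet and other protocols from passing through it."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "not an HTTP/1.x request"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:            # command filtering: CONNECT, TRACE, PUT, ... are refused
        return False, "method %s not permitted" % method

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            return False, "malformed header line"
        key = name.lower()
        if key in headers and key in ("host", "content-length"):
            return False, "duplicate %s header" % key   # ambiguous requests are refused, not guessed at
        headers[key] = value.strip()
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "both Content-Length and Transfer-Encoding present"

    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    host = host.split(":")[0].lower()
    if not target.startswith("/"):               # absolute-form target, as a proxy usually receives it
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or url.hostname is None:
            return False, "unsupported request target"
        if url.hostname.lower() != host:
            return False, "request target does not match Host header"
    if host not in ALLOWED_HOSTS:
        return False, "host %s not permitted" % host
    return True, "%s %s" % (method, host)


if __name__ == "__main__":
    # Constructed requests: one legitimate, one tunnelling attempt, one FTP command.
    for req in (b"GET http://ehr.example-hospital.org/patients/42 HTTP/1.1\r\nHost: ehr.example-hospital.org\r\n\r\n",
                b"CONNECT ehr.example-hospital.org:443 HTTP/1.1\r\nHost: ehr.example-hospital.org\r\n\r\n",
                b"USER anonymous\r\n"):
        print(inspect_http_request(req))
```

A real proxy would go on to forward the request and inspect the response; the point here is that decisions are made on application-layer fields (method, host, headers) that a packet filter at layer three never sees.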
Figure 8: Application level Gateway
Stateful Multilayer Inspection Firewall:
The stateful multilayer inspection firewall is a hybrid of the other three types. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer.
With a stateful multilayer inspection firewall a direct connection between client and host is possible, which removes the lack of transparency of application level gateways and its impact on the smooth running of the hospital’s network.
This type of firewall relies on algorithms to recognize and process application layer data rather than on running application-specific proxies.
Stateful multilayer inspection firewalls raise the level of security, improve performance and are transparent to end users. They are, however, more expensive, and their complexity becomes a vulnerability if they are not managed by competent personnel.
For a hospital’s network this is the best kind of firewall to install: it combines the other three and therefore offers all the features needed to safeguard the network effectively.
Figure 9: Stateful Multilayer Inspection Firewall
Installing a firewall:
The following steps, carefully implemented, lead to the installation of an effective firewall.
- Choosing the access denial methodology.
A methodology that denies all access by default is the right starting point. The initial gateway routes no traffic at all and acts like a brick wall with no doors in it; doors are then added only for the traffic that is explicitly needed.
- Establishing an inbound traffic access policy.
This is simple if all of the hospital’s Internet traffic originates from the LAN. It then entails installing a NAT router that blocks all inbound traffic that is not a response to a request originating from within the LAN. As mentioned earlier, a NAT router hides the true IP addresses of the hospital’s hosts behind the firewall, which makes intrusion considerably harder (Wilson S.B, 2002).
Moreover, the local host addresses in this configuration are normally non-public (private) addresses, which cannot be routed to from the Internet.
Packets entering the hospital’s LAN from the Internet in response to requests from local hosts are sent to port numbers allocated on the public side of the NAT router. These allocations change so frequently that it is difficult or impossible for an intruder to guess which port numbers to use. NAT is not a substitute for explicit filtering, however; the packet filter rules remain necessary.
If the hospital’s operations require access to LAN based services from Internet based hosts, the criteria used to decide which packets originating from the Internet may enter the LAN must be established. The more precise the criteria, the more secure the network.
It is important to determine which public IP addresses may initiate communication, so that inbound traffic can be limited to packets originating from those addresses. This goes a long way towards reducing the likelihood of hostile intrusion. Inbound traffic can also be limited to particular protocols such as FTP or HTTP (www.infosecwriters.com).
All of this can be done by packet filtering on a NAT router. If the IP addresses that initiate inbound traffic cannot be known in advance, a more complex rule-based model is needed, and this is where a stateful multilayer inspection firewall comes in.
- Establishing an outbound access policy.
A proxy server gives a high level of security where Internet access is granted selectively to appropriate users, for example those at the hospital’s management level. Outbound protocol filtering can also be achieved transparently with packet filtering and without compromising security. If a NAT router is in use with no inbound mapping of traffic originating from the Internet, LAN users may be permitted to access the Internet without compromising security. The risk of the hospital’s staff misusing the Internet is a management issue and must be dealt with as such. As stated earlier, however, a proxy requires manual configuration of each web browser on each machine.
- Dial-in or dial-out access.
Dial-in access requires a secure remote access PPP server, which should be located outside the hospital’s network firewall. If individual users require dial-out access, each dial-out computer must be secured so that hostile access to the LAN through the dial-out connection is not possible. This can be achieved by physically isolating the computer from the LAN, or by using personal firewall software to isolate the LAN network interface from the remote access interface.
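The following added example (not from the paper) models the policy built up in the steps above as a stateful firewall would enforce it: deny by default; let LAN hosts initiate only the protocols on an outbound allowlist; admit inbound packets only when they answer a connection already recorded in the state table, checking that a TCP reply is the SYN/ACK the handshake calls for; and expire idle entries, which is how a connectionless protocol such as UDP is tracked. The LAN prefix, the allowlist and the timeouts are assumptions.

```python
"""Stateful, default-deny perimeter policy: outbound protocol allowlist, inbound
traffic only as replies to tracked connections (added example, not from the paper)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

INSIDE = ip_network("10.10.0.0/16")            # hypothetical hospital LAN
# Outbound protocol filtering: what LAN hosts may initiate towards the Internet.
OUTBOUND_ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# How long an entry may stay idle before it is dropped from the state table (seconds).
TIMEOUTS = {"SYN_SENT": 60.0, "SYN_RECV": 60.0, "ESTABLISHED": 3600.0, "UDP": 30.0}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()        # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


class StatefulFirewall:
    """State table keyed by (proto, inside_ip, inside_port, outside_ip, outside_port)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple, Tuple[str, float]] = {}

    def _expire(self, now: float) -> None:
        for key, (state, seen) in list(self.table.items()):
            if now - seen > TIMEOUTS[state]:
                del self.table[key]

    def process(self, p: Packet, now: float) -> str:
        """Return 'allow' or 'deny' for one packet seen at time `now`."""
        self._expire(now)
        src_in, dst_in = ip_address(p.src) in INSIDE, ip_address(p.dst) in INSIDE
        if src_in and not dst_in:                       # outbound
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            entry = self.table.get(key)
            if entry is None:                           # new connection: apply the outbound policy
                if (p.proto, p.dport) not in OUTBOUND_ALLOWED:
                    return "deny"
                if p.proto == "tcp" and p.flags != {"SYN"}:
                    return "deny"                       # a TCP connection must begin with a bare SYN
                self.table[key] = ("SYN_SENT" if p.proto == "tcp" else "UDP", now)
                return "allow"
            state = entry[0]
            if "RST" in p.flags:
                del self.table[key]
                return "allow"
            if state == "SYN_RECV" and "ACK" in p.flags:
                state = "ESTABLISHED"                   # third step of the handshake
            self.table[key] = (state, now)
            return "allow"
        if dst_in and not src_in:                       # inbound
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            entry = self.table.get(key)
            if entry is None:
                return "deny"                           # unsolicited: nobody inside asked for it
            state = entry[0]
            if p.proto == "tcp":
                if state == "SYN_SENT":
                    if p.flags != {"SYN", "ACK"}:
                        return "deny"                   # only a SYN/ACK may answer our SYN
                    state = "SYN_RECV"
                elif "RST" in p.flags:
                    del self.table[key]
                    return "allow"
            self.table[key] = (state, now)
            return "allow"
        return "deny"                                   # not perimeter traffic, or a spoofed inside source


if __name__ == "__main__":
    fw = StatefulFirewall()
    ws, web = "10.10.1.5", "93.184.216.34"
    print(fw.process(Packet("tcp", "203.0.113.9", ws, 3344, 445, frozenset({"SYN"})), 0.0))   # deny
    print(fw.process(Packet("tcp", ws, web, 50000, 443, frozenset({"SYN"})), 1.0))              # allow
    print(fw.process(Packet("tcp", web, ws, 443, 50000, frozenset({"SYN", "ACK"})), 1.1))       # allow
```

Note the last return: a packet whose source and destination are both inside (or both outside) the LAN should never arrive at a perimeter device, so it is dropped rather than matched against the state table.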
Selecting a Firewall:
Once the above issues have been addressed, it is easier to decide on the most appropriate firewall to set up. One can buy a complete firewall product or configure one from general-purpose routing or proxy software. The choice depends on the in-house expertise available and on the needs of the hospital; a basic firewall can be built with minimal expertise if the hospital’s requirements are not complex.
The firewall is a vital component of any security program, but it is not a security program per se. Complete network security also involves data integrity, service or application integrity, data confidentiality and authentication (Wilson S.B, 2002).
Firewalls address the integrity, confidentiality and authentication only of data that stays behind the firewall. Data that travels outside its boundary is exposed to corruption by intruders, and the integrity of such data is essential to the smooth running of any organization, hospitals included. An organization therefore needs a carefully planned and strictly implemented security program that includes, but is not limited to, firewall protection.
Organization and network structure influence the type of firewall that is put in place. For most hospitals a stateful firewall is the ideal choice. Stateful firewalls keep state tables of the actual connections in progress, which are valuable both to Intrusion Detection Systems (IDS) and to the various types of communication a hospital environment requires. Their ability to track connectionless protocols such as the User Datagram Protocol (UDP), by treating a request and the replies that follow it within a timeout as one exchange, further supports their position as the best firewall to use in hospitals.
Apart from selecting a suitable firewall, the configuration of the firewall matters. The first step in securing a firewall is turning off all unneeded services, a basic yet vital step in perimeter security.
The next step is changing the default settings. Passwords, Simple Network Management Protocol (SNMP) community strings, services and the HTTP management interface should all be changed from their defaults; a firewall operating on default settings is an easy target for attackers.
Another step is to restrict device management to the internal (management) side of the firewall. Allowing the device to be managed from outside exposes it to being reconfigured, which defeats its purpose.
Many firewalls examine the source IP address of a packet to determine its legitimacy, and are configured to allow traffic through if it originates from a specific trusted host.
An attacker may try to bypass this check by spoofing the source IP address of the packets sent to the firewall, disguising them as coming from the trusted source. If the firewall judges that the packets originate from a trusted host it lets them through, unless some other criterion is not met. To exploit this weakness the attacker needs some knowledge of the firewall’s rule base. A basic countermeasure is anti-spoofing (ingress) filtering: a packet that arrives on the outside interface claiming an internal source address cannot be genuine and should be dropped.
This shows that technology alone will not solve all security problems. It is the responsibility of the hospital’s management to ensure that the integrity of data is maintained. One of Courtney’s laws sums it up: “There are management solutions to technical problems, but no technical solutions to management problems”.
The risk of IP spoofing is further mitigated if the hospital employs a Virtual Private Network (VPN) protocol such as IPsec. IPsec attaches a keyed integrity check to each packet (and, with ESP, encrypts the payload); the protected fields include the source address, directly with the AH header or as the inner header of an ESP tunnel. The receiving VPN software or firmware recomputes the integrity value and drops any packet whose data or source address has been altered. Without the keys, an intruder cannot produce packets that the VPN endpoint will accept.
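The following added example (not from the paper) contrasts the naive trusted-host rule with the two countermeasures described above. The ingress filter drops packets that arrive from the outside claiming an internal or otherwise impossible source address, and a keyed integrity tag (HMAC) stands in for the IPsec integrity check value: the tag covers the addresses and the payload, so a packet whose source address has been altered, or one tagged without the key, is rejected. The addresses and the key are assumptions; a real deployment would use IPsec itself rather than this stand-in.

```python
"""IP source spoofing against a trusted-host rule, with the two mitigations the text
describes: ingress anti-spoofing filtering and keyed packet authentication (added example)."""
import hashlib
import hmac
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.0.0/16")                  # hypothetical hospital LAN
TRUSTED_HOST = ip_address("10.10.0.25")                # hypothetical host a naive rule trusts by address alone
# Prefixes that can never be the genuine source of a packet arriving from the Internet.
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def naive_trust_check(src: str) -> bool:
    """The weak rule: trust a packet because of the source address it claims."""
    return ip_address(src) == TRUSTED_HOST


def ingress_filter(src: str, arrived_on_external: bool) -> bool:
    """Anti-spoofing check at the outside interface: a packet that arrives from the
    Internet cannot legitimately carry an internal or bogon source address."""
    addr = ip_address(src)
    if arrived_on_external and (addr in INTERNAL or any(addr in net for net in BOGONS)):
        return False
    return True


# A keyed integrity tag standing in for the IPsec integrity check value. The tag covers
# the addresses and the payload, so none of them can be changed without the key.
SHARED_KEY = b"example-key-distributed-out-of-band"    # assumption: provisioned like an IPsec SA key


def seal(src: str, dst: str, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    message = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(src: str, dst: str, payload: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Accept the packet only if the tag matches, using a constant-time comparison."""
    return hmac.compare_digest(seal(src, dst, payload, key), tag)


if __name__ == "__main__":
    # An attacker on the Internet forges the trusted host's address.
    print("naive rule accepts spoof:", naive_trust_check("10.10.0.25"))
    print("ingress filter accepts spoof:", ingress_filter("10.10.0.25", arrived_on_external=True))
    # The same forgery cannot pass an integrity check without the key.
    tag = seal("10.10.0.25", "10.10.0.1", b"OPEN_DOOR")
    print("genuine packet verifies:", verify("10.10.0.25", "10.10.0.1", b"OPEN_DOOR", tag))
    print("altered source verifies:", verify("203.0.113.9", "10.10.0.1", b"OPEN_DOOR", tag))
```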
Benefits of a firewall
Firewalls protect the hospital’s private local area networks from hostile intrusion. Through the use of firewalls, LANs can be safely connected to the Internet. Otherwise Internet connectivity would be too risky.
Through firewalls, selected users can be allowed to access specific types of Internet services without the risk of corruption of network data. This selectivity is essential for the hospital’s information management purposes and involves protecting private information assets as well as restricting access to only selected users. This privilege can be accorded with respect to job description and need rather than on a rule of thumb basis.
If the hospital’s perimeter security is to be effective, the network architecture must be considered when the perimeter is designed. NAT conceals the internal network, which is useful for increasing security at certain levels.
The design should not allow external sources to initiate communication with internal hosts. If servers and devices must be reachable from outside, a Demilitarized Zone (DMZ) network should be employed. A DMZ allows external access to those devices without granting access to the organizational network, and it confines the effects of a compromised device to the DMZ rather than the organizational network (Alomary, 2004).
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) and monitoring must be considered in designing the hospital’s perimeter firewall. Many firewalls have a built-in IDS, which must be enabled and configured properly.
The effectiveness of the IDS must also be monitored; otherwise an intrusion may go unnoticed. Monitoring allows corrective action to be taken before the whole system is compromised.
Remote Access
Remote access is an integral part of modern hospital operations, and measures must be taken to secure it.
Devices used to provide remote access include Virtual Private Network (VPN) concentrators, VPN routers and dial-in servers. These devices act as gateways into the organization’s network and must therefore be secured.
Remote access gateways should be secured through access control and auditing. With users from outside trying to gain access to the network, one must ensure that each user is authenticated and that their access is audited.
Centralizing the administration of authentication and auditing for remote access makes it streamlined and more efficient. If users are added in one place and logs are viewed in one place, the likelihood of security vulnerabilities caused by a missed configuration or an unread log is minimized.
A Cisco Access Control Server is one device that can assist with this: through it, authentication, authorization and accounting for remote access can be done from one central location.
Because remote access devices are exposed, they must be configured and monitored carefully so that they cannot be exploited. Setting up a firewall at the perimeter is not enough; design, implementation and maintenance must all be taken into consideration.
Network Segmentation
Network segmentation is a vital aspect of the security of a hospital’s wired network. Segmentation is more commonly used to improve efficiency than security, but it also strengthens perimeter security through path isolation and by multiplying the boundaries an intruder has to cross.
Virtual Local Area Networks (VLANs) can be used to secure the hospital’s wired infrastructure by placing devices into separate VLANs. Devices on the same VLAN can reach each other directly; Access Control Lists (ACLs) and firewalls at the edge of each VLAN block traffic from other VLANs except what the policy explicitly permits. This multiplies the boundaries and consequently the security of the wired network, both internally and externally.
Radiology equipment should be protected through this kind of segmentation: such equipment generally cannot run endpoint protection, so it must be placed on a secure network segment of its own.
Another way of increasing security through segmentation is path isolation. VLANs segment traffic only on the layer 2 network; once traffic is routed by a layer 3 device the separation is lost unless it is carried through at that layer as well. Traffic should therefore be isolated in both the layer 2 and the layer 3 segments. For example, guest traffic should be fully segmented and isolated from the hospital’s own traffic. This can be achieved through network virtualization, in which traffic is isolated completely in both layer 2 and layer 3 segments (for example with separate virtual routing and forwarding instances).
Network segmentation and isolation are difficult to design and implement, and they cost more. The benefits outweigh the costs, however, as they are an invaluable asset to the security of a hospital’s wired network.
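The following added example (not from the paper) models the VLAN plan described above as a zone policy enforced at the VLAN edge: devices in the same VLAN reach each other directly without consulting the ACL, radiology modalities may speak DICOM only to the PACS server, clinical workstations reach the servers over HTTPS, and guest devices reach only the Internet. An audit helper lists the zones with any path into a given zone. The VLAN numbers, subnets, server addresses and policy are assumptions.

```python
"""VLAN segmentation with an access policy enforced at each VLAN's edge (added example,
not from the paper). Devices in one VLAN reach each other directly; crossing VLANs is
allowed only where the zone policy says so."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed VLAN plan for a hospital LAN: VLAN id -> (zone name, subnet).
VLANS = {
    10: ("workstations", ip_network("10.10.10.0/24")),   # clinical workstations
    20: ("servers", ip_network("10.10.20.0/24")),        # EHR, PACS and other servers
    30: ("radiology", ip_network("10.10.30.0/24")),      # modalities that cannot run endpoint protection
    40: ("guest", ip_network("10.10.40.0/24")),          # visitor devices
}
PACS = ip_network("10.10.20.15/32")                      # hypothetical image archive server

# (source zone, destination zone) -> list of (proto, dport, destination restriction or None).
# Anything not listed is dropped at the VLAN edge. "internet" is every address outside the plan.
POLICY: Dict[Tuple[str, str], List[Tuple[str, int, Optional[object]]]] = {
    ("workstations", "servers"):  [("tcp", 443, None)],
    ("workstations", "internet"): [("tcp", 80, None), ("tcp", 443, None)],
    ("radiology", "servers"):     [("tcp", 104, PACS)],           # DICOM, and only to the PACS
    ("servers", "radiology"):     [("tcp", 104, None)],           # the PACS may query modalities
    ("guest", "internet"):        [("tcp", 80, None), ("tcp", 443, None), ("udp", 53, None)],
}


def zone_of(ip: str) -> str:
    """Map an address to its zone through the VLAN subnets; anything else is the Internet."""
    addr = ip_address(ip)
    for _vid, (zone, subnet) in VLANS.items():
        if addr in subnet:
            return zone
    return "internet"


def permitted(proto: str, src: str, dst: str, dport: int) -> bool:
    """Edge ACL decision for a flow from src to dst on dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "internet":
        return True                      # same VLAN: switched at layer 2, the edge ACL is never consulted
    for p, port, restrict in POLICY.get((src_zone, dst_zone), []):
        if p == proto and port == dport and (restrict is None or ip_address(dst) in restrict):
            return True
    return False


def zones_that_can_reach(target_zone: str) -> List[str]:
    """Audit helper: which zones have any path at all into target_zone."""
    return sorted({s for (s, d) in POLICY if d == target_zone})


if __name__ == "__main__":
    print("guest -> modality DICOM:", permitted("tcp", "10.10.40.7", "10.10.30.12", 104))   # False
    print("modality -> PACS DICOM:", permitted("tcp", "10.10.30.12", "10.10.20.15", 104))   # True
    print("zones reaching radiology:", zones_that_can_reach("radiology"))                  # ['servers']
```

The intra-VLAN shortcut is the important caveat: segmentation protects the radiology modalities from other zones, but not from each other, which is why the radiology VLAN holds only the modalities and nothing else.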
Network Access Control
Network Access Control entails allowing or denying access to the hospital’s network on the basis of certain criteria. NAC was for a long time thought to apply only to wireless and remote access networks; it has since become clear that NAC can be applied at the switch port level of the hospital’s wired infrastructure (Olzak T, 2006).
The most common form of NAC is port-based access control, IEEE 802.1X (which Cisco markets as Identity Based Network Services, IBNS). Port-based NAC uses the physical characteristics of IEEE 802 LAN infrastructure to authenticate and authorize devices attached to a LAN port with point-to-point connection characteristics, and to prevent access through that port when authentication or authorization fails.
802.1X grants network access on the basis of credentials from either the user or the device. Network access is therefore restricted to legitimate users at the switch port, which is the front line. This is a more effective measure than the usual practice of placing access control only on devices such as servers: enforcing access control from the switch port onward multiplies the boundaries, and only authenticated devices and users are admitted to the network.
The security posture of the connecting device must also be considered. Posture checking is part of NAC: it verifies antivirus status and patch levels, which reinforces the security of the network. Cisco’s Network Admission Control appliance (Clean Access) and Juniper’s Unified Access Control are examples of systems that can be used for this. Through such systems, the devices as well as the users accessing the hospital’s network can have their security compliance verified, and only compliant devices and users are allowed onto the network.
LAN connections, traditionally regarded as trusted networks, now also require higher security settings. The possibility of sabotage cannot be ignored: a member of the hospital’s own staff with malicious intentions can bring down the network and disrupt the running of the hospital, and internal incidents are often more financially damaging than external attacks.
The Cisco ACS Server
The Cisco Secure Access Control Server (ACS) offers authentication, authorization and accounting (AAA) services to devices on the network, including routers, switches, Cisco PIX firewalls and network access servers (www.cisco.com).
Cisco Secure ACS supports the two major AAA protocols, TACACS+ and RADIUS.
Figure 10: Cisco ACS Server
The above figure illustrates how CISCO ACS plays a vital role in wireless network authentication.
Cisco ACS has traditionally been used for VPN and dial-up authentication, authorization and accounting. It can, however, also serve as the central posture server when Cisco Network Admission Control (NAC) is deployed.
Cisco NAC relies on RADIUS to carry the access request from the network access device to ACS. Besides the standard attributes, the request carries vendor-specific attributes (VSAs) holding the NAC-specific information. On ACS, a Network Access Profile (NAP) selects, from the characteristics of the request, which policies apply and therefore what action to take.
ACS first checks the authentication credentials against its internal user database. Next, the posture credentials that the host presented as Type-Length-Value (TLV) attributes are checked against the posture validation rules. The rules are grouped into policies, each policy holding several rules.
ACS judges the posture of the host on a first-match basis: the rules are evaluated in order and the first rule that matches decides the result, so the order of the rules is itself part of the policy. The administrator should place the rule that the majority of hosts will match first, conventionally "the client is healthy, grant access", and must take care that a broad rule placed above a narrower one does not silently shadow it; a catch-all rule belongs last.
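The following is an added example, not code from the paper or from Cisco, that shows the two mechanisms just described end to end: a RADIUS Access-Request carrying Cisco vendor-specific attributes is built, parsed back the way a server would parse it, and the resulting attribute pairs are run through first-match posture rules. The attribute names av-sig-date and os-patch-level, the shared secret, the thresholds and the rule set are assumptions made for the illustration; the packet layout, the Vendor-Specific attribute (type 26), Cisco's enterprise number 9 and the User-Password hiding are as specified in RFC 2865.

```python
"""Added example, not from the paper or from Cisco: encode a RADIUS Access-Request
carrying Cisco vendor-specific attributes, decode it as a server would, and apply
first-match posture rules. The 'av-sig-date'/'os-patch-level' pair names, the secret
and the rule thresholds are assumptions for illustration."""
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor-type of Cisco-AVPair ("key=value" strings)


def attribute(atype, value):
    """Standard RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """VSA wrapper: type 26, vendor id 9, then vendor-type 1 / vendor-length / text."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: pad to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block); the first block uses the authenticator."""
    raw = password.encode()
    padded = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident, secret, username, password, avpairs):
    """Packet = code, id, length, 16-byte request authenticator, attributes."""
    authenticator = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    for text in avpairs:
        attrs += cisco_avpair(text)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Walk the attribute list; return code, standard attributes and Cisco AV-pairs.
    Every length field is checked so a malformed packet raises instead of over-reading."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, plain, pairs = 20, [], {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                key, _, val = value[6:].decode().partition("=")
                pairs[key] = val
        else:
            plain.append((atype, value))
        pos += alen
    return code, plain, pairs


# Posture rules as (name, predicate over AV-pairs, verdict). Like ACS, the FIRST
# rule that matches wins, so the order of this list is itself part of the policy.
MIN_SIG_DATE = "2008-09-01"   # assumed oldest acceptable antivirus signature date

POSTURE_RULES = [
    ("healthy", lambda p: p.get("av-sig-date", "") >= MIN_SIG_DATE
                          and p.get("os-patch-level", "") == "SP2", "permit"),
    ("stale-antivirus", lambda p: "av-sig-date" in p and p["av-sig-date"] < MIN_SIG_DATE, "quarantine"),
    ("default-deny", lambda p: True, "quarantine"),   # catch-all: must stay last
]


def validate_posture(pairs, rules=POSTURE_RULES):
    for name, predicate, verdict in rules:
        if predicate(pairs):
            return name, verdict
    return "no-rule", "quarantine"


def check(username, avpairs, rules=POSTURE_RULES):
    """Round trip: build the request, parse it back, judge the posture."""
    packet = build_access_request(7, b"shared-secret", username, "pw", avpairs)
    _, _, pairs = parse_attributes(packet)
    return validate_posture(pairs, rules)
```

Moving the default-deny rule to the top of POSTURE_RULES quarantines every host, healthy or not, which is the shadowing mistake the text warns about; the rule list, not the individual rules, is the policy.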
ACS can also forward the credentials to a third-party posture validation server. This is useful when that server performs kinds of validation that Cisco ACS does not support itself.
Posture Validation Server
Cisco ACS acts as the posture validation server. It verifies the security credentials of the devices, and of the users, trying to access the hospital's network, and thereby enforces policy items such as the antivirus signature version, file versions and the operating system patch level.
Cisco Secure ACS is the policy decision point of Cisco Network Admission Control. Together with the Cisco Trust Agent, which runs on the host and reports its posture, it forms a significant part of the framework.
Figure 11: Posture validation server.
Network Intrusion Detection Systems:
A network intrusion detection system (NIDS) detects malicious behaviour that may compromise the security of, and the trust placed in, a computer system. It detects network attacks against vulnerable and unused services, attacks on applications, host-based attacks, unauthorized logins and access to sensitive files. It can also detect viruses, Trojan horses and worms (www.robertgraham.com).
An intrusion detection system may run on the machine it protects, monitoring that machine's own traffic, or on a dedicated machine that continuously monitors the traffic of a whole network segment.
A NIDS is made up of three key components: the sensors, the engine and the console. The sensors generate security events from the traffic they observe. The engine records the events produced by the sensors and applies a set of rules to them to generate alerts. The console is the operator's view: it displays events and alerts and is used to control the sensors.
Besides the NIDS proper, System Integrity Verifiers (SIV) and Log File Monitors (LFM) are two further kinds of system that can be used to detect intrusions into the hospital's network.
A System Integrity Verifier monitors system files for changes that indicate an intrusion. The best-known SIV is Tripwire. An SIV may also monitor other components, such as the Windows registry and the cron configuration, and it can detect a normal user acquiring administrator-level privileges, for instance through a newly set-uid binary or an added privileged account.
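As an added example, not code from the paper or from Tripwire, the block below is a minimal System Integrity Verifier of the kind just described: it takes a baseline of content hashes and metadata over a directory tree, seals the baseline with an HMAC so that an intruder cannot quietly rewrite it to match their changes, and later reports files that were added, removed or modified. The directory layout, file contents, simulated intruder actions and the HMAC key are all constructed for the demonstration; the check on the mode bits is what catches the set-uid case mentioned above.

```python
"""Added example, not from the paper or from Tripwire: a minimal System Integrity
Verifier. A baseline of content hashes and metadata is taken over a directory and
authenticated with an HMAC; a later check reports added, missing and modified files.
The directory layout, the intruder actions and the HMAC key are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def fingerprint(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    # Mode matters as much as content: a set-uid bit appearing on a binary is a
    # classic sign of a normal user having gained administrator privileges.
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def take_baseline(root):
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def seal(baseline, key):
    """Authenticate the baseline; the key must be kept off the monitored host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline has been tampered with")
    return json.loads(body)


def verify(root, baseline):
    """Return sorted (kind, relative path, changed fields) findings."""
    current = take_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append(("missing", rel, []))
        elif new != old:
            findings.append(("modified", rel, sorted(k for k in old if old[k] != new[k])))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel, []))
    return sorted(findings)


def demo():
    """Build a toy filesystem, baseline and seal it, then simulate an intrusion."""
    key = b"baseline-key-held-on-the-admin-workstation"   # assumption: stored off the host
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "bin/ls": b"\x7fELF stand-in\n",
                 "etc/crontab": b"0 2 * * * root /usr/bin/backup\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        body, tag = seal(take_baseline(root), key)
        # Intruder activity: an extra uid-0 account, a set-uid bit on a binary,
        # and a new startup file.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"svc:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        with open(os.path.join(root, "etc/rc.local"), "wb") as f:
            f.write(b"/tmp/.x &\n")
        findings = verify(root, unseal(body, tag, key))
        # An intruder who rewrites the stored baseline instead is caught by the HMAC.
        try:
            unseal(b"{}", tag, key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return findings, forgery_detected
```

The baseline and its key have to live somewhere the intruder cannot reach, such as read-only media or an administrator's workstation; a verifier that trusts a baseline stored on the host it checks can be defeated by simply regenerating the baseline after the changes.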
A Log File Monitor (LFM) watches the log files written by network services. Like a NIDS, the LFM looks for patterns in the log entries that point to an attack, for example a burst of failed logins followed by a success.
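The block below is an added example, not code from the paper or from any NIDS product, that puts the three components named above (sensors, engine, console) and the log file monitor of this paragraph into one small program: a packet-summary sensor and a log-file sensor feed events into an engine that applies signature and stateful rules, and a console renders the alerts. The packet summaries, the sshd log lines, the list of "unused service" ports and the thresholds are all constructed assumptions for the demonstration.

```python
"""Added example, not from the paper or any NIDS product: sensors, engine and console
over two constructed feeds, a packet-summary sensor and a log-file monitor over sshd
lines. Thresholds, the unused-service port list and all sample data are assumptions."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed packet summaries: (time, source, destination, destination port, TCP flags).
PACKETS = [
    ("2008-09-05 10:00:01", "10.1.1.50", "10.1.2.10", 22, "S"),
    ("2008-09-05 10:00:01", "10.1.1.50", "10.1.2.10", 23, "S"),
    ("2008-09-05 10:00:02", "10.1.1.50", "10.1.2.10", 25, "S"),
    ("2008-09-05 10:00:02", "10.1.1.50", "10.1.2.10", 80, "S"),
    ("2008-09-05 10:00:03", "10.1.1.50", "10.1.2.10", 443, "S"),
    ("2008-09-05 10:06:00", "10.1.3.7", "10.1.2.10", 23, "S"),   # telnet, which the hospital does not offer
]
# Constructed sshd log lines for the log-file monitor.
AUTH_LOG = """\
Sep  5 10:10:01 ehr1 sshd[410]: Failed password for invalid user admin from 192.0.2.9 port 4001 ssh2
Sep  5 10:10:03 ehr1 sshd[411]: Failed password for root from 192.0.2.9 port 4002 ssh2
Sep  5 10:10:05 ehr1 sshd[412]: Failed password for root from 192.0.2.9 port 4003 ssh2
Sep  5 10:10:06 ehr1 sshd[413]: Failed password for root from 192.0.2.9 port 4004 ssh2
Sep  5 10:10:08 ehr1 sshd[414]: Failed password for root from 192.0.2.9 port 4005 ssh2
Sep  5 10:10:09 ehr1 sshd[415]: Accepted password for root from 192.0.2.9 port 4006 ssh2
Sep  5 10:12:00 ehr1 sshd[420]: Failed password for jdoe from 10.1.1.20 port 5001 ssh2
Sep  5 10:12:30 ehr1 sshd[421]: Accepted password for jdoe from 10.1.1.20 port 5002 ssh2
"""
UNUSED_SERVICES = {23: "telnet", 445: "smb"}   # assumed: not offered anywhere on the network
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def packet_sensor(records):
    """Sensor 1: packet summaries become events."""
    for t, src, dst, dport, flags in records:
        yield {"kind": "packet", "time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
               "src": src, "dst": dst, "dport": dport, "flags": flags}


def logfile_sensor(text, year=2008):
    """Sensor 2, the log-file monitor: sshd lines become authentication events."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"kind": "auth", "time": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                   "result": m.group(2), "user": m.group(3), "src": m.group(4)}


def rule_unused_service(ev, state):
    """Signature rule: a SYN to a port the hospital does not serve."""
    if ev["kind"] == "packet" and "S" in ev["flags"] and ev["dport"] in UNUSED_SERVICES:
        return f"SYN to unused service {UNUSED_SERVICES[ev['dport']]}/{ev['dport']} on {ev['dst']} from {ev['src']}"


def rule_port_scan(ev, state, threshold=5, window=timedelta(seconds=10)):
    """Stateful rule: one source touching many distinct ports on one host in a short window."""
    if ev["kind"] != "packet" or "S" not in ev["flags"]:
        return None
    key = ("scan", ev["src"], ev["dst"])
    hist = state.setdefault(key, deque())
    hist.append((ev["time"], ev["dport"]))
    while ev["time"] - hist[0][0] > window:
        hist.popleft()
    ports = {p for _, p in hist}
    if len(ports) >= threshold and not state.get(key + ("alerted",)):
        state[key + ("alerted",)] = True   # alert once per scan, not once per packet
        return f"port scan: {ev['src']} probed {len(ports)} ports on {ev['dst']} within {window.seconds}s"


def rule_brute_force(ev, state, threshold=4, window=timedelta(seconds=60)):
    """Stateful rule over the log feed: a success right after a burst of failures."""
    if ev["kind"] != "auth":
        return None
    hist = state.setdefault(("auth", ev["src"]), deque())
    while hist and ev["time"] - hist[0] > window:
        hist.popleft()
    if ev["result"] == "Failed":
        hist.append(ev["time"])
        return None
    if len(hist) >= threshold:
        return f"possible guessed password: {ev['user']} from {ev['src']} after {len(hist)} failures"


class Engine:
    """Records events from every sensor and applies the rules to raise alerts."""
    def __init__(self, rules):
        self.rules, self.state, self.alerts = rules, {}, []

    def feed(self, ev):
        for rule in self.rules:
            msg = rule(ev, self.state)
            if msg:
                self.alerts.append((ev["time"], rule.__name__, msg))


def console(alerts):
    """The console renders the engine's alerts for the analyst."""
    return [f"{t:%Y-%m-%d %H:%M:%S} [{name}] {msg}" for t, name, msg in alerts]


def run_nids(packets=PACKETS, log_text=AUTH_LOG):
    engine = Engine([rule_unused_service, rule_port_scan, rule_brute_force])
    events = list(packet_sensor(packets)) + list(logfile_sensor(log_text))
    for ev in sorted(events, key=lambda e: e["time"]):   # stable sort keeps feed order on ties
        engine.feed(ev)
    return engine.alerts
```

On the constructed data the engine raises four alerts: the telnet probe inside the scan, the scan itself once it reaches five distinct ports, the later telnet attempt from a second host, and the root login that follows five failures, while the single failed login by jdoe stays below the threshold and is not reported.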
Types of Intrusion Detection Systems:
There are two types of intrusion detection systems: the network based intrusion detection system (NIDS) and the host based system.
The network-based system listens to all the packets on its segment and looks for intrusion patterns in their contents. Its position on the hospital's network is therefore crucial: a sensor can only see the traffic on the segment to which it is attached and cannot analyse packets on the far side of routers, bridges or switches (Lundell J, 2001). On a switched network the sensor must be fed from a mirror (SPAN) port or a network tap.
The appropriate position for the NIDS is the demilitarized zone (DMZ) or the border of the hospital's network. From there the sensors can monitor all traffic entering and leaving and analyse the contents of the individual packets.
The host-based system protects one specific host, such as a web server. It monitors that host's own log files and system files and raises an alert when an intrusion is detected. A host-based system is the right choice for a server that a network sensor cannot cover, for instance one placed outside the perimeter security so that it is on neither the internal network nor the demilitarized zone.
Methods of intruder detection:
Intruders also known as hackers or crackers try to gain access to the system. Intruders may gain access to the network through physical intrusion, system intrusion and remote intrusion.
Physical intrusion takes place when the intruder has physical access to network equipment and devices. If console access to the equipment is properly configured, physical intrusion is easily detected.
System intrusion occurs when the intruder already holds a low-privilege user account on the system and uses it as a foothold.
In remote intrusion the intruder attempts to reach the hospital's network from outside, starting with no privileges at all. Firewalls help mitigate this risk.
How intruders get into systems
One of the easiest ways for intruders to gain access to the hospital's systems is through software bugs. Most software contains bugs, and it is not possible to eliminate all of them; intruders exploit the ones that remain to compromise the system.
Exploitable bugs are found in server daemons, client applications, the operating system and the network stack.
Software bugs fall into the following classes:
Buffer overflows:
When a programmer sets aside a fixed number of bytes to hold, say, a login username, the program is written on the assumption that nobody will ever enter a longer name. An intruder supplies a username that is longer than the buffer. The excess overwrites adjacent memory, and if the intruder has placed executable code and a suitable return address in it, the server runs that code and the intruder gains access to the system.
Intruders find such bugs in several ways. The source code of many services is available on the Internet, and they read it looking for buffer-handling errors. Where source is not available they examine the compiled program, which is harder because reading assembly output is difficult. Finally, they feed a program's input points with random data; if the program crashes and the input can be tuned, there is a high probability that the crash can be turned into a break-in. Withholding the hospital's own source code is therefore no defense, since the last two methods do not need it. The problem is common in programs written in C/C++ and rare in languages such as Java, which check array bounds at run time.
Unexpected combinations:
Programs are built from many layers of code, with the operating system as the bottom layer. Sending input that is meaningless to one layer but meaningful to another is a method intruders commonly use. The usual language for processing web input at the time was Perl, and Perl programs often pass their input on to other programs for further processing. This gives the intruder an opening, because Perl asks the operating system's shell to launch the additional program with that input. A classic case is a form that hands an e-mail address to the mail program: the intruder enters an address followed by a pipe character and a second command, the shell honours the pipe and launches that command, and the password file ends up being e-mailed to the intruder (Lundell J, 2001).
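As an added example, not code from the paper, the block below reproduces the pipe-character injection in Python rather than Perl, with a harmless payload: the vulnerable function pastes the recipient into a command line that the shell interprets, the second passes it as a single argument with no shell, and the third additionally validates it against an allow-list. The echo command stands in for the mail program, and the recipient string is a constructed attacker input.

```python
"""Added example, not from the paper: the pipe-character injection described above,
written in Python instead of Perl. 'echo' stands in for the mail program so the
vulnerable version is harmless to run; PAYLOAD is a constructed attacker input."""
import re
import subprocess

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def notify_vulnerable(recipient):
    """The input is pasted into a command line that /bin/sh interprets: meaningless
    to this program, meaningful to the shell layer underneath it."""
    cmd = f"echo Notification for {recipient}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_no_shell(recipient):
    """Argument list and no shell: the recipient reaches the program as one
    argument, so a pipe character is just a character."""
    return subprocess.run(["echo", "Notification for " + recipient],
                          capture_output=True, text=True).stdout


def notify_hardened(recipient):
    """No shell AND an allow-list on the input, so malformed input never reaches
    the mail program at all."""
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError("recipient is not a plain e-mail address")
    return notify_no_shell(recipient)


PAYLOAD = "nurse@hospital.example | echo INJECTED"   # constructed attacker input
```

With PAYLOAD, the vulnerable version returns only "INJECTED": the shell pipes the first echo into the attacker's command, which is exactly how the password file leaves the host in the mail example. Passing the argument list avoids the shell entirely; the allow-list is still worth keeping, because the mail program itself may interpret leading dashes or other characters in its arguments.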
Unhandled input:
Most programs are written to handle valid input only and do not cope adequately with input that fails to match the specification. This is risky, because the consequences of unexpected input can be far reaching and very harmful to the organization.
Race conditions:
Most modern systems multitask, that is, they run more than one program at a time. This is dangerous when two programs need to work on the same data at the same time. Suppose two programs, X and Y, must each modify the same file. To do so, each program first reads the file into memory, alters the contents in memory and finally writes the memory back out to the file.
The race condition occurs when program X reads the file into memory and makes its change, but before X writes the file back, program Y comes in and performs the whole read/modify/write cycle. X then writes its copy out. Since X started from a copy taken before Y's change, Y's change is lost. The events must occur in exactly this order for the fault to appear, which makes race conditions hard to hit by chance; intruders typically have to try many times before the timing works out and they break in.
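The block below is an added example, not code from the paper, that forces the lost-update race just described to happen deterministically: two threads share a counter file, a pause hook stands in for the scheduler suspending X between its read and its write, and the same function run under a lock shows the fix. The counter file, the +1 and +10 updates and the 0.5 second wait are constructed for the demonstration.

```python
"""Added example, not from the paper: the lost-update race between programs X and Y
described above, reproduced deterministically with two threads sharing a file.
The pause hook stands in for the scheduler switching programs at the worst moment;
the counter file and the +1/+10 updates are constructed for the demonstration."""
import contextlib
import os
import tempfile
import threading


def read_modify_write(path, modify, pause=None, lock=None):
    """Read the file into memory, alter it, write it back; optionally under a lock."""
    guard = lock if lock is not None else contextlib.nullcontext()
    with guard:
        with open(path) as f:
            value = int(f.read())
        if pause:
            pause()          # window in which the other program may run
        with open(path, "w") as f:
            f.write(str(modify(value)))


def run_race(use_lock):
    """X reads, is suspended, Y does a full read/modify/write, X resumes and writes.
    Returns the final counter: 1 means Y's +10 was lost, 11 means both survived."""
    lock = threading.Lock() if use_lock else None
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "counter")
        with open(path, "w") as f:
            f.write("0")
        x_has_read = threading.Event()
        x_may_continue = threading.Event()

        def suspend_x():
            x_has_read.set()
            x_may_continue.wait()

        x = threading.Thread(target=read_modify_write, args=(path, lambda v: v + 1, suspend_x, lock))
        y = threading.Thread(target=read_modify_write, args=(path, lambda v: v + 10, None, lock))
        x.start()
        x_has_read.wait()            # X now holds a stale copy (and the lock, if any)
        y.start()
        # Unlocked: wait for Y to finish its whole cycle. Locked: Y is stuck behind X,
        # so give up waiting after half a second and let X carry on.
        y.join(timeout=None if lock is None else 0.5)
        x_may_continue.set()
        x.join()
        y.join()
        with open(path) as f:
            return int(f.read())
```

A threading.Lock only serialises threads inside one process; for two separate programs, as in the text, the equivalent is an operating-system lock on the file (fcntl.flock or a lock file created with O_EXCL), and the read must happen after the lock is taken, not before it, or the same window reopens.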
Patch management is the controlled deployment and maintenance of interim software releases across the hospital's network environment. Done properly, it improves the network's efficiency and effectiveness, removes known security vulnerabilities and generally gives the hospital a stable environment. According to the FBI, one in nine network security breaches results from a software or hardware vulnerability that a missing patch would have closed. GFI LAN guard Patch Manager reduces this risk by deploying the latest recommended software, and it can install and manage patches on all of the hospital's Windows machines in any of the 38 languages supported by Microsoft.
GFI LAN guard Patch Manager automatically downloads missing patches and supports patch roll-back, and custom software can be deployed through it. Because patching is automated, machines need not be patched individually. It works alongside Microsoft WSUS but also deploys patches to ISA Server machines and to machines running Windows NT, and it deploys third-party patches and software. It can also push patches to individual computers and have them installed immediately, which WSUS cannot do. In short, it provides the tools to patch machines across the whole network.
Figure 12: GFI LAN guard Patch Manager main screen
GFI LAN guard Patch Manager
GFI LAN guard Patch Manager helps the hospital's IT administrator install patches and so secure the network more effectively. It also checks that Microsoft WSUS is functioning and performing its tasks properly, and it adds features such as automatic patch download and patch roll-back.
It integrates with WSUS and deploys patches to ISA Server and Windows NT machines. It also reports on the scans performed across the whole network, including applications and resources.
GFI LAN guard Patch Manager makes it easy to install third-party software or patches across the hospital's entire network. This allows one to deploy client software, update custom or non-Microsoft software, push antivirus updates and more. The custom software deployment feature makes Microsoft SMS unnecessary, which is too complex and expensive for small to medium-sized networks (Alomary A.Y, 2004).
GFI LAN guard Patch Manager detects missing Microsoft security updates and deploys them on both English and non-English Windows operating systems. It is Unicode compliant and supports patch management in all 38 languages currently supported by Microsoft.
Silent installation support
An unattended default installation of GFI LAN guard Patch Manager can be performed on multiple computers in the background without interrupting users who are busy working. The deployment parameters can be customized by creating Microsoft Transform (MST) files.
Figure 13: Easily deployed patches network-wide
GFI LAN guard Patch Manager has the following requirements:
· Windows 2000 (SP4), XP (SP2), 2003, VISTA operating system
· Internet Explorer 5.1 or higher
· Client for Microsoft Networks component – included by default in Windows 95 or later
· Secure Shell (SSH) – included by default in most Linux distributions
Network Infrastructure Equipment Security
The hospital's network cannot function if the equipment supporting it is not working properly, whether through failure, theft or tampering. It is therefore not enough to secure the network infrastructure logically; the physical security of the equipment is just as important.
The first and most important step in securing the hospital's network equipment is controlling physical access to it. HIPAA requires that the equipment be housed in a secure place; the room should be locked and under 24-hour surveillance (Lundell J, 2001).
Those allowed to access and manage the equipment should be authenticated and authorized individually; a AAA server speaking TACACS+ or RADIUS makes this practical and gives an audit trail of who changed what.
Management access should use encrypted protocols such as Secure Shell (SSH) and HTTPS; insecure protocols such as Telnet and HTTP should be disabled. Moreover, management access should be restricted by access control list to known administrative addresses. User segments and subnets that have no need to manage equipment should be denied access to the management interfaces altogether.
Out-of-band management should be used wherever possible, so that management traffic is kept separate from production traffic. Keeping the equipment itself secure is vital to the overall security posture of the network infrastructure.
Unused services on the hospital's network devices, as on the perimeter firewalls, should be disabled to reduce the attack surface. Disabling unused services does not affect the running of the network; it only increases security. Which services are unused varies by manufacturer, but most are documented, so the manual can be consulted when it is unclear what to switch off. Unused switch ports should also be disabled, since active unused ports increase the hospital's exposure to attack.
Alomary, A.Y. and Jamil, M.S. (2004). New trends on security infrastructure for computer networks.
Cisco Systems. Cisco Secure Access Control Server for Windows. Retrieved September 6, 2008, from http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/index.html
Gue, D. The HIPAA Security Rule (NPRM): Overview. Retrieved September 6, 2008, from http://www.hipaadvisory.com/regs/securityoverview.htm
IEEE (2004). IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control. Retrieved September 5, 2008, from http://ieeexplore.ieee.org
Kincaid, P. (2004). Protection at the Perimeter: One Link in the Defense-in-Depth Chain.
Lundell, J. (2001). A fault-tolerant approach to network security. IEEE International Symposium on Network Computing and Applications, 2001, p. 22.
Olzak, T. (2006). Strengthen Data Protection with Network Access Controls.
Wilson, S.B. (2002). What is a Firewall? A high level explanation of firewall technologies and their features.
http://www.infosewriters.com/text_resources/pdf/802.1x.pdf. Retrieved September 4, 2008.
http://www.infosecwriters.com/text_resources/pdf/PRS.pdf. Retrieved September 4, 2008.
http://www.mmcctlc.com/hipaa.htm. Retrieved September 5, 2008.