Assignment 3: SIEM, Firewall and Security as a Service
OBJECTIVES:
Objective #1 Use a demo SIEM to explore the function of SIEM
If you are concerned about installing any of the software in these projects on your regular computer, you can instead install the software in the Windows virtual machine or AWS.
Using AlienVault SIEM Tools
A Security Information and Event Management (SIEM) product consolidates real-time monitoring and management of security information along with analysis and reporting of security events. In this activity, you access the online demo of AlienVault, a SIEM product.
1. Use your web browser to go to cybersecurity.att.com. Click the ONLINE DEMO button in the top right of the screen. You will need to fill in a form before you can get to the demo. The system will create a login for you.
Enter the Live Site to check out the demo.
Mini-activity 1: Explore the attacks
The AlienVault online demo appears. Click Dashboards Overview to see the overview. Go to the Alarms by Intent section and choose one alarm. Click into the event. What is the event about? What is the vulnerability of the event? Please include a screenshot together with your answers. What recommendations are given for mitigating this attack? Is the information helpful?
Mini-activity 2: Create filtering rules
Then go back to the main page of the demo. Select SETTINGS>RULES and create the following filter rules:
RULE1: Filter all DNS TCP traffic from the source IP 24.114.114.23 to the destination IP 25.123.123.11.
RULE2: Filter all UDP NTP traffic from the source IP 11.11.23.12 where the destination country is CA.
Show each rule's settings in a screenshot.
Save the rules and go back to the settings to verify if the rules have been created.
Mini-activity 3: Vulnerability scan
Do you know how to do a vulnerability scan using the SIEM tool? If so, please explain the steps and show a screenshot.
Objective #2 Firewall
(This activity is copied directly from textbook lab 6-2.)
In this project, you edit configuration settings on Windows Firewall.
Windows Firewall uses three different profiles: domain (when the computer is connected to a Windows domain), private (when connected to a private network, such as a work or home network), and public (used when connected to a public network, such as a public Wi-Fi). A computer may use multiple profiles, so that a business laptop computer may use the domain profile at work, the private profile when connected to the home network, and the public profile when connected to a public Wi-Fi network. Windows asks whether a network is public or private when you first connect to it.
1. Click Start, click the search icon, and enter Firewall.
2. Click Windows Firewall Control panel.
3. Click Turn Windows Firewall on or off. Be sure that the Windows Firewall is turned on for both private and public networks.
4. Under Public network settings, check Block all incoming connections, including those in the list of allowed apps. This provides an extra level of security when using a public network such as a free Wi-Fi network by preventing a malicious incoming connection from another computer on the network. Click OK.
5. To allow an inbound connection from an installed application, in the left pane click Allow an app or feature through Windows Firewall.
6. Each program or feature of Windows can be chosen to allow an incoming connection on public or private networks. Click Allow another app.
7. From here you can select an app that will permit an incoming connection. Because this is a security risk, click Cancel and then OK.
8. Now check the configuration properties of Windows Firewall. Click Advanced settings.
9. Click Properties in the right pane.
10. Note the settings on each of the profiles by clicking the Domain Profile, Private Profile, and Public Profile tabs. Is there any difference in the settings between these profiles? Why?
11. On each tab under Settings, click Customize. Be sure that Display a notification is set to Yes. Why would this be important?
12. Click OK to return to the Windows Firewall with Advanced Security page.
13. In addition to being application-aware, Windows Firewall can also be configured with firewall rules. Click Outbound Rules in the left pane to block a program from reaching the Internet.
14. In the right pane, click New Rule.
15. Click Port and then click Next.
Note
In addition to ports, the Windows Firewall also can block by program (Program) or even by program, port, and IP address (Custom).
16. If necessary, click TCP.
17. Next to Specific remote ports: enter 80. Click Next.
18. If necessary, click Block the connection. Click Next.
19. Be sure that this new rule applies to all three profiles (Domain, Private, and Public). Click Next.
20. Under Name: enter Blocking Port 80. Click Finish.
21. Now open a web browser and try to connect to an HTTP site. What happens? Why?
22. Now open a web browser and try to connect to an HTTPS site. What happens? Why?
23. Click the Back button to return to the Windows Firewall screen and click Action and Restore Default Policy to disable this rule. If a warning dialog box appears, click Yes. Click OK.
24. Select Outbound Rules in the left pane. In the right pane, click New Rule.
25. Click Custom and Next.
26. If necessary, click All programs and Next.
27. Note that you can configure a firewall rule based on protocol, protocol number, port, and remote port.
28. Click Cancel.
29. Close all windows.
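The outbound rule from steps 13-20 and the HTTP/HTTPS checks that follow it, done from an elevated PowerShell prompt instead of the GUI. This is an added example, not part of the textbook lab; the test host example.com is an assumption, and the script removes only its own rule by name rather than using Restore Default Policy, which would also discard any other custom rules.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the "Blocking Port 80" outbound rule.
$ruleName = 'Blocking Port 80'   # rule name from step 20
$testHost = 'example.com'        # assumption: any host serving both HTTP and HTTPS

# Steps 10-11: settings shown on the Domain/Private/Public Properties tabs.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, NotifyOnListen |
    Format-Table -AutoSize | Out-Host

# Try a TCP connection to ports 80 and 443 and record whether each succeeded.
function Test-WebPorts {
    param([string]$Stage)
    foreach ($port in 80, 443) {
        $r = Test-NetConnection -ComputerName $testHost -Port $port `
                 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Stage            = $Stage
            Port             = $port
            TcpTestSucceeded = $r.TcpTestSucceeded
        }
    }
}

$results = @(Test-WebPorts -Stage 'before rule')

# Steps 13-20: outbound, TCP, remote port 80, block, all three profiles.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 80 -Profile Any | Out-Null

try {
    # Confirm what the rule actually matches before relying on it.
    Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
        Select-Object Protocol, RemotePort | Format-Table -AutoSize | Out-Host

    # Same checks as the browser tests, at the TCP level.
    $results += Test-WebPorts -Stage 'rule active'
}
finally {
    # Clean up only this rule; other firewall rules are left untouched.
    Remove-NetFirewallRule -DisplayName $ruleName
}

$results | Format-Table -AutoSize
```

Compare the TcpTestSucceeded column for each port before and while the rule is active when answering the questions about the HTTP and HTTPS sites.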
Objective #3 Security as a Service
Today many security companies offer security as a service on their cloud platforms. Do your research and find one vendor that provides security as a service. Describe in your own words what services they offer to the customer. What kind of mitigation can they provide during an attack? Please include all references.