Business X has recently been growing in its field of expertise. Along with this growth has come greater market awareness of the company, which has increased its exposure to possible network attacks, both from external sources and from internal threats such as disgruntled employees. CEO Bob expressed this concern to the information security department, which decided that an Intrusion Detection System or an Intrusion Prevention System would be an ideal upgrade to the network infrastructure. The purpose of this device was to provide real-time monitoring and alerts of active threats against the integrity of the network and the data that resides on it.
There was no solution in place at the time that matched the needs requested by Business X. It was then determined, through discussions between the finance department and the information security department, that an open source solution running on the current virtual server infrastructure would meet the necessary requirements and constraints. The product must not cost anything, must have some level of support, and must provide regular updates to its core capabilities in order to stay ahead of future threats and offer a way to reduce risk to an acceptable level.
The requested requirements include a Network Intrusion Detection System (NIDS) engine, a Network Intrusion Prevention System (NIPS) engine, and a Network Security Monitoring (NSM) engine. Offline analysis of PCAP network traffic capture files and possible integration with the current network firewalls were also requested features. It must also have broad operating system support, as it had yet to be determined which operating system it would run on, although the IT department was leaning toward a Linux deployment.
In order to prepare for the future growth of the company, IPv6 support was needed along with the current protocols, including IPv4, IPv6, TCP, and UDP. It must be able to monitor HTTP traffic along with SSL/TLS, the SMB file transfer protocol, the SMTP/POP email protocols, FTP, and DNS.
Suricata meets nearly all the features on the requested list. As an open source solution, it is a well-maintained protection engine, and current staff will deploy it. It is to be deployed on a new virtual server, using the documentation provided on the Suricata website, with support on hand. Training was available from the Suricata staff through conferences as well as on-site training upon request; this will be considered later if it is determined to be a necessity.
Suricata's hardware requirements match the current virtualization setup. Two 1GB/s LAN connections will provide for an inline deployment method. A dual-CPU setup was also required to assist in traffic analysis. 2GB of RAM was the starting point in the virtualization, with the option of upgrading to 8GB in the future as the company grew. Hard drive space requirements were small; therefore 20GB of hard drive space would suffice. These requirements match the current VMware deployment, and no other hardware was to be added to the current systems.
The Suricata PPA bundle had the necessary packages and library dependencies included with the installation for full functionality. This would shorten deployment time and ease the complexity of mismatched library versions. Ease of deployment was the primary goal, as a junior information security engineer was to be the primary person assigned.
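The following suricata.yaml fragment is an added example, not configuration from the Business X write-up or from the Suricata project, showing how the requirements above map onto a Suricata deployment: the two LAN connections bridged as an inline AF_PACKET IPS pair, the requested application protocols (HTTP, TLS, SMB, SMTP, FTP, DNS) enabled in the app-layer parser, and EVE JSON logging for the NSM role. The interface names eth0/eth1 and the log directory are assumed placeholders.

```yaml
%YAML 1.1
---
# Added example (not from the original write-up). Interface names and the
# log directory are assumed placeholders for this deployment.

default-log-dir: /var/log/suricata/

outputs:
  # EVE JSON log: alerts plus per-protocol transaction records, which is
  # what gives the deployment its Network Security Monitoring capability.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - smtp
        - smb
        - ftp
        - flow

af-packet:
  # Inline IPS: frames received on eth0 are inspected and forwarded to eth1,
  # and vice versa. copy-mode: ips makes "drop" rules actually block traffic;
  # without it (or with copy-mode: tap) the same rules only alert.
  - interface: eth0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth1
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth0
    use-mmap: yes

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    http:
      enabled: yes
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    smtp:
      enabled: yes
    ftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
```

On an Ubuntu host the PPA install described above is `sudo add-apt-repository ppa:oisf/suricata-stable`, `sudo apt-get update`, `sudo apt-get install suricata`; the inline engine is started with `suricata -c /etc/suricata/suricata.yaml --af-packet`, and the offline PCAP analysis requirement is met by the same configuration with `suricata -c /etc/suricata/suricata.yaml -r capture.pcap`, which ignores the AF_PACKET section and writes the same eve.json. Two checks a practitioner would want before trusting the IPS mode: confirm that packets still pass between the two interfaces when Suricata is stopped (an inline sensor is otherwise a single point of failure for the segment), and confirm that a test "drop" rule produces an alert record with `"action":"blocked"` in eve.json rather than `"allowed"`, which is the symptom of the copy-mode having been left at its tap default.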
The implementation of Suricata on Business X's computer network was done with no major issues. The issues that were present were minor and easily correctable. Several dependencies for the program itself needed to be corrected, as the guide on the developers' website had not been maintained. Additional time had to be allocated for the development of the test network, as unplanned operating system updates arose. Further delays occurred with the IT staff's technical documentation due to family emergencies, but these were not significant, as the Chief Information Officer signed off on the project quickly, resulting in the Suricata deployment being well ahead of schedule.