CYB-220 · Network Security
Network Protection Technologies Evaluation
This project evaluates network protection technologies for a financial institution with segmented networks and limited IT staffing. Using the Defense in Depth principle as a framework, it recommends a layered intrusion prevention strategy that balances security efficacy, operational cost, and implementation complexity.
Scenario
The organization operates four network segments — sales, acquisitions, HR, and IT — and faces ongoing unauthorized access attempts alongside network performance degradation. The IT team recently expanded with two new hires, and the organization has a stated preference for open-source tooling to manage costs.
Framework
The recommendation is grounded in Defense in Depth: the principle that no single control should be the last line of defense. Layered protections ensure that a failure at one level does not expose the entire network. Applied here, this means combining network-level visibility with endpoint-level control.
Recommended solution
Network-Based Intrusion Prevention (NIPS) — Snort
NIPS deployed at segment gateways monitors inter-VLAN traffic in real time, detecting and blocking unauthorized access attempts before they propagate. Snort — a widely adopted open-source NIPS — provides signature-based and anomaly detection with low licensing cost and strong community support. It is well-suited to heterogeneous environments like this one, where traffic patterns vary significantly across departments.
Host-Based Intrusion Prevention (HIPS) — OSSEC
HIPS software runs on individual endpoints, providing granular visibility into host-level activity. OSSEC handles log analysis, file integrity monitoring, and rootkit detection. Critically, HIPS observes activity on the host after encrypted traffic has been decrypted, which NIPS cannot evaluate at the network layer — a meaningful gap filler in environments handling sensitive HR or financial data.
Technology comparison
| Attribute | NIPS (Snort) | HIPS (OSSEC) |
|---|---|---|
| Deployment point | Network gateways | Individual endpoints |
| Encrypted traffic | Limited visibility | Full inspection |
| Coverage scope | All segment traffic | Per-host activity |
| Cost | Open-source | Open-source |
| Staff skill required | Moderate (rule tuning) | Low–moderate |
| False positive risk | Medium (needs tuning) | Low with proper config |
Implementation plan
Hardware and deployment
- Deploy Snort appliances at critical network gateways between the four segments
- Install OSSEC agents on high-priority endpoints in HR and IT first, then expand
- No significant hardware upgrades required — both tools integrate with existing infrastructure
Staffing
- Senior IT staff lead NIPS configuration and rule management
- Junior hires assist with HIPS agent deployment on endpoints, building hands-on familiarity
- Both roles participate in initial training to establish baseline response procedures
Policies and procedures
- Scheduled rule and signature updates to reduce false positives over time
- Access control policy defining user permissions per segment, especially HR and acquisitions
- Incident response runbook covering alert triage, escalation, and documentation
Risk considerations
| Risk | Mitigation |
|---|---|
| Attackers using encrypted channels to evade NIPS | HIPS inspection fills this gap at the endpoint layer |
| Alert fatigue from excessive false positives | Scheduled tuning cycles and baseline profiling after deployment |
| New IT staff overwhelmed during initial rollout | Phased deployment prioritizing highest-risk segments first |
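As an added illustration of the alert-triage and tuning cycle described in the plan above (example code written for this page, not part of the project, Snort, or OSSEC), the script below parses Snort alert_fast lines, maps source and destination addresses to the four segments, and flags signatures that only fire inside a single segment as the first candidates for false-positive review. The segment subnets and the alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing for the four segments (constructed for this example, not from the project).
SEGMENTS = {
    "sales": ipaddress.ip_network("10.0.1.0/24"),
    "acquisitions": ipaddress.ip_network("10.0.2.0/24"),
    "hr": ipaddress.ip_network("10.0.3.0/24"),
    "it": ipaddress.ip_network("10.0.4.0/24"),
}

# Snort 2 alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def segment_of(ip):
    """Name of the segment an address belongs to, or 'external' if it matches none."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")

def parse_alert(line):
    """Return sid, message, priority and the source/destination segments, or None if unparseable."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "src_seg": segment_of(m["src"]), "dst_seg": segment_of(m["dst"])}

def triage(lines):
    """Per signature: how often it fired across a segment boundary versus inside one segment."""
    counts = defaultdict(lambda: {"cross": 0, "intra": 0})
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            counts[a["sid"]]["cross" if a["src_seg"] != a["dst_seg"] else "intra"] += 1
    return dict(counts)

def tuning_candidates(lines, threshold=3):
    """Signatures that fire at volume but never cross a segment are reviewed first for false positives."""
    return sorted(sid for sid, c in triage(lines).items() if c["cross"] == 0 and c["intra"] >= threshold)

SAMPLE_ALERTS = [  # constructed alert_fast lines, not real traffic
    "01/15-09:00:01.000000  [**] [1:1000001:1] Inter-segment SSH attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.1.25:51234 -> 10.0.4.10:22",
    "01/15-09:00:07.000000  [**] [1:1000001:1] Inter-segment SSH attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.1.25:51235 -> 10.0.4.10:22",
    "01/15-09:01:12.000000  [**] [1:1000002:1] SMB session setup [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.3.8:49152 -> 10.0.3.5:445",
    "01/15-09:01:15.000000  [**] [1:1000002:1] SMB session setup [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.3.9:49153 -> 10.0.3.5:445",
    "01/15-09:01:20.000000  [**] [1:1000002:1] SMB session setup [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.3.12:49154 -> 10.0.3.5:445",
    "01/15-09:02:00.000000  [**] [1:1000003:1] Inbound RDP from untrusted network [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4444 -> 10.0.2.20:3389",
]
```

Running `tuning_candidates(SAMPLE_ALERTS)` on the constructed lines returns only the SMB signature, since its three hits all stay inside the HR segment, while the cross-segment SSH and inbound RDP alerts are kept for the escalation path in the runbook.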