ANATOMY OF A CODE RED II ATTACK

Size: px
Start display at page:

Download "ANATOMY OF A CODE RED II ATTACK"

Transcription

1 ANATOMY OF A CODE RED II ATTACK IMPROVING FIREWALL SECURITY USING PATROL FOR CHECK POINT FIREWALL-1 BILL KENNON, SENIOR SOFTWARE CONSULTANT BMC SOFTWARE, INC 1

2 The Surprise Attack As the NT Systems Administrator for the XYZ Widget Corporation, you ve had a typically busy week. In between the numerous phone calls, staff/status/planning meetings, assisting the DBA staff with a database upgrades, testing changes to the DNS server, installing additional user account licenses for a Sales support application, and assisting the Network Administrator with remote dialup access to the Web site, you re still tuning the new Web-based Commerce application and server environment to handle a steady rise in widget sales. You noticed that the primary IIS Web Server is operating a little slower than usual today. However, since the new Commerce site went live, Web Server transaction volume normally peaks in the early afternoon and slower CPU and memory performance isn t unusual during this time period. You make a mental note to take a closer look after lunch, just to be sure. It s 2:50 PM and you ve finally taken a moment to eat your lunch when your phone rings again. Only this time it s the Vice President of Sales wanting to know why the new Commerce site suddenly can t be accessed for the customer demonstration that is going to take place in exactly 10 minutes! You have to put her on hold to check your beeper it s the Chief Security Officer and no sooner do you promise the Vice President that you ll get right on it than who should appear at your door but your boss wanting to know What s wrong with the Web site?. Together, you conference in the Chief Security Officer only to find that the Firewall Administrator is reporting a significant spike in log entries affecting memory and CPU consumption on the firewall node protecting the primary IIS Server. Within the past 15 minutes, the Network Administrator detected router problems including a large number of ARPs/ARP storms in the network, excessive ARP Input memory use, and high CPU utilization. An urgent call from Operations confirms that the primary IIS server is rapidly grinding to a halt, and two other IIS servers are quickly reaching critical CPU and memory saturation levels. It appears that somehow a virus is resident within your secure perimeter and your new Commerce system is under hostile attack. How could this be? XYZ Widget Corporation takes security very seriously. The latest firewall and virus detection technologies are deployed and regularly maintained. You know that attacks can t be prevented, but XYZ Widget Corporation has been able to fend off previous intrusion attempts (from script kiddies as they re known within the industry) with little to no negative impact. Is it possible that this attack may have been carried out by a professional, known within the industry as a blackhat? More importantly, how do detect and stop this attack? It s at that moment that you recall this morning s warning about a brand new Denial of Server (DoS) attack called Code Red II. In fact, your To-Do list includes a new entry to search for patches from Microsoft. A quick scan of the Code Red II warning gives you several options to prevent the attack, such as blocking all traffic to port 80, the well known WWW port, but it will take precious time to locate the infected device(s), build the access-list to deny IP packet access to port 80, and apply it inbound on the interface 1

3 facing the infection source. Every minute that it takes to identify and respond means another minute of downtime, unhappy customers, distressed Vice Presidents, and lost business. Regardless of your reaction time and the resultant level of impact to XYZ s bottom line, this is an event you won t soon forget. This time the attacker wins, and you ll resign yourself to learning a painful, timeconsuming, expensive lesson. But you resolve that next time you ll be ready. You realize that budget constraints and the pressure to bring critical systems back online as quickly as possible will make it tough to diagnose hacker attacks. But if you could only understand how this attack occurred and, even better, if you could track the violator s actions as they happened, you could develop the forensics to prevent this scenario in the future 2

4 PATROL Detecting Code Red II Code Red II represents one of the latest in a series of increasingly devious and malicious threats to systems and networks worldwide. Simply perform an Internet search for Code Red II or Nimda to view a list of various organizations that were affected by these two recent attacks despite significant investments in firewall and related security protection. In today s climate of rapid technical evolution, constant environment changes, and malicious hackers, Code Red II, Nimda, and similar threats are successful despite the most stringent measures. These measures include enterprise Security Policies, the latest firewall technology, and strictest adherence to test, upgrade, and maintenance procedures. Although attacks cannot be prevented, technology is available that provides the detection, notification, and recovery capabilities not only to reduce Code Red II (and similar) threats but to also gather knowledge about the attack that can be used to frustrate and/or trap attackers in the future. PATROL for Check Point FireWall-1 from BMC Software, Inc., provides comprehensive firewall health management, detection and notification of unusual activity and problems, as well as the ability to automatically recover from detected impacts. BMC recently released PATROL for Check Point FireWall-1 v1.3 containing enhanced Denial of Service (DoS) capabilities to notify administrators of early DoS symptoms and help administrators prevent these attacks from causing network and system problems. The following is a real-life example of BMC Software, Inc. s PATROL performance in a network environment that was threatened by Code Red II. The Setting On Friday, August 3, 2001, one or more computers inserts the Code Red II virus into the internal network of a large corporation. Kennon2.xyz.com is the NT server where the Check Point FireWall-1 v4.1 management module and PATROL for Check Point FireWall-1 v1.3 are installed. This server is a 300mhz Pentium II processor with 128mb of memory and 16gb IDE hard drive, and runs NT 4.0 service pack 6. It is triple homed, with defined as the external / real IP address and defined as an internal / NAT address range (SCDEMO and 2815A domains) is the second internal / NAT address range and is largely idle. What is unique about this firewall is that it performs as a honeypot, positioned inside the network to look at the corporate network as the outside or untrusted Internet zone. The remainder of this paper presents the attack in total as witnessed and documented by PATROL. There are numerous points during the attack where unusual activity is detected, normally leading to immediate preventive action. However, the attack was allowed to complete its activities for the purpose of documenting the entire procedure. The SCDEMO domain comprises a test lab of roughly 20 servers including Web servers that is used for testing and education. It is typically never accessed by any outside/external contacts and is not published as an available resource. Normally, the 3

5 SCDEMO Web servers are very lightly loaded except for programmed tests, which were not taking place during the attack. The Attack Begins Based on traffic analysis, at approximately 2:30PM, the virus initiates port scans and intrusion attempts on specific networked machines. Normally kennon2.bmc.com runs at about 10% CPU utilization, 70mb memory free, and about 200 log entries (Firewall events) per minute. Refer to Chart 1 below. During normal activity the log entries appear rhythmic, with predictable peaks and valleys reflecting business activity levels and traffic patterns on the network. Most networks display a similar rhythmic activity cycle, making it possible to extrapolate the baselines needed to understand variances from normal behavior. Chart 1: Normal Activity, average of 200 log entries per minute 4

6 On Saturday morning August 4, the log entries spike to over 200,000 per minute in about 20 minutes. This indicator alone is enough to warn an administrator of attack. In addition, for the next several days kennon2.xyz.com continues to report unusually high levels of log activities, occasional spikes in port scan attacks, and abnormally high levels of accepted and dropped packets to port 80. Chart 2: Anomalous Log Entry Behavior begins Saturday morning 5

7 Chart 3. The firewall anomaly tracks with Port 80 activity Web Servers are Probed While there are web servers in the SCDEMO domain, there is no reason for Port 80 traffic to be going to those servers from the other side of the firewall (the XYZ corporate network). Clients accessing the Web servers in the SCDEMO domain normally originate within that domain, so no URLs in the domain are explicitly published for external use. During the attack, port 80 inbound activities increases from 0 to about 50 packets dropped (Refer to Chart 3). There are no firewall policy rules stating that port 80 traffic should be dropped except for traffic directed at the firewall itself. The firewall explicitly drops all traffic defined to its own IP address ( ) except for that originating from certain management workstations, so the excessive amount of traffic directed at port 80 is highly suspect. During the same period the firewall shows several thousand port 80 packets accepted per discovery cycle. So, while it appears that the high volume of port 80 traffic directed at the firewall represents attempts to breach the firewall host itself, the accepted port 80 6

8 traffic indicates the same sort of scanning against the hosts inside the firewall. In Charts 5 and 6, we see the accepted port 80 packets correlating well with the log entries, and showing an activity level well above average. Again, port 80 packets are generally near zero for this network, so settings for each network should be baselined in order to detect what type of activity would be considered abnormal. Chart 4: These are port 80 packets accepted 7

9 Chart 5: Chart of port 80 inbound (accepted) and log entries show perfect correlation Chart 5 shows both the port 80 inbound (accepted) and log entries. The correlation in the time line is perfect and indicates that port 80 was the targeted port in this particular case. Note that log entries indicate an increase of 400% to 500% of actual port 80 traffic during peak periods probably machines scanning for servers to attack. After the ferocious period of scanning, the log entries and port 80 traffic merge (Refer to Chart 6). 8

10 Chart 6: Activity during worm activity merge of log entries and port 80 inbound Chart 6 shows a time slice from a period of less activity. It is possible to see the sawtooth pattern of the port activity and log activity which at this time is a perfect 1 to 1 correlation. Apparently scans have all but ceased and now infected machines are trying to insert the worm into other servers. Attempts to infect three patched machines behind the firewall fail but apparently continue for some time. This is one persistent worm. Finding the Culprits Interestingly, when the first attack hit on Saturday morning, only a few directed port scans were recorded by the firewall as such. As Chart 7 indicates, the attacks occurred in singular fashion, and were destined to specific ports inside the firewall. However, any port scan by a machine on the inside should be considered cause for alarm. Several scans are by the same machine an absolute cause for alarm. 9

11 Chart 7: DoS attacks for timeline (Port Scan) The annotated datapoints in Chart 8 show how PATROL traps and displays specific IP addresses that originate the port scan. If XYZ Corporation had installed PATROL on the firewall management machine, PATROL would have detected this activity, alerted on it, and issued a recovery action, such as turning off a segment on a switch that owned the attacking machine. This action alone could have thwarted or at least delayed the attack. 10

12 Chart 8 Chart 9 To maximize the forensic capability of PATROL, it is important to be able to analyze history of at least 4 days, so that an attack over a period of time (a weekend) can be dissected. With the use of annotation and an effective notification system, such as PATROL Event Manager, operations support staff can receive immediate detailed notification of anomalous activity during off hours. Chart 9 shows the first machine that committed a port scan, in this case a spoof attack where a machine in the external (172.x.x.x) network uses an internal ( ) IP address to call itself. 11

13 Chart 10: Infected machine inside SCDEMO network Chart 10 shows an infected machine behind the firewall. PATROL detection demonstrates that a machine inside the network is attempting an outbound scan. Again, this represents a point where a recovery action could shut down the attack. This is obviously an infected machine. Summary As noted previously, there is no method to prevent attacks like Code Red II. However, had the XYZ security management personnel deployed PATROL in a honeypot implementation as described in this paper, this attack could have been detected and stopped before it could run its course. When the DoS attack started, the honeypot would attract packets sent at the abnormally high level. PATROL would have satisfied critical security management requirements quickly notify and identify the attacking source, and immediately identify the location of the attack. By setting alarm thresholds to trigger notification, and utilizing annotation to trap source/location information, PATROL would have provided rapid assistance to determine the addresses and networks of the attackers. With this information in hand, administrators could isolate the internal machine/s that are sending packets, or, if they are coming from the Internet, to program the router to drop those packets from the networks where the attacks were originating. 12

Network Management and Monitoring Software

Network Management and Monitoring Software Page 1 of 7 Network Management and Monitoring Software Many products on the market today provide analytical information to those who are responsible for the management of networked systems or what the

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

THE VALUE OF NETWORK MONITORING

THE VALUE OF NETWORK MONITORING THE VALUE OF NETWORK MONITORING Why It s Essential to Know Your Network Sponsored by Ipswitch I. Introduction All companies are different, but the value of their network to their business varies little.

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Network Security: A New Perspective. NIKSUN Inc.

Network Security: A New Perspective. NIKSUN Inc. Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com

More information

Using Application Response to Monitor Microsoft Outlook

Using Application Response to Monitor Microsoft Outlook Focus on Value Using Application Response to Monitor Microsoft Outlook Microsoft Outlook is one of the primary e-mail applications used today. If your business depends on reliable and prompt e-mail service,

More information

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20

More information

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 What is Trend Micro OfficeScan? Trend Micro OfficeScan Corporate Edition protects campus networks from viruses, Trojans, worms, Web-based

More information

5 Steps to Avoid Network Alert Overload

5 Steps to Avoid Network Alert Overload 5 Steps to Avoid Network Alert Overload By Avril Salter 1. 8 0 0. 8 1 3. 6 4 1 5 w w w. s c r i p t l o g i c. c o m / s m b I T 2011 ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Monitoring Microsoft Exchange to Improve Performance and Availability

Monitoring Microsoft Exchange to Improve Performance and Availability Focus on Value Monitoring Microsoft Exchange to Improve Performance and Availability With increasing growth in email traffic, the number and size of attachments, spam, and other factors, organizations

More information

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team The Internet is in the midst of a global network pandemic. Millions of computers

More information

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Fifty Critical Alerts for Monitoring Windows Servers Best practices Fifty Critical Alerts for Monitoring Windows Servers Best practices The importance of consolidation, correlation, and detection Enterprise Security Series White Paper 6990 Columbia Gateway Drive, Suite

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Signal Customized Helpdesk Course

Signal Customized Helpdesk Course Signal Customized Helpdesk Course This course is a combination of modules taken from two Microsoft Courses: 50311A and 50331A. It is geared toward staff who handle helpdesk calls and troubleshoot end user

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

1. Thwart attacks on your network.

1. Thwart attacks on your network. An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems

More information

E-Guide. Sponsored By:

E-Guide. Sponsored By: E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

pc resource monitoring and performance advisor

pc resource monitoring and performance advisor pc resource monitoring and performance advisor application note www.hp.com/go/desktops Overview HP Toptools is a modular web-based device management tool that provides dynamic information about HP hardware

More information

technical brief Optimizing Performance in HP Web Jetadmin Web Jetadmin Overview Performance HP Web Jetadmin CPU Utilization utilization.

technical brief Optimizing Performance in HP Web Jetadmin Web Jetadmin Overview Performance HP Web Jetadmin CPU Utilization utilization. technical brief in HP Overview HP is a Web-based software application designed to install, configure, manage and troubleshoot network-connected devices. It includes a Web service, which allows multiple

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Endpoint Security Console. Version 3.0 User Guide

Endpoint Security Console. Version 3.0 User Guide Version 3.0 Table of Contents Summary... 2 System Requirements... 3 Installation... 4 Configuring Endpoint Security Console as a Networked Service...5 Adding Computers, Groups, and Users...7 Using Endpoint

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components Network Admission Control (NAC)

More information

Stephen Coty Director, Threat Research

Stephen Coty Director, Threat Research Emerging threats facing Cloud Computing Stephen Coty Director, Threat Research Cloud Environments 101 Cloud Adoption is Gaining Momentum Cloud market revenue will increase at a 36% annual rate Analyst

More information

Lab 5.2.5 Configure IOS Firewall IDS

Lab 5.2.5 Configure IOS Firewall IDS Lab 5.2.5 Configure IOS Firewall IDS Objective Scenario Topology: Estimated Time: 15 minutes Number of Team Members: Two teams with four students per team. In this lab, the student will learn how to perform

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

1. Firewall Configuration

1. Firewall Configuration 1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

More information

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Cover Datasheet Datasheet (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Colasoft Capsa Enterprise enables you to: Identify the root cause of performance issues; Provide 24/7

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013 Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013 Outline Genesis - why we built it, where and when did the idea begin Issues

More information

Monitoring Web Applications with Application Response

Monitoring Web Applications with Application Response Monitoring Web Applications with Application Response For time-critical Web-based applications, even a short-term performance problem can cause lost revenue when customers cannot place orders or they become

More information

10 Configuring Packet Filtering and Routing Rules

10 Configuring Packet Filtering and Routing Rules Blind Folio 10:1 10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform

More information

TNT SOFTWARE White Paper Series

TNT SOFTWARE White Paper Series TNT SOFTWARE White Paper Series Event Log Monitor White Paper: Architecture T N T Software www.tntsoftware.com TNT SOFTWARE Event Log Monitor Architecture 2000 TNT Software All Rights Reserved 1308 NE

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management This guide will show you how a properly implemented and managed SIEM solution can solve

More information

State of Vermont. Intrusion Detection and Prevention Policy. Date: 11-02-10 Approved by: Tom Pelham Policy Number:

State of Vermont. Intrusion Detection and Prevention Policy. Date: 11-02-10 Approved by: Tom Pelham Policy Number: State of Vermont Intrusion Detection and Prevention Policy Date: 11-02-10 Approved by: Tom Pelham Policy Number: 1 Table of Contents 1.0 Introduction... 3 1.1 Authority... 3 1.2 Purpose... 3 1.3 Scope...

More information

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science A Seminar report On Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

The Evolution of Information Security at Wayne State University

The Evolution of Information Security at Wayne State University The Evolution of Information Security at Wayne State University Nathan W. Labadie ab0781@wayne.edu Sr. Systems Security Specialist Wayne State University A Bit of Background Covers mid-2000 to present.

More information

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000 Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000 Building a solid rulebase is a critical, if not the most critical, step in implementing a successful and secure firewall.

More information

FIREWALL CLEANUP WHITE PAPER

FIREWALL CLEANUP WHITE PAPER FIREWALL CLEANUP WHITE PAPER Firewall Cleanup Recommendations Considerations for Improved Firewall Efficiency, Better Security, and Reduced Policy Complexity Table of Contents Executive Summary... 3 The

More information

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE. (Updated April 14, 2008)

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE. (Updated April 14, 2008) KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE (Updated April 14, 2008) WHO IS KERIO? Kerio Technologies provides Internet messaging and firewall software solutions for small to medium

More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response Date 06/10/10 Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response 1.0 PURPOSE Implementing Procedure APPROVED: (Signature on File) EMCBC Director ISSUED

More information

PATROL From a Database Administrator s Perspective

PATROL From a Database Administrator s Perspective PATROL From a Database Administrator s Perspective September 28, 2001 Author: Cindy Bean Senior Software Consultant BMC Software, Inc. 3/4/02 2 Table of Contents Introduction 5 Database Administrator Tasks

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D. Running head: UNIT 3 RESEARCH PROJECT 1 Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/07/2014 UNIT 3 RESEARCH PROJECT 2

More information

Important Facts. Small & Medium size businesses report an average of 50 hours lost productivity per employee per year due to IT related problems.

Important Facts. Small & Medium size businesses report an average of 50 hours lost productivity per employee per year due to IT related problems. Your information systems are at the heart of your businesses daily operation. System down time costs businesses a significant amount of money each year. Most problems that cause down time can be prevented

More information

Observer Analyzer Provides In-Depth Management

Observer Analyzer Provides In-Depth Management Comprehensive Wireless Network Management Made Simple From deploying access points to baselining activity to enforcing corporate security policies, the Observer Performance Management Platform is a complete,

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Firewalls & Intrusion Detection

Firewalls & Intrusion Detection Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Zoo Atlanta installs an IBM Proventia Network Multi-Function Security system to guard against Internet threats and spam.

Zoo Atlanta installs an IBM Proventia Network Multi-Function Security system to guard against Internet threats and spam. IBM Global Technology Services Zoo Atlanta installs an IBM Proventia Network Multi-Function Security system to guard against Internet threats and spam. Making information security a priority Zoo Atlanta,

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

Network Security Forensics

Network Security Forensics Network Security Forensics As hacking and security threats grow in complexity and organizations face stringent requirements to document access to private data on the network, organizations require a new

More information

Windows 7, Enterprise Desktop Support Technician

Windows 7, Enterprise Desktop Support Technician Course 50331D: Windows 7, Enterprise Desktop Support Technician Page 1 of 11 Windows 7, Enterprise Desktop Support Technician Course 50331D: 4 days; Instructor-Led Introduction This four-day instructor-ledcourse

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support m-satut@northwestern.edu

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support m-satut@northwestern.edu Microsoft Software Update Services and Managed Symantec Anti-virus Michael Satut TSS/Crown IT Support m-satut@northwestern.edu Introduction The recent increase in virus and worm activity has created the

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

The methodology. Interne. 1 Introduction

The methodology. Interne. 1 Introduction 1 Introduction The methodology In an ideal world, firewall infrastructures are designed by people with experience, people who have the experience to intuitively know what they are doing. Ideally, these

More information

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01 How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM LISA 10 Speaking Proposal Category: Practice and Experience Reports Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM Proposed by/speaker: Wyman Stocks Information Security

More information

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

More information

Network Service, Systems and Data Communications Monitoring Policy

Network Service, Systems and Data Communications Monitoring Policy Network Service, Systems and Data Communications Monitoring Policy Purpose This Policy defines the environment and circumstances under which Network Service, Systems and Data Communications Monitoring

More information

Using a Firewall General Configuration Guide

Using a Firewall General Configuration Guide Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead

More information

White Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary

White Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary White Paper The Ten Features Your Web Application Monitoring Software Must Have Executive Summary It s hard to find an important business application that doesn t have a web-based version available and

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

Understand Troubleshooting Methodology

Understand Troubleshooting Methodology Understand Troubleshooting Methodology Lesson Overview In this lesson, you will learn about: Troubleshooting procedures Event Viewer Logging Resource Monitor Anticipatory Set If the workstation service

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion

More information

Information Technology Services

Information Technology Services Information Technology Services 2011 Services Guide 77 Accord Park Drive, Suite A10 Norwell, MA 02061 (781) 871-3662 A proactive, preventative approach to IT management. System downtime, viruses, spyware,

More information

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure Introduction The concept of Virtual Networking Infrastructure (VNI) is disrupting the networking space and is enabling

More information