The Tao of Network Security Monitoring




The Tao of Network Security Monitoring: Beyond Intrusion Detection
Richard Bejtlich
Addison-Wesley: Boston, San Francisco, New York, Toronto, Montreal, London, Munich, Paris, Madrid, Cape Town, Sydney, Tokyo, Singapore, Mexico City

Contents

Foreword xvii
Preface xix
About the Author xxxi
About the Contributors xxxiii

PART I  INTRODUCTION TO NETWORK SECURITY MONITORING 1

Chapter 1  The Security Process 3
    What Is Security? 4
    What Is Risk? 6
        Threat 6
        Vulnerability 8
        Asset Value 9
        A Case Study on Risk 9
    Security Principles: Characteristics of the Intruder 12
        Some Intruders Are Smarter Than You 12
        Many Intruders Are Unpredictable 12
        Prevention Eventually Fails 13
    Security Principles: Phases of Compromise 14
        Reconnaissance 15
        Exploitation 16
        Reinforcement 17
        Consolidation 18
        Pillage 18
    Security Principles: Defensible Networks 20
        Defensible Networks Can Be Watched 20
        Defensible Networks Limit an Intruder's Freedom to Maneuver 21
        Defensible Networks Offer a Minimum Number of Services 23
        Defensible Networks Can Be Kept Current 23

Chapter 2  What Is Network Security Monitoring? 25
    Indications and Warnings 25
    Collection, Analysis, and Escalation 28
    Detecting and Responding to Intrusions 29
    Why Do IDS Deployments Often Fail? 30
    Outsiders versus Insiders: What Is NSM's Focus? 31
    Security Principles: Detection 34
        Intruders Who Can Communicate with Victims Can Be Detected 35
        Detection through Sampling Is Better Than No Detection 35
        Detection through Traffic Analysis Is Better Than No Detection 36
    Security Principles: Limitations 37
        Collecting Everything Is Ideal but Problematic 37
        Real Time Isn't Always the Best Time 38
        Extra Work Has a Cost 39
    What NSM Is Not 40
        NSM Is Not Device Management 40
        NSM Is Not Security Event Management 40
        NSM Is Not Network-Based Forensics 41
        NSM Is Not Intrusion Prevention 41
    NSM in Action 42

Chapter 3  Deployment Considerations 45
    Threat Models and Monitoring Zones 45
        The Perimeter 48
        The Demilitarized Zone 49
        The Wireless Zone 50
        The Intranet 50
    Accessing Traffic in Each Zone 51
        Hubs 52
        SPAN Ports 56
        Taps 63
        Inline Devices 76
    Wireless Monitoring 85
    Sensor Architecture 93
        Hardware 94
        Operating System 96
    Sensor Management 98
        Console Access 99
        In-Band Remote Access 100
        Out-of-Band Remote Access 101

PART II  NETWORK SECURITY MONITORING PRODUCTS 103

Chapter 4  The Reference Intrusion Model 105
    The Scenario 105
    The Attack 106

Chapter 5  Full Content Data 119
    A Note on Software 120
    Libpcap 121
    Tcpdump 122
        Basic Usage of Tcpdump 124
        Using Tcpdump to Store Full Content Data 125
        Using Tcpdump to Read Stored Full Content Data 126
        Timestamps in Stored Full Content Data 132
        Increased Detail in Tcpdump Full Content Data 134
        Tcpdump and Berkeley Packet Filters 135
    Tethereal 140
        Basic Usage of Tethereal 140
        Using Tethereal to Store Full Content Data 141
        Using Tethereal to Read Stored Full Content Data 144
        Getting More Information from Tethereal 146
    Snort as Packet Logger 149
        Basic Usage of Snort as Packet Logger 149
        Using Snort to Store Full Content Data 152
        Using Snort to Read Stored Full Content Data 153
    Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort 154
    Ethereal 162
        Basic Usage of Ethereal 162
        Using Ethereal to Read Stored Full Content Data 164
        Using Ethereal to Rebuild Sessions 167
        Other Ethereal Features 169
    A Note on Commercial Full Content Collection Options 171

Chapter 6  Additional Data Analysis 173
    Editcap and Mergecap 173
    Tcpslice 174
    Tcpreplay 179
    Tcpflow 182
    Ngrep 185
    IPsumdump 189
    Etherape 191
    Netdude 193
        Using Netdude 193
        What Do Raw Trace Files Look Like? 196
    P0f 205

Chapter 7  Session Data 211
    Forms of Session Data 212
    Cisco's NetFlow 214
        Fprobe 220
        Ng_netflow 222
        Flow-tools 224
        Flow-capture 225
        Flow-cat and Flow-print 229
    sFlow and sFlow Toolkit 232
    Argus 234
        Argus Server 236
        Ra Client 238
    Tcptrace 242

Chapter 8  Statistical Data 247
    What Is Statistical Data? 248
    Cisco Accounting 249
    Ipcad 255
    Ifstat 257
    Bmon 258
    Trafshow 260
    Ttt 264
    Tcpdstat 266
    MRTG 271
    Ntop 278

Chapter 9  Alert Data: Bro and Prelude 285
    Bro 286
        Installing Bro and BRA 287
        Interpreting Bro Output Files 292
        Bro Capabilities and Limitations 297
    Prelude 298
        Installing Prelude 299
        Interpreting Prelude Output Files 307
        Installing PIWI 309
        Using PIWI to View Prelude Events 311
        Prelude Capabilities and Limitations 313

Chapter 10  Alert Data: NSM Using Sguil 317
    Why Sguil? 318
    So What Is Sguil? 319
    The Basic Sguil Interface 321
    Sguil's Answer to "Now What?" 323
    Making Decisions with Sguil 329
    Sguil versus the Reference Intrusion Model 331
        SHELLCODE x86 NOOP and Related Alerts 332
        FTP SITE Overflow Attempt Alerts 339
        SCAN nmap TCP Alerts 340
        MISC MS Terminal Server Request Alerts 342

PART III  NETWORK SECURITY MONITORING PROCESSES 345

Chapter 11  Best Practices 347
    Assessment 347
        Defined Security Policy 348
    Protection 349
        Access Control 350
        Traffic Scrubbing 351
        Proxies 351
    Detection 354
        Collection 355
        Identification 360
        Validation 371
        Escalation 377
    Response 380
        Short-Term Incident Containment 381
        Emergency Network Security Monitoring 381
    Back to Assessment 383
        Analyst Feedback 383

Chapter 12  Case Studies for Managers 385
    Introduction to Hawke Helicopter Supplies 385
    Case Study 1: Emergency Network Security Monitoring 386
        Detection of Odd Orders 386
        System Administrators Respond 388
        Picking Up the Bat Phone 389
        Conducting Incident Response 389
        Incident Response Results 390
    Case Study 2: Evaluating Managed Security Monitoring Providers 393
        HHS Requirements for NSM 394
        HHS Vendor Questionnaire 394
        Asset Prioritization 396
    Case Study 3: Deploying an In-House NSM Solution 396
        Partner and Sales Offices 398
        HHS Demilitarized Zone 398
        Wireless Network 398
        Internal Network 399
        "But Who Shall Watch the Watchers?" 399
        Other Staffing Issues 401

PART IV  NETWORK SECURITY MONITORING PEOPLE 403

Chapter 13  Analyst Training Program 405
    Weapons and Tactics 410
        Definition 410
        Tasks 410
        References 412
    Telecommunications 414
        Definition 414
        Tasks 414
        References 415
    System Administration 415
        Definition 415
        Tasks 416
        References 416
    Scripting and Programming 418
        Definition 418
        Tasks 419
        References 419
    Management and Policy 421
        Definition 421
        Tasks 421
        References 421
    Training in Action 422
    Periodicals and Web Sites 426
    Case Study: Staying Current with Tools 427

Chapter 14  Discovering DNS 433
    Normal Port 53 Traffic 434
        Normal Port 53 UDP Traffic 434
        Normal Port 53 TCP Traffic 442
    Suspicious Port 53 Traffic 448
        Suspicious Port 53 UDP Traffic 448
        Suspicious Port 53 TCP Traffic 455
    Malicious Port 53 Traffic 459
        Malicious Port 53 UDP Traffic 459
        Malicious Port 53 TCP and UDP Traffic 466

Chapter 15  Harnessing the Power of Session Data 473
    The Session Scenario 474
    Session Data from the Wireless Segment 475
    Session Data from the DMZ Segment 476
    Session Data from the VLANs 479
    Session Data from the External Segment 488

Chapter 16  Packet Monkey Heaven 491
    Truncated TCP Options 491
    SCAN FIN 498
    Chained Covert Channels 505

PART V  THE INTRUDER VERSUS NETWORK SECURITY MONITORING 519

Chapter 17  Tools for Attacking Network Security Monitoring 521
    Packit 521
    IP Sorcery 530
    Fragroute 534
    LFT 548
    Xprobe2 558
    Cisco IOS Denial of Service 567
    Solaris Sadmin Exploitation Attempt 570
    Microsoft RPC Exploitation 575

Chapter 18  Tactics for Attacking Network Security Monitoring 583
    Promote Anonymity 584
        Attack from a Stepping-Stone 584
        Attack by Using a Spoofed Source Address 589
        Attack from a Netblock You Don't Own 597
        Attack from a Trusted Host 599
        Attack from a Familiar Netblock 600
        Attack the Client, Not the Server 601
        Use Public Intermediaries 602
    Evade Detection 603
        Time Attacks Properly 604
        Distribute Attacks Throughout Internet Space 607
        Employ Encryption 618
        Appear Normal 634
    Degrade or Deny Collection 639
        Deploy Decoys 639
        Consider Volume Attacks 641
        Attack the Sensor 643
        Separate Analysts from Their Consoles 647
    Self-inflicted Problems in NSM 647

Epilogue  The Future of Network Security Monitoring 651
    Remote Packet Capture and Centralized Analysis 652
    Integration of Vulnerability Assessment Products 653
    Anomaly Detection 654
    NSM Beyond the Gateway 656

PART VI  APPENDIXES 661

Appendix A  Protocol Header Reference 663
Appendix B  Intellectual History of Network Security Monitoring 685
Appendix C  Protocol Anomaly Detection 757

Index 765