</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=10//-->
<!--PAGES=299-302//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="296-298.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch11/303-307.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Security Dynamics’ KSA and KSM</B></FONT></P>
<P>As part of the rush of IDS vendor acquisitions, Security Dynamics picked up KSA and KSM when it acquired Intrusion Detection, Inc. KSA is a vulnerability assessment tool, and KSM is an NT event log monitor.
</P>
<P>KSA is built upon the consulting theme of <I>Best Practices</I>. A sound security policy states guidelines such as password composition rules, login failure thresholds, password assignment procedures, file access rights, and logging requirements. KSA scans systems for adherence to those guidelines and reports the results well. The six major areas KSA investigates are account restrictions, access control, password strength, system monitoring, data integrity, and data confidentiality. Some of the conditions KSA checks are as follows:</P>
<DL>
<DD><B>•</B> Weak passwords subject to cracking
<DD><B>•</B> Whether registry settings are properly configured
<DD><B>•</B> Which NT services are enabled
<DD><B>•</B> Configuration of the auditing subsystem
<DD><B>•</B> Shared network drive configurations
<DD><B>•</B> Trust relationships
<DD><B>•</B> Known down-level versions of programs
</DL>
<P>KSA supports distributed analysis of target nodes with reporting to a central system. Another feature reads the event log and looks for violations such as failed login attempts, as well as other security-relevant activity such as administrator login events. Interesting events are counted and displayed in graphical bar charts or in printed reports.
</P>
<P>One of the useful additions to KSA is an inverse ACL map. Two views of access control are useful as reports: the resources a given user or group can reach, and the access rights attached to a given resource. Operating systems readily display the second view, an object together with the subjects and their rights on it. Producing the first view by hand is tedious, because it means walking the ACL of every object and picking out the entries that apply to the subject, directly or through group membership. KSA provides a view of ACLs from the <I>subject’s perspective</I>, showing all resources that a subject can access. This feature, long part of RACF on mainframe computers, is not always available on other operating systems.</P>
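<P>The subject-perspective view described above, as an added example that is not KSA code or any product of Security Dynamics: the ACL table, group memberships and principal names are constructed, and rights are modelled as named strings rather than NT access masks. It assumes the ACL is in canonical order, so an explicit deny that matches the subject or one of its groups removes the right no matter what an allow grants.</P>

```python
"""Inverse ACL map: for one principal, list every object it can reach and the
effective rights on it, computed by inverting per-object ACLs.  Added example,
not KSA code; all data below is constructed."""

# Constructed ACL table: object -> ordered ACEs of (kind, trustee, rights).
ACLS = {
    r"C:\Payroll\salaries.xls": [
        ("deny", "Contractors", {"read", "write"}),
        ("allow", "Finance", {"read", "write"}),
        ("allow", "Administrators", {"read", "write", "full"}),
    ],
    r"C:\Public\readme.txt": [
        ("allow", "Everyone", {"read"}),
    ],
    r"HKLM\SOFTWARE\Corp\Secret": [
        ("allow", "Administrators", {"read", "write"}),
        ("allow", "alice", {"read"}),
    ],
    r"\\FS1\Share\build": [
        ("allow", "Contractors", {"read", "write"}),
        ("allow", "Everyone", {"read"}),
    ],
}

# Constructed group membership (group -> members); "Everyone" is implicit.
GROUPS = {
    "Finance": {"alice", "bob"},
    "Contractors": {"carol", "bob"},
    "Administrators": {"dave"},
}


def principals_for(user):
    """All trustees an ACE may name that apply to `user`: the user itself,
    every group it belongs to, and the implicit Everyone."""
    ids = {user, "Everyone"}
    for group, members in GROUPS.items():
        if user in members:
            ids.add(group)
    return ids


def effective_rights(user, aces):
    """Effective rights of `user` on one object.  Assumes a canonical ACL
    (denies ordered before allows), so a matching deny wins over any allow."""
    ids = principals_for(user)
    allowed, denied = set(), set()
    for kind, trustee, rights in aces:
        if trustee not in ids:
            continue
        (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied


def inverse_acl_map(user, acls=ACLS):
    """The subject-perspective report: object -> effective rights, listing
    only objects the subject can actually reach."""
    report = {}
    for obj, aces in acls.items():
        rights = effective_rights(user, aces)
        if rights:
            report[obj] = rights
    return report


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user)
        for obj, rights in sorted(inverse_acl_map(user).items()):
            print(f"  {obj}: {', '.join(sorted(rights))}")
```

<P>Running it shows why the view matters: bob is in Finance and would appear to have the payroll file if you only read the Finance allow entry, but his Contractors membership carries a deny that strips it, and only the subject-side walk makes that visible in one place.</P>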
<P>KSM concentrates on event log analysis and alerts. Like eNTrax, it reads the log at intervals as short as one minute, and the event logs of multiple target nodes can be consolidated on a central console. Because KSM works only from the event log, it cannot detect network-level attacks such as SYN flood or Ping of Death; the evidence for those lies in network packets, which KSM does not examine. Events that KSM monitors include logins, logouts, service starts, auditing configuration changes, and file accesses.</P>
<P>KSM ships with alerting capabilities today but does not currently support countermeasures, such as killing processes; that feature is likely to be supported in the future. Like other NT IDSs, its set of attack signatures is limited to those provided by the vendor, although the capability to add signatures is also planned. A number of predefined reports are provided with KSM, including Most Targeted Machines, Suspicious User Activity, and a Top 10 Most Wanted Users; report data can also be limited to date and time ranges. Attack patterns analyzed include password cracking attempts, browsing, denial of service, privilege violations, ghost IDs, failed logins or file accesses, masquerading, and Administrator ID abuse.</P>
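<P>An event-log monitor of the kind the two paragraphs above describe, as an added example that is not KSM code: a consolidated log from several nodes is checked for a failed-login burst (the password-cracking signature), Administrator logons and audit-policy changes, and summarised into a Most Targeted Machines report. The records, the five-failures-in-two-minutes threshold and the use of the classic NT 4 Security-log event IDs 528, 529 and 612 are constructed assumptions for the example.</P>

```python
"""Event-log monitor in the style described for KSM.  Added example, not KSM
or Security Dynamics code: the event records, thresholds and event IDs below
are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Classic NT 4 Security-log IDs, used here as an assumption: successful logon,
# failed logon, audit policy change.
LOGON, FAILED_LOGON, AUDIT_POLICY_CHANGE = 528, 529, 612

# Constructed, consolidated log from several nodes: (node, time, id, user, detail).
EVENTS = [
    ("WS1", "1998-10-05 09:00:01", 528, "alice", "interactive"),
    ("WS1", "1998-10-05 09:00:10", 529, "alice", "bad password"),
    ("FS1", "1998-10-05 09:05:00", 529, "bob", "bad password"),
    ("FS1", "1998-10-05 09:05:10", 529, "bob", "bad password"),
    ("FS1", "1998-10-05 09:05:20", 529, "bob", "bad password"),
    ("FS1", "1998-10-05 09:05:30", 529, "bob", "bad password"),
    ("FS1", "1998-10-05 09:05:40", 529, "bob", "bad password"),
    ("FS1", "1998-10-05 09:05:50", 529, "bob", "bad password"),
    ("WS2", "1998-10-05 09:10:00", 529, "carol", "bad password"),
    ("WS2", "1998-10-05 09:20:00", 529, "carol", "bad password"),
    ("PDC", "1998-10-05 09:30:00", 528, "Administrator", "console"),
    ("PDC", "1998-10-05 09:31:00", 612, "Administrator", "success audit disabled"),
    ("WS2", "1998-10-05 09:40:00", 529, "bob", "bad password"),
]


def parse(events):
    """Normalise timestamps and order the consolidated log by time."""
    rows = [(node, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, user, detail)
            for node, ts, eid, user, detail in events]
    return sorted(rows, key=lambda r: r[1])


def detect_password_cracking(events, threshold=5, window=timedelta(minutes=2)):
    """Password-cracking / failed-login signature: `threshold` failed logons
    for one account inside `window`.  Returns (user, node of the last failure,
    count).  The per-user history is cleared after an alert so that one burst
    fires once rather than on every further failure."""
    alerts, recent = [], defaultdict(list)
    for node, t, eid, user, _detail in parse(events):
        if eid != FAILED_LOGON:
            continue
        hits = [x for x in recent[user] if t - x <= window] + [t]
        if len(hits) >= threshold:
            alerts.append((user, node, len(hits)))
            hits = []
        recent[user] = hits
    return alerts


def notable_events(events):
    """Events reported on sight: Administrator logons (Administrator ID abuse
    review) and changes to the auditing configuration."""
    notable = []
    for node, _t, eid, user, detail in parse(events):
        if eid == AUDIT_POLICY_CHANGE:
            notable.append(("audit policy changed", node, user))
        elif eid == LOGON and user == "Administrator":
            notable.append(("Administrator logon", node, detail))
    return notable


def most_targeted_machines(events, top=3):
    """'Most Targeted Machines' report: nodes ranked by failed logons."""
    counts = Counter(node for node, _t, eid, _u, _d in parse(events)
                     if eid == FAILED_LOGON)
    return counts.most_common(top)


if __name__ == "__main__":
    print("alerts:", detect_password_cracking(EVENTS))
    print("notable:", notable_events(EVENTS))
    print("most targeted:", most_targeted_machines(EVENTS))
```

<P>Note what the monitor does not see: a SYN flood against FS1 during the same ten minutes would leave no record in this log at all, which is exactly the limitation of an event-log-only sensor described above.</P>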
<H3><A NAME="Heading14"></A><FONT COLOR="#000077">For Further Thought</FONT></H3>
<P>As you’ve seen in this chapter, NT is a favorite target of hackers. Many of the internals for NT are not publicly available for review. At a 1997 DEFCON conference, Microsoft representatives asked a team of NT security experts what could be done to improve the security of NT. Most of the panel members remarked that documenting and publishing information would be a significant step forward.
</P>
<P>Echoing the sentiments of other DEFCON participants, the panel members pointed out that it was difficult to securely configure NT systems for customers because the internal workings remained a mystery. Undocumented registry entries can lead to exposures because the consequences of ACL changes for those entries are not well understood by the public. Hackers, though, always find a way to <I>discover</I> the hidden secrets. In response to this request, Microsoft has sought advice from several independent security companies on the best way to document and make available this information. Hopefully, the knowledge will soon be shared.</P>
<P>One important message delivered over the last year or two is that a system evaluated at the C2 level is not necessarily <I>secure</I>. True, Microsoft NT received its C2 evaluation as a system with no network attached, but some of the attacks announced against NT did not require remote access at all. Many weaknesses could be exploited by a local user sitting at a shared NT computer in the corner of a lab. A stamp of approval is only as good as the humans who build the system and those who carry out the evaluation. People make mistakes, and improperly protected registry entries in out-of-the-box configurations of NT show that even government-evaluated systems can still have flaws.</P>
<P>The popularity of NT is growing along with its install base. The market for NT IDSs is strong and also should grow during the next several years. One could predict that the marketplace for NT IDSs will be more competitive because the NT event log is easier to access and understand than UNIX audit logs. However, any of the IDS vendors currently working in the NT space will quickly point out that many mysteries lurk in the event log. Changes between service packs have caused more than one IDS vendor to rewrite code because events were no longer reported or the format of an event had changed.</P>
<P>Because Microsoft is planning major changes to NT security in its next major release (Microsoft 1997), you can expect the market to churn some more. Early access to NT V5.0 is a must for IDS vendors. Changes including support for Kerberos, X.509 certificates, and the move of registry-held configuration into a directory service will push vendors to adjust their tools to incorporate and monitor the new features.</P><P><BR></P>
<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->