</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">
<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">
<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE=""> <input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">
</form>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=9//-->
<!--PAGES=276-279//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="273-276.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="279-282.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H3><A NAME="Heading15"></A><FONT COLOR="#000077">Which Product Has the Best Nose?</FONT></H3>
<P>An <I>Infoworld</I> test reported in the May 4, 1998 issue rated products as follows:</P>
<DL>
<DD><B>1.</B> IBM’s outsourced solution using NetRanger
<DD><B>2.</B> ISS RealSecure
<DD><B>3.</B> Network Flight Recorder (NFR)
<DD><B>4.</B> Abirnet SessionWall
</DL>
<P>The <I>Infoworld</I> team assembled a suite of 16 well-known network attacks and tried them against the products. Only NFR caught all of the attacks. The team used the scripting language, with help from Anzen, to build tests that did the following:</P>
<DL>
<DD><B>•</B> Probed for information, tried to gain access
<DD><B>•</B> Launched denial-of-service attacks
<DD><B>•</B> Attempted to overburden the IDS with a combination of the preceding
</DL>
<P>The chosen IDS were challenged with attacks such as the following:
</P>
<DL>
<DD><B>•</B> Ping of Death
<DD><B>•</B> SATAN scanning
<DD><B>•</B> ISS SAFESuite scanning
<DD><B>•</B> Port scanning
<DD><B>•</B> ftp cwd ~root
<DD><B>•</B> phf
<DD><B>•</B> SYN Flood
</DL>
<P>In all, 23 attacks were attempted individually, and two combinations of attacks completed the full suite of 25. (Some of the 16 attacks have more than one variation, which is how one arrives at 23 individual attacks.)
</P>
<P>A three-way tie for first place exists between IBM/NetRanger, RealSecure, and NFR. Abirnet fell into last place for three main reasons—it lacks systems management; it does not have specific IDS reports; and it failed to detect 7 out of 25 attacks. The reviewers nonetheless liked many of SessionWall’s features. The next few sections focus on the three IDSs that tied for first place.</P>
<H4 ALIGN="LEFT"><A NAME="Heading16"></A><FONT COLOR="#000077">IBM and NetRanger</FONT></H4>
<P>As noted previously, NetRanger is a passive network monitor that is offered with an NSC router or as a stand-alone product on a UNIX box. Hierarchical secure remote reporting between sensor stations and a console is one of the key features of NetRanger. The WheelGroup also reports that NetRanger is more scalable than any other network IDS. NetRanger also can detect session hijacking—something that other network IDSs do not claim.
</P>
<P>NetRanger not only detects events but also responds to them. If you run NetRanger with the NSC router, one response it can send to the router is to shun an IP address for an interval of time. As you might expect, a wide range of other response options is available, including pager notification, e-mail, and pop-up alerts. Logging and reporting are standard features.</P>
<P>NetRanger allows scanning for administrator-defined strings in network packets, a feature that other network IDSs will soon have to provide. However, adding your own attack signatures to those NetRanger already supports is not a trivial task. This shortcoming is shared by many IDSs.</P>
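<P>What the administrator-defined string signatures just described amount to in practice, together with several of the attacks from the <I>Infoworld</I> suite (phf, ftp cwd ~root, port scanning, SYN flood, Ping of Death), as an added example that is not NetRanger’s code and is not from the book: a small passive sensor in Python fed with constructed packets. The signature strings, thresholds, addresses and packet contents are all assumptions made for the demonstration.</P>

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # capture time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""      # TCP flag letters; "S" is a bare SYN
    payload: bytes = b""
    length: int = 0      # reassembled datagram length (Ping of Death check)


# Administrator-defined string signatures, the feature discussed in the text.
# Hypothetical entries: (name, protocol, destination port, bytes to find).
STRING_SIGNATURES = [
    ("phf CGI exploit", "tcp", 80, b"/cgi-bin/phf"),
    ("ftp cwd ~root", "tcp", 21, b"cwd ~root"),
]
PORTSCAN_PORTS = 10      # distinct ports from one source inside WINDOW
SYNFLOOD_SYNS = 20       # SYNs toward one destination inside WINDOW
WINDOW = 2.0             # seconds of history kept per source/destination
MAX_DATAGRAM = 65535     # IPv4 limit; a larger reassembled ping is the Ping of Death


class Sensor:
    """Passive monitor: feed it packets in capture order, then read sensor.alerts."""

    def __init__(self):
        self.alerts = []                    # (signature name, src, dst)
        self._ports = defaultdict(dict)     # src -> {dport: last seen ts}
        self._syns = defaultdict(list)      # dst -> [ts of recent SYNs]

    def feed(self, p: Packet) -> None:
        # 1. Content signatures: case-insensitive substring match on the payload.
        low = p.payload.lower()
        for name, proto, port, needle in STRING_SIGNATURES:
            if p.proto == proto and p.dport == port and needle in low:
                self.alerts.append((name, p.src, p.dst))
        # 2. Ping of Death: an ICMP datagram reassembling to more than 65535 bytes.
        if p.proto == "icmp" and p.length > MAX_DATAGRAM:
            self.alerts.append(("ping of death", p.src, p.dst))
        if p.proto != "tcp" or p.flags != "S":
            return
        # 3. Port scan: one source touching many distinct ports within WINDOW.
        seen = self._ports[p.src]
        seen[p.dport] = p.ts
        for port in [q for q, t in seen.items() if p.ts - t > WINDOW]:
            del seen[port]
        if len(seen) == PORTSCAN_PORTS:     # fire once, when the threshold is reached
            self.alerts.append(("port scan", p.src, p.dst))
        # 4. SYN flood: many SYNs to one destination. Sources are usually spoofed,
        #    so the count is keyed on the destination rather than the source.
        recent = [t for t in self._syns[p.dst] if p.ts - t <= WINDOW] + [p.ts]
        self._syns[p.dst] = recent
        if len(recent) == SYNFLOOD_SYNS:
            self.alerts.append(("syn flood", p.src, p.dst))


def sample_traffic():
    """Constructed packets for the demonstration; all addresses are made up."""
    pkts = [
        Packet(0.0, "10.0.0.2", "192.168.1.5", "tcp", 80, "PA",
               b"GET /index.html HTTP/1.0\r\n"),                        # benign
        Packet(0.1, "10.0.0.3", "192.168.1.5", "tcp", 80, "PA",
               b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
        Packet(0.2, "10.0.0.4", "192.168.1.6", "tcp", 21, "PA", b"CWD ~root\r\n"),
        Packet(0.3, "10.0.0.5", "192.168.1.7", "icmp", length=65548),
    ]
    # one source probing 12 ports on a host in under a second
    pkts += [Packet(1.0 + i * 0.05, "10.0.0.9", "192.168.1.5", "tcp", 20 + i, "S")
             for i in range(12)]
    # 25 SYNs to one web server from 25 different (spoofed) sources
    pkts += [Packet(2.0 + i * 0.01, f"172.16.{i}.1", "192.168.1.10", "tcp", 80, "S")
             for i in range(25)]
    return pkts


def run(packets=None):
    sensor = Sensor()
    for p in packets if packets is not None else sample_traffic():
        sensor.feed(p)
    return sensor.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

<P>The string checks are the easy part; the thresholds are what an operator ends up tuning, and the suite’s “overburden the IDS” tests are aimed at exactly that state (the per-source and per-destination tables above grow with the number of distinct hosts seen, so a real sensor needs bounds or aging on them, which this example omits).</P>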
<P>IBM’s Emergency Response Center offers a fee-based service built around NetRanger. Instead of staffing your own team of security experts, you can draw on IBM’s strength in this area. A network operations center is staffed 24 hours a day, 7 days a week, and a specific expert is assigned to your account. When an event is detected, IBM’s security experts notify you and help you respond to it. Up-front planning and response policy design also are available. As hackers become more sophisticated, outsourcing your network intrusion detection seems attractive because you may not be able to staff and maintain your own center of competency.</P>
<P>One final note about NetRanger is worth mentioning. Some of the founders and technical leads of the WheelGroup have worked at the Air Force Information Warfare Center and at the NSA. With a pedigree like that, it is not surprising that a number of government sites depend on NetRanger for network intrusion detection, so you know it has been tested substantially in the field.</P>
<H4 ALIGN="LEFT"><A NAME="Heading17"></A><FONT COLOR="#000077">RealSecure</FONT></H4>
<P>ISS is already the market leader in scanning tools with SAFESuite. RealSecure is a widely used network IDS that complements ISS’s other offerings. Like NetRanger, RealSecure supports remote sensing stations, called <I>engines</I>, that report to a central console. Naturally, communication between the engines and the console is cryptographically protected using a shared pass phrase. Figure 9.3 shows the initial panel for RealSecure.</P>
<P><A NAME="Fig3"></A><A HREF="javascript:displayWindow('images/09-03.jpg',475,121 )"><IMG SRC="images/09-03t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/09-03.jpg',475,121)"><FONT COLOR="#000077"><B>Figure 9.3</B></FONT></A> RealSecure’s initial management panel.</P>
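<P>What a pass-phrase-protected engine-to-console channel looks like in outline, as an added example that is not ISS’s protocol and is not from the book: both sides stretch the shared pass phrase into a key, and every report an engine sends carries a per-engine sequence number and an HMAC, so the console discards forged, corrupted and replayed reports. The pass phrase, salt, engine name and event record are made up for the demonstration, and the example covers authenticity and replay only; confidentiality would additionally need a cipher.</P>

```python
import hashlib
import hmac
import json


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the shared pass phrase into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


class Engine:
    """Remote sensor: every report is sequence-numbered and HMAC-tagged."""

    def __init__(self, key: bytes, engine_id: str):
        self.key, self.engine_id, self.seq = key, engine_id, 0

    def report(self, event: dict) -> bytes:
        self.seq += 1
        body = json.dumps({"engine": self.engine_id, "seq": self.seq, "event": event},
                          sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()   # 32 bytes
        return body + tag


class Console:
    """Central console: drops reports with a bad tag or a stale sequence number."""

    def __init__(self, key: bytes):
        self.key, self.last_seq = key, {}

    def receive(self, msg: bytes):
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                        # forged, corrupted or wrong pass phrase
        rec = json.loads(body)
        if rec["seq"] <= self.last_seq.get(rec["engine"], 0):
            return None                        # replay of an earlier report
        self.last_seq[rec["engine"]] = rec["seq"]
        return rec["event"]


def demo():
    """Constructed round trip: a valid report, a replay, a tampered copy, a wrong key."""
    salt = b"itk-demo-salt"                     # assumption: fixed per deployment
    key = derive_key("correct horse battery", salt)
    engine, console = Engine(key, "engine-subnet-1"), Console(key)
    msg = engine.report({"signature": "phf CGI exploit", "src": "10.0.0.3"})
    accepted = console.receive(msg)
    replayed = console.receive(msg)
    tampered = bytearray(msg)
    tampered[20] ^= 0x01                       # flip one bit inside the JSON body
    forged = console.receive(bytes(tampered))
    wrong_key = Console(derive_key("wrong pass phrase", salt)).receive(msg)
    return accepted, replayed, forged, wrong_key


if __name__ == "__main__":
    print(demo())
```

<P>The caveat a practitioner should keep in mind with any shared-pass-phrase scheme: every engine that holds the pass phrase can also forge traffic in the other direction, so a compromised sensor host compromises the whole management channel. Per-engine keys, or public-key authentication of the console, are what remove that dependency.</P>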
<P>Monitoring and response options can be customized for each engine. Recall from the previous discussions that your site should have one monitoring engine per subnet (possibly more for performance gains). In Figure 9.4, you see some of the attack signatures that can be configured by node in RealSecure. As before, a comprehensive list of attacks detected is best obtained from ISS because the product is updated regularly.
</P>
<P><A NAME="Fig4"></A><A HREF="javascript:displayWindow('images/09-04.jpg',553,377 )"><IMG SRC="images/09-04t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/09-04.jpg',553,377)"><FONT COLOR="#000077"><B>Figure 9.4</B></FONT></A> RealSecure attack signature configuration.</P>
<P>RealSecure also supports a playback mode for digging through captured network traffic in search of problems. In playback mode, however, the product does not run attack signature recognition over the replayed traffic; this limitation probably will be fixed in the near future. In live operation, once the console is activated it begins receiving data from the remote engines. You can choose from a number of different views on the console, including by node or by event severity (high, medium, or low). Data from the engines is logged, and a variety of reports are possible.
</P>
<P>A number of different response options are available, including killing the offending network connection by sending a TCP RST packet. Figure 9.5 gives a snapshot of how one might configure response options in RealSecure. <I>Templates</I> that declare which signatures to use and how to respond to events can be applied to different engine nodes. Notifying an administrator is supported as a response, along with the more aggressive socket kill option.</P>
<P><A NAME="Fig5"></A><A HREF="javascript:displayWindow('images/09-05.jpg',387,405 )"><IMG SRC="images/09-05t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/09-05.jpg',387,405)"><FONT COLOR="#000077"><B>Figure 9.5</B></FONT></A> RealSecure response configuration.</P>
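<P>How the socket kill response is actually built, as an added example that is not RealSecure’s implementation and is not from the book: from one observed segment the sensor forges two TCP RST packets, one per direction, each with the sequence number the respective endpoint will accept. The addresses, ports and sequence numbers are constructed for the demonstration, and the packet builder below is the editor’s, written in Python with only the standard library.</P>

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """IPv4 header + TCP header for a bare RST carrying sequence number `seq`."""
    # TCP: ports, seq, ack=0, data offset 5 words, flags=RST, window 0, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def kill_connection(obs: dict):
    """Forge one RST per direction from an observed segment (obs src -> obs dst).

    The receiver of that segment accepts a RST whose sequence number equals its
    RCV.NXT, i.e. the observed seq plus payload length; the sender of the segment
    accepts a RST at the number it last acknowledged.
    """
    nxt = (obs["seq"] + obs["payload_len"]) & 0xFFFFFFFF
    to_receiver = build_rst(obs["src"], obs["dst"], obs["sport"], obs["dport"], nxt)
    to_sender = build_rst(obs["dst"], obs["src"], obs["dport"], obs["sport"], obs["ack"])
    return to_receiver, to_sender


def parse(pkt: bytes) -> dict:
    """Decode the headers again and verify both checksums (used to check our work)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "rst": bool(flags & 0x04),
        "ip_ok": checksum(pkt[:ihl]) == 0,
        "tcp_ok": checksum(pseudo + tcp) == 0,
    }


# Constructed observation: an attacker segment with 48 bytes of payload toward a web server.
SAMPLE_OBSERVED = {"src": "10.0.0.3", "dst": "192.168.1.5", "sport": 40000, "dport": 80,
                   "seq": 1000, "ack": 5000, "payload_len": 48}

if __name__ == "__main__":
    for pkt in kill_connection(SAMPLE_OBSERVED):
        print(parse(pkt))
```

<P>Two caveats go with this response. A RST is only honoured if its sequence number is acceptable to the receiver, so the sensor must take the numbers from the segment it just saw and win the race against the next real segment; stacks that follow RFC 5961 answer an in-window RST that is not exactly at RCV.NXT with a challenge ACK rather than tearing the connection down, which is why the exact values matter. Putting the bytes on the wire requires a raw socket (<CODE>socket.SOCK_RAW</CODE>, which needs root), and the forged packets are visible to both endpoints, so an attacker can tell the connection was killed rather than dropped.</P>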
<P>RealSecure runs on UNIX and NT platforms. The engines and console can run on different OS platforms, too. Regardless of the platform on which the engine is running, it can detect specific attacks against TCP/IP, NT, NETBIOS, and UNIX. For example, even if the engine is running on an NT workstation, it can detect someone trying to exploit the old AIX “rlogin -froot” bug.
</P>
<P>ISS also relies on its X-Force team of security experts to find new attacks and create (or adjust) signatures. Discoveries can come from the X-Force’s own research or from contacts that it has with the underground. ISS is well known for its NT expertise, with Microsoft often working closely with X-Force team members.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="273-276.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="279-282.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->