</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=9//-->
<!--PAGES=265-268//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="263-265.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="268-270.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading5"></A><FONT COLOR="#000077">Other Network IDS Features</FONT></H4>
<P>Like any other application that you run in a distributed environment, a network IDS needs to provide useful systems management capabilities. Features needed include the following:
</P>
<DL>
<DD><B>•</B> Configuration of multiple network IDSs from a central console
<DD><B>•</B> Centralized reporting from network IDSs to a central console
<DD><B>•</B> Secure communications between distributed components
<DD><B>•</B> Configurable sets of attack signatures to monitor
<DD><B>•</B> Easy-to-read reports
<DD><B>•</B> Real-time alerts and optional responses
<DD><B>•</B> Integration with system management frameworks, such as Tivoli TME
</DL>
<P>Depending on your level of sophistication, you might also be interested in designing your own attack signatures. Not all network IDSs provide a simple way for you to create signatures.
</P>
<H3><A NAME="Heading6"></A><FONT COLOR="#000077">Network IDS Attack Recognition</FONT></H3>
<P>What can a network IDS detect? First, because the source of information is network packets, network IDSs look for <I>attacks that are targeted at network protocols</I>. Examples include Ping of Death and SYN Flood because both of these are attacks against weaknesses in TCP/IP itself. Problems in other protocols, such as Novell IPX and Microsoft SMB, also are found.</P>
<P>Protocol problems result in other attacks such as the following:</P>
<DL>
<DD><B>•</B> Sequence number guessing attempts
<DD><B>•</B> IP address impersonation
<DD><B>•</B> Session hijacking
<DD><B>•</B> IP fragmentation
<DD><B>•</B> Other well-known denial-of-service attacks (the “Pizza” attack mentioned earlier in the book)
</DL>
<P>Next, by analyzing packet data content (as opposed to header fields), a network IDS can look for attacks such as the AIX “rlogin -froot” bug. Other examples of <I>application attacks and vulnerabilities</I> detected by network IDSs are as follows:</P>
<DL>
<DD><B>•</B> Various sendmail bugs (EXPN, VRFY, debug)
<DD><B>•</B> phf, test.cgi, and other CGI bugs
<DD><B>•</B> Buffer overflows in finger and DNS
<DD><B>•</B> Various NFS, FTP, and TFTP bugs
</DL>
<P>Unlike scanners that occasionally probe your systems for these weaknesses, network IDSs look for evidence of someone mounting one of these attacks against your systems in real time. The evidence is found by inspecting the contents of packets.
</P>
<P>Finally, scanning packet data for unauthorized strings such as “confidential”, “proprietary”, “secret”, and other <I>potential leakages</I> is another feature found in some network IDSs. A list of keywords can be configured into the IDS. Naturally, performance concerns arise if the list is too long.</P>
<P>Chapter 7, “Vulnerability Scanners,” described useful scanner tools that can be used to probe your systems for weaknesses. If a hacker is scanning your system with ISS or SATAN, a network IDS should be able to detect the activity. Of course, looking for patterns such as scanning of TCP/IP ports is a process that also is affected by time. What if an attacker scans one port per day? Is this something that a network IDS can detect? Most network IDSs have a time-out setting that you can configure to determine the interval that constitutes a group of related events, such as sequential port scans. If you set this value too small, you could miss sequential port scans spread across days, for example.</P>
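<P>To make the time-out trade-off concrete, here is an added example (not from the book) of a minimal per-source port-scan grouper: consecutive probes from one source count as one group only if each falls within <CODE>timeout</CODE> seconds of the previous one, so a one-port-per-day scan is missed with a short time-out and caught with a long one. The event list, IP addresses, and the <CODE>detect_port_scans</CODE> function are constructed for this illustration.</P>

```python
# Constructed sample events: (timestamp in seconds, source IP, destination TCP port).
# 10.0.0.5 probes five ports within two seconds; 10.0.0.9 probes one port per day
# for five days. All addresses and times are made up for this example.
DAY = 86400
EVENTS = [
    (1000, "10.0.0.5", 21), (1000, "10.0.0.5", 22), (1001, "10.0.0.5", 23),
    (1001, "10.0.0.5", 25), (1002, "10.0.0.5", 80),
    (0 * DAY, "10.0.0.9", 21), (1 * DAY, "10.0.0.9", 22), (2 * DAY, "10.0.0.9", 23),
    (3 * DAY, "10.0.0.9", 25), (4 * DAY, "10.0.0.9", 80),
]


def detect_port_scans(events, timeout, threshold=5):
    """Return the set of sources that probed at least `threshold` distinct ports
    within one group of related events.

    A group is a run of probes from the same source in which each probe arrives
    at most `timeout` seconds after the previous one (the IDS time-out setting).
    When the gap exceeds the time-out the group is closed and earlier probes are
    forgotten, which is exactly how a slow scan slips past a short time-out.
    """
    state = {}      # source -> (timestamp of last probe, ports seen in current group)
    flagged = set()
    for ts, src, port in sorted(events):          # process in chronological order
        last_ts, ports = state.get(src, (None, set()))
        if last_ts is not None and ts - last_ts > timeout:
            ports = set()                         # gap too long: start a fresh group
        ports.add(port)
        state[src] = (ts, ports)
        if len(ports) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("60 s time-out  :", sorted(detect_port_scans(EVENTS, timeout=60)))
    print("2 day time-out :", sorted(detect_port_scans(EVENTS, timeout=2 * DAY)))
```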
<H4 ALIGN="LEFT"><A NAME="Heading7"></A><FONT COLOR="#000077">Fragmented IP Packets</FONT></H4>
<P>Breaking down packets into smaller chunks and reassembling them into the proper format is something that happens often in network communications. You saw how this happens between network layers on the same system, and between peer layers on different systems when you read Chapter 4, “Traditional Network Security Approaches.”
</P>
<P>A well-known attack called IP Fragmentation tries to inject or form bogus IP packets so that when they are reassembled at the target node, there is a chance for a successful hack. Various operating systems handle reassembly of fragmented packets differently. So, the attack will not always succeed.</P>
<P>Recall that sequence numbers are included in TCP/IP packets so that the receiving node can reassemble packets received out of order into the proper format. By messing around with sequence numbers in injected or forged packets, an attacker can trick the receiving system into overlaying already received data with something else. For example, suppose the target node received a packet with the sequence number for bytes 1–5 and the data “smith.” The hacker could then send another packet with the same sequence number but the data “root.” Depending on how the receiving OS handles this condition, it will either overlay the first packet or discard the new (hacked) packet. The behavior of the OS determines whether the hack succeeds or not.</P><P><BR></P>
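<P>The overlay scenario above, worked through as an added example that is not the book's code: fragments are modelled as (byte offset, payload) pairs, reassembled under a “first” policy (keep what was already received) and a “last” policy (later data overlays earlier data), and a separate check flags the condition an IDS can alert on regardless of the target's policy, namely two fragments that cover the same bytes with different data. The fragment payloads and the policy names are constructed for this illustration.</P>

```python
# Constructed fragments in arrival order: a legitimate "login smith" followed by a
# forged fragment that reuses offset 6 with different data. Values are made up.
FRAGMENTS = [(0, b"login "), (6, b"smith"), (6, b"root ")]


def reassemble(fragments, policy):
    """Reassemble (offset, payload) fragments into one byte string.

    policy "first": a byte already received is kept; overlapping later data is discarded.
    policy "last":  a later fragment overlays whatever was already received.
    Unfilled gaps are left as zero bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = bytearray(total)            # 1 where a byte has already been written
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and filled[pos]:
                continue                 # first policy: discard the overlapping byte
            buf[pos] = byte
            filled[pos] = 1
    return bytes(buf)


def has_conflicting_overlap(fragments):
    """True if two fragments cover the same byte position with different data.

    A genuine retransmission repeats identical bytes, so differing overlapping
    data is the detection signal: it is suspicious no matter which reassembly
    policy the receiving operating system happens to use.
    """
    seen = {}                            # byte position -> first value received there
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                return True
            seen.setdefault(pos, byte)
    return False


if __name__ == "__main__":
    print("first policy:", reassemble(FRAGMENTS, "first"))
    print("last policy :", reassemble(FRAGMENTS, "last"))
    print("conflicting overlap:", has_conflicting_overlap(FRAGMENTS))
```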
<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->