</SELECT>
</font></td>
</tr>
</table>
</form>
</td>
<td width="100%" valign="top" align="left">
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=9//-->
<!--PAGES=270-273//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="268-270.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="273-276.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading10"></A><FONT COLOR="#000077">Network Sniffers Do Not See All Packets</FONT></H4>
<P>A network IDS works by running a network adapter in promiscuous mode to capture all of the packets coming into and going out of a particular subnet<I>. Notice that this is not the same as watching all of the network traffic that appears on a subnet</I>. Look at Figure 9.2. Here, the physical arrangement of the nodes is in a ring with node B sitting between node A and the node running the IDS. The packet “Hello B” is sent from node A to node B. However, because A and B are directly adjacent, B grabs and processes the packet sent by A. The node running the IDS never has a chance of seeing the packet.</P>
<P><A NAME="Fig2"></A><FONT COLOR="#000077"><B>Figure 9.2</B></FONT> An IDS does not see all packets on a subnet.</P>
<P>This means that a network IDS is not designed to track all the network activities on a subnet. Instead, the IDS is positioned to look for inbound and outbound packets at the entry/exit of the subnet. Following terminology introduced earlier in the book, the network IDS catches intruders, but it does not always catch internal misuse. If the packet from A to B had been a misuse or internal hack, the IDS node would miss it. To catch attacks between nodes, an intelligent IDS sniffer would need to be run on each node.
</P>
<H4 ALIGN="LEFT"><A NAME="Heading11"></A><FONT COLOR="#000077">Network Sniffers Are Blinded by Encryption</FONT></H4>
<P>Many sites rely on encryption for privacy of network traffic. In some cases, two corporate sites are connected by an IP tunnel. A firewall at each site implements the IP tunnel so that all traffic is encrypted as it passes across the unsecure Internet. After a firewall receives an encrypted packet from another site, the packet is decrypted and sent on to the target node in the secure network. A configuration like this <I>does not</I> hinder network intrusion detection. The packet appears in the clear as it leaves the firewall. Because the network IDS is the first node after the firewall (see Figure 9.1), the encryption does not impact the solution.</P>
<P>In some cases, though, an IP tunnel is established between two <I>arbitrary</I> nodes in a network. The nodes could be in the same subnet, or they could be communicating across the Internet. The IP traffic is not decrypted until the receiving node reads the packet from its network adapter. The network IDS has no way of seeing the cleartext version of the packets. Any attack signatures that require cleartext packets will not work when two nodes use an IP tunnel. Again, one possible solution to this problem is to run a sniffer on each node. Note that the sniffer must be in the OS network stack <I>after</I> the packets are decrypted.</P>
<P>When you connect from a browser to a Web server using <I>secure sockets</I> (SSL), the packets from your computer are not decrypted until they reach the Web server application itself. SSL packets flow through the firewall and remain encrypted. The packet arrives at the Web server node, moves up through the kernel stack, and is read by the Web server program from a socket. It is not until this last step, which only the Web server program itself controls, that the packet is decrypted. This type of application-level encryption also blinds network sniffers to many attacks such as the “phf” hack.</P>
<H4 ALIGN="LEFT"><A NAME="Heading12"></A><FONT COLOR="#000077">Missed System-Level Attacks</FONT></H4>
<P>As mentioned in Chapter 6, “Detecting Intruders on Your System Is Fun and Easy,” system-level monitoring has access to important events such as privilege transition. A <I>new</I> attack that causes a buffer overflow and gives root privileges to a remote user will not be seen by a network IDS. If the attack signature is written properly, the system-level IDS will detect and respond to this type of situation.</P>
<P>Two general classes of attacks exist that a network IDS cannot detect, but a system-level IDS can. You can think of the first class as <I>unknown side effects</I>. When an activity on the system happens as the result of receiving a network packet, it’s possible that a side effect will occur that violates your security policy. Examples include the following:</P>
<DL>
<DD><B>•</B> Creation of a world-writable file by a privileged program as a result of processing a network packet
<DD><B>•</B> Downgrading the security of an existing resource, such as making /etc/passwd world writable
<DD><B>•</B> Upgrading the privilege of a user, such as changing the UID of a normal user to zero in /etc/passwd
<DD><B>•</B> Creation of a back door, such as any program that can lead the user to a root shell
</DL>
<P>Unless the hacks that led to these breaches are already known in the security community, the network IDS will not see these events, but the system-level IDS will. If you have a scanner, some of these problems will be caught the next time it runs. In some sense this argument seems unfair because it merely states that if the attack is not known in the community, the network IDS vendor cannot build a signature to catch the attack. However, even if the initiation sequence for the attack is unknown, a system-level IDS <I>can detect</I> that a SUID root program was created. What this says to you is that you need both types of IDSs—system and network—to catch all of the attacks you face.</P>
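<P>The side effects listed above, and the newly created SUID root program just mentioned, are the kind of state a host-level check can see regardless of how the packet that caused them looked on the wire. As an added example that is not from the book, the Python below audits a passwd file for non-root UID 0 accounts and a file inventory for world-writable and setuid-root files; the passwd text, the inventory and the baseline set are constructed samples, and <CODE>scan_tree</CODE> applies the same checks to a real directory.</P>

```python
import os
import stat
from typing import Dict, List, Set, Tuple
# Constructed sample /etc/passwd text (not from any real system): the "backup"
# line shows a privilege upgrade, an ordinary account whose UID became 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
backup:x:0:34:backup:/var/backups:/bin/sh
"""
def uid0_accounts(passwd_text: str) -> List[str]:
    """Names of accounts other than root whose UID field (third) is 0."""
    rows = [ln.split(":") for ln in passwd_text.splitlines() if ln]
    return [r[0] for r in rows if len(r) > 2 and r[0] != "root" and r[2] == "0"]

def mode_findings(path: str, mode: int, uid: int) -> List[str]:
    """Classify one file's st_mode/st_uid: world writable, or setuid root."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"world-writable: {path}")
    if mode & stat.S_ISUID and uid == 0 and mode & stat.S_IXUSR:
        findings.append(f"setuid-root executable: {path}")
    return findings

def audit_inventory(inventory: Dict[str, Tuple[int, int]], baseline: Set[str]) -> List[str]:
    """Run mode_findings over path -> (mode, uid); baseline = expected setuid-root files."""
    findings = []
    for path, (mode, uid) in inventory.items():
        for f in mode_findings(path, mode, uid):
            if f.startswith("setuid-root") and path in baseline:
                continue  # known setuid binary, not a newly created back door
            findings.append(f)
    return findings
# Constructed inventory standing in for lstat results on a real host.
SAMPLE_INVENTORY = {
    "/etc/passwd": (0o100666, 0),      # downgraded: now world writable
    "/tmp/.x": (0o104755, 0),          # new setuid-root program (back door)
    "/usr/bin/passwd": (0o104755, 0),  # legitimate setuid root, in baseline
}

def scan_tree(root: str, baseline: Set[str]) -> List[str]:
    """Same checks over a real directory tree (lstat: symlinks are not followed)."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, devices, etc.
                inv[p] = (st.st_mode, st.st_uid)
    return audit_inventory(inv, baseline)
```

The baseline is what turns "a setuid root program exists" into "a setuid root program was created": without a snapshot of the expected set, every legitimate setuid binary is reported too.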
<P>The other class of system-level problems that a network IDS misses <I>are attacks that are not based on sending or receiving network packets</I>. Examples include any hacks launched by directly attached terminals or TTYs. If you are connected to the computer system with a terminal, you can start a nasty brute force password guessing program, and no network sniffer will be able to detect it. Most midrange hardware vendors still sell a significant number of dumb terminals to customers. Naturally, these threats are posed mostly by insiders rather than intruders.</P><P><BR></P>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>