<option value="/reference/dir.security1.html">Security	
			<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
			<option value="/reference/dir.userinterfaces.html">UI
			<option value="/reference/dir.webservices.html">Web Services
			<option value="/reference/dir.webmasterskills1.html">Webmaster
			<option value="/reference/dir.y2k1.html">Y2K
			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=7//-->
<!--PAGES=214-217//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="211-214.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="217-221.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H3><A NAME="Heading7"></A><FONT COLOR="#000077">Improving Your Security with Scanners</FONT></H3>
<P>Dan Farmer introduced COPS while working with Gene Spafford at Purdue University. The popularity of this public domain tool is hard to estimate. Literally thousands of people use COPS today to periodically examine their systems for security weaknesses. Commercial derivatives have appeared over the last several years. This section focuses on the ISS SAFESuite scanners, which are positioned as <I>vulnerability assessment</I> tools.</P>
<P>When Chris Klaus was a graduate student, he put together the Internet Security Scanner and gave it away for free on the Internet. After seeing how much interest the product generated, he decided to start the company with Tom Noonan now known as Internet Security Systems or ISS for short. In addition to delivering security products, ISS sponsors a number of newsgroups (<A HREF="www.iss.net/vd/maillist.html">www.iss.net/vd/maillist.html</A>), provides useful Web site links, and backs security research at universities. Sitting on the fence between target and perpetrator, ISS also provides funding for DEFCON and maintains a good rapport with the underground.</P>
<H4 ALIGN="LEFT"><A NAME="Heading8"></A><FONT COLOR="#000077">ISS SAFESuite</FONT></H4>
<P>Currently ISS scanners come in two main flavors. You can get the <I>System Security Scanner</I> (S3) or the Internet Scanner. Inside the Internet Scanner, you will find separately charged features for a Web scanner, a firewall scanner, and an intranet scanner. Before looking at the features of the product you might be interested in the following details:</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;The ISS scanners are not invasive&#151;they do not intercept or replace operating system calls.
<DD><B>&#149;</B>&nbsp;&nbsp;Scans are run on an <I>interval</I> basis. This means that they look for problems at the time of the scan. If you also are interested in detecting intrusions <I>when they occur</I>, think about adding a real-time intrusion detection product.
<DD><B>&#149;</B>&nbsp;&nbsp;Both system and network problems are analyzed. For example, checking for weak user passwords is a system probe, while IP port scanning looks for network configuration weaknesses.
<DD><B>&#149;</B>&nbsp;&nbsp;No additional security model is layered into the environment. ISS has not added complexity by introducing its own subjects, objects, ACLs, and reference monitor.
</DL>
<P>The product family supports a client-server and heterogeneous configuration. By now you should automatically wonder how secure communications are handled between nodes. ISS provides shared-secret, challenge-response authentication between nodes. When messages are exchanged between nodes, the traffic is encrypted as well.
</P>
<P><FONT SIZE="+1"><B>System Security Scanner</B></FONT></P>
<P>The important features of S3 to examine are its alternative configurations, its reporting capabilities, and the set of vulnerabilities it handles. The initial screen for S3 is shown in Figure 7.1.
</P>
<P><A NAME="Fig1"></A><A HREF="javascript:displayWindow('images/07-01.jpg',467,257 )"><IMG SRC="images/07-01t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/07-01.jpg',467,257)"><FONT COLOR="#000077"><B>Figure 7.1</B></FONT></A>&nbsp;&nbsp;Initial S3 screen.</P>
<P><FONT SIZE="+1"><B><I>Local and Remote Scan Configurations</I></B></FONT></P>
<P>S3 can be run on a single node to scan for and report on security weaknesses on that node. Each system in the network that requires scanning must be installed with a separate copy of S3. If the number of scanned nodes is small, this might be a preferred configuration because network traffic is minimized during scanning and reporting. This design tradeoff is desirable.
</P>
<P>If the administrative model at the site is centralized, one or more scanning <I>engine</I> workstations can be configured to control distributed target nodes. Each target requires the sssd daemon. Luckily, ISS also does not introduce its own software distribution framework for propagating these daemons. Note that S3 does not scan the node remotely. Instead, the distributed configuration enables you to manage S3 configuration files remotely and to receive scan results from other nodes. The engine on the central node processes the results files.</P>
<P>Target nodes can be combined into groups, and a node can belong to more than one group. Groups can be scanned at different times, and variations in the vulnerabilities inspected may be specified for each group. This process enables you to scan some nodes <I>deeper</I> than others. If you have many users on some systems, you can look for user configuration weaknesses on those nodes. However, if you have servers with no user accounts, you can configure the scans for that group to omit looking for most user vulnerabilities. Scan options for each node or group are managed through configuration files.</P>
<P>One efficient feature is <I>caching</I>. For example, when password brute force attacks are run, S3 optionally will omit trying passwords that have previously failed. You also can customize the cracking dictionary.</P>
<P>Whether scans are local or remote, activities are controlled via a GUI or CLI. Some of the scans accept parameters, and these values can be entered in the GUI or by editing configuration files directly. Examples of parameters include permission bits for application files that ISS would not know by default.</P>
<P><FONT SIZE="+1"><B><I>Detect and Respond</I></B></FONT></P>
<P>When a system is scanned by S3, a <I>fix script</I> is incrementally composed with recommended corrective actions. You can customize this script or run it as is to eliminate the vulnerabilities identified by the scan. S3 also creates an unfix script that enables you to <I>undo</I> the fix script.</P>
<P><FONT SIZE="+1"><B><I>Internode Authentication in S3</I></B></FONT></P>
<P>In distributed mode, S3 is installed on a central engine that performs the scan, and a separate daemon (sssd) is configured on each target node. To establish trust for remote communications between the engine and the target, a shared authentication secret is defined. The secret also is used as a key for encrypting results transmitted back to the engine for reporting.
</P>
<P>An authentication file on the engine declares the shared secret and host name association. A different shared secret can be configured for each host. The recommendation is to pick a pass phrase rather than a simple password. On each target node, a corresponding authentication file must contain the same shared secret entered on the engine. Because the same secret controls information flowing in both directions, the authentication protocol could be open to replay attacks and reflection attacks assuming IP address impersonation is possible (see Chapter 4, &#147;Traditional Network Security Approaches&#148;).</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="211-214.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="217-221.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->