1
Network Security Monitoring
By Bea Wilds, CS 522, 6 Dec 06
2
The TAO of Network Security Monitoring: Beyond Intrusion Detection
Richard Bejtlich
– Blog author, TaoSecurity: http://taosecurity.blogspot.com/
– Engineer at ManTech International Corp. in the Computer Forensics & Intrusion Analysis division
– Principal consultant at Foundstone performing incident response, emergency security monitoring & research
– Senior Security Engineer at Ball Aerospace & Technologies Corp managing network security operations
– Leader of the Air Force Computer Emergency Response Team (AFCERT) from 1998-2001
3
Outline
– What is NSM?
– Detection; How Does NSM Differ From IDS
– What NSM is Not
– Deployment Considerations
– NSM Products
– The Reference Intrusion Model
– The Future of NSM
4
What is NSM?
NSM is the Collection, Analysis, and Escalation of Indications & Warnings to Detect and Respond to Intrusions (1)
NSM Subscribes to the FACT that Intrusion Prevention Techniques will FAIL.
5
Network Security Process
– Assessment: Preparation for the other 3 components; deals with policies, procedures, laws, regulations, budgeting & other managerial duties
– Protection (or Prevention): the deployment of countermeasures to mitigate the risk of attacks
– Detection: the process of identifying intrusions
– Response: “Patch & Proceed” or “Pursue & Prosecute”
6
NSM Security Process
– Assessment: Implementing products, people & processes most conducive to accurately identifying & mitigating intrusions
– Protection: Access Control, Traffic Scrubbing, Proxies
– Detection: The process of collecting, identifying, validating, & escalating suspicious events
– Response: Short-term Incident Containment, Emergency NSM
7
Detection; How Does NSM Differ From IDS
– NSM is Event Driven: Relies on Alert, Session, Full Content & Statistical Data to Detect & Validate Events
– IDS Generate Alerts
8
What NSM is Not
– Device Management
– Security Event Management
– Network-based Forensics
– Intrusion Prevention
9
Deployment Considerations
Determine Which Assets Should be Monitored
Who’s the Attacker?
– Class 1: External Attacker, Launches Intrusion from Internet
– Class 2: External Attacker, Launches Intrusion from Wireless Segment
– Class 3: Internal Attacker, Launches Intrusion from Wired LAN
– Class 4: Internal Attacker, Launches Intrusion from Wireless Segment
10
Deployment Considerations; Monitoring Zones
– Perimeter (Class 1 Attackers): Used to Collect Threat Intelligence
– DMZ (Class 1 Attackers): Used to Keep an Eye on Hosts Most Likely to be Compromised, i.e. E-mail, Web, DNS, & FTP
– Wireless Zone (Class 2 Attackers): Used to Detect Attacks Against Intranet
– Intranet (Class 3 & 4 Attackers): Most Difficult for NSM Because These Attackers use Privileges Granted by Their Organization
11
Data Collection & Alert Data
– Full Content Data: Refers to the Collection of Every Nuanced Bit in a Packet & Saving the Information Passed Above the Transport Layer (2)
– Session Data: Represents a Summary of a Conversation Between Two Parties (3)
– Statistical Data: Collected to Identify & Validate Intrusions
– Alert Data: Obtained from Tools that are Preprogrammed to Make Judgments on the Data they Inspect
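The four data types above only pay off when an analyst can move between them: an alert engine fires, and the session and statistical views built from full content show whether the conversation behind it matters. The following is an added example, not part of the deck or of any tool it lists, using constructed packet records in place of a real capture and a constructed alert in place of Snort output:

```python
from collections import defaultdict

# Constructed full content records (timestamp, src, sport, dst, dport, proto, payload_bytes),
# standing in for packets a tcpdump sensor would capture. All values are made up.
PACKETS = [
    (1.0, "10.0.0.5", 40001, "203.0.113.9", 80, "tcp", 0),
    (1.1, "203.0.113.9", 80, "10.0.0.5", 40001, "tcp", 0),
    (1.2, "10.0.0.5", 40001, "203.0.113.9", 80, "tcp", 300),
    (1.5, "203.0.113.9", 80, "10.0.0.5", 40001, "tcp", 12000),
    (2.0, "10.0.0.7", 51000, "203.0.113.9", 25, "tcp", 0),
    (2.1, "10.0.0.7", 51000, "203.0.113.9", 25, "tcp", 800),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation share one session."""
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])

def build_sessions(packets):
    """Session data: one summary per conversation, in the spirit of an Argus or NetFlow
    record. The first packet seen defines the client/server roles."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, length in packets:
        key = flow_key(src, sport, dst, dport, proto)
        rec = sessions.setdefault(key, {"client": src, "server": dst, "dport": dport,
                                        "start": ts, "end": ts, "pkts": 0, "bytes": 0})
        rec["end"] = max(rec["end"], ts)
        rec["pkts"] += 1
        rec["bytes"] += length
    return sessions

def bytes_by_server_port(sessions):
    """Statistical data: payload volume per service port, the kind of roll-up ntop shows."""
    totals = defaultdict(int)
    for rec in sessions.values():
        totals[rec["dport"]] += rec["bytes"]
    return dict(totals)

def validate_alert(alert, sessions):
    """Given an alert 5-tuple (src, sport, dst, dport, proto) from an alert engine, fetch
    the session summary so the analyst validates the alert instead of trusting it."""
    return sessions.get(flow_key(*alert))

# Constructed alert: the engine flagged the HTTP conversation from 10.0.0.5.
ALERT = ("10.0.0.5", 40001, "203.0.113.9", 80, "tcp")
```

Running `validate_alert(ALERT, build_sessions(PACKETS))` returns the HTTP session (4 packets, 12300 payload bytes, 0.5 s), which is the context an IDS alert alone does not carry.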
12
NSM Products
Full Content Data
– Tcpdump
– Tethereal
– Snort (Packet Logger)
– Ethereal
Additional Data Analysis
– Editcap & Mergecap
– Tcpslice, Tcpreplay, Tcpflow
– Ngrep
– IPsumdump
– Etherape
– Netdude
– P0f
Session Data
– Cisco’s Netflow
– Fprobe
– Ng_netflow
– Flow-tools
– sFlow & sFlow Toolkit
– Argus
– Tcptrace
13
NSM Products (Continued)
Statistical Data
– Cisco Accounting
– Ipcad
– Ifstat
– Bmon
– Trafshow
– Ttt
– Tcpdstat
– MRTG
– Ntop
Alert Data
– Sguil
– Snort
– Bro
– Prelude
14
Sguil
– Open Source Suite Designed by Analysts for Analysts
– Integrates Alert, Session, & Full Content Data into One Graphical Interface
– Uses Snort as Alert Engine
– Flash Demo at: http://sguil.sourceforge.net/index.php?page=flashdemo
15
Future Work
– Implementing NSM Techniques & Tools: Download the Sguil Client (http://sourceforge.net/project/showfiles.php?group_id=71220) and connect to the sguil daemon at demo.sguil.net on port 7734
– Attempting Attacks on NSM
16
References
(1) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc., 2005, pg 25
(2) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc., 2005, pg 119, 120
(3) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc., 2005, pg 119, 211