Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Monitoring By Bea Wilds CS 522 6 Dec 06.

Published byGertrude Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security Monitoring By Bea Wilds CS 522 6 Dec 06."— Presentation transcript:

1 Network Security Monitoring By Bea Wilds CS 522 6 Dec 06

2 The TAO of Network Security Monitoring: Beyond Intrusion Detection Richard Bejtlich – Blog author TaoSecurity http://taosecurity.blogspot.com/ – Engineer at ManTech International Corp. in the Computer Forensics & Intrusion Analysis division. – Principal consultant at Foundstone performing incident response, emergency security monitoring & research – Senior Security Engineer at Ball Aerospace & Technologies Corp managing network security operations – Leader of the Air Force Computer Emergency Response Team (AFCEPT) from 1998-2001

3 Outline What is NSM? Detection; How Does NSM Differ From IDS What NSM is Not Deployment Considerations NSM Products The Reference Intrusion Model The Future of NSM

4 What is NSM? NSM is the Collection, Analysis, and Escalation of Indications & Warnings to Detect and Respond to Intrusions (1) NSM Subscribes to the FACT that Intrusion Prevention Techniques will FAIL.

5 Network Security Process Assessment Detection Protection Response Preparation for other 3 components -Deals with policies, procedures, laws, regulations, budgeting & other managerial duties Or Prevention is the deployment of countermeasures to mitigate the risk of attacks The process of identifying intrusions “Patch & Proceed” “Pursue & Prosecute”

6 NSM Security Process Assessment Detection Protection Response Implementing products, people & processes most conducive to accurately identify & mitigate intrusions Access Control Traffic Scrubbing Proxies The process of collecting, identifying, validating, & escalating suspicious events Short-term Incident Containment Emergency NSM

7 Detection; How Does NSM Differ From IDS NSM is Event Driven – Relies on Alert, Session, Full Content & Statistical Data to Detect & Validate Events IDS Generate Alerts

8 What NSM is Not Device Management Security Event Management Network-based Forensics Intrusion Prevention

9 Deployment Considerations Determine Which Assets Should be Monitored Who’s the Attacker – Class 1: External Attacker, Launches Intrusion from Internet – Class 2: External Attacker, Launches Intrusion from Wireless Segment – Class 3: Internal Attacker, Launches Intrusion from Wired LAN – Class 4: Internal Attacker, Launches Intrusion from Wireless Segment

10 Deployment Considerations; Monitoring Zones Perimeter (Class 1 Attackers) – Used to Collect Treat Intelligence DMZ (Class 1 Attackers) – Used to Keep an Eye on Hosts Most Likely to be Compromised. i.e. E-mail, Web, DNS, & FTP Wireless Zone (Class 2 Attackers) – Used to Detect Attacks Against Intranet Intranet (Class 3 & 4 Attackers) – Most Difficult for NSM Because These Attackers use Privileges Granted by Their Organization

11 Data Collection & Alert Data Full Content Data: Refers to the Collection of Every Nuanced Bit in a Packet & Saving the Information Passed Above the Transport Layer (2) Session Data: Represents a summary of a Conversation Between Two Parties (3) Statistical Data: Collected to Identify & Validate Intrusions Alert Data: Obtained from tool that are preprogrammed to make judgments on data they inspect

12 NSM Products Full Content Data – Tcpdump – Tethereal – Snort (Packet Logger) – Ethereal Additional Data Analysis – Editcap & Mergecap – Tcpslice, Tcpreplay, Tcpflow – Ngrep – IPsumdump – Etherape – Netdude – P0f Session Data – Cisco’s Netflow – Fprobe – Ng_netflow – Flow-tools – sFlow & sFlow Toolkit – Argus – Tcptrace

13 NSM Products (Continued) Statistical Data – Cisco Accounting – Ipcad – Ifstat – Bmon – Trafshow – Ttt – Tcpdstat – MRTG – Ntop Alert Data – Sguil – Snort – Bro – Prelude

14 Sguil Open Source Suite Designed by Analysts for Analysts Integrates Alert, Session, & Full Content Data into One Graphical Interface Uses Snort as Alert Engine Flash Demo at: http://sguil.sourceforge.net/index.php?page=f lashdemo

15 Future Work Implementing NSM Techniques & Tool – Download Sguil Client http://sourceforge.net/project/showfiles.php?group _id=71220 and connect to sguil daemon at demo.sguil.net on port 7734 http://sourceforge.net/project/showfiles.php?group _id=71220 Attempting Attacks on NSM

16 References (1) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc. 2005, pg 25 (2) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc. 2005, pg 119, 120 (3) Richard Bejtlich, The Tao of Network Security Monitoring, Pearson Education, Inc. 2005, pg 119, 211

Download ppt "Network Security Monitoring By Bea Wilds CS 522 6 Dec 06."

Similar presentations

F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.

Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Similar presentations

Ads by Google