COEN 252 Computer Forensics

Slides:

Advertisements

Similar presentations

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Advertisements

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

System and Network Security Practices COEN 351 E-Commerce Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

A Guide to major network components

COEN 252: Computer Forensics Router Investigation.

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.

Department Of Computer Engineering

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Intranet, Extranet, Firewall. Intranet and Extranet.

What is FORENSICS? Why do we need Network Forensics?

Common Devices Used In Computer Networks

COEN 252 Computer Forensics Collecting Network-based Evidence.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Windows 7 Firewall.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

NETWORKING COMPONENTS AN OVERVIEW OF COMMONLY USED HARDWARE Christopher Johnson LTEC 4550.

Linux Networking and Security

Firewalls  Firewall sits between the corporate network and the Internet Prevents unauthorized access from the InternetPrevents unauthorized access from.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Networking Components Daniel Rosser LTEC Network Hub It is very difficult to find Hubs anymore Hubs sends data from one computer to all other computers.

Chapter 5: Implementing Intrusion Prevention

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

CHAPTER 9 Sniffing.

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

1.1 1 Purpose of firewall : –Control access to or from a protected network; –Implements network access policy connections pass through firewall and are.

NETWORKING COMPONENTS Buddy Steele Assignment 3, Part 1 CECS-5460: Summer 2014.

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

A machine that acts as the central relay between computers on a network Low cost, low function machine usually operating at Layer 1 Ties together the.

Discovery 2 Internetworking Module 8 JEOPARDY K. Martin.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

Sniffer, tcpdump, Ethereal, ntop

Security fundamentals Topic 10 Securing the network perimeter.

Network Components David Blakeley LTEC HUB A common connection point for devices in a network. Hubs are commonly used to connect segments of a LAN.

Role Of Network IDS in Network Perimeter Defense.

IS3220 Information Technology Infrastructure Security

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Security fundamentals

CompTIA Security+ Study Guide (SY0-401)

COEN 152 / 252 Computer Forensics

Computer Data Security & Privacy

Introduction to Networking

CompTIA Security+ Study Guide (SY0-401)

Lecture # 7 Firewalls الجدر النارية. Lecture # 7 Firewalls الجدر النارية.

Firewalls Routers, Switches, Hubs VPNs

Presentation transcript:

COEN 252 Computer Forensics Collecting Network-based Evidence

Why Surveillance to confirm suspicion, to accumulate evidence, to identify co-conspiritors.

Goals Examine suspicion of incident. Accumulate additional evidence. Verify scope of compromise. Identify additional parties involved. Determine a timeline.

Network Monitoring Based on intrusiveness we distinguish: Event Monitoring Looks for certain types of packets representing events. Trap-and-Trace Monitoring Non-content monitoring. Date, Time, Protocol, Source, Destination Full-Content Monitoring Get complete packages.

Network Monitoring System Match technologies and capabilities to the situation. Goals of network surveillance. Ensure proper legal standing. Acquire proper hardware and software. Ensure the security of the platform. Evaluate the network monitor.

Network Monitoring Goals Watch traffic to and from a specific host. Monitor traffic to and from a specific network. Monitor a specific person’s actions. Verify intrusion attempts. Look for specific attack signatures. Focus on a specific protocol.

Network Monitoring Tools Match hardware power to the task. T3 need 1GHz processor, 1GB RAM Implement proper chain of custody for backup storage. Match software properties to the task. OS Remote access? Silent Sniffer? Capture files in portable format? Technical skills needed for monitor. Amount of data

Capturing Data on a Network Develop a threat model before deploying Network Security Monitoring Internal / External Attacker Wireless / Wired / … Develop Monitoring zoning Demilitarized zone Wireless zone Intranet zones

Capturing Data on a Network Wired monitoring Hubs SPAN ports Taps Inline devices

Capturing Data on a Network Hubs Broadcasts incoming data on all interfaces. Be careful about NIC capacity (10/100/1000 Mb/sec) Be careful about hub quality Are inexpensive, but can introduce collisions on the links where the hub sits.

Capturing Data on a Network Switched Port Analyzer (SPAN) A.k.a. Port mirroring, Port monitoring. SPAN port located on enterprise class switches. Copy traffic between certain ports to SPAN port. Configurable Easy access to traffic. Can make mistakes with configuration. Under heavy load, SPAN port might not get all traffic. SPAN only allows monitoring of a single switch.

Capturing Data on a Network Test Access Port (TAP) Networking device specifically designed for monitoring applications. Typically four ports: Router Firewall Monitor traffic on remaining ports. One port sees incoming, the other outgoing traffic. Moderately high costs.

Capturing Data on a Network Specialized inline devices: Server or hardware device Filtering bridges E.g. server with OpenBSD and two NICs

OS for Sniffing Requirements: Robust implementation of TCP/IP. SSH for remote access. Simple to disable services. Simple to run local firewall.

Remote Access Network connection. Modem /”Out of Band” communications Second network adapter. VLAN SSH Firewall restricts IP addresses. Modem /”Out of Band” communications User ID / password Calls from specific phone numbers.

Silent Sniffing Sniffing can be detected: Test for cards in promiscuous mode. Sniffers providing name-lookup make DNS queries. Sniffing machines have a higher response rate if the network is flooded. Incorrect implemented TCP/IP stacks react to packets with correct IP address but wrong ethernet address. Physically disable traffic from the card.

Data File Formats Captured traffic goes into a data file. Capture files have different formats. Proprietary formats can lock you in. We will use windump and ethereal. Free Work well. Runs on most platforms.

Deploying the Network Monitor Physical Security Physical Access => Logical Access. Chain of Custody: Capture files need to be authenticated.

Evaluating the Monitor Check Load. Check File System.

Trap-And-Trace Monitors only IP header and TCP header, but no content. Legal Issues: Without user supplied data, less privacy violation for corporate users. Without user supplied data, less need for a warrant. Tcpdump to screen protects private data.

Full-Content-Monitoring Sniffers can capture complete packages. Use a filter to block out noise. Protect capture files to maintain chain of custody. (file naming, scripting, md5)

Network-Based Logs Most network traffic leaves an audit trail. Routers, firewalls, servers, … maintain logs DHCP log IP leases Firewalls offer logging. IDS can capture part of an attack. Host-based sensors detect alteration of libraries Login attempts are logged.