Foreword
Preface
About the Author
About the Contributors

Introduction to Network Security Monitoring
  The Security Process
    What Is Security?
    What Is Risk?
      Threat
      Vulnerability
      Asset Value
    A Case Study on Risk
    Security Principles: Characteristics of the Intruder
      Some Intruders Are Smarter Than You
      Many Intruders Are Unpredictable
      Prevention Eventually Fails
    Security Principles: Phases of Compromise
      Reconnaissance
      Exploitation
      Reinforcement
      Consolidation
      Pillage
    Security Principles: Defensible Networks
      Defensible Networks Can Be Watched
      Defensible Networks Limit an Intruder's Freedom to Maneuver
      Defensible Networks Offer a Minimum Number of Services
      Defensible Networks Can Be Kept Current
    Conclusion
  What Is Network Security Monitoring?
    Indications and Warnings
    Collection, Analysis, and Escalation
    Detecting and Responding to Intrusions
      Why Do IDS Deployments Often Fail?
      Outsiders versus Insiders: What Is NSM's Focus?
    Security Principles: Detection
      Intruders Who Can Communicate with Victims Can Be Detected
      Detection through Sampling Is Better Than No Detection
      Detection through Traffic Analysis Is Better Than No Detection
    Security Principles: Limitations
      Collecting Everything Is Ideal but Problematic
      Real Time Isn't Always the Best Time
      Extra Work Has a Cost
    What NSM Is Not
      NSM Is Not Device Management
      NSM Is Not Security Event Management
      NSM Is Not Network-Based Forensics
      NSM Is Not Intrusion Prevention
    NSM in Action
    Conclusion
  Deployment Considerations
    Threat Models and Monitoring Zones
      The Perimeter
      The Demilitarized Zone
      The Wireless Zone
      The Intranet
    Accessing Traffic in Each Zone
      Hubs
      SPAN Ports
      Taps
      Inline Devices
      Wireless Monitoring
    Sensor Architecture
      Hardware
      Operating System
    Sensor Management
      Console Access
      In-Band Remote Access
      Out-of-Band Remote Access
    Conclusion

Network Security Monitoring Products
  The Reference Intrusion Model
    The Scenario
    The Attack
    Conclusion
  Full Content Data
    A Note on Software
    Libpcap
    Tcpdump
      Basic Usage of Tcpdump
      Using Tcpdump to Store Full Content Data
      Using Tcpdump to Read Stored Full Content Data
      Timestamps in Stored Full Content Data
      Increased Detail in Tcpdump Full Content Data
      Tcpdump and Berkeley Packet Filters
    Tethereal
      Basic Usage of Tethereal
      Using Tethereal to Store Full Content Data
      Using Tethereal to Read Stored Full Content Data
      Getting More Information from Tethereal
    Snort as Packet Logger
      Basic Usage of Snort as Packet Logger
      Using Snort to Store Full Content Data
      Using Snort to Read Stored Full Content Data
    Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
    Ethereal
      Basic Usage of Ethereal
      Using Ethereal to Read Stored Full Content Data
      Using Ethereal to Rebuild Sessions
      Other Ethereal Features
    A Note on Commercial Full Content Collection Options
    Conclusion
  Additional Data Analysis
    Editcap and Mergecap
    Tcpslice
    Tcpreplay
    Tcpflow
    Ngrep
    IPsumdump
    Etherape
    Netdude
      Using Netdude
      What Do Raw Trace Files Look Like?
    P0f
    Conclusion
  Session Data
    Forms of Session Data
    Cisco's NetFlow
      Fprobe
      Ng_netflow
    Flow-tools
      Flow-capture
      Flow-cat and Flow-print
    sFlow and sFlow Toolkit
    Argus
      Argus Server
      Ra Client
    Tcptrace
    Conclusion
  Statistical Data
    What Is Statistical Data?
    Cisco Accounting
    Ipcad
    Ifstat
    Bmon
    Trafshow
    Ttt
    Tcpdstat
    MRTG
    Ntop
    Conclusion
  Alert Data: Bro and Prelude
    Bro
      Installing Bro and BRA
      Interpreting Bro Output Files
      Bro Capabilities and Limitations
    Prelude
      Installing Prelude
      Interpreting Prelude Output Files
      Installing PIWI
      Using PIWI to View Prelude Events
      Prelude Capabilities and Limitations
    Conclusion
  Alert Data: NSM Using Sguil
    Why Sguil?
    So What Is Sguil?
    The Basic Sguil Interface
    Sguil's Answer to "Now What?"
    Making Decisions with Sguil
    Sguil versus the Reference Intrusion Model
      Shellcode x86 Noop and Related Alerts
      FTP Site Overflow Attempt Alerts
      Scan nmap TCP Alerts
      Misc Ms Terminal Server Request Alerts
    Conclusion

Network Security Monitoring Processes
  Best Practices
    Assessment
      Defined Security Policy
    Protection
      Access Control
      Traffic Scrubbing
      Proxies
    Detection
      Collection
      Identification
      Validation
      Escalation
    Response
      Short-Term Incident Containment
      Emergency Network Security Monitoring
    Back to Assessment
      Analyst Feedback
    Conclusion
  Case Studies for Managers
    Introduction to Hawke Helicopter Supplies
    Emergency Network Security Monitoring
      Detection of Odd Orders
      System Administrators Respond
      Picking Up the Bat Phone
      Conducting Incident Response
      Incident Response Results
    Evaluating Managed Security Monitoring Providers
      HHS Requirements for NSM
      HHS Vendor Questionnaire
      Asset Prioritization
    Deploying an In-House NSM Solution
      Partner and Sales Offices
      HHS Demilitarized Zone
      Wireless Network
      Internal Network
      "But Who Shall Watch the Watchers?"
      Other Staffing Issues
    Conclusion

Network Security Monitoring People
  Analyst Training Program
    Weapons and Tactics
      Definition
      Tasks
      References
    Telecommunications
      Definition
      Tasks
      References
    System Administration
      Definition
      Tasks
      References
    Scripting and Programming
      Definition
      Tasks
      References
    Management and Policy
      Definition
      Tasks
      References
    Training in Action
    Periodicals and Web Sites
    Case Study: Staying Current with Tools
    Conclusion
  Discovering DNS
    Normal Port 53 Traffic
      Normal Port 53 UDP Traffic
      Normal Port 53 TCP Traffic
    Suspicious Port 53 Traffic
      Suspicious Port 53 UDP Traffic
      Suspicious Port 53 TCP Traffic
    Malicious Port 53 Traffic
      Malicious Port 53 UDP Traffic
      Malicious Port 53 TCP and UDP Traffic
    Conclusion
  Harnessing the Power of Session Data
    The Session Scenario
    Session Data from the Wireless Segment
    Session Data from the DMZ Segment
    Session Data from the VLANs
    Session Data from the External Segment
    Conclusion
  Packet Monkey Heaven
    Truncated TCP Options
    SCAN FIN
    Chained Covert Channels
    Conclusion

The Intruder versus Network Security Monitoring
  Tools for Attacking Network Security Monitoring
    Packit
    IP Sorcery
    Fragroute
    LFT
    Xprobe2
    Cisco IOS Denial of Service
    Solaris Sadmin Exploitation Attempt
    Microsoft RPC Exploitation
    Conclusion
  Tactics for Attacking Network Security Monitoring
    Promote Anonymity
      Attack from a Stepping-Stone
      Attack by Using a Spoofed Source Address
      Attack from a Netblock You Don't Own
      Attack from a Trusted Host
      Attack from a Familiar Netblock
      Attack the Client, Not the Server
      Use Public Intermediaries
    Evade Detection
      Time Attacks Properly
      Distribute Attacks Throughout Internet Space
      Employ Encryption
      Appear Normal
    Degrade or Deny Collection
      Deploy Decoys
      Consider Volume Attacks
      Attack the Sensor
      Separate Analysts from Their Consoles
    Self-Inflicted Problems in NSM
    Conclusion

Epilogue: The Future of Network Security Monitoring
  Remote Packet Capture and Centralized Analysis
  Integration of Vulnerability Assessment Products
  Anomaly Detection
  NSM Beyond the Gateway
  Conclusion

Appendixes
  Protocol Header Reference
  Intellectual History of Network Security Monitoring
  Protocol Anomaly Detection

Index