
Intrusion Detection The Big Picture

Pages: 35      File type: pdf      Size: 532.79 KB      Views: 12      Downloads: 0

Content extracted from the document:
Intrusion Detection
The Big Picture
Stephen Northcutt

Intrusion Detection - The Big Picture - SANS GIAC © 2000

S. Northcutt – v1.0 – Jul 2000
Edited by J. Kolde – v1.1 – Aug 2000

Pagers and Cell Phones

The high rate of slide delivery means that distractions will cause your fellow students to miss material. If you are a “high interrupt” person, please consider moving to the back of the room or disabling your pagers and phones. Questions are fine anytime.

In this course we’ll be covering the following types of security tools and countermeasures:
• firewalls
• host-based intrusion detection
• network-based intrusion detection
• vulnerability scanners
• honeypots

We’ll also touch on incident response and discuss less technical issues of information security, such as risk assessment and how to justify these tools to management.

Frequently Referred to URLs

• SANS
  – www.sans.org
• NSWC CD2S web page
  – www.nswc.navy.mil/ISSEC
  – click on forms to get the knowledge-based risk assessment forms for WinNT, Unix, Win95, Mac 8.X, etc.

The SANS website is home to GIAC, the Global Incident Analysis Center, and to the SANS training materials, with courses like this one available online.

More URLs

• SHADOW & CIDER
  – www.nswc.navy.mil/ISSEC/CID
• Coast
  – ftp://coast.cs.purdue.edu
• SecurityFocus
  – www.securityfocus.com
• Snort
  – www.snort.org (Win32 version at www.datanerds.net/~mike/snort.html)

SHADOW and CIDER are free intrusion detection system projects.

The Coast archive is Gene Spafford’s security tool archive.

SecurityFocus is home of the Bugtraq mailing list, and has a good vulnerability database and tool archive.

Snort is currently the most popular free network intrusion detection system “as seen on GIAC”.

URLs Continued

• DTK Deception Toolkit
  – www.all.net
• CIDF
  – www.gidos.org
  – www.isi.edu/gost/brian/cidf/
• Tripwire
  – ftp://coast.cs.purdue.edu/pub/tools/unix/Tripwire
  – www.Tripwiresecurity.com/
• SPI
  – ciac.llnl.gov/cstc/

Fred Cohen’s DTK (Deception Toolkit) is an excellent tool kit for building honeypots.

CIDF is the Common Intrusion Detection Framework, a standards initiative by the IETF’s Intrusion Detection working group, designed to improve IDS interoperability.

Tripwire is the de facto standard in file and registry integrity checking.

SPI does integrity checks for US government systems.

Even More URLs

• Vulnerability Scanners
  – Saint: wwdsilx.wwdsi.com/saint/
  – Nessus: www.nessus.org
  – Nmap: www.insecure.org/nmap/
  – Cerberus: www.cerberus-infosec.co.uk/cis.shtml
• Phonesweep
  – www.sandstorm.net

SAINT and NESSUS are general vulnerability scanners. Nmap does stealthy port scanning, OS identification and too many other functions to list. CIS is a vulnerability scanner for improving the security of Windows NT machines. They were all free last time we looked. (Editor’s note: nmap was ported to Windows NT in July 2000 by eEye Digital Security. The Windows version can be downloaded from http://www.eeye.com. – JEK)

Phonesweep is a ‘wardialer’ or modem-finding tool.

URLs URLs URLs

• NukeNabber (from Puppet’s Place)
  – www.dynamsol.com/puppet/
• Legion (detect unprotected shares)
  – Rhino9 has disbanded; you will need to do a net search.

NOTE: Appendix A has a glossary

NukeNabber can be considered a personal host intrusion detector for stand-alone PC’s, which will notify you of attempted connections to user-defined ports.

Legion can be quite hard to find. Most other vulnerability scanners also now look for unprotected shares.

In the back of your materials are additional references. (Editor’s note: for students taking this course online, the Glossary is included as a separate download file. – JEK) ...
