Intrusion Detection: Network Security Beyond the Firewall: Sniffing for Intruders
Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98
Advantages of Network IDSs
One of the main advantages of a network IDS is simple implementation. Unlike system-level intrusion detection, which requires a monitor to be running on every system, network IDSs require one monitor per subnet. Reduced cost is one consequence of this feature. Installing a single network IDS should be cheaper than installing client system level monitors on each node. In some cases, you might want to run a network IDS monitor on each of several nodes in your environment. Most network IDS architectures support this configuration today.
Now you could get really picky and claim that system-level IDSs could gather the data from each system and then forward it to a central analyzer. However, the real issue is that system-level monitoring requires you to gather information from each system by running some type of sensor or monitor on each system. A network IDS gathers information by actively monitoring network traffic without requiring a separate sensor on each system. Of course, network IDSs cannot detect some of the intrusions and misuses that system IDSs can, and vice versa. You'll see the limitations in the next section.
Another advantage of network IDSs is that the data which they gather comes essentially for free. Computers are emitting network traffic as part of the normal routine of communicating between each other. The network IDS needs only to attach to the network and sniff this information as it appears. A network IDS is noninvasive because it does not alter in any way the systems you want to monitor. None of the system calls in the kernel are modified or replaced on any systems in the network (with the possible exception of the network IDS node itself). Nor does a network IDS require you to introduce a new data source, such as audit logs or syslog. System-level IDSs, as noted in Chapter 6, "Detecting Intruders on Your System Is Fun and Easy," may require you to turn on auditing or syslog in order to capture activities on the system. If you already are running the audit subsystem to track system activities, this practice should not bother you. However, if auditing and syslog are not running on your systems today, a network IDS is appealing.
Perimeter security is what the network IDS is primarily designed to monitor. As more companies connect into cyberspace, increasing threats from intruders are inevitable. Network IDSs aim to simplify the task of monitoring network traffic for security violations and intrusions. Because the amount of network traffic generated by an enterprise can be tremendous, having a system that automatically looks for problems and responds to events is necessary. Note that this type of IDS is a logical extension of network performance monitoring with automated responses.
Many system-level IDSs do not have ample data to detect network intrusions or misuses. Neither the audit logs nor syslog give detailed information about network packets. To get at the content of the packets themselves, the IDS needs to do one of the following:
Run as part of the OS and analyze every packet that arrives or leaves the node
Run on a separate node that monitors network traffic for all nodes
The latter approach seems to be the most scalable today. Limitations of separate node network IDSs may force administrators to run a network IDS on each node in the future.
Network IDSs usually are equipped with some form of response or countermeasure feature. NetRanger can send commands to the router to block packets from a particular source IP address when attacks originate from that address. RealSecure and other stand-alone monitors can send block address commands to popular firewalls, too. One danger of these countermeasures, already mentioned, is that frequently the hacker is using forged addresses. You could end up blocking your biggest Web site customer if suddenly a hacker forges a SYN Flood attack from that customer's IP address.
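The forged-address problem above is easy to see in code. This is an added illustration, not code from the book or from NetRanger or RealSecure: a naive auto-block policy beside a guarded one that grades its evidence. The event list, the threshold, the `CRITICAL_PEERS` allowlist and all addresses are constructed assumptions.

```python
from collections import defaultdict

SYN_THRESHOLD = 5   # bare SYNs from one source before a response fires (assumed)
CRITICAL_PEERS = {"198.51.100.7"}  # assumed allowlist: key customers never auto-blocked

# Constructed sample events: (source_ip, tcp_flags). "S" is a bare SYN; "A" is
# the final ACK of a three-way handshake. A forged source can never send that
# ACK, because the SYN-ACK went to the real owner of the address.
EVENTS = (
    [("203.0.113.9", "S")] * 8                         # SYN flood, spoofed source
    + [("198.51.100.7", "S")] * 8                      # flood forging a key customer
    + [("192.0.2.55", "S"), ("192.0.2.55", "A")] * 6   # real host that completes handshakes
)

def tally(events):
    """Count bare SYNs and completed handshakes per source address."""
    syns, acks = defaultdict(int), defaultdict(int)
    for src, flags in events:
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    return syns, acks

def naive_response(events):
    """The countermeasure as described in the text: block every source that
    exceeds the SYN threshold. It trusts the (spoofable) source address."""
    syns, _ = tally(events)
    return {src: "block" for src, n in syns.items() if n >= SYN_THRESHOLD}

def guarded_response(events):
    """Same trigger, but the action depends on how trustworthy the evidence is."""
    syns, acks = tally(events)
    actions = {}
    for src, n in syns.items():
        if n < SYN_THRESHOLD:
            continue
        if src in CRITICAL_PEERS:
            actions[src] = "alert_only"   # never push a router block for a key peer
        elif acks[src] == 0:
            actions[src] = "rate_limit"   # SYN-only evidence is forgeable: throttle locally
        else:
            actions[src] = "block"        # completed handshakes prove the address is real
    return actions
```

With the constructed events the naive policy blocks all three addresses, including the forged customer address, while the guarded policy blocks only the host that has proven it owns its address.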
Limitations of Network Packet Sniffing
Although network IDSs are an essential weapon in the security officer's arsenal, it's important to understand their limitations. The following sections identify problems with network IDSs so that you can understand what to expect from them when in use at your site.
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.