The Tao of Network Security Monitoring Beyond Intrusion Detection,9780321246776

The Tao of Network Security Monitoring Beyond Intrusion Detection

by
ISBN13: 9780321246776
ISBN10: 0321246772
Format: Paperback
Pub. Date: 2004-07-12
Publisher(s): Addison-Wesley Professional
List Price: $74.99

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

New Book

We're Sorry
Sold Out

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $5.50

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

Quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging computer security exploits.

Author Biography

Former Air Force intelligence officer Richard Bejtlich is a security engineer at ManTech International Corporation's Computer Forensics and Intrusion Analysis division

Table of Contents

Foreword xvii
Preface xix
About the Author xxxi
About the Contributors xxxiii
PART I INTRODUCTION TO NETWORK SECURITY MONITORING
Chapter 1 The Security Process
3(22)
What Is Security?
4(2)
What Is Risk?
6(3)
Threat
6(2)
Vulnerability
8(1)
Asset Value
9(1)
A Case Study on Risk
9(3)
Security Principles: Characteristics of the Intruder
12(2)
Some Intruders Are Smarter Than You
12(1)
Many Intruders Are Unpredictable
12(1)
Prevention Eventually Fails
13(1)
Security Principles: Phases of Compromise
14(6)
Reconnaissance
15(1)
Exploitation
16(1)
Reinforcement
17(1)
Consolidation
18(1)
Pillage
18(2)
Security Principles: Defensible Networks
20(4)
Defensible Networks Can Be Watched
20(1)
Defensible Networks Limit an Intruder's Freedom to Maneuver
21(2)
Defensible Networks Offer a Minimum Number of Services
23(1)
Defensible Networks Can Be Kept Current
23(1)
Conclusion
24(1)
Chapter 2 What Is Network Security Monitoring?
25(20)
Indications and Warnings
25(3)
Collection, Analysis, and Escalation
28(1)
Detecting and Responding to Intrusions
29(1)
Why Do IDS Deployments Often Fail?
30(1)
Outsiders versus Insiders: What Is NSM's Focus?
31(3)
Security Principles: Detection
34(3)
Intruders Who Can Communicate with Victims Can Be Detected
35(1)
Detection through Sampling Is Better Than No Detection
35(1)
Detection through Traffic Analysis Is Better Than No Detection
36(1)
Security Principles: Limitations
37(3)
Collecting Everything Is Ideal but Problematic
37(1)
Real Time Isn't Always the Best Time
38(1)
Extra Work Has a Cost
39(1)
What NSM Is Not
40(2)
NSM Is Not Device Management
40(1)
NSM Is Not Security Event Management
40(1)
NSM Is Not Network-Based Forensics
41(1)
NSM Is Not Intrusion Prevention
41(1)
NSM in Action
42(1)
Conclusion
43(2)
Chapter 3 Deployment Considerations
45(58)
Threat Models and Monitoring Zones
45(6)
The Perimeter
48(1)
The Demilitarized Zone
49(1)
The Wireless Zone
50(1)
The Intranet
50(1)
Accessing Traffic in Each Zone
51(34)
Hubs
52(4)
SPAN Ports
56(7)
Taps
63(13)
Inline Devices
76(9)
Wireless Monitoring
85(8)
Sensor Architecture
93(5)
Hardware
94(2)
Operating System
96(2)
Sensor Management
98(4)
Console Access
99(1)
In-Band Remote Access
100(1)
Out-of-Band Remote Access
101(1)
Conclusion
102(1)
PART II NETWORK SECURITY MONITORING PRODUCTS 103(242)
Chapter 4 The Reference Intrusion Model
105(14)
The Scenario
105(1)
The Attack
106(12)
Conclusion
118(1)
Chapter 5 Full Content Data
119(54)
A Note on Software
120(1)
Libpcap
121(1)
Tcpdump
122(18)
Basic Usage of Tcpdump
124(1)
Using Tcpdump to Store Full Content Data
125(1)
Using Tcpdump to Read Stored Full Content Data
126(6)
Timestamps in Stored Full Content Data
132(2)
Increased Detail in Tcpdump Full Content Data
134(1)
Tcpdump and Berkeley Packet Filters
135(5)
Tethereal
140(9)
Basic Usage of Tethereal
140(1)
Using Tethereal to Store Full Content Data
141(3)
Using Tethereal to Read Stored Full Content Data
144(2)
Getting More Information from Tethereal
146(3)
Snort as Packet Logger
149(5)
Basic Usage of Snort as Packet Logger
149(3)
Using Snort to Store Full Content Data
152(1)
Using Snort to Read Stored Full Content Data
153(1)
Finding Specific Parts of Packets with Tcp dump, Tethereal, and Snort
154(8)
Ethereal
162(9)
Basic Usage of Ethereal
162(2)
Using Ethereal to Read Stored Full Content Data
164(3)
Using Ethereal to Rebuild Sessions
167(2)
Other Ethereal Features
169(2)
A Note on Commercial Full Content Collection Options
171(1)
Conclusion
172(1)
Chapter 6 Additional Data Analysis
173(38)
Editcap and Mergecap
173(1)
Tcpslice
174(5)
Tcpreplay
179(3)
Tcpflow
182(3)
Ngrep
185(4)
IPsumdump
189(2)
Etherape
191(2)
Netdude
193(12)
Using Netdude
193(3)
What Do Raw Trace Files Look Like?
196(9)
P0f
205(4)
Conclusion
209(2)
Chapter 7 Session Data
211(36)
Forms of Session Data
212(2)
Cisco's NetFlow
214(6)
Fprobe
220(2)
Ng_netflow
222(2)
Flow-tools
224(8)
Flow-capture
225(4)
Flow-cat and Flow-print
229(3)
sFlow and sFlow Toolkit
232(2)
Argus
234(8)
Argus Server
236(2)
Ra Client
238(4)
Tcptrace
242(4)
Conclusion
246(1)
Chapter 8 Statistical Data
247(38)
What Is Statistical Data?
248(1)
Cisco Accounting
249(6)
Ipcad
255(2)
Ifstat
257(1)
Bmon
258(2)
Trafshow
260(4)
Ttt
264(2)
Tcpdstat
266(5)
MRTG
271(7)
Ntop
278(5)
Conclusion
283(2)
Chapter 9 Alert Data: Bro and Prelude
285(32)
Bro
286(12)
Installing Bro and BRA
287(5)
Interpreting Bro Output Files
292(5)
Bro Capabilities and Limitations
297(1)
Prelude
298(17)
Installing Prelude
299(8)
Interpreting Prelude Output Files
307(2)
Installing PIWI
309(2)
Using PIWI to View Prelude Events
311(2)
Prelude Capabilities and Limitations
313(2)
Conclusion
315(2)
Chapter 10 Alert Data: NSM Using Sguil
317(28)
Why Sguil?
318(1)
So What Is Sguil?
319(2)
The Basic Sguil Interface
321(2)
Sguil's Answer to "Now What?"
323(6)
Making Decisions with Sguil
329(2)
Sguil versus the Reference Intrusion Model
331(13)
SHELLCODE x86 NOOP and Related Alerts
332(7)
FTP SITE Overflow Attempt Alerts
339(1)
SCAN nmap TCP Alerts
340(2)
MISC MS Terminal Server Request Alerts
342(2)
Conclusion
344(1)
PART III NETWORK SECURITY MONITORING PROCESSES 345(58)
Chapter 11 Best Practices
347(38)
Assessment
347(2)
Defined Security Policy
348(1)
Protection
349(5)
Access Control
350(1)
Traffic Scrubbing
351(1)
Proxies
351(3)
Detection
354(26)
Collection
355(5)
Identification
360(11)
Validation
371(6)
Escalation
377(3)
Response
380(3)
Short-Term Incident Containment
381(1)
Emergency Network Security Monitoring
381(2)
Back to Assessment
383(1)
Analyst Feedback
383(1)
Conclusion
384(1)
Chapter 12 Case Studies for Managers
385(18)
Introduction to Hawke Helicopter Supplies
385(1)
Case Study 1: Emergency Network Security Monitoring
386(7)
Detection of Odd Orders
386(2)
System Administrators Respond
388(1)
Picking Up the Bat Phone
389(1)
Conducting Incident Response
389(1)
Incident Response Results
390(3)
Case Study 2: Evaluating Managed Security Monitoring Providers
393(3)
HHS Requirements for NSM
394(1)
HHS Vendor Questionnaire
394(2)
Asset Prioritization
396(1)
Case Study 3: Deploying an In-House NSM Solution
396(6)
Partner and Sales Offices
398(1)
HHS Demilitarized Zone
398(1)
Wireless Network
398(1)
Internal Network
399(1)
"But Who Shall Watch the Watchers?"
399(2)
Other Staffing Issues
401(1)
Conclusion
402(1)
PART IV NETWORK SECURITY MONITORING PEOPLE 403(116)
Chapter 13 Analyst Training Program
405(28)
Weapons and Tactics
410(4)
Definition
410(1)
Tasks
410(2)
References
412(2)
Telecommunications
414(1)
Definition
414(1)
Tasks
414(1)
References
415(1)
System Administration
415(3)
Definition
415(1)
Tasks
416(1)
References
416(2)
Scripting and Programming
418(3)
Definition
418(1)
Tasks
419(1)
References
419(2)
Management and Policy
421(1)
Definition
421(1)
Tasks
421(1)
References
421(1)
Training in Action
422(4)
Periodicals and Web Sites
426(1)
Case Study: Staying Current with Tools
427(4)
Conclusion
431(2)
Chapter 14 Discovering DNS
433(40)
Normal Port 53 Traffic
434(14)
Normal Port 53 UDP Traffic
434(8)
Normal Port 53 TCP Traffic
442(6)
Suspicious Port 53 Traffic
448(11)
Suspicious Port 53 UDP Traffic
448(7)
Suspicious Port 53 TCP Traffic
455(4)
Malicious Port 53 Traffic
459(13)
Malicious Port 53 UDP Traffic
459(7)
Malicious Port 53 TCP and UDP Traffic
466(6)
Conclusion
472(1)
Chapter 15 Harnessing the Power of Session Data
473(18)
The Session Scenario
474(1)
Session Data from the Wireless Segment
475(1)
Session Data from the DMZ Segment
476(3)
Session Data from the VLANs
479(9)
Session Data from the External Segment
488(2)
Conclusion
490(1)
Chapter 16 Packet Monkey Heaven
491(28)
Truncated TCP Options
491(7)
SCAN FIN
498(7)
Chained Covert Channels
505(13)
Conclusion
518(1)
PART V THE INTRUDER VERSUS NETWORK SECURITY MONITORING 519(142)
Chapter 17 Tools for Attacking Network Security Monitoring
521(62)
Packit
521(9)
IP Sorcery
530(4)
Fragroute
534(14)
LFT
548(10)
Xprobe2
558(9)
Cisco IOS Denial of Service
567(3)
Solaris Sadmin Exploitation Attempt
570(5)
Microsoft RPC Exploitation
575(5)
Conclusion
580(3)
Chapter 18 Tactics for Attacking Network Security Monitoring
583(68)
Promote Anonymity
584(19)
Attack from a Stepping-Stone
584(5)
Attack by Using a Spoofed Source Address
589(8)
Attack from a Netblock You Don't Own
597(2)
Attack from a Trusted Host
599(1)
Attack from a Familiar Netblock
600(1)
Attack the Client, Not the Server
601(1)
Use Public Intermediaries
602(1)
Evade Detection
603(31)
Time Attacks Properly
604(3)
Distribute Attacks Throughout Internet Space
607(11)
Employ Encryption
618(16)
Appear Normal
634(5)
Degrade or Deny Collection
639(8)
Deploy Decoys
639(2)
Consider Volume Attacks
641(2)
Attack the Sensor
643(4)
Separate Analysts from Their Consoles
647(1)
Self-Inflicted Problems in NSM
647(2)
Conclusion
649(2)
Epilogue The Future of Network Security Monitoring
651(10)
Remote Packet Capture and Centralized Analysis
652(1)
Integration of Vulnerability Assessment Products
653(1)
Anomaly Detection
654(2)
NSM Beyond the Gateway
656(2)
Conclusion
658(3)
PART VI APPENDIXES 661(104)
Appendix A Protocol Header Reference
663(22)
Appendix B Intellectual History of Network Security Monitoring
685(72)
Appendix C Protocol Anomaly Detection
757(8)
Index 765

Excerpts

Welcome toThe Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusiona real compromise, not a simple Web page defacementyou'll realize the security principles and systems outlined here are both necessary and relevant. This book is aboutpreparationfor compromise, but it's not a book aboutpreventingcompromise. Three words sum up my attitude toward stopping intruders:prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. Once your security is breached, everyone will ask the same question:now what?Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail. Audience This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools. Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however. While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks. If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on "intrusion detection" describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.