The Tao of Network Security... | Buy

Foreword

xvii

Preface

xix

About the Author

xxxi

About the Contributors

xxxiii

PART I INTRODUCTION TO NETWORK SECURITY MONITORING

Chapter 1 The Security Process

(22)

What Is Security?

(2)

What Is Risk?

(3)

Threat

(2)

Vulnerability

(1)

Asset Value

(1)

A Case Study on Risk

(3)

Security Principles: Characteristics of the Intruder

(2)

Some Intruders Are Smarter Than You

(1)

Many Intruders Are Unpredictable

(1)

Prevention Eventually Fails

(1)

Security Principles: Phases of Compromise

(6)

Reconnaissance

(1)

Exploitation

(1)

Reinforcement

(1)

Consolidation

(1)

Pillage

(2)

Security Principles: Defensible Networks

(4)

Defensible Networks Can Be Watched

(1)

Defensible Networks Limit an Intruder's Freedom to Maneuver

(2)

Defensible Networks Offer a Minimum Number of Services

(1)

Defensible Networks Can Be Kept Current

(1)

Conclusion

(1)

Chapter 2 What Is Network Security Monitoring?

(20)

Indications and Warnings

(3)

Collection, Analysis, and Escalation

(1)

Detecting and Responding to Intrusions

(1)

Why Do IDS Deployments Often Fail?

(1)

Outsiders versus Insiders: What Is NSM's Focus?

(3)

Security Principles: Detection

(3)

Intruders Who Can Communicate with Victims Can Be Detected

(1)

Detection through Sampling Is Better Than No Detection

(1)

Detection through Traffic Analysis Is Better Than No Detection

(1)

Security Principles: Limitations

(3)

Collecting Everything Is Ideal but Problematic

(1)

Real Time Isn't Always the Best Time

(1)

Extra Work Has a Cost

(1)

What NSM Is Not

(2)

NSM Is Not Device Management

(1)

NSM Is Not Security Event Management

(1)

NSM Is Not Network-Based Forensics

(1)

NSM Is Not Intrusion Prevention

(1)

NSM in Action

(1)

Conclusion

(2)

Chapter 3 Deployment Considerations

(58)

Threat Models and Monitoring Zones

(6)

The Perimeter

(1)

The Demilitarized Zone

(1)

The Wireless Zone

(1)

The Intranet

(1)

Accessing Traffic in Each Zone

(34)

Hubs

(4)

SPAN Ports

(7)

Taps

(13)

Inline Devices

(9)

Wireless Monitoring

(8)

Sensor Architecture

(5)

Hardware

(2)

Operating System

(2)

Sensor Management

(4)

Console Access

(1)

In-Band Remote Access

100

(1)

Out-of-Band Remote Access

101

(1)

Conclusion

102

(1)

PART II NETWORK SECURITY MONITORING PRODUCTS

103

(242)

Chapter 4 The Reference Intrusion Model

105

(14)

The Scenario

105

(1)

The Attack

106

(12)

Conclusion

118

(1)

Chapter 5 Full Content Data

119

(54)

A Note on Software

120

(1)

Libpcap

121

(1)

Tcpdump

122

(18)

Basic Usage of Tcpdump

124

(1)

Using Tcpdump to Store Full Content Data

125

(1)

Using Tcpdump to Read Stored Full Content Data

126

(6)

Timestamps in Stored Full Content Data

132

(2)

Increased Detail in Tcpdump Full Content Data

134

(1)

Tcpdump and Berkeley Packet Filters

135

(5)

Tethereal

140

(9)

Basic Usage of Tethereal

140

(1)

Using Tethereal to Store Full Content Data

141

(3)

Using Tethereal to Read Stored Full Content Data

144

(2)

Getting More Information from Tethereal

146

(3)

Snort as Packet Logger

149

(5)

Basic Usage of Snort as Packet Logger

149

(3)

Using Snort to Store Full Content Data

152

(1)

Using Snort to Read Stored Full Content Data

153

(1)

Finding Specific Parts of Packets with Tcp dump, Tethereal, and Snort

154

(8)

Ethereal

162

(9)

Basic Usage of Ethereal

162

(2)

Using Ethereal to Read Stored Full Content Data

164

(3)

Using Ethereal to Rebuild Sessions

167

(2)

Other Ethereal Features

169

(2)

A Note on Commercial Full Content Collection Options

171

(1)

Conclusion

172

(1)

Chapter 6 Additional Data Analysis

173

(38)

Editcap and Mergecap

173

(1)

Tcpslice

174

(5)

Tcpreplay

179

(3)

Tcpflow

182

(3)

Ngrep

185

(4)

IPsumdump

189

(2)

Etherape

191

(2)

Netdude

193

(12)

Using Netdude

193

(3)

What Do Raw Trace Files Look Like?

196

(9)

P0f

205

(4)

Conclusion

209

(2)

Chapter 7 Session Data

211

(36)

Forms of Session Data

212

(2)

Cisco's NetFlow

214

(6)

Fprobe

220

(2)

Ng_netflow

222

(2)

Flow-tools

224

(8)

Flow-capture

225

(4)

Flow-cat and Flow-print

229

(3)

sFlow and sFlow Toolkit

232

(2)

Argus

234

(8)

Argus Server

236

(2)

Ra Client

238

(4)

Tcptrace

242

(4)

Conclusion

246

(1)

Chapter 8 Statistical Data

247

(38)

What Is Statistical Data?

248

(1)

Cisco Accounting

249

(6)

Ipcad

255

(2)

Ifstat

257

(1)

Bmon

258

(2)

Trafshow

260

(4)

Ttt

264

(2)

Tcpdstat

266

(5)

MRTG

271

(7)

Ntop

278

(5)

Conclusion

283

(2)

Chapter 9 Alert Data: Bro and Prelude

285

(32)

Bro

286

(12)

Installing Bro and BRA

287

(5)

Interpreting Bro Output Files

292

(5)

Bro Capabilities and Limitations

297

(1)

Prelude

298

(17)

Installing Prelude

299

(8)

Interpreting Prelude Output Files

307

(2)

Installing PIWI

309

(2)

Using PIWI to View Prelude Events

311

(2)

Prelude Capabilities and Limitations

313

(2)

Conclusion

315

(2)

Chapter 10 Alert Data: NSM Using Sguil

317

(28)

Why Sguil?

318

(1)

So What Is Sguil?

319

(2)

The Basic Sguil Interface

321

(2)

Sguil's Answer to "Now What?"

323

(6)

Making Decisions with Sguil

329

(2)

Sguil versus the Reference Intrusion Model

331

(13)

SHELLCODE x86 NOOP and Related Alerts

332

(7)

FTP SITE Overflow Attempt Alerts

339

(1)

SCAN nmap TCP Alerts

340

(2)

MISC MS Terminal Server Request Alerts

342

(2)

Conclusion

344

(1)

PART III NETWORK SECURITY MONITORING PROCESSES

345

(58)

Chapter 11 Best Practices

347

(38)

Assessment

347

(2)

Defined Security Policy

348

(1)

Protection

349

(5)

Access Control

350

(1)

Traffic Scrubbing

351

(1)

Proxies

351

(3)

Detection

354

(26)

Collection

355

(5)

Identification

360

(11)

Validation

371

(6)

Escalation

377

(3)

Response

380

(3)

Short-Term Incident Containment

381

(1)

Emergency Network Security Monitoring

381

(2)

Back to Assessment

383

(1)

Analyst Feedback

383

(1)

Conclusion

384

(1)

Chapter 12 Case Studies for Managers

385

(18)

Introduction to Hawke Helicopter Supplies

385

(1)

Case Study 1: Emergency Network Security Monitoring

386

(7)

Detection of Odd Orders

386

(2)

System Administrators Respond

388

(1)

Picking Up the Bat Phone

389

(1)

Conducting Incident Response

389

(1)

Incident Response Results

390

(3)

Case Study 2: Evaluating Managed Security Monitoring Providers

393

(3)

HHS Requirements for NSM

394

(1)

HHS Vendor Questionnaire

394

(2)

Asset Prioritization

396

(1)

Case Study 3: Deploying an In-House NSM Solution

396

(6)

Partner and Sales Offices

398

(1)

HHS Demilitarized Zone

398

(1)

Wireless Network

398

(1)

Internal Network

399

(1)

"But Who Shall Watch the Watchers?"

399

(2)

Other Staffing Issues

401

(1)

Conclusion

402

(1)

PART IV NETWORK SECURITY MONITORING PEOPLE

403

(116)

Chapter 13 Analyst Training Program

405

(28)

Weapons and Tactics

410

(4)

Definition

410

(1)

Tasks

410

(2)

References

412

(2)

Telecommunications

414

(1)

Definition

414

(1)

Tasks

414

(1)

References

415

(1)

System Administration

415

(3)

Definition

415

(1)

Tasks

416

(1)

References

416

(2)

Scripting and Programming

418

(3)

Definition

418

(1)

Tasks

419

(1)

References

419

(2)

Management and Policy

421

(1)

Definition

421

(1)

Tasks

421

(1)

References

421

(1)

Training in Action

422

(4)

Periodicals and Web Sites

426

(1)

Case Study: Staying Current with Tools

427

(4)

Conclusion

431

(2)

Chapter 14 Discovering DNS

433

(40)

Normal Port 53 Traffic

434

(14)

Normal Port 53 UDP Traffic

434

(8)

Normal Port 53 TCP Traffic

442

(6)

Suspicious Port 53 Traffic

448

(11)

Suspicious Port 53 UDP Traffic

448

(7)

Suspicious Port 53 TCP Traffic

455

(4)

Malicious Port 53 Traffic

459

(13)

Malicious Port 53 UDP Traffic

459

(7)

Malicious Port 53 TCP and UDP Traffic

466

(6)

Conclusion

472

(1)

Chapter 15 Harnessing the Power of Session Data

473

(18)

The Session Scenario

474

(1)

Session Data from the Wireless Segment

475

(1)

Session Data from the DMZ Segment

476

(3)

Session Data from the VLANs

479

(9)

Session Data from the External Segment

488

(2)

Conclusion

490

(1)

Chapter 16 Packet Monkey Heaven

491

(28)

Truncated TCP Options

491

(7)

SCAN FIN

498

(7)

Chained Covert Channels

505

(13)

Conclusion

518

(1)

PART V THE INTRUDER VERSUS NETWORK SECURITY MONITORING

519

(142)

Chapter 17 Tools for Attacking Network Security Monitoring

521

(62)

Packit

521

(9)

IP Sorcery

530

(4)

Fragroute

534

(14)

LFT

548

(10)

Xprobe2

558

(9)

Cisco IOS Denial of Service

567

(3)

Solaris Sadmin Exploitation Attempt

570

(5)

Microsoft RPC Exploitation

575

(5)

Conclusion

580

(3)

Chapter 18 Tactics for Attacking Network Security Monitoring

583

(68)

Promote Anonymity

584

(19)

Attack from a Stepping-Stone

584

(5)

Attack by Using a Spoofed Source Address

589

(8)

Attack from a Netblock You Don't Own

597

(2)

Attack from a Trusted Host

599

(1)

Attack from a Familiar Netblock

600

(1)

Attack the Client, Not the Server

601

(1)

Use Public Intermediaries

602

(1)

Evade Detection

603

(31)

Time Attacks Properly

604

(3)

Distribute Attacks Throughout Internet Space

607

(11)

Employ Encryption

618

(16)

Appear Normal

634

(5)

Degrade or Deny Collection

639

(8)

Deploy Decoys

639

(2)

Consider Volume Attacks

641

(2)

Attack the Sensor

643

(4)

Separate Analysts from Their Consoles

647

(1)

Self-Inflicted Problems in NSM

647

(2)

Conclusion

649

(2)

Epilogue The Future of Network Security Monitoring

651

(10)

Remote Packet Capture and Centralized Analysis

652

(1)

Integration of Vulnerability Assessment Products

653

(1)

Anomaly Detection

654

(2)

NSM Beyond the Gateway

656

(2)

Conclusion

658

(3)

PART VI APPENDIXES

661

(104)

Appendix A Protocol Header Reference

663

(22)

Appendix B Intellectual History of Network Security Monitoring

685

(72)

Appendix C Protocol Anomaly Detection

757

(8)

Index

765

Welcome toThe Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusiona real compromise, not a simple Web page defacementyou'll realize the security principles and systems outlined here are both necessary and relevant. This book is aboutpreparationfor compromise, but it's not a book aboutpreventingcompromise. Three words sum up my attitude toward stopping intruders:prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. Once your security is breached, everyone will ask the same question:now what?Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail. Audience This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools. Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however. While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks. If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on "intrusion detection" describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set