The Tao of Network Security Monitoring
Beyond Intrusion Detection
Richard Bejtlich
Boston • San Francisco • New York • Toronto • Montreal
London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
This is a book about network monitoring. The act of collecting traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority. Suggestions on network monitoring in this book shall not be construed as legal advice.
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
[email protected]
For sales outside of the U.S., please contact:
International Sales
(317) 581-3793
[email protected]
Visit Addison-Wesley on the Web: www.awprofessional.com
Library of Congress Cataloging-in-Publication Data
Bejtlich, Richard.
The Tao of network security monitoring : beyond intrusion detection / Richard Bejtlich.
p. cm.
ISBN 0-321-24677-2 (pbk.)
1. Computer networks—Security measures. I. Title.
TK5105.59.B44 2004
005.8-dc 22
2004007857
Copyright © 2005 by Pearson Education, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.
For information on obtaining permission for use of material from this work, please submit a written request to:
Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047
ISBN 0-321-24677-2
Text printed in the United States on recycled paper at Courier Stoughton in Stoughton, Massachusetts.
10th Printing March 2010
TO MY WIFE, AMY:
LOVE IS CERTAIN, LOVE IS KIND. IT ISN'T SOMETHING THAT WE FIND. IT'S SOMETHING THAT WE DO.
Contents
Foreword
Preface
About the Author
About the Contributors
Part I. Introduction to Network Security Monitoring
Chapter 1. The Security Process
What Is Security?
What Is Risk?
Threat
Vulnerability
Asset Value
A Case Study on Risk
Security Principles: Characteristics of the Intruder
Some Intruders Are Smarter Than You
Many Intruders Are Unpredictable
Prevention Eventually Fails
Security Principles: Phases of Compromise
Reconnaissance
Exploitation
Reinforcement
Consolidation
Pillage
Security Principles: Defensible Networks
Defensible Networks Can Be Watched
Defensible Networks Limit an Intruder's Freedom to Maneuver
Defensible Networks Offer a Minimum Number of Services
Defensible Networks Can Be Kept Current
Conclusion
Chapter 2. What Is Network Security Monitoring?
Indications and Warnings
Collection, Analysis, and Escalation
Detecting and Responding to Intrusions
Why Do IDS Deployments Often Fail?
Outsiders versus Insiders: What Is NSM's Focus?
Security Principles: Detection
Intruders Who Can Communicate with Victims Can Be Detected
Detection through Sampling Is Better Than No Detection
Detection through Traffic Analysis Is Better Than No Detection
Security Principles: Limitations
Collecting Everything Is Ideal but Problematic
Real Time Isn't Always the Best Time
Extra Work Has a Cost
What NSM Is Not
NSM Is Not Device Management
NSM Is Not Security Event Management
NSM Is Not Network-Based Forensics
NSM Is Not Intrusion Prevention
NSM in Action
Conclusion
Chapter 3. Deployment Considerations
Threat Models and Monitoring Zones
The Perimeter
The Demilitarized Zone
The Wireless Zone
The Intranet
Accessing Traffic in Each Zone
Hubs
SPAN Ports
Taps
Inline Devices
Wireless Monitoring
Sensor Architecture
Hardware
Operating System
Sensor Management
Console Access
In-Band Remote Access
Out-of-Band Remote Access
Conclusion
Part II. Network Security Monitoring Products
Chapter 4. The Reference Intrusion Model
The Scenario
The Attack
Conclusion
Chapter 5. Full Content Data
A Note on Software
Libpcap
Tcpdump
Basic Usage of Tcpdump
Using Tcpdump to Store Full Content Data
Using Tcpdump to Read Stored Full Content Data
Timestamps in Stored Full Content Data
Increased Detail in Tcpdump Full Content Data
Tcpdump and Berkeley Packet Filters
Tethereal
Basic Usage of Tethereal
Using Tethereal to Store Full Content Data
Using Tethereal to Read Stored Full Content Data
Getting More Information from Tethereal
Snort as Packet Logger
Basic Usage of Snort as Packet Logger
Using Snort to Store Full Content Data
Using Snort to Read Stored Full Content Data
Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
Ethereal
Basic Usage of Ethereal
Using Ethereal to Read Stored Full Content Data
Using Ethereal to Rebuild Sessions
Other Ethereal Features
A Note on Commercial Full Content Collection Options
Conclusion
Chapter 6. Additional Data Analysis
Editcap and Mergecap
Tcpslice
Tcpreplay
Tcpflow
Ngrep
IPsumdump
Etherape
Netdude
Using Netdude
What Do Raw Trace Files Look Like?
P0f
Conclusion
Chapter 7. Session Data
Forms of Session Data
Cisco's NetFlow
Fprobe
Ng_netflow
Flow-tools
Flow-capture
Flow-cat and Flow-print
sFlow and sFlow Toolkit
Argus
Argus Server
Ra Client
Tcptrace
Conclusion
Chapter 8. Statistical Data
What Is Statistical Data?
Cisco Accounting
Ipcad
Ifstat
Bmon
Trafshow
Ttt
Tcpdstat
MRTG
Ntop
Conclusion
Chapter 9. Alert Data: Bro and Prelude
Bro
Installing Bro and BRA
Interpreting Bro Output Files
Bro Capabilities and Limitations
Prelude
Installing Prelude
Interpreting Prelude Output Files
Installing PIWI
Using PIWI to View Prelude Events
Prelude Capabilities and Limitations
Conclusion
Chapter 10. Alert Data: NSM Using Sguil
Why Sguil?
So What Is Sguil?
The Basic Sguil Interface
Sguil's Answer to “Now What?”
Making Decisions with Sguil
Sguil versus the Reference Intrusion Model
SHELLCODE x86 NOOP and Related Alerts
FTP SITE Overflow Attempt Alerts
SCAN nmap TCP Alerts
MISC MS Terminal Server Request Alerts
Conclusion
Part III. Network Security Monitoring Processes
Chapter 11. Best Practices
Assessment
Defined Security Policy
Protection
Access Control
Traffic Scrubbing
Proxies
Detection
Collection
Identification
Validation
Escalation
Response
Short-Term Incident Containment
Emergency Network Security Monitoring
Back to Assessment
Analyst Feedback
Conclusion
Chapter 12. Case Studies for Managers
Introduction to Hawke Helicopter Supplies
Case Study 1: Emergency Network Security Monitoring
Detection of Odd Orders
System Administrators Respond
Picking Up the Bat Phone
Conducting Incident Response
Incident Response Results
Case Study 2: Evaluating Managed Security Monitoring Providers
HHS Requirements for NSM
HHS Vendor Questionnaire
Asset Prioritization
Case Study 3: Deploying an In-House NSM Solution
Partner and Sales Offices
HHS Demilitarized Zone
Wireless Network
Internal Network
“But Who Shall Watch the Watchers?”
Other Staffing Issues
Conclusion
Part IV. Network Security Monitoring People
Chapter 13. Analyst Training Program
Weapons and Tactics
Definition
Tasks
References
Telecommunications
Definition
Tasks
References
System Administration
Definition
Tasks
References
Scripting and Programming
Definition
Tasks
References
Management and Policy
Definition
Tasks
References
Training in Action
Periodicals and Web Sites
Case Study: Staying Current with Tools
Conclusion
Chapter 14. Discovering DNS
Normal Port 53 Traffic
Normal Port 53 UDP Traffic
Normal Port 53 TCP Traffic
Suspicious Port 53 Traffic
Suspicious Port 53 UDP Traffic
Suspicious Port 53 TCP Traffic
Malicious Port 53 Traffic
Malicious Port 53 UDP Traffic
Malicious Port 53 TCP and UDP Traffic
Conclusion
Chapter 15. Harnessing the Power of Session Data
The Session Scenario
Session Data from the Wireless Segment
Session Data from the DMZ Segment
Session Data from the VLANs
Session Data from the External Segment
Conclusion
Chapter 16. Packet Monkey Heaven
Truncated TCP Options
SCAN FIN
Chained Covert Channels
Conclusion
Part V. The Intruder versus Network Security Monitoring
Chapter 17. Tools for Attacking Network Security Monitoring
Packit
IP Sorcery
Fragroute
LFT
Xprobe2
Cisco IOS Denial of Service
Solaris Sadmin Exploitation Attempt
Microsoft RPC Exploitation
Conclusion
Chapter 18. Tactics for Attacking Network Security Monitoring
Promote Anonymity
Attack from a Stepping-Stone
Attack by Using a Spoofed Source Address
Attack from a Netblock You Don't Own
Attack from a Trusted Host
Attack from a Familiar Netblock
Attack the Client, Not the Server
Use Public Intermediaries
Evade Detection
Time Attacks Properly
Distribute Attacks Throughout Internet Space
Employ Encryption
Appear Normal
Degrade or Deny Collection
Deploy Decoys
Consider Volume Attacks
Attack the Sensor
Separate Analysts from Their Consoles
Self-Inflicted Problems in NSM
Conclusion
Epilogue. The Future of Network Security Monitoring
Remote Packet Capture and Centralized Analysis
Integration of Vulnerability Assessment Products
Anomaly Detection
NSM Beyond the Gateway
Conclusion
Part VI. Appendixes
Appendix A. Protocol Header Reference
Appendix B. Intellectual History of Network Security Monitoring
Appendix C. Protocol Anomaly Detection
Index
Foreword
We've all heard the phrase “knowledge will set you free.” When it comes to real-world network security, I can think of no other phrase with which security professionals must arm themselves. Whether you are brand new to network intrusion detection, an incident responder, or a long-time network security veteran, you must always boil any situation down to its basic facts.
The book you are about to read will arm you with the knowledge you need to defend your network from attackers, both the obvious and the not so obvious. Unlike other computer security books that focus on catching the “hack of the week,” this book will equip you with the skills needed to perform in-depth analysis of new and emerging threats. This book discusses many different approaches to network security. It also describes how to communicate and in some cases justify security monitoring efforts. This is important because many organizations may not readily appreciate the need for monitoring—until it is too late.
Frequently I run into security “professionals” who rely on “cookbook” methodologies or their favorite tools. Too often, these people do not have a broad understanding of how networks really work and are not effective in increasing their network's defensive posture or communicating with the network administrators. Although there is no substitute for actual system and network administration experience, by reading this book you will undoubtedly come away knowing more relevant information than when you started. In many large organizations, to gain the respect of the system or network administrators, you need to be able to converse at their level—even if it is way above or below your expertise.
The amount of plain talk in this book struck me as amazing. Firewalls can fail! Intrusion detection systems can be bypassed! Network monitors can be overloaded! We don't normally hear these messages from our vendors, nor do we hear it from our security administrators. Neither the vendor nor the administrator would be very successful if they focused on all the things that could go wrong. Unfortunately, this creates many false perceptions in the minds of managers and users.
You will enjoy the many examples in this book that show how a network is compromised and how it could have been prevented with some extra monitoring. Another dirty little secret that many security professionals don't speak much about is that our own tools are sometimes the most insecure portion of a network. You may be quite surprised to find out that the server set up to do sniffing or monitoring may be the gateway into the very network you are defending. You will learn ways to mitigate that threat too.
I strongly urge you to try using the tools described throughout this book while you are reading it. All of the tools are available for FreeBSD, Linux, and, in many cases, Windows. Although it may take longer to read the book, learning by using is more effective than skimming the command-line syntax.
If you are new to network security, don't put this book back on the shelf! This is a great book for beginners. I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, “What's next?” If so, this book is for you.
Some people have been performing network security monitoring for a very long time, and this book reviews that history. It will expose you to many other forms of monitoring that are not pure intrusion detection. The information about how you can use various tools to enhance your network security monitoring activities is an excellent resource all on its own.
I wish you the best of luck monitoring and defending your network!
Ron Gula
CTO and Founder of Tenable Network Security
Original author of the Dragon Intrusion Detection System
Preface
Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term “will.” Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion—a real compromise, not a simple Web page defacement—you'll realize the security principles and systems outlined here are both necessary and relevant.
This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.
Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.
Audience
This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools.
Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however.1 While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks.
If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on “intrusion detection” describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set up the Snort open source IDS engine with the Analysis Console for Intrusion Databases (ACID) interface. These books seldom go further because they soon encounter inherent investigative limitations that restrict the usefulness of their tools. Since my analytical techniques do not rely on a single product, I can take network-based analysis to the next level. I also limit discussion of odd packet header features, since real intrusions do not hinge on the presence of a weird TCP flag being set. The tools and techniques in this book concentrate on giving analysts the information they need to assess intrusions and make decisions, not just identify mildly entertaining reconnaissance patterns.
This book strives to not repeat material found elsewhere. You will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage.
Technical managers will appreciate sections on best practices, training, and personnel issues. All the technology in the world is worthless if the staff manning it doesn't understand their roles, responsibilities, and escalation procedures. Managers will also develop an intuition for the sorts of information a monitoring process or product should provide. Many vendors sell services and products named with combinations of the terms “network,” “security,” and “monitoring.” This book creates a specific definition for network security monitoring (NSM), built on a historical and operational foundation.
Prerequisites
I've tried to avoid duplicating material presented elsewhere, so I hope readers lacking prerequisite knowledge take to heart the following reading suggestions. I highly recommend reading the following three books prior to this one. If you've got the necessary background, consider these titles as references.
• Internet Site Security, by Erik Schetina, Ken Green, and Jacob Carlson (Boston, MA: Addison-Wesley, 2002). This is an excellent “security 101” book. If you need to start from the ground floor, this book is a great beginning.
• Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis (Upper Saddle River, NJ: Prentice Hall PTR, 2001). Counter Hack offers the best single-chapter introductions to TCP/IP, Microsoft Windows, UNIX, and security issues available.
• Hacking Exposed: Network Security Secrets and

EDUC 742EDUC 742Reading Summary and Reflective Comments .docx
 
EDUC 380 Blog Post Samples Module 1 The Brain Below .docx
EDUC 380 Blog Post Samples Module 1 The Brain  Below .docxEDUC 380 Blog Post Samples Module 1 The Brain  Below .docx
EDUC 380 Blog Post Samples Module 1 The Brain Below .docx
 
EDUC 741Course Project Part 1 Grading RubricCriteriaLevels .docx
EDUC 741Course Project Part 1 Grading RubricCriteriaLevels .docxEDUC 741Course Project Part 1 Grading RubricCriteriaLevels .docx
EDUC 741Course Project Part 1 Grading RubricCriteriaLevels .docx
 
EDUC 740Prayer Reflection Report Grading RubricCriteriaLev.docx
EDUC 740Prayer Reflection Report Grading RubricCriteriaLev.docxEDUC 740Prayer Reflection Report Grading RubricCriteriaLev.docx
EDUC 740Prayer Reflection Report Grading RubricCriteriaLev.docx
 
EDUC 6733 Action Research for EducatorsReading LiteracyDraft.docx
EDUC 6733 Action Research for EducatorsReading LiteracyDraft.docxEDUC 6733 Action Research for EducatorsReading LiteracyDraft.docx
EDUC 6733 Action Research for EducatorsReading LiteracyDraft.docx
 
EDUC 637Technology Portfolio InstructionsGeneral OverviewF.docx
EDUC 637Technology Portfolio InstructionsGeneral OverviewF.docxEDUC 637Technology Portfolio InstructionsGeneral OverviewF.docx
EDUC 637Technology Portfolio InstructionsGeneral OverviewF.docx
 
EDUC 364 The Role of Cultural Diversity in Schooling A dialecti.docx
EDUC 364 The Role of Cultural Diversity in Schooling A dialecti.docxEDUC 364 The Role of Cultural Diversity in Schooling A dialecti.docx
EDUC 364 The Role of Cultural Diversity in Schooling A dialecti.docx
 
EDUC 144 Writing Tips The writing assignments in this cla.docx
EDUC 144 Writing Tips  The writing assignments in this cla.docxEDUC 144 Writing Tips  The writing assignments in this cla.docx
EDUC 144 Writing Tips The writing assignments in this cla.docx
 
EDUC 1300- LEARNING FRAMEWORK Portfolio Page Prompts .docx
EDUC 1300- LEARNING FRAMEWORK Portfolio Page Prompts .docxEDUC 1300- LEARNING FRAMEWORK Portfolio Page Prompts .docx
EDUC 1300- LEARNING FRAMEWORK Portfolio Page Prompts .docx
 
EDU734 Teaching and Learning Environment Week 5.docx
EDU734 Teaching and  Learning Environment Week 5.docxEDU734 Teaching and  Learning Environment Week 5.docx
EDU734 Teaching and Learning Environment Week 5.docx
 
EDU 505 – Contemporary Issues in EducationCOURSE DESCRIPTION.docx
EDU 505 – Contemporary Issues in EducationCOURSE DESCRIPTION.docxEDU 505 – Contemporary Issues in EducationCOURSE DESCRIPTION.docx
EDU 505 – Contemporary Issues in EducationCOURSE DESCRIPTION.docx
 
EDU 3338 Lesson Plan TemplateCandidate NameCooperatin.docx
EDU 3338 Lesson Plan TemplateCandidate NameCooperatin.docxEDU 3338 Lesson Plan TemplateCandidate NameCooperatin.docx
EDU 3338 Lesson Plan TemplateCandidate NameCooperatin.docx
 
EDU 3215 Lesson Plan Template & Elements Name Andres Rod.docx
EDU 3215 Lesson Plan Template & Elements  Name Andres Rod.docxEDU 3215 Lesson Plan Template & Elements  Name Andres Rod.docx
EDU 3215 Lesson Plan Template & Elements Name Andres Rod.docx
 
EDST 1100R SITUATED LEARNING EDST 1100 N Situated Learning .docx
EDST 1100R SITUATED LEARNING  EDST 1100 N Situated Learning .docxEDST 1100R SITUATED LEARNING  EDST 1100 N Situated Learning .docx
EDST 1100R SITUATED LEARNING EDST 1100 N Situated Learning .docx
 
EDU 151 Thematic Unit Required ComponentsThematic Unit Requireme.docx
EDU 151 Thematic Unit Required ComponentsThematic Unit Requireme.docxEDU 151 Thematic Unit Required ComponentsThematic Unit Requireme.docx
EDU 151 Thematic Unit Required ComponentsThematic Unit Requireme.docx
 
EDSP 429Differentiated Instruction PowerPoint InstructionsThe .docx
EDSP 429Differentiated Instruction PowerPoint InstructionsThe .docxEDSP 429Differentiated Instruction PowerPoint InstructionsThe .docx
EDSP 429Differentiated Instruction PowerPoint InstructionsThe .docx
 
EDSP 429Fact Sheet on Disability Categories InstructionsThe pu.docx
EDSP 429Fact Sheet on Disability Categories InstructionsThe pu.docxEDSP 429Fact Sheet on Disability Categories InstructionsThe pu.docx
EDSP 429Fact Sheet on Disability Categories InstructionsThe pu.docx
 
EDSP 370Individualized Education Plan (IEP) InstructionsThe .docx
EDSP 370Individualized Education Plan (IEP) InstructionsThe .docxEDSP 370Individualized Education Plan (IEP) InstructionsThe .docx
EDSP 370Individualized Education Plan (IEP) InstructionsThe .docx
 
EDSP 377Scenario InstructionsScenario 2 Teaching communicatio.docx
EDSP 377Scenario InstructionsScenario 2 Teaching communicatio.docxEDSP 377Scenario InstructionsScenario 2 Teaching communicatio.docx
EDSP 377Scenario InstructionsScenario 2 Teaching communicatio.docx
 
EDSP 377Autism Interventions1. Applied Behavior Analysis (ABA).docx
EDSP 377Autism Interventions1. Applied Behavior Analysis (ABA).docxEDSP 377Autism Interventions1. Applied Behavior Analysis (ABA).docx
EDSP 377Autism Interventions1. Applied Behavior Analysis (ABA).docx
 

Recently uploaded

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 

Recently uploaded (20)

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 

ebook converter DEMO Watermarks.docx

The Tao of Network Security Monitoring
Beyond Intrusion Detection

Richard Bejtlich

Boston • San Francisco • New York • Toronto • Montreal
London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

This is a book about network monitoring. The act of collecting traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority. Suggestions on network monitoring in this book shall not be construed as legal advice.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside of the U.S., please contact:

International Sales
(317) 581-3793
[email protected]

Visit Addison-Wesley on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data

Bejtlich, Richard.
The Tao of network security monitoring : beyond intrusion detection / Richard Bejtlich.
p. cm.
ISBN 0-321-24677-2 (pbk.)
1. Computer networks—Security measures. I. Title.
TK5105.59.B44 2004
005.8-dc 22
2004007857

Copyright © 2005 by Pearson Education, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

For information on obtaining permission for use of material from this work, please submit a written request to:

Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

ISBN 0-321-24677-2

Text printed in the United States on recycled paper at Courier Stoughton in Stoughton, Massachusetts.

10th Printing March 2010

TO MY WIFE, AMY: LOVE IS CERTAIN, LOVE IS KIND. IT ISN'T SOMETHING THAT WE FIND. IT'S SOMETHING THAT WE DO.

Contents
Foreword
Preface
About the Author
About the Contributors

Part I. Introduction to Network Security Monitoring
  Chapter 1. The Security Process
    What Is Security?
    What Is Risk?
    Threat
    Vulnerability
    Asset Value
    A Case Study on Risk
    Security Principles: Characteristics of the Intruder
    Some Intruders Are Smarter Than You
    Many Intruders Are Unpredictable
    Prevention Eventually Fails
    Security Principles: Phases of Compromise
    Reconnaissance
    Exploitation
    Reinforcement
    Consolidation
    Pillage
    Security Principles: Defensible Networks
    Defensible Networks Can Be Watched
    Defensible Networks Limit an Intruder's Freedom to Maneuver
    Defensible Networks Offer a Minimum Number of Services
    Defensible Networks Can Be Kept Current
    Conclusion
  Chapter 2. What Is Network Security Monitoring?
    Indications and Warnings
    Collection, Analysis, and Escalation
    Detecting and Responding to Intrusions
    Why Do IDS Deployments Often Fail?
    Outsiders versus Insiders: What Is NSM's Focus?
    Security Principles: Detection
    Intruders Who Can Communicate with Victims Can Be Detected
    Detection through Sampling Is Better Than No Detection
    Detection through Traffic Analysis Is Better Than No Detection
    Security Principles: Limitations
    Collecting Everything Is Ideal but Problematic
    Real Time Isn't Always the Best Time
    Extra Work Has a Cost
    What NSM Is Not
    NSM Is Not Device Management
    NSM Is Not Security Event Management
    NSM Is Not Network-Based Forensics
    NSM Is Not Intrusion Prevention
    NSM in Action
    Conclusion
  Chapter 3. Deployment Considerations
    Threat Models and Monitoring Zones
    The Perimeter
    The Demilitarized Zone
    The Wireless Zone
    The Intranet
    Accessing Traffic in Each Zone
    Hubs
    SPAN Ports
    Taps
    Inline Devices
    Wireless Monitoring
    Sensor Architecture
    Hardware
    Operating System
    Sensor Management
    Console Access
    In-Band Remote Access
    Out-of-Band Remote Access
    Conclusion

Part II. Network Security Monitoring Products
  Chapter 4. The Reference Intrusion Model
    The Scenario
    The Attack
    Conclusion
  Chapter 5. Full Content Data
    A Note on Software
    Libpcap
    Tcpdump
    Basic Usage of Tcpdump
    Using Tcpdump to Store Full Content Data
    Using Tcpdump to Read Stored Full Content Data
    Timestamps in Stored Full Content Data
    Increased Detail in Tcpdump Full Content Data
    Tcpdump and Berkeley Packet Filters
    Tethereal
    Basic Usage of Tethereal
    Using Tethereal to Store Full Content Data
    Using Tethereal to Read Stored Full Content Data
    Getting More Information from Tethereal
    Snort as Packet Logger
    Basic Usage of Snort as Packet Logger
    Using Snort to Store Full Content Data
    Using Snort to Read Stored Full Content Data
    Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
    Ethereal
    Basic Usage of Ethereal
    Using Ethereal to Read Stored Full Content Data
    Using Ethereal to Rebuild Sessions
    Other Ethereal Features
    A Note on Commercial Full Content Collection Options
    Conclusion
  Chapter 6. Additional Data Analysis
    Editcap and Mergecap
    Tcpslice
    Tcpreplay
    Tcpflow
    Ngrep
    IPsumdump
    Etherape
    Netdude
    Using Netdude
    What Do Raw Trace Files Look Like?
    P0f
    Conclusion
  Chapter 7. Session Data
    Forms of Session Data
    Cisco's NetFlow
    Fprobe
    Ng_netflow
    Flow-tools
    Flow-capture
    Flow-cat and Flow-print
    sFlow and sFlow Toolkit
    Argus
    Argus Server
    Ra Client
    Tcptrace
    Conclusion
  Chapter 8. Statistical Data
    What Is Statistical Data?
    Cisco Accounting
    Ipcad
    Ifstat
    Bmon
    Trafshow
    Ttt
    Tcpdstat
    MRTG
    Ntop
    Conclusion
  Chapter 9. Alert Data: Bro and Prelude
    Bro
    Installing Bro and BRA
    Interpreting Bro Output Files
    Bro Capabilities and Limitations
    Prelude
    Installing Prelude
    Interpreting Prelude Output Files
    Installing PIWI
    Using PIWI to View Prelude Events
    Prelude Capabilities and Limitations
    Conclusion
  Chapter 10. Alert Data: NSM Using Sguil
    Why Sguil?
    So What Is Sguil?
    The Basic Sguil Interface
    Sguil's Answer to “Now What?”
    Making Decisions with Sguil
    Sguil versus the Reference Intrusion Model
    SHELLCODE x86 NOOP and Related Alerts
    FTP SITE Overflow Attempt Alerts
    SCAN nmap TCP Alerts
    MISC MS Terminal Server Request Alerts
    Conclusion

Part III. Network Security Monitoring Processes
  Chapter 11. Best Practices
    Assessment
    Defined Security Policy
    Protection
    Access Control
    Traffic Scrubbing
    Proxies
    Detection
    Collection
    Identification
    Validation
    Escalation
    Response
    Short-Term Incident Containment
    Emergency Network Security Monitoring
    Back to Assessment
    Analyst Feedback
    Conclusion
  Chapter 12. Case Studies for Managers
    Introduction to Hawke Helicopter Supplies
    Case Study 1: Emergency Network Security Monitoring
    Detection of Odd Orders
    System Administrators Respond
    Picking Up the Bat Phone
    Conducting Incident Response
    Incident Response Results
    Case Study 2: Evaluating Managed Security Monitoring Providers
    HHS Requirements for NSM
    HHS Vendor Questionnaire
    Asset Prioritization
    Case Study 3: Deploying an In-House NSM Solution
    Partner and Sales Offices
    HHS Demilitarized Zone
    Wireless Network
    Internal Network
    “But Who Shall Watch the Watchers?”
    Other Staffing Issues
    Conclusion

Part IV. Network Security Monitoring People
  Chapter 13. Analyst Training Program
    Weapons and Tactics
    Definition
    Tasks
    References
    Telecommunications
    Definition
    Tasks
    References
    System Administration
    Definition
    Tasks
    References
    Scripting and Programming
    Definition
    Tasks
    References
    Management and Policy
    Definition
    Tasks
    References
    Training in Action
    Periodicals and Web Sites
    Case Study: Staying Current with Tools
    Conclusion
  Chapter 14. Discovering DNS
    Normal Port 53 Traffic
    Normal Port 53 UDP Traffic
    Normal Port 53 TCP Traffic
    Suspicious Port 53 Traffic
    Suspicious Port 53 UDP Traffic
    Suspicious Port 53 TCP Traffic
    Malicious Port 53 Traffic
    Malicious Port 53 UDP Traffic
    Malicious Port 53 TCP and UDP Traffic
    Conclusion
  Chapter 15. Harnessing the Power of Session Data
    The Session Scenario
    Session Data from the Wireless Segment
    Session Data from the DMZ Segment
    Session Data from the VLANs
    Session Data from the External Segment
    Conclusion
  Chapter 16. Packet Monkey Heaven
    Truncated TCP Options
    SCAN FIN
    Chained Covert Channels
    Conclusion

Part V. The Intruder versus Network Security Monitoring
  Chapter 17. Tools for Attacking Network Security Monitoring
    Packit
    IP Sorcery
    Fragroute
    LFT
    Xprobe2
    Cisco IOS Denial of Service
    Solaris Sadmin Exploitation Attempt
    Microsoft RPC Exploitation
    Conclusion
  Chapter 18. Tactics for Attacking Network Security Monitoring
    Promote Anonymity
    Attack from a Stepping-Stone
    Attack by Using a Spoofed Source Address
    Attack from a Netblock You Don't Own
    Attack from a Trusted Host
    Attack from a Familiar Netblock
    Attack the Client, Not the Server
    Use Public Intermediaries
    Evade Detection
    Time Attacks Properly
    Distribute Attacks Throughout Internet Space
    Employ Encryption
    Appear Normal
    Degrade or Deny Collection
    Deploy Decoys
    Consider Volume Attacks
    Attack the Sensor
    Separate Analysts from Their Consoles
    Self-Inflicted Problems in NSM
    Conclusion
  Epilogue. The Future of Network Security Monitoring
    Remote Packet Capture and Centralized Analysis
    Integration of Vulnerability Assessment Products
    Anomaly Detection
    NSM Beyond the Gateway
    Conclusion

Part VI. Appendixes
  Appendix A. Protocol Header Reference
  Appendix B. Intellectual History of Network Security Monitoring
  Appendix C. Protocol Anomaly Detection

Index
  • 17. Foreword We've all heard the phrase “knowledge will set you free.” When it comes to real-world network security, I can think of no other phrase with which security professionals must arm themselves. Whether you are brand new to network intrusion detection, an incident responder, or a long- time network security veteran, you must always boil any situation down to its basic facts. The book you are about to read will arm you with the knowledge you need to defend your network from attackers, both the obvious and the not so obvious. Unlike other computer security books that focus on catching the “hack of the week,” this book will equip you with the skills needed to perform in-depth analysis of new and emerging threats. This book discusses many different approaches to network security. It also describes how to
  • 18. communicate and in some cases justify security monitoring efforts. This is important because many organizations may not readily appreciate the need for monitoring— until it is too late. Frequently I run into security “professionals” who rely on “cookbook” methodologies or their favorite tools. Too often, these people do not have a broad understanding of how networks really work and are not effective in increasing their network's defensive posture or communicating with the network administrators. Although there is no substitute for actual system and network administration experience, by reading this book you will undoubtedly come away knowing more relevant information than when you started. In many large organizations, to gain the respect of the system or network administrators, you need to be able to converse at their level—even if it is way above or below your expertise.
  • 19. The amount of plain talk in this book struck me as amazing. Firewalls can fail! Intrusion detection systems can be bypassed! Network monitors can be overloaded! We don't normally hear these messages from our vendors, nor do we hear it from our security administrators. Neither the vendor nor the administrator would be very successful if they focused on all the things that could go wrong. Unfortunately, this creates many false perceptions in the minds of managers and users. ******ebook converter DEMO Watermarks******* You will enjoy the many examples in this book that show how a network is compromised and how it could have been prevented with some extra monitoring. Another dirty little secret that many security professionals don't speak much about is that our own tools are sometimes the most insecure
  • 20. portion of a network. You may be quite surprised to find out that the server set up to do sniffing or monitoring may be the gateway into the very network you are defending. You will learn ways to mitigate that threat too. I strongly urge you to try using the tools described throughout this book while you are reading it. All of the tools are available for FreeBSD, Linux, and, in many cases, Windows. Although it may take longer to read the book, learning by using is more effective than skimming the command-line syntax. If you are new to network security, don't put this book back on the shelf! This is a great book for beginners. I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, “What's next?” If so, this book is for you. Some people have been performing network security monitoring for a very
  • 21. long time, and this book reviews that history. It will expose you to many other forms of monitoring that are not pure intrusion detection. The information about how you can use various tools to enhance your network security monitoring activities is an excellent resource all on its own. I wish you the best of luck monitoring and defending your network! Ron Gula CTO and Founder of Tenable Network Security Original author of the Dragon Intrusion Detection System ******ebook converter DEMO Watermarks******* Preface Welcome to The Tao of Network Security Monitoring: Beyond Intrusion
  • 22. Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term “will.” Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion—a real compromise, not a simple Web page defacement—you'll realize the security principles and systems outlined here are both necessary and relevant. This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent
  • 23. some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The
  • 24. intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

    Audience

    This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of
  • 25. network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools. Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however.1 While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks. If you're a network security analyst, this book is also for you. I
  • 26. wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code. For example, many books on “intrusion detection” describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set up the Snort open source IDS engine with the Analysis Console for Intrusion Databases (ACID) interface. These books seldom go further because they soon encounter inherent investigative limitations that restrict the usefulness of their tools. Since my analytical techniques do not rely on a single product, I can take network-based analysis to the next level. I also limit discussion of odd packet header features, since real intrusions do not hinge on the presence of a weird TCP flag being set. The tools and techniques in this book concentrate on giving analysts the information they
  • 27. need to assess intrusions and make decisions, not just identify mildly entertaining reconnaissance patterns.

    This book strives to not repeat material found elsewhere. You will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage.

    Technical managers will appreciate sections on best practices, training, and personnel issues. All the technology in the world is worthless if the staff manning it doesn't understand their roles, responsibilities, and escalation
  • 28. procedures. Managers will also develop an intuition for the sorts of information a monitoring process or product should provide. Many vendors sell services and products named with combinations of the terms “network,” “security,” and “monitoring.” This book creates a specific definition for network security monitoring (NSM), built on a historical and operational foundation.

    Prerequisites

    I've tried to avoid duplicating material presented elsewhere, so I hope readers lacking prerequisite knowledge take to heart the following reading suggestions. I highly recommend reading the following three books prior to this one. If you've got the necessary background, consider these titles as references.

    • Internet Site Security, by Erik Schetina, Ken Green, and
  • 29. Jacob Carlson (Boston, MA: Addison-Wesley, 2002). This is an excellent “security 101” book. If you need to start from the ground floor, this book is a great beginning.
    • Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis (Upper Saddle River, NJ: Prentice Hall PTR, 2001). Counter Hack offers the best single-chapter introductions to TCP/IP, Microsoft Windows, UNIX, and security issues available.
    • Hacking Exposed: Network Security Secrets and