ch26.htm

Maximum Security (First Edition) 网络安全 英文版

<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In cases where you cannot cut the
	user loose entirely (perhaps the user is an employee), you can give warnings and
	make the user's position contingent on compliance. Carefully document the incident
	as well, so that if further problems occur, the user has no case for a wrongful termination
	action if fired. 
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Responding to Level-Three, -Four, and -Five Attacks</B></FONT></H4>
<P>If you experience any sort of an attack higher than a level two, you have a problem.
Your job, then, is to undertake several actions:

<UL>
	<LI>Isolate the network segment so that the activity can only occur in a small area<BR>
	<BR>
	
	<LI>Allow the activity to continue<BR>
	<BR>
	
	<LI>Log all activity heavily<BR>
	<BR>
	
	<LI>Make every effort (using a different portion of the network) to identify the
	source or sources of the attacks
</UL>

<P>You are dealing with a criminal. Under state and federal statutes, this type of
access is a crime. If you are to capture that criminal, you will need evidence. Generating
that evidence will take time.</P>
<P>The standards of evidence in an Internet criminal case are not exactly settled.
Certainly, the mere act of someone trying to retrieve your <TT>/etc/passwd</TT> file
by sendmail will not support a criminal case. Nor will evidence of a handful of <TT>showmount</TT>
requests. In short, to build an iron-clad case against an intruder, you must have
some tangible evidence that the intruder was within your network or, alternatively,
some tangible evidence identifying the intruder as the one who downed your server
in a denial-of-service attack. To do this, you must endure the brunt of the attack
(although you can institute come safeguards to ensure that this attack does not harm
your network).</P>
<P>My advice in such a situation would be to call in not only some law enforcement
but also at least one qualified security firm to assist in snagging the offender.
The most important features of such an operation are logs and, of course, locating
the perpetrator. You can provide the logs on your own. However, as far as tracing
the individual, you can only go so far. You might start with a simple traceroute
and, before you're finished, you may have implemented a dozen different techniques
only to find that the network from which the perpetrator is hailing is either also
a victim (that is, the cracker is island hopping), a rogue site, or even worse, located
in a country beyond the reach of the U.S. Justice Department. In such cases, little
can be done besides shoring up your network and getting on with your business. Taking
any other course of action might be very costly and largely a waste of time.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>In this chapter, you learned about levels of attack. These levels of attack are
defined numerically (level one being the least harmful, level six being the most
harmful). This chapter discusses how to combat attacks of various levels, and informs
you of tools you can use to wage a successful battle.
<H2><FONT COLOR="#000077"><B>Resources</B></FONT></H2>
<P><B>UNIX Incident Guide How to Detect an Intrusion.</B>

<UL>
	<LI><A HREF="http://ciac.llnl.gov/ciac/documents/CIAC-2305_UNIX_Incident_Guide_How_to_Detect_an_Intrusion.pdf"><TT>http://ciac.llnl.gov/ciac/documents/CIAC-2305_UNIX_Incident_Guide_How_to_Detect_an_Intrusion.pdf</TT></A>
</UL>

<P><B>Securing Internet Information Servers.</B> CIAC-2308.

<UL>
	<LI><A HREF="http://ciac.llnl.gov/ciac/documents/CIAC-2308_Securing_Internet_Information_Servers.pdf"><TT>http://ciac.llnl.gov/ciac/documents/CIAC-2308_Securing_Internet_Information_Servers.pdf</TT></A>
</UL>

<P><B>Threat Assessment of Malicious Code and Human Computer Threats.</B> L.E. Bassham
and T.W. Polk. National Institute of Standards and Technology. Report to the U.S.
Army Vulnerability/Survivability Study Team, NISTIR 4939. October, 1992.

<UL>
	<LI><A HREF="http://bilbo.isu.edu/security/isl/threat.html"><TT>http://bilbo.isu.edu/security/isl/threat.html</TT></A>
</UL>

<P><B>Hackers in the Mist.</B> R. Blake. Northwestern University, Independent study
in anthropology. December 2, 1994.

<UL>
	<LI><A 
HREF="http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Net_culture_and_hacking/Hackers/hackers_in_the_mist.article"><TT>http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Net_culture_and_hacking/Hackers/hackers_in_the
_mist.article</TT></A>
</UL>

<P><B>Computer Break-ins: A Case Study.</B> Leendert van Dorn. Vrije University.
January 21, 1993.

<UL>
	<LI><A HREF="http://www.alw.nih.gov/Security/FIRST/papers/general/holland.ps"><TT>http://www.alw.nih.gov/Security/FIRST/papers/general/holland.ps</TT></A>
</UL>

<P><B>Concerning Hackers Who Break into Computer Systems.</B> Presented at the 13th
National Computer Security Conference, October 1, 1990.

<UL>
	<LI><A HREF="http://www.cpsr.org/ftp/cpsr/computer_crime/denning_defense_hackers.txt"><TT>http://www.cpsr.org/ftp/cpsr/computer_crime/denning_defense_hackers.txt</TT></A>
</UL>

<P><B>Selling Security: Security Policies Are Key to a Strong Defense, But Top Management
Must First Be Brought on Board.</B> C. Waltner. InfoWorld.

<UL>
	<LI><A HREF="http://www.infoworld.com/cgi-bin/displayArchives.pl?dt_iwe52-96_82.htm"><TT>http://www.infoworld.com/cgi-bin/displayArchives.pl?dt_iwe52-96_82.htm</TT></A>
</UL>

<P><B>The United States vs. Craig Neidorf: A Debate on Electronic Publishing Constitutional
Rights and Hacking.</B> D.E. Denning. Communications of the ACM, March, 1991.

<UL>
	<LI><A HREF="http://www.aracnet.com/~gtr/archive/intrusions.html"><TT>http://www.aracnet.com/~gtr/archive/intrusions.html</TT></A>
</UL>

<P><B>An Evening With Berferd In Which a Cracker is Lured, Endured and Studied.</B>
B. Cheswick. AT&amp;T Bell Labs.

<UL>
	<LI><A HREF="ftp://research.att.com/dist/internet_security/berferd.ps"><TT>ftp://research.att.com/dist/internet_security/berferd.ps</TT></A>
</UL>

<P><B>Recombinant Culture: Crime in the Digital Network.</B> C. E. A. Karnow. Presented
at Defcon II, July 1994.

<UL>
	<LI><A HREF="http://www.cpsr.org/cpsr/computer_crime/net.crime.karnow.txt"><TT>http://www.cpsr.org/cpsr/computer_crime/net.crime.karnow.txt</TT></A>
</UL>

<P><B>The Baudy World of the Byte Bandit: A Postmodernist Interpretation of the Computer
Underground.</B> G. Meyer and J. Thomas. Department of Sociology, Northern Illinois
University. March 5, 1990.

<UL>
	<LI><A HREF="http://ei.cs.vt.edu/~cs6704/papers/meyer.txt"><TT>http://ei.cs.vt.edu/~cs6704/papers/meyer.txt</TT></A>
</UL>

<H3><FONT COLOR="#000077"><B>Intrusion Detection</B></FONT></H3>
<P><B>An Introduction to Intrusion Detection.</B> Aurobindo Sundaram.

<UL>
	<LI><A HREF="http://www.techmanager.com/nov96/intrus.html"><TT>http://www.techmanager.com/nov96/intrus.html</TT></A>
</UL>

<P><B>Intrusion Detection for Network Infrastructures.</B> S. Cheung, K.N. Levitt,
and C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 1995.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/clk95.ps"><TT>http://seclab.cs.ucdavis.edu/papers/clk95.ps</TT></A>
</UL>

<P><B>Fraud and Intrusion Detection in Financial Information Systems.</B> S. Stolfo,
P. Chan, D. Wei, W. Lee, and A. Prodromidis. 4th ACM Computer and Communications
Security Conference, 1997.

<UL>
	<LI><A HREF="http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz"><TT>http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz</TT></A>
</UL>

<P><B>Detecting Unusual Program Behavior Using the Statistical Component of the Next-
Generation Intrusion Detection Expert System (NIDES).</B> Debra Anderson, Teresa
F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995.
(Available in hard copy only.)

<UL>
	<LI><A HREF="http://www.csl.sri.com/tr-abstracts.html#csl9506"><TT>http://www.csl.sri.com/tr-abstracts.html#csl9506</TT></A>
</UL>

<P><B>Intrusion Detection Systems (IDS): A Survey of Existing Systems and A Proposed
Distributed IDS Architecture.</B> S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan,
T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon,
and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University
of California, Davis, February 1991.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/bd96.ps"><TT>http://seclab.cs.ucdavis.edu/papers/bd96.ps</TT></A>
</UL>

<P><B>A Methodology for Testing Intrusion Detection Systems.</B> N. F. Puketza, K.
Zhang, M. Chung, B. Mukherjee, and R. A. Olsson. IEEE Transactions on Software Engineering,
Vol.22, No.10, October 1996.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/tse96.ps"><TT>http://seclab.cs.ucdavis.edu/papers/tse96.ps</TT></A>
</UL>

<P><B>GrIDS--A Graph-Based Intrusion Detection System for Large Networks.</B> S.
Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt,
C. Wee, R. Yip, and D. Zerkle. The 19th National Information Systems Security Conference.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/nissc96.ps"><TT>http://seclab.cs.ucdavis.edu/papers/nissc96.ps</TT></A>
</UL>

<P><B>NetKuang--A Multi-Host Configuration Vulnerability Checker.</B> D. Zerkle and
K. Levitt, Proceedings of the 6th Usenix Security Symposium. San Jose, California.
1996.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/zl96.ps"><TT>http://seclab.cs.ucdavis.edu/papers/zl96.ps</TT></A>
</UL>

<P><B>Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing
Intrusions.</B> M. Chung, N. Puketza, R.A. Olsson, and B. Mukherjee. Proceedings
of the 1995 National Information Systems Security Conference. Baltimore, Maryland.
1995.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/papers/cpo95.ps"><TT>http://seclab.cs.ucdavis.edu/papers/cpo95.ps</TT></A>
</UL>

<P><B>Holding Intruders Accountable on the Internet.</B> S. Staniford-Chen and L.T.
Heberlein. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland,
CA, 8-10 May 1995.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/~stanifor/papers.html"><TT>http://seclab.cs.ucdavis.edu/~stanifor/papers.html</TT></A>
</UL>

<P><B>Machine Learning and Intrusion Detection: Current and Future Directions.</B>
J. Frank. Proceedings of the 17th National Computer Security Conference, October
1994.

<UL>
	<LI><A HREF="http://seclab.cs.ucdavis.edu/~frank/mlid.html"><TT>http://seclab.cs.ucdavis.edu/~frank/mlid.html</TT></A>
</UL>

<P><B>Another Intrusion Detection Bibliography.</B>

<UL>
	<LI><A HREF="http://doe-is.llnl.gov/nitb/refs/bibs/bib1.html"><TT>http://doe-is.llnl.gov/nitb/refs/bibs/bib1.html</TT></A>
</UL>

<P><B>Intrusion Detection Bibliography.</B>

<UL>
	<LI><A HREF="http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html"><TT>http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html</TT></A>
</UL>

<P><B>Bibliography on Intrusion Detection.</B> The Collection of Computer Science
Bibliographies.

<UL>
	<LI><A HREF="http://src.doc.ic.a