</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td width="100%" valign="top" align="left">
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=10//-->
<!--PAGES=283-285//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch09/279-282.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="285-288.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 10<BR>Intrusion Detection for NT
</FONT></H2>
<P>In this chapter, you will read about NT vulnerabilities and attacks. Each of the types of IDSs defined—vulnerability assessment scanners, system-level monitors, and network sniffers—is available for NT as well as for UNIX. Some products, such as eNTrax from Centrax, are designed exclusively for NT. Before learning about the products, it is important to review some of the underlying concepts that an IDS must handle.
</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">NT Security Review</FONT></H3>
<P>In Chapter 2, “The Role of Identification and Authentication in Your Environment,” you had a chance to dig into the I&A process in NT. Chapter 3, “The Role of Access Control in Your Environment,” described how everything in the system is treated as an object, and that all object access requests go through a single reference monitor—the <I>Security Reference Monitor</I> (SRM). Subjects in NT are processes and threads. Each process and thread is associated with an <I>access token</I> that is a complex data structure defining characteristics of the subject. One of the most important attribute lists in the access token is its <I>privileges</I>. Any time a process or thread is able to increase its privileges, that subject is able to access other resources that might normally be off limits.</P>
<P>Access control lists are associated with objects. Two different ACLs—object ACLs and system ACLs—were discussed in Chapter 3 as well. Object ACLs control access requests by subjects. System ACLs control activities, such as auditing, for that object. Depending on the type of object, the ACL entries vary. For example, <I>access control entries</I> (ACEs) for files are different from those for registry keys.</P>
<P>Based on this simple review, you probably see some of the important events to monitor on NT systems. Any time a change is made to a user’s privilege list in the user database you want to be notified. Changes to ACLs for important system files and directories also are potential preludes to an attack. As in UNIX systems, you should watch for attempts to install Trojan Horses. Especially serious is any attempt—successful or not—to increase the privileges associated with a thread or process.</P>
<H3><A NAME="Heading3"></A><FONT COLOR="#000077">Sources of Data for NT IDSs</FONT></H3>
<P>By now, it should be apparent to you that intrusion detection is a special case of monitoring. Performance monitoring tools track network traffic, system resource utilization, and application behavior. IDSs also need data from various sources to operate effectively.
</P>
<P>In Chapter 7, “Vulnerability Scanners,” you learned that vulnerability scanners that assess the state of your machines operate in one of two modes. Remote assessments are carried out from a central console and targeted at individual nodes in your network. With a remote scan, no special software is needed on the target machines. Local assessments are undertaken by software specifically installed on the node. When a scan is activated by a remote manager station or by a scheduled job, the local scanning software runs on the target node itself.</P>
<P>NT local vulnerability assessment tools operate much the same way as UNIX scanners. They look at configuration information on the system, inspect the contents of files, scour through registry entries, and attempt to crack passwords in the SAM. Other features, such as file-integrity checkers, are supported as well. Recall that a local scanner has the advantage of operating on the system as a login user. This means that the local scanner can read files and access other resources that a remote scanner cannot. Of course, you must install the local scanning code on each target.</P>
<P>Remote scanners against NT systems probe for known network configuration problems, check for back-level programs with holes, and attempt to gain access to the system by breaking in as normal users or as the administrator. The source of data for these IDSs is primarily feedback that comes from interacting with NT network services or applications, such as the <I>Internet Information Server</I> (IIS). Remote scanners benefit from the fact that they do not run client code directly on the target. For this reason, vendors can combine both NT and UNIX probing into the same product. As in the case of UNIX remote scanners, it is possible to peer into some of the internals of an NT system even though you are not running a process on that system. For example, if the trust relationship is configured to permit remote access, some NT registry entries can be inspected. Microsoft’s Server Message Block protocol also divulges information to remote scanners, including the list of currently logged in users.</P>
<P>Network sniffers for UNIX and NT often are combined into one product, too. The source of data is the same for UNIX and NT network sniffers. Only the attacks monitored vary between the two operating system types. Many attacks are equally applicable to the IP stacks on both, such as SYN Flood.</P>
<P>System-level IDSs in UNIX and NT rely on different datastreams. NT provides an event log (or audit log) that tracks many important activities on the system. Vendors who write system-level IDSs for NT, such as Centrax and Kane, depend on the event log for the data that drives their engines.</P><P><BR></P>
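<P>As an added example, not from the book, the script below applies the watch list from the NT Security Review above (privilege changes in the user database, ACL changes on important system files, and privilege-escalation attempts, successful or not) to records from an NT security log export, the data source this section names. The log lines, their key=value description layout and the watched-directory list are constructed for the example; the event ID meanings are those of the NT 4 security log as assumed here.</P>

```python
import re
from typing import Dict, List

# Constructed NT-4-style security log export (tab-separated: date, time, type,
# category, event ID, source, computer, description). Sample lines, not a capture.
# The description is written as key=value pairs so it parses simply; real NT
# descriptions are free text and need a per-event regex instead.
SAMPLE_LOG = """\
12/01/98\t09:14:02\tSuccess Audit\tLogon/Logoff\t528\tSecurity\tNTSRV1\tuser=alice domain=CORP logon_type=2
12/01/98\t09:20:11\tSuccess Audit\tPolicy Change\t608\tSecurity\tNTSRV1\tuser=alice domain=CORP right=SeDebugPrivilege target=bob
12/01/98\t09:21:40\tFailure Audit\tPrivilege Use\t577\tSecurity\tNTSRV1\tuser=bob domain=CORP privilege=SeTcbPrivilege
12/01/98\t09:25:03\tSuccess Audit\tObject Access\t560\tSecurity\tNTSRV1\tuser=bob domain=CORP object=C:\\WINNT\\system32\\drivers\\etc\\hosts access=WRITE_DAC
12/01/98\t09:26:30\tSuccess Audit\tObject Access\t560\tSecurity\tNTSRV1\tuser=alice domain=CORP object=C:\\TEMP\\notes.txt access=WRITE_DAC
"""

# Directories whose ACLs count as "important system files" (assumed list).
WATCHED_PREFIXES = ("C:\\WINNT\\", "C:\\PROGRA~1\\")
# NT 4 security log event IDs as assumed for this example.
RIGHT_CHANGE = {"608", "609"}   # user right assigned / removed (privilege list changed)
PRIV_USE = {"577", "578"}       # privileged service called / privileged object operation
OBJECT_OPEN = "560"             # object open; description carries the requested accesses
DAC_WRITES = {"WRITE_DAC", "WRITE_OWNER"}  # accesses that rewrite an object's ACL

def parse_record(line: str) -> Dict[str, str]:
    """Split one export line into named fields plus the key=value description."""
    date, time, kind, category, event_id, source, computer, desc = line.split("\t", 7)
    rec = {"date": date, "time": time, "type": kind, "category": category,
           "event_id": event_id, "source": source, "computer": computer}
    rec.update(dict(re.findall(r"(\w+)=(\S+)", desc)))
    return rec

def detect(log_text: str) -> List[str]:
    """Apply the chapter's watch list to each record; return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        r = parse_record(line)
        if r["event_id"] in RIGHT_CHANGE:
            alerts.append(f"{r['time']} PRIV-CHANGE {r['user']} changed {r.get('right')} for {r.get('target')}")
        elif r["event_id"] in PRIV_USE and r["type"] == "Failure Audit":
            alerts.append(f"{r['time']} PRIV-ESCALATION-ATTEMPT {r['user']} tried {r.get('privilege')}")
        elif (r["event_id"] == OBJECT_OPEN and r.get("access") in DAC_WRITES
              and r.get("object", "").upper().startswith(WATCHED_PREFIXES)):
            alerts.append(f"{r['time']} ACL-CHANGE {r['user']} {r['access']} on {r['object']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

<P>The WRITE_DAC on a file under C:\TEMP is deliberately ignored: the chapter's point is ACL changes on system files, and flagging every user-owned file would swamp the operator.</P>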
</TD>
</TR>
</TABLE>
</BODY>
</HTML>