			</font>
</td>
</tr>
</table>
	</form>

		</td>
		

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=234-237//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<H4 ALIGN="LEFT"><A NAME="Heading8"></A><FONT COLOR="#000077">Some Alternative Stalker Configurations</FONT></H4>
<P>As noted in other chapters, many tradeoffs can be made in system monitoring. The two most important variables you can trade off are CPU and network performance. If you run the Stalker Manager and Agent software on each node, you can analyze the data on the systems where it is created. You will spend CPU cycles on each node performing the analysis, but you will not be sending large audit logs across the network. If you get clever, you can use the Stalker Manager code on the Agent systems to reduce the audit logs before sending them to a central server for storage. Unfortunately, the pricing model of Stalker does not make this configuration too attractive at this time.
</P>
<P>On the other hand, if you do not want your agent nodes wasting CPU cycles doing intrusion detection, you can eat up some network bandwidth and send the audit logs to the server using NFS, FTP, or your favorite distributed file system tool. By the way, a Stalker Agent is not necessarily a puny little workstation. Agent is a <I>role</I> that a system plays in the Stalker environment. An agent could be a big megaserver with loads of storage, memory, and plenty of parallel processors. Similarly, the Stalker Manager could be run on the oldest single-user UNIX workstation you have at your site, although this would not be a good choice for something that needs to analyze quite a bit of data.</P>
<P>A special version of Stalker is modified to monitor the IBM Firewall. The product includes some custom reports to monitor the configuration and executable files that make up the firewall. This feature is complementary to the Tripwire type of file checking that the firewall already does. Stalker will report on who is changing firewall executables or configuration files and describe the audit events that led up to that behavior. Although it would be a useful extension, Stalker does not read or monitor the log files emitted by the firewall. Special attack patterns also have not been developed explicitly for firewalls. Now that Haystack has been subsumed into Network Associates, which owns the Gauntlet Firewall, a closer fit between IDSs and firewalls is likely.</P>
<P><FONT SIZE="+1"><B>Stalker V3</B></FONT></P>
<P>A new version of Stalker is planned for 1998. One notable enhancement is real-time processing of MD signatures, so that you can look for attacks as they occur. Information exchanges between Stalker Agents and the Manager will be accomplished in real time using a secure communications protocol.
</P>
<P>In Chapter 2, "The Role of Identification and Authentication in Your Environment," emphasis was placed on the following triad:</P>
<DL>
<DD>Prevention + Detection + Response</DD>
</DL>
<P>Stalker V3 also provides capabilities for different real-time responses when attack patterns are matched. Possibilities include e-mail, paging, custom scripts, killing processes, disabling logins, blocking logins for an interval, and SNMP traps. The design is flexible enough to enable you to respond in unique ways to different intrusions and to vary your responses by time of day.
</P>
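<P>The response side described above (different actions per matched pattern, actions that vary by time of day, and "blocking logins for an interval" rather than permanently) can be modelled in a few lines. The following is an added example written for this page, not Stalker V3 code; the policy table, the pattern names, the business-hours window and the action names are all assumptions chosen for illustration.</P>

```python
"""Real-time response policy (added example, not Stalker V3 code).

Maps a matched attack pattern to a list of response actions, varies the
list by time of day, and models "block logins for an interval" as an
entry that lapses on its own once the interval has elapsed.
"""
from datetime import datetime, timedelta

# Constructed policy: pattern name -> actions per time band.
# Pattern and action names are illustrative; a real tool would wire the
# actions to mail, a pager, custom scripts, process kills or SNMP traps.
POLICY = {
    "failed-login-threshold": {
        "business": ["email"],
        "off_hours": ["email", "page", "block-login"],
    },
    "setuid-shell-created": {
        "business": ["email", "page", "kill-process"],
        "off_hours": ["email", "page", "kill-process", "disable-login"],
    },
}
BUSINESS_HOURS = (8, 18)            # 08:00 inclusive to 18:00 exclusive (assumed)
BLOCK_INTERVAL = timedelta(minutes=30)  # assumed length of a temporary login block


def time_band(now, hours=BUSINESS_HOURS):
    """Classify a timestamp as business hours or off hours."""
    return "business" if hours[0] <= now.hour < hours[1] else "off_hours"


def select_responses(pattern, now, policy=POLICY):
    """Return the response actions for a matched pattern at time `now`."""
    bands = policy.get(pattern)
    if bands is None:
        return ["email"]  # unknown pattern: at least notify someone
    return list(bands[time_band(now)])


class LoginBlocker:
    """Tracks temporary login blocks; a block expires after `interval`."""

    def __init__(self, interval=BLOCK_INTERVAL):
        self.interval = interval
        self.blocked_until = {}

    def block(self, user, now):
        self.blocked_until[user] = now + self.interval

    def is_blocked(self, user, now):
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[user]  # interval elapsed: logins allowed again
            return False
        return True


def respond(pattern, user, now, blocker):
    """Select responses for a match and apply the login block if requested."""
    actions = select_responses(pattern, now)
    if "block-login" in actions:
        blocker.block(user, now)
    return actions


if __name__ == "__main__":
    blocker = LoginBlocker()
    night = datetime(1998, 11, 1, 2, 0)
    print(respond("failed-login-threshold", "alice", night, blocker))
    print(blocker.is_blocked("alice", night + timedelta(minutes=10)))
```

The block expiry is the part worth noting: a permanent block on a threshold hit invites denial of service against legitimate accounts, so the interval-based block re-enables the login on its own while the notification actions still reach an operator.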
<P>Before moving to the next section, it is worth mentioning again that Stalker also provides <I>threshold</I> detection for a few events, such as failed logins or failed su events. Thus, Stalker shares characteristics with anomaly detectors such as CMDS. Exceeding a threshold of a specific event is the simplest form of statistical anomaly detection. Conversely, CMDS includes a few pattern matching rules, too. You can even find a few sites that run <I>both</I> CMDS and Stalker.</P>
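<P>Threshold detection of the kind just described (too many failed logins or failed su attempts for one user inside a short window) is simple enough to show in full. The following is an added example, not Stalker code; the audit record layout, the sample records, the window length and the per-event thresholds are constructed for illustration.</P>

```python
"""Threshold detection over a constructed audit trail (added example, not Stalker code).

Counts failed login and failed su events per user inside a sliding time
window and raises an alert when the count exceeds a configured threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: (timestamp, event, user, outcome).
# The field layout is an assumption for this example, not a real audit format.
SAMPLE_AUDIT = [
    ("1998-11-01 08:00:01", "login", "alice", "fail"),
    ("1998-11-01 08:00:05", "login", "alice", "fail"),
    ("1998-11-01 08:00:09", "login", "alice", "fail"),
    ("1998-11-01 08:00:12", "login", "alice", "fail"),
    ("1998-11-01 08:00:20", "login", "alice", "success"),
    ("1998-11-01 09:10:00", "su", "bob", "fail"),
    ("1998-11-01 09:10:30", "su", "bob", "fail"),
    ("1998-11-01 09:30:00", "su", "bob", "fail"),   # older failures fall out of the window
    ("1998-11-01 09:31:00", "login", "carol", "fail"),
]

THRESHOLDS = {"login": 3, "su": 2}  # alert when failures in the window EXCEED this
WINDOW = timedelta(minutes=10)


def detect_threshold_events(records, thresholds=THRESHOLDS, window=WINDOW):
    """Return one alert per (event, user) whose failure count exceeds its threshold."""
    recent = defaultdict(deque)  # (event, user) -> timestamps of failures in window
    alerts = []
    alerted = set()
    for ts_str, event, user, outcome in records:
        if outcome != "fail" or event not in thresholds:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = (event, user)
        window_q = recent[key]
        window_q.append(ts)
        # Drop failures older than the window before counting.
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        # Alert once per key so a burst does not flood the operator;
        # a production tool would re-arm once the window has emptied.
        if len(window_q) > thresholds[event] and key not in alerted:
            alerts.append({"event": event, "user": user,
                           "count": len(window_q), "at": ts_str})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_threshold_events(SAMPLE_AUDIT):
        print(alert)
```

With the sample data, only alice trips the login threshold (four failures within twelve seconds); bob's three failed su attempts are spread over twenty minutes, so the sliding window never holds more than two of them, which is exactly the distinction a fixed count without a window would miss.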
<H3><A NAME="Heading9"></A><FONT COLOR="#000077">Detecting Hacks with the Computer Misuse Detection System</FONT></H3>
<P>Like Stalker, CMDS is an audit trail analysis tool. CMDS performs audit reduction from heterogeneous and distributed <I>target</I> nodes. CMDS development at <I>Science Applications International Corporation</I> (SAIC) was led by Paul Proctor (Proctor, 1994). The CMDS <I>server</I> analyzes the data provided to it by monitored targets. Analysis occurs in real time unless CMDS is configured otherwise. Historical audit logs can be saved and interrogated later as in Stalker.</P>
<P>Because the audit logs are the primary source of information for CMDS, accountability can be attributed to users via the AUID or to remote systems by gathering all activities for a particular IP address. Statistical profiles for a given network address can thus be created and tracked historically.</P>
<P>Often, potential IDS customers ask for "useful management reports" to pass up the chain of command. Summary statistical reporting is another CMDS strength. The original sponsors were looking for a system that could provide good summaries of suspicious activities. This requirement helped drive the development of good reporting in the core CMDS offering.</P>
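<P>The per-address statistical profile mentioned above is the step beyond a fixed threshold: instead of a constant, the expected level of activity for each source address is estimated from its own history, and a new day is judged against that baseline. The following is an added example, not CMDS code; the daily counts, the addresses and the three-sigma cutoff are constructed assumptions.</P>

```python
"""Per-address statistical profile (added example, not CMDS code).

Builds a baseline of daily audited-event counts per source address from
historical summaries, scores a new day's count as a z-score against that
baseline, flags large deviations, and folds the new day into the history.
"""
from statistics import mean, pstdev

# Constructed history: source address -> daily event counts attributed to
# that address over the previous days (oldest first).
HISTORY = {
    "10.0.0.5": [40, 42, 38, 45, 41, 39, 44],
    "10.0.0.9": [5, 4, 6, 5, 5, 4, 6],
}

# Constructed counts for the day being analyzed; 10.0.0.77 has no history.
TODAY = {"10.0.0.5": 43, "10.0.0.9": 60, "10.0.0.77": 12}


def build_profile(history, min_days=5):
    """Return address -> (mean, population stddev) for addresses with enough history."""
    profile = {}
    for addr, counts in history.items():
        if len(counts) < min_days:
            continue  # too little history to estimate a baseline
        profile[addr] = (mean(counts), pstdev(counts))
    return profile


def score_day(profile, addr, count, sigma_floor=1.0):
    """z-score of today's count against the address baseline; None if no baseline."""
    if addr not in profile:
        return None
    mu, sigma = profile[addr]
    # A very stable host has a tiny stddev; the floor stops a one-event
    # change from scoring as a huge deviation.
    sigma = max(sigma, sigma_floor)
    return (count - mu) / sigma


def flag_anomalies(profile, today, sigmas=3.0):
    """Return address -> rounded z-score (or 'no-baseline') for noteworthy addresses."""
    flagged = {}
    for addr, count in today.items():
        z = score_day(profile, addr, count)
        if z is None:
            flagged[addr] = "no-baseline"
        elif abs(z) > sigmas:
            flagged[addr] = round(z, 2)
    return flagged


def update_history(history, today, keep_days=30):
    """Append today's counts so the profile tracks each address over time."""
    for addr, count in today.items():
        series = history.setdefault(addr, [])
        series.append(count)
        del series[:-keep_days]  # retain only the most recent keep_days entries
    return history


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print(flag_anomalies(profile, TODAY))
    update_history(HISTORY, TODAY)
```

Addresses with no baseline are reported separately rather than scored, since a first appearance is itself worth a summary line; the history update is what lets the profile adapt as a host's normal workload changes, and the retention cap keeps the baseline from being dominated by months-old behaviour.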
<P>When a survey of existing IDSs was done as part of the CMDS background research, it was discovered that many existing tools were tailored to the data source and other characteristics of the environment. At that time, Stalker was just beginning to emerge to provide a general-purpose framework adaptable to audit 
