</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=7//-->
<!--PAGES=221-225//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="217-221.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="225-226.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><B>Vulnerabilities Remotely Scanned by ISS</B></P>
<DL>
<DD>Admind
<DD>Alerter and Messenger Services
<DD>All Access NetBIOS share&#151; Everyone
<DD>All Access NetBIOS share&#151; Guest
<DD>All Access NetBIOS share
<DD>Anonymous FTP
<DD>Bootparam
<DD>Brute-Force
<DD>Brute-Force Netware FTP
<DD>Brute-Force Cisco
<DD>CGI Exec
<DD>Check Share Passwords
<DD>Data Flood
<DD>Echo, Chargen, Time, and Daytime Services
<DD>Files Obtained
<DD>Finger
<DD>Finger Bomb
<DD>Finger Names
<DD>Finger Output
<DD>FTP CD ~root Bug
<DD>FTP Site Exec
<DD>FTP Writable
<DD>Guess cgi-bin
<DD>IIS &#8220;.bat&#8221; and &#8220;.cmd&#8221; Bug
<DD>IP Spoofing
<DD>Kerberos IV Brute Force
<DD>Kerberos IV User Peek
<DD>Lan Manager Security
<DD>Linux Time Bomb
<DD>List cgi-bin
<DD>Microsoft &#8220;cd ..&#8221; Bug
<DD>Microsoft Network Client Password Cache
<DD>NetBIOS Null Session
<DD>NetBIOS Share
<DD>Netstat Check
<DD>NFS
<DD>NFS Access Files
<DD>NFS CD .. Bug
<DD>NFS Cache
<DD>NFS Export
<DD>NFS mknod
<DD>NFS Portmapper Export
<DD>NFS Sun File Handle Guess
<DD>NFS UID
<DD>NFS Write
<DD>NIS
<DD>Open/Close Flood
<DD>Open NetBIOS Share
<DD>Out of Band Crash
<DD>Password Permutations
<DD>phf Check
<DD>PCNFSD
<DD>Ping Bomb
<DD>Ping &#8217;O Death
<DD>Popd/Imapd
<DD>Proxy Scan
<DD>Rexd
<DD>Rexec Service
<DD>RIP Spoofing
<DD>Rlogin froot
<DD>Root Dot Dot
<DD>Routed
<DD>RPC/NIS Update
<DD>RPC Pcnfsd
<DD>RPC Statd
<DD>Rsh
<DD>Rsh Null Account
<DD>Rstat
<DD>Rstat Output
<DD>Ruser
<DD>Rwhod
<DD>Selection Service
<DD>Sendmail Debug Mode
<DD>Sendmail EXPN
<DD>Ident Service Test
<DD>Sendmail Identd Bug
<DD>Sendmail Remote Execution
<DD>Sendmail Syslog
<DD>Sendmail VRFY
<DD>Sendmail Wizard Backdoor
<DD>SNMP
<DD>SOCKS Scan
<DD>SYN Storm
<DD>Sysstat
<DD>System Log Flood
<DD>Telnetd Linker
<DD>TFTP (Trivial File Transfer Protocol)
<DD>Traceroute
<DD>Trusted Hosts
<DD>UDP Bomb
<DD>Ultrix NFS Remount Bug
<DD>Unresolved HTTP Link
<DD>UUCP
<DD>Vulnerable HTTP Servers
<DD>Vulnerable NNTP Server
<DD>Window NT Active Server Page Bug
<DD>Windows NT DNS Server
<DD>Windows NT 4.0 beta
<DD>Writable NetBIOS share&#151; Everyone
<DD>Writable NetBIOS share&#151; Guest
<DD>Wall
<DD>Writable NetBIOS Share
<DD>WWW Directories without an index
<DD>WWW Proxy Penetrated
<DD>X25
<DD>X Window System
</DL>
<P>Earlier we mentioned that most remote scanners cannot peer into your system like local scanners do. Actually, some protocols, such as RPC and NIS, can be used by remote scanners to peek inside your system much like local processes. For example, in older implementations of NIS, you could get a copy of the password file by running ypcat on remote nodes in the NIS domain. Remote vulnerability scanners use some of these protocol techniques to look for weaknesses in your systems, too.
</P>
<P><FONT SIZE="+1"><B>Where Is ISS Headed?</B></FONT></P>
<P>By the time this book is published, you can expect to find ISS rounding out its offerings with a system-level IDS as well. Other vendors are acquiring or developing complementary technologies, too, to offer scanners, network, and system IDSs individually or as part of a suite. When this occurs, you will benefit from common configuration files, similar user interfaces, and a common management framework (or console).
</P>
<H3><A NAME="Heading9"></A><FONT COLOR="#000077">Other Scanners</FONT></H3>
<P>A number of other scanners are on the market today, and the list of competitors is growing almost daily; two are mentioned here. Ballista, developed by Secure Networks, Inc., is now owned and marketed by Network Associates. The IBM Network Security Auditor (NS Auditor) is another alternative, primarily for UNIX systems.
</P>
<H4 ALIGN="LEFT"><A NAME="Heading10"></A><FONT COLOR="#000077">Ballista</FONT></H4>
<P>Developed under the leadership of Alfred Huger, Ballista boasts the largest list of vulnerabilities detected for UNIX systems. Although systems management and scalability features are clearly important to many customers, there seems to be a laundry-list factor in how purchase decisions are made. Whether the list of attacks scanned becomes the distinguishing feature for the market leader in scanners remains to be seen.
</P>
<P>Ballista is a remote scanner that provides informative graphical reporting on results. The list of attacks is too long to include here, but you can find it at <A HREF="www.secnet.com">www.secnet.com</A> or at <A HREF="www.neta.com">www.neta.com</A> (the Network Associates site). Not only does Ballista have an impressive list of recognized vulnerabilities, but the IDS is based on an extensible architecture known as CAPE. This leads to some very interesting possibilities. You can build your own attack patterns to scan or plug Ballista into other products.</P>
<H4 ALIGN="LEFT"><A NAME="Heading11"></A><FONT COLOR="#000077">IBM Network Security Auditor</FONT></H4>
<P>The IBM Firewall is packaged with the Network Security Auditor remote scanner as an added bonus. The NS Auditor has its roots in the days of the Internet Worm incident. Two scientists at IBM Research were nose down in graduate school at Texas A&#38;M University when the Worm hit. Not long after that incident, several other attacks were launched on the Internet. Dave Safford and Doug Schales were involved in discovering, monitoring, and repairing the damage caused by these attacks. The results of their efforts are widely distributed as the TAMU Tiger package. These two are also the initial authors of NS Auditor.
</P>
<P>The NS Auditor is unique in that it uses heuristics (AI techniques) to make some decisions during its scanning phase. A wide range of options also can be specified for controlling the scan, including the following:</P>
<DL>
<DD><B>&#8226;</B>&nbsp;&nbsp;Time-out limits for open port connections
<DD><B>&#8226;</B>&nbsp;&nbsp;Whether to walk anonymous ftp trees looking for writable directories
<DD><B>&#8226;</B>&nbsp;&nbsp;Factors affecting the speed of the scan
</DL>
<P>At this time, IBM does not offer NS Auditor as a separate product, although the tool is used by IBM consultants. The version of NS Auditor that ships with the firewall is limited to scanning an individual subnet of addresses rather than being wide open to scanning <I>any</I> addresses. Other scanners impose the same limitations using a license-key mechanism. The reason is simple&#151;the difference between a network assessment and a network penetration attempt depends on the person running the scanner. A scanner with no limitations on network addresses for targets could be used to probe systems throughout the Internet.</P>
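<P>The scope limit described above (a scanner bound to a licensed subnet) together with the time-out and pacing options listed for NS Auditor can be enforced in a small policy layer in front of any scan engine. The following is an added example written for this page, not code from NS Auditor, ISS, or Ballista; the <CODE>ScanPolicy</CODE> class, its field names and the sample addresses are all constructed for illustration.</P>

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ScanPolicy:
    """Constructed example of a scan-scope gate (not any vendor's API).

    licensed_nets     : networks the license permits as targets (the subnet
                        restriction the text describes)
    connect_timeout   : per-port time-out, as in the NS Auditor option list
    max_hosts_per_sec : pacing factor that bounds scan speed
    """
    licensed_nets: list
    connect_timeout: float = 5.0
    max_hosts_per_sec: int = 10

    def __post_init__(self):
        # Normalise license entries once; strict=False accepts host bits set.
        self.licensed_nets = [ipaddress.ip_network(n, strict=False)
                              for n in self.licensed_nets]

    def in_scope(self, target: str) -> bool:
        """True only if the whole requested target (host or CIDR) lies inside
        one licensed network.  A block wider than the license is refused."""
        net = ipaddress.ip_network(target, strict=False)
        return any(net.version == lic.version and net.subnet_of(lic)
                   for lic in self.licensed_nets)

    def filter_targets(self, targets):
        """Split requested targets into (allowed, refused); entries that are not
        literal IPs or CIDRs are refused rather than resolved by name."""
        allowed, refused = [], []
        for t in targets:
            try:
                ok = self.in_scope(t)
            except ValueError:
                ok = False
            (allowed if ok else refused).append(t)
        return allowed, refused

    def schedule(self, allowed):
        """Assign each allowed target a start offset (seconds) so that no more
        than max_hosts_per_sec hosts are started per second."""
        return [(t, i / self.max_hosts_per_sec) for i, t in enumerate(allowed)]


if __name__ == "__main__":
    # Constructed sample: license covers 192.0.2.0/24 only.
    policy = ScanPolicy(["192.0.2.0/24"], connect_timeout=3.0, max_hosts_per_sec=2)
    ok, bad = policy.filter_targets(["192.0.2.7", "192.0.2.0/23", "198.51.100.1"])
    print("allowed:", ok, "refused:", bad, "plan:", policy.schedule(ok))
```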
<H4 ALIGN="LEFT"><A NAME="Heading12"></A><FONT COLOR="#000077">Keeping the Scanners Current</FONT></H4>
<P>Most scanners rely on knowledge of historical problems rather than on predictive capabilities. Because a new exploit is discovered at least every week, keeping the scanning database up to date is necessary. Companies that aggressively market intrusion detection products often maintain a skilled set of researchers who monitor newsgroups, communicate with the underground, and generate original results to find new hacks to add to the products. The X-Force team is one good example (<A HREF="www.iss.net/xforce">www.iss.net/xforce</A>). Others include the squads at Secure Networks Inc. (SNI, now part of Network Associates) and the WheelGroup (now part of Cisco). L0pht Heavy Industries is particularly skilled and has reported many important findings.</P><P><BR></P>


		</TD>
    </TR>
	</TABLE>
</BODY>
</HTML>
