</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=6//-->
<!--PAGES=181-183//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch05/178-180.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="183-186.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 6<BR>Detecting Intruders on Your System Is Fun and Easy
</FONT></H2>
<P>Well, perhaps the title of this chapter is <I>slightly</I> misleading. Supposedly, <I>becoming</I> an intruder is fun and easy, too. If you want to detect intruders, you should know which system resources can be relied on to provide evidence. Should you want to become an intruder, you ought to know how commercial IDSs look for traces of your activity.</P>
<P>Scanners are designed to take a look at your system and to let you know whether you have configuration problems or holes that can be used for attacks. If your system was previously set up in a secure fashion, and an intruder has altered this configuration, a scanner will detect this change (when you run the scan) and notify you of the problem.</P>
<P>System-level intrusion detection tools differ from scanners in a couple of ways. If the IDS runs in real time, it can let you know the instant a compromise has occurred. Also, if the monitor gathers its data by reading an activity stream on the system, it can detect a range of features that a single scanner cannot. For example, scanners will not tell you that someone just entered three bad passwords and exceeded the failed login threshold.</P>
<P>By the time you finish this chapter, you will understand the following:</P>
<DL>
<DD><B>•</B> How to classify attacks according to how they originate and the threat they pose
<DD><B>•</B> The pros and cons of different data sources that a system monitor can use for decisions
<DD><B>•</B> What system monitors can and cannot detect
<DD><B>•</B> The tradeoffs you may need to make for monitoring your systems in real time
<DD><B>•</B> What it takes to really track someone through a network
</DL>
<P>As you will soon see, you need to consider a number of issues when trying to build a system-level IDS.
</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">Classes of Attacks</FONT></H3>
<P>Table 6.1 provides a convenient way of looking at attack categories. You can see that threats generally are divided between <I>internal</I> and <I>external</I> points of origin. Along the other axis, you see increasingly more severe attacks. Inside the table are relative indications of the seriousness of the consequences. If an internal user obtains privileges belonging to other users, you usually can rectify the situation and perhaps take legal action. When someone outside your network is able to gain superuser access into one of your nodes, you have a catastrophic breakdown in security somewhere. Also, because so many ways to hide one’s identity from the outside exist, the chances of catching the intruder are slim.</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 6.1</B> Categorizing Attacks in Two Dimensions</CAPTION>
<TR>
<TH COLSPAN="3"><HR></TH>
</TR>
<TR>
<TD WIDTH="30%" COLSPAN="3" ALIGN="CENTER"><B>Point of Origin</B></TD>
</TR>
<TR>
<TD></TD>
<TH WIDTH="25%" ALIGN="LEFT">Internal User</TH>
<TH WIDTH="45%" ALIGN="LEFT">External User</TH>
</TR>
<TR>
<TD COLSPAN="3"><HR></TD>
</TR>
<TR>
<TD>Denial of Service</TD>
<TD>Annoying</TD>
<TD>Annoying</TD>
</TR>
<TR>
<TD>Increased privilege</TD>
<TD>Moderately serious</TD>
<TD>Serious risk</TD>
</TR>
<TR>
<TD>Superuser privilege</TD>
<TD>Very serious</TD>
<TD>Disaster</TD>
</TR>
<TR>
<TD COLSPAN="3"><HR></TD>
</TR>
</TABLE>
<H4 ALIGN="LEFT"><A NAME="Heading3"></A><FONT COLOR="#000077">Internal Attacks</FONT></H4>
<P>Statistics from the FBI Crime Lab consistently show that the majority of computer crime occurs from the inside. True, as more people connect to the Internet, the threats from outside increase. Today, most crimes still are committed by insiders, or at least outside criminals are assisted by insiders. The theft of millions of dollars from a major U.S. bank was launched from Russia, but collusion from an insider made the task easier. Most of the money was returned. Although some companies do not like to think of their employees, contractors, or business partners as potential criminals, historical data encourages them to do so. What are some of the threats that an insider poses to internal systems?
</P>
<P><FONT SIZE="+1"><B>Internal Denial-of-Service Attack</B></FONT></P>
<P>Recently, a number of NT systems at the University of Texas were hounded by a denial-of-service attack against the IP stack delivered with NT. The attack was a variant of the <I>Teardrop</I> UDP attack that was possible because of a bug in NT. By sending certain types of UDP datagrams, an adversary could cause the system to crash. Because UDP packets often are blocked by screening routers or firewalls, this threat was unlikely from outside sources. Someone with access to one of the UT labs launched the attack internally.</P>
<P>Users with accounts on various company servers or on university systems pose threats because they already have access to the system. Once you are able to establish a login session on a computer, a number of denial-of-service attacks are possible:</P>
<DL>
<DD><B>•</B> Consume all of the disk space in the /tmp directory of UNIX systems to slow or crash the system (depending on how that particular version of UNIX handles this condition)
<DD><B>•</B> Write a program to consume all available resources such as all of the memory buffers allocated for sockets
<DD><B>•</B> Fill up the printer queue directory
<DD><B>•</B> Create a number of concurrent I/O bound processes that thrash the disk repeatedly
</DL>
<P>You really don’t even need an account on a system to cause problems. As shown in Chapter 2, “The Role of Identification and Authentication in Your Environment,” physical or network access is sufficient for locking all accounts with failed login attempts until the lockout threshold is hit for each account. If the system permits remote logins from other nodes inside the enterprise, failed login attacks are possible even when physical access is not granted.
</P>
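<P>The two detection problems raised above, the failed-login threshold that a one-shot scanner cannot see but a monitor reading the activity stream can, and the failed-login sweep that locks every account once the lockout threshold is hit, can both be spotted from the same log stream. The following is an added example, not code from the book; the syslog-like line format, the sample log, the function names and the default thresholds are all assumptions made for illustration.</P>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log in a syslog-like layout; not taken from the book.
SAMPLE_LOG = """\
Mar 12 09:00:01 host1 login[1201]: FAILED LOGIN for alice from 10.0.0.5
Mar 12 09:00:04 host1 login[1201]: FAILED LOGIN for alice from 10.0.0.5
Mar 12 09:00:09 host1 login[1201]: FAILED LOGIN for alice from 10.0.0.5
Mar 12 09:05:00 host1 login[1300]: FAILED LOGIN for bob from 10.0.0.9
Mar 12 09:05:01 host1 login[1300]: FAILED LOGIN for carol from 10.0.0.9
Mar 12 09:05:02 host1 login[1300]: FAILED LOGIN for dave from 10.0.0.9
Mar 12 09:30:00 host1 login[1400]: FAILED LOGIN for bob from 10.0.0.9
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
                     r"FAILED LOGIN for (\S+) from (\S+)$")

def parse_failures(text):
    """Return time-ordered (timestamp, user, source) tuples for failed-login lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; ordering is all we need here
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return sorted(events)

def _in_window(items, ts, window):
    """Values of the (time, value) items stamped within `window` up to `ts`."""
    return [v for t, v in items if ts - window <= t <= ts]

def accounts_over_threshold(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts reaching `threshold` failures inside one sliding window: the event
    a one-shot scanner never sees but a monitor reading the log stream does."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    return sorted(u for u, items in by_user.items()
                  if any(len(_in_window(items, ts, window)) >= threshold
                         for ts, _ in items))

def lockout_sweep_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Sources failing against `min_accounts` distinct accounts inside one window:
    the shape of an attempt to lock every account rather than to guess one."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    return sorted(s for s, items in by_src.items()
                  if any(len(set(_in_window(items, ts, window))) >= min_accounts
                         for ts, _ in items))
```

<P>On the sample log, <CODE>accounts_over_threshold</CODE> flags only <CODE>alice</CODE> (bob's two failures are 25 minutes apart), while <CODE>lockout_sweep_sources</CODE> flags only <CODE>10.0.0.9</CODE>, which touched three different accounts in three seconds.</P>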
<P>Most environments run a large number of client-server applications. The telnet program is a well-known example. However, numerous proprietary client-server protocols are running throughout the enterprise, and each of these also is susceptible to denial-of-service attacks. For example, it is unlikely that many legacy applications are performing adequate authentication of packets received. Forged IP addresses and packets can find their way into listening servers and cause denial-of-service attacks. If the servers are designed to accept connections from any internal node, it’s easy enough to create packets, flood the server with them, and thus render the server useless.</P>
<DL>
<DD><I>In general, the closer you can get to running on the system directly, the more damage you can potentially do.</I>
</DL>
<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->