Posted by arlene
It would be wonderful if this could close by claiming victory in the war on intruders. You know by now that perfect security is impossible. You’ve had a chance to see how scanners, system-level tools, and network IDSs are able to catch some hacks but miss others. Your job is to know the types of […]
Posted by arlene
RealSecure
ISS is already the market leader in scanning tools with SAFESuite. RealSecure is a widely used network IDS that complements ISS’s other offerings. Like NetRanger, RealSecure supports remote sensing stations, called engines, that report to a central console. Naturally, communication between the engines and the console is cryptographically protected using a shared pass phrase. It shows […]
Posted by arlene
An InfoWorld test reported in the May 4, 1998 issue rated products as follows:
IBM’s outsourced solution using NetRanger
ISS RealSecure
Network Flight Recorder (NFR)
Abirnet Session Wall
The InfoWorld team assembled a suite of 16 well-known network attacks and tried each against the products. Only NFR caught all of the attacks. The team used the […]
Posted by arlene
Still, this seems to be something that an IDS can track. As long as a path can be found from the source buffer to the final memory storage location written to the socket, the IDS will be able to detect that data has been compromised. Before you get another cup of coffee or tea, consider […]
Posted by arlene
An IDS traces the path of activity so that an operation can be attributed to a specific user. In other words, the IDS looks at more than one event before making a policy decision. This process is quite different from an OS that relies on the credentials of the running process at the […]
Posted by arlene
A number of other scanners are on the market today; two of them are mentioned here, and the list of competitors is growing almost daily. Ballista, developed by Secure Networks, Inc., is now owned and marketed by Network Associates. The IBM Network Security Auditor (NS Auditor) is another alternative, primarily for UNIX systems.
Ballista
Developed under the leadership […]
Posted by arlene
Next, you want to look for the event that turns this file into an executable. In AIX this would be a FILE_Mode event. For this example, the audit event for this activity will be labeled E2. The sequence of interest is E1, followed by any number of other events, followed by E2. E1 alone is […]
Posted by arlene
A hacker prefers to gain additional access to resources on the system rather than launch DoS attacks. To get beyond the system’s defined ACLs, a local user needs to trick another user into either granting this access or into operating on behalf of that user. Obviously, if you can determine someone else’s password, you can […]
Posted by arlene
UNIX systems are susceptible to denial-of-service (DoS) attacks because many of the system’s resources, including kernel resources, disk storage, and memory, are shared among users. This section describes a few DoS attacks that can occur even if the user does not have special privileges. As UNIX OSs have become more mature, they have been placing […]
Posted by arlene
A pattern-matching IDS can look at a sequence of events to detect a problem. For example, if someone is suddenly removing dozens or hundreds of files, you might be faced with a disgruntled employee about to leave a system in an irreparable state. If you wanted to detect such an attack, you could configure your […]
Posted by arlene
Recall from earlier discussions that systems are usually compromised for one of two reasons:
Improper configuration by the vendor or by an administrator
Software bugs in software you purchase and in software you develop
Even the best preventive security tool will not meet your expectations if it is improperly configured. Firewall scans by consultants and security organizations such as ICSA […]
Posted by arlene
One of the consequences of acquisitions and mergers in the security industry is the maturing of security products so that they fit better into enterprise system management solutions. General event monitoring is one of the most useful components of a distributed management framework, such as Tivoli TME, which includes the Event Manager. Site administrators are […]
Posted by arlene
CMDS is best known for its statistical anomaly-detection approach, although CMDS also includes an expert system with pattern-matching signatures. Many early IDSs were written using rule-based expert systems, although this programming paradigm is not widely used today.
Analysis Modes
CMDS can analyze target node data in real time, batch, or on-demand modes. Each target runs a daemon […]
Posted by arlene
At the time this was written, the real-time, client-server, heterogeneous Stalker product was not available. Naturally, you should check the Network Associates Web site for the latest information. Many enhancements to Stalker have been planned and will roll out over time. You want to remember that batch reports are an important part of security monitoring. […]
Posted by arlene
Many tradeoffs can be made in system monitoring. The two most important variables you can trade off are CPU and network performance. If you run Stalker Manager and Agent software on each node, you can analyze the data on the systems where it is created. You will spend CPU cycles on each node performing the analysis, […]
Posted by arlene
The output from the query can be displayed, printed, mailed, or saved to a file. When saved to a file, the format can be either a text report or an audit event file that can be further reduced with another query. Queries may be formulated in advance and then stored as templates. Scheduled TB queries […]
Posted by arlene
Configuring and maintaining audit logs on UNIX systems is no trivial matter. A number of different parameters need to be set properly, and expertise in UNIX audit administration is not a widely available skill. Furthermore, the management concepts and tasks differ widely across UNIX systems. For example, the AIX audit subsystem provides a panic capability. […]
Posted by arlene
The important features of S3 to examine are its alternative configurations, its reporting capabilities, and the set of vulnerabilities it handles.
Local and Remote Scan Configurations
S3 can be run on a single node to scan for and report on security weaknesses on that node. Each system in the network that requires scanning must be installed with […]
Posted by arlene
Stalker conveniently groups patterns into classes, such as Trojan Horse. Space does not permit an exhaustive list and description of attacks detected by Stalker. Table 8.1 summarizes this information.
The MD was developed over several years and has a good foundation in intrusion detection research. IDSs use different engines for analyzing attacks. Some, such as CMDS, […]
Posted by arlene
Stalker is a client-server, heterogeneous IDS for UNIX systems. In addition to providing intrusion and misuse detection, Stalker also can be used for audit reduction to whittle down a collection of audit records into meaningful information.
Stalker employs a client-server model for distributed, heterogeneous UNIX systems. The Stalker Manager software is installed on a central server […]