Intrusion Detection and Prevention (UNC Charlotte, ITIS 6200: itis6200_06_intrusion_detection.pdf)
Related Chapters
• Chapter 3, Detecting System Intrusions
• Chapter 4, Preventing System Intrusions
• Chapter 5, Guarding Against Network Intrusions
• Chapter 26, Intrusion Prevention and Detection Systems
• Chapter 27, TCP/IP Packet Analysis
• Chapter 28, The Enemy (The Intruder’s Genesis)
Intrusion Detection Systems vs. Firewalls
• Intrusion detection systems (IDSs) detect unauthorized intrusions
– Anomaly-based: learns “normal” behavior and flags deviations from it
– Signature-based: matches known attack patterns, including slight variations of them
– Hybrid: combines the best characteristics of both
• Firewalls offer the first line of defense
– A “secure firewall” combines the five most necessary security systems (firewall, antivirus/spyware/spam, VPN, application filtering, and intrusion prevention/detection systems) into a single appliance
TCP/IP
• Transmission Control Protocol/Internet Protocol
– Ubiquitous networking protocol
– Uses freely available open protocol standards
– Independent of device and transmission media
– Consistent addressing scheme
– Globally scalable
• Vast majority of attacks utilize TCP/IP
TCP/IP Data Architecture
• Layered stack of functions
• Each layer provides services and capabilities to layers above and below
– Modular functionality
– Details within a function are hidden from other functions
• Application layer
– Concerned with applications and processes
TCP/IP Data Architecture (cont.)
• Transport layer
– Handles data flow between applications on different network hosts
– There are two transport protocols: TCP and UDP
• Network layer
– Responsible for packet addressing and routing
• Physical layer
– Responsible for interaction with the physical network medium
Data Encapsulation
• As data is handed down the stack, each layer adds its own header
– TCP header (or UDP header)
– IP header
• Network attacks can occur at every layer of the TCP/IP stack
• An effective intrusion prevention and detection system must inspect each layer
Figure 26.3 TCP/IP encapsulation. Headers are added as data packets move through the layers (shown for both outgoing and incoming data).
Figure 26.4 Application and network interaction example. The example uses email messages to illustrate header information.
Definitions
• Intrusion
– A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
• Intrusion detection
– The process of identifying and responding to intrusion activities
Intrusions
• An intrusion is any action taken by an adversary that negatively impacts information:
– Confidentiality
– Integrity
– Availability
• Commonly occurring types of intrusions
– Physical theft
– Abuse of privileges (insider threat)
– Unauthorized access by an outsider
Intrusion Monitoring and Detection
• Must detect and diagnose malicious activities
• Monitoring and analysis: passive techniques
• Typical IDS response: alert to administrators
– Presumes incidents need human expertise and judgment for follow-up
• Detection accuracy: critical problem
– Minimize false positives and false negatives
• Two analysis approaches
– Misuse detection and anomaly detection
Attackers and Motives
• Script kiddie
– Attacker with little or no skill using another’s published “script” to perform an attack
• Joy rider
– Attack motive: exploring, usually not malicious
• Mercenary
– Selling skills to compromise computer systems
– Organized crime
• Nation-state backed
– Espionage against other nations
Malicious Software
• Virus
• Worm
• Backdoor
• Trojan horse
• User-level rootkit
• Kernel-level rootkit
• Blended malware
Refer to pages 486-487.
Malicious Software
• Infectious: viruses and worms
– Carry a payload (malicious code)
• Concealed: Trojan horses and rootkits
– Stealth: important feature for malware
• Remote control: remote access Trojans (RATs) and bots
– Enable covert communications
• Data theft: keyloggers and spyware
– Record keystrokes or monitor and report user activity
Stack-Based Overflow Attacks
• Take advantage of poorly written applications
• When a called function is executing, it stores data on the stack (a memory buffer)
– If this memory region is overwritten, the program will crash
• The saved return address on the stack tells the program where to resume execution when the function returns
– By overwriting it, an attacker can manipulate the instruction pointer (IP) and direct the program to execute malware
Password Attacks and DDoS Attacks
• Attacker attempts to locate the file with encrypted passwords
• Password cracking tools
– Example: “John the Ripper”
• Distributed denial of service (DDoS) attack
– Generating multiple requests to flood a server
– Multiple servers make half-connections to the target server
– Usually carried out via botnets of compromised systems
Sniffing
• Packet sniffing tool
– Examples: Wireshark, tcpdump
– Placed on a network node
– Captures every packet sent to or from that node
• Once the data traffic is captured, the hacker analyzes the contents of the packets
– Hackers are able to draw inferences about what is being captured
– Hackers thus have access to port numbers, IP addresses, and application details
IP Address Spoofing
• Fools the perimeter router into accepting a packet with a spoofed IP address
• Difficult to trace back to the attacker’s node
• Done by IP packet crafting
• Ethernet address can also be spoofed
• DNS spoofing
– Sends Web traffic to the attacker’s site instead of the legitimate IP address
Session Hijacking
• Taking over an ongoing active connection between two nodes on a network
• Two types
– TCP session hijacking
– UDP session hijacking
• Route table modification
– Attacker blocks packets by modifying routing tables
Lures and “Pull” Attacks
• Network attacks are trending towards stealthier attacks
– Wait for victims to visit malicious Web sites
• Advantages for attackers
– Not as “noisy” as active attacks
– Web servers have stealthy intelligence
– Web server can serve up different attacks
• Web-based attack types
– Phishing, drive-by download
• Challenge: attracting the visitor to the malicious site
Figure 5.2 Stealthy attacks lure victims to malicious servers. The Web has become the primary vector for infecting computers, in large part because email has become better secured.
Reconnaissance
• Traditional attacks use sequential steps
– Reconnaissance tools
• Ping, traceroute, port scan, OS discovery, vulnerability scanner
– Compromise tools
• Password attacks, exploit attack code, buffer overflows, Structured Query Language (SQL) injection, automated customized attack toolkits, social engineering
– Cover-up methods
• Change system logs, rootkits, tunneling, encryption, fragment IP packets
Figure 5.1 Steps in directed attacks. Attempt to hit as many targets as quickly as possible without caring about who or what the targets are.
Active Reconnaissance
• The steps of a hacker
– Search domain names for those that would contain valuable information
– Map domain names to network addresses
– Map out the detailed network infrastructure
– Discover IP addresses of the network nodes
– Attempt to identify different server types
• DNS, email, database, Web
• Use network tools to gather information about the servers
– Design a scheme to attack the network
Reconnaissance: Network Mapping
• Network mapping is the process of discovering information about the topology of the target network
– Finding the IP addresses of gateways, routers, email, Web, FTP servers, and database servers
• Sweep the network to find live nodes (pinging target nodes)
• Can use traceroute to find paths to each host
– Provides information about routers and gateways
• Find more information with Nmap
– Nmap: security/network exploration tool and port scanner
Figure 28.2 Switched Ethernet network. Nanjun is a Linux server, kalidas is an XP workstation, and kailash is a Windows 2000 server.
Figure 28.3 Network mapping of the computers in Figure 28.2. Screenshot from the GFI LANguard network security scanner.
Covering Tracks
• Attacker must disguise the fact that there has been an attack
• Trojan horse
– Disguised as a benign program
– Usually has malicious intent
• Backdoor
– Method to allow the attacker to return and continue the attack
• Rootkit
– Runs with system privileges
Intrusion Detection Approaches
• Modeling
– Features: evidence extracted from audit data
– Analysis approach: piecing the evidence together
• Misuse detection (a.k.a. signature-based)
• Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
• Development and maintenance
– Hand-coding of “expert knowledge”
– Learning based on audit data
Host-Based and Network-Based
• Host-based IDS
– Monitors system objects, processes, memory
– Concern for possible tampering by an attacker
– Drawbacks
• Visibility limited to a single host; IDS process consumes resources; attacks not seen until they reach the host
• Network-based IDS
– Uses network packets to check for reconnaissance, exploits, DoS attacks, malware
– Complements host-based IDSs
Elements of Intrusion Detection
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
– From an algorithmic perspective:
• Features: capture intrusion evidence
• Models: piece evidence together
– From a system architecture perspective:
• Audit data processor, knowledge base, decision engine, alarm generation and responses
Components of an Intrusion Detection System
Figure: audit records -> audit data preprocessor -> activity data -> detection engine (using detection models) -> alarms -> decision engine (using a decision table) -> action/report.
Underlying assumptions: system activities are observable; normal and intrusive activities have distinct evidence.
Figure 5.5 Misuse detection and anomaly detection. These two views are complementary and are often used in combination.
Misuse vs. Anomaly Detection
Figure: misuse detection matches observed activities against stored intrusion patterns (pattern matching) to flag an intrusion. Drawback: can’t detect new attacks.
Example: if (src_ip == dst_ip && src_port == dst_port) then “land attack”
Misuse Detection: Signature Based
• Look for an incident that matches a known signature
– Signature identifies a specific attack
• Central issue
– How to define signatures or model attacks
• Three inherent drawbacks
– Attacks missed if the matching signature is not known
– New signatures require time to develop
– New signatures must be distributed continually
• Signature-based IDS example
– Snort program
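The land-attack signature above, plus a threshold signature for the half-open-connection flood described on the DDoS slide, run over a constructed set of connection records (example code added here, not from the slides or from Snort; the Conn record, the sample addresses, and the window/threshold values are assumptions):

```python
"""Signature-based (misuse) detection over connection records.

Added example, not code from the slides or any IDS product. The input is a
constructed list of connection records using the columns of the slides'
connection-record table (time, dur, src, dst, bytes, srv, flag), extended
with source/destination ports so the land-attack signature can be applied.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    time: float   # seconds since the start of the capture
    dur: float    # connection duration in seconds
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    srv: str
    flag: str     # SF = completed normally, REJ = rejected, S0 = SYN only (half-open)


def land_attack(c):
    """The slide's signature: if (src_ip == dst_ip && src_port == dst_port)."""
    return c.src == c.dst and c.sport == c.dport


def half_open_flood(conns, window=2.0, threshold=5):
    """Threshold signature for the 'half-connections' DDoS on the slides:
    at least `threshold` S0 connections to one destination inside `window` seconds.
    Returns the flooded destination addresses."""
    times_by_dst = defaultdict(list)
    for c in conns:
        if c.flag == "S0":
            times_by_dst[c.dst].append(c.time)
    flooded = []
    for dst, times in times_by_dst.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flooded.append(dst)
                break
    return flooded


def detect(conns):
    """Run every signature; each alert is (signature name, address, time or None)."""
    alerts = [("land attack", c.src, c.time) for c in conns if land_attack(c)]
    alerts += [("half-open flood", dst, None) for dst in half_open_flood(conns)]
    return alerts


# Constructed sample capture (private-range and documentation-range placeholder addresses).
SAMPLE = [
    Conn(0.0, 5.2, "10.0.0.7", 40001, "10.0.0.2", 80, 42, "http", "SF"),
    # source and destination identical: the land attack from the slide
    Conn(1.3, 0.0, "10.0.0.2", 139, "10.0.0.2", 139, 0, "netbios", "REJ"),
    # five half-open connections to one host within 1.2 s from forged sources
    Conn(2.0, 0.0, "198.51.100.11", 1025, "10.0.0.5", 22, 0, "ssh", "S0"),
    Conn(2.3, 0.0, "198.51.100.12", 1026, "10.0.0.5", 22, 0, "ssh", "S0"),
    Conn(2.6, 0.0, "198.51.100.13", 1027, "10.0.0.5", 22, 0, "ssh", "S0"),
    Conn(2.9, 0.0, "198.51.100.14", 1028, "10.0.0.5", 22, 0, "ssh", "S0"),
    Conn(3.2, 0.0, "198.51.100.15", 1029, "10.0.0.5", 22, 0, "ssh", "S0"),
    Conn(4.0, 20.5, "10.0.0.9", 51000, "10.0.0.4", 21, 1036, "ftp", "SF"),
    # a long outbound transfer with no matching signature: a misuse detector
    # stays silent here, which is the "can't detect new attacks" drawback
    Conn(5.0, 900.0, "10.0.0.4", 52000, "203.0.113.8", 443, 50_000_000, "https", "SF"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```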
Figure 26.5 Anti-malware file scanning. Signature-based analysis is only as effective as its signature information.
Anomaly Detection
Figure: activity measures (e.g., CPU, process size, plotted on a 0–90 scale) are compared against a normal profile; observations falling in the abnormal region indicate a probable intrusion.
Relatively high false positive rate: anomalies can just be new normal activities.
Anomaly Detection: Behavior Based
• Potential to recognize new attacks without a known signature
• Define normal behavior in statistical terms – Anything outside definition: suspicious
• Challenges – Normal behavior based on past behavior
– Behavior can and does change over time
– Anomalies are just unusual events
– Not good at discerning exact nature of attacks
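A statistical normal profile of the kind sketched in the anomaly-detection figure, showing both a true detection and the false-positive problem the slide names (example code added here, not from the slides; the activity history, the measures, and the 3-sigma threshold are constructed assumptions):

```python
"""Statistical anomaly detection over host activity measures.

Added example, not from the slides. A 'normal profile' is the per-measure
mean and standard deviation learned from a constructed history of (CPU %,
process size in MB) samples; an observation is anomalous when any measure
lies more than `k` standard deviations from its mean.
"""
from statistics import mean, stdev

MEASURES = ("cpu", "proc_size")


def build_profile(history):
    """history: list of (cpu, proc_size) tuples believed to be normal."""
    profile = {}
    for i, name in enumerate(MEASURES):
        column = [sample[i] for sample in history]
        profile[name] = (mean(column), stdev(column))
    return profile


def zscores(profile, obs):
    """Distance of each measure from the profile, in standard deviations."""
    return {
        name: (obs[i] - profile[name][0]) / profile[name][1]
        for i, name in enumerate(MEASURES)
    }


def is_anomalous(profile, obs, k=3.0):
    return any(abs(z) > k for z in zscores(profile, obs).values())


def learn_new_normal(history, obs, copies=5):
    """Fold an observation confirmed as legitimate into the history and rebuild
    the profile: this is how 'normal' follows behavior that changes over time."""
    return build_profile(list(history) + [tuple(obs)] * copies)


# Constructed training history: 20 quiet-hour samples, CPU 10-28 %, process size 40-60 MB.
HISTORY = [(10 + (i % 10) * 2, 40 + (i % 5) * 5) for i in range(20)]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, obs in [("routine", (25, 52)), ("runaway process", (90, 85)),
                       ("nightly backup", (60, 52))]:
        print(label, obs, "anomalous" if is_anomalous(profile, obs) else "normal")
    # The backup is legitimate, so it is a false positive until the profile learns it.
    print("backup after retraining:",
          is_anomalous(learn_new_normal(HISTORY, (60, 52)), (60, 52)))
```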
Host-based IDSs
• Using OS auditing mechanisms
– e.g., BSM on Solaris: logs all direct or indirect events generated by a user
– strace for system calls made by a program
• Monitoring user activities
– e.g., analyze shell commands
• Monitoring executions of system programs
– e.g., analyze system calls made by sendmail
Monitoring Key Files in the System
• Monitor any changes to the key files (system files)
– e.g., /etc/passwd and /etc/shadow on Linux systems
• One way is to log everything happening inside the file system (example product: LoggedFS)
• File integrity monitoring (FIM):
– Internal control or a process
– Validates operating system and application software integrity
– Verifies current state versus a baseline
– Calculates a known cryptographic checksum
– Process is generally automated
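A minimal file integrity monitor of the kind the slide describes: a baseline of checksums and core attributes, then a comparison that reports the extra account, the permission change, the missing log and the oddly named entry shown in Figures 3.2-3.4 (example code added here, not from the slides or from any FIM product; the mini filesystem, file contents and account name are constructed):

```python
"""Minimal file integrity monitor: baseline snapshot, then compare.

Added example, not from the slides or from any FIM product. It records a
SHA-256 checksum, size and permission bits for every file under a root,
then reports files added, removed, or modified relative to the baseline.
The demo builds a constructed mini filesystem in a temporary directory.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

FIELDS = ("sha256", "size", "mode")


def file_record(path):
    """Checksum plus the core attributes the slides list (size, permissions)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root):
    """Baseline: relative path -> record, for every regular file under root."""
    root = Path(root)
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file():
                records[full.relative_to(root).as_posix()] = file_record(full)
    return records


def compare(baseline, current):
    """Differences between two snapshots; 'modified' maps path -> changed fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [f for f in FIELDS if baseline[path][f] != current[path][f]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then apply changes like Figures 3.2-3.4."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    try:
        for rel, text, mode in [("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n", 0o644),
                                ("etc/shadow", "root:*:19000:0:99999:7:::\n", 0o600),
                                ("var/log/auth.log", "Jan 1 00:00:01 host sshd[1]: ok\n", 0o640)]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
            os.chmod(p, mode)
        baseline = snapshot(root)

        # extra account appended, shadow made world-readable, log deleted,
        # and an entry named ". " (dot, space) as in Figure 3.2
        with open(root / "etc/passwd", "a") as fh:
            fh.write("dbnet:x:0:0::/:/bin/bash\n")
        os.chmod(root / "etc/shadow", 0o644)
        os.remove(root / "var/log/auth.log")
        (root / "tmp").mkdir()
        (root / "tmp" / ". ").write_text("")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```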
Security Objectives
• Watch for changes impacting file or configuration integrity
– Credentials, privileges and security settings, content, core attributes and size, hash values, configuration values
– Legitimate or somewhat legitimate file names
– Additional accounts that do not belong
– Events with out-of-order timestamps
• Hide system files and directories
– Reduces accidental damage or deletion
– Prevents casual snooping
Figure 3.1 Screen shot of the nCircle file integrity monitor panel. One of many open-source and commercial software products available to perform file integrity monitoring.
Figure 3.2 The wrong symbol. The hacker has a directory on the system named ‘. ’. Note that one bit or one symbol in the output may make the difference between a compromised and a clean system.
Figure 3.3 Additional account DBNET. After a compromise, hackers may create a new account on the server and try to mimic some legitimate accounts that should exist.
Figure 3.4 Folder modification. Windows malware just loves this folder! Look for any folders or files with a different date modified timestamp.
Zero-Day Attacks
• A zero-day attack is an attack that exploits a previously unknown vulnerability
– Meaning that the attack occurs on “day zero” of awareness of the vulnerability
– The developers have had zero days to address and patch the vulnerability
• Attack vectors (directions):
– Web browsers, e-mail attachments, common file types
Zero-Day Attacks (cont.)
• Vulnerability window is the time between the first exploit and the published fix
• Vulnerability management life cycle phases
– Analyze, test, report, and mitigate
• Many OSs provide protection mechanisms against zero-day memory corruption vulnerabilities, such as buffer overflows
• Multiple layers, port knocking, whitelisting, and keeping the OS updated are some mechanisms for zero-day protection
Good Known State
• Watch for backdoors installed by hackers
– Removing backdoors is not enough
• Restore a hacked system to a good, clean system
– Typically done via OS reinstallation
• Monitor running processes for hacker software
– May look legitimate
• Watch for weird-looking file names
Rootkits
• Stealthy type of malicious software
• Automated or installed with root access
• Kernel-mode rootkits
– Highest operating system privileges (ring 0)
– Add code or replace portions of the OS core
– Difficult to detect
• User-mode rootkits
– Run with other applications as a user (ring 3)
• Rootkit search software for live systems (rootkit detection)
– Example: “rootkit hunter”
Low Hanging Fruit
• Deter intrusions
– Protect your system better than your neighbor
• Hacker will select the easier target
– Use snow flaking (differentiate your system from the norm)
• Takes more time to analyze a particular system to gain access
• Example: move the SSH port from the default TCP/22 to TCP/31234
– Ignore pings to the host
• Attackers take less time to detect live IPs that answer pings and scan them for vulnerabilities
Homegrown Intrusion Protection
• To defeat a hacker, think like a hacker
– Examine common files a hacker may look at
– Deter a hacker from using information in the file
• Subtly hide important directories or file names
• Set up dummy directories
– If the hacker persists
• Examine access logs to dummy files to identify the enemy
Out-of-band Attack Vectors
• People: weak link in corporate security plans
– Fall for social engineering attacks
– Connecting personal devices to the corporate network is a huge risk
– Demyo plug
• Full-blown Linux-based OS with many penetration testing tools preinstalled
• Prevention method
– Strong policy disallowing connection of non-approved devices
– Must be enforceable and be understood by all
Figure 3.8 The Demyo plug. Once connected, penetration testers can use it as a jump box to do further penetration testing inside the local area network (LAN) of the corporation.
Security Event Management
• Real-time analysis of security alerts generated by network hardware and applications
• Security Event Management (SEM)
– Real-time monitoring, correlation of events, notifications, and console views
• Security Information Management (SIM)
– Long-term storage, analysis, and reporting
• Security Information and Event Management (SIEM)
– Data aggregation, correlation, alerting, dashboards, compliance, retention
Other Weird Stuff on the System
• Possible system compromises
– Missing log files
– Network interface in promiscuous mode
• Controller passes all traffic to the central processing unit (CPU)
• Normally used for packet sniffing
• Computer may read frames intended for other machines or network devices
• Usually requires super user privileges
• Often used to diagnose network problems
– Stay away from insecure protocols
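A quick host check for the promiscuous-mode symptom above, reading the interface flag word Linux exposes under /sys/class/net (example code added here, not from the slides; it assumes a Linux host, and the sample flag values in the test are constructed):

```python
"""Find network interfaces in promiscuous mode (Linux).

Added example, not from the slides. Linux exposes each interface's flag word
in /sys/class/net/<iface>/flags as a hex string; bit 0x100 is IFF_PROMISC.
The live check reads those files; the parsing function can also be fed
constructed values, which is how the check is exercised offline.
"""
from pathlib import Path

IFF_PROMISC = 0x100          # promiscuous-mode bit in the Linux interface flags


def is_promiscuous(flags):
    """flags: the text of a sysfs 'flags' file (e.g. '0x1103') or an int."""
    value = int(flags, 16) if isinstance(flags, str) else flags
    return bool(value & IFF_PROMISC)


def promiscuous_interfaces(sysfs="/sys/class/net"):
    """Names of interfaces whose flag word has IFF_PROMISC set ([] if sysfs is absent)."""
    base = Path(sysfs)
    if not base.is_dir():
        return []
    found = []
    for flags_file in sorted(base.glob("*/flags")):
        try:
            if is_promiscuous(flags_file.read_text().strip()):
                found.append(flags_file.parent.name)
        except (OSError, ValueError):
            continue          # interface vanished or unreadable flag file
    return found


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

An interface that shows up here while no sniffer or diagnostic tool is expected to be running is worth correlating with the running-process checks on the earlier slides.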
Network IDS
• Deploying sensors at strategic locations
– e.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
– Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
– Data portions and some header information can be encrypted
• Other problems …
Network IDS
• Sensors
– Monitor and analyze network activity on one or more network segments
– Appliance-based and software-only sensors
• Provide a variety of security capabilities
• Collect information on hosts
– Operating systems and application versions
• Perform extensive logging of data related to detected events
Figure 5.6 IDSs monitoring various network zones (network-based IDSs). Place outside a firewall for learning about malicious activities on the Internet. Place in the DMZ to see attacks originating from the Internet that are able to get through the outer firewall to public servers. Place in the private network to detect any attacks that are able to successfully penetrate perimeter security.
Figure 26.6 Network-based IDS device scanning packets flowing past the sensor interface. Anomaly detection is accomplished by comparing with a stored baseline.
Packet Data Pre-processing
tcpdump packet data:
10:35:41.5 A > B : . 512:1024(512) ack 1 win 9216
10:35:42.2 C > D: . ack 1073 win 16384
10:35:45.6 E > F: . ack 2650 win 16225
...
connection records (one per connection):
time        dur   src  dst  bytes  srv   flag  …
10:35:39.1  5.2   A    B    42     http  SF    …
10:35:40.4  20.5  C    D    22     user  REJ   …
10:35:41.2  10.2  E    F    1036   ftp   SF    …
…
Firewall Versus Network IDS
• Firewall (FW)
– Active filtering
– Fail-close
• Network IDS
– Passive monitoring
– Fail-open
Preventive Measures
• Access Control
• Vulnerability Testing and Patching
• Closing unnecessary ports
• Firewalls
• Antivirus and Antispyware Tools
• Spam Filtering
• Honeypots
• Network Access Control
Defense in Depth
• Hinder the attacker as much as possible
– Use multiple defense layers
• Each layer might be surmountable
– More valuable assets should be protected behind more layers of defense
• Combination of multiple layers
– Increased cost for attacker success (time, effort, or equipment)
• Cost must be proportional to asset value
– Effective against unpredictable attacks
• Involves people, technology, operations
• Risk assessment determines:
– Asset value, possible threats, threat likelihood and impact
Know your Enemy
• Unauthorized network penetration
• Types: active and passive
• Intrusions come from outside and within the network
• Intruder’s purposes
– Make their presence known
– Extract critical information
• One-time or ongoing parasitic relationship
• Access is gained physically, externally or internally
Know your Enemy (Hacker vs. Cracker)
• Traditional hacker performed good deeds
– Built and made the Internet run, created Unix
• Crackers’ intentions are normally malicious/criminal in nature
• Crackers steal data or create havoc
– Lone wolves, disgruntled employees, hostile governments
– Seek out and exploit vulnerabilities
• Underground organizations and code available
• Cyber ninjas sneak around
– Create chains of exploits
– Use multiple layers to hide
Understand Motives
• Goal differs from motive
– Goal: penetrate network defenses
– Motive: hurt organization or steal information
• Grab and dash
– Steal credit-card information and resell
– Breach network and siphon off data
Our “Unsecured” Wireless World
• Public wireless activity can affect corporate network security by stealing information from users
– Firesheep: a tool used to steal browser cookie information
• What tools can crackers use to test for network weak spots?
– Wireless sniffers, packet sniffers, port scanners, port knocking, keystroke loggers, remote administration tools, network scanners, password crackers
Symptoms of Intrusions
• Large numbers of unsuccessful login attempts
• Packet inconsistencies
• Packets coming from the outside that have local network addresses (IP spoofing)
• Odd or unexpected system behavior can be a sign.
– changes to system clocks, servers going down, unusually high CPU activity, overflows in file systems
What Can You Do?
• Balance network security and user needs
• Use strong multilayer perimeter defense
– Implement dynamic and effective response policy
• Educate users: Why is this crucial?
• Implement intrusion detection system (IDS)
– Must detect and stop intrusion
– Can be inline or based on firewall scheme
Know Today’s Network Needs
• Traditional networks use preventative measures (firewalls) to protect the infrastructure from intrusion
• Mobile computing expanded boundaries
• Unified threat management (UTM) system
– “Blacklist” approach: game of catch-up
– “Whitelist” approach: specifies what gets in
– Specifically allow applications and devices
– Offer policy-based approach
• Recognize remote technologies and the risks
• Best practice: educate users on security policy
Figure 4.1 Network diagram. Key to managing several hundred (or several thousand) users is a good security policy.
Security Policies
• Security policy is designed to get everyone involved with your network; it is always a work in progress
– Must evolve with technology
• Conglomeration of policies
– Computer and network use, forms of authentication, email policies, remote/mobile technology use, and Web surfing policies
Security Policies (cont.)
• Simplicity works best
– Draft policies defining network architecture
– Spell out responsibilities, communicate your expectations to users, and lay out the role(s) for your network administrator
– Establish a security team
• Provide a clear policy for handling changes to overall network security
Risk Analysis and Vulnerability Testing
• Risk analysis determines the risk faced based on operations; it may influence network design
• Security policy should include regular vulnerability testing
• Some very good vulnerability testing tools allow you to conduct your own security testing
– e.g., WebInspect, Acunetix, GFI LANguard, Nessus, HFNetChk, and Tripwire
• Third-party companies can be contracted to scan your network for open and/or accessible ports, weaknesses in firewalls, and Web site vulnerabilities
Digital Forensics
• Digital forensics is the “application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence”
• Can be divided into two subfields
– Network forensics
• Captured network traffic and session information
– Host-based forensics
• Collection and analysis of digital evidence collected from individual computer systems
Intrusion Prevention Systems (IPSs)
• Configurable for autonomous decisions
– Application-level threats, IP address or port-level attacks
• Threat response mechanisms
– Automatically drop suspicious packets
– Place intruder into “quarantine” file
• Access control pass/fail decisions
• Several IPS types
– Network-based, host-based, content-based, rate-based
• What are the characteristics of a good IPS?
Intrusion Prevention Capabilities
• Agenda for Action for Intrusion Prevention Activities checklist
– Code analysis
– Network traffic analysis
– Network traffic filtering
– Filesystem monitoring
– Removable media restriction
– Audiovisual device monitoring
– Host hardening
– Process status monitoring
– Network traffic sanitization
Reactive Measures
• When an attack is detected/analyzed, a system admin. must exercise an appropriate response.
– responses depend on the circumstances
– block, slow, modify, or redirect any malicious traffic.
• It is not possible to delineate every possible response.
Reactive Measures: Quarantine and Traceback
• Quarantine in the context of malware
– Prevents an infected host from contaminating other hosts
– Block traffic using firewalls or routers with access control lists (ACLs)
• Almost impossible to discover the attacker (Why?)
– May trace a packet’s route back to an intermediary
• Store a hash of the packet for some amount of time
• Stamp packets with a unique router identifier
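Both traceback techniques from the slide, hash logging with a retention window and router stamping, in a simulated topology (example code added here, not from the slides or any deployed traceback system; the routers, link layout, retention period and packet contents are constructed assumptions):

```python
"""Packet traceback with hash-based router logging and router marking.

Added example, not from the slides or any real traceback system. Each
simulated router (a) keeps a digest of every forwarded packet for a
retention window and (b) stamps its identifier into the packet. The
victim then reconstructs the route either by querying digest stores hop
by hop or by reading the stamps. Topology and packets are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    ident: int
    payload: bytes
    ttl: int = 64
    marks: list = field(default_factory=list)   # router stamps accumulate here

    def digest(self):
        """Hash over fields that do not change hop to hop (TTL and marks excluded),
        so the victim can recompute it from the packet it actually received."""
        h = hashlib.sha256(f"{self.src}|{self.dst}|{self.ident}|".encode())
        h.update(self.payload)
        return h.hexdigest()[:16]


class Router:
    def __init__(self, name, retention=30.0):
        self.name = name
        self.retention = retention     # seconds a digest is kept
        self.links = []
        self.seen = {}                 # digest -> time forwarded

    def connect(self, other):
        self.links.append(other)
        other.links.append(self)

    def forward(self, pkt, now):
        pkt.ttl -= 1
        pkt.marks.append(self.name)    # marking scheme
        self.seen[pkt.digest()] = now  # hash-logging scheme

    def saw(self, digest, now):
        """Answer a traceback query; digests older than the retention window are dropped."""
        self.seen = {d: t for d, t in self.seen.items() if now - t <= self.retention}
        return digest in self.seen


def traceback(last_hop, pkt, now):
    """Walk upstream from the victim's router, following neighbors whose digest store
    still holds the packet. Returns router names from the victim side outward."""
    d = pkt.digest()
    path, current = [last_hop.name], last_hop
    while True:
        upstream = [r for r in current.links if r.name not in path and r.saw(d, now)]
        if not upstream:
            return path
        current = upstream[0]
        path.append(current.name)


def demo(query_time=1.0):
    """Constructed topology R1-R2-R3-R4 with side branch R3-R5; the attack packet
    travels R1 -> R4, while an unrelated packet is seen only by R5."""
    r1, r2, r3, r4, r5 = (Router(n) for n in ("R1", "R2", "R3", "R4", "R5"))
    r1.connect(r2)
    r2.connect(r3)
    r3.connect(r4)
    r3.connect(r5)
    attack = Packet("198.51.100.7", "10.0.0.5", 4242, b"spoofed flood packet")
    for hop, router in enumerate((r1, r2, r3, r4)):
        router.forward(attack, now=0.1 * hop)
    r5.forward(Packet("192.0.2.9", "10.0.0.5", 1, b"unrelated"), now=0.0)
    # the victim recomputes the digest from the packet as received (TTL already decremented)
    received = Packet(attack.src, attack.dst, attack.ident, attack.payload, ttl=attack.ttl)
    return traceback(r4, received, now=query_time), attack.marks


if __name__ == "__main__":
    print(demo())                   # hash-logging path and the stamped marks
    print(demo(query_time=100.0))   # digests expired: only the last hop remains
```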
Figure 5.7 Tracking information stored at routers or carried in packets to enable packet traceback. To trace a packet’s route, some tracking information must be either stored at routers when the packet is forwarded or carried in the packet.
Reactive Measures: Audits and Recovery
• Regular and detailed audits are needed, with emphasis on activities near or outside the established norm
• Ensure clearly established rules
– Security, use, and/or policy violations
– Attempted or actual intrusions
• Recovery of the network after an attack
– Reconfigure to close off the exploited opening
– Estimate damage
• Ensure a preemptive disaster recovery plan is available
Tools of the Trade
• Host-based IDS
– TCPWrappers (http://coast.cs.purdue.edu/pub/tools/unix)
– NukeNabber (http://www.amitar.com.au/DOWNLOADS/INTERNET/PROTECTION/NukeNabber_2_9b.html)
– WRQ's AtGuard (http://www.atguard.com)
– AXENT (www.axent.com)
– CyberSafe (www.cybersafe.com)
– ISS (www.iss.net)
– Tripwire (www.tripwiresecurity.com)
• Network-based IDS
– AXENT (www.axent.com)
– Cisco (www.cisco.com)
– CyberSafe (www.cybersafe.com)
– ISS (www.iss.net)
– Shadow (www.nswc.navy.mil/ISSEC/CID)
Snort
• Try Snort, a nice tool, usable as:
– Packet sniffer: outputs all viewed network data to a console device
– Packet logger: logs all network packets to disk
– Network IDS: performs a variety of functions, from analyzing traffic to filtering and performing actions based on packet analysis
Defend Your Hosts with Freeware
• Install the most current release of Red Hat Linux, Debian Linux, FreeBSD, etc.
• OS hardening
– To protect against misconfiguration-based attacks, install the very good hardening utility Bastille (http://sourceforge.net). Bastille essentially closes all the doors left open in a default installation.
• Network services access control
– Install Wietse Venema’s TCP Wrapper (ftp://ftp.porcupine.org/pub/security/index.html). This is a simple tool: simple to install, simple to configure and simple in operation. It is an access control list for services run under the control of the Internet daemon.
Defend Your Hosts with Freeware
• Snort: intrusion detection tool (http://www.snort.org/)
– There are both Linux and Windows versions. It lets you see what kinds of messages are observed by your network card and lets you write your own rules for the IDS. It is almost infinitely configurable.
• Shorewall (http://shorewall.net/)
– A freeware firewall/gateway based on Linux iptables/ipchains. You may also try Astaro’s Security Linux (http://astaro.com/), a freeware stateful inspection gateway that provides proxy and VPN services.
Defend Your Hosts with Freeware
• Secure remote access
– Never use telnet or ftp. Install OpenSSH (http://www.openssh.com/) for remote access (there are both Linux and Windows versions).
• Penetration testing
– After your system is set up, now try to break it
– Install OpenVAS
– Test each port to determine what sort of listener is active
• Finally, once your security suite is complete, install the freeware version of Tripwire
– Tripwire takes a “snapshot” of a large number of critical binaries on your system, and
– stores that information encrypted and in an obscure place
Defend Your Hosts with Freeware
NMAP = Network Mapper
• Open source security scanner
• Identifies
– Which hosts are up
– What services are open
• Potentially vulnerable to attacks
– Example of usage: OS fingerprinting
• sudo nmap -O -v xyz.com
• Web site
– www.nmap.org
Wireshark
• Freeware for network protocol analysis
– Analyze packets and protocols
– Used
• Primarily for troubleshooting
• To a lesser extent for detecting certain (low-grade) malware
• www.wireshark.org
Defend Your Hosts with Freeware
Honeypots/Honeynets
• Divert an attacker from accessing critical systems
– Collect information about the attackers’ activity
– Learn about attacker techniques by attracting attacks to a seemingly vulnerable host
• Encourage the attacker to stay on the system long enough for administrators to respond
• Can be passive or active (honey-monkey)
• Not used for legitimate services
• A honeypot should have comprehensive and reliable capabilities for monitoring and logging all activities
• Usually monitor unused address space (isolated)