Guide to Operating System Security
Chapter 12: Security through Monitoring and Auditing

Slide 2: Objectives
- Understand the relationship between baselining and hardening
- Explain intrusion-detection methods
- Use audit trails and logs
- Monitor logged-on users
- Monitor a network

Slide 3: Baselining and Hardening
- Baselines
  • Measurement standards for hardware, software, and network operations
  • Used to establish performance statistics under varying loads or circumstances

Slide 4: Overview of Intrusion Detection
- Detects and reports possible network and computer system intrusions or attacks
- Main approaches
  • Passive
  • Active
  • Network-based
  • Inspectors
  • Auditors
  • Decoys and honeypots

Slide 5: Passive Intrusion Detection
- Detects and records intrusions; does not take action on findings
- Effective as long as the administrator checks the logs
- Can create filters or traps
- Examples of monitored activities
  • Login attempts
  • Changes to files
  • Port scans

Slide 6: Third-Party Passive Intrusion-Detection Tools
- Klaxon
- Loginlog
- Lsof
- Network Flight Recorder
- RealSecure
- Dragon Squire
- PreCis

Slide 7: Active Intrusion Detection
- Detects an attack and sends an alert to the administrator or takes action to block the attack
- May use logs, monitoring, and recording devices

Slide 8: Third-Party Active Intrusion-Detection Tools
- Entercept
- AppShield
- Snort
- SecureHost
- StormWatch

Slide 9: Active Intrusion Detection

Slide 10: Host-based Intrusion Detection
- Software that monitors the computer on which it is loaded
  • Logons
  • Files and folders
  • Applications
  • Network traffic
  • Changes to security
- Host wrappers and host-based agents

Slide 11: Host-based Intrusion Detection

Slide 12: Network-based Intrusion Detection
- Monitors network traffic associated with a specific network segment
- Typically places the NIC in promiscuous mode

Slide 13: Network-based Intrusion Detection

Slide 14: Inspector
- Examines captured data, logs, or other recorded information
- Determines if an intrusion is occurring or has occurred
- Administrator sets up inspection parameters, for example:
  • Files changed/created under suspicious circumstances
  • Permissions unexpectedly changed
  • Excessive use of the computer's resources

Slide 15: Auditor
- Tracks the full range of data and events, normal and suspicious, for example:
  • Every time services are started and stopped
  • Hardware events or problems
  • Every logon attempt
  • Every time permissions are changed
  • Network connection events
- Records information to a log

Slide 16: Decoys and Honeypots
- Fully operational computers that contain no information of value
- Draw attackers away from critical targets
- Provide a means to identify and catch or block attackers before they harm other systems

Slide 17: Using Audit Trails and Logs
- A form of passive intrusion detection used by most operating systems:
  • Windows 2000/XP/2003
  • Red Hat Linux 9.x
  • NetWare 6.x
  • Mac OS X

Slide 18: Viewing Logs in Windows 2000/XP/2003 (Continued)
- Accessed through Event Viewer
- Event logs can help identify a security problem
- The Filter option can help quickly locate a problem

Slide 19: Viewing Logs in Windows 2000/XP/2003 (Continued)
- Principal event logs
  • System
  • Security
  • Application
- Event logs for installed services
  • Directory Service
  • DNS Service
  • File Replication

Slide 20: Event Viewer in Windows Server 2003

Slide 21: Viewing an Event in Windows Server 2003

Slide 22: Viewing Logs in Red Hat Linux 9.x (Continued)
- Offers a range of default logs
- Log files
  • Have four rotation levels
  • Managed through syslogd

Slide 23: Viewing Logs in Red Hat Linux 9.x (Continued)
- Two ways to view default logs
  • Open LogViewer (Main Menu – System Tools – System Logs); enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
  • Use the Emacs or vi editors, or use the cat command in a terminal window

Slide 24: Red Hat Linux 9.x Default Logs (Continued)

Log Name            Location and Filename   Description
Boot Log            /var/log/boot.log.x     Contains messages about processes and events that occur during bootup or shutdown
Cron Log            /var/log/cron.x         Provides information about jobs that are scheduled to run or that have already run
Kernel Startup Log  /var/log/dmesg.x        Shows startup messages sent from the kernel
Mail Log            /var/log/maillog.x      Contains messages about mail server activities
News Log            /var/log/spooler.x      Provides messages from the news server

Slide 25: Red Hat Linux 9.x Default Logs (Continued)

Log Name            Location and Filename   Description
RPM
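As an added example that is not part of the slides or the textbook, the following Python script reproduces the keyword filter described for Red Hat's LogViewer (failed, denied, rejected) over syslog-style lines and then counts the failed login attempts that a passive IDS would record per source address. The log lines, host name and addresses are constructed for the example.

```python
"""Keyword filter over syslog-style log lines, in the spirit of the Red Hat
LogViewer filter (failed, denied, rejected). The sample log below is
constructed for this example, not captured from a real system."""
import re
from collections import Counter

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KEYWORDS = ("failed", "denied", "rejected")   # same keywords the slide names

# Constructed sample of what /var/log/messages or /var/log/secure could hold
SAMPLE_LOG = """\
Mar  3 09:14:02 rh9box sshd[1123]: Accepted password for alice from 10.0.0.5 port 40122 ssh2
Mar  3 09:15:11 rh9box sshd[1130]: Failed password for root from 10.0.0.77 port 40140 ssh2
Mar  3 09:15:14 rh9box sshd[1130]: Failed password for root from 10.0.0.77 port 40140 ssh2
Mar  3 09:17:02 rh9box xinetd[812]: telnet connection from 10.0.0.77 rejected by access control
Mar  3 09:17:30 rh9box sshd[1142]: Failed password for bob from 10.0.0.77 port 40151 ssh2
Mar  3 09:18:00 rh9box su(pam_unix)[1150]: session opened for user root by alice(uid=500)
"""

def parse_line(line):
    """Split one syslog line into its fields; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def filter_by_keyword(text, keywords=KEYWORDS):
    """Return parsed entries whose message contains any keyword (case-insensitive)."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and any(k in entry["msg"].lower() for k in keywords):
            hits.append(entry)
    return hits

FAILED_PW_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def failed_logins_by_source(entries):
    """Count sshd failed-password events per source address (the 'login attempts'
    activity a passive IDS records), so repeated failures stand out in review."""
    counts = Counter()
    for e in entries:
        m = FAILED_PW_RE.search(e["msg"])
        if m:
            counts[m.group("src")] += 1
    return counts

if __name__ == "__main__":
    hits = filter_by_keyword(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["host"]} {e["prog"]}: {e["msg"]}')
    for src, n in failed_logins_by_source(hits).most_common():
        print(f"{src}: {n} failed logins")
```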