DMC ITSY 2400 - Chapter 12 Security through Monitoring and Auditing


Guide to Operating System Security
Chapter 12: Security through Monitoring and Auditing

Objectives
- Understand the relationship between baselining and hardening
- Explain intrusion-detection methods
- Use audit trails and logs
- Monitor logged-on users
- Monitor a network

Baselining and Hardening
- Baselines are measurement standards for hardware, software, and network operations
- Used to establish performance statistics under varying loads or circumstances
- Once a system has been hardened, the baseline taken from it is the reference point that later monitoring and auditing compare against; without it there is no way to tell unusual from normal

Overview of Intrusion Detection
- Detects and reports possible network and computer system intrusions or attacks
- Main approaches: passive, active, host-based, network-based, inspectors, auditors, decoys and honeypots

Passive Intrusion Detection
- Detects and records intrusions; does not take action on its findings
- Effective only as long as the administrator actually checks the logs
- Can create filters or traps
- Examples of monitored activities: login attempts, changes to files, port scans

Third-Party Passive Intrusion-Detection Tools
- Klaxon, Loginlog, Lsof, Network Flight Recorder, RealSecure, Dragon Squire, PreCis

Active Intrusion Detection
- Detects an attack and sends an alert to the administrator, or takes action to block the attack
- May use logs, monitoring, and recording devices

Third-Party Active Intrusion-Detection Tools
- Entercept, AppShield, Snort, SecureHost, StormWatch

Host-based Intrusion Detection
- Software that monitors the computer on which it is loaded
- Watches logons, files and folders, applications, network traffic, and changes to security settings
- Implemented as host wrappers and host-based agents

Network-based Intrusion Detection
- Monitors the network traffic associated with a specific network segment
- Typically places the NIC in promiscuous mode so the sensor sees every frame on the segment, not only frames addressed to it

Inspector
- Examines captured data, logs, or other recorded information to determine whether an intrusion is occurring or has occurred
- The administrator sets up the inspection parameters, for example:
  - Files changed or created under suspicious circumstances
  - Permissions unexpectedly changed
  - Excessive use of the computer's resources

Auditor
- Tracks the full range of data and events, normal and suspicious, for example:
  - Every time services are started and stopped
  - Hardware events or problems
  - Every logon attempt
  - Every time permissions are changed
  - Network connection events
- Records the information to a log

Decoys and Honeypots
- Fully operational computers that contain no information of value
- Draw attackers away from critical targets
- Provide a means to identify and catch or block attackers before they harm other systems

Using Audit Trails and Logs
- A form of passive intrusion detection used by most operating systems: Windows 2000/XP/2003, Red Hat Linux 9.x, NetWare 6.x, Mac OS X

Viewing Logs in Windows 2000/XP/2003
- Accessed through Event Viewer
- Event logs can help identify a security problem
- The Filter option can help quickly locate a problem
- Principal event logs: System, Security, Application
- Event logs for installed services: Directory Service, DNS Server, File Replication Service
- The Security log records only the categories enabled in the audit policy (Local Security Policy > Audit Policy); on Windows 2000 and XP Professional no categories are audited by default, so logon and object-access auditing must be switched on before the Security log is of any use

Viewing Logs in Red Hat Linux 9.x
- Offers a range of default logs
- Log files are written by syslogd (configured in /etc/syslog.conf) and rotated by logrotate, which by default keeps four old copies (the .1 to .4 suffixes)
- Two ways to view the default logs:
  - Open LogViewer (Main Menu > System Tools > System Logs); it can filter on a keyword such as failed, denied, or rejected
  - Use the Emacs or vi editors, or the cat command, in a terminal window

Red Hat Linux 9.x Default Logs (the .x suffix denotes a rotated copy)

Log name            Location and filename    Description
Boot log            /var/log/boot.log.x      Messages about processes and events that occur during bootup or shutdown
Cron log            /var/log/cron.x          Information about jobs that are scheduled to run or that have already run
Kernel startup log  /var/log/dmesg.x         Startup messages sent from the kernel
Mail log            /var/log/maillog.x       Messages about mail server activities
News log            /var/log/spooler.x       Messages from the news server
RPM
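The passive-detection slide lists login attempts as a monitored activity, and the Red Hat slide describes filtering a log on a keyword such as failed, denied, or rejected. The following Python is an added example (not code from the textbook) that does both over constructed syslog lines in the BSD layout Red Hat's syslogd writes (on Red Hat, sshd messages go to /var/log/secure through the authpriv facility): a keyword filter equivalent to LogViewer's filter box, and a parser that counts sshd password failures per source address inside a sliding time window. The host name, addresses, PIDs and the year 2003 are assumptions; syslog lines carry no year.

```python
"""Keyword filter and failed-login burst detector over syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example; not real captures.
SAMPLE_LOG = """\
Mar 10 13:22:01 rh9 sshd[1201]: Accepted password for alice from 192.168.1.10 port 40022 ssh2
Mar 10 13:22:05 rh9 sshd[1204]: Failed password for root from 10.0.0.5 port 4401 ssh2
Mar 10 13:22:07 rh9 sshd[1205]: Failed password for root from 10.0.0.5 port 4402 ssh2
Mar 10 13:22:09 rh9 sshd[1206]: Failed password for illegal user admin from 10.0.0.5 port 4403 ssh2
Mar 10 13:22:11 rh9 sshd[1207]: Failed password for illegal user admin from 10.0.0.5 port 4404 ssh2
Mar 10 13:22:14 rh9 sshd[1208]: Failed password for root from 10.0.0.5 port 4405 ssh2
Mar 10 13:30:40 rh9 sshd[1300]: Failed password for bob from 192.168.1.11 port 40100 ssh2
Mar 10 13:31:02 rh9 sshd[1301]: Accepted password for bob from 192.168.1.11 port 40101 ssh2
Mar 10 13:40:00 rh9 xinetd[700]: FAIL: telnet address from=10.0.0.9
"""

KEYWORDS = ("failed", "denied", "rejected")   # the keywords the LogViewer slide names

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
SSHD_FAIL_RE = re.compile(
    r"^Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def keyword_filter(lines, keywords=KEYWORDS):
    """Case-insensitive substring filter, the same thing LogViewer's filter box does."""
    return [ln for ln in lines if any(k in ln.lower() for k in keywords)]


def parse_syslog(line, year=2003):
    """Split one BSD syslog line into (timestamp, host, program, message); None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["host"], m["prog"], m["msg"]


def failed_logins(lines, year=2003):
    """Return [(timestamp, user, source_ip)] for every sshd password failure."""
    out = []
    for ln in lines:
        parsed = parse_syslog(ln, year)
        if not parsed:
            continue
        ts, _host, prog, msg = parsed
        if prog != "sshd":
            continue
        fm = SSHD_FAIL_RE.match(msg)
        if fm:
            out.append((ts, fm["user"], fm["ip"]))
    return out


def find_bursts(failures, threshold=5, window_seconds=60):
    """Return {ip: most failures inside any window} for addresses at or over threshold."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            # grow the window that starts at times[i] while it still covers times[j]
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyse(text=SAMPLE_LOG, threshold=5, window_seconds=60):
    """Run both checks over a block of log text."""
    lines = text.splitlines()
    return {
        "keyword_hits": keyword_filter(lines),
        "bursts": find_bursts(failed_logins(lines), threshold, window_seconds),
    }


if __name__ == "__main__":
    result = analyse()
    for ln in result["keyword_hits"]:
        print("MATCH", ln)
    for ip, n in result["bursts"].items():
        print(f"ALERT: {n} failed logins from {ip} within 60 s")
```

The xinetd line shows the limit of the keyword approach the slide describes: "FAIL:" does not contain "failed", so a filter on the three suggested words never shows it. Parsing the program and message fields, as `failed_logins` does, is what turns a log viewer into the passive detector the chapter describes, and it still only helps if someone reads the alerts.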
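The baselining slide and the inspector slide together describe one procedure: record what the system looks like after hardening, then inspect later for files changed or created under suspicious circumstances and for permissions that changed unexpectedly. The Python below is an added example (not from the textbook) of that inspector: it snapshots the SHA-256 and permission bits of every file under a root, and a second snapshot is compared against the baseline. The directory tree, file names and contents are constructed inside a temporary directory for the example, as is the simulated tampering.

```python
"""Baseline-and-compare file inspector (added example, not from the textbook)."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[rel] = (h.hexdigest(), stat.S_IMODE(os.stat(full).st_mode))
    return snap


def compare(baseline, current):
    """Classify every path as added, removed, modified (content) or permission_changed."""
    report = {"added": [], "removed": [], "modified": [], "permission_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                report["modified"].append(path)
            if old_mode != new_mode:
                report["permission_changed"].append(path)
    return report


def _write(root, rel, data, mode):
    """Create a file with given content and permission bits (helper for the demo)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed tree, take the baseline, tamper with it, and inspect."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", 0o644)
        _write(root, "etc/shadow", b"root:$1$salt$hash:12345:0:99999:7:::\n", 0o600)
        _write(root, "bin/login", b"\x7fELF-placeholder", 0o755)
        baseline = snapshot(root)

        # Simulated tampering (constructed): a UID-0 account appended to passwd,
        # shadow made world-readable, a hidden script dropped in tmp, login removed.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/bash\n")
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        _write(root, "tmp/.hidden", b"#!/bin/sh\n", 0o755)
        os.remove(os.path.join(root, "bin/login"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:19s} {p}")
```

Two practical points follow from the inspector slide. The comparison keys on content hashes and mode bits rather than on modification times, because an attacker who can edit a file can also reset its mtime. And the baseline itself must be stored somewhere the monitored host cannot rewrite (read-only media or another machine); a baseline kept beside the files it describes can be regenerated by the same attacker after the change.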

