Transcript Chapter 12

Linux Networking and Security
Chapter 12
Network Intrusion Detection



Use network scanning and packet-sniffing utilities
Understand basic intrusion detection systems
Perform automated security audits of your Linux system
Scanners and Sniffers

Crackers can employ the following techniques to gain access to a Linux system:

Port scanning, in which packets are sent to a host to gain information about it based on its responses
Packet sniffing, in which every packet on the network has its header and data examined

Network administrators also use these techniques to check for security weaknesses; although some feel their use is illegitimate, it is important to stay ahead of crackers
Port Scanning



A port scan enables someone to identify a network’s operating system and any services that could potentially allow greater access
Port scans typically use the TCP protocol and its associated flags to gather information about the host and its network services
Some port scanners use ICMP and UDP packets, which do not provide as much data as TCP but can offer some information that TCP cannot




The most widely used port-scanning utility is nmap, the network mapper
nmap is a command-line utility that uses a variety of scanning methods
nmap allows for fingerprinting hosts, greater output, and configuration of timing policy
nmap can also perform a Ping scan, which reports hosts that are reachable using ICMP echo packets
Packet Sniffing




A packet sniffer allows for the examination of any or all of the traffic passing through a network cable or wireless space
An Ethernet card can enable packet sniffing only if it is operating in promiscuous mode
Users must be logged in as root to use this mode, so packet sniffers require root access
If encryption technologies such as SSH, GPG, and stunnel are used, packet data is more secure
Packet Sniffing

Three popular Linux utilities are:



IPTraf displays individual network connections, with protocol and other data for each one, and it also displays statistics by protocol, certain host names, or certain IP addresses
tcpdump provides information similar to IPTraf, but it also includes more detailed information about network packets
Ethereal takes tcpdump a step farther in that it is a graphical network analysis tool
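Added example, not part of the chapter or of tcpdump/Ethereal: the header decoding a sniffer performs on a captured frame, and the TCP flags (SYN, ACK, RST and so on) that the port-scanning slides above refer to. The frame is constructed inline with zero checksums and documentation addresses; no real capture is used.

```python
import struct

# TCP flag bits in the low byte of the TCP header's offset/flags word
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers of one raw frame (checksums not verified)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are decoded here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4  # TCP header length including options
    flags = [n for bit, n in sorted(TCP_FLAGS.items()) if off_flags & bit]
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "payload": tcp[data_off:],
    }

def build_sample_syn() -> bytes:
    """Constructed SYN to port 22 (documentation addresses, checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, 0x5002, 65535, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    print(parse_frame(build_sample_syn()))
```

A lone SYN to one port is what a TCP connect or SYN scan looks like on the wire; the same decoder applied to every frame from a promiscuous-mode capture is the starting point of the tools listed above.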
Using Intrusion Detection Software




Intrusion detection is the process of noticing when someone is trying to break into (or has already broken into) a system
This category of software is called intrusion detection systems (IDS)
PortSentry, by Psionic, watches network ports for packets that appear to be port scans
A more complex tool than PortSentry is Linux IDS, or LIDS, which can alter the Linux kernel
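Added example, not part of the chapter and not PortSentry's code: a simplified, log-based version of the check PortSentry performs, flagging a source that touches many different ports within a short window. The log lines are constructed in the style of iptables LOG output; the hosts, ports and threshold are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the style of iptables LOG output; hosts and ports are made up.
SAMPLE_LOG = """\
May  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
May  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
May  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
May  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
May  1 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
May  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
May  1 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
May  1 10:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
May  1 10:00:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143 SYN
May  1 10:00:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443 SYN
May  1 10:00:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22 SYN
"""

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)\b")

def detect_scans(log_text: str, window_s: int = 60, min_ports: int = 5) -> dict:
    """Return {src_ip: most distinct destination ports hit within any window_s seconds},
    listing only sources that reach min_ports. Many ports from one source in a
    short time is the pattern a PortSentry-style monitor looks for."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a connection-attempt line
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events[m.group(2)].append((ts, int(m.group(3))))
    offenders = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            if distinct >= min_ports:
                offenders[src] = max(distinct, offenders.get(src, 0))
    return offenders

if __name__ == "__main__":
    # Source addresses can be spoofed, so a hit is an alert to investigate,
    # not proof of who is scanning; automatic blocking should weigh that.
    print(detect_scans(SAMPLE_LOG))
```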
Using Intrusion Detection Software



Big Brother provides a different level of intrusion detection than LIDS, and it uses a client/server model similar to SNMP
Big Brother includes a server that gathers data from clients on each network host and displays that data as a Web page
Some of the 26 standard services Big Brother will manage are DNS, FTP, HTTP, POP3, SSH, Telnet, disk space, and memory usage
Using Intrusion Detection Software

Suggested use of intrusion detection tools:




Use nmap to scan the system after configuration to check for security holes
Next, use PortSentry to watch for outside hosts trying to port scan the server
Use LIDS to secure your file system and processes so that anyone who is able to gain unauthorized access will have very limited power
Use Big Brother to keep a constant eye on services that are provided on network servers
System Security Audits



The best way to establish confidence in the security of a Linux system is to perform a security audit
Security audits are reviews or tests of how secure the system is and what needs to be done to improve its security
A security audit could take the form of:

A careful review of the security policy
Use of special security-auditing software
System Security Audits




One of the first security-auditing programs was called Security Administrator Tool for Analyzing Networks (SATAN)
The Security Administrator’s Integrated Network Tool (SAINT) replaced SATAN
SAINT uses a Web browser interface to manage an “attack” on a network and report vulnerabilities found
Other security audit tools are Tiger and SARA
Chapter Summary



Port-scanning software lets anyone learn about the potentially vulnerable network access points on any networked computer
Port scanners use various combinations of TCP flags, UDP packets, and Ping packets to elicit responses that inform the scanner about the services running on the targeted host
When a host detects that someone is using a port scanner, software such as PortSentry can take action to prevent the completion of the port scan and block all future access by the host performing the scan
Chapter Summary



The most used port-scanning software is nmap, and graphical utilities are available as nmap front ends
Packet sniffers use the promiscuous mode of a NIC to capture all data passing through that node of the network, including all headers and payloads; Ethereal is a powerful and popular graphical packet sniffer
Packet sniffing is just one type of network traffic analysis, though the most comprehensive; other programs such as IPTraf help network administrators analyze network traffic patterns based on protocol, point of origin or destination, and other factors
Chapter Summary



The tcpdump program is a very popular network traffic analysis program that captures detailed information about network packets
Intrusion detection systems (IDS) are an important part of modern network security; they watch for signs of intruders trying to access your servers and help you respond appropriately
PortSentry is one piece of IDS software that detects port scans from programs like nmap. A more comprehensive package is LIDS, which alters the Linux kernel so that the root user has limited access
Chapter Summary



Big Brother is a simpler IDS that watches the status of network services on multiple servers through a Web page interface
Security audits using security policies or specialized software can help network administrators see potential security problems and fix them before someone else finds them
One popular security-auditing software tool is SAINT, and many others are available