Network Monitoring - Southern Oregon University


Network Assessment
• How intrusion techniques contribute to system/network security
• Network and system monitoring
• System mapping
• Ports, OS, applications and purpose
• Network mapping
• Legal issues
Network Monitoring
• General
• Purpose
• Functions
• Applications
• Design
• NIDS – Network Intrusion Detection System
• IPS – Intrusion Prevention System
Network and System Scanning
• What application versions are running?
• What services are running?
• What ports/services are open?
• What does the network look like?
• What can the external world see?
• Have any of these changed?
Network Assessment
• What do the other systems look like?
• What does my system look like to outsiders?
• Remote system characterization
• LAN topology
Tools
• nmap
• nessus
Network Assessment
• Planning
• Initial reconnaissance
• System enumeration
• Service enumeration
• Vulnerability discovery
Planning
• Pick an appropriate time window
• You will probably crash operational systems
• You will need admin support
• Estimate the possible risks
• Determine costs – staff hours
• Get management approval in writing
• Make sure everyone buys into what you are doing
Initial Reconnaissance
• Corporate structure
• Web surfing
» Web browser
» www.copernic.com
• whois
• host
• NetScanTools Pro
» DNS information
• nslookup
» DNS information
» Should return minimal info if well configured
System Enumeration
• Using information from the initial recon phase
• Discover more hosts and servers
• Perimeter defense may block some scans
• Directly probe target network
• Combine discovery and analysis techniques
• Structure of network
• Perimeter design
Tools
• traceroute
• The important info for this phase
» Target routers and DNS servers
» What is the route from a server to the Internet
» Often server names give geographic or organizational info
Tools
• Network scanners
• ICMP – fping and pinger
» Looks for systems that return ICMP messages
• TCP, UDP – nmap
» Searches the entire range of IP addresses allocated to a network
Service Enumeration
• Now find out what is available on each system
• Services
• Ports open, ports filtered, OS
• Application versions
• System policies
• Password policy
• Users, domains, system names
Tools
• nmap
• LANGuard
• www.gfisoftware.com/languard/lanscan.htm
• Used as a LAN audit tool, $249
• Telnet and banner retrieval
» SSH announces its version as soon as the connection opens; HTTP says nothing until you send a request, so type the request line followed by an empty line
C:\>telnet sou.edu 22
SSH-1.99-OpenSSH_3.1p1
C:\>telnet www.sou.edu 80
HEAD / HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Sun, 02 Mar 2003 20:46:44 GMT
Server: Apache/1.3.27 (Unix) (Red Hat/Linux mod_ssl/2.8.12 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.1.2 mod_perl/1.24
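The two steps the System Enumeration and Service Enumeration slides describe, a TCP connect scan over a port list followed by banner retrieval on each open port, as one added example. This is not code from the slides and not nmap, telnet or LANGuard; it uses only the Python standard library. So that it runs offline it does not touch sou.edu: it starts two constructed services on the loopback interface (a fake SSH daemon and a fake HTTP daemon) whose banners copy the ones quoted above, then scans them plus a port that is known to be closed. The function names (start_fake_services, scan, grab_banner, server_header) are the example's own.

```python
"""Connect-scan a list of ports and grab the banner of whatever answers.

Added example, not from the original slides. The SSH and HTTP listeners
below are constructed stand-ins for the sou.edu hosts in the slides.
"""
import socket
import threading

# Constructed banners, copied from the slide's telnet session.
SSH_BANNER = b"SSH-1.99-OpenSSH_3.1p1\r\n"
HTTP_RESPONSE = (
    b"HTTP/1.1 501 Method Not Implemented\r\n"
    b"Date: Sun, 02 Mar 2003 20:46:44 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) (Red Hat/Linux mod_ssl/2.8.12 "
    b"OpenSSL/0.9.6 DAV/1.0.2 PHP/4.1.2 mod_perl/1.24\r\n"
    b"Connection: close\r\n\r\n"
)


def _ssh_handler(conn):
    conn.sendall(SSH_BANNER)            # a real sshd speaks first


def _http_handler(conn):
    conn.settimeout(2.0)
    conn.recv(1024)                     # wait for the client's request line
    conn.sendall(HTTP_RESPONSE)


def _serve(listener, handler):
    """Accept connections until the listener is closed (runs as a daemon thread)."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        with conn:
            try:
                handler(conn)
            except OSError:             # client went away early; keep serving
                pass


def start_fake_services():
    """Start the two fake daemons on ephemeral loopback ports.
    Returns ({port: "ssh" | "http"}, [listening sockets])."""
    services, listeners = {}, []
    for name, handler in (("ssh", _ssh_handler), ("http", _http_handler)):
        lst = socket.socket()
        lst.bind(("127.0.0.1", 0))
        lst.listen(5)
        listeners.append(lst)
        services[lst.getsockname()[1]] = name
        threading.Thread(target=_serve, args=(lst, handler), daemon=True).start()
    return services, listeners


def stop_fake_services(listeners):
    for lst in listeners:
        lst.close()


def pick_closed_port():
    """Reserve and release an ephemeral port so the scan has a known-closed port."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def grab_banner(host, port, timeout=0.5):
    """TCP connect, then return whatever the service volunteers. If it stays
    silent (HTTP waits for a request) send the HEAD request the slide typed
    into telnet and return the reply instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except OSError:                 # timeout: service did not speak first
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(4096)
            except OSError:
                data = b""
    return data.decode("latin-1")


def scan(host, ports, timeout=0.5):
    """Connect scan (what nmap -sT does): {port: banner} for every port that
    completed the handshake. Refused and timed-out ports are left out."""
    found = {}
    for port in ports:
        try:
            found[port] = grab_banner(host, port, timeout)
        except OSError:                 # ECONNREFUSED, timeout, no route
            continue
    return found


def server_header(banner):
    """Value of the HTTP Server: header in a banner, or None if there is none."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    services, listeners = start_fake_services()
    try:
        results = scan("127.0.0.1", sorted(services) + [pick_closed_port()])
        for port, banner in sorted(results.items()):
            print(port, services[port], banner.splitlines()[0])
            print("   Server:", server_header(banner))
    finally:
        stop_fake_services(listeners)
```

A connect scan completes the three-way handshake, so every probe lands in the target's logs and in any NIDS on the path; that is why the Planning slide insists on written approval before running it. Against a real network, replace the loopback host and the two fake listeners with the address range from the system enumeration phase, and keep the timeout short: a filtered port (dropped by a firewall) costs a full timeout, while a closed one is refused at once.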
Vulnerability Discovery
• Vulnerability scanners
• Work at the application layer
• Most of these scanners also do network and port scanning
• Best to start from the beginning
» Initial reconnaissance, system enumeration, service enumeration, vulnerability discovery
Vulnerability Discovery
• Tools
• Nessus – open source, very complete
• ISS Internet Scanner – Windows, $$
• Retina – Windows, good GUI, $$
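What "working at the application layer" looks like in its simplest form: take the version strings collected during service enumeration and compare them against a minimum-version policy. This is an added example, not code from the slides and not how Nessus, ISS or Retina implement their checks. The banners are the ones quoted in the telnet session above; the baseline versions are constructed for the example and are not taken from any advisory, so an assessor would replace them with the versions their own patch policy requires. The names parse_components, check_banner and check_host are the example's own.

```python
"""Banner-based version check against a minimum-version policy.

Added example, not from the original slides. The baseline is constructed
and arbitrary; it is not vulnerability data.
"""
import re

# Constructed sample input: the banners quoted in the slides' telnet session.
SAMPLE_BANNERS = {
    22: "SSH-1.99-OpenSSH_3.1p1",
    80: "Apache/1.3.27 (Unix) (Red Hat/Linux mod_ssl/2.8.12 OpenSSL/0.9.6 "
        "DAV/1.0.2 PHP/4.1.2 mod_perl/1.24",
}

# Constructed baseline: arbitrary minimum versions chosen for the example.
CONSTRUCTED_BASELINE = {
    "Apache": "1.3.30",
    "OpenSSL": "0.9.7",
    "PHP": "4.2.0",
    "OpenSSH": "3.4",
    "mod_ssl": "2.8.12",
}

# product/version or product_version tokens, e.g. Apache/1.3.27, OpenSSH_3.1p1
TOKEN = re.compile(
    r"(?P<name>[A-Za-z][A-Za-z_-]*?)[/_](?P<ver>\d+(?:\.\d+)+(?:p\d+)?)"
)


def version_key(ver):
    """'3.1p1' -> (3, 1, 1): integer tuples compare element-wise like versions."""
    return tuple(int(x) for x in re.findall(r"\d+", ver))


def parse_components(banner):
    """{product: version} for every product/version token in a banner."""
    return {m.group("name"): m.group("ver") for m in TOKEN.finditer(banner)}


def check_banner(banner, baseline):
    """[(product, version, status)] with status 'below baseline', 'ok', or
    'no baseline' when the policy says nothing about that product."""
    findings = []
    for name, ver in parse_components(banner).items():
        if name not in baseline:
            status = "no baseline"
        elif version_key(ver) < version_key(baseline[name]):
            status = "below baseline"
        else:
            status = "ok"
        findings.append((name, ver, status))
    return findings


def check_host(banners, baseline):
    """Run check_banner over every port's banner: {port: findings}."""
    return {port: check_banner(b, baseline) for port, b in banners.items()}


if __name__ == "__main__":
    for port, findings in check_host(SAMPLE_BANNERS, CONSTRUCTED_BASELINE).items():
        for name, ver, status in findings:
            print(f"port {port}: {name} {ver}: {status}")
```

Treat a "below baseline" result as a lead, not a finding: the Server header above says "Red Hat/Linux", and distribution vendors backport fixes without changing the upstream version number, so a banner check alone produces false positives. Real scanners follow up with a credentialed or behavioural test, and a "no baseline" entry tells you the policy itself has a gap.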
Summary
• Network assessment
• Be CAREFUL
• Scanning or probing systems you are not authorized to test is ILLEGAL