PPT - EDUCAUSE Library


Unit 4: Freeware Security Tools
Use freeware tools to help evaluate commercial tools, or: "you have more tools than you think"
The Layers of Security
- Policy
- Awareness
- Risk Analysis
- Incident Response
- Free Tools
Educause MARC, 2003
Copyright 2002, Marchany
2
Suggested Strategy
- Use freeware tools to gain experience with your system/network environment.
- Gain experience with the features these tools provide so you can analyze a vendor tool more critically.
- Freeware tools are a good short-term solution.
- Vendor tools may be the better long-term solution.
The Tools
- Audit/Port Scanning Tools
  - Nessus
  - SAINT
  - SARA
  - Nmap, strobe
  - Tripwire, AIDE
- "Personal" Firewall
  - TCP Wrappers
  - Portsentry, IP Filter
  - ZoneAlarm, BlackICE, NeoWatch
The Tools
- Syslog Scanners
  - Logcheck
- Sniffers
  - snoop, iptrace, tcpdump
  - Netwatch (NT)
  - Snort
The Tools
- Sysadmin Tools
  - Big Brother
  - Password Checkers
    - Crack, nt-crack, l0phtcrack, npasswd, passwd+
  - lsof, inzider (NT)
  - sudo (Unix)
- Remote Control Tools
  - VNCviewer
- Homegrown Tools
  - Network management tools that can be used for incident response
Audit/Port Scan Tools
- These tools scan your systems and network for vulnerabilities.
- Some also perform integrity checks on designated files.
- They usually have good, HTML-based reporting.
Nessus
- Available from www.nessus.org
- Best of the scanning tools
- Easy to build for Linux, harder for Solaris; other OSes need work.
- Requires the GNU toolchain
- Provides HTML-based reports
- Distributed architecture: clients (Windows, Unix) and scanning engines (Unix only)
Nessus – Pros/Cons
- Pro
  - Easy to install if you have Linux
  - Most comprehensive tests for the money
- Con
  - Not that easy to understand at first
  - Non-Linux builds require GNU software
  - Some inconsistency in the quality of checks
  - The server runs only on Unix and keeps its own user accounts (created with nessus-adduser), so every client login must be set up there
SAINT
- Security Administrator's Integrated Network Tool
- Based on SATAN; developed by World Wide Digital Security, Inc. (www.wwdsi.com)
  - Gathers information on remote hosts/networks
  - Looks at finger, NFS, NIS, ftp, tftp, rexd, statd
  - Can run heavy, moderate or light probes against targets
- Checks for the SANS Top 10 threats
SARA
- Security Auditor's Research Assistant
  - www.www-arc.com/sara
- Checks for the SANS Top 10 threats
- Runs Unix and Windows vulnerability tests
- Has CVE dictionary support
- Search engine for post-audit analysis
- Has a report writer
Port Scanning Tools
- Strobe was one of the earliest port scanning tools.
  - Available from ciac.llnl.gov
- Nmap is the more sophisticated grandson of strobe.
  - Available from www.insecure.org
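Added example (not from the deck and not nmap's own code): once nmap has written a grepable listing with -oG, the useful next step is to pull out the legacy services the SAINT slide names (finger, NFS, NIS via the portmapper, ftp, tftp, rexd, statd) from whatever is open. The function below does that over a constructed -oG listing; the host names are reused from elsewhere in the deck, the scan itself is made up, and the service names follow nmap's services table (sunrpc/rpcbind for port 111).

```shell
#!/bin/sh
# Added example: triage nmap "grepable" (-oG) output for legacy services.
# Not nmap code. NMAP_GREPABLE is a constructed sample, not a real scan.
# An -oG host line looks like:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...<TAB>Ignored State: closed (N)
TAB=$(printf '\t')
NMAP_GREPABLE="# Nmap 3.00 scan initiated (constructed sample)
Host: 128.173.14.10 (cesgi1.ce.vt.edu)${TAB}Ports: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 79/open/tcp//finger///, 111/open/tcp//sunrpc///, 2049/open/tcp//nfs///${TAB}Ignored State: closed (995)
Host: 128.173.14.11 (web1.ce.vt.edu)${TAB}Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///${TAB}Ignored State: closed (997)
Host: 128.173.14.12 ()${TAB}Ports: 69/open/udp//tftp///, 512/open/tcp//exec///, 514/closed/tcp//shell///${TAB}Ignored State: closed (997)
# Nmap run completed"

# nmap_flag_legacy: read -oG lines on stdin and print "<ip> <port>/<proto> <service>"
# for every OPEN port whose service is on the legacy list. Returns 1 if anything
# was flagged and 0 for a clean listing, so it can gate a script.
nmap_flag_legacy() {
    awk -v risky="ftp telnet finger sunrpc rpcbind nfs tftp exec login shell rexd status" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^Host: / && /Ports: / {
        ip = $2
        ports = $0
        sub(/.*Ports: /, "", ports)                # keep only the port list
        sub(/[ \t]*Ignored State:.*/, "", ports)   # drop the trailing summary
        m = split(ports, p, /, */)
        for (i = 1; i <= m; i++) {
            split(p[i], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open" && (f[5] in bad)) { print ip " " f[1] "/" f[3] " " f[5]; found++ }
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Usage: printf '%s\n' "$NMAP_GREPABLE" | nmap_flag_legacy
```

The parser keys on the "Ports:" field rather than on column positions, so it works whether the tab between fields survived copy-and-paste or not, and only "open" entries count: the closed 514/tcp in the sample is ignored.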
Tripwire
- Available from www.tripwire.com
- First of the file integrity checkers
- Unix and NT versions available
  - Network-capable versions available
- The academic source release (ASR) is free; the commercial and NT versions are not. (Tripwire Open Source, a GPL release for Linux, is also available.)
- Useful for finding trojaned programs
Tripwire
- Generates a "signature" for each file based on checksums and other attributes (size, owner, permissions, timestamps).
- These signatures are stored in a database file that should be kept offline (read-only media): an intruder who can rewrite the database can hide any change.
- This is the baseline.
Tripwire
- To initialize the DB: tripwire -initialize
- Update the DB interactively: tripwire -interactive
- Non-interactive DB update: tripwire -update <filename>
- These are the ASR 1.x flags. Tripwire 2.x and Tripwire Open Source use tripwire --init, tripwire --check and tripwire --update -r <report> instead.
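The initialize/check/update cycle above, reimplemented as an added example with sha256sum so the workflow can be seen on any Unix box without Tripwire installed. This is not Tripwire's code or database format; it assumes GNU coreutils sha256sum and paths without whitespace, and the baseline file must live outside the tree it covers.

```shell
#!/bin/sh
# Added example: the Tripwire init/check cycle in miniature, using sha256sum.
# Not Tripwire's code or database format. Assumptions: paths contain no
# whitespace; sha256sum (coreutils) is available; BASELINE is not under DIR.

# integrity_init DIR BASELINE: record "<sha256>  <path>" for every regular
# file under DIR. The baseline plays the role of tripwire's database and
# should be copied to read-only media once written.
integrity_init() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# integrity_check DIR BASELINE: compare the current tree against the baseline
# and print one ADDED/CHANGED/REMOVED line per difference. Returns 1 if any
# difference was found, 0 if the tree still matches the baseline.
integrity_check() {
    current=$(mktemp) || return 2
    integrity_init "$1" "$current"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline hashes
        { cur[$2] = $1 }                               # second file: current hashes
        END {
            for (p in base) {
                if (!(p in cur))            { print "REMOVED " p; bad = 1 }
                else if (cur[p] != base[p]) { print "CHANGED " p; bad = 1 }
            }
            for (p in cur) {
                if (!(p in base))           { print "ADDED " p; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }' "$2" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# Usage on a scratch tree:
#   d=$(mktemp -d); printf 'hello\n' > "$d/a"
#   integrity_init "$d" "$HOME/baseline.txt"
#   printf 'tampered\n' > "$d/a"
#   integrity_check "$d" "$HOME/baseline.txt"    # prints CHANGED .../a, returns 1
```

The same trust problem the next slide raises applies here: if the attacker can edit the baseline, or replace sha256sum or awk, the check reports whatever they like, so the hashes and the tools that compute them both need to live somewhere the compromised host cannot rewrite.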
Tripwire
- Security issues
  - Need to protect the DB
  - Need to protect the tripwire executables themselves (a trojaned tripwire can report whatever the intruder wants)
- Advantages
  - Simple interface, good choice of cryptographic hash functions, good all-around tool
- Disadvantages
  - Kernel-module rootkits can hide changes from it (it trusts what the kernel returns), the initial tw.config takes some time to customize, the NT version is good but costs $$$, no network security
Personal Firewall Tools
- These tools monitor connection attempts to your system and give you the option of allowing or denying the access.
- They log the connection attempt to standard log files.
- More valuable than a real firewall, IMHO.
Portsentry/TCP Wrappers
- Portsentry is available from www.psionic.com
- TCP Wrappers is available from ciac.llnl.gov and a ton of other sites
- Any host that probes one of a list of "banned" ports is placed in /etc/hosts.deny
  - TCP Wrappers must be installed on the machine for that entry to have any effect
- TCP Wrappers logs attempts to connect to services
TCP Wrappers
- Everyone should buy Wietse Venema dinner for writing this tool.
- Purpose
  - Log network connections to a system
  - Let you filter who connects to the system
- Needs an inetd-like program to act as the dispatcher of network services
TCP Wrappers Features
- Lets you monitor/filter incoming requests for SYSTAT, FINGER, FTP, TELNET, the r-commands, TFTP, TALK and other network services.
- Provides access control to restrict which systems connect to which network daemons.
- Provides some protection against host spoofing: the PARANOID wildcard rejects clients whose forward and reverse DNS disagree, and ident (RFC 931) lookups can be requested.
TCP Wrappers
- Advantages
  - Logs and applies access controls to remote connections
  - Lets you define which daemons are wrapped
  - Does good reverse lookups on hosts
- Disadvantages
  - Ident service is not reliable (the remote host supplies the answer)
  - Only sees network daemons spawned by inetd
  - Doesn't wrap ALL services (RPC)
  - Could give a false sense of security
Portsentry
- Available from www.psionic.com
- Monitors ports and performs an action when an attempt to access one of them is made.
- Usually the probing system is denied further access.
- Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers.
Portsentry Configuration Files
- portsentry.conf contains the list of ports to be monitored and the action to take when one is hit (a hosts.deny entry, a route block, or an arbitrary command).
- 3 levels of paranoia: classic mode binds to the listed ports, stealth mode watches them without binding, and advanced stealth mode treats any unused port below a cutoff as a trigger.
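The decision TCP Wrappers makes, and the hosts.deny entry Portsentry feeds into it, as an added shell model; this is not the tcpd or portsentry source, and the two rule files are constructed here as variables standing in for /etc/hosts.allow and /etc/hosts.deny. It supports only a subset of the real syntax (ALL, exact names or addresses, "128.173." network prefixes, ".vt.edu" domain suffixes; no EXCEPT, netmasks or shell commands), which is an assumption of the example.

```shell
#!/bin/sh
# Added example: a model of tcpd's access decision plus Portsentry's reaction.
# Not tcpd/portsentry code. HOSTS_ALLOW and HOSTS_DENY are constructed stand-ins
# for /etc/hosts.allow and /etc/hosts.deny. Pattern subset (an assumption):
#   daemon list : client list   with ALL, exact names/IPs, trailing-dot network
#   prefixes and leading-dot domain suffixes. No EXCEPT, netmasks or commands.
HOSTS_ALLOW='# constructed hosts.allow
sshd    : 128.173. , .vt.edu
in.ftpd : 128.173.14.1'
HOSTS_DENY='# constructed hosts.deny (note: no ALL: ALL catch-all on purpose)
in.telnetd, in.ftpd : ALL'

# _tw_client_match PATTERN IP HOSTNAME -> 0 if the pattern covers this client
_tw_client_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot: network prefix
        .*)  case "$3" in *"$1") return 0 ;; esac ;;   # leading dot: domain suffix
        *)   [ "$1" = "$2" ] || [ "$1" = "$3" ] && return 0 ;;
    esac
    return 1
}

# _tw_rules_match RULES DAEMON IP HOSTNAME -> 0 if any rule line matches
_tw_rules_match() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        dmatch=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] && dmatch=0
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if _tw_client_match "$c" "$3" "$4"; then echo MATCH; break; fi
        done
    done | grep -q MATCH
}

# tcpd_decision DAEMON IP HOSTNAME: prints ALLOW or DENY, returns 1 on DENY.
# tcpd consults hosts.allow first, then hosts.deny; if neither matches the
# connection is GRANTED. That default is the "false sense of security" risk.
tcpd_decision() {
    if _tw_rules_match "$HOSTS_ALLOW" "$1" "$2" "$3"; then echo ALLOW; return 0; fi
    if _tw_rules_match "$HOSTS_DENY"  "$1" "$2" "$3"; then echo DENY;  return 1; fi
    echo ALLOW
    return 0
}

# portsentry_block IP: what Portsentry's hosts.deny action amounts to, appending
# "ALL : <ip>" so every wrapped daemon refuses that host from now on.
portsentry_block() {
    HOSTS_DENY="$HOSTS_DENY
ALL : $1"
}

# Usage: tcpd_decision in.fingerd 198.51.100.9 evil.example.net   # ALLOW (no rule)
#        portsentry_block 198.51.100.9
#        tcpd_decision in.fingerd 198.51.100.9 evil.example.net   # DENY
```

Two things the model makes visible: a daemon with no rule at all is allowed, so a hosts.deny without a catch-all leaves the door open for anything Portsentry has not yet seen; and because hosts.allow is consulted first, a Portsentry block in hosts.deny does nothing for a host that a broad hosts.allow entry (such as a whole domain) already admits.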
IP Filter
- Software package that can do NAT or basic firewall services.
- Designed to be used as a loadable kernel module but can be compiled into a Unix kernel.
- Can be configured to do IP accounting (count bytes), IP filtering, IP authentication or NAT.
- http://coombs.anu.edu.au/~avalon/ip-filter.html
IP Filter
- Can explicitly allow/deny any packet.
- Distinguishes between multiple interfaces.
- Filters by IP network, host or protocol.
- Filters by port number or port range.
- Logs the following:
  - TCP/UDP/ICMP/IP packet headers
  - First 128 bytes of the packet
  - Pass or blocked status
IP Filter
- Statistics collected include:
  - Packets blocked
  - Packets used for accounting (packet count)
  - Packets passed
  - Packets logged
  - Inbound/outbound packet information
IP Filter Log Format
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
Reading a line: after the syslog prefix, hme0 is the interface, @0:5 is rule 5 of group 0, b means blocked (p would be passed), then source,port -> destination,port, PR tcp is the protocol, len 20 40 gives the header and total lengths, -S is the TCP flag set (a SYN) and IN is the direction. All three are inbound SYNs to port 21 aimed at 198.82.255.255, a broadcast address, which looks like a sweep for FTP servers.
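Reading those lines by hand does not scale, so here is an added example (not IP Filter code) that summarises blocked packets by source address and destination port. IPMON_SAMPLE reuses the three slide lines, joined back onto one line each, plus one constructed "p" (passed) line to show that passed traffic is skipped; the spacing around "->" varies between a live syslog and a copied slide, so both forms are handled.

```shell
#!/bin/sh
# Added example: summarise ipmon "blocked" lines by source and destination port.
# Not IP Filter code. IPMON_SAMPLE = the three slide lines plus one constructed
# passed ("p") line.
IPMON_SAMPLE='Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
Jul 30 06:10:02 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 06:10:02.000001 hme0 @0:2 p 128.173.14.1,40001 -> 198.82.10.5,22 PR tcp len 20 60 -S IN'

# ipmon_blocked_by_source: read ipmon lines on stdin and print
# "<count> <src ip> -> port <dst port>", highest count first.
# Layout after the syslog prefix: <time> <iface> @<group>:<rule> <b|p>
# <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <plen> <flags> <IN|OUT>
ipmon_blocked_by_source() {
    awk '
    {
        action = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^@[0-9]+:[0-9]+$/) { action = $(i+1); src = $(i+2); rest = $(i+3); break }
        if (action != "b") next                         # b = blocked, p = passed
        dst = (rest == "->") ? $(i+4) : substr(rest, 3) # "-> x" or "->x" (slide form)
        split(src, s, ","); split(dst, d, ",")
        count[s[1] " -> port " d[2]]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Usage: printf '%s\n' "$IPMON_SAMPLE" | ipmon_blocked_by_source
# -> 2 194.143.66.126 -> port 21
#    1 203.90.84.163 -> port 21
```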
Logcheck
- Available from www.psionic.com
- Syslog keyword scanner
- When it matches something, it does something:
  - Send email
  - Page someone
  - Run a command
logcheck.violations
Keywords in this file denote a problem and are flagged by logcheck.

logcheck.ignore
Phrases listed in this file are ignored by the logcheck program.

logcheck.hacking
Keywords in this file indicate an attack is taking place.
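The three files above drive a simple grep pipeline, shown here as an added example (not logcheck's own script) over a constructed syslog extract. It assumes, as logcheck does, that each pattern is a case-insensitive grep basic regex on its own line; the choice to apply logcheck.ignore to the violations section as well, and to keep lines already reported out of the "unusual" section, is this example's own.

```shell
#!/bin/sh
# Added example: the keyword-scanning logic behind logcheck's three files.
# Not logcheck's script. The log and the pattern files below are constructed.
LOGCHECK_LOG=$(mktemp); LOGCHECK_HACKING=$(mktemp)
LOGCHECK_VIOLATIONS=$(mktemp); LOGCHECK_IGNORE=$(mktemp)
cat > "$LOGCHECK_LOG" <<'EOF'
Jul 30 02:11:04 myhost sshd[212]: Failed password for root from 203.0.113.7 port 4411
Jul 30 02:11:09 myhost in.telnetd[300]: refused connect from 203.0.113.7
Jul 30 02:12:00 myhost portsentry[110]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 111
Jul 30 02:13:00 myhost cron[55]: (root) CMD (run-parts /etc/cron.hourly)
Jul 30 02:14:00 myhost su: 'su root' succeeded for opsuser on /dev/pts/1
Jul 30 02:15:00 myhost named[77]: starting. named 8.2.3
EOF
cat > "$LOGCHECK_HACKING" <<'EOF'
attackalert
EOF
cat > "$LOGCHECK_VIOLATIONS" <<'EOF'
failed password
refused
su:
EOF
cat > "$LOGCHECK_IGNORE" <<'EOF'
cron.*CMD
su root' succeeded for opsuser
EOF

# logcheck_scan LOG HACKING VIOLATIONS IGNORE: print one line per hit, tagged
# ATTACK: / VIOLATION: / UNUSUAL: like logcheck's three report sections.
# Returns 1 if there is anything to report, 0 for a quiet log.
logcheck_scan() {
    log=$1; hacking=$2; violations=$3; ignore=$4
    hits=0
    # 1. Active system attacks: any hacking keyword, never suppressed by ignore
    attacks=$(grep -i -f "$hacking" "$log" || true)
    # 2. Security violations: violation keywords minus the ignore list
    viol=$(grep -i -f "$violations" "$log" | grep -i -v -f "$ignore" || true)
    # 3. Unusual events: everything else that is not ignored and not already reported
    unusual=$(grep -i -v -f "$ignore" "$log" | grep -i -v -f "$hacking" | grep -i -v -f "$violations" || true)
    for section in ATTACK VIOLATION UNUSUAL; do
        case $section in
            ATTACK)    body=$attacks ;;
            VIOLATION) body=$viol ;;
            UNUSUAL)   body=$unusual ;;
        esac
        [ -n "$body" ] || continue
        printf '%s\n' "$body" | sed "s/^/$section: /"
        hits=1
    done
    return $hits
}

# Usage: logcheck_scan "$LOGCHECK_LOG" "$LOGCHECK_HACKING" "$LOGCHECK_VIOLATIONS" "$LOGCHECK_IGNORE"
```

The ordering matters: the su line matches a violation keyword but is dropped by the ignore entry, while the Portsentry line is reported as an attack no matter what the ignore file says; a tuning mistake in logcheck.ignore therefore silences violations, not attacks.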
Zone Alarm
- Available from www.zonelabs.com
- Not quite free
- Client-based, application-level firewall
- Designed to prevent unauthorized sending and receiving of packets to/from your workstation
- Good defense against trojans: a program you did not expect to see trying to open a connection is blocked and reported
Configuring Zone Alarm
- ZA requires you to authorize each and every application that attempts to send or receive information over your network connection.
- The default is BLOCK. This pops up a window asking what to do.
Basic Setup
- Click the arrow in the ZA box that points down and to the right
- Click the Security button
- Verify local security is set to MEDIUM
- Verify Internet security is set to HIGH
- Click the Advanced button
- Do NOT put a checkmark next to your adapter; otherwise all machines in your subnet will be considered part of your local zone
- Click OK
BlackICE Defender
- Available from www.networkice.com
- Workstation version
  - End-user PC with a single connection
  - Tuned for common attacks on workstations
- Server version
  - Additional NT and W2K attack signatures
- The IcePac suite allows multiple agents to be managed from a single host. Can install agents remotely.
- Not quite free
NeoWatch
- Available from www.neoworx.com
- Another personal-firewall-type tool for Windows systems.
- Does a traceback to the originating site.
- Similar features to Zone Alarm and BlackICE Defender
- Can send data to a central site.
- Not quite free: $39.95. The trial version is free for 30 days.
Sniffers: snoop, iptrace, tcpdump, snort
- Some systems have built-in sniffers
  - Solaris - snoop
  - AIX - iptrace
  - Linux - tcpdump
  - NT/2000 - netwatch
- tcpdump is the generic sniffer for those systems with no built-in sniffer
Sniffer Output - Solaris Snoop
1042 0.10594 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 login:
1045 0.02429 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1046 0.02039 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1047 0.03137 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1050 0.09288 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1052 1.17258 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 b
1053 0.08960 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 b
1054 0.10377 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1055 0.08251 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 r
1056 0.04324 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 r
1087 0.24398 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 e
1090 0.01475 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 e
1093 0.07074 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 a
1094 0.11020 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 a
1105 0.07212 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 Password:
1108 0.02244 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1115 0.24651 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 p
1120 0.07970 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1122 0.00623 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 o
1123 0.11307 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1124 0.09368 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 o
1125 0.10588 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1126 0.08829 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 h
1127 0.13538 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1128 0.10856 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 b
1131 0.04106 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1133 0.16857 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 e
1136 0.02925 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
Each keystroke of the telnet login travels in its own cleartext packet (columns: packet number, delta time, source -> destination, protocol, C for client or R for server, port, data). The login name is echoed back by the server one character at a time; the characters typed after the Password: prompt are not echoed but are just as readable in the client packets. This is the case for replacing telnet with SSH.
Tcpdump Example
Big Brother
- Web-based system and network monitor
- Client/server model
  - Clients run on the systems you want to monitor
  - Simple shell scripts that monitor different aspects of your system and network
- What can it check?
  - Disk space, CPU utilization, critical processes, weather parameters, building monitors
Big Brother
- Color-coded web page showing a matrix of machines and monitored functions
- Notifies sysadmins by email, pager, SMS.
- System requirements
  - Unix: web server, /bin/sh, C compiler to port BB
  - NT: v4.0 with SP3 minimum, Intel or Alpha platforms
VNCViewer
- Available from www.uk.research.att.com/vnc
- Great remote control tool: Windows 95/98, NT, 2000, Macintosh and Unix clients
- Nice help desk tool
- It displays the remote desktop on your system.
- Provides the same remote control that the BackOrifice/BO2K trojans do, as a legitimate and better-built tool; for the same reason, an unexpected VNC server on a machine deserves the same suspicion as a trojan.
lsof, inzider
- These programs list the processes running on a system.
- They also list the files (and network sockets) opened by those processes.
- Useful for finding where a sniffer's log file is located
Sample lsof Utility Output
# ./lsof /sbin/racket.udp
COMMAND    PID USER  FD  TYPE DEVICE     SIZE/OFF INODE NAME
racket.ud  450 root  txt VREG 128, 16       20332 15836 /sbin/racket.udp

# ./lsof -p 450
COMMAND    PID USER  FD  TYPE DEVICE     SIZE/OFF INODE NAME
racket.ud  450 root  cwd VDIR 128, 16        1024     2 /
racket.ud  450 root  txt VREG 128, 16       20332 15836 /sbin/racket.udp
racket.ud  450 root  txt VREG 128, 16     1483100   904 /lib/libc.so.1
racket.ud  450 root  txt VREG 128, 16      585876  2051 /lib/rld
racket.ud  450 root  3u  inet 0x8af730e4       0t0       TCP *:3038

# ./lsof -p 1423,1424
COMMAND    PID USER  FD  TYPE DEVICE     SIZE/OFF INODE NAME
racket.ud 1423 root  cwd VDIR 128, 16        1024     2 /
racket.ud 1423 root  txt VREG 128, 16       20332 15836 /sbin/racket.udp
racket.ud 1423 root  txt VREG 128, 16     1483100   904 /lib/libc.so.1
racket.ud 1423 root  txt VREG 128, 16      585876  2051 /lib/rld
racket.ud 1423 root  0u  inet 0x89c804e0     0t373       TCP cesgi1.ce.vt.edu:3038->sable.cc.vt.edu:4894
racket.ud 1423 root  1u  inet 0x8a8d8d60     0t225       TCP cesgi1.ce.vt.edu:1307->vtaix.cc.vt.edu:telnet
racket.ud 1424 root  cwd VDIR 128, 16        1024     2 /
racket.ud 1424 root  txt VREG 128, 16       20332 15836 /sbin/racket.udp
racket.ud 1424 root  txt VREG 128, 16     1483100   904 /lib/libc.so.1
racket.ud 1424 root  txt VREG 128, 16      585876  2051 /lib/rld
racket.ud 1424 root  3u  inet 0x8af730e4       0t0       TCP *:
Reading it: PID 450 is a root process listening on TCP port 3038. PID 1423 has a network socket on fd 0 (an inbound connection from sable.cc.vt.edu to port 3038) and another on fd 1 (an outbound telnet to vtaix.cc.vt.edu), that is, its standard input and output are both network connections, which is what a backdoor relaying a session looks like. Only lsof's view of open sockets reveals this; a file listing alone would show nothing unusual about /sbin/racket.udp.
Fport
- Available from www.foundstone.com
- Windows version of lsof
  - Shows the ports and the programs listening on those ports
  - Current version (9/20/01): 1.33
Active Ports
- Similar to fport
- Keeps an open window showing the processes listening on ports.
- Free for Windows platforms
LANGuard Monitor
- Use it to scan your networks for information on Windows systems.
- Collects network interface addresses, NetBIOS names, IP addresses, open ports, etc.
- Scans an individual system or whole subnets
- Available from www.gfi.com
Sysadmin Tools
- sudo
  - Unix access control is all (root) or nothing (user).
  - Some commands (backup, restore) are restricted to root but are really an OPERATOR-class task.
  - You don't want an operator to have root access, but you do want them to do backups.
  - sudo lets you set up this "pseudo" privilege scheme.
sudo
- sudo uses the user's identity and the host to restrict which commands the user can run as root.
- In effect it is restricted root access: individual commands, not a shell (unless you grant one, which defeats the point).
- The user is prompted for a password before the command runs; by default this is the user's own password, not root's.
sudo
- The sudoers file lists the commands, shells and hosts on which a user may execute commands.
- Always list the full path name for commands; sudoers entries are matched on the full path.
- Notifies sysadmins if illegal use of sudo is attempted.
- Notifies sysadmins if a user in sudoers tries to run a restricted command.
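The sudoers rules the slides warn about (commands without a full path, rules that grant ALL, rules that hand out a shell) can be checked mechanically. The function below is an added example, not sudo's own code and not a replacement for visudo -c; it understands only the one-line rule and Cmnd_Alias forms in the constructed sample and assumes no "\" continuation lines or nested aliases. The Defaults line shows the real sudo options that produce the notifications the slide mentions.

```shell
#!/bin/sh
# Added example: a lint for risky sudoers entries. Not sudo code; complements,
# does not replace, "visudo -c". Handles only the forms in the sample below
# (assumption: no continuation lines, no nested Cmnd_Alias references).
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample /etc/sudoers (not a real site's file)
User_Alias  OPERATORS = oper1, oper2
Cmnd_Alias  BACKUP = /usr/sbin/ufsdump, /usr/sbin/ufsrestore
Defaults    mail_badpass, mail_no_user, mail_no_perms   # mail the admin on misuse
OPERATORS   ALL = BACKUP                       # good: alias of full-path commands
oper3       ALL = ufsdump                      # bad: no full path
helpdesk    ALL = (root) /bin/sh               # bad: a shell as root
intern      ALL = ALL                          # bad: unrestricted root
EOF

# sudoers_lint FILE: print one "WARN ..." line per risky entry; return 1 if any.
sudoers_lint() {
    awk '
    function check(list, where,    n, a, i, c) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) {
            c = a[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL")                          { print "WARN " where ": grants ALL (unrestricted root)"; bad = 1 }
            else if (c ~ /^[A-Z][A-Z0-9_]*$/)        continue   # reference to a Cmnd_Alias
            else if (c !~ /^\//)                     { print "WARN " where ": command without full path: " c; bad = 1 }
            else if (c ~ /\/(sh|bash|csh|ksh|su)$/)  { print "WARN " where ": grants a shell: " c; bad = 1 }
        }
    }
    { sub(/[ \t]*#.*$/, "") }                          # strip comments
    /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    /^[ \t]*(User|Host|Runas)_Alias/ { next }
    /^[ \t]*Cmnd_Alias/ { name = $2; sub(/^[^=]*=[ \t]*/, ""); check($0, "Cmnd_Alias " name); next }
    /=/ {
        cmds = $0
        sub(/^[^=]*=[ \t]*/, "", cmds)                 # everything after "="
        sub(/^\([^)]*\)[ \t]*/, "", cmds)              # drop the "(runas)" list
        sub(/^(NOPASSWD|PASSWD):[ \t]*/, "", cmds)     # drop a tag
        check(cmds, "rule for " $1)
        next
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Usage: sudoers_lint "$SUDOERS_SAMPLE"
# -> WARN rule for oper3: command without full path: ufsdump
#    WARN rule for helpdesk: grants a shell: /bin/sh
#    WARN rule for intern: grants ALL (unrestricted root)
```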
Proactive Password Tools
- Most newer OSes let you set password rules in config files.
- Crack is still the best of the bunch. Note that Crack is reactive: it audits hashes that are already set, while npasswd and passwd+ reject a weak password at the moment it is chosen.
- npasswd and passwd+ are two older but still effective tools.
- npasswd is a good tool for those who don't want to spend a lot of time configuring a password checker.
- passwd+ requires more configuration time.
Crack
- The first of the really good password crackers. Available on the net for the past 10 years.
- Easy to customize. Works on classic (non-shadow) password files: on a shadowed system, merge passwd and shadow first (Crack ships scripts for this) or feed it the NIS/NIS+ map. Can be distributed across systems.
- http://www.users.dircon.co.uk/~crypto/
- Crack Results Example
npasswd
- Uses ASCII or DBM-format dictionaries. If the password is in the dictionary, it's rejected. Case-folded and reversed-word checks are done.
- Does singlecase (Yes/No) checks
  - Allow passwords in one case. Default = No.
- Does control-character (Yes/No) checks.
  - Allow passwords with ASCII control characters in them. Default = Yes.
- Does min/max length checks.
npasswd
- Checks for 3 sequential occurrences of the same character. This value can be modified.
- Does an illegal-character check (^C, ^D, ^G, ^J, ^M, ^O, ^Q, etc.).
- Good, quick, easy tool to use.
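The checks listed on the two npasswd slides (dictionary with case-folded and reversed lookups, single case, control characters, length, runs of the same character), collected into one function as an added example. It is not the npasswd source; the dictionary is constructed, and the defaults are this example's (min 8, max 64, reject 3 repeats, single-case rejected as in npasswd, control characters rejected, which flips npasswd's "Default = Yes" on purpose).

```shell
#!/bin/sh
# Added example: npasswd-style proactive password checks in shell/awk.
# Not npasswd code. NPASSWD_DICT is a constructed four-word dictionary.
# Defaults below are this example's; override with NPASSWD_MINLEN,
# NPASSWD_MAXLEN, NPASSWD_MAXREP, NPASSWD_SINGLECASE=1, NPASSWD_CONTROL=1.
NPASSWD_DICT=$(mktemp)
printf 'password\nsecret\nletmein\nwelcome\n' > "$NPASSWD_DICT"

# npasswd_check PASSWORD DICTFILE: prints "accepted" or "rejected: <reason>";
# returns 1 when rejected. The password goes in through the environment so
# that awk does not interpret backslashes in it.
npasswd_check() {
    PW="$1" awk -v minlen="${NPASSWD_MINLEN:-8}" -v maxlen="${NPASSWD_MAXLEN:-64}" \
        -v maxrep="${NPASSWD_MAXREP:-3}" -v allow_single="${NPASSWD_SINGLECASE:-0}" \
        -v allow_ctrl="${NPASSWD_CONTROL:-0}" '
    function rep(ch, k,    s, j) { s = ""; for (j = 0; j < k; j++) s = s ch; return s }
    BEGIN {
        pw = ENVIRON["PW"]; lpw = tolower(pw); n = length(pw)
        rpw = ""; for (i = n; i >= 1; i--) rpw = rpw substr(lpw, i, 1)
    }
    # dictionary: one word per line; reject exact, case-folded and reversed hits
    { w = tolower($0); if (w != "" && (w == lpw || w == rpw)) { reason = "dictionary word: " $0; bad = 1; exit } }
    END {
        if (!bad) {
            if (n < minlen)       reason = "shorter than " minlen " characters"
            else if (n > maxlen)  reason = "longer than " maxlen " characters"
            else if (!allow_single && (pw == lpw || pw == toupper(pw))) reason = "single case"
            else {
                for (i = 1; i <= n; i++) {
                    c = substr(pw, i, 1)
                    if (!allow_ctrl && (c < " " || c == "\177")) { reason = "control character at position " i; break }
                    if (i >= maxrep && substr(pw, i - maxrep + 1, maxrep) == rep(c, maxrep)) { reason = maxrep " repeated characters"; break }
                }
            }
            if (reason != "") bad = 1
        }
        if (bad) { print "rejected: " reason; exit 1 }
        print "accepted"
    }' "$2"
}

# Demo on a few constructed candidates (exit status ignored here):
for p in password DROWSSAP 'Xk9!mQ2v' Sh0rt lowercaseonly9 Paaassword1; do
    printf '%-16s ' "$p"; npasswd_check "$p" "$NPASSWD_DICT" || :
done
```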
Home Grown Tools
- Build site-specific packages for the tools
  - Preconfigured with your site information
  - Easy to install (pkgadd, RPM)
  - Put them on a CD so you can configure machines offline, before they are ever exposed to the network
  - Preconfigured Tripwire, SSH, IP Filter, lsof
- CIS Security Benchmark scripts
- Other firewall installation scripts
Home Grown Tools
- Our network management group developed a couple of tools for their own use.
- Our CIRT can use the same tools to track an attack in our network.
- Our netadmins control the ENTIRE university net and developed these tools to help them manage, fix and bill usage of net resources. SQL front ends to an Oracle DB.
Using the Tools – A Strategy
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Followup
Preparation
- Unix host systems
  - Install TCP Wrappers, Portsentry, logcheck, tripwire, lsof, ipfilter
- NT/2000
  - inzider, syslog converters
- Network
  - Ingress and egress filters in place
  - Router logs in place
Detection
- Portsentry, TCP Wrappers and personal firewall tools usually send the first alarm.
- Network router filters may trigger an alarm as well.
- Once an event is detected, reaction mechanisms are enabled.
Containment
- Detection tools give the source IP address.
- Router blocks may be enabled to prevent additional attacks.
- The HC++ tool is used to isolate the offending system.
- Portsentry or personal firewall tools prevent further access to the systems.
Eradication
- HC++ tool used to shut off the internal port.
- Router blocks on the external IP address.
- Tripwire identifies the added or altered files so they can be removed.
- Network backup software can be used to verify this. Why? Most network backup software does incremental backups, so the backup catalog captures a newly installed file.
Recovery
- "Jumpstart"-style OS installation
- Network and regular backup software
- File servers may limit the damage
Followup
- See what components worked.
  - Could additional scanning have detected the holes?
  - How fast did the reaction mechanisms work?
  - Did the internal network tools work?
  - Did the backup procedures work?
  - What didn't work? Why? How?
Summary
- There are some excellent freeware tools that will help you with sysadmin and security issues at your site.
- Use these tools to gain experience in evaluating vendor tools.
- A combination of vendor and freeware tools is desirable.
- There are MORE tools out there.
Where to Get the Tools
- http://ciac.llnl.gov
  - TCP Wrappers, crack, tcpdump, lsof
- http://www.wwdsi.com
  - SAINT
- http://www.www-arc.com/sara
  - SARA
- http://www.tripwire.com
  - tripwire
Where to Get the Tools
- http://www.psionic.com
  - Logcheck, portsentry
- http://www.uk.research.att.com/vnc
  - VNCViewer
- http://www.insecure.org
  - Nmap
- http://www.ssh.org
  - SSH
Where to Get the Tools
- www.nessus.org
  - Nessus
- http://packetstormsecurity.com