Getting and Implementing Your Protocol Analyzer
Analyzer Selection
• Standalone
• Distributed
• Software only
• Hardware/software
• My opinions…
Analyzer Placement – Hub Networks
[Diagram: Hub]

Analyzer Placement – Routed Networks
[Diagram: Router, Hub, Hub]
www.ieee.org
www.iana.org
www.ietf.org
www.packet-level.com
www.podbooks.com
www.sans.org
www.cert.org
Baselining the Network
Alarms/Alerts
Defining Alarms
Building Security Filters
Consider an Intruder Detection System
Active IDS
• Actively looking for attack signatures in real time.
• ISS Real Secure
Passive IDS
• Passively gathering data for later signature checking and correlation.
• Offline buffer filtering
Snort IDS
Link: www.snort.org
© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 17
• Off a hub
• Off a spanned/mirrored switch port
[Diagram: Switch, Hub, Client A, Client B, Server 1]
Forensics

Forensics and Other Tools
Forensic Computing
Forensic Ordering
Forensics
Unix Forensic Tools
Grave Robber
• memory
• netstat, route, arp, etc.
• capture process data
• log files

DiskSearch NT - A text search utility for Windows NT. It searches files, slack and erased space.
FileList NT - A disk catalog tool used to evaluate computer use timelines for normal and erased files on Windows NT systems.
PTable - A partition table analysis tool which is essential for the processing of NT-based systems.
Law Enforcement (LE) Tools
Tools we can only dream about
• Coroner’s Toolkit
• Encase
• A-TIP (Alarm-Triggered IP)
• Nasa VISAR
• Carnivore (FBI)
[Figure: Before VISAR Enhancement / After VISAR Enhancement]

[Diagram: routers 1–7 on the path between A = attacker and V = victim]
• Node Append <all rtrs>
• Node Sampling <one rtr each>
• Edge Sampling <outside rtrs>
• Compressed Edge Sampling <combo edge rtrs>
Case Studies
The situation:
Onsite training class – tapped into the live network.
Suddenly, the firewall was breached.
[Callout: filters based on blocked firewall ports]
Case #2: Dodging the Firewall
[Callout: filter based on Gnutella signature]

[Diagram: “Love That Copy Room!” – Confidential Files, Client List, Payroll Info, AR/AP Data, Expense Info]
Case #4: The Open Door Policy
[Diagram: CITRIX, Internet, Router, The Culprit]
Your Turn to Hack/Crack

More Training/Information
• Attend other analysis sessions
• US/Canada Roadshow (www.nuihotlabs.com)
• Hands-On Analysis, Troubleshooting and Cybercrime
• Classes (private and public)
• Read the specs alongside your analyzer
• Read books focusing on analysis and packet-level communications
• see www.podbooks.com
• Get online at www.packet-level.com—join the mailing list