Monitoring

Complex systems are always vulnerable to attack in one way or another, and keeping abreast of the latest known attack methods while protecting a system against them is a constant battle. In most major corporations not a day goes by without the network being attacked in some manner, whether by a simple port scan or a complex multi-stage intrusion; there is always something happening.

To properly secure a system, security administrators must constantly monitor it and be aware of these attacks as they happen. Monitoring can be done automatically or manually, but either way a policy of constant monitoring should be in place. This section discusses several monitoring methods and how each helps keep a network secure.

Intrusion Detection Systems

An intrusion detection system (IDS) is the high-tech equivalent of a burglar alarm: one configured to watch access points, hostile activity, and known intruders. A host-based IDS watches a single machine, while a network intrusion detection system (NIDS) watches the traffic of an entire network segment. These systems typically trigger by comparing observed activity against a database of attack signatures. When a match is made, an alert is raised and the event is logged for future reference.

Creating and maintaining the attack signature database is the most difficult part of working with IDS technology. It must always be kept current with the latest signature updates provided by the vendor, and supplemented with signatures derived from the administrator's own testing.

Attack signatures consist of several components that together uniquely describe an attack. An ideal signature is specific to the attack while remaining as simple as possible to match against the input data stream, because large, complex signatures impose a serious processing burden. Just as attacks vary, so must signatures. Some describe the characteristics of a single header field, for example the abnormal TCP flag combinations used by an nmap port scan, while others are derived from the actual payload of an attack.

Most signatures are constructed by running a known exploit several times, capturing the traffic as it appears on the network, and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit. Remember, the goal is the unique identification of a specific attack, not merely the detection that some attack occurred. One caveat: a signature taken from one exploit's traffic matches that exploit's packaging rather than the underlying vulnerability, so a variant that encodes its payload differently can slip past it; anchoring the signature on the bytes the attack cannot do without limits this problem.
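The two signature types described above, a header signature and a payload signature, in a minimal matching engine. This is an added example, not code from the study guide or any IDS product: the packet records, the signature IDs and the FTP byte pattern are constructed for illustration, and only the TCP flag constants are real protocol values.

```python
"""Minimal signature-based IDS over constructed packets.

Added example for illustration; not code from the study guide. The packet
records, the signature IDs and the byte patterns are constructed for this
example. Only the TCP flag values are real protocol constants.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in the header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: int            # TCP flags byte
    payload: bytes = b""


@dataclass
class Signature:
    sid: int
    name: str
    flags: Optional[int] = None              # header signature: flags byte must equal this
    dport: Optional[int] = None              # restrict to a destination port
    content: Optional[re.Pattern] = None     # payload signature: regex over raw bytes

    def matches(self, pkt: Packet) -> bool:
        """Cheap header checks run first; the regex runs only if they pass."""
        if self.flags is not None and pkt.flags != self.flags:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and not self.content.search(pkt.payload):
            return False
        return True


# Constructed signature database (SIDs are hypothetical).
SIGNATURES = [
    # nmap -sX sends FIN+PSH+URG with neither SYN nor ACK; no normal session does.
    Signature(1000001, "nmap Xmas scan", flags=FIN | PSH | URG),
    # nmap -sN sends a segment with no flags set at all.
    Signature(1000002, "nmap NULL scan", flags=0),
    # Payload signature: an FTP USER command with an implausibly long argument,
    # the shape of a classic buffer-overflow attempt against an FTP daemon.
    Signature(1000003, "FTP USER overflow attempt", dport=21,
              content=re.compile(rb"USER\s+[^\r\n]{100,}")),
]


def scan(packets: List[Packet], signatures=SIGNATURES) -> List[dict]:
    """Return one alert record per (packet, signature) match, in packet order."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append({"sid": sig.sid, "name": sig.name,
                               "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
    return alerts


def run_example() -> List[dict]:
    """Constructed traffic: two probes, one overflow attempt, two benign packets."""
    packets = [
        Packet("203.0.113.9", "192.0.2.10", 80, FIN | PSH | URG),
        Packet("198.51.100.4", "192.0.2.10", 80, SYN),
        Packet("203.0.113.9", "192.0.2.10", 443, 0),
        Packet("203.0.113.9", "192.0.2.20", 21, PSH | ACK, b"USER " + b"A" * 300 + b"\r\n"),
        Packet("198.51.100.4", "192.0.2.20", 21, PSH | ACK, b"USER anonymous\r\n"),
    ]
    return scan(packets)


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert['sid']}] {alert['name']}: "
              f"{alert['src']} -> {alert['dst']}:{alert['dport']}")
```

The header signatures cost one integer comparison per packet, while the payload signature costs a regex search, which is why `matches` evaluates the header fields first and why the text warns about the processing burden of large signatures.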

Alarms

Alarms work in conjunction with other automated monitoring or logging systems. The administrator specifies the parameters that indicate a problem: anything from a match on a specific attack signature to a processor utilization value that a firewall should never exceed. However the parameters are set, an alarm makes the administrator aware that a specific event has occurred, giving a chance to head off an attack or to fix a fault before the situation gets worse.

The purpose of an alarm is to give notice of a problem, and alarms can be configured to deliver that notice in several ways: paging, calling a telephone number and playing a recorded message, or notifying centralized monitoring personnel. However they are configured, alarms are a very useful tool for giving administrators early warning of developing problems and notification of current ones. Thresholds must be chosen with care: an alarm that fires on routine activity is soon ignored, and then fails to give notice when it matters.

Audit Trails

Audit trails provide a method of tracking or logging that allows security-related activity to be traced. A good audit system logs not only authentication transactions but also any use of rights or privileges. The following items should always be logged to create a useful audit trail:

  • Password changes

  • Privilege use

  • Privilege escalation

  • Account creations

  • Account deletions

  • Resource access

  • Authentication failures

In addition to these, any suspicious activity detected on the network, whether manually or by automated means, should be logged. Audit logs provide a trail for determining who has attempted to break into the system and serve as evidence in any legal action; charges have been dropped in cases where evidence such as audit logs was lacking. Because an intruder who gains sufficient privilege can alter the logs on the compromised host, the copy relied on as evidence should be forwarded to a separate, write-protected log host.

Violation Reports

A violation report is used extensively in monitoring an access control system. It shows any attempts at unauthorized access, and can be as simple as the list of failed logon attempts reported by the network operating system (NOS) or as complex as an attack report from an intrusion detection system. A good violation report shows any and all detectable attempts at unauthorized access.

When working with violation reports, remember that some number of unauthorized access attempts is normal. Users sometimes mistype a password or forget an ID, and there is no large Internet presence in the world that does not get port-scanned on a daily basis. Both activities appear on a violation report, but both are expected. The trick is knowing what actually indicates a problem. For example, if a single ID or group of IDs is repeatedly listed with failed login attempts, especially from one source address within a short period, someone may be trying to guess those accounts' passwords.

The term violation report covers any log that holds records of unauthorized access attempts: syslog storage, the Windows security audit log entries for failed attempts to access a file, the IDS logs, or the firewall's blocked-connection logs.
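The violation report just described, built from the authentication failures an audit trail records, with the kind of threshold alarm discussed under Alarms applied to it. This is an added example, not code from the study guide: the sshd log lines are constructed in syslog format, the hosts, users and addresses are invented, and the year is an assumption because syslog timestamps carry none. A single mistyped password (alice) stays in the report but never reaches the alarm threshold, while a burst of failures against one ID from one source (root) does.

```python
"""Violation report and threshold alarm over constructed sshd log lines.

Added example for illustration; not code from the study guide. The log lines
are constructed in the syslog format sshd writes; hosts, users and addresses
are invented. The year is assumed, since syslog timestamps carry none.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ASSUMED_YEAR = 2024   # syslog timestamps omit the year; assumption for parsing

# Constructed sample log. One user typo (alice), one burst against root and a
# non-existent account from a single source, and one stray failure (bob).
SAMPLE_LOG = """\
Mar 10 09:01:12 gw sshd[2011]: Failed password for alice from 10.0.0.5 port 51234 ssh2
Mar 10 09:01:30 gw sshd[2012]: Accepted password for alice from 10.0.0.5 port 51235 ssh2
Mar 10 09:02:01 gw sshd[2013]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 09:02:03 gw sshd[2014]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 10 09:02:05 gw sshd[2015]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 10 09:02:08 gw sshd[2016]: Failed password for invalid user admin from 203.0.113.9 port 40004 ssh2
Mar 10 09:02:10 gw sshd[2017]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 10 09:40:00 gw sshd[2030]: Failed password for bob from 10.0.0.7 port 50100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

Failure = Tuple[datetime, str, str]   # (time, user, source address)


def parse_failures(log: str) -> List[Failure]:
    """Extract failed-authentication events; successful logins are not violations."""
    failures = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["src"]))
    return failures


def violation_report(failures: List[Failure]) -> Dict[Tuple[str, str], int]:
    """The raw violation report: every failure, counted per (user, source)."""
    return Counter((user, src) for _, user, src in failures)


def threshold_alarm(failures: List[Failure], threshold: int = 3,
                    window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alarm parameter: `threshold` failures for one ID inside `window`.

    A single mistyped password never reaches the threshold, so the expected
    noise is filtered out while a password-guessing burst is reported.
    """
    by_user: Dict[str, List[Failure]] = defaultdict(list)
    for f in failures:
        by_user[f[1]].append(f)
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({"user": user, "count": len(burst),
                               "sources": sorted({e[2] for e in burst}),
                               "first": burst[0][0], "last": burst[-1][0]})
                break   # one alarm per ID per run is enough to page someone
    return alerts


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for (user, src), n in sorted(violation_report(fails).items()):
        print(f"{n:3d} failed logins for {user} from {src}")
    for a in threshold_alarm(fails):
        print(f"ALARM: {a['count']} failures for {a['user']} from {a['sources']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The report keeps every failure so the audit trail stays complete; only the alarm applies judgement, and its threshold and window are the parameters an administrator tunes to separate forgotten passwords from a guessing attack.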



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
