List of Figures


Chapter 1: Introduction to Intrusion Detection

Fig. 1.1. The results of testing the security level of the DoD information system
Fig. 1.2. Levels of the Information System (IS)
Fig. 1.3. Attack via tunnels in a firewall
Fig. 1.4. An attack resulting from incorrect firewall configuration
Fig. 1.5. Bypassing a firewall (via a modem)
Fig. 1.6. Attacks bypassing the firewall (conducted by employees)
Fig. 1.7. Attack from a trusted network via a VPN connection
Fig. 1.8. Attack using a Trojan horse
Fig. 1.9. Attack by address spoofing
Fig. 1.10. Attack on the firewall
Fig. 1.11. Attack using an intercepted password

Chapter 2: Anatomy of an Attack

Fig. 2.1. A model of a security event
Fig. 2.2. Attack model
Fig. 2.3. An informal attack model
Fig. 2.4. "One-to-one" relationship
Fig. 2.5. "One-to-many" relationship
Fig. 2.6. Implementation of the attack via intermediate hosts
Fig. 2.7. "Many-to-one" relationship
Fig. 2.8. "Many-to-many" relationship
Fig. 2.9. Distributed attack
Fig. 2.10. Stages of attack
Fig. 2.11. The "Incident" model
Fig. 2.12. Complexity of attacks and intruder's skills

Chapter 4: The Three Basic Principles of Intrusion Detection

Fig. 4.1. Specifying the maximum number of login attempts permitted in Windows 2000
Fig. 4.2. Replacement of the external address
Fig. 4.3. Replacement of the internal address
Fig. 4.4. The Patch.exe process starting the NetBus Trojan
Fig. 4.5. Network scanning for detecting the NetBus Trojan
Fig. 4.6. Searching for information on IMAP service vulnerabilities at the rootshell.com server
Fig. 4.7. Analysis of the header returned by a web server
Fig. 4.8. A Windows 2000 Security Log file
Fig. 4.9. A typical anomaly detection system
Fig. 4.10. A typical misuse detection system

Chapter 5: Detecting Attack Traces

Fig. 5.1. Methods of analyzing attack information
Fig. 5.2. The hacked www.securityfocus.com server
Fig. 5.3. Control over the Windows registry
Fig. 5.4. Changing access rights to the system-registry keys
Fig. 5.5. The system variables
Fig. 5.6. Parameters of the controlled files

Chapter 6: Classification of Intrusion Detection Systems

Fig. 6.1. Classification of intrusion detection systems by attack stage
Fig. 6.2. Classification of intrusion detection systems by implementation principle
Fig. 6.3. Classification of security scanners by the type of vulnerability detected
Fig. 6.4. Classification of the methods for searching for implementation vulnerabilities
Fig. 6.5. Classification of the tools for searching for implementation vulnerabilities
Fig. 6.6. Network-level security scanner
Fig. 6.7. Security-scanner architecture (type 1)
Fig. 6.8. Security-scanner architecture (type 2)
Fig. 6.9. Security-scanner architecture (type 3)
Fig. 6.10. Security-scanner architecture (type 4)
Fig. 6.11. Security-scanner architecture (type 5)
Fig. 6.12. Architecture of the intrusion detection system
Fig. 6.13. Architecture of the intrusion detection system sensor
Fig. 6.14. Architecture of the intrusion detection system console
Fig. 6.15. Console fault-tolerant implementation
Fig. 6.16. Incorrect architecture in the intrusion detection system
Fig. 6.17. Hierarchical management of intrusion detection system sensors
Fig. 6.18. Three-level sensor-management scheme
Fig. 6.19. Components of the host-level intrusion detection system
Fig. 6.20. Components of the network-level intrusion detection system
Fig. 6.21. Comparison to the pattern (the second step)
Fig. 6.22. Comparison to the pattern (fourth and subsequent steps)
Fig. 6.23. Analysis of the protocol as a whole (the second step)
Fig. 6.24. Analysis of the protocol as a whole (the third step)
Fig. 6.25. Analysis of the protocol as a whole (the fourth step)
Fig. 6.26. Analysis of the protocol as a whole (the fifth step)
Fig. 6.27. DTK-Pro GUI
Fig. 6.28. The CyberCop Sting deception system

Chapter 7: Anticipating Attacks, or Creating an Intrusion Detection Infrastructure

Fig. 7.1. Chances of tracing an intruder based on the qualifications of the security personnel
Fig. 7.2. RealSecure synchronization mechanism

Chapter 8: The Life Cycle, Deployment, and Implementation of an IDS

Fig. 8.1. The life cycle of the IDS deployment project
Fig. 8.2. The criteria to be used during deployment and implementation

Chapter 9: Selecting an Intrusion Detection System

Fig. 9.1. A large company with remote affiliates
Fig. 9.2. An international corporation
Fig. 9.3. Mechanisms for updating intrusion detection systems
Fig. 9.4. Update center in a corporate network
Fig. 9.5. The CASL attack description system
Fig. 9.6. Controlling access to HTTP pages (using the example of the RealSecure Network Sensor system)
Fig. 9.7. Types of IDS responses to an attack
Fig. 9.8. Termination of the network connection
Fig. 9.9. Reconfiguring network equipment
Fig. 9.10. The SmlDS technology (first implementation)
Fig. 9.11. The SmlDS technology (second implementation)
Fig. 9.12. Managing the RealSecure intrusion detection system from the command line
Fig. 9.13. Managing RealSecure using the RealSecure Workgroup Manager graphic console
Fig. 9.14. Managing Specter using a graphic console
Fig. 9.15. Stealth mode
Fig. 9.16. IDS console backup
Fig. 9.17. IDS sensor backup
Fig. 9.18. Architecture of the Spitfire system
Fig. 9.19. Graphic user interface of the Spitfire system
Fig. 9.20. An example of a test bench for evaluating network intrusion detection systems

Chapter 10: Placement of the Intrusion Detection System

Fig. 10.1. Placing the network sensor between the router and firewall
Fig. 10.2. The network sensor in the demilitarized zone
Fig. 10.3. Placing the network sensor behind the firewall
Fig. 10.4. The network sensor placed near the remote access server
Fig. 10.5. The solution developed by TopLayer and Internet Security Systems
Fig. 10.6. The results of AS3502 AppSwitch testing
Fig. 10.7. Intrusion detection when using backup Internet connections
Fig. 10.8. Intrusion detection on e-commerce hosts
Fig. 10.9. Intrusion detection in asymmetric networks
Fig. 10.10. Hub operation
Fig. 10.11. A switch operation
Fig. 10.12. The network sensor and span port
Fig. 10.13. Combined usage of a hub and switch
Fig. 10.14. Splitter operation
Fig. 10.15. The Shomiti Century 12-Tap
Fig. 10.16. Using splitters and a network sensor
Fig. 10.17. Using a Century 12-Tap and network sensor
Fig. 10.18. Closing the connection using splitters
Fig. 10.19. Using a load balancer to protect a set of controlled segments
Fig. 10.20. Connecting a splitter to a load balancing device
Fig. 10.21. The Cisco Catalyst 6000 IDS Module
Fig. 10.22. Placement of a security scanner
Fig. 10.23. The first approach to deception system placement
Fig. 10.24. The second approach to positioning the deception system

Chapter 11: Using Intrusion Detection Systems

Fig. 11.1. Cisco IDS 4200
Fig. 11.2. RealSecure for Nokia (based on IP740, IP710, IP530, IP330, IP120, IP71, IP51, and IP30)
Fig. 11.3. SecureNet 7000
Fig. 11.4. The NID 300 family
Fig. 11.5. Stealth mode implementation
Fig. 11.6. Disabling unneeded ports and protocols (in RealSecure Network Sensor)
Fig. 11.7. Implementation of mapping numeric and symbolic names
Fig. 11.8. Mapping NetBIOS host names
Fig. 11.9. Implementation of the preliminary scanning mechanism
Fig. 11.10. Grouping protected devices in RealSecure SiteProtector
Fig. 11.11. Comparison of the security level for a specified time period
Fig. 11.12. Synchronization of log files
Fig. 11.13. The endless loop situation
Fig. 11.14. Firewall configuration for IDS support
Fig. 11.15. Scheduled start of Internet Scanner with a predefined template

Chapter 12: Common IDS Problems

Fig. 12.1. The interval between a report of a new attack and the release of a signature for it
Fig. 12.2. Dragon Server
Fig. 12.3. Specific features of the management system operation
Fig. 12.4. The potential danger of reconfiguring network equipment
Fig. 12.5. The potential danger of automatically terminating network connections
Fig. 12.6. Event Viewer

Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
Year: 2001
Pages: 152