Network Devices

There are many devices that are utilized to create a functional data network. It is important to take time to understand how each of these devices works, to better understand how each one can be attacked and what security risks are associated with it. While some devices such as NICs, hubs, and switches provide simple network connectivity, there are other devices that are strictly geared towards security, such as firewalls and intrusion detection systems (IDSs).

Network Interface Cards

A Network Interface Card (NIC) allows a computer to connect to and access a data network. There are many types of NICs that can connect to a variety of different networks. Some NICs can function on a variety of network topologies, but this section focuses on the most common NIC, which functions on an Ethernet network. A NIC is a computer's physical connection to the network. It is responsible for sending and receiving the actual bits of data to and from the network so that the computer can then process the data.

A NIC is assigned a unique MAC address that allows it to function on a network. If any two computers on a network are assigned the same MAC address, data communications cannot continue reliably. The MAC address is usually programmed into the read-only memory (ROM) of a NIC and cannot be changed there. Note, however, that the MAC address a NIC presents to the network can be overridden in software, depending on the operating system being used. MAC address spoofing is commonly used to bypass security mechanisms that rely on MAC addresses.

Common Problems

As frames travel over the wire, bad cabling, transceivers, and other physical layer issues can cause corruption. Although many errors occur at Layer 2, the following are some of the more common ones:

  • Runts   In Ethernet networks, the minimum frame length is 64 bytes. If a frame is shorter than 64 bytes, it is called a runt. Runts are sometimes caused by collisions, which is normal behavior. However, they can also be caused by bad hardware, transmission problems, or poor network design.

  • Giants   The maximum frame length in Ethernet is 1518 bytes, although the practical limit is 1500. If a frame is larger than 1518 bytes, it is considered a giant. Giants are generally caused by bad transmitters on a NIC. They can also be caused by transmission problems, either by the addition of garbage signals or by corruption of the bits that indicate the frame size. PPPoE, which is used for most Digital Subscriber Lines (DSL), has a maximum frame length of 1492 bytes.

  • CRC   CRC errors occur when the FCS value on the Ethernet frame does not match the calculated FCS value. These errors are caused when frames are damaged in transit.

  • Alignment Errors   All frames should end on an 8-bit boundary. If a problem on the network causes the frame to deviate from this boundary, an alignment error occurs. Misaligned frames are caused by either the transmitting NIC or bad cabling. Alignment errors can also be caused by a poorly designed network that does not meet Ethernet specifications.

Hubs

A hub is the central location on a network to which all physical wires connect; it is where all cables on an Ethernet network are terminated. A hub typically allows network operations to function at 10 Mbps or 100 Mbps. Hubs are typically dumb centers of a network that forward data packets received on one port to all other ports on the hub. This is a high security risk because any computer connected to the hub can intercept any packet that passes through it, and thus the traffic of the entire segment.

Switches

A switch, also referred to as an enhanced hub, performs the basic functions of a hub but also provides many other features not supported by a hub. For example, a switch can provide network monitoring and management capabilities. Depending on the vendor and device features, you can sometimes connect to a switch and view statistics such as which ports are the most active, what speeds different ports are operating at, and where the most errors are occurring. A switch can also contain non-volatile memory that can hold configuration settings through a power outage. A switch provides security improvements over a typical hub because it only forwards packets to their appropriate destination. The switch keeps a table of MAC addresses mapped to specific ports to determine which ports should receive the data packets. A switch can still be vulnerable to attacks. A collection of tools called dsniff, available at http://monkey.org/~dugsong/dsniff, provides various methods for attacking a switch.

There are two common modes that a switch can operate in. These are

  • Store-and-forward Mode   In this mode, the switch checks each packet for errors before it is sent to its destination. This can be overwhelming for a switch in high traffic networks and can cause a network outage similar to a DoS attack.

  • Cross-Point   This mode forwards traffic without checking for errors first. This allows for faster network performance when compared to a store-and-forward switch.

Exercise 7.01: ARP Spoofing


ARP spoofing can be quickly and easily done with a variety of tools, most of which are designed to work on UNIX operating systems. One of the best all-around suites is a package called dsniff. It contains an ARP spoofing utility and a number of other sniffing tools that can be beneficial when spoofing.

To make the most of dsniff you will need a Layer 2 switch, into which all of your lab machines are plugged. It is also helpful to have various other machines doing routine activities such as Web surfing, checking POP mail, or using Instant Messenger software.

  1. To run dsniff for this exercise, you will need a UNIX-based machine. To download the package and to check compatibility, visit the dsniff Web site at www.monkey.org/~dugsong/dsniff.

  2. After you have downloaded and installed the software, you will see a utility called arpspoof. This is the tool that you will be using to impersonate the gateway host. The gateway is the host that routes the traffic to other networks.

  3. You will also need to make sure that IP forwarding is turned on in your kernel. If you are using *BSD UNIX, you can enable this with the sysctl command (sysctl -w net.inet.ip.forwarding=1). After this has been done, you should be ready to spoof the gateway.

  4. Arpspoof is a really flexible tool. It will allow you to poison the ARP of the entire LAN, or target a single host. Poisoning is the act of tricking the other computers into thinking you are another host. The usage is as follows:

    home# arpspoof -i fxp0 10.10.0.1

    This will start the attack using interface fxp0 and will intercept any packets bound for 10.10.0.1. The output will show you the current ARP traffic.

  5. Congratulations, you have just become your gateway.

You can leave the arpspoof process running, and experiment in another window with some of the various sniffing tools that dsniff offers. dsniff itself is a jack-of-all-trades password grabber. It will fetch passwords for Telnet, FTP, HTTP, IM, Oracle, and almost any other password that is transmitted in the clear. Another tool, mailsnarf, will grab any and all e-mail messages it sees, and store them in a standard Berkeley mbox file for later viewing. Finally, one of the more visually impressive tools is WebSpy. This tool will grab URL strings sniffed from a specified host and display them on your local terminal, giving the appearance of surfing along with the victim.

You should now have a good idea of the kind of damage an attacker can do with ARP spoofing and the right tools. This should also make clear the importance of using encryption to handle data. Additionally, any misconceptions about the security or sniffing protection provided by switched networks should now be alleviated thanks to the magic of ARP spoofing!

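The exercise above shows the attack from the attacker's chair; the same attack is visible on the wire as one IP address suddenly being claimed by a second MAC address. The following monitor is an added example, not part of the study guide or of dsniff: it pins the gateway binding (10.10.0.1, as in the exercise), learns the rest, and alerts on any conflicting ARP reply. The replies and MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    seen_at: float      # capture timestamp, seconds
    sender_ip: str      # IP address being claimed
    sender_mac: str     # MAC address claiming it


@dataclass
class ArpMonitor:
    # Pinned bindings for hosts that must never change, e.g. the gateway.
    static: dict
    learned: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply):
        """Record one reply; return an alert dict if it conflicts, else None."""
        mac = reply.sender_mac.lower()
        ip = reply.sender_ip
        pinned = ip in self.static
        expected = self.static[ip] if pinned else self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac        # first sighting: learn it
            return None
        if expected.lower() == mac:
            return None                   # consistent with what we know
        alert = {
            "time": reply.seen_at,
            "ip": ip,
            "expected_mac": expected.lower(),
            "claimed_mac": mac,
            # A conflict on the pinned gateway binding is the arpspoof pattern;
            # a learned host changing MAC may just be a replaced NIC.
            "severity": "critical" if pinned else "warning",
        }
        self.alerts.append(alert)
        return alert


def replay(replies, static):
    """Feed replies in time order and return every alert raised."""
    mon = ArpMonitor(static=static)
    for reply in sorted(replies, key=lambda r: r.seen_at):
        mon.observe(reply)
    return mon.alerts


# Constructed capture: the real gateway answers once, then a second MAC
# starts claiming 10.10.0.1 every couple of seconds; 10.10.0.5 also moves.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.10.0.1", "00:aa:bb:cc:dd:01"),
    ArpReply(0.5, "10.10.0.5", "00:aa:bb:cc:dd:05"),
    ArpReply(1.0, "10.10.0.7", "00:aa:bb:cc:dd:07"),
    ArpReply(2.0, "10.10.0.1", "00:de:ad:be:ef:01"),   # conflicting claim
    ArpReply(2.5, "10.10.0.1", "00:de:ad:be:ef:01"),   # repeated
    ArpReply(3.0, "10.10.0.5", "00:aa:bb:cc:dd:55"),   # host changed NIC
]
GATEWAY_BINDING = {"10.10.0.1": "00:aa:bb:cc:dd:01"}

if __name__ == "__main__":
    for a in replay(SAMPLE_REPLIES, GATEWAY_BINDING):
        print(f"[{a['severity']}] t={a['time']:.1f}s {a['ip']} claimed by "
              f"{a['claimed_mac']} (expected {a['expected_mac']})")
```

On a real network the replies would come from a capture of ARP opcode 2 frames; static bindings for the gateway turn the warning into an unambiguous alert.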

Virtual LANs

A virtual LAN (VLAN) is a group of network stations that behave as though they are connected to a single network segment, even though they might not be. Legacy networks used router interfaces to separate broadcast domains. A broadcast domain is any area of a computer network where any computer can send a packet to any other computer on the network without having to go through a router. Today's switches have the ability to create broadcast domains based on the switches' configuration. VLANs provide a logical, rather than a physical, grouping of devices attached to a switch or a group of switches. A VLAN defines a broadcast domain and limits unicast, multicast, and broadcast flooding. Flooded traffic originating from a particular VLAN is flooded out only the other ports belonging to that VLAN. Limiting flooding in this way means that packets are only sent to the other computers on that particular VLAN, which keeps them from being sent to every computer on the network.

VLANs are often associated with Layer 3 networks. All stations that belong to the same VLAN generally belong to the same Layer 3 network. Since VLANs define broadcast domains, traffic between VLANs must be routed.

Ports can be assigned to a VLAN statically or dynamically. If using static membership, the administrator must manually specify which ports belong to a given VLAN. In dynamic mode, a station is automatically assigned to a particular VLAN based on its MAC address. A server on the network must keep track of the MAC address to VLAN mappings.

If two network devices share the same VLANs, frames for multiple VLANs might need to be exchanged. Rather than a separate physical link to connect each VLAN, VLAN-tagging technology provides the ability to send traffic for multiple VLANs over a single physical link. A common VLAN-tagging mechanism is IEEE 802.1Q, which inserts a "tag" right after the source address (SA) field in the Ethernet header. The tag contains, among other things, the number of the VLAN to which the frame belongs.
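The tag format is compact enough to decode by hand. The parser below is an added example, not from the study guide: it reads the 4-byte 802.1Q tag inserted after the source address (a 16-bit TPID of 0x8100, then a 16-bit TCI holding the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID) and checks the result against a simple per-port policy. It also handles stacked tags (802.1ad, TPID 0x88A8), which goes beyond the page's text. The frames and the port policy are constructed.

```python
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8      # service tag used for stacked (Q-in-Q) tagging


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, vids, ethertype, payload):
    """Construct a frame with zero or more VLAN tags (outer tag first)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the tags (outer first), the final EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 6:          # need TPID, TCI and the next EtherType
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def check_port_policy(parsed: dict, mode: str, allowed_vids) -> list:
    """Policy violations for a frame received on a port.

    mode is "access" (frames must arrive untagged) or "trunk" (tagged frames
    whose outer VID is in allowed_vids). Stacked tags are always reported.
    """
    problems = []
    tags = parsed["tags"]
    if mode == "access" and tags:
        problems.append("tagged frame on access port")
    if mode == "trunk":
        if not tags:
            problems.append("untagged frame on trunk")
        elif tags[0]["vid"] not in allowed_vids:
            problems.append(f"VID {tags[0]['vid']} not allowed on trunk")
    for t in tags:
        if t["vid"] in (0, 4095):          # 0 = priority-only tag, 4095 reserved
            problems.append(f"reserved VID {t['vid']}")
    if len(tags) > 1:
        problems.append("stacked tags")
    return problems


# Constructed frames: untagged IPv4, tagged VLAN 10, and double-tagged
# (outer service VLAN 100, inner VLAN 10) carrying ARP.
DST, SRC = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
UNTAGGED = build_frame(DST, SRC, [], 0x0800, b"\x45" + b"\x00" * 19)
TAGGED_10 = build_frame(DST, SRC, [10], 0x0800, b"\x45" + b"\x00" * 19)
STACKED = build_frame(DST, SRC, [100, 10], 0x0806, b"\x00\x01\x08\x00")

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan10", TAGGED_10), ("stacked", STACKED)):
        p = parse_frame(f)
        print(name, [t["vid"] for t in p["tags"]], hex(p["ethertype"]),
              check_port_policy(p, "access", set()))
```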

Firewalls

A firewall is a generic term used to describe any device that protects a trusted network from an untrusted network. The device acting as a firewall can provide a number of functions to protect the network. Some of the common functions performed by firewalls and some specific types of devices that act as firewalls are discussed later in this chapter. A firewall can filter data packets or data content or both. These particular functions and how they work are also described later in this chapter.

Network Address Translation

One of the most commonly used features of a firewall is its ability to provide Network Address Translation (NAT) to an internal network. NAT is defined by RFC 1918, which can be found at www.ietf.org/rfc/rfc1918.txt?number=1918. NAT is a widely used concept that allows an internal network using a private address scheme to communicate with the Internet by using a single public IP address to masquerade all internal systems. NAT converts a request sent out to the Internet from a non-routable internal address to a routable external address. For instance, assume that the internal device at 192.168.5.1 wishes to request a Web page from www.syngress.com. There is a firewall protecting the network that 192.168.5.1 resides on, and that firewall employs NAT. The firewall's internal address is 192.168.1.1 and its external address is 181.5.61.3. The internal device (192.168.5.1) sends the request to the firewall (192.168.1.1). The firewall then records the transmission in its NAT table and sends the request itself. So now the request to www.syngress.com is received as coming from 181.5.61.3. The page requested from the Syngress Web site is then returned to 181.5.61.3. The firewall receives the data, checks the NAT table, and forwards the packet to the original address of 192.168.5.1 without the internal computer ever being directly exposed to the Internet.

One reason that NAT is commonly used is that the number of hosts on the Internet has grown exponentially over the past decade. When the IP address scheme was created it was thought that there would be plenty of available addresses to accommodate any number of hosts that might be connected to the Internet in the future. Since the Internet has grown and is so widely used, if every host that communicated used a public IP, there would not be enough to go around. For that reason the Internet Assigned Numbers Authority (IANA) reserved three blocks of private IP addresses for Intranets to use. All of these addresses are non-routable on the Internet and thus cannot be used to connect to it directly.

These three blocks of addresses are:

  • 10.0.0.0 to 10.255.255.255 (used for large Intranets)

  • 172.16.0.0 to 172.31.255.255 (used for medium Intranets)

  • 192.168.0.0 to 192.168.255.255 (used for small Intranets)

Exam Warning 

It will help to know how NAT works and the security benefits that it adds. Also, remember the private address block set aside for internal network use and that they are non-routable addresses.

Another reason that NAT is so widely used is due to the security of the network. Due to the availability and ease of use of port scanners, it would not be surprising if every device that is connected to the Internet is scanned for vulnerabilities at least once each day. It is the security administrator's responsibility to protect any device that their network has that is connected to the Internet. Luckily, because of NAT, they usually only have to protect their firewall and any server, such as a Web server, attached to the Internet. Protecting and monitoring these few devices can be a daunting task. Imagine if you had to protect each device on a network that needed access to the Internet. This would be an impossible task. NAT helps to hide internal hosts from outside attackers, but if the attacker knows the internal IP address they may still be able to reach that device.

Demilitarized Zone

Another commonly used feature provided by a firewall is the ability to add a Demilitarized Zone (DMZ) to a network architecture (see Figure 7.14). A DMZ is a section of the network that is in between the inside trusted network and the outside untrusted network. This is typically where an organization's Extranet exists. Combinations of firewalls and/or bastion hosts are used to create this unique area. Assume that the DMZ is created to provide a secure area to place publicly accessible servers. Assume an organization has just decided to host its own public Web server. A firewall is already set up to protect the internal network from external attacks. The first option is to place the Web server outside the firewall and assign it a public IP address. This would make it very accessible to attackers and is not a very good idea. Another option that is available is to use one-to-one NAT. NAT allows a private IP address range to access the Internet using one public IP address. One of the main reasons for using NAT is so that external devices cannot directly access an internal system without that internal system initiating the connection. Using one-to-one NAT, the administrator can directly map an external address to an internal address. An external device could then initiate a connection to the public one-to-one NAT address and the system would forward it to the one internal address it is mapped to. This allows the Web server to be available to the public, but more types of traffic may have to be allowed through the firewall for the Web server to function correctly. Port Address Translation (PAT) is responsible for keeping track of what port traffic comes in on and redirecting the traffic to the appropriate internal port.

Figure 7.14: A DMZ is an Area in Between the Public Internet and the Private Network
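The NAT table walk-through from the Network Address Translation section, together with the one-to-one NAT and PAT behaviour described above, as an added example that is not from the study guide. It models many-to-one NAT with port translation for traffic leaving 192.168.5.1 behind the external address 181.5.61.3, the dropping of inbound packets that match no table entry, a static one-to-one mapping for a public Web server, and a PAT-style port forward. The Syngress server address 203.0.113.10, the second public address 181.5.61.4, the internal servers and the scanner address are constructed placeholders.

```python
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, external_ip, one_to_one=None, port_forwards=None,
                 first_port=40000):
        self.external_ip = external_ip
        # Static one-to-one NAT: public IP -> internal IP (all ports).
        self.one_to_one = dict(one_to_one or {})
        # PAT-style port forwards on the shared public address:
        # (proto, external port) -> (internal IP, internal port).
        self.port_forwards = dict(port_forwards or {})
        # Dynamic translations for sessions the inside initiated.
        self.table = {}     # (proto, ext_port, peer_ip, peer_port) -> (int_ip, int_port)
        self.reverse = {}   # (proto, int_ip, int_port, peer_ip, peer_port) -> ext_port
        self._ports = itertools.count(first_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network; record the session."""
        for public, internal in self.one_to_one.items():
            if internal == pkt.src_ip:            # one-to-one hosts keep their port
                return replace(pkt, src_ip=public)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.reverse.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.reverse[key] = ext_port
            self.table[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet):
        """Translate a packet from the Internet, or return None to drop it."""
        if pkt.dst_ip in self.one_to_one:
            return replace(pkt, dst_ip=self.one_to_one[pkt.dst_ip])
        if pkt.dst_ip != self.external_ip:
            return None
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return replace(pkt, dst_ip=fwd[0], dst_port=fwd[1])
        entry = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None           # unsolicited: no inside host is exposed
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])


def walkthrough():
    """Replay the scenario from the text; return each packet after translation."""
    gw = NatGateway("181.5.61.3", one_to_one={"181.5.61.4": "192.168.5.80"},
                    port_forwards={("tcp", 443): ("192.168.5.81", 8443)})
    request = Packet("192.168.5.1", 51000, "203.0.113.10", 80)
    on_wire = gw.outbound(request)                       # now 181.5.61.3:40000
    reply = Packet("203.0.113.10", 80, on_wire.src_ip, on_wire.src_port)
    delivered = gw.inbound(reply)                        # back to 192.168.5.1:51000
    scan = gw.inbound(Packet("198.51.100.9", 4444, "181.5.61.3", 22))  # dropped
    web = gw.inbound(Packet("198.51.100.9", 4445, "181.5.61.4", 80))   # one-to-one
    pat = gw.inbound(Packet("198.51.100.9", 4446, "181.5.61.3", 443))  # port forward
    return {"on_wire": on_wire, "delivered": delivered, "scan": scan,
            "web": web, "pat": pat}


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:10s} -> {pkt}")
```

The `scan` packet is the case the text calls out: with no table entry and no static mapping, the firewall has nowhere to send it, so the internal hosts stay unreachable from outside.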

The preferred method is to create a DMZ where the administrator can place the company's Web server. The administrator could first place an external router on the very outskirts of the network. This would allow most traffic through, but could still filter obvious attacks. There would then be another router or firewall behind the Web server, placed in front of the internal network. This firewall would contain all of the usual filters needed to keep the internal network safe from attack.

Exam Warning 

A DMZ is a very common logical location in which to place a Web server. This allows the Web server to be accessible from the Internet, but still provides a layer of protection from the firewall in the front of the DMZ.

Notes from the Underground…
Points of Entry

You should take into account the various points of entry into your network and resources that you are protecting. An attacker will commonly attack an "easy" target on a network in order to use that target as a stepping-stone into another network.

For example, an attacker may be trying to reach an internal database housed inside your company's LAN. Since you have the server hosting the database securely protected behind the external firewall, it seems protected. The attacker seemingly has no way to reach the database so he must find a system that can access it. Web servers are typically placed on the DMZ to allow outside users to access web services on that server. The web server also commonly has access to internal databases so that customer orders on the Web site are updated on internal databases. In this example, the attacker may try to compromise the web server on the DMZ to gain access to the internal database.


Packet Filtering Firewalls

The most common type of firewall used today is the packet filtering firewall. The packet filtering firewall is placed between the trusted internal network and the untrusted external network. It uses ACLs to filter the various types of traffic to determine what is allowed into the network and what is denied access to the network. This type of firewall could be the main router connecting the internal network to the external network while at the same time filtering the packets according to the defined ACLs. The packet filtering firewall can be difficult to maintain due to the complex ACLs that can be hard to keep track of. A major drawback of packet filtering firewalls is that network performance is hindered as the packets are forced to navigate through the ACLs. Other problems with this type of firewall are the lack of strong auditing and the lack of strong user authentication. An example can be seen in Figure 7.15.

Figure 7.15: A Packet Filtering Firewall

A packet filtering firewall can also be used to prevent access to certain content. This is known as content filtering. For example, it is common for firewalls to filter access to certain Web sites that contain profanity, nudity, or other inappropriate material. The firewall will look at packets as they pass through and compare the destination address (DA) to a known list of sites that contain inappropriate material.

Screened Host Firewall

The screened host firewall provides two methods of protection for the internal or trusted network. It first uses a dual-homed firewall, often referred to as a bastion host, which provides application-level security through proxy services to first screen the traffic coming into the network. The dual-homed firewall is a machine that contains two NICs, with one NIC being connected to the external or untrusted network and the second NIC being connected to the internal or trusted network. The traffic must then pass through a packet filtering firewall before entering the internal or trusted network. This setup is more secure than strictly using a packet filtering firewall to protect the network. A downfall to this type of firewall is that the dual-homed firewall will be the target of a large amount of attacks as it is immediately available to the outside or untrusted network. An example of a screened-host firewall can be seen in Figure 7.16.

Figure 7.16: A Screened Host Firewall Provides Two Layers of Protection

Bastion Host

Commonly referred to as a bastion host, application filtering firewall, or application layer gateway, this type of firewall is more advanced than the packet-filtering firewall. This machine typically has two NICs installed. The first NIC receives untrusted traffic from the Internet and the second is connected to the internal network. All traffic is inspected before being passed on to the internal network. This configuration is more secure than a packet filtering firewall because the machine can use more complex rules and can tell what application the packet is trying to use. A downfall to this system is that the bastion host requires more data processing and can therefore slow down network performance.

Screened Subnet Firewall with a DMZ

A screened subnet firewall with a DMZ is one of the more secure types of firewall systems. This type of firewall employs a first firewall/router with packet filtering enabled, then a dual-homed firewall, and finally an additional firewall/router with more stringent ACLs defined. The first firewall provides the first line of defense and protects against common network attacks, but allows the most traffic through. Located behind the first router are the dual-homed firewall and the servers hosting Web services. This is known as the DMZ because it holds machines that are semi-protected but are still more available and attackable than machines inside the internal or trusted network. The dual-homed firewall is a machine that contains two NICs, with one NIC being connected to the external or untrusted network and the second NIC being connected to the internal or trusted network. The traffic must pass through some type of security mechanism to filter or block untrusted traffic from the internal network. The dual-homed firewall and the servers in the DMZ hosting Web services will be the victims of the majority of external attacks against a network. Before the traffic can enter the internal or trusted network, it must pass through the second packet-filtering firewall/router, which contains the strict ACLs and severely limits the types of traffic that are allowed into the trusted network. An example of a screened subnet with DMZ can be seen in Figure 7.17.

Figure 7.17: A Screened Subnet Firewall with a DMZ

Stateful Inspection

Stateful inspection is a technology that allows the firewall to not only monitor packets and filter them out, but it also monitors the status of connections and dynamically keeps that information up-to-date in a state table. This type of firewall can log stealth scans because it monitors the complete connection status. This way if a half-open connection is used to probe a firewall's port, the security administrator will still be able to monitor the activity through the firewall logs.

Stateful inspection is a compromise between the two technologies described above, packet filtering and application layer gateways. It overcomes the drawbacks of both while enhancing the security provided by the firewall. Stateful inspection technology supplies awareness at the Application layer without actually breaking the client/server architecture by disassembling and rebuilding the packet. Additionally, it is much faster than an application layer gateway due to the way packets are handled. It is also more secure than a packet-filtering firewall, due to the awareness at the Application layer and the introduction of application- and communication-derived state awareness.

The primary feature of stateful inspection is the monitoring of application and communication states. This means that the firewall is aware of specific application communication requests and knows what should be expected out of any given communication session. This information is stored in a dynamically updated state table and any communication not explicitly allowed by a rule in this table is denied. This allows the firewall to dynamically conform to the needs of the applications and open or close ports as needed. Ports are closed when the requested transactions are completed, which provides another layer of security.

A great example of how these different technologies work is the FTP process. With FTP, the client has the option of requesting that the server open a back connection. With a packet filtering firewall, the only options are either leaving all ports beyond port 1023 open thus allowing the back connection to be permitted, or closing them which makes the attempted communication fail.

With an application layer gateway (bastion host), this type of communication can easily be permitted, but the performance of the entire session will be degraded due to the additional sessions created by the application layer gateway itself. With stateful inspection, the firewall simply examines the packet where the back connection is requested, then allows the back connection to go through the firewall when the server requests it on the port previously specified by the requesting packet. When the FTP session is terminated, the firewall closes off all ports that were used and removes their entries from the state table. Figure 7.18 shows how this technology works in relation to the OSI model discussed earlier in the chapter.

Figure 7.18: Stateful Inspection Technology
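The FTP case above, and the default-deny ACL behaviour from the Packet Filtering Firewalls section, as an added example that is not from the study guide. A stateless filter evaluates each packet against static ACL rules (firewall style: deny unless a rule permits). The stateful filter keeps a state table of sessions the rules admitted and, for an FTP control session, reads the client's PORT command so that the server's back connection to that one port is admitted and is closed again with the session. The addresses, rules and the PORT command are constructed; active-mode FTP's PORT command is assumed as the concrete form of the back-connection request the text describes.

```python
import re
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src_ip: str = "any"
    dst_ip: str = "any"
    dst_port: Union[int, str] = "any"

    def matches(self, p: Packet) -> bool:
        return (self.src_ip in ("any", p.src_ip) and
                self.dst_ip in ("any", p.dst_ip) and
                self.dst_port in ("any", p.dst_port))


def acl_decision(rules, p, default="deny"):
    """Stateless filter: first matching rule wins. A firewall defaults to deny;
    a router (see the ACL section) would be called with default="permit"."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFilter:
    """ACL plus a state table; FTP PORT commands pre-authorise back connections."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # flows admitted by a rule or by state
        self.expected = {}      # announced data flow -> control flow
        self.children = {}      # control flow -> data flows it announced

    @staticmethod
    def _flow(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _inspect(self, p, control):
        """Application awareness: note the port the FTP client asks the server
        to connect back to (PORT h1,h2,h3,h4,p1,p2 means port p1*256+p2)."""
        m = PORT_CMD.search(p.payload) if p.dst_port == 21 else None
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        data_flow = (p.dst_ip, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        self.expected[data_flow] = control
        self.children.setdefault(control, set()).add(data_flow)

    def process(self, p):
        flow = self._flow(p)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if flow in self.sessions or reverse in self.sessions:
            self._inspect(p, flow)
            return "permit"
        if flow in self.expected:              # the server's back connection
            self.expected.pop(flow)
            self.sessions.add(flow)
            return "permit"
        if acl_decision(self.rules, p) == "permit":
            self.sessions.add(flow)
            self._inspect(p, flow)
            return "permit"
        return "deny"

    def close(self, p):
        """Session over: forget it and every data flow it announced."""
        flow = self._flow(p)
        self.sessions.discard(flow)
        for child in self.children.pop(flow, ()):
            self.sessions.discard(child)
            self.expected.pop(child, None)


def ftp_walkthrough():
    """The same four packets through a stateless ACL and the stateful filter."""
    client, server = "192.168.5.1", "203.0.113.20"
    rules = [Rule("permit", src_ip=client, dst_ip=server, dst_port=21)]
    control = Packet(client, 3000, server, 21, b"USER anonymous\r\n")
    port_cmd = Packet(client, 3000, server, 21, b"PORT 192,168,5,1,12,34\r\n")  # 12*256+34 = 3106
    back = Packet(server, 20, client, 3106)     # the requested back connection
    probe = Packet(server, 20, client, 3107)    # same source, unannounced port
    stateless = [acl_decision(rules, p) for p in (control, port_cmd, back, probe)]
    sf = StatefulFilter(rules)
    stateful = [sf.process(p) for p in (control, port_cmd, back, probe)]
    sf.close(control)
    return {"stateless": stateless, "stateful": stateful, "after_close": sf.process(back)}


if __name__ == "__main__":
    print(ftp_walkthrough())
```

The stateless ACL can only permit the back connection by opening every high port; the stateful filter admits exactly the announced port and removes it when the control session closes.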

Routers

A router is used to logically forward packets to their intended destination. When a router receives a packet, it views the packet and determines where the packet came from and where the packet should be forwarded. Routers are used throughout the Internet to forward traffic.

On a local network, a device first broadcasts the packet throughout the network. If the destination is not found inside the network, the device checks to see if it has a gateway address defined. If there is an address defined for the local gateway, the packet is forwarded to that router. The packet then travels across several routers before finally reaching its destination. The reply is then routed back in the same manner.

Routers keep broadcast traffic to a minimum. If routers did not exist to route packets on the Internet, there would be massive congestion of broadcast traffic caused by every packet being forwarded to all hosts on the Internet in order to find its destination.

When a router views a packet it may check defined ACLs to see if there are any restrictions placed on the packet. The router may then forward the packet normally, or drop the packet according to its ACLs.

Access Control Lists

To understand ACLs, it is important to understand that everything in a security model can be viewed as an object. An object can be a user or group. An ACL is a list that defines what permissions an object has. For instance, there may be an ACL on an internal server that allows a specific user or group rights to access resources on that server. When any request is made to that server, the ACL is checked and, based on what object is making the request, access is either allowed or denied.

ACLs can also be used on routers and firewalls to define what IP address or types of traffic are allowed to pass through. In the DMZ sample presented in the previous section, the external-most firewall may have ACLs set up to allow normal access to the Web server in the DMZ. This allows traffic to pass into the network on the port for HTTP and SSL. The internal firewall would not allow these protocols to pass into the internal network because there would be no normal reason for them to be allowed in. The ACLs allow traffic originating from the LAN to use the HTTP and SSL ports so that they can make requests to other Web servers on the Internet.

  • ACLs are widely used to deny or allow access to network resources.

  • Routers and servers are two network devices that commonly use ACLs.

  • Since a router that uses ACLs technically protects the internal network from full access, it may technically be referred to as a firewall. Note that a firewall by default will deny all traffic and specific traffic must be permitted, while a router by default will allow all traffic and ACLs can be used to deny certain traffic.

Note 

For more information on Access Control and ACLs, please refer to Chapter 2.

Proxies

A proxy server is used to filter requests made by client applications before the packets are forwarded to their destination. A proxy server in a traditional view is placed between a company's internal network and the Internet. When a client on the network requests a Web page, the proxy server will first see if it contains the page in its cache. If it does, it sends the internal client the page. This can significantly improve the speed that the Web page is served to the client. If the proxy server does not have the page in cache, it will retrieve the page and forward it to the client.

A proxy server can also be used to filter traffic. For example, if clients on the internal network request a Web page, the proxy may check its filters first. If the Web page is listed in the proxy's filters as inappropriate, the request will be filtered out and the page will not be returned to the client.

Remote Authentication Service Servers

A major part of data security is making sure only authorized users can access a system. Several methods have been created to help make authentication easier to administer and to make the system more secure.

Remote Authentication Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is the simplest method of providing user authentication to large systems. RADIUS holds a list of usernames and passwords that systems on the network refer to when authenticating a user. RADIUS supports a number of popular protocols such as:

  • PPP

  • PAP

  • CHAP

Authentication Process

RADIUS authentication consists of five steps:

  1. Users initiate a connection with an ISP remote access server (RAS) or corporate RAS. Once a connection is established, users are prompted for a username and password.

  2. The RAS encrypts the username and password using a shared secret, and passes the encrypted packet to the RADIUS server.

  3. The RADIUS server attempts to verify the user's credentials against a centralized database.

  4. If the credentials match those found in the database, the server responds with an access-accept message. If the username does not exist or the password is incorrect, the server responds with an access-reject message.

  5. The RAS then accepts or rejects the message and grants the appropriate rights.
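The five steps above as a concrete exchange, as an added example that is not from the study guide and not a RADIUS implementation to deploy. It assumes the RFC 2865 packet layout (code, identifier, length, a 16-byte Authenticator, then type-length-value attributes). Step 2's "encryption with a shared secret" is implemented as RFC 2865's User-Password hiding (MD5 of the secret and the Request Authenticator, XORed with the padded password), and in step 5 the RAS checks the Response Authenticator before trusting the accept or reject. The usernames, passwords and the shared secret are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types


def _attrs(*pairs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with a chained MD5."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: the server recovers the cleartext to compare."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Step 2: the RAS wraps the credentials for the RADIUS server."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attrs((USER_NAME, username),
                   (USER_PASSWORD, hide_password(password, secret, request_auth)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(request, secret, user_db):
    """Steps 3 and 4: check the credentials, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and user in user_db and hidden is not None
          and hmac.compare_digest(user_db[user], reveal_password(hidden, secret, request_auth)))
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # The Response Authenticator ties the answer to this request and the secret.
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def ras_verify(response, request_auth, secret):
    """Step 5: return (authentic, accepted); an unauthentic reply grants nothing."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    authentic = hmac.compare_digest(expected, response[4:20])
    return authentic, authentic and code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret, db = b"constructed-shared-secret", {b"alice": b"correct horse"}
    ra = os.urandom(16)
    req = build_access_request(7, b"alice", b"correct horse", secret, ra)
    print(ras_verify(radius_server(req, secret, db), ra, secret))   # (True, True)
```

Note what the hiding does and does not give: the password is recoverable by anyone holding the shared secret, which is why the secret's strength and the RAS-to-server path matter.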

Terminal Server Controller Access Control Systems

Terminal Server Controller Access Control Systems (TACACS) provides remote authentication and event logging. TACACS was first developed during the days of ARPANET, which was the basis for the Internet. TACACS is detailed in RFC 1492, which can be found at www.cis.ohio-state.edu/cgi-bin/rfc/rfc1492.html. When a user tries to log into a TACACS device, the device refers to the TACACS server to authenticate the user. This provides a central location for all usernames and passwords to be stored. TACACS does not allow a device to prompt a user to change their password. It also does not use dynamic password tokens. TACACS uses UDP as its communication protocol.

Terminal Server Controller Access Control Systems Plus

Terminal Server Controller Access Control Systems Plus (TACACS+) provides enhancements to the standard version of TACACS. TACACS+ was developed by Cisco. It allows users the ability to change their password. It allows dynamic password tokens so that the tokens can be resynchronized, and it also provides better auditing capabilities. TACACS+ is incompatible with previous versions of TACACS because it changes the packet formats. TACACS+ uses TCP as its communication protocol.

Test Day Tip 

Know the differences between TACACS, TACACS+, and RADIUS.

RADIUS is widely implemented because it is compatible with a majority of network devices.

TACACS+ supports enhancements like improved auditing and logging.
TACACS+ uses TCP packets.
TACACS uses UDP packets.

Intrusion Detection Systems

An IDS does just as its name implies: It detects intrusions. An IDS attempts to identify data traffic that is out of the ordinary and then notifies the appropriate individuals of the anomaly. It can be set up to monitor, detect, and then notify administrators of network attacks. A common problem with any IDS is the number of false positives that are reported. An IDS requires significant initial administration overhead to tune the system for a particular network environment. If the administrator fails to properly configure the IDS, it is very likely that they will quickly become frustrated with the number of false positives received and may stop properly monitoring alerts.

Host-Based IDS

A host-based IDS sits on an application server and monitors traffic to that specific server. This type of IDS examines the logs kept on an individual server and then notifies an administrator of specific types of alerts. A host-based IDS is well suited to detect internal attacks, since most internal logs keep lists of both authorized and unauthorized attempts to access a system. The downfall of this type of IDS is that if an attacker disables the logging mechanism, the IDS is rendered useless.

A host-based IDS most commonly detects intrusions based on policies created on a server or target monitoring. For example, if a policy is defined to only allow members of a certain group access to certain folders and a member of that group then tries to access other folders, the administrator can be notified of the attempted intrusion and take appropriate action.

Network-Based IDS

A network-based IDS monitors traffic that passes over the actual network as opposed to traffic intended for a specific target. Each packet is compared to a list of known malicious packets to determine whether it is legitimate or not. A network-based IDS acts as a sniffer to view data packets on the network. A downfall of these types of systems is the amount of configuration that must be done by the administrator to minimize false alerts while still picking up malicious packets.

A network-based IDS uses signatures or anomaly detection to detect attacks. A signature is basically a map of a packet that is known to be associated with a known exploit or attack. Each packet that the IDS views is compared to the available signatures and if they match, the IDS flags the packet as an attack and notifies the administrator. Because this type of IDS is only as good as its signature list, it is very important to update the list as often as possible. Anomaly detection is the process of detecting abnormal network traffic on the network. The IDS creates a baseline of standard network traffic patterns. It then notifies the administrator if the typical patterns are deviated from. For example, if network traffic suddenly triples, the IDS will flag the anomaly and notify the administrator.
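Both detection methods from the paragraph above in miniature, as an added example that is not from the study guide. Signature detection compares each packet against a list of known-bad patterns; anomaly detection builds a baseline of packets per interval from a quiet capture and flags any interval whose volume is at least three times that baseline, the "traffic suddenly triples" case in the text. The packets, signatures and the threshold factor are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int
    pattern: re.Pattern


# Constructed signature list; a real one is kept current from the vendor feed.
SIGNATURES = [
    Signature("http-path-traversal", 80, re.compile(rb"\.\./")),
    Signature("telnet-root-login", 23, re.compile(rb"^login: root", re.M)),
]


def signature_alerts(packets, signatures=SIGNATURES):
    """Return (packet index, signature name) for every matching packet."""
    hits = []
    for i, p in enumerate(packets):
        for sig in signatures:
            if sig.dport == p.dport and sig.pattern.search(p.payload):
                hits.append((i, sig.name))
    return hits


def bucket_counts(packets, width):
    """Packets per interval of `width` seconds, keyed by interval index."""
    return Counter(int(p.ts // width) for p in packets)


def fit_baseline(training_packets, width):
    """Mean packets per interval over a quiet training capture."""
    counts = bucket_counts(training_packets, width)
    if not counts:
        raise ValueError("no training traffic")
    buckets = range(min(counts), max(counts) + 1)     # count empty intervals too
    return mean(counts.get(b, 0) for b in buckets)


def anomaly_alerts(packets, baseline, width, factor=3.0):
    """Intervals whose packet count is at least factor * baseline."""
    counts = bucket_counts(packets, width)
    return sorted((b, n) for b, n in counts.items() if n >= factor * baseline)


def synth(start, n, dport=80, payload=b"GET /index.html", src="198.51.100.5"):
    """Constructed helper: n packets spread evenly across one 10 s interval."""
    return [Packet(start + k * (10.0 / n), src, "192.168.5.80", dport, payload)
            for k in range(n)]


# Constructed capture: five quiet 10-second intervals of ten packets each ...
TRAINING = [p for s in range(5) for p in synth(s * 10.0, 10)]
# ... then a live capture with one traversal attempt and one burst of 35.
LIVE = (synth(50.0, 10)
        + [Packet(55.5, "198.51.100.9", "192.168.5.80", 80, b"GET /../../private")]
        + synth(60.0, 35) + synth(70.0, 9))

if __name__ == "__main__":
    base = fit_baseline(TRAINING, 10)
    print("baseline:", base)
    print("signature alerts:", signature_alerts(LIVE))
    print("anomalous intervals:", anomaly_alerts(LIVE, base, 10))
```

Note that the burst interval carries no signature hit and the traversal packet causes no volume change: each method catches what the other misses, which is why the text keeps both.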



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
