3.7 Network-Based Intrusion Detection Efforts


3.7.1 Common Intrusion Detection Framework

The Common Intrusion Detection Framework (CIDF) is an effort to develop protocols and application programming interfaces so intrusion detection research projects can share information and resources. Another goal is the reuse of intrusion detection components in different systems. This effort was started by Teresa Lunt while she was at the Information Technology Office (ITO) of the Defense Advanced Research Projects Agency (DARPA). It began as part of the information survivability program with a focus on allowing DARPA projects to work together.

Under the direction of its first coordinator, Stuart Staniford-Chen, the CIDF broadened its scope significantly, and it now has participants from several companies and organizations that have no relationship to DARPA. The CIDF is an open process; at the time of this writing it is coordinated by Dan Schnackenberg and Brian Tung. For more information, see the CIDF Web site [10].

3.7.2 Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) is a list of standardized names for publicly known vulnerabilities and other information security exposures, so that different tools and databases refer to the same flaw by the same name. CVE is a dictionary, not a database. According to the CVE Web site, "The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. While CVE may make it easier to search for information in other databases, CVE should not be considered as a vulnerability database on its own merit." In practice, a CVE name attached to an IDS alert or a scanner finding is a lookup key into other vulnerability databases, not a description or severity rating of the flaw itself.

The content of CVE is a collaborative effort of the CVE Editorial Board, which includes representatives from numerous security-related organizations such as security tool vendors, academic institutions, and government agencies, as well as other prominent security experts. The MITRE Corporation maintains CVE and moderates Editorial Board discussions. CVE is freely available for download from the CVE Web site [11].

3.7.3 Shadowing

RFC 2251 [12], which defines version 3 of the Lightweight Directory Access Protocol (LDAP), describes shadowing: a server holds a cache or shadow copy of directory entries that are held authoritatively elsewhere. A shadow copy may be used to answer search and compare operations, but when a client requests a modification the shadowing server either returns a referral to the authoritative server or forwards the request to that server itself. Servers that cache or shadow entries must not relax any access control constraints placed on the data by the originating server; otherwise the replica becomes a way to read data that the authoritative server would refuse to disclose.

3.7.4 Honeypots and Honeynets

Honeypots are programs that simulate network services on chosen ports of a host. An attacker probing those ports sees what appears to be a vulnerable service that could be used to break into the machine. The honeypot logs every access attempt to those ports, including the attacker's keystrokes, which can give advance warning of a more concerted attack. Because no legitimate user has any reason to connect to a decoy service, every connection a honeypot logs is worth investigating. One honeypot program is the Deception Tool Kit, which can be downloaded from http://www.all.net/dtk; with it, an administrator configures the response given on each port. According to Richard Caasi, in an article on the SANS Web site [13], "honeypots are most successful when run on well-known servers, such as Web, mail, or DNS servers, because these systems are often attacked. They can also be used when a system comes under attack by substituting a honeypot system for the target." In a related article, Kecia Gubbels [14] distinguishes between a honeypot and a honeynet as follows:

A honeypot is a program, machine, or system put on a network as bait for attackers. The idea is to deceive the attacker by making the honeypot seem like a legitimate system. A honeynet is a network of honeypots set up to imitate a real network. Honeynets can be configured in both production and research environments. A research honeynet studies the tactics and methods of attackers. A production honeynet is set up to mimic the production network of the organization. This type of honeynet is useful to expose the organization's current vulnerabilities. Honeypots return highly valuable data that is much easier to interpret than that of an IDS (Intrusion Detection System). The information gathered from honeypots can be used to better prepare system administrators for attacks.
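The behavior described above (a decoy service on a chosen port, a configurable banner, logging of each connection and of whatever the attacker types, and correlation of probes across ports as early warning of a wider attack) written out as a small low-interaction honeypot in Python. This is an added example, not code from the book, the Deception Tool Kit, or the SANS articles; the banner strings, the port list, the record fields and the two-port threshold are assumptions made here for illustration.

```python
"""Minimal low-interaction TCP honeypot (added example, not the Deception Tool Kit).

Each decoy listener sends a fake service banner, records whatever the client
sends (the attacker's "keystrokes"), and appends a JSON-friendly record to a
shared log. A summary function flags sources that touched several decoy ports.
"""
import datetime
import socket
import threading
import time

# Constructed decoy banners keyed by the port the decoy listens on. These are
# assumed values for illustration; a real deployment mimics what the site runs.
FAKE_BANNERS = {
    21: b"220 (vsFTPd 2.3.4)\r\n",
    23: b"\r\nlogin: ",
    25: b"220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3\r\n",
}


def handle_connection(conn, peer, decoy_port, banner, log, max_bytes=4096, timeout=5.0):
    """Serve one attacker connection: send the banner, capture input, log it.

    Returns the log record so callers can inspect it.
    """
    conn.settimeout(timeout)
    captured = b""
    try:
        conn.sendall(banner)
        while len(captured) < max_bytes:          # cap memory spent per connection
            chunk = conn.recv(1024)
            if not chunk:                         # client closed or shut down writing
                break
            captured += chunk
    except (socket.timeout, OSError):
        pass                                      # slow or rude clients are expected
    finally:
        conn.close()
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": decoy_port,
        "bytes": len(captured),
        # backslashreplace keeps binary probes loggable instead of raising
        "payload": captured.decode("utf-8", "backslashreplace"),
    }
    log.append(record)
    return record


def start_decoy(host, port, banner, log):
    """Bind a decoy listener and accept connections on a daemon thread.

    Returns the listening socket; port 0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    decoy_port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                            # listener was closed
            threading.Thread(
                target=handle_connection,
                args=(conn, peer, decoy_port, banner, log),
                daemon=True,
            ).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def multi_port_probers(log, min_ports=2):
    """Map src_ip -> sorted decoy ports for sources that hit at least min_ports
    distinct decoys: one host walking several fake services is a scan, not noise."""
    seen = {}
    for rec in log:
        seen.setdefault(rec["src_ip"], set()).add(rec["decoy_port"])
    return {ip: sorted(ports) for ip, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    # Ports below 1024 need privileges; bind to high ports or run as root.
    events = []
    listeners = [start_decoy("0.0.0.0", p, b, events) for p, b in FAKE_BANNERS.items()]
    print("decoys listening on", [s.getsockname()[1] for s in listeners])
    try:
        while True:
            time.sleep(10)
            for ip, ports in multi_port_probers(events).items():
                print(f"{ip} probed decoy ports {ports}")
    except KeyboardInterrupt:
        for s in listeners:
            s.close()
```

Connecting with a telnet or netcat client to one of the decoy ports shows the banner and leaves a record of everything typed before the client gives up. The limitation of this low-interaction design is visible in the same session: the decoy never answers commands, so a careful attacker will notice, and the value lies in the first few seconds of logged input and in the cross-port correlation, not in sustained deception.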

Honeypots and honeynets are just two of the tools in a systems security administrator's arsenal. Next, let's look at how to handle the situation when someone is actually caught in a honeypot or honeynet: the next chapter covers computer security incidents and what to do when one occurs.


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153