Practical Intrusion Analysis

Practical Intrusion Analysis
PREVENTION AND DETECTION FOR THE TWENTY-FIRST CENTURY

Ryan Trost

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales, (800) 382-3419, corpsales@pearsontechgroup.com

For sales outside the United States please contact:
International Sales, international@pearson.com

Visit us on the Web: informit.com/aw

Library of Congress Cataloging-in-Publication Data:
Trost, Ryan.
Practical intrusion analysis : prevention and detection for the twenty-first century / Ryan Trost.
p. cm.
Includes index.
ISBN-13: 978-0-321-59180-7 (pbk. : alk. paper)
ISBN-10: 0-321-59180-1
1. Computer networks--Security measures. 2. Computer networks--Monitoring. 3. Computer security. 4. Computers--Access control. I. Title.
TK5105.59.T76 2009
005.8--dc22
2009019158

Copyright © 2010 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc., Rights and Contracts Department, 501 Boylston Street, Suite 900, Boston, MA 02116, Fax (617) 671-3447

ISBN-13: 978-0-321-59180-7
ISBN-10: 0-321-59180-1
Text printed in the United States on recycled paper at R. R. Donnelley in Crawfordsville, Indiana.
First printing July 2009

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Senior Development Editor: Chris Zahn
Managing Editor: Kristy Hart
Project Editor: Jovana San Nicolas-Shirley
Copy Editor: Sheri Cain
Indexer: Erika Millen
Proofreader: Debbie Williams
Publishing Coordinator: Romny French
Cover Designer: Chuti Prasertsith
Compositor: Jake McFarland

To my loving wife, Kasey, who is pregnant with our first beautiful child.
To my supportive families: To my parents, sister, and brother, who have supported me, motivated me and somehow sustained my endless IT ramblings. And to my wife's family, the Arbacas clan, who have only had to endure my InfoSec rambling for a couple years and still invite me to dinner. I very much appreciate all the help and support!
Contents

Preface

Chapter 1 Network Overview
    Key Terms and Concepts
    Brief History of the Internet
    Layered Protocols
    TCP/IP Protocol Suite
    Internet Protocol
    Addressing
    IP Addresses
    IPv6
    Summary

Chapter 2 Infrastructure Monitoring
    Network-Analysis Tools
    Packet Sniffing
    Accessing Packets on the Network
    SPANs (Port Mirroring)
    Network Taps
    To Tap or to SPAN
    Defense-in-Depth
    Summary

Chapter 3 Intrusion Detection Systems
    IDS Groundwork
    From the Wire Up
    DoS Attacks
    IP Fragmentation
    TCP Stream Issues
    Target-Based Reassembly
    Two Detection Philosophies: Signature and Anomaly Based
    Snort: Signature-Based IDS
    Two Signature Writing Techniques
    Bro: An Anomaly-Based IDS
    Similarities Between the Systems
    Summary

Chapter 4 Lifecycle of a Vulnerability
    A Vulnerability Is Born
    FlashGet Vulnerability
    Collecting a Sample Packet Capture
    Packet Analysis and Signature-Writing
    Signature Tuning
    Detection Tuning
    Performance Tuning
    Advanced Examples
    CitectSCADA ODBC Server Buffer Overflow: Metasploit
    FastStone Image Viewer Bitmap Parsing
    Libspf2 DNS TXT Record Size Mismatch
    Summary

Chapter 5 Proactive Intrusion Prevention and Response via Attack Graphs
    Topological Vulnerability Analysis (TVA)
    Overview of Approach
    Illustrative Example
    Limitations
    Attack Modeling and Simulation
    Network Attack Modeling
    Attack Simulation
    Optimal Network Protection
    Vulnerability Mitigation
    Attack Graph Visualization
    Security Metrics
    Intrusion Detection and Response
    Intrusion Detection Guidance
    Attack Prediction and Response
    Summary
    Acknowledgments
    Endnotes

Chapter 6 Network Flows and Anomaly Detection
    IP Data Flows
    NetFlow Operational Theory
    A Matter of Duplex
    Cisco IOS NetFlow and Flexible NetFlow
    sFlow: More Data, But Less Frequency
    Internet Protocol Flow Information Export (IPFIX)
    It's a Virtual World
    Endless Streams of Data
    Behavioral Analysis and Anomaly Detection
    Compare and Contrast
    IDS and NetFlow
    Signature Updates
    IDS System Resources
    Syslog and NetFlow
    Technology Matrix
    Summary
    Endnotes

Chapter 7 Web Application Firewalls
    Web Threat Overview
    Why a WAF?
    WAF Protection Models
    Positive Security Model
    Negative Security Model
    Virtual Patching Model
    Output Detection Model/Content Scrubbing
    WAF Policy Models
    Learning
    Vulnerability Assessment Feedback
    Manual Entry

[...]

Preface

This book was developed to help fill multiple gaps in practical intrusion detection within a single cover-to-cover publication. Traditionally, intrusion detection books concentrate on narrow subject matter that focuses on vendor-specific information, like Snort or Cisco MARS, Intrusion Detection System (IDS) installation, and sensor placement or signature writing. This [...]

    Summary
    Endnotes

Chapter 10 Geospatial Intrusion Detection
    Current Uses of Geocoding
    Introduction to Geographic Information Systems
    GIS Basic Functions
    Framework for Cooperation
    Map Projection
    Raster Versus Vector
    Vector Data Model
    Spatial Point Pattern Analysis
    Classes of Spatial Analysis
    Point Intensity
    Point Process Statistics
    Dynamics of a Professional [...]
[...] This book incorporates the essential core knowledge to understand the IDS, but it also expands the subject matter to other relevant areas of intrusion interest, such as NetFlow, wireless IDS/Intrusion Prevention System (IPS), physical security, and geospatial intrusion detection. Don't get me wrong... the previously mentioned books are the foundation of my security knowledge, but as the industry matures [...]

[...] "Infrastructure Monitoring," to more advanced chapters. Chapter 3, "Intrusion Detection Systems," starts to outline the blank canvas with cornerstone concepts and techniques. Chapter 4, "Lifecycle of a Vulnerability," is the perfect transition from beginner to more advanced topics of new intrusion detection strategies consisting of wireless IDS/IPS, network behavioral analysis (NBA), converging of [...]

[...] follows a compartmentalized organization because each chapter focuses on specific intrusion techniques. The beginning of this book introduces basic networking terminology, and it transitions into providing an overview of intrusion detection, which caters to the InfoSec newbies and finally dives into more sophisticated and advanced intrusion defenses. Here is a brief description of each chapter:

• Chapter 1, [...]

[...] network. Attack graph analysis identifies critical vulnerabilities and provides strategies for protecting critical network assets. But, because of operational realities, vulnerability paths often remain visible. In such cases, attack graphs provide an ideal methodology for planning appropriate attack responses. This includes optimal placement of intrusion detection sensors, correlating intrusion alarms, accounting [...]
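The attack-graph approach described above (Chapter 5's Topological Vulnerability Analysis) can be shown on a toy network. The code below is an added example written for this page, not code from the book or from the TVA authors: the hosts, the reachability table and the exploit table are constructed, and the exploit entries are hypothetical placeholders, not real vulnerabilities. It builds the graph of hosts an attacker can own by chaining exploits over reachable ports, lists the next possible attack steps from a host an IDS alarm reports as compromised, enumerates the paths to a critical asset, and picks the stepping-stone hosts where a sensor would see the most attack paths.

```python
"""Minimal attack-graph walk in the style of Topological Vulnerability Analysis.

Added illustration, not code from Ryan Trost's book. The network model below
(hosts, reachability, exploits) is constructed for the example; exploit
entries are hypothetical, not real vulnerabilities.
"""
from collections import deque

# Constructed reachability: (source host, destination host, destination port).
# Think of it as the firewall and routing policy reduced to allowed flows.
REACHABILITY = {
    ("attacker", "web", 80),
    ("attacker", "web", 443),
    ("web", "app", 8080),
    ("web", "db", 3306),        # over-permissive rule, for the example
    ("app", "db", 3306),
    ("app", "fileserver", 445),
}

# Constructed exploit table: (vulnerable host, port) -> privilege gained.
# No exploit is listed for web:443, so that flow never becomes an edge.
EXPLOITS = {
    ("web", 80): "user",
    ("app", 8080): "root",
    ("db", 3306): "root",
    ("fileserver", 445): "root",
}


def attack_graph(start="attacker"):
    """Return {victim: set(launch hosts)} for every host the attacker can own.

    Breadth-first search: from each owned host, every reachable (host, port)
    with a matching exploit becomes a new owned host and an edge in the graph.
    """
    owned = {start}
    edges = {}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, dst, port in REACHABILITY:
            if s != src or (dst, port) not in EXPLOITS:
                continue
            edges.setdefault(dst, set()).add(src)
            if dst not in owned:
                owned.add(dst)
                queue.append(dst)
    return edges


def next_steps(compromised_host):
    """Predict the next possible attack steps from a host an IDS alarm says
    is already compromised: its direct successors in the attack graph."""
    return sorted(
        dst for s, dst, port in REACHABILITY
        if s == compromised_host and (dst, port) in EXPLOITS
    )


def paths_to(target, edges, start="attacker"):
    """Enumerate the simple attack paths from start to target, walking the
    graph backwards from the target over predecessor edges."""
    results = []

    def walk(node, path):
        if node == start:
            results.append(list(reversed(path)))
            return
        for pred in sorted(edges.get(node, ())):
            if pred not in path:
                walk(pred, path + [pred])

    walk(target, [target])
    return results


def sensor_placement(edges):
    """Stepping stones: hosts that are both a victim and a launch point.
    Monitoring them covers every multi-hop path through the graph."""
    victims = set(edges)
    launch_points = {src for srcs in edges.values() for src in srcs}
    return sorted(victims & launch_points)


if __name__ == "__main__":
    g = attack_graph()
    for victim, sources in sorted(g.items()):
        print(f"{victim:<10} attacked from {sorted(sources)}")
    print("alarm on web, next steps:", next_steps("web"))
    print("paths to db:", paths_to("db", g))
    print("place sensors on:", sensor_placement(g))
```

On this model an alarm on the web server predicts the app server and the database as the next steps, and the two paths to the database both pass through the web server, which is why the stepping-stone set is where a sensor earns its keep.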
[...] converged detection can offer. Chapter 10, "Geospatial Intrusion Detection," proves how the source IP address is one of the most overlooked and powerful components of an intrusion detection log. IDSs/IPSs are becoming more advanced, and geocoding source IP addresses is adding another layer of defensive intelligence. The ultimate goal of geospatial intrusion detection is to maximize situational awareness [...]

[...] leading experts on intrusion detection using Snort.

Chapter 1 Network Overview

Knowledge of the structure of Internet Protocol (IP) packets is a fundamental part of understanding the Internet and how information moves from one point to another. The benefits of such knowledge extend to virtually all networking disciplines, not the least of which is intrusion detection. Rules-based intrusion-detection [...]

[...] predicting the next possible attack steps.

• Chapter 6, "Network Flows and Anomaly Detection," explores the topic of network flow data: its collection for network security analysis and, specifically, an emerging field called Network Behavior Analysis (NBA). First, this chapter explores flow technology and analyzes the different flow formats: their characteristics, respective datasets, and key fields. It discusses [...]

[...] wireless security, the shortcomings of the network-based IDS, and the options available to those who want to keep a close eye on their wireless traffic. Chapter 9, "Physical Intrusion Detection for IT," gets IT security staffs thinking about how intrusion detection efforts can be bolstered by converging with the physical security team. This chapter includes an overview of physical security technologies to help [...]
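The Chapter 1 opening above makes the point that a rules-based IDS rests on knowing exactly where each field sits in an IP packet, and the Chapter 3 outline lists IP fragmentation among the problems a sensor has to handle. The following is an added example written for this page, not code from the book: it parses the IPv4 header by hand, verifies the header checksum, matches a Snort-style header rule against the decoded fields, and flags a first fragment too small to carry a full TCP header. The packets are constructed by the build_ipv4 helper, and the 20-byte fragment threshold is this example's assumption.

```python
"""Hand-parsed IPv4 header plus a rule-style match over its fields.

Added illustration for this section, not code from the book. Every packet
used here is built by build_ipv4(), so all input is constructed.
"""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    folded to 16 bits and inverted. Over a header whose checksum field is
    already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte header, validate it, and slice out the
    options and payload. Raises ValueError for anything a sensor should
    not trust (truncation, wrong version, bad length, bad checksum)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "ttl": ttl,
        "proto": proto,                            # 1 ICMP, 6 TCP, 17 UDP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl],
        "payload": packet[ihl:total_len],
    }


def build_ipv4(src, dst, proto, payload, ident=1, flags_frag=0, ttl=64,
               options=b""):
    """Assemble a header with a correct checksum (options padded to 32 bits).
    Used only to construct test packets for this example."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), ident, flags_frag, ttl, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split(".")))) + options
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def match_rule(fields: dict, rule: dict) -> bool:
    """Header match in the spirit of a Snort rule header: every key in the
    rule must equal the parsed field."""
    return all(fields.get(k) == v for k, v in rule.items())


def tiny_first_fragment(fields: dict, min_payload: int = 20) -> bool:
    """First fragment (offset 0, MF set) too short to carry a full TCP
    header, so a rule keyed on TCP ports never sees them in this packet.
    The 20-byte threshold is this example's assumption."""
    return (fields["mf"] and fields["frag_offset"] == 0
            and len(fields["payload"]) < min_payload)


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "192.168.1.10", 6, b"\x00" * 24)
    fields = parse_ipv4(pkt)
    print("tcp to db host:", match_rule(fields, {"proto": 6, "dst": "192.168.1.10"}))
    frag = build_ipv4("10.0.0.5", "192.168.1.10", 6, b"\x00" * 8, flags_frag=0x2000)
    print("tiny first fragment:", tiny_first_fragment(parse_ipv4(frag)))
```

Note that the checksum only protects the header, not the payload, and that a sensor that drops tiny first fragments is applying a policy, not decoding anything; the real fix for fragment evasion is target-based reassembly, which the Chapter 3 outline covers separately.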

Posted: 05/05/2014, 15:58
