390 Chapter 6 • Infrastructure Security: Devices and Media
as possible to match with the input data stream (large, complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures define the characteristics of a single IP option, such as an nmap portscan, while others are derived from the actual payload of an attack. Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network, and looking for a unique pattern that is repeated on every execution. This method works well at ensuring that the signature consistently matches an attempt by that particular exploit. Remember that the idea is the unique identification of attacks, not merely the detection of attacks.
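The signature-building method just described, worked through as an added example (not from the book): several captures of one attack are compared for the byte pattern that repeats in every run, the candidate is rejected if it also occurs in known-good traffic, and the result is then used as a plain content-match signature. All captures are constructed sample data, and the attack "core" string is a placeholder.

```python
"""Deriving a payload signature the way the text describes: capture the same
attack several times, keep the byte pattern that repeats on every run, and
reject it if it also appears in normal traffic. All captures below are
constructed sample data for this page, not real exploit traffic."""


def longest_common_substring(samples):
    """Longest byte string present in every sample (brute force; fine for
    the handful of short captures used when hand-building a signature)."""
    if not samples:
        return b""
    shortest = min(samples, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def derive_signature(attack_captures, benign_captures, min_len=8):
    """Return a signature, or None when the captures do not yield one that is
    long enough to be reliable and absent from known-good traffic."""
    sig = longest_common_substring(attack_captures)
    if len(sig) < min_len:
        return None                      # too short: would fire on chance matches
    if any(sig in b for b in benign_captures):
        return None                      # not unique to the attack: false positives
    return sig


def matches(signature, payload):
    """Simple content match, the core of a payload-based NIDS signature."""
    return signature in payload


# Constructed data: three runs of one attack whose padding length and trailing
# bytes vary between executions, plus ordinary requests to the same service.
CORE = b"CONSTRUCTED-ATTACK-CORE"          # placeholder for the repeated payload
ATTACK_RUNS = [
    b"GET /index.html HTTP/1.0\r\n" + b"\x90" * 6 + CORE + b"a1",
    b"GET /login.php HTTP/1.0\r\n" + b"\x90" * 9 + CORE + b"b22",
    b"POST /upload HTTP/1.0\r\n" + b"\x90" * 4 + CORE + b"c333",
]
BENIGN = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    b"POST /upload HTTP/1.0\r\nContent-Length: 4\r\n\r\nabcd",
]

SIGNATURE = derive_signature(ATTACK_RUNS, BENIGN)

if __name__ == "__main__":
    print("signature:", SIGNATURE)
    print("fires on new run:", matches(SIGNATURE, b"HEAD / HTTP/1.0\r\n" + b"\x90" * 5 + CORE))
    print("fires on benign:", matches(SIGNATURE, BENIGN[0]))
```

Note that the shared HTTP request line and the varying padding drop out of the signature automatically, which is exactly why several runs are needed: a single capture would have no way to tell the attack-specific bytes from the incidental ones.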
Notes From the Underground…
Baiting with Honeynets
Recently, there has been an upsurge in the use of honeynets or honeypots as a defensive tool. A honeynet is a system that is deployed with the intended purpose of being compromised. This is an excellent tool for distracting intruders from the important systems on your network, by luring them to a group of systems where they can be detected. This is done by making the honeynet look more attractive than the real servers in your network. A hacker will attack a server that appears vulnerable and looks like it contains important data rather than attempt to break into a system that seems well protected.

The current best-known configuration type for these tools is where two systems are deployed, one as bait and the other configured to log all traffic. The logging host should be configured as a bridge (invisible to any remote attacker) with sufficient disk space to record all network traffic for later analysis. The system behind the logging host can be configured in any fashion. Most systems are bait, meaning they are designed to be the most attractive targets on a network segment. The defender hopes that all attackers will see this easy point of presence and target their attacks in that direction.

No system is foolproof. Attackers are able to discern that they are behind a bridge by the lack of Layer 2 traffic and the discrepancy in MAC addresses in the bait system's ARP cache. See http://project.honeynet.org for more details.
There are two types of IDSes that can be used to secure a network: system IDSes or network IDSes. A system IDS (referred to as IDS or a Kernel Proxy) runs on each individual server on which the administrator wants to perform intrusion detection. A network IDS (NIDS) does intrusion detection across the network. System IDSes are great for ensuring that the server on which it is installed is
www.syngress.com