Extrusion Detection - Richard Bejtlich

Extrusion Detection

Security Monitoring for Internal Intrusions
Book | Softcover
424 pages
2005
Addison-Wesley Educational Publishers Inc (publisher)
978-0-321-34996-5 (ISBN)
67,30 incl. VAT
Helps you overcome your fastest-growing security problem: internal, client-based attacks. This is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. It offers clear explanations of client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data.
Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates.

Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur.

Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

Architecting defensible networks with pervasive awareness: theory, techniques, and tools
Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
Dissecting session and full-content data to reveal unauthorized activity
Implementing effective Layer 3 network access control
Responding to internal attacks, including step-by-step network forensics
Assessing your network's current ability to resist internal attacks
Setting reasonable corporate access policies
Detailed case studies, including the discovery of internal and IRC-based bot nets
Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site: Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).

Foreword.

Preface.

I. DETECTING AND CONTROLLING INTRUSIONS.

1. Network Security Monitoring Revisited.

    Why Extrusion Detection?

    Defining The Security Process

    Security Principles

    Network Security Monitoring Theory

    Network Security Monitoring Techniques

    Network Security Monitoring Tools

    Conclusion

2. Defensible Network Architecture.

    Monitoring the Defensible Network

    Controlling the Defensible Network

    Minimizing the Defensible Network

    Keeping the Defensible Network Current

    Conclusion

3. Extrusion Detection Illustrated.

    Intrusion Detection Defined

    Extrusion Detection Defined

    History of Extrusion Detection

    Extrusion Detection Through NSM

    Conclusion

4. Enterprise Network Instrumentation.

    Common Packet Capture Methods

    PCI Tap

    Dual Port Aggregator Tap

    2X1 10/100 Regeneration Tap

    2X1 10/100 SPAN Regeneration Tap

    Matrix Switch

    Link Aggregator Tap

    Distributed Traffic Collection with Pf Dup-To

    Squid SSL Termination Reverse Proxy

    Conclusion

5. Layer 3 Network Access Control.

    Internal Network Design

    Internet Service Provider Sink Holes

    Enterprise Sink Holes

    Using Sink Holes to Identify Internal Intrusions

    Internal Intrusion Containment

    Notes on Enterprise Sink Holes in the Field

    Conclusion

II. NETWORK SECURITY OPERATIONS.

6. Traffic Threat Assessment.

    Why Traffic Threat Assessment?

    Assumptions

    First Cuts

    Looking for Odd Traffic

    Inspecting Individual Services: NTP

    Inspecting Individual Services: ISAKMP

    Inspecting Individual Services: ICMP

    Inspecting Individual Services: Secure Shell

    Inspecting Individual Services: Whois

    Inspecting Individual Services: LDAP

    Inspecting Individual Services: Ports 3003 to 9126 TCP

    Inspecting Individual Services: Ports 44444 and 49993 TCP

    Inspecting Individual Services: DNS

    Inspecting Individual Services: SMTP

    Inspecting Individual Services: Wrap-Up

    Conclusion

7. Network Incident Response.

    Preparation for Network Incident Response

    Secure CSIRT Communications

    Intruder Profiles

    Incident Detection Methods

    Network First Response

    Network-Centric General Response and Remediation

    Conclusion

8. Network Forensics.

    What Is Network Forensics?

    Collecting Network Traffic as Evidence

    Protecting and Preserving Network-Based Evidence

    Analyzing Network-Based Evidence

    Presenting and Defending Conclusions

    Conclusion

III. INTERNAL INTRUSIONS.

9. Traffic Threat Assessment Case Study.

    Initial Discovery

    Making Sense of Argus Output

    Argus Meets Awk

    Examining Port 445 TCP Traffic

    Were the Targets Compromised?

    Tracking Down the Internal Victims

    Moving to Full Content Data

    Correlating Live Response Data with Network Evidence

    Conclusion

10. Malicious Bots.

    Introduction to IRC Bots

    Communication and Identification

    Server and Control Channels

    Exploitation and Propagation

    Final Thoughts on Bots

    Dialogue with a Bot Net Admin

    Conclusion

    Epilogue

Appendix A: Collecting Session Data in an Emergency.

Appendix B: Minimal Snort Installation Guide.

Appendix C: Survey of Enumeration Methods.

Appendix D: Open Source Host Enumeration.

Index.

Publication date (per publisher) 17.11.2005
Place of publication New Jersey
Language English
Dimensions 177 x 234 mm
Weight 778 g
Subject area Mathematics / Computer Science > Computer Science > Databases
Computer Science > Networks > Security / Firewall
Business > Business Administration / Management > Business Informatics
ISBN-10 0-321-34996-2 / 0321349962
ISBN-13 978-0-321-34996-5 / 9780321349965
Condition New