وبلاگ بلیان

The Tao of Network Security Monitoring : Beyond Intrusion Detection

معرفی کتاب «The Tao of Network Security Monitoring : Beyond Intrusion Detection» نوشتهٔ Bejtlich, Richard;Gula, Ron(Foreword by)، منتشرشده توسط نشر Addison-Wesley Professional در سال 2004. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

"The book you are about to read will arm you with the knowledge you need to defend your network from attackers--both the obvious and the not so obvious.... If you are new to network security, don't put this book back on the shelf! This is a great book for beginners and I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial IDS, you may be asking 'What's next?' If so, this book is for you." --Ron Gula, founder and CTO, Tenable Network Security, from the Foreword "Richard Bejtlich has a good perspective on Internet security--one that is orderly and practical at the same time. He keeps readers grounded and addresses the fundamentals in an accessible way." --Marcus Ranum, TruSecure "This book is not about security or network monitoring: It's about both, and in reality these are two aspects of the same problem. You can easily find people who are security experts or network monitors, but this book explains how to master both topics." --Luca Deri, ntop.org "This book will enable security professionals of all skill sets to improve their understanding of what it takes to set up, maintain, and utilize a successful network intrusion detection strategy." --Kirby Kuehl, Cisco Systems Every network can be compromised. There are too many systems, offering too many services, running too many flawed applications. No amount of careful coding, patch management, or access control can keep out every attacker. If prevention eventually fails, how do you prepare for the intrusions that will eventually happen? Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes--resulting in decreased impact from unauthorized activities. In The Tao of Network Security Monitoring , Richard Bejtlich explores the products, people, and processes that implement the NSM model. By focusing on case studies and the application of open source tools, he helps you gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents. Inside, you will find in-depth information on the following areas. The NSM operational framework and deployment considerations. How to use a variety of open-source tools--including Sguil, Argus, and Ethereal--to mine network traffic for full content, session, statistical, and alert data. Best practices for conducting emergency NSM in an incident response scenario, evaluating monitoring vendors, and deploying an NSM architecture. Developing and applying knowledge of weapons, tactics, telecommunications, system administration, scripting, and programming for NSM. The best tools for generating arbitrary packets, exploiting flaws, manipulating traffic, and conducting reconnaissance. Whether you are new to network intrusion detection and incident response, or a computer-security veteran, this book will enable you to quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging threats. Cover......Page 1 Contents......Page 8 Foreword......Page 18 Preface......Page 20 About the Author......Page 32 About the Contributors......Page 34 Part I: Introduction To Network Security Monitoring......Page 36 Chapter 1 The Security Process......Page 38 What Is Security?......Page 39 What Is Risk?......Page 41 A Case Study on Risk......Page 44 Security Principles: Characteristics of the Intruder......Page 47 Security Principles: Phases of Compromise......Page 49 Security Principles: Defensible Networks......Page 55 Conclusion......Page 59 Indications and Warnings......Page 60 Collection, Analysis, and Escalation......Page 63 Detecting and Responding to Intrusions......Page 64 Why Do Ids Deployments Often Fail?......Page 65 Outsiders Versus Insiders: What Is NSM’s Focus?......Page 66 Security Principles: Detection......Page 69 Security Principles: Limitations......Page 72 What Nsm Is Not......Page 75 Nsm in Action......Page 77 Conclusion......Page 78 Threat Models and Monitoring Zones......Page 80 Accessing Traffic in Each Zone......Page 86 Wireless Monitoring......Page 120 Sensor Architecture......Page 128 Sensor Management......Page 133 Conclusion......Page 137 Part II: Network Security Monitoring Products......Page 138 The Scenario......Page 140 The Attack......Page 141 Conclusion......Page 153 Chapter 5 Full Content Data......Page 154 A Note on Software......Page 155 Libpcap......Page 156 Tcpdump......Page 157 Tethereal......Page 175 Snort As Packet Logger......Page 184 Finding Specific Parts of Packets With Tcpdump, Tethereal, and Snort......Page 189 Ethereal......Page 197 A Note on Commercial Full Content Collection Options......Page 206 Conclusion......Page 207 Editcap and Mergecap......Page 208 Tcpslice......Page 209 Tcpreplay......Page 214 Tcpflow......Page 217 Ngrep......Page 220 Ipsumdump......Page 224 Etherape......Page 226 Netdude......Page 228 P0F......Page 240 Conclusion......Page 244 Chapter 7 Session Data......Page 246 Forms of Session Data......Page 247 Cisco’s Netflow......Page 249 Fprobe......Page 255 Ng_Netflow......Page 257 Flow-Tools......Page 259 Sflow and Sflow Toolkit......Page 267 Argus......Page 269 Tcptrace......Page 277 Conclusion......Page 281 Chapter 8 Statistical Data......Page 282 What Is Statistical Data?......Page 283 Cisco Accounting......Page 284 Ipcad......Page 290 Ifstat......Page 292 Bmon......Page 293 Trafshow......Page 295 Ttt......Page 299 Tcpdstat......Page 301 Mrtg......Page 306 Ntop......Page 313 Conclusion......Page 318 Chapter 9 Alert Data: Bro and Prelude......Page 320 Bro......Page 321 Prelude......Page 333 Conclusion......Page 350 Chapter 10 Alert Data: Nsm Using Sguil......Page 352 Why Sguil?......Page 353 So What Is Sguil?......Page 354 The Basic Sguil Interface......Page 356 Sguil’s Answer to “Now What?”......Page 358 Making Decisions With Sguil......Page 364 Sguil Versus the Reference Intrusion Model......Page 366 Conclusion......Page 379 Part III: Network Security Monitoring Processes......Page 380 Assessment......Page 382 Protection......Page 384 Detection......Page 389 Response......Page 415 Back to Assessment......Page 418 Conclusion......Page 419 Introduction to Hawke Helicopter Supplies......Page 420 Case Study 1: Emergency Network Security Monitoring......Page 421 Case Study 2: Evaluating Managed Security Monitoring Providers......Page 428 Case Study 3: Deploying An In-House Nsm Solution......Page 431 Conclusion......Page 437 Part IV: Network Security Monitoring People......Page 438 Chapter 13 Analyst Training Program......Page 440 Weapons and Tactics......Page 445 Telecommunications......Page 449 System Administration......Page 450 Scripting and Programming......Page 453 Management and Policy......Page 456 Training in Action......Page 457 Periodicals and Web Sites......Page 461 Case Study: Staying Current With Tools......Page 462 Conclusion......Page 466 Chapter 14 Discovering Dns......Page 468 Normal Port 53 Traffic......Page 469 Suspicious Port 53 Traffic......Page 483 Malicious Port 53 Traffic......Page 494 Conclusion......Page 507 Chapter 15 Harnessing the Power of Session Data......Page 508 The Session Scenario......Page 509 Session Data From the Wireless Segment......Page 510 Session Data From the Dmz Segment......Page 511 Session Data From the Vlans......Page 514 Session Data From the External Segment......Page 523 Conclusion......Page 525 Truncated Tcp Options......Page 526 Scan Fin......Page 533 Chained Covert Channels......Page 540 Conclusion......Page 553 Part V: The Intruder Versus Network Security Monitoring......Page 554 Packit......Page 556 Ip Sorcery......Page 565 Fragroute......Page 569 Lft......Page 583 Xprobe2......Page 593 Cisco Ios Denial of Service......Page 602 Solaris Sadmin Exploitation Attempt......Page 605 Microsoft Rpc Exploitation......Page 610 Conclusion......Page 615 Chapter 18 Tactics for Attacking Network Security Monitoring......Page 618 Promote Anonymity......Page 619 Evade Detection......Page 638 Appear Normal......Page 669 Degrade or Deny Collection......Page 674 Self-Inflicted Problems in Nsm......Page 682 Conclusion......Page 684 Epilogue The Future of Network Security Monitoring......Page 686 Remote Packet Capture and Centralized Analysis......Page 687 Integration of Vulnerability Assessment Products......Page 688 Anomaly Detection......Page 689 Nsm Beyond the Gateway......Page 691 Conclusion......Page 693 Part VI: Appendixes......Page 696 Appendix A: Protocol Header Reference......Page 698 Appendix B: Intellectual History of Network Security Monitoring......Page 720 Appendix C: Protocol Anomaly Detection......Page 792 A......Page 800 B......Page 802 C......Page 804 D......Page 806 E......Page 808 F......Page 809 H......Page 811 I......Page 812 L......Page 815 M......Page 816 N......Page 817 P......Page 819 R......Page 822 S......Page 824 T......Page 828 V......Page 831 W......Page 832 Z......Page 833

"The book you are about to read will arm you with the knowledge you need to defend your network from attackers—both the obvious and the not so obvious.... If you are new to network security, don't put this book back on the shelf! This is a great book for beginners and I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial IDS, you may be asking 'What's next?' If so, this book is for you."

—Ron Gula, founder and CTO, Tenable Network Security, from the Foreword

"Richard Bejtlich has a good perspective on Internet security—one that is orderly and practical at the same time. He keeps readers grounded and addresses the fundamentals in an accessible way."

—Marcus Ranum, TruSecure

"This book is not about security or network monitoring: It's about both, and in reality these are two aspects of the same problem. You can easily find people who are security experts or network monitors, but this book explains how to master both topics."

—Luca Deri, ntop.org

"This book will enable security professionals of all skill sets to improve their understanding of what it takes to set up, maintain, and utilize a successful network intrusion detection strategy."

—Kirby Kuehl, Cisco Systems

Every network can be compromised. There are too many systems, offering too many services, running too many flawed applications. No amount of careful coding, patch management, or access control can keep out every attacker. If prevention eventually fails, how do you prepare for the intrusions that will eventually happen?

Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes—resulting in decreased impact from unauthorized activities.

In The Tao of Network Security Monitoring, Richard Bejtlich explores the products, people, and processes that implement the NSM model. By focusing on case studies and the application of open source tools, he helps you gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents.

Inside, you will find in-depth information on the following areas.

  • The NSM operational framework and deployment considerations.
  • How to use a variety of open-source tools—including Sguil, Argus, and Ethereal—to mine network traffic for full content, session, statistical, and alert data.
  • Best practices for conducting emergency NSM in an incident response scenario, evaluating monitoring vendors, and deploying an NSM architecture.
  • Developing and applying knowledge of weapons, tactics, telecommunications, system administration, scripting, and programming for NSM.
  • The best tools for generating arbitrary packets, exploiting flaws, manipulating traffic, and conducting reconnaissance.

Whether you are new to network intrusion detection and incident response, or a computer-security veteran, this book will enable you to quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging threats.

;. IEEE CIPHER

"Well constructed, readable and useful. The approach is a good one and the initial challenge of going beyond ID was successfully met by Bejtlich. It is a book that can be recommended without reservation.

Foreword Preface About the Author About the Contributors Introduction to Network Security Monitoring The Security Process What is Network Security Monitoring? Deployment Considerations Network Security Monitoring Products The Reference Intrusion Model Full Content Data Additional Data Analysis Session Data Statistical Data Alert Data: Bro and Prelude Alert Data: NSM Using Sguil Network Security Monitoring Processes Best Practices Case Studies for Managers Network Security Monitoring People Analyst Training Program Discovering DNS Harnessing the Power of Session Data Packet Monkey Heaven The Intruder versus Network Security Monitoring Tools for Attacking Network Security Monitoring Tactics for Attacking Network Security Monitoring The Future of Network Security Monitoring Appendixes Protocol Header Reference Intellectual History of Network Security Monitoring Protocol Anomaly Detection None Using real-life case studies of compromised networks, this title shows readers how to quickly develop and apply the skills necessary to detect, prevent, and respond to new and emerging threats to computer security Provides information on computer network security, covering such topics as NSM operational framework and deployment, using open-source tools, session data, statistical data, Sguil, and DNS.
دانلود کتاب The Tao of Network Security Monitoring : Beyond Intrusion Detection