Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
Some of the primary tools of security and network administrators alike are network analysis tools. These include network sniffers, intrusion detection software, and network analyzers. A network sniffer is software that passively listens to traffic received and sent by a network interface. The workhorse sniffer of choice is TCPDump. TCPDump is simple enough that beginners can learn it quickly yet powerful enough to provide the necessary functionality for multiple protocols in multiple situations. Using TCPDump, it's possible to view traffic in numerous formats, including ASCII, and to use expressions to fine-tune the exact traffic to be viewed through the tool.

TCPDump is manual and primitive intrusion detection software. If you know what you're looking for, TCPDump can help you spot the anomalous traffic as it passes through the network. TCPDump in and of itself won't know that an attack just passed under its nose; that's the job of the intrusion analyst (as well as other software). However, TCPDump almost always becomes an integral tool for investigating active attacks because it allows the analyst to watch the attack in real time. TCPDump is covered in depth in Chapter 11, "Network Monitoring and Attack Detection." There you'll find coverage of normal protocol activity, as well as a look at some exploits through the eyes, or nose as it were, of TCPDump.

When it comes to tools that listen to the network and perform some level of analysis on the traffic, none is better than Snort. Snort is provider- and enterprise-class intrusion detection software that's both widely deployed and mature. Snort works using the concept of intrusion signatures. The theory is that many attacks follow the same pattern or look the same or very similar at the network level. Consider this example: Assume that a packet is received on a certain port with its header flags set a certain way. When this occurs, it is always a precursor to an attack or an attempt to exploit a certain vulnerability.
It can be said that this particular attack has, therefore, a signature that identifies it as malicious traffic. This signature, unique to the exploit of this vulnerability, can then be used by software such as Snort to detect that there was an attempt to exploit the vulnerability. Snort can then perform an action based on this detection (or can take no action). Snort is quite powerful and, when combined with reporting software called ACID, can produce complex reports in addition to its main function of intrusion detection.

Ntop is network analysis software rather than a sniffer: it produces reports of usage based on protocol, flow, host, and other parameters. Using ntop is recommended at strategic points in the network to establish a baseline of the normal traffic flows on the network. A sample page with one of ntop's reports is shown in Figure 10.1.

Figure 10.1. An example of one of ntop's reports.
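To make the signature idea described above for Snort concrete, here is an added example that is not code from the book and does not use Snort's own rule language: it decodes raw TCP headers and matches them against two constructed signatures on destination port and header flags. All function and signature names are assumptions made for this illustration.

```python
import struct
from typing import NamedTuple

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

class Signature(NamedTuple):
    # Hypothetical signature shape: a destination port plus flag conditions.
    name: str
    dst_port: int
    must_set: frozenset    # every flag named here must be set
    must_clear: frozenset  # none of the flags named here may be set

def parse_tcp_header(data: bytes) -> dict:
    """Decode ports and flag names from the fixed 20-byte TCP header."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    bits = off_flags & 0x3F
    return {"sport": sport, "dport": dport,
            "flags": frozenset(n for n, b in FLAGS.items() if bits & b)}

def matches(sig: Signature, hdr: dict) -> bool:
    return (hdr["dport"] == sig.dst_port
            and sig.must_set <= hdr["flags"]
            and not (sig.must_clear & hdr["flags"]))

def scan(packets, signatures):
    """Return (packet index, signature name) for every packet that matches."""
    hits = []
    for i, pkt in enumerate(packets):
        hdr = parse_tcp_header(pkt)
        hits.extend((i, s.name) for s in signatures if matches(s, hdr))
    return hits

def make_tcp(sport: int, dport: int, flag_names) -> bytes:
    """Build a constructed 20-byte TCP header (data offset 5, no options)."""
    off_flags = (5 << 12) | sum(FLAGS[f] for f in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, 65535, 0, 0)

# Constructed signatures: SYN and FIN together (never legitimate) aimed at
# port 80, and a header with no flags set at all aimed at port 22.
SIGNATURES = [
    Signature("SYN+FIN to port 80", 80, frozenset({"SYN", "FIN"}), frozenset({"ACK"})),
    Signature("no-flags packet to port 22", 22, frozenset(), frozenset(FLAGS)),
]
SAMPLE = [make_tcp(40000, 80, ["SYN"]),  # constructed: one normal SYN, then
          make_tcp(40001, 80, ["SYN", "FIN"]),  # the two anomalous headers
          make_tcp(40002, 22, [])]
```

Running `scan(SAMPLE, SIGNATURES)` flags only the second and third headers; a real engine would read the headers from a live capture rather than from constructed bytes.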
Ntop is just one such analyzer. I chose to feature ntop here because it's simple to get working quickly. However, I also recommend other analysis software for network traffic. Among other analysis software, MRTG and Cricket are two excellent choices for traffic analysis. Creating baseline traffic reports and keeping them up to date helps not only to spot anomalies, including both unexpected increases and decreases in the traffic, but also to track when new bandwidth might be necessary. It is this dual use, spotting security anomalies and monitoring bandwidth usage, that makes traffic analysis invaluable. To establish traffic baselines and effectively monitor the network for intrusions using Snort and TCPDump on large networks, it's important to place the tools at strategic locations within the network. Most large networks (and even medium and small ones) use switches to pass traffic. Understanding the difference between switches and hubs is important when considering where to place network tools.

Switches and Hubs and Why You Care
On a switched network, any given network interface receives only traffic destined for it, plus broadcast traffic. In a hub network environment the network interface receives all traffic, whether that traffic is destined for it or for another device. This is why switched networks are faster than hubbed networks: the unnecessary traffic isn't sent to all ports of the switch. There are situations in which a network interface might receive all traffic, or a greater subset than merely its own, in a switched network, for instance when a switch is configured to mirror the traffic to a specific port. In practice this can be done, but it may result in performance problems for the switch because it now has to copy all traffic to two ports instead of one. Refer to your switch's documentation for more information. For example, Cisco Catalyst switches call this feature "Switched Port Analyzer," or SPAN. More information on SPAN can be found at http://www.cisco.com/warp/public/473/41.html. Regardless of where the traffic originates, if it comes into the interface where the sniffer is running, the traffic can be captured. The key, at a network level, is to place sniffers and the related intrusion detection software in the right locations. For host-based traffic sniffing, the placement of the sniffer is obvious: on the host itself.

Sniffer Placement
The placement of network sniffers and traffic-analysis software is key to successfully analyzing the traffic. In a switched network, the switch needs to be configured to mirror all traffic out the sniffer's switch port. Chapter 11 discusses the placement of sniffers. In essence, I recommend placing them at as many points as you can, notably near termination points such as firewalls.

ARPWatch
Another item to be discussed in Chapter 11 is ARPWatch. ARPWatch is software that watches for new devices appearing on the network. ARPWatch can be helpful for auditing the devices on the network, especially wireless networks.