Is your Network Intrusion Detection System blind in one eye?

herakty

The problem of trusting security products too much and not understanding that they too are fallible and can be bypassed... Before any test, I run the "trace" of the techniques I am going to use through several IDSs to see whether they are detectable by the signatures of the known IDSs... and there are techniques for "tuning" and bypassing them... or simply using a chain of proxies, so that even if the attack is detected, nobody is detected.

Is your Network Intrusion Detection System blind in one eye?

If your network administrator/security guy implemented more than just the basic security for your network, you’ve got a Network Intrusion Detection System (NIDS) connected to your network. A NIDS inspects network packets looking for indications of hostile activity, such as exploit attempts, malicious email, port scanning, and protocols associated with specific Trojans. When implementing a NIDS, there are several different options for connecting it to the network. A common option is to mirror one or more ports on a network switch to send a copy of each packet to the NIDS. This can be accomplished in several different ways:

Option 1: Connect the NIDS in front of the router (Switch A, red line). The NIDS “sees” all hostile activity (meaning the NIDS is able to inspect the network packets) attempting to enter the network at the router and leaving the network from the router, but cannot see anything behind the router. It does not know if inbound hostile activity is blocked by the router (access control list) or firewall (firewall policy).

Option 2: Connect the NIDS in front of the firewall (Switch B, purple line). The NIDS sees all hostile activity between the router and the firewall, but cannot see inbound hostile activity blocked by the router or any activity internal to the network at Switch C. The NIDS cannot see what hostile activity leaves the router in the outbound direction and does not know if the router blocks the outbound hostile activity. The NIDS does not know what inbound hostile activity is blocked by the firewall and does not see outbound hostile activity from Switch C that is blocked by the firewall.

Option 3: Connect the NIDS in back of the firewall (Switch C, blue line). The NIDS does not see any hostile activity in front of the router or between the router and the firewall. The NIDS does not know if any outbound hostile activity is blocked by the firewall or router. There are two switch configuration options at Switch C:

a. The NIDS sees all packets entering and leaving the network, but is not configured to see the packets going between desktops A, B and C.

b. The NIDS sees all packets entering and leaving the network and is also configured to see the packets going between desktops A, B and C.

Option 4: The NIDS is connected using any combination of the options listed above.

Given these options, what option(s) would you choose to connect the NIDS to the network?

Here are two questions for you to ask your network administrator/security guy:

1. How many ports on the NIDS are connected to the network?

2. What devices are connected to the NIDS and what activity does it see (inbound, outbound, desktop, server, etc.)?

After you talk with your network administrator/security guy, ask yourself these questions given your network’s NIDS configuration:

1. If the user on Desktop A opens a malicious email that installs a Trojan that isn’t detected by the anti-virus/spyware software, and the Trojan starts attacking Desktops B and C, what will the NIDS see?

2. If the NIDS is connected to Switch A and/or B, and not Switch C, if outbound hostile activity is blocked by the firewall, what will the NIDS see?

3. If the NIDS is connected to Switch B and/or C, and not Switch A, how will you know what type of inbound exploits are being attempted if the activity is blocked by the router’s access control list?

4. Are you happy with your network’s NIDS configuration?

Many organizations don’t realize that their NIDS implementation is flawed and as a result, their NIDS doesn’t see hostile activity at certain points within its network infrastructure. This means that those monitoring the NIDS may not realize what hostile activity is attempting to get into the network, is happening inside of the network, or is attempting to get out of the network. Does your network’s NIDS implementation get a passing grade?

http://misterreiner.wordpress.com/2010/05/17/is-your-network-intrusion-detecton-system-blind-in-one-eye/

teckV
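The placement options and the self-check questions above can be worked through mechanically. The following is an added example, not code from the original post or its author: it models the post's topology (Switch A, router, Switch B, firewall, Switch C, in that order), marks which hop drops a packet, and reports which of a set of constructed sample flows each NIDS placement option is blind to. The flow names, the `Sensor`/`Flow` classes and the assumption that desktop-to-desktop traffic is mirrored only under option 3b are all constructed for this example.

```python
# Added example (not from the original post). Packets traverse Switch A,
# router, Switch B, firewall, Switch C in order; the router ACL or firewall
# policy may drop them; a NIDS sees a packet only at a switch mirrored to it.
from dataclasses import dataclass

INBOUND = ["A", "router", "B", "firewall", "C"]   # Internet -> inside
OUTBOUND = INBOUND[::-1]                          # inside -> Internet

@dataclass
class Flow:
    name: str
    direction: str              # "inbound", "outbound" or "lateral"
    router_blocks: bool = False
    firewall_blocks: bool = False

@dataclass
class Sensor:
    taps: frozenset             # switches mirrored to the NIDS, subset of A/B/C
    lateral_at_c: bool = False  # option 3b: desktop ports on Switch C mirrored too

def path(flow):
    """Hops a packet reaches before a router ACL or firewall drop."""
    if flow.direction == "lateral":
        return ["C"]            # desktop-to-desktop traffic never leaves Switch C
    hops = []
    for hop in INBOUND if flow.direction == "inbound" else OUTBOUND:
        hops.append(hop)
        if hop == "router" and flow.router_blocks or hop == "firewall" and flow.firewall_blocks:
            break
    return hops

def sees(sensor, flow):
    """True when at least one mirrored switch lies on the packet's path."""
    if flow.direction == "lateral":
        return "C" in sensor.taps and sensor.lateral_at_c
    return any(h in sensor.taps for h in path(flow))

# Constructed sample flows: the situations behind the post's self-check questions.
FLOWS = [
    Flow("inbound exploit dropped by router ACL", "inbound", router_blocks=True),
    Flow("inbound exploit dropped by firewall", "inbound", firewall_blocks=True),
    Flow("Trojan on Desktop A attacking Desktops B and C", "lateral"),
    Flow("outbound Trojan traffic dropped by firewall", "outbound", firewall_blocks=True),
]
OPTIONS = {"1": Sensor(frozenset("A")), "2": Sensor(frozenset("B")),
           "3a": Sensor(frozenset("C")), "3b": Sensor(frozenset("C"), True),
           "4": Sensor(frozenset("ABC"), True)}

def blind_spots(option):
    """Names of the sample flows the given placement never sees."""
    return [f.name for f in FLOWS if not sees(OPTIONS[option], f)]
```

Running `blind_spots` for each key of `OPTIONS` reproduces the post's claims: only the combined placement (option 4 with desktop ports mirrored) sees every sample flow.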
