Packet Sniffing on Layer 2 Switched Local Area Networks
Packet sniffing is a technique of monitoring network traffic. It is effective on both switched and non-switched networks. This paper discusses several methods that result in packet sniffing on Layer 2 switched networks. Each of the sniffing methods will be explained in detail. The purpose of the paper is to show how sniffing can be accomplished on switched networks, and to understand how it can be prevented.
|
|
Intelligence Preparation of The Battlefield
"Intelligence Preparation of the Battlefield" is a term used in the military that defines the methodology employed to reduce uncertainties concerning the enemy, environment, and terrain for all types of operations. It is a continuous process that is used throughout all planned and executed operations. The networked environment which security professionals are tasked with securing is analogous to a battlefield. The myriad of attackers and intruders from the void are the aggressors constantly on the offense. The security professionals are the defenders, entrusted to preserve the confidentiality and integrity of data against these marauders.
|
|
Intrusion Detection Terminology (Part One)
Intrusion Detection Systems (IDS) are still in their infancy, but in terms of development they are evolving at an extraordinary rate. The terminology associated with IDS is evolving just as rapidly. As a result of IDS' rapid growth and the marketing prowess of some IDS vendors, some confusion has arisen about the correct meaning of key terms. In some cases the same term may be used by different vendors to mean different things. This is the first of a two-part series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Wherever possible, I have tried to include all definitions except where I consider usage of the term to be inaccurate or misleading.
|
|
Intrusion Detection Terminology (Part Two)
The first part of this series discussed the concept of Alerts, Consoles, False Negatives, and many other terms that are important for Intrusion Detection Systems (IDS). This second and final terminology article will continue in the same vein, starting with an explanation of the many different types of IDSs that exist today.
|
|
Intrusion Detection, Theory and Practice
This article gives an overview of several types of intrusion detection systems, and introduces the reader to some of the concepts and practices involved in intrusion detection. Be aware that this article is only introductory, and while I have suggested a number of possible systems, further research should always be undertaken before trusting in the strength of your intrusion detection system.
|
|
|
|
Network Intrusion Detection Signatures, Part 1
This is the first in a series of articles on understanding and developing signatures for network intrusion detection systems. In this article we will discuss the basics of network IDS signatures and then take a closer look at signatures that focus on IP, TCP, UDP and ICMP header values. Such signatures ignore packet payloads and instead look for certain header field values or combinations of values. By learning about network IDS signatures, you'll have more knowledge of how intrusion detection systems operate, and you'll have a better foundation to write your own IDS signatures.
|
|
Network Intrusion Detection Signatures, Part 2
This is the second in a series of articles on understanding and developing signatures for network intrusion detection systems. In the first installment we looked at signature basics, the functions that signatures serve, header values, signature components, and choosing signatures. In this article we will continue our discussion of IP protocol header values in signatures by closely examining some signature examples. Although it may be relatively easy to develop a signature that matches a particular type of traffic, it will likely cause unexpected false positives and false negatives. Signatures must be carefully developed and tested in order to create a signature set that is highly accurate, yet is also as efficient as possible.
|
|
Network Intrusion Detection Signatures, Part 3
This is the third in a series of articles on understanding and developing signatures for network intrusion detection systems. In Part One and Part Two, we examined the use of IP protocol header values, particularly TCP, UDP and ICMP, in network intrusion detection signatures. In this article, we will continue our discussion of signatures by studying the area of protocol analysis, focusing on the examination of values within TCP and UDP payloads. Network intrusion detection using protocol analysis-based signatures is very effective in detecting both known and unknown attacks involving protocols such as DNS, FTP, HTTP and SMTP.
|
|
Network Intrusion Detection Signatures, Part 4
This is the fourth in a series of articles on understanding and developing signatures for network intrusion detection systems. In part one we discussed the basics of network IDS signatures and then took a closer look at signatures that focus on IP, TCP, UDP and ICMP header values. In the second installment we looked at some signature examples. In the previous article, we began to examine the topic of protocol analysis, which means that the intrusion detection system actually understands how various protocols, such as FTP, are supposed to work. In this article, we will continue to look at protocol analysis and how it can overcome attempts by attackers to obfuscate their exploits so that they cannot be detected by simple intrusion detection signature methods.
|
|
Network Intrusion Detection Signatures, Part 5
This is the fifth and final installment in a series of articles on understanding and developing signatures for network intrusion detection systems. In the previous article, we looked at the topic of protocol analysis, meaning that the intrusion detection system actually understands how various protocols, such as FTP, are supposed to work. We initially looked at protocol analysis as it applied to a single request or response. In this article, we will extend this discussion by looking closely at stateful protocol analysis, which involves performing protocol analysis for an entire connection or session, capturing and storing certain pieces of relevant data seen in the session, and using that data to identify attacks that involve multiple requests and responses.
|
|
An Overview of LIDS, Part One
In traditional Unix models, the root user is all-powerful. Root is exempt from the rules and regulations of the filesystem, and has abilities that other users do not: putting interfaces into promiscuous mode, for example. Many folks realized that this uncontrolled access could be a bad thing. Should a vulnerability be found in a program that is run as root, it could cause boundless damage. More importantly, should an attacker manage to gain root access to your machine, there is no limit to what they could do.
|
|
Overview of LIDS, Part Two
This is the second part of a four-part series devoted to an overview of LIDS, a Linux kernel patch that will allow users to take away the all-powerful nature of root in order to give programs exactly the access they need and no more. The first article in this series offered an overview of LIDS. This installment will look at file restrictions, LIDS File ACLs, and LIDS enhancements of Linux capabilities.
|
|
Overview of LIDS, Part Three
This is the third part of a four-part article devoted to the exploration of LIDS, a Linux kernel patch that will allow users to take away the all-powerful nature of root. The first article in this series offered an overview of LIDS. The second installment looked at file restrictions, LIDS File ACLs, and LIDS enhancements of Linux capabilities. This installment will discuss granting capabilities, the LIDS-specific capabilities, ACL inheritance and time-based ACLs.
|
|
Page: 1 2 3 4 5
|
Actions
Category Stats