[ISN] SANS Shadow IDS

From: mea culpa (jerichoat_private)
Date: Wed Sep 02 1998 - 18:59:17 PDT


    Forwarded From: Mushin <mu_shinat_private>
    
    
    Me and my SHADOW

    Using the new SANS intrusion-detection software with Solaris

    September 1998
    
    Abstract 
    
         The System Administration Networking and Security (SANS) Institute
    made a big splash in July by announcing a freely-available
    network-monitoring tool: the SANS Heuristic Analysis system for Defensive
    Online Warfare (SHADOW). What can SHADOW do for you? What should you let
    it do? This month James Triplett joins Peter in a discussion of the pros
    and cons of network monitoring. James provides a hands-on review of the
    tool.
    
        The SANS Heuristic Analysis system for Defensive Online Warfare,
    called SHADOW by most people, is one of that breed of tools known as
    Intrusion detection systems (IDSs). Previously, I've discussed other tools
    that can be used to implement a secure facility. These tools form the
    layers of your security onion. The complete onion should match your
    security needs and should provide your site with the appropriate level of
    security.
    
    The layers you can employ include: 
    
         Security policy -- the roadmap showing what security you need and how you're going to get there
         Firewall or filtering router -- restricting the flow between your network and the rest of the world
         Encryption -- protecting data as it flows between security domains
         Authentication -- identifying who is trying to access a resource
         Authorization -- determining whether access requests should be granted
         Individual system security -- protecting each machine from security holes
         System/Firewall monitoring -- monitoring machines for security incidents
         Intrusion detection system -- monitoring networks and systems for security incidents
         Obscurity -- hiding information to make it more difficult for a hacker to attack
         Legal threat -- using fear of legal action to deter hackers
         User education -- teaching your users to be a security weapon rather than a security hole
    
    The newest addition to this list is Intrusion Detection Systems (IDS). 
    All the recent improvements in system performance and disk capacity have
    done more than just improve Quake performance. They also enable thorough
    network data collection and analysis. There are several commercial and
    semi-commercial IDS products available, including ISS RealSecure, Axent
    Intruder Alert, and Network Flight Recorder (see Resources for links to
    these products).
    
    And now there's a new player in town. The SANS Institute is distributing a
    freely-available contributor-based facility called SHADOW. It's part of
    the Cooperative Intrusion Detection Evaluation and Response (CIDER)
    project, which is a joint effort by the Dahlgren Naval Surface Warfare
    Center, Network Flight Recorder (NFR), the SANS community and other
    interested parties to locate, document, and improve freely-available
    security software. CIDER actually has two toolsets for IDS, one based on
    NFR and the other based on the free tcpdump package. Because tcpdump is
    free and easy to install and use, we'll focus on it this month.
    
    According to the SANS announcement, "A SHADOW system can be built using
    freely-available software and existing hardware or hardware that can be
    purchased for less than $10,000. All CIDER components come with source
    code and tutorials on what they do and how to set them up and what the
    results mean. Because of this, an organization will find this approach
    complements and enhances the impact of commercially-available
    intrusion-detection systems."
    
    The basic idea of an IDS is that there is a tale to be told by the packets
    traveling on your networks. Mixed in with the standard and expected data
    flows, there could be internal or external hacker and cracker packets. For
    instance, the traffic could contain some of the standard attacks like the
    SYN flood -- or it could be more innocuous, like a telnet from or to a
    forbidden place. Without an IDS, it would be difficult or impossible to
    detect these security issues and to take the next step to determine their
    origin, watch for patterns, or set up alarms when similar events are
    detected.
    
    The SHADOW package is designed to have systems at key locations, say just
    outside or just inside a firewall, collecting data. The data is then moved
    to the analysis system for dissection.
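    The two kinds of signal the article names, a SYN flood and a telnet session
    to or from a forbidden host, are exactly what an analysis host would look
    for in the packet headers a tcpdump sensor ships over. The following is an
    added example, not code from the article or from the SHADOW/CIDER
    distribution: it parses constructed lines in the classic tcpdump 3.x text
    format (an assumption about the sensor output; SHADOW's own analysis scripts
    are not shown here) and raises both alerts. The forbidden-host list and the
    SYN threshold are hypothetical values chosen for the sample.

```python
import re
from collections import Counter

# Assumed sensor output: classic tcpdump 3.x text lines of the form
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win N
# Pure SYNs carry the flag "S" with no "ack" field; a SYN-ACK carries "S ... ack N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.WE]+)(?P<rest>.*)$"
)

TELNET_PORT = 23
# Constructed policy: hosts that must never be a telnet endpoint (hypothetical values).
FORBIDDEN_HOSTS = {"192.168.1.10"}
# Hypothetical threshold: this many pure SYNs to one dst:port in the sample is a flood.
SYN_FLOOD_THRESHOLD = 5

# Constructed sample sensor output (not captured from a real network).
SAMPLE = """\
12:00:01.000001 10.1.1.5.34567 > 192.168.1.20.80: S 1000:1000(0) win 8192
12:00:01.000050 192.168.1.20.80 > 10.1.1.5.34567: S 2000:2000(0) ack 1001 win 4096
12:00:02.000001 10.1.1.7.40001 > 192.168.1.10.23: S 3000:3000(0) win 8192
12:00:02.000900 192.168.1.10.23 > 10.1.1.7.40001: S 4000:4000(0) ack 3001 win 4096
12:00:03.100000 203.0.113.9.1025 > 192.168.1.20.80: S 5:5(0) win 512
12:00:03.100100 203.0.113.9.1026 > 192.168.1.20.80: S 6:6(0) win 512
12:00:03.100200 203.0.113.9.1027 > 192.168.1.20.80: S 7:7(0) win 512
12:00:03.100300 203.0.113.9.1028 > 192.168.1.20.80: S 8:8(0) win 512
12:00:03.100400 203.0.113.9.1029 > 192.168.1.20.80: S 9:9(0) win 512
12:00:04.000000 10.1.1.5.34568 > 192.168.1.20.80: P 1001:1101(100) ack 2001 win 8192
12:00:05.000000 10.1.1.5.34568 > 192.168.1.20.80: . ack 2101 win 8192
"""


def parse_line(line):
    """Return a dict of header fields for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_pure_syn(pkt):
    """A connection attempt: SYN set, no ACK (so SYN-ACK replies are not counted)."""
    return pkt["flags"] == "S" and " ack " not in pkt["rest"]


def analyse(lines, forbidden=FORBIDDEN_HOSTS, syn_threshold=SYN_FLOOD_THRESHOLD):
    """Walk sensor output once and return a list of alert tuples."""
    alerts = []
    seen_telnet_flows = set()
    syn_counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # non-TCP or unparsable line; ignored in this example
        # Telnet to or from a forbidden host: normalise to (client, server) so a
        # session is reported once, not once per packet in each direction.
        if pkt["dport"] == TELNET_PORT and pkt["dst"] in forbidden:
            flow = (pkt["src"], pkt["dst"])
        elif pkt["sport"] == TELNET_PORT and pkt["src"] in forbidden:
            flow = (pkt["dst"], pkt["src"])
        else:
            flow = None
        if flow is not None and flow not in seen_telnet_flows:
            seen_telnet_flows.add(flow)
            alerts.append(("forbidden_telnet", pkt["ts"], flow[0], flow[1]))
        # SYN flood: count connection attempts per destination service regardless
        # of source, since flood sources are typically spoofed or rotate.
        if is_pure_syn(pkt):
            syn_counts[(pkt["dst"], pkt["dport"])] += 1
    for (dst, dport), n in syn_counts.items():
        if n >= syn_threshold:
            alerts.append(("syn_flood", dst, dport, n))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE.splitlines()):
        print(alert)
```

    Run against the constructed sample, the analysis reports one forbidden
    telnet session (10.1.1.7 to 192.168.1.10) and one SYN flood (six connection
    attempts to 192.168.1.20 port 80). Counting only pure SYNs is what keeps the
    legitimate SYN-ACK replies from inflating the flood count.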
    
    I enlisted the help of security expert James Triplett to implement SHADOW
    and comment on its utility.
    
    For the full article check out:
    http://www.sunworld.com/swol-09-1998/swol-09-security.html?0901i

    ==
    I am with the Government.  I am here to help you. [:-)>-

    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:01 PDT