Forwarded From: Mushin <mu_shinat_private>

Me and my SHADOW
Using the new SANS intrusion-detection software with Solaris
September 1998

Abstract

The System Administration Networking and Security (SANS) Institute made a big splash in July by announcing a freely-available network-monitoring tool: the SANS Heuristic Analysis system for Defensive Online Warfare (SHADOW). What can SHADOW do for you? What should you let it do? This month James Triplett joins Peter in a discussion of the pros and cons of network monitoring. James provides a hands-on review of the tool.

The SANS Heuristic Analysis system for Defensive Online Warfare, called SHADOW by most people, is one of that breed of tools known as intrusion detection systems (IDSs). Previously, I've discussed other tools that can be used to implement a secure facility. These tools form the layers of your security onion. The complete onion should match your security needs and should provide your site with the appropriate level of security. The layers you can employ include:

Security policy -- the roadmap showing what security you need and how you're going to get there
Firewall or filtering router -- restricting the flow between your network and the rest of the world
Encryption -- protecting data as it flows between security domains
Authentication -- identifying who is trying to access a resource
Authorization -- determining whether access requests should be granted
Individual system security -- protecting each machine from security holes
System/Firewall monitoring -- monitoring machines for security incidents
Intrusion detection system -- monitoring networks and systems for security incidents
Obscurity -- hiding information to make it more difficult for a hacker to attack
Legal threat -- using fear of legal action to deter hackers
User education -- teaching your users to be a security weapon rather than a security hole

The newest addition to this list is Intrusion Detection Systems (IDS).
All the recent improvements in system performance and disk capacity have done more than just improve Quake performance. They also enable thorough network data collection and analysis. There are several commercial and semi-commercial IDS products available, including ISS RealSecure, Axent Intruder Alert, and Network Flight Recorder (see Resources for links to these products). And now there's a new player in town.

The SANS Institute is distributing a freely-available contributor-based facility called SHADOW. It's part of the Cooperative Intrusion Detection Evaluation and Response (CIDER) project, which is a joint effort by the Dahlgren Naval Surface Warfare Center, Network Flight Recorder (NFR), the SANS community and other interested parties to locate, document, and improve freely-available security software. CIDER actually has two toolsets for IDS, one based on NFR and the other based on the free tcpdump package. Because tcpdump is free and easy to install and use, we'll focus on it this month.

According to the SANS announcement, "A SHADOW system can be built using freely-available software and existing hardware or hardware that can be purchased for less than $10,000. All CIDER components come with source code and tutorials on what they do and how to set them up and what the results mean. Because of this, an organization will find this approach complements and enhances the impact of commercially-available intrusion-detection systems."

The basic idea of an IDS is that there is a tale to be told by the packets traveling on your networks. Within the standard and expected data flows, there could be internal or external hacker and cracker packets. For instance, the traffic could contain some of the standard attacks like the SYN flood -- or it could be more innocuous, like a telnet from or to a forbidden place.
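As an added illustration, not code from the article or from the SHADOW project, here is a small Python pass in the spirit of SHADOW's tcpdump-based analysis: it reads constructed tcpdump-style text lines and flags the two cases just mentioned, a burst of bare SYNs from one source and a telnet connection to a forbidden host. The line format, the addresses, the forbidden-host list and the SYN threshold are all assumptions for the example.

```python
"""Toy SHADOW-style pass over tcpdump text output (constructed example). Assumed line
format: 'HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) [ack N] win N'."""
import re
from collections import Counter

TELNET_PORT = 23
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)$"
)

def parse_line(line):
    """Return (time, src, sport, dst, dport, flags, has_ack) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags, rest = m.groups()
    return ts, src, int(sport), dst, int(dport), flags, " ack " in rest

def analyze(lines, forbidden_hosts, syn_threshold=5):
    """Flag telnet attempts to forbidden hosts and sources sending many bare SYNs.
    Returns a sorted list of (kind, detail) findings."""
    findings = []
    syn_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-TCP or malformed lines rather than abort the run
        ts, src, sport, dst, dport, flags, has_ack = rec
        if flags != "S" or has_ack:
            continue  # only a bare SYN (no ack) opens a new connection attempt
        syn_counts[src] += 1
        if dport == TELNET_PORT and dst in forbidden_hosts:
            findings.append(("telnet-forbidden", f"{src} -> {dst} at {ts}"))
    for src, n in syn_counts.items():
        if n >= syn_threshold:
            findings.append(("syn-burst", f"{src} sent {n} bare SYNs"))
    return sorted(findings)

# Constructed sample: one telnet to a forbidden host, a SYN-ACK reply that must not
# count, a normal web SYN, and six bare SYNs to port 25 from a single source.
SAMPLE = [
    "12:00:01.000100 10.0.0.5.1025 > 192.168.1.2.23: S 1:1(0) win 8192",
    "12:00:01.000200 192.168.1.2.23 > 10.0.0.5.1025: S 9:9(0) ack 2 win 8760",
    "12:00:02.000100 10.0.0.7.1030 > 192.168.1.3.80: S 5:5(0) win 8192",
] + [f"12:00:03.00{i:04d} 172.16.9.9.{2000 + i} > 192.168.1.2.25: S {i}:{i}(0) win 512"
     for i in range(6)]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE, {"192.168.1.2"}):
        print(kind, detail)
```

A real sensor would feed this from saved tcpdump output rather than an inline list, and the SYN threshold would be tuned per site.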
Without an IDS, it would be difficult or impossible to detect these security issues and to take the next step to determine their origin, watch for patterns, or set up alarms when similar events are detected. The SHADOW package is designed to have systems at key locations, say just outside or just inside a firewall, collecting data. The data is then moved to the analysis system for dissection. I enlisted the help of security expert James Triplett to implement SHADOW and comment on its utility.

For the full article check out: http://www.sunworld.com/swol-09-1998/swol-09-security.html?0901i

==
I am with the Government. I am here to help you. [:-)>-
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:01 PDT