The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Format: PDF / Kindle (mobi) / ePub
Network security is not simply about building impenetrable walls — determined attackers will eventually overcome traditional defenses. The most effective computer security strategies integrate network security monitoring (NSM): the collection and analysis of data to help you detect and respond to intrusions.
In The Practice of Network Security Monitoring, Mandiant CSO Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your networks — no prior experience required. To help you avoid costly and inflexible solutions, he teaches you how to deploy, build, and run an NSM operation using open source software and vendor-neutral tools.
You'll learn how to:
- Determine where to deploy NSM platforms, and size them for the monitored networks
- Deploy stand-alone or distributed NSM installations
- Use command line and graphical packet analysis tools, and NSM consoles
- Interpret network evidence from server-side and client-side intrusions
- Integrate threat intelligence into NSM software to identify sophisticated adversaries
There's no foolproof way to keep attackers out of your network. But when they get in, you'll be prepared. The Practice of Network Security Monitoring will show you how to build a security net to detect, contain, and control them. Attacks are inevitable, but losing sensitive data shouldn't be.
Vivian’s Pets network includes several switches. Notice the switch to the left of location G and the firewall to the right. Location H is similar, with the firewall to the left and a switch to the right. Location B shows a firewall above and a switch below. Figure 2-13 shows three points of interest, the switch uplinks labeled S1, S2, and S3, next to each switch that’s closest to the firewall. We can use these switches to observe network traffic. These three switch interfaces are uplinks to the
download location to validate the integrity of the file. If you plan to deploy SO on physical hardware, you burned it to a DVD or flashed it to a USB drive. If you plan to try it on a VM, you have the .iso file on the system running the virtualization software. In either case, the hardware (physical or virtual) has at least two NICs (one for management and one for capturing traffic), at least 4GB RAM, and at least a 40GB hard drive. Let’s begin!
Installing a Stand-alone System
The general
public interfaces. Instead of letting applications listen on the public network interface, administrators “bind” them to nonpublic interfaces. One way to use nonpublic interfaces for tighter security is to configure an application to listen only on localhost (127.0.0.1). When an application is listening only on localhost, it can’t be reached remotely; it can be reached only via the local system (hence the localhost, nonpublic IP address). However, you can “simulate” local
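A defender checking that services really are bound to nonpublic interfaces usually starts from the host's listening-socket table. The following is an added example, not code from the book or from Security Onion: it parses a constructed sample in the shape of `ss -ltn` output (the sample lines and ports are invented for illustration) and classifies each listener as reachable only via localhost, bound to every interface, or bound to one specific address. The function and variable names are this example's own.

```python
import ipaddress

# Constructed sample in the shape of `ss -ltn` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     [::1]:6379           [::]:*
LISTEN  0       511     *:8080               *:*
LISTEN  0       128     192.168.2.108:5900   0.0.0.0:*
"""


def split_local(addr_port):
    """Split 'addr:port' or '[v6addr]:port' into (address, port).

    ss prints '*' for the unspecified address; treat it as 0.0.0.0.
    """
    host, _, port = addr_port.rpartition(":")
    host = host.strip("[]")
    if host == "*":
        host = "0.0.0.0"
    return host, int(port)


def classify_bind(host):
    """Map a bind address to how far it is reachable."""
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "local-only"          # 127.0.0.1 or ::1: no remote reachability
    if ip.is_unspecified:
        return "all-interfaces"      # 0.0.0.0 or ::: listens on every interface
    return "specific-interface"      # bound to one address, reachable on that interface


def audit_listeners(ss_text):
    """Return (address, port, verdict) for every LISTEN row in the table."""
    findings = []
    for line in ss_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        findings.append((host, port, classify_bind(host)))
    return findings


def remotely_reachable(ss_text):
    """The subset of listeners that a remote system could connect to."""
    return [(h, p) for h, p, v in audit_listeners(ss_text) if v != "local-only"]


if __name__ == "__main__":
    for host, port, verdict in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port:<6} {verdict}")
```

On a real host, feed the output of `ss -ltn` (or `netstat -lnt`) into `audit_listeners`; anything not reported as `local-only` is a listener that exists outside the localhost boundary the paragraph describes and should be justified by a firewall rule or a deliberate design decision.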
13:33:01.775757 220.127.116.11 -> 192.168.2.108 ICMP 74 Echo (ping) reply id=0x0001, seq=16/4096, ttl=251
12519 2014-02-17 13:37:45.945105 18.104.22.168 -> 192.168.2.108 ICMP 74 Echo (ping) reply id=0x0001, seq=17/4352, ttl=251
Listing 6-25: Searching for a range of IP addresses with a Tshark display filter
For more detail, add the -V and/or -x switch. As you can see, I like to use Tshark to review saved traces for specific elements. It would be difficult to create the equivalent BPF syntax for many of these
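Listing 6-25 searches a saved trace for a range of addresses. The following added example (not the book's code; the sample Tshark lines use constructed TEST-NET addresses and frame numbers) shows what that filter does in plain Python: it parses Tshark-style one-line packet summaries, keeps the packets whose source (or either endpoint) falls within an arbitrary start-to-end address range, and, for the case the text calls difficult, builds the equivalent Wireshark display filter and a BPF expression by summarizing the range into CIDR blocks with `ipaddress.summarize_address_range`. The function names are this example's own.

```python
import ipaddress
import re

# Constructed lines in the shape of Tshark's default summary output; not the book's trace.
SAMPLE_TSHARK = """\
1 2024-01-15 13:33:01.775757 203.0.113.3 -> 192.0.2.10 ICMP 74 Echo (ping) reply id=0x0001, seq=1/256, ttl=251
2 2024-01-15 13:33:02.000000 203.0.113.9 -> 192.0.2.10 ICMP 74 Echo (ping) reply id=0x0001, seq=2/512, ttl=251
3 2024-01-15 13:33:03.000000 192.0.2.10 -> 203.0.113.5 ICMP 74 Echo (ping) request id=0x0001, seq=3/768, ttl=64
"""

# frame, date time, src -> dst, protocol, length, info
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


def parse_tshark_line(line):
    """Turn one Tshark summary line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["frame"] = int(rec["frame"])
    rec["length"] = int(rec["length"])
    return rec


def in_range(addr, first, last):
    """True when addr lies in the inclusive range first..last."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)


def filter_range(tshark_text, first, last, which="src"):
    """Packets whose src, dst, or either endpoint ('any') is inside first..last."""
    hits = []
    for line in tshark_text.splitlines():
        rec = parse_tshark_line(line)
        if rec is None:
            continue
        candidates = {"src": [rec["src"]], "dst": [rec["dst"]],
                      "any": [rec["src"], rec["dst"]]}[which]
        if any(in_range(a, first, last) for a in candidates):
            hits.append(rec)
    return hits


def display_filter_for_range(first, last, field="ip.src"):
    """Wireshark/Tshark display-filter equivalent of the range test."""
    return f"{field} >= {first} and {field} <= {last}"


def bpf_for_range(first, last, direction="src"):
    """BPF equivalent: the range split into CIDR blocks, one 'net' primitive each."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return " or ".join(f"{direction} net {net}" for net in blocks)


if __name__ == "__main__":
    for rec in filter_range(SAMPLE_TSHARK, "203.0.113.1", "203.0.113.6", which="any"):
        print(rec["frame"], rec["src"], "->", rec["dst"], rec["info"])
    print(display_filter_for_range("203.0.113.1", "203.0.113.6"))
    print(bpf_for_range("203.0.113.1", "203.0.113.6"))
```

The BPF form makes the text's point concrete: an inclusive range that is not aligned to a CIDR boundary expands into several `net` primitives, which is why the single-expression display filter is the more convenient tool for reviewing a saved trace.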
the wire or open a saved trace. NSM consoles, in contrast, offer a framework and interface to manipulate and interact with multiple NSM datatypes, but generally not via processing a saved trace. This is a limitation in some respects, because it restricts their use to live operational scenarios. This is not necessarily true of some commercial tools, but the focus of this book is open source software packaged with the free SO distribution: Sguil, Squert, Snorby, and ELSA.
An NSM-centric Look at