Bejtlich, Richard. The Practice of Network Security Monitoring: Understanding Incident Detection and Response. Includes index.
Additionally, it not only detects unusual activity but can also initiate a secure, fast recovery process.
The remainder of the paper is organized as follows: Section 2 reviews related work and presents experimental comparisons with other existing techniques. We discuss the security model we implement in Section 3.
In Section 4, we present our adaptive monitor design. Section 5 describes the evaluation process. Resource utilization is presented in Section 5. Section 6 summarizes and concludes this paper. Research in network security has covered many topics, ranging from secure end-to-end protocols such as IPsec [9] to anomaly detection [10]. Packet marking strategies have also been proposed to identify attack sources [11] and to protect against denial-of-service attacks.
From the network side, firewalls [4] and intrusion detection systems [12] can protect some systems from some known attacks. On end systems, virus scanner software can also identify some other attacks. However, using virus scanner software as a defense mechanism against intrusion assumes that a sufficiently powerful processor and operating system are available.
This assumption does not hold for embedded packet processors on routers. These systems frequently use network processors, which are embedded multi-core systems-on-a-chip that operate without operating system support in order to maximize throughput. These embedded processing systems are vulnerable to intrusion just as conventional end systems are [13].
Very little work in the literature addresses security issues in the network infrastructure itself. The study in [13] surveyed network devices that are vulnerable because of exposed interfaces; those interfaces are part of the control plane and can be protected by better management practices. In our work, by contrast, we consider the data plane, which inherently needs to be exposed, and we therefore propose a novel protection technique.
Some defenses may be based on techniques from embedded system security [14]. Other defenses are based on monitoring. Several processor monitoring techniques have been proposed in the literature.
In [15], Tokuda et al. The monitoring information is then communicated to a central control processor over the same interconnect that the processing cores use to move packets and other data.
Such monitors consume processing resources on the network processor and thus reduce overall system performance. Additionally, software monitors require modification of the application binary and other specialized code, and they do not scale well. Furthermore, monitoring techniques based on software are themselves pieces of code that can be targeted by attacks and are thus vulnerable to corruption [6].
However, it is important to note that our hardware monitor does not execute any code itself; rather, it only ensures that the processor is behaving correctly and stepping through the expected legitimate instructions.
With the holistic view that SDN offers, several solutions have been proposed to monitor and detect network attacks by collecting network statistics. In [16], the authors propose a flow-graph model learned from SDN messages to detect network-level attacks on the network topology and on data plane forwarding.
In [17], Braga et al. Similarly, NetFuse [18] was proposed to monitor the network and find suspicious flows. Unlike such approaches, which act at the application layer of the SDN hierarchy, our hardware monitor acts at the data plane layer to detect attacks and to prevent recursive in-network attacks that target the same vulnerability. Additionally, the monitoring approaches above do not detect attacks that change the instruction execution of the network processor [7], since they rely only on flow statistics; our monitoring approach ensures that the correct execution flow is being followed by the network processor.
Furthermore, the monitoring approaches mentioned are software applications running on top of a network operating system such as NOX [19].
Hence, they depend on the services and functions provided by the OS and therefore have lower performance than our monitoring approach, which acts at the data plane layer without any service requirements from the network operating system. In terms of hardware monitoring techniques, Mao and Wolf [20] proposed a hardware monitor for embedded systems that tracks each instruction of the processor and compares it to the processing model used by the monitor.
In [21], Ragel et al. Arora et al. Similarly, the work proposed in [22] determines correct operation based on a block of instructions.
Unlike our monitor, such approaches operate at the granularity of basic blocks; they therefore require more memory for the monitoring system, are slower to detect attacks, and cost more in both memory and execution time.
A detailed comparison between our hardware monitoring design and existing techniques is provided in the following section. Other techniques [23, 24] extend the processor instruction set and micro-architecture to support special verification steps.
In [25], Chen et al. In [26], Mansour and Chasaki proposed an approach to detect faults and attacks in network processors through power monitoring.
Our work extends the idea of hardware monitoring further and enhances it. The monitor we propose is adaptive, fault-tolerant, and reliable because it uses software diversity. It is also secure because code integrity is checked before execution.
In our design, attacks can be detected within a few instructions rather than at the end of a longer code block. Detection and recovery are fast because the monitor is based on a TCAM memory. This article extends work presented previously in a short poster paper [27] and in [28].
Therefore, the monitoring system we present implements a security model that reflects the operation of the current Internet. We assume that the initial code on the router is benign and that an attacker aims to modify the code in order to perform malicious activities. For a secure packet processing system, the following security requirements exist [7]:
1. The network processor should not deviate from its normal forwarding behavior.
2. The network processor should always execute the instructions that are loaded into the instruction memory; no other instructions should be executed.
3. Any malicious attempt through the data plane should be detected and lead to a packet drop.
4. Malicious attempts should be detected by our monitor, and a recovery mechanism should be initiated to restore the processor to a secure functional state.
5. If an intrusion was successful and was able to change the internal state of the processor, a recovery mechanism should reset the router into an equivalent functional state.
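The following is an added illustrative model, not the paper's own design or code, of the instruction-flow check that these requirements and the TCAM-based monitor described above imply: a table keyed by (instruction address, instruction hash) holds the allowed next addresses, every executed instruction is checked against it, and the first mismatch drops the packet and resets the processor to the known-good state, so a deviation is caught within one instruction rather than at the end of a block. The five-instruction forwarding program, the hashing scheme and the table layout are assumptions made for the example.

```python
"""Toy model of a TCAM-style instruction-flow monitor (illustrative only)."""
from dataclasses import dataclass, field
import hashlib

# Benign forwarding program as (address, instruction word); constructed sample.
PROGRAM = [
    (0, "load_header"),
    (1, "lookup_route"),
    (2, "decrement_ttl"),
    (3, "update_checksum"),
    (4, "forward"),
]

def ihash(insn: str) -> str:
    """Short digest of an instruction word (hypothetical hashing step)."""
    return hashlib.sha256(insn.encode()).hexdigest()[:4]

def build_tcam(program):
    """TCAM-like table: (addr, hash) -> set of allowed next addresses.
    Loaded at boot from the benign image, whose integrity is assumed to
    have been checked before execution (as the paper requires)."""
    table = {}
    for i, (addr, insn) in enumerate(program):
        nxt = {program[i + 1][0]} if i + 1 < len(program) else {0}  # wrap to start
        table[(addr, ihash(insn))] = nxt
    return table

@dataclass
class Monitor:
    tcam: dict
    expected: set = field(default_factory=lambda: {0})  # processor starts at 0
    checked: int = 0

    def step(self, addr: int, insn: str) -> bool:
        """Check one executed instruction; False means a deviation was seen."""
        self.checked += 1
        key = (addr, ihash(insn))
        # Either an unexpected address or a modified instruction word fails.
        if addr not in self.expected or key not in self.tcam:
            return False
        self.expected = self.tcam[key]
        return True

def run_packet(trace, tcam):
    """Feed one packet's execution trace to the monitor.
    Returns (verdict, number of instructions checked before the verdict)."""
    mon = Monitor(tcam)
    for addr, insn in trace:
        if not mon.step(addr, insn):
            # Deviation: drop the packet and reset to the known-good state.
            return ("drop+reset", mon.checked)
    return ("forward", mon.checked)
```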