Network Security Hacks [Electronic resources] - text version

Andrew Lockhart

Hack 91 Create a Distributed Stealth Sensor Network

Keep your IDS sensors safe from attack, while
still giving yourself access to their data.

Your IDS sensors are the early warning
system that can both alert you to an attack and provide needed
evidence for investigating a break-in after one has occurred. You
should take extra care to protect them and the data that they
collect. One way to do this is to run your IDS sensors in
stealth mode.

To do this, simply don't configure an IP address for
the interface that your IDS software will be collecting data from.
You can accomplish this by bringing the interface up without
specifying an IP address.

For example:

# tcpdump -i eth1
tcpdump: bind: Network is down
# ifconfig eth1 up promisc
# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:DE:AD:BE:EF:00
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x1c80
# /usr/sbin/tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1

After you've put the interface up, just start your
IDS [Hack #82].
Your IDS will run as normal, but since there is no way to directly
access the machine, it is very difficult to attack it.
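
A pre-flight check for the step above, added here as an example and not taken from the book: it audits `ifconfig` output in the older net-tools format shown in the session and fails if the sniffing interface carries any address. It also covers a case the session does not show: on a Linux kernel with IPv6 enabled, bringing an interface up can autoconfigure a link-local address even though no IPv4 address was set. The names check_stealth, sample_stealth and sample_linklocal are hypothetical, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit old-style `ifconfig <iface>` output for a sniffing
# interface. check_stealth and the sample_* helpers are hypothetical names.

# Reads ifconfig output on stdin, prints one finding per line, and returns 0
# only if the interface is UP, PROMISC and carries no IPv4 or IPv6 address.
check_stealth() {
    awk '
        /inet addr:/  { v4 = 1; print "FAIL: IPv4 address configured" }
        /inet6 addr:/ { v6 = 1; print "FAIL: IPv6 address configured" }
        {   # flags appear as bare words, e.g. "UP BROADCAST PROMISC MULTICAST"
            for (i = 1; i <= NF; i++) {
                if ($i == "UP") up = 1
                if ($i == "PROMISC") promisc = 1
            }
        }
        END {
            if (!up)      print "FAIL: interface is not UP"
            if (!promisc) print "FAIL: interface is not promiscuous"
            ok = up && promisc && !v4 && !v6
            if (ok) print "OK: up, promiscuous, no address assigned"
            exit(ok ? 0 : 1)
        }'
}

# Constructed sample: the address-less eth1 from the session above.
sample_stealth() {
    cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:DE:AD:BE:EF:00
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
EOF
}

# Constructed sample: the same interface after the kernel autoconfigured an
# IPv6 link-local address, so the sensor is addressable on the segment again.
sample_linklocal() {
    cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:DE:AD:BE:EF:00
          inet6 addr: fe80::2de:adff:febe:ef00/64 Scope:Link
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
EOF
}

sample_stealth | check_stealth
sample_linklocal | check_stealth || echo "eth1 is not stealthy; fix before starting the IDS"
```

On a live sensor, feed it the real output with `ifconfig eth1 | check_stealth` and start the IDS only when it returns 0.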

However, just like potential attackers, you will be unable to access
the machine remotely. Therefore, if you want to manage the sensor
remotely, you'll need to put in a second network
interface. Of course, if you did this and hooked it up to the same
network that the IDS sensor is monitoring, it would totally defeat
the purpose of running the other interface without an IP address. To
keep the traffic isolated, you should create a separate network for
managing the IDS sensors. You can of course attach this network to
one that is remotely accessible and then firewall it heavily.

Another approach is to access the box using an alternate channel,
such as a serial port connected to another machine that does have a
network connection. Just run a console on the serial port, and take
care to heavily secure the second machine. You could also connect a
modem (remember those?) to an unlisted phone number or, better yet,
an unlisted extension on your office's PBX.
Depending on your situation, simply using the console for access may
be the simplest and most secure method.

Whichever method you decide to use for remote access is a choice
you'll have to make by weighing the value of
increased security against the inconvenience of jumping through hoops
to access the machine. Security nearly always involves a trade-off
between convenience and confidence.

