Network reconnaissance cannot be prevented entirely. If Internet Control Message Protocol (ICMP) echo and echo-reply is turned off on edge routers, ping sweeps can be stopped, but at the expense of network diagnostic data. However, port scans can easily be run without full ping sweeps; they just take longer because they need to scan IP addresses that might not be live. Intrusion detection systems (IDSs) at the network and host levels can usually notify an administrator when a reconnaissance attack is underway. This enables the administrator to better prepare for the coming attack or to notify the Internet service provider.

Bejtlich_book.fm Page 25 Thursday, June 17, 2004 8:40 AM

Chapter 2: What Is Network Security Monitoring?

Now that we've forged a common understanding of security and risk and examined principles held by those tasked with identifying and responding to intrusions, we can fully explore the concept of NSM. In Chapter 1 we defined NSM as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. Examining the components of the definition, which we do in the following sections, will establish the course this book will follow.

Indications and Warnings

It makes sense to understand what we plan to collect, analyze, and escalate before explaining the specific meanings of those three terms in the NSM definition. Therefore, we first investigate the terms indications and warnings. Appreciation of these ideas helps put the entire concept of NSM in perspective.

The U.S. Department of Defense Dictionary of Military Terms defines an indicator as "an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action."[1] I prefer the definition in a U.S. Army intelligence training document titled Indicators in

1. This definition appears in http://www.dtic.mil/doctrine/jel/doddict/data/i/02571.html. This sentence marks the first use of the word "information" in this chapter. In a personal communication from early 2004, Todd Heberlein makes the point that one entity's information is another entity's data. For example, a sensor may interpret packets as data and then forward alerts, which it considers information. An intrusion management system (IMS) treats the incoming alerts as data, which it correlates for an analyst as information. The analyst treats the IMS output as data and sends information to a supervisor. This book does not take as strict a view concerning these two words, but the distinction is enlightening.
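The point made in the reconnaissance paragraph at the top of this excerpt, that blocking ICMP echo stops ping sweeps but a port scan proceeds without one and an IDS can still flag it, can be shown with a small detector. This is an added example, not code from the book or from the page: it runs over constructed firewall-style log lines in a hypothetical key=value format, and the thresholds are illustrative tuning knobs.

```python
"""Flag ICMP ping sweeps and TCP port scans in constructed firewall log lines."""
from collections import defaultdict

# Constructed sample log lines (hypothetical key=value format, not a real
# product's): a ping sweep from 10.0.0.5 over eight hosts, a TCP SYN scan from
# 10.0.0.9 that never pinged first, and two benign single-host flows.
LOG_LINES = (
    ["t=1 src=10.0.0.2 dst=10.0.1.1 proto=icmp type=8"]
    + [f"t=2 src=10.0.0.5 dst=10.0.1.{i} proto=icmp type=8" for i in range(1, 9)]
    + ["t=3 src=10.0.0.3 dst=10.0.1.7 proto=tcp dport=443 flags=S"]
    + [f"t=4 src=10.0.0.9 dst=10.0.1.7 proto=tcp dport={p} flags=S" for p in range(20, 33)]
)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict of string values."""
    return dict(field.split("=", 1) for field in line.split())


def detect_recon(lines, host_threshold=5, port_threshold=10):
    """Return one alert dict per source that looks like it is sweeping or scanning.

    A ping sweep is one source sending ICMP echo requests (type 8) to many hosts.
    A port scan is one source sending TCP SYNs to many ports or many hosts; it is
    flagged whether or not a sweep preceded it, because turning off ICMP echo at
    the edge removes the sweep, not the scan.
    """
    echo_targets = defaultdict(set)                      # src -> {dst}
    syn_targets = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for rec in map(parse_line, lines):
        if rec.get("proto") == "icmp" and rec.get("type") == "8":
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec.get("proto") == "tcp" and rec.get("flags") == "S":
            syn_targets[rec["src"]][rec["dst"]].add(int(rec["dport"]))
    alerts = []
    for src, dsts in echo_targets.items():
        if len(dsts) >= host_threshold:
            alerts.append({"kind": "ping_sweep", "src": src, "hosts": len(dsts), "ports": 0})
    for src, by_dst in syn_targets.items():
        hosts = len(by_dst)
        ports = sum(len(p) for p in by_dst.values())
        if hosts >= host_threshold or ports >= port_threshold:
            alerts.append({"kind": "port_scan", "src": src, "hosts": hosts, "ports": ports,
                           "preceded_by_sweep": len(echo_targets.get(src, ())) >= host_threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(LOG_LINES):
        print(alert)
```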