mirror of
https://github.com/jackyzha0/quartz.git
synced 2025-12-27 23:04:05 -06:00
101 lines
3.3 KiB
Markdown
101 lines
3.3 KiB
Markdown
---
|
|
title: "13-pen-testing-2"
|
|
aliases:
|
|
tags:
|
|
- conp210
|
|
- lecture
|
|
---
|
|
|
|
# Intrusion detection cont.
|
|
## Auditing
|
|
a thorough prces of investiagtina nd analaysing aa system for vilnerabilities
|
|
- e.g., pen testing
|
|
-
|
|
can also refer to logging (esp. in a databse context)
|
|
|
|
## Firewalls
|
|
protect aginst network intrusions
|
|
- built in or third party
|
|
- built in - integration quality of control. ofen light convenince features maybe no GUI
|
|
- black/whitelist
|
|
- mandatory access control on routers
|
|
- mandatory access control
|
|
- e.g., block a netork port
|
|
- block icmp packets (some sytems are vulnerable)
|
|
- application level filtering for desktop systems
|
|
- finer grained control for linking rules to applications themselves (processes)
|
|
- router doesn't know about applications
|
|
- may not trust an aplication to connect o a web server but do trust other.
|
|
- dont have to block everything on that webserver
|
|
- provide altering and logging (avoid crying wolf)
|
|
- "end user alert fatigue"
|
|
|
|
> northcutt and novak - network intrusion detection
|
|
|
|
|
|
## Intrustion detection systems
|
|
- often bundled with commercial routers, network storage devices (NAS, SAN) - "cloud storage within organisation"
|
|
- can also be host based (HIDS) "situated aroud network"
|
|
- intrusion can be identified by know signatures (like pattern-based virus scanners)
|
|
- can also be anomaly-based (using heuristics)
|
|
|
|
## other intrusion detection topics
|
|
- file integrity checking
|
|
- hash checking to detect changes
|
|
- backup and recovery
|
|
|
|
## keeping up to date with vulnerabilites
|
|
- CERT NZ
|
|
- US-CERT
|
|
- CVE at MITRE
|
|
- NVD (us NIST national vulnerabilities database)
|
|
- conferences such as DEF CON
|
|
|
|
# Sting operations
|
|
deliberately place sofware where it will interact with attacks, somewhat resembling a police sting operation.
|
|
|
|
## Honeypot
|
|
- decoy service used to attact attackers
|
|
- divert attackers from real service
|
|
- identify attack origin - analyse attack - create countermeasures
|
|
- honey-nets - co-ordiniated honeypots. - analyse malware infection behaviour (malware epidemiology)
|
|
- bogus email address lists to hinder spammers
|
|
- individual e-mail address can be used to gather and analyse spam smessages
|
|
|
|
## Tarpits
|
|
- similar to honeypots but for *slowing* attack not diverting
|
|
- often deployed as a proxy server in front of the real service
|
|
- talks to a web server as a client on behalf of another client
|
|
- intermediate between client and server
|
|
- logging, throttling,
|
|
|
|
## Heroic human tarpits
|
|
- 
|
|
|
|
## DNS blackholes/sinkholes
|
|
- aka real time blackhole list (RBL)
|
|
- anti-spam measure, widely used by ISPs
|
|
- traditional SMTP is highly vulnerable to abuse
|
|
- STMP assumes people "will be nice".
|
|
- you can list whoever you like as the sender
|
|
- open mail relays are readly exploited by spammers
|
|
- mail servers recieve email from anywhere and send to anyone
|
|
- exlpoited by spammers
|
|
- can usually be identified by AI and sent to blackholes
|
|
- use existing DNS protocols to communicate (OK/bad status)
|
|
|
|
## Software
|
|
- mac os activity monitor
|
|
- mac os console (sys logs)
|
|
- `tcpdump`
|
|
- `iptraf`
|
|
- WireShark
|
|
- Snort (open source NIDS)
|
|
- Fail2Ban ( intrusion prevention system usins logfile monitoring)
|
|
- TCP wrappers (historically significant)
|
|
- SATAN
|
|
|
|
# Pen-Testing
|
|
checking if system is secure. Simulated attacks of system to detect vulnerabilities
|
|
|
|
|