Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

SRU 5 Network Intrusion

20100413
by

Daniel Dvorak

on 26 September 2012

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of SRU 5 Network Intrusion

Records network traffic related to an intrusion
Provides the tools needed to analyze that event

Networks were designed to transmit data, not store it, so intrusion evidence can be fleeting.

Provides active-sensing capability for real time analysis

Can be misused; malware is essentially doing the same thing when it makes changes to your computer across the network

Wireshark Exercise Looks for unusual activity
A baseline is created for normal operating reference point

Locate intrusions based on a signature or an anomaly

Reactionary rather than being proactive and won't provide forensic data An NFAT system should:
Keep up with increasing network speeds
Forensically capture complete and correct evidence
Store captured evidence
Keep evidence secure NFAT Components

Agents - software on network hosts to monitor,
retrieve and intercept data
Server - centralized computer used to store
captured information in a database
Examiner computer - place where analysis is performed Two Kinds of NFAT

Catch it as you can - saves EVERY bit of data across
the system; saves a huge amount of data but everything is there in case of an attack. Privacy concerns...

Stop, look and listen - performs filtering on the fly, looking for keywords and known problems. Requires fast processing power to quickly review packets. Data Sources on the Network

Host computers - image and search for data on
computers without writing to them, also enables
you to view volatile data Types of Firewalls

Network layer - Filters IP addresses to determine whether IP is permitted or denied (OSI Layer 3)
Application layer - Permit or deny based on application utilities like FTP and HTTP (OSI Layer 7)
Proxy firewall - Mediator between internal and external network DHCP Servers - Dynamicaly assign IP addresses to clients. Logs the IP address issued, date and time, lease expiration and MAC address (ipconfig/all)

NFAT/IDS Agents - Hosts collect data required by NFAT server

IDS/Network Monitoring - collect data on traffic

Packet Sniffers - Looks at every packet coming over the wire, puts protocols in an understandable language What systems collect data
and where is data found? Capturing Data Other Hardware Devices

Switch Port Analyzer (SPAN) - Port mirroring takes all information going to a port and send it to the IDS/NFAT to analyze
Test Access Port (TAP) - Splices the line and send data into the IDS/NFAT >
Host Inline Device - Two network cards in a computer, one input and one output. The input analyzes data
Hubs - Simple device that repeats information to all ports, causes collisions on the network >
Wireless Access Points - Transmits data with radio frequencies, analyzes data coming off the access point > PPPPPPP An attempt to:
access information of a computer system
manipulate information of a system
render a computer system unreliable An IDS is a software or hardware system designed to detect unwanted attempts at accessing, manipulating or disabling of computer systems, mainly through a network such as the Internet.

An IDS does not usually take preventive measures when an attack is detected, rather it is reactive. Passwords can be hacked, users can lose their passwords, an social engineers can find out enough to get into a system. Two kinds of IDS

Passive - detects a potential security breach, logs the information and signals an alert

Active - responds to suspicious activity by resetting the connection or reprogramming the firewall to block newtwork traffic from the suspect source Types of IDS

Protocol based - monitors the communication protocol between clients
Application Protocol based - Sits within a group of servers monitoring and analyzing the communication on application spcific protocols
Host based - analyzes system calls, application logs, file system modifications, and host activities and state
Network based - independent platform which identifies intrusions by examining network traffic and monitors multiple hosts
Hybrid - combines two or more approaches Listen for Terms
Master
Agent
Monitoring
Remotely monitor from single point
Provide solution to threat
Email alert Intrusion test
Open a command prompt
Type NET VIEW
Open Internet Explorer (not Firefox)
Type \\'the users name'\c$
If there is no password on the client you will have access Hack into a computer on your network

Download www.filefactory.com/file0313ca/
Unzip to the c:\ drive with thepassword metacafe
Open the command prompt
Type cd c:\
Type winvnc.exe -install
Type net start winvnc
Get victim's IP address by typing ipconfig
On your computer download www.realvnc.com/products/download.html
Click on Free Edition (viewer for Windows) and install
Enter victim's IP address Plan Ahead Exercise Network Security
Companies Security Comes in Various Forms What is an Intrusion? Why do you need network security devices? Network Forensic Analysis
Toolkit (NFAT) Intrusion Detection Systems (IDS) Firewalls - logging capabilities can provide ports, IP addresses, packet data and logon attempts/denials.
Ability to provide an external IP address using Network Address Translation (NAT) to protect internal hosts
Maps traffic between external and internal computers
Proxy is the intermediary between internal and external network, unlike the NAT firewall it reads every packet to make sure the data conforms to security rules; if so it is addressed with the IP of the proxy and is passed on (recipient never sees the internal IP address) How does the Internet work?
Full transcript