Monitoring Activity

www.syngress.com
Introduction to Security and Firewalls • Chapter 1 15

As you complete efforts to secure your environment, you move into the next phase of information security: establishing better mechanisms for monitoring activity on your network and systems. Adequate monitoring is essential so that you can be alerted, for example, when a security breach has occurred, when internal users are trying to exceed their authority, or when hardware or software failures are having an impact on network availability. Effective monitoring has two components: turning on capabilities already present on your systems and implementing tools for added visibility. The first component includes use of the auditing function built into:

• Operating systems, such as administrator account access.
• Network devices, as in login failures and configuration changes.
• Applications, including auditing capability in the application as created by the vendor (for commercial software), as well as auditing added within a custom-developed application. Monitored events tend to be more transactional in nature, such as users trying to perform functions they are not authorized for.

Most systems have such auditing turned off by default, however, and require you to specifically enable it. Be careful not to turn on too much, since you will be overwhelmed with data and will wind up ignoring it. This "turn on and tune" methodology flows into the second component, which also includes deployment of tools such as IDS on networks and hosts.

In any environment that contains more than a few systems, performing manual reviews of system and audit logs, firewall logs, and IDS logs becomes an impossible and overwhelming task. Various tools (such as Swatch, at www.oit.ucsb.edu/~eta/swatch) can perform log reduction and alert only on important events.

Testing Security

It is far, far better to test your own security and find holes than for a hacker to find them for you. An effective security program includes regular vulnerability assessments and penetration testing as well as updates to your risk assessment when there are significant changes to the business or the technology. For example, initiating extranet links to business partners or starting to provide remote broadband access to employees should be accompanied by an updated risk profile that identifies the risks of the new activity and the component threats, prioritized by likelihood and severity. This testing identifies the components that need to be better secured and the level of effort required.

Things that need to be tested or checked for include:

• Security policy compliance, including things like password strength
• System patch levels
• Services running on systems
• Custom applications, particularly public-facing Web applications
• New servers added to the network
• Active modems that accept incoming calls


A variety of tools, both freeware and commercial off-the-shelf tools, are available to perform security testing. Some freeware tools include:

• Nmap (www.insecure.org/nmap) Nmap is one of the most commonly used network and port scanning tools, used by hackers and security professionals alike. It also has the ability to "fingerprint" the operating system of the target host by analyzing the responses to different types of probes.
• Nessus (www.nessus.org) Nessus is a powerful, flexible vulnerability-scanning tool that can test different target platforms for known holes. It consists of a server process that is controlled by a separate graphical user interface (GUI). Each vulnerability is coded via a plug-in to the Nessus system, so new vulnerabilities can be added and tested for.
• Whisker (http://sourceforge.net/projects/whisker) Whisker is a collection of PERL scripts used to test Web server CGI scripts for vulnerabilities, a common point of attack in the Web environment.
• Security Auditor's Research Assistant (www-arc.com/sara) SARA is a third-generation UNIX-based security assessment tool based on the original SATAN. SARA interfaces with other tools such as nmap and Samba for added functionality.
• L0phtCrack (www.atstake.com/research/lc) L0phtCrack is used to test (crack) Windows NT passwords. It is a good tool to look for weak passwords.
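Two items on the checklist above, "services running on systems" and "new servers added to the network", are exactly what a regular Nmap scan compared against the previous one answers. The following is an added example, not code from the book or from the Nmap project: it parses Nmap's grepable output format (the -oG format, where each port entry is port/state/protocol/owner/service/rpcinfo/version) and reports hosts and open services that did not exist in an earlier baseline scan. The two scan texts, host addresses and services are constructed for the example; only the field layout follows Nmap's documented format.

```python
# Constructed Nmap grepable-output (-oG) samples; the field layout follows
# Nmap's documented format, but hosts and services are invented for this example.
BASELINE_SCAN = "\n".join([
    "# Nmap 7.80 scan initiated (constructed baseline)",
    "Host: 192.0.2.10 (web1)\tStatus: Up",
    "Host: 192.0.2.10 (web1)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)",
    "Host: 192.0.2.20 (db1)\tStatus: Up",
    "Host: 192.0.2.20 (db1)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql///",
])

CURRENT_SCAN = "\n".join([
    "# Nmap 7.80 scan initiated (constructed current scan)",
    "Host: 192.0.2.10 (web1)\tStatus: Up",
    "Host: 192.0.2.10 (web1)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd/, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///",
    "Host: 192.0.2.20 (db1)\tStatus: Up",
    "Host: 192.0.2.20 (db1)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql///",
    "Host: 192.0.2.30 ()\tStatus: Up",
    "Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///",
])


def parse_grepable(text):
    """Return {ip: set of (port, proto, service)} for open ports only.
    Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version;
    filtered and closed entries are ignored so they never show up as 'new'."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment / summary lines
        fields = line.split("\t")          # Nmap separates -oG fields with tabs
        ip = fields[0].split()[1]
        services = inventory.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    services.add((int(port), proto, service))
    return inventory


def diff_inventories(baseline, current):
    """New hosts absent from the baseline, and new open services on known hosts."""
    new_hosts = sorted(ip for ip in current if ip not in baseline)
    new_services = {}
    for ip, services in current.items():
        if ip in baseline:
            added = services - baseline[ip]
            if added:
                new_services[ip] = sorted(added)
    return new_hosts, new_services


if __name__ == "__main__":
    hosts, services = diff_inventories(parse_grepable(BASELINE_SCAN),
                                       parse_grepable(CURRENT_SCAN))
    print("new hosts:", hosts)
    print("new services:", services)
```

Run against real output, the baseline would be the previous scan's -oG file and the current one today's; an unexpected host (here 192.0.2.30, listening on telnet) or an unplanned service on a known host (8080 on the web server) is what the review should raise, while a port that merely moved from closed to filtered is not reported.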

Commercial tools include:

• ISS Internet Scanner (www.iss.net) Internet Scanner is used to scan networks for vulnerabilities. ISS also makes scanners specifically for databases, host systems, and wireless networks.
• Symantec Enterprise Security Manager (www.symantec.com) ESM helps monitor for security policy compliance.
• PentaSafe VigilEnt Security Manager (www.pentasafe.com) VigilEnt assesses for vulnerabilities across an enterprise with easy-to-use reporting.

In addition to testing security yourself, it is good practice to bring in security experts that are skilled in vulnerability assessments and penetration testing. These experts (sometimes known as ethical hackers) conduct attacks in the same manner as a hacker would, looking for any holes accessible from the outside. They are also able to conduct internal assessments to validate your security posture against industry best practices or standards such as the Common Criteria (http://csrc.nist.gov/cc/) or ISO17799. Internal assessments include interviews with key staff and management, reviews of documentation, and testing of technical controls. A third-party review potentially provides a much more objective view of the state of your security environment and can even be useful in convincing upper management to increase IT security funding.

Improving Security

The fourth phase in the Security Wheel is that of improving security. In addition to securing your network, setting up monitoring, and performing vulnerability testing, you need to stay abreast, on a weekly or even daily basis, of current security news, primarily consisting of new vulnerability reports. Waiting for a particular vendor to alert you to new vulnerabilities is not enough; you also need to subscribe to third-party mailing lists such as Bugtraq (www.securityfocus.com) or Security Wire Digest (www.infosecuritymag.com). Also important is verifying configurations on key security systems on a regular basis to ensure that they continue to represent your current policy. Most important of all, the four steps of the Security Wheel must be repeated continuously.
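Verifying that a key system's configuration still represents current policy is easier to repeat continuously when the comparison is scripted. The following is an added example, not code from the book: it parses an sshd_config-style file (keyword/value lines, comments, the first occurrence of a keyword winning, as the sshd_config manual page states), reports every option that deviates from a written policy, and fingerprints the effective settings so that successive reviews can tell a cosmetic edit from a real change. The configuration excerpt and the policy values are constructed for the example; the duplicated PermitRootLogin line is deliberate, to show the first-wins rule.

```python
import hashlib
import re

# Constructed sshd_config excerpt (not from the book). The duplicate
# PermitRootLogin line is deliberate: sshd honours the first value it sees,
# so the later "no" does not take effect.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
permitemptypasswords no
"""

# What the (constructed) written policy requires to be set explicitly.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# 'keyword value' or 'keyword = value', as sshd_config allows.
OPTION_LINE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_options(text):
    """Parse option lines, skipping comments and blanks. Keys are
    case-insensitive and the FIRST occurrence wins, matching sshd's rule."""
    options = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = OPTION_LINE.match(stripped)
        if not m:
            continue
        options.setdefault(m.group(1).lower(), m.group(2))
    return options


def check_policy(text, policy):
    """Return {option: (expected, actual)} for every option that deviates from
    policy; actual is None when the option is not set at all, meaning the
    compiled-in default applies rather than the value the policy requires."""
    actual = effective_options(text)
    deviations = {}
    for key, expected in policy.items():
        value = actual.get(key.lower())
        if value is None or value.lower() != expected.lower():
            deviations[key] = (expected, value)
    return deviations


def fingerprint(text):
    """SHA-256 over the effective (comment- and blank-stripped) lines, so two
    reviews can tell a cosmetic edit from a real configuration change."""
    lines = [l.strip() for l in text.splitlines()]
    effective = [l for l in lines if l and not l.startswith("#")]
    return hashlib.sha256("\n".join(effective).encode()).hexdigest()


if __name__ == "__main__":
    for option, (expected, actual) in check_policy(SAMPLE_SSHD_CONFIG, POLICY).items():
        print(f"{option}: policy requires {expected!r}, file has {actual!r}")
    print("fingerprint:", fingerprint(SAMPLE_SSHD_CONFIG))
```

The same shape works for a firewall rule base or a router's running configuration: a parser for the format, a policy expressed as the values that must hold, and a fingerprint stored with each review so the next one can start by asking whether anything effective changed at all.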