Chapter 4. Access-Control Systems and Methodology

Terms you'll need to understand:

  • Dictionary attack

  • Brute-force attack

  • Password types

  • Mandatory access control (MAC)

  • Discretionary access control (DAC)

  • Role-based access control (RBAC)

  • Denial-of-service attack (DoS)

  • Honeypots

  • Crossover error rate (CER)

Techniques you'll need to master:

  • Understand access-control techniques

  • Understand the goals of penetration testing

  • Understand the types of intrusion-detection systems

  • Describe the two types of intrusion-detection systems engines

  • Be able to differentiate authorization types

  • Know the advantages of single sign-on technologies

Introduction

Access control is a key component of security. When properly designed, it lets in legitimate users and keeps unauthorized individuals out. Access control has moved far beyond simple usernames and passwords. Modern access-control systems can use physical attributes or biometrics for authentication. Many airports now use biometrics for authentication. Security administrators have more to worry about than just authentication. Many employees now have multiple accounts to keep up with. Luckily, there is a way to consolidate these accounts: single sign-on.

This chapter discusses access-control techniques and the ways to implement control within centralized and decentralized environments. It also discusses some of the threats to access control. Attackers can launch password-cracking attacks to try to gain unauthorized access. If they still cannot get into a system, they might attempt to launch denial-of-service (DoS) attacks to disrupt availability to legitimate users. That is why access control is also about detective and corrective measures. It's important to have systems to detect misuse or attacks. One such system is an intrusion-detection system (IDS). IDS systems are also discussed in this chapter.

Threats Against Access Control

Access control is probably one of the most targeted security mechanisms. After all, its job is to keep out unauthorized individuals. Attackers can use a variety of tools and techniques to try to bypass or subvert access control.

Password Attacks

Think your passwords are secure? A European Infosec conference performed an impromptu survey and discovered that 74% of those surveyed would trade their passwords for a chocolate bar. Now, the results of this survey might not meet strict scientific standards, but this does prove a valuable point: Many individuals don't practice good password security. Attackers are well aware of this and use the information to launch common password attacks. Attackers typically use one of two methods to crack passwords: a dictionary crack or a brute-force crack.

Dictionary Crack

A dictionary crack uses a predefined dictionary to look for a match between the encrypted password and the encrypted dictionary word. Many dictionary files are available, ranging from Klingon to popular movies, sports, and the NFL.

Many times, these cracks can be performed in just a few minutes because individuals tend to use easily remembered passwords. If passwords are well-known, dictionary-based words, dictionary tools will crack them quickly.

Just how do cracking programs recover passwords? Passwords are commonly stored in a hashed format, so most password-cracking programs use a technique called comparative analysis. Each potential password found in a dictionary list is hashed and compared to the encrypted password. If a match is obtained, the password has been discovered. If not, the program continues to the next word, computes its hashed value, and compares that to the hashed password. These programs are comparatively smart because they can manipulate a word and use its variations. For example, take the word password. It would be processed as Password, password, PASSWORD, PassWord, PaSSword, and so on. These programs tackle all common permutations of a word. They also add common prefixes, suffixes, and extended characters to try to crack the password. This is called a hybrid attack. Using the previous example, these attempts would look like 123password, abcpassword, drowssap, p@ssword, pa44w0rd, and so on. These various approaches increase the odds of successfully cracking an ordinary word or any common variation of it.
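The comparative analysis just described, as an added example that is not from the book: a Python password-policy check that hashes each dictionary word and its hybrid variants (case permutations, reversal, common character substitutions, prefixes and suffixes) and compares each result against a stored hash. The four-word dictionary, the affix and substitution lists, and unsalted SHA-256 as the stored-hash format are all constructed for the example; the same loop works against any wordlist and hash function.

```python
import hashlib
import itertools

# Constructed four-word dictionary; an audit would load a full wordlist file instead.
WORDLIST = ["password", "welcome", "dragon", "letmein"]

# Prefixes/suffixes and character substitutions a hybrid attack adds to each word.
AFFIXES = ["", "123", "1", "!"]
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def case_variants(word):
    """password, Password, PASSWORD, PaSSword, ... every upper/lower combination."""
    for bits in itertools.product((False, True), repeat=len(word)):
        yield "".join(c.upper() if up else c.lower() for c, up in zip(word, bits))


def leet_variants(word):
    """The word unchanged, with every substitution applied, and with each one applied alone."""
    yield word
    yield "".join(LEET.get(c, c) for c in word)
    for i, c in enumerate(word):
        if c in LEET:
            yield word[:i] + LEET[c] + word[i + 1:]


def hybrid_candidates(word):
    """All variations of one dictionary word: case, reversal, substitutions, prefixes, suffixes."""
    seen = set()
    bases = set()
    for w in case_variants(word):
        bases.add(w)
        bases.add(w[::-1])          # reversed word, e.g. drowssap
    for base in bases:
        for variant in leet_variants(base):
            for prefix in AFFIXES:
                for suffix in AFFIXES:
                    candidate = prefix + variant + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def sha256_hex(text):
    """Stored-hash format assumed for the example: unsalted SHA-256 (weak on purpose)."""
    return hashlib.sha256(text.encode()).hexdigest()


def matches_dictionary(stored_hash, wordlist=WORDLIST, hash_fn=sha256_hex):
    """Comparative analysis: hash each candidate and compare to the stored hash.
    Returns the recovered plaintext, or None when no candidate matches."""
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if hash_fn(candidate) == stored_hash:
                return candidate
    return None


def password_acceptable(password):
    """Policy check at password-change time: reject anything the hybrid run recovers."""
    return matches_dictionary(sha256_hex(password)) is None
```

Each mutation rule multiplies the candidate count, which is why a short dictionary-derived password falls within seconds even with every variation tried; a slow, salted password hash raises the cost of each comparison and removes the shortcut of hashing a candidate once for every account.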

Brute-Force Crack

The brute-force attack is a type of encrypted password assault and can take hours, days, months, or years, depending on the complexity of the password and the key combinations used. This type of crack depends on CPU speed because the attacker attempts every combination of letters, numbers, and characters.

An alternative to traditional brute-force password cracking is to use a rainbow table. Whereas traditional brute-force password cracking tries one combination at a time, the rainbow table technique precomputes all possible passwords in advance. This is considered a time/memory trade-off technique. When this time-consuming process is complete, the passwords and their corresponding encrypted values are stored in a file called the rainbow table. An encrypted password can be quickly compared to the values stored in the table and cracked within a few seconds.

Emanation Security

Attackers can find other ways to break in besides cracking passwords. They might try to sniff the stray electrical signals that emanate from electronic devices. This might sound like science fiction, but the U.S. government was concerned enough about the possibility of this type of attack that it started a program to study it. The program eventually became a standard known as TEMPEST.

TEMPEST is somewhat dated; newer technologies such as white noise and control zones are now used to control emanation security. White noise uses special devices that send out a stream of frequencies that make it impossible for an attacker to distinguish the real information. Control zones are the practice of designing facilities, walls, floors, and ceilings to block electrical signals from leaving the zone.

Note

A CISSP candidate is expected to know the technologies and techniques implemented to prevent intruders from capturing and decoding information emanated through the airwaves. TEMPEST, white noise, and control zones are the three primary controls.

Denial of Service/Distributed Denial of Service (DoS/DDoS)

Denial-of-service (DoS) attacks consume resources to the point that legitimate access is not possible. Distributed DoS (DDoS) attacks work in much the same way, except that they are launched from many more devices and add a layer between the attacker and the victim. Following are DoS/DDoS attacks:

  • Ping of death—Employs an oversize IP packet.

  • Smurf—Sends a message to the broadcast address of a subnet or network so that every node on the network produces one or more response packets.

  • Syn flood—Takes advantage of the maximum number of connection requests that a host can handle at one time. When all possible connections are consumed, no one can access the server for legitimate purposes.

  • Trinoo—A DDoS tool capable of launching User Datagram Protocol (UDP) flood attacks from various channels on a network.

Access-Control Types

One of the main reasons to have a variety of access-control types is to provide the organization with true defense in depth. Each control type provides a different level of protection, and because each level can be tweaked to meet the needs of the organization, the security administrator has a very granular level of control over the security mechanisms. Security mechanisms can serve many purposes, although they are primarily used to prevent, detect, or recover from problems. The best approach is for the organization to focus the bulk of its controls on prevention because this allows the organization to stop a problem before it starts. The three access-control types include administrative, technical, and physical controls.

Administrative Controls

Administrative controls are the policies and procedures implemented by the organization. Preventive administrative controls can include security awareness training, strong password policies, and robust pre-employment checks.

Technical Controls

Technical controls are the logical controls you have put in place to protect the IT infrastructure. Technical controls include strong authentication (biometrics or two-factor), encryption, network segmentation, demilitarized zones (DMZs), and antivirus controls.

Physical Controls

Physical controls are the ones you can most likely see. These controls protect against theft, loss, and unauthorized access. Examples of physical access controls include guards, gates, locks, guard dogs, closed-circuit television (CCTV), and alarms.

Note

Be sure you understand the three types of controls that can be used to limit access—administrative, technical, and physical controls—and what is contained within each set. This is considered required knowledge for the CISSP exam.

Identification, Authentication, and Authorization

Identification, authentication, and authorization are three of the core concepts of access control. Together these items determine who gets into the network and what they have access to. A failure of any of these services can have detrimental results to the security of the organization. Identification is the process of identifying yourself to an authentication service. Authentication is the process of determining whether a user is who he or she claims to be. Authorization is the process of determining whether a user has the right to access a requested resource. These concepts are tied to one additional item: accountability, which is discussed in subsequent chapters. Accountability is the capability to relate specific actions and operations to a unique individual.

Authentication

In network security, authentication is the process of determining the legitimacy of a user or process. Various authentication schemes have been developed over the years. These are some common authentication methods:

  • Usernames and passwords—Typically a name and an alphanumeric password.

  • Tokens—A hardware-based device used for authentication.

  • Smart cards—An intelligent token that has been embedded with an integrated circuit chip. It provides not only memory capacity, but computational capability as well.

  • Magnetic stripe cards—A widely used standard that became established in the 1970s. The magnetic stripe contains information used to authenticate the user.

  • Certificates—Some authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), can use certificates for authentication of computers and users. Certificates can reside on a smart card or can be used by IPSec and Secure Sockets Layer (SSL) for web authentication.

  • Biometrics—Systems that make use of something you are, such as a fingerprint, retina scan, or voice print.

A quick review of this list should illustrate that all these forms of authentication can be distilled into three distinct types:

  • Something you know—passwords

  • Something you have—tokens, smart cards, and certificates

  • Something you are—biometrics

Note

Some experts actually list four categories of authentication: something you know, something you have, something you are, and where you are.

Passwords

Of these three types, probably the most widely used are usernames and passwords. The problem with this method is that passwords as a form of authentication are also one of the easiest to crack. Using passwords makes the network even more vulnerable because most individuals make passwords easy to remember, such as a birthday, an anniversary, or a child's name. Also, people have a limited memory, so the same password is often used to gain access to several different systems. With valid usernames and easily guessed passwords, a network is very close to losing two of the three items that ensure security: confidentiality and integrity. Programs such as John the Ripper can quickly cycle through huge dictionary files looking for a match. This makes password security an important topic for anyone studying access control: Many times, it is all that stands between an intruder and account access. If you can't make the change to a more robust form of authentication, password policy should at least follow some basic guidelines:

  • Passwords should not use personal information.

  • Passwords should be 7 or 14 characters.

  • Passwords should expire at least every 30 days.

  • Passwords should never consist of common words or names.

  • Passwords should be complex and should use upper- and lowercase letters and characters (such as !@#$%^&).

  • Logon attempts should be limited to a small number of times, such as three to five successive attempts.

Note

A logon limit is also known as a clipping level in CISSP terminology. Remember that a clipping level is the threshold or limit that must be reached before action is taken.

Cognitive Passwords

Cognitive passwords are another interesting password mechanism that has gained popularity. For example, three to five questions might be asked, such as these:

  • What country were you born in?

  • What department do you work for?

  • What's your pet's name?

  • What is your mother's maiden name?

If you answer all the questions correctly, you are authenticated. Cognitive passwords are widely used during enrollment processes and when individuals call help desks or request other services that require authentication. Cognitive passwords are not without their problems. For example, if your name is Paris Hilton and the cognitive password you're prompted for by T-Mobile is “What's your pet's name?” anyone who knows that your pet's name is Tinkerbell can easily access your account.

One-Time Passwords

One-time passwords are used only once and are valid for only a short period of time. One-time passwords are usually provided through a token device that displays the time-limited password on an LCD screen.

Note

A passphrase is a type of virtual password. Passphrases function by having someone enter the phrase into the computer. Software converts or hashes that phrase into a stronger virtual password that is harder for an attacker to crack.

Token Device

The tokens described in the previous sections can be synchronous dynamic password tokens or asynchronous password devices. These devices use a challenge-response scheme and are form-factored as smart cards, USB plugs, key fobs, or keypad-based units. These devices generate authentication credentials that are often used as one-time passwords. Another great feature of token-based devices is that they can be used for two-factor authentication.

Synchronous

Tokens that are said to be synchronous are synchronized to the authentication server. Each individual passcode is valid for only a short period of time. Even if an attacker were able to intercept a token-based password, it would be valid for only a limited time. After that small window of opportunity, it would have no value to an attacker. As an example, RSA's SecurID changes user passwords every 60 seconds.

Asynchronous

Asynchronous token devices are not synchronized to the authentication server. These devices use a challenge-response mechanism. These devices work as follows:

  1. The server sends the user a value.

  2. The value is entered into the token.

  3. The user is prompted to enter a secret passphrase.

  4. The token performs a hashing process on the entered value.

  5. The new value is displayed on the LCD screen of the token device.

  6. The user enters the displayed value into the computer for authentication.
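Both token modes, as an added Python example that is not from the book and does not reproduce SecurID's proprietary algorithm: the synchronous token derives its counter from the clock (here the HMAC-based one-time password of RFC 4226, stepped every 60 seconds as RFC 6238 does), so the server only needs the same secret and a roughly synchronized clock; the asynchronous token takes the server's challenge plus the user's passphrase (steps 1 to 6 above) and the server recomputes the expected response. The shared secret, the nonce, the passphrase and the 6-digit display length are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret; in practice it is provisioned into the token at enrollment.
SECRET = b"constructed-demo-seed-0123456789"
DIGITS = 6
STEP_SECONDS = 60  # the text cites SecurID's 60-second window


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# --- Synchronous token: both sides derive the counter from the clock ---------

def synchronous_code(secret, now, step=STEP_SECONDS):
    """What the token display shows at time `now` (seconds since the epoch)."""
    return hotp(secret, int(now // step))


def verify_synchronous(secret, code, now, step=STEP_SECONDS, skew=1):
    """Server side: accept the current window plus `skew` neighbours to absorb clock drift.
    A code intercepted earlier is worthless once its window has passed."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


# --- Asynchronous token: challenge-response, no shared clock -----------------

def token_response(secret, challenge, passphrase):
    """Steps 2-5: the token hashes the server's value with the passphrase under its secret
    and shows a short decimal code on its LCD."""
    msg = (challenge + ":" + passphrase).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % (10 ** DIGITS)).zfill(DIGITS)


class ChallengeServer:
    """Holds the token secret and the user's passphrase (assumption: stored server-side)."""

    def __init__(self, secret, passphrase):
        self.secret = secret
        self.passphrase = passphrase
        self.outstanding = {}

    def issue_challenge(self, user, nonce):
        """Step 1: send the user a fresh value; it is remembered so it can only be answered once."""
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        """Step 6: recompute the expected response for the outstanding challenge."""
        challenge = self.outstanding.pop(user, None)
        if challenge is None:
            return False  # no challenge issued, or this one was already consumed (replay)
        expected = token_response(self.secret, challenge, self.passphrase)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("token display right now:", synchronous_code(SECRET, time.time()))
```

The `skew` parameter is the tuning knob the text alludes to: a wider window tolerates more clock drift but lengthens the time an intercepted code stays usable. In the asynchronous case the challenge is consumed on first use, so an observed response cannot be replayed.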

Biometrics

Biometrics is a means of authentication that is based on a behavioral or physiological characteristic that is unique to an individual. Biometrics is the most accurate means of authentication, but it is also more expensive than the other methods discussed. Biometric authentication systems have been slow to mature because many individuals are averse to the technology. Issues such as privacy are typically raised, although things have started to change somewhat after 9/11. More companies have felt the need for increased security, and biometric authentication systems have been one way to meet the challenge. Biometric systems work by recording information that is very minute and individual to the person. When the biometric system is first used, the system must develop a database of information about the user. This is considered the enrollment period. When enrollment is complete, the system is ready for use. So, if an employee then places his hand on the company's new biometric palm scanner, the scanner compares the ridges and creases found on the employee's palm to the one that is identified as that individual's in the device's database. Whether the employee gains access depends on the accuracy of the system.

Different biometric systems have varying levels of accuracy. The accuracy of a biometric device is measured by the percentage of Type I and Type II errors it produces. Type I errors (false rejection rate) are a measurement of the percentage of individuals who should have gotten in but were not allowed access. Type II errors (false acceptance rate) are the percentage of individuals who got in and should not have been allowed access. Together these two values determine the accuracy of the system. This is determined by mapping the point at which Type I errors equal Type II errors. This point is known as the crossover error rate (CER). The lower the CER, the better—for example, if system A had a CER of 4 and system B had a CER of 2, system B would be the system with the greatest accuracy. Some of the most widely used types of biometric systems include these:

  • Finger scan—Distinguishes one fingerprint from another by examining the configuration of the peaks, valleys, and ridges of the fingerprint. It is the most common type of biometric system used.

  • Hand geometry—Uses the unique geometry of a user's fingers and hand in identification.

  • Palm scan—Uses the creases and ridges of a user's palm for identification.

  • Retina pattern—Uses the person's eye for identification; very accurate.

  • Iris recognition—Another eye-recognition system that matches the person's blood vessels on the back of the eye; also very accurate.

  • Voice recognition—Uses voice analysis for identification.

  • Keyboard dynamics—Analyzes the speed and pattern of typing.
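How the crossover error rate is actually obtained, as an added example that is not from the book: a biometric matcher produces a score, the system accepts when the score reaches a threshold, and sweeping that threshold trades Type I errors (genuine users rejected) against Type II errors (impostors accepted). The two score lists are constructed so that they overlap; the threshold at which FRR and FAR meet is the CER.

```python
# Constructed matching scores (higher = closer match). Genuine users should score high and
# impostors low; the overlap between the two groups is what produces errors.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 60, 55]
IMPOSTOR_SCORES = [20, 28, 35, 41, 48, 52, 58, 63, 69, 75]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) in percent for the rule "accept if score >= threshold".
    FRR is the Type I rate (genuine users turned away); FAR is the Type II rate (impostors let in)."""
    frr = 100.0 * sum(score < threshold for score in genuine) / len(genuine)
    far = 100.0 * sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return (threshold, CER) at the point where FRR and FAR are
    closest to equal. With discrete scores the two curves may not cross exactly, so the CER is
    reported as the mean of the two rates at the nearest point."""
    best = None
    for threshold in range(0, 101):
        frr, far = error_rates(threshold, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def more_accurate(cer_a, cer_b):
    """Lower CER wins, as in the text's comparison of system A (CER 4) and system B (CER 2)."""
    return "B" if cer_b < cer_a else "A"
```

Raising the threshold from the crossover point lowers FAR at the expense of FRR, which is the direction a high-security site chooses; the Note following this list is the reason: the Type II rate is the one that lets the wrong person in.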

Note

Before attempting the CISSP exam, make sure you understand the difference between Type I and Type II errors and the CER. Type II values are considered to be the most critical error rate to examine, while the CER is considered to be the best measurement of biometric system accuracy.

Other considerations must be made before deploying a biometric system:

  • Employee buy-in—Users might not like or want to interact with the system. If so, the performance of the system will suffer. For example, a retina scan requires individuals to look into a cuplike device, whereas an iris scanner requires only a quick look into a camera.

  • Age, gender, or occupation of the user—Users who perform physical labor or work in an unclean environment might find finger scanners frustrating.

  • The physical status of the user—Users who are physically challenged or handicapped might find the placement of eye scanners difficult to reach. Those without use of their hands or fingers will be unable to use fingerprint readers, palm scanners, or hand geometry systems.

Strong Authentication

To make authentication stronger, you can combine several of the methods discussed previously. This combination is referred to as multifactor or strong authentication. The most common form of strong authentication is known as two-factor authentication. Tokens combined with passwords form an effective and strong authentication. If you have a bank card, you are familiar with two-factor authentication. Bank cards require two items to successfully access an account: something you have and something you know. These two items, your card and your PIN, grant you access to the account.

The decision to use strong authentication depends on your analysis of the value of the assets being protected. What are the dollar values of the assets being protected? What might it cost the organization in dollars, lost profit, potential public embarrassment, or liability if unauthorized access is successful?

Single Sign-On

Single sign-on is an attempt to address a problem that is common for all users and administrators. Various systems within the organization likely require the user to log on multiple times to multiple systems. Each one of these systems requires the user to remember a potentially different username and password combination. Most of us tire of trying to remember all this information and begin to look for shortcuts. The most common is to just write down the information. Walk around your office, and you might see that many of your co-workers have implemented the same practice. Single sign-on is designed to address this problem by permitting users to authenticate once to a single authentication authority and then access all other protected resources without reauthenticating. Before you run out and decide to implement single sign-on at your organization, you should be aware that it is expensive and if an attacker can gain entry, that person then has access to everything. Kerberos, SESAME, KryptoKnight (by IBM), and NetSP (a KryptoKnight derivative) are authentication server systems with operational modes that can implement single sign-on.

Note

Thin clients can be considered a type of single sign-on system because the thin client holds no data. All information is stored in a centralized server. Thus, once a user is logged in, there is no reason for that user to reauthenticate.

Kerberos

Kerberos is a network authentication protocol created by the Massachusetts Institute of Technology (MIT) that uses secret-key cryptography. Kerberos has three parts: a client, server, and trusted third party (KDC) to mediate between them. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's credentials.

The KDC is a service that runs on a physically secure server. The KDC consists of two components:

  • Authentication service—The authentication service issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS). Before network clients can get tickets for services, they must obtain a TGT from the authentication service.

  • Ticket-granting service—Clients receive tickets to specific target services.

The basic operation of Kerberos is as follows (and is shown in Figure 4.1):

  1. The client asks the KDC for a ticket, making use of the authentication service (AS).

  2. The client receives the encrypted ticket and the session key.

  3. The client sends the encrypted TGT to the TGS and requests a ticket for access to the application server. This ticket has two copies of the session key: One copy is encrypted with the client key, and the other copy is encrypted with the application server key.

  4. The TGS decrypts the TGT using its own private key and returns the ticket to the client that will allow it to access the application server.

  5. The client sends this ticket, along with an authenticator, to the application server.

  6. The application server sends confirmation of its identity to the client.


Figure 4.1. Kerberos operation.
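The six-step exchange above, as an added simulation in Python that is not from the book and not a real Kerberos implementation: the AS hands the client a TGT sealed under the TGS key and a session key sealed under the client's long-term key, the TGS opens the TGT with its own key and issues a service ticket, and the application server verifies the ticket and authenticator and proves its own identity by echoing the timestamp under the session key. The realm (user alice, the krbtgt and fileserver keys), the password-to-key derivation, the lifetimes, and the HMAC-based toy cipher standing in for Kerberos encryption types are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300            # seconds an authenticator timestamp may differ from the verifier's clock
TICKET_LIFETIME = 8 * 3600


# --- Toy authenticated cipher (constructed; NOT a Kerberos encryption type) -----------------
def _keystream(key, nonce, length):
    blocks = (length // 32) + 1
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))


def encrypt(key, obj):
    """Serialize obj, XOR with an HMAC-derived keystream, prepend nonce and integrity tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def decrypt(key, blob):
    """Raise ValueError if the key is wrong or the blob was altered: a forged ticket fails here."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ticket")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def derive_key(password):
    """Client long-term key from the password (constructed; real Kerberos uses salted string-to-key)."""
    return hashlib.sha256(password.encode()).digest()


def _check_authenticator(auth, ticket):
    """The authenticator must name the ticket's client and be fresh; the ticket must be unexpired."""
    if auth["client"] != ticket["client"] or abs(auth["ts"] - time.time()) > MAX_SKEW:
        raise PermissionError("authenticator rejected")
    if ticket["exp"] < time.time():
        raise PermissionError("ticket expired")


class KDC:
    """Authentication service (AS) and ticket-granting service (TGS) of the KDC."""

    def __init__(self, client_keys, service_keys):
        self.client_keys = client_keys      # principal -> long-term key
        self.service_keys = service_keys    # service -> key; "krbtgt" is the TGS's own key

    def _ticket(self, service, client):
        sk = os.urandom(32).hex()
        blob = encrypt(self.service_keys[service],
                       {"client": client, "sk": sk, "exp": time.time() + TICKET_LIFETIME})
        return blob, sk

    def as_exchange(self, client):
        """Steps 1-2: TGT under the TGS key; the session key under the client's key."""
        tgt, sk = self._ticket("krbtgt", client)
        return tgt, encrypt(self.client_keys[client], {"sk": sk})

    def tgs_exchange(self, tgt_blob, authenticator_blob, service):
        """Steps 3-4: open the TGT with the TGS's own key, verify the authenticator, issue a ticket."""
        tgt = decrypt(self.service_keys["krbtgt"], tgt_blob)
        sk = bytes.fromhex(tgt["sk"])
        _check_authenticator(decrypt(sk, authenticator_blob), tgt)
        ticket, svc_sk = self._ticket(service, tgt["client"])
        return ticket, encrypt(sk, {"sk": svc_sk})


def client_login(kdc, client, password):
    tgt, reply = kdc.as_exchange(client)
    sk = bytes.fromhex(decrypt(derive_key(password), reply)["sk"])  # a wrong password fails here
    return tgt, sk


def client_service_ticket(kdc, client, tgt, sk, service):
    auth = encrypt(sk, {"client": client, "ts": time.time()})
    ticket, reply = kdc.tgs_exchange(tgt, auth, service)
    return ticket, bytes.fromhex(decrypt(sk, reply)["sk"])


def application_server(service_key, ticket_blob, authenticator_blob):
    """Steps 5-6: verify ticket and authenticator, then echo the timestamp under the session key."""
    ticket = decrypt(service_key, ticket_blob)
    sk = bytes.fromhex(ticket["sk"])
    auth = decrypt(sk, authenticator_blob)
    _check_authenticator(auth, ticket)
    return encrypt(sk, {"ts": auth["ts"]})


def run_session(kdc, client, password, service, service_key):
    """Whole flow; True only if every step verifies and the server proves it holds the session key."""
    try:
        tgt, sk = client_login(kdc, client, password)
        ticket, svc_sk = client_service_ticket(kdc, client, tgt, sk, service)
        ts = time.time()
        reply = application_server(service_key, ticket, encrypt(svc_sk, {"client": client, "ts": ts}))
        return decrypt(svc_sk, reply)["ts"] == ts
    except (ValueError, PermissionError, KeyError):
        return False


# Constructed realm: one user, the TGS key, one application server.
FILESERVER_KEY = hashlib.sha256(b"constructed-fileserver-key").digest()
DEMO_KDC = KDC({"alice": derive_key("alice-pw")},
               {"krbtgt": hashlib.sha256(b"constructed-krbtgt-key").digest(),
                "fileserver": FILESERVER_KEY})
```

Two of the weaknesses listed later in this section are visible in the code: the `MAX_SKEW` check is why clocks must be synchronized, and everything depends on the KDC's key table being available and intact.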

Note

Some Kerberos literature uses the term principal instead of client. Principals can be a user, a process, or an application. Kerberos systems authenticate one principal to another.

Although Kerberos can provide authentication, integrity, and confidentiality, it's not without its weaknesses. One weakness is that Kerberos cannot guarantee availability. Some others are listed here:

  • Kerberos is time sensitive; therefore, it requires all system clocks to be highly synchronized.

  • The tickets used by Kerberos, which are authentication tokens, can be sniffed and potentially cracked.

  • If an attacker targets the Kerberos server, it can prevent anyone in the realm from logging in. It is important to note that the Kerberos server can be a single point of failure.

SESAME

The Secure European System and Applications in a Multivendor Environment (SESAME) project was developed to address some of the weaknesses found in Kerberos. SESAME incorporates MD5 and CRC32 hashing and two certificates. One of these certificates is used to provide authentication, as in Kerberos, and the second certificate is used to control the access privileges assigned to a client.

Access-Control Models

Access-control models can be divided into two distinct types: centralized and decentralized. Depending on the organization's environment and requirements, typically one methodology works better than the other.

Centralized Access Control

Centralized access-control systems maintain user IDs, rights, and permissions in one central location. RADIUS, TACACS, and DIAMETER are examples of centralized access-control systems. Characteristics of centralized systems include these:

  • One entity makes all access decisions.

  • Owners decide what users can access, and the administration supports these directives.

RADIUS

Remote Authentication and Dial-In User Service (RADIUS) is a UDP-based client/server protocol defined in RFCs 2058 and 2059. RADIUS provides three services: authentication, authorization, and accounting. It facilitates centralized user administration and keeps all user profiles in one location that all remote services share. Although ISPs have used RADIUS for years, it has become a standard in many other ways. RADIUS is widely used for wireless LAN authentication. The IEEE designed EAP to easily integrate with RADIUS to authenticate wireless users. The wireless user takes on the role of the supplicant, and the access point serves as the client. If the organization has an existing RADIUS server that's being used for remote users, it can be put to use authenticating wireless users, too.

RADIUS functions are as follows (see Figure 4.2):

  1. The user connects to the RADIUS client.

  2. The RADIUS client requests credentials from the user.

  3. The user enters credentials.

  4. The RADIUS client encrypts the credentials and passes them to the RADIUS server.

  5. The RADIUS server then accepts, rejects, or challenges the credentials.

  6. If the authentication was successful, the user is authenticated to the network.


Figure 4.2. RADIUS authentication.

Other centralized authentication methods include TACACS and LDAP.

TACACS

Terminal Access Controller Access Control System (TACACS) is available in three variations: TACACS, XTACACS (Extended TACACS), and TACACS+, which features two-factor authentication. TACACS also allows the division of the authentication, authorization, and auditing functions, which gives the administrator more control over its deployment. TACACS has failed to gain the popularity of RADIUS; it is now considered a somewhat dated protocol.

Decentralized Access Control

Decentralized access-control systems store user IDs, rights, and permissions in different locations throughout the network. Characteristics of decentralized systems include these:

  • Gives control to individuals closer to the resource, such as department managers and occasionally users

  • Maintains multiple domains and trusts

  • Does not use one centralized entity to process access requests

  • Used in database-management systems (DBMS)

  • Peer-to-peer in design

  • Lacks standardization, has overlapping rights, and might include security holes

Data Access Controls

Data access controls are established to control how subjects can access data, what they can access with it, and what they can do with it once accessed. Three primary types of access control are discussed in this section.

Discretionary Access Control (DAC)

The discretionary access control (DAC) model is so titled because access control is left to the owner's discretion. It can be thought of as similar to a peer-to-peer computer network. Each of the users is left in control. The owner is left to determine whether other users have access to files and resources. One significant problem with DAC is that its effectiveness is limited by users' skill and ability. A user who is inexperienced or simply doesn't care can easily grant full access to files or objects under his or her control. These are the two primary components of a DAC:

  • File and data ownership—All objects within a system must have an owner. Objects without an owner will be left unprotected.

  • Access rights and permissions—These control the access rights of an individual. Variation exists, but a basic access-control list checks read, write, or execute privileges.

Access rights are controlled through means of an access-control list (ACL). The ACL identifies users who have authorization to specific information. This is a dynamic model that allows data to be easily shared. A sample ACL is shown in Table 4.1. An ACL is a column within the access-control matrix displayed in Table 4.1. A subject's capabilities refer to a row within the matrix and reference what action can be taken.

Table 4.1. Sample Access-Control List

Subject    Object 1      Object 2      Object 3      Object 4
Mike       Full control  Full control  Full control  Full control
Jeff       Read          Read          Read write    No access
Clement    Read          Read write    No access     No access

Mandatory Access Control (MAC)

A MAC model is static and based on a predetermined list of access privileges; therefore, in a MAC-based system, access is determined by the system rather than the user. Figure 4.3 shows the differences between DAC and MAC. The MAC model is typically used by organizations that handle highly sensitive data (such as the DoD, NSA, CIA, and FBI). Systems based on the MAC model use sensitivity labels. Labels such as Top Secret, Secret, or Sensitive are assigned to objects. Objects are passive entities that provide data or information to subjects. A subject can be a user, system, program, or file. When a subject attempts to access an object, the label is examined for a match to the subject's level of clearance. If no match is found, access is denied. Important items to know about the MAC model include these:

  • It's considered a need-to-know system.

  • It has more overhead than DAC.

  • All users and resources are assigned a security label.

Figure 4.3. Differences between DAC and MAC.

Note

Objects are considered passive entities; subjects are considered active ones.

Note

Object reuse refers to the reuse of media by individuals who might not have the need to know. This can happen when hard drives are shared, floppies are reused, or media is not properly wiped.

Role-Based Access Control (RBAC)

RBAC enables a user to have certain preestablished rights to objects. These rights are assigned to users based on their roles in the organization. The roles almost always map to the organization's structure. RBAC models are used extensively by banks and other organizations that have very defined roles. One profile might exist for tellers, while another exists for loan officers. Assigning access rights and privileges to a group rather than an individual reduces the burden on administration.
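The three data access-control models side by side, as an added Python example that is not from the book: the DAC part encodes Table 4.1 as an access-control matrix, reads an ACL as a column and a capability list as a row, and lets only an owner (Full control) change an ACL; the MAC part decides by comparing a clearance against a sensitivity label using the lattice ordering described under "Lattice-based access control"; the RBAC part attaches rights to roles and roles to users. The mapping of the table's labels to concrete rights, the ordering of the sensitivity levels, and the bank roles are constructed for the example.

```python
# --- DAC: the access-control matrix of Table 4.1 (values copied from the table) ---
MATRIX = {
    "Mike":    {"Object 1": "Full control", "Object 2": "Full control",
                "Object 3": "Full control", "Object 4": "Full control"},
    "Jeff":    {"Object 1": "Read", "Object 2": "Read",
                "Object 3": "Read write", "Object 4": "No access"},
    "Clement": {"Object 1": "Read", "Object 2": "Read write",
                "Object 3": "No access", "Object 4": "No access"},
}
# Constructed mapping from the table's labels to concrete rights; "grant" marks ownership.
RIGHTS = {"No access": set(), "Read": {"read"}, "Read write": {"read", "write"},
          "Full control": {"read", "write", "execute", "grant"}}


def acl(matrix, obj):
    """An ACL is one column of the matrix: every subject's right to this object."""
    return {subject: row[obj] for subject, row in matrix.items()}


def capabilities(matrix, subject):
    """A capability list is one row: everything this subject may do."""
    return dict(matrix[subject])


def dac_permits(matrix, subject, obj, action):
    return action in RIGHTS[matrix.get(subject, {}).get(obj, "No access")]


def dac_grant(matrix, owner, subject, obj, right):
    """Owner's discretion: only a subject holding 'grant' on the object may change its ACL.
    Returns a new matrix and leaves the original unchanged."""
    if not dac_permits(matrix, owner, obj, "grant"):
        raise PermissionError(f"{owner} does not own {obj}")
    new = {s: dict(row) for s, row in matrix.items()}
    new.setdefault(subject, {o: "No access" for o in new[owner]})[obj] = right
    return new


# --- MAC: sensitivity labels; the system, not the owner, decides ---
# Constructed ordering that includes every label the text mentions.
LEVELS = {"Unclassified": 0, "Sensitive": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}


def mac_permits_read(clearance, label):
    """Lattice rule: a subject may read objects at or below its clearance (Secret may read Confidential)."""
    return LEVELS[clearance] >= LEVELS[label]


# --- RBAC: rights attach to roles, users are assigned roles ---
ROLE_PERMS = {  # constructed bank roles
    "teller": {("account", "read"), ("account", "deposit")},
    "loan_officer": {("account", "read"), ("loan", "approve")},
}
USER_ROLES = {"dana": {"teller"}, "erik": {"teller", "loan_officer"}}


def rbac_permits(user, obj, action):
    return any((obj, action) in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))
```

The DAC weakness the text names is visible in `dac_grant`: nothing stops Mike from handing Full control of every object to anyone. Under `mac_permits_read` the owner has no such say, and under `rbac_permits` a staffing change is a change to `USER_ROLES`, not to every object's ACL.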

Other Types of Access Controls

Other types of access-control techniques include these:

  • Content-dependent access control (CDAC)—This model is based on the content of the resource. CDAC is primarily used to protect databases that contain potentially sensitive data.

  • Lattice-based access control—This MAC-based model functions by defining boundaries. For example, if you were cleared for secret access, you could read the level below, which is confidential.

  • Rule-based access control—Based on a specific set of rules much like a router ACL, this is considered a variation of the DAC model.
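The three models described above (MAC with its sensitivity labels, the lattice read rule, and RBAC's role-to-permission mapping, with DAC's owner-managed list for contrast) are easier to compare when the decision logic sits side by side. The block below is an added example, not code from the chapter: the label ordering, the bank roles and the user names are constructed for illustration. The no-write-down rule is the Bell-LaPadula star property, which goes one step beyond the read rule the chapter states.

```python
"""DAC, MAC and RBAC access decisions side by side on constructed subjects and objects."""
from dataclasses import dataclass, field

# ---- MAC over a linear lattice of sensitivity labels (ordering constructed here) ----
LEVELS = {"Unclassified": 0, "Sensitive": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}


def mac_can_read(clearance: str, label: str) -> bool:
    """A subject may read objects at its clearance level or below (no read-up).
    The system, not the object's owner, makes this decision."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """Bell-LaPadula star property: write only at or above your own level (no write-down),
    so a Secret-cleared subject cannot copy Secret data into a Confidential object."""
    return LEVELS[clearance] <= LEVELS[label]


# ---- DAC: the object's owner decides, by editing an access-control list ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of rights


def dac_grant(obj: DacObject, actor: str, principal: str, rights: set) -> bool:
    """Only the owner may change the ACL (that discretion is what makes the model
    'discretionary'). Returns False, and changes nothing, when a non-owner tries."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(principal, set()).update(rights)
    return True


def dac_check(obj: DacObject, principal: str, right: str) -> bool:
    """Owner has every right; everyone else gets exactly what the ACL lists."""
    return principal == obj.owner or right in obj.acl.get(principal, set())


# ---- RBAC: permissions hang off roles; users are only ever assigned roles ----
ROLE_PERMISSIONS = {  # constructed roles modelled on the chapter's bank example
    "teller": {"account:read", "deposit:create"},
    "loan_officer": {"account:read", "loan:create", "loan:approve"},
}
USER_ROLES = {"alice": {"teller"}, "bob": {"loan_officer"}, "carol": {"teller", "loan_officer"}}


def rbac_check(user: str, permission: str) -> bool:
    """Permitted if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def rbac_assign(user: str, roles: set) -> set:
    """Changing a user's job means reassigning roles, never touching individual rights.
    Returns the permissions the user ends up with."""
    USER_ROLES[user] = set(roles)
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles)) if roles else set()


if __name__ == "__main__":
    print("Secret reads Confidential:", mac_can_read("Secret", "Confidential"))
    print("Secret writes Confidential:", mac_can_write("Secret", "Confidential"))
    doc = DacObject(owner="dave")
    print("erin edits ACL:", dac_grant(doc, "erin", "frank", {"read"}))
    print("alice approves loans:", rbac_check("alice", "loan:approve"))
```

The MAC functions take no owner argument at all, which is the point: in the MAC model the owner has no say, while in the DAC block the owner is the only one who can widen access.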

Intrusion-Detection Systems (IDS)

An IDS is designed to function as an access-control monitor. It can monitor network or host activity and record which users attempt to access specific network resources. An IDS can be configured to scan for attacks, track a hacker's movements, alert an administrator to ongoing attacks, and highlight possible vulnerabilities that need to be addressed. IDS systems can be divided into two broad categories: network-based intrusion-detection systems (NIDS) and host-based intrusion-detection systems (HIDS).

IDS systems are like 3-year-olds. They require constant care and nurturing, and don't do well if left alone. I say this because IDS systems take a considerable amount of time to tune and monitor. The two biggest problems with IDS systems are false positives and false negatives. False positives refer to when the IDS has triggered an alarm for normal traffic. For example, if you go to your local mall parking lot, you're likely to hear some car alarms going off that are experiencing false positives. False positives are a big problem because they desensitize the administrator. False negatives are even worse. A false negative occurs when a real attack has occurred and the IDS never picked it up.

Note


Intrusion-prevention systems (IPS) build upon the foundation of IDS and attempt to take the technology a step further. IPS systems can react automatically and actually prevent a security occurrence from happening, preferably without user intervention. IPS is considered the next generation of IDS and can block attacks in real time.

Network-Based Intrusion-Detection Systems (NIDS)

Much like a protocol analyzer operating in promiscuous mode, NIDS capture and analyze network traffic. These devices diligently inspect each packet as it passes by. When they detect suspect traffic, the action taken depends on the particular NIDS. Alarms could be triggered, sessions could be reset, or traffic could be blocked. Among their advantages are that they are unobtrusive, they have the capability to monitor the entire network, and they provide an extra layer of defense between the firewall and the host. Their disadvantages include the fact that attackers can send high volumes of traffic to attempt to overload them, they cannot decrypt or analyze encrypted traffic, and they can be vulnerable to attacks. Things to remember about NIDS include the following:

  • They monitor network traffic in real time.

  • They analyze protocols and other relevant packet information.

  • They integrate with a firewall and define new rules as needed.

  • They send alerts or terminate offending connections.

Host-Based Intrusion-Detection Systems (HIDS)

HIDS are more closely related to a virus scanner in their function and design because they are application-based programs that reside on the host computer. Running quietly in the background, they monitor traffic and attempt to detect suspect activity. Suspect activity can range from attempted system file modification to unsafe activation of ActiveX commands. Although they are effective in a fully switched environment and can analyze network-encrypted traffic, they can take a lot of maintenance, cannot monitor network traffic, and rely on the underlying OS because they do not control core services. Things to remember about HIDS include the following:

  • They consume some of the host's resources.

  • They analyze encrypted traffic.

  • They send alerts when unusual events are discovered.

Signature-Based and Behavior-Based IDS Systems

Signature-based and behavior-based IDS systems are the two primary types of analysis methods used. These two types take different approaches to detecting intrusions.

Signature-based models, also known as rule-based models, rely on a database of known attacks and attack patterns. This system examines data to check for malicious content, which could include fragmented IP packets, streams of SYN packets (DoS), or malformed ICMP packets. Anytime data is found that matches one of these known signatures, it can be flagged to initiate further action. This might include an alarm, an alert, or a change to the firewall configuration. Although signature-based systems work well, their shortcoming is due to the fact that they are only as effective as their most current update. Anytime there is a new or varied attack, the IDS will be unaware of it and will ignore the traffic. The two subcategories of signature-based system include these:

  • Model based—Looks at specific signatures. Snort is an example of this type of design.

  • State based—A more advanced design that has the capability of tracking the state of the traffic and data as it moves between host and target.

A behavior-based IDS observes traffic and develops a baseline of normal operations. Intrusions are detected by identifying activity outside the normal range of activities. As an example, if Mike typically tries to log on only between the hours of 8 a.m. to 5 p.m., and now he's trying to log on 5,000 times at 2 a.m., the IDS can trigger an alert that something is wrong. The big disadvantage of a behavior-based IDS system is that an activity taught over time is not seen as an attack, but merely as normal behavior. These systems also tend to have a high number of false positives. Basic IDS components include the following categories:

  • Sensors—Detect and send data to the system

  • Central monitoring system—Processes and analyzes data sent from sensors

  • Report analysis—Offers information about how to counteract a specific event

  • Database and storage components—Perform trend analysis and store the IP address and information about the attacker

  • Response box—Inputs information from the previously listed components and forms an appropriate response
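The two analysis methods above, signature-based (both the stateless "model based" and the "state based" subcategory) and behavior-based, can be shown on constructed log data in a few dozen lines. The block below is an added example and not the chapter's or any product's code; the packet records, the user "mike" and his login times are constructed, as are the thresholds. The signature engine matches the chapter's own examples (an oversized ICMP datagram and a stream of SYN packets with no completed handshakes); the behavior engine builds the baseline of normal login hours and then flags the 2 a.m. login storm.

```python
"""Signature-based vs. behavior-based detection over constructed log lines."""
import re
from collections import Counter, defaultdict

# ---- constructed packet records in key=value form (not real captures) ----
PACKET_LOG = (
    ["frag_offset=0 proto=ICMP src=198.51.100.7 dst=10.0.0.10 len=65600"]  # oversized ICMP
    + [f"frag_offset=0 proto=TCP flags=S src=198.51.100.7 dst=10.0.0.10 sport={40000 + i}"
       for i in range(200)]                                                 # SYN stream, no ACKs
    + ["frag_offset=0 proto=TCP flags=S src=10.0.0.5 dst=10.0.0.10 sport=51000",
       "frag_offset=0 proto=TCP flags=A src=10.0.0.5 dst=10.0.0.10 sport=51000"]  # normal handshake
)

# Stateless ("model based") signatures: each rule inspects one record on its own.
STATELESS_SIGNATURES = [
    ("oversized ICMP datagram", re.compile(r"proto=ICMP\b.*\blen=(\d+)"),
     lambda m: int(m.group(1)) > 65535),
    ("fragmented ICMP", re.compile(r"frag_offset=([1-9]\d*)\b.*proto=ICMP"),
     lambda m: True),
]


def signature_scan(lines, half_open_limit=100):
    """Return (rule name, evidence) pairs. The SYN rule is stateful: it tracks each
    (dst, sport) tuple from SYN until an ACK completes the handshake."""
    alerts = [(name, line) for line in lines
              for name, pattern, check in STATELESS_SIGNATURES
              if (m := pattern.search(line)) and check(m)]
    half_open = defaultdict(set)          # src -> tuples that sent SYN but never ACKed
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        if f.get("proto") != "TCP":
            continue
        key = (f["dst"], f["sport"])
        if f["flags"] == "S":
            half_open[f["src"]].add(key)
        elif "A" in f["flags"]:
            half_open[f["src"]].discard(key)
    for src, conns in half_open.items():
        if len(conns) > half_open_limit:
            alerts.append(("SYN stream without completed handshakes",
                           f"src={src} half_open={len(conns)}"))
    return alerts


# ---- constructed login records: "<day> <HH:MM> <user> LOGIN <result>" ----
BASELINE_LOGINS = [
    "day1 08:05 mike LOGIN ok", "day1 09:10 mike LOGIN ok", "day1 13:30 mike LOGIN ok",
    "day1 17:00 mike LOGIN ok", "day2 08:15 mike LOGIN ok", "day2 12:00 mike LOGIN ok",
    "day2 16:45 mike LOGIN ok",
]
SUSPECT_LOGINS = (
    ["day3 09:30 mike LOGIN ok"]                                       # ordinary
    + [f"day3 08:{i % 60:02d} mike LOGIN fail" for i in range(40)]     # burst in a known hour
    + [f"day3 02:{i % 60:02d} mike LOGIN fail" for i in range(5000)]   # the 2 a.m. storm
)


def build_baseline(lines):
    """Per-user profile of how many logins occur in each hour of the day."""
    profile = defaultdict(Counter)
    for line in lines:
        _day, hhmm, user, *_ = line.split()
        profile[user][int(hhmm[:2])] += 1
    return profile


def behavior_scan(baseline, lines, burst_factor=5):
    """Flag logins at hours absent from the baseline, or volumes far above the busiest
    baseline hour. Weakness from the text: whatever the baseline was trained on, including
    an attacker's slow, steady activity, counts as normal here."""
    alerts = []
    for user, hours in build_baseline(lines).items():
        known = baseline.get(user, Counter())
        peak = max(known.values(), default=0)
        for hour, n in sorted(hours.items()):
            if hour not in known:
                alerts.append((user, hour, n, "login at an hour never seen in baseline"))
            elif n > burst_factor * max(peak, 1):
                alerts.append((user, hour, n, "login volume far above baseline"))
    return alerts


if __name__ == "__main__":
    for hit in signature_scan(PACKET_LOG):
        print("signature:", hit)
    for hit in behavior_scan(build_baseline(BASELINE_LOGINS), SUSPECT_LOGINS):
        print("behavior:", hit)
```

Note that the behavior engine raises an alert for the 40 failed logins at 8 a.m. as well; whether that is a real incident or one of the false positives the text warns about is exactly the tuning decision the analyst is left with.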

Note


Carefully read any questions that discuss IDS. Remember that several variables can change the outcome or potential answer. Take the time to underline such words as network, host, signature, and behavior, to help clarify the question.

Sensor Placement

Your organization's security policy should detail the placement of your IDS system and sensors. The placement of IDS sensors requires some consideration. IDS sensors can be placed externally, in the DMZ, or inside the network. Your decision to place a sensor in any one or more of these locations will require specific tuning. Without it, the sensor will generate alerts for all traffic that matches a given criterion, regardless of whether the traffic is indeed something that should generate an alert.

Note


False positive alerts are bad, but false negatives are worse because someone was able to perform or attempt unacceptable activity and was not detected.

Penetration Testing

Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. Penetration testing can be carried out in several different ways, including zero knowledge, full knowledge, or partial network knowledge. Regardless of what is known about the network, the penetration test team typically starts with basic user access. Its goal is to advance to root or administrator and control the network or systems. Probably the most important step of a penetration test is the approval. Without a signed consent of the network owner, the penetration test team could very well be breaking the law. A generic model of a penetration test is listed here:

  1. Discovery—Identify and document information about the targeted organization.

  2. Enumeration—Use intrusive methods and techniques to gain more information about the targeted organization.

  3. Vulnerability mapping—Map the findings from the enumeration to known and potential vulnerabilities.

  4. Exploitation—Attempt to gain user and privileged access by launching attacks against known vulnerabilities.

Note


Penetration testing can be performed with the full knowledge of the security staff, as a blind test, or a double-blind test. A blind test is one in which only publicly available information is used. A double-blind test is one in which only publicly available information is used and the security staff is not notified of the event. A double-blind test allows the organization to observe the reactions of the security staff.

These other types of tests should be considered beyond basic penetration tests:

  • Application security testing—Many organizations offer access to core business functionality through web-based applications. This can give attackers a big potential target. Application security testing verifies that the controls over the application and its process flow are adequately designed.

  • Denial-of-service (DoS) testing—The goal of DoS testing is to evaluate the network's susceptibility to DoS attacks.

  • War dialing—War dialing is an attempt to systematically call a range of telephone numbers to identify modems, remote-access devices, and maintenance connections of computers that could exist on an organization's network.

  • Wireless network testing—This form of testing is done to verify the organization's wireless access policies and ensure that no misconfigured devices have been introduced that have caused additional security exposures.

  • Social engineering testing—This form of penetration test refers to techniques using social interaction, typically with the organization's employees, suppliers, and contractors, to gather information and penetrate the organization's systems.

Various guides are available to help the penetration test team members follow a structured methodology for any of the testing scenarios described. The Open Source Security Testing Methodology Manual (OSSTMM) (www.isecom.org) is a good example of a test guide. The Open Web Application Security Project (www.owasp.org) is another source for testing methodologies and tips.

Honeypots

A honeypot is much like an IDS, in that it is another tool for detecting intrusion attempts. A honeypot is really a tool of deception. Its purpose is to fool an intruder into believing that the honeypot is a vulnerable computer. Honeypots usually contain phony files, services, and databases to attract and entrap a hacker. For these lures to be effective, they must adequately persuade hackers that they have discovered a real system. Some honeypot vendors sell products that can simulate an entire network, including routers and hosts that are actually located on a single workstation. Honeypots are effective because real servers can generate tons of traffic, which can make it hard to detect malicious activity. The honeypot can be deployed in such a manner that it is a separate server not being used by production. Because nothing is running on this server except the honeypot, it can easily detect any potential intrusions.

So, honeypots can be configured in such a way that administrators will be alerted to their use and will have time to plan a defense or guard of the real network. However, the downside of honeypots includes the fact that, just like any other security system on the network, they require time and configuration. Administrators must spend a certain amount of time monitoring these systems. In addition, if an attacker can successfully compromise the honeypot, he now has a base of attack from which to launch further attacks.
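The deception and detection properties described above come together in a very small decoy: a service that answers with a believable banner, records whoever connects, and raises an alert on every connection, because no production traffic should ever reach it. The block below is an added example, not code from the chapter or any honeypot vendor; the banner text is constructed, and the decoy binds to loopback on an OS-chosen port so it can be exercised locally.

```python
"""A minimal decoy TCP service: fake banner, record every connection, alert on each one."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

FAKE_BANNER = b"220 mail01.corp.example ESMTP Service ready\r\n"  # constructed lure text


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Play the part of a real service, then capture whatever the visitor says first.
        self.request.settimeout(2.0)
        self.request.sendall(FAKE_BANNER)
        try:
            first_bytes = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            first_bytes = b""
        self.server.record(self.client_address, first_bytes)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self._lock = threading.Lock()
        self.events = []

    def record(self, client, first_bytes):
        with self._lock:
            self.events.append({
                "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "src_ip": client[0],
                "src_port": client[1],
                "first_bytes": first_bytes[:64],
            })

    def alerts(self):
        """Every recorded connection is an alert: nothing legitimate talks to a decoy."""
        with self._lock:
            return [f"HONEYPOT: {e['src_ip']}:{e['src_port']} connected at {e['time']}, "
                    f"sent {e['first_bytes']!r}" for e in self.events]


def start_decoy(host="127.0.0.1", port=0):
    """Bind the decoy (port 0 lets the OS pick a free port) and serve on a daemon thread."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_decoy(port, payload=b"EHLO probe\r\n", host="127.0.0.1"):
    """One local connection to drive the demonstration; returns the banner received."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(server, count, timeout=5.0):
    """Handler threads finish just after the client disconnects; poll for the records."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with server._lock:
            if len(server.events) >= count:
                return list(server.events)
        time.sleep(0.05)
    with server._lock:
        return list(server.events)


if __name__ == "__main__":
    srv = start_decoy()
    print("decoy listening on", srv.server_address)
    probe_decoy(srv.server_address[1])
    wait_for_events(srv, 1)
    for line in srv.alerts():
        print(line)
    srv.shutdown()
    srv.server_close()
```

Because the decoy has no real users, the alert logic needs no tuning at all, which is the contrast with the IDS discussion earlier; the cost the text mentions is real, though: someone still has to read these alerts, and the decoy host must be isolated so that it cannot become a stepping stone if it is compromised.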

Exam Prep Questions

1:

Which of the following is not a valid defense against emanation leakage?

  • A. TEMPEST

  • B. Superzapping

  • C. White noise

  • D. Control zones

2:

Which of the following biometric systems would be considered the most accurate?

  • A. Retina scan CER 3

  • B. Fingerprint CER 4

  • C. Keyboard dynamics CER 5

  • D. Voice recognition CER 6

3:

What are the two primary components of a DAC?

  • A. Access rights and permissions, and security labels

  • B. File and data ownership, and access rights and permissions

  • C. Security labels and discretionary access lists

  • D. File and data ownership, and security labels

4:

Which of the following is considered a DDoS tool?

  • A. Trinoo

  • B. Syn flood

  • C. Ping of death

  • D. Smurf

5:

When registering for a new service, you were asked the following questions. “What country were you born in? What's your pet's name? What is your mother's maiden name?” What type of password system is being used?

  • A. Cognitive

  • B. One-time

  • C. Virtual

  • D. Complex

6:

Mark has just completed his new peer-to-peer network for the small insurance office he owns. Although he will allow Internet access, he does not want users to log in remotely. Which of the following models most closely matches his design?

  • A. TACACS+

  • B. MAC

  • C. RADIUS

  • D. DAC

7:

Which of the following is the best answer: TACACS+ features what?

  • A. One-factor authentication

  • B. Decentralized access control

  • C. Two-factor authentication

  • D. Accountability

8:

IDS systems are considered what type of control?

  • A. Logical

  • B. Administrative

  • C. Technical

  • D. Physical

9:

RADIUS provides which of the following?

  • A. Authorization and accounting

  • B. Authentication

  • C. Authentication, authorization, and accounting

  • D. Authentication and authorization

10:

One advantage of a honeypot includes:

  • A. Honeypots don't add costs to network security.

  • B. Honeypots can lure intruders into getting trapped.

  • C. Honeypots run on separate servers.

  • D. Honeypots prevent attacks.

Answers to Exam Prep Questions

A1:

Answer: B. TEMPEST (answer A), white noise (answer C), and control zones (answer D) are all used for emanation security. Superzapping is using software that bypasses normal security constraints to allow unauthorized access to data.

A2:

Answer: A. The lower the CER, the better; retina scan CER 3 (answer A) is correct. Fingerprint CER 4 (answer B), keyboard dynamics CER 5 (answer C), and voice recognition CER 6 (answer D) are incorrect because they have higher CERs. The CER is determined by combining Type I and Type II errors. This is determined by mapping the point at which Type I errors equal Type II errors. This point is known as the crossover error rate (CER).

A3:

Answer: B. The two primary components of a DAC are file and data ownership, and access rights and permissions. With file and data ownership, all objects within a system must have an owner. Objects without an owner will be left unprotected. Access rights and permissions control the access rights of an individual. Variation exists, but a basic access-control list checks read, write, or execute privileges. Answers A, C, and D are incorrect.

A4:

Answer: A. Trinoo is a DDoS tool that can launch UDP flood attacks from various channels on a network. The ping of death (answer C) is a DoS tool that employs an oversize IP packet. Smurf (answer D) is another DoS tool that sends a message to the broadcast of a subnet or network so that every node on the network produces one or more response packets. A syn flood (answer B) is also considered a DoS tool that manipulates the standard three-way handshake used by TCP.

A5:

Answer: A. Cognitive passwords are widely used during enrollment processes, when individuals call help desks, or when individuals request other services that require authentication. All other answers are incorrect: One-time passwords (answer B) are associated with tokens, virtual passwords (answer C) are a form of passphrase, and the question does not describe a complex password (answer D).

A6:

Answer: D. The discretionary access control (DAC) model is so titled because access control is left to the owner's discretion. This can be thought of as being similar to a peer-to-peer computer network. All other answers are incorrect: A MAC model (answer B) is static and based on a predetermined list of access privileges, and both TACACS+ (answer A) and RADIUS (answer C) are used for remote access and do not properly address the question.

A7:

Answer: C. TACACS+ features two-factor authentication. All other answers are incorrect: TACACS+ offers more than one-factor authentication (answer A); it is a centralized, not decentralized, access-control system (answer B); and although it offers accountability (answer D), it also offers authorization.

A8:

Answer: C. The three access-control types include administrative (answer B), technical (answer C), and physical (answer D) controls. Administrative controls are the policies and procedures implemented by the organization. Technical controls are put in place to protect the IT infrastructure. Technical controls include IDS systems, encryption, network segmentation, and antivirus controls. Physical controls are most likely seen as guards, gates, and alarms.

A9:

Answer: C. RADIUS provides three services: authentication, authorization, and accounting. RADIUS facilitates centralized user administration and keeps all user profiles in one location that all remote services share. Answers A, B, and D are incorrect because they do not fully answer the question.

A10:

Answer: B. When deployed at vulnerable points on the network, honeypots can lure intruders into thinking that it's an opportunity to break into a network; subsequently, they get trapped during the intrusion attempt. Answers A and C are actually disadvantages, and answer D is incorrect because honeypots do not prevent attacks.

Need to Know More?

www.honeypots.net—Honeypot resources

www.owasp.org/index.html—The Open Web Application Security Project

www.cccure.org/Documents/Ben_Rothke/Access%20Control.ppt—Access-control information

www.itsecurity.com/papers/camelot.htm—Getting a grip on access control

www.microsoft.com/windows2000/techinfo/administration/radius.asp—RADIUS best practices

www.antsight.com/zsl/rainbowcrack/—Rainbow tables, advanced password-cracking techniques

www.nwfusion.com/news/2005/021405ids.html—Why IPS is better than IDS

http://project.honeynet.org—The Honeynet Project

http://searchsecurity.techtarget.com/content/0,290959,sid14_gci1011764,00.html—Cognitive passwords
