Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Index

A

abstract syntax notation 1 (ASN 1), Kerberos, 66
access class labels, 18–20
access control, 3–4, 9–14, 18–20, 22, 163–164, 314, 315
access class labels, 18–20, 18
access control entries (ACEs), 86
access control lists (ACLs), 86
access type, 84
administering access control, 85–86
application level access control, 128
attacks to access control, 102–104
authorization, 10–12
buffer overflow attacks, 83, 104, 164
bugs, 81, 82–83
category labels, 18–20
common desktop environment (CDE), 85–86
configuration problems, 81, 82
discretionary access control, 18
explicit access control, 126
GetAdmin hack, 104
identification & authentication (I&A), 15
identifiers, 84
implicit access control, 126
improving access control, 104–110
inter-process communication (IPC), 85
intrusion detection systems (IDS), 104, 111
labels, 18–20
mandatory access control, 18–20
network security, 126–128
objects, 84
operating system security, 7
packet filtering, 128
permissive rules, 103
privileged programs, 107
read access, 10
reference monitors, 164
role-based models, 110
root access problems, 103
SeOS (Memco) to improve access control, 104–110
subjects, 84
Tivoli Management Environment (TME), 110
tracing path of access, 200–206
trust, 128
UNIX security (See also Unix security), 81, 84–85, 87–97
Windows NT security (See also Windows NT security), 81, 84–85, 97–102, 285–287
wrapper attacks, 90
write access, 10
access control entries (ACEs), 86, 98, 283
access control list (ACL), 86, 98, 283
access tokens, Windows NT security, 283
accountability, 163, 321
ACE/Server (Security Dynamics), 74–77
activity profiles, 176–178, 177
address resolution protocol (ARP), 139–140
address-based authentication, 16, 125
addressing, Internet Protocol (IP), 130, 131
administering security, 3
AIX operating system, identification & authentication (I&A), 29–30
algorithms, cryptographic, 53
alive addresses, Internet Protocol (IP), 130
Andrew File System (AFS), Kerberos, 63
Anonymous vulnerability, Windows NT security, 291
application program interfaces (APIs), SeOS, 107
application-level security, 125–126, 128, 320–321
intrusion detection systems (IDS), 176
network security, 149
transmission control protocol (TCP), 145–146
ARPAnet, 128
assignment of addresses, Internet Protocol (IP), 130
assurance level, 6
asymmetric cryptography, 53
attack classification, 182–208
attack signatures, 322
attribute-value pairs, X.509 digital certificates, 68
audit ID (AUID), UNIX security, 88, 199–200
audit logs, 244–245
audit trails, 198–200
auditing, 14, 20–21, 175, 244–245, 307–308
audit IDs (AUID), 88, 199–200
audit trails, 198–200
event logs, 195
IBM Network Security Auditor, 224–225
network security, 169, 175
SeOS, 108–109
Stalker, 228, 229–230
syslog event logger, 195–198
tracing path of access, 200–206
Windows NT security, 285–287
augment vs. replace existing security, 25
AUSCERT, 327
authentication (See also identification & authentication), 6, 14–18
authentication headers (AH), IPsec, 138–139
authentication servers (AS), 52–71
Athena project, 52
cryptography/encryption, 53–54
digital certificates, 54
Kerberos, 52, 54–67, 327
X.509 digital certificates, 54, 67–71, 152
authenticators, Kerberos, 60, 65
authorization, 10–12, 15
authorization databases, 10–12
availability of data, 5–6
Axent-Raptor Eagle, 194

B

backups, 305–308, 310
Ballista, 224
basic security model, 9–14, 314
bastion hosts, network security, 148
.bat bug, Windows NT security, 291
bilateral or mutual authentication, 17, 65
X.509 digital certificates, 67–68
binding addresses, Internet Protocol (IP), 140
biometrics, 78
boot records, 96
boundaries (see trust boundaries)
boundary between network layers, 116
broadcast addresses, Internet Protocol (IP), 131
brute force attacks, passwords, 44–47
buffer overflow attacks, 185, 191
access control, 83, 104, 164
network security, 267
UNIX security, 258–259
Windows NT security, 292
bugs, 5, 193, 245–246
access control, 81, 82–83
network security, 161–162
passwords, 51
UNIX security, 260–261
Windows NT security, 290

C

category labels, 18–20, 18
centralized security, 24
Centrax, Windows NT security, 294–297, 295, 297, 318–319
CERT, 327
certificate authority (CA), X.509 digital certificates, 68, 69
certificate revocation list (CRL), X.509 digital certificates, 69
certificates/certification (see digital certificates; X.509)
challenge-response authentication, 77–78
changes to data (see integrity of data)
checksums, 63
choosing a password, 44, 51–52
ciphertext passwords, 36
classes of addresses, Internet Protocol (IP), 130
classic security model, 3–4
classifying security products, 21–25
.cmd bug, Windows NT security, 291
COAST, 94, 178, 200, 327
combined products, 323
common data security architecture (CDSA)
network security, 151
X.509 digital certificates, 70
common desktop environment (CDE), 30, 85–86
common gateway interface (CGI), network security, 160
common language integrated production system (CLIPS), 239
computable nature of confidentiality/integrity, 6
computer misuse detection system (CMDS), 227, 235–240, 318
analysis modes, 236–237
anomaly reporting, 237–239, 238
common language integrated production system (CLIPS), 239
distributed intrusion detection, 241
ease of setup, 240–241
how it works, 236
monitoring security, 242–243
pattern matching signatures, 239–240
privacy issues, 242–243
statistical anomaly detection, 240
statistical measures, 237
confidentiality of data, 5–6, 5
configuration errors, 8, 81, 82, 245–246
access control, 81, 82
network security, 158–162
Windows NT security, 292–293
covert channels, 204
Crack penetration program, passwords, 46
crashes, 5
credentials, UNIX security, 33, 34, 96
Cross Site, 322
cryptography/encryption, 53–54, 308
algorithms, 53
asymmetric cryptography, 53
authentication headers (AH), IPsec, 138–139
data encryption standard (DES), 36, 53
digital signatures, 54
encapsulation security payload (ESP), IPsec, 138, 139
generic security services API (GSSAPI), 67
hash, cryptographic, 36, 308
identification & authentication (I&A), 16
intrusion detection systems (IDS), 175
Kerberos, 55, 63
keys, cryptographic, 53
network information system (NIS/NIS+), 38–39
network security, 149, 167–168, 271–272, 274
one-time pads, 73
plaintext to ciphertext passwords, 36
private keys, 53–54
public keys, 53–54
RSA public-key cryptography, 53
salt for password enhancement, 36–37
secret keys, 53
sniffers, 271–272, 274
symmetric cryptography, 53
UNIX security, 35–37
X.509 digital certificates, 67–71

D

data encryption standard (DES), 36, 53
data source security, 174–175, 193–200, 284–288
database security, 7
authorization databases, 10–12
data source security, 174–176, 193–200, 284–288
database management systems (DBMS), 124
entities, 7
existing vs. new data sources, 25
network security, 124
trust boundaries, 7
trust relationships, 7
users, 7
data-driven attacks, 185
decimal notation in addresses, Internet Protocol (IP), 130
DEFCON, 243
delegation of tickets, Kerberos, 66
denial of service attack, 182–183, 186–187
Internet Protocol (IP), 133, 137
network security, 161, 267
passwords, 44–47
UNIX security, 249–251
dependencies of security products, 7
destination addresses, network security, 124
detecting security breaches, 25–26
dictionary of passwords, 45
digital certificates, 54, 67–71, 152, 164–165, 321
digital signatures, 54, 68
directory management, UNIX security, 89–94
disconnect/shut down of resources, 309
discretionary access control (DAC), 18
UNIX security, 33
Windows NT security, 98–102
distinguished names, X.509 digital certificates, 68
distributed authentication, 120
distributed computing environments (DCE), 16, 24
distributed intrusion detection, 241
distributed security, 24
documentation of system, 305–308
domain controllers, Windows NT security, 39, 41–42, 43
domain name system (DNS), network security, 127, 140–141, 267
duplicate token system calls, 290
dynamic host configuration protocol (DHCP), 241

E

effective group IDs (EGID), UNIX security, 87–97, 247–259
effective user IDs (EUID), UNIX security, 87–97, 247–259
electromagnetic emissions monitoring, passwords, 50
e-mail security, 152
EMERALD project, 179, 191
encapsulation, 114
encapsulation security payload (ESP), IPsec, 138, 139
encryption (see cryptography/encryption)
engine categories, intrusion detection systems (IDS), 170–173
entities, 4, 9–14
database security, 7
network security, 120–122
operating system security, 7, 8
evaluation of attack situation, 309
evasion attacks, 275
event logs, 195, 285–287, 307–308
Event Manager, 244
event monitoring, 244
event records, Windows NT security, 286–288
events, 176–178, 177
evidence collection, in possible litigation, 309
explicit access control, 126
external threats, 186–188

F

facial features, 78
file management
NT file system (NTFS), 98
UNIX security, 89–94
Windows NT security, 285–287
filtering (see packet filtering)
finding hackers, 311–312
fingerprints, 16, 78
firewalls, 26, 114, 185, 193
Internet Protocol (IP), 129, 150–151
Internet security, 188–189
intrusion detection systems (IDS), 194
IP security, 129
network security, 146–147, 149, 165–166, 168–169, 175, 264
Forum for Incident and Response Security Teams (FIRST), 327
forwarding of tickets, Kerberos, 66
fragmentation, network security, 116, 267, 268
FTP, 145, 151–152, 187–188, 189, 192, 267
network security, 151–152, 267
transmission control protocol (TCP), 145

G

gateways
Internet Protocol (IP), 130
network security, 148, 160, 165–166, 166, 175
Gauntlet firewall, 150
generic security services API (GSSAPI), Kerberos, 67
GetAdmin hack, access control, 104
global positioning system (GPS), 16
goals of computer security, 4–6
Gopher, 189
group IDs (GIDs), UNIX security, 31, 33, 62, 87–97, 113, 247–259
groups, 122–124
network security, 122–124
UNIX security, 30
Windows NT security, 39–40
guessing attacks, passwords, 44–47

H

hard links, UNIX security, 92–93
hash, cryptographic, 36, 308
heuristics to guess passwords, 45–46
hijacking sessions, 192, 319
Internet Protocol (IP), 136
network security, 267
transmission control protocol (TCP), 144
Windows NT security, 290
hop routing, Internet Protocol (IP), 130, 131
hot links for information, 327
HTML interfaces, 185–186
HTTP, 186–187, 189
network security, 152, 160
transmission control protocol (TCP), 145

I

IBM Network Security Auditor, 224–225
ICMP Echo, Internet Protocol (IP), 133
identification & authentication (I&A), 14–18, 22, 29–79, 162–163, 314–315, 321
accountability, 163
ACE/Server (Security Dynamics), 74–77
address-based authentication, 16, 125
AIX operating system, 29–30
application level authentication, 125–126
authentication servers, 52–71
authorization, 15
bilateral or mutual authentication, 17, 65, 67–68, 67
biometrics, 78
challenge-response authentication, 77–78
common desktop environment (CDE), 30
components must be trustworthy, 17–18
credentials for system use, 15
cryptography/encryption, 16, 53–54
data encryption standard (DES), 36
distributed authentication, 16, 120
domain controllers, 41–42, 43
groups, 122–124
hash, cryptographic, 36, 308
impersonation of network entities, 124
improving I&A, 71–78
intrusion detection, 78
Kerberos, 52
login security, 29
methods/objects of authentication, 15–16
network information system (NIS/NIS+), 37–39
network security, 119–126
nodes, 124–125
nonce, 42
one-time pads, 73
one-time passwords, 72
operating system security, 29
passwords, 15–16, 36, 42–52, 72
personal identification numbers (PINs), 75–76
plaintext passwords, 36
salt for password enhancement, 36–37
scope of entities in network, 122
smart cards, 74–76, 75
software applications, 122
storing passwords in central server, 37–39
strong authentication, 72–74
third-party authentication (See also authentication servers), 52–71
token cards, 74–76, 75
trusted third party, 17
two-factor authentication, 74–77
two-party authentication, 35
unilateral or one-way authentication, 35, 65
UNIX (See also UNIX security), 29, 30–39
users, 122–124
Windows NT (See also Windows NT security), 29, 39–42
X.509 digital certificates, 67–71
impersonation, 124
Internet Protocol (IP), 132, 133–137
network security, 158–159, 267
transmission control protocol (TCP), 143
UNIX security, 251–256
Windows NT security, 289–290
implicit access control, 126
inheritance, UNIX security, 34
init processes, 96–97
insertion attacks, 275
INSPECT language, 194, 280
instances, Kerberos, 55
instrumentation, 176–178, 177
integrity of data, 5–6
internal attacks, 182–186
International Computer Security Association, 327
Internet Activities Board (IAB), address assignment, IP, 130
Internet control message protocol (ICMP), Internet Protocol (IP), 130, 133–134
Internet history and development, 128
Internet Information Server (IIS) bugs, 159–160, 284
Internet Protocol (IP), 114, 188–189
address resolution protocol (ARP), 139–140
addressing, 130, 131
alive addresses, 130
assignment of addresses, 130
authentication headers (AH), IPsec, 138–139
binding addresses, 140
broadcast addresses, 131
classes of addresses, 130
common data security architecture (CDSA), 151
decimal notation in addresses, 130
denial of service attacks, 133, 137
domain name system (DNS), 140–141
encapsulation security payload (ESP), IPsec, 138, 139
firewalls, 129, 150–151
gateways, 130
hijacking sessions, 136
hop routing, 130, 131
ICMP Echo, 133
impersonation, 132, 133–137
Internet Activities Board (IAB), address assignment, 130
Internet control message protocol (ICMP), 130, 133–134
IP security (IPsec), 128–129, 138–139, 151
multicast addresses, 131
multicast backbone (Mbone) addresses, 131
nameservers, 140
namespaces, 140
network security, 128–141
octets in addresses, 130
one-half of session impersonation, 135–136
ping attacks, 133, 134–135
Ping of Death, 134–135
problems at IP layer, 132–138
risk assessment, 135, 136–137
routers, 130
routing interchange protocol (RIP), 141
single message attacks, 133
sniffing, 132
spoofing, 132, 133–137
supporting protocols, 139–141
time to live (TTL) values, 130
timeouts, 131
traceroute applications, 131
tracking attacks, 137–138
transmission control protocol (TCP/IP), 142–146
tunnel vs. transport mode transmissions, 139
virtual private networks (VPN), 129
Internet Scanner, 218–223, 220, 221
Internet security, 188–189
Internet Worm attack, passwords, 45
inter-process communication (IPC), access control, 85
interval-based security products, 24, 173–174
intrusion detection systems (IDS), 3, 23, 25–26, 157–159
access control, 104, 111, 163–164
accountability, 163
activity profiles, 176–178, 177
application level security, 176
audit IDs (AUID), 199–200
audit logs, 244–245
audit trails, 198–200
auditing, 175, 244–245
buffer overflow attack, 258–259
bugs, 245–246, 260–261
capturing packets for IDS analysis, 264–265, 266
combined products, 323
complex attacks, 206–207
concepts and definitions, 169–179
configuration errors, 245–246
cryptography/encryption, 175
data source security, 174–176, 193–200
denial of service attacks, 249–251
distributed intrusion detection, 241
engine categories, 170–173
event logs, 195
event monitoring, 244
events, 176–178, 177
firewalls, 194
generic model, 176–178, 177
identification & authentication (I&A), 78, 162–163
impersonation, 251–256, 289–290
instrumentation, 176–178, 177
integration into other products, 323
intercept routines, 193
interval-based security products, 173–174
layers of security, 188, 189, 190–193
limitations of IDS, 248
local attacks, 248–261
misuse detection vs., 169
monitoring security, 195–201, 242–243
network IDS advantages, 268–270
network security, 153
PATH hacking, 251–256
pattern matching detection, 170–173, 247–248, 260
privacy issues, 242–243
privilege escalation, 256–258, 288–289
real-time security products, 173–174
research, 323
risk assessment, 157–162, 245
root access problems, 256–258
rule sets, 176–178, 177
scope in pattern matching, 247–248, 255
self referencing and IDS, 324–325
sequence in pattern matching, 247–248
simple attacks, 206–207
sniffers, 263–281
statistical anomaly detection, 170–173
syslog event logger, 195–198
system level attacks, 259–260
tracing path of access, 200–206
vulnerability scanners (See also scanners), 173–174
Windows NT, 283–301
writing to another’s special files, 256
IP forwarding, network security, 148
IP security (IPsec), 128–129, 138–139, 151
IPX, 114
ISS SAFESuite scanner, 214–217, 218, 268

K

Kerberos, 52, 54–67, 327
abstract syntax notation 1 (ASN 1), 66
Andrew File System (AFS) vs., 63
attacks, 63–66
authentication server (AS), 55–61
authentication, bilateral/unilateral, 65
authenticators, 60, 65
benefits of use, 63
checksums, 63
complaints against Kerberos, 63–66
cryptography/encryption, 55, 63
delegation of tickets, 66
forwarding of tickets, 66
generic security services API (GSSAPI), 67
instances, 55
key distribution center (KDC), 54–61
login security (klogin), 57–59, 66
network security, 167
operating system integration, 62
passwords, 64–65
passwords, shadow files, 62
principals, 55
race condition, 65
realm, 55
session keys (SK), 55–61
step-by-step session, 59–61, 61
ticket granting server (TGS), 55–61
tickets, 64
time services/time clocks, 63
UNIX login security, 61–62
user datagram protocol (UDP), 64
Version 5, 66
Kerberos, 54–67
kernel, security kernel, 13–14, 117
key distribution center (KDC), Kerberos, 54–61
keys and locks, 16
keys, cryptographic, 53
keystroke patterns, 78
KSA and KSM (Security Dynamics), Windows NT security, 299–300

L

L0pht Heavy Industries, 243
labels, 18–20
layered network security model, 114–119, 115, 188, 189, 190–193
leakages, network security, 267
link counts, UNIX security, 92–93
local attacks, 248–261
local scanners, 211–212, 317
local security authority (LSA), Windows NT security, 40–41
local vulnerabilities, Windows NT security, 292–293
locked down versions of UNIX/NT, 162
locks, 45
login security, 9, 187–188, 192
brute force attacks (guessed password, etc.), 44
domain controllers, 41–42, 43
failed login and locks, 45
identification & authentication (I&A), 29–79
Kerberos, 57–59, 66
locks, 45
passwords, 42–52
shoulder surfing at login, 34
tracing path of access, 200–206
UNIX security, 34–35
Windows NT security, 40–41, 285, 292–293

M

mail applications (see e-mail)
mail protocols, network security, 123
mandatory access control, 18–20
Memco (SeOS), 104–110
message formats, network security, 119–120
message integrity, 68
Microsoft Internet Information Server (see Internet Information Server)
misuse detection vs. intrusion detection, 169
models (see security models)
monitoring security (See also auditing; event logs), 5, 23, 242–243
auditing, 20–21
event monitoring, 244
network security, 153, 166–168
policy for monitoring, 201
tracing path of access, 200–206
monitors, reference monitor, 10–12, 11
multicast addresses, Internet Protocol (IP), 131
multicast backbone (Mbone) addresses, Internet Protocol (IP), 131
multihomed hosts, network security, 148
mutual authentication, 17

N

nameservers, Internet Protocol (IP), 140
namespaces, Internet Protocol (IP), 140, 122–123
naming, network security, 127
NBSTAT command, Windows NT security, 291–292
NetRanger (IBM) sniffer, 194, 277
Network Flight Recorder, 279–280
network information system (NIS/NIS+), 37–39
network security, 24, 113, 315–316
access control, 126–128
address resolution protocol (ARP), 139–140
address-based authentication, 125
advantages of network IDS, 268–270
application level security, 125–126, 128, 145–146, 149, 191, 320–321, 320
attack recognition by IDS, 267–268
auditing, 169, 175
authentication headers (AH), IPsec, 138–139
bastion hosts, 148
between-layer security, 117
between-peer security, 117–119, 118
binding addresses, 140
boundary between network layers, 116
buffer overflow attacks, 267
bugs, 161–162
capturing packets for IDS analysis, 264–265, 266
common data security architecture (CDSA), 151
common gateway interface (CGI), 160
complexity of network security, 151–152
configuration errors, 158–162
cryptography/encryption, 149, 167–168, 175, 271–272, 274
data source security, 174–176
database management systems (DBMS), 124
database security, 124
denial of service attacks, 133, 137, 161, 267
destination addresses, 124
destination nodes vs. IDS, 273–276
distributed authentication, 120
domain controllers, Windows NT security, 39, 41–42, 43
domain name system (DNS), 127, 140–141, 267
e-mail, 152
encapsulation, 114
encapsulation security payload (ESP), IPsec, 138, 139
evasion attacks, 275
explicit access control, 126
features of IDS, 265–266
firewalls, 146–147, 149, 150–151, 165–166, 168–169, 175, 264
fragmentation, 116, 267, 268
FTP, 145, 151–152, 267
gateways, 148, 160, 165–166, 166, 175
group IDs (GIDs), 123
groups, 122–124
hijacking sessions, 136, 144, 267
HTTP, 145, 152, 160
ICMP Echo, 133
identification & authentication (I&A), 119–126
impersonation, 124, 132, 133–137, 143, 158–159, 267
implicit access control, 126
insertion attacks, 275
Internet control message protocol (ICMP), 130, 133–134
Internet Protocol (IP), 114, 128–141
intrusion detection systems (IDS), 153
IP forwarding, 148
IP security (IPsec), 138–139, 151
IPX, 114
Kerberos, 167
layers of information, 188, 189, 190–193
layers, 114–119, 115, 188, 189, 190–193
leakages, 267
locked down versions of UNIX/NT, 162
mail protocols, 123
message formats, 119–120
Microsoft Internet Information Server (IIS) bugs, 159–160
monitoring security, 153, 166–168
multihomed hosts, 148
nameservers, 140
namespaces, 122–123, 140
naming, 127
network entities, 120–122
network information system (NIS/NIS+), 37–39
network services auditor (NS Auditor), 169
NFS, 267
nodes, 120–122, 124–125
Notes client/servers, 122
one-half of session impersonation, 135–136
operating system security, 117, 121
packet filtering, 128, 147–149, 169, 175, 264
packet headers, 116
passwords, 42–52, 125–126
peer security, 117–119, 118, 165–166
phf hack, 160, 164, 267
ping attacks, 133, 134–135
Ping of Death, 134–135, 159, 176, 267
ports, 141–142
precedence of users, 123
promiscuous mode adapters, 264
protocols, hacker exploitation, 119–120
proxies, 149–150, 168, 169, 175
risk assessment, 135, 136–137, 157–162
rlogin-froot, 176, 267
routers, 127, 148, 158–159, 264
routing interchange protocol (RIP), 141
scope of entities in network, 122
screening routers, 148, 158–159, 161
security account manager (SAM), 40
security associations, IPsec, 138
security identifiers (SIDs), 123
security kernel, 13–14, 117
security within security, 122
sendmail bugs, 267
SeOS (Memco) to improve access control, 104–110
sequence number guessing, 143–144, 267
server security, 165–166
simple mail transfer protocol (SMTP), 123
single message attacks, 133
SMB, 114
sniffers, 49–50, 263–281, 319–320
sockets, socket addresses, 141–142
SOCKS proxies, 168
software applications, 122, 125–126
source addresses, 124
source routing, 148
spoofing, 132, 133–137, 158–159
subnets, 263–264
SYN Flood attack, 144, 159, 176, 267
synchronization, 116
system level attacks, 272–273
System Network Architecture (SNA), 114
Telnet, 121, 151–152
test.cgi attack, 160, 164, 165, 267
traceroute applications, 131
tracing path of access, 200–206
tracking attacks, 137–138
transmission control protocol (TCP/IP), 142–146
Trojan Horse, 175
trust, 128
trusted hosts, 145–146
tunnel vs. transport mode transmission, 139, 167–168, 168
unique identifiers, 127
UNIX systems, 121, 160
user datagram protocol (UDP), 141–142
username IDs (UIDs), 123
users, 122–124
virtual private networks (VPN), 146
vulnerability scanners, 268
weak CGI attacks, 161, 167
wrappers, 116
X.509 digital certificates, 152, 164–165
network services auditor (NS Auditor), network security, 169
network sniffer (see sniffer)
new attack detection, 243
NFS, network security, 267
NIDES project, 191
nodes, network security, 120–122, 124–125
nonce, 42
nonrepudiation, 6
nonvolatile RAM (NVRAM), 96
Notes client/servers, network security, 122
NT (see Windows NT security)
NTbugtraq, 288
ntfsdos.exe attack, Windows NT security, 292

O

objects, 3–4, 9–14, 84, 314
octets in addresses, Internet Protocol (IP), 130
offline attacks, passwords, 46–47
one-time pads, 73
one-time passwords, 72
online attacks, passwords, 44–47
operating system security, 7–9
access control, 7
bugs, 161–162
configuration files, tampering, 8
dependencies of security products, 7
entities, 7, 8
identification & authentication (I&A), 29–79
implementation of OS, 8
Kerberos, 62
layers of information, 188, 189, 190–193
login security, 9
network security, 117, 121
privileged programs, 107
scope of OS, 8
secure attention key (SAK), 49
security kernel, 13–14, 117
SeOS (Memco) to improve access control, 104–110
Trojan Horses, 49
trust boundaries, 7, 8
trust relationships, 7, 8–9
trusted path, 49
X.509 digital certificates, 70
out of band values, passwords, 35

P

packet filtering, 128, 147–149, 169, 175, 189, 194, 193, 264
packet headers, network security, 116
pads, one-time pads, 73
password grabbers, 14
passwords, 15–16, 42–52
brute force attacks, 44–47
bugs, 51
challenge–response authentication, 77–78
choosing a password, 44, 51–52
Crack penetration program, 46
cryptography/encryption, 35–37
data encryption standard (DES), 36
denial of service attacks, 44–47
dictionary of passwords, 45
easily guessed passwords, 44, 51–52
electromagnetic emissions monitoring, 50
grabber programs, 14
guessing attacks, 44–47
hash, cryptographic, 36
heuristics to guess passwords, 45–46
impersonation to gain passwords, 47–48
Internet Worm attack, 45
Kerberos, 62, 64–65
locking terminal, 45
network information system (NIS/NIS+), 37–39
network security, 125–126
nonce, 42
offline attacks, 46–47
one-time pads, 73
one-time passwords, 72
online attacks, 44–47
out of band values, 35
plaintext to ciphertext passwords, 36
reusable passwords, 42–43, 51–52
salt for password enhancement, 36–37
shoulder surfing, 48
sniffing, network sniffers, 49–50
social engineering, 47–49
storing passwords in central server, 37–39
strong authentication, 72–74
TEMPEST security project, 50
Trojan Horses, 49
UNIX security, 31–32, 35–39, 91–93
Windows NT security, 292–293
X.509 digital certificates, 70
PATH hacking, UNIX security, 251–256
pattern matching, 170–173, 239–240, 247–248, 260, 318
peer security, network security, 117–119, 118, 165–166
permissions (See also privilege escalation)
registry permissions, Windows NT security, 102
special permissions, 98–102
standard permissions, 98–102
UNIX security, 89–94, 94–96
Windows NT security, 98–102, 292–293
personal identification numbers (PINs), 75–76
phf hack, 160, 164, 267
Ping of Death, 133, 134–135, 159, 176, 267, 290
plaintext passwords, 36
policy, security policy, 4, 305–308
ports, user datagram protocol (UDP), 141–142
power on self tests (POST), 96
precedence of users, network security, 123
preventing security breaches, 25–26
principals, Kerberos, 55
privacy issues, 242–243
private keys, 53–54
privilege escalation attack, 184–185, 187–188, 256–258, 288–289
privileges
UNIX security, 33, 94–96
Windows NT security, 97–98, 283
privileged programs, 107
process IDs (PIDs), UNIX security, 33
process inheritance, UNIX security, 34
processes, Windows NT security, 283
promiscuous mode adapters, network security, 264
protocols, network security, hacker exploitation, 119–120
proxies, network security, 149–150, 168, 169, 175
public keys, 53–54
X.509 digital certificates, 67–68

R

race condition
Kerberos, 65
UNIX security, 92–93
read access, 10
real group IDs (RGIDs), 87–97, 247–259
real user IDs (RUID), 87–97, 247–259
realm, Kerberos, 55
RealSecure, 194, 277–279, 278, 297–298
real-time security products, 24, 173–174
reference monitor, 10–12, 11
access control, 164
auditing, 20–21
bugs, 164
security kernel, 13–14
registry information, Windows NT security, 39–40
registry permissions, Windows NT security, 102
rehearsing the response, 306–307
remote attacks, Windows NT security, 290–292
remote scanners, 212–213, 317
research in intrusion detection, 323, 327–328
responding to attacks, 25–26, 305–312
alerting others, 310
analyzing the attack, 309–310
auditing, 307–308
backups, 305–308, 310
cryptography/encryption, 308
disconnect/shut down of resources, 309
discovery of attack, 308–309
documentation of system, 305–308
evaluation of situation, 309
evidence collection for litigation, 309
logging events, 307–308
policy, security policy, 305–308
preparing beforehand, 305–308
pursuing the attacker, 311–312
rehearsing the response, 306–307
restoring system, 310
site security, 306
Tivoli Management Environment (TME), 308
training personnel in security, 306–307
warning users of potential threats, 307
restoring the attacked system, 310–311
retinal scans, 16
reusable passwords, 42–43, 51–52
rights, Windows NT security, 97–98
risk assessment, 3–4, 6–9, 245
impersonation likelihood, 136–137
Internet Protocol (IP), 135
network security, 157–162
vulnerability scanners (See also scanners), 173–174
rlogin-froot, 176, 193, 267
role-based models, 110
root access problems, 33, 103, 185–186, 193, 256–258
routers, network security, 127, 130, 148, 158–159, 264
routing interchange protocol (RIP), 141
RSA public-key cryptography, 53
rule sets, 176–178, 177

S

SAFESuite, Windows NT security, 297–298
salt for password enhancement, 36–37
SATAN, 268
saved set-group IDs (SSGID), UNIX security, 88
saved set-user IDs (SSUID), UNIX security, 88
scanners (See also vulnerability scanners), 22–23, 173–174, 181, 317, 324–325
scope in pattern matching, 247–248, 255
scope of entities in network, 122
screening routers, network security, 148, 158–159, 161
secondary group IDs, UNIX security, 87–97, 247–259
secret keys, 53
secure attention key (SAK), operating system security, 49
Secure Networks Inc. (SNI), 225, 243
secure socket layer (SSL), X.509 digital certificates, 69–70
security account manager (SAM), Windows NT security, 40
Security Dynamics, 74–77
security identifiers (SIDs), Windows NT security, 40–41, 97, 123
security kernel, 13–14, 117
security models, 3, 6–9
access control, 18–20, 22, 81–111
auditing, 14, 20–21
augment vs. replace existing security, 25
authorization databases, 10–12
authorization, 10–12
availability of data, 5–6
basic security model, 9–14, 314
centralized security, 24
classic security model, 3–4
classifying security products, 21–25
confidentiality of data, 5–6
distributed computing environments (DCE), 24
distributed security, 24
enhancing the basic security model, 14–21
existing vs. new data sources, 25
firewalls, 26
generic IDS model, 176–178, 177
goals of computer security, 4–6, 4
identification & authentication (I&A), 14–18, 22, 29–79
integrity of data, 5–6
interval-based security products, 24, 173–174
intrusion detection systems (IDS), 23, 25–26
layered network security model, 114–119, 115, 188, 189, 190–193
monitoring security, 23
network level security, 24
operating system security, 7–9
prevention, detection, response, 25–26
real-time security products, 24, 173–174
reference monitor, 10–12, 11
role-based models, 110
scanners (see vulnerability scanners)
security kernel, 13–14, 117
system level security, 24
Tivoli Management Environment (TME), 110
tradeoffs of security vs. accessibility of data, 23
trusted computing base (TCB), 14
security models, 6–9, 6
security reference monitor (SRM), Windows NT security, 283
security within security, network security, 122
self referencing and IDS, 324–325
sendmail bug, 189, 267
SeOS (Memco) to improve access control, 104–110, 193, 211–212
sequence in pattern matching, 247–248
sequence number guessing, 143–144, 267
servers
ACE/Server (Security Dynamics), 74–77
network information system (NIS/NIS+), 37–39
network security, 165–166
security kernel, 13–14, 117
storing passwords in central server, 37–39
session keys, Kerberos, 55–61
shadow password files, 31–32, 62
shared resource vulnerability, Windows NT security, 291
shoulder surfing, 34, 48
simple mail transfer protocol (SMTP), 123, 189
single message attacks, Internet Protocol (IP), 133
site security, 306
smart cards, 16, 74–76, 75
SMB, 114
sniffers, 263–281, 319–320
comparison of commercial sniffers, 276–280
cryptography/encryption vs., 271–272, 274
destination node setup, 273–276
internal attacks may be missed, 270–271, 271
Internet Protocol (IP), 132
limitations, 270–276
NetRanger (IBM) sniffer, 277
Network Flight Recorder, 279–280
passwords, 49–50
RealSecure, 277–279, 278
system level attacks may be missed, 272–273
Windows NT security, 284–285
social engineering, passwords, 47–49
sockets, socket addresses, user datagram protocol (UDP), 141–142
SOCKS proxies, 150, 168
software applications (See also application security), 122, 125–126
source addresses, network security, 124
source routing, network security, 148
spoofing, 18, 185, 191, 192, 319
Internet Protocol (IP), 132, 133–137
network security, 158–159
SRI, 179
Stalker, 227, 228–235
alternative configurations, 234–235
attacks detected, 232–233
Audit Management, 228, 229–230
choosing to use Stalker, 233–234
distributed intrusion detection, 241
ease of setup, 240–241
Misuse Detector (MD), 228, 231–232
monitoring security, 242–243
privacy issues, 242–243
Storage Manager, 228
threshold detection, 235
Trace/Browser (TB), 228, 230–231
version 3 Stalker, 235
statistical anomaly detection, 170–173, 240, 318
sticky bits, UNIX security, 91
strong authentication, 72–74
subjects (See also objects), 3–4, 9, 314
access control, 84
UNIX security, 33–34
Windows NT security, 40
subnets, 263–264
superuser privilege attacks, 185–186
superusers, UNIX security, 32–33
symbolic links, 92–93, 311
symmetric cryptography, 53
SYN Flood attack, 144, 159, 176, 191, 267, 290, 319
synchronization, network security, 116
syslog event logger, 195–198
system level security, 24, 317–318
network security, 272–273
sniffers, 272–273
UNIX security, 259–260
System Network Architecture (SNA), 114
system security scanners, 214–217, 317

T

tagging UIDs/GIDs, UNIX security, 33
Teardrop attack, 191, 290
Telnet, 121, 151–152, 189, 192
TEMPEST security project, passwords, 50
test.cgi hack, 160, 164, 165, 191, 267
third-party authentication (See also authentication servers), 17, 52–71
threads, Windows NT security, 283
threshold detection, 235
ticket granting server (TGS), Kerberos, 55–61
tickets, Kerberos, 64
time services/time clocks, Kerberos, 63
time to live (TTL) values, Internet Protocol (IP), 130
timeouts, Internet Protocol (IP), 131
Tivoli Management Environment (TME), 110, 244, 308, 322
token cards (See also smart cards), 74–76, 75
trace logs, SeOS, 109
traceroute applications, 131
tracing path of access, 200–206
tracking attacks, Internet Protocol (IP), 137–138
training personnel in security, 306–307
transmission control protocol (TCP), 142–146
application security, 145–146
FTP, 145
hijacking sessions, 144
HTTP, 145
impersonation, 143
sequence number guessing, 143–144
SYN Flood attack, 144
trusted hosts, 145–146
transparent proxies, 150
Tripwire, 94
Trojan Horses, 14, 24
network security, 175
operating system security, 49
passwords, 49
Windows NT security, 284
trust, access control, 128
trust boundaries
attack opportunities, 9
database security, 7
operating system security, 7, 8
trust relationships, 7, 8–9
trusted computing base (TCB), 14
trusted hosts, transmission control protocol (TCP), 145–146
trusted path, operating system security, 49
tunnel vs. transport mode transmission, network security, 139, 167–168, 168
two-factor authentication, 74–77
two-party authentication, 35

U

UC Davis web sites, 178
unilateral or one-way authentication, 35, 65
unique identifiers, network security, 127
UNIX security, 227–261, 327
access control, 81, 84–85, 87–97
audit ID (AUID), 88
audit logs, 244–245
auditing, 229–230, 244–245
background processes, 96
boot records, 96
browsing, 230–231
buffer overflow attack, 258–259
bugs, 245–246, 260–261
computer misuse detection system (CMDS), 227, 235–240
configuration errors, 245–246
credentials for I&A, 33, 34, 96
cryptography/encryption, 35–37
data encryption standard (DES), 36
denial of service attacks, 249–251
detection of attacks by Stalker, 232–233
discretionary access control (DAC), 33
distributed intrusion detection, 241
ease of security setup issues, 240–241
effective group IDs (EGID), 87–97, 247–259
effective user IDs (EUID), 87–97, 247–259, 247
Event Manager, 244
event monitoring, 244
FILE Delete audit events, 247
group IDs (GIDs), 31, 33, 62, 87–96, 123, 247–259
groups, 30
hard links, 92–93
hash, cryptographic, 36
identification & authentication (I&A), 29, 30–39
impersonation, 251–256
init processes, 96–97
intrusion detection systems (IDS), 111
Kerberos, 61–62
link counts, 92–93
local attacks, 248–261
locked down version, 162
login security, 34–35
monitoring security, 242–243
network information system (NIS/NIS+), 37–39
network security, 121, 160
new attack detection, 243
nonvolatile RAM (NVRAM), 96
out of band values, 35
password system, 31–32, 35–39, 91–93
PATH hacking, 251–256
pattern matching, 247–248, 260
permissions, file and directory, 89–94
permissions, increasing, 94–96
phf hack, 160, 164
plaintext to ciphertext passwords, 36
power on self tests (POST), 96
primary groups, 31
privacy issues, 242–243
privilege escalation attack, 184–185, 256–258
privileges, 33, 94–96
process IDs (PIDs), 33
process inheritance, 34
race condition, 92–93
real group IDs (RGIDs), 87–97, 247–259
real user IDs (RUID), 87–97, 247–259, 247
risk assessment, 245
root access problems, 33, 185–186, 256–258
salt for password enhancement, 36–37
saved set-group IDs (SSGID), 88
saved set-user IDs (SSUID), 88
secondary group IDs, 87–97
secondary groups, 31
security kernel, 13–14
SeOS (Memco) to improve access control, 104–110
shadow password files, 31–32
shoulder surfing at login, 34
Stalker, 227, 228–235
sticky bits, 91
storing passwords in central server, 37–39
subjects, 33–34
superuser privilege attacks, 185–186
superusers, 32–33
symbolic links, 92–93
syslog event logger, 195–198
system level attacks, 259–260
tagging UIDs/GIDs, 33
test.cgi hack, 160, 164, 165
threshold detection, 235
Tivoli Management Environment (TME), 110, 244
tracing, 230–231
two-party authentication, 35
UMASK settings, 185
unilateral or one-way authentication, 35
updating resources, 243
username IDs (UIDs), 30–31, 33, 62, 87–96, 123, 247–259
usernames, 30
users, 30
vulnerability scanners, 209
wrapper attacks, 90
writing to another’s special files, 256
updating resources, 243
Usenix Security, 243
user datagram protocol (UDP), 141–142
Kerberos, 64
ports, 141–142
sockets, socket addresses, 141–142
username IDs (UIDs), 30–31, 33, 62, 87–97, 113, 123, 247–259
usernames, UNIX security, 30
users, 122–124
database security, 7
network security, 122–124
precedence of users, 123
UNIX security, 30
Windows NT security, 39–40

V

virtual private networks (VPN), 129, 146
voice prints, 16, 78
vulnerability scanners (See also scanners), 173–174, 209–226, 268, 317
Ballista, 224
how they work, 209–211, 213–214
IBM Network Security Auditor, 224–225
Internet Scanner, 218–223, 220, 221
ISS SAFESuite, 214–217, 218
local scanners, 211–212
remote scanners, 212–213
system security scanners, 214–217
updating scanner products, 225
Windows NT security, 284

W

warning users of potential threats, 307
weak CGI attacks, 161, 167
WheelGroup, 225
Windows NT security, 327
.bat bug, 291
.cmd bug, 291
access control, 81, 84–85, 97–102, 285–287
access control entries (ACE), 98, 283
access control lists (ACL), 98, 283
access tokens, 283
Anonymous vulnerability, 291
auditing, 285–287
buffer overflow attacks, 292
bugs, 290
Centrax, 294–297, 295, 297, 318–319
comparison of IDS products, 293–300
configuration errors, 292–293
data source security, 284–288
discretionary access control (DAC), 98–102
domain controllers, 39, 41–42, 43
duplicate token system calls, 290
event logs, 195, 285–287
event records, 286–288
file management, 285–287
file system, NT (NTFS), 98
groups, 39–40
hijacking sessions, 290
identification & authentication (I&A), 29, 39–42
impersonation, 289–290
Internet information server (IIS), 284
intrusion detection systems (IDS), 111, 283–301
KSA and KSM (Security Dynamics), 299–300
local security authority (LSA), 40–41
local vulnerabilities, 292–293
locked down version, 162
login security, 40–41, 285, 292–293
NBSTAT command, 291–292
NTbugtraq, 288
ntfsdos.exe attack, 292
passwords, 292–293
permissions, 98–102, 292–293
Ping of Death, 290
privilege escalation, 288–289
privileges, 97–98, 283
processes, 283
RealSecure, 297–298
registry information, 39–40
registry permissions, 102
remote attacks, 290–292
rights, 97–98
SAFESuite, 297–298
security account manager (SAM), 40
security identifiers (SIDs), 40–41, 97, 123
security kernel, 13–14
security reference monitor (SRM), 283
security review, 283
SeOS (Memco) to improve access control, 104–110
shared resource vulnerability, 291
sniffers, 284–285
special permissions, 98–102
standard permissions, 98–102
subjects, 40
SYN Flood attack, 290
system level tools, 318–319
Teardrop attack, 290
threads, 283
Tivoli Management Environment (TME), 110
Trojan Horses, 284
users, 39–40
vulnerability scanners, 209, 284
what to monitor, 288–293
Winlogon, 40
workstations, security kernel, 13–14
wrappers, 90, 116
write access, 10

X

X.509 digital certificates, 54, 67–71, 152, 164–165, 321
attribute-value pairs, 68
bilateral authentication, 67–68
certificate authority (CA), 68, 69
certificate revocation list (CRL), 69
common data security architecture (CDSA), 70
cryptography/encryption, 70
digital signatures, 68
distinguished names, 68
message integrity, 68
operating system security, 70
passwords, 70
public key use, 67–68
secure socket layer (SSL) use, 69–70
X-Force Group, 225, 243

Z

zap program, 200