TY  - BOOK
AU  - Bejtlich, Richard
TI  - The tao of network security monitoring: beyond intrusion detection
SN  - 0321246772
PY  - 2005///
CY  - Boston
PB  - Addison-Wesley
KW  - NETWORK SECURITY
KW  - SECURITY AND PROTECTION
KW  - network properties
N1  - Contains index; Part I Introduction to network security monitoring -- Chapter 1 The security process -- What is security? -- What is risk? -- A case study on risk -- Security principles: characteristics of the intruder -- Security principles: phases of compromise -- Security principles: defensible networks -- Conclusion -- Chapter 2 What is network security monitoring? -- Indications and warnings -- Collection, analysis, and escalation -- Detecting and responding to intrusions -- Why do IDS deployments often fail? -- Outsiders versus insiders: what is NSM's focus? -- Security principles: detection -- Security principles: limitations -- What NSM is not -- NSM in action -- Conclusion -- Chapter 3 Deployment considerations -- Threat models and monitoring zones -- Accessing traffic in each zone -- Wireless monitoring -- Sensor management -- Conclusion -- Part II Network security monitoring products -- Chapter 4 The reference intrusion model -- The scenario -- The attack -- Conclusion -- Chapter 5 Full content data -- A note on software -- Libpcap -- Tcpdump -- Tethereal -- Snort as packet logger -- Finding specific parts of packets with tcpdump, tethereal, and snort -- Ethereal -- A note on commercial full content collection options -- Conclusion -- Chapter 6 Additional data analysis -- Editcap and mergecap -- Tcpslice -- Tcpreplay -- Tcpflow -- Ngrep -- Ipsumdump -- Etherape -- Netdude -- P0f -- Conclusion -- Chapter 7 Session data -- Forms of session data -- Cisco's NetFlow -- Fprobe -- Ng_tools -- sFlow and sFlow Toolkit -- Argus -- Tcptrace -- Conclusion -- Chapter 8 Statistical data -- What is statistical data? -- Cisco accounting -- Ipcad -- Ifstat -- Bmon -- Trafshow -- Ttt -- Tcpdstat -- MRTG -- Ntop -- Conclusion -- Chapter 9 Alert data: Bro and Prelude -- Bro -- Prelude -- Conclusion -- Chapter 10 Alert data: NSM using Sguil -- Why Sguil? -- So what is Sguil? -- The basic Sguil interface -- Sguil's answer to "now what?" -- Making decisions with Sguil -- Sguil versus the reference intrusion model -- Conclusion -- Part III Network security monitoring processes -- Chapter 11 Best practices -- Assessment -- Protection -- Detection -- Response -- Back to assessment -- Conclusion -- Chapter 12 Case studies for managers -- Introduction to Hawke Helicopter Supplies -- Case study 1: Emergency network security monitoring -- Case study 2: Evaluating managed security monitoring providers -- Case study 3: Deploying an in-house NSM solution -- Conclusion -- Part IV Network security monitoring people -- Chapter 13 Analyst training program -- Weapons and tactics -- Telecommunications -- System administration -- Scripting and programming -- Management and policy -- Training in action -- Periodicals and web sites -- Case study: staying current with tools -- Conclusion -- Chapter 14 Discovering DNS -- Normal port 53 traffic -- Suspicious port 53 traffic -- Malicious port 53 traffic -- Conclusion -- Chapter 15 Harnessing the power of session data -- The session scenario -- Session data from the wireless segment -- Session data from the DMZ segment -- Session data from the VLANs -- Session data from the external segment -- Conclusion -- Chapter 16 Packet monkey heaven -- Truncated TCP options -- SCAN FIN -- Chained covert channels -- Conclusion -- Part V The intruder versus network security monitoring -- Chapter 17 Tools for attacking network security monitoring -- Packit -- IP Sorcery -- Fragroute -- LFT -- Xprobe2 -- Cisco IOS denial of service -- Solaris sadmind exploitation attempt -- Microsoft RPC exploitation -- Conclusion -- Chapter 18 Tactics for attacking network security monitoring -- Promote anonymity -- Evade detection -- Appear normal -- Degrade or deny collection -- Self-inflicted problems in NSM -- Conclusion -- Epilogue The future of network security monitoring -- Remote packet capture and centralized analysis -- Integration of vulnerability assessment products -- Anomaly detection -- NSM beyond the gateway -- Conclusion
ER  - 