CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney

and the techniques being used in the attack. This process is referred to as sending them to the honeypot, and it’s described later in the section “Utilizing Honeypots.” Figure 4.13 illustrates a honeypot where a deception has been successful.

FIGURE 4.12 IDS instructing the firewall to close port 80 for 60 seconds to thwart an IIS attack

FIGURE 4.13 A network honeypot deceives an attacker and gathers intelligence.

The advantage of this type of response is that all activities are watched and recorded for analysis when the attack is completed. This is a difficult scenario to set up, and it’s dangerous to allow a hacker to proceed into your network, even if you’re monitoring the events.

This approach is frequently used when an active investigation is under way by law enforcement and they’re gathering evidence to ensure a successful prosecution of the attacker. Deception allows you to gather documentation without risking live data.

Remember that active responses are the least commonly implemented. The most effective ones are also the most costly and the hardest to put into practice.

Working with a Host-Based IDS

A host-based IDS (HIDS) is designed to run as software on a host computer system. These systems typically run as a service or as a background process. An HIDS examines the machine’s logs, system events, and application interactions; it normally doesn’t monitor incoming network traffic to the host. HIDSs are popular on servers that use encrypted channels to clients or to other servers, because a network-based sensor cannot inspect that traffic while the host sees it in the clear after decryption.

Figure 4.14 illustrates an HIDS installed on a server. Notice that the HIDS interacts with the logon audit and kernel audit files. The kernel audit files are used for process and application interfaces.

FIGURE 4.14 A host-based IDS interacting with the operating system

Two major problems with HIDS aren’t easily overcome. The first is compromise of the host itself: once an attacker has administrative rights on the system, the log files the IDS reads and reports to can be altered, deleted, or padded with misleading entries, which makes it hard to determine what happened and leaves the HIDS’s own output untrustworthy. For this reason its logs and alerts should be forwarded to a separate system as they are generated. The second major problem is that an HIDS must be deployed and maintained on each system that needs it, which can create a headache for administrative and support staff.

One of HIDS’s major benefits is the ability to keep checksums (cryptographic hashes) of critical files and compare them against a stored baseline. A mismatch tells system administrators that a file has been altered by an attack, and recovery is simplified because it’s easier to determine exactly where tampering has occurred. The baseline itself must be kept where an intruder on the host cannot rewrite it, for example on read-only media or on another system.
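The checksum feature described above, as an added example rather than code from the study guide or from any HIDS product: a baseline of SHA-256 digests (plus size and permission bits) is built for a directory tree, stored, and later compared against a fresh scan to report modified, added, and removed files. The file names and contents, and the tampering in demo(), are constructed in a temporary directory so the script runs offline.

```python
"""File-integrity baseline and check, in the style of a HIDS checksum feature.

Added example, not code from the study guide or from any product it names.
The sample files and the "tampering" are constructed in a temp directory so
the script runs offline; SHA-256 is used rather than a weak checksum such
as CRC so an attacker cannot craft a replacement file with the same value.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk root and record digest, size and permission bits for every regular file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were modified, added or removed since the baseline."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"] or new["mode"] != old["mode"]:
            report["modified"].append(rel)  # content or permissions changed
    report["added"] = list(set(current) - set(baseline))
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a baseline, then simulate an intrusion and run the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        # Constructed sample files standing in for a small piece of /etc.
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "etc/motd": "Authorized use only\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_baseline(root)
        # The baseline belongs off-host or on read-only media; a JSON round
        # trip stands in for that storage step.
        stored = json.loads(json.dumps(baseline))
        # Simulated tampering: a UID-0 account appended, a file deleted, and a
        # new file planted (constructed names, illustrative only).
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/bash\n")
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "etc/ld.so.preload"), "w") as f:
            f.write("/lib/evil.so\n")
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the three lists; in a real deployment the scan runs on a schedule, the report is shipped to a separate log host, and the baseline is re-signed only after a known-good change such as a patch.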

Host-based IDSs typically respond in a passive manner to an incident. An active response would theoretically be similar to those provided by a network-based IDS.

Working with NIPS

As opposed to Network Intrusion Detection Systems (NIDSs), Network Intrusion Prevention Systems (NIPSs) focus on prevention. These systems look for signature matches and then take a course of action: if it appears that an attack is under way, the offending packets can be dropped, the session reset, and so forth. To do this, the NIPS must first be able to detect the attack, so it can be argued that a NIPS is a NIDS with an enforcement capability added rather than a separate class of device.
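The relationship described above, as an added example that is not code from the study guide or from any IDS/IPS product: one detection routine matches byte-pattern signatures against a packet, and the only difference between the two modes is what is done with a hit. A NIDS records an alert and lets the packet pass (it is watching a copy of the traffic), while a NIPS, sitting inline, drops it. The signatures, packets, and port restrictions are constructed for the demonstration.

```python
"""Signature matching in detection (NIDS) and prevention (NIPS) mode.

Added example, not code from the study guide or from any product it names.
The signatures and packets below are constructed for the demonstration; a
real sensor reads from a network tap (NIDS) or sits inline in the forwarding
path (NIPS), and its rules are far richer than fixed byte patterns.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                  # byte sequence that must appear in the payload
    dst_port: Optional[int] = None  # restrict to one service, or None for any port


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    action: str                     # "pass", "alert" (NIDS) or "drop" (NIPS)
    matched: List[str] = field(default_factory=list)


# Constructed sample rules; names and patterns are illustrative only.
SIGNATURES = [
    Signature("http-dir-traversal", b"../..", 80),
    Signature("http-shell-metachar", b";/bin/sh", 80),
    Signature("smtp-vrfy-probe", b"VRFY ", 25),
]


def detect(pkt: Packet, sigs: List[Signature] = SIGNATURES) -> List[str]:
    """The detection step shared by both modes: names of every matching signature."""
    return [
        s.name
        for s in sigs
        if (s.dst_port is None or s.dst_port == pkt.dst_port) and s.pattern in pkt.payload
    ]


def inspect(pkt: Packet, prevent: bool) -> Verdict:
    """NIDS (prevent=False) alerts and lets the packet through; NIPS (prevent=True)
    runs the same detection but drops the packet instead of forwarding it."""
    hits = detect(pkt)
    if not hits:
        return Verdict("pass")
    return Verdict("drop" if prevent else "alert", hits)


def demo() -> dict:
    """Run a traversal attempt and a benign request through both modes."""
    attack = Packet("203.0.113.7", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
    benign = Packet("198.51.100.4", 80, b"GET /index.html HTTP/1.0\r\n")
    return {
        "nids_attack": inspect(attack, prevent=False).action,
        "nips_attack": inspect(attack, prevent=True).action,
        "nips_benign": inspect(benign, prevent=True).action,
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The same signature that only generates a log line in detection mode blocks real traffic in prevention mode, so a false positive in a NIPS is a self-inflicted denial of service. That is why new rules are normally run in alert-only mode and tuned before they are allowed to drop anything.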

The line between the two technologies continues to blur. For example, NIST now uses the combined term IDPS (intrusion detection and prevention system) in its guidance on the subject, Special Publication 800-94. While it is important to stay current on the terminology in the real world, know that the exam is frozen in time and you should be familiar with the older terminology for the questions you will face on it.

Log Files in Linux

There are a number of logs to check for entries that might indicate an intrusion. The primary ones you should examine are listed here:

/var/log/faillog Open a shell prompt and use the faillog utility to view a list of users’ failed authentication attempts.

/var/log/lastlog Open a shell prompt and use the lastlog utility to view a list of all users and when they last logged in.

/var/log/messages Use grep, or a derivative thereof, to find login-related entries in this file.

/var/log/wtmp Open a shell prompt and use the last command to view a list of users who have authenticated. The companion file /var/log/btmp records failed logins and is read with lastb.

Note that the exact locations vary by distribution: Debian-based systems write authentication events to /var/log/auth.log and Red Hat-based systems to /var/log/secure, and on systems running systemd the same entries are available through journalctl.
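The "grep, or a derivative thereof" step for /var/log/messages, as an added example that is not from the study guide: a short script that pulls sshd login entries out of syslog-format lines, counts failed attempts per source address, and flags a successful login that follows a run of failures from the same address, which is the pattern a password-guessing attack leaves behind. The log lines are constructed samples in the format sshd writes, and the threshold of three failures is an arbitrary choice for the demonstration.

```python
"""Find login-related entries in syslog-format lines and flag brute-force activity.

Added example, not from the study guide. SAMPLE_LOG is a constructed sample
in the format sshd writes to /var/log/messages (or auth.log / secure,
depending on the distribution); the threshold is an arbitrary choice.
"""
import re
from collections import Counter, defaultdict

# "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# "Accepted password|publickey for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port \d+"
)

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:12:01 web1 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:03 web1 sshd[2141]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:12:05 web1 sshd[2142]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:12:07 web1 sshd[2143]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:12:09 web1 sshd[2144]: Accepted password for root from 203.0.113.7 port 51266 ssh2
Mar  3 10:15:22 web1 sshd[2160]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:15:30 web1 sshd[2161]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
Mar  3 10:20:00 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""


def analyze(text: str, threshold: int = 3) -> dict:
    """Count failures per source address and flag logins that follow a run of failures.

    Returns {"brute_force": {ip: {"failures": n, "users": [...]}},
             "success_after_failures": [(user, ip, failures_before_success), ...]}.
    Lines that are not sshd login events (cron, kernel, ...) are skipped.
    """
    failures = Counter()
    users = defaultdict(set)
    suspicious_logins = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # A success after repeated failures from the same source is the
            # signature of a guessed password, not a user mistyping once.
            if failures[ip] >= threshold:
                suspicious_logins.append((user, ip, failures[ip]))
    brute = {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in failures.items()
        if n >= threshold
    }
    return {"brute_force": brute, "success_after_failures": suspicious_logins}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, info in result["brute_force"].items():
        print(f"{ip}: {info['failures']} failures against {', '.join(info['users'])}")
    for user, ip, n in result["success_after_failures"]:
        print(f"ALERT: {user} logged in from {ip} after {n} failures")
```

To run it against a real file, pass the contents of /var/log/messages (or auth.log / secure) to analyze() instead of SAMPLE_LOG. The single failure from 198.51.100.4 followed by a key-based login is ordinary user behaviour and is correctly left out of the report.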
