Friday, October 8, 2010

Intrusion Detection (ID) FAQ (Part 1)



What open standards exist for intrusion detection?

Intrusion detection has not yet arrived at open standards, but work is moving in that direction.

The Internet Engineering Task Force (IETF) is the body that develops Internet standards. It has a working group dedicated to developing a common format for IDS alerts. The group has completed the requirements phase, and the design is essentially finished, although specific details may still change slightly. Initial implementation work will probably lead to small changes before the standard is finalized. The current design sends IDS alerts in an XML-based format over an HTTP-like connection. A lot of work has gone into meeting the needs of IDS analysis while letting the protocol pass through firewalls in a natural way.

More participants are welcome. The IETF working group is open to anyone who wants to take part and has the skills. This is because individuals are always better able to propose the best way to solve a problem than an agenda handed down from the boss.

The working group's charter is at http://www.ietf.org/html.charters/idwg-charter.html, its mailing list at http://www.semper.org/idwg-public/, and its documents can be viewed at http://www.silicondefense.com/idwg. The ISO T4 committee has also put a lot of effort into a proposed intrusion detection framework. The progress of that project is unknown; the FAQ authors have no access to data on it.

The Common Intrusion Detection Framework (CIDF) was an attempt by the U.S. Defense Advanced Research Projects Agency (DARPA) at IDS data exchange. CIDF was not meant to become a standard that could affect commercial products; it was just a research project. CIDF development now appears to have stopped. CIDF used a Lisp-like format to exchange information about intrusion-related events, and a number of prototype systems were built using these messages. More information is available at http://www.gidos.org.

How can a network-based intrusion detection system be deployed in a high-traffic, switched network environment?

The main difficulty in deploying an intrusion detection system in a switched environment comes from the difference between hubs and switches. A hub is connectionless: every packet received on one port is copied to all the other ports. A switch, however, is connection-based: when a packet enters a switch port, a temporary connection is set up and the packet is forwarded only to its destination port. So in a hub environment we can place a probe anywhere we like, but with a switch we must use some means of making sure the sensor can see the traffic it needs to monitor.

The current options are taps, hubs, and spanning ports (in some places also called mirror ports). A switch's spanning port can be configured so that a pair of ports works like a hub. For example, in Figure 1 we want to monitor the connection between the switch and the resource machine, so we configure the switch to send the data passing through the resource machine's port to the port where the IDS sits. We can send the packets the resource machine sends, the packets it receives, or both. Some existing switches cannot guarantee that 100% of the monitored traffic will reach the span port, so even if the IDS is set to monitor all attacks, some attacks may still go undetected. Sometimes a switch allows only one port to be spanned at a time, which makes monitoring multiple hosts simultaneously very difficult or even impossible.



Using a tap is similar to using a hub. The hub or tap is placed in the middle of the monitored link, usually between two switches, between a switch and a router, between a server and a switch, and so on. In Figure 2 the hub is placed between the resource host and the switch. The network between the resource host and the switch keeps working, but because of how a hub behaves the network data is also copied to the IDS. This is somewhat like a spanning port, except that a spanning port can only monitor a single host. Connecting multiple machines through a hub causes network problems and offsets the other benefits of the switch, and using a fault-tolerant hub greatly increases cost. A tap is designed to be fault tolerant for the primary connection (that is, the connection from the resource host to the switch), and uses hardware to ensure that no errors occur.



In Figure 3 a tap is used to monitor a resource host. The tap is one-directional: it only allows traffic from the switch and the resource host to flow to the IDS. This prevents traffic from flowing from the IDS to the switch or the resource host; nothing goes back out from the IDS. Since taps are one-directional, we can feed the network traffic from several taps into a hub and ultimately have it monitored by the IDS, without causing network problems; see Figure 4.





What is a honeypot? How is a honeypot used?

A honeypot is a program that simulates one or more network services on specified ports of your computer. An attacker will think you are running vulnerable services and try to break into those systems. Honeypots can be used to record all activity on those ports, even including a record of the attacker's keystrokes. This gives you early warning of some coordinated attacks.

One honeypot program is the Deception Tool Kit (DTK), which can be downloaded from http://www.all.net/dtk/index.html. You can configure how each port responds to a connection.

Honeypots are run on well-known servers such as Web, e-mail, or domain name servers, which is appropriate because these systems are often the object of attack. Honeypots can also be used in place of a system that is being attacked.
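As an added example (not part of the FAQ, and not DTK's code), here is a minimal low-interaction honeypot in Python: it plays a constructed FTP-style banner on one port and records every byte the client sends, with timestamps, which is the keystroke log the answer describes. The banner text, the 127.0.0.1 addresses and the `talk_to_honeypot` client helper are constructed for the example.

```python
import socket
import threading
from datetime import datetime, timezone

class Honeypot:  # fake service on one port that logs every byte a client sends
    def __init__(self, banner, host="127.0.0.1", port=0, idle_timeout=5.0, max_bytes=4096):
        self.banner = banner              # constructed greeting of the fake service
        self.idle_timeout = idle_timeout  # drop clients that go quiet
        self.max_bytes = max_bytes        # cap per connection so a flood cannot exhaust memory
        self.events = []                  # one record per connection, for review or an IDS console
        self._done = threading.Condition()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]   # port 0 lets the OS pick a free one
    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
    def _accept_loop(self):
        while True:                       # one connection at a time is enough for an example
            conn, addr = self._sock.accept()
            self._handle(conn, addr)
    def _handle(self, conn, addr):
        record = {"peer": addr, "start": datetime.now(timezone.utc).isoformat(), "chunks": []}
        conn.settimeout(self.idle_timeout)
        try:
            conn.sendall(self.banner)     # look like the real service
            # keep reading until the client closes, goes quiet, or hits the byte cap
            while (data := conn.recv(1024)) and len(captured_input(record)) < self.max_bytes:
                record["chunks"].append((datetime.now(timezone.utc).isoformat(), data))
        except socket.timeout:
            record["note"] = "idle timeout"
        finally:
            conn.close()
            with self._done:
                self.events.append(record)
                self._done.notify_all()
    def wait_for_events(self, n, timeout=5.0):
        with self._done:                  # block until n records exist; returns a copy of the log
            self._done.wait_for(lambda: len(self.events) >= n, timeout)
            return list(self.events)

def captured_input(record):
    return b"".join(chunk for _, chunk in record["chunks"])   # everything one client sent, in order

def talk_to_honeypot(port, lines):
    with socket.create_connection(("127.0.0.1", port)) as c:  # constructed local client
        banner = c.recv(1024)
        for line in lines:
            c.sendall(line)
    return banner
```

Each record in `events` keeps the peer address, the start time and every received chunk with its own timestamp, so an analyst can replay what the client typed in order.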
