Red Hat NETWORK 3.6 - Operating Manual, Page 25
Copyright © 2002-2012 Tenable Network Security, Inc.
In the above picture, three sessions labeled A, B, and C are shown communicating to, from,
and inside a focus network. In session A, the PVS only analyzes vulnerabilities observed on
the server inside the focus network and does not report client side vulnerabilities. In session
B, the PVS ignores vulnerabilities on the destination server, but reports client side
vulnerabilities. In session C, both client and server vulnerabilities are reported.
The PVS applies one more filter while looking for unique sessions: a dependency that
requires the host to be running a major service. These dependencies are defined by a list of
PVS plugin IDs that identify SSL, FTP and several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network
ranges and ports. For example, if a university ran a public FTP server that served thousands of
downloads each hour, it would make sense to disable interactive session detection on port 21 for
that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443, where
encrypted traffic is expected, eliminates some noise for the PVS.
DETECTING SERVER AND CLIENT PORTS
The method used by TCP connections to initiate communication is known as the “three-way
handshake”. This method can be compared to how a common telephone conversation is
initiated. If Bob calls Alice, he has effectively sent her a “SYN” packet, in TCP terms. She
may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The
communication is still not established, since Bob may have hung up as she was answering.
The communication is established when Bob replies to Alice, sending her an “ACK”.
The PVS configuration interface (the pvs.conf file) enables PVS to log network client activity.
On Unix systems, this is accomplished via the connections-to-services keyword in the
pvs.conf file.
Whenever a system within the monitored network range tries to connect to a server over
TCP, the connecting system emits a TCP SYN packet. If the port the client is connecting
to is open, the server responds with a TCP “SYN/ACK” packet. At this point, PVS
records both the client address and the server port the client is connecting to. If the port on
the server is not open, the server does not respond with a TCP SYN/ACK packet. In
this case, since PVS never sees a TCP “SYN/ACK” response from the server, PVS does not
record the fact that the client tried to connect to the server port, because the port is not
available to that client.
The Unix “connections-to-services” option does not track how many times the
connection was made. If the same host browses the same web server a million times, or
browses a million different web servers once, the host will still be marked as having
browsed on port 80. This data is logged as Nessus ID #00002.
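The following is an added example, not code from the PVS manual or from Tenable, that mirrors the logic described in the two paragraphs above: a client/server-port record is created only when a SYN from a client inside the monitored range is answered by a matching SYN/ACK, and the record is a set, so repeated connections to the same port (or to many servers on the same port) yield a single entry. The packet records, addresses, ports and the helper names `track_client_connections` and `repeated_connections` are all constructed for illustration and are not PVS internals.

```python
import ipaddress
from collections import namedtuple

# Constructed packet summaries (not a real capture): one TCP segment per record.
Packet = namedtuple("Packet", "src sport dst dport flags")

SYN = 0x02
ACK = 0x10
SYN_ACK = SYN | ACK


def track_client_connections(packets, monitored_range):
    """Return the set of (client_ip, server_port) pairs for which a SYN from a
    client inside monitored_range was answered with a SYN/ACK from the server.

    A SYN that is never answered (closed or filtered port) is not recorded, an
    unsolicited SYN/ACK with no matching SYN is ignored, and the result is a set,
    so the number of connections to a given port is deliberately not tracked.
    """
    net = ipaddress.ip_network(monitored_range)
    pending = set()    # (client, client_port, server, server_port) awaiting SYN/ACK
    observed = set()   # (client, server_port): the "client browsed port N" record

    for p in packets:
        # Pure SYN (no ACK bit) from a host inside the monitored range: note the attempt.
        if (p.flags & SYN_ACK) == SYN and ipaddress.ip_address(p.src) in net:
            pending.add((p.src, p.sport, p.dst, p.dport))
        # SYN/ACK: reverse the 4-tuple and see whether we saw the client's SYN.
        elif (p.flags & SYN_ACK) == SYN_ACK:
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending:
                pending.discard(key)
                observed.add((p.dst, p.sport))   # client address, server port
    return observed


# Constructed sample traffic covering the cases the text describes.
SAMPLE_PACKETS = [
    # 1. Monitored client completes a handshake to a web server on port 80.
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, SYN),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, SYN_ACK),
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, ACK),
    # 2. Same client, a different web server on port 80: still one (client, 80) record.
    Packet("10.0.0.5", 40001, "198.51.100.7", 80, SYN),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, SYN_ACK),
    # 3. Same client probes a closed port 23: no SYN/ACK, so nothing is recorded.
    Packet("10.0.0.5", 40002, "198.51.100.7", 23, SYN),
    # 4. Client outside the monitored range gets a SYN/ACK, but is not tracked.
    Packet("203.0.113.9", 51000, "10.0.0.5", 22, SYN),
    Packet("10.0.0.5", 22, "203.0.113.9", 51000, SYN_ACK),
    # 5. SYN/ACK with no preceding SYN (e.g., capture started mid-handshake): ignored.
    Packet("192.0.2.1", 443, "10.0.0.5", 40005, SYN_ACK),
]


def repeated_connections(n, monitored_range="10.0.0.0/24"):
    """Replay the port-80 handshake n times on top of SAMPLE_PACKETS to show that
    the record does not grow with the number of connections."""
    burst = [
        Packet("10.0.0.5", 40000, "93.184.216.34", 80, SYN),
        Packet("93.184.216.34", 80, "10.0.0.5", 40000, SYN_ACK),
    ] * n
    return track_client_connections(SAMPLE_PACKETS + burst, monitored_range)


if __name__ == "__main__":
    print(track_client_connections(SAMPLE_PACKETS, "10.0.0.0/24"))  # {('10.0.0.5', 80)}
    print(repeated_connections(1000))                                 # {('10.0.0.5', 80)}
```

Matching on the reversed 4-tuple rather than on addresses alone is what keeps an unsolicited SYN/ACK (case 5) or a SYN/ACK destined for a host outside the monitored range (case 4) from producing a record; in a real passive sensor the pending table would also need a timeout so that unanswered SYNs do not accumulate.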