
Copyright © 2002-2012 Tenable Network Security, Inc.
then list the detected interactive or encrypted session as a vulnerability.
The PVS has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Sockets
Layer (SSL) and other protocols. Combined with its detection of interactive and
encrypted sessions, the PVS will likely log multiple forms of identification for the
detected sessions.
For example, with an SSH service running on a high port, it is likely that the PVS would not
only recognize this as an encrypted session, but would also recognize the version of SSH and
determine whether any vulnerabilities were associated with it.
ROUTES AND HOP DISTANCE
For active scans, one host can find the default route and an actual list of all routers between
it and a target platform. To do this, it sends one packet after another, each with a slightly larger
TTL (time to live) value. Each time a router forwards a packet, it decrements the TTL value
and sends it on. If a router receives a packet with a TTL value of one, it sends a message
back to the originating host that the TTL has expired. The originating host simply sends packets to
the target host with greater and greater TTL values, and collects the IP addresses of the
routers in between from their expiration messages.
Since the PVS is entirely passive, it cannot send packets to, or elicit packets from, the routers or target
computers. It can, however, record the TTL value of packets sent by a target machine. The TTL value is an
8-bit field, meaning it can contain a value between 0 and 255. Most machines use an initial
TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host
and any other host on the internet, the PVS uses a simple algorithm to map any observed
TTL to the number of hops.
For example, if the PVS sniffed a server sending a packet with a TTL of 126, this is closest
to 128, so the server is two hops away. The PVS does not know the IP addresses of the in-between
routers.
Modern networks have many devices such as NAT firewalls, proxies, load
balancers, intrusion prevention systems, routers, and VPNs that will rewrite or reset the
TTL value. In these cases, the PVS can report some very odd hop counts.
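The TTL-to-hop mapping described above, carried through as an added example (not PVS code): it assumes the initial TTL values and the 16-hop ceiling the text names, and the per-host TTL observations are constructed, not captured. It also flags the odd hop counts that TTL-rewriting devices produce, so a reader can see what "odd" looks like in practice.

```python
"""Passive TTL-to-hop estimation (added example; assumptions as noted)."""
from collections import Counter

INITIAL_TTLS = (32, 64, 128, 255)   # initial values most stacks use (from the text)
MAX_PLAUSIBLE_HOPS = 16             # ceiling the text assumes for Internet paths


def hops_from_ttl(observed_ttl):
    """Map one sniffed TTL to (assumed initial TTL, hop count).

    The sender's initial TTL is taken to be the smallest common initial value
    that is >= the observed TTL; the hop count is how far it was decremented.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field: %r" % observed_ttl)
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every 8-bit value")


def estimate_distance(observations):
    """Aggregate the sniffed TTLs of one host into a distance estimate.

    Returns the majority (initial TTL, hops) vote, the share of observations
    that agree with it, and an 'odd' flag when the count exceeds the ceiling
    or the observations disagree: the symptom of NAT, proxies or load
    balancers rewriting the TTL along the path.
    """
    votes = Counter(hops_from_ttl(ttl) for ttl in observations)
    (initial, hops), count = votes.most_common(1)[0]
    odd = hops > MAX_PLAUSIBLE_HOPS or len(votes) > 1
    return {"initial_ttl": initial, "hops": hops, "odd": odd,
            "agreement": count / len(observations)}


# Constructed observations: sniffed TTLs per source host (not real captures).
SNIFFED = {
    "10.0.0.5":  [126, 126, 126],   # two hops from a 128-initial host
    "10.0.0.9":  [60, 60, 61],      # 64-initial; one TTL rewritten en route
    "10.0.0.23": [100, 100],        # 28 "hops": TTL reset by a middlebox
}

if __name__ == "__main__":
    for host, ttls in SNIFFED.items():
        print(host, estimate_distance(ttls))
```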
ALERTING
When the PVS detects a real-time event, it can send the event to a local log file or send it
via SYSLOG to a log aggregator such as Tenable’s Log Correlation Engine and the
SecurityCenter, as well as internal log aggregation servers and third party security event
management vendors.
NEW HOST ALERTING
The PVS can be configured to detect when a new host has been added to the network. This
is not as simple as it sounds, and several parameters can be configured within the PVS to
increase or decrease the accuracy of detecting true change.
Initially, the PVS has no knowledge of your network’s active hosts, so the first packets that the
PVS sniffs would trigger an alert. To avoid this, the PVS can be configured to learn the
network over a period of days. Once this period is over, any “new” traffic would be from a
host that did not communicate during the initial training period.