Slides - TERENA Networking Conference 2000

Practical Network Security: Experiences with ntop
Luca Deri
<deri@ntop.org, l.deri@finsiel.it>
Stefano Suin
<stefano@ntop.org>
Daily Network Security Problems
• Frequent security violations.
• Need to detect unauthorized services installed by users.
• Who is generating suspicious traffic?
• Identification of misconfigured and faulty hosts.
Terena 2000
Practical Network Security
2
What Do We Need?
• Traffic measurement.
• Traffic characterisation and monitoring.
• Detection of network security violations.
• Network optimisation and planning.
What's available on the Internet?
• Tcpdump, NeTraMet and RMON are tools for experts and are not well suited to security problems.
• NFR and Snort are good, but they detect only what their rules explicitly specify (misuse-detection IDS).
Requirements: Security
• Ability to detect common network problems automatically (i.e. without configuration).
• Track ongoing attacks and identify potential security holes.
• Rule language for advanced intrusion detection.
Welcome to ntop
ntop Architecture
(architecture diagram; components as listed in the figure, top to bottom)
• Output interfaces: HTTP, HTTPS, ODBC, SQL, UDP
• Report Engine
• Plugins
• Packet Analyser
• Traffic Rules
• Packet Sniffer
Ntop Security Features
• TCP/IP Stack Verification.
• Application Misuse.
• Intruder Detection.
TCP/IP Stack Verification [1/2]
• Invalid packets (ping of death, WinNuke).
• Stealth scanning.
• Improper TCP three-way handshakes (e.g. queso/nmap OS detection).
• SYN flood.
TCP/IP Stack Verification [2/2]
• Overlapping fragments.
• Peaks of RST packets.
• Unexpected SYN/ACK (sequence guessing) and SYN/FIN (port scan) packets.
• Smurfing (ICMP echo to a broadcast address).
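The checks on the two slides above are stateless per packet (SYN/FIN, smurf) or need a little state (half-open SYN counts, fragment ranges, SYN/ACKs that answer no SYN). The following is an added example, not ntop's own code: it parses hand-built IPv4/TCP/ICMP packets and raises the alarms described. The packet builders, alarm names, the broadcast address and the half-open threshold are assumptions made for the illustration.

```python
"""Added example (not ntop's code): a few of the TCP/IP stack checks from the
slides, run over hand-built packets. Builders, alarm names and the SYN-flood
threshold are assumptions made for this illustration."""
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def ip_bytes(a):
    return bytes(int(x) for x in a.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def ipv4(src, dst, proto, payload, ident=1, more=False, frag_off=0):
    """Minimal IPv4 header (checksum left zero; the checks below ignore it)."""
    fo = (0x2000 if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, fo,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload

def tcp(sport, dport, flags):
    """Minimal TCP header, data offset 5, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

class StackVerifier:
    def __init__(self, broadcast="10.0.0.255", syn_limit=3):
        self.broadcast = broadcast          # assumed directed-broadcast address
        self.syn_limit = syn_limit          # assumed half-open threshold per target
        self.half_open = defaultdict(set)   # dst -> {(src, sport, dport)}
        self.fragments = defaultdict(list)  # (src, dst, id) -> [(start, end)]
        self.alarms = []                    # (kind, src, dst)

    def feed(self, pkt):
        vihl, _, total, ident, fo, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        src, dst = ip_str(src), ip_str(dst)
        body = pkt[(vihl & 0x0F) * 4:total]
        more, off = bool(fo & 0x2000), (fo & 0x1FFF) * 8
        if more or off:
            self._fragment(src, dst, ident, off, off + len(body))
        if off:                             # transport header only in the first fragment
            return
        if proto == 6:
            self._tcp(src, dst, body)
        elif proto == 1:
            self._icmp(src, dst, body)

    def _fragment(self, src, dst, ident, start, end):
        seen = self.fragments[(src, dst, ident)]
        if any(start < e and end > s for s, e in seen):   # byte ranges overlap
            self.alarms.append(("overlapping_fragment", src, dst))
        seen.append((start, end))

    def _tcp(self, src, dst, body):
        sport, dport = struct.unpack("!HH", body[:4])
        flags = body[13]
        if flags & SYN and flags & FIN:     # never legitimate: scanner signature
            self.alarms.append(("syn_fin", src, dst))
        elif flags & SYN and not flags & ACK:
            self.half_open[dst].add((src, sport, dport))
            if len(self.half_open[dst]) == self.syn_limit + 1:
                self.alarms.append(("syn_flood", src, dst))
        elif flags & SYN and flags & ACK:   # must answer a SYN we have seen
            if (dst, dport, sport) in self.half_open[src]:
                self.half_open[src].discard((dst, dport, sport))
            else:
                self.alarms.append(("unexpected_synack", src, dst))

    def _icmp(self, src, dst, body):
        if body[0] == 8 and dst == self.broadcast:   # echo request to broadcast
            self.alarms.append(("smurf", src, dst))

def run_demo():
    """Feed constructed traffic; returns the alarm list in order of detection."""
    v = StackVerifier()
    for p in [
        ipv4("10.0.0.1", "10.0.0.2", 6, tcp(1025, 80, SYN)),          # normal handshake
        ipv4("10.0.0.2", "10.0.0.1", 6, tcp(80, 1025, SYN | ACK)),
        ipv4("10.0.0.1", "10.0.0.2", 6, tcp(1025, 80, ACK)),
        ipv4("10.0.0.9", "10.0.0.2", 6, tcp(40000, 22, SYN | FIN)),   # SYN/FIN scan
        ipv4("10.0.0.9", "10.0.0.2", 6, tcp(80, 40001, SYN | ACK)),   # no SYN preceded it
        ipv4("10.0.0.9", "10.0.0.255", 1, icmp_echo_request()),       # smurf amplifier probe
        ipv4("10.0.0.9", "10.0.0.2", 17, b"\0" * 16, ident=7, more=True),    # fragment 0-16
        ipv4("10.0.0.9", "10.0.0.2", 17, b"\0" * 16, ident=7, frag_off=8),   # 8-24 overlaps
    ] + [ipv4("10.0.0.9", "10.0.0.2", 6, tcp(50000 + i, 80, SYN)) for i in range(4)]:
        v.feed(p)
    return v.alarms
```

The normal handshake produces no alarm because the SYN/ACK is matched against the SYN recorded for the reverse direction and then cleared; only the scan, the orphan SYN/ACK, the broadcast echo, the overlapping fragment and the fourth half-open connection are reported.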
Application Misuse
• Buffer overflow attempts.
• Unauthorised application usage (e.g. Napster, ICQ).
• Misconfigured applications (e.g. peaks of DNS or NTP requests).
Intruder Detection
• Trojan horses (e.g. BO2K).
• Spoofing (more than one MAC address claims the same IP address).
• Spy detection (hosts sniffing in promiscuous mode, as found by neped).
• Network discovery (via ICMP, ARP).
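Two of the checks above can be driven from ARP alone: an IP address claimed by more than one MAC address, and one station asking for many addresses in turn (ARP-based discovery). The following is an added example, not ntop's code: it parses hand-built Ethernet/ARP frames and raises both alarms. The frame builder, the sweep threshold and the alarm names are assumptions made for the illustration.

```python
"""Added example (not ntop's code): the IP/MAC conflict and ARP discovery
checks from the slide, run over hand-built Ethernet/ARP frames. Frame builder,
threshold and alarm names are assumptions made for this illustration."""
import struct
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(a):
    return bytes(int(x) for x in a.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def arp_frame(op, smac, sip, tmac, tip):
    """Ethernet II + ARP for IPv4 over Ethernet. op 1 = request, 2 = reply."""
    eth = struct.pack("!6s6sH", mac_bytes(tmac), mac_bytes(smac), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(smac), ip_bytes(sip), mac_bytes(tmac), ip_bytes(tip))
    return eth + arp

class ArpWatcher:
    def __init__(self, sweep_limit=8):
        self.sweep_limit = sweep_limit        # assumed: distinct targets tolerated per sender
        self.ip_to_macs = defaultdict(set)    # sender IP -> MACs that have claimed it
        self.probed = defaultdict(set)        # sender MAC -> IPs it has asked for
        self.alarms = []

    def feed(self, frame):
        _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype != 0x0806:
            return
        _, _, _, _, op, smac, sip, _, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        smac, sip, tip = mac_str(smac), ip_str(sip), ip_str(tip)
        if sip == "0.0.0.0":                  # address probes carry no sender IP; nothing to learn
            return
        # every ARP packet, request or reply, asserts "sip is at smac"
        claimed = self.ip_to_macs[sip]
        if claimed and smac not in claimed:
            self.alarms.append(("ip_mac_conflict", sip, tuple(sorted(claimed | {smac}))))
        claimed.add(smac)
        if op == 1 and tip != sip:            # requests for other hosts count toward a sweep
            targets = self.probed[smac]
            targets.add(tip)
            if len(targets) == self.sweep_limit + 1:
                self.alarms.append(("arp_sweep", smac, len(targets)))

def run_demo():
    """Constructed traffic: one legitimate owner, one impostor, one subnet sweep."""
    w = ArpWatcher()
    frames = [
        arp_frame(1, "00:00:00:00:00:01", "10.0.0.1", BCAST, "10.0.0.5"),                # router asks
        arp_frame(2, "aa:aa:aa:aa:aa:01", "10.0.0.5", "00:00:00:00:00:01", "10.0.0.1"),  # real owner answers
        arp_frame(2, "bb:bb:bb:bb:bb:02", "10.0.0.5", "00:00:00:00:00:01", "10.0.0.1"),  # second MAC claims it
    ] + [arp_frame(1, "bb:bb:bb:bb:bb:02", "10.0.0.66", BCAST, f"10.0.0.{i}")
         for i in range(10, 20)]                                                          # walks the subnet
    for f in frames:
        w.feed(f)
    return w.alarms
```

The conflict check fires as soon as a second MAC claims an address already seen, whichever of the two is the real owner; resolving that needs an inventory, which the slide's "spoofing" bullet leaves to the operator.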
Ntop IDS Rules
• icmp route-advertisement ICMP_REDIRECT !gateway/any action alarm
• tcp root-ftp any/ftp any/any contains "230 User root logged in." action alarm
• udp new-port-open any/any any/!usedport action alarm
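To show what a rule language like the one above has to resolve (protocol, negated symbolic hosts such as !gateway, symbolic ports such as ftp, payload matching, and a state-dependent symbol such as usedport), here is an added example, not ntop's rule engine: a small interpreter that parses exactly the three rules on the slide and runs constructed traffic through them. The grammar is inferred from those three rules, and the meanings given to gateway, ftp and usedport (a known listener, or a reply to a flow already seen) are assumptions.

```python
"""Added example (not ntop's rule engine): a small interpreter for the three
rules on the slide. The grammar, the symbolic names (gateway, ftp, usedport)
and the bookkeeping behind "usedport" are assumptions inferred from the rules."""
import shlex
from collections import defaultdict

GATEWAYS = {"10.0.0.1"}              # assumption: the site's known routers
SERVICES = {"ftp": 21, "dns": 53}    # assumption: symbolic service ports
ICMP_TYPES = {"ICMP_REDIRECT": 5}

class State:
    """Facts kept across packets: known listening ports per host, flows seen so far."""
    def __init__(self, listeners):
        self.used_ports = defaultdict(set, {h: set(p) for h, p in listeners.items()})
        self.flows = set()           # (src, sport, dst, dport) of TCP/UDP packets seen

class Rule:
    def __init__(self, text):
        t = shlex.split(text)        # keeps the quoted contains-string as one token
        self.proto, self.name = t[0], t[1]
        if self.proto == "icmp":     # icmp <name> <ICMP_TYPE> <src>/<dst> ...
            self.icmp_type = ICMP_TYPES[t[2]]
            self.src, self.dst = t[3].split("/")
            self.sport = self.dport = "any"
        else:                        # tcp|udp <name> <src>/<sport> <dst>/<dport> ...
            self.icmp_type = None
            self.src, self.sport = t[2].split("/")
            self.dst, self.dport = t[3].split("/")
        opts = dict(zip(t[4::2], t[5::2]))   # trailing "keyword value" pairs
        self.contains = opts.get("contains", "").encode()
        self.action = opts.get("action", "log")

    @staticmethod
    def _split(spec):
        return spec.startswith("!"), spec.lstrip("!")

    def _host(self, spec, ip):
        neg, base = self._split(spec)
        ok = base == "any" or (ip in GATEWAYS if base == "gateway" else ip == base)
        return ok != neg

    def _port(self, spec, port, host, ev, st):
        neg, base = self._split(spec)
        if base == "any":
            ok = True
        elif base == "usedport":     # a known listener, or a reply to a flow we saw
            reply = (ev["dst"], ev["dport"], ev["src"], ev["sport"]) in st.flows
            ok = port in st.used_ports[host] or reply
        elif base in SERVICES:
            ok = port == SERVICES[base]
        else:
            ok = port == int(base)
        return ok != neg

    def matches(self, ev, st):
        if ev["proto"] != self.proto:
            return False
        if self.icmp_type is not None and ev.get("icmp_type") != self.icmp_type:
            return False
        if not (self._host(self.src, ev["src"]) and self._host(self.dst, ev["dst"])):
            return False
        if self.proto != "icmp" and not (
                self._port(self.sport, ev["sport"], ev["src"], ev, st)
                and self._port(self.dport, ev["dport"], ev["dst"], ev, st)):
            return False
        return self.contains in ev.get("payload", b"")

class Engine:
    def __init__(self, rules, listeners):
        self.rules = [Rule(r) for r in rules]
        self.state = State(listeners)

    def process(self, ev):
        """Names of alarm rules matched by one packet; the flow is recorded afterwards."""
        hits = [r.name for r in self.rules if r.action == "alarm" and r.matches(ev, self.state)]
        if ev["proto"] in ("tcp", "udp"):
            self.state.flows.add((ev["src"], ev["sport"], ev["dst"], ev["dport"]))
        return hits

RULES = [
    "icmp route-advertisement ICMP_REDIRECT !gateway/any action alarm",
    'tcp root-ftp any/ftp any/any contains "230 User root logged in." action alarm',
    "udp new-port-open any/any any/!usedport action alarm",
]

def pkt(proto, src, dst, sport=0, dport=0, payload=b"", icmp_type=None):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                payload=payload, icmp_type=icmp_type)

def run_demo():
    """Constructed traffic against the three rules; returns the alarms in order."""
    eng = Engine(RULES, listeners={"10.0.0.2": {21, 53}})   # assumed service inventory
    traffic = [
        pkt("icmp", "10.0.0.1", "10.0.0.5", icmp_type=5),    # redirect from the real gateway
        pkt("icmp", "10.0.0.66", "10.0.0.5", icmp_type=5),   # redirect from a rogue host
        pkt("tcp", "10.0.0.2", "10.0.0.5", 21, 1034, b"230 User alice logged in.\r\n"),
        pkt("tcp", "10.0.0.2", "10.0.0.5", 21, 1035, b"230 User root logged in.\r\n"),
        pkt("udp", "10.0.0.5", "10.0.0.2", 4000, 53),         # query to a known listener
        pkt("udp", "10.0.0.2", "10.0.0.5", 53, 4000),         # its reply, matched via the flow table
        pkt("udp", "10.0.0.7", "10.0.0.2", 2000, 31337),      # datagram to an unknown port
    ]
    return [hit for ev in traffic for hit in eng.process(ev)]
```

Without the flow table the reply from port 53 to the client's ephemeral port 4000 would itself look like a "new port" on the client, which is why a stateful meaning of usedport is needed for the third rule to be useful.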
Ntop Availability
• Home Page: http://www.ntop.org/
• Platforms: Win32 and Unix.
• License: GNU General Public License (GPL).