When taking into account e-mail protection, we often resort to e-mail virus-scanning software to mitigate exposure. These programs have matured over the years and have become a formidable defense against attacks stemming from e-mail. Snort has many rules that can detect e-mail viruses such as the QAZ worm, NAVIDAD worm, and the newest versions of ExploreZip. In response to a brand-new threat or a revision of an existing virus, Snort rules can be modified immediately. Viruses are often in the wild for a considerable amount of time before virus-scanning companies respond with updates; this delay can prove to be costly.

In addition, one should develop a comprehensive approach to e-mail security by considering the possibility of an attack on the server itself. Snort has the capability to detect viral e-mail content while simultaneously protecting the e-mail server from attack. This added functionality makes Snort stand out. You can configure Snort to detect and block e-mail bombers, as well as other exploits that might disable your e-mail services.
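The two e-mail checks the text attributes to Snort, an attachment-name signature for mail-borne worms and a rate check that flags an e-mail bomber, written here as an added stand-alone Python illustration rather than Snort's own rule engine. The log line format, the sender addresses, the signature list and the thresholds are all constructed for this example and are not taken from the book or from Snort's shipped rules.

```python
"""Added example: two e-mail checks over constructed SMTP log lines.
  1. attachment-name signatures for known mail-borne worms, and
  2. a sliding-window rate check that flags an e-mail bomber.
Log format, addresses, signatures and thresholds are all constructed."""
from collections import defaultdict, deque
import re

# Constructed signature set (assumption for illustration, not Snort's rule set).
ATTACHMENT_SIGNATURES = {
    "navidad.exe": "NAVIDAD worm attachment",
    "zipped_files.exe": "ExploreZip worm attachment",
}

# Constructed log format: "<epoch> from=<addr> rcpt=<addr> attach=<name|->"
LOG_RE = re.compile(r"^(?P<ts>\d+) from=(?P<from>\S+) rcpt=(?P<rcpt>\S+) attach=(?P<attach>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def match_attachment(rec):
    """Return the signature description if the attachment name is on the list."""
    return ATTACHMENT_SIGNATURES.get(rec["attach"].lower())


class BombDetector:
    """Flag a sender that exceeds `limit` messages within any `window` seconds."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # sender -> timestamps inside the window

    def observe(self, rec):
        q = self.history[rec["from"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:   # expire old timestamps
            q.popleft()
        return len(q) > self.limit


def scan(lines, limit=5, window=60):
    """Run both checks over log lines; return a list of (ts, sender, reason)."""
    alerts = []
    bomb = BombDetector(limit, window)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig = match_attachment(rec)
        if sig:
            alerts.append((rec["ts"], rec["from"], sig))
        if bomb.observe(rec) and rec["from"] not in flagged:
            flagged.add(rec["from"])            # alert once per offending sender
            alerts.append((rec["ts"], rec["from"], "mail bomb: rate limit exceeded"))
    return alerts


# Constructed sample log: one worm attachment plus one sender firing seven messages in 30 s.
SAMPLE_LOG = [
    "1000 from=alice@example.test rcpt=bob@example.test attach=-",
    "1005 from=mallory@example.test rcpt=bob@example.test attach=NAVIDAD.EXE",
] + [f"{1010 + 5 * i} from=bomber@example.test rcpt=helpdesk@example.test attach=-" for i in range(7)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The rate check keeps only timestamps inside the window, so a sender who spreads the same number of messages over a longer period is not flagged; the `window` and `limit` values are the tuning knobs a site would set from its own normal mail volume.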

Using an IDS to Monitor My Company Policy

In today’s litigious society, given the enormous legal interest in subjects such as downstream litigation and intellectual property rights, it would be prudent to consider monitoring for compliance with your company’s security policy. Major motion picture companies have employed law firms specializing in Internet theft of intellectual property. Recently, many companies were sued because their employees illegally downloaded the motion picture Spiderman. Some of the employees involved were not aware that their computers were taking part in a crime. Nevertheless, the fines for damages were stiff—up to $100,000 in some cases.

Many file-sharing programs, such as Kazaa and Gnutella, are often used to share content that is federally prohibited. Computers are networked with computers in other countries that have differing laws. In the United States, the possession of child pornography is a federal offense. One is liable under the law simply for possessing it and can be held accountable whether one deliberately downloaded the content or not.

What About Intrusion Prevention?

A hot topic among security administrators is the idea of an intrusion prevention system, or IPS. Recent years have seen an explosion of IPSes on the market, promising everything from attack prevention to attacker profiling, and, most controversially, active response which may even include striking back against intruders. Many people see an inherent conflict between firewall priorities and IDS priorities, as firewalls are dedicated to blocking or allowing traffic on the network and transport layers of the OSI model, where IDSes primarily dedicate their resources to deep packet inspection and alerting. Although it is possible to do both on one device, in cases of scant computing resources and fast pipes, that can become increasingly difficult.

It may be useful to clarify the difference between inline IDSes and IPSes. An inline IDS is deployed at a choke point in one’s network topology, forcing all traffic to flow through the inline IDS device. This allows the IDS to selectively drop traffic that matches its signature base of malicious attack traffic. (Chapter 11 covers the deployment of Snort-inline as this sort of inline IDS in some detail.) An IPS, on the other hand, generally takes an even more active stance than an inline IDS. Most IPSes are deployed in an inline configuration, but not all are. IPSes deployed in the less-common one-armed configuration generally attempt to prevent malicious traffic from continuing by issuing TCP resets to one or both participants in the conversation. However, this is less effective than being inline and simply dropping, disrupting, or otherwise controlling the traffic. IPSes may optionally take additional action such as dynamically adding the attacking machine to block lists, performing network block ownership lookup, and in some cases scanning the attacking system back. Active response that includes blocking or session reset is generally accepted, though false positives in this have a greater network impact than IDS alerts. However, strike-back is still greatly controversial, not to mention legally ambiguous, and so not generally implemented.

Summary

IDSes can serve many purposes in a defense-in-depth architecture. In addition to identifying attacks and suspicious activity, you can use IDS data to identify security vulnerabilities and weaknesses.

IDSes can enforce security policy. For example, if your security policy prohibits the use of file-sharing applications such as Kazaa and Gnutella, or messaging services such as Internet Relay Chat (IRC) or instant messengers, you could configure your IDS to detect and report these breaches of policy.
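The three response postures contrasted in the "What About Intrusion Prevention?" section (a passive sensor that only alerts, an inline IDS that drops the matching packet before it is forwarded, and a one-armed IPS that forwards the packet and then issues TCP resets) and the policy-enforcement use just described, combined into one added Python model. It is not Snort, Snort-inline or any real IPS; the rule patterns, packets and addresses are constructed, and the Gnutella and IRC content strings are assumptions chosen for illustration.

```python
"""Added example: a toy sensor in three response modes over constructed packets,
using policy signatures (file sharing, IRC) as its rule base. Not real IPS code."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed policy rules: (name, byte pattern that must appear in the payload).
POLICY_RULES = [
    ("policy: Gnutella handshake", b"GNUTELLA CONNECT/"),
    ("policy: IRC nick registration", b"NICK "),
]


def match_rules(pkt, rules=POLICY_RULES):
    """Return the names of all rules whose content pattern appears in the payload."""
    return [name for name, pattern in rules if pattern in pkt.payload]


@dataclass
class Sensor:
    """mode is 'passive', 'inline' or 'one-armed'."""
    mode: str
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)   # packets the far side actually receives
    resets: list = field(default_factory=list)      # (participant, reason) reset actions

    def process(self, pkt):
        hits = match_rules(pkt)
        if hits:
            self.alerts.append((pkt.src, pkt.dst, hits[0]))
        if self.mode == "inline" and hits:
            return "drop"                    # inline: the packet never reaches its destination
        # A passive or one-armed sensor only sees a copy; the packet is delivered regardless.
        self.forwarded.append(pkt)
        if self.mode == "one-armed" and hits:
            # Reset both participants. The offending payload has already been delivered,
            # which is exactly why the text calls this less effective than being inline.
            self.resets.append((pkt.src, hits[0]))
            self.resets.append((pkt.dst, hits[0]))
            return "reset"
        return "alert" if hits else "pass"


# Constructed traffic: a Gnutella handshake, an ordinary HTTP request, an IRC registration.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.9", b"GNUTELLA CONNECT/0.6\r\n"),
    Packet("10.0.0.5", "203.0.113.9", b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.7", "198.51.100.2", b"NICK hidden_user\r\n"),
]


def run(mode, traffic=SAMPLE_TRAFFIC):
    """Push the sample traffic through a sensor in the given mode; return (sensor, verdicts)."""
    sensor = Sensor(mode)
    verdicts = [sensor.process(p) for p in traffic]
    return sensor, verdicts


if __name__ == "__main__":
    for mode in ("passive", "inline", "one-armed"):
        s, verdicts = run(mode)
        print(f"{mode:10} {verdicts} forwarded={len(s.forwarded)} resets={len(s.resets)}")
```

All three modes raise the same two alerts; they differ only in what reaches the destination. Counting `forwarded` per mode is the quickest way to see the difference the text draws between dropping inline and resetting from a one-armed position.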

IDSes are an invaluable source of evidence. Logs from an IDS can become an important part of computer forensics and incident-handling efforts. Detection systems are used to detect insider attacks by monitoring outbound traffic from Trojans or tunneling and can be used as incident management tools to track an attack.

You can use a NIDS to record and correlate malicious network activities. The NIDS is stealthy and can be implemented to passively monitor or to react to an intrusion.

The HIDS plays a vital role in a defense-in-depth posture; it represents the last bastion of hope in an attack. If the attacker has bypassed all of the perimeter defenses, the HIDS might be the only thing preventing total compromise. The HIDS resides on the host machine and is responsible for packet inspection to and from that host only. It can monitor encrypted traffic at the host level, and it is useful for correlating attacks that are detected by different network sensors. Used in this manner, it can determine whether the attack was successful. The logs from a HIDS are a vital resource in reconstructing an attack or determining the severity of an incident.

Solutions Fast Track

What Is Intrusion Detection?

Unauthorized access, or intrusion, is an attempt to compromise, or otherwise do harm to, your network.

Intrusion detection involves the act of detecting unauthorized and malicious access by a computer or computers.

IDSes use footprints or signatures to identify malicious intrusions.

A Trilogy of Vulnerabilities

Directory Traversal The Directory Traversal exploit, or “dot-dot-slash” (“../”) attack, could be used against IIS 4.0 and 5.0 if extended Unicode characters were used to represent the “/” and “\” characters. If a hacker entered a URL built on this pattern into his browser, he could force the victim’s computer to execute any command he wanted.
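A defender-side normaliser for the Unicode-encoded traversal described above, added here as an illustration; it is not from the book and is not Snort's http_inspect preprocessor. It percent-decodes a request path, folds overlong two-byte UTF-8 sequences (lead byte 0xC0 or 0xC1) back to the ASCII byte they stand for, and only then looks for a “..” path segment, which is the order a detector has to use if encoded slashes are to be caught. All request paths in the block are constructed.

```python
"""Added example: normalise a request path (percent-decoding plus folding of
overlong UTF-8 forms of '/' and '\\') before checking for a '..' segment.
Sample paths are constructed; this is not http_inspect."""
import re

HEX2 = re.compile(rb"[0-9A-Fa-f]{2}")


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes into raw bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x25 and i + 2 < len(raw) and HEX2.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def fold_overlong(raw: bytes) -> bytes:
    """Map overlong two-byte forms to ASCII: C0 AF -> '/', C1 9C -> '\\'.
    A strict UTF-8 decoder rejects these sequences; a decoder that accepts
    them lets an encoded '../' slip past a check done before decoding."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(path: str, passes: int = 2) -> bytes:
    """Two decode passes so that double encoding (e.g. %252e) is also unwrapped."""
    raw = path.encode("utf-8")
    for _ in range(passes):
        raw = fold_overlong(percent_decode(raw))
    return raw


def is_traversal(path: str) -> bool:
    """True when any path segment, after normalisation, is exactly '..'."""
    segments = re.split(rb"[/\\]", normalize(path))
    return b".." in segments


# Constructed request paths: two benign (one with '..' inside a file name), two encoded traversals.
SAMPLE_PATHS = [
    "/images/logo.png",
    "/docs/file..txt",
    "/cgi/..%c0%af..%c0%afconfig.txt",
    "/a/..%255c..%255cb",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:40} -> {normalize(p)!r:32} traversal={is_traversal(p)}")
```

Checking whole segments rather than searching for the substring “..” keeps file names such as `file..txt` from triggering; the second decode pass is a deliberate trade-off that catches double encoding at the cost of flagging the rare legitimate path that literally contains `%2e%2e`.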

CodeRed On July 19, 2001, the CERT Advisory CA-2001-19 “CodeRed Worm Exploiting Buffer Overflow in Indexing Service DLL” was released. The overview stated that CERT/CC had received reports of a new self-propagating malicious code that exploits IIS systems susceptible to the vulnerability described in Advisory CA-2001-13. By the time the second advisory was released, the CodeRed worm had already infected more than 250,000 servers.

NIMDA On September 18, 2001, an advisory describing the third in a related group of exploits was posted on the CERT.org site. The CERT Advisory CA-2001-26 “Nimda Worm” overview stated that CERT had received reports of a new malicious code known as the W32/Nimda worm. A virtual Swiss army knife of exploits, this new worm appeared to spread by multiple vectors.

Why Are Intrusion Detection Systems Important?

No network is too small to be left unprotected. If a hacker can use your computer, he will.

Multiple computers operating in concert perform DDoS attacks. Hacker masters need zombies.

Internet pirates use any system available on the Web to store contraband and to distribute stolen software or pornographic content.

Without your knowledge or consent, your system can be used as a relay for nefarious, and oftentimes illegal, activities.

Logs from IDSes are an important part of computer forensics and incident-handling efforts.

IDSes can detect failed administrator login attempts and recognize password-guessing programs.

Inline IDSes can halt active attacks on your network while alerting administrators to their presence.

You can use IDSes to identify vulnerabilities and weaknesses in your perimeter protection devices; in other words, firewalls and routers.

You can use IDS logs to enforce company policy.

You can verify firewall rules and router access lists regularly for functionality.

Buffer overflow attacks represent a large percentage of today’s computer exploits. Snort has a large arsenal of rules designed to detect these attacks.

Backdoors and Trojans are remote control programs that are malicious code designed to take control of your computer. Snort can detect the communications of these Trojans and alert you to their presence.

E-mail servers are prime targets for intrusions. They must be accessible from the Internet, and thus are vulnerable to attack. Snort has many signatures that guard against direct attacks on the server, as well as detect e-mail borne viruses.

What Else Can You Do with Intrusion Detection?

You can use IDSes for a variety of functions in addition to detection of intrusions, including monitoring database access, monitoring DNS services, protecting your e-mail server, and monitoring corporate policies.

Q: I have a firewall. Do I need an IDS?

A: Yes. Firewalls perform limited packet inspection to determine access to and from your network. IDSes inspect the entire packet for malicious content and alert you to its presence.

Q: What is promiscuous mode operation?

A: Normally, when a NIC receives a packet addressed to another device it drops the packet. This type of operation is known as nonpromiscuous mode. In promiscuous mode, the entire packet will be processed regardless of its address. A NIDS must operate in promiscuous mode.

Q: How many IDSes do I need?

A: The number of IDSes in an organization is determined by policy and budget. Network topologies differ greatly; security requirements vary accordingly. Public networks might require minimal security investment, whereas highly classified or sensitive networks might need more stringent controls.

Q: Can an IDS cure a virus?

A: No. Although an IDS can detect the signatures of some e-mail viruses, curing a virus is the function of antivirus software.

Q: Can an IDS stop an attack?

A: Yes. An inline IDS can detect and block an intrusion.

Q: Do I need both HIDS and NIDS to be safe?

A: Although the use of both NIDS and HIDS can produce a comprehensive design, network topologies vary. Some networks require only a minimum investment in security, and others demand specialized security designs.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Introducing Snort 2.6

Solutions in this chapter:

What Is Snort?

What’s New in Snort 2.6?

Snort System Requirements

Exploring Snort’s Features

Using Snort on Your Network

Snort and Your Network Architecture

Pitfalls When Running Snort

Security Considerations with Snort