CAPÍTULO II MARCO TEORICO
2.11 IMAGENOLOGÍA DEL PACIENTE POLITRAUMATIZADO
2.11.1 RADIOGRAFÍA SIMPLE
CyberSafe Centrax is probably one of the most complete solutions we have looked at as part of this test, in that it includes audit policy control, Host- based IDS (with both real-time and batch policies), Network-based IDS, Network Node IDS and even basic Vulnerability Assessment.
The Command Console runs on Windows NT/2000 and target agents are available for Microsoft Windows NT 3.51 and 4.0, Windows 2000, Sun Solaris 2.5.1, 2.6, 7 and 8, HP-UX 10.2 and 11.0, and IBM AIX 4.2.1 and 4.3.2.
Architecture
Centrax comprises a central Command Console which controls a number of Target Agents.
The Command Console is used to define security policy and control the remote Target Agents, as well as to monitor and respond to real-time alerts raised by the Agents. The Console also controls vulnerability assessments of the Targets, how often log files are collected, and how frequently reports are run.
The Command Console consists of three parts: the GUI, the collection engine, and the detection engine. The graphical user interface is used to manage all aspects of the Command Console and to communicate with the clients. The collection engine receives all files from the target agents and forwards them to the detection engine. The detection engine analyses the audit data, populates the database and archives off the original audit data Target Agents are the “business-end” of Centrax, the bits that do the actual monitoring and alerting. Where Centrax scores is in its provision of a wide range of Target Agents, including both host-based and network-based, and when Agents are first installed they become immediately active with a default security policy. Audit data is reduced based on pattern matches of detected activity signatures and then stored in a database for later analysis and reporting.
There are two types of host-based Agents – Batch-Mode and Real-Time. Batch-Mode Agents collect data and store it at the target host for periodic collection by the Command Console, and parsing of the data is not performed until it is has been collected from the target. Real-Time Agents, on the other hand, perform the same host-based functions but report anomalies and alerts back to the Command Console immediately. This arrangement provides a much more scalable solution than many Host-IDS systems.
For instance, many host-based systems are typically reactive, in that they store data to be analysed at a later date, by which time it may be too late to do anything about it. However, if you want to do everything in real time, you run the risk of overloading both the host itself and the subnet on which it resides. Centrax provides the perfect balance. Both Batch-Mode and Real- Time Agents can use identical policies, allowing them to monitor the same events. However, by splitting the functionality, it is possible to have a small, manageable policy for real-time alerting – monitoring only the most critical events – and a much larger Batch-Mode policy that can collect all the data necessary for forensic investigation at a later date.
There are also two types of network targets – Network and Network Node which broadly follow the functionality description from the Introduction. Network Agents work in promiscuous mode, monitoring all traffic on a particular network segment (and generally require a dedicated machine on which to run), whilst Network Node Agents monitor traffic specific to a particular server or workstation as it arrives at that host’s network card. Both network Agents send alerts directly back to the Command Console for processing.
Centrax uses TCP/IP to communicate between the Command Console and Target Agents. All transmissions of audit policies, collection policies and counter-measure responses between the Console and Agents are encrypted using DES or Triple-DES.
Installation
Installation of Centrax is remarkably easy. Starting off with the Command Console, it is the usual “put in the CD and go” type of Windows installation. After that it gets quite clever. From the Command Console GUI the
administrator can create “Target installations” on the Console machine, which can then be shared via Windows Explorer.
All that is then required to install the Target Agents is to access the share from the target host and run the SETUP program. Unix installations are performed in a similar way, usually by copying the install directory created at the console to the target and running setup.sh. Of course, it is also possible to use the installation CD to install remote detectors too, but the share method is a nice idea. It would be even nicer if it was possible to push the Agent installation from the Console to the remote hosts, which would offer a much more scalable approach to deployment in large, distributed networks. Apparently, CyberSafe is working on such an approach for the next release, whilst in the mean time the product is integrated with Microsoft’s SMS to assist in distribution.
When running SETUP at the remote host, choices are offered as to which Agent (or Agents) is to be installed – Batch, Real-Time or Network. Installing Real-Time also forces an install of the Batch Agent, since that is used to perform the actual event collection. Installation of the Network Agent forces an install of all three components, since the Real-Time Agent is used by the Network Agent for alerting purposes. The same Network Agent is used for Network and Network Node operation, and the choice of which mode is employed is determined from the Command Console.
We installed the Agents on Windows 2000 platforms, and so didn’t even need to reboot once we had finished – very impressive.
Configuration
The Command Console provides the interface to communicate with the remote target agents, the detection engine and a view into the database. The GUI provides editors to define the different policies available to Centrax. These different policies define the both how host operating system will gather information and how Centrax will migrate and process that information.
To the uninitiated, Centrax can appear complicated thanks to the
bewildering array of policies that it is possible – and necessary – to define. The Console GUI provides three panes when started. The top window is the Alert Manager, which is used to display all batch, real-time, network and network node alerts. Columns for each alert display the Priority, Alert Type, User or Source IP Address, Activity ID, Date, Description and Details of the alert. Alert filters can be defined in order to reduce the amount of
information displayed in this window if required.
Figure 16 – Centrax: The main console
Double-clicking an alert message brings up additional information which is limited to a brief description of the problem and three possible solutions, labelled Critical, Concerned and Cautious. These often turn out to offer almost the same advice for each category, and in many cases are not as helpful as they might be. For instance, when bringing up the extra information window for one particular type of DoS attack, all the advice it could offer was “watch out for excessive ACK packets” – no explanation of what they signify or how to avoid them.
The bottom window is the Target Manager, split into two panes and showing which machines are being monitored and their current configuration. The left hand pane is a hierarchical tree view of the Target Agents sorted by
operating system, domain/workgroup and machine name. Targets can be grouped together logically using this window, and check boxes at each level of the tree allow the administrator to quickly and easily focus on groups of machines or individuals, which are then displayed as a list in the right hand pane.
This list shows each target, along with the policies that have been applied, the date and time of the last event processed, and the current assessment status. It is the number of possible policies that can be confusing to the uninitiated.