Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates. Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur. Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes
* Architecting defensible networks with pervasive awareness: theory, techniques, and tools
* Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
* Dissecting session and full-content data to reveal unauthorized activity
* Implementing effective Layer 3 network access control
* Responding to internal attacks, including step-by-step network forensics
* Assessing your network's current ability to resist internal attacks
* Setting reasonable corporate access policies
* Detailed case studies, including the discovery of internal and IRC-based bot nets
* Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site
Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.
Helps you overcome your fastest-growing security problem: internal, client-based attacks. This is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. It offers clear explanations of client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data.
Foreword
Preface

I. DETECTING AND CONTROLLING INTRUSIONS

1. Network Security Monitoring Revisited
    Why Extrusion Detection?
    Defining the Security Process
    Security Principles
    Network Security Monitoring Theory
    Network Security Monitoring Techniques
    Network Security Monitoring Tools
    Conclusion

2. Defensible Network Architecture
    Monitoring the Defensible Network
    Controlling the Defensible Network
    Minimizing the Defensible Network
    Keeping the Defensible Network Current
    Conclusion

3. Extrusion Detection Illustrated
    Intrusion Detection Defined
    Extrusion Detection Defined
    History of Extrusion Detection
    Extrusion Detection Through NSM
    Conclusion

4. Enterprise Network Instrumentation
    Common Packet Capture Methods
    PCI Tap
    Dual Port Aggregator Tap
    2X1 10/100 Regeneration Tap
    2X1 10/100 SPAN Regeneration Tap
    Matrix Switch
    Link Aggregator Tap
    Distributed Traffic Collection with Pf Dup-To
    Squid SSL Termination Reverse Proxy
    Conclusion

5. Layer 3 Network Access Control
    Internal Network Design
    Internet Service Provider Sink Holes
    Enterprise Sink Holes
    Using Sink Holes to Identify Internal Intrusions
    Internal Intrusion Containment
    Notes on Enterprise Sink Holes in the Field
    Conclusion

II. NETWORK SECURITY OPERATIONS

6. Traffic Threat Assessment
    Why Traffic Threat Assessment?
    Assumptions
    First Cuts
    Looking for Odd Traffic
    Inspecting Individual Services: NTP
    Inspecting Individual Services: ISAKMP
    Inspecting Individual Services: ICMP
    Inspecting Individual Services: Secure Shell
    Inspecting Individual Services: Whois
    Inspecting Individual Services: LDAP
    Inspecting Individual Services: Ports 3003 to 9126 TCP
    Inspecting Individual Services: Ports 44444 and 49993 TCP
    Inspecting Individual Services: DNS
    Inspecting Individual Services: SMTP
    Inspecting Individual Services: Wrap-Up
    Conclusion

7. Network Incident Response
    Preparation for Network Incident Response
    Secure CSIRT Communications
    Intruder Profiles
    Incident Detection Methods
    Network First Response
    Network-Centric General Response and Remediation
    Conclusion

8. Network Forensics
    What Is Network Forensics?
    Collecting Network Traffic as Evidence
    Protecting and Preserving Network-Based Evidence
    Analyzing Network-Based Evidence
    Presenting and Defending Conclusions
    Conclusion

III. INTERNAL INTRUSIONS

9. Traffic Threat Assessment Case Study
    Initial Discovery
    Making Sense of Argus Output
    Argus Meets Awk
    Examining Port 445 TCP Traffic
    Were the Targets Compromised?
    Tracking Down the Internal Victims
    Moving to Full Content Data
    Correlating Live Response Data with Network Evidence
    Conclusion

10. Malicious Bots
    Introduction to IRC Bots
    Communication and Identification
    Server and Control Channels
    Exploitation and Propagation
    Final Thoughts on Bots
    Dialogue with a Bot Net Admin
    Conclusion

Epilogue

Appendix A: Collecting Session Data in an Emergency
Appendix B: Minimal Snort Installation Guide
Appendix C: Survey of Enumeration Methods
Appendix D: Open Source Host Enumeration

Index
* Prevent, detect, and mitigate breaches from the inside--build security in from the get-go
* Learn theory, techniques, and tools to implement network security monitoring for internal intrusions
* A big advantage of Richard's writing style is that he explains the important concepts from a high level, and then provides a description of how to implement the processes
* Richard authored the acclaimed Tao of Network Security Monitoring in 2004

Product details

ISBN: 9780321349965
Published: 2005-11-17
Publisher: Addison-Wesley Educational Publishers Inc
Weight: 778 g
Height: 234 mm
Width: 177 mm
Depth: 26 mm
Age level: U, 05
Language: English
Format: Paperback
Number of pages: 424

Author

Biographical note

Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone--performing incident response, emergency NSM, and security research and training--and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy. He has authored or coauthored several security books, including The Tao of Network Security Monitoring (Addison-Wesley, 2004).