Networks and Security - PowerPoint PPT Presentation

About This Presentation
Title: Networks and Security
Slides: 160
Provided by: webe150

Transcript and Presenter's Notes

1
Networks and Security
2
How Real is the Threat?
  • 88% of IT staff polled in the US recently said
    their organizations had been affected by Internet
    viruses or worms in the past year, even though 90%
    of firms have an IT security system in place.
    (Information Security Magazine, 2001)

3
Worm Threats
  • NIMDA and Code Red generated the majority of
    attack activity, accounting for 63% of recorded
    attacks
  • Each worm attacked known problems with available
    patches
  • New zero-day worms hit vulnerabilities that have
    not yet been posted
  • Future worms will morph

4
Trends
  • 39% seemed to be targeted to breach a specific
    system or company
  • 61% seemed opportunistic, with the attacker
    scanning and looking to exploit what was found
  • 42% of the attacks were aimed at large
    corporations of 1,000 or more employees
  • This suggests that higher-profile corporations are
    bigger targets than lower-profile ones

5
Majority of Attacks Are Launched From a Small
Number of Countries
  • Ten countries account for 70% of attacks
  • 30% United States
  • 9% South Korea
  • 8% China
  • The largest number of attacks per IP address came
    from Israel

6
Attacks and Ports
7
Current Attacks
8
Most Probed Ports
  • Windows service for conversion of IP addresses to
    names in file sharing apps; the first step in a
    scan to hit file shares
  • Open when a web server is installed
  • Used by MS-SQL Server for remote clients to query
    for network connections
9
Trends
  • The industries with the highest attack rates
    are:
  • Education
  • High Tech
  • Financial Services
  • Media/Entertainment
  • Power and energy companies
  • Each averaged more than 700 attacks per company
    in the last six months
  • Power and energy companies suffered attacks from
    the Mid East at twice the mean of other companies
  • High Tech and Financial companies suffered
    attacks from Asia at a rate that was 50% higher
    than the mean for other companies

10
Top Ten Attacks
  • 47.8% MS IIS Server ISAPI overflow
  • 25.1% (Code Red) Generic Root Request Attack of
    root.exe in /scripts directory
  • 23.5% MS IIS Server Traversal Attack
  • 17% MS IIS Server Arbitrary Code Attack (code
    URL twice)
  • 16.5% (Code Red) "cmd.exe" Attack
  • 5% Scan for port 27374 for SubSeven (2600
    Magazine)
  • 3.8% Scan for vulnerable or mis-configured FTP
    servers
  • 2.8% Scans for RPC enabled
  • 1.3% Scans for ssh (Exploit)
  • 1.2% Scans for LPD (Exploit) (Source: Riptech)

11
General Types of Hackers
  • Kiddie Scripters
  • Black hats
  • Network-savvy employees
  • Government Entities

12
Kiddie Scripters
  • Run scripts from hacker sites
  • Rarely recompile to change ports or affect attack
    signatures
  • Poor resources - usually tied to an ISP
  • Usually want a quick hit or break-in and are
    largely indiscriminate about targets
  • Leave behind lots of evidence

13
Take Your Pick of Hacker Groups
14
Places for Evil
15
Know Your Enemy -- Places to Visit
  • http://www.hacktech.org/
  • http://surf.to/damage_inc
  • http://www.oninet.es/usuarios/darknode/
  • http://b0iler.eyeonsecurity.org/tutorials/index.html
  • http://ist-it-true.org/pt
  • http://hackersplayground
  • http://packetstorm.widexs.nl/exploits20.shtm
  • http://astalavista.box.sk

16
Black Hats
  • Re-compile code of others to change attack
    signatures
  • Write programs that may or may not be shared
  • Moderate resources - usually tied to an ISP but
    can have own domains and domain servers
  • Much more cautious and attacks may be spread over
    weeks
  • Mafia organizational models: key talented hackers
    with high skills are generally isolated by layers
    of kiddie scripters for protection

17
Reconnaissance
Look for a file that doesn't exist on a web server:
the 404 error will reveal the server and version
18
Network-Savvy Employees
  • Never share or use code of others unless it is an
    intentional deception
  • Inside knowledge of infrastructure enables more
    sophisticated approach

19
Governments
  • Attacks and coordinated probes may stretch over a
    period of months or years and are calculated to
    bypass the best IDS
  • Launched as part of policy
  • Have direct access to tier 1 Internet service
    providers (ISP) or use government resources
  • Able to manipulate domain, WHOIS databases, and
    root server and Internet routing paths
  • May be recruited from Black hats or federal
    agencies

20
Nuisance Threats
  • These individuals may evolve from online trespass
    and vandalism to more criminal activity such as
    theft of information, extortion, and credit card
    fraud
  • In addition, this group is a pool of potential
    resources for more traditional criminal elements
    to exploit either directly or indirectly

21
Low Level Threats
  • On-line Trespass
  • Vandalism
  • Script Kiddies compile existing hacker code
  • Existing vulnerabilities

22
Malicious Threats
  • Launch virus or self-propagating bots that
    harvest e-mail addresses, credit card numbers, or
    other valuable data
  • Identity theft is big business

23
Doomsday Threats
  • After key financial information that can be
    leveraged for money
  • Scan likely unfriendly nations for critical
    infrastructure weak points
  • Characterized by long term stealth (not noisy)
    scans and probes
  • Access to resources
  • Undetectable

24
Criminal Activity Categories
  • Extortion
  • Organized Crime
  • Political Groups (Terrorists)
  • Industrial Espionage and Sabotage
  • International Intrusions

25
Criminal Activity
  • 49% of information security professionals'
    companies have had personnel who physically
    destroyed or stole computing equipment -- up from
    42% in 2000. Industry Survey from Information
    Security Magazine, 2001. See
    http://www.vectec.org/researchcenter/stats.html?category=9

26
Hacker Pattern Reuse
  • Each hacker has a signature for attack
    methodologies
  • It is often possible to describe each separate
    attacker by their trademark styles and choice of
    tools and exploits
  • Once they find a sequence or type of attack that
    works they use the same choice of tools each time

27
Seven Step Attack Profile Overview
  • Reconnaissance - gathering information on your
    organization
  • Foot printing - get the network details
  • Port Scanning - find the actual services
    available
  • Enumeration - promising targets are identified in
    more detail
  • Gaining Access - choose an informed hack/crack
  • Escalating Privileges - elevate to system access
  • Pilfering - grab any interesting/profitable data
  • Covering Tracks - hide the interloper's machine romp

28
Profiling
  • Objective
    • Gathering information about the organization
  • Technique
    • Web searches, public documents, and legal
      databases
    • Web browsers: most public or legally available
      information is now available on line

29
Sniffers Are Your Friend and Foe
  • Everything that touches your machine from a data
    network can be seen on a sniffer: passwords,
    account names, social security numbers, birth
    dates, and other personal information
  • Hackers frequently use sniffers to ply their
    trade
  • Sniffers also help the good guys by catching
    issues that IDS and firewall logs will miss

30
Network Associates (NAI) Sniffer
31
Network Associates (NAI) Sniffer
  • Premier network diagnostic program available to
    network professionals
  • A great number of hacker sniffers tend to
    concentrate on capturing and logging targeted
    information such as user names, passwords and
    commands
  • dsniff is a package of password grabbers, including
    mailsnarf, an e-mail grabber

32
dsniff
33
Sniffer Exploits
  • Sniffers are programs that use promiscuous
    drivers
  • These specialized drivers allow network
    information to be sniffed off of the local
    network segment
  • In segments that use Ethernet hubs, as
    opposed to switches, the attacker can log every
    user's information off the network

34
dsniff: De-encrypting Password Sniffer
  • dsniff listens patiently for passwords to come
    along
  • It will decode NetBIOS-based Windows, IMAP, POP3,
    SNMP, and many other types of passwords
  • If you are using network diagram programs
    like Visio, TGV (Computer Associates) and HP
    OpenView with the read/read-write SNMP password,
    you are giving it away to attackers

35
Sniffer Defenses
  • Ethernet switches are not a security panacea
  • Flooding the switch with bogus MAC addresses can
    fill the bridge table and cause one of the
    following two switch behaviors:
  • 30% of the time the switch starts forwarding ALL
    packets to ALL ports (hub behavior)
  • 70% of the time the switch crashes

36
Sniffer Defense
  • Monitor your switch reboots with the Simple
    Network Management Protocol (SNMP)
  • Send SNMP traps to your central security
    monitoring console when switches reboot or have
    switch-table-full error events
  • It is also very valuable to centrally log switch
    and router SNMP AUTH events, which report login
    authorization failures!

37
Sniffer Defense
  • @stake makes a sniffer detector, AntiSniff,
    available for trial and sale
  • Promiscuous drivers take notably longer to
    process network requests
  • The detector identifies promiscuous hosts from
    the delays observed in the IP client software
    on those hosts

38
L0pht (@stake) AntiSniff
39
Foot Printing
  • Objective
    • Get address range, namespace details, contacts,
      and reverse domain info
  • Technique
    • Open source info, DNS, iterative reverse DNS or
      zone transfer
  • Tools
    • nslookup, dig, whois, ARIN whois, etc.
    • Plain old HTTP lookups on their favorite search
      engine: Google, Altavista

40
Foot printing
  • whois
  • nslookup
  • http://www.arin.net/whois/index.html
  • Department of Defense
  • RIPE
  • APNIC
  • Web Search Engines
  • Google

41
Domain Name Service (DNS)
  • Domain name services (DNS) map text strings by a
    hierarchical directory to a specific IP address
    that the computer application can use
  • Domain name servers are also called name servers

42
Domain Name Services (DNS)
  • DNS servers use forward and reverse zone text
    files that contain domain entries
  • Forward files include INFO records:
    • INFO type A records for IP addresses
    • INFO HINFO records for software and platform
      information
    • INFO CNAME or canonical names for aliases
    • INFO MX or mail exchange records for email

43
Whois
  • Domain Lookup
    • http://www.arin.net/whois/index.html
    • http://www.geektools.com/cgi-bin/proxy.cgi

44
Geektools.com
45
DNS Exploit: Information Grabbing
  • Programs like Sam Spade and whois reveal an
    enormous amount of information about your company's
    Internet connections, managers, and
    administrative contacts.

46
Sam Spade
47
Sam Spade
48
Sam Spade
49
DNS Exploit: Information Grabbing
  • Defense
    • Use two DNS servers, one inside your network and
      another outside. This is called the split
      domain name server architecture.
    • By blocking outside access to the inside name
      server that has all the network information, it
      is possible to hide inner host information from
      interlopers
    • Allow only the most essential information to be
      available to the general Internet.
    • Secure the servers the Internet knows about.

50
Split Domain Servers
51
Denial of Service Exploit
  • Lots of connections enter the open TCP state,
    with the host machines sending SYN packets to
    synchronize sequence numbers
  • During the open state the host machine consumes
    CPU time allocating memory buffers, consuming
    limited resources on the host machine
  • The host machine is often sending replies
    back to a spoofed attacker address
  • If enough TCP open states are started on the
    target machine . . .
  • It runs out of memory or CPU resources and stops
    accepting new connections, or crashes

52
Denial of Service Defense
  • Specialized intrusion detection systems recognize
    DoS attacks and issue RST packets to either the
    sender or destination or both and kill the
    network connection
  • The host machine immediately releases resources
    upon receipt of a packet with the RST flag set

53
Denial of Service Defense
  • Reduce the TCP wait timer on your servers from
    the default 600 seconds to about 3
  • This times out the connection state and allows
    your server to recoup its resources faster and
    resist this attack
  • Increase the server resources-- Memory is cheap
  • Allocate additional memory buffers to handle the
    attack-- Bumping from 10 to 200 should do it
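The half-open state described above and the defenses on these slides (an RST that frees the entry, a shorter wait timer, more buffers), as an added Python simulation that is not part of the original slides. The arrival rate, the spoofed sources and the legitimate client address are constructed; the 600 s and 3 s timers and the 200-buffer table are the slides' own numbers.

```python
"""Half-open TCP state under a SYN flood, with the defenses the slides
describe: a shorter wait timer and an RST that releases the entry at once.

Added example, not part of the original slides. Times are integer
milliseconds; the spoofed sources and the legitimate client are constructed.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Connections that have received a SYN but not the final ACK."""

    def __init__(self, capacity, wait_timer_s):
        self.capacity = capacity               # memory buffers (slide: 10 or 200)
        self.wait_ms = wait_timer_s * 1000     # wait timer (slide: 600 s or 3 s)
        self.table = OrderedDict()             # (src, sport) -> SYN arrival time (ms)
        self.dropped = 0                       # SYNs refused because the table was full

    def expire(self, now_ms):
        """Release entries older than the wait timer; the table is in arrival order."""
        while self.table:
            opened = next(iter(self.table.values()))
            if now_ms - opened < self.wait_ms:
                break
            self.table.popitem(last=False)

    def syn(self, now_ms, src, sport):
        """Record a SYN. Returns False when no buffer is free for it."""
        self.expire(now_ms)
        if len(self.table) >= self.capacity:
            self.dropped += 1
            return False
        self.table[(src, sport)] = now_ms
        return True

    def ack(self, src, sport):
        """Final ACK arrived: the entry leaves the half-open state."""
        return self.table.pop((src, sport), None) is not None

    def rst(self, src, sport):
        """An RST (from the peer or from an active IDS) frees the entry immediately."""
        return self.table.pop((src, sport), None) is not None


def simulate_flood(capacity, wait_timer_s, syn_rate, duration_s, ids_rst=False):
    """Flood the table with spoofed SYNs (syn_rate per second for duration_s seconds).

    The spoofed sources never complete the handshake. At the end a legitimate
    client sends one SYN; 'legit_ok' tells whether it still found a free buffer.
    With ids_rst=True an IDS answers each spoofed SYN with an RST, so the entry
    never occupies a buffer for long.
    """
    table = HalfOpenTable(capacity, wait_timer_s)
    for n in range(duration_s * syn_rate):
        now_ms = n * 1000 // syn_rate
        src = f"10.0.{(n >> 8) & 255}.{n & 255}"   # constructed spoofed source
        sport = 40000 + (n % 20000)
        if table.syn(now_ms, src, sport) and ids_rst:
            table.rst(src, sport)
    legit_ok = table.syn(duration_s * 1000, "192.0.2.10", 51000)
    return {"half_open": len(table.table), "dropped": table.dropped, "legit_ok": legit_ok}


if __name__ == "__main__":
    # Ten spoofed SYNs per second for one minute against 200 buffers.
    print("600 s timer  :", simulate_flood(200, 600, 10, 60))
    print("3 s timer    :", simulate_flood(200, 3, 10, 60))
    print("IDS sends RST:", simulate_flood(200, 600, 10, 60, ids_rst=True))
```

With the default 600 s timer the 200 buffers fill after 20 seconds and the legitimate client is refused; with the 3 s timer no more than about 30 entries are ever held, and with the IDS reset the table stays empty.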

54
Logical Data Network Structure
  • Networks are made up of network devices that pass
    packets based on addresses and network paths
  • Routers and switches keep track of these
    addresses and routes in internal tables
  • What are some examples of these internal tables?

55
Logical Data Network Structure
  • Switch tables: switch mappings associated with a
    physical interface
  • ARP table: layer 3 network addresses associated
    with an L2 address and usually a physical interface

56
Logical Data Network Structure
  • Layer 3 network route mappings associated with an
    L1 (physical) interface

57
Internet Control Message Protocol (ICMP)
  • Routers that become congested return an ICMP
    source quench message as a simple form of flow
    control
  • Some routers send an ICMP source quench if
    their communication buffers get full
  • ICMP is the traffic cop for IP networks

58
RARP, BOOTP, and DHCP
  • RARP (earlier slide) - given the MAC (L2) address,
    give me the network (L3) address
  • BOOTP - an improvement on RARP that gave us
    automated IP addresses, automated boot images,
    gateway addresses, etc.
  • DHCP - Dynamic Host Configuration Protocol - a later
    protocol (Microsoft) that added user-specified
    fields and advanced abilities such as redundancy

59
Crafted Packets Exploit
  • Build what you want and create a hack - a
    thousand different ways.
  • Fragment of a libnet program (operators and comment
    delimiters restored; the remaining arguments of
    libnet_build_ip are not on the slide):

    if ((packet = malloc(1500)) == NULL) {
        perror("malloc ");
        exit(-1);
    }
    if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) {
        perror("socket ");
        exit(-1);
    }
    libnet_build_ip(len,                     /* Size of the payload */
                    /* ... remaining arguments not shown on the slide */

    /*
     * ICMP Header for Parameter Problem
     * -----------------------------------------------------------
     *   Type (12)   |   Code (0)   |   Checksum
     * -----------------------------------------------------------
     *   Pointer     |   unused
     * -----------------------------------------------------------
     *   Internet Header + 64 bits of original datagram data....
     */

    /* Need to embed an IP packet within the ICMP */
    ip = (struct ip *)(packet + IP_H + 8);   /* 8 = icmp header */
    ip->ip_v   = 0x4;                         /* IPV4 */
    ip->ip_hl  = 0xf;                         /* Some IP Options */
    ip->ip_tos = 0xa3;                        /* Whatever */
    ip->ip_len = htons(data_len);             /* Length of packet */
    ip->ip_id  = 30241;                       /* Whatever */
60
DNS Exploit Cache Poisoning
  • DNS queries are heavily cached on servers. What
    if an attacker could craft a packet that
    poisons the DNS cache with the wrong
    information?
  • Could a hacker/cracker redirect domain name
    server queries to the wrong machine?

61
What Else Could Crafted Packets Do?
  • Distribute bad routes to your core data network
    routers, dumping much of your network traffic
  • Foul up switched networks with bogus bridge
    protocol data unit (BPDU) packets that would
    switch off network interfaces
  • Block router IP interfaces with bad ARP replies

62
Crafted Packets Defense
  • Turn everything off!
  • Do not require or allow ICMP features like
    gateway redirection, source quench, or router
    advertisement
  • Turn off the spanning tree algorithm (STA) where
    it makes sense
  • Use the authenticated and encrypted versions of
    any available protocols, i.e., OSPF, not RIP
    version 1
  • Tie your routers together with access control
    lists (ACLs) to control inbound broadcasts
  • Don't do it by the book. Cisco design
    principles are wrong as they value speed of the
    network over security. Application server speed
    is king and people on LANs don't perceive LAN
    speed optimization as delays

63
netcat
  • netcat, the swiss army knife of hacking.
  • Can attach to an arbitrary client port to
    listen for data
  • Can be set up to send out crafted packet data to
    an arbitrary port
  • Usually after capturing traffic into a hex file,
    the data is edited, and sent out to the same
    network it came from

64
Netcat options scary!!!
65
Netcat listener
66
Netcat Listener Receiving Test Text
67
Port Scanning
  • Target ID and assessment for attack
  • What looks most promising?
  • Technique
    • ICMP sweep, TCP/UDP scans, OS detection. What
      is the version of Windows they are running?
      What are the publicly available hacks/cracks for
      this version?
  • Tools
    • fping, hping, nmap, ncat -p, fscan, queso

68
Ports or Service Addresses
  • A service or port is a 16-bit number, written in
    base 10, for example 31337
  • Port addresses let the program know what
    application the data packet is intended for
  • Popular service addresses or ports are 80 for
    http, 23 for telnet, 20 and 21 for file transfer
    protocol, 22 for ssh (secure shell)

69
How Do I Know What Services Are Running?
netstat!
70
UDP Packet Ports
71
TCP Addresses
72
How Do Hackers Generate Port Scans?
nmap (screenshot; the arrow marks the O.S. guess!)
73
How do hackers generate port scans?
nmapfe
74
Features of TCP Packets
  • Sequence numbers - what packet is this in a
    sequence or flow of packets?
  • Window size - how many IP packets do I send at a
    time before requiring an acknowledgement packet?
  • Flags -
    • RST - set for errors; may be used as a session
      stopper in active intrusion detection
    • SYN - set to synchronize sequence numbers
    • ACK - acknowledges data and session information

75
TCP: A Connection Oriented Protocol
  • The TCP protocol for IP packets (TCP/IP) has
    features which enable TCP packets to keep track
    of:
    • How many packets need to be sent?
    • How many packets have been sent?
    • How many packets are left to be sent?
    • If there is an error, which packets need to be
      sent again?

76
Man in the Middle Attacks
  • There exist TCP session grabbing programs, such
    as Juggernaut and Hunt: if attackers are at a
    place on the network where they can eavesdrop on
    both sides of the data connection, they can
    intercept one end of the conversation and take it
    over.

77
TCP Sequence Prediction
  • Yes, it is possible to do what's called TCP
    sequence prediction and pick up another session
    even if you can't eavesdrop.
  • Hunt and Juggernaut are two programs that connect
    to a computer, usually a server, and by
    interacting with it characterize the type of TCP
    sequence that the machine expects in connections.
    They then try to break into another connection
    that machine may be having with another user.
  • Normally, you will detect Juggernaut, and its big
    brother Hunt, trying to break into established
    web site connections to other customers to steal
    personal information or identities.

78
Enumeration
  • Objective
    • Promising targets are identified in more detail.
  • Technique
    • List user accounts, trusts, find IP addresses to
      attack, file shares, ID apps, etc. Are campus
      wide directories available? LDAP?
  • Tools
    • LDAP directories, Legion, NIS, DumpACL, sid2user,
      Onsite, etc.

79
Address Resolution Protocol Table Entries
  • The address resolution protocol (ARP) table is an
    internal table within routers that associates IP
    addresses with the PC's Ethernet address and also
    with a physical interface.
  • ARP Table Entries (Ethernet address, IP address,
    interface):
    00-0c-34-23-af-bc  128.12.43.44  intf0
    00-0c-34-23-af-bc  128.12.43.44  intf0
    00-0c-34-23-af-bc  128.12.43.44  intf0
    00-0c-34-23-af-bc  128.12.43.44  intf1

If an attacker could get your network's ARP
information they would have the keys to your
network.
80
Arpwatch: Very Common In Unix
  • Monitors the address resolution protocol as the
    network works, capturing and sending to the user
    (or attacker) the IP and Ethernet address
    information of your network
  • This can give an attacker all the specific
    information they need to cull a sheep out of the
    herd
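The same ARP monitoring used from the defender's side, as an added Python example that is not part of the original slides: it keeps an IP-to-Ethernet history the way arpwatch does and raises an alert when a known IP is suddenly answered by a different card (the "bad ARP replies" case on the crafted-packets slide), when an IP flips back to an earlier card, or when one card answers for several IPs. The observations are constructed in the style of the ARP table on the previous slide.

```python
"""Arpwatch-style monitoring of ARP replies.

Added example, not from the original slides. The observations below are
constructed; they mimic what a sensor on the segment would report.
"""
from collections import defaultdict

# (timestamp, ip, mac, interface) for each ARP reply seen on the wire.
OBSERVATIONS = [
    (100, "128.12.43.1",  "00-0c-34-23-af-bc", "intf0"),  # gateway, first sighting
    (101, "128.12.43.44", "00-0c-34-23-af-01", "intf0"),
    (102, "128.12.43.45", "00-0c-34-23-af-02", "intf0"),
    (160, "128.12.43.1",  "00-0c-34-23-af-bc", "intf0"),  # refresh, nothing changed
    (220, "128.12.43.1",  "00-0c-34-23-af-02", "intf0"),  # gateway IP now answered by .45's card
    (221, "128.12.43.44", "00-0c-34-23-af-01", "intf1"),  # same host seen on another port
    (300, "128.12.43.1",  "00-0c-34-23-af-bc", "intf0"),  # gateway answers again itself
]


class ArpMonitor:
    def __init__(self):
        self.history = {}                    # ip -> list of (mac, iface) in order seen
        self.mac_owners = defaultdict(set)   # mac -> set of IPs it has answered for
        self.alerts = []                     # (kind, ts, ip, mac, iface)

    def observe(self, ts, ip, mac, iface):
        mac = mac.lower()
        seen = self.history.setdefault(ip, [])
        if not seen:
            self.alerts.append(("new station", ts, ip, mac, iface))
        else:
            last_mac, last_iface = seen[-1]
            if mac != last_mac:
                # Same IP, different card: a replaced NIC, or a bad ARP reply
                # redirecting that IP's traffic to another station.
                kind = ("flip flop" if any(m == mac for m, _ in seen)
                        else "changed ethernet address")
                self.alerts.append((kind, ts, ip, mac, iface))
            elif iface != last_iface:
                self.alerts.append(("changed interface", ts, ip, mac, iface))
        owners = self.mac_owners[mac]
        if owners and ip not in owners:
            # One hardware address now speaking for more than one IP.
            self.alerts.append(("mac claims multiple ips", ts, ip, mac, iface))
        owners.add(ip)
        seen.append((mac, iface))

    def run(self, observations):
        for ts, ip, mac, iface in observations:
            self.observe(ts, ip, mac, iface)
        return self.alerts

    def current_bindings(self):
        """Most recent (mac, iface) for every IP, like the router's ARP table."""
        return {ip: seen[-1] for ip, seen in self.history.items()}


if __name__ == "__main__":
    monitor = ArpMonitor()
    for kind, ts, ip, mac, iface in monitor.run(OBSERVATIONS):
        print(f"t={ts:<4} {kind:24s} {ip:14s} {mac} {iface}")
```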

81
Firewalls Definition
  • What are they?
  • Firewalls are network devices that pass or drop
    packets based on a programmed rule set
  • Firewall rule sets are based on physical port, IP
    address, transport address (port) or other
    parameters

82
Firewalls Definition
  • Firewalls are generally categorized into three
    groups:
  • Stateless - does not maintain state or track
    packet history
  • Stateful - maintains state, is able to
    defragment packets
  • Proxy - may redirect traffic to other machines
    based on FW policy. Typically used to redirect
    e-mail through virus scanning software.

83
Basic Firewall Platforms
  • Types
    • Packet dropping filters (stateless), commonly
      seen as access control lists (ACLs) in routers.
      Cisco dominates this market.
    • Complex or stateful firewalls, generally seen
      in firewall appliances; Lucent Brick, Cisco PIX,
      Check Point and Nokia all have entries in this
      market.

84
Firewalls Network Based
85
Firewalls -- Bridge Based
86
Bridging Firewalls are Better
  • Why?
  • Because routing firewalls depend on IP address
    gateways to route packets.
  • Any external IP addresses are subject to attack
    and may limit your data when they are attacked.
  • Bridge based firewalls have no external IP
    addresses that are required to route packets and
    as such do not have routing interfaces that can
    be attacked!

87
FW May Block Based On IP Address
88
FW May Block Based On Port Address
89
What Does A Basic Firewall Setup Look Like?
90
Firewalls come in other flavors
  • The market is full of smart firewalls.
  • A layer 7 or application layer firewall acts to
    block packet streams from certain applications
    such as peer-to-peer media sharing programs like
    Gnutella.
  • These are also known as traffic shaping devices
  • Traffic shaping firewalls can block MP3 (audio)
    even if the data is using a common well known
    service (WKS) port such as FTP or HTTP. They
    detect the type of data not just the IP address
    and port that is being used.

91
Host Based Firewalls
  • Excellent protection one host at a time.
  • Software running under the operating system
  • Many host software firewalls also use intrusion
    detection algorithms in tune with the firewall to
    protect the host
  • Commercial software such as Norton, McAfee, Black
    Ice Defender, and Zone Alarm dominate this market

92
Host Based Firewalls Black Ice Defender
93
Host Based Firewalls Black Ice Defender
94
Host Based Firewalls Norton
95
Host Based Firewalls Tiny Firewall
96
Network Address Translation (NAT)
  • Firewalls that hide multiple IP addresses
    behind a single IP address!
  • This has the effect of confusing attackers. In
    particular, an nmap -O scan, which tries to
    determine the operating system, will be all over
    the map and generally fail through NAT with
    multiple machines.
  • The NAT algorithm is easily modified to control
    or block inbound versus outbound connections

97
Network Address Translation (NAT)
98
FW Rule Sets - Examples
  • Loose (Higher Education)
    • Accept all, specifically deny dangerous ports
      (services)
  • Moderate (Corporate)
    • Deny all except for well-known services on known
      machines
  • Tight (Defense)
    • Deny all except the generals to nba.com.

99
  Rule name                                 Direction  Rule ID  Action  Comment
  Sub 7 Trojan                              BOTH       GI064A   pass
  Quake and Derivatives                     BOTH       GI064B   pass
  Hack-a-Tack                               BOTH       GI068A   pass
  Sub 7 Artifact                            BOTH       GI035A   pass
  Sub 7 Trojan                              BOTH       GI034B   pass
  NetSphere Trojan                          BOTH       GI064B   pass
  SANs Russian Trojan SD423439 Host Blocks  BOTH       GI021A   pass    This one was mine!
  mstream DoS attack                        BOTH       GI087g   pass    Interesting port to monitor.
  GNUTELLA                                  BOTH       GI086    pass    Peer to peer stuff. Season to your taste.
  Deep Throat Trojan Back Door SANs         BOTH       GI085    pass

100
GRC.COM's IPAgent Scan (free)
IPAgent is a small program that works with a
server at the grc.com web site and does a quick
service scan on your Internet web address and
then gives the results to you in a web page.
Very cool and a good way to get a good night's
sleep.
101
Cryptographic Signatures for Log Files
  • cd /var/log
  • md5 <file> > files.signed
  • (Results on next slide.)
  • What should happen to the cryptographic log
    signature?
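The manifest step from this slide carried out in Python, as an added example that is not from the original slides: it hashes every log file, writes a files.signed manifest in md5(1)'s output style, and later reports which files were modified, removed or added since signing. The directory and log lines are constructed; the manifest is deliberately kept out of its own hash list, since a file cannot carry a valid digest of itself.

```python
"""Sign the files in a log directory with a hash manifest and verify them later.

Added example, not from the original slides. Mirrors the slide's
`md5 <file> > files.signed` step; the directory and its contents are constructed.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "files.signed"   # assumed name, matches the slide's command


def hash_file(path, algorithm="md5"):
    """Hex digest of one file, read in chunks so large logs do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_directory(log_dir, algorithm="md5"):
    """Hash every regular file in log_dir except the manifest itself.

    The manifest is skipped on purpose: hashed while being written it would
    record the digest of an empty file, and once complete it would no longer
    match its own entry. Keep a copy of it off the host as well.
    """
    manifest = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if name == MANIFEST_NAME or not os.path.isfile(path):
            continue
        manifest[name] = hash_file(path, algorithm)
    return manifest


def write_manifest(log_dir, manifest):
    """Write 'MD5 (name) = digest' lines, the BSD md5(1) output format."""
    with open(os.path.join(log_dir, MANIFEST_NAME), "w") as fh:
        for name, digest in manifest.items():
            fh.write(f"MD5 ({name}) = {digest}\n")


def read_manifest(log_dir):
    """Parse the manifest back into {name: digest} (file names must not contain ')')."""
    manifest = {}
    with open(os.path.join(log_dir, MANIFEST_NAME)) as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            head, digest = line.rsplit(" = ", 1)
            name = head[head.index("(") + 1:head.rindex(")")]
            manifest[name] = digest
    return manifest


def verify_directory(log_dir, algorithm="md5"):
    """Compare the stored manifest with fresh hashes.

    Returns lists of 'modified', 'missing' and 'new' file names.
    """
    stored = read_manifest(log_dir)
    current = sign_directory(log_dir, algorithm)
    return {
        "modified": sorted(n for n in stored if n in current and stored[n] != current[n]),
        "missing": sorted(n for n in stored if n not in current),
        "new": sorted(n for n in current if n not in stored),
    }


def demo():
    """Constructed scenario: sign two logs, then one is wiped and a file is added."""
    log_dir = tempfile.mkdtemp(prefix="logsign_")
    with open(os.path.join(log_dir, "messages"), "w") as fh:
        fh.write("Mar 23 08:20:00 host sshd[411]: Accepted password for alice\n")
    with open(os.path.join(log_dir, "secure"), "w") as fh:
        fh.write("Mar 23 08:21:10 host su: alice to root on /dev/pts/1\n")
    write_manifest(log_dir, sign_directory(log_dir))

    # Later: the su line has been wiped and an unexpected file has appeared.
    with open(os.path.join(log_dir, "secure"), "w") as fh:
        fh.write("")
    with open(os.path.join(log_dir, "lastlog"), "w") as fh:
        fh.write("bob\n")
    return verify_directory(log_dir)


if __name__ == "__main__":
    print(demo())
```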

102
Cryptographic Signatures for Log Files

103
Firewall Logs
104
Firewall Logs
  • Incredible amounts of information are available
    from FW logs!
  • Napster_Sharing,8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\09_The Making of Brain Salad Surgery.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy of Bob Dylan -Like A Rolling Stone.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\TechnoSm_Trax_-_Got_the_Groove.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy of Bob Dylan -Like A Rolling Stone.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"

105
Honey Pots
  • PCs that wait for the hacker to connect.
  • Port connection detection
    • Shell scripts that spawn small programs that
      answer in a predefined manner on popular ports
      typical of standard operating systems.
  • Operating system sensors
    • Psionic PortSentry for Linux (Unix)
    • Windows operating system based connection

106
Honey pots?
107
Intrusion Detection Systems
  • PCs that monitor network traffic looking for
    specific data packet patterns indicative of
    harmful network traffic, such as:
    • Trojans (hidden remote access programs)
    • Software viruses
    • E-mail subject and attachment types and content
    • Suspicious FTP/TFTP transfers
    • ssh and scp versions and session information
    • Peer-to-peer program login information
    • Service scans or attacks by hackers

108
Intrusion Detection Logging
109
Event Severity Levels
  • 95%: Informational/False Positives
    • Network-wide port scans
  • 4%: Warning
    • Per-host scans, but no compromise
  • <0.1%: Critical
    • Continuous attack from one IP address
  • <0.01%: Emergency
    • Successful exploit of system

110
Intrusion Detection Systems
  • Long Term Database Queries
  • Packet databases against which SQL queries can
    answer the question: who issued a single ping in
    the last six months not associated with any web,
    e-mail, FTP or ssh connections?
  • This technique is predicated on a large database
    comprised of suspicious packets
  • It can discover complex relationships over a
    number of months
  • This is a method to discover the talented or
    professional attackers!

111
Intrusion Detection Market
  Network Associates         13%
  Axent                       3%
  Others                     10%
  L3                          4%
  Internet Security Systems  71%
  Source: IDC and ISS
112
Port Scans
  • nmap is the preferred tool, along with fping
    and hping.

    Src Host        Src Port  Dst Host        Dst Port  Pcol  Service
    212.177.241.99  3486      137.190.3.212   143       TCP   imap
    212.177.241.99  3487      137.190.3.212   110       TCP   pop3
    212.177.241.99  3488      137.190.3.212   111       TCP   6/111/3488
    212.177.241.99  3489      137.190.3.212   6000      TCP   x11
    212.177.241.99  3490      137.190.3.212   79        TCP   finger
    212.177.241.99  3491      137.190.3.212   53        TCP   dns
    212.177.241.99  3492      137.190.3.212   31337     TCP   6/31337/3492
    212.177.241.99  3493      137.190.3.212   2766      TCP   6/2766/3493
    212.177.241.99  3494      137.190.3.212   139       TCP   netbios-ssn
    212.177.241.99  3495      137.190.3.212   25        TCP   smtp
    212.177.241.99  3496      137.190.3.212   21        TCP   ftp
    212.177.241.99  3497      137.190.3.212   22        TCP   ssh
    212.177.241.99  3498      137.190.3.212   1114      TCP   6/1114/3498
    212.177.241.99  3499      137.190.3.212   1         TCP   6/1/3499
    212.177.241.99  3500      137.190.160.2   80        TCP   http
    212.177.241.99  3501      137.190.160.2   23        TCP   telnet
    212.177.241.99  3502      137.190.160.2   143       TCP   imap

113
Intrusion Detection System Logs
  • Severity (icon), Time, Attack, Intruder, Count
    1, 02/12/01 14:56:01, UDP port probe, 204.113.234.2, 6
    1, 02/16/01 11:11:00, DNS port probe, 213.69.97.66, 1
    2, 02/23/01 11:09:41, SNMP discovery broadcast, WS10060926, 1
    1, 02/25/01 20:18:12, DNS port probe, cr644852-a.rchrd1.on.wave.home.com, 2
    2, 02/26/01 00:43:30, SNMP discovery broadcast, wsuidrive.weber.edu, 9
    1, 02/26/01 11:22:42, HTTP port probe, 204.113.234.2, 5
    1, 02/28/01 11:01:58, TCP port probe, 204.113.234.2, 127
    2, 02/28/01 11:02:23, TCP SYN flood, 204.113.234.2, 13
    2, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 59
    1, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 5531
    1, 02/28/01 11:04:12, UDP port probe, 204.113.234.2, 2
    2, 02/28/01 11:04:12, TCP OS fingerprint, 204.113.234.2, 6
    1, 02/28/01 11:04:12, TCP ACK ping, 204.113.234.2, 4
    2, 02/28/01 11:04:12, NMAP OS fingerprint, 204.113.234.2, 4
    2, 03/06/01 16:41:10, UDP port scan, kappa.weber.edu, 1
    1, 03/07/01 10:00:00, DNS port probe, integrex.colo.magmom.net, 1
    1, 03/07/01 12:23:00, FTP port probe, cr330368-a.etob1.on.wave.home.com, 3
    3, 03/14/01 13:40:09, PPTP malformed, pipeline1.weber.edu, 1
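Reading this IDS log against the severity levels of slide 109, as an added Python example that is not part of the original slides: it parses the comma-separated records, aggregates them per intruder, and escalates a source that keeps coming back (the deck's "continuous attack from one IP address"). The thresholds are assumed values; the sample records are a subset of the slide's table, with times written with colons.

```python
"""Triage intrusion-detection log records by source.

Added example, not part of the original slides. Thresholds are assumed
values to be tuned against your own baseline.
"""
from collections import defaultdict
from datetime import datetime

# Records in the slide's 'Severity, Time, Attack, Intruder, Count' layout.
SAMPLE_LOG = """\
1, 02/12/01 14:56:01, UDP port probe, 204.113.234.2, 6
1, 02/25/01 20:18:12, DNS port probe, cr644852-a.rchrd1.on.wave.home.com, 2
2, 02/26/01 00:43:30, SNMP discovery broadcast, wsuidrive.weber.edu, 9
1, 02/28/01 11:01:58, TCP port probe, 204.113.234.2, 127
2, 02/28/01 11:02:23, TCP SYN flood, 204.113.234.2, 13
1, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 5531
2, 02/28/01 11:04:12, NMAP OS fingerprint, 204.113.234.2, 4
3, 03/14/01 13:40:09, PPTP malformed, pipeline1.weber.edu, 1
"""

# Escalation thresholds (assumed values).
CRITICAL_EVENT_COUNT = 1000     # one source generating this many events, or
CRITICAL_ATTACK_TYPES = 3       # this many distinct attack signatures, or
CRITICAL_ACTIVE_DAYS = 2        # activity on this many separate days


def parse_line(line):
    """Split one 'severity, time, attack, intruder, count' record into a dict."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"unexpected field count in {line!r}")
    severity, when, attack, intruder, count = fields
    return {
        "severity": int(severity),
        "time": datetime.strptime(when, "%m/%d/%y %H:%M:%S"),
        "attack": attack,
        "intruder": intruder,
        "count": int(count),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize_by_source(events):
    """Per intruder: total event count, distinct attacks, active days, worst severity."""
    summary = defaultdict(lambda: {"events": 0, "attacks": set(),
                                   "days": set(), "max_severity": 0})
    for ev in events:
        s = summary[ev["intruder"]]
        s["events"] += ev["count"]
        s["attacks"].add(ev["attack"])
        s["days"].add(ev["time"].date())
        s["max_severity"] = max(s["max_severity"], ev["severity"])
    return dict(summary)


def classify_source(stats):
    """Map a source's aggregate onto the deck's levels.

    'critical' is the continuous attack from one address; 'warning' is a
    per-host scan without a compromise; everything else is 'informational'.
    'emergency' (a successful exploit) cannot be inferred from probe counts,
    so it is never assigned here.
    """
    if (stats["events"] >= CRITICAL_EVENT_COUNT
            or len(stats["attacks"]) >= CRITICAL_ATTACK_TYPES
            or len(stats["days"]) >= CRITICAL_ACTIVE_DAYS):
        return "critical"
    if stats["max_severity"] >= 2:
        return "warning"
    return "informational"


def triage(text):
    """Return {intruder: level} for every source in the log text."""
    summary = summarize_by_source(parse_log(text))
    return {src: classify_source(st) for src, st in summary.items()}


if __name__ == "__main__":
    for src, level in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{level:14s} {src}")
```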

114
Gaining Access
  • Objective
    • To compile enough knowledge to choose an informed
      hack/crack
  • Technique
    • Back doors, social engineering, buffer overflows,
      promiscuous password grabs, hacks, etc.
  • Tools
    • Telephone, war dialing, crack, Legion, pwdump2,
      bind and LPR hacks, etc.

115
Gaining Access
  • The NULL session: Microsoft's master key to any
    Windows box under WIN2K
  • Buffer overflows to known port services might do
    it

116
Buffer Overflows
  • Diagram - typical buffer overflow

117
Mechanics of Buffer Overflows
  • Goal: exploit a buffer overflow vulnerability to perform a malicious function on the target system.
  • Identify an open port, or confirm that local access is available
  • Test the input string types and boundaries the program accepts
  • Construct an input that performs the malicious function when it executes with the program's privileges, inside the host program's address space
  • Deliver it so that the program jumps to the injected code instead of returning normally
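Steps 2 and 3 above are the part an exploit writer actually scripts: find the input length at which the target stops surviving, then lay the overwrite out so the return address slot is hit exactly. The script below is an added example for this deck, not code from the original presentation and not an exploit for any real program. The target is a hypothetical 32-bit x86 service that copies a request into a 64-byte stack buffer without a length check; the buffer size, the saved-frame-pointer slot, the return address and the stand-in `toy_target` are assumptions chosen to show the arithmetic, and the "shellcode" is a placeholder of `int3` bytes rather than working code.

```python
"""Boundary probing and payload layout for a classic stack overflow.
Added example, not from the deck; the target is hypothetical (see lead-in)."""
import struct

BUF_SIZE = 64    # assumed size of the vulnerable stack buffer
SAVED_EBP = 4    # 32-bit frame: the saved EBP sits between the buffer and the return address
NOP = b"\x90"    # x86 NOP, used to build a landing sled


def toy_target(data, buf_size=BUF_SIZE):
    """Stand-in for the vulnerable service (assumption): it 'survives' as long as the
    copy stays inside the buffer and the saved EBP, and 'crashes' once the return
    address is touched.  A real probe would send `data` and watch for a crash."""
    return len(data) <= buf_size + SAVED_EBP


def find_boundary(accepts, lo=1, hi=4096):
    """Step 2: binary-search the smallest input length the target no longer survives.
    `accepts(data)` returns True while the target keeps working.  None means no crash
    within the tested range."""
    if accepts(b"A" * hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if accepts(b"A" * mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def build_payload(buf_size, ret_addr, shellcode, sled=32, pad_byte=b"A"):
    """Step 3: [filler][saved EBP][return address][NOP sled][shellcode].
    The return address points into the sled so a small error in the guessed stack
    position still lands on executable bytes.  Both the address and the code must be
    free of NUL bytes, because a str*-style copy stops at the first one."""
    if b"\x00" in shellcode:
        raise ValueError("shellcode contains a NUL byte")
    ret = struct.pack("<I", ret_addr)            # little-endian, as on x86
    if b"\x00" in ret:
        raise ValueError("return address contains a NUL byte")
    filler = pad_byte * (buf_size + SAVED_EBP)
    payload = filler + ret + NOP * sled + shellcode
    layout = {"ret_offset": len(filler),
              "sled_offset": len(filler) + len(ret),
              "shellcode_offset": len(filler) + len(ret) + sled,
              "total": len(payload)}
    return payload, layout


if __name__ == "__main__":
    crash_len = find_boundary(toy_target)
    print("first crashing length:", crash_len, "-> return address starts at offset", crash_len - 1)
    payload, layout = build_payload(crash_len - 1 - SAVED_EBP, 0xBFFFF5C0, b"\xcc" * 8)
    print(layout)
```

The first crashing length tells you where the return address slot begins (one byte earlier), which in turn fixes the filler length for the payload; the assertions a practitioner would keep are that the packed address lands at exactly that offset and that a NUL-bearing address or code is rejected before it is ever sent.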

118
Buffer Overflows Fuel Network Based Worms
  • Recent worm attacks
  • L1on Linux worm
  • SQL Slammer
  • Ramen Linux Worm
  • Code Red worm for Windows
  • Nimda Windows worm

119
Windows Processes
120
Unix processes (ps ex or ps auwx)
121
Inzider2: What Your Mother Didn't Tell You
  • Attackers routinely bypass operating system memory and process management to hide trojan programs.
  • inzider2 does a brute-force check of memory for processes. Virus checkers must look in memory for viruses, not just on disk.

122
Forensic Analysis of Packets
  • Hackers hidden? No, the evidence is on the
    wire!
  • TCP, UDP, and ICMP packets hold numerous clues!
  • Sequence numbers
  • window size
  • target and source ports
  • IP addresses
  • flags and more offer an insight into your
    attacker

123
Forensic Analysis of Packets
  • Let's try it! What's going on in the following capture? Hint: polymorphic destinations and timing.
  • Fields (names inferred from the records): date, time, id, direction, source, destination, service, flags, packets, bytes. ping_resp is an ICMP echo reply; 1/3/3 is protocol 1 (ICMP), type 3, code 3: destination unreachable, port unreachable, the reply a host sends when a UDP datagram reaches a closed port.
  • 2000/03/23 08:20:00 18 OUT 192.72.120.74 204.113.223.234 ping_resp none 10 1120
  • 2000/03/23 07:36:32 18 OUT 192.72.120.74 204.113.34.112 ping_resp none 7 784
  • 2000/03/23 08:31:51 18 OUT 192.72.120.74 204.113.79.122 ping_resp none 9 1008
  • 2000/03/23 07:46:15 18 OUT 195.238.2.19 204.113.86.205 1/3/3 none 6 576
  • 2000/03/23 07:40:48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
  • 2000/03/23 07:32:35 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 6 672
  • 2000/03/23 07:50:43 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 2 224
  • 2000/03/23 07:59:27 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
  • 2000/03/23 08:07:28 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
  • 2000/03/23 07:32:48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
  • 2000/03/23 07:50:23 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 4 448
  • 2000/03/23 07:59:40 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 2 224

124
Polymorphism and Distracters
  • Polymorphic destinations, sources, and ports. What's an IDS to do?
  • Same field layout as the previous slide; 6/13643/1971 is protocol 6 (TCP), destination port 13643, source port 1971. Every TCP record is a single 40-byte packet, a bare header with no payload, each to a different destination, from eight different sources, all within 41 seconds. No single source address carries enough events to trip a per-source threshold.
  • 2000/03/30 14:21:53 2 IN 192.41.60.38 204.113.124.89 6/13643/1971 1 40
  • 2000/03/30 14:21:54 2 IN 209.252.122.37 204.113.169.21 6/65457/47868 1 40
  • 2000/03/30 14:21:57 2 IN 130.49.68.73 204.113.230.81 6/20443/11946 1 40
  • 2000/03/30 14:22:04 2 IN 145.101.193.19 204.113.147.45 6/64071/7698 1 40
  • 2000/03/30 14:22:08 2 IN 209.252.122.37 204.113.144.80 6/56431/28396 1 40
  • 2000/03/30 14:22:11 2 IN 209.252.122.37 204.113.119.121 6/11602/9082 1 40
  • 2000/03/30 14:22:11 2 IN 208.28.236.81 204.113.110.4 6/23201/49700 1 40
  • 2000/03/30 14:22:17 2 IN 192.41.60.38 204.113.112.82 6/59299/63684 1 40
  • 2000/03/30 14:22:18 2 IN 199.183.9.105 204.113.234.88 6/43377/65316 1 40
  • 2000/03/30 14:22:19 2 IN 199.183.9.105 204.113.230.106 6/59932/28865 1 40
  • 2000/03/30 14:22:22 2 IN 209.252.122.37 204.113.202.17 6/19822/61999 1 40
  • 2000/03/30 14:22:22 2 IN 209.247.108.212 204.113.205.71 6/46531/28491 1 40
  • 2000/03/30 14:22:23 2 IN 208.28.236.81 204.113.253.118 6/65448/43557 1 40
  • 2000/03/30 14:22:24 2 IN 194.47.143.229 204.113.43.81 6/64904/14091 1 40
  • 2000/03/30 14:22:31 2 IN 204.113.53.34 204.113.63.255 netbios gm 5 1145
  • 2000/03/30 14:22:34 2 IN 209.247.108.212 204.113.250.115 6/8463/38040 1 40
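The two captures above (slides 123 and 124) share one record format and one lesson: when the source field is polymorphic, correlate on what the packets have in common rather than on who sent them. The script below is an added example for this deck, not code from the original presentation. It parses both captures (copied from the slides with the times re-punctuated as HH:MM:SS), decodes the service field the way the scan log earlier in the deck does (protocol/type/code for ICMP, protocol/destination-port/source-port for TCP and UDP), reports which local hosts each ICMP responder spoke to, and flags a sweep of header-only TCP packets across many destinations regardless of how many sources it is spread over. The field names, the 60-second window and the destination threshold are assumptions for illustration.

```python
"""Decode and correlate the firewall-style records from slides 123 and 124.
Added example, not from the deck; field meaning inferred from the records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Records copied from the two slides; times re-punctuated as HH:MM:SS.
SLIDE_123 = """\
2000/03/23 08:20:00 18 OUT 192.72.120.74 204.113.223.234 ping_resp none 10 1120
2000/03/23 07:36:32 18 OUT 192.72.120.74 204.113.34.112 ping_resp none 7 784
2000/03/23 08:31:51 18 OUT 192.72.120.74 204.113.79.122 ping_resp none 9 1008
2000/03/23 07:46:15 18 OUT 195.238.2.19 204.113.86.205 1/3/3 none 6 576
2000/03/23 07:40:48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07:32:35 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 6 672
2000/03/23 07:50:43 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 2 224
2000/03/23 07:59:27 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 08:07:28 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 07:32:48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07:50:23 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 4 448
2000/03/23 07:59:40 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 2 224
"""
SLIDE_124 = """\
2000/03/30 14:21:53 2 IN 192.41.60.38 204.113.124.89 6/13643/1971 1 40
2000/03/30 14:21:54 2 IN 209.252.122.37 204.113.169.21 6/65457/47868 1 40
2000/03/30 14:21:57 2 IN 130.49.68.73 204.113.230.81 6/20443/11946 1 40
2000/03/30 14:22:04 2 IN 145.101.193.19 204.113.147.45 6/64071/7698 1 40
2000/03/30 14:22:08 2 IN 209.252.122.37 204.113.144.80 6/56431/28396 1 40
2000/03/30 14:22:11 2 IN 209.252.122.37 204.113.119.121 6/11602/9082 1 40
2000/03/30 14:22:11 2 IN 208.28.236.81 204.113.110.4 6/23201/49700 1 40
2000/03/30 14:22:17 2 IN 192.41.60.38 204.113.112.82 6/59299/63684 1 40
2000/03/30 14:22:18 2 IN 199.183.9.105 204.113.234.88 6/43377/65316 1 40
2000/03/30 14:22:19 2 IN 199.183.9.105 204.113.230.106 6/59932/28865 1 40
2000/03/30 14:22:22 2 IN 209.252.122.37 204.113.202.17 6/19822/61999 1 40
2000/03/30 14:22:22 2 IN 209.247.108.212 204.113.205.71 6/46531/28491 1 40
2000/03/30 14:22:23 2 IN 208.28.236.81 204.113.253.118 6/65448/43557 1 40
2000/03/30 14:22:24 2 IN 194.47.143.229 204.113.43.81 6/64904/14091 1 40
2000/03/30 14:22:31 2 IN 204.113.53.34 204.113.63.255 netbios gm 5 1145
2000/03/30 14:22:34 2 IN 209.247.108.212 204.113.250.115 6/8463/38040 1 40
"""

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_NAMES = {(0, 0): "echo reply", (3, 0): "net unreachable", (3, 1): "host unreachable",
              (3, 3): "port unreachable", (8, 0): "echo request", (11, 0): "TTL exceeded"}


def decode_service(svc):
    """proto/type/code for ICMP, proto/dst-port/src-port otherwise; names pass through."""
    if svc == "ping_resp":
        return "ICMP echo reply"
    parts = svc.split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return svc
    proto, a, b = map(int, parts)
    if proto == 1:
        return "ICMP type %d code %d (%s)" % (a, b, ICMP_NAMES.get((a, b), "unknown"))
    return "%s dst port %d from src port %d" % (PROTO.get(proto, "proto %d" % proto), a, b)


def parse(text):
    """date time id dir src dst service [flags] packets bytes -> sorted list of dicts."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        recs.append({"ts": datetime.strptime(f[0] + " " + f[1], "%Y/%m/%d %H:%M:%S"),
                     "dir": f[3], "src": f[4], "dst": f[5], "svc": f[6],
                     "flags": f[7] if len(f) > 9 else "",
                     "pkts": int(f[-2]), "bytes": int(f[-1])})
    return sorted(recs, key=lambda r: r["ts"])


def icmp_fanout(recs):
    """Per ICMP sender: which message types went to which hosts.  Port-unreachables
    from one outside host to several inside hosts mean the inside hosts are sending
    it UDP (or someone is spoofing their addresses at it); not a random event."""
    out = defaultdict(lambda: defaultdict(set))
    for r in recs:
        kind = decode_service(r["svc"])
        if kind.startswith("ICMP"):
            out[r["src"]][kind].add(r["dst"])
    return {src: {k: sorted(v) for k, v in kinds.items()} for src, kinds in out.items()}


def find_header_only_sweeps(recs, window=timedelta(seconds=60), min_dst=8):
    """Single 40-byte TCP packets are bare headers (SYN or ACK probes, no payload).
    Many of them to many destinations inside `window` is a sweep; the sources are
    reported but not trusted, since decoys or spoofed addresses pad the real scanner."""
    probes = [r for r in recs if r["svc"].startswith("6/") and r["pkts"] == 1 and r["bytes"] == 40]
    findings, i = [], 0
    while i < len(probes):
        j = i
        while j + 1 < len(probes) and probes[j + 1]["ts"] - probes[i]["ts"] <= window:
            j += 1
        chunk = probes[i:j + 1]
        dsts = {r["dst"] for r in chunk}
        if len(dsts) >= min_dst:
            findings.append({"start": chunk[0]["ts"], "end": chunk[-1]["ts"],
                             "sources": sorted({r["src"] for r in chunk}),
                             "destinations": len(dsts),
                             "dst_ports": len({r["svc"].split("/")[1] for r in chunk})})
            i = j + 1
        else:
            i += 1
    return findings


if __name__ == "__main__":
    recs = parse(SLIDE_123 + SLIDE_124)
    for src, kinds in icmp_fanout(recs).items():
        for kind, dsts in kinds.items():
            print("%s sent %s to %d host(s): %s" % (src, kind, len(dsts), ", ".join(dsts)))
    for s in find_header_only_sweeps(recs):
        print("SWEEP %s..%s: %d destinations, %d ports, %d apparent sources"
              % (s["start"].time(), s["end"].time(), s["destinations"], s["dst_ports"], len(s["sources"])))
```

On the slide 123 data the fan-out shows 195.238.2.19 returning port-unreachables to four different 204.113 hosts and 192.72.120.74 answering pings from three; on the slide 124 data the sweep detector reports one 41-second burst of fifteen header-only probes to fifteen destinations on fifteen ports from eight apparent sources, which is the finding a per-source threshold would have missed.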

125
Escalating Privileges
  • Objective
  • If only user-level access was obtained, elevate it to system or root access.
  • Technique
  • Password cracking, known exploits, buffer overflows in known programs that run with elevated privilege
  • Tools
  • L0phtCrack, john, getadmin, sechole, the LC_MESSAGES exploit, etc. Sendmail had numerous holes that raised privilege to root. GetAdmin is a user-level program that adds an unprivileged user to the Administrators group on Windows NT 4.0.

126
Pilfering
  • Objective
  • Grab any interesting or profitable data on the machine
  • Technique
  • Evaluate trust relationships, look for clear-text passwords
  • Tools
  • cat, type, .rhosts files, e-mail searches, LSA secrets, user data, config files, and registry data.

127
Covering Tracks
  • Objective
  • Hide the interloper's romp through the machine
  • Technique
  • Clear or modify logs, hide tools, install rootkits and trojans
  • Tools
  • zap, rm *.log, Back Orifice, SubSeven, NetBus, etc.

128
Trojans
  • "I want to come back and show the others in my clan!"
  • Trojans: Back Orifice, NetBus, and SubSeven.
  • If you find a trojan, make sure you understand how it got there!

129
Covering Tracks
  • Generally, but not always, the interloper makes a malicious exit.
  • Typically by crashing the server.

130
Password Cracking
  • L0phtCrack (LC3/LC4)

131
Case Study Nimda Worm
  • Worm: self-replicating malicious code
  • Discovered September 18, 2001
  • Successor to the Code Red worm (July 2001); it also reuses the backdoors Code Red II left on IIS servers
  • Affects all Windows platforms
  • Estimated $500 million in downtime and clean-up cost in the first 24 hours
  • Unique in its variety of propagation techniques: IIS exploits, e-mail, open network shares, and browsing infected web pages

132
Intrusion Detection Hits on NIMDA
First sign: explosive TFTP activity (UDP port 69).
133
Intrusion Detection Hits on NIMDA
Second sign: every transfer is the same file, Admin.dll, which a newly infected IIS server fetches by TFTP from the host that attacked it.
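Both Nimda signs above can be checked mechanically from the UDP payloads: a TFTP read request is opcode 1 followed by a NUL-terminated filename and a NUL-terminated mode (RFC 1350), so a sensor can count requests per minute and tally filenames. The script below is an added example for this deck, not code from the original presentation. The TFTP datagrams are constructed from the RFC 1350 request format; the timestamps and the requesting addresses are invented for illustration, with the requesters being the newly infected servers fetching Admin.dll as on the slide. The rate and dominance thresholds are assumptions.

```python
"""TFTP request parsing and the two Nimda indicators from the slides above.
Added example, not from the deck; capture data is constructed."""
import struct
from collections import Counter
from datetime import datetime, timedelta

TFTP_MODES = ("netascii", "octet", "mail")


def parse_tftp_request(payload):
    """Return (opcode_name, filename, mode) for a TFTP RRQ/WRQ, else None.
    Layout (RFC 1350): 2-byte opcode, filename, NUL, mode, NUL."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):                      # 1 = RRQ, 2 = WRQ; DATA/ACK/ERROR ignored
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":      # need two NUL-terminated strings
        return None
    try:
        filename, mode = fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in TFTP_MODES:
        return None
    return ("RRQ" if opcode == 1 else "WRQ", filename, mode)


def rrq(filename, mode="octet"):
    """Build a TFTP read request; used here only to construct sample traffic."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


# Constructed capture: (timestamp, requesting host, UDP payload to port 69).
T0 = datetime(2001, 9, 18, 10, 0, 0)
CAPTURE = [(T0, "204.113.1.2", rrq("rtr1-confg", "netascii")),        # normal: router config
           (T0 + timedelta(minutes=20), "204.113.1.3", rrq("bootimage.bin"))]
for n in range(40):   # constructed Nimda burst: 40 freshly infected servers, one file, 2 minutes
    CAPTURE.append((T0 + timedelta(minutes=90, seconds=3 * n),
                    "204.113.%d.%d" % (10 + n // 20, 50 + n), rrq("Admin.dll")))


def tftp_indicators(capture, window=timedelta(seconds=60), max_rrq=5, dominance=0.9):
    """Sign 1: read-request rate in the busiest `window` above `max_rrq`.
    Sign 2: one filename accounting for at least `dominance` of all requests.
    Thresholds are assumptions; tune them to the site's normal TFTP use."""
    reqs = []
    for ts, src, payload in capture:
        parsed = parse_tftp_request(payload)
        if parsed and parsed[0] == "RRQ":
            reqs.append((ts, src, parsed[1]))
    reqs.sort()
    peak, peak_start = 0, None
    for i, (ts, _, _) in enumerate(reqs):
        j = i
        while j + 1 < len(reqs) and reqs[j + 1][0] - ts <= window:
            j += 1
        if j - i + 1 > peak:
            peak, peak_start = j - i + 1, ts
    names = Counter(name for _, _, name in reqs)
    top, top_n = names.most_common(1)[0] if names else (None, 0)
    share = top_n / len(reqs) if reqs else 0.0
    return {"total_rrq": len(reqs), "peak_per_window": peak, "peak_start": peak_start,
            "rate_alarm": peak > max_rrq, "dominant_file": top, "dominant_share": share,
            "file_alarm": bool(reqs) and share >= dominance,
            "distinct_sources": len({src for _, src, _ in reqs})}


if __name__ == "__main__":
    r = tftp_indicators(CAPTURE)
    print("%d RRQs from %d hosts; peak %d/min at %s" % (r["total_rrq"], r["distinct_sources"],
                                                        r["peak_per_window"], r["peak_start"]))
    print("rate alarm: %s, file alarm: %s (%s = %.0f%%)" % (r["rate_alarm"], r["file_alarm"],
                                                            r["dominant_file"], 100 * r["dominant_share"]))
```

On the constructed capture the detector reports 42 read requests from 42 hosts with a peak of 21 in one minute and Admin.dll making up 95 percent of them, tripping both alarms; the two baseline requests on their own trip neither. The parser also rejects a DATA packet and a request missing its final NUL, so a malformed datagram cannot inflate the count.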
135
Nimda Lessons Learned
  • Mimics and automates attacker behavior
  • Threats are not confined to high profile targets
  • There is no silver bullet
  • Depth and diversity of defense is required
  • A strong methodology is the only proven way to address complex security challenges

136
Nimda Lessons Learned
  • Use patches to address vulnerabilities
  • Update policy to require hardening of servers and desktops
137
References
  • Security Web Sites and Alerts Lists
  • http://nsi.org
  • http://www.cs.purdue.edu/coast/
  • http://www.telstra.com.au/info/security.html
  • http://www.nsi.org/Compsec.html
  • http://www.securityportal.com/
  • http://www.ntbugtraq.com/
  • http://www.icsa.net/
  • http://www.phrack.com/

138
References
  • Security Web Sites
  • http://www.2600.com/
  • http://www.securityfocus.com/
  • ftp://ftp.porcupine.org/pub/security/index.html
  • http://www.l0pht.com/
  • http://www.ibiblio.org/matusiak/bkmrk.html/

139
References
  • Security Vulnerabilities
  • http://xforce.iss.net/
  • http://seclab.cs.ucdavis.edu/projects/vulnerabilities/database/
  • http://www.cerias.purdue.edu/coast/projects/vdb.html
  • http://www.rootshell.com/

140
References
  • Security Tools
  • http://packetstorm.securify.com/
  • ftp://ciac.llnl.gov/pub/ciac/sectools/unix/
  • ftp://coast.cs.purdue.edu/pub/tools/
  • ftp://ftp.cert.org/pub/tools/
  • ftp://ftp.win.tue.nl/pub/security/
  • ftp://ftp.funet.fi/pub/unix/security/

141
References
  • Securing Wireless Ethernet
  • C:\CISO_CDROM\Protecting 802.11b Networks.txt (file on the course CD-ROM)

142
References
  • Encryption
  • http://www.gnupg.org/ - GNU Privacy Guard (PGP replacement)
  • http://www.openssl.org/ - OpenSSL (free SSL toolkit)
  • http://www.pgpi.com/ - PGP (International)
  • http://www.pgp.com/ - PGP (US)
  • http://www.ssh.fi/ - SSH Communications
  • http://net.lut.ac.uk/psst/ - psst, GNU's ssh replacement
  • http://www.ssleay.org/ - SSLeay (superseded by OpenSSL)

143
Resources
  • Conferences
  • http://www.sans.org/newlook/home.php
  • http://www.gocsi.com/wkshop.shtml/
  • http://www.nsa.gov/isso/programs/coeiae/index.htm
  • http://www.misti.com/
  • http://csrc.nist.gov/ATE/

144
References
  • Security Trends
  • C:\CISO_CDROM\Hack Attacks Global Concern.html (course CD-ROM)
  • http://www.vnunet.com/News/1126993.html
  • C:\CISO_CDROM\Managing the CyberThreat.htm, Control Risks Group (course CD-ROM)
  • http://www.esat.kuleuven.ac.be/cosic/news-981028.html
  • http://www.sans.org/, see C:\CSO_CDROM\Threats.htm (course CD-ROM)

145
References
  • Security Trends
  • http://www.vectec.org/researchcenter/stats.html?category=9
  • http://www.securitysoftwaretech.com/antisniff/purpose.html
  • Software Description
  • C:\CISO_CDROM\Software Description.html (course CD-ROM)

146
References
  • Covert TCP Connections
  • C:\CISO_CDROM\Covert.txt, covert.tcp.tar (course CD-ROM)
  • Firewall Information
  • http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
  • Intrusion Detection Information
  • http://www.snort.org

147
References
  • Denial of Service
  • C:\CISO_CDROM\DoS_trends.pdf (course CD-ROM)
  • C:\CISO_CDROM\grc.txt (course CD-ROM)
  • http://media.grc.com:8080/files/grcdos.pdf
  • C:\CISO_CDROM\DDoS, C:\CISO_CDROM\E-mail Log (raw).txt (course CD-ROM)
  • http://www.silicondefense.com/software/snortsnarf/
  • SMTP Body Parts: http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc821.html

148
References
  • Setting Security Standards
  • http://www.gcn.com/vol19_no6/news/1564-1.html
  • http://csrc.nist.gov/csrc/maillist.html
  • http://csrc.nist.gov/csrc/standards.html
  • http://csrc.nist.gov/publications/nistpubs/800-7/node280.html (IEEE)
  • http://csrc.nist.gov/publications/nistpubs/800-7/node278.html (CCIT)
  • http://csrc.nist.gov/publications/nistpubs/800-7/node279.html (ECMA)

149
References
  • Threats
  • Known Exploits and Prevention
  • http://ist-it-true.org/pt
  • http://hackersplayground
  • http://packetstorm.widexs.nl/exploits20.shtml
  • http://astalavista.box.sk

150
References
  • Daemon9, aka Route. "Project Neptune." Phrack 48, article 13, 1996.
  • Irwin, Vicki, and Pomeranz, Hal. "Advanced Intrusion Detection and Packet Filtering." SANS Network Security 99, 1999.
  • Newsham, Tim, and Ptacek, Tom. "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection." Secure Networks, Inc., 1998.
  • Northcutt, Stephen. Network Intrusion Detection: An Analyst's Handbook. Indianapolis, Indiana: New Riders, 1999.
  • Postel, Jon (ed.). "RFC 793: Transmission Control Protocol." Defense Advanced Research Projects Agency, 1981.
  • Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, Massachusetts: Addison-Wesley, 1994.

151
Windows O.S. Security How Tos
  • http://www.microsoft.com/technet/itsolutions/howto/sechow.asp
  • Get help securing your corporate network with these step-by-step How-To guides.
  • Windows 2000 Professional

152
System Security in Windows 2000
  • Apply Predefined Security Templates in Windows
    2000
  • Change the Policy Settings for a Certification
    Authority (CA) in Windows 2000
  • Configure a Certificate Authority to Issue Smart
    Card Certificates in Windows 2000
  • Configure a Domain EFS Recovery Policy in Windows
    2000
  • Configure Certificate Trust Lists in Internet
    Information Services 5.0
  • Configure Security for a Simple Network
    Management Protocol Service in Windows 2000
  • Configure Windows 2000 Server to Notify You When
    a Security Breach Is Being Attempted
  • Control Access to a Database on a Web Server in
    Windows 2000
  • Create Automatic Certificate Requests with Group
    Policy in Windows
  • Define Security Templates in the Security
    Templates Snap-in in Windows 2000
  • Disable the Automatic L2TP/IPSec Policy
  • Enforce a Remote Access Security Policy in
    Windows 2000

153
Windows 2000
  • Export Certificates in Windows 2000
  • Find and Clean Up Duplicate Security Identifiers
    with Ntdsutil in Windows 2000
  • Get a Certificate Signed by an Off-Network Root
    Authority in Windows 2000
  • Harden the TCP/IP Stack Against Denial of Service
    Attacks in Windows 2000
  • Install a Smart Card Reader in Windows 2000
  • Keep Domain Group Policies from Applying to
    Administrator Accounts and Selected Users in
    Windows 2000
  • Prevent the Last Logged-On User Name from Being
    Displayed in Windows 2000
  • Publish a Certificate Revocation List in Windows
    2000
  • Use Group Policy to Apply Security Patches in
    Windows 2000
  • Use IPSec Policy to Secure Terminal Services
    Communications in Windows 2000
  • Use the Directory Services Store Tool to Add a
    Non-Windows 2000 Certification Authority (CA) to
    the PKI in Windows 2000
  • Back Up Your Encrypting File System Private Key
    in Windows 2000

154
Windows 2000 Server
  • Configure a Primary Internet Authentication
    Service Server on a Domain Controller
  • Configure Remote Access Client Account Lockout in
    Windows 2000
  • Configure Security for Files and Folders on a
    Network (Domain) in Windows 2000
  • Monitor for Unauthorized User Access in Windows
    2000
  • Prevent Users From Changing a Password Except
    When Required in Windows 2000
  • Prevent Users From Submitting Alternate Logon
    Credentials in Windows 2000
  • Restore an Encrypting File System Private Key for
    Encrypted Data Recovery in Windows 2000

155
Windows 2000 Server
  • Perform Security Planning for Internet
    Information Services 5.0
  • Configure the Security for a Server That Uses
    Microsoft NNTP Service in Windows 2000
  • Configure User and Group Access on an Intranet in
    Windows NT 4.0 or Windows 2000
  • Provide Secure Point-to-Point Communications
    Across the Internet in Windows 2000
  • Safely Connect Your Company to the Internet in
    Windows 2000
  • Set SMTP Security Options in Windows 2000
  • Use IPSec Monitor in Windows 2000
  • Deploy
  • Enable SSL for All Customers Who Interact with
    Your Web Site in Internet Information Services
  • View or Change Authentication Methods in IIS
  • Operate
  • View or Change Authentication Methods in IIS
  • Prevent Users from Accessing Unauthorized Web
    Sites in ISA Server
  • Provide Internet Access Through a Firewall in
    Internet Security and Acceleration Server
  • Add an Authorized Page Warning in Windows 2000

156
Windows 2000 Server
  • Configure IIS 5.0 Web Site Authentication in
    Windows 2000
  • Install Imported Certificates on a Web Server in
    Windows 2000
  • Prevent Mail Relay in the IIS 5.0 SMTP Server in
    Windows 2000
  • Prevent Web Caching in Windows 2000
  • Secure XML Web Services with Secure Socket Layer
    in Windows 2000
  • Set Secure NTFS Permissions on IIS 5.0 Log Files
    and Virtual Directories in Windows 2000
  • Use Internet Protocol Security to Secure Network
    Traffic Between Two Hosts in Windows 2000
  • Use NTFS Security to Protect a Web Page Running
    on IIS 4.0 or 5.0

157
Windows XP
  • Access an EFI Partition in Windows XP 64-Bit
    Edition
  • Audit User Access of Files, Folders, and Printers
    in Windows XP
  • Change the Logon Window and the Shutdown
    Preferences in Windows XP
  • Configure a Preshared Key for Use with Layer 2
    Tunneling Protocol Connections in Windows XP
  • Create and Disable Administrative Shares on
    Windows XP
  • Delegate Security for a Printer in Windows XP
  • Disable the Local Administrator Account in
    Windows
  • Encrypt a File in Windows XP
  • Encrypt a Folder in Windows XP
  • Encrypt Offline Files to Secure Data in Windows
    XP
  • Manage Stored User Names and Passwords on a
    Computer in a Domain in Windows XP
  • Manage Stored User Names and Passwords on a
    Computer That Is Not in a Domain in Windows XP
  • Prevent a User From Running or Stopping a
    Scheduled Process in Windows XP
  • Remove File Encryption in Windows XP

158
Windows XP
  • Set Up a .NET Passport Account in Windows XP
  • Set WMI Namespace Security in Windows XP
  • Set, View, Change, or Remove File and Folder
    Permissions in Windows XP
  • Set, View, Change, or Remove Special Permissions
    for Files and Folders in Windows XP
  • Share Access to an Encrypted File in Windows XP
  • Turn On Remote Desktop Automatic Logon in Windows
    XP
  • Use Cipher.exe to Overwrite Deleted Data in
    Windows
  • Use the Autologon Feature in the Remote Desktop
    Connection in Windows XP
  • Use the Group Policy Editor to Manage Local
    Computer Policy in Windows XP
  • Use the Microsoft Personal Security Advisor Web
    Site in Windows
  • Internet Security and Acceleration Server
  • Configure Logging in Internet Security and
    Acceleration Server
  • Set Up and Allocate Bandwidth in ISA Server
  • Configure the ISA Server 2000 HTTP Redirector
    Filter in Windows 2000
  • Enable Reporting in Internet Security and
    Acceleration Server 2000
  • Filter ISA Server Web Proxy Cache Entries in
    Windows 2000

159
Windows XP
  • Monitor Server Activity in Internet Security and
    Acceleration Server 2000
  • Securely Publish Multiple Web Sites by Using ISA
    Server in Windows 2000
  • Set Bandwidth Configuration in Microsoft Internet
    Security and Acceleration Server