Section 23 - Monitoring Types Flashcards
Monitoring the network can be done manually or by automated means. What are three automated methods?
Signature Based
Anomaly Based
Behavior Based
What is Signature Based monitoring?
Network traffic is analyzed for predetermined attack patterns
*** imagine this is like profiling and evaluating characteristics. If you see someone walk through the door who is 5’8” with brown hair then that would be Alex’s signature.
What is anomaly based monitoring?
A baseline is established and any network traffic that is outside of the baseline is evaluated
*** This is evaluating behaviors. Doing something it doesn’t normally do
What is behavior based monitoring?
Activity is evaluated based on the previous behavior of the applications, executables, and the OS in comparison to the current activity of the system
Often, in an intrusion detection or intrusion prevention system (IDS/IPS), what do we do with these monitoring methods?
Combine them into a hybrid approach
These methods do not have to be used in isolation: signatures catch known attacks with few false positives, while anomaly and behavior based detection can catch attacks with no signature yet, at the cost of more false positives
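To make the three methods concrete, here is a small added example (not part of the original flashcards) that runs a signature-based check and an anomaly-based check over constructed sample flow records and combines them the hybrid way the card describes. The "training" records establish the baseline (the baselining idea from later cards), the live records are then scored against it, and the payloads are matched against two hypothetical signature rules. All hosts, payloads, byte counts and rule names are made up for the example; behavior-based monitoring would follow the same baseline-and-compare pattern applied to application and OS activity instead of traffic volume.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample records for illustration (not real captures):
# (source host, bytes sent in the flow, first line of the request payload)
TRAINING = [
    ("10.0.0.5", 1200, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 1350, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", 980, "GET /login HTTP/1.1"),
    ("10.0.0.7", 1100, "POST /login HTTP/1.1"),
    ("10.0.0.9", 1250, "GET /images/logo.png HTTP/1.1"),
    ("10.0.0.9", 1180, "GET /css/site.css HTTP/1.1"),
]
LIVE = [
    ("10.0.0.5", 1300, "GET /index.html HTTP/1.1"),                  # normal
    ("10.0.0.7", 1150, "GET /admin.php?id=1' OR '1'='1 HTTP/1.1"),  # matches a signature
    ("10.0.0.9", 48000, "GET /backup.tar.gz HTTP/1.1"),             # volume far above baseline
]

# Signature-based: predetermined attack patterns. Hypothetical rules written for this example.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


@dataclass
class Baseline:
    mean: float
    stdev: float


def build_baseline(records):
    """Baselining: measure what 'normal' flow volume looks like from known-good samples."""
    sizes = [size for _, size, _ in records]
    return Baseline(statistics.mean(sizes), statistics.pstdev(sizes))


def signature_alerts(record):
    """Signature-based check: return the names of every pattern found in the payload."""
    _, _, payload = record
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def anomaly_alert(record, baseline, threshold=3.0):
    """Anomaly-based check: true if the flow's size is more than `threshold`
    standard deviations away from the baseline mean."""
    _, size, _ = record
    if baseline.stdev == 0:
        return size != baseline.mean
    return abs((size - baseline.mean) / baseline.stdev) > threshold


def hybrid_monitor(live, baseline):
    """Hybrid approach: run both detectors over each record and collect all alerts."""
    alerts = []
    for record in live:
        host = record[0]
        for name in signature_alerts(record):
            alerts.append((host, "signature", name))
        if anomaly_alert(record, baseline):
            alerts.append((host, "anomaly", "bytes outside baseline"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for alert in hybrid_monitor(LIVE, baseline):
        print(alert)
```

Running it reports one signature alert for 10.0.0.7 (the injection string matches a rule even though its byte count is perfectly normal) and one anomaly alert for 10.0.0.9 (a benign-looking request whose volume is far outside the baseline). Neither detector alone would have raised both, which is the point of combining them.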
What is baselining?
Process of measuring changes in networking, hardware, software and applications
*** Doing this allows us to see what is normal and what is abnormal
What is baseline reporting?
Documenting and reporting on the changes in a baseline
What is security posture?
Risk level to which a system or other technology element is exposed
*** You will have a baseline for the system that you create as part of your security posture.
What is performance baselining?
This is focused on the operations and functionality of the system
It is one of the most common types of monitoring
** Ex. how much disk space is being used, how much network bandwidth is being used, how much CPU and memory are in use, etc.
This is important to monitor because a resource that is being overtaxed relative to its baseline can be a sign of malware on the system, and that behavior may only be visible by monitoring performance.
What are some different ways you can do performance monitoring?
- Performance Monitor (perfmon.exe, launched from a command prompt) - shows the amount of processing power, memory and disk space being utilized and lets you set up reports to compare against in the future
- Protocol analyzer
What are protocol analyzers?
These are used to capture and analyze network traffic
*** Wireshark is an example of a protocol analyzer
In which two modes can a protocol analyzer's network adapter capture traffic?
Promiscuous mode
Non-promiscuous mode
What does Promiscuous mode in a protocol analyzer mean?
The network adapter captures every frame that reaches it, regardless of the destination MAC address of the frame
** Of the two options, this one captures the most information, but not all network adapters or drivers support it, so make sure you have one that does. Also note that on a switched network the adapter still only receives the frames the switch forwards to its port, which is why port mirroring or a tap is needed to see other hosts' traffic
What does non-promiscuous mode in a protocol analyzer mean?
The network adapter only passes up frames addressed to its own MAC address (plus broadcast frames and the multicast groups it has joined); frames addressed to other hosts are dropped by the adapter before the analyzer ever sees them
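The difference between the two modes comes down to what the adapter does with the destination MAC in the Ethernet header. The following added example (not from the original flashcards) builds a few constructed Ethernet II frames and models the adapter's accept/drop decision in each mode; the MAC addresses and payloads are made up, and the multicast handling is simplified to the group bit (real adapters also filter on the specific groups the host has joined).

```python
# Constructed frames for illustration; MAC addresses and payloads are made up.
OWN_MAC = bytes.fromhex("001122334455")      # the analyzer's own adapter address
BROADCAST = b"\xff" * 6


def make_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build an Ethernet II frame: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType, payload."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def parse_ethernet_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Decide whether the adapter hands this frame up to the capture software."""
    dst, _, _ = parse_ethernet_header(frame)
    if promiscuous:
        return True                 # promiscuous mode: everything the wire delivers is passed up
    if dst == own_mac:
        return True                 # unicast to us
    if dst == BROADCAST:
        return True                 # broadcast
    if dst[0] & 0x01:
        return True                 # group bit set: multicast (real NICs also filter by joined groups)
    return False                    # unicast to someone else: dropped before the analyzer sees it


def capture(frames, own_mac: bytes, promiscuous: bool):
    """Return the destination MACs of the frames the analyzer would actually see."""
    return [mac_str(parse_ethernet_header(f)[0])
            for f in frames if nic_accepts(f, own_mac, promiscuous)]


FRAMES = [
    make_frame(OWN_MAC, bytes.fromhex("aabbccddee01"), payload=b"to us"),
    make_frame(BROADCAST, bytes.fromhex("aabbccddee01"), ethertype=0x0806, payload=b"arp who-has"),
    make_frame(bytes.fromhex("aabbccddee02"), bytes.fromhex("aabbccddee01"), payload=b"not for us"),
    make_frame(bytes.fromhex("01005e0000fb"), bytes.fromhex("aabbccddee01"), payload=b"mdns"),
]

if __name__ == "__main__":
    print("non-promiscuous:", capture(FRAMES, OWN_MAC, promiscuous=False))
    print("promiscuous:    ", capture(FRAMES, OWN_MAC, promiscuous=True))
```

In non-promiscuous mode the third frame (unicast to another host) never reaches the analyzer; in promiscuous mode all four do. Whether that third frame even arrives at the adapter on a switched network is a separate question, answered by the port mirroring and tap cards that follow.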
What is port mirroring?
One or more switch ports are configured so that a copy of every frame they send and receive is forwarded to another port on the switch
** A switch forwards each frame only to the port where its CAM (MAC address) table says the destination MAC lives, so an analyzer on an ordinary port sees only its own traffic plus broadcasts. To get all that data, you set up port mirroring to copy the other ports' traffic to the analyzer's port.
What is a SPAN port?
SPAN (Switched Port Analyzer) is Cisco's name for port mirroring; the SPAN port is the destination port that receives copies of the traffic from the other ports so that the protocol analyzer can see it
This is done logically inside the switch, which replicates the traffic from the source ports onto the SPAN port; no rewiring is needed
*** Caveat: the SPAN port has the bandwidth of a single port, so mirroring several busy full-duplex ports onto it oversubscribes it and the switch silently drops some of the copied frames. If you cannot configure a SPAN port, or cannot tolerate those drops, use a network tap
What is a network tap?
A physical device inserted inline between two points on the network that passes a copy of the traffic flowing through it to a monitoring port
*** You could put this between the router and the switch at the boundary of the network, which would let you see everything coming in and out of the network
What does SNMP stand for?
Simple Network Management Protocol
What is SNMP?
A protocol in the TCP/IP suite (it runs over UDP, port 161 for requests and 162 for traps) that aids in monitoring network-attached devices and computers
*** This is heavily incorporated into the concept of management and monitoring
SNMP is broken down into three components. What are they?
Agent
Managed Devices
Network Management Systems
What are SNMP managed devices?
Computers or other network-attached devices that are monitored, through agents, by a network management system
What are SNMP agents?
Software loaded on a managed device that collects information about the device and reports it to the network management system
What are SNMP Network Management Systems?
Also called NMS, this is software run on one or more servers to control the monitoring of network-attached devices and computers
*** This is going to act as our manager, and it sends and receives messages to and from all of our managed devices across the network (your routers, switches and servers)
When your SNMP NMS is running, what are the different message types it works with?
Get Request - the NMS asks an agent for the value of a variable (a read)
Set Request - the NMS tells an agent to change a variable on the device (a write); because this can reconfigure the device, Set access should be tightly restricted
Trap - not a request at all: the agent sends an unsolicited notification to the NMS when an event occurs (for example, an interface going down), instead of waiting to be polled
From a security standpoint, it's important to know the different versions of SNMP. They are…?
SNMP v1
SNMP v2 (v2c in practice)
SNMP v3
*** v1 and v2c authenticate with a community string that is sent in cleartext, so anyone capturing the segment can read it and then query or reconfigure the device; v3 adds user-based authentication and encryption. Prefer v3, and where v1/v2c must remain, change the default community strings (public/private), make them read-only, and restrict which NMS addresses may query
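To tie the message types and the version warning together, here is an added example (not part of the original flashcards) that encodes SNMPv1 GetRequest and SetRequest messages by hand using the BER rules the protocol actually uses, then parses the version and community string straight back out of the bytes, which is exactly what a protocol analyzer on the segment can do. The community strings, OIDs and contact value are chosen for the example; the GetRequest built below for sysDescr.0 with community "public" produces the same 40-byte message you would see from a standard snmpget, so the encoder can be checked against a real capture. The v1 Trap PDU (tag 0xA4) has a different body and is not built here.

```python
# SNMPv1 message = SEQUENCE { INTEGER version(0), OCTET STRING community, PDU }
# PDU            = [context tag] { INTEGER request-id, INTEGER error-status,
#                                  INTEGER error-index, SEQUENCE OF VarBind }
PDU_TYPES = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "GetResponse": 0xA2, "SetRequest": 0xA3}
NULL = b"\x05\x00"  # ASN.1 NULL, the placeholder value in a GetRequest varbind


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps a high-bit value positive in two's complement."""
    if v < 0:
        raise ValueError("non-negative integers only in this example")
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def ber_octets(s: bytes) -> bytes:
    return tlv(0x04, s)


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(community: str, pdu_type: str, request_id: int, varbinds) -> bytes:
    """Assemble a v1 message; varbinds is a list of (dotted OID, already-encoded value)."""
    vb_list = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(PDU_TYPES[pdu_type],
              ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vb_list))
    return tlv(0x30, ber_int(0) + ber_octets(community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def peek_community(msg: bytes):
    """What a sniffer sees: version, cleartext community string and PDU type, no key required."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode(), pdu_tag


# Example messages: a read of sysDescr.0 and a write to sysContact.0 (values chosen for the example).
GET = build_message("public", "GetRequest", 1, [("1.3.6.1.2.1.1.1.0", NULL)])
SET = build_message("private", "SetRequest", 2,
                    [("1.3.6.1.2.1.1.4.0", ber_octets(b"noc@example.com"))])

if __name__ == "__main__":
    print(GET.hex())
    print(peek_community(GET))   # (0, 'public', 160)
    print(peek_community(SET))   # (0, 'private', 163)
```

The Set message shows why the read-write community matters more than the read-only one: whoever recovers "private" from a capture can send their own SetRequest and change the device. An SNMPv3 message carries a user name, authentication parameters and an encrypted scoped PDU in place of the community string, which is why peek_community would have nothing useful to return for it.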