Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5



Layer 7 switches, unlike the Layer 2 switches discussed earlier, inspect application layer services (HTTP or DNS, for example) and make rule-based routing decisions. The technique’s origins in load balancing make it potentially effective in countering DoS attacks, and vendors such as TopLayer, Foundry, and Arrowpoint have developed solutions in this area.

Hybrid switches combine this approach with a policy based on application-level activity rather than on a simple rule set.

Hogwash (http://hogwash.sourceforge.net) is an interesting open-source variation on the theme of an inline NIDS (a system that transparently inspects and passes/rejects traffic). Hogwash uses the Snort signature detection engine (much more about Snort in a moment) to decide whether to accept traffic without alerting a possible attacker to the failure of his or her attempt, but it can also act as a “packet scrubber,” passing on a neutered version of a malicious packet.
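
The accept, silently drop, or scrub decision described above for an inline NIDS, as an added sketch in Python (not code from the book, Hogwash, or Snort). The signature patterns, the sample payloads, and the same-length overwrite used for scrubbing are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PASS = "pass"    # forward unchanged
    DROP = "drop"    # discard silently: no reset or ICMP error goes back to the sender
    SCRUB = "scrub"  # forward with the matched bytes overwritten


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    action: Action


# Constructed signatures for illustration only; not real Snort or Hogwash rules.
SIGNATURES = [
    Signature("example-bot-command", b"!example.scan", Action.DROP),
    Signature("example-bad-marker", b"EXAMPLE-PAYLOAD", Action.SCRUB),
]


def inspect(payload: bytes, signatures=SIGNATURES):
    """Return (action, payload_to_forward, matched_names) for one packet payload.

    DROP outranks SCRUB. Scrubbing overwrites each match with the same number
    of filler bytes, so the payload length (and any length field) is unchanged.
    """
    matched, scrubbed = [], payload
    for sig in signatures:
        if sig.pattern not in payload:
            continue
        matched.append(sig.name)
        if sig.action is Action.DROP:
            # Nothing is forwarded and nothing is sent back to the source.
            return Action.DROP, None, matched
        if sig.action is Action.SCRUB:
            scrubbed = scrubbed.replace(sig.pattern, b"X" * len(sig.pattern))
    if scrubbed != payload:
        return Action.SCRUB, scrubbed, matched
    return Action.PASS, payload, matched
```

Because a dropped packet produces no reply of any kind, the sender sees only a timeout, while a scrubbed packet still arrives at the destination with its length intact and the matched bytes neutralised.
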

But there’s no real either/or when it comes to intrusion management. Any number of other measures contribute to the prevention of intrusion: sound patch management, user education, policy enforcement, e-mail content filtering, generic filtering by file type, and so forth. First we’ll take a look at the best-known and yet least understood technology for countering intrusion by malicious code.

Virus Detection on Hosts

How do you manage the botnet problem—or indeed, any security problem? Here’s a simplification of a common model describing controls for an operational environment:

Administrative controls (policies, standards, procedures)

Preventative controls (physical, technical, or administrative measures to lower your systems’ exposure to malicious action)

Detective controls (measures to identify and react to security breaches and malicious action)
