Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide, page 54

In the above picture, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network.
In session A, the PVS only analyzes vulnerabilities observed on the server inside the focus network and does not report
client side vulnerabilities. In session B, the PVS ignores vulnerabilities on the destination server, but reports client side
vulnerabilities. In session C, both client and server vulnerabilities are reported.
There is one more filter that the PVS uses while looking for unique sessions. This is a dependency that requires the host
to be running a major service. These dependencies are defined by a list of PVS plugin IDs that identify SSL, FTP and
several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if
a University ran a public FTP server that had thousands of downloads each hour, it would make sense to disable
interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443
will also eliminate some noise for the PVS.
Detecting Server and Client Ports
The method used by TCP connections to initiate communication is known as the “three-way handshake”. This method can
be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her a “SYN”
packet, in TCP terms. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The
communication is still not established, since Bob may have hung up as she was answering. The communication is
established when Bob replies to Alice, sending her an “ACK”.
The PVS configuration option “connections-to-services” enables PVS to log network client-to-server activity.
Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system will
emit a TCP SYN packet. If the port the client is connecting to is open, then the server will respond with a TCP
SYN/ACK packet. At this point, PVS will record both the client address and the server port the client is connecting to. If
the port on the server is not open, then the server will not respond with a TCP SYN/ACK packet. In this case, since PVS
never sees a TCP “SYN/ACK” response from the server, PVS will not record the fact that the client tried to connect to the
server port, since the port is not available to that client.
The “connections-to-services” option does not track how many times the connection was made. If the same host
browses the same web server a million times, or browses a million different web servers once, the host will still be marked
as having browsed on port 80. This data is logged as Nessus ID #00002.
The PVS detects many applications through plugin and protocol analysis. At a lower level, the PVS also detects open
ports and outbound ports in use on the monitored networks. By default, the PVS will detect any TCP server on the
protected network if it sees a TCP “SYN-ACK” packet.
In combination, the detection of server ports and client destination ports allows a network administrator to see who on
their network is serving a particular protocol and who on their network is speaking that protocol.
Detecting Specific Server and Client Port Usage
Another PVS configuration option provides more specific details about server and client port usage. This is the
“show-connections” keyword on the configuration page. This setting keeps track of host communication within the focus
network. When the “show-connections” option is enabled, every time a host connects to another host, PVS records the
client, server, and server port, if one of the hosts is in the defined focus network. It does not track the frequency or time
stamp of the connections, just that a connection was made.
The “show-connections” option provides a greater level of detail than the “connections-to-services” option. For
example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to
connect to “some_company.com”, use of these options would record the following:
show-connections:
    2001:DB8::AE59:3FC2 -> some_company.com
connections-to-services:
    some_company.com:SSH
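As an added illustration (not Tenable's code and not from this manual), the following Python sketch replays constructed packet records through the rules described in the two sections above: a server port is noted on any SYN-ACK, client records exist only when that SYN-ACK answers a SYN that was seen, sets replace counters so repeats leave one record, and a show-connections record is kept only when one end is in the focus network, assumed here to be 10.0.0.0/24. All addresses and packets are constructed sample data.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed sample traffic (not a real capture). 10.0.0.0/24 is the focus
# network. Note the SYN to port 8080 that is never answered and the repeated
# SSH connection, which must not produce a second record.
SAMPLE = [
    Packet("10.0.0.5", 50001, "198.51.100.7", 22, "SYN"),
    Packet("198.51.100.7", 22, "10.0.0.5", 50001, "SYN-ACK"),
    Packet("10.0.0.5", 50002, "198.51.100.7", 8080, "SYN"),        # closed port
    Packet("203.0.113.9", 40000, "10.0.0.80", 80, "SYN"),
    Packet("10.0.0.80", 80, "203.0.113.9", 40000, "SYN-ACK"),
    Packet("10.0.0.5", 50003, "198.51.100.7", 22, "SYN"),          # repeat
    Packet("198.51.100.7", 22, "10.0.0.5", 50003, "SYN-ACK"),
    Packet("203.0.113.9", 40001, "198.51.100.7", 443, "SYN"),      # no focus host
    Packet("198.51.100.7", 443, "203.0.113.9", 40001, "SYN-ACK"),
]

def track(packets, focus_cidr):
    """Replay packets and return three sets of records:
    server_ports        (server, port)          any SYN-ACK seen from the server
    conn_to_services    (client, port)          client spoke to that port somewhere
    show_connections    (client, server, port)  only if a focus host is involved
    Client records exist only when a SYN-ACK answers an earlier SYN, so a SYN
    to a closed port leaves no trace. Sets give the 'no counting' behaviour."""
    focus = ipaddress.ip_network(focus_cidr)
    pending = set()
    server_ports, conn_to_services, show_connections = set(), set(), set()
    for p in packets:
        if p.flags == "SYN":
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "SYN-ACK":
            server_ports.add((p.src, p.sport))
            key = (p.dst, p.dport, p.src, p.sport)     # the SYN this answers
            if key not in pending:
                continue
            pending.discard(key)
            client, _, server, port = key
            conn_to_services.add((client, port))
            if any(ipaddress.ip_address(h) in focus for h in (client, server)):
                show_connections.add((client, server, port))
    return server_ports, conn_to_services, show_connections
```

Running `track(SAMPLE, "10.0.0.0/24")` yields one record per distinct (client, port) pair despite the repeated SSH session, nothing for the unanswered SYN to 8080, and no show-connections entry for the external-to-external HTTPS session.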