
Copyright © 2002-2012 Tenable Network Security, Inc.
occurred at least once. For connections outside of the focus network, the PVS will only log
what ports are browsed, not the actual destinations.
If logging session-by-session network events is a requirement for your network
analysis, Tenable offers the Log Correlation Engine product, which can be used to
log firewall, web server, router, and sniffer logs. For more information, please
visit http://www.tenable.com/products/lce/.
WHAT THIS MEANS FOR FIREWALL RULES
If the PVS is placed immediately behind a firewall, such that all of the traffic presented to
the PVS is flowing through the firewall, then the list of served ports and client-side ports and
the respective IP addresses of the users is readily available. By using tools such as the
SecurityCenter’s “browse vulnerabilities” interface, information about these ports (both
client and server) can be browsed, sorted, and reported on. Lists of IP addresses and
networks using these client and server ports can also be viewed.
WORKING WITH THE SECURITYCENTER
When multiple PVS sensors are managed by a SecurityCenter, users of the SecurityCenter
are able to analyze the aggregate types of open ports, browsed ports, and communication
activity occurring on the focus network. Since the SecurityCenter has several different types
of users and privileges, many different IT and network engineering accounts can be created
across an enterprise so they can share and benefit from the information detected by the
PVS.
SELECTING RULE LIBRARIES AND FILTERING RULES
Tenable ships the PVS with two distinct sets of rule libraries.
The first is a library of passive vulnerability detection rules. This file is encrypted and cannot
be modified by the end users of the PVS. However, if certain vulnerability rules should be
disabled, they can be specified through the PVS configuration file, pvs.conf for Unix
systems.
The second set of rules consists of the PVS real-time plugins. With these plugins enabled, the PVS
can look for a wide variety of successful application and system compromises. They are not
encrypted and can be modified by PVS users for customization.
If the PVS is being managed by the SecurityCenter, it will automatically update
the libraries shipped. In this case, any changes to PVS plugins should be made by
disabling specific plugins or by creating new libraries to augment the plugin set
delivered by Tenable.
DETECTING ENCRYPTED AND INTERACTIVE SESSIONS
The PVS can be configured to detect both encrypted and interactive sessions. An encrypted
session is a TCP or UDP session that contains sufficiently random payloads. An interactive
session uses timing and statistical profiling of the packets in a session to determine if the
session involves a human typing at a command line prompt.
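The two heuristics described above, as an added example that is not Tenable's code and does not represent how the PVS implements them: payload randomness is scored with Shannon entropy, and interactivity is judged from client packet sizes and inter-packet timing. The thresholds, function names, and sample sessions are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_BITS = 7.5   # assumed cut-off in bits per byte, not a PVS setting
MIN_BYTES = 1024     # smaller samples give an unreliable entropy estimate

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, from 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(payloads) -> bool:
    """Judge a session by the entropy of its concatenated packet payloads."""
    stream = b"".join(payloads)
    return len(stream) >= MIN_BYTES and shannon_entropy(stream) >= ENTROPY_BITS

def looks_interactive(packets, max_size=64, min_gap=0.05, max_gap=5.0,
                      ratio=0.8, min_packets=10) -> bool:
    """packets: (timestamp_seconds, payload_length) pairs sent by the client.
    Typing shows up as small payloads separated by human-scale pauses."""
    if len(packets) < min_packets:
        return False
    small = sum(1 for _, size in packets if 0 < size <= max_size)
    gaps = [later[0] - earlier[0] for earlier, later in zip(packets, packets[1:])]
    human = sum(1 for gap in gaps if min_gap <= gap <= max_gap)
    return small / len(packets) >= ratio and human / len(gaps) >= ratio

# Constructed sample sessions (not captured traffic).
HTTP_PAYLOADS = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"] * 40
# SHA-256 output stands in for ciphertext: deterministic, near-uniform bytes.
CIPHER_PAYLOADS = [hashlib.sha256(bytes([i])).digest() for i in range(128)]
KEYSTROKES = [(i * 0.25, 1) for i in range(20)]        # one byte every 250 ms
BULK_TRANSFER = [(i * 0.001, 1460) for i in range(20)]  # full segments, 1 ms apart
SCRIPTED = [(i * 0.001, 1) for i in range(20)]          # small but machine-paced

if __name__ == "__main__":
    print("HTTP encrypted?      ", looks_encrypted(HTTP_PAYLOADS))
    print("Cipher encrypted?    ", looks_encrypted(CIPHER_PAYLOADS))
    print("Keystrokes interactive?", looks_interactive(KEYSTROKES))
    print("Bulk interactive?    ", looks_interactive(BULK_TRANSFER))
    print("Scripted interactive?", looks_interactive(SCRIPTED))
```

Compressed payloads also score near 8 bits per byte, so an entropy test alone reports compressed transfers as encrypted.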
In both cases, the PVS will identify these sessions for the given port and IP protocol. It will