Real-Time Adaptive Security: A SANS Whitepaper – December 2008
The last tab lets you define whether users are allowed to make changes to the firewall settings, or whether all settings must be taken by clients from the console and cannot be altered. Select Override settings modified by users if you do not want to allow users to modify the firewall settings. In this case, even if no password is set to protect the firewall settings and the settings were modified locally, they will be overwritten the next time the published configuration is requested. If you want to allow users to modify some settings, select Allow user to modify.

Sponsored by Sourcefire

Real-Time Adaptive Security
A SANS Whitepaper - December 2008
Written by Dave Shackleford

Event Data in Context
Additional Real-Time Threat Management Benefits

Introduction

In today's dynamic threat and networking environments, standalone Intrusion Detection/Prevention Systems (IDS/IPS) cannot protect against ever-changing attacks and vulnerabilities. The reason: standing alone, IDS/IPS lacks the context it needs to reliably distinguish an event from a non-event and to prioritize protection based on business-critical rules. Context can be helpful in determining when an event indicates a security incident, such as a deliberate remote buffer overflow exploit attempt, as well as when events are nothing more than false positives, such as poorly configured applications sending out broadcast packets.

IDS/IPS also needs context to adapt to changes occurring in enterprise networks. New user-demanded applications such as Voice over IP (VoIP), Web, virtualization and other infrastructure applications open new attack surfaces. In these cases, attacks against the Session Initiation Protocol (SIP), as well as Web application attacks including Cross-Site Request Forgery (CSRF) and SQL Injection, have become commonplace. Context can also help IDS/IPS recognize new types of attacks and vulnerabilities.

Commonly used exploit frameworks and toolkits such as Metasploit allow for obfuscation and modification of attack processes specifically to evade signature- and behavior-based detection. Meanwhile, the mean time between when a vulnerability is published and when exploit code for that vulnerability is released has narrowed significantly. According to Symantec's Internet Threat Report, Volume XI, 25% of vulnerabilities had exploit code available within one (1) day of release and 31% had exploit code available within six (6) In the second half of 2007, nine (9) zero-day exploits were found in the For organizations to adapt in real-time to unknown or unknowable
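The introduction's central claim is that an IDS/IPS alert only becomes actionable once it is joined with context about the target: which OS and services the destination host actually runs, and how business-critical it is. The following is an added illustration of that triage step, not code from the whitepaper or from Sourcefire; the asset inventory, the alert fields (including the `target_os` / `target_service` attributes assumed to be carried by each signature) and the multiplicative priority scheme are constructed assumptions for the example.

```python
# Added example: contextual triage of IDS alerts against an asset inventory.
# Asset records, alert attributes and scoring weights are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    os: str                       # operating system family the host runs
    services: set = field(default_factory=set)  # services actually exposed
    criticality: int = 1          # 1 (low) .. 5 (business-critical)


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    signature: str
    target_os: str = "any"        # OS family the signature's exploit affects
    target_service: str = "any"   # service the exploit needs on the target
    base_severity: int = 1        # 1..5 as assigned by the sensor


# Constructed asset inventory: the context the sensor alone does not have.
ASSETS = {
    "10.0.1.10": Asset("10.0.1.10", "linux", {"http", "ssh"}, criticality=5),
    "10.0.1.20": Asset("10.0.1.20", "windows", {"smb", "rdp"}, criticality=3),
    "10.0.1.30": Asset("10.0.1.30", "linux", {"sip"}, criticality=2),
}


def contextualize(alert: Alert, assets: dict) -> dict:
    """Decide whether an alert is an event, a non-event, or unknown, and give it
    a priority that combines sensor severity with asset criticality."""
    asset = assets.get(alert.dst_ip)
    if asset is None:
        # No inventory record: keep the sensor's own severity and flag for review.
        return {"verdict": "unknown-asset", "priority": alert.base_severity,
                "reason": "destination not in asset inventory"}

    if alert.target_os != "any" and alert.target_os != asset.os:
        # Exploit for an OS the host does not run: cannot succeed, treat as noise.
        return {"verdict": "non-event", "priority": 0,
                "reason": f"signature targets {alert.target_os}, host runs {asset.os}"}

    if alert.target_service != "any" and alert.target_service not in asset.services:
        # Exploit needs a service the host does not expose.
        return {"verdict": "non-event", "priority": 0,
                "reason": f"service {alert.target_service} not exposed on host"}

    # Plausible event: scale sensor severity by how much the asset matters.
    return {"verdict": "event", "priority": alert.base_severity * asset.criticality,
            "reason": "target matches signature preconditions"}


def triage(alerts: list, assets: dict) -> list:
    """Return (alert, decision) pairs ordered by descending priority."""
    decided = [(a, contextualize(a, assets)) for a in alerts]
    return sorted(decided, key=lambda pair: pair[1]["priority"], reverse=True)


# Constructed sample alerts covering the three outcomes.
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "10.0.1.10", "SQL injection in HTTP request",
          target_service="http", base_severity=4),
    Alert("203.0.113.5", "10.0.1.10", "SMB remote buffer overflow",
          target_os="windows", target_service="smb", base_severity=5),
    Alert("203.0.113.9", "10.0.1.30", "SIP INVITE flood",
          target_service="sip", base_severity=3),
    Alert("10.0.1.50", "10.0.1.99", "Broadcast discovery packet", base_severity=1),
]

if __name__ == "__main__":
    for alert, decision in triage(SAMPLE_ALERTS, ASSETS):
        print(f"{decision['priority']:>3} {decision['verdict']:<14} "
              f"{alert.signature}: {decision['reason']}")
```

Run as a script it prints the alerts in priority order: the SQL injection against the critical web server ranks first, the SIP flood second, the broadcast packet to an uninventoried host is kept at its sensor severity for review, and the Windows SMB exploit aimed at a Linux host is marked a non-event. The inventory lookup is the whole point; without it every one of these alerts would be ranked purely by the sensor's severity.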