Saturday, February 28, 2015

NetBait Honeypot

What is a NetBait?
NetBait is a proprietary technology developed by NetBait, Inc. to prevent, detect and analyze intruders' attacks on companies' networks. NetBait is based on the concept of a "Honeypot," which means that it is a decoy which lures intruders away from actual network data and instead gives them "bait" with false information. NetBait is a set of sophisticated technologies made seamless to license, configure, maintain and adapt to changes in any organization's network security needs.

What type of Honeypot is NetBait?
There are two general types of Honeypot systems: production for improving security and research for learning more about the sources of threats. NetBait can be configured to act as either Production or Research, or a combination of both.

How does NetBait Service work?
The technology behind NetBait is a distributed network of multiple NetBait Nodes independently communicating with our servers and performing attack traffic redirection. Among other things, this architecture allows clients to enjoy a number of wide-reaching benefits that include configuration simplicity, the highest level of resistance to intruder attacks, and low cost of ownership.

What are the hardware and software requirements for setting up a NetBait Host?
There are no specific hardware or software requirements. The only thing you need is a Personal Computer (an i386 will do) with a 1.44 MB floppy drive, 16 MB+ RAM, a Network Interface Card and TCP/IP Internet connectivity. Practically any system up to 10 years old may be seamlessly transformed into a NetBait Host without any hardware or software preparation - just insert your NetBait floppy disk into the floppy drive and reboot the PC.

Thursday, February 26, 2015

The Need for Firewalls for Personal Use

  • For home use, firewalls work much more simply.
  • The main goal of a personal firewall is to protect your personal computer and private network from malicious mischief.
  • Malware (malicious software) is the primary threat to your home computer. Viruses are often the first type of malware that comes to mind. A virus can be transmitted to your computer through email or over the Internet and can quickly cause a lot of damage to your files. Other malware includes Trojan horse programs and spyware.
  • These malicious programs are usually designed to acquire your personal information for the purposes of identity theft of some kind.
  • There are two ways a firewall can prevent this from happening.
  • It can allow all traffic to pass through except data that meets a predetermined set of criteria (default allow), or it can prohibit all traffic unless it meets a predetermined set of criteria (default deny).

Tuesday, February 24, 2015

Common Vulnerabilities and Exposures

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-"); however, this practice was ended some time ago and all identifiers are now assigned as CVEs (the collective noun for which is an "infestation" of CVEs). The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry). CVEs are assigned by a CVE Numbering Authority (CNA); there are three primary types of CVE number assignments:
  1. The MITRE Corporation functions as Editor and Primary CNA
  2. Various CNAs assign CVE entries for their own products (e.g. Microsoft, Oracle, HP, Red Hat, etc.)
  3. Red Hat also provides CVE numbers for open source projects that are not a CNA
When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence can refer to the CVE number. Information on getting CVE identifiers for issues with open source projects is available from Red Hat.
CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category, however custom-built software that is not distributed would generally not be given a CVE. Additionally services (e.g. a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed.

Stateful vs Stateless Packet Filtering

The biggest difference between simple IP filtering and stateful IP filtering is that simple IP filters have no recollection of packets that have already passed through the filter. Every packet is handled on an individual basis. Previously forwarded packets belonging to a connection have no bearing on the filter's decision to forward or drop the packet.

A stateful firewall (any firewall that performs stateful packet inspection, or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.

A stateless firewall is a firewall that treats each network frame (or packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
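The difference is easiest to see by running the same packets through both kinds of filter. The following is an added example, not code from the original post: a toy stateless filter and a toy stateful filter, both default-deny (the second of the two firewall strategies from the personal-firewall post above), run over a constructed TCP trace in which the last packet is an unsolicited outside packet that merely has the ACK flag set. The 10.0.0.0/24 inside network and all addresses are assumptions.

```python
# Added example, not part of the original post: a toy stateless packet filter
# beside a toy stateful one, both run over the same constructed TCP trace.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


def is_inside(ip):
    """The protected LAN in this example is 10.0.0.0/24 (constructed)."""
    return ip.startswith("10.0.0.")


def stateless_filter(pkt):
    """Every packet is judged alone; nothing is remembered between packets.
    Rule 1: anything from inside to outside may leave.
    Rule 2: outside traffic may enter only if it looks like a reply (ACK set,
            destination is an ephemeral port). A forged ACK satisfies this too."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ALLOW"
    if (not is_inside(pkt.src) and is_inside(pkt.dst)
            and "A" in pkt.flags and pkt.dport >= 1024):
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Tracks each TCP connection the inside started, keyed by its 4-tuple,
    and admits outside packets only when they match a tracked connection."""

    def __init__(self):
        self.conns = {}  # (in_ip, in_port, out_ip, out_port) -> state

    def check(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":                 # new connection from inside
                self.conns[key] = "SYN_SENT"
                return "ALLOW"
            state = self.conns.get(key)
            if state == "SYN_RECV" and "A" in pkt.flags:
                self.conns[key] = "ESTABLISHED"  # three-way handshake done
            return "ALLOW" if state else "DROP"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.conns.get(key)
            if state is None:                    # no connection we know of
                return "DROP"
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.conns[key] = "SYN_RECV"
                return "ALLOW"
            if state in ("SYN_RECV", "ESTABLISHED") and "A" in pkt.flags:
                return "ALLOW"
            return "DROP"
        return "DROP"


# Constructed trace: a legitimate web connection from an inside host,
# followed by an unsolicited outside packet that only has ACK set.
TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, "S"),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, "A"),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, "A"),
    Packet("198.51.100.9", 80, "10.0.0.5", 40001, "A"),  # no such connection
]


def run_trace(trace=TRACE):
    """Return the (stateless, stateful) decision for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (a, b) in zip(TRACE, run_trace()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={a} stateful={b}")
```

The stateless filter admits the final forged packet because its rules can only look at flags and ports; the stateful filter drops it because no inside host ever opened that connection.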


Real-time operating system

A Real-Time Operating System (RTOS) is an operating system (OS) intended to serve real-time applications that process data as it comes in, typically without buffering delays. Processing time requirements (including any OS delay) are measured in tenths of seconds or shorter.
A key characteristic of an RTOS is the level of its consistency concerning the amount of time it takes to accept and complete an application's task; the variability is jitter.[1] A hard real-time operating system has less jitter than a soft real-time operating system. The chief design goal is not high throughput, but rather a guarantee of a soft or hard performance category. An RTOS that can usually or generally meet a deadline is a soft real-time OS, but if it can meet a deadline deterministically it is a hard real-time OS.[2]
An RTOS has an advanced algorithm for scheduling. Scheduler flexibility enables a wider, computer-system orchestration of process priorities, but a real-time OS is more frequently dedicated to a narrow set of applications. Key factors in a real-time OS are minimal interrupt latency and minimal thread switching latency; a real-time OS is valued more for how quickly or how predictably it can respond than for the amount of work it can perform in a given period of time.[3]

Honeypot

A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. (This includes the hacker, cracker, and script kiddy.)

To set up a honey pot:
  • Install the operating system without patches installed and using typical defaults and options
  • Make sure that there is no data on the system that cannot safely be destroyed
  • Add the application that is designed to record the activities of the invader
Maintaining a honey pot is said to require a considerable amount of attention and may offer as its highest value nothing more than a learning experience (that is, you may not catch any hackers).



Server Message Block (SMB)

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/),[1][2] operates as an application-layer network protocol[3] mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it was known as "Microsoft Windows Network" before the subsequent introduction of Active Directory. The corresponding Windows services are LAN Manager Server (for the server component) and LAN Manager Workstation (for the client component).


Features


SMB can run on top of the Session (and lower) network layers in several ways:
The SMB "Inter-Process Communication" (IPC) system provides named pipes and was one of the first inter-process mechanisms commonly available to programmers that provides a means for services to inherit the authentication carried out when a client first connected to an SMB server.
Some services that operate over named pipes, such as those which use Microsoft's own implementation of DCE/RPC over SMB, known as MSRPC over SMB, also allow MSRPC client programs to perform authentication, which over-rides the authorization provided by the SMB server, but only in the context of the MSRPC client program that successfully makes the additional authentication.
SMB signing: Windows NT 4.0 Service Pack 3 and upwards have the capability to use cryptography to digitally sign SMB connections. The most common official term is "SMB signing". Other terms that have been used officially are "[SMB] Security Signatures", "SMB sequence numbers"[7] and "SMB Message Signing".[8] SMB signing may be configured individually for incoming SMB connections (handled by the "LanManServer" service) and outgoing SMB connections (handled by the "LanManWorkstation" service). The default setting from Windows 98 and upwards is to opportunistically sign outgoing connections whenever the server also supports this, and to fall back to unsigned SMB if both partners allow this. The default setting for Windows domain controllers from Server 2003 and upwards is to not allow fallback for incoming connections.[9] The feature can also be turned on for any server running Windows NT 4.0 Service Pack 3 or later. This protects against man-in-the-middle attacks on clients retrieving their policies from domain controllers at login.[10]
The design of Server Message Block version 2 (SMB2) aims to mitigate this performance limitation by coalescing SMB signals into single packets.
SMB supports opportunistic locking — a special type of locking-mechanism — on files in order to improve performance.
SMB serves as the basis for Microsoft's Distributed File System implementation.

Application Aware Firewalls


What are Application Aware Firewalls (AAF)?

Application Aware Firewalls (AAF) adopt the latest innovations in software and hardware to provide unprecedented network security for today's demanding IT infrastructures.
With the ability to view and identify all network traffic, AAF provides granular control over application usage and behaviour. You have full control of what leaves and enters your network using a single appliance, and can apply security policies based on applications and users rather than on the traditional method of port and protocol.
Traditional firewalls may be giving enterprises a false sense of security, because they are failing to cope with ever-changing digital threats.


NetBIOS Extended User Interface (NetBEUI)

Pronounced net-booey, NetBEUI is short for NetBIOS Extended User Interface. It is an enhanced version of the NetBIOS protocol used by network operating systems such as LAN Manager, LAN Server, Windows for Workgroups, Windows 95 and Windows NT.
NetBEUI was originally designed by IBM for their LAN Manager server and later extended by Microsoft and Novell.

Windows Software Update Service (WSUS)

WSUS feature improvements

  • Auto-Approval Rules: Auto-approval rules now include the ability to specify the approval deadline date and time for all computers or specific computer groups. 
  • Update Files and Languages: Improved handling of language selection for downstream servers includes a new warning dialog that appears when you decide to download updates only for specified languages.
  • Easy Upgrade: WSUS 3.0 SP2 can be installed as an in-place upgrade from earlier versions of WSUS and preserves all settings and approvals. The user interface is compatible between WSUS 3.0 SP1 and SP2 on the client and the server. 
  • Reports: New Update and Computer Status reports let you filter on updates that are approved for installation. You can run these reports from the WSUS console or use the API to incorporate this functionality into your own reports. 


    Software updates
    • Stability and reliability fixes are included for the WSUS server, such as support for IPv6 addresses that are longer than 40 characters.
    • The approval dialog now sorts computer groups alphabetically by group name.
    • Computer status report sorting icons are now functional in x64 environments.
    • A new release of Windows Update Agent is included with WSUS 3.0 SP2 that provides improvements and fixes, such as support for APIs called by nonlocal system callers in a noninteractive session.

Network Address Translation (NAT)


NAT (Network Address Translation or Network Address Translator) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security, since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of global IP addresses that a company needs and lets the company use a single IP address in its communication with the world.
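The "match it to a previous request" step is where NAT's security benefit comes from: an incoming packet is only unmapped if the translation table already holds an entry that an inside host created. The following is an added example, not code from the original post: a toy port-translating NAT (many inside hosts behind one public address) that builds that table on outbound traffic and drops inbound packets with no matching entry. The public address 203.0.113.7, the inside 192.168.1.0/24 hosts and the remote servers are constructed values.

```python
# Added example, not part of the original post: a toy port-translating NAT
# with the translation table that lets replies be matched to earlier requests.


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound key -> public port; inbound key -> inside endpoint
        self.out_map = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> pub_port
        self.in_map = {}   # (pub_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map an inside flow to a public port and return the rewritten
        (src_ip, src_port, dst_ip, dst_port) as it leaves the NAT."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:                      # first packet of this flow
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Unmap an incoming packet. None means no prior request matches and
        the packet is dropped. This toy NAT keys on the remote endpoint too
        (endpoint-dependent mapping), so a packet from a different remote host
        aimed at an allocated port is dropped as well."""
        if dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo():
    """Two inside hosts using the same source port, one real reply, one
    unsolicited packet and one reply from the wrong peer (all constructed)."""
    nat = Nat("203.0.113.7")
    a = nat.outbound("192.168.1.10", 5000, "198.51.100.20", 443)
    b = nat.outbound("192.168.1.11", 5000, "198.51.100.20", 443)
    reply_b = nat.inbound("198.51.100.20", 443, "203.0.113.7", b[1])
    unsolicited = nat.inbound("198.51.100.77", 22, "203.0.113.7", 40002)
    wrong_peer = nat.inbound("198.51.100.99", 443, "203.0.113.7", a[1])
    repeat = nat.outbound("192.168.1.10", 5000, "198.51.100.20", 443)
    return {"a": a, "b": b, "reply_b": reply_b, "unsolicited": unsolicited,
            "wrong_peer": wrong_peer, "repeat": repeat}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```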

Monday, February 23, 2015

Attack surface

The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.

Examples of attack vectors include user input fields, protocols, interfaces, and services.


Surface Reduction

The basic strategies of attack surface reduction are to reduce the amount of code running, reduce the entry points available to untrusted users, and eliminate services requested by relatively few users. One approach to improving information security is to reduce the attack surface of a system or software. Turning off unnecessary functionality leaves fewer security risks, and having less code available to unauthorized actors tends to mean fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.

Distance Vector Routing Protocols


Most routing protocols fall into one of two classes: distance vector or link state. The basics of distance vector routing protocols are examined here; the next section covers link state routing protocols. Distance vector algorithms are based on the work done by R. E. Bellman, L. R. Ford, and D. R. Fulkerson, and for this reason are occasionally referred to as Bellman-Ford or Ford-Fulkerson algorithms.
The name distance vector is derived from the fact that routes are advertised as vectors of (distance, direction), where distance is defined in terms of a metric and direction is defined in terms of the next-hop router. For example, "Destination A is a distance of 5 hops away, in the direction of next-hop router X." As that statement implies, each router learns routes from its neighboring routers' perspectives and then advertises the routes from its own perspective. Because each router depends on its neighbors for information, which the neighbors in turn may have learned from their neighbors, and so on, distance vector routing is sometimes facetiously referred to as "routing by rumor."
Distance vector routing protocols include the following:
  • Routing Information Protocol (RIP) for IP
  • Xerox Networking System's XNS RIP
  • Novell's IPX RIP
  • Cisco's Internet Gateway Routing Protocol (IGRP)
  • DEC's DNA Phase IV
  • AppleTalk's Routing Table Maintenance Protocol (RTMP)
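"Routing by rumor" becomes concrete when the exchange is simulated. The following is an added example, not code from the original post or from any of the protocols listed: a synchronous Bellman-Ford distance-vector exchange over a constructed four-router topology (A-B, B-C, C-D with cost 1 and a slower A-C link with cost 5). Each router only ever sees its neighbours' vectors and keeps (distance, next-hop) pairs, exactly as the text describes; the topology and link costs are assumptions.

```python
# Added example, not part of the original post: a synchronous Bellman-Ford
# distance-vector exchange over a constructed four-router topology.
from collections import defaultdict

# Constructed topology: (router, router) -> link metric.
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("A", "C"): 5, ("C", "D"): 1}


def adjacency(links):
    """Undirected neighbour table: adj[router][neighbour] = link cost."""
    adj = defaultdict(dict)
    for (u, v), cost in links.items():
        adj[u][v] = cost
        adj[v][u] = cost
    return adj


def run_distance_vector(links=LINKS, max_rounds=20):
    """Return (tables, rounds). tables[router][dest] = (distance, next_hop).
    Each round every router advertises its whole vector to its neighbours,
    and a neighbour adopts any route that is cheaper via the advertiser.
    A router never sees the topology, only what its neighbours tell it."""
    adj = adjacency(links)
    routers = sorted(adj)
    tables = {r: {r: (0, r)} for r in routers}
    for rnd in range(1, max_rounds + 1):
        adverts = {r: dict(tables[r]) for r in routers}  # last round's knowledge
        changed = False
        for r in routers:
            for nb, link_cost in adj[r].items():
                for dest, (dist, _) in adverts[nb].items():
                    candidate = link_cost + dist
                    current = tables[r].get(dest)
                    if current is None or candidate < current[0]:
                        tables[r][dest] = (candidate, nb)  # trust the rumour
                        changed = True
        if not changed:
            return tables, rnd  # a round with no change means convergence
    return tables, max_rounds


def path(tables, src, dst):
    """Follow next hops from src to dst, the way a packet would be forwarded."""
    hops = [src]
    while hops[-1] != dst:
        _, nxt = tables[hops[-1]][dst]
        hops.append(nxt)
    return hops


if __name__ == "__main__":
    tables, rounds = run_distance_vector()
    print(f"converged after {rounds} rounds")
    for router in sorted(tables):
        for dest, (dist, nxt) in sorted(tables[router].items()):
            print(f"{router}: {dest} is {dist} away via {nxt}")
    print("A -> D:", " -> ".join(path(tables, "A", "D")))
```

Router A never learns the topology; it ends up routing to D via B with cost 3 purely because B advertised a cost-2 route to D, which B in turn heard from C.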

Drive-By Downloads


Drive-by downloads are malicious pieces of software that are downloaded to a computer, tablet or smartphone when the user views a compromised Web page or an HTML-based email message that links to a website.
In many cases, the malware will be automatically installed on the system; in almost all cases, the user won't be aware of it.
The malware delivered by a drive-by download is usually classified as a Trojan horse, or Trojan for short, because it deceives the user about the nature of the website or email. In most cases involving compromised websites, the operator of the website has no idea his site is distributing malware.
Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, infect the Web browser with a banking Trojan that hijacks online-banking sessions or install a "backdoor" that will let in even more malware.


Microsoft Baseline Security Analyzer (MBSA)
The MBSA provides built-in checks to determine if Windows administrative vulnerabilities are present, if weak passwords are being used on Windows accounts, whether known IIS and SQL administrative vulnerabilities are present, and which security updates are required on each individual system. The MBSA provides dynamic assessment of missing security updates. The MBSA can scan one or more computers by domain, IP address range or other grouping. Once complete, the MBSA provides a detailed report and instructions on how to help turn your system into a more secure working environment. The MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.
To use the MBSA tool, users will need either Windows Server 2008 R2, Windows 7, Server 2003, Server 2008, Vista, XP or Windows 2000 and will need administrator privileges sufficient to scan the target computers.
After installing MBSA and running the tool, users are taken to the main screen, which provides quick access to three different sides of the application. Users can scan a computer using its name or IP address, scan multiple computers within a domain name or a range of IP addresses, or view existing security scan reports. There are even more options available through the command-line interface to support scripting and fine-tuned control over MBSA's scanning and reporting features.

Systems Management Server (SMS)

System Center Configuration Manager (officially called ConfigMgr 2012 or ConfigMgr 2007, or simply ConfigMgr), formerly Systems Management Server (SMS), is a systems management software product by Microsoft for managing large groups of computers running Windows, Windows Embedded, Mac OS X, Linux or UNIX, as well as various mobile operating systems such as Windows Phone, Symbian, iOS and Android.[1] Configuration Manager provides remote control, patch management, software distribution, operating system deployment, network access protection and hardware and software inventory.
SMS went through three major iterations:
  • The 1.x versions of the product defined the scope of control of the management server (the site) in terms of the NT domain being managed.
  • Since the 2.x versions, that site paradigm has switched to a group of subnets that will be managed together.
  • Since SMS 2003, the site could also be defined as one or more Active Directory sites.
The most frequently used feature is inventory management, which provides both hardware and software inventory across a business enterprise.
The major difference between the 2.x product and SMS 2003 is the introduction of the Advanced Client. The Advanced Client communicates with a more scalable management infrastructure, namely the Management Point. A Management Point (MP) can manage up to 25000 Advanced Clients.
The Advanced Client was introduced to provide a solution to the problem where a managed laptop might connect to a corporate network from multiple locations and thus should not always download content from the same place within the enterprise (though it should always receive policy from its own site). When an Advanced Client is within another location (SMS Site), it may use a local distribution point to download or run a program which can conserve bandwidth across a WAN.
Microsoft released the current generation of the product, System Center 2012 Configuration Manager, in March 2012.

Windows Server Update Services (WSUS)

The figure shows how WSUS can display precise information about which updates each client needs.

Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft Corporation that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. WSUS downloads these updates from the Microsoft Update website and then distributes them to computers on a network. WSUS runs on Windows Server and is free to licensed Microsoft customers.


ASP (Active Server Pages)


What is ASP?

As you can see by the title, ASP is an acronym for Active Server Pages.
ASP is developed by Microsoft. It is not an industry standard, and it is not a real programming language either; it is a Microsoft technology that lets you use so-called scripting in your documents.
To describe what an ASP page is, you could say that it is a file with the extension .asp that contains a combination of HTML tags and scripts that run on a web server.

How does ASP work?

The best way to explain how ASP works is by comparing it with standard HTML. Imagine you type the address of an HTML document (eg.http://www.mysite.com/page.htm) in the address line of the browser. This way you request an HTML page. It could be illustrated like this:
The figure shows a client that requests an HTML file from a server
As you can see, the server simply sends an HTML file to the client. But if you instead type http://www.mysite.com/page.asp - and thus request an ASP page - the server is put to work:
The figure shows a client that requests an ASP file from a server
The server first reads the ASP file carefully to see if there are any tasks that need to be executed. Only when the server has done what it is supposed to do, the result is then sent to the client. It is important to understand that the client only sees the result of the server's work - not the actual instructions.
This means that if you click "view source" on an ASP page, you do not see the ASP code, only basic HTML tags. Therefore, you cannot see how an ASP page is made by using "view source". You have to learn ASP in other ways, for example by reading this tutorial.

MILS (Multiple Independent Levels of Security)

Multiple Independent Levels of Security/Safety (MILS) is a high-assurance security architecture based on the concepts of separation and controlled information flow; implemented by separation mechanisms that support both untrusted and trustworthy components; ensuring that the total security solution is non-bypassable, evaluatable, always invoked and tamperproof. 

A MILS system employs one or more separation mechanisms (e.g., Separation kernel, Partitioning Communication System, physical separation) to maintain assured data and process separation. A MILS system supports enforcement of one or more application/system specific security policies by authorising information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, crypto devices, etc). 

At a high level the MILS architecture allows for the execution of multiple applications at potentially multiple security levels or classifications. Each is protected from others and each may communicate with the others based on the methods and policy enforcements discussed. The architecture supports consolidation of multiple applications and their computer components on to a single system. This allows for the combination of multiple safety and security certified systems on to a single computer based on the underlying MILS architecture certification.


There are multiple real-time operating systems (RTOS) certified or being certified to support the MILS architecture. These provide the framework to support multiple applications running on the same computer at potentially different security levels. There is an absence of tool sets to support the development and certification of these applications at top security levels. GNAT Pro High-Security is a product package containing a language, support tools and libraries specifically designed to allow developers to meet these top security requirements.