Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide Page 56

Windows
C:\ProgramData\Tenable\PVS\pvs\
Mac OS X
/Library/PVS/var/pvs
If the PVS is being managed by the SecurityCenter, it will automatically update the shipped plugin libraries. In this
case, any changes to PVS plugins should be made by disabling specific plugins or by creating new libraries that
augment the plugin set delivered by Tenable.
Detecting Encrypted and Interactive Sessions
The PVS can be configured to detect both encrypted and interactive sessions. An encrypted session is a TCP or UDP
session that contains sufficiently random payloads. An interactive session uses timing and statistical profiling of the
packets in a session to determine if the session involves a human typing at a command line prompt.
In both cases, the PVS will identify these sessions for the given port and IP protocol. It will then list the detected
interactive or encrypted session as a vulnerability.
The PVS has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Sockets Layer (SSL), and other protocols. In
combination with interactive and encrypted session detection, it is likely that the PVS will log multiple forms
of identification for the detected sessions.
For example, with an SSH service running on a high port, it is likely that the PVS would not only recognize this as an
encrypted session, but would also recognize the version of SSH and determine whether there were any vulnerabilities associated
with it.
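As an added illustration of the two heuristics described above (this is example code, not the PVS implementation or any Tenable code), the block below scores a session's payload bytes by Shannon entropy to decide whether it is "sufficiently random", and profiles packet sizes and inter-arrival timing to decide whether it looks like a person typing. The thresholds, the sample sessions and the hash-derived stand-in for ciphertext are all constructed assumptions for the demo.

```python
import hashlib
import math
import statistics
from collections import Counter

# Assumed tuning values for this example; PVS's real thresholds are not on this page.
ENTROPY_THRESHOLD = 7.0        # bits per byte; uniformly random data approaches 8.0
MIN_BYTES = 64                 # too little data gives an unreliable entropy estimate
MAX_INTERACTIVE_PAYLOAD = 16   # bytes; keystrokes and their echoes are tiny
HUMAN_GAP_RANGE = (0.05, 2.0)  # seconds between packets typical of a human typing


def shannon_entropy(payload: bytes) -> float:
    """Empirical entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def looks_encrypted(payloads: list[bytes]) -> bool:
    """Encrypted-session heuristic: the session's concatenated payload has a
    byte entropy close to the 8-bit maximum, i.e. it is 'sufficiently random'."""
    data = b"".join(payloads)
    if len(data) < MIN_BYTES:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def looks_interactive(packets: list[tuple[float, bytes]]) -> bool:
    """Interactive-session heuristic: small payloads arriving at a human typing
    cadence. `packets` is a list of (timestamp_seconds, payload) tuples."""
    if len(packets) < 8:
        return False
    sizes = [len(p) for _, p in packets]
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    lo, hi = HUMAN_GAP_RANGE
    return statistics.median(sizes) <= MAX_INTERACTIVE_PAYLOAD and lo <= statistics.median(gaps) <= hi


# --- constructed sample traffic (not real captures) ---
def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a TLS/SSH record stream."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PLAINTEXT_HTTP = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"] * 3
CIPHERTEXT_SESSION = [pseudo_ciphertext(512), pseudo_ciphertext(256)]
# A telnet-like stream: one keystroke every 250 ms, carried as single bytes.
TYPING_SESSION = [(0.25 * i, b"l") for i in range(12)]
# A bulk transfer: full-size segments back to back.
BULK_SESSION = [(0.001 * i, b"A" * 1460) for i in range(12)]

if __name__ == "__main__":
    print("http   encrypted?  ", looks_encrypted(PLAINTEXT_HTTP))
    print("tls    encrypted?  ", looks_encrypted(CIPHERTEXT_SESSION))
    print("typing interactive?", looks_interactive(TYPING_SESSION))
    print("bulk   interactive?", looks_interactive(BULK_SESSION))
```

Entropy alone cannot tell ciphertext from compressed data, so a sensor that uses this approach in practice combines it with protocol recognition, which is exactly why the guide expects several forms of identification to be logged for the same session.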
Routes and Hop Distance
For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do
this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet,
it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back
to the originating server that the TTL has expired. The server simply sends packets to the target host with greater and
greater TTL values, and collects the IP addresses of the routers in-between when they send their expiration messages.
Since the PVS is entirely passive, it cannot send or elicit packets from the routers or target computers. It can, however,
record the TTL value of a target machine. The TTL value is an 8-bit field, meaning it can contain a value between 0 and
255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your
host and any other host on the internet, the PVS uses a simple algorithm to map any TTL to a number of hops.
For example, if the PVS sniffed a server sending a packet with a TTL of 126, this is closest to 128 and two hops away.
The PVS does not know the IP addresses of the in-between routers.
Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention,
routers, and VPNs that will rewrite or reset the TTL value. In these cases, the PVS can report some very odd
hop counts.
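The TTL-to-hop mapping above, written out as an added example (not PVS code and not a documented Tenable algorithm): the observed TTL is matched to the nearest common initial TTL at or above it, the difference is the hop estimate, and any estimate beyond the guide's 16-hop working assumption is flagged, since that is what a TTL-rewriting middlebox typically produces. The sample observations are constructed.

```python
INITIAL_TTLS = (32, 64, 128, 255)  # initial TTLs used by most operating systems
MAX_PLAUSIBLE_HOPS = 16            # the guide's working assumption for Internet paths


def estimate_hops(observed_ttl: int) -> dict:
    """Map a sniffed TTL to the nearest common initial TTL at or above it and the
    implied hop count. 'plausible' is False when the implied distance exceeds
    MAX_PLAUSIBLE_HOPS, which usually means a NAT, proxy, load balancer or VPN
    rewrote the TTL in transit."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field: 0..255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    hops = initial - observed_ttl
    return {"initial_ttl": initial, "hops": hops, "plausible": hops <= MAX_PLAUSIBLE_HOPS}


def hop_table(observations: list[tuple[str, int]]) -> dict:
    """Reduce (source_ip, ttl) observations to one estimate per host. If packets
    from the same host disagree on hop count, keep the smallest distance and
    mark the host as inconsistent, another symptom of TTL-rewriting devices."""
    table: dict = {}
    for ip, ttl in observations:
        est = estimate_hops(ttl)
        entry = table.setdefault(ip, {**est, "consistent": True})
        if est["hops"] != entry["hops"]:
            entry["consistent"] = False
            if est["hops"] < entry["hops"]:
                entry.update(est)
    return table


# Constructed observations: a Windows-like host two hops away, a Linux-like host
# four hops away, and a host whose TTL has clearly been rewritten somewhere.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", 126),
    ("192.0.2.10", 126),
    ("192.0.2.20", 60),
    ("192.0.2.30", 40),
    ("192.0.2.30", 61),
]

if __name__ == "__main__":
    for ip, est in hop_table(SAMPLE_OBSERVATIONS).items():
        print(ip, est)
```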
Alerting
When the PVS detects a real-time event, it can write the event to a local log file or send it via Syslog to a log aggregator
such as Tenable’s Log Correlation Engine, to internal log aggregation servers, or to third-party security event
management products.
New Host Alerting
The PVS can be configured to detect when a new host has been added to the network. This is not as simple as it sounds,
and several parameters can be configured within the PVS to increase or decrease the accuracy of detecting true change.
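The two sections above, alerting and new host detection, as one added example (not PVS code; the tuning knobs, host names and sample traffic are assumptions for the demo). A host is reported as new only after it has been seen a configurable number of times inside a time window, which is one way to trade sensitivity for accuracy, and each confirmed host produces an RFC 5424 syslog line of the kind a sensor would ship to a log aggregator. The UDP sender is included for completeness but is not called by the demo.

```python
import datetime as dt
import socket
from collections import defaultdict

# RFC 5424 priority = facility * 8 + severity
FACILITY_LOCAL0 = 16
SEVERITY_NOTICE = 5


def format_syslog(message: str, ts: float, hostname: str = "pvs-sensor",
                  app: str = "pvs", facility: int = FACILITY_LOCAL0,
                  severity: int = SEVERITY_NOTICE) -> str:
    """Build an RFC 5424 syslog line; PROCID, MSGID and structured data are
    left as '-' (nil). Hostname and app name are assumed values."""
    stamp = dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {hostname} {app} - - - {message}"


def send_syslog_udp(line: str, collector: str, port: int = 514) -> None:
    """Ship one line to a UDP syslog collector (not exercised in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (collector, port))


class NewHostDetector:
    """Report an IP as new only after `confirm_sightings` observations within
    `window_seconds`. Both knobs are hypothetical; they stand in for the
    accuracy parameters the guide says PVS exposes, whose names are not given here."""

    def __init__(self, confirm_sightings: int = 3, window_seconds: float = 300.0):
        self.confirm_sightings = confirm_sightings
        self.window_seconds = window_seconds
        self.known: set[str] = set()
        self._pending: dict[str, list[float]] = defaultdict(list)

    def observe(self, ip: str, ts: float):
        """Return a syslog line if this observation confirms a new host, else None."""
        if ip in self.known:
            return None
        # Keep only sightings still inside the window, then add this one.
        recent = [t for t in self._pending[ip] if ts - t <= self.window_seconds]
        recent.append(ts)
        self._pending[ip] = recent
        if len(recent) < self.confirm_sightings:
            return None
        self.known.add(ip)
        del self._pending[ip]
        return format_syslog(f"new host detected ip={ip} sightings={len(recent)}", ts)


# Constructed observations: (timestamp, source IP). 10.0.0.7 is a one-off that
# never reaches the confirmation threshold; 10.0.0.5 is a genuinely new host.
SAMPLE_TRAFFIC = [
    (1_700_000_000.0, "10.0.0.5"),
    (1_700_000_001.0, "10.0.0.7"),
    (1_700_000_010.0, "10.0.0.5"),
    (1_700_000_020.0, "10.0.0.5"),
    (1_700_000_030.0, "10.0.0.5"),
]


def run_demo(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Feed the constructed traffic through a detector and collect the alerts."""
    detector = NewHostDetector()
    alerts = []
    for ts, ip in traffic:
        line = detector.observe(ip, ts)
        if line is not None:
            alerts.append(line)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Raising `confirm_sightings` or shrinking `window_seconds` suppresses transient addresses (a scanner's spoofed source, a single misrouted packet) at the cost of reporting real hosts later; lowering them does the opposite, which is the trade-off the guide alludes to.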