Modern Computer Networks: An Open Source Approach
Chapter 7: Network Security
BJ Chang & DK Liu
Outline
7.1 Issues
7.1.1 Introduction of Network Security
7.1.2 Data Security (Transport layer: SET, SSL; Network layer: IPsec, VPN)
7.1.3 Access Control (application firewall)
7.1.4 Intrusion (including DoS, security holes, viruses)
7.2 Data Security
7.2.1 Cryptography
7.2.2 Digital Signature
7.2.3 Transport layer
7.2.4 Network layer
Outline (cont.)
7.3 Firewall
7.3.1 Introduction of Firewall
7.3.2 Packet Filter (ipchains)
7.3.3 TIS (Trusted Information System)
7.4 Intrusion Detection System
7.4.1 Introduction
7.4.2 Intrusion
7.4.2.1 Monitoring
7.4.2.2 Password Cracking
7.4.2.3 Security Holes
7.4.2.4 Malicious Code
7.4.2.5 Denial of Service
7.4.2.6 Scanning
7.4.2.7 Examples of attacking
Outline (cont.)
7.4.3 Protection
7.4.3.1 Prevent (Encryption, Authentication)
7.4.3.2 Access control (firewall)
7.4.3.3 Detection (monitoring, scanning)
7.4.3.4 Audit (Auditing)
7.5 Open Source Implementation
7.5.1 Open Source for IDS, Snort
7.5.2 Open Source for vulnerability scanning, Nessus
7.2 Data Security
7.2.1 Cryptography
Secret Key Algorithm: DES, IDEA
Public Key Algorithm: RSA
7.2.2 Digital Signature (or Authentication)
Message Digest: MD5
7.2.3 Transport layer
SSL (Secure Socket Layer), SET (Secure Electronic Transaction)
7.2.4 Network layer
IP Security (IPsec): RFC 1825~1829, 1851, 2085, 2104
VPN (Virtual Private Network), VPN implementation
7.2.1 Cryptography
Secret Key Algorithm: symmetric key, e.g. DES (Data Encryption Standard)
Public Key Algorithm: asymmetric key, e.g. RSA (Rivest, Shamir, Adleman)
Secret-Key Algorithm
Basic elements
P-box: transposition (permutation) cipher
S-box: substitution cipher
Product cipher: P-boxes and S-boxes cascaded in several stages
DES: Data Encryption Standard
Originally developed by IBM; adopted by the US government in Jan. 1977
Encrypts in blocks of 64 bits with a 56-bit key
In effect a monoalphabetic substitution cipher over a 64-bit "character"
The same input block always produces the same output block (in the basic ECB mode), so repeated plaintext blocks are visible in the ciphertext
Algorithm
Initial transposition
16 iterations (each keyed by a 48-bit subkey derived from the 56-bit key)
32-bit swap of the two halves
Inverse transposition
[Figure: one DES iteration]
Breaking DES
The DES key is 56 bits (at the time, US export rules permitted only weaker ciphers for international use, while 128-bit ciphers could be used within the USA)
A 56-bit key can be broken by exhaustive search:
Within 4 hours by supercomputers (1994)
In about 22 hours by a network of volunteers plus a special-purpose computer that was built for less than $250,000 (1999)
"Chinese Lottery": the key search distributed over a very large number of cheap devices
Solution: run DES several times with different keys: Triple DES encryption
Public-key Algorithm
First proposed by W. Diffie and M. E. Hellman (1976)
Asymmetric keys: encryption (public) key ≠ decryption (private) key
The encryption algorithm E and the decryption algorithm D must meet the following requirements:
D(E(P)) = P
It is exceedingly difficult to deduce D from E
E cannot be broken by a chosen plaintext attack
RSA Algorithm
Proposed by Rivest, Shamir, and Adleman at MIT in 1978
RSA key generation
Choose two large primes, p and q (> 10^100)
Compute n = p*q and z = (p-1)*(q-1)
Choose a number d relatively prime to z
Find e such that e*d = 1 (mod z)
Plaintext block P with 0 ≤ P < n (with n ~ 10^200 this is a 664-bit block); encryption key = (n, e); decryption key = (n, d)
Based on the difficulty of factoring large numbers.
Encryption: C = P^e (mod n)
Decryption: P = C^d (mod n)
Why does RSA work?
Prove that $D(E(P)) = P$, i.e. that decrypting the ciphertext $C = P^e \bmod n$ gives back $P$:
$$(P^e \bmod n)^d \bmod n = P^{ed} \bmod n$$
$$ed = 1 \pmod z = 1 \pmod{(p-1)(q-1)}, \quad \text{so} \quad ed = 1 + k(p-1)(q-1) \text{ for some integer } k$$
$$P^{ed} \bmod n = P^{1 + k(p-1)(q-1)} \bmod n = P$$
(the last step is Euler's theorem, since $z = (p-1)(q-1)$ is $\phi(n)$ for $n = pq$)
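The RSA recipe above carried through in code, as an added example that is not part of the textbook: key generation in the slide's order (choose d, then derive e), block encryption and decryption, and signing with the private key as the public-key digital signatures of 7.2.2 use it. The primes and d are small textbook values chosen here so every number can be checked by hand; encrypt_text and its one-character-per-block splitting are an illustration invented for this example, not an RSA standard.

```python
# Added example (not from the textbook): the RSA recipe on the slides above,
# run with small primes so every intermediate value can be checked by hand.
# Real keys use primes of hundreds of digits; the arithmetic is the same.
from math import gcd


def make_keypair(p, q, d):
    """Slide recipe: n = p*q, z = (p-1)*(q-1), pick d coprime to z,
    then find e with e*d = 1 (mod z). Returns ((n, e), (n, d))."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)             # modular inverse (Python >= 3.8)
    assert (e * d) % z == 1
    return (n, e), (n, d)


def block_size_bits(n):
    """Largest k with 2^k < n: plaintext is cut into k-bit blocks so that
    every block P satisfies 0 <= P < n (the slide's '664-bit block' case)."""
    return n.bit_length() - 1


def encrypt(public_key, P):
    n, e = public_key
    if not 0 <= P < n:
        raise ValueError("plaintext block must satisfy 0 <= P < n")
    return pow(P, e, n)           # C = P^e mod n


def decrypt(private_key, C):
    n, d = private_key
    return pow(C, d, n)           # P = C^d mod n


def sign(private_key, P):
    """Public-key digital signature (7.2.2): apply the private key to P."""
    n, d = private_key
    return pow(P, d, n)


def verify(public_key, P, S):
    """Anyone holding (n, e) can check the signature; no secret is needed."""
    n, e = public_key
    return pow(S, e, n) == P


def encrypt_text(public_key, text):
    """Illustration only (assumption of this example): one character per block,
    P = character code. Like DES in ECB mode, equal characters give equal blocks;
    real RSA use needs padding (OAEP) and a much larger n."""
    return [encrypt(public_key, ord(ch)) for ch in text]


def decrypt_text(private_key, blocks):
    return "".join(chr(decrypt(private_key, C)) for C in blocks)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, 2753)        # n = 3233, z = 3120, e = 17
    blocks = encrypt_text(pub, "RSA")
    print(pub, priv, blocks, decrypt_text(priv, blocks))
    S = sign(priv, 65)
    print("signature", S, "valid:", verify(pub, 65, S), "forged:", verify(pub, 66, S))
```

With p = 3, q = 11, d = 7 the recipe gives n = 33, z = 20, e = 3, and the block 19 encrypts to 28 and decrypts back to 19; the signature check fails as soon as P is changed, which is exactly the non-repudiation and integrity property the 7.2.2 slides ask for.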
7.2.2 Authentication
Authentication, Digital Signature, Message Digest (MD5)
Authentication
What's authentication? Proving a claimed identity, e.g. with a unique digital ID
Examples: E-transactions via networks, E-elections via networks, Privacy Enhanced Mail (PEM)
How to authenticate: authentication mechanisms
Based on a shared secret key
Using a key distribution center
Using Kerberos
Digital Signature
3 Requirements
Authentication: the receiver can verify the claimed identity of the sender.
Non-repudiation: the sender cannot later repudiate the contents of the message.
Integrity: the receiver cannot possibly have concocted the message itself.
Secret-key Digital Signature
BB (Big Brother): a trusted server that has every user's secret key
BB uses K_A (Alice's key) to prove that the message is from Alice
Bob uses K_BB to prove that the message is from BB
K_BB(A, t, P) is the signed message
R (a random number) and t (a timestamp) are used to prevent replay attacks
Public-key Digital Signatures
Problems: key loss, key change (the signer can later claim that the private key was lost or replaced, and so disown the signature)
Authentication without Encryption
Authentication only, without message encryption
e.g., messages broadcast from an authorized source
Solution: Message Digest (MD)
Use a secure (one-way) hash function H to compute a fixed-size tag H(M||S_AB), called a message digest, for the message M concatenated with a shared secret value S_AB
Also used for secret-key digital signatures
MD5 message-digest algorithm
Specified in RFC 1321, developed by Ron Rivest in 1992
Pads a message of arbitrary length to a multiple of 512 bits, then produces a 128-bit message digest
Every bit of the hash code is a function of every bit in the input
Rivest's conjecture
The difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations
The difficulty of finding a message with a given digest is on the order of 2^128 operations
(Caveat: practical MD5 collisions have since been demonstrated; MD5 is no longer considered collision resistant and should not be used where collision resistance matters.)
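The message-digest tag of the previous slide, H(M||S_AB) with H = MD5, next to the HMAC construction of RFC 2104 (one of the RFCs listed under 7.2.4), as an added example that is not part of the textbook. The shared secret and messages are constructed for the demo. The secret-suffix tag relies on the hash being collision resistant, which MD5 no longer is; HMAC keys the hash in both an inner and an outer step and remains sound even with a weakened hash, which is why it replaced ad-hoc keyed digests in IPsec.

```python
# Added example (not from the textbook): the message-digest tag from the slide,
# H(M || S_AB) with H = MD5, next to the HMAC construction of RFC 2104.
# Keys and messages below are constructed for the demo.
import hashlib
import hmac

BLOCK_SIZE = 64                       # MD5 processes 512-bit (64-byte) blocks


def digest_tag(message: bytes, secret: bytes) -> bytes:
    """Slide construction: the sender appends the shared secret S_AB to M and
    hashes; the tag travels with M, the secret never does."""
    return hashlib.md5(message + secret).digest()


def verify_tag(message: bytes, tag: bytes, secret: bytes) -> bool:
    """Receiver recomputes the tag; compare in constant time so a wrong tag
    cannot be recognised byte by byte from timing."""
    return hmac.compare_digest(digest_tag(message, secret), tag)


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC exactly as RFC 2104 specifies it:
    H((K xor opad) || H((K xor ipad) || M)), K zero-padded to the block size."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_md5(key, message), tag)


def reference_hmac_md5(key: bytes, message: bytes) -> bytes:
    """Standard-library HMAC, used to cross-check the hand-written version."""
    return hmac.new(key, message, hashlib.md5).digest()


if __name__ == "__main__":
    secret = b"S_AB-shared-secret"              # constructed shared value
    msg = b"transfer 100 to account 42"
    tag = digest_tag(msg, secret)
    print("digest tag ok:", verify_tag(msg, tag, secret))
    print("tampered:", verify_tag(b"transfer 900 to account 42", tag, secret))
    print("hmac-md5:", hmac_md5(b"\x0b" * 16, b"Hi There").hex())
```

The first HMAC-MD5 value printed is the first test vector from RFC 2104, so the hand-written construction can be checked against the RFC and against the standard library.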
7.2.3 Transport layer
SSL (Secure Socket Layer), SET (Secure Electronic Transaction)
SSL (Secure Socket Layer)
Why SSL? Provides an encryption layer between the Application and TCP layers
Application
SSL
TCP
IP
What's SSL? Originally developed by Netscape in 1994; standardized by the IETF as the Transport Layer Security (TLS) protocol, RFC 2246
Encrypts data with various algorithms: DES, Triple DES, RSA, digital signatures
SSL contents: SSL server authentication, SSL client authentication, encrypted SSL session
SSL Handshake
Client -> Server: ClientHello
Server -> Client: ServerHello, Server Certificate, Request Client Certificate
Client -> Server: Client Certificate, ClientKeyExchange (RSA), CertificateVerify (digital signature), ChangeCipherSpec, Finished
Server -> Client: ChangeCipherSpec, Finished
Encrypted data stream (e.g. DES) in both directions
Problem with SSL: SSL protects only the channel between client and server. Server side: illegal use of the client's credit card. Client side: sends an unauthorized credit card number.
SET (Secure Electronic Transaction)
Why SET? SSL only secures the communication data between client and server; two problems remain with SSL:
Server side: illegal use of the client's credit card
Client side: sends an unauthorized credit card number
SET is a security mechanism for E-transactions via networks
The same procedure as a traditional transaction, but over the network
What's SET? Developed by VISA, MasterCard, IBM, Microsoft, and HP in 1996
Members: Cardholder, Merchant, Issuer (credit card bank), Acquirer (bank), Certificate Authority (CA)
Two types of payment: E-wallet, credit card
SET mechanism
Confidentiality: data encrypted with DES, keys exchanged with RSA
Authentication: digital signature with RSA for cardholder, merchant, and bank
Integrity: digital envelope to exchange the DES key, i.e. the DES key encrypted with the receiver's RSA public key
Non-repudiation: digital signature with RSA
SET Operation
[Figure: SET operation. Participants: Cardholder (with E-wallet), Merchant and Merchant Server, Payment Gateway, Acquirer (Bank), Issuer (Credit Card Bank), CA; the cardholder and merchant communicate over the Internet, and the transaction proceeds through numbered steps 1 to 12.]
7.2.4 Network layer
IP Security (IPsec): RFC 1825~1829, 1851, 2085, 2104
VPN (Virtual Private Network)
IPsec
Why IPsec? Provides interoperable, high-quality, cryptographically based security for IPv4 and IPv6 communication
Security services: access control, integrity, authentication, confidentiality
Components of IPsec
Traffic security
Authentication Header (AH): integrity, authentication
Encapsulating Security Payload (ESP): confidentiality
Key management and distribution: Internet Key Exchange (IKE)
How to implement IPsec
IETF related RFCs
RFC 1825: an overview of the security architecture
RFC 1826: a packet authentication extension to IP (AH)
RFC 1827: a packet encryption extension to IP (ESP)
RFC 1828: a specific authentication mechanism (keyed MD5)
RFC 1829: a specific encryption mechanism (ESP DES-CBC)
Mandatory for IPv6 and optional for IPv4
Implemented as extension headers: Authentication Header, Encapsulating Security Payload (ESP) header
Key Concept: Security Association
A one-way relationship between a sender and a receiver
For a two-way secure exchange, two security associations are required
Uniquely identified by a destination IP address and an SPI (Security Parameter Index)
Parameters: authentication algorithm, mode, key(s); encryption algorithm, mode, transform, key(s); lifetime of the keys and of the security association; security level, source IP, ...
Authentication
RFC 1828 specifies the use of keyed MD5 for authentication.
MD5 is computed over the IP packet plus a secret key and the result is inserted into the IP packet (the Authentication Data field).
At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value.
Provides both authentication and data integrity.
Authentication
Two ways in which the IP authentication service can be used:
End-to-end: between the two communicating hosts
End-to-intermediate: between a host and the router/firewall at the edge of the intranet
[Figure: end-to-end authentication across the Internet; end-to-intermediate authentication terminating at the intranet's router/firewall]
Authentication Header
 0        8        16                31
 Next Header | Length | Reserved
 Security Parameter Index (SPI)
 Authentication Data (variable number of 32-bit words)
Length: length of the Authentication Data field in 32-bit words.
Security Parameters Index: identifies a security association.
Authentication calculation: fields that change in transit are zeroed before the digest is computed:
IPv4: TTL and header checksum are set to zero
IPv6: Hop Limit is set to zero
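The AH calculation above in working form, as an added example that is not part of the textbook: an IPv4 packet carrying the Authentication Header laid out on this slide, with the Authentication Data computed as a keyed MD5 over the packet after the mutable fields (TTL, header checksum) and the authentication data field itself are zeroed. The key is placed as key || packet || key, a simplification of RFC 1828's exact key fill, and addresses, SPI and key are constructed for the demo. A router hop (TTL decrement, checksum recomputation) leaves the packet verifiable; any change to the payload or the wrong key does not.

```python
# Added example (not from the textbook): an IPv4 packet carrying the Authentication
# Header laid out above, with the authentication data computed the way the slide
# describes: a keyed MD5 over the packet after the mutable fields (TTL, header
# checksum) and the authentication data itself are zeroed. The key layout is a
# simplified "key || packet || key" rather than the exact fill of RFC 1828;
# addresses, SPI and key are constructed for the demo.
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
TCP_PROTO = 6
IP_HLEN = 20           # IPv4 header without options
AH_FIXED = 8           # Next Header, Length, Reserved, SPI
DIGEST_LEN = 16        # MD5 output
AUTH_OFF = IP_HLEN + AH_FIXED


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int) -> bytes:
    addr = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + payload_len, 0x1234, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_header(next_header: int, spi_value: int, auth_data: bytes) -> bytes:
    """Next Header | Length (auth data in 32-bit words) | Reserved | SPI | auth data."""
    return struct.pack("!BBHI", next_header, len(auth_data) // 4, 0, spi_value) + auth_data


def authenticator(packet: bytes, key: bytes) -> bytes:
    """Keyed digest over the invariant part of the packet."""
    p = bytearray(packet)
    p[8] = 0                           # IPv4 TTL is changed by every router
    p[10:12] = b"\x00\x00"             # header checksum follows the TTL
    auth_len = p[IP_HLEN + 1] * 4      # AH Length field -> bytes of auth data
    p[AUTH_OFF:AUTH_OFF + auth_len] = bytes(auth_len)
    return hashlib.md5(key + bytes(p) + key).digest()


def protect(src: str, dst: str, spi_value: int, segment: bytes, key: bytes, ttl: int = 64) -> bytes:
    """Sender: build IP | AH | transport segment, then fill in the authentication data."""
    ah = ah_header(TCP_PROTO, spi_value, bytes(DIGEST_LEN))
    packet = ipv4_header(src, dst, len(ah) + len(segment), AH_PROTO, ttl) + ah + segment
    digest = authenticator(packet, key)
    return packet[:AUTH_OFF] + digest + packet[AUTH_OFF + DIGEST_LEN:]


def verify(packet: bytes, key: bytes) -> bool:
    """Receiver: same calculation, compared in constant time against the received field."""
    received = packet[AUTH_OFF:AUTH_OFF + DIGEST_LEN]
    return hmac.compare_digest(received, authenticator(packet, key))


def forward_hop(packet: bytes) -> bytes:
    """What each router on the path does: decrement TTL, recompute the checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:IP_HLEN])))
    return bytes(p)


def spi(packet: bytes) -> int:
    """The SPI that, with the destination address, selects the security association."""
    return struct.unpack("!I", packet[IP_HLEN + 4:IP_HLEN + 8])[0]


if __name__ == "__main__":
    key = b"sa-0x100-shared-key"
    pkt = protect("10.0.0.1", "192.0.2.7", 0x100, b"GET / HTTP/1.0\r\n", key)
    print("spi", hex(spi(pkt)), "valid:", verify(pkt, key))
    print("after one hop:", verify(forward_hop(pkt), key))
    print("payload altered:", verify(pkt[:-2] + b"XX", key))
```

Zeroing the mutable fields is what lets the digest survive the path: without it every router would break the authentication. The receiver looks up the key by (destination address, SPI), which is exactly the security association identifier of the previous slides.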
Encapsulating Security Payload
Provides privacy and data integrity for IP packets.
Two modes
Transport-mode ESP encrypts a transport-layer segment
Tunnel-mode ESP encrypts an entire IP packet
ESP Header: SPI, then parameters dependent on the encryption algorithm (e.g. an IV for DES-CBC)
Transport-Mode ESP
Encrypts the data carried by IP
The ESP header is inserted into the IP packet immediately before the transport-layer header (or after the Destination Options header, if present)
Susceptible to traffic analysis on the transmitted packets: the IP header, and so the real source and destination, stay in the clear
End-to-end transport
IP Header | Ext. Header | ESP Header | Transport layer segment
 unencrypted             | encrypted
Tunnel-Mode ESP
Encrypts an entire IP packet
Counters the traffic analysis problem
The source sends the encrypted IP packet to its firewall
The firewall sends it to the destination firewall
The destination firewall decrypts it and forwards it to the destination
IP Header | Ext. Header | ESP Header | IP header + Transport layer segment
 unencrypted             | encrypted
Authentication Plus Privacy
Encryption before authentication
Transport-mode ESP: authentication applies to the entire IP packet delivered to the ultimate destination
Tunnel-mode ESP: authentication applies to the entire IP packet delivered to the firewall
IP Header | Auth. Header | ESP Header | Transport layer segment | E-T
scope of authentication: the whole packet (with the mutable IP header fields zeroed); scope of encryption: ESP Header through E-T
E-T: Encapsulating Security Payload trailing fields
Authentication Plus Privacy
Authentication before encryption
Only appropriate for tunnel-mode ESP
The slides argue that authentication before encryption is better:
AH is protected by ESP
It is more convenient to perform authentication on unencrypted data, then protect it with encryption
(Caveat: current ESP (RFC 4303) integrity-protects the ciphertext, i.e. encrypt-then-authenticate, the order now generally preferred because the receiver can reject forged packets before decrypting anything.)
outer IP-H | ESP-H | A-H | inner IP-H | Transport layer segment | E-T
scope of authentication: inner IP-H + Transport layer segment; scope of encryption: A-H through E-T
Simple Key-management for IP (SKIP)
[Figure 12: SKIP hierarchical key management between a sending end and a receiving end]
Kij: the secret actually shared by the two communicating parties
n: the number of hours since 1995-01-01 00:00
Kijn = MD5(Kij/n): long-term key, changed once every hour ("/" is the figure's notation for concatenation)
Kp: short-term (packet) key, changed every 2 minutes
E_Kp = MD5(Kp/0): encryption key; A_Kp = MD5(Kp/2): authentication key
Sending end: encrypts Kp with Kijn and inserts it in the SKIP header sent to the peer
Receiving end: recomputes Kijn = MD5(Kij/n), recovers Kp with Kijn, and derives E_Kp and A_Kp from Kp in the same way
VPN
Why VPN? Enterprises need a private data network
Leased line: X.25, Frame Relay, and ATM; a custom-made service
Disadvantages of leased lines: complex configuration; high cost of network access equipment
VPN
What is a VPN? Private network communication built on top of a public network
How to implement a VPN: tunneling, encryption & decryption, key management, authentication
Tunneling
PPTP: Microsoft-proposed protocol for implementing a VPN; two communication channels between the client and server: a control channel and a data channel (possibly encrypted)
L2TP
IPsec
Other issues
Encryption and decryption: previously described
Key management: described in the IPsec section
Authentication
User authentication: password, ID card
Equipment authentication: X.509 certificate
VPN types
Virtual Leased Line: the simplest type of VPN
Virtual Private Routed Network: works on the network layer
Virtual Private Dial Network
Virtual Private LAN Segment: works on the link layer
Virtual Leased Line (VLL)
Two CPE devices are connected by a point-to-point link
Each CPE connects to an ISP node via a link-layer connection; IP tunnels are set up between the ISP nodes
Link-layer types: ATM VCC, Frame Relay circuit
To the customer it looks as if a single ATM VCC or Frame Relay circuit interconnected the CPE devices
[Figure: Virtual Leased Line (VLL) example]
Virtual Private Routed Network (VPRN)
Packet forwarding is carried out at the network layer
A VPRN consists of a mesh of IP tunnels between ISP routers plus the routing capability needed to forward traffic to and from each customer site
A VPRN-specific forwarding table is located at each ISP router
Benefit: minimum complexity and configuration of CPE routers; the heavy work is done by the ISP edge routers
Disadvantage: poor scalability; a full-mesh topology is not appropriate when the number of ISP routers is large
Virtual Private Routed Network (VPRN)
A backup link is used in case the primary link fails
A backdoor link is a link between two customer sites that does not traverse the ISP network
Virtual Private Dial Network (VPDN)
A remote user connects through an ad hoc tunnel into another site
The user is connected to a public IP network via a dial-up PSTN or ISDN link
L2TP allows a user's PPP session to be extended from an L2TP Access Concentrator (LAC) to a remote L2TP Network Server (LNS)
Tunneling mechanisms
Compulsory tunneling: the LAC extends a PPP session across the backbone using L2TP to a remote LNS; the dial-in network access server acts as the LAC
Voluntary tunneling: an individual host connects to a remote site using a tunnel originating on the host, with no involvement from intermediate network nodes
[Figure: compulsory tunneling example]
[Figure: voluntary tunneling example]
Virtual Private LAN Segment (VPLS)
Emulation of a LAN segment using Internet facilities
Difference from a VPRN: each VPLS edge node implements link-layer bridging rather than network-layer forwarding
[Figure: Virtual Private LAN Segment example]
Open Source Implementation
FreeS/WAN main components
KLIPS: kernel IPsec; implements AH, ESP, and packet handling within the kernel
Pluto: IKE daemon; implements IKE, negotiating connections with other systems
Administrator interface
Open Source Implementation
[Figure: flowchart of Pluto: IKE input enters and IKE output leaves the PLUTO daemon through its public interface]
7.3 Firewall
7.3.1 Introduction of Firewall
7.3.2 IP layer: packet filter
7.3.3 Application layer: TIS (Trusted Information System)
7.3.1 Introduction of Firewall
A system or group of systems that enforces an access control policy between two networks
Redirects requests to the actual server
Hides intranet servers from the Internet
Access logs, intrusion detection and alarms
What can a firewall protect against?
Protects against unauthenticated interactive logins from the "outside" world
Records and monitors the status of the protected network, e.g. suspicious data access
Monitors abnormal instructions entering the protected network
Intrusion detection against network-borne attacks
Firewall categories
Network layer firewall: works on the network layer of the OSI model
Packet filter
Decides based on the header of the IP packet and rules defined by the administrator
Fields checked: protocol ID, source IP address, destination IP address, source TCP/UDP port, destination TCP/UDP port
Screened Host Firewall
Traffic to and from the bastion host is controlled by a router operating at the network layer
Bastion host: an exposed gateway machine; a highly defended and secured strong point that can resist attack
Screened subnet firewall
Traffic to and from a whole network is controlled by a router operating at the network layer
DMZ: abbreviation for demilitarized zone; an area between the Internet access router and the bastion host; can be created by putting access control lists on the access router
[Figure: screened subnet firewall]
Firewall categories
Application layer firewall: works on the application layer of the OSI model
Proxy server
Dual-homed gateway: a highly secured host with two network interfaces that runs proxy software
Comparisons for firewalls
                  | Lower-level firewall (packet filter) | Higher-level firewall (application proxy)
User transparency | more transparent                     | less transparent
Security degree   | simple                               | detailed and intelligent
Speed             | fast                                 | low
7.3.2 Packet Filtering
What is packet filtering? A packet filter is a special program, which may run within a router, that examines the IP packets it receives and decides what happens to each packet according to a set of user-defined rules.
Why packet filtering? Control, security, watchfulness (logging what passes)
Open Source Implementation: Netfilter
Hooks
NF_IP_PRE_ROUTING (A)
NF_IP_LOCAL_IN (B)
NF_IP_FORWARD (C)
NF_IP_POST_ROUTING (D)
NF_IP_LOCAL_OUT (E)
Packet path: incoming packet -> A (PRE_ROUTING) -> ROUTE -> either C (FORWARD) -> D (POST_ROUTING) -> out, or B (LOCAL_IN) -> Local Process
Locally generated packets: Local Process -> E (LOCAL_OUT) -> ROUTE -> D (POST_ROUTING) -> out
Open Source Implementation
iptables rule structure
struct ipt_entry: general IP header matching (addresses, protocol, interfaces), followed by the match-specific parts and the target to perform if the rule matches
struct ipt_entry_match: match-specific data (e.g. TCP/UDP ports)
struct ipt_entry_target: the verdict (ACCEPT, DROP, ...) or a jump to another chain
Open Source Implementation
iptables chain traversal (libiptc)
iptc_first_chain()
iptc_next_chain()
iptc_first_rule()
iptc_next_rule()
iptc_get_target()
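The rule and chain structure described above, reduced to a small working packet filter as an added example (not from the textbook and not libiptc code): each rule carries the IP header match criteria the packet-filter slide lists plus a target, a chain is walked rule by rule, the first match decides, and the chain policy applies when nothing matches. The interfaces, addresses and the screened-subnet ruleset (a DMZ in 192.0.2.0/24 behind eth0, an intranet on eth1) are constructed for the demo.

```python
# Added example (not from the textbook and not libiptc code): a small packet
# filter that mirrors the structure above: each rule carries IP-header match
# criteria and a target, a chain is walked rule by rule, the first match decides,
# and the chain policy applies when nothing matches. Interfaces, addresses and
# the ruleset are constructed for the demo (a screened subnet with a DMZ).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    in_iface: str = ""         # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    """Roughly what struct ipt_entry holds: header match + target."""
    target: str                                    # ACCEPT or DROP
    proto: Optional[str] = None                    # None = any protocol
    src: str = ANY
    dst: str = ANY
    sport: Optional[Tuple[int, int]] = None        # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    in_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


class Chain:
    """Rules are consulted in order; the first match wins, else the policy."""
    def __init__(self, name: str, policy: str, rules):
        self.name, self.policy, self.rules = name, policy, list(rules)
        self.counters = [0] * len(self.rules)      # per-rule hit counts, like iptables -v

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.counters[i] += 1
                return rule.target, i
        return self.policy, None


def dmz_forward_chain() -> Chain:
    """Constructed policy: eth0 faces the Internet, eth1 the intranet, and the
    DMZ hosts live in 192.0.2.0/24. Only web and mail are reachable from outside."""
    return Chain("FORWARD", "DROP", [
        # anti-spoofing: intranet addresses must never arrive from the Internet side
        Rule("DROP", src="10.0.0.0/8", in_iface="eth0"),
        Rule("ACCEPT", proto="tcp", dst="192.0.2.10/32", dport=(80, 80), in_iface="eth0"),
        Rule("ACCEPT", proto="tcp", dst="192.0.2.20/32", dport=(25, 25), in_iface="eth0"),
        # everything the intranet sends outwards is allowed
        Rule("ACCEPT", in_iface="eth1"),
    ])


if __name__ == "__main__":
    chain = dmz_forward_chain()
    for pkt in [Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80, "eth0"),
                Packet("tcp", "198.51.100.7", "192.0.2.10", 40001, 23, "eth0"),
                Packet("tcp", "10.1.2.3", "192.0.2.10", 40002, 80, "eth0")]:
        print(pkt, "->", chain.verdict(pkt))
```

Rule order matters exactly as it does in a real chain: the anti-spoofing DROP sits first so a packet with an internal source address arriving from the Internet is rejected even though a later rule would accept port 80 to the web server. A default-DROP policy with explicit ACCEPTs is the deny-by-default stance the packet-filter slides recommend.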
7.3.3 TIS—Trusted Information System
7.4 Intrusion Detection System
7.4.1 Introduction
7.4.2 Intrusion
7.4.2.1 Monitoring
7.4.2.2 Password Cracking
7.4.2.3 Security Holes
Types of security holes
How to attack security holes?
Remote exploits vs. local exploits
7.4.2.4 Malicious Code
7.4.2.5 Denial of Service
7.4.2.6 Scanning
7.4.2.7 Examples of attacking
7.4.3 Protection
7.4.3.1 Prevent (Encryption, Authentication)
7.4.3.2 Access control (firewall)
7.4.3.3 Detection (monitoring, scanning)
7.4.3.4 Audit (Auditing)
7.5 Open Source Implementation
7.5.1 Open Source for IDS, Snort
7.5.2 Open Source for vulnerability scanning, Nessus
7.4.2 Network Intrusion
What's network intrusion? Intruding into a system via networks such as the Internet and an intranet
[Figure: an attacker logs in to a server over the network; the server's banner reads "===== Welcome ======", Login: Unsafe, Password: HereYouAre]
Why network intrusion?
For fun
To gather information or resources of the target system
To damage data and files
To crash the target system
Intrusion Procedure
Gather information -> Crack target -> Intrude -> Get information -> Embed backdoor for next time -> Clear logs
Intrusion Ways
Monitoring, Password Cracking, Security Holes, Malicious Code, Denial of Service, Scanning
Intrusion Type    | Software
Monitoring        | Sniffit, NetXray
Password Cracking | Crack, L0phtCrack
Malicious Code    | BO2K, NetBus
Denial of Service | Smurf, Trinoo, TFN, Mstream
Scanning          | SATAN, SAINT, Nessus, Tiger
7.4.2.1 Monitoring
What's monitoring? Sniffing the MAC frames, IP packets, and application-layer information of the target system
To get MAC addresses
To get TCP/IP information
To get usernames and passwords
To get other useful information
Tools
Sniffit, http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
NetXray
7.4.2.2 Password Cracking
How to crack passwords
Guessing
Brute force with a dictionary file against the stored password hashes:
Unix: /etc/passwd and /etc/shadow files
Windows 2000: SAM file
Plaintext transmission without encryption (passwords captured by sniffing)
Tools
Netcat, http://www.atstake.com/research/tools/nc11nt.zip
WWWHack, http://packetstorm.securify.com/Crackers/wwwhack.zip
L0phtCrack, http://www.l0pht.com/l0phtcrack/dist/l0phtcrack25.exe
John the Ripper (john-16d.zip), http://www.openwall.com/john
7.4.2.3 Security Holes
What's a security hole? A bug in a system, application, or protocol that an attacker can exploit
Types of security hole: buffer overflow, input validation error, configuration error, system bug, software bug, protocol bug
Buffer overflow
Put more data into a fixed-size buffer than it can hold; the excess overwrites what lies above the buffer on the stack, including the saved return address, so that the function "returns" to the attacker's code (the "cracked file")
[Figure: stack before the overflow: stack pointer, return address, buffer (200 bytes); after the overflow: stack pointer, return address replaced by the cracked file address, buffer (200 bytes) filled with the attacker's data]
The function whose 200-byte stack buffer is overrun (the elided code of the slide is shown as comments):

    void called(void)
    {
        /* ... */
        char buffer[200];   /* fixed-size stack buffer; an unchecked copy of more than 200 bytes overwrites the saved return address */
        /* ... */
    }
7.4.2.4 Malicious Code
What's malicious code? Computer programs written specifically to cause mischief or, worse, damage to infected computers
Two types of malicious code: backdoor (i.e., Trojan horse) and virus
Backdoor, i.e., Trojan horse: unlike a virus, a Trojan horse does not replicate itself; it stays in the target system and
Masquerades as a legitimate program
Inflicts damage
Reports information to the remote attacker
Allows the remote attacker to take control of the target
Virus: self-replicating, destructive
Types of virus: macro virus; COM and EXE virus; boot virus; joke virus; Java malicious code; ActiveX malicious code; VBScript, JavaScript and HTML virus
Examples
First Internet worm: the "Internet Worm" by Robert T. Morris Jr., 1988
Famous virus via e-mail: "I love you", 2000
Attacks on Microsoft IIS: "Code Red", 2001; "Nimda", 2001
Virus list: http://www.wildlist.org/
7.4.2.5 Denial of Service
What's DoS? Not an intrusion, but denying the services of the target system: exhaust the target's resources so that it stops providing service
How is DoS done?
TCP SYN flood with IP spoofing attack
ICMP echo flood attack (Smurf)
Ping of Death
Teardrop attack
UDP flood attack
DDoS (Distributed DoS): hierarchy of attacker, master, client, and target
TCP SYN flood with IP spoofing attack
Floods a targeted system with a series of TCP SYN packets with spoofed source IPs
The target allocates a half-open connection for each SYN and keeps waiting for the final ACK, which never arrives
Client                        Server
  SYN     -------------------->
          <--------------------  SYN-ACK
  ACK     -------------------->
Client and server can now send service-specific data
ICMP echo flood attack (Ping): Smurfing attack, exhausts the target's network bandwidth
Send ICMP echo request packets (ping) to the broadcast address of a subnet with a spoofed source IP (the victim); every host on that subnet replies to the victim
DDoS (Distributed DoS)
Launches coordinated UDP flood DoS attacks from many sources
Hierarchy of attacker, master, client, and target:
Attacker: the intruder
A small number of servers, or masters
A large number of clients, or daemons (agents)
Target: the victim
Two of the tools seen are known as Trinoo (or trin00) and Tribe Flood Network (TFN), with its successor TFN2K
[Figure: DDoS hierarchy: Attacker -> command -> Masters -> command -> Agents -> attack -> Targets]
Trinoo ports: attacker to master: command on port 27665/TCP; master to agent: request on port 27444/UDP; agent to master: reply on port 31335/UDP
DDoS attack types
Tool   | Attack types
Trinoo | UDP flood attack
TFN    | UDP flood attack, TCP SYN flood attack, ICMP echo request flood attack, Smurf attack
TFN2K  | Mix attack, Targa3 attack
(numbered in the figure: 1. UDP flood attack, 2. TCP SYN flood attack, 3. ICMP echo request flood attack, 4. Mix attack, 5. Targa3 attack)
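Detection logic for three of the attacks described in this section, as an added example that is not part of the textbook: a TCP SYN flood (many half-open connections that never receive the third ACK), a Smurf echo request aimed at a local broadcast address, and Trinoo control traffic on the ports the slide lists. The logic is run over a constructed packet log; the addresses, the local network and the threshold are assumptions of the example.

```python
# Added example (not from the textbook): detection logic for three of the attacks
# listed above, run over a constructed packet log: a TCP SYN flood (many half-open
# connections that never see the third ACK), a Smurf echo request aimed at a local
# broadcast address, and Trinoo control traffic on the ports given in the slide.
# The addresses and the log itself are made up for the demo.
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed protected network
TRINOO_PORTS = {("tcp", 27665),    # attacker -> master
                ("udp", 27444),    # master -> agent request
                ("udp", 31335)}    # agent -> master reply


def detect(log, half_open_threshold=50):
    """Returns a list of alert tuples; the first element names the alert kind."""
    half_open = defaultdict(set)         # (dst, dport) -> {(src, sport)} awaiting ACK
    alerts = []
    for r in log:
        proto = r["proto"]
        if proto in ("tcp", "udp"):
            if (proto, r["dport"]) in TRINOO_PORTS or (proto, r["sport"]) in TRINOO_PORTS:
                alerts.append(("trinoo_control", r["src"], r["dst"], r["dport"]))
        if proto == "tcp":
            conn, key = (r["dst"], r["dport"]), (r["src"], r["sport"])
            if r["flags"] == "S":                    # SYN only: handshake step 1
                half_open[conn].add(key)
            elif "A" in r["flags"]:                  # ACK from the same endpoint: step 3
                half_open[conn].discard(key)
        elif proto == "icmp" and r["type"] == 8:     # echo request
            dst = ipaddress.ip_address(r["dst"])
            if any(dst == net.broadcast_address for net in LOCAL_NETS):
                alerts.append(("smurf_amplifier", r["src"], r["dst"]))   # r["src"] is the victim
    for (dst, dport), pending in half_open.items():
        if len(pending) >= half_open_threshold:
            alerts.append(("syn_flood", dst, dport, len(pending)))
    return alerts


def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def sample_log():
    """Constructed traffic: 3 legitimate handshakes, 60 spoofed SYNs with no ACK,
    one Smurf probe and one Trinoo command."""
    log = []
    for i in range(3):
        log += [tcp("198.51.100.5", 40000 + i, "192.0.2.10", 80, "S"),
                tcp("198.51.100.5", 40000 + i, "192.0.2.10", 80, "A")]
    for i in range(60):                          # spoofed sources that never answer
        log.append(tcp("203.0.113.%d" % (i + 1), 1024 + i, "192.0.2.10", 80, "S"))
    log.append({"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "192.0.2.255"})
    log.append({"proto": "udp", "src": "198.51.100.66", "sport": 5555,
                "dst": "192.0.2.30", "dport": 27444})
    return log


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The SYN-flood check counts what the victim itself suffers from, half-open connections that never complete, rather than raw SYN volume, so the three legitimate handshakes are not counted. For Smurf the interesting address is the spoofed source, because that is the host about to be flooded with replies; an ingress filter that drops directed broadcasts stops the amplification outright.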
7.4.2.6 Scanning
What's scanning? The prelude to attacking: enumerating the services and security holes of the target only, without actually attacking it
Scanning types
Local scanning
COPS
TIGER, ftp://net.tamu.edu/pub/security/TAMU
Remote scanning
SATAN (Security Administrator's Tool for Analyzing Networks), a previous version of SAINT, http://www.fish.com/~zen/satan/satan.html
SAINT (Security Administrator's Integrated Network Tool), http://www.wwdsi.com/saint
Fluxay (local and remote scanning), http://www.netxeyes.com
7.4.2.7 Examples of attacking
Attack Type               | Security Hole                            | Example
Remote exploit            | Configuration error                      | Piranha with Red Hat 6.2
Local exploit             | Access validation error                  | Linux "man" (malicious)
Remote and local exploits | Design error                             | Group, Apache 1.3.12
Remote exploit            | Buffer overflow                          | Wu-ftpd 2.6
DoS                       | Failure to handle exceptional conditions | sendmail
7.4.3 Protection
7.4.3.1 Prevent (Encryption, Authentication): refer to 7.2.1 and 7.2.2
7.4.3.2 Access control (firewall): refer to 7.3
7.4.3.3 Detection (monitoring, scanning) (not yet)
7.4.3.4 Audit (Auditing) (not yet)
7.5 Open Source Implementation
7.5.1 Open Source for IDS, Snort
7.5.2 Open Source for vulnerability scanning, Nessus