Scanning for compromised machines - Final Report
This is the final report for Project 103 - Scanning for compromised machines.
1. Introduction
The idea of this project was to investigate/prototype ways of detecting self-managed machines on our network which might have been compromised in some way. The self-managed machines involved will be running a mixture of Linux, Mac and Windows.
2. Deliverables
A report with summary and recommendations.
3. Summary
This investigation seemed unsatisfactory and largely inconclusive - see the report.
Of the tools investigated, the only one which produced useful results was the commercial offering 'Nessus'. In trial form, that software runs in a somewhat crippled state, but an initial conclusion was that we should probably buy a licence for it (at about £1500 p.a.), try it in earnest for a year, and review its usefulness after that period. However, it's since turned out that the University has purchased a licence for penetration-testing software apparently based on Nessus which we have the opportunity to use. So the suggestion is now to do that instead.
Based on what other people appear to do, it seems we ought to investigate the use of sFlow in order to both monitor and visualize our network traffic flows at the IP level. Doing so might allow us to detect compromised machines by their behaviour; having better visualization of traffic on our network should be useful in any case.
Project 98 is immediately relevant.
The work done was spread over 2012T3 and 2013T1. A long break between periods of work on this project was counter-productive: things had to be relearned and redone.
4. Effort
| Period | Effort |
| 2012T3 | 2.0 weeks |
| 2013T1 | 2.0 weeks |
| Total | 4 weeks |
-- IanDurkacz - 30 Apr 2013
Topic revision: r2 - 05 Jun 2013 - 10:35:26 - IanDurkacz