Subject: Network security questions
Category: Computers > Security
Asked by: chiriguaya-ga
List Price: $3.00
Posted: 29 Aug 2002 01:12 PDT
Expires: 28 Sep 2002 01:12 PDT
Question ID: 59789
(1) What is a Null session problem?
(2) How can an intrusion detection system actively respond to an attack?
(3) What is a good way to centralize networking equipment logs (such as for switches and routers)?
(4) What Microsoft tool can be used to analyze the system security policy, file access rights, and registry ACLs based on templates?
(5) What UNIX tool can be used to analyze the file system to determine if files have changed?
There is no answer at this time.
Subject: Re: Network security questions
From: philip_lynx-ga on 29 Aug 2002 03:54 PDT
Hi Chiriguaya, quite a list of questions you have, for a proposed fee of $3. Well, this you even get for free ;-)

2) By alerting administrators via email/pager/phone. By changing firewall configurations to
 - increase logging of suspect sessions
 - block certain sensitive areas inside, or
 - block offending areas outside
 - throttle offending or suspect traffic
 - bring down the Internet connection

3) SNMP

5) Consider using tripwire

As a general hint, a collection of tools etc. is outlined at http://www.cert.org/security-improvement/implementations/i042.07.html

Good luck,
Philip Lynx
Subject: Re: Network security questions
From: chiriguaya-ga on 29 Aug 2002 05:18 PDT
Thanks. SNMPv3 is more secure; the answer to #2 is very good.
Subject: Re: Network security questions
From: infosecguy-ga on 29 Aug 2002 08:25 PDT
(1) What is a Null session problem?
A Null session problem is commonly a problem that exists on many systems, especially Microsoft-based systems, where the system allows a person or other system to connect to it without use of a username and/or password, such as shares.

(2) How can an intrusion detection system actively respond to an attack?
As philip_lynx has stated, there are many ways it can respond, and he/she has given excellent responses. I would like to add, though, that there are custom filters that can be configured for signatures that an IDS system looks for, and there are standard "out of the box" attack signatures that are known attacks. If the IDS is not configured properly it may send what are known as "false positives", or alerts on an overabundance of traffic, therefore overwhelming people with alerts. While such alerts are active responses, they (as stated above) may become overwhelming.

(3) What is a good way to centralize networking equipment logs (such as for switches and routers)?
As philip has stated, such devices can send traffic via SNMP; however, this traffic is in the clear. Therefore be sure to have your logs backed up to a centralized source and tested. Change your SNMP information, as it is listed as "public" by default. Having your SNMP defaults in place is bad, as anyone (including unwanted guests) can poll such routers etc. for the same information.

(4) What Microsoft tool can be used to analyze the system security policy, file access rights, and registry ACLs based on templates?
Microsoft has many tools available for free. There are also many "host assessment" tools that may offer a similar/better solution. I don't get into branding here, though.

(5) What UNIX tool can be used to analyze the file system to determine if files have changed?
Tripwire, while an excellent tool, may be hard to configure; there may be several other MD5 tools that check for file integrity. MD5 is a hashing algorithm that checks the file using encryption-type techniques.

You may also be able to use such tools as snort for IDS on the Unix system.
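Both comments above point at tripwire for question (5) without showing what such a tool actually does. The following is an added, stand-alone example (not from this thread, not Tripwire's own code) of the core idea: hash every file in a tree into a baseline, store it, and later diff the live tree against it. It uses SHA-256 rather than MD5 because MD5 collisions are practical today; the fake root, the "trojaned" binary and the `ld.so.preload` entry in `demo()` are constructed test data, not real artifacts.

```python
"""Tripwire-style file integrity check, minimal stand-alone version.

Build a baseline of hashes for a directory tree, store it, and later
diff the live tree against it to find added, removed and modified files.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, dict]:
    """Map every regular file under root (POSIX-style relative path) to its
    content hash, size and permission bits. Symlinks are skipped so a link
    pointing at an attacker-controlled file is never hashed as 'content'."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return snap


def save_baseline(snap: Dict[str, dict], dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Diff two snapshots. A file is 'modified' if any recorded attribute
    differs, so a permission change alone is reported as well."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario (hypothetical data): baseline a fake root, then
    simulate a compromise and re-check. The tampered binary keeps its
    original length, so a size-only check would miss it; the hash catches it."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")

        # Baseline lives outside the tree it describes (in real use: read-only
        # or offline media, otherwise an intruder simply rewrites it).
        baseline_file = Path(store) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated intrusion: same-size trojaned binary, a deleted file,
        # and a new preload hook.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/.x/evil.so\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The scan itself is the easy part; what makes a real deployment trustworthy is running the checker and its hash binary from media the attacker could not have modified, and keeping the baseline off the host being checked.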
Subject: Re: Network security questions
From: wikeda-ga on 07 Sep 2002 19:12 PDT
> From: philip_lynx-ga on 29 Aug 2002 03:54 PDT
>
> quite a list of questions you have, for a proposed fee of $3. Well,
> this you even get for free ;-)

agree.

> 3) SNMP

SNMP would send traps to a server. Those traps could be recorded, but they have limited logging capabilities. Traps are very useful to send critical messages to a network management console like: "disk XYZ is 95% full", "temperature is too high".

However, I think the best answer to the question is: Syslog. Syslog is a standard logging subsystem present in all flavours of Unix. Almost all network equipment can send log messages to a syslogd.
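To make the syslog suggestion concrete, here is an added example (mine, not from this thread or any vendor) of the receiving end: a small collector that parses the RFC 3164 ("BSD syslog") lines that switches and routers typically send to a remote syslogd, decodes the `<PRI>` field into facility and severity, and flags the events a security team would want to see. The sample lines are constructed in the style of Cisco IOS messages and are not captured from a real device; the mnemonics in `WATCHED_MNEMONICS` are my own choice of what to alert on.

```python
"""Central syslog collector for network gear, stand-alone example.

Parses RFC 3164 syslog lines, splits PRI (= facility * 8 + severity) into
its parts, and triages events. A UDP listener is included for real use.
"""
import re
import socketserver
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            **{16 + i: f"local{i}" for i in range(8)}}

# <PRI>Mmm dd hh:mm:ss HOST MSG   (day is space-padded, hence " {1,2}")
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class Event:
    facility: str
    severity: int      # 0 = emergency ... 7 = debug
    timestamp: str
    host: str
    message: str


def parse(line: str) -> Optional[Event]:
    """Return an Event, or None for anything that is not a well-formed RFC 3164
    line. A collector must never crash on junk arriving from the network."""
    m = _RFC3164.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:             # facility max 23, severity max 7
        return None
    return Event(FACILITY.get(pri >> 3, f"facility{pri >> 3}"), pri & 7,
                 m["ts"], m["host"], m["msg"])


# Mnemonics worth an alert even when the device logs them at notice level
# (hypothetical watch list for this example).
WATCHED_MNEMONICS = ("LOGIN_FAILED", "CONFIG_I", "DUPADDR")


def should_alert(ev: Event) -> bool:
    """Warning or worse, or a watched mnemonic, gets escalated."""
    return ev.severity <= 4 or any(tok in ev.message for tok in WATCHED_MNEMONICS)


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(host, severity name, message) for every alertable, parseable line."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev is not None and should_alert(ev):
            out.append((ev.host, SEVERITY[ev.severity], ev.message))
    return out


# Constructed sample traffic in Cisco IOS style (not a real capture).
SAMPLE_LINES = [
    "<189>Sep  7 19:12:01 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>Sep  7 19:12:03 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "<187>Sep  7 19:12:04 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<190>Sep  7 19:12:05 core-sw1 %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "not a syslog line at all",
]


class _UDPHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        data, _sock = self.request          # UDPServer hands (bytes, socket)
        ev = parse(data.decode("utf-8", errors="replace"))
        if ev is not None:
            self.server.on_event(ev)        # callback attached in run_collector


def run_collector(on_event: Callable[[Event], None],
                  host: str = "0.0.0.0", port: int = 514) -> None:
    """Bind a UDP syslog listener. Port 514 needs root; use e.g. 5514 to test."""
    with socketserver.UDPServer((host, port), _UDPHandler) as srv:
        srv.on_event = on_event
        srv.serve_forever()


if __name__ == "__main__":
    for host, sev, msg in triage(SAMPLE_LINES):
        print(f"ALERT {host} [{sev}] {msg}")
    # run_collector(lambda ev: print(ev), port=5514)   # live mode
```

Classic UDP syslog has the same weakness infosecguy noted for SNMP: it is cleartext and unauthenticated, and the source address is trivially spoofed, so the collector should sit on a management network that only the devices can reach. Devices that support syslog over TLS (RFC 5425) should be configured to use it.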