Chapter 4: Configuring RealSecure Desktop Protector
Back Tracing
Introduction
RealSecure Desktop Protector can track an intruder's activities to help you determine
what an intruder did to your computer. This topic explains how to gather and use this
information.
How does back tracing work?
Back tracing is the process of tracing a network connection to its origin. When somebody
connects to your system over a network such as the Internet, your system and the
intruder's system exchange packets. Before an intruder's packets reach your system, they
travel through several routers. RealSecure Desktop Protector can read information from
these packets and identify each router the intruder's packets had to travel through.
Desktop Protector can often identify the intruder's system in this way.
Back tracing information
When Desktop Protector back traces an intruder, it attempts to gather the IP address, DNS
name, NetBIOS name, Node, Group name, and MAC address. Skilled intruders will often
try to block Desktop Protector from acquiring this information.
Procedure
To set up back tracing:
1. From the Main Menu, select Tools → Edit BlackICE Settings.
2. Select the Back Trace tab.
3. Type the severity level for an indirect trace in the Indirect Trace Threshold box.
Note: The default threshold for an indirect trace is 3. With this setting, any event with
a severity of 3 or above triggers an indirect back trace.
4. Do you want Desktop Protector to query Domain Name Service servers for
information about the intruder?
If yes, select DNS lookup.
If no, clear DNS lookup.
5. Type the severity level for a direct trace in the Direct Trace Threshold box.
Note: The default threshold for the direct trace is 6. With this setting, any event with a
severity of 6 or above triggers a direct back trace.
6. Do you want Desktop Protector to determine the computer address of the intruder's computer?
If yes, select NetBIOS nodestatus.
If no, clear NetBIOS nodestatus.
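The following is an added example (not code from the RealSecure Desktop Protector manual or the product) that models the threshold settings from the procedure above: it decides, for an event of a given severity, whether an indirect trace, a direct trace, or both would fire, and which lookups each is allowed to make. Grouping DNS lookup under the indirect trace and NetBIOS node status under the direct trace follows the order of the steps above and is my reading of the procedure; the field and lookup names are my own.

```python
from dataclasses import dataclass


@dataclass
class BackTraceSettings:
    # Defaults taken from the procedure: indirect trace at 3, direct trace at 6.
    indirect_threshold: int = 3
    dns_lookup: bool = True
    direct_threshold: int = 6
    netbios_nodestatus: bool = True


def plan_back_trace(severity: int, settings: BackTraceSettings) -> dict:
    """Return which traces fire for one event and what each may query.

    An indirect trace only consults third parties (the routers on the path and,
    if enabled, DNS servers). A direct trace contacts the intruder's host itself,
    which is why it is reserved for events at or above the higher threshold.
    """
    plan = {"indirect": False, "direct": False, "contacts_intruder": False, "lookups": []}
    if severity >= settings.indirect_threshold:
        plan["indirect"] = True
        plan["lookups"].append("router_path")          # assumed indirect source
        if settings.dns_lookup:
            plan["lookups"].append("dns_name")         # step 4: DNS lookup
    if severity >= settings.direct_threshold:
        plan["direct"] = True
        plan["contacts_intruder"] = True
        if settings.netbios_nodestatus:                # step 6: NetBIOS nodestatus
            plan["lookups"].extend(["netbios_name", "node", "group_name", "mac_address"])
    return plan


def count_intruder_contacts(events, settings: BackTraceSettings) -> int:
    """How many of the events would cause Desktop Protector to touch the intruder's host."""
    return sum(plan_back_trace(sev, settings)["contacts_intruder"] for _, sev in events)


# Constructed sample events: (description, severity); not real product output.
SAMPLE_EVENTS = [("port probe", 2), ("TCP SYN flood", 3), ("web server exploit attempt", 7)]

if __name__ == "__main__":
    default = BackTraceSettings()
    cautious = BackTraceSettings(direct_threshold=8)   # raise the bar for contacting the intruder
    for name, sev in SAMPLE_EVENTS:
        print(name, sev, plan_back_trace(sev, default))
    print("direct traces (default):", count_intruder_contacts(SAMPLE_EVENTS, default))
    print("direct traces (cautious):", count_intruder_contacts(SAMPLE_EVENTS, cautious))
```

Raising the direct threshold is the knob that keeps lower-severity events from triggering a trace that contacts the intruder's system.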
Direct and indirect tracing
Desktop Protector can trace intruders directly or indirectly.
An indirect trace uses protocols that do not make contact with the intruder's system,
but instead collect information from other sources along the path to the intruder's
system. Because an indirect back trace never contacts the intruder's system, it does not
acquire much information. Indirect traces are best suited for lower-severity attacks.
A direct trace goes all the way back to the intruder's system to collect information.
Direct back tracing makes contact with the intruder's system and therefore can acquire
a lot of information. Direct back traces are best for high-severity attacks, when you