Intrusion detection is different from traditional firewalls because it involves detecting a security breach. In most cases it translates into defending against a security breach; in my opinion it's sort of part of system administration. If you look at the way IDS evolved, originally the idea was that if I set up a particular probe or a particular application, I'll be able to detect unauthorized access.
There are three approaches. The first is a blind barricade, which is similar to a firewall. You implement a wrapper or some sort of a scanner that looks for specific events. When it sees the event it correlates it and decides whether or not it's an acceptable event or an unacceptable event. So if I try to log into a system and it tells me that I don't have the right credentials, when that failure occurs an application will then alarm some other console to say that there is an unauthorized access.
What is the last approach?
Profile or anomaly detection, the most recent. As an administrator you create profiles of your system and you determine what their normal operational parameters are, and you look for events that are out of profile. So for instance I have a Web server, and as a Web server it only runs SSH. Then one day all of a sudden it starts running HTTP clients; that should set up a major flag. It would be an indication, if I was running a Microsoft server for example, that I've got the Code Red virus or something like that.
Please give an example.
If I am running in a firewall environment, and the firewall administrator doesn't want me to run AOL Instant Messenger (AIM), he doesn't permit the service to happen. If I turn on Secure Socket Layer (SSL), now all of a sudden I can run AIM and the firewall administrator can't do anything about it. So the idea is that this sort of working around will be incorporated into the tools that hackers make, and they will be able to completely evade IDS because they will be interpreted as normal traffic.
Can you explain the concept of deep packet inspection and how it relates to IDS?
The problem with most signature-based events is basically that they are looking at just the (packet) header to be able to determine the potential attack. The idea of deep packet inspection now is that you can actually look inside the data stream to determine whether or not an attack is really being perpetrated. This is a very relevant form of IDS that is just starting to be developed. Developers are getting smart enough now that they can write around firewalls so that they can keep their applications in use.
What is the second way?
Signature based. Signature-based detection works on a host or a network basis where a particular type of packet or data stream is looked for. When the scanner sees it, it generates an alarm. The issue with signature-based applications is that they're really only as good as the signatures are. So they leave a large area to be desired in terms of total effectiveness.
What factors should be considered when tuning an Intrusion Detection System to your network?
It is all based on success and cost. Success means that IDSes need to be tuned, and they need an enormous amount of tuning. That is probably the biggest problem with them. Secondly, they cost an excessive amount of money.
So what typically happens is a company will decide that they need to implement IDS. So they will go out and buy a product and they will put the product in, and the product will sit dormant, because nobody wants to take the time to actually fix it. Or they'll implement it without dealing with all the underlying issues, which is not running a secure environment to begin with, and they'll have just spent a lot of money.
What has the IDS market been doing?
There has been a lot of fluctuation. Enterasys has been severely impacted in the market overall, so they are making a desperate attempt to try and grow their product out. It has a very big following, so I tend to believe the product will survive and continue to grow. ISS has been very aggressively developing a globalized system, integrating technologies from other companies that they've acquired to build out their original product base. Cisco is radically redesigning its IDS package. The Cisco Security Policy Manager is growing out and they are beginning to integrate IDS functionality in both their switches and routers. There is a potential growth market here.
Describe a typical IDS architecture in terms of its components and their functions.
That's driven by cost, but the ideal architecture would be multi-faceted. It would start with a standard border filter where you're just filtering out all the noise, stuff that just happens randomly, people looking for holes in your network that shouldn't be there if you're running any type of security at all. The second component would typically be some sort of network probe for looking at network-based events. The third level might be some sort of host or signature-based system. Then depending on what you are looking at and what you are defending, an anomaly-based system is also a big value.
What are some emerging trends in IDS technology?
People are going to be looking for centralized collection, analysis and reporting. Also people will be looking at things like profiler trending. That is looking at how the network is behaving in the context of a multi-faceted system, and using that profiling to detect events that you wouldn't see with a signature-based system. With profiling you can detect anomalies ahead of time before they have significant impact on your network.
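As an added illustration (not part of the interview) of the profile-based anomaly detection and profiler trending described above, the following Python learns a per-host profile of normal connection behaviour from a constructed baseline, then flags out-of-profile events such as a Web server that suddenly starts making outbound HTTP connections, and raises an alarm only once those events trend. All hosts, ports and timestamps are constructed sample data.

```python
from collections import defaultdict

# Event tuples: (timestamp_seconds, host, direction, port); "in" means a
# service accepting connections on the port, "out" the host initiating one.
# Constructed baseline window: what "normal" looked like while profiling.
BASELINE_EVENTS = [
    (0, "web1", "in", 22), (1, "web1", "in", 443), (2, "web1", "out", 53),
    (3, "db1", "in", 3306), (4, "db1", "out", 53), (5, "web1", "in", 443),
]

# Constructed later window: web1 starts acting as an HTTP client (outbound
# port 80), the Code Red style behaviour the interview describes.
NEW_EVENTS = [
    (50, "db1", "out", 25),  # one stray event, not enough to trend
    (99, "web1", "in", 443), (100, "web1", "out", 80),
    (101, "web1", "out", 80), (102, "web1", "out", 80),
    (103, "web1", "out", 80), (104, "db1", "in", 3306),
]

def build_profile(events):
    """Learn, per host, the set of (direction, port) pairs seen as normal."""
    profile = defaultdict(set)
    for _, host, direction, port in events:
        profile[host].add((direction, port))
    return profile

def out_of_profile(profile, events):
    """Return events whose (direction, port) the host never showed before."""
    return [e for e in events if (e[2], e[3]) not in profile.get(e[1], set())]

def trend_alarms(anomalies, window, threshold):
    """Alarm for a host once `threshold` anomalies fall in a `window`-second span."""
    stamps_by_host = defaultdict(list)
    for ts, host, _, _ in anomalies:
        stamps_by_host[host].append(ts)
    alarms = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alarms[host] = ts  # first moment the trend crosses the bar
                break
    return alarms

def analyze(baseline, new_events, window=10, threshold=3):
    anomalies = out_of_profile(build_profile(baseline), new_events)
    return anomalies, trend_alarms(anomalies, window, threshold)
```

Note that the single stray db1 event is reported as out of profile but never becomes an alarm, which is the tuning trade-off the interview mentions: the window and threshold decide how much noise reaches the console.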