Visibility Guide

The Security Choices

In response to the above threats, security vendors have introduced a host of new products and capabilities that provide information protection for the modern open systems environment. These products can be divided into two distinct categories: passive or static technology, and active or real-time systems.


A) Static Security Technology

Many of the most popular security devices on the market are categorized as passive or static security. These include perimeter protection devices, such as firewalls and system wrappers, that enforce a fixed policy and record what passes through them; acting on that record is left to an administrator who has to notice the problem and decide to intervene.

While firewall and system logs provide information that can prove valuable to response or recovery, that use takes place after the fact. The information is gathered, but there is no knowledge base for recognizing an attack in it and no mechanism for raising an alarm or triggering a response. Sometimes even the logs themselves are useless: too much time has passed and the backups have been overwritten, or the system has been rebooted and the logs were never saved.

Firewalls. Firewalls are packet filters and proxy servers that function as perimeter guards around a network. Usually deployed in front of Internet access links, WAN links and dial-in servers, firewalls regulate and monitor the protocols and services that can flow in and out of a network. Although effective at enforcing that policy, they have no real means of recognizing suspicious activity within the traffic they permit, and their performance and cost drawbacks make them impractical to deploy between segments of the internal network.

Host-based Security. This consists of software loaded on a host to make that device less vulnerable to attack. System wrappers behave like firewalls for servers: they wrap around the host operating system and network stack, restricting access to defined users and processes. Wrappers can also keep secure logs of all network and user activity on that server.

Encryption and Authentication. Encryption scrambles information so that a sender can pass a message over an open channel, past observers, to a trusted receiver, and encryption algorithms form the basis of most computer authentication schemes. The technology is usually deployed to defeat unauthorized users who try to eavesdrop on physical or vital network links. But many schemes encrypt only as far as the perimeter: traffic is decrypted on entering the internal network and travels there in the clear, so the inside network is not protected.

Limited Protection. A key drawback of perimeter devices such as firewalls and link encryption is that they address only external threats. An insider, or any outsider who successfully vaults the perimeter, goes undetected. The same applies to authentication: once a user has authenticated, even against the latest authentication system, that user usually has uncontested access to most of the internal network.

Additionally, firewalls tend to be vulnerable to gradual compromise. While packet filters and proxy servers can restrict access to specified IP addresses and services, inevitably some users will demand access. The administrator ends up opening "holes" in the firewall and trying to remember to close them later, creating a "Swiss cheese" effect that leaves the network less protected.

Maintenance and Performance Costs. Another drawback to passive security technology is the effort required to implement and use it. Passive devices don't perform active functions like tracking intruders — this must be handled by an administrator at a considerable investment of time and effort.

Firewalls are a good example of this. While firewalls are widely used to secure the corporate electronic perimeter, they are cumbersome, with high maintenance costs and loss of network performance. Money and time are spent whenever a system administrator loads security agent software on a host, analyzes firewall logs for attacks, takes a router off line to reconfigure filters, or establishes a proxy to protect a new service on the network. And, in the event of an attack, there are the costs of dedicating personnel to perform the lengthy process of investigation, recovery and future prevention.

Additionally, a number of security products, just by running on the network, significantly degrade overall network performance, having an adverse effect on normal business operations.


B) Active Security Technology

Active technology is defined by the capability to actively seek out network vulnerabilities or security breaches, often with the added capability of issuing an automatic response prior to human intervention.

Seek-out technologies include: vulnerability audit/scanning tools which test networks, systems, and applications for vulnerabilities; monitoring services, which alert network managers to router problems, network intrusions or suspicious activity; and virus detectors.

In an additional category is active intrusion detection. Combining seek-out capacity with automatic response capabilities, intrusion detectors employ algorithms to identify certain types of attack activity and issue alarms and responses when patterns are identified.

Let's take a closer look at these active security technologies.

Vulnerability Audit Tools. Also called scanning tools, vulnerability auditors are test software which run over the network and check for areas of weakness. While active in the testing sense, they still require the user to take action to patch, fix or eliminate vulnerabilities, and are valid only for that "snapshot" in time.

Monitoring Services. Similar to fault and performance monitoring tools, security monitoring tools continually check the network for router problems, network intrusions or suspect activity. While proactive in the monitoring sense, these tools also still require follow-up action on the part of a user.

Virus Detection. Virus detection software can reduce the risk of stray infections. But even secured networks can be vulnerable since viruses can travel in the code given out by software vendors, software downloaded from home, and e-mail. Some virus detection software can detect and eliminate viruses from programs with little or no user input. While an effective method of protection, loading virus detection software on every desktop and server system is time-consuming and costly.


Intrusion Detection

One of the most powerful types of active security technology, intrusion detection systems combine network monitoring with real-time capture and analysis of packet header and content data. They then utilize sophisticated algorithms to recognize types of attack signatures, and upon discovery, send alarms and even take responsive action.

Some intrusion detection systems are host-based, in which system software focuses on user-level and authentication activities, file access, system actions and shoring up known OS weaknesses. The drawbacks are a) the software must be loaded onto every host (expensive) and b) its host-focused view lacks system-wide visibility (for instance, it would fail to see a network reconnaissance sweep as a threat, since it would see only reconnaissance on itself).

The other type of intrusion detection system is network-based. A network-based system typically consists of intelligent distributed probes (or sensors) working in concert with information repositories and front-end management software. The sensors do most of the expert analysis of the data stream and send only alarm data to a central manager — reducing the added traffic burden on the network and minimizing interference with normal operations. Additionally, network-based systems that are architected for promiscuous attachment can fit into existing networks without bottlenecks or information rerouting.


Figure 3: Strategically placed intrusion detection sensors protect essential elements at the perimeter and inside the network.


The Key Components

Given the limitations of passive technology and host-based intrusion detection, the ideal intrusion detection system is a network-based system that addresses the key needs for real-time detection, alarming and response. Other features — addressing the needs of reliability, security, transparency and recovery — are discussed here.

Real-time Component. Since the most powerful weapon in the hands of an intruder is time, a real-time component to all security systems is essential.

Real-time detection means an intrusion is identified within seconds of network misuse or compromise, before damage can occur. Real-time automatic response means that the attack is met with an instant reaction — the triggering of an automatic logging function, alarms to the right parties via e-mail, pager or SNMP traps, or automatic programmed response.

Event Blocking. Event blocking is an added function that augments logging and alarming by automatically disconnecting (or blocking) a connection in response to certain highly destructive attacks such as SYN flooding or TCP hijacking. Because an attacker can spoof source addresses, an automatic block needs to be scoped carefully so that it cannot be provoked into cutting off legitimate traffic.

Smart Alarms. Unreliable alarms and false positives will prompt system operators to ignore not only false alarms, but all alarms. It's critical to minimize false positives and allow administrators to tune their devices according to their own network.

For this reason, intrusion detection technology has gravitated toward misuse- or signature-based detection: built-in analytical intelligence recognizes hundreds of attack, misuse and intrusion signatures. Some attacks, for instance, are a collection of lesser events, each of which would pass unnoticed on its own but which collectively signify an intrusion. A smart system knows the difference, which makes the network more secure and reduces the likelihood of false alarms.
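The following Python is added here as an illustration and is not Network General code. It shows the correlation described in the last three paragraphs together with the visibility point made above about host-based detection: a hypothetical sensor rule (SweepDetector) treats a single SYN as a normal connection attempt but alarms when one source probes several distinct hosts within a short window; a threshold and a suppression list are the tuning that keeps false positives down (here the in-house vulnerability scanner is suppressed); and the same constructed traffic, filtered to what a single host's agent would see, never crosses the threshold. The addresses, timings and threshold values are constructed for the example.

```python
"""Correlating individually harmless events into one alarm (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str     # "S" marks a bare SYN, i.e. a connection attempt


@dataclass(frozen=True)
class Alarm:
    signature: str
    src: str
    first_seen: float
    last_seen: float
    targets: Tuple[str, ...]


@dataclass
class SweepDetector:
    """Hypothetical sensor rule: one source sending SYNs to many distinct hosts
    inside a short window is a reconnaissance sweep. Each SYN alone is an
    ordinary connection attempt; only the aggregate matches the signature."""
    window: float = 10.0                     # seconds of history kept per source
    host_threshold: int = 5                  # distinct hosts probed before alarming (tuning knob)
    suppress: FrozenSet[str] = frozenset()   # sources never alarmed on, e.g. the in-house scanner
    _history: Dict[str, Deque[Tuple[float, str]]] = field(
        default_factory=lambda: defaultdict(deque))
    _alarmed: Set[str] = field(default_factory=set)

    def observe(self, pkt: Packet) -> Optional[Alarm]:
        """Feed one packet; return an Alarm the first time a source crosses the threshold."""
        if pkt.flags != "S" or pkt.src in self.suppress:
            return None
        hist = self._history[pkt.src]
        hist.append((pkt.ts, pkt.dst))
        while hist and hist[0][0] < pkt.ts - self.window:   # expire events outside the window
            hist.popleft()
        hosts = {dst for _, dst in hist}
        if len(hosts) >= self.host_threshold and pkt.src not in self._alarmed:
            self._alarmed.add(pkt.src)
            return Alarm("TCP SYN sweep", pkt.src, hist[0][0], pkt.ts, tuple(sorted(hosts)))
        return None


def run_sensor(packets: List[Packet], detector: Optional[SweepDetector] = None) -> List[Alarm]:
    """Network-based view: the sensor sees every packet on the segment and
    forwards only alarms, not traffic, to the manager."""
    det = detector if detector is not None else SweepDetector(suppress=frozenset({"10.0.0.2"}))
    alarms = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alarm = det.observe(pkt)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


def host_view(packets: List[Packet], host: str) -> List[Packet]:
    """Host-based view: an agent on `host` sees only traffic addressed to itself."""
    return [p for p in packets if p.dst == host]


def constructed_traffic() -> List[Packet]:
    """Constructed sample, not a real capture: a normal user, an attacker
    sweeping telnet across eight hosts, and the in-house scanner doing the same."""
    pkts = [Packet(0.0, "10.0.0.5", "10.0.1.10", 80, "S"),
            Packet(4.0, "10.0.0.5", "10.0.1.11", 25, "S"),
            Packet(9.0, "10.0.0.5", "10.0.1.12", 443, "S")]
    pkts += [Packet(1.0 + 0.3 * i, "10.0.0.99", f"10.0.1.{i + 1}", 23, "S") for i in range(8)]
    pkts += [Packet(2.0 + 0.3 * i, "10.0.0.2", f"10.0.1.{i + 1}", 23, "S") for i in range(8)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for a in run_sensor(traffic):
        print(f"ALARM {a.signature} from {a.src} at t={a.last_seen:.1f}s, hosts={a.targets}")
    agent_alarms = run_sensor(host_view(traffic, "10.0.1.3"))
    print("host-based agent on 10.0.1.3 raised", len(agent_alarms), "alarms")
```

Running the script raises one alarm, for 10.0.0.99, the moment its fifth distinct target is probed; the scanner at 10.0.0.2 is silenced by the suppression list, and the agent's single-host view raises nothing because each source appears there only once. Dropping the suppression list or lowering host_threshold is exactly the kind of tuning the text describes, and it trades sensitivity against false alarms.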

Logs and Trace Files. Log files are essential for tracing an intrusion. They keep a record of key attack information for pinpointing the originating address and following the intruder's course. This log helps with post-attack response too, assisting with recovery and case-building.

Evidence trace files are the detailed packet records from an attacking address that can be automatically captured once an intrusion is detected. These evidence trace files follow the intruder's "footprints" and can be used to determine attacker intent, destination, and techniques. If captured correctly, the trace files can also be off-loaded to be read by a Sniffer® Network Analyzer, or used as evidence for law enforcement.
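As an added illustration of the evidence trace files just described (example code, not the product's own), the recorder below keeps nothing until an alarm names a source, then records every frame that source sends afterwards and writes them in the tcpdump/libpcap file format. That format is used here as a stand-in for the analyzer's own, since the page does not document the Sniffer's file format. The sample frames, addresses and timestamps are constructed; the IPv4 header is built with a valid checksum so the resulting file parses cleanly in a packet analyzer.

```python
"""Evidence trace capture to a libpcap-format file (added example)."""
import socket
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # libpcap file magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame used as constructed sample traffic."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def frame_src_ip(frame: bytes) -> str:
    """Source address of an Ethernet/IPv4 frame: 14-byte Ethernet header, offset 12 into IPv4."""
    return socket.inet_ntoa(frame[26:30])


class EvidenceRecorder:
    """Sensor-side evidence capture. Nothing is kept until an alarm names a source;
    from then on every frame that source sends is recorded, so the trace holds the
    intruder's footprints rather than the whole segment's traffic."""

    def __init__(self, snaplen: int = 65535):
        self.snaplen = snaplen
        self.traced: Dict[str, List[Tuple[float, bytes]]] = {}

    def on_alarm(self, src_ip: str) -> None:
        self.traced.setdefault(src_ip, [])

    def observe(self, ts: float, frame: bytes) -> bool:
        """Feed one frame; return True if it was kept as evidence."""
        src = frame_src_ip(frame)
        if src not in self.traced:
            return False
        self.traced[src].append((ts, frame))
        return True

    def to_pcap(self, src_ip: str) -> bytes:
        """Serialize one source's trace as a complete pcap file."""
        out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, self.snaplen, LINKTYPE_ETHERNET)]
        for ts, frame in self.traced.get(src_ip, []):
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            kept = frame[:self.snaplen]
            out.append(struct.pack("<IIII", sec, usec, len(kept), len(frame)) + kept)
        return b"".join(out)


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Parse a pcap byte string back into (timestamp, frame) records."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return records


SYN, PSH_ACK = 0x02, 0x18


def constructed_stream() -> List[Tuple[float, bytes]]:
    """Constructed sample: attacker 10.0.0.99 and a normal user 10.0.0.5."""
    return [
        (1000.0, build_frame("10.0.0.99", "10.0.1.1", 40000, 23, SYN)),   # before the alarm: not kept
        (1000.5, build_frame("10.0.0.5", "10.0.1.10", 40001, 80, SYN)),
        (1001.0, build_frame("10.0.0.99", "10.0.1.2", 40002, 23, SYN)),
        (1001.2, build_frame("10.0.0.99", "10.0.1.2", 40002, 23, PSH_ACK, b"root\r\n")),
        (1001.5, build_frame("10.0.0.5", "10.0.1.10", 40001, 80, PSH_ACK, b"GET / HTTP/1.0\r\n")),
    ]


def run(alarm_src: str, alarm_ts: float, stream) -> EvidenceRecorder:
    """Replay the stream; the detector is assumed to have fired on alarm_src at alarm_ts."""
    rec = EvidenceRecorder()
    for ts, frame in sorted(stream, key=lambda r: r[0]):
        if ts >= alarm_ts:
            rec.on_alarm(alarm_src)
        rec.observe(ts, frame)
    return rec


if __name__ == "__main__":
    recorder = run("10.0.0.99", 1001.0, constructed_stream())
    with open("evidence-10.0.0.99.pcap", "wb") as fh:
        fh.write(recorder.to_pcap("10.0.0.99"))
    print(len(recorder.traced["10.0.0.99"]), "frames written; open with tcpdump -r or Wireshark")
```

Only the two attacker frames sent after the alarm end up in the file; the earlier probe and the legitimate user's traffic are not retained. Writing the trace per source, with the original frame length preserved alongside the captured length, is what lets the file be handed to an analyzer or to law enforcement as a self-contained record of that one address's activity.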

Secure and Transparent Transmission. A detection system that uses current security technology to authenticate, encrypt and manage the communication between its sensors and its manager protects that channel against spoofed commands, tampering and snooping, and denies an attacker an easy way to disable or blind the detection system itself. Additionally, transparent intrusion detection means that neither an intruder nor an authorized user can tell that they are being tracked.




©1997 Network General Corporation