IDS: The integrated partner for your firewall

Mitch Bryant

Published: 23 Apr 2003 08:33 BST


Firewalls alone are not enough to ward off today's more highly developed range of attacks. In fact, no single security method can truly detect or stop all attacks -- that is why many companies deploy multiple firewalls as additional security measures. Along those same lines, an Intrusion Detection System (IDS) is a powerful tool that IT managers should consider in order to protect their information resources. In fact, IDS should be considered a part of your overall security strategy because it can provide proactive response protection (detect the attack and stop the attack). Let's take a look at IDS and see where it fits into your network security plans.

Coming from all sides
From Web vulnerabilities, which allow hackers to simply deface your Web site, to the theft of your most important asset, namely, your corporate data, attacks and intrusions are no longer limited to the outside world trying to get in -- they are coming from all sides. Because your firewall is deployed just inside your network, it is not concerned with the traffic that originates from within your company.

I recently read about a project where a manufacturing company introduced older PCs, which were not fully patched or protected with current antivirus software, from another location into their main network. A Trojan horse program (Osprev) was immediately able to come alive and exploit the network system from within. It managed to find its way through the network connection and began DoS attacks on 20-plus other IP addresses.

Why IDS?
There is no question that security vulnerabilities are increasing. Vulnerabilities reported by the CERT Coordination Center show that only 417 were reported in 1999. In the first three quarters of 2002, that figure was up to 3,222, a staggering increase of over 132 percent in vulnerabilities reported just within the past three years. This means that, more than ever, you need to be securing your system to the best of your abilities so that these vulnerabilities don't wreak havoc on your network.

But, as a recent poll shows, not everyone is doing as much as they can to secure their network. In fact, 38 percent of the respondents indicated they had not considered IDS, while 9 percent indicated that they had considered IDS but had decided against it.

Through software bugs, exploiting protocol weaknesses, and cracking passwords, the dedicated hacker can track down and exploit any open door you have in your line of defense. Deploying an IDS could do a lot to close those doors.

Your IDS solution protects your network assets by the following methods:

  • Accurately detecting attacks
  • Stopping the attack
  • Simplifying security management
  • Providing the proper documentation
  • Offering the flexibility needed to conform to your security policy
  • Double-checking incorrectly configured firewalls
  • Verifying that current security policies are in effect
  • Catching attacks that your firewall(s) legitimately allow through
  • Catching attempts that fail
  • Catching insider hacking
  • Detecting abnormal attacks from a terminal left unattended
  • Finding holes that intruders can exploit
  • Providing for documentation before, during, and after an attack

Where does IDS fit in?
Intrusion Detection Systems can be deployed at the point of insertion, behind the firewall, on various segments and servers, or in an array of locations as a comprehensive perimeter security guard. By monitoring traffic to safeguard your system from external and internal attacks on the network wire, the IDS system watches for and stops hackers attempting to break into your system. Detection methods include using attack signatures, checking for unusual protocol anomalies, and catching rogue processes.

Types of detection systems
Hackers exploit new vulnerabilities daily. By evolving new methods to gain access to your inner network, they launch new and sophisticated attacks that don't follow a set pattern. While signature-based detection is a solid system, protocol-anomaly detection can be used to identify the various attacks that do not follow normal patterns. Here are the types of detection systems you should consider for your IDS security solution:

  • Stateful signature detection
  • Protocol anomaly detection
  • Backdoor detection
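
To make the contrast between the first two detection types concrete, here is an added example (not from the original article or any IDS product) that runs a signature detector and a protocol-anomaly detector over the same constructed web traffic. It assumes "stateful" means matching signatures against the per-flow stream collected so far; the signature set, the MAX_URI limit, the inspect() function and the sample flows are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed signature set: byte patterns taken from previously seen attacks.
SIGNATURES = {"dir-traversal": re.compile(rb"\.\./\.\./")}
# The "normal" protocol: a well-formed HTTP/1.x request line.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
MAX_URI = 2048  # assumed site policy limit, not a protocol constant

def inspect(segments):
    """segments: (flow_id, payload) pairs in arrival order.
    Returns sorted (flow_id, detector, reason) alerts."""
    streams = defaultdict(bytes)
    alerts = set()
    for flow, data in segments:
        streams[flow] += data  # per-flow state kept across segments
        for name, pattern in SIGNATURES.items():
            if pattern.search(streams[flow]):
                alerts.add((flow, "signature", name))
    # Anomaly pass runs on each flow's collected stream (assumed complete here).
    for flow, stream in streams.items():
        match = REQUEST_LINE.match(stream.split(b"\r\n", 1)[0])
        if match is None:
            alerts.add((flow, "anomaly", "malformed-request-line"))
        elif len(match.group(2)) > MAX_URI:
            alerts.add((flow, "anomaly", "oversized-uri"))
    return sorted(alerts)

# Constructed traffic, all to TCP/80, which a firewall allowing web access passes.
SAMPLE = [
    ("10.0.0.5:1025", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9:1300", b"GET /view?file=../"),             # one request that
    ("10.0.0.9:1300", b"../etc/passwd HTTP/1.0\r\n\r\n"),  # spans two segments
    ("10.0.0.7:2200", b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"),
    ("10.0.0.8:4100", b"\x00\x01NOT-HTTP\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

The oversized request and the non-HTTP payload match no signature and are reported only by the anomaly check, while the traversal request is well-formed HTTP and is reported only by the signature check.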

It is your responsibility
As the technology evolves faster than patches can be distributed, there is a new worry that companies are potentially liable for damages caused by a hacker using their systems. You must be able to prove to a court that you took "reasonable" measures to defend yourself from hackers. More important, your data is now the most critical commodity you have to protect. The combination of the data available on the network systems and the compounded difficulties involved in protecting that data make internal user and Internet systems large, vulnerable targets.

It is a common occurrence to see the media referring to intruder activities that result in financial loss, data corruption, and loss of public confidence. You have to ask yourself two questions: How much does downtime cost you, and how much will the loss of your data set you back? Ultimately, due diligence requires IT managers to bring to bear all the technology they can (such as IDS) to protect the corporate data they are entrusted with.
