You are a senior manager responsible for overseeing the company's network administration and security. Your platforms include servers, firewalls, routers, and related equipment. Your employees are above average in their technical skills and do their best to develop and maintain a secure operating environment. Yet you find yourself dealing with the skills of an aggressive and persistent attacker. Many senior managers put their trust in firewalls and rely on their administrators to lock down network services and workstations. Other managers have enough wisdom and knowledge to marry effective policies and procedures with technology-based security solutions.
For most businesses, a combination of network administrator skills, policy and procedure, and technology solutions is the approach that best addresses system vulnerabilities.
The IDS dream is a set of distributed systems that identify attacks and sound alarms in real time, while the systems are being attacked. Regrettably, it is easier to dream the dream than to implement the system. Current IDS products are extremely valuable security tools, but generally they do not deliver as much as advertised.
Network and Host IDSs
The host-based vs. network-based intrusion-detection strategy debate has been raging for some time. Currently, the consensus is moving toward a unified approach combining the two technologies.
Network-based products are built on the concept of a real-time wiretap. A sensor examines every packet traveling across the monitored network. The sensors apply a set of rules or attack "signatures" to the captured packets, attempting to identify hostile traffic. Basically, network IDS sensors are network sniffers with built-in, rule-based comparison engines. If a malicious packet is detected, the network IDS sounds the alarm.
But the network IDS approach has its problems. It does not scale very well in that it has difficulty keeping up at network speeds of 100 Mbps. With gigabit network speeds arriving in business networks, these network IDS systems do not keep up with the traffic. Additionally, network IDS systems are based on attack signatures that will always be a step behind the latest vulnerability exploits. IDS product vendors have not caught up with all the known attacks, and there are new attacks announced every few days.
Nevertheless, network IDS enjoys some advantages. The greatest feature is stealth. Network IDS can be deployed in an unobtrusive manner, with little or no effect on existing systems. Once deployed, network IDS sensors will listen for attacks, regardless of the destination.
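The sniffer-plus-signature model described above, reduced to its core, as an added example that is not part of the original post or of any IDS product: every captured packet is run through a small rule set, and each rule that matches produces an alert. The packets, rule names and patterns are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration of the sensor-plus-signature model: every packet seen
# on the wire is checked against a small rule set. Signature names, rule
# patterns and the packets are constructed for this example and are not
# taken from any real IDS product.

@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes

@dataclass(frozen=True)
class Signature:
    name: str
    dport: Optional[int]           # None means "any port"
    content: Optional[re.Pattern]  # None means "no payload test"

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and not self.content.search(pkt.payload):
            return False
        return True

def build_signatures() -> list[Signature]:
    """Three constructed rules: a content rule, a protocol-command rule, a port-only rule."""
    return [
        Signature("web-path-traversal", 80, re.compile(rb"\.\./")),
        Signature("smtp-vrfy-probe", 25, re.compile(rb"^VRFY ", re.I | re.M)),
        Signature("cleartext-telnet", 23, None),
    ]

def inspect(packets: list[Packet], signatures: list[Signature]) -> list[tuple[str, str, int]]:
    """Apply every signature to every packet; return (rule, source, dport) per hit."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append((sig.name, pkt.src, pkt.dport))
    return alerts

# Constructed traffic sample: one hit per rule plus one benign request.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.7", "10.0.0.21", 25, b"HELO probe\r\nVRFY root\r\n"),
    Packet("10.0.0.8", "10.0.0.22", 23, b"login: "),
]

def run_demo() -> list[tuple[str, str, int]]:
    return inspect(SAMPLE_PACKETS, build_signatures())

if __name__ == "__main__":
    for rule, src, port in run_demo():
        print(f"ALERT {rule}: from {src} to port {port}")
```

The benign index.html request passes without an alert, but so would any hostile payload that no rule describes, which is the signature lag the post warns about; and because every packet is tested against every rule, the cost grows with both traffic volume and rule count, which is the scaling limit it describes.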
Host-Based IDS
Host-based IDSs work primarily from the system audit and event logs. Instead of identifying attack-profile packets, they aim to identify known patterns of local and remote users doing things they should not be doing. One type of host IDS product computes a one-way hash of critical files located on a host, such as the user account, configuration, and audit files. If any of these files change, e.g., an intruder creates a root-level account, the host IDS notifies the system administrator. The host IDS cannot say what changed, but it can tell the administrator that something important has. Host IDSs have portability problems: they run only on specific operating system platforms, so your operating system may not be on the list.
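The file-hashing host IDS just described, as an added example that is not part of the original post or of any product: a baseline of one-way hashes is taken over a set of critical files, a later snapshot is compared against it, and the report names which files were modified, removed or added without saying what changed in them. The mock system tree, its file contents and the simulated tampering are constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration of the file-hashing host IDS: a baseline of one-way
# hashes for critical files is taken, a later snapshot is compared to it,
# and only the fact of a change (not its content) is reported.
# The directory tree and file contents below are constructed for this example.

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path, watched: list[str]) -> dict[str, str]:
    """Hash each watched file under root; files that do not exist are left out."""
    digests = {}
    for rel in watched:
        p = root / rel
        if p.is_file():
            digests[rel] = file_digest(p)
    return digests

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots by file name only."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

# Critical files a host IDS would typically watch (paths relative to root).
WATCHED = ["etc/passwd", "etc/sudoers", "etc/ssh/sshd_config", "etc/cron.d/backup"]

def run_demo() -> dict[str, list[str]]:
    """Build a mock system tree, take a baseline, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        initial = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n",
            "etc/sudoers": "root ALL=(ALL) ALL\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
        }
        for rel, body in initial.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = snapshot(root, WATCHED)

        # Simulated intrusion (constructed): a uid-0 account is appended,
        # sudoers is removed, a new cron file appears; sshd_config is untouched.
        with (root / "etc/passwd").open("a") as f:
            f.write("svc:x:0:0::/root:/bin/sh\n")
        (root / "etc/sudoers").unlink()
        cron = root / "etc/cron.d/backup"
        cron.parent.mkdir(parents=True, exist_ok=True)
        cron.write_text("0 2 * * * root /usr/local/bin/backup\n")

        return compare(baseline, snapshot(root, WATCHED))

if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

The report says only that etc/passwd changed, etc/sudoers disappeared and etc/cron.d/backup appeared; deciding whether those changes are legitimate is left to the administrator, exactly as the post describes. In practice the baseline itself must be stored somewhere the host cannot silently rewrite, or an intruder can re-baseline after tampering.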
IDSs in general are incredibly useful, but turning them loose on your systems and handing them control is not feasible. IDS technology is not very mature, but it is getting better. IDS technology deserves serious consideration for deployment, but it should be used alongside other critical asset protection measures, not in place of any of them.