• No results found

Assessment

Intrusion detection (ID) systems collect information from multiple points and devices in a

system, analyze the information, and either automatically take action based on the analysis or relay the analysis to a third party. Exhibit 131 depicts the conceptual structure of an ID system. Data collected from network, host, application, and operating system sensors is passed to network and application analyzers. The analyzers present the results to a manage- ment console, which may relay the data/results to other parties.

Firewall Firewall SWITCH SWITCH HOST SENSOR HOST SENSOR OS/Host Sensor OS/Host Sensor Application Sensor Application Sensor Web Server

Web Server Analyzer

(host/application) Analyzer (host/application) Network Sensor Network

Sensor NetworkSensor Network

Sensor NetworkSensor

Network Sensor Analyzer (Network) Analyzer (Network) MANAGEMENT CONSOLE ANALYSIS RESULTS To other sites To public networks SENSOR DATA

Exhibit 131 Sample Deployment of an Intrusion Detection System

Source: RBC Capital Markets

Intrusion detection technologies can be broadly classified into two sets—signature-based detection and anomaly-based detection. In signature-based detection, one is essentially searching for a recognizable or known pattern/signature of attack. Signatures may vary from specific patterns of information packets flowing through a particular network junction or device to patterns assimilated from multiple sensors distributed across a network. One may use various techniques to design signatures, including manual analysis/decomposition of attack and automatic pattern generation. Signature-based detection, which is limited to known patterns, is inherently unable to detect new attacks. It also suffers from the false

In anomaly-based detection, one is essentially searching for “abnormal” patterns or states, which are then taken as indications of intrusion. This method is much more complex and thorough than signature-based analysis and frequently involves algorithms from statistics, neural networks, artificial intelligence, and the human immune system. While they are able to recognize previously unknown attacks, anomaly-based systems need careful tuning to avoid false positives.

Depending on the location of their deployment and investigative approach, intrusion detection systems may be classified as network-based systems, host-based systems, application-based systems, target-based systems, and integrated systems. Network-based systems look at packets flowing to and from segments of a network. Because of their location of deployment, they can monitor multiple devices and hosts. While they are easy to deploy and generally do not affect the network performance, they can suffer from performance issues related to the speed and scale of the network segments being monitored. The faster a network, the more data needs processing; the larger a network segment, the larger the variety of data generated by various devices.

Host-based systems monitor the activity of a specific host. Inspected activity may include

data logs, application interaction with the operating systems of the host, and information related to other host systems. These systems can monitor application-specific activity (that can not be monitored by the network-based systems), and low-level host-based activity that does not create an observable action at the network level. Because these systems reside on the host, they are a burden on the resources of the host and can substantially affect the performance of other applications running on that host.

Application-based systems focus on monitoring the application level. Examples of monitored

information include logs generated by database management software, Web servers, firewalls, and routers.

Target-based systems utilize integrity analysis, which focuses on analyzing the outcome of

attack rather than analyzing the details of the attack. This approach looks for changes in system files and configuration objects to spot deviations from a “good state” and marks the unauthorized deviations as intrusions. Such a system does not depend on historic data of traffic patterns and thus does not have to be tuned. Because these systems monitor for changes in files, they directly identify affected files, making for an easy recovery by not forcing a complete reinstall of the system software. Finally, such systems require little processing power and communication bandwidth. This approach has two main disadvantages. First, depending on the number of files and objects monitored, and the size of the network, the “good” databases could grow large and complex. Second, because this approach monitors the outcome of the attack and not the attack as it progresses, it has limited suitability for preventing the attack.

Hybrid systems combine aspects from several of the aforementioned approaches. While

such systems can generate much richer data from host, network, and application sensors, which can be co-related for patterns of attack over time, these systems are more difficult to deploy. Furthermore, lack of industry standards for intrusion detection makes it more challenging to integrate and manage components from different vendors.

Vulnerability assessment (VA) solutions (sometimes called scanners) are complementary

to ID systems. VA products conduct proactive checks of the system under test to locate security vulnerabilities. The outcome is a detailed report listing the number, nature, and severity of detected security exposures. Similar to ID systems, VA products are application- based, host-based, system-based, or target-based. Exhibit 132 gives an overview of these methods.

Exhibit 132 Overview of Various Intrusion Detection Methods

Source: RBC Capital Markets

Name Approach Pros Cons

‹ Active and invasive. ‹ Platform independent. ‹ Misses platform specific

‹ Simulates variety of attack scenarios. ‹ Easy to deploy. vulnerabilities.

‹ Often used for penetration testing of network elements (e.g., firewall).

‹ May affect network

operation/performance.

‹ Passive and non-invasive. ‹ ‹ Host specific.

‹ Check system settings and configurations ‹ Platform specific.

(e.g., file permissions, ownership information, OS bug patches).

‹ More complex to deploy

than Network-based solutions.

‹ Passive and non-invasive. ‹ ‹

‹ Check application settings and

configurations for known errors.

‹ Passive and non-invasive. ‹ ‹ More complex.

‹ Checks for integrity of system, data files, and objects.

‹ Operate at file and object level.

‹ Typically, use hash algorithms to watch for

file changes (even if the checksum has not changed).

Application specific.

Target-based Highly accurate.

Network-based

Host-based Straight forward and

accurate.

Application-based Straight forward and

u

Virtual Private

Networks

A virtual private network (VPN) is a private network that uses public infrastructure such as

the Internet for private and secure data transfer. Unlike private networks of owned or leased lines that provide privacy and security by virtue of their closed design, VPNs tunnel through public networks while providing security and privacy (Exhibit 133). The concept of tunnel- ing is explained later in this section.

Intermediate Network

Logical