[Moderator: I found a few articles on IDS recently and will post the relevant ones. However, I highly recommend that you read SNI's technical paper released on February 9, 1997 about IDS shortcomings. The paper can be found at http://www.securenetworks.com/papers/ids-html/ ]

http://www.techweb.com/wire/story/TWB19980427S0001

[Hacker Stoppers?]

Companies bought $65 million worth of network-intrusion tools last year, but capabilities still lag behind what's promised.

(04/27/98; 10:02 a.m. ET)
By Deborah Kerr, InformationWeek

Neal Clift no longer sleeps on the floor of his office. Ten years ago, he slept under his Digital VAX at Leeds University in England, listening for the telltale clicks and hums that signal an intruder on his network. For weeks, a hacker had been shamelessly crashing his machine, deleting files, and reconfiguring controls. Clift tracked the hacker's movements, recorded the keystrokes, and eventually closed up the hacker's entry points. At the time, pulling late-nighters was the only way to catch a hacker, since poring over system logs could only establish the hacker's patterns after the fact.

Now, intrusion-detection technology lets network security managers and administrators catch trespassers without spending the night on the office floor. Intrusion-detection tools are a $65 million industry that will grow as large as the firewall market, which reached about $255 million in 1997, according to the Hurwitz Group, in Framingham, Mass.

Touted as network burglar alarms, intrusion-detection systems are programmed to watch for predefined attack "signatures," or predefined bytecode trails of prespecified hacks. Intrusion-detection systems also send out real-time alerts of suspicious goings-on inside the network.

But don't bet the server farm on intrusion-detection systems yet. They're still new, and their capabilities are limited. No matter what you buy, some portion of the enterprise will be unprotected.
Intrusion-detection systems also can break down under certain types of attacks, in some cases even turning on their own networks under the guidance of a truly knowledgeable hacker. "There's no one tool to solve all the security problems throughout your network," says Jim Patterson, vice president of security and telecommunications at Oppenheimer Funds, in Denver. Oppenheimer, which manages $90 billion in assets, recently spent about $50,000 to install Intruder Alert from Axent Technologies on 20 of its key servers. Even so, Patterson says he still worries about the rest of his network, which is protected by a specially designed firewall.

Providing complete coverage is a key problem for intrusion-detection systems. They can provide either host- or network-based monitoring. Network-based intrusion-detection systems put remote monitoring-like sensors on the wire that watch for attack signatures in packets coming into the network. But this approach leaves the system vulnerable to internal attack. Host-based systems use intelligent agents on key servers to sift through system logs for known signatures. But this means an attacker has already entered the network and gotten to the servers where the agents are deployed.

Not surprisingly, Internet connections are becoming the primary point of network attack. The Net was the source of 54 percent of attacks on networks reported by 520 IS security managers, according to the March 1998 Computer Security Institute/Federal Bureau of Investigation Computer Crimes Survey.

For this reason, many IS departments choose network-based intrusion-detection systems. Typically set up at a switch or router between the Web server and the firewall (commonly referred to as the demilitarized zone), these systems listen to network traffic and send alerts when they read packets containing known attack signatures. Sometimes they take automatic action such as terminating TCP connections.
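The coverage gap between a network-based sensor and a host-based agent that the article describes can be shown with a small signature matcher. This is an added example, not code from the article or from any product it names. The signatures, packets and log lines are constructed sample data, and the `segment` label on each packet is an assumption standing in for which wire a sensor is attached to.

```python
"""
Toy signature-based intrusion detection: a network sensor that matches byte
patterns in packets on one segment, and a host agent that matches strings in
a server's system log.  All signatures and sample data are constructed for
this example; they are not real product signatures.
"""
from dataclasses import dataclass

# Network "attack signatures": fixed byte patterns looked for in packet
# payloads.  Made up for the example.
NETWORK_SIGNATURES = {
    "EXAMPLE-CGI-PROBE": b"GET /cgi-bin/example-probe",
    "EXAMPLE-OVERFLOW": b"EXAMPLE_OVERFLOW_PATTERN",
}

# Host signatures: substrings an agent looks for in system log lines.
HOST_SIGNATURES = {
    "ROOT-LOGIN-FAILED": "FAILED LOGIN",
    "SETUID-SHELL": "setuid shell",
}


@dataclass(frozen=True)
class Packet:
    segment: str    # assumed label: which wire the packet travelled on
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Alert:
    source: str     # "network-sensor" or "host-agent"
    signature: str
    detail: str


def network_sensor(packets, monitored_segment="dmz"):
    """Match byte signatures in packets, but only on the one segment the
    sensor is attached to.  Traffic on other segments (e.g. internal
    host-to-host) never reaches it, which is the blind spot the article
    describes for network-based systems."""
    alerts = []
    for p in packets:
        if p.segment != monitored_segment:
            continue
        for name, pattern in NETWORK_SIGNATURES.items():
            if pattern in p.payload:
                alerts.append(Alert("network-sensor", name, f"{p.src}->{p.dst}"))
    return alerts


def host_agent(log_lines, host):
    """Sift one host's system log for known signatures.  Sees local
    activity the sensor never saw, but only once the activity has already
    reached this host."""
    alerts = []
    for line in log_lines:
        for name, pattern in HOST_SIGNATURES.items():
            if pattern in line:
                alerts.append(Alert("host-agent", name, f"{host}: {line}"))
    return alerts


# Constructed sample traffic: two packets on the DMZ segment, one internal.
SAMPLE_PACKETS = [
    Packet("dmz", "203.0.113.7", "192.0.2.10", b"GET /cgi-bin/example-probe HTTP/1.0"),
    Packet("dmz", "203.0.113.8", "192.0.2.10", b"GET /index.html HTTP/1.0"),
    Packet("internal", "10.1.1.5", "10.1.1.20", b"EXAMPLE_OVERFLOW_PATTERN"),
]

# Constructed sample syslog lines from an internal file server.
SAMPLE_LOG = [
    "Apr 27 10:02:11 fileserver login[412]: FAILED LOGIN 3 FROM 10.1.1.5 FOR root",
    "Apr 27 10:03:40 fileserver sshd[420]: Accepted password for alice",
]


def coverage_report(packets=SAMPLE_PACKETS, log_lines=SAMPLE_LOG, host="fileserver"):
    """Run both monitors and return their alerts side by side."""
    return {
        "network": network_sensor(packets),
        "host": host_agent(log_lines, host),
    }


if __name__ == "__main__":
    for source, alerts in coverage_report().items():
        for a in alerts:
            print(f"[{a.source}] {a.signature}: {a.detail}")
```

Running it, the DMZ sensor raises one alert for the external probe and is silent about the internal packet carrying a signature, while the host agent flags the failed root login on the file server. That is the article's point in miniature: each monitoring style sees only its own vantage point, so neither alone covers the enterprise.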
Network Associates' CyberCop, Cisco's NetRanger (formerly sold by WheelGroup), Internet Security Systems' RealSecure, Netect's Netective, AbirNet's SessionWall-3, Internet Tools' ID-Trak, and MimeStar's SecureNet Pro all take this approach. With some variations, these systems are sold as consoles, along with sensors that are priced separately.

The Money Store, in Union, N.J., uses Network Associates' CyberCop to protect its Internet segment. "With a name like the Money Store, you're going to get hack attempts," says Keith Bowyer, senior network engineer at the Money Store. "We've had quite a few."

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:57 PDT