[ISN] Hacker Stoppers? (ids)

From: mea culpa (jerichot_private)
Date: Tue Apr 28 1998 - 15:03:34 PDT

  • Next message: mea culpa: "Re: [ISN] Security Stats from Gartner Group"

    [Moderator: I found a few articles on IDS recently and will post
     the relevant ones. However, I highly recommend that you read SNI's
     technical paper released on February 9, 1997 about IDS shortcomings. The
     paper can be found at http://www.securenetworks.com/papers/ids-html/ ]
    
    
    http://www.techweb.com/wire/story/TWB19980427S0001
    
    [Hacker Stoppers?] Companies bought $65 million worth of network-intrusion
    tools last year, but capabilities still lag behind what's promised. 
    
    (04/27/98; 10:02 a.m. ET)
    By Deborah Kerr, InformationWeek
    
    Neal Clift no longer sleeps on the floor of his office. Ten years ago, he
    slept under his Digital VAX at Leeds University in England, listening for
    the telltale clicks and hums that signal an intruderon his network. For
    weeks, a hacker had been shamelessly crashing his machine, deleting files,
    and reconfiguring controls. Clift tracked the hacker's movements, recorded
    the keystrokes, and eventually closed up the hacker's entry points. 
    
    At the time, pulling late-nighters was the only way to catch a hacker,
    since poring over system logs could only establish the hacker's patterns
    after the fact. Now, intrusion-detection technology lets network security
    managers and administrators catch trespassers without spending the night
    on the office floor. 
    
    Intrusion-detection tools are a $65 million industry that will grow as
    large as the firewall market, which reached about $255 million in 1997,
    according to the Hurwitz Group, in Framingham, Mass. Touted as network
    burglar alarms, intrusion-detection systems are programmed to watch for
    predefineds2000] attack "signatures," or predefined bytecode trails of
    prespecified hacks.  Intrusion-detection systems also send out real-time
    alerts of suspicious goings-on inside the network.  enger]
    
    But don't bet the server farm on intrusion-detection systems yet. They're
    still new, and their capabilities are limited. No matter what you buy,
    some portion of the enterprise will be unprotected. Intrusion-detection
    systems also can break down under certain types of attacks, in some cases
    even turning on their own networks under the guidance of a truly
    knowledgeable hacker. 
    
    "There's no one tool to solve all the security problems throughout your
    network," says Jim Patterson, vice president of security and
    telecommunications at Oppenheimer Funds, in Denver. Oppenheimer, which
    manages $90 billion in assets, recently spent about $50,000 to install
    Intruder Alert from Axent Technologies on 20 of its key servers. Even so,
    Patterson says he still worries about the rest of his network, which is
    protected by a specially designed firewall. 
    
    Providing complete coverage is a key problem for intrusion-detection
    systems.  They can provide either host- or network-based monitoring.
    Network-based intrusion-detection systems put remote monitoringlike
    sensors on the wire that watch for attack signatures in packets coming
    into the network. But this approach leaves the system vulnerable to
    internal attack. Host-based systems use intelligent agents on key servers
    to sift through system logs for known signatures.  But this means an
    attacker has already entered the network and gotten to the servers where
    the agents are deployed. 
    
    Not surprisingly, Internet connections are becoming the primary point of
    network attack. The Net was the source of 54 percent of attacks on
    networks reported by 520 IS security managers, according to the March 1998
    Computer Security Institute/Federal Bureau of Investigation Computer
    Crimes Survey. 
    
    For this reason, many IS departments choose network-based
    intrusion-detection systems. Typically set up at a switch or router
    between the Web server and the firewall (commonly referred to as the
    demilitarized zone), these systems listen to network traffic and send
    alerts when they read packets containing known attack signatures.
    Sometimes they take automatic action such as terminating TCP connections. 
    
    Network Associates' CyberCop, Cisco's NetRanger (formerly sold by
    WheelGroup), Internet Security Systems' RealSecure, Netect's Netective,
    AbirNet's SessionWall-3, Internet Tools' ID-Trak, and MimeStar's SecureNet
    Pro all take this approach. With some variations, these systems are sold
    as consoles, along with sensors that are priced separately. 
    
    The Money Store, in Union, N.J., uses Network Associates' CyberCop to
    protect its Internet segment. "With a name like the Money Store, you're
    going to get hack attempts," says Keith Bowyer, senior network engineer at
    the Money Store.  "We've had quite a few." 
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Dimensional Communications (www.dim.com)
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:57 PDT