Intrusion Detection Systems: What you Should Know (ICSA Inc. White Paper and Robert Graham Web Site)

"Those reporting their Internet connection as a frequent point of attack rose for the third straight year; from 37% of respondents in 1996 to 57% in 1999." - from the 1999 CSI/FBI Computer Crime and Security Survey

The widespread misconception that "there is nothing interesting for a hacker on my computer" is dangerous for at least two reasons. First of all, hackers may use your system as a starting point for breaking into other systems and for disguising the origin of the attack. Moreover, most of us have some data worth stealing -- credit card numbers and other financial information, passwords, etc. Why bother breaking into a well-guarded system of a large corporation when you can achieve the same result by robbing a few dozen little guys?

Before rushing into deploying an Intrusion Detection System (IDS), you should thoroughly weigh potential benefits against the total cost of using such systems.

Why firewalls aren't enough.

Not all access to the Internet occurs through the firewall. Some systems have a dial-up access point located behind the firewall.

Not all threats originate outside the firewall. Many security incidents are traced to insiders.

Security breaches of other server software can be exploited to gain access to essential system resources. "For example, in April of 1999, many sites were hacked via a bug in ColdFusion. These sites all had firewalls," says Robert Graham, a computer security expert (http://www.robertgraham.com).

IDSs are not silver bullets.

Intrusion detection systems are only one part of the security infrastructure (other parts are physical security, user and access authentication, encryption, anti-virus systems, firewalls, etc.). None of the IDS solutions available offer you complete protection.

IDSs are classified into "anomaly detection" and "misuse detection" categories (http://www.nfr.net/forum/publications/id-myths.html).
Anomaly detection systems utilize heuristic algorithms to detect "abnormal" network traffic and alert the administrator. They tend to generate large numbers of "false positives" -- false alarms -- and sooner or later become ignored. To properly configure those systems and then constantly monitor and analyze their reports, you will have to hire a dedicated security specialist, or your investment in IDS will be useless.

Misuse detection systems work in a similar way to virus scanners, trying to match network patterns against their database of "attack signatures." They don't bother you with many false alarms, but cannot detect something they do not "know" about. As a result, they protect your system only from known automated hacking tools and "script kiddies" (mostly young, inexperienced hackers armed with tools created by more experienced hackers). More serious attackers can avoid any type of activity that triggers the alarm.

Intrusion detection is not the only benefit of deploying a good IDS. With it comes the ability to perform vulnerability assessments of your systems and close security holes before they are exploited, a greater degree of integrity for the rest of your security system, and tools for gathering the information needed to build a sound security policy.

If your company cannot afford (or cannot justify) purchasing and supporting a comprehensive IDS solution, a simple misuse detection system might be a good option. You may still be vulnerable to attacks by experienced hackers, but those are much rarer than attacks by automated bots and script kiddies. However, if you run a mission-critical online system whose informational content lures hackers, consider hiring security experts and deploying a best-of-breed IDS.

The following resources will help you better understand the area of intrusion detection, its terms and definitions, and where an IDS fits in the overall picture of network security.
1. First, read ICSA, Inc.'s white paper "Introduction to Intrusion Detection & Assessment" at http://www.icsa.net/services/consortia/intrusion/educational_material.shtml.
2. Next, check out Robert Graham's FAQs on Network Intrusion Detection Systems at http://www.robertgraham.com/pubs/network-intrusion-detection.html.
3. Finally, take a look at Network World Fusion's survey of the leading commercially available IDSs at http://www.nwfusion.com/reviews/1004bg.html.
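The two IDS categories described above, as an added example written for this page (not code from the article, ICSA or Robert Graham): a toy misuse detector and a toy anomaly detector run over the same constructed connection records, to show each approach's blind spot. The records, the single signature and the port threshold are all made up here; the result shows which hostile source the signature database misses, which one the heuristic misses, and which benign host the heuristic raises a false alarm on.

```python
from collections import defaultdict

# Constructed connection records (source, destination port, request text);
# not captured traffic. Sources .7 and .9 are the ones planted as hostile.
RECORDS = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("10.0.0.5", 80, "GET /about.html"),
    ("10.0.0.7", 80, "GET /../../etc/passwd"),        # known pattern in the database
    ("10.0.0.9", 21, ""), ("10.0.0.9", 22, ""),       # novel behaviour: one host
    ("10.0.0.9", 23, ""), ("10.0.0.9", 25, ""),       # sweeping many ports, with
    ("10.0.0.9", 80, "GET /"),                        # nothing a signature knows
    ("10.0.0.2", 22, ""), ("10.0.0.2", 80, "GET /"),  # benign monitoring host that
    ("10.0.0.2", 443, ""), ("10.0.0.2", 25, ""),      # happens to look the same
]

# Misuse detection: match each request against a signature database,
# the way a virus scanner does. Only one constructed signature here.
SIGNATURES = {"directory-traversal": "../.."}

def misuse_detect(records):
    """Return (source, signature name) for every record matching a signature."""
    hits = []
    for src, _port, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((src, name))
    return hits

# Anomaly detection: a heuristic baseline. A source is "abnormal" when it
# contacts more distinct destination ports than the threshold allows.
def anomaly_detect(records, max_ports=3):
    ports = defaultdict(set)
    for src, port, _payload in records:
        ports[src].add(port)
    return sorted(src for src, seen in ports.items() if len(seen) > max_ports)

def compare(records, known_bad=("10.0.0.7", "10.0.0.9")):
    """Show each approach's blind spot against the hosts we know are hostile."""
    misuse = {src for src, _ in misuse_detect(records)}
    anomaly = set(anomaly_detect(records))
    return {
        "misuse_missed": sorted(set(known_bad) - misuse),          # the port sweep
        "anomaly_missed": sorted(set(known_bad) - anomaly),        # the traversal
        "anomaly_false_alarms": sorted(anomaly - set(known_bad)),  # monitoring host
    }

if __name__ == "__main__":
    print(compare(RECORDS))
```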
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:41 PDT