Vendor Voice: Intrusion Detection
The Need for a Security Triangle
Malicious and complex threats faced by enterprises today require solutions that go beyond
anti-virus and firewalls. The use of an IDS along with other security mechanisms
provides a high level of security.
by Joy Ghosh
The Internet is a powerful tool of empowerment for small
businesses. With such wide access, companies can connect to millions of potential
customers regardless of geographic location. This facilitates greater customer
service and has, overall, improved the way companies do business. This
powerful tool has become a necessity for anyone wishing to reach, serve, and
retain customers.
At the same time, the Internet is becoming more dangerous,
and attack methods more sophisticated. Recently, the infectious and geographically
distributed worm dubbed 'Slammer' gained high visibility in the press, further
increasing awareness of the vulnerabilities facing a connected company.
The worm, which sends out a flood of packets, acts
similar to a Denial-of-Service (DoS) attack, a hacker attempt with the sole
intention of keeping legitimate users of a network from using that service and/or
disrupting normal business operations.
Blended threats
Previously, two 'blended threats,' Code Red and Nimda
were also widely covered topics in the news. Blended threats combine the characteristics
of viruses, worms, Trojan horses, and/or malicious code with server and Internet
vulnerabilities to initiate, transmit and spread an attack.
Currently, there are more than 35,000 Nimda-related
attacks occurring every day. And according to Computer Economics, the economic
costs of downtime and subsequent cleanup are more than half a billion dollars.
The calculated global cost of the Code Red worm alone is $2.6 billion.
Firewalls and Intrusion Detection Combined
Although anti-virus software and firewalls are now
commonplace in many small businesses, the increased knowledge and resources
available to hackers have taught them techniques to bypass such protection and
access valuable company assets.
Therefore, today's sophisticated threats require an additional level of security,
known as intrusion detection. An Intrusion Detection System (IDS) is a complementary
solution to firewall technology.
Firewalls can control traffic in and out of a computer.
However, a security threat may still exist if unwanted traffic gets through
the firewall, tries to take advantage of vulnerabilities within a legitimate
application, and evades detection by anti-virus software.
With intrusion detection, another layer of security
is added by examining the content of Internet traffic for malicious code and
attacks. The intrusion detection component identifies intrusions based on the
signature, and then automatically triggers an appropriate response, which can
terminate the Internet connection to prevent further access.
New threats and IDS
Many new threats have been programmed to get into a
network in whatever way possible. They can enter even with a personal firewall
and anti-virus software running on the computer. A blended threat, like Nimda,
may still be able to get by the firewall through common Internet applications,
like Internet Explorer or Internet Information Server. And since many blended
threats do not execute from a computer's hard drive, they can go unnoticed by anti-virus
programs.
Implementing intrusion detection gives potential intruders
no place to hide. Nevertheless, it cannot replace a firewall or anti-virus program;
it must be used in conjunction with the two. When all three of these security
technologies are integrated, they provide a figurative triangle of security,
which is a synergistic barrier around the computer and network.
IDS analogy
An easy way to understand intrusion detection is to
use the analogy of airport security. When passengers arrive at an airport, they
proceed through a security checkpoint where airport personnel confirm possession
of a plane ticket. If cleared, the passengers and their belongings proceed through
an X-ray machine that checks for questionable and illegal items.
Similarly, a firewall determines if Internet traffic
can enter a computer. If allowed, the IDS will X-ray the traffic, examining
it for suspicious attack patterns. When an attack is found, the IDS automatically
cuts off the incoming traffic.
Components of an IDS
IDSs vary greatly in features and complexity. Standalone
desktop systems need to employ a different type of intrusion detection than
a large corporation with thousands of workstations. Still, a few important points
must be considered when selecting an IDS.
Updated attack signatures - An IDS should offer an
easy and quick way to obtain the most up-to-date attack signatures. Security
software is only as effective as it is current, which underscores the significance
of having the most efficient updating mechanism for keeping all components current
against the latest threats. Good IDSs will search for updates automatically,
in the background.
Much like a police officer recognizes patterns at a
crime scene as those of a particular villain, an IDS recognizes incoming traffic
as an attack by relying on the signature or mark of an attack. An IDS solution
that automatically updates signatures whenever a user accesses the Internet
quickly recognizes the signature of an attacker and blocks further access.
Integration with firewall and anti-virus programs -
A sound IDS will be integrated to work seamlessly with the firewall and anti-virus
program. Such integration not only simplifies the task of purchasing, installing
and supporting individual products, but more importantly, makes it easier to
obtain the most up-to-date attack signatures from the same vendor.
Ability to identify unpublished attack signatures -
New technology allows many IDSs to be intelligent enough to detect malicious
behavior that may not yet be identified in published attack signatures. Such
detection techniques include anomaly detection, traffic rate monitoring,
protocol state tracking, and IP packet reassembly.
By not having to rely on previously identified attack
signatures, these hybrid detection systems are more proactive and intelligent
in their monitoring techniques. These systems can look for any type of suspicious
behavior, whether identified as a known threat or not, which in turn protects
a computer from the newest and most unique threats.
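A small worked illustration of how signature matching, traffic-rate monitoring and IP packet reassembly fit together, added here as an example; it is not code from the article or from any Symantec product. The Packet model, the HybridIDS class, the signature strings and the sample packets are all constructed for the illustration. It shows two things the paragraphs above state: a flood from one source is caught by the rate monitor with no signature at all, and a known signature split across two fragments is caught only when the flow is reassembled before matching. Protocol state tracking is not modelled.

```python
"""Toy hybrid IDS over constructed sample packets.

Added example, not code from the article or from any Symantec product.
It demonstrates three of the techniques the article names: signature
matching, traffic-rate monitoring and IP packet reassembly. The Packet
model, the signatures and the sample traffic are all made up here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed signatures: byte patterns a real IDS would ship in its rule set.
SIGNATURES = {
    "SIG-CONSTRUCTED-1": b"CONSTRUCTED-EXPLOIT-MARKER",
    "SIG-CONSTRUCTED-2": b"CONSTRUCTED-WORM-PROBE",
}


@dataclass
class Packet:
    src: str        # source address
    dst_port: int   # destination port
    time: float     # arrival time in seconds
    flow_id: str    # constructed key identifying the flow this packet belongs to
    seq: int        # position of this fragment within its flow
    payload: bytes


@dataclass
class HybridIDS:
    rate_limit: int = 5        # more than this many packets per window is a flood
    window: float = 1.0        # sliding window length in seconds
    reassemble: bool = True    # stitch fragments together before matching
    blocked: set = field(default_factory=set)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))
    _flows: dict = field(default_factory=lambda: defaultdict(dict))

    def _flow_bytes(self, pkt: Packet) -> bytes:
        """Bytes to match against: this fragment alone, or the whole flow so far."""
        if not self.reassemble:
            return pkt.payload
        frags = self._flows[pkt.flow_id]
        frags[pkt.seq] = pkt.payload
        return b"".join(frags[i] for i in sorted(frags))

    def _rate_exceeded(self, src: str, now: float) -> bool:
        """Sliding-window packet count per source; True once over rate_limit."""
        q = self._recent[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.rate_limit

    def inspect(self, pkt: Packet) -> list:
        """Return the alerts for one packet; any hit blocks the source."""
        if pkt.src in self.blocked:
            return ["DROPPED: source already blocked"]
        data = self._flow_bytes(pkt)
        alerts = [f"SIGNATURE {name}" for name, pat in SIGNATURES.items() if pat in data]
        if self._rate_exceeded(pkt.src, pkt.time):
            alerts.append("RATE")
        if alerts:
            self.blocked.add(pkt.src)   # the "cut off the incoming traffic" response
        return alerts


# Constructed sample traffic: a benign request, an attack marker split across
# two fragments of one flow, and a burst of eight packets from one source in 80 ms.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, 0.00, "flow-a", 0, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.7", 80, 0.10, "flow-b", 0, b"GET /CONSTRUCTED-EXPL"),
    Packet("10.0.0.7", 80, 0.12, "flow-b", 1, b"OIT-MARKER HTTP/1.0\r\n"),
] + [
    Packet("10.0.0.9", 8080, 0.20 + 0.01 * i, f"flow-c{i}", 0, b"probe")
    for i in range(8)
]


def analyse(packets, reassemble=True):
    """Run the IDS over a packet list; map packet index -> alerts (hits only)."""
    ids = HybridIDS(reassemble=reassemble)
    results = {}
    for i, pkt in enumerate(packets):
        alerts = ids.inspect(pkt)
        if alerts:
            results[i] = alerts
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print(f"reassemble={mode}: {analyse(SAMPLE_PACKETS, reassemble=mode)}")
```

Running it prints the alerts per packet in both modes. With reassembly on, packet 2 (the second fragment) triggers SIG-CONSTRUCTED-1 and the burst from 10.0.0.9 trips the rate monitor on its sixth packet, after which the remaining packets from that source are dropped. With reassembly off, the split marker never matches, which is why reassembly matters even for purely signature-based detection.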
Looking at the future
Complex security threats still plague the computers
and networks of small businesses. More than a year after their discovery, blended
threats are expected to appear with greater regularity and complexity, thus
signaling the urgent need for integrated tools that provide effective protection
at multiple layers. The intelligence in an IDS plays a vital role in both identifying
and eliminating these new and complex threats.
The author is Country Manager of Symantec. He can be reached
at jghosh@symantec.com