Vendor Voice: Instrusion Detection
The Need for a Security Triangle
and complex threats faced by enterprises today require solutions that go beyond
anti-virus and firewalls. The use of an IDS along with other security mechanisms
provide a high level of security. by Joy Ghosh
The Internet is a powerful tool of empowerment for small
businesses. With such wide access, companies can connect to millions of potential
customers regardless of geographic location. This facilitates greater customer
service and has on the overall, improved the way companies do business. This
powerful tool has become a necessity for anyone wishing to reach, serve, and
At the same time, the Internet is becoming more dangerous,
and attack methods more sophisticated. Recently, the infectious and geographically
distributed worm, dubbed 'Slammer' gained high visibility in the press, further
increasing the awareness of vulnerabilities present to a connected company.
The worm, which sends out a flood of packets, acts
similar to a Denial-of-Service (DoS) attacka hacker attempt with the sole
intention of keeping legitimate users of a network from using that service and/or
disrupting normal business operations.
Previously, two 'blended threats,' Code Red and Nimda
were also widely covered topics in the news. Blended threats combine the characteristics
of viruses, worms, Trojan horses, and/or malicious code with server and Internet
vulnerabilities to initiate, transmit and spread an attack.
Currently, there are more than 35,000 Nimda-related
attacks occurring everyday. And according to Computer Economics, the economic
costs of downtime and subsequent cleanup is more than half a billion dollars.
The calculated global cost of the Code Red worm alone is $2.6 billion.
Firewalls and Intrusion Detection Combined
Although anti-virus software and firewalls are now
commonplace in many small businesses, the increased knowledge and resources
available to hackers has taught them techniques to bypass such protection, and
access valuable company assets.
Therefore, today's sophisticated threats require an additional level of security,
known as intrusion detection. An Intrusion Detection System (IDS) is a complementary
solution to firewall technology.
Firewalls can control traffic in and out of a computer.
However, a security threat may still exist if unwanted traffic gets through
the firewall, tries to take advantage of vulnerabilities within a legitimate
application, and evade detection by anti-virus software.
With intrusion detection, another layer of security
is added by examining the content of Internet traffic for malicious code and
attacks. The intrusion detection component identifies intrusions based on the
signature, and then automatically triggers an appropriate response, which can
terminate the Internet connection to prevent further access.
New threats and IDS
Many new threats have been programmed to get into a
network in whatever way possible. They can enter even with a personal firewall
and anti-virus software running on the computer. A blended threat, like Nimda,
may still be able to get by the firewall through common Internet applications,
like Internet Explorer or Internet Information Server. And since many blended
threats do not execute on a computer's hard drive, it can go unnoticed by anti-virus
Implementing intrusion detection gives potential intruders
no place to hide. Nevertheless, it cannot replace a firewall or anti-virus program,
as it must be used in conjunction with the two. When all three of these security
technologies are integrated, they provide a figurative triangle of security,
which is a synergistic barrier around the computer and network.
An easy way to understand intrusion detection is to
use the analogy of airport security. When passengers arrive at an airport, they
proceed through a security checkpoint where airport personnel confirm possession
of a plane ticket. If cleared, the passengers and their belongings proceed through
an X-ray machine that checks for questionable and illegal items.
Similarly, a firewall determines if Internet traffic
can enter a computer. If allowed, the IDS will X-ray the traffic, examining
it for suspicious attack patterns. When an attack is found, the IDS automatically
cuts off the incoming traffic.
Components of an IDS
IDSs vary greatly in features and complexity. Standalone
desktop systems need to employ a different type of intrusion detection than
a large corporation with thousands of workstations. Still, a few important points
must be considered when selecting an IDS.
Updated attack signatures - An IDS should offer an
easy and quick way to obtain the most up-to-date attack signatures. Security
software is only as effective as it is current, which underscores the significance
of having the most efficient updating mechanism for keeping all components current
against the latest threats. Good IDSs will search for updates automatically,
in the background.
Much like a police officer recognizes patterns at a
crime scene to be that of a particular villain, an IDS recognizes incoming traffic
as an attack by relying on the signature or mark of an attack. An IDS solution
that automatically updates signatures whenever a user accesses the Internet,
quickly recognizes the signature of an attacker and blocks further access.
Integration with firewall and anti-virus programs -
A sound IDS will be integrated to work seamlessly with the firewall and anti-virus
program. Such integration not only simplifies the task of purchasing, installing
and supporting individual products, but more importantly, makes it easier to
obtain the most up-to-date attack signatures from the same vendor.
Ability to identify unpublished attack signatures -
New technology allows many IDSs to be intelligent enough to detect malicious
behavior that may not yet be identified in published attack signatures. Such
detection technology is known as anomaly detection, traffic rate monitoring,
protocol state tracking, and IP packet reassembly.
By not having to rely on previously identified attack
signatures, these hybrid detection systems are more proactive and intelligent
in their monitoring techniques. These systems can look for any type of suspicious
behavior, whether identified as a known threat or not, which in turn protects
a computer from the newest and most unique threats.
Looking at the future
Complex security threats still plague the computers
and networks of small businesses. More than a year after their discovery, blended
threats are expected to appear with greater regularity and complexity, thus
signaling the urgent need for integrated tools that provide effective protection
at multiple layers. The intelligence in an IDS plays a vital role in both identifying
and eliminating these new and complex threats.
The author is Country Manager of Symantec. He can be reached