From Web vulnerabilities, which allow hackers to simply deface your Web site, to the theft of your most important asset, namely, your corporate data, attacks and intrusions are no longer limited to the outside world trying to get in -- they are coming from all sides. Because your firewall is deployed just inside your network, it is not concerned with the traffic that originates from within your company. I recently read about a project where a manufacturing company introduced older PCs, which were not fully patched or protected with current antivirus software, from another location into their main network. A Trojan horse program (Osprev) was immediately able to come alive and exploit the network system from within. It managed to find its way through the network connection and began DoS attacks on 20-plus other IP addresses. Why IDS?
There is no question that security vulnerabilities are increasing. Vulnerabilities reported by the CERT Coordination Center show that only 417 were reported in 1999. In the first three quarters of 2002, that figure was up to 3,222, a staggering increase of over 132 percent in vulnerabilities reported just within the past three years. This means that, more than ever, you need to be securing your system to the best of your abilities so that these vulnerabilities don't wreak havoc on your network. But, as a recent poll shows, not every one is doing as much as they can to secure their network. In fact, 38 percent of the respondents indicated they had not considered IDS, while 9 percent indicated that they had considered IDS but had decided against it. Through software bugs, exploiting protocol weaknesses, and cracking passwords, the dedicated hacker can track down and exploit any open door you have in your line of defense. Deploying an IDS could do a lot to close those doors. Your IDS solution protects your network assets by the following methods:
- Accurately detecting attacks
- Stopping the attack
- Simplifying security management
- Providing the proper documentation
- Offering the flexibility needed to conform to your security policy
- Double-checking incorrectly configured firewalls
- Verifying that current security polices are in effect
- Catching attacks that your firewall(s) legitimately allow through
- Catching attempts that fail
- Catching insider hacking
- Detecting abnormal attacks from a terminal left unattended
- Finding holes that intruders can exploit
- Providing for documentation before, during, and after an attack
Intrusion Detection Systems can be deployed at the point of insertion, behind the firewall, on various segments and servers, or in an array of locations as a comprehensive perimeter security guard. By monitoring traffic to safeguard your system from external and internal attacks on the network wire, the IDS system watches for and stops hackers attempting to break into your system. Detection methods include using attack signatures, checking for unusual protocol anomalies, and catching rogue processes. Types of detection systems
Hackers are constantly exploiting new vulnerabilities daily. By evolving new methods to gain access to your inner network, they launch new and sophisticated attacks that don't follow a set pattern. While signature-based detection is a solid system, protocol-anomaly detection can be used to identify the various attacks that do not follow normal patterns. Here are the types of detection systems should you consider for your IDS security solution:
- Stateful signature detection
- Protocol anomaly detection
- Backdoor detection
As the technology evolves faster than patches can be distributed, there is a new worry that companies are potentially liable for damages caused by a hacker using their systems. You must be able to prove to a court that you took "reasonable" measures to defend yourself from hackers. More important, your data is now the most critical commodity you have to protect. The combination of the data available on the network systems and the compounded difficulties involved in protecting that data make internal user and Internet systems large, vulnerable targets. It is a common occurrence to see the media referring to intruder activities that result in financial loss, data corruption, and loss of public confidence. You have to ask yourself two questions: How much does downtime cost you, and how much will the loss of your data set you back? Ultimately, it is the due diligence of IT managers to bring to bear all technology (such as IDS) that they can to protect the corporate data they are entrusted with. For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter. Tell us what you think in the Enterprise Mailroom.
