Summary

It is indisputable that the security market has taken off in the last couple of years as Internet connectivity becomes an essential part of every business and home user’s communications armoury. Unfortunately for the potential purchaser of security solutions, the market is simply not mature enough to make purchasing decisions as simple and safe as they should be.

Everyone now accepts that they need a firewall if they are going to connect computer systems to the outside world, but it is only recently that the firewall market has reached sufficient levels of maturity that the products could be considered “commodity” or “off the shelf” items. And some would argue that, given their complexity, they should never be considered in such a light.

At this year’s NSS Group conference on Internet Security and eCommerce held in Monaco we were fortunate to witness a panel of distinguished experts in the field of Intrusion Detection. Rather shockingly, they concluded that the IDS market is still probably four years behind the firewall market in terms of maturity. That is a lot of catching up to do for these products, and there will undoubtedly be some singed corporate fingers on the way.

But it is not all doom and gloom. The technology is improving all the time and we are seeing new products appearing on a regular basis. It is certainly not worth waiting four years to see what happens – if we accept the analogies raised in the introduction to this report, then would you really want to risk not installing a burglar alarm in your home or office, just because it is difficult to do?

Most of the press coverage seems to focus on Network IDS, because that is the “fashionable” or “sexy” technology of the moment. But FBI figures are still pointing to the fact that over 70 per cent of all “hacks” are perpetrated by insiders. These are not “script kiddies” who are trying to break through your firewall or launch Denial of Service attacks against your servers. They are your own users trying to sneak a look at the payroll files, or steal vital product design data or customer names and addresses to take with them when they leave to work for your competitor at the end of the month.

To tackle these problems, the “old fashioned” Host IDS is what you need, a technology that has been around for a long time and is now enjoying something of a resurgence thanks to the interest in IDS in general brought about by the new and sexy network-based products. In most organisations today, host-based IDS should be the first IDS product you consider purchasing.

The security administrator who wants to cover all his bases will undoubtedly install both network- and host-based IDS, however. To date, there is not one single vendor who has managed to produce a top-performing product in all sectors (though if you are a fan of one-stop-shopping, Axent certainly has all the bases covered). Therefore, do not be afraid to mix best of breed products in order to provide optimum coverage.

One example would be to choose CyberSafe Centrax as your host-based system, Tripwire for File Integrity Assessment and BlackICE Sentry for high-performing Network IDS. Certainly when selecting your network-based IDS product, you should concentrate mainly on the performance and detection rates (and packet reassembly capabilities) rather than the prettiest GUI.

Not even the number of signatures matters as much as you might think, since many products are capable of employing more of a “generic” detection mechanism (and BlackICE uses protocol decodes) in order to detect a number of different attacks from a single signature.

The Vulnerability Assessment (VA) marketplace also suffers from some serious misconceptions. With VA products, it is important to differentiate between the host-based assessment products – such as Axent ESM – and the network-based assessment products – such as NetRecon, CyberCop Scanner, e-secure, and so on. Though network scanning tools are maturing, they are fundamentally different from host-based assessment tools. Host-based tools provide a privileged view of security from the inside, whilst network-based tools provide an unprivileged outsider's view of the same systems. Most security experts would agree that there is a place in most organisations for both.

It is also apparent from the testing we have carried out for this report that there is an enormous difference in coverage and quality of reporting of VA scanners from product to product. Organisations that are serious about their security assessment practices would be well advised to consider purchasing two different commercial products, as well as supplementing those with some of the more reputable freeware products from the Internet.

Finally, it would be remiss of us not to cover the most essential element of your security coverage. We mentioned earlier in this summary that some products employ a “generic” signature database that allows them to raise alerts for multiple attacks based on a single signature. This approach is essential as signature databases grow and grow – matching every attack to a unique signature is no longer efficient and reduces the chances of detecting attacks under load. The problem is that the administrator may be faced with an alert that simply says “impossible IP packet”. What does this mean? It could be a Land attack (chances are that it is, at the time of writing), but as new variants appear, that same message could be triggered by a number of different attacks.

The administrator who is not security literate might well look at the alert and decide that he has already patched his systems for that particular attack and thus neglect to apply a more recent patch that addresses a more recent variant. More likely, the non-security literate administrator will simply have no idea what an impossible IP packet is, and will thus ignore it.
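The ambiguity described above, shown as an added example (not code from the NSS Group report or from any product it reviews): a generic check over parsed IPv4/TCP headers raises the same "impossible IP packet" alert for a Land packet and for other malformed-source conditions. The set of conditions beyond Land, the function names and the sample packets (built from documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import struct

GENERIC_ALERT = "impossible IP packet"  # the one message the console shows

def build_packet(src, dst, sport, dport):
    """Constructed IPv4+TCP SYN headers for offline testing (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport), or None if not a usable IPv4/TCP header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (ipaddress.IPv4Address(raw[12:16]), ipaddress.IPv4Address(raw[16:20]),
            sport, dport)

def impossible_reasons(raw):
    """Specific conditions (assumed set) that all collapse into GENERIC_ALERT."""
    parsed = parse_ipv4_tcp(raw)
    if parsed is None:
        return []
    src, dst, sport, dport = parsed
    reasons = []
    if src == dst and sport == dport:
        reasons.append("land: identical source and destination address and port")
    elif src == dst:
        reasons.append("source address equals destination address")
    if src.is_loopback:
        reasons.append("loopback source address seen on the wire")
    if src.is_multicast or src == ipaddress.IPv4Address("255.255.255.255"):
        reasons.append("multicast or broadcast source address")
    return reasons

def generic_alert(raw):
    """What a generic signature reports: one message, whatever the cause."""
    return GENERIC_ALERT if impossible_reasons(raw) else None

if __name__ == "__main__":
    for args in [("192.0.2.10", "192.0.2.10", 139, 139),
                 ("127.0.0.1", "192.0.2.10", 1025, 80),
                 ("198.51.100.7", "192.0.2.10", 1025, 80)]:
        pkt = build_packet(*args)
        print(args, "->", generic_alert(pkt), impossible_reasons(pkt))
```

Recording the specific reason next to the generic alert name is what lets an administrator tell an already-patched attack from a newer variant.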

So, what is the solution? Having already decided that it is no longer possible to have an all-encompassing signature database, the only component that is capable of being improved is – the administrator. Education is the key, and all the wonderful graphical interfaces and slick deployment methods in the world will not make these products simple to use, because they deal with a complex subject.

Before any administrator is let loose on a corporate network with a VA scanner or an IDS – in fact, even before such products are purchased – he or she should be thoroughly educated in the basics of security and hacking: what sort of attacks are possible, both from the inside and the outside; where to go to research the latest vulnerabilities and acquire the most up-to-date patches; how to perform an effective VA scan; and how to deploy a Network IDS in the most efficient manner in both a switched and shared network environment.

Without such a basic grounding, they could cause more harm than good.

Copyright © 1991-2001 The NSS Group.
All rights reserved.