One fine day, a bank was operating as per its daily schedule when the banking
database was suddenly found to be showing all the wrong records, and the security
management task force was immediately alerted. The organization was relying on
firewalls that did not inspect inbound traffic for malicious data, which
prolonged the process of tracking the virus and alerting the network. An IDS would
instead have saved the network from damage, owing to its ability to scan inbound as
well as outbound traffic in a network.
Sophisticated viruses like Code Red, Nimda and Code Red II have managed to crack
networks and corrupt valuable database information. The sectors that have
undergone these experiences have primarily been banks and corporate houses with
large databases. The story has always been the same: a virus suddenly hits the
network, and by the time the company's security software has tracked it, the damage
intended by the hacker is already, and very successfully, done. Thus arose a need
for more sophisticated technology that would be able to track the virus on the
network immediately after an attack and also promptly trace the hacker, in order to
prevent further attacks. For several years now, various changes have been
incorporated into the network security infrastructure, with implementations ranging
from firewalls and their upgraded versions, router security techniques, host system
security, auditing and incident response plans to intrusion detection systems (IDS).
Though all these technologies have their own complexities and loopholes, IDS
deployment has been more successful as a technology for securing information in
corporate sectors. The sole purpose and advantage of using IDS is its ability to
track the inbound traffic and alert the network users against hacker attacks,
which is not possible with a firewall that sniffs only the outbound traffic. IDS
acts like a burglar alarm for the network. Intrusion detection is the process of
monitoring the events occurring in an IT system and analyzing them for signs of
intrusions. These intrusions are defined as attempts to compromise
confidentiality, integrity, or availability, or to bypass the security
mechanisms of an IT system. Intrusions are caused by attackers accessing systems
from the Internet, by authorized users of the systems who attempt to gain
additional privileges for which they are not authorized, and by authorized users
who misuse the privileges given to them. The IDS obtains event information from one
or more information sources, performs a pre-configured analysis of the event
data, and then generates specified responses, ranging from reports to active
intervention, when intrusions are detected.
The goal of deploying IDS is to detect, identify, and monitor unauthorized
use, misuse, and abuse of IT systems by both internal network users and external
attackers. These intrusions can be broken down into two main types. Misuse
intrusions, well-defined attacks on known weak points of an IT system, can be
detected by signature analysis or by watching for certain actions being performed
on certain objects. Anomaly intrusions, based on observations of deviations from
normal IT system usage patterns, can be detected by pattern analysis, that is,
building up a profile of the IT system being monitored and noting significant
deviations from this profile. IDS technologies are deployed in one of two modes:
passive or active (reactive). In the passive mode, the IDS detects a potential
security breach, immediately logs the required information and signals an alert.
In a reactive system, the IDS reacts to any suspicious activity by disconnecting
the user from the network or by reprogramming the firewall to block network traffic
from the suspected malicious source. In that sense, they are the first line of
defense for the computer network. In its basic philosophy, IDS inspects all inbound
and outbound network activity to identify suspicious patterns in the traffic and
catch the intruder at any of the seven layers of the network stack. Though Symantec
uses honeypots like Manhunt to track the hackers intruding into its systems,
Network Associates believes that honeypots are an unnecessary feature for IDS as
long as the IDS is defending the customer's systems from virus attacks and also
successfully providing patches for them.
"We do not use honeypots as we consider it a diversification to business, instead we have a learning engine with a sophisticated algorithm that logs files immediately in case of unprecedented attacks and also alerts the network", says Viren Mantri, Regional Technical Manager,
NAI.
Trap at the application layer
Most IDSs are structured around a large signature database system that
attempts to compare every packet to every signature in the database. Though
this approach is effective to a great extent, it suffers drawbacks when network
speeds increase and the resources the IDS sensor has to track packets
run short, causing some packets to be discarded and therefore leaving relevant
attacks undetected. Most IDS sensors can only operate effectively up to about 60
MB per second. Many companies today fully utilize 10/100 on up to 1 GB per
second on their network backbone, where most of their mission-critical servers
reside. A further weakness of signature-based systems is the time it takes for the
IDS vendor to identify new attacks, create a signature, and then release an update.
A more successful methodology, in the anomaly-detection vein noted above, is the
'protocol anomaly detection' technology that operates at the application protocol
layer. Its efficiency lies in the fact that it focuses on the structure and content
of the communications occurring in a network. When protocol rules are modeled
directly in the sensors, it is easier to identify traffic that violates the rules,
such as unexpected data and extra or invalid characters. As soon as the IDS
distinguishes it as a violation of the protocol, it alerts the system
administrator.
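The contrast between the two approaches described above, as an added example that is not code from the article or from any vendor mentioned in it: a signature engine that compares each request against a stored pattern list, beside a protocol-anomaly checker that models the HTTP request-line and header grammar and flags violations (control characters, malformed fields) with no signature for them. The signature pattern, the "ConstructedWorm" string and the sample requests are all constructed for this illustration.

```python
import re

# Constructed stand-in for a vendor signature feed: name -> byte pattern.
SIGNATURES = {
    "SIG-0001 constructed worm user-agent": re.compile(rb"User-Agent: ConstructedWorm/1\.0"),
}

# Grammar pieces used by the protocol model (RFC 7230 token characters).
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(rb"^HTTP/1\.[01]$")
CTL = re.compile(rb"[\x00-\x1f\x7f]")          # control characters
MAX_TARGET = 2048                               # assumed sensor limit


def signature_alerts(raw: bytes) -> list[str]:
    """Classic approach: compare the captured request to every stored signature."""
    return [name for name, pat in SIGNATURES.items() if pat.search(raw)]


def protocol_alerts(raw: bytes) -> list[str]:
    """Protocol-anomaly approach: model the HTTP request grammar and report
    anything that violates it, whether or not a signature exists for it."""
    alerts = []
    head = raw.split(b"\r\n\r\n", 1)[0]          # request line + headers
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["request line must have exactly three fields"]
    method, target, version = parts
    if not TOKEN.match(method):
        alerts.append("method contains invalid characters")
    if not VERSION.match(version):
        alerts.append("unexpected HTTP version")
    if CTL.search(target) or len(target) > MAX_TARGET:
        alerts.append("request target has control characters or is oversized")
    for field in lines[1:]:
        name, sep, _ = field.partition(b":")
        if not sep or not TOKEN.match(name):    # missing colon or bad name
            alerts.append(f"malformed header field: {field[:20]!r}")
    return alerts


# Constructed sample traffic: a clean request, one matching the stored
# signature, and one the signature database knows nothing about.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    "known": b"GET / HTTP/1.1\r\nUser-Agent: ConstructedWorm/1.0\r\n\r\n",
    "unknown": b"GET /login\x00 HTTP/1.1\r\nHost bank.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, signature_alerts(raw), protocol_alerts(raw))
```

The "unknown" request raises no signature alert at all but two protocol alerts, which is the gap the article says protocol anomaly detection closes; the "known" request shows the reverse, so in practice the two engines complement each other.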
Will it last forever?
Though IDS is generally discussed as a technology for detection, in practice it is
a combined solution and process involving not only the technology but also the
people who deploy and operate it. Says Raghu Raman, Head- Information
Security, Mahindra Consulting, "A lot of products put in place are not going
to work for a simple reason: an alert has to be looked at by somebody."
There have been several incidents where the IDS technology functioned
effectively and yet contributed little to saving a network from an attack, owing
to the slow response of the staff responsible for acting on the detected attack.
Says Raghu Raman, "We have faced circumstances where our IDS deployment managed to
raise an alarm about an invading virus at the right time, which however failed to
be effective owing to the disinterest and delay in taking spontaneous action by
the task force allotted for network security and maintenance."
For IDS to work productively, it is essential that the maintenance staff who
receive the alarm raised by the intrusion detection system act on it with
immediate effect and also signal everyone else connected to the network. Joy
Ghosh, country manager, Symantec, says, "Companies need to recognize the urgency
of their security upgrade. There are companies with technology officers who are
least bothered about the security of their company's data; it is only the COOs who
showed concern, as they are at the risk of losing their jobs with any unprecedented
breach of their security infrastructure."
Standardizing the technology seems almost impossible given the ever-evolving
strength and sophistication of hacker skills. Even the latest IDS deployments
cannot guarantee an optimum level of security. Claims Sachin More, manager-IT
security and projects, Mahindra & Mahindra, "Although the number of false
positives has reduced with IDS, they have not been completely eliminated, and it
still involves a lengthy process in identifying and reacting to a critical and
authentic attack." All in all, IDS has definitely strengthened network security;
however, users need to guard constantly against new, unpredictable breaches by
professional attackers.