Viewpoint

Is Network Intrusion Detection Software Being Used Correctly?

By Marcus J. Ranum

It's early Sunday morning and the network manager is sleeping at home. A stealth hacker program is unfolding itself behind the company's firewall, preparing to open a path into the network. Immediately, the network manager's pager is activated: "Attack in progress!" Within minutes, the network manager has logged in over a secure link, accessed the company's intrusion detection system, and obtained complete details of the origin and nature of the attack. After a few quick phone calls, the penetration is blocked, and law enforcement agents will soon be knocking on the hacker's front door.

Sounds great, doesn't it? Unfortunately, the reality of network intrusion detection and response doesn't even come close to this hypothetical scenario. For one thing, most intrusion detection systems--software and hardware components that detect incursions into a network--cannot trace an attacker back to his or her point of origin. Yet many network managers are purchasing intrusion detection systems anyway. Are they getting their money's worth? Are their networks any safer? The evidence suggests that the answer is no to both questions, but that need not be the case.

IDS types. Researchers have been working on intrusion detection systems for a long time without achieving what could be called a major breakthrough. Currently, users have two choices: anomaly detection and misuse detection. But each has serious limitations.

Anomaly detection. The usual line of research focuses on what is called the anomaly detection intrusion detection system (AD-IDS). An AD-IDS "learns" what constitutes normal network traffic, developing sets of models that are updated over time. These models are applied against new traffic. Traffic that doesn't match the normal model is flagged as suspicious.
These systems are attractive conceptually, but it is hard to create a reliable model for normal traffic. As networks grow, the mix of applications becomes so complex that traffic looks random. A patient hacker may even generate his or her own traffic to produce a distorted model of normal, so that, sooner or later, an attack may look normal and get past the IDS. On the other hand, if the IDS is set up with a narrow definition of normal, the system will generate large numbers of false positives, and the IDS will be ignored. Much research is still being done on AD-IDS, but for now these systems are not the answer.

Misuse detection. Many companies offer an easier-to-operate form of IDS called the misuse detection intrusion detection system (MD-IDS). The MD-IDS resembles a virus scanner attached to a network. It is usually programmed with signature sets representing the types of connections and traffic that indicate a particular attack. Other forms of these systems rely on host platform information, such as C2 audit logs (which record information such as file accesses), to detect patterns of suspicious activity. These systems are fast and don't generate false positives because they "understand" what attacks look like. But, like virus scanners, MD-IDSs cannot detect something that the network manager doesn't know about--the type of attack the network manager most wants to detect. For an MD-IDS to be useful, its signature sets must be constantly updated. Even so, the network will still be vulnerable to new attacks. It is also distressingly easy f
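The two approaches, and the failure modes the column attributes to each, can be seen in a few lines of code. The following is an added example written for this page, not code from the column or from any IDS product: the baseline counts, the traffic values, the thresholds, the signature names and the payload strings are all constructed. The anomaly side learns a mean and standard deviation of connections per minute and flags deviations of more than k standard deviations; the misuse side matches a payload against a list of known patterns. The same gradual rise in traffic is run against an adaptive model (learn_rate 0.2) and against a frozen baseline (learn_rate 0) to show how a slowly shifting "normal" drags an adaptive model along, and a narrow threshold (k=1) shows the false-positive problem.

```python
"""Toy anomaly-detection (AD-IDS) and misuse-detection (MD-IDS) logic, added
as an illustration of the two approaches the column contrasts. It is not code
from the column or from any IDS product; the baseline numbers, traffic values,
thresholds and signature strings are all constructed."""
import re
import statistics

# Constructed baseline: connections per minute to the mail port over ten quiet
# minutes, the kind of "normal" an anomaly detector learns from.
BASELINE = [10, 12, 9, 11, 10, 13, 8, 12, 11, 10]


class AnomalyDetector:
    """Flag an observation when it lies more than k standard deviations from
    the learned mean, then fold it into the model (if learn_rate > 0), as an
    adaptive AD-IDS does."""

    def __init__(self, history, k=3.0, learn_rate=0.2):
        self.mean = statistics.mean(history)
        self.std = statistics.pstdev(history) or 1.0
        self.k = k
        self.learn_rate = learn_rate

    def observe(self, value):
        anomalous = abs(value - self.mean) > self.k * self.std
        # Exponential update of the model. With learn_rate 0 the baseline is
        # frozen; with a positive rate the model tracks whatever it is shown,
        # including traffic deliberately shaped to move it.
        r = self.learn_rate
        self.mean = (1 - r) * self.mean + r * value
        self.std = (1 - r) * self.std + r * abs(value - self.mean)
        return anomalous


def run_anomaly(values, k=3.0, learn_rate=0.2):
    """Return one True (alert) / False (quiet) verdict per observed minute."""
    det = AnomalyDetector(BASELINE, k=k, learn_rate=learn_rate)
    return [det.observe(v) for v in values]


# Constructed signature set, the MD-IDS side: a name plus a pattern matched
# against the first line a client sends. Real products ship thousands of these.
SIGNATURES = [
    ("constructed-attack-1", re.compile(r"^ATTACK-ONE\b")),
    ("constructed-attack-2", re.compile(r"^ATTACK-TWO\b")),
]


def misuse_detect(payload, signatures=SIGNATURES):
    """Return the names of every signature that matches. An empty list means
    'nothing known matched', which is not the same as 'nothing wrong'."""
    return [name for name, pattern in signatures if pattern.search(payload)]


if __name__ == "__main__":
    # A sudden burst stands out against the learned baseline.
    print("burst:", run_anomaly([60]))
    # A narrow definition of normal (k=1) flags an ordinary minute: a false positive.
    print("narrow:", run_anomaly([13], k=1.0))
    # A patient, gradual rise drags an adaptive model along and never alerts...
    print("drift, adaptive:", run_anomaly([12, 14, 16, 18, 20]))
    # ...while the same rise against a frozen baseline alerts from the third minute.
    print("drift, frozen:", run_anomaly([12, 14, 16, 18, 20], learn_rate=0.0))
    # Signatures catch what they know and say nothing about what they don't.
    print("known:", misuse_detect("ATTACK-ONE payload"))
    print("new:", misuse_detect("ATTACK-THREE payload"))
```

Neither setting of the anomaly detector is a fix on its own: a frozen baseline catches the drift here but would flood an operator with alerts as soon as legitimate usage grows, and a fast-adapting one stays quiet through the drift. In practice the useful check is to compare the adaptive model against a long-term reference and alert when the two diverge, so that "normal" cannot be moved without someone noticing. The signature detector's empty result for the unknown payload is the MD-IDS limitation in the text: it reports only what its signature set already describes.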