
ICSA, Inc. An Introduction to Intrusion Detection and Assessment (for more information, call 888-396-8348)

They CANNOT intuit the contents of your organizational security policy.

Intrusion-detection expert systems increase in value when they are allowed to function both as hacker/burglar alarms and as policy-compliance engines. Used this way, an IDS can spot not only the high-school hacker executing the "teardrop" attack against your file server but also the programmer accessing the payroll system after hours. However, this policy-compliance checking can exist only if there is a written security policy to serve as a template for constructing detection signatures: the IDS cannot flag "after hours" access to payroll unless someone has told it which hosts are sensitive and which hours are permitted.

They CANNOT compensate for weaknesses in network protocols.

TCP/IP and many other network protocols do not perform strong authentication of host source/destination addresses. This means that the source address carried in the packets of an attack does not necessarily correspond to the real source of the attack. It is difficult to identify who is attacking one's system, and it is very difficult to prove the identity of an attacker in a court of law (for example, in civil or criminal legal processes).

They CANNOT compensate for problems in the quality or integrity of the information the system provides.

In other words, "garbage in, garbage out" still applies. System information sources are mined from a variety of points within the system. Despite the best efforts of system vendors, many of these sources are software-based, and as such the data are subject to alteration by attackers. Many hacker tools (for example "cloak" and "zap") explicitly target system logs, selectively erasing the records corresponding to the time of the attack and covering the intruder's tracks. This argues for the value of integrated, sometimes redundant, information sources; each additional source increases the chance of obtaining information that the attacker has not corrupted.
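The two points above (an IDS needs an explicit policy to act as a compliance engine, and redundant log sources let it notice records an intruder has erased) can be shown together in a small detection routine. This is an added example, not code from the ICSA paper: the policy table, the hosts, the users and both log extracts are constructed for illustration, and the "remote" log plays the role of a syslog copy that a tool like "zap" could not reach.

```python
"""Policy-compliance checking over redundant log sources (added example)."""
from datetime import datetime, time

# Constructed policy: the payroll host may only be used 08:00-18:00, Mon-Fri.
# Without a table like this, "after hours" is not something an IDS can intuit.
POLICY = {
    "payroll": {"start": time(8, 0), "end": time(18, 0), "weekdays": {0, 1, 2, 3, 4}},
}

# Constructed records in the form "timestamp user host action".
# The local log is what an attacker with root can edit.
LOCAL_LOG = """\
2024-03-04T09:12:00 alice payroll login
2024-03-04T17:45:00 bob payroll login
2024-03-05T10:03:00 carol fileserver login
"""

# The remote copy still holds the 22:30 record that was wiped locally.
REMOTE_LOG = """\
2024-03-04T09:12:00 alice payroll login
2024-03-04T17:45:00 bob payroll login
2024-03-04T22:30:00 bob payroll login
2024-03-05T10:03:00 carol fileserver login
"""


def parse(log_text):
    """Turn the constructed log format into (datetime, user, host, action) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return events


def policy_violations(events):
    """Return accesses to a policy-covered host outside its permitted window."""
    hits = []
    for ts, user, host, action in events:
        rule = POLICY.get(host)
        if rule is None:
            continue  # host not covered by policy: nothing to compare against
        in_window = (ts.weekday() in rule["weekdays"]
                     and rule["start"] <= ts.time() <= rule["end"])
        if not in_window:
            hits.append((ts.isoformat(), user, host, action))
    return hits


def missing_from_local(local_events, remote_events):
    """Records present in the remote copy but absent locally: likely log tampering."""
    local_set = set(local_events)
    return [e for e in remote_events if e not in local_set]


def audit(local_text, remote_text):
    """Cross-check both sources, then run the policy engine over their union."""
    local = parse(local_text)
    remote = parse(remote_text)
    erased = missing_from_local(local, remote)
    merged = sorted(set(local) | set(remote))  # erased records still get analysed
    return {
        "erased": [(e[0].isoformat(), e[1], e[2], e[3]) for e in erased],
        "violations": policy_violations(merged),
    }


if __name__ == "__main__":
    for key, value in audit(LOCAL_LOG, REMOTE_LOG).items():
        print(key, value)
```

Run against the local log alone, the policy engine reports nothing; only the comparison with the second source surfaces the erased 22:30 record, which then trips the after-hours rule. That is the practical meaning of "each additional source increases the chance of obtaining information the attacker has not corrupted".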
They CANNOT analyze all of the traffic on a busy network.

Network-based intrusion detection is capable of monitoring the traffic of a network, but only up to a point. First, because of its vantage point, a sensor that relies on a network adapter set to promiscuous mode sees only the packets that actually reach its segment, so not all traffic is visible to it. Second, as traffic levels rise, the processing load required to keep up becomes prohibitive, and the analysis engine either falls behind or fails. In fact, vendors themselves characterized 65 Mbps as the maximum bandwidth at which they had demonstrated their products operating without loss and with 100% analysis coverage.

They CANNOT always deal with problems involving packet-level attacks.

There are weaknesses in packet-capture-based network intrusion detection systems. The heart of these vulnerabilities is the difference between the IDS's interpretation of the outcome of a network transaction (based on its own reconstruction of the network session) and the destination node's actual handling of that transaction. A knowledgeable adversary can therefore send a series of fragmented and otherwise doctored packets that elude detection yet still launch an attack on the destination node. Worse yet, an adversary can use this sort of packet manipulation to mount a denial-of-service attack on the IDS itself by overflowing the memory allocated for its incoming packet queues.
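The reconstruction mismatch and the queue-exhaustion attack just described can both be reproduced with a few dozen lines. This is an added, constructed example rather than code from the paper: the overlapping fragments, the `/admin.cgi` pattern, the two overlap policies and the table size are all assumptions chosen to make the effect visible, and nothing is put on a real network. It shows how the same two fragments reassemble to different bytes depending on whether first-arriving or last-arriving data wins on overlap, and how a bounded pending-fragment table turns memory exhaustion into a countable drop.

```python
"""Fragment-reassembly ambiguity and fragment-queue exhaustion (added example).

Offsets are byte offsets within one datagram. Real TCP/IP stacks differ in how
they resolve overlapping fragments, and a sniffer-based IDS has to guess which
rule the destination host applies.
"""

SIGNATURE = b"/admin.cgi"  # hypothetical attack pattern the IDS matches on


def reassemble(fragments, policy):
    """Join (offset, payload) fragments into one byte string.

    policy="first": bytes written first win on overlap.
    policy="last":  later fragments overwrite earlier ones.
    """
    end = max(off + len(data) for off, data in fragments)
    buf = bytearray(end)
    seen = bytearray(end)  # 1 where a byte has already been written
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    return bytes(buf)


# Constructed datagram: the second fragment overlaps bytes 4..14 of the first.
EVASION = [
    (0, b"GET /index.html"),
    (4, b"/admin.cgi "),
]


def ids_verdict(fragments, ids_policy, host_policy):
    """Return (bytes the IDS reconstructed, bytes the host reconstructed, alerted)."""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return ids_view, host_view, SIGNATURE in ids_view


class FragmentTable:
    """Pending-fragment store with a hard cap on incomplete datagrams.

    An unbounded table is exactly what a flood of never-completing first
    fragments fills up; the cap makes the attack a visible drop count instead
    of an out-of-memory failure of the sensor.
    """

    def __init__(self, max_pending):
        self.max_pending = max_pending
        self.pending = {}   # datagram id -> list of (offset, data)
        self.dropped = 0

    def add(self, datagram_id, offset, data, last):
        """Queue a fragment; return the reassembled datagram when it completes."""
        frags = self.pending.get(datagram_id)
        if frags is None:
            if len(self.pending) >= self.max_pending:
                self.dropped += 1   # refuse new state rather than grow without bound
                return None
            frags = self.pending[datagram_id] = []
        frags.append((offset, data))
        if last:
            return reassemble(self.pending.pop(datagram_id), "first")
        return None


def flood(table, n):
    """Queue n first fragments that never complete; return how many were refused."""
    for i in range(n):
        table.add(("attacker", i), 0, b"x" * 8, last=False)
    return table.dropped


if __name__ == "__main__":
    print(ids_verdict(EVASION, "first", "last"))
    t = FragmentTable(max_pending=16)
    print("refused:", flood(t, 100))
```

With the IDS favouring first-arriving data and the host favouring last-arriving data, the IDS reconstructs `GET /index.html` and raises no alert while the host executes `GET /admin.cgi`; swapping the two policies produces the mirror-image false positive. Which policy a given stack uses is knowable, and a sensor that learns the reassembly behaviour of the hosts it protects closes this gap.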