ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
They CANNOT intuit the contents of your organizational security policy.

Intrusion-detection expert systems increase in value when they are allowed to function both as hacker/burglar alarms and as policy-compliance engines. These functions can not only spot the high-school hacker executing the teardrop attack against your file server, but also spot the programmer accessing the payroll system after hours. However, this policy compliance checking can exist only if there is a security policy to serve as a template for constructing detection signatures.
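The policy-compliance side of that argument, as an added example that is not from the ICSA paper: the after-hours rule below only exists because someone wrote down "payroll-db is used between 08:00 and 18:00, except by the on-call DBA", and the engine then matches audit records against that template. The log format, host names, user names and the policy itself are constructed for illustration.

```python
"""Policy-compliance rules run over sample audit-log lines.

Added example (not from the ICSA paper). The log format, host names and
the payroll access policy are all constructed for illustration.
Requires Python 3.9+ for the built-in generic annotations.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit log: "<ISO timestamp> <user> <host> <action>"
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice payroll-db login
2024-03-04T23:41:10 bob payroll-db login
2024-03-05T02:05:44 bob payroll-db query
2024-03-05T10:00:00 carol web-01 login
2024-03-05T19:30:00 dave payroll-db login
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated audit format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, action))
    return events


@dataclass
class AccessWindowPolicy:
    """One policy statement, written by the organization, not inferred by the IDS."""
    host: str
    start: time                   # inclusive
    end: time                     # exclusive
    exempt_users: frozenset[str] = frozenset()   # e.g. on-call DBAs

    def violated_by(self, ev: Event) -> bool:
        if ev.host != self.host or ev.user in self.exempt_users:
            return False
        t = ev.ts.time()
        return not (self.start <= t < self.end)


def check_policy(events: list[Event], policies: list[AccessWindowPolicy]):
    """Return (timestamp, user, host, action) for every event that breaks a policy."""
    alerts = []
    for ev in events:
        for p in policies:
            if p.violated_by(ev):
                alerts.append((ev.ts.isoformat(), ev.user, ev.host, ev.action))
    return alerts


# Constructed policy: payroll-db is business-hours only; dave is the on-call DBA.
PAYROLL_POLICY = AccessWindowPolicy(
    "payroll-db", time(8, 0), time(18, 0), frozenset({"dave"})
)

if __name__ == "__main__":
    for alert in check_policy(parse_log(SAMPLE_LOG), [PAYROLL_POLICY]):
        print("POLICY VIOLATION:", *alert)
```

Running it flags bob's two after-hours payroll-db records and nothing else; alice is inside the window, carol touches a host the policy does not cover, and dave is exempt. None of that is knowable from packets or log lines alone, which is the paper's point.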
They CANNOT compensate for weaknesses in network protocols

TCP/IP and many other network protocols do not perform strong authentication of host source/destination addresses. This means that the source address that is reflected in the packets carrying an attack does not necessarily correspond to the real source of the attack. It is difficult to identify who is attacking one's system, and it is very difficult to prove the identity of an attacker in a court of law, for example in civil or criminal legal processes.
They CANNOT compensate for problems in the quality or integrity of information the system provides

In other words, "garbage in, garbage out" still applies. System information sources are mined from a variety of points within the system. Despite the best efforts on the part of system vendors, many of these sources are software-based; as such, the data are subject to alteration by attackers. Many hacker tools (for example, cloak and zap) explicitly target system logs, selectively erasing records corresponding to the time of the attack and covering the intruder's tracks. This argues for the value of integrated, sometimes redundant, information sources; each additional source increases the possibility of obtaining information not corrupted by an attacker.
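What a redundant source buys you in practice, as an added example that is not from the ICSA paper: a network sensor's connection records cannot be edited by someone who only has a shell on the monitored host, so sessions the sensor saw but the host's own log no longer contains are the gap the log-cleaning tools leave behind. Both logs below are constructed; the host log has had the records for one source address removed.

```python
"""Cross-checking two independent sources for erased audit records.

Added example (not from the ICSA paper). Both logs are constructed:
a host authentication log from which entries have been deleted, and a
network sensor's connection log the intruder could not reach.
"""
from datetime import datetime, timedelta

HOST_ADDR = "10.0.0.20"   # constructed address of the monitored host

# Constructed sensor records: "<ISO timestamp> <src> <dst> <dst port>"
SENSOR_LOG = """\
2024-03-04T08:00:05 10.0.0.5 10.0.0.20 22
2024-03-04T08:30:12 10.0.0.6 10.0.0.20 22
2024-03-04T09:15:40 203.0.113.7 10.0.0.20 22
2024-03-04T09:16:02 203.0.113.7 10.0.0.20 22
2024-03-04T10:05:00 10.0.0.5 10.0.0.20 22
2024-03-04T10:06:00 10.0.0.5 10.0.0.20 80
"""

# Constructed host auth log; the 09:15 and 09:16 sessions have been erased.
HOST_LOG = """\
2024-03-04T08:00:06 sshd accepted user=alice from=10.0.0.5
2024-03-04T08:30:13 sshd accepted user=bob from=10.0.0.6
2024-03-04T10:05:01 sshd accepted user=alice from=10.0.0.5
"""


def parse_sensor(text: str):
    """(timestamp, src, dst, port) tuples from the constructed sensor format."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            out.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return out


def parse_host(text: str):
    """(timestamp, source address) tuples from the constructed sshd format."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, *rest = line.split()
            kv = dict(tok.split("=", 1) for tok in rest if "=" in tok)
            out.append((datetime.fromisoformat(ts), kv["from"]))
    return out


def find_unrecorded_sessions(sensor, host, window=timedelta(seconds=5)):
    """Sensor-observed SSH connections to HOST_ADDR with no host-side record
    from the same source within +/- window. Returned as (iso timestamp, src)."""
    unmatched = []
    for ts, src, dst, port in sensor:
        if dst != HOST_ADDR or port != 22:
            continue
        corroborated = any(
            hsrc == src and abs(hts - ts) <= window for hts, hsrc in host
        )
        if not corroborated:
            unmatched.append((ts.isoformat(), src))
    return unmatched


if __name__ == "__main__":
    for when, src in find_unrecorded_sessions(parse_sensor(SENSOR_LOG),
                                              parse_host(HOST_LOG)):
        print(f"{when}: SSH connection from {src} seen on the wire but absent "
              f"from the host log (possible tampering)")
```

The output names the two 203.0.113.7 sessions. A miss here is evidence, not proof: a rejected login produces a sensor record but no "accepted" entry either, so the corroborating source narrows down which records to examine rather than settling what happened. That is still far more than a single, attacker-writable log can offer.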
They CANNOT analyze all of the traffic on a busy network

Network-based intrusion detection is capable of monitoring the traffic of a network, but only to a point. First, given the vantage point of network-based intrusion detection sources that rely on network adapters set to promiscuous mode, not all packets are visible to the systems. Second, as traffic levels rise, the associated processing load required to keep up becomes prohibitive and the analysis engine either falls behind or fails. In fact, vendors themselves characterized the maximum bandwidth at which they had demonstrated their products to operate without loss, with 100% analysis coverage, as 65 Mbps.
They CANNOT always deal with problems involving packet-level attacks

There are weaknesses in packet-capture-based network intrusion detection systems. The heart of the vulnerabilities involves the difference between the IDS's interpretation of the outcome of a network transaction (based on its reconstruction of the network session) and the destination node's actual handling of that transaction. Therefore, a knowledgeable adversary can send a series of fragmented and otherwise doctored packets that elude detection but still launch attacks on the destination node. Worse yet, an adversary can use this sort of packet manipulation to accomplish a denial of service attack on the IDS itself by overflowing the memory allocated for incoming packet queues.
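Both weaknesses in that paragraph in one small reassembler, as an added example that is not from the ICSA paper. When two fragments cover the same byte with different data, the payload the IDS sees depends on which fragment it prefers, and historically end hosts have not all preferred the same one; so rather than silently picking, the reassembler below reports the ambiguity so the sensor can alert on it. It also caps the bytes buffered per datagram, which is the simplest defence against the queue-exhaustion case. The fragments, the cap and the two policy names are constructed for illustration.

```python
"""Fragment reassembly that reports ambiguous overlaps and bounds buffering.

Added example (not from the ICSA paper). Fragments are constructed byte
strings; "first" and "last" name two overlap preferences an end host might
use, which is exactly why an IDS that silently picks one can disagree with
the destination. Requires Python 3.9+ for the built-in generic annotations.
"""
from dataclasses import dataclass, field

MAX_BUFFERED = 64   # constructed per-datagram cap on buffered bytes


@dataclass
class Fragment:
    offset: int     # byte offset within the original datagram
    data: bytes


@dataclass
class Reassembler:
    max_buffered: int = MAX_BUFFERED
    frags: list[Fragment] = field(default_factory=list)
    buffered: int = 0

    def add(self, frag: Fragment) -> None:
        """Queue a fragment, refusing to grow past the per-datagram cap so a
        flood of partial datagrams cannot exhaust the sensor's memory."""
        if self.buffered + len(frag.data) > self.max_buffered:
            raise MemoryError("per-datagram reassembly buffer exceeded")
        self.frags.append(frag)
        self.buffered += len(frag.data)

    def reassemble(self, policy: str = "first") -> tuple[bytes, bool]:
        """Return (payload, ambiguous).

        policy "first" keeps the earliest data seen for a byte, "last" the
        most recent. ambiguous is True when two fragments cover the same byte
        with different values: the payload then depends on the policy, and
        the IDS cannot know that its choice matches the destination host's."""
        if not self.frags:
            raise ValueError("no fragments queued")
        if policy not in ("first", "last"):
            raise ValueError(f"unknown policy {policy!r}")
        total = max(f.offset + len(f.data) for f in self.frags)
        buf = bytearray(total)
        seen = [False] * total
        ambiguous = False
        for f in self.frags:                 # arrival order
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if seen[pos]:
                    if buf[pos] != b:
                        ambiguous = True     # conflicting overlap
                    if policy == "first":
                        continue             # keep earlier data
                buf[pos] = b
                seen[pos] = True
        if not all(seen):
            raise ValueError("hole in datagram: missing fragment")
        return bytes(buf), ambiguous


def demo_overlap():
    """Constructed overlap: bytes 2-3 arrive twice with different contents."""
    r = Reassembler()
    r.add(Fragment(0, b"ABCD"))
    r.add(Fragment(2, b"xyEF"))
    r.add(Fragment(6, b"GH"))
    return r.reassemble("first"), r.reassemble("last")


if __name__ == "__main__":
    first, last = demo_overlap()
    print("first-wins:", first)   # (b'ABCDEFGH', True)
    print("last-wins: ", last)    # (b'ABxyEFGH', True)
```

The same three fragments reassemble to two different payloads, and the `ambiguous` flag is what an IDS should act on: a datagram whose content depends on reassembly policy is a finding in itself, independent of whether either reading matches a signature. The `MemoryError` from `add` is the point where a real sensor would drop or evict rather than keep allocating.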