ICSA, Inc.
For more information, call 888-396-8348 20
An Introduction to Intrusion Detection and Assessment
They CANNOT deal with modern network hardware and features
Dealing with fragmented packets can also be problematic. This problem has serious ramifications when one considers modern high-speed ATM networks that use packet fragmentation as a means of optimizing bandwidth. Other problems associated with advances in network technologies include the effect of switched networks on packet-capture-based network intrusion detection systems. Because a switched network establishes a separate network segment for each host, the range of coverage for a network intrusion detection system is reduced to a single host. This problem can be mitigated on those switches offering monitoring ports or spanning capability; however, these features are not universal in current equipment.
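To make the fragmentation point concrete, here is a small added example (mine, not from the ICSA paper): a constructed set of IP-style fragments in which a signature straddles two fragments. A matcher that inspects each captured packet in isolation misses it, while a reassembler that rebuilds the datagram (and refuses to trust results with gaps or overlapping offsets) catches it. The signature, identification numbers and payloads are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int     # IP Identification field shared by all fragments of one datagram
    offset: int    # byte offset of this piece within the original datagram
    more: bool     # More Fragments flag: False marks the final fragment
    payload: bytes


# Constructed signature and traffic for illustration only; not a real attack string.
SIGNATURE = b"BADPATTERN"

# Datagram 1001 arrives whole; datagram 1002 is split so the signature
# straddles the fragment boundary ("BADPA" | "TTERN").
SAMPLE = [
    Fragment(1001, 0, False, b"hello BADPATTERN world"),
    Fragment(1002, 0, True, b"GET /index.html?q=BADPA"),
    Fragment(1002, 23, False, b"TTERN HTTP/1.0\r\n"),
]


def matches_per_packet(frags, sig=SIGNATURE):
    """Naive matcher: looks at each captured packet on its own."""
    return {f.ident for f in frags if sig in f.payload}


def reassemble(frags):
    """Rebuild datagrams; returns {ident: bytes} only for complete, gap-free ones."""
    groups = defaultdict(list)
    for f in frags:
        groups[f.ident].append(f)
    complete = {}
    for ident, pieces in groups.items():
        pieces.sort(key=lambda f: f.offset)
        data, expected, last_seen = b"", 0, False
        for p in pieces:
            if p.offset != expected:   # gap (offset too high) or overlap (too low)
                break                  # ambiguous datagram: do not report it
            data += p.payload
            expected += len(p.payload)
            last_seen = not p.more
        else:
            if last_seen:              # final fragment present, so datagram is whole
                complete[ident] = data
    return complete


def matches_reassembled(frags, sig=SIGNATURE):
    """Matcher that inspects reassembled datagrams rather than raw packets."""
    return {ident for ident, data in reassemble(frags).items() if sig in data}
```

Running both matchers over SAMPLE shows the difference: the per-packet matcher reports only datagram 1001, the reassembling matcher reports 1001 and 1002.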
Case Studies for Intrusion Detection and Related Products
Case 1: Integrity Analysis
In 1996, one of the early on-line web-based stock trading sites was placed in full operation, and was infiltrated by an outside attacker. The trading system consisted of approximately twenty web servers connected to a central database server. When the system manager realized that an attacker was on the loose inside the firewall, and was actively logging into the server, there was an understandable amount of alarm.
In situations like this, damage containment should be the first priority. However, in this case, shutting down or disconnecting all the web servers from the Internet was not an acceptable option. First, doing so would constitute a trading halt event, and would cause the corporation to be fined in 15-minute increments by the SEC. Second, the damage to reputation caused by a shutdown would be extremely high, as would the damage associated with the possibility of word leaking out that an intruder had successfully broken into the system.
Because the system manager had already deployed a product utilizing integrity analysis, it was possible to ascertain quickly which machines were compromised and to determine the scope of the infiltration. The customer computed that they saved about 260 hours of system administration time, in a case where each minute was valued at an extreme premium. Time is critical when an attacker is on the loose in your network.
This story ends happily. Only a fraction of the machines were compromised, and those were promptly shut down. The database server was found to be intact, which allowed the web site to continue functioning on the remaining web servers. The system administration team conducted damage eradication and recovery at a more leisurely pace.
Case 2: Vulnerability Assessment
A consulting company that does network design, security assessment and integration services is frequently called in when a company is initially establishing a network, restructuring an existing one or adding new and complex capabilities. In the words of their President, "Many companies do not realize that when Windows NT is installed out of the box, it's designed to be wide open to allow for flexible network implementations. And it's pretty difficult to get a global picture of your environment, because you have to go through a lengthy process of machine by machine, or share by share, or domain by domain. They simply do not have the training, background and expertise to know what specific rights and permissions to turn off.