
ICSA, Inc. For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment

They CANNOT deal with modern network hardware and features

Dealing with fragmented packets can also be problematic. A sensor that inspects each packet on its own never sees a signature that has been split across two or more fragments; to detect it, the sensor must first reassemble the datagram, and it must reassemble it the same way the destination host does, or an attacker can feed the two different views. This problem has serious ramifications when one considers modern high-speed ATM networks, which segment every packet into small fixed-size cells as a means of optimizing bandwidth. Other problems associated with advances in network technologies include the effect of switched networks on packet-capture-based network intrusion detection systems. Because a switch establishes a separate network segment for each host, a sensor attached to a switch port sees only the traffic addressed to that port (plus broadcasts), and the range of coverage of a network intrusion detection system is reduced to a single host. This problem can be mitigated on switches that offer monitoring (mirror) ports or spanning capability; however, these features are not universal in current equipment, and a mirror port that aggregates several full-duplex links can be oversubscribed and silently drop the very frames the sensor needs to see.

Case Studies for Intrusion Detection and Related Products

Case 1: Integrity Analysis

In 1996, one of the early on-line web-based stock trading sites was placed in full operation, and was infiltrated by an outside attacker. The trading system consisted of approximately twenty web servers connected to a central database server. When the system manager realized that an attacker was on the loose inside the firewall, and was actively logging into the server, there was an understandable amount of alarm. In situations like this, damage containment should be the first priority. However, in this case, shutting down or disconnecting all the web servers from the Internet was not an acceptable option. First, doing so would constitute a "trading halt" event, and would cause the corporation to be fined in 15-minute increments by the SEC. Second, the damage to reputation caused by a shutdown would be extremely high, as would the damage associated with the possibility of word leaking out that an intruder had successfully broken into the system.
Because the system manager had already deployed a product utilizing integrity analysis, it was possible to ascertain quickly which machines were compromised and to determine the scope of the infiltration. The customer computed that they saved about 260 hours of system administration time, in a case where each minute was valued at an extreme premium. Time is critical when an attacker is on the loose in your network. This story ends happily. Only a fraction of the machines were compromised, and those were promptly shut down. The database server was found to be intact, which allowed the web site to continue functioning on the remaining web servers. The system administration team conducted damage eradication and recovery at a more leisurely pace.

Case 2: Vulnerability Assessment

A consulting company that does network design, security assessment and integration services is frequently called in when a company is initially establishing a network, restructuring an existing one, or adding new and complex capabilities. In the words of its President, "Many companies do not realize that when Windows NT is installed 'out of the box,' it's designed to be wide open to allow for flexible network implementations. And it's pretty difficult to get a global picture of your environment, because you have to go through a lengthy process of 'machine by machine', or 'share by share', or 'domain by domain.' They simply do not have the training, background and expertise to know what specific rights and permissions to turn off.
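The fragmentation problem raised under "They CANNOT deal with modern network hardware and features" above, as an added example that is not part of the ICSA paper or of any product it mentions: a minimal IP fragment reassembler in Python. The `Fragment` class, the `SIGNATURE` pattern, the sample request and the overlapping "evasion" fragment are all constructed for this demonstration. It shows a content signature that no single fragment contains, fragments arriving out of order, and an overlapping fragment whose effect on detection depends on whether the reassembler favors the data that arrived first or last.

```python
"""Fragment reassembly for a packet-capture IDS: a signature split across IP
fragments is invisible to a matcher that inspects one packet at a time, and an
overlapping fragment can make the sensor's view differ from the host's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    ident: int      # IP Identification field, shared by all fragments of one datagram
    offset: int     # byte offset of the payload inside the datagram (the IP header stores offset/8)
    more: bool      # MF flag: True on every fragment except the last
    payload: bytes


# Hypothetical content signature for the demonstration (not a rule from any real IDS).
SIGNATURE = b"cat /etc/passwd"


def split_datagram(data: bytes, ident: int, chunk: int = 8) -> List[Fragment]:
    """Cut a datagram into fragments of `chunk` bytes (must be a multiple of 8,
    because IP fragment offsets are expressed in 8-byte units)."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [Fragment(ident, off, off + chunk < len(data), data[off:off + chunk])
            for off in range(0, len(data), chunk)]


def per_packet_match(frags: List[Fragment], signature: bytes = SIGNATURE) -> bool:
    """What a sensor without reassembly does: look at each fragment on its own."""
    return any(signature in f.payload for f in frags)


class Reassembler:
    """Rebuild datagrams from fragments that may arrive out of order or overlap.
    `favor` selects which bytes win on overlap: "old" (arrived first) or "new"."""

    def __init__(self, favor: str = "new"):
        if favor not in ("old", "new"):
            raise ValueError("favor must be 'old' or 'new'")
        self.favor = favor
        self._pending: Dict[int, List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[Tuple[bytes, bool]]:
        """Buffer one fragment. Returns (datagram, overlap_seen) once every byte
        of the datagram is present, otherwise None."""
        frags = self._pending.setdefault(frag.ident, [])
        frags.append(frag)
        result = self._assemble(frags)
        if result is not None:
            del self._pending[frag.ident]
        return result

    def _assemble(self, frags: List[Fragment]) -> Optional[Tuple[bytes, bool]]:
        last = [f for f in frags if not f.more]
        if not last:
            return None                      # total length is unknown until the MF=0 fragment arrives
        total = last[0].offset + len(last[0].payload)
        buf, covered, overlap = bytearray(total), bytearray(total), False
        for f in frags:                      # arrival order matters for the overlap policy
            end = f.offset + len(f.payload)
            if end > total:
                raise ValueError("fragment extends past the end of the datagram")
            for i in range(f.offset, end):
                if covered[i]:
                    overlap = True
                    if self.favor == "old":
                        continue             # keep the bytes that arrived first
                buf[i] = f.payload[i - f.offset]
                covered[i] = 1
        if not all(covered):
            return None                      # a hole remains; keep waiting
        return bytes(buf), overlap


def detect_stream(frags: List[Fragment], signature: bytes = SIGNATURE,
                  favor: str = "new") -> Tuple[List[int], List[int]]:
    """Feed fragments through the reassembler; return (idents whose reassembled
    datagram matched the signature, idents where overlapping fragments were seen)."""
    reasm, hits, overlaps = Reassembler(favor), [], []
    for f in frags:
        done = reasm.add(f)
        if done is None:
            continue
        datagram, overlap = done
        if overlap:
            overlaps.append(f.ident)
        if signature in datagram:
            hits.append(f.ident)
    return hits, overlaps


# Constructed sample request (not captured traffic): the signature occupies bytes 10..25,
# so with 8-byte fragments it spans three fragments and no single fragment contains it.
REQUEST = b"GET /?cmd=cat /etc/passwd HTTP/1.0\r\n"
FRAGS = split_datagram(REQUEST, ident=0x1234)
OUT_OF_ORDER = [FRAGS[i] for i in (2, 0, 4, 1, 3)]
# An attacker-inserted fragment that overlaps bytes 16..24 with different content.
EVASION = FRAGS[:3] + [Fragment(0x1234, 16, True, b"tc/shado")] + FRAGS[3:]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(FRAGS))
    print("reassembled, out of order:", detect_stream(OUT_OF_ORDER))
    print("overlap, favor new:", detect_stream(EVASION, favor="new"))
    print("overlap, favor old:", detect_stream(EVASION, favor="old"))
```

The per-packet matcher reports nothing, while the reassembler catches the signature even when the fragments arrive out of order. The overlap case is the practical caveat: with the same fragments on the wire, a sensor that favors new data sees `/etc/shado` and misses the match, while one that favors old data sees `/etc/passwd`; whichever policy the protected host's IP stack actually uses is the one the sensor must emulate, and an overlap should be flagged as suspicious in its own right, since normal stacks never produce one.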
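Case 1 above does not name the product the trading site used; the following is an added example, not that product's code, of the integrity analysis technique the case describes: a SHA-256 baseline of a file tree compared against a later snapshot to find what an intruder added, removed or altered. The web-root layout, file contents and simulated tampering are constructed for the demonstration, and `snapshot`, `compare` and `demo` are names chosen here.

```python
"""Host integrity analysis of the kind described in Case 1: hash a file tree into a
baseline, store it off the host, and later diff a fresh snapshot against it."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Dict[str, object]


def _digest(path: str) -> str:
    """SHA-256 of a file, read in blocks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Record digest, size and permission bits for every regular file under root,
    keyed by forward-slash relative path so baselines compare across hosts."""
    entries: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": _digest(full), "size": st.st_size,
                            "mode": stat.S_IMODE(st.st_mode)}
    return entries


def compare(baseline: Dict[str, Entry],
            current: Dict[str, Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) paths. A file counts as changed if any recorded
    attribute differs, so a permission-only change (a newly set setuid bit) is reported."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed


def save_baseline(entries: Dict[str, Entry], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Entry]:
    with open(path) as fh:
        return json.load(fh)


def _write(path: str, text: str) -> None:
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario (not the trading site's data): baseline a tiny web root,
    tamper with it the way an intruder might, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        cgi = os.path.join(root, "cgi-bin")
        os.makedirs(cgi)
        _write(os.path.join(root, "index.html"), "<h1>trading</h1>\n")
        _write(os.path.join(cgi, "quote.cgi"), "#!/bin/sh\necho ok\n")
        _write(os.path.join(cgi, "login.cgi"), "#!/bin/sh\nexit 0\n")
        baseline_path = os.path.join(vault, "baseline.json")  # "vault" stands in for offline storage
        save_baseline(snapshot(root), baseline_path)

        # Simulated intrusion: a same-size edit (size and mtime checks alone would miss it),
        # a deleted file, a dropped file, and a permission change with untouched content.
        _write(os.path.join(cgi, "quote.cgi"), "#!/bin/sh\necho ko\n")
        os.remove(os.path.join(cgi, "login.cgi"))
        _write(os.path.join(cgi, ".shell"), "#!/bin/sh\n/bin/sh -i\n")
        os.chmod(os.path.join(root, "index.html"), 0o4755)

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Two operational points make the difference between this and a false sense of security: the baseline must live somewhere the intruder cannot rewrite it (read-only media or another host, which is what the `vault` directory stands in for), and the comparison must be run from binaries and a Python interpreter you trust, since a compromised host may have had those replaced as well. Re-baseline immediately after legitimate changes such as patching, or every update will look like an intrusion.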