ICSA, Inc. For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment, page 22

logons for mail. This pattern is now recognized as authorized.

FREQUENTLY ASKED QUESTIONS About Intrusion Detection

What is an Intrusion Detection System?

An intrusion detection system monitors computer systems, looking for signs of intrusion (unauthorized users) or misuse (authorized users overstepping their bounds).

What does it do?

Intrusion detection systems monitor a variety of information sources from systems and analyze that information in a variety of ways. The first and most common is comparison against a large database of attack signatures, each reflecting a known attempt to bypass or nullify security protections. The second is looking for authorized users overstepping their permissions (e.g., a shipping clerk searching executive payroll records). Finally, some intrusion detection systems perform statistical analysis on the information, looking for patterns of abnormal activity that do not fall into the prior two categories (e.g., accesses that occur at strange times, or an unusual number of failed logins).

But we already have a firewall. Why do we need an intrusion detection system, too?

The firewall is the security equivalent of a fence around your property and the guard post at the front gate. It can keep the most unsavory characters out, but it cannot necessarily tell what is going on inside the compound. Intrusion detection systems are the equivalent of multi-sensor video monitoring and burglar alarm systems. They centralize this information, analyze it for patterns of suspicious behavior in much the same way a guard at a monitoring post watches the feeds from security cameras, and in some cases deal with the problems they detect. Most loss due to computer security incidents is still due to insider abuse. Intrusion detection systems, not firewalls, are capable of detecting this category of security violation. Perhaps more importantly, firewalls are subject to circumvention by a variety of well-known attacks.

What can an intrusion detection system catch that a firewall can't?

Firewalls are subject to many attacks. The two considered most worrisome are tunneling attacks and application-based attacks.

Tunneling attacks arise from how packet filtering works. A firewall filters packets and makes pass/block decisions on the network protocol a packet carries: the rules consult a table to determine whether that protocol is allowed and, if so, the packet passes. This becomes a problem when an attacker hides traffic that the firewall should screen by encapsulating it within packets of another protocol that the firewall does allow; the filter sees only the outer, permitted protocol.

Application-based attacks exploit vulnerabilities in applications by sending packets that communicate directly with those applications. For example, one could exploit a flaw in Web server software by sending an HTTP request that triggers a buffer overflow in that server. If the firewall is configured to pass HTTP traffic, the packet containing the attack passes with the rest; only something that inspects the content of the permitted traffic can notice it.
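As an added illustration of the three analyses described under "What does it do?" and of the firewall blind spot described above, here is a small Python script that is not part of the ICSA paper. Everything in it is constructed for the example: the firewall allow list, the two signature patterns (an oversized HTTP header standing in for an overflow attempt, and a directory traversal), the role policy, and all of the packet, access-log and failed-login data. It shows a protocol/port filter passing an HTTP request that a content-inspecting sensor flags, a policy check catching a clerk reading payroll, and a statistical check flagging one account's failed-login count against everyone else's.

```python
"""Added example, not from the ICSA paper: a toy pass over constructed
events showing the three IDS analyses the FAQ describes and why a
protocol/port packet filter passes an application-layer attack that
content inspection catches. The allow list, signature patterns, role
policy and all event data are constructed for this example."""
import re
import statistics
from collections import Counter

# 1. Packet filter: decides on (protocol, destination port) only and never
#    reads the payload. That is the blind spot the FAQ describes.
FIREWALL_ALLOW = {("tcp", 25), ("tcp", 80), ("tcp", 443)}  # constructed rule set

def firewall_decision(pkt):
    return "pass" if (pkt["proto"], pkt["dport"]) in FIREWALL_ALLOW else "block"

# 2. Signature database: two illustrative HTTP attack patterns (not a real
#    vendor signature set). The first is the "oversized input" shape of a
#    classic buffer overflow attempt, the second a directory traversal.
SIGNATURES = [
    ("oversized HTTP header", re.compile(rb"^[A-Za-z-]+: .{2048,}", re.M)),
    ("directory traversal in URI", re.compile(rb"(\.\./){2,}")),
]

def signature_hits(payload):
    return [name for name, rx in SIGNATURES if rx.search(payload)]

def analyze_packets(packets):
    """Firewall verdict beside what content inspection finds, per packet."""
    return [{"firewall": firewall_decision(p), "signatures": signature_hits(p["payload"])}
            for p in packets]

# 3. Authorization policy: resources each role may read (constructed).
POLICY = {"shipping_clerk": {"orders", "inventory"},
          "hr_analyst": {"orders", "payroll"}}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59

def policy_violations(access_log):
    """Authorized users overstepping their permissions (misuse)."""
    return [(user, res) for user, role, res, _ in access_log
            if res not in POLICY.get(role, set())]

def off_hours_accesses(access_log):
    """Accesses at strange times: outside business hours."""
    return [(user, res, hour) for user, _, res, hour in access_log
            if hour not in BUSINESS_HOURS]

# 4. Statistical analysis: failed logins per user against a leave-one-out
#    baseline, so one heavy attacker does not inflate the threshold that
#    is supposed to catch them.
def failed_login_outliers(failures, k=2.0):
    """Users whose failure count exceeds mean + k*stdev of everyone else."""
    flagged = []
    for user, n in failures.items():
        others = [m for u, m in failures.items() if u != user]
        if len(others) < 2:          # stdev needs at least two samples
            continue
        if n > statistics.mean(others) + k * statistics.stdev(others):
            flagged.append(user)
    return flagged

# Constructed sample events (not captured traffic or real logs).
PACKETS = [
    {"proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"},
    {"proto": "tcp", "dport": 80,            # overlong header on allowed port 80
     "payload": b"GET /index.html HTTP/1.0\r\nHost: " + b"A" * 3000 + b"\r\n\r\n"},
    {"proto": "tcp", "dport": 80,
     "payload": b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dport": 23, "payload": b"login: "},  # telnet, not allowed
]
ACCESS_LOG = [  # (user, role, resource, hour of day)
    ("alice", "shipping_clerk", "orders", 9),
    ("alice", "shipping_clerk", "payroll", 14),   # clerk reading payroll
    ("bob", "hr_analyst", "payroll", 10),
    ("bob", "hr_analyst", "payroll", 3),          # 03:00 access
]
FAILED_LOGINS = Counter({"alice": 1, "bob": 2, "carol": 1, "dave": 3,
                         "erin": 2, "frank": 40})

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, analyze_packets(PACKETS)):
        print(f"port {pkt['dport']}: firewall={verdict['firewall']} ids={verdict['signatures']}")
    print("policy violations:", policy_violations(ACCESS_LOG))
    print("off-hours accesses:", off_hours_accesses(ACCESS_LOG))
    print("failed-login outliers:", failed_login_outliers(FAILED_LOGINS))
```

Run as a script, the second and third packets come back as "pass" from the filter (port 80 is allowed) yet carry a signature hit, which is exactly the gap the FAQ is pointing at; the telnet packet is blocked by the filter alone. The multiplier k=2 and the business-hours window are arbitrary choices for the example; in practice both are tuned against the site's own baseline, and the signature list is only as good as its coverage of known attacks.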