ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
logons for mail. This pattern is now recognized as
authorized.
FREQUENTLY ASKED QUESTIONS
About Intrusion Detection
What is an Intrusion Detection System?
An intrusion detection system monitors computer systems, looking for signs of intrusion (unauthorized users) or misuse (authorized users overstepping their bounds).
What does it do?
Intrusion detection systems monitor a variety of information sources from systems and analyze this information in a variety of ways. The first and most common is to compare this information against large databases of attack signatures, each reflecting an attempt to bypass or nullify security protections. The second is to look for problems related to authorized users overstepping their permissions (e.g., a shipping clerk searching executive payroll records). Finally, some intrusion detection systems perform statistical analysis on the information, looking for patterns of abnormal activity that might not fall into the prior two categories (e.g., accesses that occur at strange times, or an unusual number of failed logins).
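The three analysis styles just described (signature matching, authorization-policy checks, and statistical anomaly detection) can be illustrated over a few constructed log lines. The following is an added example, not code from the ICSA paper or any product it surveys; the log format, the signature table, the role-to-path policy, and the thresholds are all assumptions made for the illustration.

```python
"""Three IDS analysis styles run over constructed log lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: "timestamp user action target" (not real audit data).
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice read /home/alice/notes.txt
2024-03-04T09:13:10 bob login-failed -
2024-03-04T09:13:12 bob login-failed -
2024-03-04T09:13:15 bob login-failed -
2024-03-04T09:13:18 bob login-failed -
2024-03-04T09:13:21 bob login-failed -
2024-03-04T10:02:00 carol read /finance/payroll/executives.csv
2024-03-04T03:30:00 alice read /home/alice/todo.txt
2024-03-04T11:00:00 dave exec /bin/sh -c "cat /etc/shadow"
"""

# 1. Signature database (constructed; a real product ships thousands of entries).
SIGNATURES = {
    "shadow-file-read": re.compile(r"/etc/shadow"),
}

# 2. Authorization policy: which path prefixes each role may read (constructed).
ROLE_OF = {"alice": "staff", "bob": "staff", "carol": "shipping", "dave": "staff"}
ALLOWED_PREFIXES = {
    "staff": ("/home/",),
    "shipping": ("/home/", "/shipping/"),
    "payroll": ("/home/", "/finance/payroll/"),
}

# 3. Statistical thresholds for anomaly detection (constructed).
FAILED_LOGIN_THRESHOLD = 5
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59


def parse_line(line):
    """Split one log line into (timestamp, user, action, target)."""
    ts, user, action, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, target


def analyze(log_text):
    """Return a list of (category, user, detail) alerts for the given log text."""
    alerts = []
    failed = Counter()
    for raw in log_text.splitlines():
        ts, user, action, target = parse_line(raw)

        # Style 1: compare the raw line against known-misuse signatures.
        for name, pattern in SIGNATURES.items():
            if pattern.search(raw):
                alerts.append(("signature", user, name))

        # Style 2: an authorized user reading outside their permitted paths.
        if action == "read":
            prefixes = ALLOWED_PREFIXES[ROLE_OF[user]]
            if not target.startswith(prefixes):
                alerts.append(("policy", user, target))

        # Style 3: statistical patterns, here failed-login bursts and off-hours access.
        if action == "login-failed":
            failed[user] += 1
            if failed[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("anomaly", user, "failed-login-burst"))
        elif ts.hour not in BUSINESS_HOURS:
            alerts.append(("anomaly", user, "off-hours-access"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Each alert carries the category that produced it, which is what an operator needs to triage: a policy alert is confirmed misuse by a known user, a signature alert names the attack pattern, and an anomaly alert is a statistical hint that needs a second look before action.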
But we already have a firewall; why do we need an intrusion detection system, too?
The firewall is the security equivalent of a fence around your property and the guard post at the front gate. It can keep the most unsavory characters out, but it cannot necessarily tell what is going on inside the compound. Intrusion detection systems are the equivalent of multi-sensor video monitoring and burglar alarm systems. They centralize this information, analyze it for patterns of suspicious behavior in much the same way a guard at a monitoring post watches the feeds from security cameras, and in some cases deal with the problems they detect. Most loss from computer security incidents is still due to insider abuse. Intrusion detection systems, not firewalls, are capable of detecting this category of security violation.
Perhaps more importantly, firewalls are subject to circumvention by a variety of well-known attacks.
What can an intrusion detection system catch that a firewall can't?
Firewalls are subject to many attacks. The two considered most worrisome are tunneling attacks and application-based attacks.
Tunneling attacks arise from a property of network protocols. Firewalls filter packets and make pass/block decisions based on the network protocol. Rules typically check a database to determine whether a particular protocol is allowed; if so, the packet is allowed to pass. This becomes a problem when an attacker masks traffic that should be screened by the firewall by encapsulating it within packets corresponding to another network protocol.
Application-based attacks refer to the practice of exploiting vulnerabilities in applications by sending packets that communicate directly with those applications. For example, one could exploit a problem with Web software by sending an HTTP command that exercises a buffer overflow in the web application. If the firewall is configured to pass HTTP traffic, the packet containing the attack will pass.
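The two failure modes above share one root cause: the firewall decides on the outermost protocol alone, while an intrusion detection system can unwrap encapsulated layers and look at application content. The following added example (not code from the ICSA paper or any product) models that difference with a toy packet structure; the rule base, the maximum request-line length, and the sample traffic are constructed assumptions.

```python
"""Protocol-only filtering versus layered payload inspection (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    protocol: str                     # outer protocol the firewall sees, e.g. "HTTP"
    payload: bytes = b""              # application data carried at this layer
    inner: Optional["Packet"] = None  # encapsulated packet, if this layer is a tunnel


# Constructed firewall rule base: protocol -> pass/block, nothing else is consulted.
FIREWALL_RULES = {"HTTP": "pass", "DNS": "pass", "TELNET": "block"}

# Constructed IDS limit for HTTP request lines; real products use signature databases.
MAX_REQUEST_LINE = 256


def firewall_decision(pkt: Packet) -> str:
    """Pass/block based only on the outermost protocol, as the text describes."""
    return FIREWALL_RULES.get(pkt.protocol, "block")


def unwrap(pkt: Packet):
    """Yield the packet itself and every packet encapsulated inside it."""
    while pkt is not None:
        yield pkt
        pkt = pkt.inner


def ids_alerts(pkt: Packet):
    """Return alerts for tunneled blocked protocols and oversized HTTP request lines."""
    alerts = []
    for layer in unwrap(pkt):
        # Tunneling: apply the same protocol policy to every encapsulated layer,
        # not just the outer one the firewall looked at.
        if layer is not pkt and FIREWALL_RULES.get(layer.protocol, "block") == "block":
            alerts.append(f"tunneled {layer.protocol} inside {pkt.protocol}")
        # Application-based attack: inspect HTTP content instead of trusting the port.
        if layer.protocol == "HTTP":
            request_line = layer.payload.split(b"\r\n", 1)[0]
            if len(request_line) > MAX_REQUEST_LINE:
                alerts.append(f"oversized HTTP request line ({len(request_line)} bytes)")
    return alerts


# Constructed sample traffic (no real hosts or exploit payloads).
NORMAL_HTTP = Packet("HTTP", b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n")
OVERSIZED_HTTP = Packet("HTTP", b"GET /" + b"A" * 600 + b" HTTP/1.0\r\n\r\n")
TUNNELED_TELNET = Packet("DNS", b"", inner=Packet("TELNET", b"login: "))

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_HTTP), ("oversized", OVERSIZED_HTTP),
                      ("tunneled", TUNNELED_TELNET)]:
        print(name, "firewall:", firewall_decision(pkt), "ids:", ids_alerts(pkt))
```

All three sample packets receive a "pass" from the firewall, because each has an outer protocol the rule base allows; only the inspector that walks the encapsulation and reads the HTTP request line raises alerts on the second and third.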