ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
Network-based Assessment
Network-based vulnerability assessment uses active, invasive techniques to determine whether a given system is vulnerable to a set of attacks. In network-based assessment, a variety of attack scenarios are reenacted against the target system(s), and the results are analyzed to determine the systems' vulnerability to attack. In some cases, network assessment is used to scan for network-specific problems (e.g., port scanning).
Network-based vulnerability assessment is often used for penetration testing (specifically, testing a firewall) and security auditing.
Advantages:
It finds security holes on a variety of platforms and systems
Because it is not as platform dependent as host-based vulnerability assessment, it is easy to deploy quickly
As it does not assume host-level access, it is easier to deploy from a political point of view
Disadvantages:
As it does not consider platform-specific vulnerabilities, it is often less accurate than host-based assessment
Because its probes are real traffic sent to live systems, it can affect network operations and performance
Integrated Assessment
Integrated vulnerability assessment combines active, network-based assessment with passive, host-based assessment techniques, often under a centralized management function. We note here that Windows NT environments do not recognize as crisp a policy boundary between host- and network-based access.
Advantage:
It combines the host-based advantage of improved identification of platform-specific vulnerabilities with the network-based capability to identify problems across wide ranges of affected systems and networks.
Disadvantage:
The effort required to deploy and maintain the combined assessment engines is greater.
Location of Analysis
Collecting data is the first step in vulnerability assessment; data analysis is the second. In large, complex network installations, it is helpful to organize vulnerability assessment using a console-agent architecture. This architecture is particularly helpful where networks are heterogeneous, i.e., include a wide range of operating system platforms.
Advantages:
Centralized architectures can tailor agents to specific operating system platforms, and vary the coverage and rigor of assessments based on the threat environment
Distributed architectures allow one to scan across network or NT policy domains
Disadvantages:
Distributed architectures require additional remote privileges on the networks scanned
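The following Python script is an added example, not code from the ICSA paper, and it serves both the Integrated Assessment and the Location of Analysis sections above: a toy console that tailors each agent's check list to its platform and the current threat level, and then correlates the active network-scan findings with the passive host-agent findings for the same host. All hosts, services, findings, check names and agent profiles are constructed sample data; the correlation rules (drop a network finding the host agent contradicts, raise one both views agree on) are this example's own.

```python
"""Added example, not from the ICSA paper: a small console for an integrated,
console/agent assessment. It (1) plans per-platform agent checks from a
threat-level profile and (2) correlates active network-scan findings with
passive host-agent findings for the same host. Hosts, services, findings,
check names and profiles are all constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    source: str          # "network" (active scan), "host" (agent) or "integrated"
    service: str         # subject of the finding; the correlation key with host
    detail: str
    severity: int        # 1 informational .. 4 critical
    verdict: str = "suspect"   # host agents may also say "confirmed" / "not_vulnerable"


# Hypothetical agent profiles: the console tailors each agent to its platform and
# widens coverage when the threat environment is elevated.
AGENT_PROFILES: Dict[Tuple[str, str], List[str]] = {
    ("unix", "normal"):   ["sshd_config", "world_writable_files"],
    ("unix", "elevated"): ["sshd_config", "world_writable_files", "setuid_inventory"],
    ("nt", "normal"):     ["share_acls"],
    ("nt", "elevated"):   ["share_acls", "local_administrators"],
}


def plan_agent_checks(platform: str, threat_level: str) -> List[str]:
    """Checks the console dispatches to one agent; unknown platforms get none."""
    return list(AGENT_PROFILES.get((platform, threat_level), []))


def correlate(network: List[Finding], host: List[Finding]) -> List[Finding]:
    """Merge both views per (host, service):
    - a network finding the host agent reports as not_vulnerable is dropped
      (the banner-based network view is the less accurate one);
    - a network finding the host agent confirms becomes one 'integrated'
      finding with severity raised by one: two independent observations agree;
    - everything else passes through unchanged."""
    host_view = {(f.host, f.service): f for f in host}
    merged: List[Finding] = []
    folded = set()                       # host findings already accounted for
    for nf in network:
        hf = host_view.get((nf.host, nf.service))
        if hf is None:
            merged.append(nf)
        elif hf.verdict == "not_vulnerable":
            folded.add((hf.host, hf.service))   # false positive: drop both views
        elif hf.verdict == "confirmed":
            folded.add((hf.host, hf.service))
            merged.append(Finding(nf.host, "integrated", nf.service,
                                  f"{nf.detail}; {hf.detail}",
                                  min(4, max(nf.severity, hf.severity) + 1),
                                  "confirmed"))
        else:
            merged.append(nf)
    merged.extend(f for f in host if (f.host, f.service) not in folded)
    return sorted(merged, key=lambda f: (f.host, -f.severity, f.service))


# Constructed output of one network scan and two host agents.
NETWORK_FINDINGS = [
    Finding("db1",  "network", "ssh",    "22/tcp open, banner SSH-2.0-OpenSSH_7.4", 1),
    Finding("db1",  "network", "telnet", "23/tcp open, cleartext login service", 3),
    Finding("web1", "network", "http",   "80/tcp open, banner names an old httpd release", 2),
]
HOST_FINDINGS = [
    Finding("db1",  "host", "ssh",  "sshd_config: PermitRootLogin yes", 2, "confirmed"),
    Finding("web1", "host", "http", "installed httpd package carries the vendor fix; banner is stale", 1, "not_vulnerable"),
    Finding("web1", "host", "fs",   "world-writable file under /etc", 2, "confirmed"),
]


def run_console() -> List[Finding]:
    """What the console reports after merging the constructed inputs."""
    return correlate(NETWORK_FINDINGS, HOST_FINDINGS)


if __name__ == "__main__":
    for f in run_console():
        print(f"{f.host:5} sev={f.severity} [{f.source}] {f.service}: {f.detail}")
```

With the constructed inputs the console drops web1's http finding (the host agent knows the package is patched even though the banner looks old), raises db1's ssh finding to an integrated severity-3 entry because both views agree, and passes the telnet and filesystem findings through on their own. This is the accuracy gain the Integrated Assessment section promises: the host agent corrects the network scan where the network scan is blind to platform detail.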
8. Garfinkel, Simson, and Spafford, Gene, Practical UNIX and Internet Security, Second Edition, Sebastopol, CA: O'Reilly and Associates, 1996.