
ICSA, Inc. For more information, call 888-396-8348. An Introduction to Intrusion Detection and Assessment

Network-based Assessment

Network-based vulnerability assessment uses active, invasive techniques to determine whether a given system is vulnerable to a set of attacks. In network-based assessment, a variety of attack scenarios are reenacted against the target system(s), and the results are analyzed to determine the system's vulnerability to attack. In some cases, network assessment is used to scan for network-specific problems (e.g., port scanning). Network-based vulnerability assessment is often used for penetration testing (specifically, testing a firewall) and security auditing.

Advantages:
• It finds security holes on a variety of platforms and systems
• Because it is not as platform dependent as host-based vulnerability assessment, it is easy to deploy quickly
• As it does not assume host-level access, it is easier to deploy from a political point of view

Disadvantages:
• As it does not consider platform-specific vulnerabilities, it is often less accurate than host-based assessment
• It can affect network operations and performance

Integrated Assessment

Integrated vulnerability assessment combines active, network-based assessment with passive, host-based assessment techniques, often under a centralized management function. We note here that Windows NT environments do not recognize as crisp a policy boundary between host-based and network-based access.

Advantage:
• It combines the host-based advantage of improved identification of platform-specific vulnerabilities with the network-based capability to identify problems across wide ranges of affected systems and networks.

Disadvantage:
• The effort required to deploy and maintain the combined assessment engines is greater.

Location of Analysis

Collecting data is the first step in vulnerability assessment; data analysis is the second. In large, complex network installations, it is helpful to organize vulnerability assessment using a console-agent architecture. This architecture is particularly helpful where networks are heterogeneous, i.e., with a wide range of operating system platforms.

Advantages:
• Centralized architectures can tailor agents to specific operating system platforms, and vary the coverage and rigor of assessments based on the threat environment
• Distributed architectures allow one to scan across network or NT policy domains

Disadvantages:
• Distributed architectures require additional remote privileges on the networks scanned
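As an added illustration, not taken from the ICSA paper, of why integrated assessment improves on either technique alone, the following Python merges network-scan findings with host-agent findings on a central console, per host: the agent's local view confirms or refutes what the remote scan inferred from a banner, and contributes findings no remote scan can observe. The host addresses, issue labels and both finding lists are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NetFinding:          # inferred remotely by an active network scan (e.g. from a banner)
    host: str
    port: int
    issue: str

@dataclass(frozen=True)
class HostFinding:         # checked locally by a host-based agent (package version, file mode)
    host: str
    issue: str
    vulnerable: bool       # False when the agent verified that the fix is actually present

def integrate(net_findings, host_findings):
    """Return {host: {issue: status}} combining both views of each host.

    confirmed    remote finding that the local agent also reports as vulnerable
    refuted      remote finding the local agent shows as fixed (banner false positive)
    unconfirmed  remote finding on a host for which no agent data exists
    host-only    local finding that a remote scan cannot observe at all
    """
    local = {(h.host, h.issue): h.vulnerable for h in host_findings}
    seen_remotely = {(n.host, n.issue) for n in net_findings}
    report = {}
    for n in net_findings:
        verdict = local.get((n.host, n.issue))
        status = "unconfirmed" if verdict is None else ("confirmed" if verdict else "refuted")
        report.setdefault(n.host, {})[n.issue] = status
    for h in host_findings:
        if h.vulnerable and (h.host, h.issue) not in seen_remotely:
            report.setdefault(h.host, {})[h.issue] = "host-only"
    return report

# Constructed sample data: one host with an agent, one reachable only over the network.
NET = [
    NetFinding("10.0.0.5", 25, "sendmail-old-version"),  # banner still shows the old version
    NetFinding("10.0.0.5", 21, "ftp-anonymous-login"),
    NetFinding("10.0.0.7", 80, "httpd-old-version"),     # no agent deployed on this host
]
HOST = [
    HostFinding("10.0.0.5", "sendmail-old-version", False),  # vendor backported the fix
    HostFinding("10.0.0.5", "ftp-anonymous-login", True),
    HostFinding("10.0.0.5", "world-writable-crontab", True),  # invisible from the network
]

def integrated_report():
    return integrate(NET, HOST)
```

The "refuted" and "host-only" statuses are exactly the accuracy the paper attributes to host-based data, while the "unconfirmed" entry on the agentless host shows the breadth that only the network-based scan provides.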