ICSA, Inc.
For more information, call 888-396-8348 35
An Introduction to Intrusion Detection and Assessment
Management Functions
As in intrusion detection, vulnerability-assessment products have various management functions:
Exporting data in a variety of formats (HTML, Crystal Reports, ODBC, MDB, etc.) allows system administrators and managers to use a variety of reporting tools to further analyze the results of the vulnerability assessment.
Network mapping makes it much easier to specify which hosts are to be scanned. With network mapping, targets can be selected by point and click. Without it, manually entering all the addresses of hosts to be scanned can be an arduous, time-consuming process.
The capability to tailor the coverage of an assessment to a target is an important management function. This might include the ability to configure which checks run against which targets, to add custom user-defined checks, and to configure certain parameters for individual checks.
System Integrity
As in intrusion detection, there are special security considerations associated with the design, deployment, and maintenance of vulnerability assessment products.
Protection issues: The database of security checks must be protected, so that it does not become a primer for attackers. This can be accomplished by a variety of strategies; encryption of contents is perhaps the most common. When encryption is used, however, U.S. government export control policy for encryption technologies can affect those measures available for products fielded outside the country.
As new attacks surface daily, product vendors must provide means for customers to update the lists of security checks performed by vulnerability assessment products. This update process must, itself, be protected. In distributed architectures, the communications between console and agent must be protected, and using cryptographic techniques may provide this protection.
As vulnerability assessment systems can themselves be used by attackers to identify targets, there must be countermeasures to prevent this malicious use. These measures can include the broadcast of the identification of the source address of the scanning host to the target, and strong licensing mechanisms that limit the coverage of the scanner.
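The paper says the check-list update process and the console-to-agent channel must be protected, but names no mechanism. The following is an added example, not from the ICSA paper or any product: an agent that accepts a check-list update only if its HMAC-SHA256 tag verifies under a shared key and its version is newer than the installed one, rejecting both tampered payloads and replayed old lists. The key, the update format, the check identifiers and the `CheckStore` class are all constructed for this illustration; a real vendor feed would more likely use a public-key signature.

```python
import hmac
import hashlib
import json

# Constructed demo key; a fielded product would distribute keys out of band.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def _tag(version: int, payload: bytes) -> bytes:
    # Bind the version into the MAC so an old payload cannot be
    # re-labelled with a newer version number.
    return hmac.new(UPDATE_KEY, version.to_bytes(4, "big") + payload,
                    hashlib.sha256).digest()


def package_update(version: int, checks: list) -> dict:
    """Console/vendor side: serialize the check list and attach version + tag."""
    payload = json.dumps(checks, sort_keys=True).encode()
    return {"version": version, "payload": payload,
            "tag": _tag(version, payload).hex()}


class CheckStore:
    """Agent-side store of security checks; accepts only authentic, newer updates."""
    def __init__(self):
        self.version = 0
        self.checks = []

    def apply_update(self, update: dict) -> bool:
        expected = _tag(update["version"], update["payload"])
        # Constant-time comparison so verification leaks no timing information.
        if not hmac.compare_digest(expected, bytes.fromhex(update["tag"])):
            return False          # tampered payload, or wrong key
        if update["version"] <= self.version:
            return False          # replay/rollback to an older check list
        self.checks = json.loads(update["payload"])
        self.version = update["version"]
        return True


def demo() -> dict:
    """Genuine update, tampered update, and replayed old update against one agent."""
    store = CheckStore()
    v1 = package_update(1, [{"id": "chk-001", "desc": "anonymous FTP enabled"}])
    v2 = package_update(2, [{"id": "chk-001", "desc": "anonymous FTP enabled"},
                            {"id": "chk-002", "desc": "default SNMP community"}])
    tampered = dict(v2, payload=v2["payload"].replace(b"SNMP", b"SNMQ"))
    results = {"v1": store.apply_update(v1),
               "tampered": store.apply_update(tampered),
               "v2": store.apply_update(v2),
               "replay": store.apply_update(v1)}
    results.update(final_version=store.version, check_count=len(store.checks))
    return results
```

Running `demo()` applies version 1, rejects the altered version 2, applies the genuine version 2, and then refuses the replayed version 1 even though its tag is valid.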
SUMMARY AND CONCLUSION
Wide range of goals for product users
Users of intrusion detection products span public and private institutions, running the gamut of industries. The goals realized by users of intrusion detection systems include:
Support of internal audit
Control of liability exposure
Incident handling and investigative support
Improved damage assessment and recovery
Improved security management process
Discovery of new problems/issues before damage occurs
Documentation of compliance with legal and statutory requirements
Recovery of systems suffering security violations