
An Introduction to Intrusion Detection and Assessment
ICSA, Inc. For more information, call 888-396-8348

Management Functions

As in intrusion detection, vulnerability-assessment products have various management functions:

• Exporting data in a variety of formats (HTML, Crystal Reports, ODBC, MDB, etc.) allows system administrators and managers to utilize a variety of reporting tools to further analyze the results of the vulnerability assessment.
• Network mapping makes it much easier to specify which hosts are to be scanned. With network mapping, one can do this by point-and-click selection of targets. Without it, manually entering all the addresses of hosts to be scanned can be an arduous, time-consuming process.
• The capability to tailor the coverage of an assessment to a target is an important management function. This might include the ability to configure which checks run against which targets, to add custom user-defined checks, and to configure certain parameters for individual checks.

System Integrity

As in intrusion detection, there are special security considerations associated with the design, deployment, and maintenance of vulnerability assessment products.

• Protection issues: The database of security checks must be protected, so that it does not become a primer for attackers. This can be accomplished by a variety of strategies; encryption of contents is perhaps the most common. When encryption is used, however, U.S. government export control policy for encryption technologies can affect those measures available for products fielded outside the country.
• As new attacks surface daily, product vendors must provide means for customers to update the lists of security checks performed by vulnerability assessment products. This update process must, itself, be protected.
In distributed architectures, the communications between console and agent must be protected, and using cryptographic techniques may provide this protection.

• As vulnerability assessment systems can themselves be used by attackers to identify targets, there must be countermeasures to prevent this malicious use. These measures can include the broadcast of the identification of the source address of the scanning host to the target, and strong licensing mechanisms that limit the coverage of the scanner.

SUMMARY AND CONCLUSION

Wide range of goals for product users

Users of intrusion detection products span public and private institutions, running the gamut of industries. The goals realized by users of intrusion detection systems include:

• Support of internal audit
• Control of liability exposure
• Incident handling and investigative support
• Improved damage assessment and recovery
• Improved security management process
• Discovery of new problems/issues before damage occurs
• Documentation of compliance with legal and statutory requirements
• Recovery of systems suffering security violations
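The licensing and source-identification countermeasures described under System Integrity above, sketched as an added example that is not part of the ICSA paper or any product's code: a scanner front end that only accepts targets inside the networks named in an integrity-protected license and attaches a notice naming the scanning host to each permitted target. All names, the license layout and the addresses are assumptions constructed for illustration, and an HMAC with a shared key stands in for a vendor's public-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import ipaddress
import json

# Assumption: demo key; a real product would verify a vendor public-key signature.
VENDOR_KEY = b"constructed-demo-key"


def issue_license(networks, key=VENDOR_KEY):
    """Vendor side: bind the licensed coverage to an integrity tag."""
    body = json.dumps({"licensed_networks": networks}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_license(lic, key=VENDOR_KEY):
    """Scanner side: reject a license whose coverage was edited after issue."""
    expected = hmac.new(key, lic["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lic["tag"]):
        raise ValueError("license tag mismatch")
    nets = json.loads(lic["body"])["licensed_networks"]
    return [ipaddress.ip_network(n) for n in nets]


def plan_scan(targets, lic, scanner_addr):
    """Split requested targets into permitted and refused before any probe is sent."""
    nets = load_license(lic)
    allowed, refused = [], []
    for t in targets:
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            refused.append((t, "not an IP address"))
            continue
        if any(addr in n for n in nets):
            # Notice identifying the scanning host, to be sent to the target.
            notice = f"vulnerability assessment from {scanner_addr}"
            allowed.append({"target": str(addr), "announce": notice})
        else:
            refused.append((t, "outside licensed coverage"))
    return allowed, refused


if __name__ == "__main__":
    demo = issue_license(["192.0.2.0/24"])  # constructed documentation range
    print(plan_scan(["192.0.2.10", "198.51.100.7"], demo, "192.0.2.250"))
```

Refused targets are returned with a reason so the console can log attempts to scan outside the licensed coverage.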