21.3 ALTERNATIVE APPROACHES AND TECHNOLOGIES

Given the difficulties of performing formal risk analyses, IT security professionals are looking into alternative approaches and technologies to manage the relevant risks. The two most promising are security scanning, which performs vulnerability analyses, and intrusion detection, which identifies and responds to potentially malicious activities. One major difference between the two lies in when they run: a security scanner runs only when it is started (i.e., it is rarely run all of the time), whereas intrusion detection tools and products are designed to run in real time and to constantly monitor systems and networks for possible attacks [4]. Security scanning and intrusion detection are outlined and briefly discussed next.

21.3.1 Security Scanning

The term security scanning refers to the process of performing vulnerability analyses, whereas the term security scanner refers to a tool that automates such analyses. In essence, a security scanner holds a database of known vulnerabilities in operating systems and their configurations. Each system can be compared against this database to detect and identify the vulnerabilities that apply to it.

Security scanners can be partitioned into host-based scanners and network-based scanners:

  • A host-based scanner runs on a system and looks into the configuration of the system from the inside. For example, a host-based scanner can check whether files that contain user authentication information (e.g., user passwords) can be read by nonprivileged processes.

  • By contrast, a network-based scanner runs on one system and examines the configuration of other systems from the outside, over the network. For example, a network-based scanner can check which systems are reachable and which services are listening on the ports of these systems.

Ideally, a scanner is both host-based and network-based, meaning that it can take into account information available on either side. As of this writing, many security scanners are commercially or freely available on the Internet. The most widely used and deployed security scanners on the Internet are developed and marketed by Internet Security Systems, Inc.[4] In addition, many security scanners are publicly and freely available on the Internet. For example, the Nessus security scanner was developed in an open source project of the same name.[5]
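The host-based check described above (files holding authentication data that nonprivileged processes can read), as an added example that is not code from any scanner product mentioned in the text. It inspects file mode bits only, and builds its own constructed directory with one private and one exposed file so it runs stand-alone on a POSIX system:

```python
import os
import stat
import tempfile

# Added illustration of a host-based scanner check: report files whose
# contents can be read by users other than the owner. Mode bits are the
# evidence; a real scanner would also consider ACLs and process context.

def readable_by_others(path):
    """Return the findings for `path` (empty list means owner-only access)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def scan_sensitive_files(paths):
    """Map each path to its findings; paths without findings are omitted."""
    report = {}
    for path in paths:
        findings = readable_by_others(path)
        if findings:
            report[path] = findings
    return report

def build_demo_tree():
    """Constructed input: a private file and an exposed copy of the same data."""
    root = tempfile.mkdtemp(prefix="hostscan-demo-")
    private = os.path.join(root, "shadow-like")
    exposed = os.path.join(root, "credentials-copy")
    for name in (private, exposed):
        with open(name, "w") as fh:
            fh.write("user:hashed-secret-placeholder\n")  # placeholder, not a real hash
    os.chmod(private, 0o600)   # owner may read and write, nobody else
    os.chmod(exposed, 0o644)   # every local user may read this file
    return private, exposed

if __name__ == "__main__":
    private, exposed = build_demo_tree()
    for path, problems in scan_sensitive_files([private, exposed]).items():
        print(f"{path}: {', '.join(problems)}")
```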

21.3.2 Intrusion Detection

According to [5], an intrusion refers to "a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats to a target computing or networking domain," and the term intrusion detection refers to the process of identifying and responding to intrusions.

There are many tools that can be used to automate intrusion detection. These tools are commonly referred to as intrusion detection systems (IDSs). Although the research community has been actively designing, developing, and testing IDSs for more than a decade, corresponding products have only recently received wider market interest. Furthermore, the IETF has chartered an Intrusion Detection Exchange Format (IDWG) WG "to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them." Refer to the IDWG's home page[6] to get more information about the relevant Internet-Drafts and RFC documents.

There are basically two technologies that can be used to implement an IDS: attack signature recognition and anomaly detection.

  • Using attack signature recognition, an IDS relies on a database of known attack patterns (or attack signatures) and an engine that uses this database to detect and recognize attacks. The database can be either local or remote. In either case, the quality of the IDS is only as good as the database, its attack patterns, and the engine that makes use of them. The situation is comparable to that of antivirus software (i.e., the database must be updated on a regular basis).

  • Using anomaly detection, an IDS relies on a database holding a formal representation of "normal" (or "normal-looking") user activities and an engine that uses this database to detect and recognize attacks. For example, if a user almost always starts up his or her e-mail user agent after having successfully logged onto a system, the IDS's engine may become suspicious if he or she starts a Telnet session to a trusted host first. The reason for this activity may be an attacker misusing the account to gain illegitimate access to a remote system. Again, the database can be either local or remote, and the quality of the IDS is only as good as the database and its statistical material.

As with scanners, it is possible to combine both technologies in one IDS. More information about intrusion detection technologies and commercially available IDSs that employ them can be found in [5-9].
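The two IDS technologies just described, as one added example that is not code from any IDS product or reference cited on this page: a small signature engine (pattern database plus matcher) beside a small anomaly engine that learns each user's usual first action after login and flags a session that departs from it, as in the e-mail-agent versus Telnet example. The signature patterns and the training sessions are constructed for illustration:

```python
import re
from collections import Counter, defaultdict

# Signature database (constructed, illustrative): name -> pattern matched
# against a raw event line. Like the text says, detection is only as good
# as this database, so a real deployment keeps it updated.
SIGNATURES = {
    "directory-traversal": re.compile(r"(\.\./){2,}"),
    "setuid-shell-request": re.compile(r"chmod\s+[ug]\+s\s+\S*sh\b"),
}

def match_signatures(line):
    """Signature engine: names of every pattern that occurs in `line`."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(line)]

def build_profile(sessions):
    """Anomaly engine, learning phase: per user, how often each action came first."""
    profile = defaultdict(Counter)
    for user, actions in sessions:
        if actions:
            profile[user][actions[0]] += 1
    return profile

def is_anomalous(profile, user, actions, min_fraction=0.1):
    """Flag a session whose first action is rare (< min_fraction) for this user.

    A user with no recorded baseline is flagged too: there is nothing to
    compare against, which is itself worth an analyst's attention."""
    seen = profile.get(user)
    if not seen or not actions:
        return True
    return seen[actions[0]] / sum(seen.values()) < min_fraction

# Constructed training data: alice opens her mail agent first 9 times out of 10.
TRAINING = [("alice", ["mail", "browser"])] * 9 + [("alice", ["editor", "mail"])]

if __name__ == "__main__":
    for line in ["GET /../../../etc/passwd HTTP/1.0", "GET /index.html HTTP/1.0"]:
        print(f"{line!r}: {match_signatures(line) or 'no signature match'}")
    profile = build_profile(TRAINING)
    for session in (["mail", "browser"], ["telnet trusted-host", "mail"]):
        print(f"alice {session}: {'ANOMALY' if is_anomalous(profile, 'alice', session) else 'normal'}")
```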

[4]http://www.iss.net/

[5]http://www.nessus.org/

[6]http://www.ietf.org/html.charters/idwg-charter.html

Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144