Host Intrusion Detection System Administrator's Guide Release 3.0
Overview
Why Do You Need Intrusion Detection?
Exploitation of Critical Infrastructure Elements
As more business is done over the Internet, more trust is placed in critical infrastructure
elements: the routers, hubs, and web servers that move data around the net, and the DNS
name servers that let users reach www.mycompany.com from their browsers. A DNS server is
a computer that maps a name such as www.mycompany.com to an Internet address such as
10.2.3.4. By attacking these infrastructure services, an attacker can bring your whole
organization to its knees. Attackers do not always have to steal your information to hurt
you: simply making your systems unavailable causes losses, both financial and in
credibility within your industry.
Misconfigured Software and Hardware
It may seem obvious, but if you misconfigure a critical piece of software or hardware, you
open yourself up to many security problems. This is a particular problem with firewalls,
where the rule sets are complex: one missing or misordered rule can leave your whole
internal network open to attack. Another example is a network where the system
administrator has not taken the time to put even simple security measures in place.
Excessive Privilege for Simple Tasks
Code that runs with privilege (as root on UNIX systems, or as Administrator on
Windows NT systems) is particularly dangerous because a simple bug can have major
impact. Most security problems are found in code that runs with privilege and is poorly
designed. Moreover, most code runs with more privilege than it needs to accomplish its
task. Often a site will install its web server to run as root, granting it far greater
privilege than it needs to serve web pages and CGI scripts. A web server needs root only
to bind a privileged port such as 80 and to read protected configuration; after that it
should drop to an unprivileged account. A web server that keeps running as root is a
prime target for an attacker: by exploiting a vulnerability in any CGI script it runs,
the attacker gains full root privileges on your system.
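To make the privilege-dropping sequence concrete, here is an added example (not code from the HP-UX HIDS guide or product) of a daemon that takes root only to bind port 80 and then drops permanently to an unprivileged account before handling any request. The service account name www and the helper names are assumptions of this example; running it stand-alone requires root because of the port-80 bind.

```c
/* Feature macro so glibc declares setgroups() under strict -std flags. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Report whether this process currently holds root (effective uid 0). */
int running_as_root(void)
{
    return geteuid() == 0;
}

/* Drop from root to the given unprivileged uid/gid, permanently.
 * Order matters: clear supplementary groups and set the gid while still
 * root, then set the uid last, because once the uid has changed the process
 * can no longer change its groups.
 * Returns 0 on success, -1 (errno set) on failure or if the drop turned out
 * to be reversible. If the process is not root to begin with there is nothing
 * to drop, so it only verifies that the ids already match the target. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!running_as_root()) {
        if (getuid() == uid && getgid() == gid)
            return 0;
        errno = EPERM;
        return -1;
    }
    if (setgroups(0, NULL) != 0) return -1;   /* supplementary groups first */
    if (setgid(gid) != 0) return -1;          /* gid while still root */
    if (setuid(uid) != 0) return -1;          /* uid last: real, effective, saved */

    /* Verify the drop cannot be undone: a lingering saved-set-id would let
     * the process (or an attacker inside it) climb back to root. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    if (gid != 0 && setgid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Sketch of a daemon that needs root only to bind port 80. */
int main(void)
{
    const char *unpriv_user = "www";  /* assumed unprivileged service account */
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(80);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("bind port 80 (needs root)");
        return 1;
    }

    /* Privileged work is finished: drop to the service account before
     * touching any request data or running CGI scripts. */
    struct passwd *pw = getpwnam(unpriv_user);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", unpriv_user);
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;   /* refuse to serve as root rather than continue */
    }
    printf("listening on port 80 as uid %d gid %d\n", (int)getuid(), (int)getgid());
    /* ... accept() and serve requests here, now without root ... */
    close(fd);
    return 0;
}
```

The point of the final check in drop_privileges() is that setuid() on its own is not proof of anything: if the saved set-user-ID still holds 0, a CGI script compromised later can simply call setuid(0) again. Refusing to serve when the drop fails is the safe default; serving as root "just this once" is exactly the exposure the text describes.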
Being Used as a Springboard to Attack the Next Victim
Even if you are not attacked yourself, your company systems can be used to launch an
attack on other victims elsewhere on the Internet.
Why Existing Tools Are Only Part of the Solution
A number of technologies have emerged as potential solutions to the various security
problems faced by companies. Firewalls, encryption, and security auditing tools each
address part of the problem, but none of them covers it alone. After reading this section,
you will understand how HP-UX HIDS complements these existing technologies.
Firewalls
A firewall is a system that is placed between two networks to control what traffic is
allowed between those networks. A firewall is usually placed between the Internet and
your internal intranet. It can be viewed as a useful point of policy enforcement through
which you can decide what network traffic is and is not permitted to and from your
organization. When deployed correctly (itself a difficult task in a complex business
environment), a firewall is an efficient tool to prevent attacks on your critical systems
and data. However, a firewall at the Internet boundary sees only the traffic that crosses
that boundary, so it cannot protect you against an attack on your systems launched from
inside your organization. Often, it cannot stop an attacker who is already inside your
organization from attacking systems on the Internet either (you may be used as a
springboard to attack the next victim).