Host Intrusion Detection System Administrator's Guide Release 3.0

Overview
Why Do You Need Intrusion Detection?
Chapter 1
A further complication in deploying a firewall is that it is difficult to establish clearly
where the boundary exists between inside and outside. At one time it was obvious that
the Internet was outside and the intranet was inside. However, more and more
corporations are joining their intranets in multiple-partner arrangements, often termed
extranets. A firewall becomes difficult to deploy in an extranet environment; if inside
and outside have been joined together, where can you draw the line and place your
firewall? In such an environment, some form of continuous security monitoring tool is
needed to ensure that critical systems are not being abused and valuable data is not
being pilfered by your erstwhile partners.
Encryption
Encryption is a mathematical technique that prevents the unauthorized reading and
modification of data. It does this in such a way that the intended recipients of the data
can read it, but no intermediate party can read or alter the data. It also allows
authentication of the sender of a message: is the claimed sender really the person who
sent the message?
In any well-designed cryptographic system, the heart of the security is the key that is
used to encrypt the message. Knowing the key allows you to decrypt any message, alter
it, and retransmit it to the sender. Even if the inner workings of the encryption software
are known completely, without knowing the key you cannot read or alter messages.
The problem with relying on encryption lies in the old adage that a chain is only as
strong as its weakest link. In this case, the weakest link is not the encryption technology
but the systems on which the key is stored. After all, how can you be sure the program
you are using to encrypt your data hasn't saved your key to a temporary file on your
disk, from which an attacker can later retrieve it? If attackers gain access to your key,
not only can they decrypt your data, they can impersonate you and send messages
that appear to be signed by you.
Encryption does not protect your data while it is in the clear (not encrypted) as you
process it (for example, preparing a document for printing). Moreover, encryption cannot
protect your systems against denial of service attacks. So despite the advantages in the
space of privacy and authentication that encryption brings, it is still only part of an
overall security solution.
Security Auditing Tools
A security auditing tool probes your systems and networks for potential vulnerabilities
that an attacker could exploit, and generates a report identifying holes and
recommending fixes. Of course, the assumption is that once you find the holes, you will
quickly patch them before they are exploited. If it is used in this fashion, and run
regularly, a security auditing tool can be a very valuable weapon against attackers.
But how regularly should you run the tool? Attacks can occur at any point in the day; an
attacker can penetrate your systems, cover up their tracks, and install a variety of
back doors, all within a matter of minutes. Running your tools every hour gives attackers
a very large window of opportunity to exploit your systems, steal your data, and cover
their tracks before you ever detect them. Clearly, if some form of continuously
running security audit tool were available, life would be much simpler and your systems
more secure. This brings us to the need for an Intrusion Detection System.