Host Intrusion Detection System Administrator's Guide Release 3.1
Overview
Importance of Intrusion Detection
Chapter 1
7
A further complication in deploying a firewall is that it is difficult to establish clearly
where the boundary exists between inside and outside. At one time it was obvious that
the Internet was outside and the intranet was inside. However, more and more
corporations are joining their intranets in multiple-partner arrangements, often termed
extranets. A firewall becomes difficult to deploy in an extranet environment; if inside
and outside have been joined together, where can you draw the line and place your
firewall? In such an environment, some form of continuous security monitoring tool is
needed to ensure that critical systems are not being abused and valuable data is not
being pilfered by your erstwhile partners.
Encryption
Encryption is a mathematical technique that prevents unauthorized reading and
modification of data. With encryption, the intended recipients of the data can read it, but
no intermediate recipient can read or alter the data. Cryptography also authenticates the
sender of a message (for example, with a digital signature): it ensures that the claimed
sender is, in reality, the actual sender of the message.
In any well-designed cryptographic system, the heart of the security is the key that is
used to encrypt the message. Knowing the key allows the hacker to decrypt any message,
alter it, and retransmit it to the intended recipient. Even if the inner workings of the
encryption software are known completely, without the key the hacker cannot read or alter
messages.
The problem with relying on encryption is that the surrounding system remains vulnerable.
In this case, the weakest link is not the encryption technology but the systems on which
the key is stored. After all, how can you be sure the program you are using to encrypt
your data has not saved your key to a temporary file on your disk, from which an attacker
can later retrieve it? If attackers gain access to your key, not only can they decrypt your
data, they can impersonate you and send messages that appear to be signed by you.
Encryption does not protect your data while it is in the clear (not encrypted) as you
process it (for example, preparing a document for printing). Moreover, encryption cannot
protect your systems against denial of service attacks. Despite all the advantages of
encryption, it is only part of the overall solution.
Security Auditing Tools
A security auditing tool probes your systems and networks for potential vulnerabilities
that an attacker could exploit, and generates a report that identifies holes and
recommends fixes. When the system administrator finds such holes, the administrator is
expected to patch them quickly before they are exploited. If a security audit tool is run
regularly, it is a valuable weapon against security threats and attacks.
Attacks can occur at any point in the day; an attacker can penetrate your systems, cover
their tracks, and install a variety of back doors, all within a matter of minutes. Running
your tools only every hour gives attackers a very large window of opportunity to exploit
your systems, steal your data, and cover their tracks before you ever detect them. It is
obvious that if some form of continuously running security audit tool were available, life
would be much simpler and your systems more secure. This brings us to the need for an
Intrusion Detection System.
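To make the argument above concrete, the following is an added example (not code from this guide or from the HP product) of the kind of check a continuously running tool performs: it records a baseline of file digests and, on each pass, reports what was added, removed or modified. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(root))] = digest
    return baseline


def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: files change between two passes of the monitor."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "login").write_bytes(b"original login program")
        Path(root, "etc").mkdir()
        Path(root, "etc", "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        before = snapshot(root)
        # Simulated intrusion between passes: one binary replaced, one file dropped
        Path(root, "bin", "login").write_bytes(b"replaced login program")
        Path(root, "bin", "extra").write_bytes(b"unexpected new file")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    # A periodic audit that runs after the attacker has restored the files would
    # see nothing; a monitor that keeps the baseline still reports the change.
    print(demo())
```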