HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Security Auditing Tools
A security auditing tool probes systems and networks for potential vulnerabilities that
attackers can exploit, generates a report identifying holes, and recommends fixes.
Whenever the system administrator finds such holes, he or she must quickly patch them
before they are exploited. Run regularly, a security audit tool is a valuable way to
handle security threats and attacks.
Attacks can occur at any point in the day; an attacker can penetrate a system, cover up
their tracks, and install a variety of ways to re-enter the system easily and quickly.
Running auditing tools only every hour gives attackers a good opportunity to exploit your
system before you ever detect them. Clearly, if some form of continuously running
security audit tool is available, it is easier to monitor systems and make them more
secure. An intrusion detection system provides this type of security.
Intrusion Detection Technology
Intrusion detection can be summarized quite simply: after you have erected the barbed
wire fence, an intrusion detection system is like adding closed circuit TV cameras so
that security guards can monitor the facilities to forestall an attack.
Intrusion detection detects illegal and improper use of computing resources by
unauthorized people, before such misuse results in excessive damage. This detection
system constantly monitors critical systems and data to protect them from attacks.
An intrusion detection system (IDS) monitors user and system activity to detect patterns
of misuse that can correspond to security violations. Monitoring is automatic and
constant on all the systems on which the IDS is deployed. It imposes a low overhead
on the systems and network, so as not to disrupt your business activities. In addition,
an IDS can monitor a server machine, a whole network, or even an application (such
as a database or web server).
Before attacking your systems, an attacker needs to identify potential vulnerabilities
that can be exploited to subvert your system's security. A vulnerability is a feature of
the implementation or operation of a computer system or network that leaves it open
to subversion by an unauthorized (or authorized) user. Having identified a vulnerability
to exploit, the attacker then creates an attack script, which is often just a shell script or
simple program that performs a series of fixed steps to exploit the vulnerability. Often
the script that the attacker needs has already been written and is available on a website,
in which case the attacker’s job is much easier.
Despite the multitude of attacks that are known and reported, many are small
variations on a theme. In several situations, attackers reuse shell scripts from
previous attacks. What follows is usually a flood of attacks that exhibit common patterns
and follow similar steps. Given a specific attack, you can codify it, expressing it in terms
that an IDS can use. HP-UX HIDS uses the concept of a detection template to express
some fundamental aspect of an attack that distinguishes it from legitimate behavior,
thereby permitting detection.
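The following is an added illustration, not part of this guide and not HP-UX HIDS's own detection template format, of what "codifying an attack" means in practice: each rule captures one feature that separates misuse from legitimate activity (a write to a critical file by a user who is not root; a burst of failed logins followed by a success) and is run over a constructed set of audit records. The record layout, the field names, the critical-path list and the thresholds are all assumptions made for the example.

```python
"""Toy detection templates run over constructed audit records.

This is a generic stand-in written for illustration; it is not the HP-UX HIDS
template format, and the record layout below is invented for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    time: int      # seconds since an arbitrary epoch (constructed)
    user: str
    action: str    # one of: login_fail, login_ok, write, exec
    target: str    # tty for logins, path for file operations


# Constructed sample audit records, one per line: time user action target
SAMPLE_AUDIT = """\
100 alice login_ok pts/1
105 alice write /home/alice/notes.txt
200 mallory login_fail pts/2
203 mallory login_fail pts/2
206 mallory login_fail pts/2
209 mallory login_fail pts/2
212 mallory login_fail pts/2
215 mallory login_ok pts/2
220 mallory write /etc/passwd
230 root write /etc/passwd
"""

# Assumed: paths an administrator would treat as critical on this host.
CRITICAL_PREFIXES = ("/etc/", "/sbin/", "/usr/sbin/")
PRIVILEGED_USERS = {"root"}


def parse_audit(text):
    """Parse the whitespace-separated records into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        t, user, action, target = line.split(maxsplit=3)
        events.append(Event(int(t), user, action, target))
    return events


def rule_critical_file_write(events):
    """Template 1: a write to a critical file by a non-privileged user.

    Legitimate administration happens as root, so the distinguishing
    feature of this misuse is the identity of the writer, not the write itself.
    """
    return [f"{e.time}: {e.user} wrote {e.target}"
            for e in events
            if e.action == "write"
            and e.target.startswith(CRITICAL_PREFIXES)
            and e.user not in PRIVILEGED_USERS]


def rule_bruteforce_then_login(events, threshold=5, window=60):
    """Template 2: at least `threshold` login failures within `window`
    seconds, followed by a successful login for the same user.

    A single typo is legitimate behaviour; the pattern that marks an attack
    is the failure burst immediately preceding the success.
    """
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e.action == "login_fail":
            failures[e.user].append(e.time)
        elif e.action == "login_ok":
            recent = [t for t in failures[e.user] if e.time - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"{e.time}: {e.user} logged in after {len(recent)} failures")
            failures[e.user].clear()
    return alerts


def run_templates(text):
    """Apply every template to the audit text and return all alerts."""
    events = parse_audit(text)
    return rule_critical_file_write(events) + rule_bruteforce_then_login(events)


if __name__ == "__main__":
    for alert in run_templates(SAMPLE_AUDIT):
        print("ALERT", alert)
```

Both templates fire on mallory and stay silent on alice and root: the threshold and window are the knobs an administrator tunes to trade false alarms against missed events, which is the same trade-off a real template exposes.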
Importance of Intrusion Detection 25