HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Encryption does not protect data while it is in the clear (not encrypted) as you process it, for
example, preparing a document for printing. Moreover, encryption cannot protect your systems
against denial-of- service attacks. Despite all the advantages of encryption, it is only part of an
overall security solution.
Security Auditing Tools
A security auditing tool probes systems and networks for potential vulnerabilities that attackers can
exploit, generates a report identifying holes and recommends fixes. Whenever the system
administrator finds the holes, he or she must quickly patch them before they are exploited. If a
security audit tool used is executed or run regularly, it is a valuable tool to handle security threats
or attacks.
Attacks can occur at any point in the day; an attacker can penetrate a system, cover up the tracks,
and install a variety of ways to re-enter the system easily and quickly. Running auditing tools every
hour gives attackers a good opportunity to exploit your system, before you ever detect them. It is
obvious that if some form of continuously running security audit tool is available, it is easier to
monitor systems and make them more secure. An intrusion detection system provides this type of
security.
Intrusion Detection Technology
Intrusion detection can be summarized quite simply: after you have erected the barbed wire fence,
an intrusion detection system is like adding closed circuit TV cameras so that security guards can
monitor the facilities to forestall an attack.
Intrusion detection detects illegal and improper use of computing resources by unauthorized people,
before such misuse results in excessive damage. This detection system constantly monitors critical
systems and data to protect them from attacks.
An intrusion detection system (IDS) monitors user and system activity to detect patterns of misuse
that can correspond to security violations. Monitoring is automatic and constant on all the systems
on which the IDS is deployed. It imposes a low overhead on the systems and network, so as not
to disrupt your business activities. In addition, an IDS can monitor a server machine, a whole
network, or even an application (such as a database or web server).
Before attacking your systems, an attacker needs to identify potential vulnerabilities that can be
exploited to subvert your system’s security. A vulnerability is a feature of the implementation, or
operation of a computer system or network that leaves it open to subversion by an unauthorized
(or authorized) user. Having identified a vulnerability to exploit, the attacker then creates an attack
script, which is often just a shell script or simple program that performs a series of fixed steps to
exploit the vulnerability. Often the script that the attacker needs has already been written and is
available on a website, in which case the attacker’s job is much easier.
Despite the multitude of attacks that are known and reported, there can be small variations on a
theme. In several situations, attackers can use shell scripts used in previous attacks. What follows
is usually a flood of attacks that exhibit common patterns and follow similar steps. Given a specific
attack, you can codify it to express it in terms that an IDS can use. HP-UX HIDS uses the concept
of a detection template to express some fundamental aspect of an attack that makes it different
from legitimate behavior, while permitting detection.
The amount of information that flows through a typical corporate intranet and the level of activity
on most corporate servers make it impossible for any one person to continually monitor them
manually. Traditional network management and system monitoring tools do not address the issue
of helping to ensure that systems are not misused and abused. Nor can they help detect theft of a
company’s critical data from important servers. The potential impact of computer-based crime is
significant to most corporations; their entire intellectual property often resides on servers. A tool
that can detect security-related threats and attacks as they occur significantly eases the burden that
most network administrators face.
16 Introduction