HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

greater privileges than it needs to serve up websites and CGI scripts. Web servers that run as root
are easy targets for attack. CGI scripts are reachable by anyone on the network, and because every
script then runs with root privileges, a single exploitable script can hand an attacker complete
control of the system.
Springboards to Attack the Next Target
Even if your company is not the intended victim, a compromised company system can be used to
launch attacks on other victims on the Internet.
Existing Tools Are Only Part of the Solution
A number of technologies have emerged as potential solutions to the various security problems
faced by companies. Firewalls, encryption, and security auditing tools are useful. HP-UX HIDS
integrates with these existing technologies to enhance system and network security.
Firewalls
A firewall is a system that is placed between two networks to control what traffic can pass between
those networks. A firewall is usually placed between the Internet and your company intranet. It
can be viewed as a useful point of policy enforcement through which you can decide what network
traffic is and is not permitted to pass in and out of your organization. When deployed correctly,
which is a difficult task in a complex business environment, a firewall is an effective tool for
preventing attacks on critical systems and data. However, a firewall at the Internet boundary cannot
protect against an attack launched from inside the organization, and it often cannot stop an attacker
inside your organization from attacking systems on the Internet; that is, your systems can be used
as a springboard to attack another victim.
A further complication in deploying firewalls is that it is difficult to establish clearly where the
boundary exists between inside and outside. At one time, it was obvious that the Internet was
outside and the intranet was inside. However, more and more corporations are joining their
intranets in multiple-partner arrangements, often termed extranets. If internal and external systems
are included under the same extranets, it becomes difficult to place the firewall at the required
location. In such an environment, some form of continuous security monitoring on the hosts themselves
is needed to ensure that critical systems are not attacked and valuable data is not being pilfered by partners.
Encryption
Encryption is a mathematical technique that prevents unauthorized reading of data. With encryption,
the intended recipients of data can read it, but no intermediate party can. Encryption by itself does
not prevent alteration, and it does not authenticate the sender: those properties come from a message
authentication code (MAC) or a digital signature, which a well-designed cryptographic system combines
with encryption so that the recipient can verify that the message is unaltered and that the claimed
sender really is the sender.
In any well-designed cryptographic system, the heart of the security is the key. Knowing the key
enables an attacker to decrypt any message, alter it, and retransmit it to the recipient, or to forge
messages outright. Conversely, even if the inner workings of the encryption software are fully known,
an attacker without the key cannot read messages or pass off altered ones as genuine.
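The two properties the paragraphs above separate, secrecy from encryption and tamper resistance from authentication, can be seen directly in code. The following is an added example and not code from the HP-UX HIDS guide or from HP. It uses a toy stream cipher (a SHA-256 counter-mode keystream, assumed here purely for illustration, not a real cipher) to show that an attacker who knows the message layout but not the key can still change the plaintext an honest recipient decrypts, and that an encrypt-then-MAC construction with HMAC-SHA256 rejects the same alteration. The message, keys and nonce are constructed inside the example; in practice an authenticated mode such as AES-GCM provides both properties in one primitive.

```python
# Added example (not from the HP-UX HIDS guide): encryption alone hides data
# but does not stop alteration; a keyed MAC does. The "cipher" is a toy
# keystream (SHA-256 in counter mode) used only to show the malleability that
# every unauthenticated stream mode such as AES-CTR shares. Do not use it as a
# real cipher; in practice use an AEAD mode such as AES-GCM.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream. Decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def patch_ciphertext(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's move: without the key, XOR (known XOR wanted) into the ciphertext
    at a position whose plaintext is known, so the receiver decrypts `wanted`."""
    patched = bytearray(ciphertext)
    for i, d in enumerate(xor_bytes(known, wanted)):
        patched[offset + i] ^= d
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: message altered or forged")
    return decrypt(enc_key, nonce, ct)


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(NONCE_LEN)
    msg = b"PAY 0000100 TO ALICE"   # constructed sample message
    offset = msg.index(b"0000100")  # attacker knows the layout, not the key

    # 1. Encryption only: the attacker cannot read the amount, but can change it.
    ct = encrypt(enc_key, nonce, msg)
    tampered = decrypt(enc_key, nonce, patch_ciphertext(ct, offset, b"0000100", b"9999999"))

    # 2. Encrypt-then-MAC: the same patch is detected and the message rejected.
    blob = seal(enc_key, mac_key, nonce, msg)
    forged = patch_ciphertext(blob, NONCE_LEN + offset, b"0000100", b"9999999")
    try:
        open_sealed(enc_key, mac_key, forged)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "original": msg,
        "tampered": tampered,  # b"PAY 9999999 TO ALICE"
        "intact": open_sealed(enc_key, mac_key, blob),
        "rejected": rejected,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The attacker in step 1 never learns the key or the amount, yet the recipient decrypts a message the sender never wrote; that is the gap between "cannot read" and "cannot alter". Step 2 closes it only because the MAC key is separate from anything the attacker holds, which is exactly why the next paragraph's point about where keys are stored matters.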
The problem with relying on encryption lies in the vulnerability of the systems that hold the keys.
The weakest link is not the encryption technology but the systems on which the key is stored. How
can you be sure that the program you are using to encrypt data has not saved your key to a temporary
file on your disk, from which an attacker can later retrieve it? If attackers gain access to your key,
not only can they decrypt your data, they can impersonate you and sign messages in your name.
Encryption does not protect data while it is in the clear (not encrypted) as you process it, for
example, while preparing a document for printing. Moreover, encryption cannot protect your systems
against denial-of-service attacks. Despite all the advantages of encryption, it is only part of an
overall security solution.
Importance of Intrusion Detection 13