[ISN] Hacker Stoppers? (ids)

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 28 Apr 1998 - 17:03:34 CDT
[Moderator: I found a few articles on IDS recently and will post
 the relevant ones. However, I highly recommend that you read SNI's
 technical paper released on February 9, 1997 about IDS shortcomings. The
 paper can be found at http://www.securenetworks.com/papers/ids-html/ ]


http://www.techweb.com/wire/story/TWB19980427S0001

[Hacker Stoppers?] Companies bought $65 million worth of network-intrusion
tools last year, but capabilities still lag behind what's promised. 

(04/27/98; 10:02 a.m. ET)
By Deborah Kerr, InformationWeek

Neal Clift no longer sleeps on the floor of his office. Ten years ago, he
slept under his Digital VAX at Leeds University in England, listening for
the telltale clicks and hums that signal an intruder on his network. For
weeks, a hacker had been shamelessly crashing his machine, deleting files,
and reconfiguring controls. Clift tracked the hacker's movements, recorded
the keystrokes, and eventually closed up the hacker's entry points. 

At the time, pulling late-nighters was the only way to catch a hacker,
since poring over system logs could only establish the hacker's patterns
after the fact. Now, intrusion-detection technology lets network security
managers and administrators catch trespassers without spending the night
on the office floor. 

Intrusion-detection tools are a $65 million industry that will grow as
large as the firewall market, which reached about $255 million in 1997,
according to the Hurwitz Group, in Framingham, Mass. Touted as network
burglar alarms, intrusion-detection systems are programmed to watch for
predefined attack "signatures," or predefined bytecode trails of
prespecified hacks. Intrusion-detection systems also send out real-time
alerts of suspicious goings-on inside the network.

But don't bet the server farm on intrusion-detection systems yet. They're
still new, and their capabilities are limited. No matter what you buy,
some portion of the enterprise will be unprotected. Intrusion-detection
systems also can break down under certain types of attacks, in some cases
even turning on their own networks under the guidance of a truly
knowledgeable hacker. 

"There's no one tool to solve all the security problems throughout your
network," says Jim Patterson, vice president of security and
telecommunications at Oppenheimer Funds, in Denver. Oppenheimer, which
manages $90 billion in assets, recently spent about $50,000 to install
Intruder Alert from Axent Technologies on 20 of its key servers. Even so,
Patterson says he still worries about the rest of his network, which is
protected by a specially designed firewall. 

Providing complete coverage is a key problem for intrusion-detection
systems.  They can provide either host- or network-based monitoring.
Network-based intrusion-detection systems put remote-monitoring-like
sensors on the wire that watch for attack signatures in packets coming
into the network. But this approach leaves the system vulnerable to
internal attack. Host-based systems use intelligent agents on key servers
to sift through system logs for known signatures.  But this means an
attacker has already entered the network and gotten to the servers where
the agents are deployed. 

Not surprisingly, Internet connections are becoming the primary point of
network attack. The Net was the source of 54 percent of attacks on
networks reported by 520 IS security managers, according to the March 1998
Computer Security Institute/Federal Bureau of Investigation Computer
Crimes Survey. 

For this reason, many IS departments choose network-based
intrusion-detection systems. Typically set up at a switch or router
between the Web server and the firewall (commonly referred to as the
demilitarized zone), these systems listen to network traffic and send
alerts when they read packets containing known attack signatures.
Sometimes they take automatic action such as terminating TCP connections. 
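The article describes these sensors as matching known attack signatures against packets on the wire, and earlier notes that such systems can break down under certain attacks (the shortcomings the moderator's SNI reference covers). The following added example, which is not from the article or any vendor named in it, shows why a sensor that inspects each TCP segment in isolation misses a signature that happens to span two segments, while a sensor that reassembles the flow first catches it. The signature names, patterns and captured segments are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed signature set: alert name -> byte pattern (not a vendor rule set).
SIGNATURES = {
    "CGI-PHF-PROBE": re.compile(rb"GET /cgi-bin/phf"),
    "ETC-PASSWD-IN-URL": re.compile(rb"GET [^ ]*/etc/passwd"),
}

def match_signatures(data):
    """Return the names of every signature found in one byte string."""
    return {name for name, pat in SIGNATURES.items() if pat.search(data)}

def detect_per_packet(segments):
    """Naive sensor: looks at each TCP segment payload on its own."""
    alerts = set()
    for _flow, _seq, payload in segments:
        alerts |= match_signatures(payload)
    return alerts

def detect_per_stream(segments):
    """Sensor that reassembles each flow in sequence order before matching."""
    flows = defaultdict(list)
    for flow, seq, payload in segments:
        flows[flow].append((seq, payload))
    alerts = set()
    for parts in flows.values():
        stream = b"".join(payload for _, payload in sorted(parts))
        alerts |= match_signatures(stream)
    return alerts

# Constructed capture: (flow id, relative TCP sequence number, payload bytes).
FLOW_A = ("10.0.0.5:40000", "192.0.2.10:80")
FLOW_B = ("10.0.0.6:40001", "192.0.2.10:80")
SAMPLE_SEGMENTS = [
    # Flow A: one request delivered as three out-of-order 9-byte segments,
    # so no single payload contains the whole "GET /cgi-bin/phf" string.
    (FLOW_A, 18, b"TTP/1.0\r\n"),
    (FLOW_A, 0,  b"GET /cgi-"),
    (FLOW_A, 9,  b"bin/phf H"),
    # Flow B: the whole request arrives in a single segment.
    (FLOW_B, 0,  b"GET /cgi-bin/view?f=/etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("per-packet:", sorted(detect_per_packet(SAMPLE_SEGMENTS)))
    print("per-stream:", sorted(detect_per_stream(SAMPLE_SEGMENTS)))
```

Run stand-alone, the per-packet sensor reports only the Flow B alert, while the per-stream sensor reports both.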

Network Associates' CyberCop, Cisco's NetRanger (formerly sold by
WheelGroup), Internet Security Systems' RealSecure, Netect's Netective,
AbirNet's SessionWall-3, Internet Tools' ID-Trak, and MimeStar's SecureNet
Pro all take this approach. With some variations, these systems are sold
as consoles, along with sensors that are priced separately. 

The Money Store, in Union, N.J., uses Network Associates' CyberCop to
protect its Internet segment. "With a name like the Money Store, you're
going to get hack attempts," says Keith Bowyer, senior network engineer at
the Money Store.  "We've had quite a few." 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Wed Apr 29 14:08:28 1998