INTRUSION DETECTION SOLUTIONS
BURGLAR ALARMS FOR YOUR NETWORK

by Heather Randall

   Loss prevention has always been of paramount importance in the brick and mortar world. Large retailers have Loss Prevention departments dedicated to identifying and foiling shoplifting schemes. Many office buildings are equipped with closed circuit cameras that allow security personnel to quickly identify individuals that are not authorized to be in the building. In today's society, almost all brick and mortar businesses employ some type of surveillance equipment and/or alarm system to detect physical intrusions. Loss of inventory means that customers may be inconvenienced or experience higher prices. In this age of fickle consumers, those factors may translate into lost business. From jewelry stores to convenience stores, owners and operators recognize the threats that exist in their environment and have taken steps to mitigate the risk of someone entering their premises and stealing their inventory.
   Businesses that operate with an Internet presence, such as merchants and service providers that enable payment transactions, handle "inventory" that is no less precious than that which inhabits the brick and mortar world. Dealing in data presents risks of at least the same magnitude as dealing in product. Even brick and mortar stores that simply have Internet connections are vulnerable to Internet-originating security breaches that could result in the loss of customer or other critical data. According to the Federal Trade Commission, identity theft and financial fraud are the fastest growing crimes in the world, resulting in billions of dollars lost from the world economy. The European Union has already acted to establish data security regulations for companies operating within its jurisdiction. The United States has been somewhat slower to act, but has now taken notice of the growing problem. On a state and national level, companies are now being held accountable for losing customer data. One of the common threads in the newly minted legislation is the establishment of baseline security measures. Among these measures is the ability to detect unauthorized access to networks and systems.
   The Gramm-Leach-Bliley Act, in §314.4(b), requires companies to "Detect, prevent and respond to attacks, intrusions or other system failures." The final rule for Sarbanes-Oxley §404 defines the internal controls that are required as, among other things, controls that "provide reasonable assurance of the prevention or timely detection of unauthorized acquisition…of assets that could have a material effect on the financial statements." Card association programs also require the installation of solutions that can detect unauthorized access to the network. Visa USA's Cardholder Information Security Program Requirement 10.5 requires the use of network intrusion detection systems, while MasterCard's Site Data Protection Program recommends the installation of network-based intrusion detection systems as a Best Practice. It is clear, then, that the use of intrusion detection systems is becoming mandatory, but many are left wondering exactly what intrusion detection systems are and how they secure networks.
   According to the SANS Institute, Intrusion Detection is the "art of detecting inappropriate, incorrect, or anomalous activity." This can be accomplished by analyzing both inbound and outbound network traffic to identify suspicious patterns. In clearer terms, Intrusion Detection Systems (IDS) compare current network activity against an established baseline or against known attack signatures. The system looks for unusual activity on a host or network and sends alerts to the appropriate personnel. There are several different ways in which an IDS can be configured and deployed.
   Intrusion detection can be categorized according to the way in which the solution detects potential intrusions. There are primarily two methods through which an IDS can detect potential intrusions to the network or systems: Anomaly Detection and Misuse Detection. Anomaly detection systems work by establishing a baseline measure of normal network activity. Once the profile, or baseline, is established, the solution monitors traffic for anything that does not match the profile and logs that activity as anomalous. An alert is then sent to the appropriate IT personnel to determine whether action must be taken. In order for the anomaly-based solution to work properly, the profile must be well-defined according to the company's specific traffic patterns. Some solutions are described as "self-learning," meaning that once the solution is installed, it monitors the network for an extended period of time and learns from this sample what is considered normal. While it still requires some expertise to ensure that the parameters set are accurate, the time required to establish the rules and profile is reduced considerably.
   In contrast, an IDS based on Misuse Detection monitors network traffic, searching for known attack signatures. Essentially, the IDS solution accesses a database of known attacks and compares those traffic patterns with the patterns that occur on the network or system it is monitoring. In some respects this is very similar to the way in which many anti-virus applications work. When the solution detects a pattern that is consistent with a known attack, it sends an alert to designated IT personnel. In an ideal world, an IDS would incorporate elements of both methods of detection. In that way, the solution would monitor for known attack methods as well as analyze network or system traffic for unusual activity.
   Another common way in which IDS solutions are categorized is according to whether the solution is network-based or host-based. A network-based IDS (NIDS) is deployed at strategic points throughout the network environment. This allows the solution to monitor the traffic from network devices and systems and to determine whether the traffic on the network is appropriate or whether it is related to a potential attack. A common implementation is behind the Internet-facing firewall, to monitor traffic originating from the Internet. Alternatively, an IDS solution can be placed on a specific system within the network to analyze the traffic to that particular system. This is considered a host-based IDS solution (HIDS). Depending upon the criticality of the information resident on the network, it may be prudent to deploy both a network-based IDS and an additional IDS solution on the specific devices that house critical information. A common implementation of host-based IDS is on web servers and database servers.
   A relatively new innovation in the world of Intrusion Detection Solutions is Intrusion Prevention (IPS). An IPS can identify potential attacks using the methods described above. Rather than simply sending a notification to the designated IT personnel, however, the IPS will block the traffic that is determined to be a potential attack, thus stopping the attack in progress. Many IDS solutions now integrate this preventative component. While this may avert potential attacks, it also carries with it potential negative consequences.
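To make the two detection methods and the IDS-versus-IPS response concrete, here is an added example in Python. It is not code from the article or from any product the article mentions. It builds a toy sensor that learns a per-port traffic-volume baseline from a constructed "learning period" (anomaly detection), matches flows against a small constructed signature table (misuse detection), and then either alerts only (IDS mode) or drops flagged flows (IPS mode). Every flow record, address, signature pattern and the z-score threshold are constructed assumptions for illustration.

```python
"""Toy sensor combining anomaly (baseline) and misuse (signature) detection,
with an alert-only IDS mode and a blocking IPS mode.
Added example for illustration; not code from the article. All traffic,
addresses, signatures and thresholds below are constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    payload: bytes = b""


# Constructed learning-period traffic: 20 HTTPS flows and 20 DNS flows
# from one internal host. This is what an anomaly detector profiles.
BASELINE = (
    [Flow("10.0.0.5", "192.0.2.10", 443, 1200 + 50 * i) for i in range(20)]
    + [Flow("10.0.0.5", "192.0.2.11", 53, 80 + 3 * i) for i in range(20)]
)

# Constructed signature table (byte pattern -> rule name), standing in for
# the database of known attack patterns a misuse detector consults.
SIGNATURES = {
    b"' OR 1=1": "sql-injection-probe",
    b"../../": "path-traversal-probe",
}

# Constructed flows to inspect after the learning period.
SAMPLE = [
    Flow("10.0.0.5", "192.0.2.10", 443, 1500),                            # normal
    Flow("10.0.0.5", "203.0.113.9", 443, 90_000),                         # huge upload
    Flow("10.0.0.5", "203.0.113.9", 4444, 500),                           # port never seen
    Flow("198.51.100.7", "192.0.2.10", 443, 900, b"GET /?id=' OR 1=1"),  # signature
]


class Profile:
    """Anomaly detection: per-destination-port mean/stdev of bytes_out,
    learned from the baseline; anything beyond z_threshold is anomalous."""

    def __init__(self, learning_flows, z_threshold=3.0):
        self.z_threshold = z_threshold
        by_port = {}
        for f in learning_flows:
            by_port.setdefault(f.dport, []).append(f.bytes_out)
        self.stats = {
            port: (statistics.mean(v), statistics.pstdev(v))
            for port, v in by_port.items()
        }

    def anomalies(self, flow):
        """Return a list of reasons the flow deviates from the baseline."""
        if flow.dport not in self.stats:
            return [f"unseen-port:{flow.dport}"]
        mean, sd = self.stats[flow.dport]
        sd = sd or 1.0                      # avoid division by zero on constant ports
        z = (flow.bytes_out - mean) / sd
        return [f"volume-z={z:.1f}"] if abs(z) > self.z_threshold else []


def signature_hits(flow):
    """Misuse detection: names of every signature found in the payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in flow.payload]


def inspect(flows, profile, mode="ids"):
    """Run both detectors over flows.

    Returns (alerts, forwarded). In "ids" mode every flow is forwarded and
    flagged ones only raise alerts; in "ips" mode flagged flows are dropped.
    """
    alerts, forwarded = [], []
    for f in flows:
        reasons = signature_hits(f) + profile.anomalies(f)
        if reasons:
            alerts.append((f.src, f.dst, f.dport, reasons))
            if mode == "ips":
                continue                    # block: do not forward
        forwarded.append(f)
    return alerts, forwarded


if __name__ == "__main__":
    prof = Profile(BASELINE)
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(SAMPLE, prof, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)} flows forwarded")
        for a in alerts:
            print("   ", a)
```

Run as a script, the same four flows produce three alerts in both modes, but in IPS mode only the one unflagged flow is forwarded. The "unseen-port" finding is worth noticing: a legitimate new service that was not running during the learning period is indistinguishable from an anomaly to this profile, which is why the article stresses that the baseline must be well-defined, and why an IPS acting on such a finding would block legitimate traffic.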
   Network-based IDS can be deployed in either "in-line" or "listening" mode. If one can imagine the connectivity of two systems, segments, or networks as a path between Point A and Point B, then the in-line solution acts as the gatekeeper sitting between the two points. All traffic between the two points passes through the IDS system. When the in-line IDS detects a potential attack, it will send an alert notifying the company of a potential attack. Intrusion Prevention Systems are employed "inline" to enable the blocking of malicious traffic. In "listening" mode, the IDS will often be placed on a mirrored port of a switch and will simply listen to the network traffic. In the event malicious traffic is identified, the IDS will send alerts but will not take any action to block the traffic.
   While there is debate over whether it is preferable to employ an IDS in listening or inline mode, there is one major drawback with the inline method. If the IDS fails while inline, there is a high likelihood that all traffic passing through the device will be blocked. In listening mode, a failure of the solution would not result in a loss of communication. It is suggested that an IDS/IPS be employed inline only if sufficient network redundancy exists to prevent a single point of failure.
   As with all security solutions, nothing is entirely bullet-proof. It is essential, therefore, to create multiple layers of defense. Envision the network environment as a house. It may have a fence, motion detector lights, a deadbolt lock on the front door, and a burglar alarm. If there are valuables in the house, they may be further protected by placing them in a safe. Using this analogy, the IDS would be equated to the burglar alarm. It is unlikely that anyone would install a burglar alarm without the benefit of a lock on the front door. If, for some reason, the alarm failed to sound, the mal-intentioned individual would essentially have a free pass in and out of the house. This would introduce a single point of failure: only one obstacle that must be overcome. Similarly, installing an IDS without any complementary security components would do little good. Multiple layers of defense, in which the IDS/IPS is an integral part, are essential to a robust information security program.