Intrusion-detection systems (IDS) are quickly becoming an integral part of any organization's network. For most companies, implementing an IDS is the next logical step after deploying a firewall, since it provides a second layer of security by helping to identify an attack or malicious traffic that makes it through the firewall. As with any technology, several IDS variants are available. Traditionally, two main models have been used: signature systems and anomaly-based systems.
A signature system contains a database of known attack signatures and alerts administrators when it identifies traffic on the network that matches one of these signatures. Detractors are quick to point out the faults of these systems, which include the need to keep the signature database updated, the fact that attacks using packet fragmentation go unnoticed, and the sheer inability of some systems to keep up with network bandwidth, dropping packets when they're overloaded with data.
Anomaly-based systems were designed to combat the signature-database problems and be a bit more proactive than signature systems. These systems understand protocols such as FTP, HTTP and Telnet. Exploits usually don't follow the standards, or they make an unexpected request; anomaly-based systems look for these events and alert administrators when they occur.
Although anomaly-based systems removed the signature database from the picture, they still don't address two main problems: large numbers of false positives, meaning they raise alerts against valid traffic, and the fact that they're still very reactive solutions -- by the time an administrator has received an alert, the attack has usually already occurred.
ForeScout Technologies Inc. in San Mateo, Calif., has introduced an approach to intrusion detection that aims to decrease the number of false positives and be a bit more proactive in its response. ForeScout ActiveScout recognizes network reconnaissance -- ping sweeps, port scans and user-name enumeration -- that is, the techniques attackers use to gather information about a given network before launching a targeted attack.
For example, when ActiveScout identifies a port scan, it tags the traffic and sends back an answer to the attacker that appears to be a valid response but isn't. ActiveScout may return a value for the port scan saying that FTP is open on port 21, when it isn't actually open on the server. When the attacker tries to exploit this nonexistent FTP server, ActiveScout knows this is an exploit attempt and sends an alert. Once an alert has been sent, ActiveScout can take several actions: monitor activity, report activity or block traffic from the source.
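The tag-then-bait behaviour described above, reduced to a small state machine as an added illustration (this is not ForeScout's code; the scan threshold, the bait ports, the real open ports and the event stream are all constructed here):

```python
from collections import defaultdict

SCAN_THRESHOLD = 5           # distinct closed ports probed before a source counts as scanning
REAL_OPEN_PORTS = {80, 443}  # constructed: services that actually listen on the protected host
BAIT_PORTS = {21, 23, 3389}  # constructed: ports the scout answers as "open" although nothing listens

class DeceptionScout:
    """Toy model of reconnaissance tagging: real services pass, a lone stray probe just
    gets a reset (no alert), a scanning source is fed a fake 'open' answer for bait ports,
    and only a later attempt to use that phantom service raises an alert and a block."""
    def __init__(self):
        self.probed = defaultdict(set)  # src -> closed ports it has probed so far
        self.tagged = set()             # sources identified as scanners (served bait)
        self.blocked = set()            # sources that acted on the bait
        self.alerts = []                # (src, port) pairs reported to the administrator

    def handle(self, src, dport, kind):
        """kind is 'syn' (connection probe) or 'data' (payload sent after connecting)."""
        if src in self.blocked:
            return "drop"
        if dport in REAL_OPEN_PORTS:
            return "pass"                # legitimate service, not our concern here
        if src in self.tagged and dport in BAIT_PORTS:
            if kind == "syn":
                return "bait"            # keep answering as if the service existed
            # Only the bait could have told this source the port was open: exploit attempt.
            self.alerts.append((src, dport))
            self.blocked.add(src)
            return "alert+block"
        self.probed[src].add(dport)
        if len(self.probed[src]) >= SCAN_THRESHOLD:
            self.tagged.add(src)         # scan recognized from here on
            return "bait" if dport in BAIT_PORTS else "rst"
        return "rst"                     # closed port, no alert: avoids the false positive

EVENTS = [  # constructed sample traffic: (source, destination port, kind)
    ("10.0.0.7", 80, "syn"),       # ordinary web client
    ("10.0.0.7", 22, "syn"),       # one stray probe from a legitimate host: no alert
    ("198.51.100.9", 22, "syn"),   # attacker starts sweeping ports
    ("198.51.100.9", 25, "syn"),
    ("198.51.100.9", 110, "syn"),
    ("198.51.100.9", 139, "syn"),
    ("198.51.100.9", 21, "syn"),   # fifth probe: source tagged, FTP answered as open (bait)
    ("198.51.100.9", 21, "data"),  # attacker tries the phantom FTP server: alert and block
    ("198.51.100.9", 80, "syn"),   # everything from the source is now dropped
]

def run(events):
    scout = DeceptionScout()
    return [scout.handle(*e) for e in events], scout.alerts
```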
IDSes provide value in any organization as long as they can handle the amount of traffic thrown at them and they limit the number of false positives reported to administrators. New developments in IDS technology are working to resolve these issues, with ForeScout's ActiveScout being the latest addition.
No single type of IDS solution can provide adequate protection. The best approach is a hybrid that combines the better aspects of signature detection, protocol analysis and network reconnaissance. Once the integration of Network ICE Corp.'s IDS technology is complete, Atlanta-based Internet Security Services Inc.'s Real Secure product will be a strong signature/protocol analysis hybrid. ForeScout is adding a small signature database to ActiveScout with the addition of some known malicious or suspicious Web addresses. Expect to see more and more hybrid solutions on the market in the future.
Andress covers security for the InfoWorld Test Center. Contact her at mandy_andress@infoworld.com.
This story, "Intrusion-detection systems are evolving" was originally published by InfoWorld.