One way for IT managers to make corporate networks more secure is to use intrusion-detection and vulnerability-assessment tools. There are a range of commercial and free products for this purpose currently available.
Firewalls have been difficult to use for many years now, requiring specialist knowledge, but more recently, security products have appeared that benefit from intuitive graphical interfaces. Managers are now able to buy these products off the shelf in order to help secure their networks.
However, many firms are keen to do more than just secure the perimeter of their networks. They also want to monitor the activity occurring inside the firewall. As a result, there are two principal types of intrusion-detection tools: one is network-based and monitors traffic, the other is host-based and monitors applications.
Sniffer technology
Network intrusion detection tools use sniffer programs to monitor packets on a specific part of the network, much as closed-circuit video cameras might watch the corridors of a building. The sniffer looks at packets, matching them against a database of known attack signatures to determine what is and is not a genuine attack.
This type of intrusion detection is currently the most widely deployed, but host-based products have been growing in popularity as companies increasingly combine the two approaches to guard against both internal and external threats. The FBI has reported that 70 percent or more of attacks originate from inside the firewall. Therefore, host-based methods of intrusion detection, which detect misuse of applications, are likely to provide the most effective line of defence.
Firms can use these security tools to keep an eye out for staff who might be involved in industrial espionage. But the scope may be wider than this, monitoring, for instance, which employees are attempting to access colleagues' salary details on the payroll server.
There is a third type of intrusion-detection tool that combines the methods of the other two. In this case a sniffing agent is installed on one particular machine, implementing a cross between host-based and network-based approaches. It is sniffing, but only looking for packets that are destined for a specific machine.
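The signature matching described above, and the host-filtered variant of it, are easy to see in a few lines of code. The following is an added example and not code from the article or from any product it mentions: it matches constructed packets against a small constructed signature list, and the `watched_host` parameter switches it from watching the whole segment (network-based) to watching only the packets addressed to one machine (the hybrid approach). The packet format, signature names and patterns are all assumptions made for the example.

```python
"""Toy signature-matching IDS over constructed packets (added example)."""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: (name, destination port or None for any port, byte pattern).
# Real products ship thousands of these; three are enough to show the mechanism.
SIGNATURES = [
    ("cmd.exe URL probe", 80, re.compile(rb"/cmd\.exe", re.IGNORECASE)),
    ("directory traversal", 80, re.compile(rb"\.\./\.\./")),
    ("anonymous ftp login", 21,
     re.compile(rb"^USER\s+anonymous", re.IGNORECASE | re.MULTILINE)),
]


def match_signatures(pkt):
    """Return the names of every signature whose port and pattern match this packet."""
    hits = []
    for name, port, pattern in SIGNATURES:
        if port is not None and pkt.dport != port:
            continue
        if pattern.search(pkt.payload):
            hits.append(name)
    return hits


def inspect(packets, watched_host=None):
    """Network mode (watched_host=None) inspects every packet on the segment.

    Host mode (watched_host set) only inspects packets destined for that one
    machine, which is the hybrid 'sniffing agent on one host' approach.
    """
    alerts = []
    for pkt in packets:
        if watched_host is not None and pkt.dst != watched_host:
            continue
        for name in match_signatures(pkt):
            alerts.append((pkt.src, pkt.dst, pkt.dport, name))
    return alerts


# Constructed traffic: one benign request, then three packets that trip a signature.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 80,
           b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    Packet("192.0.2.9", "10.0.0.21", 80, b"GET /../../../../etc/passwd HTTP/1.0\r\n"),
    Packet("192.0.2.9", "10.0.0.21", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 21, b"USER alice\r\n"),
]


if __name__ == "__main__":
    print("network mode:")
    for alert in inspect(SAMPLE_PACKETS):
        print("  ", alert)
    print("host mode for 10.0.0.20:")
    for alert in inspect(SAMPLE_PACKETS, watched_host="10.0.0.20"):
        print("  ", alert)
```

In network mode all three suspicious packets raise alerts; in host mode for 10.0.0.20 only the one addressed to that machine does. The same structure also shows the known weakness of pure signature matching: the traversal pattern fires on `../../` but not on the `..%5c` encoding in the second packet, which is why real sensors normalise URLs before matching.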
The NSS Group, a network testing organisation, has spent four months testing some of the current intrusion-detection and vulnerability-assessment products. NSS scanned Windows 2000, Windows NT and Linux servers with several popular products.
NSS did not make any attempt to secure the servers before testing, but installed them out of the box to ascertain the vulnerabilities that the various software packages would identify. The results are shown below.
Network intrusion detection is a hot topic, and host-based detection will become essential for most organisations worried about internal attacks. Firms will probably need two types of vulnerability-assessment scanner. Some are very good at the active attacks and at spotting the weaknesses those attacks expose. Others are better at identifying which registry settings are wrong, whether the password policy is weak, whether there are accounts with no passwords, or whether there are easily guessed passwords.
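The second kind of scanner, the one that audits configuration rather than attacking the host, amounts to a set of checks run over the account database and policy settings. The following is an added example written for this page, not code from NSS or from any product tested: it runs a password-policy check and an account check over constructed data. The account record format (a hex SHA-256 digest, or an empty string for an account with no password), the policy keys and the tiny wordlist are all assumptions made for the example; a real scanner reads these from the registry or the system password database.

```python
"""Host-based configuration audit over constructed account and policy data (added example)."""
import hashlib


def digest(password):
    # Assumed digest format for this example: hex SHA-256 of the password.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account records: (username, digest) with "" meaning no password set.
ACCOUNTS = [
    ("administrator", digest("password")),
    ("backup", ""),
    ("alice", digest("correct horse battery staple")),
    ("guest", digest("guest")),
]

# Constructed policy settings, modelled on what a scanner would read from the host.
POLICY = {"min_length": 6, "max_age_days": 0, "lockout_threshold": 0}

# Constructed wordlist of easily guessed passwords.
WEAK_WORDS = ["password", "123456", "letmein", "admin"]


def audit_policy(policy):
    """Flag policy settings that fall below a sensible baseline."""
    findings = []
    if policy["min_length"] < 8:
        findings.append(("policy", "minimum password length below 8"))
    if policy["max_age_days"] == 0:
        findings.append(("policy", "passwords never expire"))
    if policy["lockout_threshold"] == 0:
        findings.append(("policy", "no account lockout"))
    return findings


def audit_accounts(accounts, weak_words=WEAK_WORDS):
    """Flag accounts with no password, a username-as-password, or a wordlist password."""
    findings = []
    weak_digests = {digest(w): w for w in weak_words}
    for user, pw_digest in accounts:
        if pw_digest == "":
            findings.append((user, "account has no password"))
            continue
        if pw_digest == digest(user):
            findings.append((user, "password equals username"))
        elif pw_digest in weak_digests:
            findings.append((user, "easily guessed password"))
    return findings


def run_audit(accounts=ACCOUNTS, policy=POLICY):
    """Combine both audits into one list of (subject, finding) pairs."""
    return audit_policy(policy) + audit_accounts(accounts)


if __name__ == "__main__":
    for subject, finding in run_audit():
        print(f"{subject:15} {finding}")
```

Against the constructed data the audit reports three policy findings and three account findings: the administrator's wordlist password, the backup account with no password, and the guest account whose password equals its name. Alice's account produces nothing, which is the point of the dictionary comparison: the scanner never needs the plaintext, only the digests of a candidate list.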