Computer Systems Security in an Internet Age: Part Three

Last month, we discussed the nature of the threat to computer networks connected to the Internet, and the role Firewalls play in securing Internet connections.  We will continue that discussion this month, and introduce Intrusion Detection Systems as a possible component of a network security system.

Many other threats also loom on the Internet, beyond specific, targeted attacks to break into your network.  You have probably heard the term "Denial Of Service" attacks, which gives new meaning to the old acronym "DOS."  A Denial Of Service attack isn't meant to break into your system; it is meant to take down your system, and deny you, your customers and your partners use of the system.  These attacks usually involve either overwhelming the target with traffic to "smother" the server or firewall, or sending data that is targeted to take down the site (for example, a malformed or corrupt data transmission that a server doesn't know what to do with, so it crashes).  Since these attacks can usually be traced back via logs, the more conventional approach is to take over someone else's system and launch the attack from there.  When an attack is launched from many systems, this is called a Distributed Denial of Service attack, because it is coming from many places.  This is what the Code Red worm did when it launched its attack on the White House web site.

An Intrusion Detection System ("IDS") is a specialized device or computer that, essentially, protects your firewall and servers from attack.  An IDS looks at all of the traffic coming into (or going out of) your network, and looks for suspicious behavior or patterns.  Just as viruses have signatures (files that contain "traces" of the virus so it can be identified and dealt with) as well as patterns of suspicious behavior, so too do network attacks.  All of the most common ones (SYN-Flood, Smurf, Teardrop) have specific signatures, and an Intrusion Detection System will recognize them and take appropriate action (log where the attack is coming from, kill connections, shut down ports on the firewall, etc.).  An IDS will also recognize patterns of attack, even if there is not a signature, and can take action based on behavior.  An IDS is generally used to protect the area between your firewall and the Internet, but can also protect the "DMZ" (the area where your publicly accessible servers are) or your internal network.  If the Firewall is your security guard watching the cameras to see who is coming and going, the IDS is the guard with the gun who handles the break-ins.
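To make the signature idea concrete, here is a toy signature-based detector, added as an illustration and not code from the column or from any IDS product.  It runs over constructed packet records (dicts instead of decoded frames) and flags the three signatures named above; the addresses, thresholds and field names are assumptions.

```python
# Added example (not from the original column): a toy signature-based IDS run over
# constructed packet records. Real sensors decode raw frames; here each packet is a dict.
from collections import defaultdict

def detect_syn_flood(packets, threshold=5):
    """SYN-Flood signature: many bare TCP SYNs (no ACK) from one source to one target."""
    syns = defaultdict(int)
    for p in packets:
        if p["proto"] == "tcp" and "S" in p["flags"] and "A" not in p["flags"]:
            syns[(p["src"], p["dst"])] += 1
    return sorted(k for k, n in syns.items() if n >= threshold)

def detect_smurf(packets):
    """Smurf signature: ICMP echo request (type 8) sent to a directed-broadcast address."""
    return sorted({(p["src"], p["dst"]) for p in packets
                   if p["proto"] == "icmp" and p["type"] == 8 and p["dst"].endswith(".255")})

def detect_teardrop(packets):
    """Teardrop signature: IP fragments of one datagram whose byte ranges overlap."""
    frags = defaultdict(list)
    for p in packets:
        if p["proto"] == "ipfrag":
            frags[(p["src"], p["dst"], p["ip_id"])].append((p["offset"], p["offset"] + p["length"]))
    hits = []
    for key, pieces in frags.items():
        pieces.sort()
        for (_, end_a), (start_b, _) in zip(pieces, pieces[1:]):
            if start_b < end_a:          # next fragment starts inside the previous one
                hits.append(key[:2])
                break
    return sorted(set(hits))

def run_ids(packets):
    """Return (signature, source, target) alerts; a real IDS would also log or kill connections."""
    alerts = [("SYN-Flood",) + k for k in detect_syn_flood(packets)]
    alerts += [("Smurf",) + k for k in detect_smurf(packets)]
    alerts += [("Teardrop",) + k for k in detect_teardrop(packets)]
    return alerts

# Constructed sample traffic: six bare SYNs from 10.0.0.9 to the web server, one legitimate
# SYN / SYN-ACK handshake, an echo request to a broadcast address, two overlapping fragments.
SAMPLE = (
    [{"proto": "tcp", "src": "10.0.0.9", "dst": "192.0.2.10", "flags": "S"} for _ in range(6)]
    + [{"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "flags": "S"},
       {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.5", "flags": "SA"},
       {"proto": "icmp", "src": "10.0.0.7", "dst": "192.0.2.255", "type": 8},
       {"proto": "ipfrag", "src": "10.0.0.8", "dst": "192.0.2.10", "ip_id": 77, "offset": 0, "length": 36},
       {"proto": "ipfrag", "src": "10.0.0.8", "dst": "192.0.2.10", "ip_id": 77, "offset": 24, "length": 24}]
)
```

Calling `run_ids(SAMPLE)` yields one alert per signature; the single legitimate handshake stays below the SYN threshold.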

What is the cost of network downtime if you are using the Internet for email and web browsing, like most businesses?  Email is currently used by most businesses as a critical communication medium with customers, partners and suppliers, and down-time can be significant in impact.  How does this economic impact change if you are doing B2B eCommerce and online purchasing with partners?  How does it further change if you have a client Extranet, or if your customers and partners connect to your web site for business transactions?  These are generally the cost justifications for a solid firewall solution, and possibly for an IDS.  What is the cost of a day of down-time for your business?  Calculate it.

As we discussed in our first column two months ago, configuration of your firewall and related security systems should be based on the business rules established in your Security Policy.  Your business rules determine who can access what resources on your network, and your Firewall and security systems should apply those rules to force people to comply with them.  The firewall should also apply more technically specific rules: for example, not allowing specific types of traffic that users would not generate, because they represent a threat.  Most firewall products apply these rules by creating complex packet filters that drop or allow traffic based on IP address/port of the source and destination, but some actually create a business rule base and convert the rules into the necessary code and distribute it to the "enforcement points" (firewalls and other gateways).  The advantage of this type of approach is that your management is centralized and all enforcement points are following a centrally defined policy; changes, when they are made, can be easily propagated to all appropriate devices.  The market leader in this area is Check Point Software Technologies.
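The difference between hand-written packet filters and a compiled rule base is easiest to see in code.  The following is an added illustration, not the column's or any vendor's mechanism: a small business rule base is expanded into 5-tuple filters for each named enforcement point, with an implicit cleanup rule at the end; group names, hosts, gateways and services are all constructed.

```python
# Added example (not from the column or any vendor product): a business rule base
# compiled into packet filters and distributed to named enforcement points.
NETS = {  # constructed address book; group name -> dotted-quad prefixes ("" means any)
    "partners": ["203.0.113."], "staff": ["10.0.0."], "any": [""],
}
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25), "netbios": ("tcp", 139)}
GATEWAYS = {  # enforcement point -> the destination hosts it protects (constructed)
    "fw-dmz": {"192.0.2.10": "extranet web"},
    "fw-mail": {"192.0.2.20": "mail relay"},
}

# Business rules as the Security Policy would state them, in order; first match wins.
RULES = [
    {"from": "partners", "to": "extranet web", "service": "https",   "action": "accept"},
    {"from": "any",      "to": "mail relay",   "service": "smtp",    "action": "accept"},
    {"from": "any",      "to": "any",          "service": "netbios", "action": "drop"},  # technical rule
]

def compile_policy(rules, gateways):
    """Expand each business rule into (src_prefix, dst, proto, port, action) filters
    for every gateway that protects the rule's target, then add a cleanup drop."""
    compiled = {gw: [] for gw in gateways}
    for r in rules:
        proto, port = SERVICES[r["service"]]
        for gw, hosts in gateways.items():
            dsts = [h for h, name in hosts.items() if r["to"] in ("any", name)]
            for src_prefix in NETS[r["from"]]:
                for dst in dsts:
                    compiled[gw].append((src_prefix, dst, proto, port, r["action"]))
    for gw in compiled:  # implicit cleanup rule every enforcement point receives
        compiled[gw].append(("", "", "any", None, "drop"))
    return compiled

def decide(filters, src, dst, proto, port):
    """Evaluate one packet against a gateway's compiled filter list; first match wins."""
    for src_prefix, fdst, fproto, fport, action in filters:
        if (src.startswith(src_prefix) and fdst in ("", dst)
                and fproto in ("any", proto) and fport in (None, port)):
            return action
    return "drop"
```

Changing one entry in `RULES` and re-running `compile_policy` regenerates every gateway's filter list, which is the "propagate to all enforcement points" property the column describes.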

Some of the industry leading firewall vendors include Check Point Software Technologies (FireWall-1), Cisco Systems (PIX), Symantec (Raptor), Network Associates (Gauntlet), WatchGuard Technologies, SonicWALL and NetScreen.  Novell and Microsoft are also players in this field: Novell's BorderManager is a good choice for Novell-centric businesses willing to trade off some advanced features for tight NDS integration, centralized management and fast performance, while Microsoft's ISA Server is a third generation product that is steadily gaining market share.  Internet Security Systems is the market leader in Intrusion Detection Systems with its RealSecure and BlackIce products, but other players include Cisco, Symantec (through its acquisition of Axent), NFR Security and Intrusion.Com.  All of these products have different and varying strengths, and you should utilize a qualified security specialist to determine what capabilities you need and what best matches your environment.

In next month's column, we will discuss viruses and other hostile content, and how to protect your network from them.

Continue to Part Four...


This site last updated 01/05/03
© 1999 Quality Technology Solutions, Inc.
201 Littleton Road, Morris Plains, New Jersey 07950
telephone: 973.984.7600       fax: 973.984.7650
email: info@qtsnet.com