to go back and collect critical environmental information to confirm or exonerate
the suspicions.
2. Host-based and network-based IDS . A host-based IDS works by monitoring system-
generated events and correlating them with other information, such as user or
application profiles, to detect intrusions. A network-based IDS works by examining
network traffic, most often IP packets, to recognize known attack patterns such as
spoofing or flooding. One major problem is the separation of network IDS from
host-based IDS. Today's attacks cut across multiple platforms, network and host
devices alike, and there is no limitation on what the intruder can do. In fact, many
hacking tools available for download from the web offer combined network and host
attacks. When attacks span network and hosts, they must be detected by analyzing
network and host events together; failing to do so means many missed
opportunities. Realizing this, today's network and host IDS products are slowly
adding each other's functionality and converging. However, at this stage, IDS lack
the capability for effective coordinated protection.
3. Network-based IDS . It is difficult for a network-based IDS to scale up to deal
with network traffic volume, and the variety of protocols adds to the performance
burden. Encryption creates opaque tunnels that cannot be analyzed. The encryption
problem is particularly serious because, when coupled with traffic volume, it creates
large and opaque pipes that are almost impossible to audit. As infrastructures move
toward switched environments, visibility presents yet another challenge to
network-based IDS. In a switched environment, if two machines are connected to two
different ports of the same switch, their communication never travels higher than
that switch. With a hierarchical switch architecture, local traffic is never visible to a
network IDS monitoring above it. One solution is to deploy an IDS at every switch, all
the way down to the lowest level; this is an extremely expensive solution with serious
performance consequences. A switched environment does not imply that there are no
attacks; it simply means that the fundamental working principle of network-based IDS
faces a real challenge.
4. Static data collection. Today's IDS use a static data collection method that
contributes to a high false-positive (false-alarm) rate. Traditionally, an IDS is set up
to monitor a fixed set of events, and this set is adjusted only when the operator
changes the auditing parameters. The model works well as long as a knowledgeable
operator sits in front of the console around the clock to respond to attacks in real
time and to adjust the parameters to trace the progression of an attack. Without this,
the traces of an attack are easily lost and the system ends up with a large set of
irrelevant data, which means more false alarms. In today's IDS very little audit tuning
takes place to ensure that the right set of data is being collected. The issue of high
false positives will remain, and it is a critical real-life operational problem.
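Two of the points above, that network and host events must be analyzed together (item 2) and that a fixed audit set loses the trail of an attack (item 4), can be shown in a small correlator. The following is an added Python example written for this page; it is not code from the original text or from any IDS product. The event record formats, the sample network alert and host events, the five-minute correlation window and the baseline and escalated audit sets are all constructed assumptions for illustration.

```python
"""Correlate a network IDS alert with host audit events, and widen the host's
audit scope while the alert is fresh.  All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network IDS alert: (timestamp, source IP, target IP, signature).
NETWORK_ALERTS = [
    ("2001-03-04T10:00:05", "10.0.0.9", "10.0.0.20", "PORTSCAN"),
]

# Constructed host audit events: (timestamp, host IP, user, event type, detail).
HOST_EVENTS = [
    ("2001-03-04T09:55:00", "10.0.0.20", "alice", "LOGIN_OK",   "console"),
    ("2001-03-04T10:00:40", "10.0.0.20", "root",  "LOGIN_FAIL", "ssh from 10.0.0.9"),
    ("2001-03-04T10:00:52", "10.0.0.20", "root",  "LOGIN_OK",   "ssh from 10.0.0.9"),
    ("2001-03-04T10:01:10", "10.0.0.20", "root",  "FILE_WRITE", "/etc/passwd"),
    ("2001-03-04T10:20:00", "10.0.0.31", "bob",   "FILE_WRITE", "/home/bob/notes"),
]

# Assumed audit sets: a static collector keeps only BASELINE_EVENTS everywhere;
# an adaptive one switches a flagged host to ESCALATED_EVENTS for a while.
BASELINE_EVENTS = {"LOGIN_OK", "LOGIN_FAIL"}
ESCALATED_EVENTS = BASELINE_EVENTS | {"FILE_WRITE", "PROCESS_EXEC"}
DEFAULT_WINDOW = timedelta(minutes=5)  # assumed correlation / escalation window


def parse(ts):
    return datetime.fromisoformat(ts)


def escalations_from_alerts(network_alerts, window=DEFAULT_WINDOW):
    """Map target host -> list of (start, end) intervals of widened audit scope."""
    out = defaultdict(list)
    for ts, _src, dst, _sig in network_alerts:
        t = parse(ts)
        out[dst].append((t, t + window))
    return out


def in_scope(event, escalations):
    """Decide whether a collector keeps this event: escalated set if the host is
    currently flagged by the network IDS, otherwise the fixed baseline set."""
    ts, host, _user, etype, _detail = event
    t = parse(ts)
    widened = any(start <= t <= end for start, end in escalations.get(host, []))
    return etype in (ESCALATED_EVENTS if widened else BASELINE_EVENTS)


def collect(host_events, escalations):
    """Simulate the audit collector: returns the host events actually retained."""
    return [e for e in host_events if in_scope(e, escalations)]


def correlate(network_alerts, host_events, window=DEFAULT_WINDOW, adaptive=True):
    """Join each network alert with the retained host events on its target
    inside the window.  adaptive=False models today's static collection."""
    escalations = escalations_from_alerts(network_alerts, window) if adaptive else {}
    kept = collect(host_events, escalations)
    incidents = []
    for ts, src, dst, sig in network_alerts:
        t = parse(ts)
        related = [e for e in kept if e[1] == dst and t <= parse(e[0]) <= t + window]
        incidents.append({"alert": (ts, src, dst, sig), "host_events": related})
    return incidents


def assess(incident):
    """Judge the incident from both views at once: a port scan alone is noise,
    but a root login from the scanning source followed by a write under /etc
    on the scanned host, inside the window, is not."""
    src = incident["alert"][1]
    events = incident["host_events"]
    root_login_from_src = any(
        e[3] == "LOGIN_OK" and e[2] == "root" and src in e[4] for e in events)
    system_file_write = any(
        e[3] == "FILE_WRITE" and e[4].startswith("/etc/") for e in events)
    if root_login_from_src and system_file_write:
        return "likely compromise"
    if events:
        return "suspicious"
    return "scan only"


if __name__ == "__main__":
    for adaptive in (False, True):
        for inc in correlate(NETWORK_ALERTS, HOST_EVENTS, adaptive=adaptive):
            print("adaptive" if adaptive else "static  ",
                  len(inc["host_events"]), "host events ->", assess(inc))
```

Run with static collection, the /etc/passwd write on the scanned host is never retained, so the correlator sees only two login events and can rate the incident no higher than "suspicious"; with the audit scope widened by the network alert, the same data yields "likely compromise". Neither the network view (a port scan) nor the host view (a root login and a file write) carries that verdict on its own, which is the point of items 2 and 4.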
5 A Real-Life Awakening
Examining the real-life failures of today's on-line transaction systems provides useful
insights into how traditional IA fails when it protects only the castles and moats.