| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 | ||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||
 TEST CENTER IDSes evolve to better bolster defense By Mandy Andress May 10, 2002 IDSES (INTRUSION DETECTION SYSTEMS) are quickly becoming an integral part of any organization's network. For most companies, implementing an IDS is the next logical step after deploying a firewall, as it provides a second layer of security by helping to identify an attack or malicious traffic that makes it through the firewall. As with any technology, several IDS variants are available. Traditionally, two main models have been used: signature systems and anomaly-based systems.
Anomaly-based systems were designed to combat the database signature problems and to be a bit more proactive than signature systems. These systems understand protocols, such as FTP, HTTP, and Telnet. Exploits usually do not follow the standards, or else they are unexpected request; anomaly-based systems look for these events and alert administrators when they occur. Although anomaly-based systems removed the signature database from the picture, they still do not address two main problems: large numbers of false positives, meaning they raise alerts against valid traffic, and the fact that they are still very reactive solutions. By the time an administrator has received an alert, the attack has usually already occurred. ForeScout has introduced a new approach to intrusion detection that aims to decrease the number of false positives and be a bit more proactive in its response. (See the InfoWorld Test Center review, "Be prepared.") ForeScout ActiveScout recognizes network reconnaissance -- ping sweeps, port scans, and user-name enumeration. -- or the tools attackers use to gather information about a given network to launch a targeted attack. For example, when ActiveScout identifies a port scan, it tags the traffic and sends back an answer to the attacker that appears to be a valid response. In reality, the response is invalid. ActiveScout may return a value for the port scan saying that FTP is open on port 21 when it is not actually open on the server. When the attacker tries to exploit this nonexistent FTP server, ActiveScout knows this is an exploit attempt and sends an alert. Once an alert has been sent, ActiveScout can take several actions: monitor activity, report activity, or block traffic from the source. IDSes provide value in any organization as long as they can handle the amount of traffic thrown at them and they limit the number of false positives reported to administrators. New developments in IDS technology are working to resolve these issues, with ForeScout's ActiveScout being the latest addition. No single type of IDS solution can provide adequate protection. The best approach is a hybrid that combines the best aspects of signature detection, protocol analysis, and network reconnaissance. Once the integration of the Network Ice IDS technology is complete, ISS's Real Secure product will be a strong signature/protocol analysis hybrid. ActiveScout is adding a small signature database to its product with the addition of some known malicious or suspicious URLs. Expect to see more and more hybrid solutions on the market in the future.
 RELATED ARTICLES  Be preparedSecure IT with LinuxFree, dependable IDSRELATED SUBJECTS SecurityNetworkingSPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
