Risk Management The Big Picture – Part III


Host-based Intrusion Detection
Information Risk Management - SANS ©2001

Host-based intrusion detection could also be called host-specific intrusion detection, in that its primary purpose is to detect suspicious activity or known attack patterns on the specific host it is installed on. Some host-based intrusion detection systems (HIDS) have a number of host detectors reporting to a central management console that can flag alerts, centralize logs, and update the host detectors’ policies. Other HIDS are stand-alone. The boundaries between HIDS, anti-virus packages, and personal firewalls are blurring.

3-1 Need for Host-based ID
• Very fast networks
• Switched networks
• Back doors in local network
• Insider on network
• Network-based IDS may miss attack
• Don’t trust corporate security that much

To cut straight to the chase, you can’t do a thorough job of detection or protection without software layers at the host. In the future, it may be possible for the network fabric itself to have a significant role in these capabilities, but it isn’t going to happen in the next six to twelve months. Speed and the visibility limitation of switched and encrypted networks are network intrusion detection systems’ biggest limitations. We’ll examine them in a bit more depth in the next two slides.

Host-based intrusion detection can be very valuable in detecting back doors into your network, such as unsecured modems or links from other organization units or business partners. It’s no good relying on your network sensors that watch your front door if the back door is wide open.

Another aspect of host-based intrusion detection is that it can catch insider attacks that don’t cross the network or don’t pass through the instrumented perimeter.
Network-based systems can miss some sophisticated attacks - for example, fragrouter - that HIDS will detect. Finally, HIDS have a lower cost of entry, down to the level of protecting a single person or home PC for $50, versus the $10,000 or so for commercial network intrusion detection systems (NIDS). They also do not require a dedicated machine.

3-2 Very Fast Networks
• The current limits for network-based IDS boxes are about 80 MB/sec fully loaded
• A 200 MHz Pentium bus would only partially increase this
• Bandwidth at large sites will probably always exceed network detection and processing speed

There will always be a finite limit to the speed at which a network-based intrusion detection system can operate, and it will always be possible to engineer a network that confounds network-based intrusion detection technology. Therefore, host-based ID will be an important player for the long haul.

High bandwidth is a major challenge for NIDS. Be wary of taking that 80Mbps as a solid number, since it is based on assumptions about packet size and the number and complexity of the filters. Once a sensor’s bandwidth limit is exceeded, its performance tends to degrade rapidly, not just discarding excess packets but thrashing from resource exhaustion. Graceful degradation into “statistical sampling” is desirable.

A response to the bandwidth limits of network sensors is to move the sensors downstream towards the leaf nodes of your network, trading multiple sensors for less bandwidth per sensor. One can view HIDS as this trend taken to its logical conclusion, but beware that you have traded your bandwidth problem for a deployment problem.
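The graceful degradation the notes ask for, as an added illustration that is not part of the SANS material: a toy Python sensor model that, once the offered load exceeds its per-interval packet budget, samples by flow hash instead of thrashing. Flow-hash sampling is an assumed strategy (the slides only say “statistical sampling”), chosen because it keeps or drops whole flows so stateful rules still work on what is kept; the signature and the traffic are constructed for the example.

```python
import hashlib
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src dst payload")
SIGNATURES = {b"/etc/passwd": "path-traversal-probe"}  # constructed toy rule set
BUCKETS = 1000  # flow-hash buckets; the kept share is a prefix of this range
@dataclass
class SensorReport:
    offered: int
    inspected: int = 0
    sample_fraction: float = 1.0  # share of flow buckets kept; 1.0 = no sampling
    degraded: bool = False        # True whenever the sensor had to sample
    alerts: list = field(default_factory=list)
    kept_flows: set = field(default_factory=set)
    dropped_flows: set = field(default_factory=set)

def flow_bucket(key: str) -> int:
    # Hash the flow key so every packet of one flow lands in the same bucket.
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

def inspect(batch: list, budget: int) -> SensorReport:
    """Inspect one interval within a packet budget. Over budget, keep a deterministic
    share of flow buckets instead of thrashing: flows are kept or dropped whole."""
    offered = len(batch)
    fraction = min(1.0, budget / offered) if offered else 1.0
    keep_below = int(fraction * BUCKETS)  # buckets [0, keep_below) are inspected
    report = SensorReport(offered, sample_fraction=fraction, degraded=fraction < 1.0)
    for p in batch:
        key = f"{p.src}>{p.dst}"
        if flow_bucket(key) >= keep_below:
            report.dropped_flows.add(key)
            continue
        report.kept_flows.add(key)
        report.inspected += 1
        for pattern, name in SIGNATURES.items():
            if pattern in p.payload:
                report.alerts.append((name, key))
    return report

def make_batch() -> list:
    # Constructed sample traffic: 8 flows x 5 packets, flow 4 carrying one probe.
    batch = []
    for i in range(8):
        for n in range(5):
            payload = b"GET /../../etc/passwd" if (i, n) == (3, 2) else b"GET /index.html"
            batch.append(Packet(f"10.0.0.{i + 1}", "10.0.0.100", payload))
    return batch
```

The `degraded` flag is the operational point: a sensor that samples silently hides its own blind spot, so the report should say when inspection fell below 100%.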
3-3 Switched Networks
• Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not possible with switched networks
• Intrusion detection in the switch is the future direction, not really here yet
• Host-based is one reasonable solution

Promiscuous mode allows the network interface adapter to collect all the packets, not just the ones addressed to the machine. Until switched networks, this was a very efficient way to collect packets. A switch is ...