Wednesday, 08 July 2009

The key to network security: intrusion-prevention systems augment the defenses provided by firewalls and antivirus software

Communications News, Sept, 2005 by Mark Heslop

Today, enterprises should seriously consider integrating intrusion-prevention systems (IPS) as a critical element of their existing security infrastructure to thwart both internal and external network attacks. One of the most misunderstood threats is the one coming from inside the firewall: the credentialed user. The problem is compounded by mobile users whose laptops unwittingly pick up malware on other, less secure networks they have connected to and then release it into the enterprise network.

In addition, there are an increasing number of unauthorized services, users and applications living on networks today. These include instant messaging, peer-to-peer applications, rogue e-mail, FTP and Web servers. Most companies have policies in place that prohibit these kinds of services; however, a lack of visibility increases the difficulty in policing this traffic, so many rogue services live on, and networks remain vulnerable.

For example, popular file- and music-sharing applications may open up ports and allow unauthorized back door access, increasing vulnerability. End-users have no idea they are downloading malicious code hidden inside the music, video or other file type.

Worms such as Sobig and Bagle propagate this way and can trigger mass mailings to a user's personal contact list; others install applications such as IRC bots that wake up at predesignated times and execute specific instructions to cause harm. For example, Internet relay chat bots can launch distributed denial-of-service (DDoS) attacks against well-known Internet sites at a preset time.

Today's networked businesses are no longer simple architectures requiring just a firewall and antivirus to protect the perimeter. Extension of the business network through virtual private networks (VPNs) and Web-enabled applications has blurred the distinction between internal and external users.

Most businesses are now highly interconnected, and advances in networking and communication technologies, combined with Web-enabled applications, have reduced the financial barriers or the traditional "cost of connectivity." Inexpensive access has created highly efficient communications with both partners and employees, bringing together the right people with essential data and applications at the optimal time.

The benefits of these connections are obvious; however, they come with little control over the security of these "semi-trusted" networks. Traffic from these external networks should be rigorously monitored.

An offshore contractor, for example, directly linked into your software development group, may not be as vigilant about security and may deliver infected traffic into the network. An IPS in the path would analyze and block that traffic before it could do significant damage.

Various emerging threats should cause concern for any network administrator, and could be combated in part or fully by an effective IPS installation. These include:

* Phishing (including pharming and spear phishing). These information traps require some human intervention; however, the reliance on spam to propagate gives the IPS a chance to contribute to their detection and disarming.

* Mobile malicious code. PDAs and smartphones are increasingly becoming targets for viruses and worms. Most of these devices are unprotected and must be monitored as their use for external network access increases.

* Blended threats. Worms with multiple infection and entry methods; stopping their lightning-quick movement requires a combination of strong policies, updated signature files and network visibility.

* Industrial system security. Power and gas companies, traditionally run on siloed networks, are becoming internetworked and increasingly customer facing, which opens these vital services to external threats.

Today's IPS products support multiple detection methods (signature, protocol anomaly and behavioral anomaly), as well as addressing a range of performance needs. These systems are effective in protecting against a wide range of threats from both inside and outside the network. The real challenge that an IPS faces is in its ability to:

* monitor and manage an ever-increasing volume of network security data;

* handle a large volume of threats from multiple IPS devices across large enterprise networks; and

* validate attacks with aggregation and correlation of information from devices like intrusion-detection systems (IDS), firewalls and vulnerability-assessment devices, including accurate analysis and actionable reporting.
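To make the three detection methods named above concrete, here is an added example that is not part of the original article or any vendor's product: a small Python analyzer that runs signature matching, protocol-anomaly checking and a behavioural fan-out check over constructed packet records. The rule names (SIG-IRC-JOIN, PROTO-NON-HTTP-ON-80, BEHAV-FANOUT), the byte patterns, the 20-destination baseline and all addresses are assumptions chosen for illustration, not real IPS signatures.

```python
"""Signature, protocol-anomaly and behavioural-anomaly detection over
constructed packet records (added example; not the article's or a vendor's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Packet:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# Constructed byte-pattern signatures for illustration, not real vendor rules.
SIGNATURES = {
    "SIG-IRC-JOIN": b"JOIN #",                  # IRC channel join (bot command channel)
    "SIG-BT-HANDSHAKE": b"\x13BitTorrent protocol",  # peer-to-peer handshake
}


def signature_hits(pkt):
    """Signature detection: exact byte-pattern match anywhere in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def protocol_anomaly(pkt):
    """Protocol-anomaly detection: the payload must conform to the protocol
    expected on the port. Here tcp/80 must start with an HTTP request line;
    anything else (e.g. an IRC bot hiding on port 80) is flagged."""
    if pkt.proto == "tcp" and pkt.dport == 80 and pkt.payload:
        if not pkt.payload.startswith(HTTP_METHODS):
            return "PROTO-NON-HTTP-ON-80"
    return None


class FanOutDetector:
    """Behavioural-anomaly detection: a source contacting more distinct
    destinations inside a sliding window than the baseline (assumed: 20 per
    60 s) is flagged as a mass-mailer or scanning worm, whatever the payload."""

    def __init__(self, window=timedelta(seconds=60), max_distinct=20):
        self.window = window
        self.max_distinct = max_distinct
        self.history = defaultdict(deque)  # src -> deque of (ts, dst)
        self.alerted = set()               # fire once per source

    def observe(self, pkt):
        q = self.history[pkt.src]
        q.append((pkt.ts, pkt.dst))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct > self.max_distinct and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return f"BEHAV-FANOUT:{distinct}-dsts"
        return None


def analyze(packets, fanout=None):
    """Run all three methods in order; returns (method, rule, source) tuples."""
    fanout = fanout or FanOutDetector()
    alerts = []
    for pkt in packets:
        for sig in signature_hits(pkt):
            alerts.append(("signature", sig, pkt.src))
        anomaly = protocol_anomaly(pkt)
        if anomaly:
            alerts.append(("protocol", anomaly, pkt.src))
        behaviour = fanout.observe(pkt)
        if behaviour:
            alerts.append(("behavioural", behaviour, pkt.src))
    return alerts


def sample_packets():
    """Constructed traffic: one normal HTTP request, an IRC bot talking to its
    controller on tcp/80 to evade port-based filtering, and an infected laptop
    opening SMTP sessions to 25 different hosts within half a minute."""
    t0 = datetime(2005, 9, 1, 9, 0, 0)
    pkts = [
        Packet(t0, "10.0.0.5", "203.0.113.10", 80, "tcp",
               b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        Packet(t0 + timedelta(seconds=1), "10.0.0.7", "198.51.100.9", 80, "tcp",
               b"NICK bot1\r\nJOIN #cmd\r\n"),
    ]
    for i in range(25):
        pkts.append(Packet(t0 + timedelta(seconds=2 + i), "10.0.0.9",
                           f"192.0.2.{i + 1}", 25, "tcp", b"EHLO laptop\r\n"))
    return pkts


if __name__ == "__main__":
    for alert in analyze(sample_packets()):
        print(alert)
```

The normal request produces nothing; the bot trips both the signature and the protocol check (two independent views of one event); the mass-mailer trips only the behavioural check, which is the point of running all three, since a worm whose payload no signature yet covers is still visible by its traffic shape.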

A high-performance, low-cost complementary threat-management solution--tightly integrated with the IPS solution and able to manage a wide range of events in real-time across the enterprise--is what is needed. Additionally, these systems should be able to analyze packet flow reports, anomaly warnings and other security information from IPS devices, and rapidly correlate viruses/worms, hackers, spyware and off-policy user behavior.

IPS solutions should scale to manage the volume of security threats occurring across the network. Functionality that aggregates and correlates large amounts of data in real time across hundreds of distributed IPS units is essential. Future IPS requirements will include the ability to collect and analyze threats and data from other devices, such as firewalls, IDS and vulnerability-assessment tools. Improved reporting functionality, including real-time flow monitoring that captures and analyzes every packet flowing through the network, will also become increasingly critical over time.
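The aggregation and correlation the last three paragraphs call for can be shown on a small scale. The following is an added example, not the article's or any product's code: alerts from several IPS sensors are collapsed into one record per attack, then each record is cross-checked against firewall logs (did the flow actually get through?) and vulnerability-assessment results (is the target actually exposed to what the signature exploits?) to set a priority. Sensor names, signature names, the SIGNATURE_TARGETS mapping, the priority scheme and all addresses are constructed assumptions.

```python
"""Multi-sensor IPS alert aggregation and cross-device correlation
(added example; constructed data, not real signatures or devices)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsAlert:
    sensor: str
    src: str
    dst: str
    dport: int
    signature: str


@dataclass(frozen=True)
class FirewallEvent:
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"


# Assumed mapping from a signature to the weakness class it exploits, so an
# alert can be matched against vulnerability-assessment findings for the target.
SIGNATURE_TARGETS = {
    "SIG-SMTP-OVERFLOW": "smtp-buffer-overflow",
    "SIG-WEB-TRAVERSAL": "web-path-traversal",
}

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


def aggregate(alerts):
    """Collapse the same attack reported by several sensors into one record
    keyed by (src, dst, dport, signature) with the sorted list of sensors."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a.src, a.dst, a.dport, a.signature)].add(a.sensor)
    return {key: sorted(sensors) for key, sensors in seen.items()}


def correlate(alerts, firewall_events, vuln_scan):
    """Validate each aggregated alert against firewall and VA data.

    vuln_scan maps host -> set of weakness classes the scanner confirmed.
    Priority: denied by firewall -> low (never reached the host);
              allowed and target known-vulnerable -> high;
              allowed but no VA evidence of exposure -> medium."""
    allowed = {(e.src, e.dst, e.dport) for e in firewall_events if e.action == "allow"}
    denied = {(e.src, e.dst, e.dport) for e in firewall_events if e.action == "deny"}
    results = []
    for (src, dst, dport, sig), sensors in aggregate(alerts).items():
        flow = (src, dst, dport)
        fw_state = "allowed" if flow in allowed else "denied" if flow in denied else "unknown"
        weakness = SIGNATURE_TARGETS.get(sig)
        vulnerable = weakness is not None and weakness in vuln_scan.get(dst, set())
        if fw_state == "denied":
            priority = "low"
        elif vulnerable:
            priority = "high"
        else:
            priority = "medium"
        results.append({
            "src": src, "dst": dst, "dport": dport, "signature": sig,
            "sensors": sensors, "firewall": fw_state,
            "target_vulnerable": vulnerable, "priority": priority,
        })
    return sorted(results, key=lambda r: PRIORITY_RANK[r["priority"]])


def sample_data():
    """Constructed inputs from three IPS sensors, one firewall and one VA scan."""
    alerts = [
        IpsAlert("ips-dmz", "198.51.100.77", "10.0.1.20", 25, "SIG-SMTP-OVERFLOW"),
        IpsAlert("ips-core", "198.51.100.77", "10.0.1.20", 25, "SIG-SMTP-OVERFLOW"),
        IpsAlert("ips-dmz", "198.51.100.77", "10.0.1.30", 80, "SIG-WEB-TRAVERSAL"),
        IpsAlert("ips-core", "10.0.2.5", "10.0.1.30", 80, "SIG-WEB-TRAVERSAL"),
    ]
    firewall = [
        FirewallEvent("198.51.100.77", "10.0.1.20", 25, "allow"),
        FirewallEvent("198.51.100.77", "10.0.1.30", 80, "deny"),
        FirewallEvent("10.0.2.5", "10.0.1.30", 80, "allow"),
    ]
    vuln_scan = {
        "10.0.1.20": {"smtp-buffer-overflow"},  # unpatched mail relay
        "10.0.1.30": set(),                     # web server scanned clean
    }
    return alerts, firewall, vuln_scan


if __name__ == "__main__":
    for record in correlate(*sample_data()):
        print(record["priority"], record["signature"], record["src"], "->",
              record["dst"], "seen by", record["sensors"])
```

Two sensors reporting the same SMTP attack become one high-priority record rather than two tickets; the web attack the firewall dropped sinks to the bottom of the queue; and the internal host probing the web server, which passed the firewall but targets a server the scanner found clean, lands in the middle for an analyst to confirm.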
