Page 177 - DCAP516_COMPUTER_SECURITY
Unit 14: Intrusion Detection System and Secure E-mail
should be allowed to pass. In addition, they enforce access control over the ports they leave
open, so that only traffic from allowed IP addresses gets through. For these reasons, firewalls
have proven effective against many types of intrusions.
Of course, organizations cannot use a firewall to block everything from passing through, as key
business-critical applications are required to access external networks and to allow access from
outside. Security is always a balance between accessibility and potential vulnerability, and
organizations need to keep this balance. Potential attackers will learn to exploit any entry left
open.
Attacks can take many forms and manifest in multiple ways against which a firewall, being based
on access control, is not built to protect. Hybrid attacks, Denial of Service (DoS) attacks,
Distributed Denial of Service (DDoS) attacks, application-level attacks and protocol anomalies
get through most firewall deployments.
Some companies deploy Intrusion Detection Systems (IDS), which inspect the network traffic
and report their findings to log files and databases. IDS tools continue to be instrumental in
providing forensics about attacks and in determining over time which segments of the network
have become compromised. While IDSs facilitate record-keeping, an alarm function, and eventual
analysis and remediation, they do not prevent or mitigate damage from malicious attacks in
real time: by the time they report, the proverbial horse has already bolted.
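To make the contrast concrete, here is an added toy model (not code from the textbook) of the two controls described above: a packet filter that admits traffic only on open ports from allowed source addresses, and a signature IDS that inspects the payload of whatever gets through and only logs matches. The addresses, rules, signature strings and packets are all constructed sample values; the model also shows a payload variant with no signature passing both controls unreported, the signature-evasion case raised later in this section.

```python
# Added illustration (not the textbook's code): a toy port/address packet filter
# beside a toy signature IDS. Every packet, rule and signature is constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst_port payload")

class Firewall:
    """Access control only: open port -> source networks allowed to reach it."""
    def __init__(self, rules):
        self.rules = {p: [ip_network(n) for n in nets] for p, nets in rules.items()}

    def allows(self, pkt):
        nets = self.rules.get(pkt.dst_port)
        if nets is None:  # port not open at all
            return False
        return any(ip_address(pkt.src) in net for net in nets)

class SignatureIDS:
    """Content inspection: writes matches to a log but never drops traffic."""
    def __init__(self, signatures):
        self.signatures = signatures  # name -> byte pattern
        self.log = []

    def inspect(self, pkt):
        hits = [n for n, pat in self.signatures.items() if pat in pkt.payload]
        for n in hits:
            self.log.append(f"ALERT {n} src={pkt.src} dport={pkt.dst_port}")
        return hits

def process(fw, ids, packets):
    """Firewall first, then IDS; returns (delivered packets, alert names)."""
    delivered, alerts = [], []
    for pkt in packets:
        if not fw.allows(pkt):
            continue  # dropped on address/port; payload never examined
        alerts += ids.inspect(pkt)
        delivered.append(pkt)
    return delivered, alerts

def run_sample():
    fw = Firewall({80: ["0.0.0.0/0"], 22: ["10.0.0.0/8"]})  # web to all, ssh to LAN
    ids = SignatureIDS({"known-probe": b"PROBE-STRING-A"})  # constructed signature
    packets = [
        Packet("203.0.113.5", 22, b"ssh"),                     # outsider to ssh: dropped
        Packet("203.0.113.5", 80, b"GET / HTTP/1.1"),          # ordinary web request
        Packet("203.0.113.5", 80, b"GET /?q=PROBE-STRING-A"),  # matches: logged, delivered
        Packet("203.0.113.5", 80, b"GET /?q=PROBE-STRING-B"),  # variant, no signature: silent
    ]
    return (*process(fw, ids, packets), ids.log)
```

Running `run_sample()` delivers three of the four packets: the firewall stops only the address/port violation, and the IDS log records the signed payload while the unsigned variant passes without a trace.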
14.1 Intruders
One of the most publicized threats to security is the intruder, generally referred to as a hacker or
cracker. In an important early study of intrusion, Anderson identified three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates
a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such
access is not authorized, or who is authorized for such access but misuses his or her
privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses
this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the
clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale there are
many people who simply wish to explore networks and see what is out there. At the serious end
are individuals who are attempting to read privileged data, perform unauthorized modifications
to data, or disrupt the system.
Benign intruders might be tolerable, although they do consume resources and may slow
performance for legitimate users. However, there is no way to know in advance whether an
intruder will be benign or malign. Consequently, even for systems with no particularly sensitive
resources, there is a motivation to control this problem.
Intruders attempt to exploit networks in various ways. Some use other computers to launch
attacks. This is done by customizing malicious software to cripple a system. Malware is currently
one of the biggest threats facing computer networks. Targeted attacks that focus on a
single network are often able to avoid signature detection. Because the malware is designed to
penetrate a certain form of network computer security, it is likely that no signature exists. This
means that no detection mechanism, whether an anti-virus or an intrusion detection solution,
will be able to identify it. Malicious software can also be hidden from detection through
LOVELY PROFESSIONAL UNIVERSITY 171