Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



PART 1
Before Intrusion Detection: Traditional Computer Security

Most people think of computer security as trying to prevent things from going wrong. Even in recent history, which includes firewalls, this approach by itself has not been successful. In the first part of this book, you see how regularly deployed security products fit your needs and how they leave you looking for more. Knowing the strengths and weaknesses of different types of security products is key to seeing how intrusion detection can add value at your site. To accomplish this goal, you learn about the following:

  A standard security model that can be used to think critically about how products fit into your strategy
  The role of identification and authentication products and problems they do and do not solve
  Standard access control capabilities in operating systems and how you can improve upon your defenses
  How firewalls and other techniques can strengthen your network security and leave you looking for more
  Why you still need intrusion detection even if you add these other defenses

Chapter 1
Intrusion Detection and the Classic Security Model

Intrusion detection is a hot topic. In the last few months, several intrusion-detection companies have been gobbled up by larger security companies. All vendors want to make their security solutions different from their competitors, and adding an intrusion detection system (IDS) is one way to get ahead. But, why does anyone need an IDS? To really understand the answer, you have to get back to basics.

Computer security is a complex topic. To be precise about what you say, and what other people are saying as well, it’s best to think in simple terms. Therefore, this chapter describes a basic security model that is at the heart of your environment. No matter how complicated your computers or networks might be, you can look at any subset and think about it in terms of subjects, objects, and access control.

Back to Basics: The Classic Security Model

The universe is a complex beast, but it can also be reduced to a few simple nouns and verbs at the subatomic level, although you don’t need to understand the universe at this level to drive to work. To deploy computer security solutions, you do need to think about the underlying details of each part of your environment in order to reduce the likelihood of security breaches. You should challenge yourself to understand components at your site and ask, “Hey, what’s really happening under the covers here?” If someone approaches you and wants to deploy a new application, you should start with the same questions each time: Who are the subjects? What are the objects? How are accesses regulated? Who administers the security?

You’ll want to ask plenty of other questions, which all stem from your understanding of a basic computer security model. In the first section of this chapter, you find some generally accepted goals of computer security. When you know what to expect from computer security, the next task is to find a useful way of determining whether your expectations are being met. To accomplish this, you gradually construct the security model beginning with simple abstract principles. The chapter closes with a classification scheme useful for understanding the relative roles of different products you might have at your site and how an IDS fits into the scheme.

Each site should have a well-defined security policy describing how information is to be handled. This same security policy might be enforced by a combination of different security models, because a security model is an abstraction that can be implemented in numerous ways. A product that implements a security model provides a vehicle which you can use to enforce a security policy. The same security model can support other security policies, too. Every product you use to enhance your site security could introduce its own security model. Many of the models interact when products are combined at a site. For example, a firewall and the operating system work together to provide a secure Internet connection for your company. Both the firewall and the operating system have different roles and responsibilities in delivering the total solution. The firewall depends upon the operating system to provide a safe environment in which the firewall’s programs can run. If the operating system’s kernel has been compromised, the firewall cannot be depended upon to fulfill its role. Because of interactions like this, you need to know what constitutes a basic security model and how you might evaluate one.

Briefly, a security model defines entities and the rules that govern how these entities interact or reference one another. You already are familiar with many different entities in your networks—users, groups, files, routers, workstations, printers, disk drives, application programs, clients, servers, and network adapters. These entities interact and reference each other in many different ways in computer networks. Access control rules constrain how entities reference and interact with each other. An access control rule you frequently encounter is one limiting which users are allowed to read a particular file on a computer. You probably can think of several other examples, which indicates that you already understand the concepts underlying security models.
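As an added illustration of the two preceding paragraphs (this code is not from the book), here is a toy security model in exactly the chapter's terms: subjects (users and groups), objects (named resources), and access control rules that constrain which references are permitted, evaluated by a default-deny check. Two different rule sets are built on the same model to show how one model can enforce more than one policy; the user names, groups and file names are constructed sample data.

```python
# Added example, not the book's code: a minimal subject/object/access-rule model.
# Subjects are user names or "group:<name>"; objects are resource names;
# a rule is a (subject, object, right) triple. Anything not granted is denied.

class SecurityModel:
    def __init__(self, groups):
        self.groups = groups          # group name -> set of member user names
        self.rules = []               # list of (subject, object, right) triples

    def add_rule(self, subject, obj, *rights):
        # A rule states that a subject may exercise the given rights on an object.
        for right in rights:
            self.rules.append((subject, obj, right))

    def subjects_of(self, user):
        # A user acts as itself and as every group it belongs to.
        names = {user}
        for group, members in self.groups.items():
            if user in members:
                names.add("group:" + group)
        return names

    def allowed(self, user, obj, right):
        # Reference check: the access succeeds only if some rule grants it.
        acting_as = self.subjects_of(user)
        return any(s in acting_as and o == obj and r == right
                   for s, o, r in self.rules)


# Constructed sample subjects.
GROUPS = {"payroll": {"alice", "bob"}, "audit": {"carol"}}

def policy_confidential():
    # Policy 1: only payroll reads and writes salaries; auditors read the report.
    m = SecurityModel(GROUPS)
    m.add_rule("group:payroll", "/data/salaries", "read", "write")
    m.add_rule("group:audit", "/data/report", "read")
    return m

def policy_open_review():
    # Policy 2 on the same model: auditors may also read salaries, and nobody
    # may write them while the review is open.
    m = SecurityModel(GROUPS)
    m.add_rule("group:payroll", "/data/salaries", "read")
    m.add_rule("group:audit", "/data/salaries", "read")
    m.add_rule("group:audit", "/data/report", "read")
    return m

if __name__ == "__main__":
    for name, m in (("confidential", policy_confidential()),
                    ("review", policy_open_review())):
        for user, obj, right in (("alice", "/data/salaries", "write"),
                                 ("carol", "/data/salaries", "read"),
                                 ("dave", "/data/report", "read")):
            verdict = "allow" if m.allowed(user, obj, right) else "deny"
            print(f"{name}: {user} {right} {obj} -> {verdict}")
```

Running the block prints each request's verdict under both policies; "dave", who belongs to no group and appears in no rule, is denied everything under both, which is the default-deny property a reference check should have.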

Before exploring the basic security model, think about why security is needed in the first place. A security model, implemented by one or more products, should provide value for you, by attempting to satisfy three primary goals.

Goals of Computer Security

To appreciate why intrusion-detection products are now being added to improve security, you need to know the goals that security products are trying to satisfy. Because these goals are not being completely achieved with traditional products, enterprises are now deploying or investigating intrusion-detection solutions.

The acronym CIA is a clever, easily remembered string that represents three central goals in computer security:

Confidentiality. Protection of data so that it is not disclosed in an unauthorized fashion.
Integrity. Protection against unauthorized modifications to data.
Availability. Protection from unauthorized attempts to withhold information or computer resources.

