Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Existing Data Source or New Data Source

A network monitoring program usually sits on the network and examines network traffic. It does not add a new data source; rather, it relies on data already being shipped throughout the network. Other programs introduce a new data source for making security decisions.

For example, you might want to monitor your Web site for suspicious behavior. To accomplish this, your Web server could write a log record each time a remote system accessed a file in a protected directory. These log records are not currently being kept, but they must be stored if you expect to monitor the activity. The program that monitors this log for suspicious activities depends upon this data to work properly, so a new data source has been introduced into your environment. Consequences of adding this new data source include the need for additional storage and possible performance degradation due to logging.
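As an added illustration of the monitoring program this paragraph describes (example code, not from the book), the following Python script reads the new log data source and flags suspicious activity against the protected directory. Everything specific in it is an assumption made for the example: the log lines are constructed in NCSA common log format, the watched directory is `/protected/`, the "internal" network range is `10.0.0.0/8`, and the alert threshold is two authentication failures from one host.

```python
"""Added example: a minimal monitor for a Web server access log.

Assumptions (not from the book): NCSA common log format, a protected
directory prefix of /protected/, and an internal network of 10.0.0.0/8.
The sample log lines are constructed for illustration, not real traffic.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in NCSA common log format.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/1998:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - alice [12/Mar/1998:10:01:07 -0500] "GET /protected/report.doc HTTP/1.0" 200 20480
192.0.2.44 - - [12/Mar/1998:10:02:15 -0500] "GET /protected/report.doc HTTP/1.0" 401 312
192.0.2.44 - - [12/Mar/1998:10:02:16 -0500] "GET /protected/payroll.xls HTTP/1.0" 401 312
192.0.2.44 - - [12/Mar/1998:10:02:17 -0500] "GET /protected/../etc/passwd HTTP/1.0" 404 209
192.0.2.44 - bob [12/Mar/1998:10:02:30 -0500] "GET /protected/report.doc HTTP/1.0" 200 20480
10.0.0.9 - carol [12/Mar/1998:10:05:00 -0500] "GET /protected/notes.txt HTTP/1.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

PROTECTED_PREFIX = "/protected/"             # assumption: the directory being watched
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: where authorized users come from
AUTH_FAILURE_THRESHOLD = 2                   # repeated 401s from one host before alerting


def parse_line(line):
    """Parse one NCSA-style log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_internal(host):
    """True if the client address falls inside one of the internal networks."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (host, reason) findings for requests under the protected directory.

    Three signals are checked: a request path that tries to step out of the
    directory with '..', repeated authentication failures from one host, and a
    successful protected access from a host outside the internal networks.
    """
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PROTECTED_PREFIX):
            continue
        host = rec["host"]
        if ".." in rec["path"].split("/"):
            findings.append((host, f"path traversal attempt: {rec['path']}"))
        if rec["status"] == 401:
            failures[host] += 1
            if failures[host] == AUTH_FAILURE_THRESHOLD:
                findings.append((host, f"{AUTH_FAILURE_THRESHOLD} authentication failures on protected files"))
        elif rec["status"] == 200 and not is_internal(host):
            findings.append((host, f"successful protected access from external host as user {rec['user']}"))
    return findings


if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Run against the constructed sample, the monitor reports three findings, all for `192.0.2.44`: two authentication failures, a path containing `..`, and a successful download by `bob` from outside the internal network. Note that the monitor only works because the server now writes one record per protected access, which is exactly the storage and performance cost the paragraph warns about.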

Note that all of these design alternatives involve tradeoffs. Know the tradeoffs and decide what you are willing to accept. You will be doing both the vendor and yourself a favor if you candidly discuss your opinions on the tradeoffs chosen. You do not want to invest time in a product that will not meet your needs in the long run, and no vendor is capable of satisfying everyone.

Prevention, Detection, and Response with Intrusion Detection

Experienced security professionals realize the value of the triad of prevention, detection, and response (Smaha and Winslow, 1994). One of the best defenses is to build formidable preventative mechanisms. However, in practice, prevention alone is insufficient. Program bugs and other human errors have resulted in numerous security breaches in the past.

A security policy also must be monitored for violations. That is, you want to detect any security breaches that are caused by configuration problems or slack policies. Finally, because security solutions must scale, it should be possible to define automated responses to security incidents. Care is, of course, needed: you do not want a response policy that tries to terminate all of the processes running on behalf of a perpetrator, especially if this affects the availability of resources that are crucial to your business.

In addition to knowing which of the four product categories a product falls into, consider to what degree a security offering provides features for prevention, detection, and response. Preventative tools that improve upon I&A, access control, and network security are now being augmented with intrusion detection and responses. Connecting to the Internet requires a firewall at a minimum. For the best solution, you also should use IDSs to scan for problems and detect intruders in real time. Successfully securing your environment requires a mix of products, and understanding the benefits and features each product brings to your environment is the focus of the remaining chapters.

Where to Go from Here

Now you see how intrusion detection enhances the traditional approach to security. You definitely need I&A solutions. Certainly, preventative tools are required to lock down your systems and networks. As you see in the first part of this book, ways to get around these traditional products still exist, and this is where intrusion detection can help. You need to add detection and response to your preventative techniques.

In this chapter, you learned the fundamental components needed to create a secure environment. Three primary goals of security were identified. A security model was gradually constructed from basic principles beginning with subjects and objects. The reference monitor concept was introduced to control access requests by subjects to objects. Identification and authentication, an access control database, and auditing were added to the model. The purpose of starting with these fundamentals is to provide a context within which to discuss products in subsequent chapters. When you read about products in chapters to come, continually ask yourself these questions:

  What are the subjects?
  What are the objects?
  How do they interact?
  Where is the reference monitor?
  How do you specify a security policy?
  How do you specify access control within the security policy?
  How are subjects identified and authenticated to the system?
  How does the product assist with confidentiality, integrity, and availability?
  Does the product interact with other products? Does it have trust relationships?
  What are the boundaries of the product? Are there weaknesses at the boundaries?

Only by critically examining these issues will you be able to carefully evaluate whether a product meets your needs. As you discover the answers to these questions when they are applied to traditional security products, you will see the value that intrusion detection can bring to your site.
