ResearchPaper:Information Security Technologies


8/12/2019 ResearchPaper:Information Security Technologies


Research Paper: Information Security Technologies

    by

    Benjamin Tomhave

    November 10, 2004

    Prepared for:

Professor Dave Carothers, EMSE 218

The George Washington University

This paper or presentation is my own work. Any assistance received in its preparation is acknowledged within the paper or presentation, in accordance with academic practice. If I used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the sources fully and completely in footnotes and bibliography entries. This includes sources which I have quoted or paraphrased. Furthermore, I certify that this paper or presentation was prepared by me specifically for this class and has not been submitted, in whole or in part, to any other class in this University or elsewhere, or used for any purpose other than satisfying the requirements of this class, except that I am allowed to submit the paper or presentation to a professional publication, peer reviewed journal, or professional conference. In adding my name following the word Signature, I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature.

Signature: Benjamin L. Tomhave

Benjamin L. Tomhave 12/7/2004 1


    Abstract

The following research paper provides analysis of thirteen (13) information security technology topics, arranged in ten (10) groups, that are either commonly found or emerging within the information security industry. These topics include: Access Control Management, Antivirus, Audit Data Reduction, Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Anomaly Detection Systems (ADS), Event Correlation Systems (ECS), Network Mapping, Password Cracking, Public [...] each technology within the modern information security and business context, looking at how it meets business needs while addressing Confidentiality, Integrity and Availability as a Countermeasure that Detects, Corrects and/or Protects.


    Table of Contents

I. INTRODUCTION AND OVERVIEW OF APPROACH

II. ACCESS CONTROL MANAGEMENT
    A. Business Analysis
    B. Security Analysis

III. ANTIVIRUS
    A. Business Analysis
    B. Security Analysis

IV. AUDIT DATA REDUCTION
    A. Business Analysis
    B. Security Analysis

V. FIREWALLS
    A. Business Analysis
    B. Security Analysis

VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS
    A. Intrusion Detection Systems (IDS)
        1. Business Analysis
        2. Security Analysis
    B. Intrusion Prevention Systems (IPS)
        1. Business Analysis
        2. Security Analysis
    C. Event Correlation Systems (ECS)
        1. Business Analysis
        2. Security Analysis
    D. Anomaly Detection Systems (ADS)
        1. Business Analysis
        2. Security Analysis

VII. NETWORK MAPPING
    A. Business Analysis
    B. Security Analysis

VIII. PASSWORD CRACKING [...]


I. INTRODUCTION AND OVERVIEW OF APPROACH

This research paper introduces and analyzes ten (10) information security technologies. Each of the following sections focuses on a specific technology and adheres to the following general format:

o Technology Overview: A high-level introduction to the technology.

o Business Analysis: An evaluation of the usefulness, cost, complexity, and utility of the technology in the modern business environment.

o Security Analysis: The security technology is weighed against the tenets of Confidentiality, Integrity and Availability, and its role as a countermeasure (detect, correct, protect) is evaluated.

The ten security technologies addressed in this paper are:

1. Access Control Management

2. Antivirus

3. Audit Data Reduction

4. Firewalls

5. Intrusion Detection and Analysis Systems

6. Network Mapping


7. Password Cracking

8. Public [...]


[...] being to classify data systems according to value and allocate protection mechanisms in accordance with the value of the resource. According to Tipton and [...]


[...] increasing in popularity and are predicted to save companies millions of dollars in the coming years.³

B. Security Analysis

An access control management system has the potential for impacting all three tenets of information security (Confidentiality, Integrity and Availability). The primary role of an ACM solution is to protect the confidentiality of a resource by restricting access to the resource. Additionally, an ACM solution will control the attributes of the access, such as read, write and execute. For example, in the case of a data file, an ACM system may grant a user read access, but deny access to write or modify the data within the file.

Under a DAC model, access controls are managed directly by the resource owner. In a MAC model, the system dictates what level of access may be granted to a resource, typically by comparing a security label on the object with the clearance of the subject; the owner cannot override that decision. Finally, RBAC assigns access based on the rights of a group (or role) within the system. All users who share a given role have the same access. This approach contrasts with DAC, where each user may have a unique set of rights. MAC is similar to RBAC in that access is derived from an attribute the system assigns to the subject (a label in one case, a role in the other) rather than from the owner's choices. However, the inner operations of a MAC differ distinctly from those of an RBAC; a discussion of which exceeds the scope of this document.
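The three models can be compared concretely by putting the same request through three decision functions. The following is an added illustration, not code from the paper; the subjects, the object, its ACL, the labels and the role table are constructed sample data, and the MAC rule used is the Bell-LaPadula "no read up / no write down" rule, which the paper does not name.

```python
"""One access request, three policies: DAC, MAC and RBAC side by side.

Added example; not from the paper. All subjects, objects, labels and roles
below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered sensitivity labels for the MAC policy (low -> high). Assumed lattice.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}


@dataclass
class Subject:
    name: str
    clearance: str                             # MAC: label assigned by the system
    roles: set = field(default_factory=set)    # RBAC: roles assigned by the system


@dataclass
class Obj:
    name: str
    owner: str                                 # DAC: the owner decides
    label: str                                 # MAC: classification of the object
    acl: dict = field(default_factory=dict)    # DAC: user -> set of rights


def dac_allows(subject: Subject, obj: Obj, right: str) -> bool:
    """DAC: the owner has full rights and hands out rights to others via the ACL."""
    if subject.name == obj.owner:
        return True
    return right in obj.acl.get(subject.name, set())


def mac_allows(subject: Subject, obj: Obj, right: str) -> bool:
    """MAC (Bell-LaPadula confidentiality rule, assumed here): the system compares
    labels and the owner's ACL plays no part. Read needs clearance >= label
    (no read up); write needs clearance <= label (no write down). Note that
    this permits writing *up*, which real systems usually constrain further."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


# RBAC: rights attach to roles, never to individual users. Constructed table.
ROLE_RIGHTS = {"auditor": {"read"}, "editor": {"read", "write"}}


def rbac_allows(subject: Subject, obj: Obj, right: str) -> bool:
    """RBAC: granted if any role the subject holds carries the right."""
    return any(right in ROLE_RIGHTS.get(r, set()) for r in subject.roles)


def decide(subject: Subject, obj: Obj, right: str) -> dict:
    """Evaluate the same request under all three models."""
    return {
        "dac": dac_allows(subject, obj, right),
        "mac": mac_allows(subject, obj, right),
        "rbac": rbac_allows(subject, obj, right),
    }


# Constructed sample: a SECRET report owned by alice; alice has granted bob
# read access in the ACL, but bob is only cleared to INTERNAL.
alice = Subject("alice", "SECRET", {"editor"})
bob = Subject("bob", "INTERNAL", {"auditor"})
report = Obj("q3-report", owner="alice", label="SECRET", acl={"bob": {"read"}})

if __name__ == "__main__":
    for who, right in ((bob, "read"), (bob, "write"), (alice, "write")):
        print(f"{who.name} {right}: {decide(who, report, right)}")
```

The interesting row is bob's read: DAC allows it because the owner said so, RBAC allows it because auditors may read, but MAC refuses it because an INTERNAL clearance cannot read a SECRET object regardless of what the owner wants. That is the practical difference between owner-managed and system-managed control.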

Access control management systems hinge on the proper identification of subjects trying to access objects. The process of positively identifying a subject is called authentication.

3 National Institute of Standards and Technology, NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program (Washington: NIST, 2002), accessed 12 October 2004; available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.


The authentication process usually occurs when a subject self-identifies and then responds to a systematic challenge of the identity. This challenge is based on what you know, what you have or who you are. A password is an example of something that you may know, and is currently the most common method of proving identity. A token is an example of something that you have, and biometrics is an example of who you are. Biometrics is a method of identification based on the physical characteristics of a human being, such as a fingerprint, iris scan or retinal scan. Biometrics, though holding significant promise as part of an access control management system, also has significant drawbacks, such as acceptability to users, reliability and resistance to counterfeiting.⁴

The future of access control management systems appears to be in the direction of multi-factor authentication, oftentimes making use of passwords in combination with tokens or biometrics. Beyond the current trend, it seems likely that passwords will eventually be rendered completely obsolete in favor of some form of token or biometric becoming the first, if not only, form of authentication. Specifically, use of numeric or data tokens is on the increase and projected to continue gaining in popularity and acceptance. Major international Internet Service Provider America Online has recently announced the availability of numeric tokens for users as a second factor for authentication. Additionally, as public key infrastructure solutions (see Section [...] below) mature and gain in prevalence, the use of data tokens will increase in importance. For example, a bank will be able to issue a USB-based data token to a customer. On the data token will be the customer's unique identifier in the form of a digital certificate. This certificate will be managed through a central Certificate Authority and will be used both for authentication and for encrypting and digitally signing communication and transactions.

Thus, access control management will not only continue its central role within information security, but it will also grow in scope, adding more extensive capabilities for positively impacting confidentiality and integrity. Additionally, besides protecting resources, it may also include extended capabilities that will allow for easier detection of attacks and possibly even automatic methods for correcting violations of integrity.

4 Donald R. Richards, "Biometric Identification," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki [...]

III. ANTIVIRUS

The first computer virus credited with being found "in the wild" is believed to be a program called "Elk Cloner" that targeted Apple DOS 3.3.⁵ The term "virus" may actually have originated in the 1970s in science fiction literature, though as a concept it has likely been around since the 1960s.⁶ Traditionally, "[a] virus is simply a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed."⁷ In the modern context, this traditional form of malicious code, or malware, is less common. Instead, it is far more common to see variations on this original theme in the form of "worms" and "Trojan horses" that infect a computer system either through direct execution or through some form of network-based replication method. In the modern context, hybrid malware programs typically replicate through worm-like behaviour that preys on vulnerabilities in operating systems or through social engineering attacks, and then set up backdoors via the Trojan horse mechanism. This backdoor can then allow the attacker to remotely access and control an infected system, allowing for the perpetration of other illicit activities, such as sending SPAM or using the compromised system as a proxy, or relay, through which remote access can be gained to otherwise-protected resources.

5 Wikipedia, Computer virus (St. Petersburg: Wikipedia, 2004), accessed 0[...] November 2004; available from http://en.wikipedia.org/wiki/Computer_virus; Internet.

6 Wikipedia, Computer virus (St. Petersburg: Wikipedia, 2004), accessed 0[...] November 2004; available from http://en.wikipedia.org/wiki/Computer_virus; Internet.

7 Bob [...]

Antivirus software has been around for at least the past 10-15 years, though no references were found that indicated a specific date when such programs were first made available. Antivirus software was developed to detect the presence, and eventually the attempted infection, of a system by malware. There are generally two types of antivirus scanning software: signature-based and heuristic. Signature-based scanning relies on a database of known malware signatures. It must be updated on a regular basis in order to ensure a current database of known malware. According to eBCVG, an IT Security company, a heuristic scanner "looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection."⁸ The downside to heuristic scanners is that they often generate results that misidentify software as being malware (a.k.a. "false positives").
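The trade-off between the two scanning approaches is easiest to see on a handful of constructed files. The following is an added example, not the paper's code and not any vendor's engine: the "signature database" holds one invented sample, the heuristic scores the file characteristics the eBCVG quote mentions (an executable header, a high-entropy body, a small size), and the thresholds are illustrative.

```python
"""Signature-based versus heuristic scanning over constructed sample files.

Added example; not from the paper. The signatures, files and thresholds are
invented for illustration and match no real malware.
"""
import hashlib
import math
from collections import Counter

# --- signature database (constructed) -------------------------------------
EVIL_BODY = b"EVIL-SAMPLE-PAYLOAD"
KNOWN_BAD = b"MZ\x90\x00" + EVIL_BODY
KNOWN_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Sample.A"}   # whole-file hash
KNOWN_PATTERNS = {EVIL_BODY: "Sample.A"}                             # byte pattern


def signature_scan(data: bytes):
    """Exact matching: finds only what is already in the database.
    Returns the family name on a hit, None otherwise."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return KNOWN_HASHES[hashlib.sha256(data).hexdigest()]
    for pattern, name in KNOWN_PATTERNS.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Packed or encrypted bodies sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes, threshold: int = 2):
    """Score file characteristics instead of content. Each observation adds a
    reason; `threshold` or more reasons flags the file as suspicious. The
    rules and threshold are illustrative assumptions."""
    reasons = []
    if data[:2] == b"MZ":                       # DOS/PE executable header
        reasons.append("executable header")
        if len(data) < 4096:                    # assumed 'too small' cut-off
            reasons.append("unusually small executable")
    if shannon_entropy(data) > 7.0:             # assumed packed/encrypted cut-off
        reasons.append("high-entropy body (packed or encrypted)")
    return len(reasons) >= threshold, reasons


def scan(data: bytes) -> dict:
    """Run both engines and report what each one concluded."""
    flagged, reasons = heuristic_scan(data)
    return {"signature": signature_scan(data), "heuristic": flagged, "reasons": reasons}


# --- constructed sample files ---------------------------------------------
HIGH_ENTROPY_BODY = bytes(range(256)) * 8              # every byte value equally common
REPACKED_VARIANT = b"MZ\x90\x00" + HIGH_ENTROPY_BODY   # same malware, repacked: no signature
BENIGN_PACKED_TOOL = b"MZ\x90\x00" + HIGH_ENTROPY_BODY[::-1]   # legitimate small packed utility
BENIGN_DOCUMENT = b"Quarterly report: revenue up 3 percent. " * 20

if __name__ == "__main__":
    for label, blob in (("known bad", KNOWN_BAD), ("repacked variant", REPACKED_VARIANT),
                        ("benign packed tool", BENIGN_PACKED_TOOL), ("benign document", BENIGN_DOCUMENT)):
        print(f"{label:20s} {scan(blob)}")
```

The repacked variant shows why signature scanning must be updated constantly: a trivial change to the bytes defeats both the hash and the pattern while the heuristic still flags it. The benign packed tool shows the cost: it has exactly the same characteristics, so the heuristic flags it too, which is the false positive the paragraph warns about.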

The most popular operating system, in terms of pure numbers, is Microsoft Windows. As such, it is also the most targeted platform by malware. There are several companies who provide AV software for Windows. There are also versions of AV software for other platforms, like Mac OS, UNIX and Linux. However, there are very few cases of malware for those platforms, due in part to their distinct differences from Windows.

8 eBCVG IT Security, Heuristic Scanning - Where to Next? (Tel-Aviv: eBCVG, 2004), accessed 12 October 2004; available from http://www.ebcvg.com/articles.php?id=24; Internet.

A. Business Analysis

In the modern age of computing, antivirus (AV) software is very inexpensive, very common, generally easy to deploy, and oftentimes relatively easy to maintain (easier than patching operating systems and applications, but still more challenging than being fully self-contained). Furthermore, the prevalence and availability of antivirus as a very basic countermeasure is such that a legal argument could be successfully made that the failure of a business to implement AV software throughout the organization could be deemed an act of negligence. As such, the utility and usefulness of AV software is very obvious, both from the standpoint of minimizing the threat of malware and from limiting legal liability resulting from a malware infection.

AV software itself is generally not complex. Most AV packages rely primarily on signature-based scanning with minor heuristic scanning capabilities integrated. The software is usually simple to install and is configured by default to automatically update the underlying scanning engine and the signature database on a regular basis from the Internet.

B. Security Analysis

Whereas businesses are expected to install and maintain antivirus software on most, if not all, systems as a matter of limiting legal liability, the effectiveness of AV software diminishes each day. The AV industry has generally reached a plateau in the last five years and has not made any major advances in the ability to detect and prevent malware infection. Furthermore, the growth in popularity of the Internet has caused the computing world to become highly interconnected, leading to the development of so-called "zero-day exploits." These are exploits that appear on the same day the vulnerability they target becomes publicly known, that is, before a patch (and before a detection signature) exists. In the worst-case scenario, a major organization like Microsoft will announce the presence of a vulnerability in their popular Windows operating system mid-day, and by that evening a worm will be circulating on the Internet that is actively looking for vulnerable systems and attempting to infect them through this new vulnerability. Sadly, such events have happened in recent history, and oftentimes before a patch is even available to fix the vulnerability and before AV signatures have been developed and released.

The purpose of AV is to detect, protect and correct. Specifically, antivirus software is designed to detect malware infections, but it is also able to protect against an active infection attempt, and it is also often able to correct by disinfecting a system, depending on the characteristics of the malware. From the standpoint of Confidentiality, Integrity and Availability, AV software primarily addresses Integrity. The goal of AV software is to protect the Integrity of the operating system, application or data. Additionally, it has a secondary benefit of ensuring the availability of an object by detecting, protecting or correcting malware infections. Confidentiality may also be protected indirectly for malware that may cause data to be sent out randomly, such as Word documents as attachments, forwarding emails, etc.


IV. AUDIT DATA REDUCTION

Audit Data Reduction is an emerging field of study in information security. The Audit Data Reduction Group, part of the COAST Laboratory at Purdue University in the Center for Education and Research in Information Assurance and Security (CERIAS), appears to be a leader in innovative research and thinking on the subject.⁹ The problem being addressed relates to the amount of audit data created, out of necessity, by critical systems. These critical systems often generate copious amounts of audit logs, which are often difficult to pore through for signs of malfeasance. The goals of audit data reduction systems are to contribute to misuse and anomaly detection. These types of systems are discussed further in Section VI.

A. Business Analysis

Audit data reduction (ADR) will increasingly become a useful and necessary part of the information security solution toolset. Businesses are increasingly inundated with audit logs generated by all critical systems. The advent of federal regulations that require thorough logging, such as within financially significant systems, will further contribute to this trend. As a result, in order to maximize the value of these audit logs with an eye toward reducing risk to the overall business, it will become increasingly necessary to condense these raw logs into a more useful format.

9 Purdue University, COAST Audit Trail Reduction Group (West Lafayette: CERIAS, undated), accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.php?output=printable; Internet.


Today, audit data reduction systems are still early in academic and commercial development. Solutions tend to be relatively complex and costly. However, it seems very likely that these systems will improve over time and decrease in complexity. In the end, we will likely see large audit data repositories built, based on data warehousing concepts that then leverage data mining techniques for reporting and analysis. These data feeds will then be pumped into systems that establish a baseline for performance and have built-in artificial intelligence that can detect anomalous behaviour indicative of an instance of misuse or abuse, flagging and escalating the event accordingly.
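What "condensing raw logs into a more useful format" means in practice can be shown on a few constructed syslog-style lines. The following is an added example, not the paper's code and not anything from the CERIAS project: it parses authentication records, collapses repeats into counted summaries, keeps rare high-value events verbatim, and flags the one pattern the reduced data makes obvious (a run of failures followed by a success). The log lines, the regular expressions and the failure threshold are all assumptions for the demonstration.

```python
"""Audit data reduction: raw auth log -> counted summaries plus alerts.

Added example; not from the paper or from CERIAS. The log below is constructed
in syslog style; the parsing rules and the threshold are illustrative.
"""
import re
from collections import defaultdict

RAW_LOG = """\
Nov 09 10:00:01 web1 sshd[411]: Failed password for root from 198.51.100.7 port 51001 ssh2
Nov 09 10:00:02 web1 sshd[411]: Failed password for root from 198.51.100.7 port 51002 ssh2
Nov 09 10:00:03 web1 sshd[411]: Failed password for root from 198.51.100.7 port 51003 ssh2
Nov 09 10:00:04 web1 sshd[411]: Failed password for root from 198.51.100.7 port 51004 ssh2
Nov 09 10:00:05 web1 sshd[411]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Nov 09 10:01:10 web1 sshd[415]: Accepted publickey for deploy from 10.0.0.5 port 40001 ssh2
Nov 09 10:01:11 web1 sshd[415]: Accepted publickey for deploy from 10.0.0.5 port 40002 ssh2
Nov 09 10:02:00 db1 sshd[220]: Failed password for postgres from 10.0.0.9 port 33010 ssh2
Nov 09 10:02:30 web1 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart app
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: +(?P<user>\S+) : .*"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(text: str):
    """Yield one event dict per recognised line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield {"kind": "sshd", **m.groupdict()}
            continue
        m = SUDO_RE.match(line)
        if m:
            yield {"kind": "sudo", **m.groupdict()}


def reduce_log(text: str, failure_threshold: int = 3) -> dict:
    """Collapse repeated sshd events into counted summaries, keep sudo events
    verbatim (rare and high value), and flag a success that follows at least
    `failure_threshold` failures for the same host/user/source."""
    groups = {}                    # summary key -> counted record (insertion ordered)
    kept = []                      # events preserved in full
    history = defaultdict(list)    # (host, user, src) -> outcomes in arrival order
    raw_events = 0
    for ev in parse(text):
        raw_events += 1
        if ev["kind"] == "sudo":
            kept.append(ev)
            continue
        key = (ev["host"], ev["outcome"], ev["method"], ev["user"], ev["src"])
        summary = groups.setdefault(key, {
            "host": ev["host"], "outcome": ev["outcome"], "method": ev["method"],
            "user": ev["user"], "src": ev["src"], "count": 0,
            "first": ev["ts"], "last": ev["ts"]})
        summary["count"] += 1
        summary["last"] = ev["ts"]
        history[(ev["host"], ev["user"], ev["src"])].append(ev["outcome"])

    alerts = []
    for (host, user, src), outcomes in history.items():
        failures = 0
        for outcome in outcomes:
            if outcome == "Failed":
                failures += 1
                continue
            if failures >= failure_threshold:     # success right after a burst of failures
                alerts.append(f"{host}: {failures} failed logins for {user} from {src} followed by success")
            failures = 0
    return {"raw_events": raw_events, "summaries": list(groups.values()),
            "kept": kept, "alerts": alerts}


if __name__ == "__main__":
    result = reduce_log(RAW_LOG)
    print(f"{result['raw_events']} raw events -> {len(result['summaries'])} summaries, "
          f"{len(result['kept'])} kept, {len(result['alerts'])} alerts")
    for s in result["summaries"]:
        print(f"  {s['count']:3d}x {s['host']} {s['outcome']} {s['method']} {s['user']} from {s['src']}")
    for a in result["alerts"]:
        print("  ALERT", a)
```

Nine raw lines become four summary records and one preserved privileged command, and the brute-force-then-success sequence that is invisible in the raw stream is surfaced as a single alert. A production reducer would also count and sample the lines it could not parse rather than silently dropping them, since a parser gap is itself something an attacker can hide behind.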

B. Security Analysis

The purpose of an audit data reduction system is to reduce the overall cost and complexity associated with combining audit logs into one location and interface. These systems may have direct or indirect impact on the Confidentiality, Integrity or Availability of data or systems, depending on the source of the logs and the type of misuse or abuse detected. In general, ADR systems are a countermeasure designed to better detect instances of misuse or abuse. As the systems mature and further integrate with intrusion detection and analysis systems, the capability will also emerge to take protective and corrective actions. For example, intrusion detection and prevention systems (as will be discussed below) already have the capability to react dynamically and in real-time to detected threats. Using audit data reduction systems to accurately detect misuse or abuse in real-time holds the promise of integrating with these active response systems and thus extending their countermeasure capabilities.


V. FIREWALLS¹⁰ ¹¹ ¹² ¹³ ¹⁴

A firewall is defined as a "component or set of components that restricts access between a protected network and the Internet, or between other sets of networks."¹⁵ Firewalls are network security resources that are defined to control the flow of data between two or more networks. From a high-level perspective, they can serve as a choke-point, designed to restrict, or choke, the flow of network traffic, or as a gateway that performs further processing on the traffic beyond simple choking restrictions. According to Zwicky et al., firewalls can generally be placed into two categories: Packet Filters or Proxies. Per discussion in EMSE 218, these categories can be broadened to include circuit-level gateways and stateful inspection devices. Blanding¹⁶ adds a third category of hybrid or complex gateways to Zwicky's initial pair.

In reality, the Blanding definition is probably the most correct in that firewalls either perform as a packet filter, a proxy, or as some combination of the two. Other types of firewall simply expand upon those original base types. For example, most proxies today have additional capabilities to perform content management at the application level, detecting inappropriate or unacceptable content, such as through a web or mail session.

10 Manu, Firewall Basics (Unknown: SecurityDocs.com, 2004), accessed 0[...] November 2004; available from http://www.securitydocs.com/library/2413; Internet.

11 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000).

12 Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996).

13 Lecture notes from EMSE 218, taken 20 October 2004.

14 Purdue University, Firewalls (West Lafayette: CERIAS, undated), accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/; Internet.

15 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p102.

16 Steven F. Blanding, "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki [...]


Also, many firewalls provide capabilities like Network Address Translation (NAT) that provide a logical separation between networks by changing the underlying numbering scheme (IP addressing). NAT is an important feature because it allows organizations to interconnect their resources internally using IP address space that is reserved for internal use by RFC 1918. This reserved space is not routable on the Internet, and thus is not directly accessible to attackers outside the firewall performing the NAT. It is worth noting that this protection comes from the NAT device refusing to forward inbound packets that match no existing translation entry, not from the addressing itself, so NAT complements rather than replaces the filtering rules.

A survey of various vendor web sites, such as Cisco, Checkpoint, NetScreen, CyberGuard, BlueCoat and Secure Computing, reflects the reality that most firewalls are now hybrids. This notion is further reinforced when reading through the Firewall Criteria v4.1¹⁷ for ICSA Labs' Firewall Certification program. No firewall can receive a certification today without being aware of state, thus making it a stateful inspection firewall. However, basic firewalls, like those sold by Cisco, Checkpoint and NetScreen, are essentially just packet filtering, with the additional capabilities of tracking the state of a network session. Checkpoint extends this base design further by also providing some application-specific proxy components. CyberGuard, BlueCoat and Secure Computing, on the other hand, produce firewalls that are primarily proxies. Again, however, because of their adherence to the ICSA criteria, they also are aware of state, at least to some degree, and thus are able to perform basic packet filtering functions, too. Therefore, today, it is probably safe to say that there is only one kind of firewall, and that is a hybrid or complex gateway.

17 http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.1.shtml
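The difference between "just packet filtering" and "tracking the state of a network session" is the whole reason the certification criteria insist on state. The following is an added example, not the paper's code and not a model of any vendor's product: a stateless filter implementing the common "allow outbound, allow inbound only if it looks like a reply" rule, next to a stateful filter that allows inbound packets only when a connection table says an inside host started the conversation. The packets, addresses and rule set are constructed.

```python
"""Stateless packet filter versus stateful inspection on the same packets.

Added example; not from the paper. Packets are constructed 5-tuples with TCP
flags; the internal prefix, the rule set and the scenario are assumptions.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # RFC 1918 space behind the firewall (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                 # subset of {"SYN", "ACK", "FIN", "RST"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Classic packet filter: each packet judged on its own header.
    Outbound traffic is allowed. Inbound traffic is allowed only if the ACK
    flag is set, the traditional approximation of 'this is a reply'."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"
    if "ACK" in pkt.flags:
        return "allow"               # cannot tell a real reply from a forged one
    return "deny"


class StatefulFilter:
    """Stateful inspection: remembers connections opened from inside and admits
    inbound packets only when they belong to one of them."""

    def __init__(self):
        self.flows = set()           # (src, sport, dst, dport) of inside-initiated flows

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # new connection
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            if pkt.flags & {"RST", "FIN"}:
                self.flows.discard(reverse)   # teardown: stop admitting 'replies' to it
            return "allow"
        return "deny"                # no inside host asked for this


def run_scenario() -> dict:
    """Pass four constructed packets through both filters, in order."""
    stateful = StatefulFilter()
    packets = {
        # inside client opens HTTPS to an Internet server
        "outbound_syn": Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
        # the server's legitimate reply
        "reply_syn_ack": Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
        # an attacker's unsolicited probe with ACK set, dressed as a reply
        "ack_probe": Packet("198.51.100.7", 3389, "10.0.0.9", 22, frozenset({"ACK"})),
        # an attacker's plain connection attempt
        "unsolicited_syn": Packet("198.51.100.7", 3390, "10.0.0.9", 22, frozenset({"SYN"})),
    }
    results = {}
    for name, pkt in packets.items():
        results[name] = (stateless_filter(pkt), stateful.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:16s} stateless={stateless:5s} stateful={stateful}")
```

Both filters pass the legitimate connection and block the plain SYN; they differ only on the ACK probe, which the stateless rule must admit because it cannot know whether an inside host is expecting it, and which the stateful filter rejects because no entry in its connection table matches. That single case is what "being aware of state" buys.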


A. Business Analysis

The cost of a firewall today is minimal, and is greatly outweighed by the vast utility it serves. Firewalls need not be expensive solutions, but can be based on generic computer components that make use of free, open-source operating systems and software. Furthermore, these simple solutions do not require extensive and expensive hardware, but can oftentimes simply include a processor, memory and a storage device (like a CD-ROM). If the security requirements for an environment are stricter, then there are also many commercially viable solutions that range in price and capability. Several vendors sell firewalls of varying types that can handle a variety of network security needs. Whether those needs be for application proxies, or redundant packet filtering with automatic failover and recovery capabilities, or web proxies with content management capabilities to protect end-users against the hazards of unsafe web browsing, the only limitation today is in the size of the budget.

B. Security Analysis

"Firewalls are powerful tools, but they should never be used instead of other security measures. They should only be used in addition to such measures."¹⁸ The primary role of a firewall, in the traditional sense, is to protect against unauthorized access of resources via the network as part of a defense in depth solution. This role serves to ensure the integrity of data and systems while also limiting the availability of those resources to malfeasants. Despite all the advances in firewall technology over the past 20 years, the fundamental role of the firewall has not changed. What has changed is the ability to integrate firewalls with other technologies, such as intrusion detection and analysis systems. Such integration can lead to providing an active response capability that blocks access to detected attackers in a real-time manner. Furthermore, in addition to serving in a protecting role, the audit and activity logs produced by a firewall can be used for detecting attacks, which can in turn result in the initiation of corrective actions, as has already been mentioned.

Firewalls, today, serve as a basic building block within security infrastructures. At the same time, as quoted above, they are not the silver bullet of information security. Implementation of a firewall is no guarantee of security and should be combined with the other security technologies described within this paper.

18 Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996), p37.

VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS

The concept of intrusion detection has been around since 1980.¹⁹ In its most essential form, intrusion detection is designed to detect misuse or abuse of network or system resources and report that occurrence. This detection occurs as a result of identifying behaviour based on anomalies or signatures. The most common form of intrusion detection system (IDS) today relies on signature-based detection.

The security industry has greatly expanded intrusion detection over the past years to incorporate several advanced concepts. Beyond basic detection and alerting, most systems today bill themselves as having "intrusion prevention" capabilities; otherwise known as active response. The concept of intrusion prevention is that an activity can be detected reliably and then stopped, either at the host or network level, by the detecting system. From the network perspective, this response could be as simple as detecting an abusive TCP-based network connection and issuing a TCP Reset (RST) packet to both the source and destination hosts, forging the IP header information to impersonate each side. Such an injected reset is a race against the attacker's own packets, and a receiving TCP stack honours it only if its sequence number falls within the window it currently expects, so the first hostile payload may already have been delivered by the time the connection is torn down.

19 Paul Innella, The Evolution of Intrusion Detection Systems (Unknown: SecurityFocus.com, 2001), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1514; Internet.

Additionally, significant advances have been made in the areas of event correlation and anomaly detection. Event correlation is an approach wherein multiple alerts that may appear disparate are able to be linked together based on common criteria, such as time or method or target, and result in an escalated alert, if not a coordinated automatic response. Anomaly detection is similar to event correlation, though its primary role is to scientifically determine a baseline for performance, such as across a network or group of hosts, and then generate alerts when performance deviates significantly from that baseline.

    The fo--o'in$ se+tions dis+.ss ea+h of these te+hno-o$ies, providin$ an overvie' and

    then a respe+tive b.siness and se+.rity ana-ysis)

    A0ntr.sion Dete+tion !ystems 8D!

    ,1

    ntr.sion dete+tion systems are typi+a--y +-assified a++ordin$ to their primary method of

    dete+tion: net'or(3based, host3based, hybrid, or net'or(3node) Net'or(3based dete+tion

    20Pa.- nne--a, 'he #volution of %ntrusion /etection Systems8&n(no'n: !e+.rityo+.s)+om, 2001,a++essed 12 ?+tober 2004F avai-ab-e from http:66''')se+.rityfo+.s)+om6info+.s61A14F nternet)

    Benjamin 5) Tomhave 126762004 1

  • 8/12/2019 ResearchPaper:Information Security Technologies

    20/50

captures packets directly off the network, while host-based detection resides on a host and captures data as it flows into and out of that host. Hybrid systems aggregate the capabilities of network-based and host-based systems whereas network-node systems try to function like a network-based system while residing on a host.

Today, IDS has begun to mature to the point where most systems can be operated as a hybrid, if the business desires. The main approach used, such as through the open-source product Snort, is to conduct network- and/or host-based scanning using a signature set and then aggregate alerts to a single host for management of those alerts. More advanced systems have additional capabilities, as will be discussed in the following sections, such as intrusion prevention, anomaly detection, and event correlation.

Intrusion detection systems, as a whole, have a couple of key limitations. First, they are typically limited in the same way that antivirus is limited in that successful detection is based on having a good signature that matches known bad traffic. With network detection, this signature limitation is particularly challenging because too literal a string can result in a detection failure. Furthermore, IDS are limited by how much network traffic they can process in a given period of time. For example, most IDS today will claim to be able to monitor 1Gbps of traffic in real-time, though actual testing, such as in the IDS Lab at ICSA Labs, has proven that these products are actually often performing at much less than 1Gbps. Even worse, backbone network providers are often running at much higher speeds than 1Gbps, such as over OC-48 or OC-192 networks, which are 2.488 Gbps and 9.952 Gbps, respectively. This means that the needs and

expectations for performance and throughput are very high and not reasonably being met by commercial products.

In addition to being limited by signatures and performance, most IDS also include management concerns with respect to the number of signatures being managed and the number of alerts being generated. Frustrations arising from these many limitations have led to advances in management of the base IDS, and will be discussed in the Anomaly Detection Systems and Event Correlation Systems sections below.

1. Business Analysis

Intrusion detection systems are still maturing as a product. Advances in event correlation, anomaly detection and active response have made their use much more appealing. However, the cost of deployment and management is still almost at a break-even point with the benefits derived. Networks that are particularly mature and clean have a much greater likelihood of reaping large benefits from an enhanced IDS deployment, whereas networks that are not well-designed and that are poorly managed will have a very difficult time tuning signatures to their environment and establishing performance baselines.

Quality IDS software is free through open-source initiatives such as Snort. Thanks to Snort, all a company really needs is a reasonably sized PC with one or more high-speed network cards and the know-how to install and manage the product on a compatible operating system, which may also be free. However, the open-source management tools that are available for use with Snort, such as ACID and SnortCenter, leave much to be desired and often force companies toward commercial solutions.

Most commercial solutions still tend to be rather expensive and require considerable training. One interesting development is the integration of intrusion detection solutions with firewall products, such as has been done by Cisco, Checkpoint and NetScreen. As will be discussed in the following section on intrusion prevention systems (IPS), this advance has allowed IDS to evolve to include active response capabilities, particularly from the network perspective.

Overall, IDS has value for most organizations that have their network in good working order. However, understaffed and poorly architected environments will likely see IDS as an unacceptable hassle and cost. For those organizations, there are alternative solutions. Several security companies are in the market providing outsourced installation, maintenance and monitoring of IDS solutions. These "managed security solutions" providers may be beneficial for organizations that want the benefits of an IDS, even in a limited capacity, but that cannot afford to implement and manage the IDS themselves.

2. Security Analysis

The original role of IDS was to detect threats on networks and hosts. This role has evolved to include active response capabilities that allow it to protect resources and correct misuse or abuse on networks or hosts. IDS can today serve in a role that impacts Confidentiality, Integrity and Availability, depending on the signature set deployed, the effectiveness of alert management, and whether or not an active response capability exists.

B. Intrusion Prevention Systems (IPS)21

Intrusion prevention systems, or IPS, are often defined as "any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful."22 IPS have grown from a desire to combine the deep-inspection capabilities of IDS with the blocking capabilities of firewalls. These blocking capabilities, often referred to as active response, allow the detection of a policy violation to be translated in real-time into a policy-based action designed to impede or stop the violation.

There are a few variations on IPS, but the most common is the inline network-based system. Another variation of IPS are the so-called "Layer 7 switches" that have matured to include DoS and DDoS detection and mitigation based on an awareness of traffic at the application layer of the OSI model. Also, host-based application firewalls have been integrated with IDS capabilities to allow for application-specific active response capabilities based on a general policy instead of a signature set. Hybrid switch solutions are network-based, but operate similarly to the application firewalls.

All of these types of IPS have two things in common: they generate an alert, based either on a signature or a policy, and they initiate a response, as has been programmed into the system. These alerts may occur as the result of a signature match or a violation of a

21 Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/170; Internet.
22 Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/170; Internet.

security policy set up specifically for an application, and the response may range from choking the flow of traffic to terminating or blocking the offending traffic altogether.

There are a couple of key limitations to IPS, as exist for IDS. Those limitations include accurate detection, the ability to handle the full throughput of a network, and the ability to generate the response correctly and in a timely manner. The throughput issue has been discussed above. The matter of accuracy becomes increasingly important when discussing an active, automated response to a detected event. If proper and allowed traffic is incorrectly detected by a signature or as a policy violation, that traffic may be inappropriately subjected to the active response. In particular, known good traffic may be terminated or blocked, resulting in a negative impact to the business. As for generating the response correctly in a timely manner, this limitation pertains to the ability of the IPS to not only detect correctly, but to select the correct response based on a policy, and then be able to issue that response while the offense is still occurring. Choosing the proper response can become challenging when dealing with automated escalations.

1. Business Analysis

Most IDS systems today include some manner of IPS capabilities. Given a well-defined set of signatures or policies, it makes sense to deploy an IDS with IPS capabilities, particularly on the perimeter of your network, and in front of highly valuable assets. The cost of these systems is comparable to that discussed above in the IDS Business Analysis (V.A.1). Ultimately, successful deployment and return on investment will relate directly to how well the network is architected, how well the solution is managed, and how much thought has gone into the overall security management of the organization.

2. Security Analysis

IPS expands the basic detection capabilities of IDS to include definite corrective capabilities. These corrective capabilities have the related benefit of protecting resources based on security policies. These capabilities work together to protect the Confidentiality, Integrity and Availability of systems and data.

C. Event Correlation Systems (ECS)23

Event Correlation Systems build on the successes of Intrusion Detection Systems by providing a better mechanism for aggregating, managing and correlating IDS events, such as are generated through signature detections or policy violations. ECS goes beyond simply pulling together event logs from IDS, however. ECS allows for the aggregation of log data from multiple sources, including firewalls, hosts, applications, and of course IDS. Most ECS solutions serve a dual role as a data warehouse for logs and by providing a data mining interface (manual and automated) to make use of the data stored in the warehouse.

The primary benefit of the Event Correlation System is in its ability to correlate events from multiple systems and generate smart alerts, along with the capability to escalate alerts, based on that correlation. Event Correlation Systems are usually comprised of several key activities: Compression, Counting, Suppression, Generalization and Time-based correlation. These activities are best defined by [...]

23 Russell [...]

[...] information can be gleaned by correlating events that have specific time-based relationships. Some problems can be determined only through such temporal correlation.
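The five correlation activities named above, applied to a handful of constructed alerts, as an added example that is not part of the paper: the event layout, the generalization map, the thresholds and the 60-second window are all assumptions made for this illustration.

```python
"""Event correlation over constructed IDS, firewall and host alerts."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since an arbitrary epoch (constructed)
    source: str    # producing system: "ids", "fw" or "host"
    sig: str       # signature or policy name
    src_ip: str
    dst_ip: str


# Constructed feed: a sensor repeats itself, a firewall is noisy, and an IDS hit
# on one host is followed by that host opening a new outbound connection.
EVENTS = [
    Event(100, "ids", "exploit-attempt", "203.0.113.7", "192.0.2.10"),
    Event(100, "ids", "exploit-attempt", "203.0.113.7", "192.0.2.10"),  # duplicate
    Event(101, "ids", "exploit-attempt", "203.0.113.7", "192.0.2.10"),  # duplicate
    Event(102, "fw", "deny-inbound", "203.0.113.7", "192.0.2.10"),
    Event(103, "fw", "deny-inbound", "203.0.113.7", "192.0.2.11"),
    Event(104, "fw", "deny-inbound", "203.0.113.7", "192.0.2.12"),
    Event(105, "fw", "deny-inbound", "203.0.113.7", "192.0.2.13"),
    Event(130, "host", "new-outbound-connection", "192.0.2.10", "198.51.100.5"),
    Event(900, "fw", "deny-inbound", "198.51.100.9", "192.0.2.10"),
]

# Assumed mapping from specific signatures to broader classes.
GENERALIZE = {
    "exploit-attempt": "attack",
    "new-outbound-connection": "egress",
    "deny-inbound": "blocked",
}


def compress(events):
    """Compression: collapse identical events (same source, signature and
    addresses) into one representative plus a count, ignoring timestamps."""
    seen = {}
    for e in events:
        key = (e.source, e.sig, e.src_ip, e.dst_ip)
        rep, n = seen.get(key, (e, 0))
        seen[key] = (rep, n + 1)
    return list(seen.values())  # [(event, count), ...]


def count_by_attacker(events, sig, threshold):
    """Counting: one alert when the same src_ip triggers `sig` against at
    least `threshold` distinct destinations (a horizontal sweep)."""
    targets = defaultdict(set)
    for e in events:
        if e.sig == sig:
            targets[e.src_ip].add(e.dst_ip)
    return {ip: len(d) for ip, d in targets.items() if len(d) >= threshold}


def suppress(events, noisy):
    """Suppression: drop (source, sig) pairs that tuning has declared noise."""
    return [e for e in events if (e.source, e.sig) not in noisy]


def generalize(events):
    """Generalization: tag each event with its class so that events from
    different sensors become comparable."""
    return [(e, GENERALIZE.get(e.sig, "other")) for e in events]


def temporal_correlate(events, window):
    """Time-based correlation: an 'attack' on host H followed within `window`
    seconds by an 'egress' event *from* H is escalated as a possible compromise."""
    classed = generalize(events)
    escalations = set()
    for a, cls_a in classed:
        if cls_a != "attack":
            continue
        for b, cls_b in classed:
            if cls_b == "egress" and b.src_ip == a.dst_ip and 0 <= b.ts - a.ts <= window:
                escalations.add((a.dst_ip, a.ts, b.ts))
    return sorted(escalations)


def correlate(events=EVENTS):
    """Run the pipeline and return a summary a console could display."""
    unique = compress(events)
    deduped = [e for e, _ in unique]
    kept = suppress(deduped, noisy={("fw", "deny-inbound")})
    return {
        "compressed_from": len(events),
        "compressed_to": len(unique),
        "sweeps": count_by_attacker(deduped, "deny-inbound", threshold=3),
        "after_suppression": len(kept),
        "escalations": temporal_correlate(deduped, window=60),
    }


if __name__ == "__main__":
    for key, value in correlate().items():
        print(f"{key}: {value}")
```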

1. Business Analysis

ECS is the solution that is most desirable and has the potential for the biggest return on investment. However, implementation of such a system has proven to be very challenging for vendors. As a result, these systems tend to be very expensive and not terribly reliable. Instead, the Anomaly Detection approach, as discussed below, has been conceived and is beginning to receive increased market share. In the future, it is hoped that ECS will mature to the point where it can be integrated to round out the Intrusion Detection and Analysis System.

2. Security Analysis

The primary function of ECS is to better detect events within the enterprise. Once reliable detection occurs, then other capabilities, such as active response, can be developed with it. Until that time, however, this solution is primarily aimed at protecting the Integrity of systems and data as a result of detecting active threats against them.

D. Anomaly Detection Systems (ADS)25,26

25 Christina Yip Chung, Anomaly Detection in Database Systems (Davis: UC Davis Computer Security Laboratory, 1[...]), accessed 12 October 2004; available from http://seclab.cs.ucdavis.edu/projects/anomaly.html; Internet.
26 Roy A. Maxion and [...]

Anomaly Detection Systems are an extension of Intrusion Detection Systems (or Misuse Detection Systems, as defined by Chung). Per Maxion and [...]ed form, ADS dynamically calculates the current performance based on aggregate log data and determines whether or not the current level of performance is deviant from expected levels.
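The baseline-and-deviation idea described here and in the section overview (establish a performance baseline from aggregate log data, alert when the current level deviates significantly), as an added example that is not part of the paper: the metric (outbound connections per minute), the counts, the window size and the three-standard-deviation threshold are constructed assumptions.

```python
"""Baseline-and-deviation anomaly detection over aggregate log counts."""
import math
from statistics import mean, pstdev

# Constructed: outbound connections per minute from a group of hosts during a
# quiet period, used to learn what "normal" looks like.
TRAINING = [41, 38, 45, 40, 39, 44, 42, 37, 43, 40,
            41, 39, 44, 42, 40, 38, 43, 41, 40, 42]

# Constructed: later intervals, including a burst that a signature would not
# catch because every individual connection looks legitimate, and a sudden
# drop that could mean a sensor or host went silent.
LIVE = {"09:00": 43, "09:01": 39, "09:02": 140, "09:03": 155, "09:04": 41, "09:05": 12}


def build_baseline(samples):
    """Return (mean, stdev) for the training window. Refuse to build one from
    too few samples: the estimate would be meaningless and alert on everything."""
    if len(samples) < 10:
        raise ValueError("need at least 10 samples to establish a baseline")
    return mean(samples), pstdev(samples)


def zscore(value, baseline):
    """Standard deviations away from the baseline mean. A perfectly flat
    baseline (stdev 0) makes any change infinite; keep that explicit."""
    mu, sigma = baseline
    if sigma == 0:
        return 0.0 if value == mu else math.inf
    return (value - mu) / sigma


def detect(live, baseline, k=3.0):
    """Flag each interval whose |z| exceeds k. Returns [(interval, value, z)]
    so the operator sees how far off each alert is, which a yes/no signature
    match cannot express."""
    alerts = []
    for interval, value in live.items():
        z = zscore(value, baseline)
        if abs(z) > k:
            alerts.append((interval, value, round(z, 1)))
    return alerts


def update_baseline(window, value, baseline, k=3.0, max_len=20):
    """Adaptive baselining: fold a new observation into the sliding window only
    when it was not itself anomalous, so a burst does not instantly become the
    new normal. A slow ramp that stays under k can still drift the baseline,
    which is why the learned window deserves periodic review."""
    if abs(zscore(value, baseline)) > k:
        return list(window)
    return (list(window) + [value])[-max_len:]


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("baseline mean=%.2f stdev=%.2f" % base)
    for interval, value, z in detect(LIVE, base):
        print(f"{interval}: {value} connections/min, z={z}")
```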

As outlined in Maxion and [...]

[...] something generally appreciated by businesses and could stand to limit its adoption within corporate security environments.

1. Business Analysis

Anomaly detection systems are an emerging solution related in part to intrusion (or misuse) detection systems and event correlation systems. This reality as an emerging technology limits the number of commercial solutions available and increases the cost of deployment. Some organizations have gone so far as to develop rudimentary ADS solutions in-house in order to defer commercial expenses. However, the overall value of these systems is limited by the primitive routines performed.

Ultimately, ADS and ECS represent the ideal solutions that will maximize return on investment for detection of threats within a security infrastructure. Once solutions begin to mature, competition emerges, and prices begin to drop, we will likely see a wide adoption of these types of solutions. Until that time, only the largest organizations, with the necessary resources to implement such a solution, will likely see the utility of ADS or ECS. Small and medium sized organizations will likely need to be content with basic IDS and IPS capabilities for the foreseeable future, barring a major breakthrough in performance and reliability that can reduce the overall total cost of ownership while maximizing the value. Integration of these solutions with active response capabilities and firewalls will continue to mature as the core products themselves mature.

2. Security Analysis

ADS are primarily designed to detect threats to the organization. This detect capability may be expanded in the future to include protect and correct capabilities, but only after the product has matured further. The general goal of ADS, as is true with most intrusion detection related solutions, is to primarily ensure Integrity, with secondary goals of ensuring Availability and Confidentiality. Detection can be used universally to ensure all three aspects of the CIA approach.

VI. NETWORK MAPPING

Network mapping is defined as "the study of the physical connectivity of the Internet."28 In its most common form, network mapping is used to document the layout of a local area network (LAN) as part of an overall security assessment. This use is a form of intelligence gathering and oftentimes precedes the actual assessment of targeted systems.

Network mapping has evolved over the years from the simple performance of "PING" or "CONNECT" attempts to more extensive and subversive (or "quiet") methods of detection. Today, the most popular tool for performing network mapping is the open-source tool Nmap.29 Nmap is capable of testing for the presence of nodes on a network based on a variety of detection techniques, including the use of Internet Protocol (IP), Transmission Control Protocol (TCP) and Universal Datagram Protocol (UDP). Each of these protocols has a unique flavor, and thus can generate varying results. Furthermore,

28 Wikipedia, Network Mapping (St. Petersburg: Wikipedia, 2004), accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Network_mapping; Internet.
29 Fyodor, Nmap Security Scanner (Unknown: Insecure.org, undated), accessed 12 October 2004; available from http://www.insecure.org/nmap/index.html; Internet.

Nmap has additional capabilities for subverting network security devices like firewalls and intrusion detection systems. It can take as input a host name, an IP address, a range of IP addresses, or a network or subnetwork. It may also take configurable parameters of "dummy" source addresses to help camouflage to network sensors what it is trying to do.

The goal of network mapping is to determine which nodes are active on a network. This basic determination can be developed further to identify how far away the nodes are from the scanning host. Operating system identification may also be performed by tools like Nmap, though this functionality is an extension of network mapping and not core to its capabilities.

A. Business Analysis

Network mapping is a cheap and valuable tool for reviewing the existence of nodes on a network. Running a network mapping tool on a regular basis and comparing its results can assist an organization in ensuring that no nodes are being added to the network without proper authorization. Since the most popular tool, Nmap, is free and has been ported to many operating systems, including Linux, UNIX, Windows and Mac OS, the only real costs are in terms of performance and processing.
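The regular-scan-and-compare use just described, as an added example that is not part of the paper: two constructed scan snapshots written in the style of Nmap's greppable output are parsed and diffed against an authorized-host register, reporting nodes that answer without being registered and registered nodes that have gone silent. Addresses, names and the exact line layout are constructed assumptions.

```python
"""Audit periodic network-mapping results against an authorized inventory."""
import re

# Constructed: what the asset register says should be on the segment.
AUTHORIZED = {
    "192.0.2.1": "gateway",
    "192.0.2.10": "web-1",
    "192.0.2.11": "web-2",
    "192.0.2.20": "db-1",
}

# Constructed snapshots in the style of Nmap's greppable (-oG) output.
SCAN_MONDAY = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.10 (web-1.example.test)\tStatus: Up
Host: 192.0.2.11 (web-2.example.test)\tStatus: Up
Host: 192.0.2.20 (db-1.example.test)\tStatus: Up
# Nmap done (constructed sample)
"""

SCAN_TUESDAY = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.10 (web-1.example.test)\tStatus: Up
Host: 192.0.2.11 (web-2.example.test)\tStatus: Down
Host: 192.0.2.20 (db-1.example.test)\tStatus: Up
Host: 192.0.2.77 ()\tStatus: Up
# Nmap done (constructed sample)
"""

HOST_LINE = re.compile(
    r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(([^)]*)\)\s+Status:\s+(\w+)"
)


def parse_scan(text):
    """Return {ip: hostname_or_None} for hosts reported Up. Comment lines,
    Down hosts and malformed lines are ignored rather than trusted."""
    live = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3).lower() == "up":
            live[m.group(1)] = m.group(2) or None
    return live


def audit(scan_text, authorized=AUTHORIZED):
    """Diff one scan against the register. 'unauthorized' nodes answered but
    are not registered; 'missing' nodes are registered but silent, which may
    be an outage or a host deliberately hidden from the mapper."""
    live = parse_scan(scan_text)
    return {
        "unauthorized": sorted(ip for ip in live if ip not in authorized),
        "missing": sorted(ip for ip in authorized if ip not in live),
        "seen": len(live),
    }


def diff_scans(old_text, new_text):
    """Churn between two runs, independent of the register, to catch changes
    the register has not caught up with yet."""
    old, new = set(parse_scan(old_text)), set(parse_scan(new_text))
    return {"appeared": sorted(new - old), "disappeared": sorted(old - new)}


if __name__ == "__main__":
    print(audit(SCAN_TUESDAY))
    print(diff_scans(SCAN_MONDAY, SCAN_TUESDAY))
```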

There are a couple of potential risks and limitations for network mapping. First, some applications and systems do not respond well to probes from network mapping tools. Mainframes, for example, have been known to respond poorly to raw network socket requests. Thus, network mapping could cause instability in a mainframe, or at least generate a large number of alerts. Additionally, network mapping can be limited by certain types of network and firewall rules. Whereas network mapping used to be able to circumvent firewalls using various packet manipulation techniques, most firewalls today are aware of state and thus effectively block circumvention. Additionally, intrusion detection systems, which may also be circumvented, have the capability today to be tuned so as to more optimally detect the occurrence of network mapping.

B. Security Analysis

Network mapping is a form of detection, from the standpoint that it detects nodes on a network, which can in turn be used to determine whether or not a given node is authorized to be on the network. Network mapping may also be construed as a form of protection, since the actions that derive from comparing network mapping data sets could result in removal of unauthorized nodes from the network.

From the standpoint of Confidentiality, Integrity and Availability, network mapping primarily serves the goal of ensuring the Integrity of the network. It may also be used to verify that certain nodes remain available on a network. Network mapping does not have any impact on Confidentiality, unless one were to spin the impact along the following line: a node, such as an IDS sensor, is placed on the network and configured so as not to be detectable by network mapping; however, a misconfiguration results in causing the sensor to respond to network mapping requests, revealing its location, and possibly its identity; thus, network mapping can ensure the confidentiality of "hidden" network nodes.

VII. PASSWORD CRACK[...]

[...]ed access to a system or data. Additionally, password cracking may be used as a preventative measure to ensure that strong passwords are being used by system users.

Most passwords today are maintained as a hashed, rather than encrypted, value. Hashing means taking a password string and using it as an input for an algorithm that results in an output that does not resemble the original input. Unlike encryption, hashing only works one way and cannot be decrypted. Hashing passwords before storing them is far more efficient than encrypting and decrypting passwords on the fly. Thus, when a user attempts to log in, their submitted password is hashed, and the hashed value is compared with the hashed value stored on the system. Given an exact hash match, the login is approved and the user is considered authenticated.

The best commercial use of password cracking is as a preventative measure, ensuring that users are choosing high quality (or strong) passwords. According to @stake, maker of the popular l0phtcrack password cracking utility, "experts from SANS, industry, government, and academia cite weak passwords as one of the most critical security threats

30 Wikipedia, Password cracking (St. Petersburg: Wikipedia, 2004), accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Password_cracking; Internet.

to networks."31 In the current context, passwords are the primary method for authentication, despite the availability of better solutions, as described in Section [...] above. Thus, protection of passwords and ensuring strong passwords against simple attacks is of the utmost importance.

Passwords are typically subjected to a combination of two kinds of attacks: brute-force and dictionary (or word-list). Brute-force attacks attempt to iterate through every possible password option available, either directly attempting the test password against the system, or in the case of a captured password file, comparing the hashed or encrypted test password against the hashed or encrypted value in the file. In a dictionary attack, a list of common passwords, oftentimes consisting of regular words, is quickly run through and applied in a similar manner as with the brute-force attack.

Dictionary attacks are oftentimes very effective unless systems require users to choose strong passwords. For example, the maintainers of the popular open-source password cracking tool John the Ripper sell collections of word lists on CD. The CDs include word lists for more than 20 human languages, plus common and default passwords and unique words for all combined languages. For around $50 an individual wanting to execute a massive dictionary-based attack could have access to over [...]00MB of word list data.32 The ready availability of such data sets for use in dictionary attacks means that, unless a strong password is selected, it is very likely that the password can be cracked in a

31 @stake, @stake LC 5 (Cambridge: @stake, undated), accessed 12 October 2004; available from http://www.atstake.com/products/lc/; Internet.
32 Openwall Project, [...]

reasonable amount of time. This is especially true of passwords that are based on human-readable words.

A strong password is most often defined as a string of eight (8) or more characters that mix upper- and lower-case letters, numbers and special characters. Strong passwords do not resemble words, and are best when generated at random.33 One suggested approach is picking a passphrase and either using the passphrase in its entirety or picking the leading letters from each word in the phrase and substituting numbers and special characters for some of the letters. Certain password hashing algorithms produce stronger hash values with longer passwords while others produce stronger hash values based on increased complexity of the password.

In addition to requiring users to choose strong passwords, it is also incumbent upon system administrators to require that passwords be changed frequently. Conventional wisdom indicates that no password should have a lifetime greater than 90 days, and for highly critical systems the lifetime should be 30 days or less. One exception to this rule involves two-factor authentication where a password is coupled with a stronger authentication method, such as tokens or biometrics.
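The hashed-storage login check described earlier in this section, together with the eight-character mixed-class rule, the "does not resemble a word" test and the 90-day (30-day for critical systems) lifetime, as an added example that is not part of the paper: the salted PBKDF2 construction, the iteration count, the tiny word list and the record layout are assumptions made for this illustration.

```python
"""Hashed password storage with strength and rotation checks."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Constructed stand-in for a real word list; a deployment would load a large one.
SMALL_WORDLIST = {"password", "welcome", "letmein", "summer", "qwerty"}
ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune per system)
# Undo common letter-for-symbol substitutions before the dictionary check,
# so that "P@ssw0rd!" is still recognised as "password".
LEET = str.maketrans("@$013", "asole")


def strength_problems(password, wordlist=SMALL_WORDLIST):
    """Return the rules a candidate violates; an empty list means 'strong'."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if not all(classes):
        problems.append("must mix upper, lower, digits and special characters")
    core = "".join(c for c in password.lower().translate(LEET) if c.isalpha())
    if any(word in core for word in wordlist):
        problems.append("resembles a dictionary word")
    return problems


def make_record(password, critical=False, today=None):
    """Hash an accepted password with a fresh random salt; refuse weak ones.
    `today` is an ISO date string, defaulting to the current date."""
    problems = strength_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "set_on": today or date.today().isoformat(), "critical": critical}


def verify(record, attempt):
    """The login check from the text: hash the submitted password with the
    stored salt and compare hashes. The constant-time compare avoids leaking
    how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def rotation_due(record, today=None):
    """90-day lifetime, or 30 days when the record is flagged critical."""
    limit = 30 if record["critical"] else 90
    now = date.fromisoformat(today) if today else date.today()
    return now - date.fromisoformat(record["set_on"]) > timedelta(days=limit)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "abc", "Tr0ub4dor&3"):
        print(candidate, strength_problems(candidate) or "strong")
    rec = make_record("Tr0ub4dor&3", today="2004-11-10")
    print("login ok:", verify(rec, "Tr0ub4dor&3"), "rotate:", rotation_due(rec, "2005-03-01"))
```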

A. Business Analysis

Passwords hold a prevalent place within the security infrastructure throughout most, if not all, organizations. Until passwords are replaced by stronger forms of authentication, such as tokens or biometrics, it is absolutely necessary that the use of strong passwords be enforced. Therefore, the benefit of buying word lists and password cracking software and running them regularly, particularly on key systems, greatly outweighs the costs. One downside is where centralized authentication has not been implemented. In those cases, while it is likely that users will use the same password across multiple systems, the cost in time of running password cracking against all systems becomes challenging. Thus, in addition to password cracking, it is also useful to implement a centralized authentication system that results in fewer password files to test.

33 A. Cliff, Password Crackers - Ensuring the Security of Your Password (Unknown: SecurityFocus.com, 2001), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/112; Internet.

B. Security Analysis

Password cracking is primarily a protective countermeasure. It is designed to ensure that passwords used in various authentication mechanisms are strong enough to prevent casual dictionary-based attacks. It is assumed, however, that a brute-force attack can be 100% successful given enough time. As such, it is vitally important to combine password cracking with strict systematic requirements for strong passwords and regular password rotation. Password cracking helps ensure the Confidentiality and Integrity of data and systems by propping up the authentication system.

VIII. PUBLIC [...]

[...] Public [...]ations SSL certificate can be verified by a client web browser as being authentic and non-revoked.

35 Roger Clarke, Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society (Canberra: Clarke, 2000), accessed 12 October 2004; available from http://www.anu.edu.au/people/Roger.Clarke//P[...]

In more complex scenarios, P[...]ation for various purposes, such as secure internal communication, providing encryption services to data and systems, digitally signing code, and providing encryption materials allowing users to digitally sign communication. Typically, though, enterprise P[...]ation of associated technologies.38

A. Business Analysis

P[...]

The use of P[...]ed software development companies, it may in fact be cheaper to rely on code signing from a trusted third party rather than to conduct the code signing with an in-house P[...]

B. Security Analysis

The main role of P[...]

IX. VIRTUAL PRIVATE NETWORK[...]

A Virtual Private Network (VPN) is a private communications network that makes use of public networks, oftentimes for communication between different organizations.40 A VPN is not inherently secure, though in its most common incarnation it does utilize encryption to ensure the confidentiality of data transmitted. The VPN is often seen as a cheaper solution for deploying a private network than private leased lines.41,42 They often serve to protect and ensure the integrity of communications43 and may also protect the confidentiality of those communications when utilizing encryption.

Aside from the cost factor, VPNs have two main advantages: they may provide overall encryption for communications and they allow the use of protocols that are otherwise difficult to secure.44 In contrast, Zwicky cites the two main disadvantages of VPNs as being the reliance on "dangerous" public networks and extending the network that is being protected.45

There are three types of VPNs available today: dedicated, SSL and opportunistic. Dedicated VPNs, either in a gateway-to-gateway or client-to-gateway configuration,

39 About.com has several links on VPNs that may be worth reviewing. http://compnetworking.about.com/od/vpn/
40 Wikipedia, Virtual private network (St. Petersburg: Wikipedia, 2004), accessed 09 November 2004; available from http://en.wikipedia.org/wiki/Virtual_private_network; Internet.
41 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p104.
42 Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated), accessed 12 October 2004; available from http://www.networkcomputing.com/05/05colmoskowitz.html; Internet.
43 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p119.
44 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p120.
45 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p121.

    appear to +.rrent-y be the most prominent dep-oyment) @o'ever, !!5 =PNs are

    in+reasin$ in pop.-arity, servin$ as a -i$ht'ei$ht, p-atform3independent +-ient3to3$ate'ay

    prote+tion me+hanism) *dditiona--y, the +on+ept of opport.nisti+ en+ryption, as .sed

    'ith =PNs, 'as first posited in 2001 by the ree!6%*N proje+t, 'hos mission 'as to

    provide free standards3based =PN soft'are .nder an open3so.r+e initiative) The +on+ept

    of opport.nisti+ en+ryption 8?E hin$ed on the notion that a =PN did not need to be in an

    G.pG state at a-- times, b.t rather on-y needed to be a+tivated 'hen +omm.ni+ation 'as

    o++.rrin$) Th.s, $ate'ays a+ross the nternet +o.-d be +onfi$.red to s.pport en+ryption

    on an as3needed basis and 'o.-d on-y have to set.p the =PN 'hen a +onne+tion

    from6thro.$h an ?E3a'are $ate'ay 'as initiated) This mode- is simi-ar to the traditiona-

    .se of !!5 on the nternet, e+ept that instead of simp-y en+ryptin$ the traffi+ at the

    app-i+ation -ayer, the en+ryption 'as a+t.a--y o++.rrin$ at the net'or( and6or transport

    -ayer, and a-- happenin$ transparent to the end3.ser)4 The $oa- of imp-ementin$

    opport.nisti+ en+ryption 'ithin free P!EC3based =PNs 'as to transparent-y en+rypt a--

    nternet traffi+)
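To illustrate the on-demand behaviour described above, the following Python simulation is an added example; it is not code from this paper or from the FreeS/WAN project. It assumes a small lookup table standing in for the DNS records an OE-aware gateway would publish, models tunnel setup as a state change rather than a real IKE/ISAKMP exchange, and uses an idle timeout; the table, addresses and timeout are all constructed for the example.

```python
"""Simulation of an opportunistic-encryption (OE) gateway.

Added example: the lookup table stands in for the DNS records an OE-aware
gateway publishes, and tunnel setup is modelled as a state change, not as
a real IKE/ISAKMP negotiation.  All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for published OE records:
# destination network -> (OE-aware gateway address, key identifier).
OE_RECORDS: Dict[str, Tuple[str, str]] = {
    "203.0.113.0/24": ("203.0.113.1", "key-A"),
    "198.51.100.0/24": ("198.51.100.1", "key-B"),
}


@dataclass
class Tunnel:
    peer_gw: str
    key_id: str
    last_used: int  # seconds; the tunnel is torn down once idle too long


@dataclass
class OEGateway:
    idle_timeout: int = 300
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)
    setups: int = 0                      # on-demand negotiations performed
    log: List[str] = field(default_factory=list)

    def lookup_oe(self, dst_ip: str) -> Optional[Tuple[str, Tuple[str, str]]]:
        """Return (network, record) if an OE record covers dst_ip, else None."""
        addr = ipaddress.ip_address(dst_ip)
        for net, rec in OE_RECORDS.items():
            if addr in ipaddress.ip_network(net):
                return net, rec
        return None

    def expire(self, now: int) -> None:
        """Tear down tunnels that have been idle longer than idle_timeout."""
        for net in list(self.tunnels):
            if now - self.tunnels[net].last_used > self.idle_timeout:
                self.log.append(f"{now}: idle tunnel for {net} torn down")
                del self.tunnels[net]

    def send(self, dst_ip: str, now: int) -> str:
        """Decide how a packet to dst_ip leaves the gateway at time now.

        Returns "encrypted" when an OE record exists (setting the tunnel up
        first if needed) and "cleartext" when the peer is not OE-aware.
        """
        self.expire(now)
        hit = self.lookup_oe(dst_ip)
        if hit is None:
            self.log.append(f"{now}: {dst_ip} has no OE record, sent in clear")
            return "cleartext"
        net, (gw, key_id) = hit
        tun = self.tunnels.get(net)
        if tun is None:
            # Only now is the VPN brought "up": this is where a real gateway
            # would negotiate keys with the peer gateway.
            self.setups += 1
            tun = Tunnel(gw, key_id, now)
            self.tunnels[net] = tun
            self.log.append(f"{now}: tunnel to {gw} negotiated for {net}")
        tun.last_used = now
        return "encrypted"


def demo() -> dict:
    """Drive the gateway through setup, reuse, cleartext fallback and expiry."""
    gw = OEGateway(idle_timeout=300)
    results = [
        gw.send("203.0.113.40", 0),    # first packet: tunnel negotiated
        gw.send("203.0.113.41", 10),   # same peer network: tunnel reused
        gw.send("192.0.2.7", 20),      # no record: cleartext
        gw.send("203.0.113.40", 400),  # idle > 300 s: torn down, negotiated again
    ]
    return {"results": results, "setups": gw.setups, "active": len(gw.tunnels)}


if __name__ == "__main__":
    print(demo())
```

The simulation makes the cost of the model visible: the first packet to each OE-aware peer pays for a negotiation, traffic to peers without a record silently falls back to the clear, and an idle tunnel is renegotiated after the timeout, which is why OE was described as transparent to the end-user rather than as a guarantee of encryption.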

Most virtual private networks today make use of IPSEC encryption. IPSEC provides network-level security for the Internet Protocol (IP) and is an extension of the original IPv4 standard. IPSEC makes use of the management and security protocol ISAKMP during connection setup. IPSEC includes a number of other features, such as being usable by tunneling protocols.47

A. Business Analysis

Virtual private networks have a legitimate use in the business environment, especially when used in a secure manner, leveraging available encryption options. Given the growing prevalence and availability of cheap Internet access, a VPN can be used to securely and reliably replace more expensive leased lines. This replacement is particularly attractive in environments where the data being transmitted is sensitive, but where interruption of connectivity will not represent a major disruption to the business.

Many hardware and software solutions are available today, with costs ranging from free (FreeS/WAN) to expensive (dedicated hardware-based solutions targeting high throughput). Most inexpensive networking equipment, such as the Linksys and Netgear lines of home user security devices, now supports IPSEC-based VPNs.

B. Security Analysis

The basic goal of a Virtual Private Network is to ensure the integrity of the connection and communications.48 When encryption is added, the goal of preserving confidentiality may also be achieved. One downside to VPNs is that they tend to be built on complex systems and are prone to easy disruption, reducing the overall availability of data and communications.

47 Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated, accessed 12 October 2004; available from http://www.networkcomputing.com/05/05colmoskowitz.html; Internet).
48 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p. 11.

From the perspective of countermeasures, the VPN primarily serves to protect data, though it may also dynamically correct. If logging is enabled and monitored, then attacks against the VPN may also result in meeting the need of detection, though that would be ancillary.
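As an added example of the ancillary detection role noted above (this is not code from the paper or from any VPN product), the following Python script applies a simple failed-negotiation threshold to a few constructed gateway log lines. The syslog-like line format, the hostname "vpngw", the addresses and the threshold and window values are all assumptions made for the example.

```python
"""Threshold detection over VPN gateway logs.

Added example: the log lines below are constructed in a generic
syslog-like shape and do not come from any particular VPN product.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: five failed IKE phase-1 attempts from one source in
# eight seconds, then one failure and one success from another source.
SAMPLE_LOG = """\
Nov 10 09:12:01 vpngw ike: phase1 negotiation failed for 198.51.100.23: no proposal chosen
Nov 10 09:12:03 vpngw ike: phase1 negotiation failed for 198.51.100.23: no proposal chosen
Nov 10 09:12:05 vpngw ike: phase1 negotiation failed for 198.51.100.23: authentication failed
Nov 10 09:12:07 vpngw ike: phase1 negotiation failed for 198.51.100.23: authentication failed
Nov 10 09:12:09 vpngw ike: phase1 negotiation failed for 198.51.100.23: authentication failed
Nov 10 09:13:40 vpngw ike: phase1 negotiation failed for 203.0.113.9: no proposal chosen
Nov 10 09:14:02 vpngw ike: SA established with 203.0.113.9
"""

LINE_RE = re.compile(r"^\w{3} +\d+ (?P<clock>\d\d:\d\d:\d\d) \S+ ike: (?P<msg>.*)$")
FAIL_RE = re.compile(r"negotiation failed for (?P<src>[0-9.]+): (?P<reason>.+)$")


def _seconds(clock: str) -> int:
    """Convert HH:MM:SS to seconds of day (the constructed sample is one day)."""
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return hh * 3600 + mm * 60 + ss


def parse_failures(log_text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Group failed negotiations by source: src -> [(seconds_of_day, reason)]."""
    failures: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        f = FAIL_RE.search(m.group("msg"))
        if f:
            failures[f.group("src")].append((_seconds(m.group("clock")), f.group("reason")))
    return dict(failures)


def find_suspects(log_text: str, threshold: int = 4, window: int = 60) -> List[str]:
    """Sources with at least `threshold` failures inside any `window` seconds."""
    suspects = []
    for src, events in parse_failures(log_text).items():
        times = sorted(t for t, _ in events)
        start = 0
        for end in range(len(times)):
            # Slide the window so that times[start..end] spans <= window seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects.append(src)
                break
    return sorted(suspects)


if __name__ == "__main__":
    for src, events in parse_failures(SAMPLE_LOG).items():
        print(src, len(events), "failures")
    print("suspects:", find_suspects(SAMPLE_LOG))
```

The point of the windowed count is that a single "no proposal chosen" from a misconfigured partner gateway is normal, while a burst of failures from one source is the signal worth forwarding to whoever monitors the logs; the threshold and window are tuning parameters, not fixed values.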

X. VULNERABILITY SCANNING SYSTEMS

Vulnerability scanning is the "automated process of proactively identifying vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened."49 Vulnerability scanning typically relies on a handful of tools that identify hosts and then proceed to test them for known weaknesses. The automated scanning process should include three high-level steps: receiving authority to scan, determining the scope of the program, and establishing a security baseline (based on the number of vulnerabilities found per number of hosts scanned).50 Additionally, a good vulnerability scanning program will securely manage the results of the scans and will have a proven plan and process in place for remediation of vulnerabilities that are uncovered. Vulnerability scanning should occur as part of an overall risk management framework, not as a standalone security countermeasure.

49 Webopedia, vulnerability scanning (Darien: Jupitermedia, undated, accessed 12 October 2004; available from http://www.webopedia.com/TERM/V/vulnerability_scanning.html; Internet).
50 Christopher Cook, Managing Network Vulnerabilities in a /O#?SA Environment (
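The three high-level steps above (authority, scope, baseline) and the handling of results can be expressed as a small program-management helper. The following Python code is an added example, not this paper's or any scanner's code: the findings, address ranges, plugin identifiers and change-ticket reference are constructed, and the owner-only file permission applied to stored results is this example's own choice for "securely managing" them.

```python
"""Scan-program helper: authority, scope, baseline and stored results.

Added example, not the paper's or any scanner's code.  Findings, address
ranges and plugin identifiers are constructed; the 0600 permission applied
to the results file is this example's choice.
"""
import ipaddress
import json
import os
import stat
import tempfile
from dataclasses import asdict, dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # stands in for the check (e.g. a NASL script) that fired
    severity: str    # "high", "medium" or "low"


class ScanProgram:
    def __init__(self, authorized_networks: List[str], authorized_by: str):
        # Step 1: receiving authority to scan.  Refuse to exist without it.
        if not authorized_by:
            raise ValueError("no scan authority recorded")
        self.authorized_by = authorized_by
        # Step 2: the scope is fixed up front as a list of networks.
        self.scope = [ipaddress.ip_network(n) for n in authorized_networks]

    def in_scope(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.scope)

    def filter_targets(self, requested: List[str]) -> Tuple[List[str], List[str]]:
        """Split requested hosts into those inside and outside the scope."""
        accepted, rejected = [], []
        for host in requested:
            (accepted if self.in_scope(host) else rejected).append(host)
        return accepted, rejected

    @staticmethod
    def baseline(findings: List[Finding], hosts_scanned: int) -> float:
        """Step 3: vulnerabilities found per host scanned."""
        if hosts_scanned <= 0:
            raise ValueError("baseline needs at least one scanned host")
        return round(len(findings) / hosts_scanned, 2)

    @staticmethod
    def remediation_queue(findings: List[Finding]) -> List[Finding]:
        """Order findings for the remediation process, highest severity first."""
        rank = {"high": 0, "medium": 1, "low": 2}
        return sorted(findings, key=lambda f: (rank[f.severity], f.host, f.plugin_id))

    @staticmethod
    def save_results(findings: List[Finding], path: str) -> int:
        """Write results readable only by the owner; return the mode bits set."""
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump([asdict(f) for f in findings], fh)
        os.chmod(path, 0o600)   # in case the umask or an existing file widened it
        return stat.S_IMODE(os.stat(path).st_mode)


# Constructed results of one scan of four hosts in the authorized range.
SAMPLE_FINDINGS = [
    Finding("10.0.1.5", "weak-ssh-ciphers", "medium"),
    Finding("10.0.1.9", "outdated-http-server", "high"),
    Finding("10.0.1.5", "default-snmp-community", "high"),
]


def demo() -> dict:
    """Run one constructed scan cycle through the helper."""
    prog = ScanProgram(["10.0.1.0/24"], authorized_by="change ticket CHG-0001 (constructed)")
    accepted, rejected = prog.filter_targets(["10.0.1.5", "10.0.1.9", "192.0.2.44"])
    base = prog.baseline(SAMPLE_FINDINGS, hosts_scanned=4)
    queue = prog.remediation_queue(SAMPLE_FINDINGS)
    tmpdir = tempfile.mkdtemp()
    mode = prog.save_results(SAMPLE_FINDINGS, os.path.join(tmpdir, "scan-results.json"))
    return {
        "accepted": accepted,
        "rejected": rejected,
        "baseline": base,
        "first_to_fix": queue[0].plugin_id,
        "mode": mode,
    }


if __name__ == "__main__":
    print(demo())
```

The scope check is deliberately a hard filter rather than a warning: a host outside the authorized networks is dropped before any scanner is invoked, which is the practical form of "receiving authority to scan". The baseline is a plain ratio so that successive scans of the same scope can be compared as the remediation process works through the queue.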


The most popular vulnerability scanning tool available today is also free, open-source software. Nessus51 has become the de facto tool for vulnerability scanning over the past five (5) years, replacing commercial tools like CyberCop Scanner (discontinued), ISS Security Scanner, and eEye Retina. Vulnerability scanning has been around since the late '80s or early '90s, pioneered by Dan Farmer, co-author of the COPS52 security tool. Originally, vulnerability scanning was host-based in nature, as COPS and TIGER were, but eventually expanded to include network-based scanning. There are still host-based scanners available, such as the Center for Internet Security's benchmark security tool53. More often, though, vulnerability scanning today is network-based.

Chapple provides a nice overview of the Nessus scanner and why it's preferable to its competition:

"The Nessus tool works a little differently than other scanners. Rather than purporting to offer a single, all-encompassing vulnerability database that gets updated regularly, Nessus supports the Nessus Attack Scripting Language (NASL), which allows security professionals to use a simple language to describe individual attacks. Nessus administrators then simply include the NASL descriptions of all desired vulnerabilities to develop their own customized scans."54

51 http://www.nessus.org/
52 http://www.fish.com/cops/overview.html
53 http://www.cisecurity.com/
54 Mike Chapple, Vulnerability scanning with Nessus (Unknown: TechTarget.com, 2003, accessed 12 October 2004; available from http://searchsecurity.techtarget.com/tip/0,28483,sid14_gci38271,00.html?track=NL-20; Internet).


A. Business Analysis

As was the case with password cracking in Section V above, vulnerability scanning is a very cheap and useful practice. When conducted regularly and carefully, the use of an automated vulnerability scanning tool can provide considerable information about the overall risk landscape of technologies throughout an enterprise. Vulnerability scanning is particularly important for ensuring that Internet-accessible resources are properly secured before deployment, and to ensure that they remain secure after deployment.

Because the most common tool for conducting vulnerability scans is free, open-source software, there is very little reason not to make use of it. Furthermore, the installation and operation of a tool like Nessus does not require much technical acumen. More importantly, the information that can be gathered from the assessment can be invaluable. Operation of a basic vulnerability scanner is not complex. Making matters even better, tools like Nessus are thoroughly documented on the Internet and can often be found in pre-packaged bootable environments.

B. Security Analysis

Vulnerability scanning can contribute to countermeasures in all three areas of protect, detect and correct. The primary role of the scanning is to detect vulnerabilities in systems, but when used properly it will also contribute to protecting resources from being deployed insecurely and to correcting vulnerabilities by providing adequate information to system administrators.


From the standpoint of Confidentiality, Integrity and Availability, vulnerability scanning most affects the Integrity of systems, though there may be ancillary benefits to Confidentiality and Availability. In detecting and resolving weaknesses in a system, the integrity of the system can be assured. Furthermore, ensuring the integrity of a system will help prevent the system from becoming compromised, resulting in a loss of confidentiality, or from being overly susceptible to attacks that may result in denying the availability of the system or associated application.


REFERENCES

1. @stake. @stake LC 5. Cambridge: @stake, undated, accessed 12 October 2004; available from http://www.atstake.com/products/lc/; Internet.

2. Blanding, Steven F. "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki


12. Moskowitz, Robert. What Is A Virtual Private Network? Unknown: CMP, undated, accessed 12 October 2004; available from http://www.networkcomputing.com/05/05colmoskowitz.html; Internet.

17. National Institute of Standards and Technology. NIST PKI Program. Washington: NIST, 2004, accessed 12 October 2004; available from http://csrc.nist.gov/pki/; Internet.

18. National Institute of Standards and Technology. NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program. Washington: NIST, 2002, accessed 12 October 2004; available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.

19. Openwall Project.


23. Rothke, Ben. Access Control Systems & Methodology. New York: SecurityDocs.com, 2004, accessed 0 November 2004; available from http://www.securitydocs.com/go/; Internet.

24. Spencer, Henry and D. Hugh Redelmeier, Opportunistic Encryption. Unknown: freeswan.org, 2001, accessed 07 November 2001; available from http://www.freeswan.org/freeswan_trees/freeswan-1.1/doc/opportunism.spec; Internet.

25. Tipton, Harold F. and Micki