8/12/2019 ResearchPaper:Information Security Technologies
1/50
Research Paper: Information Security Technologies
by
Benjamin Tomhave
November 10, 2004
Prepared for:
Professor Dave Carothers, EMSE 218
The George Washington University
This paper or presentation is my own work. Any assistance received in its preparation is acknowledged within the paper or presentation, in accordance with academic practice. If I used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the sources fully and completely in footnotes and bibliography entries. This includes sources which I have quoted or paraphrased. Furthermore, I certify that this paper or presentation was prepared by me specifically for this class and has not been submitted, in whole or in part, to any other class in this University or elsewhere, or used for any purpose other than satisfying the requirements of this class, except that I am allowed to submit the paper or presentation to a professional publication, peer reviewed journal, or professional conference. In adding my name following the word "Signature", I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature.
Signature: Benjamin L. Tomhave
Benjamin L. Tomhave 12/7/2004 1
Abstract
The following research paper provides analysis of thirteen (13) information security technology topics, arranged in ten (10) groups, that are either commonly found or emerging within the information security industry. These topics include: Access Control Management, Antivirus, Audit Data Reduction, Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Anomaly Detection Systems (ADS), Event Correlation Systems (ECS), Network Mapping, Password Cracking, Public [text missing in the source] each technology within the modern information security and business context, looking at how it meets business needs while addressing Confidentiality, Integrity and Availability as a Countermeasure that Detects, Corrects and/or Protects.
Table of Contents
I. INTRODUCTION AND OVERVIEW OF APPROACH
II. ACCESS CONTROL MANAGEMENT
  A. Business Analysis
  B. Security Analysis
III. ANTIVIRUS
  A. Business Analysis
  B. Security Analysis
IV. AUDIT DATA REDUCTION
  A. Business Analysis
  B. Security Analysis
V. FIREWALLS
  A. Business Analysis
  B. Security Analysis
VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS
  A. Intrusion Detection Systems (IDS)
    1. Business Analysis
    2. Security Analysis
  B. Intrusion Prevention Systems (IPS)
    1. Business Analysis
    2. Security Analysis
  C. Event Correlation Systems (ECS)
    1. Business Analysis
    2. Security Analysis
  D. Anomaly Detection Systems (ADS)
    1. Business Analysis
    2. Security Analysis
VII. NETWORK MAPPING
  A. Business Analysis
  B. Security Analysis
VIII. PASSWORD CRAC
I. INTRODUCTION AND OVERVIEW OF APPROACH
This research paper introduces and analyzes ten (10) information security technologies. Each of the following sections focuses on a specific technology and adheres to the following general format:
o Technology Overview: A high-level introduction to the technology.
o Business Analysis: An evaluation of the usefulness, cost, complexity, and utility of the technology in the modern business environment.
o Security Analysis: The security technology is weighed against the tenets of Confidentiality, Integrity and Availability, and its role as a countermeasure (detect, correct, protect) is evaluated.
The ten security technologies addressed in this paper are:
1. Access Control Management
2. Antivirus
3. Audit Data Reduction
4. Firewalls
5. Intrusion Detection and Analysis Systems
6. Network Mapping
7. Password Cracking
8. Public
[...] being to classify data systems according to value and allocate protection mechanisms in accordance with the value of the resource. According to Tipton and [...]
[...] increasing in popularity and are predicted to save companies millions of dollars in the coming years.[3]
B. Security Analysis
An access control management system has the potential for impacting all three tenets of information security (Confidentiality, Integrity and Availability). The primary role of an ACM solution is to protect the confidentiality of a resource by restricting access to the resource. Additionally, an ACM solution will control the attributes of the access, such as read, write and execute. For example, in the case of a data file, an ACM system may grant a user read access, but deny access to write or modify the data within the file.
Under a DAC (discretionary access control) model, access controls are managed directly by the resource owner. In a MAC (mandatory access control) model, the system dictates what level of access may be granted to a resource, and the owner cannot override that decision. Finally, RBAC (role-based access control) assigns access based on the rights of a group (or role) within the system. All users who share a given role have the same access. This approach contrasts with DAC, where each user may have a unique set of rights. MAC resembles RBAC in that the individual user does not decide who may access a resource; MAC, however, reaches its decision by comparing security labels on subjects and objects rather than by role membership. The inner operations of a MAC system differ distinctly from an RBAC system, and a discussion of them exceeds the scope of this document.
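The three models above differ mainly in who is allowed to change the decision. The following is an added example (not code from the paper, and not any product's implementation) that evaluates the same read and write requests under a toy DAC policy, a Bell-LaPadula style MAC lattice (one common MAC flavour, assumed here for illustration), and an RBAC role table. The users, file names, labels and roles are invented for the demonstration.

```python
# Added example: DAC, MAC and RBAC decisions over the same requests.
# Illustrative code, not from the paper or any product; users, objects,
# labels and roles are invented for the demo.
from dataclasses import dataclass, field


# --- DAC: the object's owner maintains its ACL ----------------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of operations

    def grant(self, by: str, user: str, ops) -> None:
        """Only the owner may change the ACL; that is what 'discretionary' means."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.acl.setdefault(user, set()).update(ops)

    def permits(self, user: str, op: str) -> bool:
        return op in self.acl.get(user, set())


# --- MAC: the system compares fixed labels; owners cannot override -------
LEVELS = {"public": 0, "internal": 1, "secret": 2}


def mac_permits(subject_label: str, object_label: str, op: str) -> bool:
    """Bell-LaPadula style rules (assumed MAC flavour):
    read/execute only objects at or below the subject's level (no read up),
    write only objects at or above it (no write down, so secrets cannot
    be copied into a less protected object)."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if op in ("read", "execute"):
        return s >= o
    if op == "write":
        return s <= o
    return False


# --- RBAC: rights attach to roles; users get rights only via roles --------
ROLE_PERMS = {
    "auditor": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"auditor"}, "mallory": set()}


def rbac_permits(user: str, obj: str, op: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any((obj, op) in ROLE_PERMS.get(role, set()) for role in roles)


def demo() -> dict:
    """Evaluate the same requests under each model and return the decisions."""
    results = {}
    # DAC: alice owns report.txt and grants bob read only; bob cannot delegate.
    report = DacObject(owner="alice", acl={"alice": {"read", "write"}})
    report.grant(by="alice", user="bob", ops={"read"})
    results["dac_bob_read"] = report.permits("bob", "read")      # True
    results["dac_bob_write"] = report.permits("bob", "write")    # False
    try:
        report.grant(by="bob", user="mallory", ops={"read"})
        results["dac_bob_can_delegate"] = True
    except PermissionError:
        results["dac_bob_can_delegate"] = False                   # False
    # MAC: an 'internal' subject against a 'secret' and a 'public' object.
    results["mac_read_secret"] = mac_permits("internal", "secret", "read")    # False
    results["mac_write_secret"] = mac_permits("internal", "secret", "write")  # True
    results["mac_write_public"] = mac_permits("internal", "public", "write")  # False
    # RBAC: bob's auditor role reads the ledger but cannot write it.
    results["rbac_bob_read"] = rbac_permits("bob", "ledger", "read")          # True
    results["rbac_bob_write"] = rbac_permits("bob", "ledger", "write")        # False
    results["rbac_mallory_read"] = rbac_permits("mallory", "ledger", "read")  # False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note how the DAC `grant` call by bob fails: under DAC only the owner extends access, whereas under RBAC or MAC neither alice nor bob could extend it at all, since the role table and the label lattice are administered by the system.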
Access control management systems hinge on the proper identification of subjects trying to access objects. The process of positively identifying a subject is called authentication.
[3] National Institute of Standards and Technology, NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program (Washington: NIST, 2002), accessed 12 October 2004; available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.
The authentication process usually occurs when a subject self-identifies and then responds to a systematic challenge of the identity. This challenge is based on what you know, what you have or who you are. A password is an example of something that you may know, and is currently the most common method of proving identity. A token is an example of something that you have, and biometrics is an example of who you are. Biometrics is a method of identification based on the physical characteristics of a human being, such as a fingerprint, iris scan or retinal scan. Biometrics, though holding significant promise as part of an access control management system, also has significant drawbacks, such as acceptability to users, reliability and resistance to counterfeiting.[4]
The future of access control management systems appears to be in the direction of multi-factor authentication, oftentimes making use of passwords in combination with tokens or biometrics. Beyond the current trend, it seems likely that passwords will eventually be rendered completely obsolete in favor of some form of token or biometric becoming the first, if not only, form of authentication. Specifically, use of numeric or data tokens is on the increase and projected to continue gaining in popularity and acceptance. Major international Internet Service Provider America Online has recently announced the availability of numeric tokens for users as a second factor for authentication. Additionally, as public key infrastructure solutions (see the section on public key infrastructure below) mature and gain in prevalence, the use of data tokens will increase in importance. For example, a bank will be able to issue a USB-based data token to a customer. On the data token will be the customer's unique identifier in the form of a digital certificate. This certificate will
[4] Donald R. Richards, "Biometric Identification," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki
be managed through a central Certificate Authority and will be used both for authentication and for encrypting and digitally signing communication and transactions. Thus, access control management will not only continue its central role within information security, but it will also grow in scope, adding more extensive capabilities for positively impacting confidentiality and integrity. Additionally, besides protecting resources, it may also include extended capabilities that will allow for easier detection of attacks and possibly even automatic methods for correcting violations of integrity.
III. ANTIVIRUS
The first computer virus credited with being found "in the wild" is believed to be a program called "Elk Cloner" that targeted Apple DOS 3.3.[5] The term "virus" may actually have originated in the 1970s in science fiction literature, though as a concept it has likely been around since the 1960s.[6] Traditionally, "[a] virus is simply a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed."[7] In the modern context, this traditional form of malicious code, or malware, is less common. Instead, it is far more common to see variations on this original theme in the form of "worms" and "Trojan horses" that infect a computer system either through direct execution or through some form of network-based replication method. In the
[5] Wikipedia, Computer virus (St. Petersburg: Wikipedia, 2004), accessed 0... November 2004; available from http://en.wikipedia.org/wiki/Computer_virus; Internet.
[6] Wikipedia, Computer virus (St. Petersburg: Wikipedia, 2004), accessed 0... November 2004; available from http://en.wikipedia.org/wiki/Computer_virus; Internet.
[7] Bob
modern context, hybrid malware programs typically replicate through worm-like behaviour that preys on vulnerabilities in operating systems or through social engineering attacks, and then set up backdoors via the Trojan horse mechanism. This backdoor can then allow the attacker to remotely access and control an infected system, allowing for the perpetration of other illicit activities, such as sending SPAM or using the compromised system as a proxy, or relay, through which remote access can be gained to otherwise-protected resources.
Antivirus software has been around for at least the past 10-15 years, though no references were found that indicated a specific date when such programs were first made available. Antivirus software was developed to detect the presence, and eventually the attempted infection, of a system by malware. There are generally two types of antivirus scanning software: signature-based and heuristic. Signature-based scanning relies on a database of known malware signatures. It must be updated on a regular basis in order to ensure a current database of known malware. According to eBCVG, an IT Security company, a heuristic scanner "looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection."[8] The downside to heuristic scanners is that they often generate results that misidentify software as being malware (a.k.a. "false positives").
The most popular operating system, in terms of pure numbers, is Microsoft Windows. As such, it is also the most targeted platform by malware. There are several companies who provide AV software for Windows. There are also versions of AV software for other
[8] eBCVG IT Security, Heuristic Scanning - Where to Next? (Tel-Aviv: eBCVG, 2004), accessed 12 October 2004; available from http://www.ebcvg.com/articles.php?id=24; Internet.
platforms, like Mac OS, UNIX and Linux. However, there are very few cases of malware for those platforms, due in part to their distinct differences from Windows.
A. Business Analysis
In the modern age of computing, antivirus (AV) software is very inexpensive, very common, generally easy to deploy, and oftentimes relatively easy to maintain (easier than patching operating systems and applications, but still more challenging than being fully self-contained). Furthermore, the prevalence and availability of antivirus as a very basic countermeasure is such that a legal argument could be successfully made that the failure of a business to implement AV software throughout the organization could be deemed an act of negligence. As such, the utility and usefulness of AV software is very obvious, both from the standpoint of minimizing the threat of malware and from limiting legal liability resulting from a malware infection.
AV software itself is generally not complex. Most AV packages rely primarily on signature-based scanning with minor heuristic scanning capabilities integrated. The software is usually simple to install and is configured by default to automatically update the underlying scanning engine and the signature database on a regular basis from the Internet.
B. Security Analysis
Whereas businesses are expected to install and maintain antivirus software on most, if not all, systems as a matter of limiting legal liability, the effectiveness of AV software
diminishes each day. The AV industry has generally reached a plateau in the last five years and has not made any major advances in the ability to detect and prevent malware infection. Furthermore, the growth in popularity of the Internet has caused the computing world to become highly interconnected, leading to the development of so-called "zero-day exploits." These are exploits that circulate on, or before, the day the underlying vulnerability becomes publicly known, so that neither a patch nor an AV signature exists when the attack begins. In the worst-case scenario, a major organization like Microsoft will announce the presence of a vulnerability in their popular Windows operating system mid-day, and by that evening a worm will be circulating on the Internet that is actively looking for vulnerable systems and attempting to infect them through this new vulnerability. Sadly, such events have happened in recent history, and oftentimes before a patch is even available to fix the vulnerability and before AV signatures have been developed and released.
The purpose of AV is to detect, protect and correct. Specifically, antivirus software is designed to detect malware infections, but it is also able to protect against an active infection attempt, and it is also often able to correct by disinfecting a system, depending on the characteristics of the malware. From the standpoint of Confidentiality, Integrity and Availability, AV software primarily addresses Integrity. The goal of AV software is to protect the Integrity of the operating system, application or data. Additionally, it has a secondary benefit of ensuring the availability of an object by detecting, protecting or correcting malware infections. Confidentiality may also be protected indirectly against malware that causes data to be sent out randomly, such as Word documents as attachments, forwarded emails, etc.
IV. AUDIT DATA REDUCTION
Audit Data Reduction is an emerging field of study in information security. The Audit Data Reduction Group, part of the COAST Laboratory at Purdue University in the Center for Education and Research in Information Assurance and Security (CERIAS),[9] appears to be a leader in innovative research and thinking on the subject. The problem being addressed relates to the amount of audit data created, out of necessity, by critical systems. These critical systems often generate copious amounts of audit logs, which are often difficult to pore through for signs of malfeasance. The goals of audit data reduction systems are to contribute to misuse and anomaly detection. These types of systems are discussed further in Section VI.
A. Business Analysis
Audit data reduction (ADR) will increasingly become a useful and necessary part of the information security solution toolset. Businesses are increasingly inundated with audit logs generated by all critical systems. The advent of federal regulations that require thorough logging, such as within financially significant systems, will further contribute to this trend. As a result, in order to maximize the value of these audit logs with an eye toward reducing risk to the overall business, it will become increasingly necessary to condense these raw logs into a more useful format.
[9] Purdue University, CERIAS Audit Trail Reduction Group (West Lafayette: CERIAS, undated), accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.php?output=printable; Internet.
Today, audit data reduction systems are still early in academic and commercial development. Solutions tend to be relatively complex and costly. However, it seems very likely that these systems will improve over time and decrease in complexity. In the end, we will likely see large audit data repositories built, based on data warehousing concepts that then leverage data mining techniques for reporting and analysis. These data feeds will then be pumped into systems that establish a baseline for performance and have built-in artificial intelligence that can detect anomalous behaviour indicative of an instance of misuse or abuse, flagging and escalating the event accordingly.
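The reduction step the two paragraphs above describe (condense raw records, then compare the condensed view against a baseline) is simple enough to show directly. The following is an added example, not code from the paper or from the CERIAS group: it collapses a constructed slice of sshd authentication log lines into per-(host, source, user, result) counts and then escalates any source whose failed-login total exceeds an assumed baseline. The log lines, host names and the baseline value are all invented for the demonstration.

```python
# Added example: audit data reduction over constructed sshd log lines,
# followed by a baseline comparison. Not from the paper or any product.
import re
from collections import defaultdict

# Constructed syslog-style authentication records (one short window).
RAW_LOG = """\
Nov 10 08:01:02 fileserv sshd[711]: Accepted password for alice from 10.0.0.5 port 50110 ssh2
Nov 10 08:01:40 fileserv sshd[715]: Failed password for root from 198.51.100.7 port 40101 ssh2
Nov 10 08:01:41 fileserv sshd[715]: Failed password for root from 198.51.100.7 port 40102 ssh2
Nov 10 08:01:43 fileserv sshd[715]: Failed password for root from 198.51.100.7 port 40103 ssh2
Nov 10 08:01:44 fileserv sshd[715]: Failed password for admin from 198.51.100.7 port 40104 ssh2
Nov 10 08:05:09 fileserv sshd[720]: Accepted publickey for bob from 10.0.0.8 port 50122 ssh2
Nov 10 08:07:30 fileserv sshd[731]: Failed password for alice from 10.0.0.5 port 50140 ssh2
Nov 10 08:07:35 fileserv sshd[731]: Accepted password for alice from 10.0.0.5 port 50140 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def reduce_log(text: str) -> dict:
    """Collapse per-line records into (host, src, user, result) -> summary.
    Port numbers and PIDs are dropped: they differ on every line but carry
    no signal for the misuse question being asked. First/last timestamps
    and a count are kept so the reduced record is still auditable."""
    summary = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparsed lines would be counted separately in practice
        key = (m["host"], m["src"], m["user"], m["result"])
        entry = summary.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return summary


# Assumed baseline: failed logins per source that are normal in this window.
BASELINE_FAILED_PER_SRC = 1


def flag_misuse(summary: dict, threshold: int = BASELINE_FAILED_PER_SRC) -> list:
    """Escalate sources whose failed-login total exceeds the baseline,
    regardless of which user names they tried."""
    failed = defaultdict(int)
    for (host, src, _user, result), entry in summary.items():
        if result == "Failed":
            failed[(host, src)] += entry["count"]
    return sorted((host, src, n) for (host, src), n in failed.items() if n > threshold)


if __name__ == "__main__":
    reduced = reduce_log(RAW_LOG)
    print(f"{len(RAW_LOG.splitlines())} raw lines reduced to {len(reduced)} records")
    for flagged in flag_misuse(reduced):
        print("escalate:", flagged)
```

Eight raw lines become five reduced records, and the one source that failed four times across two user names is the only escalation; alice's single mistyped password stays within the baseline. The design choice worth noting is what the reduction throws away (ports, PIDs) versus what it keeps (counts and a time span), because anything dropped here is unavailable to the analyst later.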
B. Security Analysis
The purpose of an audit data reduction system is to reduce the overall cost and complexity associated with combining audit logs into one location and interface. These systems may have direct or indirect impact on the Confidentiality, Integrity or Availability of data or systems, depending on the source of the logs and the type of misuse or abuse detected. In general, ADR systems are a countermeasure designed to better detect instances of misuse or abuse. As the systems mature and further integrate with intrusion detection and analysis systems, the capability will also emerge to take protective and corrective actions. For example, intrusion detection and prevention systems (as will be discussed below) already have the capability to react dynamically and in real-time to detected threats. Using audit data reduction systems to accurately detect misuse or abuse in real-time holds the promise of integrating with these active response systems and thus extending their countermeasure capabilities.
V. FIREWALLS [10, 11, 12, 13, 14]
A firewall is defined as a "component or set of components that restricts access between a protected network and the Internet, or between other sets of networks."[15] Firewalls are network security resources that are defined to control the flow of data between two or more networks. From a high-level perspective, they can serve as a choke-point, designed to restrict, or choke, the flow of network traffic, or as a gateway that performs further processing on the traffic beyond simple choking restrictions. According to Zwicky, et al., firewalls can generally be placed into two categories: Packet Filters or Proxies. Per discussion in EMSE 218, these categories can be broadened to include circuit-level gateways and stateful inspection devices. Blanding[16] adds a third category of hybrid or complex gateways to Zwicky's initial pair.
In reality, the Blanding definition is probably the most correct in that firewalls either perform as a packet filter, a proxy, or as some combination of the two. Other types of firewall simply expand upon those original base types. For example, most proxies today have additional capabilities to perform content management at the application level, detecting inappropriate or unacceptable content, such as through a web or mail session.
[10] Manu, Firewall Basics (Unknown: SecurityDocs.com, 2004), accessed 0... November 2004; available from http://www.securitydocs.com/library/2413; Internet.
[11] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000).
[12] Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996).
[13] Lecture notes from EMSE 218, taken 20 October 2004.
[14] Purdue University, Firewalls (West Lafayette: CERIAS, undated), accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/; Internet.
[15] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p. 102.
[16] Steven F. Blanding, "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki
Also, many firewalls provide capabilities like Network Address Translation (NAT) that provide a logical separation between networks by changing the underlying numbering scheme (IP addressing). NAT is an important feature because it allows organizations to interconnect their resources internally using IP address space that is reserved for internal use by RFC 1918. This reserved space is not routable on the Internet, and thus is not directly accessible to attackers outside the firewall performing the NAT. That protection comes from the absence of an inbound translation rather than from the addresses themselves: a port-forward, a misconfigured route, or a compromised host on the inside reaches the same "unroutable" hosts.
A survey of various vendor web sites, such as Cisco, Checkpoint, NetScreen, CyberGuard, BlueCoat and Secure Computing, reflects the reality that most firewalls are now hybrids. This notion is further reinforced when reading through the Firewall Criteria v4.1[17] for ICSA Labs' Firewall Certification program. No firewall can receive a certification today without being aware of state, thus making it a stateful inspection firewall. However, basic firewalls, like those sold by Cisco, Checkpoint and NetScreen, are essentially just packet filtering, with the additional capabilities of tracking the state of a network session. Checkpoint extends this base design further by also providing some application-specific proxy components. CyberGuard, BlueCoat and Secure Computing, on the other hand, produce firewalls that are primarily proxies. Again, however, because of their adherence to the ICSA criteria, they also are aware of state, at least to some degree, and thus are able to perform basic packet filtering functions, too. Therefore, today, it is probably safe to say that there is only one kind of firewall, and that is a hybrid or complex gateway.
[17] http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.1.shtml
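The distinction between plain packet filtering and "tracking the state of a network session" is easiest to see on a concrete packet sequence. The following is an added example, not from the paper or from any vendor's product: a stateless filter and a stateful one are run over the same constructed four-packet trace (an inside client opening a web session, then an outside host probing an inside machine from source port 80). The addresses, ports, flags and the rule set are invented for the demonstration, and the "inside" network is assumed to be 10.0.0.0/8 from RFC 1918.

```python
# Added example: stateless packet filter versus stateful inspection on the
# same constructed traffic. Illustrative code, not from the paper or any vendor.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


def is_inside(ip: str) -> bool:
    """Assumed inside network: 10.0.0.0/8 (RFC 1918 space behind the firewall)."""
    return ip.startswith("10.")


# --- stateless packet filter -------------------------------------------
# To let inside hosts browse, a stateless filter must admit *any* inbound
# packet whose source port is 80: it cannot tell a reply from a fresh probe.
def stateless_allow(p: Packet) -> bool:
    if is_inside(p.src) and p.dport == 80:       # outbound web request
        return True
    if not is_inside(p.src) and p.sport == 80:   # anything that looks like a reply
        return True
    return False


# --- stateful inspection -----------------------------------------------
class StatefulFilter:
    """Admits inbound packets only when they belong to a session that an
    inside host opened; a RST tears the session entry down."""

    def __init__(self) -> None:
        self.table = set()  # (client, cport, server, sport) of open sessions

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            if "R" in p.flags:
                self.table.discard(fwd)
                self.table.discard(rev)
            return True
        # Only an inside host may open a session, and only with a bare SYN.
        if is_inside(p.src) and p.dport == 80 and p.flags == "S":
            self.table.add(fwd)
            return True
        return False


def run(packets, decide) -> list:
    return [decide(p) for p in packets]


# Constructed trace: a legitimate web session, then an outside attacker
# probing an inside host from source port 80 to fit the stateless "reply" rule.
TRAFFIC = [
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, "SA"),
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "A"),
    Packet("198.51.100.7", 80, "10.0.0.9", 445, "S"),  # the probe
]


def compare() -> dict:
    """Decision per packet under each filter; the last entry is the probe."""
    return {
        "stateless": run(TRAFFIC, stateless_allow),
        "stateful": run(TRAFFIC, StatefulFilter().allow),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name}: {decisions}")
```

Both filters pass the three packets of the real session; only the stateless one also passes the probe, because the rule it needs for return traffic ("inbound from port 80") is exactly the rule the attacker chose a source port to satisfy. The stateful filter never needed that rule, since reply traffic is admitted by table lookup instead.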
A. Business Analysis
The cost of a firewall today is minimal, and is greatly outweighed by the vast utility it serves. Firewalls need not be expensive solutions, but can be based on generic computer components that make use of free, open-source operating systems and software. Furthermore, these simple solutions do not require extensive and expensive hardware, but can oftentimes simply include a processor, memory and a storage device (like a CD-ROM). If the security requirements for an environment are stricter, then there are also many commercially viable solutions that range in price and capability. Several vendors sell firewalls of varying types that can handle a variety of network security needs. Whether those needs be for application proxies, or redundant packet filtering with automatic failover and recovery capabilities, or web proxies with content management capabilities to protect end-users against the hazards of unsafe web browsing, the only limitation today is in the size of the budget.
B. Security Analysis
"Firewalls are powerful tools, but they should never be used instead of other security measures. They should only be used in addition to such measures."[18] The primary role of a firewall, in the traditional sense, is to protect against unauthorized access of resources via the network as part of a defense in depth solution. This role serves to ensure the integrity of data and systems while also limiting the availability of those resources to malfeasants. Despite all the advances in firewall technology over the past 20 years, the fundamental role of the firewall has not changed. What has changed is the
[18] Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996), p. 37.
ability to integrate firewalls with other technologies, such as intrusion detection and analysis systems. Such integration can lead to providing an active response capability that blocks access to detected attackers in a real-time manner. Furthermore, in addition to serving in a protecting role, the audit and activity logs produced by a firewall can be used for detecting attacks, which can in turn result in the initiation of corrective actions, as has already been mentioned.
Firewalls, today, serve as a basic building block within security infrastructures. At the same time, as quoted above, they are not the silver bullet of information security. Implementation of a firewall is no guarantee of security and should be combined with the other security technologies described within this paper.
VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS
The concept of intrusion detection has been around since 1980.[19] In its most essential form, intrusion detection is designed to detect misuse or abuse of network or system resources and report that occurrence. This detection occurs as a result of identifying behaviour based on anomalies or signatures. The most common form of intrusion detection system (IDS) today relies on signature-based detection.
The security industry has greatly expanded intrusion detection over the past years to incorporate several advanced concepts. Beyond basic detection and alerting, most systems today bill themselves as having "intrusion prevention" capabilities; otherwise
[19] Paul Innella, The Evolution of Intrusion Detection Systems (Unknown: SecurityFocus.com, 2001), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1514; Internet.
known as active response. The concept of intrusion prevention is that an activity can be detected reliably and then stopped, either at the host or network level, by the detecting system. From the network perspective, this response could be as simple as detecting an abusive TCP-based network connection and issuing a TCP Reset (RST) packet to both the source and destination hosts, forging the IP header information to impersonate each side.
Additionally, significant advances have been made in the areas of event correlation and anomaly detection. Event correlation is an approach wherein multiple alerts that may appear disparate are able to be linked together based on common criteria, such as time or method or target, and result in an escalated alert, if not a coordinated automatic response. Anomaly detection is similar to event correlation, though its primary role is to scientifically determine a baseline for performance, such as across a network or group of hosts, and then generate alerts when performance deviates significantly from that baseline.
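The event correlation idea in the paragraph above (link alerts that look unrelated on their own by a shared attribute and a time window, then escalate) is shown below as an added example. It is not code from the paper or from any correlation product: it takes a constructed list of alerts from three different sensors, groups them by source address, and escalates a source only when alerts from at least two distinct sensors fall inside one sliding five-minute window. The alerts, sensor names, window and threshold are all invented for the demonstration.

```python
# Added example: time-windowed event correlation across sensors.
# Illustrative code, not from the paper or any product; data is constructed.
from datetime import datetime, timedelta

# Constructed alerts: (time, sensor, source address, description).
ALERTS = [
    ("2004-11-10T08:01:40", "firewall", "198.51.100.7", "deny tcp/445"),
    ("2004-11-10T08:01:52", "ids", "198.51.100.7", "SMB probe signature"),
    ("2004-11-10T08:02:10", "hids", "198.51.100.7", "failed login root"),
    ("2004-11-10T08:30:00", "firewall", "203.0.113.10", "deny udp/161"),
    ("2004-11-10T09:15:00", "ids", "203.0.113.10", "SNMP community scan"),
]


def correlate(alerts, window=timedelta(minutes=5), min_sensors=2) -> list:
    """Group alerts by source; escalate a source when alerts from at least
    `min_sensors` distinct sensors fall inside one sliding `window`.
    Returns (source, window start, sorted sensor names) per escalation."""
    by_src = {}
    for ts, sensor, src, desc in alerts:
        by_src.setdefault(src, []).append((datetime.fromisoformat(ts), sensor, desc))

    escalations = []
    for src, events in by_src.items():
        events.sort()  # tuples sort by timestamp first
        for i, (t0, _sensor, _desc) in enumerate(events):
            cluster = [e for e in events[i:] if e[0] - t0 <= window]
            sensors = {e[1] for e in cluster}
            if len(sensors) >= min_sensors:
                escalations.append((src, t0.isoformat(), sorted(sensors)))
                break  # one escalation per source is enough for this demo
    return escalations


if __name__ == "__main__":
    for src, start, sensors in correlate(ALERTS):
        print(f"escalate {src}: {', '.join(sensors)} within 5 min of {start}")
```

Each of the three alerts for 198.51.100.7 is low-value on its own (a dropped packet, one signature hit, one failed login); together, inside thirty seconds, they describe one reconnaissance-then-access attempt, which is what the escalation reports. The two alerts for 203.0.113.10 share a source but are 45 minutes apart, so the window rule keeps them separate; widening the window is the usual tuning trade-off between catching slow scans and raising the false-positive rate.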
The following sections discuss each of these technologies, providing an overview and then a respective business and security analysis.
A. Intrusion Detection Systems (IDS)[20]
Intrusion detection systems are typically classified according to their primary method of detection: network-based, host-based, hybrid, or network-node. Network-based detection
[20] Paul Innella, The Evolution of Intrusion Detection Systems (Unknown: SecurityFocus.com, 2001), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1514; Internet.
captures packets directly off the network, while host-based detection resides on a host and captures data as it flows into and out of that host. Hybrid systems aggregate the capabilities of network-based and host-based systems, whereas network-node systems try to function like a network-based system while residing on a host.
Today, IDS has begun to mature to the point where most systems can be operated as a hybrid, if the business desires. The main approach used, such as through the open-source product Snort, is to conduct network- and/or host-based scanning using a signature set and then aggregate alerts to a single host for management of those alerts. More advanced systems have additional capabilities, as will be discussed in the following sections, such as intrusion prevention, anomaly detection, and event correlation.
Intrusion detection systems, as a whole, have a couple of key limitations. First, they are typically limited in the same way that antivirus is limited in that successful detection is based on having a good signature that matches known bad traffic. With network detection, this signature limitation is particularly challenging because too literal a string can result in a detection failure. Furthermore, IDS are limited by how much network traffic they can process in a given period of time. For example, most IDS today will claim to be able to monitor 1 Gbps of traffic in real-time, though actual testing, such as in the IDS Lab at ICSA Labs, has proven that these products are actually often performing at much less than 1 Gbps. Even worse, backbone network providers are often running at much higher speeds than 1 Gbps, such as over OC-48 or OC-192 networks, which are 2.488 Gbps and 9.952 Gbps, respectively. This means that the needs and
Benjamin 5) Tomhave 126762004 20
-
8/12/2019 ResearchPaper:Information Security Technologies
21/50
epe+tations for performan+e and thro.$hp.t are very hi$h and not reasonab-y bein$ met
by +ommer+ia- prod.+tions)
In addition to being limited by signatures and performance, most IDS also include management concerns with respect to the number of signatures being managed and the number of alerts being generated. Frustrations arising from these many limitations have led to advances in management of the base IDS, and will be discussed in the Anomaly Detection Systems and Event Correlation Systems sections below.
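The signature limitation described above, as an added example that is not from the paper or from Snort: a small Python matcher over constructed HTTP payloads showing that a literal signature fires once on three copies of the same request, while percent-decoding and lower-casing the payload first catches all three. The signature id and addresses are placeholders.

```python
"""Added example (not from the paper or from Snort): a minimal signature matcher
over constructed HTTP request payloads, showing how a literal string signature
misses a percent-encoded or re-cased copy of the same request and how
normalising the payload before matching closes that gap."""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int          # placeholder id, not a Snort rule id
    name: str
    pattern: bytes    # byte string that must appear in the payload


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dst: str


# Constructed sample "packets" as (src, dst, payload). Packets 3 and 4 carry the
# same directory-traversal request as packet 2, percent-encoded and re-cased.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.7", "10.0.0.80", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ("10.0.0.7", "10.0.0.80", b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"),
    ("10.0.0.9", "10.0.0.80", b"get /CGI-BIN/../../ETC/PASSWD HTTP/1.0\r\n"),
]

# One constructed signature written the literal way: an exact byte string.
SIGNATURES = [Signature(1000001, "WEB traversal etc/passwd", b"../../etc/passwd")]


def normalize(payload: bytes) -> bytes:
    """Undo the cheap encodings that defeat a literal match: percent-decode
    and lower-case the request before the signature is applied."""
    return unquote(payload.decode("latin-1")).lower().encode("latin-1")


def scan(packets, signatures, normalized=False):
    """Apply every signature to every packet and aggregate the alerts into one
    list, as a sensor would forward them to a central management host."""
    alerts = []
    for src, dst, payload in packets:
        data = normalize(payload) if normalized else payload
        for sig in signatures:
            if sig.pattern in data:
                alerts.append(Alert(sig.sid, sig.name, src, dst))
    return alerts


def alert_counts(packets, signatures):
    """(alerts with literal matching, alerts with normalised matching)."""
    return (len(scan(packets, signatures)),
            len(scan(packets, signatures, normalized=True)))


if __name__ == "__main__":
    literal, normalised = alert_counts(SAMPLE_PACKETS, SIGNATURES)
    print(f"literal matching: {literal} alert(s); normalised matching: {normalised} alert(s)")
```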
1. Business Analysis
Intrusion detection systems are still maturing as a product. Advances in event correlation, anomaly detection and active response have made their use much more appealing. However, the cost of deployment and management is still almost at a break-even point with the benefits derived. Networks that are particularly mature and clean have a much greater likelihood of reaping large benefits from an enhanced IDS deployment, whereas networks that are not well-designed and that are poorly managed will have a very difficult time tuning signatures to their environment and establishing performance baselines.
Quality IDS software is free through open-source initiatives such as Snort. Thanks to Snort, all a company really needs is a reasonably sized PC with one or more high-speed network cards and the know-how to install and manage the product on a compatible operating system, which may also be free. However, the open-source management tools that are available for use with Snort, such as ACID and SnortCenter, leave much to be desired and often force companies toward commercial solutions.
Most commercial solutions still tend to be rather expensive and require considerable training. One interesting development is the integration of intrusion detection solutions with firewall products, such as has been done by Cisco, Checkpoint and NetScreen. As will be discussed in the following section on intrusion prevention systems (IPS), this advance has allowed IDS to evolve to include active response capabilities, particularly from the network perspective.
Overall, IDS has value for most organizations that have their network in good working order. However, understaffed and poorly architected environments will likely see IDS as an unacceptable hassle and cost. For those organizations, there are alternative solutions. Several security companies are in the market providing outsourced installation, maintenance and monitoring of IDS solutions. These "managed security solutions" providers may be beneficial for organizations that want the benefits of an IDS, even in a limited capacity, but that cannot afford to implement and manage the IDS themselves.
2. Security Analysis
The original role of IDS was to detect threats on networks and hosts. This role has evolved to include active response capabilities that allow it to protect resources and correct misuse or abuse on networks or hosts. IDS can today serve in a role that impacts Confidentiality, Integrity and Availability, depending on the signature set deployed, the effectiveness of alert management, and whether or not an active response capability exists.
B. Intrusion Prevention Systems (IPS)21
Intrusion prevention systems, or IPS, are often defined as "any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful."22 IPS have grown from a desire to combine the deep-inspection capabilities of IDS with the blocking capabilities of firewalls. These blocking capabilities, often referred to as active response, allow the detection of a policy violation to be translated in real-time into a policy-based action designed to impede or stop the violation.
There are a few variations on IPS, but the most common is the inline network-based system. Another variation of IPS is the so-called "Layer 7 switches" that have matured to include DoS and DDoS detection and mitigation based on an awareness of traffic at the application layer of the OSI model. Also, host-based application firewalls have been integrated with IDS capabilities to allow for application-specific active response capabilities based on a general policy instead of a signature set. Hybrid switch solutions are network-based, but operate similarly to the application firewalls.
All of these types of IPS have two things in common: they generate an alert, based either on a signature or a policy, and they initiate a response, as has been programmed into the system. These alerts may occur as the result of a signature match or a violation of a security policy set up specifically for an application, and the response may range from choking the flow of traffic to terminating or blocking the offending traffic altogether.
21 Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1670; Internet.
22 Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1670; Internet.
There are a couple of key limitations to IPS, as exist for IDS. Those limitations include accurate detection, the ability to handle the full throughput of a network, and the ability to generate the response correctly and in a timely manner. The throughput issue has been discussed above. The matter of accuracy becomes increasingly important when discussing an active, automated response to a detected event. If proper and allowed traffic is incorrectly detected by a signature or as a policy violation, that traffic may be inappropriately subjected to the active response. In particular, known good traffic may be terminated or blocked, resulting in a negative impact to the business. As for generating the response correctly in a timely manner, this limitation pertains to the ability of the IPS to not only detect correctly, but to select the correct response based on a policy, and then be able to issue that response while the offense is still occurring. Choosing the proper response can become challenging when dealing with automated escalations.
1. Business Analysis
Most IDS systems today include some manner of IPS capabilities. Given a well-defined set of signatures or policies, it makes sense to deploy an IDS with IPS capabilities, particularly on the perimeter of your network, and in front of highly valuable assets. The cost of these systems is comparable to that discussed above in the IDS Business Analysis (V.A.1). Ultimately, successful deployment and return on investment will relate directly to how well the network is architected, how well the solution is managed, and how much thought has gone into the overall security management of the organization.
2. Security Analysis
IPS expands the basic detection capabilities of IDS to include definite corrective capabilities. These corrective capabilities have the related benefit of protecting resources based on security policies. These capabilities work together to protect the Confidentiality, Integrity and Availability of systems and data.
C. Event Correlation Systems (ECS)23
Event Correlation Systems build on the successes of Intrusion Detection Systems by providing a better mechanism for aggregating, managing and correlating IDS events, such as are generated through signature detections or policy violations. ECS goes beyond simply pulling together event logs from IDS, however. ECS allows for the aggregation of log data from multiple sources, including firewalls, hosts, applications, and of course IDS. Most ECS solutions serve a dual role as a data warehouse for logs and by providing a data mining interface (manual and automated) to make use of the data stored in the warehouse.
The primary benefit of the Event Correlation System is in its ability to correlate events from multiple systems and generate smart alerts, along with the capability to escalate alerts, based on that correlation. Event Correlation Systems are usually comprised of several key activities: Compression, Counting, Suppression, Generalization and Time-based correlation. These activities are best defined by
23 Russell [...]
[...] information can be gleaned by correlating events that have specific time-based relationships. Some problems can be determined only through such temporal correlation.
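The five activities named above, as an added example that is not from the paper or any ECS product: each one implemented in Python over constructed firewall, IDS and host events, ending in a time-based escalation when an exploit alert is followed by a privilege change on the same host. The event classes, thresholds and windows are this example's assumptions.

```python
"""Added example (not from the paper or any ECS product): the five event
correlation activities the text names,  Compression, Counting, Suppression,
Generalization and Time-based correlation, applied to constructed events
from a firewall, an IDS sensor and a host."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    source: str    # reporting device
    host: str      # host the event concerns
    kind: str      # specific event type as the device reports it
    detail: str


# Constructed events, already parsed from their log lines.
SAMPLE_EVENTS = [
    Event(100, "firewall", "10.0.0.7", "fw.deny", "tcp to 10.0.0.80:22"),
    Event(100, "firewall", "10.0.0.7", "fw.deny", "tcp to 10.0.0.80:22"),  # exact duplicate
    Event(101, "firewall", "10.0.0.7", "fw.deny", "tcp to 10.0.0.80:23"),
    Event(102, "firewall", "10.0.0.7", "fw.deny", "tcp to 10.0.0.80:25"),
    Event(103, "firewall", "10.0.0.7", "fw.deny", "tcp to 10.0.0.80:80"),
    Event(110, "ids", "10.0.0.80", "ids.portscan", "scan from 10.0.0.7"),
    Event(115, "ids", "10.0.0.80", "ids.exploit", "sid 1000001 from 10.0.0.7"),
    Event(150, "host", "10.0.0.80", "host.new_admin", "account svc added to wheel"),
    Event(900, "host", "10.0.0.81", "host.new_admin", "account ops added to wheel"),
]

# Generalization table (assumed): specific kinds rolled up into coarse classes.
CLASSES = {"fw.deny": "recon", "ids.portscan": "recon",
           "ids.exploit": "attack", "host.new_admin": "priv-change"}


def compress(events):
    """Compression: collapse exact duplicates, keeping first-seen order."""
    seen, out = set(), []
    for e in events:
        if e not in seen:
            seen.add(e)
            out.append(e)
    return out


def count_alerts(events, kind, threshold, window):
    """Counting: one alert per host when `threshold` events of `kind` fall
    within any `window`-second span."""
    per_host = defaultdict(list)
    for e in events:
        if e.kind == kind:
            per_host[e.host].append(e.ts)
    alerts = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(("count", host, kind))
                break
    return alerts


def generalize(events):
    """Generalization: count events by class rather than by raw kind."""
    return Counter(CLASSES.get(e.kind, "other") for e in events)


def suppress(events):
    """Suppression: drop 'recon' events for a host that already has an
    'attack' event; the attack alert supersedes the noise that preceded it."""
    attacked = {e.host for e in events if CLASSES.get(e.kind) == "attack"}
    return [e for e in events
            if not (CLASSES.get(e.kind) == "recon" and e.host in attacked)]


def escalate(events, window):
    """Time-based correlation: an 'attack' on a host followed within `window`
    seconds by a 'priv-change' on the same host becomes an escalated alert."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        for a in evs:
            if CLASSES.get(a.kind) != "attack":
                continue
            for b in evs:
                if CLASSES.get(b.kind) == "priv-change" and 0 <= b.ts - a.ts <= window:
                    alerts.append(("escalate", host, a.kind, b.kind))
    return alerts


def correlate(events):
    """Run the pipeline and return the alerts an operator would actually see."""
    evs = compress(events)
    return {"count": count_alerts(evs, "fw.deny", threshold=3, window=10),
            "classes": dict(generalize(suppress(evs))),
            "escalate": escalate(evs, window=60)}


if __name__ == "__main__":
    for name, value in correlate(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```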
1. Business Analysis
ECS is the solution that is most desirable and has the potential for the biggest return on investment. However, implementation of such a system has proven to be very challenging for vendors. As a result, these systems tend to be very expensive and not terribly reliable. Instead, the Anomaly Detection approach, as discussed below, has been conceived and is beginning to receive increased market share. In the future, it is hoped that ECS will mature to the point where it can be integrated to round out the Intrusion Detection and Analysis System.
2. Security Analysis
The primary function of ECS is to better detect events within the enterprise. Once reliable detection occurs, then other capabilities, such as active response, can be developed with it. Until that time, however, this solution is primarily aimed at protecting the Integrity of systems and data as a result of detecting active threats against them.
D. Anomaly Detection Systems (ADS)25,26
25 Christina Yip Chung, Anomaly Detection in Database Systems (Davis: UC Davis Computer Security Laboratory, 1[...]), accessed 12 October 2004; available from http://seclab.cs.ucdavis.edu/projects/anomaly.html; Internet.
26 Roy A. Maxion and [...]
Anomaly Detection Systems are an extension of Intrusion Detection Systems (or Misuse Detection Systems), as defined by Chung. Per Maxion and [...]ed form, ADS dynamically calculates the current performance based on aggregate log data and determines whether or not the current level of performance is deviant from expected levels.
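The baseline-and-deviation behaviour described above, as an added example that is not from the paper or the cited ADS work: a per-host statistical baseline built from constructed hourly connection counts, a z-score test of the current hour against it, and a baseline update that learns only from observations judged normal. The threshold of three standard deviations and the standard-deviation floor are assumptions.

```python
"""Added example (not from the paper, Chung or Maxion): a statistical baseline
of per-host activity built from aggregate log counts, with alerts when the
current level deviates significantly (z-score) from what the baseline expects."""
from statistics import mean, pstdev

# Constructed baseline: outbound connections per hour for each host over a
# clean 24-hour period, as a log warehouse might aggregate them.
BASELINE = {
    "10.0.0.21": [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41,
                  39, 44, 40, 38, 42, 41, 43, 40, 39, 42, 41, 40],
    "10.0.0.22": [5, 4, 6, 5, 5, 4, 7, 5, 6, 5, 4, 5,
                  6, 5, 5, 4, 5, 6, 5, 5, 4, 6, 5, 5],
}

# Constructed counts for the hour being evaluated; 10.0.0.23 is a host the
# baseline period never saw.
CURRENT = {"10.0.0.21": 45, "10.0.0.22": 60, "10.0.0.23": 12}


def build_profile(samples, min_stdev=1.0):
    """(mean, stdev) for one host's history. The stdev floor (assumed) stops a
    perfectly flat history from turning every small change into an alert."""
    return mean(samples), max(pstdev(samples), min_stdev)


def zscore(value, profile):
    """How many standard deviations `value` sits from the profile's mean."""
    mu, sd = profile
    return (value - mu) / sd


def detect(baseline, current, threshold=3.0):
    """Map each host to 'normal', 'anomaly' or 'no-baseline'. A host without a
    baseline cannot be scored and is reported separately rather than ignored."""
    profiles = {host: build_profile(v) for host, v in baseline.items()}
    verdicts = {}
    for host, value in current.items():
        if host not in profiles:
            verdicts[host] = "no-baseline"
        elif abs(zscore(value, profiles[host])) > threshold:
            verdicts[host] = "anomaly"
        else:
            verdicts[host] = "normal"
    return verdicts


def update_baseline(baseline, current, verdicts, keep=24):
    """Roll the baseline forward with observations judged normal only, so an
    attack in progress does not teach the detector to accept itself."""
    for host, value in current.items():
        if verdicts.get(host) == "normal":
            baseline[host] = (baseline[host] + [value])[-keep:]
    return baseline


if __name__ == "__main__":
    verdicts = detect(BASELINE, CURRENT)
    for host, verdict in verdicts.items():
        print(host, verdict)
```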
As outlined in Maxion and [...]
[...] something generally appreciated by businesses and could stand to limit its adoption within corporate security environments.
1. Business Analysis
Anomaly detection systems are an emerging solution related in part to intrusion (or misuse) detection systems and event correlation systems. This reality as an emerging technology limits the number of commercial solutions available and increases the cost of deployment. Some organizations have gone so far as to develop rudimentary ADS solutions in-house in order to defer commercial expenses. However, the overall value of these systems is limited by the primitive routines performed.
Ultimately, ADS and ECS represent the ideal solutions that will maximize return on investment for detection of threats within a security infrastructure. Once solutions begin to mature, competition emerges, and prices begin to drop, we will likely see wide adoption of these types of solutions. Until that time, only the largest organizations, with the necessary resources to implement such a solution, will likely see the utility of ADS or ECS. Small and medium sized organizations will likely need to be content with basic IDS and IPS capabilities for the foreseeable future, barring a major breakthrough in performance and reliability that can reduce the overall total cost of ownership while maximizing the value. Integration of these solutions with active response capabilities and firewalls will continue to mature as the core products themselves mature.
2. Security Analysis
ADS are primarily designed to detect threats to the organization. This detect capability may be expanded in the future to include protect and correct capabilities, but only after the product has matured further. The general goal of ADS, as is true with most intrusion detection related solutions, is to primarily ensure Integrity, with secondary goals of ensuring Availability and Confidentiality. Detection can be used universally to ensure all three aspects of the CIA approach.
VI. NETWORK MAPPING
Network mapping is defined as "the study of the physical connectivity of the Internet."28 In its most common form, network mapping is used to document the layout of a local area network (LAN) as part of an overall security assessment. This use is a form of intelligence gathering and oftentimes precedes the actual assessment of targeted systems.
Network mapping has evolved over the years from the simple performance of 'PING' or 'CONNECT' attempts to more extensive and subversive (or 'quiet') methods of detection. Today, the most popular tool for performing network mapping is the open-source tool Nmap.29 Nmap is capable of testing for the presence of nodes on a network based on a variety of detection techniques, including the use of Internet Protocol (IP), Transmission Control Protocol (TCP) and Universal Datagram Protocol (UDP). Each of these protocols has a unique flavor, and thus can generate varying results. Furthermore, Nmap has additional capabilities for subverting network security devices like firewalls and intrusion detection systems. It can take as input a host name, an IP address, a range of IP addresses, or a network or subnetwork. It may also take configurable parameters of 'dummy' source addresses to help camouflage to network sensors what it is trying to do.
28 Wikipedia, Network Mapping (St. Petersburg: Wikipedia, 2004), accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Network_Mapping; Internet.
29 Fyodor, Nmap Security Scanner (Unknown: Insecure.org, undated), accessed 12 October 2004; available from http://www.insecure.org/nmap/index.html; Internet.
The goal of network mapping is to determine which nodes are active on a network. This basic determination can be developed further to identify how far away the nodes are from the scanning host. Operating system identification may also be performed by tools like Nmap, though this functionality is an extension of network mapping and not core to its capabilities.
A. Business Analysis
Network mapping is a cheap and valuable tool for reviewing the existence of nodes on a network. Running a network mapping tool on a regular basis and comparing its results can assist an organization in ensuring that no nodes are being added to the network without proper authorization. Since the most popular tool, Nmap, is free and has been ported to many operating systems, including Linux, UNIX, Windows and Mac OS, the only real costs are in terms of performance and processing.
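Comparing scan results over time, as an added example that is not from the paper or from Nmap: a Python parser for a constructed scan written in the style of Nmap's grepable (-oG) output, diffed against an authorized inventory to flag nodes that appeared without authorization and expected nodes that are no longer answering. Addresses and host names are made up.

```python
"""Added example (not from the paper or from Nmap): parse a constructed scan in
Nmap's grepable (-oG) output style and diff the live hosts against an
authorized inventory, reporting unauthorized newcomers and missing nodes."""
import re

# Constructed scan output in the grepable style; addresses and names are made up.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 (gw.example.lan)\tStatus: Up
Host: 192.168.1.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 (files.example.lan)\tStatus: Up
Host: 192.168.1.10 (files.example.lan)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///
Host: 192.168.1.200 (printer.example.lan)\tStatus: Down
# Nmap done (constructed sample)
"""

# Authorized inventory from the asset register or the previous run (constructed).
AUTHORIZED = {"192.168.1.1", "192.168.1.10", "192.168.1.200"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)///")


def parse_grepable(text):
    """Return {ip: {"name": str, "up": bool, "ports": {port: service}}}.
    A host may occur on several lines (Status, Ports); they are merged."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else we do not understand
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "up": False, "ports": {}})
        if rest.startswith("Status: "):
            entry["up"] = rest == "Status: Up"
        elif rest.startswith("Ports: "):
            entry["up"] = True  # a host with open ports is answering
            for port, service in PORT_RE.findall(rest):
                entry["ports"][int(port)] = service
    return hosts


def diff_inventory(hosts, authorized):
    """Live hosts not in the inventory, and inventory hosts that did not answer."""
    live = {ip for ip, h in hosts.items() if h["up"]}
    return {"unauthorized": sorted(live - authorized),
            "missing": sorted(authorized - live)}


if __name__ == "__main__":
    found = parse_grepable(SCAN_OUTPUT)
    for key, ips in diff_inventory(found, AUTHORIZED).items():
        print(key, ips)
```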
There are a couple of potential risks and limitations for network mapping. First, some applications and systems do not respond well to probes from network mapping tools. Mainframes, for example, have been known to respond poorly to raw network socket requests. Thus, network mapping could cause instability in a mainframe, or at least generate a large number of alerts. Additionally, network mapping can be limited by certain types of network and firewall rules. Whereas network mapping used to be able to circumvent firewalls using various packet manipulation techniques, most firewalls today are aware of state and thus effectively block circumvention. Additionally, intrusion detection systems, which may also be circumvented, have the capability today to be tuned so as to more optimally detect the occurrence of network mapping.
B. Security Analysis
Network mapping is a form of detection, from the standpoint that it detects nodes on a network, which can in turn be used to determine whether or not a given node is authorized to be on the network. Network mapping may also be construed as a form of protection, since the actions that derive from comparing network mapping data sets could result in removal of unauthorized nodes from the network.
From the standpoint of Confidentiality, Integrity and Availability, network mapping primarily serves the goal of ensuring the Integrity of the network. It may also be used to verify that certain nodes remain available on a network. Network mapping does not have any impact on Confidentiality, unless one were to spin the impact along the following line: a node, such as an IDS sensor, is placed on the network and configured so as not to be detectable by network mapping; however, a misconfiguration results in causing the sensor to respond to network mapping requests, revealing its location, and possibly its identity; thus, network mapping can ensure the confidentiality of 'hidden' network nodes.
VII. PASSWORD CRACKING
[...]ed access to a system or data. Additionally, password cracking may be used as a preventative measure to ensure that strong passwords are being used by system users.
Most passwords today are maintained as a hashed, rather than encrypted, value. Hashing means taking a password string and using it as an input for an algorithm that results in an output that does not resemble the original input. Unlike encryption, hashing only works one way and cannot be decrypted. Hashing passwords before storing them is far more efficient than encrypting and decrypting passwords on the fly. Thus, when a user attempts to log in, their submitted password is hashed, and the hashed value is compared with the hashed value stored on the system. Given an exact hash match, the login is approved and the user is considered authenticated.
The best commercial use of password cracking is as a preventative measure, ensuring that users are choosing high quality (or strong) passwords. According to @stake, maker of the popular l0phtcrack password cracking utility, "experts from SANS, industry, government, and academia cite weak passwords as one of the most critical security threats to networks."31 In the current context, passwords are the primary method for authentication, despite the availability of better solutions, as described in Section I above. Thus, protection of passwords and ensuring strong passwords against simple attacks is of the utmost importance.
30 Wikipedia, Password cracking (St. Petersburg: Wikipedia, 2004), accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Password_cracking; Internet.
Passwords are typically subjected to a combination of two kinds of attacks: brute-force and dictionary (or word-list). Brute-force attacks attempt to iterate through every possible password option available, either directly attempting the test password against the system, or in the case of a captured password file, comparing the hashed or encrypted test password against the hashed or encrypted value in the file. In a dictionary attack, a list of common passwords, oftentimes consisting of regular words, is quickly run through and applied in a similar manner as with the brute-force attack.
Dictionary attacks are oftentimes very effective unless systems require users to choose strong passwords. For example, the maintainers of the popular open-source password cracking tool John the Ripper sell collections of word lists on CD. The CDs include word lists for more than 20 human languages, plus common and default passwords and unique words for all combined languages. For around $50 an individual wanting to execute a massive dictionary-based attack could have access to over [?]00MB of word list data.32 The ready availability of such data sets for use in dictionary attacks means that, unless a strong password is selected, it is very likely that the password can be cracked in a reasonable amount of time. This is especially true of passwords that are based on human-readable words.
31 @stake, @stake LC 5 (Cambridge: @stake, undated), accessed 12 October 2004; available from http://www.atstake.com/products/lc/; Internet.
32 Openwall Project, [...]
A strong password is most often defined as a string of eight (8) or more characters that mix upper- and lower-case letters, numbers and special characters. Strong passwords do not resemble words, and are best when generated at random.33 One suggested approach is picking a passphrase and either using the passphrase in its entirety or picking the leading letters from each word in the phrase and substituting numbers and special characters for some of the letters. Certain password hashing algorithms produce stronger hash values with longer passwords while others produce stronger hash values based on increased complexity of the password.
In addition to requiring users to choose strong passwords, it is also incumbent upon system administrators to require that passwords be changed frequently. Conventional wisdom indicates that no password should have a lifetime greater than [?]0 days, and for highly critical systems the lifetime should be 30 days or less. One exception to this rule involves two-factor authentication where a password is coupled with a stronger authentication method, such as tokens or biometrics.
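The hash-and-compare login check, the strong-password definition and the preventative audit described above, as an added example that is not from the paper, l0phtcrack or John the Ripper. It assumes a per-user salt and PBKDF2 for the stored hash, which go beyond the plain hash the text describes; the word list and account table are constructed.

```python
"""Added example (not from the paper, l0phtcrack or John the Ripper): the
hash-and-compare login check the text describes, the strong-password rule it
gives (eight or more characters mixing upper, lower, digits and specials), and
a preventative audit reporting which accounts' stored hashes match a word-list
entry. The per-user salt and PBKDF2 are this example's assumptions."""
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional, Tuple

ITERATIONS = 10_000  # kept low so the audit runs quickly; production uses far more


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash of the password; the random salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_login(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Hash the submitted password with the stored salt and compare the digests
    in constant time; an exact match authenticates the user."""
    return hmac.compare_digest(hash_password(submitted, salt)[1], stored)


CHARACTER_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                     string.digits, string.punctuation)


def is_strong(password: str, min_len: int = 8) -> bool:
    """Eight or more characters drawing on all four character classes."""
    return (len(password) >= min_len
            and all(any(c in cls for c in password) for cls in CHARACTER_CLASSES))


def audit_against_wordlist(accounts: Dict[str, Tuple[bytes, bytes]],
                           wordlist: List[str]) -> List[str]:
    """Preventative check: names of accounts whose stored hash equals the hash
    of a word-list entry, i.e. passwords a dictionary attack would recover."""
    weak = []
    for user, (salt, stored) in accounts.items():
        if any(verify_login(word, salt, stored) for word in wordlist):
            weak.append(user)
    return weak


# Constructed word list and account table (passwords chosen for the demo).
WORDLIST = ["password", "letmein", "welcome", "summer2004", "admin"]
ACCOUNTS = {
    "alice": hash_password("summer2004"),
    "bob": hash_password("Tr0ub4dor&3"),
    "carol": hash_password("letmein"),
}


if __name__ == "__main__":
    print("accounts with word-list passwords:", audit_against_wordlist(ACCOUNTS, WORDLIST))
```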
A. Business Analysis
Passwords hold a prevalent place within the security infrastructure throughout most, if not all, organizations. Until passwords are replaced by stronger forms of authentication, such as tokens or biometrics, it is absolutely necessary that the use of strong passwords be enforced. Therefore, the benefit of buying word lists and password cracking software and running them regularly, particularly on key systems, greatly outweighs the costs. One downside is where centralized authentication has not been implemented. In those cases, while it is likely that users will use the same password across multiple systems, the cost in time of running password cracking against all systems becomes challenging. Thus, in addition to password cracking, it is also useful to implement a centralized authentication system that results in fewer password files to test.
33 A. Cliff, Password Crackers - Ensuring the Security of Your Password (Unknown: SecurityFocus.com, 2001), accessed 12 October 2004; available from http://www.securityfocus.com/infocus/11[?]2; Internet.
B. Security Analysis
Password cracking is primarily a protective countermeasure. It is designed to ensure that passwords used in various authentication mechanisms are strong enough to prevent casual dictionary-based attacks. It is assumed, however, that a brute-force attack can be 100% successful given enough time. As such, it is vitally important to combine password cracking with strict systematic requirements for strong passwords and regular password rotation. Password cracking helps ensure the Confidentiality and Integrity of data and systems by propping up the authentication system.
VIII. PUBLIC KEY INFRASTRUCTURE
Public K[...]ations SSL certificate can be verified by a client web browser as being authentic and non-revoked.
35 Roger Clarke, Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society (Canberra: Clarke, 2000), accessed 12 October 2004; available from http://www.anu.edu.au/people/Roger.Clarke//P[...]
In more complex scenarios, PK[...]ation for various purposes, such as secure internal communication, providing encryption services to data and systems, digitally signing code, and providing encryption materials allowing users to digitally sign communication. Typically, though, enterprise PK[...]ation of associated technologies.38
A. Business Analysis
PK[...]
The use of PK[...]ed software development companies, it may in fact be cheaper to rely on code signing from a trusted third party rather than to conduct the code signing with an in-house PK[...]
B. Security Analysis
The main role of PK[...]
IX. VIRTUAL PRIVATE NETWORK
A Virtual Private Network (VPN) is a private communications network that makes use of public networks, oftentimes for communication between different organizations.40 A VPN is not inherently secure, though in its most common incarnation it does utilize encryption to ensure the confidentiality of data transmitted. The VPN is often seen as a cheaper solution for deploying a private network than private leased lines.41,42 They often serve to protect and ensure the integrity of communications43 and may also protect the confidentiality of those communications when utilizing encryption.
Aside from the cost factor, VPNs have two main advantages: they may provide overall encryption for communications and they allow the use of protocols that are otherwise difficult to secure.44 In contrast, Zwicky cites the two main disadvantages of VPNs as being the reliance on "dangerous" public networks and extending the network that is being protected.45
There are three types of VPNs available today: dedicated, SSL and opportunistic. Dedicated VPNs, either in a gateway-to-gateway or client-to-gateway configuration, appear to currently be the most prominent deployment. However, SSL VPNs are increasing in popularity, serving as a lightweight, platform-independent client-to-gateway protection mechanism. Additionally, the concept of opportunistic encryption, as used with VPNs, was first posited in 2001 by the FreeS/WAN project, whose mission was to provide free standards-based VPN software under an open-source initiative. The concept of opportunistic encryption (OE) hinged on the notion that a VPN did not need to be in an "up" state at all times, but rather only needed to be activated when communication was occurring. Thus, gateways across the Internet could be configured to support encryption on an as-needed basis and would only have to set up the VPN when a connection from/through an OE-aware gateway was initiated. This model is similar to the traditional use of SSL on the Internet, except that instead of simply encrypting the traffic at the application layer, the encryption was actually occurring at the network and/or transport layer, and all happening transparently to the end-user.46 The goal of implementing opportunistic encryption within free IPSEC-based VPNs was to transparently encrypt all Internet traffic.
Most virtual private networks today make use of IPSEC encryption. IPSEC provides network-level security for the Internet Protocol (IP) and is an extension of the original IPv4 standard. IPSEC makes use of the management and security protocol ISA[...] during connection setup. IPSEC includes a number of other features, such as being usable by tunneling protocols.47
39 About.com has several links on VPNs that may be worth reviewing. http://compnetworking.about.com/od/vpn/
40 Wikipedia, Virtual private network (St. Petersburg: Wikipedia, 2004), accessed 0[?] November 2004; available from http://en.wikipedia.org/wiki/Virtual_private_network; Internet.
41 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p104.
42 Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated), accessed 12 October 2004; available from http://www.networkcomputing.com/[?]05/[?]05colmoskowitz.html; Internet.
43 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p11.
44 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p120.
45 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p121.
A. Business Analysis
Virtual private networks have a legitimate use in the business environment, especially when used in a secure manner, leveraging available encryption options. Given the growing prevalence and availability of cheap Internet access, a VPN can be used to securely and reliably replace more expensive leased lines. This replacement is particularly nice in environments where the data being transmitted is sensitive, but where interruption of connectivity will not represent a major disruption to the business.
Many hardware and software solutions are available today, with costs ranging from free (FreeS/WAN) to expensive (dedicated hardware-based solutions targeting high throughput). Most inexpensive networking equipment, such as the Linksys and Netgear lines of home user security devices, now supports IPSEC-based VPNs.
B. Security Analysis
The basic goal of a Virtual Private Network is to ensure the integrity of the connection and communications.48 When encryption is added, the goal of preserving confidentiality may also be achieved. One downside to VPNs is that they tend to be built on complex systems and are prone to easy disruption, reducing the overall availability of data and communications.
47 Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated), accessed 12 October 2004; available from http://www.networkcomputing.com/[?]05/[?]05colmoskowitz.html; Internet.
48 Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p11.
From the perspective of countermeasures, the VPN primarily serves to protect data, though it may also dynamically correct. If logging is enabled and monitored, then attacks against the VPN may also result in meeting the need of detection, though that would be ancillary.
X. VULNERABILITY SCANNING SYSTEMS
Vulnerability scanning is the "automated process of proactively identifying vulnerabilities
of computing systems in a network in order to determine if and where a system can be
exploited and/or threatened."49 Vulnerability scanning typically relies on a handful of
tools that identify hosts and then proceed to test them for known weaknesses. The
automated scanning process should include three high-level steps: receiving authority to
scan, determining the scope of the program, and establishing a security baseline (based on
the number of vulnerabilities found per number of hosts scanned).50 Additionally, a good
vulnerability scanning program will securely manage the results of the scans and will
have a proven plan and process in place for remediation of vulnerabilities that are
uncovered. Vulnerability scanning should occur as part of an overall risk management
framework, not as a standalone security countermeasure.
49 Webopedia, vulnerability scanning (Darien: Jupitermedia, undated, accessed 12 October 2004); available from http://www.webopedia.com/TERM/V/vulnerability_scanning.html; Internet.
50 Christopher Cook, Managing Network Vulnerabilities in a DOE/NNSA Environment (
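The three high-level steps described above (authority to scan, scope, and a baseline expressed as vulnerabilities found per host scanned), together with the handling of results and a remediation queue, as an added Python example. This is not code from the paper, from Nessus or from any scanner; the authority record, the finding fields, the check names, the addresses (taken from documentation ranges) and the previous baseline value are all constructed assumptions.

```python
"""Bookkeeping for a vulnerability scanning program (added example, not the
paper's or any scanner's code).  Covers the paper's three high-level steps:
authority to scan, scope, and a baseline of vulnerabilities per host scanned,
plus a remediation queue.  All data below is constructed sample data."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class ScanAuthority:
    """Steps 1 and 2: who approved the scan and which address ranges it covers."""
    approved_by: str
    networks: tuple          # ipaddress network objects
    valid_until: str         # ISO date, compared as text


@dataclass(frozen=True)
class Finding:
    host: str
    check: str               # hypothetical check name (e.g. a NASL script id)
    severity: str            # "high", "medium" or "low"


def in_scope(authority, host):
    """A host is in scope only if it falls inside an approved network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in authority.networks)


def apply_scope(authority, findings, scan_date):
    """Reject findings for hosts outside the approved scope and refuse to
    proceed at all once the written authority has expired."""
    if scan_date > authority.valid_until:
        raise PermissionError("scan authority from %s expired" % authority.approved_by)
    accepted = [f for f in findings if in_scope(authority, f.host)]
    rejected = [f for f in findings if not in_scope(authority, f.host)]
    return accepted, rejected


def baseline(findings, hosts_scanned):
    """Step 3: the paper's baseline metric, vulnerabilities per host scanned."""
    if hosts_scanned <= 0:
        raise ValueError("hosts_scanned must be positive")
    return len(findings) / hosts_scanned


def compare_to_baseline(current, previous, tolerance=0.0):
    """Classify a new scan's metric against the previous baseline."""
    if current > previous + tolerance:
        return "regressed"
    if current < previous - tolerance:
        return "improved"
    return "stable"


def remediation_queue(findings):
    """Order hosts for remediation: worst severity first, then most findings."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f.host].append(f)

    def host_key(item):
        host, host_findings = item
        worst = min(SEVERITY_ORDER[f.severity] for f in host_findings)
        return (worst, -len(host_findings), host)

    return [
        (host, sorted(host_findings, key=lambda f: SEVERITY_ORDER[f.severity]))
        for host, host_findings in sorted(per_host.items(), key=host_key)
    ]


# Constructed sample data: documentation address ranges, invented check names.
AUTHORITY = ScanAuthority(
    approved_by="CISO",
    networks=(ipaddress.ip_network("192.0.2.0/24"),),
    valid_until="2004-12-31",
)
SAMPLE_FINDINGS = [
    Finding("192.0.2.10", "ssh_old_version", "medium"),
    Finding("192.0.2.10", "ftp_anonymous_write", "high"),
    Finding("192.0.2.25", "http_dir_listing", "low"),
    Finding("198.51.100.7", "ssh_old_version", "medium"),  # outside approved scope
]
HOSTS_SCANNED = 20
PREVIOUS_BASELINE = 0.10   # metric from the last scan cycle (constructed)


def run_sample():
    """Run the whole cycle on the sample data and return the key results."""
    accepted, rejected = apply_scope(AUTHORITY, SAMPLE_FINDINGS, "2004-10-12")
    current = baseline(accepted, HOSTS_SCANNED)          # 3 / 20 = 0.15
    queue = remediation_queue(accepted)
    return {
        "accepted": len(accepted),
        "rejected": len(rejected),
        "baseline": current,
        "status": compare_to_baseline(current, PREVIOUS_BASELINE),
        "first_to_fix": queue[0][0],
    }


if __name__ == "__main__":
    print(run_sample())
```

The out-of-scope host is dropped before any metric is computed, so a finding against an address nobody authorised never enters the baseline or the remediation queue; the expiry check makes the "authority to scan" step a hard precondition rather than a note in a file.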
The most popular vulnerability scanning tool available today is also free, open-source
software. Nessus51 has become the de facto tool for vulnerability scanning over the past
five (5) years, replacing commercial tools like CyberCop Scanner (discontinued), ISS
Security Scanner, and eEye Retina. Vulnerability scanning has been around since the late
80s or early 90s, pioneered by Dan Farmer, co-author of the COPS52 security tool.
Originally, vulnerability scanning was host-based in nature, as COPS and TIGER were,
but eventually expanded to include network-based scanning. There are still host-based
scanners available, such as the Center for Internet Security's benchmark security tool.53
More often, though, vulnerability scanning today is network-based.
Chapple provides a nice overview of the Nessus scanner and why it's preferable to its
competition:
"The Nessus tool works a little differently than other scanners. Rather than
purporting to offer a single, all-encompassing vulnerability database that gets
updated regularly, Nessus supports the Nessus Attack Scripting Language
(NASL), which allows security professionals to use a simple language to describe
individual attacks. Nessus administrators then simply include the NASL
descriptions of all desired vulnerabilities to develop their own customized
scans."54
51 http://www.nessus.org/
52 http://www.fish.com/cops/overview.html
53 http://www.cisecurity.com/
54 Mike Chapple, Vulnerability scanning with Nessus (Unknown: TechTarget.com, 2003, accessed 12 October 2004); available from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci938271,00.html?track=NL-20; Internet.
A. Business Analysis
As was the case with password cracking in Section VII above, vulnerability scanning is a
very cheap and useful practice. When conducted regularly and carefully, the use of an
automated vulnerability scanning tool can provide considerable information about the
overall risk landscape of technologies throughout an enterprise. Vulnerability scanning is
particularly important for ensuring that Internet-accessible resources are properly secured
before deployment, and to ensure that they remain secure after deployment.
Because the most common tool for conducting vulnerability scans is free, open-source
software, there is very little reason not to make use of it. Furthermore, the installation
and operation of a tool like Nessus does not require much technical acumen. More
importantly, the information that can be gathered from the assessment can be invaluable.
Operation of a basic vulnerability scanner is not complex. Making matters even better,
tools like Nessus are thoroughly documented on the Internet and can often be found in
pre-packaged bootable environments.
B. Security Analysis
Vulnerability scanning can contribute to countermeasures in all three areas of protect,
detect and correct. The primary role of the scanning is to detect vulnerabilities in
systems, but when used properly it will also contribute to protecting resources from being
deployed insecurely, and it will provide adequate information to allow system
administrators to correct vulnerabilities.
From the standpoint of Confidentiality, Integrity and Availability, vulnerability scanning
most affects the Integrity of systems, though there may be ancillary benefits to
Confidentiality and Availability. In detecting and resolving weaknesses in a system, the
integrity of the system can be assured. Furthermore, ensuring the integrity of a system
will help prevent the system from becoming compromised, resulting in a loss of
confidentiality, or from being overly susceptible to attacks that may result in denying the
availability of the system or associated application.
REFERENCES
1. @stake. @stake LC 5. Cambridge: @stake, undated, accessed 12 October 2004; available from http://www.atstake.com/products/lc/; Internet.
2. Blanding, Steven F. "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki
12. Moskowitz, Robert. What Is A Virtual Private Network? Unknown: CMP, undated, accessed 12 October 2004; available from http://www.networkcomputing.com/05/05colmoskowitz.html; Internet.
17. National Institute of Standards and Technology. NIST PKI Program. Washington: NIST, 2004, accessed 12 October 2004; available from http://csrc.nist.gov/pki/; Internet.
18. National Institute of Standards and Technology. NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program. Washington: NIST, 2002, accessed 12 October 2004; available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.
19. Openwall Project.
23. Rothke, Ben. Access Control Systems & Methodology. New York: SecurityDocs.com, 2004, accessed 0 November 2004; available from http://www.securitydocs.com/go/; Internet.
24. Spencer, Henry and D. Hugh Redelmeier. Opportunistic Encryption. Unknown: Freeswan.org, 2001, accessed 07 November 2001; available from http://www.freeswan.org/freeswan_trees/freeswan-1.1/doc/opportunism.spec; Internet.
25. Tipton, Harold F. and Micki