November 2001

Computer Systems Security in an Internet Age—Protecting Your Network, Part Two

By Neil Rosenberg

In the last issue of The Trusted Professional, we discussed the nature of the threat to computer networks connected to the Internet and the role firewalls play in securing Internet connections. We will continue that discussion this month, and introduce intrusion detection systems as a possible component of a network security system.

Many other threats loom on the Internet beyond targeted attempts to break into your network. You have probably heard the term denial-of-service (DoS) attack, which gives new meaning to the old, similar acronym DOS (Disk Operating System). A denial-of-service attack is not meant to break into your system. It is meant to take the system down and deny you, your customers and your partners its use. These attacks usually work in one of two ways: overwhelming the target with more traffic than the server or firewall can handle (“smothering” it), or sending specially crafted data that makes the target fail. A malformed packet that a server does not know how to handle, and that crashes it as a result, is one example.

Because an attack launched from the attacker’s own machine can usually be traced back through logs, the conventional approach is to take over someone else’s system and launch the attack from there, often with forged source addresses as well. An attack launched at once from many such compromised systems is called a distributed denial-of-service (DDoS) attack because it comes from many places. The recent Code Red worm, which instructed every web server it infected to flood the White House website, was a distributed denial-of-service attack.

An intrusion detection system (IDS) is a specialized device or computer that watches all of the traffic entering or leaving your network and looks for suspicious behavior or patterns. It does not replace the firewall; it is the part of the defense that notices an attack in progress, including attacks the firewall’s rules do not stop, and reports it (and, in some products, reacts to it). Like viruses, network attacks exhibit recognizable patterns of behavior and leave “traces” that can be identified, known as signatures.

The most common network attacks, including SYN flood (a stream of half-open connection requests that fills up a server’s connection table), Smurf (a ping sent to a network’s broadcast address with the victim’s address forged as the source, so that every host on that network replies to the victim) and Teardrop (overlapping IP fragments that crash a vulnerable operating system), have specific signatures that an IDS can recognize and act on, such as logging the attack, killing connections and shutting down ports on the firewall. One caveat a practitioner will raise: the source addresses in these attacks are usually forged, so the “origin” in the log is often an innocent third party, and an IDS that automatically blocks by source address can itself be turned into a denial-of-service tool by an attacker who forges the address of your partner or customer. An IDS can also recognize behavioral patterns of attack, such as an abnormal rate of connection attempts, even without a signature, and act on that behavior. A sensor placed between the firewall and the Internet sees every attempt, including those the firewall blocks; one placed in the “DMZ” (the location of publicly accessible servers) or on your internal network sees only what got through, which is what you most need to know about, and many installations use both. If the firewall is the security guard who decides who comes and goes, the IDS is the alarm system and camera that tell you when someone is trying to get past the guard.
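To make the difference between signature and behavioral detection concrete, here is an added illustration, not code from the column or from any IDS vendor: a small sensor in Python that runs over a constructed packet trace and flags the three attacks named above. The addresses, the broadcast-address list, the rate threshold and the packet field names are assumptions made for the example; a real sensor reads these values from packet headers on the wire.

```python
from collections import defaultdict

# Broadcast addresses of the networks this sensor protects (assumed for the example).
BROADCAST = {"192.0.2.255"}

def pkt(t, proto, src, dst, sport=0, dport=0, flags="", ip_id=0, frag_off=0, length=0):
    """One captured packet; fields mirror the IP/TCP/ICMP header values an IDS
    inspects. Fragment offsets and lengths are given in bytes to keep it simple."""
    return {"t": t, "proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "ip_id": ip_id,
            "frag_off": frag_off, "length": length}

def detect_smurf(packets):
    """Signature: ICMP echo request aimed at a broadcast address. Every host on
    that network answers the (forged) source, so the source is the victim."""
    return [("smurf", p["src"], p["dst"]) for p in packets
            if p["proto"] == "icmp" and p["dst"] in BROADCAST]

def detect_teardrop(packets):
    """Signature: IP fragments of one datagram whose byte ranges overlap. A correct
    sender never overlaps fragments; Teardrop relied on kernels that mishandled it."""
    seen = defaultdict(list)                       # (src, dst, ip_id) -> [(start, end)]
    alerts = []
    for p in packets:
        if p["proto"] != "ip_frag":
            continue
        start, end = p["frag_off"], p["frag_off"] + p["length"]
        key = (p["src"], p["dst"], p["ip_id"])
        if any(start < e and s < end for s, e in seen[key]):
            alerts.append(("teardrop", p["src"], p["dst"]))
        seen[key].append((start, end))
    return alerts

def detect_syn_flood(packets, window=1.0, threshold=20):
    """Behavioral: more than `threshold` bare SYNs to one destination port within
    `window` seconds. There is no payload signature; the rate is the tell. The
    alert reports how many distinct sources were seen, because a flood with
    forged addresses cannot be stopped by blocking its 'origin'."""
    alerts = []
    syns = defaultdict(list)                       # (dst, dport) -> [(t, src)]
    for p in packets:
        if p["proto"] != "tcp" or p["flags"] != "S":
            continue
        q = syns[(p["dst"], p["dport"])]
        q.append((p["t"], p["src"]))
        while q and q[0][0] < p["t"] - window:     # forget SYNs older than the window
            q.pop(0)
        if len(q) > threshold:
            alerts.append(("syn_flood", p["dst"], p["dport"], len({s for _, s in q})))
            q.clear()                              # the next alert needs a fresh burst
    return alerts

# Constructed trace: normal web traffic, then each attack in turn.
TRACE = []
for i, src in enumerate(["203.0.113.5", "203.0.113.9"]):   # two real clients, full handshakes
    TRACE.append(pkt(0.1 + i, "tcp", src, "192.0.2.10", 40000 + i, 80, "S"))
    TRACE.append(pkt(0.2 + i, "tcp", "192.0.2.10", src, 80, 40000 + i, "SA"))
    TRACE.append(pkt(0.3 + i, "tcp", src, "192.0.2.10", 40000 + i, 80, "A"))
# Smurf: echo request to our broadcast address, source forged as the victim.
TRACE.append(pkt(5.0, "icmp", "198.51.100.7", "192.0.2.255"))
# Teardrop: the second fragment starts inside the first one.
TRACE.append(pkt(6.0, "ip_frag", "198.51.100.8", "192.0.2.10", ip_id=7, frag_off=0, length=36))
TRACE.append(pkt(6.0, "ip_frag", "198.51.100.8", "192.0.2.10", ip_id=7, frag_off=24, length=4))
# SYN flood: 30 SYNs in a third of a second from 30 different (forged) addresses.
for i in range(30):
    TRACE.append(pkt(7.0 + i * 0.01, "tcp", f"198.51.100.{100 + i}", "192.0.2.10", 1024 + i, 80, "S"))

def run_sensor(packets):
    """Run all three detectors and return the combined alert list."""
    return detect_smurf(packets) + detect_teardrop(packets) + detect_syn_flood(packets)

if __name__ == "__main__":
    for alert in run_sensor(TRACE):
        print(alert)
```

Run it and it prints one alert per attack. Note what the SYN flood alert reports: 21 distinct source addresses in a single burst. That is why blocking by origin does not help against a flood with forged sources; the rate of connection attempts to the destination port is the only reliable signal, and the legitimate handshakes earlier in the trace never trip it.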

What is the cost of network downtime if, like most businesses, you are using the Internet for e-mail and web browsing? E-mail is currently used by most businesses as a critical communication medium with customers, partners and suppliers, and downtime can be significant in impact. How much does this economic impact increase if you are doing B2B e-commerce and online purchasing with partners? Or consider the impact if you have a client extranet or if your customers and partners connect to your website for business transactions. These scenarios generally are mulled over to help determine the cost justifications for a solid firewall solution and possibly for an IDS. So, what is the cost? Calculate it.

As we discussed in our first column two months ago, configuration of your firewall and related security systems should be based on the business rules established in your security policy. Your business rules determine who may access particular resources on your network, and your firewall and security systems should enforce those rules. The firewall should also apply more technically specific rules. For example, traffic that no legitimate user would generate, and that exists only to probe or attack your systems, should be blocked outright, and anything your policy does not explicitly permit should be denied by default.

Most firewall products implement these rules as packet filters: ordered lists of rules that allow or drop each packet based on its protocol (TCP, UDP or ICMP) and the source and destination IP address and port. Others start from a business rule base, convert the rules into the necessary filter code and distribute it to the “enforcement points” (firewalls and other gateways). The advantage of this approach is that management is centralized and all enforcement points follow one centrally defined policy; when a rule changes, the change is transmitted to every device that needs it. The market leader in this area is Check Point Software Technologies.
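As an added illustration (not the column’s own material, and not any vendor’s rule syntax), the Python below evaluates a first-match packet filter of the kind just described: an ordered rule base that allows or drops each packet on interface, protocol, addresses and destination port, ending in a default-deny rule. The internal network, the web server address, the interface names and the sample packets are assumptions made for the example.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address range
DMZ_WEB = ipaddress.ip_address("192.0.2.10")       # assumed public web server in the DMZ

def rule(action, iface, proto="any", src="any", dst="any", dport="any", note=""):
    """One filter rule. Any field left at "any" matches everything."""
    return {"action": action, "iface": iface, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "note": note}

# Ordered rule base. The firewall takes the FIRST rule that matches, so order
# is part of the policy; the last rule denies whatever nothing above permitted.
POLICY = [
    # Technical rule: a packet arriving from the Internet must never claim an inside source.
    rule("drop", "outside", src=INTERNAL, note="spoofed internal source"),
    # Business rule: the public web server may be reached from anywhere on HTTP.
    rule("allow", "outside", proto="tcp", dst=DMZ_WEB, dport=80, note="public web"),
    # Technical rule: Windows file sharing is never accepted from the Internet.
    rule("drop", "outside", proto="tcp", dport={135, 139, 445}, note="file sharing"),
    # Business rule: staff may browse the web and send mail out.
    rule("allow", "inside", proto="tcp", src=INTERNAL, dport={25, 80, 443}, note="web/mail out"),
    rule("drop", "any", note="default deny"),
]

def _match(value, spec):
    """Compare one packet field against one rule field."""
    if isinstance(spec, str) and spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in spec
    if isinstance(spec, ipaddress.IPv4Address):
        return ipaddress.ip_address(value) == spec
    if isinstance(spec, set):                      # a set of ports
        return value in spec
    return value == spec

def decide(packet):
    """Return (action, note) from the first rule that matches the packet."""
    for r in POLICY:
        if (_match(packet["iface"], r["iface"]) and _match(packet["proto"], r["proto"])
                and _match(packet["src"], r["src"]) and _match(packet["dst"], r["dst"])
                and _match(packet["dport"], r["dport"])):
            return r["action"], r["note"]
    return "drop", "implicit deny"                 # unreachable with the catch-all above

# Constructed sample packets; "iface" is the firewall interface they arrive on.
PACKETS = [
    {"iface": "outside", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80},
    {"iface": "outside", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 445},
    {"iface": "outside", "proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 80},
    {"iface": "inside", "proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.80", "dport": 443},
    {"iface": "inside", "proto": "udp", "src": "10.1.2.3", "dst": "203.0.113.80", "dport": 53},
]

if __name__ == "__main__":
    for p in PACKETS:
        action, note = decide(p)
        print(f"{p['iface']:7} {p['proto']} {p['src']:>12} -> {p['dst']}:{p['dport']:<4} {action:5} ({note})")
```

Rule order matters: the anti-spoofing rule sits first because the third packet, arriving from the Internet with an inside source address, would otherwise match the “public web” rule and be allowed. The final catch-all is what makes the filter a policy rather than a blacklist: the DNS query in the last packet is dropped not because it is hostile but because nobody has yet written a business rule permitting it, which is exactly the conversation the policy is meant to force.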

Some of the industry-leading firewall vendors include Check Point Software Technologies (FireWall-1), Cisco Systems (PIX), Symantec (Raptor), Network Associates (Gauntlet), WatchGuard Technologies, SonicWALL and NetScreen. Novell and Microsoft are also players in this field. Novell’s BorderManager is a good choice for Novell-centric businesses willing to forgo some advanced features for tight Novell Directory Service (NDS) integration, centralized management and fast performance. Microsoft’s ISA Server is a third-generation product that is steadily gaining market share.

Internet Security Systems is the market leader in intrusion detection systems with its RealSecure and BlackIce products, but other players include Cisco, Symantec (through its acquisition of Axent), NFR Security and Intrusion.Com. All of these products have different strengths, and you should engage a qualified security specialist to determine the capabilities you need and the best match for your environment.

In next month’s column, we will discuss viruses and other hostile content, and measures to protect your network from them.


Neil Rosenberg is president of Quality Technology Solutions, a network integrator in South Orange, N.J., that specializes in Internet security solutions. He holds technical certifications from Novell, Microsoft and others, and is a 17-year industry veteran. He can be reached at nrosenberg@QTSnet.com.
Editor’s Note: This is the third in a series of columns that focus on computer systems security issues and solutions. The intent behind the series is to examine considerations from a business perspective, identify options to improve security, and scrutinize best practices, all in a manner that is understandable to the layperson.


©1997 - 2009 New York State Society of Certified Public Accountants.