
Research Paper: Information Security Technologies

by Benjamin Tomhave November 10, 2004

Prepared for: Professor Dave Carothers, EMSE 218, The George Washington University

This paper or presentation is my own work. Any assistance I received in its preparation is acknowledged within the paper or presentation, in accordance with academic practice. If I used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the sources fully and completely in footnotes and bibliography entries. This includes sources which I have quoted or paraphrased. Furthermore, I certify that this paper or presentation was prepared by me specifically for this class and has not been submitted, in whole or in part, to any other class in this University or elsewhere, or used for any purpose other than satisfying the requirements of this class, except that I am allowed to submit the paper or presentation to a professional publication, peer reviewed journal, or professional conference. In adding my name following the word "Signature", I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature. Signature _____Benjamin L. Tomhave_____

Benjamin L. Tomhave, 12/8/2004


Abstract

The following research paper provides analysis of thirteen (13) information security technology topics, arranged in ten (10) groups, that are either commonly found or emerging within the information security industry. These topics include: Access Control Management, Antivirus, Audit Data Reduction, Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Anomaly Detection Systems (ADS), Event Correlation Systems (ECS), Network Mapping, Password Cracking, Public Key Infrastructure, Virtual Private Network, and Vulnerability Scanning Systems. IDS, IPS, ADS and ECS are grouped together under one common heading (Intrusion Detection and Analysis Systems) due to their commonality and interdependence. This paper provides basic overview information about each technology, but primarily focuses on analyzing each technology within the modern information security and business context, looking at how it meets business needs while addressing Confidentiality, Integrity and Availability as a Countermeasure that Detects, Corrects and/or Protects.


Table of Contents

I. INTRODUCTION AND OVERVIEW OF APPROACH
II. ACCESS CONTROL MANAGEMENT
  A. Business Analysis
  B. Security Analysis
III. ANTIVIRUS
  A. Business Analysis
  B. Security Analysis
IV. AUDIT DATA REDUCTION
  A. Business Analysis
  B. Security Analysis
V. FIREWALLS
  A. Business Analysis
  B. Security Analysis
VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS
  A. Intrusion Detection Systems (IDS)
    1. Business Analysis
    2. Security Analysis
  B. Intrusion Prevention Systems (IPS)
    1. Business Analysis
    2. Security Analysis
  C. Event Correlation Systems (ECS)
    1. Business Analysis
    2. Security Analysis
  D. Anomaly Detection Systems (ADS)
    1. Business Analysis
    2. Security Analysis
VII. NETWORK MAPPING
  A. Business Analysis
  B. Security Analysis
VIII. PASSWORD CRACKING
  A. Business Analysis
  B. Security Analysis
IX. PUBLIC KEY INFRASTRUCTURE
  A. Business Analysis
  B. Security Analysis
X. VIRTUAL PRIVATE NETWORKS
  A. Business Analysis
  B. Security Analysis
XI. VULNERABILITY SCANNING SYSTEMS
  A. Business Analysis
  B. Security Analysis
REFERENCES


I. INTRODUCTION AND OVERVIEW OF APPROACH

This research paper introduces and analyzes ten (10) information security technologies. Each of the following sections focuses on a specific technology and adheres to the following general format:

o Technology Overview: A high-level introduction to the technology.
o Business Analysis: An evaluation of the usefulness, cost, complexity, and utility of the technology in the modern business environment.
o Security Analysis: The security technology is weighed against the tenets of Confidentiality, Integrity and Availability as well as evaluating its role as a countermeasure (detect, correct, protect).

The ten security technologies addressed in this paper are:

1. Access Control Management
2. Antivirus
3. Audit Data Reduction
4. Firewalls
5. Intrusion Detection and Analysis Systems
6. Network Mapping
7. Password Cracking
8. Public Key Infrastructure
9. Virtual Private Networks
10. Vulnerability Scanning Systems

II. ACCESS CONTROL MANAGEMENT

Access control management (ACM) systems pull together identity, authentication and authorization to restrict what resources a user may access and in what manner that access may occur (read, write, execute, modify, etc.). ACM solutions may be based on a number of security models, including Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). A standard ACM provides an interface through which a user will self-identify, followed by a mechanism for challenging and confirming that identity, and then a method for granting rights, or access to information, based on the non-repudiated authentication of the user. Access control is at the heart of information security and is the fundamental premise upon which the industry is based.[1] Without access control management, there would be no method through which to provide security for systems and data.

A. Business Analysis

Access control management systems provide the foundation for information security within the business environment. Their usefulness is extensive, with the primary functions being to classify data systems according to value and allocate protection mechanisms in accordance with the value of the resource. According to Tipton and Krause, "[the] essence of access control is that permissions are assigned to individuals or system objects, which are authorized to access specific resources."[2]

[1] Ben Rothke, Access Control Systems & Methodology (New York: SecurityDocs.com, 2004, accessed 06 November 2004); available from http://www.securitydocs.com/go/69; Internet.

The implementation of ACM systems can range in cost from minor to extreme, depending on the value of the resource being protected. The underlying security model applied also impacts how expensive and complex the solution may be. ACM solutions are perhaps the most important security technology that can be deployed, ahead of all other countermeasures, because of their inherent purpose to control access to data and systems. The utility of ACM systems, however, is limitless under the assumption that a business has resources of value that require protecting.

Discretionary Access Control systems are very common and are generally cost-effective for most environments. Most operating systems today - ranging from Windows to UNIX to Linux and beyond - make use of a DAC model of access control. Mandatory Access Control systems tend to be more complex and costly in performance and maintenance. MAC systems require a much stronger systematic adherence to the precepts of access control and can thus challenge administrative resources and confound access to data as required by the business. Implementation of MAC requires proper foresight and planning to avoid difficulties in the long term; an effort that is often a costly engineering effort frowned upon by the business. Finally, Role-Based Access Control systems are increasing in popularity and are predicted to save companies millions of dollars in the coming years.[3]

[2] Harold F. Tipton and Micki Krause, Information Security Management Handbook, 4th Edition (Boca Raton: Auerbach, 2000), p1.

B. Security Analysis

An access control management system has the potential for impacting all three tenets of information security (Confidentiality, Integrity and Availability). The primary role of an ACM solution is to protect the confidentiality of a resource by restricting access to the resource. Additionally, an ACM solution will control the attributes of the access, such as read, write and execute. For example, in the case of a data file, an ACM system may grant a user read access, but deny access to write or modify the data within the file.

Under a DAC model, access controls are managed directly by the resource owner. In a MAC model, the system dictates what level of access may be granted to a resource. Finally, RBAC assigns access based on the rights of a group (or role) within the system. All users who share a given role have the same access. This approach contrasts with DAC, where each user may have a unique set of rights. MAC is similar to RBAC in terms of using a role-based approach based on labeling. However, the inner operations of a MAC vary distinctly from an RBAC; discussion of which exceeds the scope of this document.
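The three models just described, as an added example that is not from the paper: a small policy evaluator in which the same requests are decided under DAC (an owner-managed permission list), MAC (system-enforced labels; the paper does not detail the label rule, so the Bell-LaPadula "no read up, no write down" rule is assumed here) and RBAC (rights attached to roles, users assigned to roles). All subjects, objects, labels and roles are constructed for illustration.

```python
"""DAC, MAC and RBAC side by side. Added example; every subject, object,
label and role below is constructed, not taken from the paper."""
from dataclasses import dataclass, field


# ---- DAC: the object's owner decides who else gets which rights -------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights

    def grant(self, actor: str, subject: str, rights: set) -> None:
        """Only the owner may change the permission list (discretionary)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject: str, right: str) -> bool:
        return subject == self.owner or right in self.acl.get(subject, set())


# ---- MAC: the system compares clearance with classification -----------------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(clearance: str, classification: str, right: str) -> bool:
    """Assumed label rule (Bell-LaPadula): read at or below your clearance,
    write at or above it. The owner of the object has no say."""
    s, o = LEVELS[clearance], LEVELS[classification]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    raise ValueError(f"unknown right {right!r}")


# ---- RBAC: permissions hang off roles, users are assigned to roles ----------
class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict = {}   # role -> {(object, right)}
        self.user_roles: dict = {}   # user -> {role}

    def add_permission(self, role: str, obj: str, right: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, right))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user: str, obj: str, right: str) -> bool:
        return any((obj, right) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo() -> dict:
    results = {}
    # DAC: alice owns the file and grants bob read-only; bob cannot grant himself more.
    f = DacObject(owner="alice")
    f.grant("alice", "bob", {"read"})
    results["dac_bob_read"] = f.allows("bob", "read")
    results["dac_bob_write"] = f.allows("bob", "write")
    try:
        f.grant("bob", "bob", {"write"})
        results["dac_bob_self_grant"] = True
    except PermissionError:
        results["dac_bob_self_grant"] = False

    # MAC: a 'confidential' subject may read 'internal', may not read 'secret',
    # and may not write down to 'public' however much anyone wants it to.
    results["mac_read_down"] = mac_allows("confidential", "internal", "read")
    results["mac_read_up"] = mac_allows("confidential", "secret", "read")
    results["mac_write_down"] = mac_allows("confidential", "public", "write")

    # RBAC: everyone holding the same role has exactly the same rights.
    r = Rbac()
    r.add_permission("payroll_clerk", "payroll.db", "read")
    r.assign("carol", "payroll_clerk")
    r.assign("dave", "payroll_clerk")
    results["rbac_carol"] = r.allows("carol", "payroll.db", "read")
    results["rbac_dave"] = r.allows("dave", "payroll.db", "read")
    results["rbac_dave_write"] = r.allows("dave", "payroll.db", "write")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The point the paper makes about RBAC shows up in the last three results: adding or removing a right on the role changes what carol and dave can do at once, whereas under DAC each object's owner would have to update each user separately, and under MAC no owner can grant anything the labels forbid.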

Access control management systems hinge on the proper identification of subjects trying to access objects. The process of positively identifying a subject is called authentication.

[3] National Institute of Standards and Technology, NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program (Washington: NIST, 2002, accessed 12 October 2004); available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.

The authentication process usually occurs when a subject self-identifies and then responds to a systematic challenge of the identity. This challenge is based on what you know, what you have or who you are. A password is an example of something that you may know, and is currently the most common method of proving identity. A token is an example of something that you have, and biometrics is an example of who you are. Biometrics is a method of identification based on the physical characteristics of a human being, such as a fingerprint, iris scan or retinal scan. Biometrics, though holding significant promise as part of an access control management system, also has significant drawbacks, such as acceptability to users, reliability and resistance to counterfeiting.[4]

The future of access control management systems appears to be in the direction of multi-factor authentication, oftentimes making use of passwords in combination with tokens or biometrics. Beyond the current trend, it seems likely that passwords will eventually be rendered completely obsolete in favor of some form of token or biometric becoming the first, if not only, form of authentication. Specifically, use of numeric or data tokens is on the increase and projected to continue gaining in popularity and acceptance. Major international Internet Service Provider America Online has recently announced the availability of numeric tokens for users as a second factor for authentication. Additionally, as public key infrastructure solutions (see Section IX below) mature and gain in prevalence, the use of data tokens will increase in importance. For example, a bank will be able to issue a USB-based data token to a customer. On the data token will be the customer's unique identifier in the form of a digital certificate. This certificate will be managed through a central Certificate Authority and will be used both for authentication and for encrypting and digitally signing communication and transactions.

[4] Donald R. Richards, "Biometric Identification," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki Krause (Boca Raton: Auerbach, 2000), p9.
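Two-factor verification of the kind described above (something you know plus a numeric token), as an added example that is not from the paper and not America Online's implementation: the password is checked against a salted, iterated hash rather than a stored password, and the token code against the HMAC-based one-time password construction of RFC 4226 (HOTP), which is assumed here as the algorithm the numeric token runs. The user record is constructed; the token secret is the RFC 4226 test-vector secret so the first code it produces can be checked against the RFC.

```python
"""Password + numeric-token (HOTP, RFC 4226) verification. Added example;
the user record and token secret are constructed, not from the paper."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ROUNDS = 100_000   # PBKDF2 iterations: slows offline guessing of a leaked hash


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store (salt, PBKDF2-HMAC-SHA256 digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenState:
    """Server-side view of one user's token: shared secret plus the next
    counter value it will accept."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5) -> None:
        self.secret, self.counter, self.window = secret, counter, window

    def verify_code(self, code: str) -> bool:
        # Look ahead a few counters (button presses that never reached the
        # server), then move past the matched counter so the code cannot be replayed.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def authenticate(user: dict, password: str, code: str) -> bool:
    """Both factors must pass. The password is checked first so that a bad
    password does not consume a valid token counter."""
    if not verify_password(password, user["salt"], user["digest"]):
        return False
    return user["token"].verify_code(code)


def demo() -> dict:
    pw = "correct horse battery staple"
    salt, digest = hash_password(pw)
    secret = b"12345678901234567890"   # RFC 4226 Appendix D test secret
    user = {"salt": salt, "digest": digest, "token": TokenState(secret)}
    first = hotp(secret, 0)            # what the token displays first
    return {
        "first_code": first,                                    # "755224" per RFC 4226
        "good": authenticate(user, pw, first),
        "replay": authenticate(user, pw, first),                # same code again: rejected
        "wrong_pw": authenticate(user, "wrong", hotp(secret, 1)),
        "next_ok": authenticate(user, pw, hotp(secret, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

The replay result is the part worth noticing: a captured one-time code is useless a second time, which is the property that makes the token a stronger "something you have" than a static password.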

Thus, access control management will not only continue its central role within information security, but it will also grow in scope, adding more extensive capabilities for positively impacting confidentiality and integrity. Additionally, besides protecting resources, it may also include extended capabilities that will allow for easier detection of attacks and possibly even automatic methods for correcting violations of integrity.

III. ANTIVIRUS

The first computer virus credited with being found "in the wild" is believed to be a program called "Elk Cloner" that targeted Apple DOS 3.3.[5] The term "virus" may actually have originated in the 1970s in science fiction literature[6], though as a concept it has likely been around since the 1960s. Traditionally, "[a] virus is simply a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed."[7] In the modern context, this traditional form of malicious code, or malware, is less common. Instead, it is far more common to see variations on this original theme in the form of "worms" and "Trojan horses" that infect a computer system either through direct execution or through some form of network-based replication method. Today's hybrid malware programs typically replicate through worm-like behaviour that preys on vulnerabilities in operating systems or through social engineering attacks, and then set up backdoors via the Trojan horse mechanism. This backdoor can then allow the attacker to remotely access and control an infected system, allowing for the perpetration of other illicit activities, such as sending SPAM or using the compromised system as a proxy, or relay, through which remote access can be gained to otherwise-protected resources.

[5] Wikipedia, Computer virus (St. Petersburg: Wikipedia, 2004, accessed 06 November 2004); available from http://en.wikipedia.org/wiki/Computer_virus; Internet.
[6] Ibid.
[7] Bob Kanish, An Overview of Computer Viruses and Antivirus Software (Unknown: Kanish, 1996, accessed 12 October 2004); available from http://www.hicom.net/~oedipus/virus32.html; Internet.

Antivirus software has been around for at least the past 10-15 years, though no references were found that indicated a specific date when such programs were first made available. Antivirus software was developed to detect the presence, and eventually the attempted infection, of a system by malware. There are generally two types of antivirus scanning software: signature-based and heuristic. Signature-based scanning relies on a database of known malware signatures. It must be updated on a regular basis in order to ensure a current database of known malware. According to eBCVG, an IT Security company, a heuristic scanner "looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection."[8] The downside to heuristic scanners is that they often generate results that misidentify software as being malware (a.k.a. "false positives").

[8] eBCVG IT Security, Heuristic Scanning - Where to next? (Tel-Aviv: eBCVG, 2004, accessed 12 October 2004); available from http://www.ebcvg.com/articles.php?id=264; Internet.

The most popular operating system, in terms of pure numbers, is Microsoft Windows. As such, it is also the most targeted platform by malware. There are several companies who provide AV software for Windows. There are also versions of AV software for other platforms, like Mac OS, UNIX and Linux. However, there are very few cases of malware for those platforms, due in part to their distinct differences from Windows.
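The two scanning approaches described above, as an added example rather than any product's code: a signature scanner that matches exact byte patterns, and a heuristic scanner that looks at file traits (a high-entropy executable body, suspicious embedded strings). The only real signature entry is the EICAR test string, which antivirus products detect by convention and which is harmless; the other sample "files" are constructed here. The samples are chosen to show both failure modes the paper names: a one-byte variant that slips past the signature, and a legitimately packed installer that the heuristic flags (a false positive).

```python
"""Signature-based vs heuristic scanning. Added example; the signature table
holds only the EICAR test string and every sample file is constructed."""
import hashlib
import math

# --- Signature scanning: exact byte patterns of known malware ----------------
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}


def signature_scan(data: bytes) -> list:
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# --- Heuristic scanning: traits common in malware but not unique to it -------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted code sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"cmd.exe /c"]


def heuristic_scan(data: bytes, entropy_threshold: float = 7.2) -> list:
    reasons = []
    if data[:2] == b"MZ" and shannon_entropy(data) > entropy_threshold:
        reasons.append("packed or encrypted executable")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            reasons.append(f"suspicious API/string: {s.decode()}")
    return reasons


def verdict(data: bytes) -> dict:
    sigs, heur = signature_scan(data), heuristic_scan(data)
    return {"signature": sigs, "heuristic": heur, "flagged": bool(sigs or heur)}


def _prng_bytes(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy bytes standing in for a packed program body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample files (names and contents are illustrative).
SAMPLES = {
    "eicar.com": SIGNATURES["EICAR-Test-File"],
    # One byte changed: the signature no longer matches, nothing else looks odd.
    "eicar_variant.com": SIGNATURES["EICAR-Test-File"].replace(b"STANDARD", b"STANDARX"),
    "readme.txt": b"Quarterly figures attached. Regards, Finance.",
    # A legitimately packed installer: no signature, but the heuristic fires.
    "installer.exe": b"MZ" + _prng_bytes(4096),
    "cleanup.bat": b"@echo off\r\ncmd.exe /c del /q %TEMP%\\*.tmp\r\n",
}


def scan_all() -> dict:
    return {name: verdict(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:20s} {result}")
```

eicar_variant.com is the zero-day case from the security analysis below: until a signature for the variant ships, only behaviour or traits can catch it, and installer.exe shows the price of leaning on traits.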

A. Business Analysis

In the modern age of computing, antivirus (AV) software is very inexpensive, very common, generally easy to deploy, and oftentimes relatively easy to maintain (easier than patching operating systems and applications, but still more challenging than being fully self-contained). Furthermore, the prevalence and availability of antivirus as a very basic countermeasure is such that a legal argument could be successfully made that the failure of a business to implement AV software throughout the organization could be deemed an act of negligence. As such, the utility and usefulness of AV software is very obvious, both from the standpoint of minimizing the threat of malware and from limiting legal liability resulting from a malware infection.

AV software itself is generally not complex. Most AV packages rely primarily on signature-based scanning with minor heuristic scanning capabilities integrated. The software is usually simple to install and is configured by default to automatically update the underlying scanning engine and the signature database on a regular basis from the Internet.

B. Security Analysis

Whereas businesses are expected to install and maintain antivirus software on most, if not all, systems as a matter of limiting legal liability, the effectiveness of AV software diminishes each day. The AV industry has generally reached a plateau in the last five years and has not made any major advances in the ability to detect and prevent malware infection. Furthermore, the growth in popularity of the Internet has caused the computing world to become highly interconnected, leading to the development of so-called "zero-day exploits." These exploits correspond to vulnerabilities that are released on the same day in which the exploit itself is released. In the worst-case scenario, a major organization like Microsoft will announce the presence of a vulnerability in their popular Windows operating system mid-day, and by that evening a worm will be circulating on the Internet that is actively looking for vulnerable systems and attempting to infect them through this new vulnerability. Sadly, such events have happened in recent history, and oftentimes before a patch is even available to fix the vulnerability and before AV signatures have been developed and released.

The purpose of AV is to detect, protect and correct. Specifically, antivirus software is designed to detect malware infections, but it is also able to protect against an active infection attempt, and it is also often able to correct by disinfecting a system, depending on the characteristics of the malware. From the standpoint of Confidentiality, Integrity and Availability, AV software primarily addresses Integrity. The goal of AV software is to protect the Integrity of the operating system, application or data. Additionally, it has a secondary benefit of ensuring the availability of an object by detecting, protecting or correcting malware infections. Confidentiality may also be protected indirectly for malware that may cause data to be sent out randomly, such as Word documents as attachments, forwarding emails, etc.


IV. AUDIT DATA REDUCTION[9]

Audit Data Reduction is an emerging field of study in information security. The Audit Data Reduction Group, part of the COAST Laboratory at Purdue University in the Center for Education and Research in Information Assurance and Security (CERIAS), appears to be a leader in innovative research and thinking on the subject. The problem being addressed relates to the amount of audit data created, out of necessity, by critical systems. These critical systems often generate copious amounts of audit logs, which are often difficult to pore through for signs of malfeasance. The goals of audit data reduction systems are to contribute to misuse and anomaly detection. These types of systems are discussed further in Section VI.

A. Business Analysis

Audit data reduction (ADR) will increasingly become a useful and necessary part of the information security solution toolset. Businesses are increasingly inundated with audit logs generated by all critical systems. The advent of federal regulations that require thorough logging, such as within "financially significant systems," will further contribute to this trend. As a result, in order to maximize the value of these audit logs with an eye toward reducing risk to the overall business, it will become increasingly necessary to condense these raw logs into a more useful format.

[9] Purdue University, CERIAS: Audit Trail Reduction Group (West Lafayette: CERIAS, undated, accessed 12 October 2004); available from http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.php?output=printable; Internet.

Today, audit data reduction systems are still early in academic and commercial development. Solutions tend to be relatively complex and costly. However, it seems very likely that these systems will improve over time and decrease in complexity. In the end, we will likely see large audit data repositories built, based on data warehousing concepts that then leverage data mining techniques for reporting and analysis. These data feeds will then be pumped into systems that establish a baseline for performance and have built-in artificial intelligence that can detect anomalous behaviour indicative of an instance of misuse or abuse, flagging and escalating the event accordingly.

B. Security Analysis

The purpose of an audit data reduction system is to reduce the overall cost and complexity associated with combining audit logs into one location and interface. These systems may have direct or indirect impact on the Confidentiality, Integrity or Availability of data or systems, depending on the source of the logs and the type of misuse or abuse detected. In general, ADR systems are a countermeasure designed to better detect instances of misuse or abuse. As the systems mature and further integrate with intrusion detection and analysis systems, the capability will also emerge to take protective and corrective actions. For example, intrusion detection and prevention systems (as will be discussed below) already have the capability to react dynamically and in real-time to detected threats. Using audit data reduction systems to accurately detect misuse or abuse in real-time holds the promise of integrating with these active response systems and thus extending their countermeasure capabilities.
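What "condensing raw logs into a more useful format" and then detecting misuse over the result looks like in practice, as an added example that is not from the paper or from the CERIAS project it cites: a batch of constructed authentication log lines (the format mimics OpenSSH's syslog output; the hosts, users and addresses are made up) is parsed, collapsed into one record per (host, source, user, outcome) with counts and time bounds, and two illustrative misuse rules are then run over the reduced records instead of the raw lines.

```python
"""Audit data reduction over constructed sshd-style log lines. Added example;
the log lines, hosts, users, addresses and rules are all illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real log data).
RAW_LOG = """\
Nov 10 03:12:01 web01 sshd[4412]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 10 03:12:03 web01 sshd[4412]: Failed password for root from 198.51.100.7 port 51023 ssh2
Nov 10 03:12:05 web01 sshd[4412]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Nov 10 03:12:08 web01 sshd[4412]: Failed password for admin from 198.51.100.7 port 51025 ssh2
Nov 10 03:12:11 web01 sshd[4412]: Accepted password for admin from 198.51.100.7 port 51026 ssh2
Nov 10 03:15:40 web01 sshd[4470]: Accepted publickey for deploy from 10.0.0.5 port 40122 ssh2
Nov 10 03:16:02 db01 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 40130 ssh2
Nov 10 03:20:00 db01 sshd[2231]: Failed password for postgres from 10.0.0.9 port 33211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(raw: str, year: int = 2004) -> list:
    """Turn each raw line into a structured event; syslog omits the year."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # a real pipeline would count unparsed lines rather than drop them silently
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def reduce_events(events: list) -> list:
    """Collapse repeated (host, src, user, outcome) tuples into one record each."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev["src"], ev["user"], ev["outcome"])].append(ev)
    reduced = []
    for (host, src, user, outcome), evs in groups.items():
        reduced.append({
            "host": host, "src": src, "user": user, "outcome": outcome,
            "count": len(evs),
            "first": min(e["ts"] for e in evs),
            "last": max(e["ts"] for e in evs),
        })
    return reduced


def flag_misuse(reduced: list, fail_threshold: int = 3) -> list:
    """Illustrative misuse rules evaluated on the reduced records."""
    findings = []
    failures = defaultdict(int)
    for r in reduced:
        if r["outcome"] == "Failed":
            failures[(r["host"], r["src"])] += r["count"]
    for (host, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{src} -> {host}: {n} failed logins (possible brute force)")
    for r in reduced:
        if r["outcome"] == "Accepted" and failures.get((r["host"], r["src"]), 0) >= fail_threshold:
            findings.append(f"{r['src']} -> {r['host']}: success as {r['user']} after repeated failures")
    return findings


def run(raw: str = RAW_LOG) -> dict:
    events = parse(raw)
    reduced = reduce_events(events)
    return {"raw_lines": len(events), "reduced_records": len(reduced),
            "findings": flag_misuse(reduced)}


if __name__ == "__main__":
    result = run()
    print(f"{result['raw_lines']} lines -> {result['reduced_records']} records")
    for f in result["findings"]:
        print("  ", f)
```

Eight lines become six records here; on a production host the ratio is far larger, and the second rule (a success following a burst of failures from the same source) is only cheap to express because the reduction already carries the per-source failure count.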


V. FIREWALLS[10][11][12][13][14]

A firewall is defined as a "component or set of components that restricts access between a protected network and the Internet, or between other sets of networks."[15] Firewalls are network security resources that are designed to control the flow of data between two or more networks. From a high-level perspective, they can serve as a choke-point, designed to restrict, or choke, the flow of network traffic, or as a gateway that performs further processing on the traffic beyond simple choking restrictions. According to Zwicky, et al, firewalls can generally be placed into two categories: Packet Filters or Proxies. Per discussion in EMSE 218, these categories can be broadened to include circuit-level gateways and stateful inspection devices. Blanding[16] adds a third category of hybrid or complex gateways to Zwicky's initial pair.

In reality, the Blanding definition is probably the most correct in that firewalls either perform as a packet filter, a proxy, or as some combination of the two. Other types of firewall simply expand upon those original base types. For example, most proxies today have additional capabilities to perform content management at the application level, detecting inappropriate or unacceptable content, such as through a web or mail session.

[10] Manu, Firewall Basics (Unknown: SecurityDocs.com, 2004, accessed 06 November 2004); available from http://www.securitydocs.com/library/2413; Internet.
[11] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000).
[12] Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996).
[13] Lecture notes from EMSE 218, taken 20 October 2004.
[14] Purdue University, Firewalls (West Lafayette: CERIAS, undated, accessed 12 October 2004); available from http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/; Internet.
[15] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p102.
[16] Steven F. Blanding, "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki Krause (Boca Raton: Auerbach, 2000), p59-61.


Also, many firewalls provide capabilities like Network Address Translation (NAT) that provide a logical separation between networks by changing the underlying numbering scheme (IP addressing). NAT is an important feature because it allows organizations to interconnect their resources internally using IP address space that is reserved for internal use by RFC 1918. This reserved space is not routable on the Internet, and thus is not directly accessible to attackers outside the firewall performing the NAT.

A survey of various vendor web sites, such as Cisco, Checkpoint, NetScreen, CyberGuard, BlueCoat and Secure Computing, reflects the reality that most firewalls are now hybrids. This notion is further reinforced when reading through the Firewall Criteria v4.1[17] for ICSA Labs' Firewall Certification program. No firewall can receive a certification today without being aware of state, thus making it a stateful inspection firewall. However, basic firewalls, like those sold by Cisco, Checkpoint and NetScreen, are essentially just packet filtering, with the additional capabilities of tracking the state of a network session. Checkpoint extends this base design further by also providing some application-specific proxy components. CyberGuard, BlueCoat and Secure Computing, on the other hand, produce firewalls that are primarily proxies. Again, however, because of their adherence to the ICSA criteria, they also are aware of state, at least to some degree, and thus are able to perform basic packet filtering functions, too. Therefore, today, it is probably safe to say that there is only one kind of firewall, and that is a hybrid or complex gateway.

[17] http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.1.shtml
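Why "being aware of state" matters, as an added example that is not from the paper and not any vendor's implementation: a stateless packet filter and a stateful one are run over the same constructed packet sequence, with one rule (inbound to the web server on port 80 is allowed, nothing else inbound). The stateless filter has to pass return traffic for connections the inside opened, and the only header evidence it has is the ACK bit, so it also passes an unsolicited ACK probe; the stateful filter remembers which connections the inside actually started. The RFC 1918 membership check from the NAT paragraph is included. Addresses, rules and packets are constructed.

```python
"""Stateless vs stateful packet filtering, plus an RFC 1918 check. Added
example; addresses, rule set and packet sequence are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


INSIDE = ipaddress.ip_network("10.1.0.0/16")          # the protected network
ALLOWED_INBOUND = {("10.1.0.80", 80)}                   # public web server


def is_inbound(pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.dst) in INSIDE
            and ipaddress.ip_address(pkt.src) not in INSIDE)


def stateless_allow(pkt: Packet) -> bool:
    """Decides on this packet's header alone. To let replies to inside-initiated
    connections back in it must accept anything with ACK set (the classic
    'established' rule), so an unsolicited ACK to any port also gets through."""
    if not is_inbound(pkt):
        return True
    if (pkt.dst, pkt.dport) in ALLOWED_INBOUND:
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Keeps a connection table so that only replies to connections it has
    seen start are accepted; inbound connection starts must match a rule."""

    def __init__(self) -> None:
        self.table = set()   # (src, sport, dst, dport) of tracked connections

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            if "RST" in pkt.flags:           # connection torn down: forget it
                self.table.discard(key)
                self.table.discard(reverse)
            return True
        starts_connection = pkt.flags == frozenset({"SYN"})
        if starts_connection and (not is_inbound(pkt) or (pkt.dst, pkt.dport) in ALLOWED_INBOUND):
            self.table.add(key)
            return True
        return False                         # unsolicited, or not a proper connection start


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """Private address space per RFC 1918; not routed on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def demo() -> dict:
    sf = StatefulFilter()
    out_syn = Packet("10.1.0.25", 40000, "203.0.113.9", 443, frozenset({"SYN"}))       # inside opens HTTPS
    ret_synack = Packet("203.0.113.9", 443, "10.1.0.25", 40000, frozenset({"SYN", "ACK"}))  # legitimate reply
    probe_ack = Packet("203.0.113.9", 443, "10.1.0.25", 22, frozenset({"ACK"}))        # nobody asked for this
    web_syn = Packet("203.0.113.9", 51000, "10.1.0.80", 80, frozenset({"SYN"}))        # allowed by rule
    sequence = (out_syn, ret_synack, probe_ack, web_syn)
    return {
        "stateless": [stateless_allow(p) for p in sequence],
        "stateful": [sf.allow(p) for p in sequence],
        "rfc1918": {a: is_rfc1918(a) for a in ("10.1.0.25", "172.16.5.5", "192.168.1.1", "203.0.113.9")},
    }


if __name__ == "__main__":
    print(demo())
```

The third packet is the whole difference: the stateless filter passes it (ACK set, so it looks like a reply), which is how ACK scans map ports behind a simple filter, while the stateful filter rejects it because no connection to 10.1.0.25:22 exists in its table. A real stateful device also ages entries out and tracks sequence numbers; that is left out here.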


A. Business Analysis

The cost of a firewall today is minimal, and is greatly outweighed by the vast utility it serves. Firewalls need not be expensive solutions, but can be based on generic computer components that make use of free, open-source operating systems and software. Furthermore, these simple solutions do not require extensive and expensive hardware, but can oftentimes simply include a processor, memory and a storage device (like a CD-ROM). If the security requirements for an environment are stricter, then there are also many commercially viable solutions that range in price and capability. Several vendors sell firewalls of varying types that can handle a variety of network security needs. Whether those needs be for application proxies, or redundant packet filtering with automatic failover and recovery capabilities, or web proxies with content management capabilities to protect end-users against the hazards of unsafe web browsing, the only limitation today is in the size of the budget.

B. Security Analysis

"Firewalls are powerful tools, but they should never be used instead of other security measures. They should only be used in addition to such measures."[18] The primary role of a firewall, in the traditional sense, is to protect against unauthorized access of resources via the network as part of a "defense in depth" solution. This role serves to ensure the integrity of data and systems while also limiting the availability of those resources to malfeasants. Despite all the advances in firewall technology over the past 20 years, the fundamental role of the firewall has not changed. What has changed is the ability to integrate firewalls with other technologies, such as intrusion detection and analysis systems. Such integration can lead to providing an active response capability that blocks access to detected attackers in a real-time manner. Furthermore, in addition to serving in a protecting role, the audit and activity logs produced by a firewall can be used for detecting attacks, which can in turn result in the initiation of corrective actions, as has already been mentioned.

[18] Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 2nd Edition (Cambridge: O'Reilly, 1996), p637.

Firewalls, today, serve as a basic building block within security infrastructures. At the same time, as quoted above, they are not the "silver bullet" of information security. Implementation of a firewall is no guarantee of security and should be combined with the other security technologies described within this paper.

VI. INTRUSION DETECTION AND ANALYSIS SYSTEMS

The concept of intrusion detection has been around since 1980.[19] In its most essential form, intrusion detection is designed to detect misuse or abuse of network or system resources and report that occurrence. This detection occurs as a result of identifying behaviour based on anomalies or signatures. The most common form of intrusion detection system (IDS) today relies on signature-based detection.

The security industry has greatly expanded intrusion detection over the past years to incorporate several advanced concepts. Beyond basic detection and alerting, most systems today bill themselves as having "intrusion prevention" capabilities, otherwise known as active response. The concept of intrusion prevention is that an activity can be detected reliably and then stopped, either at the host or network level, by the detecting system. From the network perspective, this response could be as simple as detecting an abusive TCP-based network connection and issuing a TCP Reset (RST) packet to both the source and destination hosts, forging the IP header information to impersonate each side.

[19] Paul Innella, The Evolution of Intrusion Detection Systems (Unknown: SecurityFocus.com, 2001, accessed 12 October 2004); available from http://www.securityfocus.com/infocus/1514; Internet.

Additionally, significant advances have been made in the areas of event correlation and anomaly detection. Event correlation is an approach wherein multiple alerts that may appear disparate are able to be linked together based on common criteria, such as time or method or target, and result in an escalated alert, if not a coordinated automatic response. Anomaly detection is similar to event correlation, though its primary role is to scientifically determine a baseline for performance, such as across a network or group of hosts, and then generate alerts when performance deviates significantly from that baseline.

The following sections discuss each of these technologies, providing an overview and then a respective business and security analysis.

A. Intrusion Detection Systems (IDS)[20]

Intrusion detection systems are typically classified according to their primary method of detection: network-based, host-based, hybrid, or network-node. Network-based detection captures packets directly off the network, while host-based detection resides on a host and captures data as it flows into and out of that host. Hybrid systems aggregate the capabilities of network-based and host-based systems whereas network-node systems try to function like a network-based system while residing on a host.

[20] Paul Innella, The Evolution of Intrusion Detection Systems (Unknown: SecurityFocus.com, 2001, accessed 12 October 2004); available from http://www.securityfocus.com/infocus/1514; Internet.

Today, IDS has begun to mature to the point where most systems can be operated as a hybrid, if the business desires. The main approach used, such as through the open-source product Snort, is to conduct network- and/or host-based scanning using a signature set and then aggregate alerts to a single host for management of those alerts. More advanced systems have additional capabilities, as will be discussed in the following sections, such as intrusion prevention, anomaly detection, and event correlation.

Intrusion detection systems, as a whole, have a couple of key limitations. First, they are typically limited in the same way that antivirus is limited, in that successful detection is based on having a good signature that matches known bad traffic. With network detection, this signature limitation is particularly challenging because too literal a string can result in a detection failure. Furthermore, IDS are limited by how much network traffic they can process in a given period of time. For example, most IDS today will claim to be able to monitor 1 Gbps of traffic in real-time, though actual testing, such as in the IDS Lab at ICSA Labs, has proven that these products are actually often performing at much less than 1 Gbps. Even worse, backbone network providers are often running at much higher speeds than 1 Gbps, such as over OC-48 or OC-192 networks, which are 2.488 Gbps and 9.952 Gbps, respectively. This means that the needs and expectations for performance and throughput are very high and are not reasonably being met by commercial products.

In addition to being limited by signatures and performance, most IDS also include management concerns with respect to the number of signatures being managed and the number of alerts being generated. Frustrations arising from these many limitations have led to advances in management of the base IDS, and will be discussed in the Anomaly Detection Systems and Event Correlation Systems sections below.

1. Business Analysis

Intrusion detection systems are still maturing as a product. Advances in event correlation, anomaly detection and active response have made their use much more appealing. However, the cost of deployment and management is still almost at a break-even point with the benefits derived. Networks that are particularly mature and clean have a much greater likelihood of reaping large benefits from an enhanced IDS deployment, whereas networks that are not well-designed and that are poorly managed will have a very difficult time tuning signatures to their environment and establishing performance baselines.

Quality IDS software is free through open-source initiatives such as Snort. Thanks to Snort, all a company really needs is a reasonably sized PC with one or more high-speed network cards and the know-how to install and manage the product on a compatible operating system, which may also be free. However, the open-source management tools that are available for use with Snort, such as ACID and SnortCenter, leave much to be desired and often force companies toward commercial solutions.

Most commercial solutions still tend to be rather expensive and require considerable training. One interesting development is the integration of intrusion detection solutions with firewall products, such as has been done by Cisco, Checkpoint and NetScreen. As will be discussed in the following section on intrusion prevention systems (IPS), this advance has allowed IDS to evolve to include active response capabilities, particularly from the network perspective.

Overall, IDS has value for most organizations that have their network in good working order. However, understaffed and poorly architected environments will likely see IDS as an unacceptable hassle and cost. For those organizations, there are alternative solutions. Several security companies are in the market providing outsourced installation, maintenance and monitoring of IDS solutions. These "managed security solutions" providers may be beneficial for organizations that want the benefits of an IDS, even in a limited capacity, but that cannot afford to implement and manage the IDS themselves.

2. Security Analysis

The original role of IDS was to detect threats on networks and hosts. This role has evolved to include active response capabilities that allow it to protect resources and correct misuse or abuse on networks or hosts. IDS can today serve in a role that impacts Confidentiality, Integrity and Availability, depending on the signature set deployed, the effectiveness of alert management, and whether or not an active response capability exists.

B. Intrusion Prevention Systems (IPS)[21]

Intrusion prevention systems, or IPS, are often defined as "any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful."[22] IPS have grown from a desire to combine the deep-inspection capabilities of IDS with the blocking capabilities of firewalls. These blocking capabilities, often referred to as active response, allow the detection of a policy violation to be translated in real-time into a policy-based action designed to impede or stop the violation.

There are a few variations on IPS, but the most common is the inline network-based system. Another variation of IPS are the so-called "Layer 7 switches" that have matured to include DoS and DDoS detection and mitigation based on an awareness of traffic at the application layer of the OSI model. Also, host-based application firewalls have been integrated with IDS capabilities to allow for application-specific active response capabilities based on a general policy instead of a signature set. Hybrid switch solutions are network-based, but operate similar to the application firewalls.

All of these types of IPS have two things in common: they generate an alert, based either on a signature or a policy, and they initiate a response, as has been programmed into the system. These alerts may occur as the result of a signature match or a violation of a security policy set up specifically for an application, and the response may range from choking the flow of traffic to terminating or blocking the offending traffic altogether.

[21] Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003, accessed 12 October 2004); available from http://www.securityfocus.com/infocus/1670; Internet.

[22] Neil Desai, Intrusion Prevention Systems: the Next Step in the Evolution of IDS (Unknown: SecurityFocus.com, 2003, accessed 12 October 2004); available from http://www.securityfocus.com/infocus/1670; Internet.

There are a couple of key limitations to IPS, as exist for IDS. Those limitations include accurate detection, the ability to handle the full throughput of a network, and the ability to generate the response correctly and in a timely manner. The throughput issue has been discussed above. The matter of accuracy becomes increasingly important when discussing an active, automated response to a detected event. If proper and allowed traffic is incorrectly detected by a signature or as a policy violation, that traffic may be inappropriately subjected to the active response. In particular, known good traffic may be terminated or blocked, resulting in a negative impact to the business. As for generating the response correctly in a timely manner, this limitation pertains to the ability of the IPS to not only detect correctly, but to select the correct response based on a policy, and then be able to issue that response while the offense is still occurring. Choosing the proper response can become challenging when dealing with automated escalations.

1. Business Analysis

Most IDS systems today include some manner of IPS capabilities. Given a well-defined set of signatures or policies, it makes sense to deploy an IDS with IPS capabilities, particularly on the perimeter of your network, and in front of highly valuable assets. The cost of these systems is comparable to that discussed above in the IDS Business Analysis (VI.A.1). Ultimately, successful deployment and return on investment will relate directly to how well the network is architected, how well the solution is managed, and how much thought has gone into the overall security management of the organization.

2. Security Analysis

IPS expands the basic detection capabilities of IDS to include definite corrective capabilities. These corrective capabilities have the related benefit of protecting resources based on security policies. These capabilities work together to protect the Confidentiality, Integrity and Availability of systems and data.

C. Event Correlation Systems (ECS)[23]

Event Correlation Systems build on the successes of Intrusion Detection Systems by providing a better mechanism for aggregating, managing and correlating IDS events, such as are generated through signature detections or policy violations. ECS goes beyond simply pulling together event logs from IDS, however. ECS allows for the aggregation of log data from multiple sources, including firewalls, hosts, applications, and of course IDS. Most ECS solutions serve a dual role as a data warehouse for logs and by providing a data mining interface (manual and automated) to make use of the data stored in the warehouse.

The primary benefit of the Event Correlation System is in its ability to correlate events from multiple systems and generate smart alerts, along with the capability to escalate alerts, based on that correlation. Event Correlation Systems are usually comprised of several key activities: Compression, Counting, Suppression, Generalization and Time-based correlation. These activities are best defined by Kay[24]:

Compression takes multiple occurrences of the same event, examines them for duplicate information, removes redundancies and reports them as a single event. So 1,000 "route failed" alerts become a single alert that says "route failed 1,000 times."

[23] Russell Kay, Event Correlation (Unknown: COMPUTERWORLD, 2003, accessed 12 October 2004); available from http://www.computerworld.com/networkingtopics/networking/management/story/0,10801,83396,00.html; Internet.

Counting reports a specified number of similar events as one. This differs from compression in that it doesn't just tally the same event and that there's a threshold to trigger a report.

Suppression associates priorities with alarms and lets the system suppress an alarm for a lower-priority event if a higher-priority event has occurred.

Generalization associates alarms with some higher-level events, which are what's reported. This can be useful for correlating events involving multiple ports on the same switch or router in the event that it fails. You don't need to see each specific failure if you can determine that the entire unit has problems.

Time-based correlation can be helpful establishing causality -- for instance, tracing a connectivity problem to a failed piece of hardware. Often more information can be gleaned by correlating events that have specific time-based relationships. Some problems can be determined only through such temporal correlation.

[24] Russell Kay, Event Correlation (Unknown: COMPUTERWORLD, 2003, accessed 12 October 2004); available from http://www.computerworld.com/networkingtopics/networking/management/story/0,10801,83396,00.html; Internet.
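As an added illustration that is not part of the paper, the following Python sketch runs Kay's five activities over a constructed event feed; the Event fields, the alert thresholds and the per-source scope of suppression are assumptions made for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the collection window (constructed)
    source: str    # device or host that emitted the event
    message: str   # normalised message text
    priority: int  # 1 = highest priority


# Constructed sample feed (not real logs): a flapping route, a failing edge
# switch, and an application server that loses connectivity shortly after.
SAMPLE = (
    [Event(t, "core-rtr1", "route failed", 3) for t in range(0, 1000)]
    + [Event(10 + p, "sw-edge7", f"port {p} down", 3) for p in range(1, 25)]
    + [Event(12, "sw-edge7", "power supply failure", 1)]
    + [Event(40, "app-srv3", "connectivity lost", 2)]
    + [Event(100 + i, "app-srv3", "login failed", 4) for i in range(7)]
)


def compress(events):
    """Compression: identical (source, message) pairs collapse into one
    representative event plus an occurrence count."""
    first_seen, counts = {}, Counter()
    for e in events:
        first_seen.setdefault((e.source, e.message), e)
        counts[(e.source, e.message)] += 1
    return [(first_seen[k], n) for k, n in counts.items()]


def count_threshold(events, message, threshold):
    """Counting: similar events are reported as one alert, and only once a
    per-source threshold is reached (a single failure is not worth an alert)."""
    per_source = Counter(e.source for e in events if e.message == message)
    return [f"{src}: {n} x '{message}' (threshold {threshold})"
            for src, n in sorted(per_source.items()) if n >= threshold]


def suppress(compressed):
    """Suppression: when a source has raised a higher-priority alarm, its
    lower-priority alarms are held back (per-source scope is an assumption)."""
    best = {}
    for e, _ in compressed:
        best[e.source] = min(best.get(e.source, 99), e.priority)
    return [(e, n) for e, n in compressed if e.priority == best[e.source]]


def generalize(compressed, min_ports=8):
    """Generalization: many 'port N down' alarms on one switch become a single
    unit-level alarm, as in Kay's switch/router example."""
    ports_down = defaultdict(int)
    for e, _ in compressed:
        if e.message.startswith("port ") and e.message.endswith(" down"):
            ports_down[e.source] += 1
    return [f"{sw}: {n} ports down, unit probably failed"
            for sw, n in sorted(ports_down.items()) if n >= min_ports]


def time_correlate(events, cause, effect, window):
    """Time-based correlation: pair each `effect` event with the most recent
    `cause` event that occurred no more than `window` seconds before it."""
    causes = sorted((e for e in events if e.message == cause), key=lambda e: e.ts)
    pairs = []
    for eff in (e for e in events if e.message == effect):
        candidates = [c for c in causes if 0 <= eff.ts - c.ts <= window]
        if candidates:
            pairs.append((candidates[-1], eff))
    return pairs


def correlate(events):
    """Run all five activities over a feed and return the resulting alert lines."""
    compressed = compress(events)
    alerts = [f"{e.source}: '{e.message}' {n} times" for e, n in suppress(compressed)]
    alerts += count_threshold(events, "login failed", 5)
    alerts += generalize(compressed)
    alerts += [f"{eff.source} '{eff.message}' likely caused by {c.source} '{c.message}'"
               for c, eff in time_correlate(events, "power supply failure",
                                            "connectivity lost", 30)]
    return alerts


if __name__ == "__main__":
    for line in correlate(SAMPLE):
        print(line)
```

Against the constructed feed the 1,000 route failures become one line, the 24 port alarms become one unit-level alarm, and the server's connectivity loss is tied back to the switch's power failure 28 seconds earlier.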

1. Business Analysis

ECS is the solution that is most desirable and has the potential for the biggest return on investment. However, implementation of such a system has proven to be very challenging for vendors. As a result, these systems tend to be very expensive and not terribly reliable. Instead, the Anomaly Detection approach, as discussed below, has been conceived and is beginning to receive increased market share. In the future, it is hoped that ECS will mature to the point where it can be integrated to round out the Intrusion Detection and Analysis System.

2. Security Analysis

The primary function of ECS is to better detect events within the enterprise. Once reliable detection occurs, then other capabilities, such as active response, can be developed with it. Until that time, however, this solution is primarily aimed at protecting the Integrity of systems and data as a result of detecting active threats against them.

D. Anomaly Detection Systems (ADS)[25][26]

[25] Christina Yip Chung, Anomaly Detection in Database Systems (Davis: UC Davis Computer Security Laboratory, 1999, accessed 12 October 2004); available from http://seclab.cs.ucdavis.edu/projects/anomaly.html; Internet.

[26] Roy A. Maxion and Kymie M.C. Tan, Benchmarking Anomaly-Based Detection Systems (Pittsburgh: Carnegie Mellon University, 2000, accessed 12 October 2004); available from http://www-2.cs.cmu.edu/afs/cs.cmu.edu/user/maxion/www/pubs/maxiontan00.pdf; Internet.

Anomaly Detection Systems are an extension of Intrusion Detection Systems (or Misuse Detection Systems, as defined by Chung). Per Maxion and Kymie, "[anomaly] detection is a key element of intrusion detection and other detection systems in which perturbations of normal behavior suggest the presence of intentionally or unintentionally induced attacks, faults, defects, etc."[27] This type of detection is based largely on the rules of probability and predictability, taking into consideration log data from multiple sources (much as is done in ECS), but applying theories of predictability to these logs and automatically generating a best guess as to whether or not a misuse, or abuse, is occurring. In its basest form, ADS generates a baseline for performance and then monitors for behaviour that deviates from that baseline. In its more advanced, optimized form, ADS dynamically calculates the current performance based on aggregate log data and determines whether or not the current level of performance is deviant from expected levels.

As outlined in Maxion and Kymie, one of the key challenges to ADS is in performance. A large number of calculations must be performed on the fly to determine whether or not the aggregate logs can be correlated and weighted in such a manner as to predict an instance of misuse. Maxion and Kymie theorized that the type and source of data used by an ADS could have an impact on its performance. This theory was proven through their experimentation, indicating, then, that ADS is subject to performance variation, depending on data and source factors. Unfortunately, performance variance is not something generally appreciated by businesses and could stand to limit its adoption within corporate security environments.

[27] Roy A. Maxion and Kymie M.C. Tan, Benchmarking Anomaly-Based Detection Systems (Pittsburgh: Carnegie Mellon University, 2000, accessed 12 October 2004); available from http://www-2.cs.cmu.edu/afs/cs.cmu.edu/user/maxion/www/pubs/maxiontan00.pdf; Internet.
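The two forms described above, a fixed baseline and a dynamically recomputed one, as an added example that is not taken from the paper or from Maxion and Tan; the traffic counts, the three-sigma threshold and the exponentially weighted update rule are assumptions for illustration. It also shows why an adaptive baseline must not learn from the samples it has just flagged.

```python
import math
import statistics

# Constructed per-minute counts of outbound connections from one host.
# The first 30 minutes are treated as the training window for the baseline.
TRAINING = [18, 21, 19, 22, 20, 17, 23, 19, 21, 20,
            18, 22, 19, 20, 21, 18, 20, 22, 19, 21,
            20, 19, 18, 23, 20, 21, 19, 20, 22, 18]
# Live window: two bursts (minute 3 and minute 8) inside otherwise normal traffic.
LIVE = [20, 21, 19, 95, 22, 20, 18, 21, 70, 19]


def static_baseline(train):
    """Basest form: a fixed mean/stdev learned once from the training window."""
    return statistics.mean(train), statistics.pstdev(train)


def detect_static(train, live, k=3.0):
    """Flag live samples more than k standard deviations from the static baseline."""
    mu, sigma = static_baseline(train)
    return [i for i, v in enumerate(live) if abs(v - mu) > k * sigma]


class AdaptiveBaseline:
    """Optimized form: the expected level is recomputed as data arrives, using an
    exponentially weighted mean and variance (alpha = weight of the newest sample).

    With learn_from_anomalies=False, samples judged anomalous are not folded into
    the baseline, so one burst cannot quietly raise the bar for the next one."""

    def __init__(self, train, alpha=0.1, k=3.0, learn_from_anomalies=False):
        self.mu, sigma = static_baseline(train)
        self.var = sigma * sigma
        self.alpha, self.k = alpha, k
        self.learn_from_anomalies = learn_from_anomalies

    def observe(self, value):
        """Return True if `value` deviates from the current expectation."""
        anomalous = abs(value - self.mu) > self.k * math.sqrt(self.var)
        if not anomalous or self.learn_from_anomalies:
            diff = value - self.mu
            self.mu += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous


def detect_adaptive(train, live, alpha=0.1, k=3.0, learn_from_anomalies=False):
    """Indices of live samples flagged by the adaptive model, in arrival order."""
    model = AdaptiveBaseline(train, alpha, k, learn_from_anomalies)
    return [i for i, v in enumerate(live) if model.observe(v)]


if __name__ == "__main__":
    print("static   :", detect_static(TRAINING, LIVE))
    print("adaptive :", detect_adaptive(TRAINING, LIVE))
    print("poisoned :", detect_adaptive(TRAINING, LIVE, learn_from_anomalies=True))
```

The poisoned variant absorbs the first burst into its variance estimate and then misses the second, smaller one; that is the kind of data-dependent performance variation the text warns about.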

1. Business Analysis

Anomaly detection systems are an emerging solution related in part to intrusion (or misuse) detection systems and event correlation systems. This reality as an emerging technology limits the number of commercial solutions available and increases the cost of deployment. Some organizations have gone so far as to develop rudimentary ADS solutions in-house in order to defer commercial expenses. However, the overall value of these systems is limited by the primitive routines performed.

Ultimately, ADS and ECS represent the ideal solutions that will maximize return on investment for detection of threats within a security infrastructure. Once solutions begin to mature, competition emerges, and prices begin to drop, we will likely see a wide adoption of these types of solutions. Until that time, only the largest organizations, with the necessary resources to implement such a solution, will likely see the utility of ADS or ECS. Small and medium sized organizations will likely need to be content with basic IDS and IPS capabilities for the foreseeable future, barring a major breakthrough in performance and reliability that can reduce the overall total cost of ownership while maximizing the value. Integration of these solutions with active response capabilities and firewalls will continue to mature as the core products themselves mature.


2. Security Analysis

ADS are primarily designed to detect threats to the organization. This detect capability may be expanded in the future to include protect and correct capabilities, but only after the product has matured further. The general goal of ADS, as is true with most intrusion detection related solutions, is to primarily ensure Integrity, with secondary goals of ensuring Availability and Confidentiality. Detection can be used universally to ensure all three aspects of the CIA approach.

VII. NETWORK MAPPING

Network mapping is defined as "the study of the physical connectivity of the Internet."[28] In its most common form, network mapping is used to document the layout of a local area network (LAN) as part of an overall security assessment. This use is a form of intelligence gathering and oftentimes precedes the actual assessment of targeted systems.

Network mapping has evolved over the years from the simple performance of "PING" or "CONNECT" attempts to more extensive and subversive (or "quiet") methods of detection. Today, the most popular tool for performing network mapping is the open-source tool Nmap.[29] Nmap is capable of testing for the presence of nodes on a network based on a variety of detection techniques, including the use of Internet Protocol (IP), Transmission Control Protocol (TCP) and Universal Datagram Protocol (UDP). Each of these protocols has a unique flavor, and thus can generate varying results. Furthermore, Nmap has additional capabilities for subverting network security devices like firewalls and intrusion detection systems. It can take as input a host name, an IP address, a range of IP addresses, or a network or subnetwork. It may also take configurable parameters of "dummy" source addresses to help camouflage to network sensors what it is trying to do.

[28] Wikipedia, Network Mapping (St. Petersburg: Wikipedia, 2004, accessed 12 October 2004); available from http://en.wikipedia.org/wiki/Network_Mapping; Internet.

[29] Fyodor, Nmap Security Scanner (Unknown: Insecure.org, undated, accessed 12 October 2004); available from http://www.insecure.org/nmap/index.html; Internet.

The goal of network mapping is to determine which nodes are active on a network. This basic determination can be developed further to identify how far away the nodes are from the scanning host. Operating system identification may also be performed by tools like Nmap, though this functionality is an extension of network mapping and not core to its capabilities.

A. Business Analysis

Network mapping is a cheap and valuable tool for reviewing the existence of nodes on a network. Running a network mapping tool on a regular basis and comparing its results can assist an organization in ensuring that no nodes are being added to the network without proper authorization. Since the most popular tool, Nmap, is free and has been ported to many operating systems, including Linux, UNIX, Windows and Mac OS, the only real costs are in terms of performance and processing.
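An added example, not from the paper or from Nmap's own tooling, of the regular comparison recommended above: two constructed runs written in the style of Nmap's grepable (-oG) output are diffed to surface hosts that appeared or vanished and ports that newly opened on hosts already known. The addresses, hostnames and services are invented for the example.

```python
import re

# Constructed lines in the style of Nmap's grepable output; not real scan results.
BASELINE = """\
# Nmap grepable output (constructed baseline run)
Host: 10.0.0.1 (gw)\tStatus: Up
Host: 10.0.0.1 (gw)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.5 (fileserver)\tStatus: Up
Host: 10.0.0.5 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 10.0.0.9 (printer)\tStatus: Up
Host: 10.0.0.9 (printer)\tPorts: 9100/open/tcp//jetdirect///
"""
CURRENT = """\
# Nmap grepable output (constructed later run)
Host: 10.0.0.1 (gw)\tStatus: Up
Host: 10.0.0.1 (gw)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.5 (fileserver)\tStatus: Up
Host: 10.0.0.5 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 135/closed/tcp//msrpc///
Host: 10.0.0.77 ()\tStatus: Up
Host: 10.0.0.77 ()\tPorts: 23/open/tcp//telnet///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Map each responding IP to its hostname and the set of (port, proto, service) seen open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else are skipped
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "open": set()})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for port_spec in field[len("Ports: "):].split(", "):
                # port/state/proto/owner/service/rpcinfo/version/
                parts = port_spec.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    entry["open"].add((port, proto, service))
    return hosts


def diff_scans(baseline_text, current_text):
    """Hosts that appeared, hosts that vanished, and newly open ports on known hosts."""
    base, cur = parse_grepable(baseline_text), parse_grepable(current_text)
    new_hosts = sorted(set(cur) - set(base))
    missing_hosts = sorted(set(base) - set(cur))
    new_ports = {}
    for ip in sorted(set(cur) & set(base)):
        added = cur[ip]["open"] - base[ip]["open"]
        if added:
            new_ports[ip] = sorted(added)
    return {"new_hosts": new_hosts, "missing_hosts": missing_hosts, "new_ports": new_ports}


def report(baseline_text, current_text):
    """Human-readable lines for the review queue; each one is a change to authorize or remove."""
    d = diff_scans(baseline_text, current_text)
    lines = [f"NEW HOST  {ip}" for ip in d["new_hosts"]]
    lines += [f"MISSING   {ip}" for ip in d["missing_hosts"]]
    lines += [f"NEW PORT  {ip} {port}/{proto} ({service})"
              for ip, ports in d["new_ports"].items() for port, proto, service in ports]
    return lines


if __name__ == "__main__":
    for line in report(BASELINE, CURRENT):
        print(line)
```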

There are a couple of potential risks and limitations for network mapping. First, some applications and systems do not respond well to probes from network mapping tools. Mainframes, for example, have been known to respond poorly to raw network socket requests. Thus, network mapping could cause instability in a mainframe, or at least generate a large number of alerts. Additionally, network mapping can be limited by certain types of network and firewall rules. Whereas network mapping used to be able to circumvent firewalls using various packet manipulation techniques, most firewalls today are aware of state and thus effectively block circumvention. Additionally, intrusion detection systems, which may also be circumvented, have the capability today to be tuned so as to more optimally detect the occurrence of network mapping.

B. Security Analysis

Network mapping is a form of detection, from the standpoint that it detects nodes on a network, which can in turn be used to determine whether or not a given node is authorized to be on the network. Network mapping may also be construed as a form of protection, since the actions that derive from comparing network mapping data sets could result in removal of unauthorized nodes from the network.

From the standpoint of Confidentiality, Integrity and Availability, network mapping primarily serves the goal of ensuring the Integrity of the network. It may also be used to verify that certain nodes remain available on a network. Network mapping does not have any impact on Confidentiality, unless one were to spin the impact along the following line: a node, such as an IDS sensor, is placed on the network and configured so as not to be detectable by network mapping; however, a misconfiguration results in causing the sensor to respond to network mapping requests, revealing its location, and possibly its identity; thus, network mapping can ensure the confidentiality of "hidden" network nodes.


VIII. PASSWORD CRACKING

According to Wikipedia, "[password] cracking is the process of recovering secret passwords stored in a computer system."[30] Password cracking may serve to recover a lost password or to compromise an unknown password for the purposes of gaining unauthorized access to a system or data. Additionally, password cracking may be used as a preventative measure to ensure that strong passwords are being used by system users.

Most passwords today are maintained as a hashed, rather than encrypted, value. Hashing means taking a password string and using it as an input for an algorithm that results in an output that does not resemble the original input. Unlike encryption, hashing only works one way and cannot be decrypted. Hashing passwords before storing them is far more efficient than encrypting and decrypting passwords on the fly. Thus, when a user attempts to log in, their submitted password is hashed, and the hashed value is compared with the hashed value stored on the system. Given an exact hash match, the login is approved and the user is considered authenticated.

The best commercial use of password cracking is as a preventative measure, ensuring that users are choosing high quality (or strong) passwords. According to @stake, maker of the popular L0phtcrack password cracking utility, "experts from SANS, industry, government, and academia cite weak passwords as one of the most critical security threats to networks."[31] In the current context, passwords are the primary method for authentication, despite the availability of better solutions, as described in Section II above. Thus, protection of passwords and ensuring strong passwords against simple attacks is of the utmost importance.

[30] Wikipedia, Password cracking (St. Petersburg: Wikipedia, 2004, accessed 12 October 2004); available from http://en.wikipedia.org/wiki/Password_cracking; Internet.

Passwords are typically subjected to a combination of two kinds of attacks: brute-force and dictionary (or word-list). Brute-force attacks attempt to iterate through every possible password option available, either directly attempting to test the password against the system, or in the case of a captured password file, comparing the hashed or encrypted test password against the hashed or encrypted value in the file. In a dictionary attack, a list of common passwords, oftentimes consisting of regular words, is quickly run through and applied in a similar manner as with the brute-force attack.

Dictionary attacks are oftentimes very effective unless systems require users to choose strong passwords. For example, the maintainers of the popular open-source password cracking tool John the Ripper sell collections of word lists on CD. The CDs include word lists for more than 20 human languages, plus common and default passwords and unique words for all combined languages. For around $50 an individual wanting to execute a massive dictionary-based attack could have access to over 600 MB of word list data.[32] The ready availability of such data sets for use in dictionary attacks means that, unless a strong password is selected, it is very likely that the password can be cracked in a reasonable amount of time. This is especially true of passwords that are based on human-readable words.

[31] @stake, @stake LC 5 (Cambridge: @stake, undated, accessed 12 October 2004); available from http://www.atstake.com/products/lc/; Internet.

[32] Openwall Project, John the Ripper password cracker (Moscow: Openwall, undated, accessed 12 October 2004); available from http://www.openwall.com/john/; Internet.

A strong password is most often defined as a string of eight (8) or more characters that mix upper- and lower-case letters, numbers and special characters. Strong passwords do not resemble words, and are best when generated at random.[33] One suggested approach is picking a passphrase and either using the passphrase in its entirety or picking the leading letters from each word in the phrase and substituting numbers and special characters for some of the letters. Certain password hashing algorithms produce stronger hash values with longer passwords while others produce stronger hash values based on increased complexity of the password.

In addition to requiring users to choose strong passwords, it is also incumbent upon system administrators to require that passwords be changed frequently. Conventional wisdom indicates that no password should have a lifetime greater than 90 days, and for highly critical systems the lifetime should be 30 days or less. One exception to this rule involves two-factor authentication where a password is coupled with a stronger authentication method, such as tokens or biometrics.
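The hash-and-compare login flow and the strong-password rules described above, as an added example that is not taken from the paper; the policy thresholds, the small stand-in word list, the substitution table and the choice of a salted PBKDF2 hash are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a word list; a real audit would use a large list such
# as the ones described in the text.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty", "dragon"}
# Common digit/symbol substitutions that are undone before the dictionary comparison,
# so that "P@ssw0rd1" is still recognised as resembling "password".
LEET = str.maketrans("@01345$!", "aoieassi")


def normalize(pw):
    """Lower-case, undo common substitutions, keep letters only."""
    return "".join(ch for ch in pw.lower().translate(LEET) if ch.isalpha())


def check_strength(pw, min_len=8):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("must mix upper-case, lower-case, digits and special characters")
    core = normalize(pw)
    # A word with at most three extra letters tacked on still "resembles a word".
    if any(core.startswith(w) or core.endswith(w)
           for w in COMMON_WORDS if len(core) - len(w) <= 3):
        problems.append("resembles a dictionary word")
    return problems


def hash_password(pw, salt=None, iterations=100_000):
    """Store a salted, iterated one-way hash of the password rather than the password itself."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Login path from the text: hash the submitted password the same way, then compare hashes."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check leaks nothing about how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def enroll(pw):
    """Enforce the policy when a password is set; only acceptable passwords are hashed and stored."""
    problems = check_strength(pw)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(pw)


if __name__ == "__main__":
    for candidate in ("summer", "P@ssw0rd1", "C0rrect-H0rse!"):
        print(f"{candidate!r}: {check_strength(candidate) or 'accepted'}")
    record = enroll("C0rrect-H0rse!")
    print("login ok:", verify_password("C0rrect-H0rse!", record))
    print("login ok:", verify_password("C0rrect-H0rse?", record))
```

Because each stored record carries its own random salt, two users who pick the same password produce different hashes, so a single cracked hash does not expose every account sharing that password.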

A. Business Analysis

Passwords hold a prevalent place within the security infrastructure throughout most, if not all, organizations. Until passwords are replaced by stronger forms of authentication, such as tokens or biometrics, it is absolutely necessary that the use of strong passwords be enforced. Therefore, the benefit of buying word lists and password cracking software and running them regularly, particularly on key systems, greatly outweighs the costs. One downside is where centralized authentication has not been implemented. In those cases, while it is likely that users will use the same password across multiple systems, the cost in time of running password cracking against all systems becomes challenging. Thus, in addition to password cracking, it is also useful to implement a centralized authentication system that results in fewer password files to test.

[33] A. Cliff, Password Crackers - Ensuring the Security of Your Password (Unknown: SecurityFocus.com, 2001, accessed 12 October 2004); available from http://www.securityfocus.com/infocus/1192; Internet.

B. Security Analysis

Password cracking is primarily a protective countermeasure. It is designed to ensure that passwords used in various authentication mechanisms are strong enough to prevent casual dictionary-based attacks. It is assumed, however, that a brute-force attack can be 100% successful given enough time. As such, it is vitally important to combine password cracking with strict systematic requirements for strong passwords and regular password rotation. Password cracking helps ensure the Confidentiality and Integrity of data and systems by propping up the authentication system.

,E)P&B5,C <EC ,N0;*!T;&CT&;E94

94

The fo--o'in$ $enera- reso.r+es are avai-ab-e, b.t not /.oted in this paper : severa- P<, -in(s: http:66''')p(i3pa$e)or$6 more P<, do+s: http:66''')open$ro.p)or$6p.b-i+6te+h6se+.rity6p(i6 1A0B %# http:66''')ietf)or$6htm-)+harters6p(i13+harter)htm 0edera- P<, !teerin$ Committee: http:66''')+io)$ov6fp(is+6 P<, and the 5a': http:66''')p(i-a')+om6


Public Key Infrastructure was once thought to be the silver bullet for solving security and privacy on the Internet, as well as for providing a framework for secure business transactions across shared network resources. The reality is that PKI is complex, expensive, and very difficult to implement well. Clarke has gone so far as to claim, with significant supporting evidence, that PKI will remain a failure, and he offers alternatives that seek to improve or supplant the current X.509 standard for PKI. "Its key deficiencies are its inherently hierarchical and authoritarian nature, its unreasonable presumptions about the security of private keys, a range of other technical and implementation defects, confusions about what it is that a certificate actually provides assurance about, and its inherent privacy-invasiveness."[35]

According to Wikipedia, a Public Key Infrastructure is "an arrangement, usually carried out by software at a central location together with other coordinated software at distributed locations, which provides for third party (often termed a trusted third party) vetting of and vouching for user identities and for binding of public keys to users (typically in certificates) and vice versa."[36] The most common form of PKI today is Secure Sockets Layer (SSL) certificates used across the Internet to secure web browsing sessions. Companies such as VeriSign and Thawte make servers available on the Internet through which another organization's SSL certificate can be verified by a client web browser as being authentic and not revoked.

[35] Roger Clarke, Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society (Canberra: Clarke, 2000, accessed 12 October 2004); available from http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html; Internet.
[36] Wikipedia, Public key infrastructure (St. Petersburg: Wikipedia, 2004, accessed 06 November 2004); available from http://en.wikipedia.org/wiki/Public_key_infrastructure; Internet.


In more complex scenarios, PKI can be deployed internally to an organization for various purposes, such as securing internal communication, providing encryption services to data and systems, digitally signing code, and issuing the key material that allows users to digitally sign communications. Typically, though, enterprise PKI solutions are provided primarily as part of an authentication system, to better prove and secure an individual's identity.

Wikipedia provides a decent overview of PKI and its history.[37] Additionally, the National Institute of Standards and Technology (NIST) has stepped up to provide public leadership for the deployment and support of PKI in federal environments, as well as to help steer the development and standardization of associated technologies.[38]

A. Business Analysis

PKI has historically been considered a pipedream that will never come to fruition. Considerable criticism has been levied against it due to its cost and complexity. The major deployments of PKI today seem to focus on supporting SSL for Internet transactions. However, PKI has finally begun to evolve and mature, to the point where other large organizations have decided to install enterprise solutions. For example, AOL now has its own public PKI that it can use to generate SSL certificates, among other things. Proof of this deployment can be found by reviewing the root certificates shipped with all major browsers.

[37] Wikipedia, Public key infrastructure (St. Petersburg: Wikipedia, 2004, accessed 06 November 2004); available from http://en.wikipedia.org/wiki/Public_key_infrastructure; Internet.
[38] National Institute of Standards and Technology, NIST PKI Program (Washington: NIST, 2004, accessed 12 October 2004); available from http://csrc.nist.gov/pki/; Internet.


The use of PKI for enhancing authentication and identification is a laudable goal, but one that is very expensive to achieve. This goal could also be achieved through the use of cheaper authentication systems combined with other authentication methods, such as tokens or biometrics. Thus, the utility of a PKI for the average organization appears to be minimal, and the cost is generally prohibitive.

The types of companies that would benefit from deploying their own PKI include large Internet companies that not only conduct a lot of business across the Internet, but also provide business services to other organizations across the Internet. Additionally, large software development companies may benefit from implementing a PKI in order to sign code and applications, helping to assure the integrity of their products and intellectual property. Federal agencies and financial services companies may also benefit from deploying some form of PKI in order to establish a network of trust upon which customers and citizens can rely.

In the end, however, the extreme cost of successfully implementing a PKI solution generally outweighs most of the benefits that may be derived. In the case of small or medium-sized software development companies, it may in fact be cheaper to rely on code signing certificates from a trusted third party rather than to conduct code signing with an in-house PKI.


B. Security Analysis

The main role of PKI as a countermeasure is to protect against attack and compromise. Whether it is integrated into an authentication system or part of a code signing system, the overall goal is to ensure Integrity. Additionally, PKI can serve to ensure the Confidentiality of data through trusted encryption mechanisms that leverage trusted key material. PKI may, however, have a negative effect on the Availability of data or systems. If the PKI fails, the associated key material or mechanisms may not function properly to decrypt data or to allow proper authentication to occur. Since a secure system should "fail safe," failure of the PKI should result in a closed state that disallows access, which in turn impacts Availability.
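The fail-closed rule above, as an added example in Python that is not from the paper: the weak TLS client configuration that is commonly substituted when certificate validation breaks (it accepts any certificate at all), beside the hardened configuration that refuses the connection instead. No network access is needed to build and inspect the two contexts; connect() is included only to show where the verification error surfaces, and the cafile parameter is where an in-house root of the kind discussed above would be loaded. Function names and the decision dictionary are this example's own.

```python
"""Added example (not from the paper): what "fail closed" looks like for a PKI
consumer in code. The weak context below accepts any certificate, which is the
usual "fix" applied when validation breaks; the hardened context refuses the
connection instead. Host and port in connect() are whatever the caller passes;
no network access is needed to build or inspect the contexts.
"""
import socket
import ssl


def weak_client_context():
    # Anti-pattern: with verification off, a self-signed, revoked, expired or
    # mis-issued certificate is accepted. Availability is preserved at the
    # cost of Integrity and Confidentiality.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    # Chain validation and hostname matching are mandatory. Trust anchors come
    # from the platform store, or from an explicit bundle when cafile is given
    # (for example an internal enterprise root from an in-house PKI).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_fail_closed(ctx):
    """True when the context cannot complete a handshake with an unvouched peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def on_verification_failure(exc):
    """Decision rule for a failed chain or hostname check: refuse and surface it.

    Retrying with weak_client_context() would turn a PKI outage into a silent
    downgrade; the loss of Availability is the intended outcome.
    """
    return {"action": "refuse", "reason": str(exc)}


def connect(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS session and return the validated peer certificate's subject.

    ssl.SSLCertVerificationError propagates when the PKI cannot vouch for the
    peer; callers route it through on_verification_failure().
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = tls.getpeercert()["subject"]
            return {k: v for rdn in subject for k, v in rdn}


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"{name:8} fail-closed: {is_fail_closed(ctx)}")
```

The operational consequence is the one the paper notes: when a root expires, a CRL cannot be fetched, or an intermediate is mis-issued, the hardened client stops working until the PKI is repaired, and that outage is preferable to a client that keeps connecting to whatever presents a certificate.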


X. VIRTUAL PRIVATE NETWORKS[39]

A Virtual Private Network (VPN) is a private communications network that makes use of public networks, oftentimes for communication between different organizations.[40] A VPN is not inherently secure, though in its most common incarnation it does utilize encryption to ensure the confidentiality of transmitted data. The VPN is often seen as a cheaper solution for deploying a private network than private leased lines.[41][42] VPNs often serve to protect and ensure the integrity of communications[43] and may also protect the confidentiality of those communications when encryption is used.

Aside from the cost factor, VPNs have two main advantages: they may provide overall encryption for communications, and they allow the use of protocols that are otherwise difficult to secure.[44] In contrast, Zwicky cites the two main disadvantages of VPNs as being the reliance on "dangerous" public networks and extending the network that is being protected.[45]

There are three types of VPNs available today: dedicated, SSL and opportunistic. Dedicated VPNs, in either a gateway-to-gateway or client-to-gateway configuration, currently appear to be the most prominent deployment. However, SSL VPNs are increasing in popularity, serving as a lightweight, platform-independent client-to-gateway protection mechanism. Additionally, the concept of opportunistic encryption, as used with VPNs, was first posited in 2001 by the FreeS/WAN project, whose mission was to provide free standards-based VPN software under an open-source initiative. The concept of opportunistic encryption (OE) hinged on the notion that a VPN did not need to be in an "up" state at all times, but rather only needed to be activated when communication was occurring. Thus, gateways across the Internet could be configured to support encryption on an as-needed basis and would only have to set up the VPN when a connection from or through an OE-aware gateway was initiated. This model is similar to the traditional use of SSL on the Internet, except that instead of simply encrypting the traffic at the application layer, the encryption occurs at the network and/or transport layer, transparently to the end user.[46] The goal of implementing opportunistic encryption within free IPSEC-based VPNs was to transparently encrypt all Internet traffic.

Most virtual private networks today make use of IPSEC encryption. IPSEC provides network-level security for the Internet Protocol (IP) and is an extension of the original IPv4 standard. IPSEC makes use of the key management and security protocol ISAKMP/Oakley and has the benefit of protecting against man-in-the-middle attacks during connection setup. IPSEC includes a number of other features, such as being usable by tunneling protocols.[47]

[39] About.com has several links on VPNs that may be worth reviewing: http://compnetworking.about.com/od/vpn/
[40] Wikipedia, Virtual private network (St. Petersburg: Wikipedia, 2004, accessed 06 November 2004); available from http://en.wikipedia.org/wiki/Virtual_private_network; Internet.
[41] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p104.
[42] Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated, accessed 12 October 2004); available from http://www.networkcomputing.com/905/905colmoskowitz.html; Internet.
[43] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p119.
[44] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p120.
[45] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p121.
[46] Henry Spencer and D. Hugh Redelmeier, Opportunistic Encryption (Unknown: Freeswan.org, 2001, accessed 07 November 2001); available from http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/opportunism.spec; Internet.
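A gateway-to-gateway tunnel of the dedicated kind described above, in FreeS/WAN ipsec.conf syntax, as an added example that is not from the paper or from the FreeS/WAN project. The gateway addresses are from the RFC 5737 documentation ranges, the private subnets and host identities are made up, and the two RSA public key values are placeholders for the strings each gateway prints with `ipsec showhostkey --left` or `ipsec showhostkey --right`.

```conf
# Added example (not from the paper): a "net-to-net" IPSEC tunnel between two
# gateways in FreeS/WAN ipsec.conf form. The same file is installed on both
# gateways; FreeS/WAN works out which side it is from the local addresses.
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0           # never give up re-keying; a dedicated tunnel stays up
    authby=rsasig           # authenticate peers with RSA signatures, not a shared secret
    pfs=yes                 # fresh Diffie-Hellman for each IPSEC SA

conn west-east
    left=192.0.2.1                      # west gateway's public address
    leftsubnet=10.1.0.0/16              # network behind west
    leftid=@west.example.com            # identity presented in IKE
    leftrsasigkey=0sAQ...               # placeholder: west's public key from "ipsec showhostkey --left"
    right=198.51.100.1                  # east gateway's public address
    rightsubnet=10.2.0.0/16             # network behind east
    rightid=@east.example.com
    rightrsasigkey=0sAQ...              # placeholder: east's public key from "ipsec showhostkey --right"
    auto=start                          # negotiate at startup rather than waiting for "ipsec auto --up"
```

Two details carry the security analysis: `authby=rsasig` with the peer's public key pinned in the file is what defeats the man-in-the-middle attack during ISAKMP/Oakley setup, since an impostor gateway cannot sign with the pinned key; and `auto=start` together with `keyingtries=0` is the dedicated, always-up model, as opposed to the opportunistic model where a tunnel is negotiated only when traffic to an OE-aware gateway appears.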

A. Business Analysis

Virtual private networks have a legitimate use in the business environment, especially when used in a secure manner that leverages the available encryption options. Given the growing prevalence and availability of cheap Internet access, a VPN can be used to securely and reliably replace more expensive leased lines. This replacement is particularly attractive in environments where the data being transmitted is sensitive, but where an interruption of connectivity will not represent a major disruption to the business.

Many hardware and software solutions are available today, with costs ranging from free (FreeS/WAN) to expensive (dedicated hardware-based solutions targeting high throughput). Most inexpensive networking equipment, such as the Linksys and Netgear lines of home user security devices, now supports IPSEC-based VPNs.

B. Security Analysis

The basic goal of a Virtual Private Network is to ensure the integrity of the connection and communications.[48] When encryption is added, the goal of preserving confidentiality may also be achieved. One downside to VPNs is that they tend to be built on complex systems and are prone to easy disruption, reducing the overall availability of data and communications.

From the perspective of countermeasures, the VPN primarily serves to protect data, though it may also dynamically correct. If logging is enabled and monitored, then attacks against the VPN may also serve the need for detection, though that would be ancillary.

[47] Robert Moskowitz, What Is A Virtual Private Network? (Unknown: CMP, undated, accessed 12 October 2004); available from http://www.networkcomputing.com/905/905colmoskowitz.html; Internet.
[48] Elizabeth D. Zwicky and others, Building Internet Firewalls, 2nd Edition (Cambridge: O'Reilly, 2000), p119.

XI. VULNERABILITY SCANNING SYSTEMS

Vulnerability scanning is the "automated process of proactively identifying vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened."[49] Vulnerability scanning typically relies on a handful of tools that identify hosts and then proceed to test them for known weaknesses. The automated scanning process should include three high-level steps: receiving authority to scan, determining the scope of the program, and establishing a security baseline (based on the number of vulnerabilities found per number of hosts scanned).[50] Additionally, a good vulnerability scanning program will securely manage the results of the scans and will have a proven plan and process in place for remediating the vulnerabilities that are uncovered. Vulnerability scanning should occur as part of an overall risk management framework, not as a standalone security countermeasure.

The most popular vulnerability scanning tool available today is also free, open-source software. Nessus[51] has become the de facto tool for vulnerability scanning over the past five (5) years, replacing commercial tools like CyberCop Scanner (discontinued), ISS Security Scanner, and eEye Retina. Vulnerability scanning has been around since the late 80s or early 90s, pioneered by Dan Farmer, co-author of the COPS[52] security tool. Originally, vulnerability scanning was host-based in nature, as COPS and TIGER were, but it eventually expanded to include network-based scanning. There are still host-based scanners available, such as the Center for Internet Security's benchmark security tool.[53] More often, though, vulnerability scanning today is network-based.

Chapple provides a nice overview of the Nessus scanner and why it is preferable to its competition: "The Nessus tool works a little differently than other scanners. Rather than purporting to offer a single, all-encompassing vulnerability database that gets updated regularly, Nessus supports the Nessus Attack Scripting Language (NASL), which allows security professionals to use a simple language to describe individual attacks. Nessus administrators then simply include the NASL descriptions of all desired vulnerabilities to develop their own customized scans."[54]

[49] Webopedia, vulnerability scanning (Darien: Jupitermedia, undated, accessed 12 October 2004); available from http://www.webopedia.com/TERM/V/vulnerability_scanning.html; Internet.
[50] Christopher Cook, Managing Network Vulnerabilities in a DOE/NNSA Environment (Kansas City: DOE, undated, accessed 12 October 2004); available from http://cio.doe.gov/Conferences/Security/Presentations/CookC.pps; Internet.
[51] http://www.nessus.org/
[52] http://www.fish.com/cops/overview.html
[53] http://www.cisecurity.com/
[54] Mike Chapple, Vulnerability scanning with Nessus (Unknown: TechTarget.com, 2003, accessed 12 October 2004); available from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci938271,00.html?track=NL-20; Internet.
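The baseline step described above, together with the pre- and post-deployment comparison that the business analysis calls for, as an added example in Python that is not from the paper: the per-host baseline is computed from scanner findings, and a later scan is diffed against the earlier one so that new findings feed the remediation process. The line format, plugin IDs, hosts (RFC 5737 documentation addresses) and findings are all constructed for this example; they stand in for a real export such as Nessus's NBE files, not that format.

```python
"""Added example (not from the paper): turning raw scanner findings into the
"vulnerabilities per host scanned" baseline the text describes, then diffing a
pre-deployment scan against a later one so new findings stand out for the
remediation process.

The pipe-delimited line format (host|port|plugin_id|severity|summary), the
plugin IDs and the hosts (RFC 5737 documentation addresses) are all constructed
for this example; it is a simplified stand-in for a real export such as
Nessus's NBE files, not that format.
"""
from collections import Counter

SEVERITY_WEIGHT = {"hole": 3, "warning": 2, "note": 1}


def parse_findings(lines):
    """Yield (host, port, plugin_id, severity, summary) tuples from export lines."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, plugin_id, severity, summary = line.split("|", 4)
        severity = severity.lower()
        if severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {severity!r} in {line!r}")
        yield host, port, int(plugin_id), severity, summary


def baseline(findings, hosts_scanned):
    """Findings per host scanned, plus a severity-weighted score.

    hosts_scanned is the in-scope host count, not the count of hosts with
    findings, so clean hosts pull the ratio down as they should.
    """
    by_severity = Counter(f[3] for f in findings)
    total = sum(by_severity.values())
    return {
        "per_host": round(total / hosts_scanned, 2),
        "by_severity": dict(by_severity),
        "weighted_score": sum(SEVERITY_WEIGHT[s] * n for s, n in by_severity.items()),
    }


def regressions(before, after):
    """Findings in the later scan that the earlier one did not report, keyed by host."""
    seen = {(host, port, pid) for host, port, pid, _, _ in before}
    new = {}
    for host, port, pid, severity, summary in after:
        if (host, port, pid) not in seen:
            new.setdefault(host, []).append((port, pid, severity, summary))
    return new


# Constructed exports: a scan before a web tier went live, and one a month later.
SCAN_BEFORE = """
# host|port|plugin_id|severity|summary
192.0.2.10|22/tcp|1001|note|SSH server type and version
192.0.2.10|80/tcp|1002|warning|HTTP TRACE method enabled
192.0.2.11|443/tcp|1003|note|SSL certificate information
""".splitlines()

SCAN_AFTER = """
192.0.2.10|22/tcp|1001|note|SSH server type and version
192.0.2.10|80/tcp|1002|warning|HTTP TRACE method enabled
192.0.2.11|443/tcp|1003|note|SSL certificate information
192.0.2.11|443/tcp|1004|hole|Web application directory traversal
192.0.2.12|21/tcp|1005|hole|Anonymous FTP login permitted
""".splitlines()

HOSTS_IN_SCOPE = 4  # 192.0.2.10 through .13; .13 had no findings in either scan


def run_sample():
    """Return (baseline before, baseline after, regressions) for the constructed scans."""
    before = list(parse_findings(SCAN_BEFORE))
    after = list(parse_findings(SCAN_AFTER))
    return baseline(before, HOSTS_IN_SCOPE), baseline(after, HOSTS_IN_SCOPE), regressions(before, after)


if __name__ == "__main__":
    base_before, base_after, new_findings = run_sample()
    print("baseline before:", base_before)
    print("baseline after: ", base_after)
    for host, items in new_findings.items():
        for port, pid, severity, summary in items:
            print(f"NEW {severity.upper():7} {host} {port} plugin {pid}: {summary}")
```

The baseline moving from 0.75 to 1.25 findings per host says that the estate got worse; the regression list says where, and both "hole"-rated entries are the ones the remediation process should take first.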


A. Business Analysis

As was the case with password cracking in Section VIII above, vulnerability scanning is a very cheap and useful practice. When conducted regularly and carefully, the use of an automated vulnerability scanning tool can provide considerable information about the overall risk landscape of technologies throughout an enterprise. Vulnerability scanning is particularly important for ensuring that Internet-accessible resources are properly secured before deployment, and for ensuring that they remain secure after deployment.

Because the most common tools for conducting vulnerability scans are free, open-source software, there is very little reason not to make use of them. Furthermore, the installation and operation of a tool like Nessus does not require much technical acumen, and the information gathered from the assessment can be invaluable. Making matters even better, tools like Nessus are thoroughly documented on the Internet and can often be found in pre-packaged bootable environments.

B. Security Analysis

Vulnerability scanning can contribute to countermeasures in all three areas of protect, detect and correct. The primary role of scanning is to detect vulnerabilities in systems, but when used properly it also contributes to protecting resources from being deployed insecurely and, by providing adequate information to system administrators, to correcting vulnerabilities.

From the standpoint of Confidentiality, Integrity and Availability, vulnerability scanning most affects the Integrity of systems, though there may be ancillary benefits to Confidentiality and Availability. By detecting and resolving weaknesses in a system, the integrity of the system can be assured. Furthermore, ensuring the integrity of a system will help prevent the system from becoming compromised, with a resulting loss of confidentiality, or from being overly susceptible to attacks that may deny the availability of the system or associated application.


REFERENCES

1) @stake. @stake LC5. Cambridge: @stake, undated, accessed 12 October 2004; available from http://www.atstake.com/products/lc/; Internet.
2) Blanding, Steven F. "Secured Connections to External Networks," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki Krause. Boca Raton: Auerbach, 2000.
3) Chapple, Mike. Vulnerability scanning with Nessus. Unknown: TechTarget.com, 2003, accessed 12 October 2004; available from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci938271,00.html?track=NL-20; Internet.
4) Clarke, Roger. Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society. Canberra: Clarke, 2000, accessed 12 October 2004; available from http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html; Internet.
5) Cliff, A. Password Crackers - Ensuring the Security of Your Password. Unknown: SecurityFocus.com, 2001, accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1192; Internet.
6) Cook, Christopher. Managing Network Vulnerabilities in a DOE/NNSA Environment. Kansas City: DOE, undated, accessed 12 October 2004; available from http://cio.doe.gov/Conferences/Security/Presentations/CookC.pps; Internet.
7) Desai, Neil. Intrusion Prevention Systems: the Next Step in the Evolution of IDS. Unknown: SecurityFocus.com, 2003, accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1670; Internet.
8) eBCVG IT Security. Heuristic Scanning - Where to Next? Tel-Aviv: eBCVG, 2004, accessed 12 October 2004; available from http://www.ebcvg.com/articles.php?id=264; Internet.
9) Fyodor. Nmap Security Scanner. Unknown: Insecure.org, undated, accessed 12 October 2004; available from http://www.insecure.org/nmap/index.html; Internet.
10) Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security, 2nd Edition. Cambridge: O'Reilly, 1996.
11) Innella, Paul. The Evolution of Intrusion Detection Systems. Unknown: SecurityFocus.com, 2001, accessed 12 October 2004; available from http://www.securityfocus.com/infocus/1514; Internet.
12) Kanish, Bob. An Overview of Computer Viruses and Antivirus Software. Unknown: Kanish, 1996, accessed 12 October 2004; available from http://www.hicom.net/~oedipus/virus32.html; Internet.
13) Kay, Russell. Event Correlation. Unknown: COMPUTERWORLD, 2003, accessed 12 October 2004; available from http://www.computerworld.com/networkingtopics/networking/management/story/0,10801,83396,00.html; Internet.
14) Manu. Firewall Basics. Unknown: SecurityDocs.com, 2004, accessed 06 November 2004; available from http://www.securitydocs.com/library/2413; Internet.
15) Maxion, Roy A. and Kymie M.C. Tan. Benchmarking Anomaly-Based Detection Systems. Pittsburgh: Carnegie Mellon University, 2000, accessed 12 October 2004; available from http://www-2.cs.cmu.edu/afs/cs.cmu.edu/user/maxion/www/pubs/maxiontan00.pdf; Internet.
16) Moskowitz, Robert. What Is A Virtual Private Network? Unknown: CMP, undated, accessed 12 October 2004; available from http://www.networkcomputing.com/905/905colmoskowitz.html; Internet.
17) National Institute of Standards and Technology. NIST PKI Program. Washington: NIST, 2004, accessed 12 October 2004; available from http://csrc.nist.gov/pki/; Internet.
18) National Institute of Standards and Technology. NIST Planning Report 02-1: Economic Impact Assessment of NIST's Role-Based Access Control (RBAC) Program. Washington: NIST, 2002, accessed 12 October 2004; available from http://csrc.nist.gov/rbac/rbac-impact-summary.doc; Internet.
19) Openwall Project. John the Ripper password cracker. Moscow: Openwall, undated, accessed 12 October 2004; available from http://www.openwall.com/john/; Internet.
20) Purdue University. CERIAS: Audit Trail Reduction Group. West Lafayette: CERIAS, undated, accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.php?output=printable; Internet.
21) Purdue University. Firewalls. West Lafayette: CERIAS, undated, accessed 12 October 2004; available from http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/; Internet.
22) Richards, Donald R. "Biometric Identification," in Information Security Management Handbook, 4th Edition, ed. Harold F. Tipton and Micki Krause. Boca Raton: Auerbach, 2000.
23) Rotchke, Ben. Access Control Systems & Methodology. New York: SecurityDocs.com, 2004, accessed 06 November 2004; available from http://www.securitydocs.com/go/69; Internet.
24) Spencer, Henry and D. Hugh Redelmeier. Opportunistic Encryption. Unknown: Freeswan.org, 2001, accessed 07 November 2001; available from http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/opportunism.spec; Internet.
25) Tipton, Harold F. and Micki Krause. Information Security Management Handbook, 4th Edition. Boca Raton: Auerbach, 2000.
26) Webopedia. vulnerability scanning. Darien: Jupitermedia, undated, accessed 12 October 2004; available from http://www.webopedia.com/TERM/V/vulnerability_scanning.html; Internet.
27) Wikipedia. Anti-virus software. St. Petersburg: Wikipedia, 2004, accessed 06 November 2004; available from http://en.wikipedia.org/wiki/Anti-viral_software; Internet.
28) Wikipedia. Computer virus. St. Petersburg: Wikipedia, 2004, accessed 06 November 2004; available from http://en.wikipedia.org/wiki/Computer_virus; Internet.
29) Wikipedia. Network Mapping. St. Petersburg: Wikipedia, 2004, accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Network_Mapping; Internet.
30) Wikipedia. Password cracking. St. Petersburg: Wikipedia, 2004, accessed 12 October 2004; available from http://en.wikipedia.org/wiki/Password_cracking; Internet.
31) Wikipedia. Public key infrastructure. St. Petersburg: Wikipedia, 2004, accessed 06 November 2004; available from http://en.wikipedia.org/wiki/Public_key_infrastructure; Internet.
32) Wikipedia. Virtual private network. St. Petersburg: Wikipedia, 2004, accessed 06 November 2004; available from http://en.wikipedia.org/wiki/Virtual_private_network; Internet.
33) Yip Chung, Christina. Anomaly Detection in Database Systems. Davis: UC Davis Computer Security Laboratory, 1999, accessed 12 October 2004; available from http://seclab.cs.ucdavis.edu/projects/anomaly.html; Internet.
34) Zwicky, Elizabeth D., S. Cooper and D. B. Chapman. Building Internet Firewalls, 2nd Edition. Cambridge: O'Reilly, 2000.

