Protect Your Information with Intrusion Detection (Power)

Precise and reliable information on the components of your system and data, starting from the moment of their creation up to the time of their deletion, is the key to the successful detection of security violations. This enables the security administrator to compare standard conditions to the current state and detect all unauthorized changes in time. All resources are monitored, including the data (both system data and user data), systems (both hardware and software), networks (both hardware and software), workstations (hardware and software), applications and operating systems.

Approaches to intrusion detection are usually based on detecting the differences between the current condition of a controlled object and that recorded previously, under normal conditions. Security personnel must always know where a resource is located, as well as its status and contents. Without detailed information of this sort, it is impossible to detect when something has been added, modified, or violated.

Unfortunately, most organizations neglect this stage of planning, due to the fact that the process of registering a large amount of required information on various components of the information can be somewhat time-consuming and tedious. Quite often, specialists in information-security departments do not have the appropriate skills for obtaining this information, or have no access to all of the equipment that is connected to the network. Therefore, they must cooperate with specialists from IT departments, telecommunications departments, etc. Only through such cooperation can specialists obtain all of the required information. As practice has shown, the network map (if ever created at all) is developed in most cases at the stage of designing the information system. But companies often do not keep their system maps up to date, rendering them practically useless as the basis for controlling unauthorized changes. Another common mistake is that, quite often, the network map and all related information is created and stored only in IT departments, so they are not available to security departments, which impacts their work negatively.

Network Map

If you have not done so already, it is absolutely necessary to perform a detailed inventory of all hardware and software of the corporate network. All information must be stored in a database, where it will be easy to compare the initial inventory results to the results produced by all subsequent inventories. In the case of authorized changes, such as adding new equipment, or the replacement or deletion of existing equipment, it is necessary to introduce a system of timely modification of the inventory list.

Network-architecture inventory must include the following information:

• Network topology for all devices, including active network equipment, servers and workstations, including their addresses (for example, IP addresses and MAC addresses)

• Routing table (information flows between devices)

• Description of the VLAN used and the principles according to which they are built (by ports, addresses, protocols, labels and so on)

• Information on the configuration of networks and devices (this must include access-control lists and other security settings)

• For communication equipment ports, indications that they belong to various net-work segments

• Availability of SPAN ports and their configuration

• Used protocols, traffic characteristics (for example, peak, minimum and average values for the network workload) and throughput value

• Description of the physical location of all network devices, workstations and servers, including the designation of floor and room numbers

• Information on the public networks by which your information is transferred and/or to which your corporate network has been connected

The description of the network's architecture is the basis for the network map. Additionally, the network map might contain the following information:

• List of all software installed on servers and workstations

• List of users and their privileges

• For network segments, an indication where they belong to specific departments, and a description of their functional tasks

The network map is not simply a document storing all of the required information. Instead, it is more like an atlas that includes different maps describing the same territory from different points of view (geographical, political, economic, etc.). In the same sense, the network map describes various aspects of the corporate network's operation.

To create the network component of this map, it is best to use various network-management systems (such as HP OpenView, SPECTRUM, Visio, etc). Such tools include the AutoDiscovery function, which allows administrators to update network maps automatically and trace all unauthorized changes in the network configuration. Information on the protocols used and the traffic characteristics can be obtained using various protocol analyzers. Security scanners can also be very useful, since they allow the detection of the following:

• Network services

• Banners of the responding services

• OS types and version numbers

• NetBIOS shares

• Common security policy parameters

All devices detected within the corporate network must be grouped according to the following parameters:

• Organizational departments and hosts that logically belong to them (for example, all hosts for the financial department or personnel-management department)

• Network segments and host that belong to them

• Vulnerabilities to attacks of high, medium and low risk levels (for example, an external router carries a high level of risk, while the risk level for a department server is medium, and that for a workstation is low)

• Level of the device's importance (high, medium or low), in relation to the functional tasks assigned to that device (for example, a banking payroll server or router can be classified as having high importance, a file server solving an organization's subsidiary tasks as a medium-importance device, and a workstation as a low-importance device)

You can also use automated tools for composing an inventory of the hardware and software. For workstations and servers running Windows 9x or Windows NT/2000, these mechanisms are already built into the operating system. For UNIX, there are similar programs, such as Strobe (ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/strobe/) and fremont (ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/fremont/), which allow you to determine which devices are connected to your phone line, system and network. Furthermore, there are third-party tools with a broader set of functional capabilities, for example, LAN Auditor (http://www.lanauditor.com/).