Intrusion detection systems, the primary source of warnings that attacks are under way, are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.
The mission of IDS is changing, however. Many IDS vendors are improving their products so that the IDS doesn’t simply give you the details on an event that has occurred. Instead, the system will help prevent intrusions from happening in the first place.
Even within the reporting realm, IDS is becoming more active as anomaly detection, vulnerability assessment and forensics come under the broad label of IDS’s reportable events. The growing number of attacks and attack types makes it more important for the IDS to correlate with logs and reports from other network-security components for context and ease of interpretation.
Schemes such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system): the IDS feeds control information to a central authority, which then instructs the firewall to reset connections and block addresses.
Last year, the verdict on IPSs was “don’t believe the hype.” As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets.
For some, the blocking of even one piece of legitimate traffic is unacceptable.
As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and Tipping Point should be seriously explored in 2005.
The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.
Outside the conventional perimeter, software firewalls installed on mobile clients help move protection outside the bricks and mortar of the corporate boundaries, to slow the spread of malware that can gain entry in Starbucks, traverse a VPN and run loose in the network core.
The intelligent integration of security functions, controlled by software that enforces intelligent policies, will be one of the great migrations of the year. Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console. The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems.
Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year.
At the same time, agencies and organizations have begun the work of building standards: the National Institute of Standards and Technology published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.
Although, in some ways, authentication is the boring brother-in-law of the security world, there is room for excitement as the world moves closer to the promised nirvana of single sign-on.
To comply with regulations, data must be protected from external threats and even successful intrusions cannot result in the release of protected data. Therefore, IDS and IPS must look at traffic flowing in both directions in order to defend the database and its supporting applications from giving up critical data.
Data storage devices that can take data away are also a significant concern. “Thumb drives,” small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office.
Instead of network security, more professionals are becoming involved in data assurance, network assurance or even business assurance, helping to protect the information against network intrusion, physical disaster or device theft.
http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=SLLOOGDEM1DNQQSNDBGCKH0CJUMEKJVN?articleId=55800918