Tip

Bridging the gap between perimeter and host security


What you will learn from this tip: How intrusion-detection systems, honeypots and darknets bridge the gap between perimeter and host security to secure the network.

Most organizations recognize the importance of information security and devote resources to an information security program with adequate technical controls. In many cases, controls are well-developed in the areas of controlling access to the network (perimeter protection) and fortifying individual systems on the network (host protection). We're now beginning to see an increased emphasis on bridging the gap between these two areas with network-based security mechanisms.

In this tip, we'll explore three technical controls you can put in place to help bridge the gap in your enterprise: intrusion-detection systems, honeypots/honeynets and darknets. Each of these tools allows for a range of implementations from simple to complex.

Intrusion-detection systems

There are two basic approaches to intrusion detection:

  • Signature-based intrusion-detection systems (IDSes) work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They scan network traffic for packets that match those signatures and raise alerts to security administrators.
  • Anomaly-based IDSes work on a different principle. They learn the profile of "normal" network activity by monitoring the network over time, and then alert administrators to any deviations from that norm. The major advantage to anomaly-based systems is their ability to identify previously unknown attacks. Unfortunately, they haven't quite entered the mainstream of information security and reached the point of maturity where they're reliable enough for use on production networks.

If you'd like to implement an IDS, you may consider two different avenues, depending upon the time and financial resources you're able to commit to the project. The first option is the open-source route. The Snort intrusion-detection system is available for free at Snort.org and is well-supported by the information security community. If you're not willing to spend the time necessary to get Snort up and running, you may purchase a commercial IDS. There are quite a few products available today from vendors like Cisco and Enterasys. You also might wish to consider the commercial appliance versions of Snort available from Sourcefire.

Honeypots and honeynets

Honeypots and honeynets are another option available to security practitioners to secure the network. These tools are, believe it or not, designed to attract malicious attackers. Honeypots are systems designed to be targets of opportunity, useful for monitoring and observing hacker activity in an attempt to learn new hacking tools and techniques. Knowledge gained from honeypot systems may be used to protect the production network.

Honeynets are networks of honeypot systems, normally running different operating systems and applications with differing configurations. There is quite a bit of research underway in the academic community on so-called self-healing honeynets. These honeynets are designed to attract and monitor malicious activity and then quickly restore themselves to their original state, ready for the next attack attempt and saving a considerable amount of administrative time. For more information on establishing a honeypot or honeynet, consult the Honeynet Project at Honeynet.org.

Darknet

One of the simplest tools you can implement on your network is a darknet. All you need to do is set aside a portion of unused IP address space and designate it as the darknet. Next, configure your IDS or other network-monitoring device to detect any traffic headed to a darknet address. As there are no legitimate systems running on the darknet, you may safely assume that any traffic bearing a darknet destination address is from a malicious or misconfigured system. Darknets are especially useful for detecting systems on your network that may be infected by worms or other malicious code and are attempting to spread to random addresses on your network.
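The darknet check described above, as an added example that is not part of the original tip: the darknet block (10.99.0.0/16) and the flow records are constructed for illustration, and the detector flags every flow destined for the darknet and then singles out sources that fan out across several dark addresses, the pattern a worm spreading to random addresses leaves behind.

```python
import ipaddress
from collections import defaultdict

# Unused address block set aside as the darknet (constructed example value).
DARKNET = ipaddress.ip_network("10.99.0.0/16")

# Constructed sample flow records: (source, destination, destination port).
# No production host lives in 10.99.0.0/16, so any packet sent there is
# either malicious or the product of a misconfiguration.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.5.7", 443),
    ("10.1.2.3", "10.99.4.10", 445),
    ("10.1.2.3", "10.99.4.11", 445),
    ("10.1.2.3", "10.99.12.200", 445),
    ("10.1.2.3", "10.99.200.5", 445),
    ("10.1.9.9", "10.99.0.1", 80),
    ("10.1.9.9", "10.1.0.1", 53),
    ("10.1.7.4", "10.1.0.10", 25),
]


def is_darknet_dest(dst, darknet=DARKNET):
    """True if the destination address falls inside the darknet block."""
    return ipaddress.ip_address(dst) in darknet


def darknet_hits(flows, darknet=DARKNET):
    """Return every flow that touched the darknet, keyed by source address."""
    hits = defaultdict(list)
    for src, dst, port in flows:
        if is_darknet_dest(dst, darknet):
            hits[src].append((dst, port))
    return dict(hits)


def scan_suspects(flows, darknet=DARKNET, threshold=3):
    """Sources that reached at least `threshold` distinct darknet addresses.
    One stray packet is usually a misconfiguration; fan-out across many dark
    addresses is what a worm probing random addresses produces."""
    hits = darknet_hits(flows, darknet)
    return sorted(src for src, targets in hits.items()
                  if len({dst for dst, _ in targets}) >= threshold)


if __name__ == "__main__":
    for src, targets in darknet_hits(SAMPLE_FLOWS).items():
        print(f"{src} -> darknet: {targets}")
    print("scan suspects:", scan_suspects(SAMPLE_FLOWS))
```

The same test is what a Snort rule with the darknet block as its destination network would express; the threshold step is the follow-up an analyst applies to separate a worm from a single mistyped address.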

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


This was first published in May 2005
