HP Host Intrusion Detection System (HIDS) manual Why Existing Tools Are Only Part of the Solution

Models: Host Intrusion Detection System (HIDS)


Overview

Why Do You Need Intrusion Detection?

Exploitation of Critical Infrastructure Elements

As more business is done over the Internet, more trust is placed in critical infrastructure elements: the routers, hubs, and web servers that move data around the net. They also include DNS name servers that allow users to access www.mycompany.com from their browsers. A DNS server is a computer that maps names such as www.company.com to an Internet address such as 10.2.3.4. By attacking these important infrastructure services, an attacker can bring your whole organization to its knees. Sometimes attackers do not have to steal your information to hurt you. By simply making your systems unavailable for use, they can cause you losses in both financial terms and in credibility in your industry.

Misconfigured Software and Hardware

It may seem obvious, but if you misconfigure a critical piece of software or hardware, you can open yourself up to many security problems. This is a particular problem in the area of firewalls, where configuration rules are complex: one missed rule can leave your whole internal network open to attack. Another example is a network where the system administrator has not taken the time to put some simple security measures in place.

Excessive Privilege for Simple Tasks

Code that runs with privilege (as root on UNIX systems, or as Administrator on Windows NT systems) is particularly vulnerable because a simple bug can have major impact. Most security problems are found in code that runs with privilege and is poorly designed. Moreover, most code runs with more privilege than it needs to accomplish its task. Often a site will install its web server to run as root, granting it far greater privilege than it needs to simply serve up web pages and CGI scripts. A web server running as root is a prime target for an attacker; by exploiting a CGI script vulnerability, the attacker can gain full root privileges on your systems.
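As an added example (not part of the HP manual, and not a description of how HP-UX HIDS works), the following Python script checks a process listing for web servers that handle requests as root. The sample listing, the names in `WEB_SERVERS`, and the master/worker heuristic are assumptions made for illustration.

```python
import os

# Constructed sample of a ps-style listing (user, pid, ppid, command);
# not taken from a real host.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root       410     1 /usr/sbin/httpd
www        411   410 /usr/sbin/httpd
www        412   410 /usr/sbin/httpd
root       900     1 nginx
root       901   900 nginx
root       950     1 sshd
root       960     1 apache2
"""

# Assumption: process names treated as web servers; adjust for the site.
WEB_SERVERS = {"httpd", "apache2", "nginx"}

def parse_ps(text):
    """Return {pid: (user, ppid, name)} parsed from a listing with a header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) != 4 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # skip blank or malformed lines
        user, pid, ppid, comm = fields
        procs[int(pid)] = (user, int(ppid), os.path.basename(comm.strip()))
    return procs

def root_request_handlers(procs):
    """Return sorted PIDs of web-server processes that handle requests as root.

    A master that starts as root only to bind a port below 1024 and then
    forks workers is not reported; its workers are judged instead. Any other
    root web-server process (a root worker, or a lone server with no workers)
    is reported, because requests and CGI scripts run with its privilege.
    """
    # A master is any process that has a child with the same command name.
    masters = {ppid for (_, ppid, name) in procs.values()
               if ppid in procs and procs[ppid][2] == name}
    return sorted(pid for pid, (user, _, name) in procs.items()
                  if name in WEB_SERVERS and user in ("root", "0")
                  and pid not in masters)

if __name__ == "__main__":
    print(root_request_handlers(parse_ps(SAMPLE_PS)))
```

A master that has not yet forked its workers looks like a lone server to this heuristic, so a hit right after a restart should be rechecked.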

Being Used as a Springboard to Attack the Next Victim

Even if you are not attacked yourself, your company systems can be used to launch an attack on other victims elsewhere on the Internet.

Why Existing Tools Are Only Part of the Solution

A number of technologies have emerged as potential solutions to the various security problems faced by companies. Firewalls, encryption, and security auditing tools are useful in the world of security. After reading this section, you will understand how HP-UX HIDS integrates with these existing technologies.

Firewalls

A firewall is a system that is placed between two networks to control what traffic is allowed between those networks. A firewall is usually placed between the Internet and your internal intranet. It can be viewed as a useful point of policy enforcement through which you can decide what network traffic is and is not permitted to and from your organization. When deployed correctly (itself a difficult task in a complex business environment), a firewall is an efficient tool to prevent attacks on your critical systems and data. However, a firewall connected to the Internet cannot protect you against an attack against your systems launched from inside your organization. Often, it cannot stop an attacker inside your organization from attacking systems on the Internet (you may be used as a springboard to attack the next victim).
