Overview

Why Do You Need Intrusion Detection?

A further complication in deploying a firewall is that it is difficult to establish clearly where the boundary exists between inside and outside. At one time it was obvious that the Internet was outside and the intranet was inside. However, more and more corporations are joining their intranets in multiple-partner arrangements, often termed extranets. A firewall becomes difficult to deploy in an extranet environment; if inside and outside have been joined together, where can you draw the line and place your firewall? In such an environment, some form of continuous security monitoring tool is needed to ensure that critical systems are not being abused and valuable data is not being pilfered by your erstwhile partners.

Encryption

Encryption is a mathematical technique that prevents the unauthorized reading and modification of data. It does this in such a way that the intended recipients of the data can read it but no intermediate recipient can read or alter the data. It also allows authentication of the sender of a message: is the claimed sender really the person who sent the message?

In any well-designed cryptographic system, the heart of the security is the key that is used to encrypt the message. Knowing the key allows you to decrypt any message, alter it, and retransmit it to the sender. Even if the inner workings of the encryption software are known completely, you cannot read or alter messages without knowing the key.

The problem with relying on encryption lies in the old adage that a chain is only as strong as its weakest link. In this case, the weakest link is not the encryption technology but the systems on which the key is stored. After all, how can you be sure the program you are using to encrypt your data hasn't saved your key to a temporary file on your disk, from which an attacker can later retrieve it? If attackers gain access to your key, not only can they decrypt your data, they can impersonate you and send messages that appear to be signed by you and no one else.

Encryption does not protect your data while it is in the clear (not encrypted) as you process it (for example, while preparing a document for printing). Moreover, encryption cannot protect your systems against denial of service attacks. So despite the privacy and authentication advantages that encryption brings, it is still only part of an overall security solution.

Security Auditing Tools

A security auditing tool probes your systems and networks for potential vulnerabilities that an attacker could exploit, and generates a report identifying holes and recommending fixes. Of course, the assumption is that once you find the holes, you will quickly patch them before they are exploited. If it is used in this fashion, and run regularly, a security auditing tool can be a very valuable weapon against attackers.

But how regularly should you run the tool? Attacks can occur at any point in the day; an attacker can penetrate your systems, cover up his or her tracks, and install a variety of back doors all within a matter of minutes. Even running your tools every hour still gives attackers a very large window of opportunity to exploit your systems, steal your data, and cover their tracks before you ever detect them. It is obvious that if some form of continuously running security audit tool were available, life would be much simpler and your systems more secure. This brings us to the need for an Intrusion Detection System.

Chapter 1

HP Host Intrusion Detection System (HIDS) manual Encryption, Security Auditing Tools