Who plays more games? The people trying to penetrate networks and wreak havoc, or the vendors who dream up products and services to thwart them?
The psychological advantage is clearly with the companies that design and sell IT security products, because they can count on users’ imaginations to conjure up the imps and goblins. Often enough, the hackers just need to switch on their computers to learn enough about the latest vulnerabilities to create a new menace.
The hackers can launch their poisoned arrows at specific targets, while network owners need to shield everything – physical assets, the integrity of the network itself, and all the stored and live data associated with it.
There is only one way to find out how much security is enough, and that unfortunately is shortly after discovering there was too little.
Three conflicting trends make the situation particularly nerve-wracking for public-sector IT managers: Post-9/11 security overkill, buget restraint, and an environment in which the information technology staffs of governments are being asked to facilitate the online delivery of functions which were often designed for inherently secure, one-to-one delivery.
It is not surprising that network managers and administrators all over the world were shaken this year when Richard Stiennon, a vice-president at respected Gartner Research, published a report titled Intrusion Detection is Dead – Long Live Intrusion Prevention.
Those who had just paid for a new Intrusion Detection System (IDS) and may never have heard of Intrusion Prevention would have been especially rocked.
Stiennon said that organizations should buy firewalls instead of IDS because intrusion detection simply does not provide another ring of protection against attacks. IT managers, according to Gartner, should look at advanced, integrated firewall products with protection at the network and application level. (Even though Stiennon was caught off-base on some technical points, Gartner is standing by its conclusions.
In the real world, in most cases a firewall would sit between the network and the outside world, examining traffic and rejecting packets which showed unwanted characteristics. The IDS would work inside the firewall, constantly inspecting network traffic for behaviour that exceeded selected boundaries of tolerance. Set the barrier too high on either system and wanted traffic is blocked. Set it too low and there is no protection.
An IDS may demand constant fine-tuning and tinkering, as administrators work through piles of detected anomalies – from the previous shift or day or week. In the meantime, whatever has been detected has already happened, or may still be happening. (Looked at one way, IDS could be a system administrator’s nightmare. It constantly lists things that could go wrong, or already have, and it can be adjusted at any time to generate lots more.)
The key to untangling the situation is to look less at what the various systems are called and more at what they are actually designed to achieve. Network security is achieved in much the same way that security guards keep order at a suburban mall. Known offenders are either stopped at the entrance or shown the door when detected. Suspicious behaviour of any kind is investigated, and once again, “good” is accepted and “bad” is rejected.
When it comes to networks, the first solution depends on threat information always being collected and countermeasures always being deployed in timely fashion. The latter depends on second-guessing everyone and every process connected with the network. Taken together, such measures are time-consuming, expensive and carry no guarantee of success.
There are some relevant questions that managers can ask to decide where and how to deploy the overflowing alphabet soup of solutions. Some of them are at the granular level: How deep in the data stream does the product look, how many anomalies can it look for and how quickly can it perform? The second set relates to overall control. How quickly does the product provide a comprehensive picture of what is actually happening on the network, and how quickly can administrators intervene to prevent or limit damage?
The IT security message from vendors appears to be, “If you make the investment in these products, the return will be a more secure network. The more layers of protection, the more secure it will be.” But managers always have a choice – when it comes to evaluating the benefits of the various systems, they can look past the fear, uncertainty and doubt of the marketing and advertising and insist on seeing the numbers.
Richard Bray (firstname.lastname@example.org) is an Ottawa-based writer specializing in high technology issues.