Response to question from Prashanth, Rao

>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>On Behalf Of Rao, Prashanth
>Sent: Tuesday, January 19, 1999 10:11 PM
>To: '[EMAIL PROTECTED]'
>Subject: What is Adaptive detection and response
>
>hi,
>i have read the cyberwalls white paper from Aberdeen group. In this white
>paper the author has mentioned Adaptive detection and response (Intrusion
>detection and content filtering). Where exactly do we need to implement this? At
>firewall level/router level? Or at all levels? Or create a separate layer and
>have a dedicated server etc.? Any thoughts and comments are of great help to
>really implement the perfect enterprise cyber wall.
>prashanth rao

This was forwarded to me for an answer, so I will attempt to provide one knowing that I have not seen the whole thread of discussion. If it is out of balance, I beg forgiveness in advance. Since the concept of cyberwalls is somewhat new, please forgive my wordiness as I want to be clear in answering your question(s).

Adaptive detection and response is the concept of tying the ability of the IDS network security component to an attack profile and then adjusting security policies dynamically in the policy enforcement rule base to defeat the attack and potentially add additional security policies to thwart other attack profiles that may be related. Historically, this has not been a consolidated operation. Further, this has traditionally been done on separate standalone systems offering perimeter defensive measures and not ubiquitous throughout an enterprise network environment.

One major differentiator of a cyberwall vs. a firewall is that a firewall traditionally segments and protects network-to-network traffic. Cyberwalls are components that are installed ubiquitously on a network - on desktops, on servers, between trusted network components, etc.

Another difference is that on firewalls, intrusion detection is usually not included and not totally integral to the policy enforcement facilities. In a cyberwall, IDS functionality and rule adaption to meet a cyberthreat are integral components. Finally, because security policy rule enforcement engines are installed on desktops and servers (with full IDS and other functions), the overhead and performance matters that typically cause firewall bottlenecks on a network are avoided and distributed to the source or destination system for the traffic on the network. This means that performance requirements are not measured or managed the same way as traditional perimeter firewalls: a cyberwall implementation distributes the performance burden to many machines and, specifically, to the systems that are in communications sessions with each other. In this manner, performance characterization is a function of what a desktop or server is doing as opposed to what some other machine may be doing that generates traffic on a network through a shared resource (like a perimeter or network-to-network firewall environment).

Major functions of adaptive detection and response include three states: inspection, detection and protection. We achieve this via:

- Frame-level capture and full bit-level inspection of all traffic to/from a system or network. On internal networks, this also means ALL protocols - not just IP. On internal networks, multiprotocol operations are the norm and not the exception. While IP is popular and growing, most networks still have IPX, AppleTalk, NetBEUI, SNA, DECnet and many other protocols that can be used to attack systems which are used on networks. In some environments, such as real-time and manufacturing networks, there are many, many custom protocols used to support the operations and these cannot be filtered with traditional perimeter IP-based firewall facilities.

- IDS functionality at each point of inspection. As an example, a server such as a certificate authority (CA) server or LDAP server has no effective manner, under any operating system, to detect a network attack profile on the server itself. This is especially important for internal network attacks via intranets and extranets. Detection of such attacks allows the individual system or network "sub group" to detect the attack and formulate a defensive strategy on-the-fly. IDS systems that are not ubiquitous can cause performance bottlenecks or lack of timely response when placed on standalone systems in chokepoint configuration fashion.

- Frame, packet, application, "stateful" and, in some cases, proxy security policy engine filtering facilities that not only implement standard restrictive access methods, but also interoperate with IDS facilities to properly adapt the operating security rule base to meet the threat being detected. This protection functionality allows a cyberwall to exercise real security actions dynamically instead of just reporting a problem in the expectation that the network or security management team will modify the rule base to meet the threat at some future time.

The best network security implementation for any network is a layered security architecture that allows work to be done in a predominantly transparent manner to the security entities or applications installed. In the case of "ultimate" network security, routers with security filtering (like access control lists or ACLs), cyberwalls and traditional firewalls co-exist and complement each other's functionality as a network is secured in a hierarchical or tiered manner. As each layer of a network security architecture is breached, the next layer should inspect, detect and protect the layer behind it.

Ultimately, through the implementation of a layered security architecture, proper levels of security are applied to defeat the level of threat and the appropriate tool at each layer of network architecture allows the system(s) on the network to survive an attack.

Cyberwalls are usually configured much differently, due to multiple protocols and differing application and server requirements, than a traditional IP perimeter firewall with well-known IP-based applications. As a result, there are different management burdens associated with managing cyberwalls than traditional firewalls.

Companies will need cyberwalls, firewalls, certificate authorities, digital signature servers, router ACLs, token authentication systems, challenge-response authentication systems, PKI key escrow and management, cryptographic methods and a whole rash of security tools and systems to properly secure corporate assets from compromise. There is no one tool to solve the problems and no one way to do so. Cyberwalls, however, introduce a new network security tool to help solve internal security problems, provide comprehensive security management to a high granularity state and keep a breached perimeter network connection from becoming the fatal flaw in security in a company that potentially kills the corporate assets that are unprotected internally.

I hope this addresses your questions. If you have any others about cyberwalls, please let me know.

Regards,

Bill Hancock

*************************************
Bill Hancock, Ph.D., CISSP
Chief Technology Officer
Network-1 Security Solutions, Inc.
The Intranet Security Company
878 Greenview Dr.
Grand Prairie, TX 75050
Tel: 972-606-8200
Fax: 972-606-8220
Web: http://www.Network-1.com
Email: [EMAIL PROTECTED]
Nasdaq: NSSI
*************************************
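The inspect / detect / protect loop the reply describes, as an added example that is not part of the original message and not Network-1's product code: a small host-level policy engine whose rule base is adapted on the fly when its built-in detector recognises an attack profile. The event format (`time src dport`), the port-scan threshold (five distinct ports in ten seconds), the rule syntax and the sample capture are all assumptions made for illustration; the protected host is assumed to serve only LDAP (389) and LDAPS (636).

```python
# Added example: host-level adaptive detection and response.
# Not Network-1's code; event format, thresholds and rule syntax are assumed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    t: float      # seconds since start of capture
    src: str      # source address
    dport: int    # destination port on the protected host


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # None matches any source
    dport: Optional[int] = None  # None matches any destination port
    reason: str = "static"

    def matches(self, ev: Event) -> bool:
        return (self.src is None or self.src == ev.src) and \
               (self.dport is None or self.dport == ev.dport)


class RuleBase:
    """Ordered first-match rule base; traffic matching no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, ev: Event):
        for r in self.rules:
            if r.matches(ev):
                return r.action, r.reason
        return "deny", "default"

    def block_source(self, src: str, reason: str) -> bool:
        """Insert a deny-all rule for src at the top; False if one is already there."""
        if any(r.action == "deny" and r.src == src and r.dport is None for r in self.rules):
            return False
        self.rules.insert(0, Rule("deny", src=src, dport=None, reason=reason))
        return True


class PortScanDetector:
    """Flags a source touching >= threshold distinct ports within a sliding window."""

    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # src -> deque of (t, dport)

    def observe(self, ev: Event):
        q = self.history[ev.src]
        q.append((ev.t, ev.dport))
        while q and ev.t - q[0][0] > self.window:  # expire events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold:
            return {"profile": "port-scan", "src": ev.src, "ports": sorted(ports)}
        return None


class AdaptiveHostWall:
    def __init__(self, rulebase: RuleBase, detector: PortScanDetector):
        self.rulebase = rulebase
        self.detector = detector
        self.alerts = []

    def handle(self, ev: Event):
        # 1. Inspection: the detector sees every frame, including ones the static
        #    policy drops; denied probes are the strongest scan evidence.
        hit = self.detector.observe(ev)
        # 2. Detection -> protection: the rule base is adapted before this frame
        #    is decided, so the triggering frame already falls under the new rule.
        if hit and self.rulebase.block_source(hit["src"], "adaptive:" + hit["profile"]):
            self.alerts.append(hit)
        return self.rulebase.decide(ev)


def parse_log(text: str):
    """Parse constructed 'time src dport' lines into Events."""
    events = []
    for line in text.strip().splitlines():
        t, src, dport = line.split()
        events.append(Event(float(t), src, int(dport)))
    return events


# Constructed sample capture (not real traffic): 10.0.0.5 walks five ports on the
# directory server and then tries the normally permitted LDAP port; 10.0.0.7 is a
# legitimate LDAP client.
SAMPLE_LOG = """
1.0 10.0.0.5 21
1.5 10.0.0.7 389
2.0 10.0.0.5 22
2.5 10.0.0.5 23
3.0 10.0.0.5 25
3.2 10.0.0.7 389
3.5 10.0.0.5 80
4.0 10.0.0.5 389
5.0 10.0.0.7 636
"""


def run(log_text: str = SAMPLE_LOG):
    """Return (decisions, alerts, final rules) for a host that serves only LDAP/LDAPS."""
    wall = AdaptiveHostWall(
        RuleBase([Rule("allow", dport=389), Rule("allow", dport=636)]),
        PortScanDetector(threshold=5, window=10.0),
    )
    decisions = [(ev.src, ev.dport) + wall.handle(ev) for ev in parse_log(log_text)]
    return decisions, wall.alerts, wall.rulebase.rules


if __name__ == "__main__":
    for src, dport, action, reason in run()[0]:
        print(f"{src:>9} -> :{dport:<4} {action:5} ({reason})")
```

Two design points are worth noting. The detector runs before the policy decision rather than after it, because a chokepoint firewall that only logs what it allows never sees the four denied probes that make the fifth one a scan; that is the inspection-of-all-frames point the reply makes. And the response is idempotent (a second hit from the same source does not insert a second rule), which keeps a noisy scanner from growing the rule base without bound. A production responder would also expire adaptive rules after a quarantine period; this example leaves them in place so the final rule base is easy to inspect.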
