
Network Security Tools (Intro)

Intrusion detection systems, or IDSs, have become an important component in the
Security Officer's toolbox. However, intrusion detection systems do exactly as the name
suggests: they detect possible intrusions. More specifically, IDS tools aim to detect
computer attacks and/or computer misuse, and to alert the proper individuals upon
detection. An IDS installed on a network uses various methods both to detect when an
intruder, attacker or burglar is present and to subsequently issue some type of warning
or alert (Kozushko, 2003).

Although IDSs may be used in conjunction with firewalls, which aim to regulate and
control the flow of information in and out of a network, the two security tools should
not be considered the same thing. Using a household analogy, firewalls can be thought
of as a fence or a security guard placed in front of a house. They protect a network and
attempt to prevent intrusions, while IDS tools detect whether or not the network is
under attack or has, in fact, been breached. IDS tools thus form an integral part of a
thorough security system, but they do not fully guarantee security (Indian Computer
Emergency Response Team, 2003).

Intrusion detection systems are an integral and necessary element of a complete
information security infrastructure, performing as "the logical complement to network
firewalls" (Innella, McMillan 2001).

On the other hand, a firewall is basically the first line of defense for a network. The
basic purpose of a firewall is to keep uninvited guests from browsing a network. A
firewall can be a hardware device or a software application and is generally placed at
the perimeter of the network to act as the gatekeeper for all incoming and outgoing
traffic (Bradley, 2004).

A firewall allows an administrator to establish certain rules that determine what traffic
should be allowed into or out of a private network.

Traditionally, firewalls and anti-virus programs try to block attacks and IDS tries to
identify attacks as they occur. Such techniques are critical to a defense in depth
approach to security, but they have limitations. A firewall can stop services by blocking
certain port numbers but it does little to evaluate traffic that uses allowed port numbers.
IDS can evaluate traffic that passes through these open ports but cannot stop it. IPS can
proactively block attacks (SANS, 2002).

Historically, IDS solutions were the forerunner of IPS and, as the names suggest, the
main difference is that an IDS solution only detects that an attack may be taking place
or has already taken place, whilst an IPS solution should have the ability to block and
prevent an attack as it happens in real time and prevent it from reaching its target
(McAfee, 2006).
IPS solutions are hence more sophisticated than IDS solutions. Physically, an IDS
solution does not have to sit within the network path; it can instead analyze packets
copied from the network.
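The three preceding paragraphs contrast a port-based firewall, a passive IDS and an in-line IPS. The following toy model is an added example written for this page, not code from any of the cited sources; the packet format, the two signature strings, the allowed-port set and the sample traffic are all constructed for illustration. It shows why a packet on an allowed port that carries a malicious payload passes the firewall, is merely reported by the IDS, and is only stopped by the IPS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Constructed sample signatures for the toy detector (hypothetical, not real IDS rules).
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sqli-tautology": b"' OR '1'='1",
}

# Ports the firewall permits; everything else is refused at the perimeter.
ALLOWED_PORTS = frozenset({80, 443})


def firewall_permits(pkt: Packet) -> bool:
    """Port-based filter: looks at the header only, never at the payload."""
    return pkt.dst_port in ALLOWED_PORTS


def matched_signatures(payload: bytes) -> list[str]:
    """Content inspection shared by the IDS and IPS roles."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def run_pipeline(packets: list[Packet], mode: str) -> dict:
    """Push packets through firewall -> inspector -> protected host.

    mode="ids": the inspector works on a copy of the traffic, so it can only alert.
    mode="ips": the inspector sits in-line, so a signature match drops the packet.
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    delivered, alerts, dropped = [], [], []
    for pkt in packets:
        if not firewall_permits(pkt):
            dropped.append(("firewall", pkt.src, pkt.dst_port))
            continue  # the inspector never sees this packet
        hits = matched_signatures(pkt.payload)
        for name in hits:
            alerts.append((name, pkt.src))
        if hits and mode == "ips":
            dropped.append(("ips", pkt.src, pkt.dst_port))
            continue
        delivered.append(pkt)  # reaches the protected host
    return {"delivered": delivered, "alerts": alerts, "dropped": dropped}


# Constructed traffic: one telnet probe, one clean request, and two requests that
# use allowed ports but carry payloads matching the signatures above.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.9", 23, b"login: admin"),
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", 80, b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.4", 443, b"POST /login user=' OR '1'='1"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        result = run_pipeline(SAMPLE_TRAFFIC, mode)
        print(mode, "delivered:", len(result["delivered"]),
              "alerts:", result["alerts"], "dropped:", result["dropped"])
```

Running it in both modes makes the limitation concrete: the telnet probe on port 23 never reaches the inspector because the firewall refuses it on the header alone, while the two port-80/443 requests sail past the firewall; in "ids" mode they are delivered with an alert raised after the fact, and only in "ips" mode are they dropped before reaching the host.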

As security incidents become more numerous, IDS and IPS tools become increasingly
necessary. They round out the security arsenal, working in conjunction with other
information security tools, and allow for the complete supervision of all network
activity (Group Network Instruments, 2007).

Like any other security tool, IDS and IPS detection systems suffer from several
drawbacks. For example, since an IPS intercepts all requests to the system it protects, it
has certain prerequisites: it must be very reliable, must not negatively impact
performance, and must not block legitimate traffic (Group NSS, 2004).

An IDS or IPS is a complex network packet and flow inspection system demanding an
order of magnitude higher processing power compared to the highest throughput
firewalls. Enterprise networks are migrating from Fast Ethernet to Gigabit Ethernet
technology at the aggregation points and core of the network. To meet the
computational demands of multi-gigabit in-line IDS or IPS, sensors must rely on high-
performance processors to meet packet-processing rates and per-packet latency
requirements. As a necessary condition for complete detection coverage, the sensor
must be capable of seeing all the traffic on its monitoring ports under the most stringent
bursty conditions (McAfee, 2003).

As networks become faster there is a need for security analysis techniques that can keep
up with the increased network throughput. Traditional centralized approaches to traffic
analysis cannot scale with advances in bandwidth, mainly due to their memory and
computational requirements. In the last few years a number of distributed architectures
have already been proposed for dedicated network monitoring tasks, but they are not
scalable in the context of high speed networks (Sallay, AlShalfan, Ben Fredj, 2009).

In order to solve that kind of problem, it is possible to use parallel computing: a parallel
program consists of multiple active processes simultaneously solving a given problem.
A given task is divided into multiple sub-tasks using a divide-and-conquer technique,
and each of them is processed on a different CPU (Held, Bautista, Koehl, 2006).
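To show the divide-and-conquer idea applied to traffic inspection, here is an added example written for this page (not code from the cited authors). It partitions a constructed capture into contiguous slices, scans each slice in a separate worker, and merges the per-slice alerts; the signatures, the capture contents and the planted positions are all constructed. It uses a process pool where the platform supports forking so the slices really run on different CPUs, and falls back to threads otherwise.

```python
import multiprocessing
import os
import time
from concurrent.futures import ProcessPoolExecutor, ThreadPoolExecutor

# Constructed sample signatures (hypothetical, not real IDS rules).
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sqli-tautology": b"' OR '1'='1",
}


def scan_chunk(chunk):
    """Inspect one partition of (index, payload) pairs; this runs inside a worker."""
    hits = []
    for idx, payload in chunk:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((idx, name))
    return hits


def partition(items, parts):
    """Divide step: split a list into at most `parts` contiguous slices."""
    if not items:
        return []
    size = -(-len(items) // parts)  # ceiling division
    return [items[i:i + size] for i in range(0, len(items), size)]


def scan_serial(payloads):
    """Baseline: the whole capture inspected by a single process."""
    return sorted(scan_chunk(list(enumerate(payloads))))


def _executor(workers):
    # Worker processes give real multi-CPU parallelism; use threads where
    # forking is unavailable (e.g. Windows) so the code still runs.
    if "fork" in multiprocessing.get_all_start_methods():
        ctx = multiprocessing.get_context("fork")
        return ProcessPoolExecutor(max_workers=workers, mp_context=ctx)
    return ThreadPoolExecutor(max_workers=workers)


def scan_parallel(payloads, workers=None):
    """Divide-and-conquer: partition the capture, scan the slices concurrently,
    then conquer by merging the per-slice alert lists into one sorted list."""
    workers = workers or os.cpu_count() or 1
    chunks = partition(list(enumerate(payloads)), workers)
    try:
        with _executor(workers) as ex:
            partial = list(ex.map(scan_chunk, chunks))
    except Exception:  # e.g. the callable cannot be shipped to a subprocess
        with ThreadPoolExecutor(max_workers=workers) as ex:
            partial = list(ex.map(scan_chunk, chunks))
    return sorted(hit for hits in partial for hit in hits)


def build_sample(n=20000):
    """Constructed capture: n clean requests with three malicious payloads
    planted at known positions."""
    payloads = [b"GET /index.html HTTP/1.1"] * n
    payloads[17] = b"GET /view?f=../../etc/passwd HTTP/1.1"
    payloads[n // 2] = b"POST /login user=' OR '1'='1"
    payloads[n - 1] = b"GET /dl?p=../../etc/passwd HTTP/1.1"
    return payloads


if __name__ == "__main__":
    capture = build_sample()
    for label, fn in (("serial", scan_serial), ("parallel", scan_parallel)):
        t0 = time.perf_counter()
        hits = fn(capture)
        print(f"{label:8s} {time.perf_counter() - t0:.4f}s hits={hits}")
```

The merge step sorts by packet index so the parallel result is identical to the serial one; this matters for an IDS because alert ordering and correlation must not depend on which worker happened to finish first. On a tiny capture the process start-up cost dominates, so the timing line only favours the parallel version once the capture is large relative to the number of workers.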

Likewise, these new security tools, together with other new computing technologies
such as parallel computing, genetic algorithms and new programming suites, represent a
great deal of opportunities and challenges in the development of new solutions against
many different types of malware. The development of a security tool that could use the
advantages of these new computing technologies and solve certain drawbacks of the
current security tools named above might be an integral solution for protecting a
computer network in a safe and easy way.
