
VAS and IDS fundamentals

Opinion
Apr 24, 2003 | 3 mins
Intrusion Detection Software, Network Security, Security

* Introducing systems for assessing vulnerabilities and detecting intrusions

In upcoming articles I will be looking closely at vulnerability assessment systems and intrusion detection systems. We’ll examine fundamentals, deployment, analysis, and response strategies centering on these technologies. I am particularly indebted to the work of Becky Bace in this field and refer readers to a couple of her publications in the references below.

An IDS is software or hardware designed to automate surveillance of computers and networks. It collects and analyzes records of system and network activity for evidence of security violations. An IDS can be configured to detect successful intrusions such as unauthorized penetrations of security barriers; it can also detect attacks such as unsuccessful intrusions and denial-of-service attacks.

In contrast, a VAS is designed to look for known vulnerabilities. A VAS scans computer and network security systems and compares gathered data with compilations of standards to spot weaknesses in security configurations. A VAS usually runs periodically and produces reports, whereas most IDSs run all the time and produce alerts immediately when they notice anomalies.

VASs can be useful when new programs are installed, after significant changes are made to software or network configurations, and during or after security incidents. Both VASs and IDSs fit into security management by supporting auditability; they provide information for independent reviews of system records, adequacy of security controls, and compliance with policy and procedures. Their data not only help detect previously unnoticed breaches of security but also help guide changes in security arrangements and in incident handling and recovery plans.

VASs and IDSs are valuable in security management because they document existing threats and help build baseline information for improved risk analysis and risk management. IDSs in particular can detect early stages of possible attacks such as port scans and probes; with appropriate response in place, such information is valuable in helping managers take immediate steps to forestall the anticipated attacks.
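To make the contrast above concrete (an IDS watches a stream of activity and alerts while a probe is still in progress, rather than reporting after a periodic scan), here is a small, added example of the kind of port-scan detection logic an IDS applies; it is illustrative code written for this column, not a product's implementation, and the connection records, addresses, threshold and window are all constructed.

```python
from collections import defaultdict

# Constructed sample connection records: (timestamp_seconds, source_ip, dest_port, outcome).
# 192.0.2.10 touches ten distinct ports in four seconds, the pattern of a probe;
# 10.0.0.5 touches a few ordinary service ports spread over minutes.
SCANNER_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 3389]
SAMPLE_LOG = [(100 + i // 3, "192.0.2.10", port, "refused")
              for i, port in enumerate(SCANNER_PORTS)]
SAMPLE_LOG += [
    (101, "10.0.0.5", 80, "accepted"),
    (150, "10.0.0.5", 443, "accepted"),
    (200, "10.0.0.5", 22, "accepted"),
]

THRESHOLD = 8   # distinct ports from one source inside the window that raise an alert (assumed)
WINDOW = 10     # sliding window in seconds (assumed)


def detect_port_scans(records, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, first_seen_ts, distinct_ports) in detection order.

    Records are consumed as a time-ordered stream and an alert is emitted the moment
    a source crosses the threshold, which is why an IDS can report a probe early
    rather than only in a later periodic report.
    """
    history = defaultdict(list)   # source_ip -> [(ts, port), ...] within the window
    alerted = set()               # sources already reported, to avoid duplicate alerts
    alerts = []
    for ts, src, port, _outcome in sorted(records):
        hist = history[src]
        hist.append((ts, port))
        # Expire entries that fell out of the sliding window.
        while hist and hist[0][0] < ts - window:
            hist.pop(0)
        distinct = {p for _, p in hist}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, hist[0][0], len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, first_ts, count in detect_port_scans(SAMPLE_LOG):
        print(f"ALERT: {src} probed {count} distinct ports starting at t={first_ts}s")
```

The threshold and window are the tuning knobs that trade false alarms against missed slow probes; a real deployment would set them from observed baseline traffic.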

IDSs can also supply forensic evidence useful in prosecuting crimes.

On another level, VASs can be useful in training network security staff. They can serve as an element of quality assurance, such as after installation of major operating system upgrades. However, all such applications depend on having the VAS kept up to date; an out-of-date VAS will miss newly discovered but potentially disastrous vulnerabilities and may even contribute to an unjustified and misleading confidence in inadequate security measures.

On the negative side, a VAS can be used by attackers as well as by defenders. Some open-source tools are available on the Internet to anyone who wants them and can be applied, at least to some extent, against poorly defended sites to detect specific vulnerabilities that can then be exploited by attackers.

In an upcoming issue, I’ll look at deployment of VASs and IDSs and some aspects of data analysis.

For further reading:

Amoroso, E. (1999). _Intrusion Detection_. Intrusion.Net Books (Sparta, N.J.). ISBN 0-966-67007-8. 218 pp. Index.

Bace, R. B. (2000). _Intrusion Detection_. Macmillan Technical Publishing (Indianapolis, Ind.). ISBN 1-578-70185-6. xix + 339 pp. Index.

Bace, R. G. (2002). _Vulnerability Assessment and Intrusion Detection Systems_. Chapter 37 in [CSH4].

[CSH4]: Bosworth, S. & M. E. Kabay (2002), eds. _Computer Security Handbook, 4th Edition_. Wiley (New York). ISBN 0-471-41258-9. 1,184 pp. Index.

Escamilla, T. (1998). _Intrusion Detection: Network Security Beyond the Firewall_. John Wiley & Sons (New York). ISBN 0-471-29000-9. xx + 348 pp. Index.

Northcutt, S., J. Novak & D. McLachlan (2000). _Network Intrusion Detection: An Analyst's Handbook, Second Edition_. New Riders Publishing (Indianapolis, Ind.). ISBN 0-7357-1008-2. xxxii + 430 pp. Index.