Tuesday, May 25, 2010

Guest Post - Ricky Peterson - Intrusion Prevention - Alternatives to Antivirus

Ricky Peterson was a Spring Research Analyst at Fortalice® LLC and is a student at Immaculata University.



TEASER/TITLE: Intrusion Protection: What you need to know.

SUMMARY PARAGRAPH: Standard antivirus is only catching 1/3 of viruses and intrusion attempts at the present time. Something new is needed in the market that offers better odds. Several technologies that may help are whitelisting, advanced intrusion detection programs such as Snort, and active intrusion defense such as a honeypot server.

 

KEY FINDINGS

Intrusion detection programs such as Snort can be used to actively block or passively detect a variety of attacks and probes.
According to Symantec, honeypots are effective and cost-efficient.
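To make the "actively block or passively detect" distinction concrete, here is an added example (not from the original post or from the Snort project) of one detection written twice: once as an alert-only rule for a passive sensor, and once as a drop rule for a Snort instance running inline. The port (22), the five-connections-per-minute threshold and the local rule IDs are assumed values chosen for illustration.

```snort
# Added example, not from the original post. Assumes the standard
# $EXTERNAL_NET / $HOME_NET variables from snort.conf are defined.

# Passive form: Snort sees a copy of the traffic (tap/SPAN port) and only
# raises an alert once a single source opens more than 5 TCP connections
# to port 22 inside the network within 60 seconds. Nothing is blocked.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL Burst of inbound SSH connection attempts (alert only)"; \
    flags:S; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; )

# Active form: identical match conditions, but the action is "drop", which
# only takes effect when Snort runs inline (traffic passes through it).
# The matching packets are discarded and an alert is still logged.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL Burst of inbound SSH connection attempts (blocked)"; \
    flags:S; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-recon; \
    sid:1000002; rev:1; )
```

Only one of the two rules should be loaded on a given sensor; the rule body is the same, so the choice between detection and prevention is purely the action keyword and the deployment mode.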



BACKGROUND

Ever since its inception, the antivirus and computer security industry has struggled to keep up with hackers and cyber criminals. Antivirus alone cannot keep up with the growing threat of viruses and system and network intrusion. What is needed is a combination of different technologies to improve the success rate. While combining technologies will increase protection, care is still needed because there is no foolproof intrusion protection plan.

There are several technologies that can aid in intrusion protection. Server-based firewalls are a good idea. Honeypots and advanced intrusion protection are also viable options. These, however, need to be used in addition to, not instead of, antivirus.

 

 

ANALYSIS:

Let's start with honeypots. These are useful because they draw hackers toward them and away from any sensitive information on your network. Honeypots are computers that essentially paint a big bullseye on themselves to attract hackers. They then feed the hackers fake information or actively counter the intrusion.

Server-based firewalls can be useful in averting hackers as well. These are similar to the firewall used on an individual PC, but they are standalone units whose sole purpose is guarding a network. Firewall servers stand between the network and the internet and scan all incoming traffic. Any suspicious traffic is then diverted away from the network.

Whitelisting is very effective but is also complicated and labor intensive. With whitelisting, only traffic that has been registered and given approval is allowed access to the network. This is effective because the only connections between the network and the outside are with approved parties. The problem arises when approved connections need to be removed or established. If a connection is needed quickly, the computer admin must be available to grant the appropriate approval.

IMPLICATIONS:

While there are many things that augment antivirus, none of them are perfect.
Do not take up a new technology and abandon standard antivirus. They are to work together.
At this time there is no clear solution to the widespread problem of viruses and hacks.
Investing in these preventative technologies cannot hurt, only help.



RECOMMENDATIONS

Look to the near future for new ways to combat these problems.
Combine technologies like honeypots with your current intrusion protection for a boost in protection.
Don't neglect your antivirus software.
Monitor your network. Active prevention is the best defense.

SOURCES:

Symantec Website

www.snort.org

Honeypots: Definitions and Value of Honeypots

Lance Spitzner, http://www.tracking-hackers.com
