
School of Computer Science and Information Technology University of Nottingham Jubilee Campus NOTTINGHAM NG8 1BB, UK

Computer Science Technical Report No. NOTTCS-TR-2005-1

Firewalls, Intrusion Detection Systems and Anti-Virus Scanners
Julie Greensmith and Uwe Aickelin

First released: February 2005

© Copyright 2005 Julie Greensmith and Uwe Aickelin


Firewalls, Intrusion Detection and Anti-virus Scanners

Julie Greensmith
ASAP Group, University Of Nottingham, UK
email: jqg@cs.nott.ac.uk

June 21, 2004

1 Introduction

While the sharing of resources and information in an interconnected communication network is essential, systems can be vulnerable to misuse by other users through access violation attempts, such as the illegal copying of data after breaking into a restricted file system. As a consequence, it is necessary to impose access restrictions when required; this is tied in with preserving the integrity of the system so that it is still functioning at the user level. However, the usability of the system must be preserved. A number of tools have been developed to prevent this vulnerability, including firewalls, intrusion detection systems and anti-virus software. Additionally, the differences between these tools are not immediately obvious, but they do exist and play a core role in securing systems. This article will examine the process involved in using each of the tools and will highlight the differences between the tools themselves and their subsequent deployment throughout a network of computers.

2 Securing Networks

Security is needed throughout distributed systems (interconnected components forming a network) in order to build dependable and trusted computing platforms, as stated in [7]. During the design phase of a distributed system, security policies are developed which account for the measures taken to ensure both the confidentiality and integrity of the system. Confidentiality in this context refers to access constraints on users, and is there to protect the data. Integrity refers to the correct running of the system and the data contained on the system. There are several ways in which a system can be compromised:

• Interception can occur when an unauthorised user gains access to a service or to a resource.
• Interruption can occur when files are corrupted or erased, occurring as the result of denial of service attacks or from the action of a computer virus.

• Modification involves an unauthorised user or program making changes to data or system configuration, and can also include the modification of transmitted data, leading to a breakdown of trust between parties.
• Fabrication is where data or activities are generated which would not normally occur. An example of this would be the addition of information to a password file in order to compromise a system.

From these descriptions it is evident that potential abusers of these systems can be both external and internal to the system. To prevent such events from taking place within a system, a security policy must be put into place. Many tools and techniques exist with the purpose of ensuring the confidentiality and integrity of a system. Such measures can include the encryption of data, correct authentication and authorisation of users with respect to data access and command execution, and the conscientious audit of log files monitoring system activity. The level of security and the methods of ensuring this are defined in a security policy. For example, the policy would be used to define if incoming telnet connections were permitted. If so, there are various constraints and configurations that should be applied to the system to enforce this, and the necessary measures taken. The type of tool used and the way in which it is implemented is dependent on the contents of the policy. Therefore, the use and deployment of the tools (in this particular instance, firewalls, intrusion detection systems and anti-virus scanners) is dependent upon where in the system they are placed, and indeed, on the architecture of the system itself.

I will briefly digress and discuss what is meant by 'systems' within this context. The system in question is a network of interconnected computers and servers, forming a local area network. A diagram of the connected components is represented in figure 1. This network could be used, for example, in the Inland Revenue. This local network additionally needs to be connected to the external world, i.e. the Internet. There are several security challenges that need to be addressed for this network. The data within the system must be protected: not all users within that local network need to have access to all files on the network or the external Internet environment. Similarly, external entities may need to access the web server within the network, for instance, to access a particular forum held on the web server. These functions must be available without compromising the integrity or confidentiality of the system.

3 Security Measures

3.1 Firewalls

Firewall systems are commonly implemented throughout computer networks. They act as a measure of control over data or users, enforcing the relevant components of the security policy. A firewall can be a number of different components such as a router or a collection of host machines.

Figure 1: A simple network structure

There are different types of firewall that can be implemented, with the choice of firewall being dependent upon the security policy and the level of deployment in the system. However, the basic function of a firewall is to protect the integrity of the network which is firewall controlled.

3.1.1 Packet Filtering Firewalls

Packet filtering firewalls work at the transport layer of the seven layer model [8]. This means that they are commonly deployed on routers and act as a bottleneck between the local network and the external Internet. As the name suggests, a packet filtering firewall examines a packet passing through it, comparing it against a set of criteria for what is permissible either in or out of the network. The criteria for this are defined by the security policy. Packet filters can examine the following attributes of a packet:

• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port

If in the example network an external user was trying to connect to port 23 of a machine on the local network, then it is likely that the external user is trying to TELNET into that machine. This operation is likely to not be authorised and therefore the firewall on the router would not permit the transmission of the packets into the network.

There are two ways in which packet filters operate: either accept all packets except those which are specified, or deny all packets except those which are specified. The advantage of the 'accept' method is that it gives legitimate users of the network greater flexibility. However, it also increases the vulnerability of the network because not all attacks will come from rules which are already known: this is why the 'denial' paradigm is more likely to be used. Denying all that is unknown can give greater security. However, it can cause inconvenience to legitimate users. For example, a remote user of the system from a previously unseen IP address (e.g. in an Internet cafe) could log in to an office machine from a remotely connected laptop while working out of the office. This method should be deployed frequently but often isn't, due to a lack of understanding from persons responsible for the configuration of the firewall.

3.1.2 Circuit Level Gateways

The situation could arise when an external user (not from the local area network) wishes to access information on a file server behind at least one firewall. The security policy for the network would not permit a direct connection between the external user and the file server (as shown as part of the LAN in Figure 1) as this could leave the network vulnerable to attack. The solution to this is for the two parties to create a 'tunnel' between the two components, employing a method of encryption in the connection. The initial connection request is filtered (and is subject to acceptance based on the security policy) but all packets following are not.
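The following is an added example, not code from the report: a toy stateless packet filter that judges each packet on the header fields listed above against an ordered rule list, and shows the 'accept all except' and 'deny all except' paradigms side by side. The LAN range, host addresses, rule set and sample packets are assumptions chosen to mirror Figure 1 (the external addresses are from the RFC 5737 documentation ranges).

```python
"""Toy stateless packet filter in the spirit of Section 3.1.1.

Added example, not code from the report. The LAN range, host addresses,
rules and sample traffic are assumptions chosen to mirror Figure 1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = "10.0.0.0/24"          # assumed address range of the local network
WEB_SERVER = "10.0.0.80/32"  # assumed public web server inside the LAN
TELNET, HTTP = 23, 80


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter examines."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One criterion from the security policy. None means 'any'."""
    action: str                  # "accept" or "deny"
    src: Optional[str] = None    # CIDR the source address must fall in
    dst: Optional[str] = None    # CIDR the destination address must fall in
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return True


class PacketFilter:
    """Ordered rule list plus a default policy for packets no rule mentions."""

    def __init__(self, rules: List[Rule], default: str):
        if default not in ("accept", "deny"):
            raise ValueError("default policy must be 'accept' or 'deny'")
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        # Each packet is judged on its own header only: the first matching
        # rule wins, and anything the policy did not anticipate gets the default.
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Explicit policy shared by both filters: the web server is public,
# inbound telnet to any LAN host is not.
POLICY = [
    Rule("accept", dst=WEB_SERVER, dport=HTTP, proto="tcp"),
    Rule("deny", dst=LAN, dport=TELNET, proto="tcp"),
]
DEFAULT_DENY = PacketFilter(POLICY, default="deny")      # deny all except specified
DEFAULT_ACCEPT = PacketFilter(POLICY, default="accept")  # accept all except specified

# Constructed sample traffic arriving at the border router.
TELNET_IN = Packet("198.51.100.7", "10.0.0.5", 40000, TELNET)
WEB_IN = Packet("198.51.100.7", "10.0.0.80", 40001, HTTP)
CAFE_SSH = Packet("203.0.113.9", "10.0.0.5", 40002, 22)        # legitimate remote worker
NOVEL_ATTACK = Packet("203.0.113.9", "10.0.0.5", 40003, 6000)  # a port no rule anticipated


def compare(p: Packet):
    """Decision under both paradigms, as (default-deny, default-accept)."""
    return DEFAULT_DENY.decide(p), DEFAULT_ACCEPT.decide(p)


if __name__ == "__main__":
    for name, p in [("telnet", TELNET_IN), ("web", WEB_IN),
                    ("cafe ssh", CAFE_SSH), ("novel", NOVEL_ATTACK)]:
        deny, accept = compare(p)
        print(f"{name:9s} default-deny={deny:6s} default-accept={accept}")
```

The last two packets show the trade-off the text describes: the 'accept' default lets the remote worker in from an unseen address, but it lets the unanticipated attack in too, whereas the 'deny' default blocks both.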

The pre-defined security policy would define the access permitted to each individual user of the network. While remote access to other components of the network may not be allowed, this proxy can act as a mediator between an external entity and a component behind the packet filtering firewall on the main router, if adequately prepared. It is feasible to want a particular component of a network, for example a web server, to be available to entities outside of the local network, such as a publicly available interface, e.g. an online enquiries form. Restricting the access to components via a DMZ, i.e. the inclusion of components in a demilitarized zone (in between the two firewalls), would allow access to components which were needed by the external network, but would not disclose the architectural details of the LAN. In this case it is important to explicitly state the use of circuit level gateways in order to avoid the exploitation of the network.

3.1.3 Application Gateways

Application gateways, also known as proxies, are a commonly used firewall mechanism. As with circuit level gateways, application gateways can filter IP traffic, and through the use of a proxy server allow external users to perform functions on the network, as in the case of FTP through a proxy. This is an advantage because it would not allow certain actions to be taken once a connection to the proxy has been made, e.g. it can prevent anonymous FTP log-in to the system. Additionally, unlike circuit gateways, application gateways can perform packet logging for a post hoc inspection of the traffic going both in and out of the network. This can be useful in the event of restricting access to certain blacklisted web-sites, for example in corporate LANs, where common mail providers such as Hotmail and Yahoo cannot be accessed. Allowing employees to surf such sites is seen as a waste of resources, not to mention a breeding ground for viruses¹. Proxies can also act as caches for the local users accessing the Internet, so quality of service is maintained as a result.

The disadvantage with using an application gateway is that it requires a multi-stage handshake for the initialisation of a connection, which could slow down the performance of that application considerably as opposed to making a direct connection. Again, due to the optional requirement for restricted command execution, modified clients may need to be installed, which is extra work for both the system administrators and the users.

3.1.4 Other Points to Note

One feature of firewalls is that they should provide a high level of user transparency, meaning that the end user should be unaware of the action of the firewall. Transparency is high for packet filtering firewalls as the user is not always aware of the firewall until a transmission is denied. Application gateways, however, have a lower transparency as they often require the users to use modified software clients in order to use the proxy's service; hence the transparency of the service to the users is affected, which could result in the user attempting to bypass the system entirely.

¹ More about this in a little while.

Recently, Stateful Multilayer Inspection Firewalls have been deployed at the application layer, transport layer and network layer, which combine the packet filter property with the packet sniffing capabilities of gateways. Stateful inspection can be used to prevent attacks such as the Loki or Smurf denial of service attack, as the firewall would be aware that the original packet was not sent as a broadcast message from a machine on the network [6]. However, experience has shown that these systems are difficult to manage due to the complexity of the rules and the processes involved. As with any complex system, emergent properties can arise unexpectedly. In the case of such systems, unexpected interactions between the various components can give rise to vulnerabilities which can be exploited, rendering them less secure than their separate counterparts.

With respect to the actual hardware required in order to implement firewalls, there are two types, namely bridging firewalls and firewall routers. Bridging firewalls are software firewalls that can be run on a standard machine, using a firewall such as IPtables. Bridging firewalls are becoming prominent due to their ease of configuration, ease of initial installation, good performance (little computational overhead) and their ability to be stealthy, and so are less likely to be attacked [15]. Firewall routers are a specific piece of hardware designed to perform as a router and a firewall, and have been implemented as the first line of defence in many networks.
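To make the stateful inspection point above concrete, here is an added example (not code from the report, and not a model of any particular product) of how state lets a border firewall resist a Smurf flood. A Smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source, so every host on that network answers the victim. A stateless filter on the border can only refuse inbound requests aimed at its own broadcast address; with a state table of outbound echo requests it can also refuse any echo reply that answers no request which actually left the LAN. The LAN range, timeout and packet fields are assumptions.

```python
"""Stateful ICMP filtering against Smurf-style floods.

Added example, not from the report. The LAN range, timeout and the
constructed attack scenario are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

LAN = ip_network("10.0.0.0/24")   # assumed local network


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP identifier
    seq: int     # ICMP sequence number


class StatefulIcmpFilter:
    def __init__(self, lan=LAN, timeout: float = 30.0):
        self.lan = lan
        self.timeout = timeout
        # (lan host, remote host, ident, seq) -> time at which the entry expires
        self.pending: Dict[Tuple[str, str, int, int], float] = {}

    def outbound(self, p: IcmpPacket, now: float) -> str:
        """Packet leaving the LAN: remember echo requests so their reply can be matched."""
        if p.kind == "echo-request":
            self.pending[(p.src, p.dst, p.ident, p.seq)] = now + self.timeout
        return "accept"

    def inbound(self, p: IcmpPacket, now: float) -> str:
        """Packet arriving from outside."""
        if ip_address(p.dst) == self.lan.broadcast_address:
            # Directed broadcast: answering it would make the LAN a Smurf amplifier.
            return "deny"
        if p.kind == "echo-reply":
            key = (p.dst, p.src, p.ident, p.seq)
            expiry = self.pending.pop(key, None)   # one request admits exactly one reply
            if expiry is None or expiry < now:
                return "deny"  # unsolicited or stale reply: no matching request left the LAN
            return "accept"
        if p.kind == "echo-request":
            return "accept"    # ordinary unicast ping to a LAN host (a policy choice)
        return "deny"


def simulate_reply_flood(n: int, victim: str = "10.0.0.5") -> Tuple[int, int]:
    """Constructed Smurf scenario: the victim pinged one remote host, then n
    forged replies arrive from n amplifier hosts. Returns (accepted, denied)."""
    fw = StatefulIcmpFilter()
    fw.outbound(IcmpPacket(victim, "198.51.100.7", "echo-request", 7, 1), now=0.0)
    accepted = denied = 0
    for i in range(n):
        amplifier = f"203.0.113.{i % 250 + 1}"
        verdict = fw.inbound(IcmpPacket(amplifier, victim, "echo-reply", 7, 1), now=1.0)
        if verdict == "accept":
            accepted += 1
        else:
            denied += 1
    return accepted, denied


if __name__ == "__main__":
    print("flood of 1000 forged replies (accepted, denied):", simulate_reply_flood(1000))
```

The state table is also what makes the firewall harder to manage, as the text notes: entries must expire, each request must admit only one reply, and every such rule is a place where components can interact unexpectedly.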
3.2 Intrusion detection systems

As previously stated, the use of a firewall may not prevent internal abuse from an otherwise legitimate user of the system (either for breaches of confidentiality or for system integrity). However, the majority of traffic on the network is not malicious, and users within a system do not set out to gain unauthorised access to information. Additionally, the use of an intrusion detection system is becoming increasingly commonplace due to both the increase in complexity of attacks and of the computer systems themselves. When defining what intrusion detection systems are, it perhaps makes more sense to describe what they are not. IDS are not a preventive measure. They will not stop intruders breaking into a system. Neither will they prevent internal damage to a system. As the name clearly states, they are a detection system, thus implying that abuse of a system is reported as and when it happens. In essence, they are analogous to a burglar alarm in a house, which can be used to alert the owner that unauthorised behaviour is taking place, or simply to cause annoyance to the neighbours. Such an alarm can trigger an immediate response, e.g. call the police. As with firewalls, different types of intrusion detection system exist, depending on where they are deployed [9]. There are two different ways of classifying an IDS. The first way is to classify based on the method of detection, in the form of either misuse detection or anomaly detection. An alternative way is to classify based on the position of deployment within a network: IDS can be either network based, host based or application based.

Irrespective of the specifics regarding implementation and deployment, IDS function in a generic way. Data has to be captured, often in the form of IP packets, and classified as threatening or not. A more detailed explanation of the process is as follows:

1. Input data from a system is collected and processed into a manageable format.
2. The data are decoded and transformed into a uniform format, through the process of feature extraction.
3. The data are then analysed in a manner which is specific to the individual IDS, and the data items are classified as a threat or harmless. Various techniques are employed to produce correlations of the results; this can be done using an automated system, or manually.
4. If a threat is detected, then a response is produced, usually in the form of an alert to the system administrator. Additionally, precautions must be taken to stealth this part of the system, so that an intruder cannot spoof alerts (potentially leading to a denial of service attack).
3.2.1 IDS Classification based on style of detection

Misuse Detection: This type of IDS can also be called a signature recognition system. Misuse detection systems rely on the accurate matching of system or network activity [19]. This method of detection is accurate for matching behaviour against a list of already documented patterns, known as signatures. The use of only already known signatures means that the system will produce only a few false positives, or false alarms, where an alert is generated yet there is no actual attack. However, this type of system can miss highly novel attacks for which a signature does not yet exist, giving a higher rate of false negatives (where a real attack is not detected) than would be desired. Missing an actual attack is probably worse than being inundated with false alarms, though this is debatable. There is a relatively high maintenance cost in that the signature base has to be kept up to date, else potential attacks could go unnoticed. An example of this type of IDS is a system known as Snort [4]. The means by which Snort functions involves the use of a software component processing information regarding network connections, often in the form of IP packets. Snort examines the network traffic at its position on the network in a passive manner: it sniffs the network. Examination of the headers and content of TCP packets is performed and matched against patterns contained in a signature database. If certain patterns of traffic are captured, then an alert is generated². Alerts are generated if and when a threatening pattern is encountered.

² Let me pose a question: is this really an intrusion detection system, or is it a TCP pattern detection system? This depends immensely on how you define an intrusion.
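Before looking at Snort in more detail, the following added example (not code from the report, and not Snort's own rule engine) walks the four-step process above for a signature detector: constructed packets go in, a decoding step normalises the payload, a constructed signature base is matched, and alerts come out. It also shows the two limits the text describes: a request that percent-encodes the same command is a false negative until the decoding step is applied, and an attack method the base does not describe is a false negative regardless. The signature ids, messages, addresses and traffic are all made up.

```python
"""Signature (misuse) detection over captured packets.

Added example, not code from the report and not Snort's engine. The rule
fields, signature ids, addresses and sample traffic are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:            # step 1: captured data, reduced to the fields we need
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:         # one documented pattern of misuse
    sid: int
    msg: str
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must appear in the payload

    def matches(self, payload: bytes, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        return self.content in payload


# Constructed signature base (ids and messages are made up).
SIGNATURES = [
    Signature(1000001, "WEB-ATTACKS /bin/sh in HTTP request", 80, b"/bin/sh"),
    Signature(1000002, "WEB-ATTACKS directory traversal", 80, b"../.."),
    Signature(1000003, "TELNET option negotiation to LAN host", 23, b"\xff\xfd"),
]


def normalise(p: Packet) -> bytes:
    """Step 2: bring the payload into a uniform form before matching. Here
    that is only percent-decoding of HTTP requests; a real engine does far
    more (stream reassembly, protocol decoding)."""
    return unquote_to_bytes(p.payload) if p.dport == 80 else p.payload


def detect(packets: List[Packet], signatures=SIGNATURES,
           decode: bool = True) -> List[Tuple[int, str, str]]:
    """Steps 3 and 4: classify each packet against the signature base and
    emit an alert (sid, message, source address) for every match."""
    alerts = []
    for p in packets:
        data = normalise(p) if decode else p.payload
        for s in signatures:
            if s.matches(data, p.dport):
                alerts.append((s.sid, s.msg, p.src))
    return alerts


# Constructed traffic as a sensor beside the web server might see it.
TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),  # benign
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.5", 23, b"\xff\xfd\x18\xff\xfb\x01"),
    # Same command as the second request, percent-encoded: a fixed byte
    # signature only catches it after the decoding step.
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /cgi-bin/x?cmd=%2Fbin%2Fsh HTTP/1.0\r\n\r\n"),
    # A method nothing in the base describes: a false negative either way.
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /cgi-bin/x?cmd=`id` HTTP/1.0\r\n\r\n"),
]


if __name__ == "__main__":
    for decode in (False, True):
        print(f"decode={decode}:")
        for sid, msg, src in detect(TRAFFIC, decode=decode):
            print(f"  [{sid}] {msg} from {src}")
```

Running it without the decoding step yields three alerts; with it, four. The last packet never alerts: that is the false negative a signature base cannot avoid until someone writes the signature, which is the maintenance cost the text refers to.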

Snort is an open source IDS which implements a range of pattern matching algorithms on the input data and produces alerts based on the matching of the input to a signature base. For example, it is likely that multiple port-scans on a particular component would raise some sort of alarm. A corresponding alert would be generated and some form of action would be taken by the system administrator. The advantage of the system being open source is that if a vulnerability is found, then it is likely to be posted on a user forum, the idea being that 1000 pairs of eyes are more likely to notice a vulnerability in the software than a select few hired 'experts'. A recent example of this is a vulnerability found in the Snort program itself, in which an integer overflow was discovered in one of the stream processors responsible for the calculation of the segment size for re-assembly. This could lead to a buffer overflow which could turn into a denial of service attack on the system itself, or even remote command execution on the host running the program (for examples, see [18]).
Anomaly Detection: The goal of anomaly detection systems is to successfully classify user or network behaviour as normal or abnormal, based on a profile of information gathered during a training period. Normal behaviour is profiled either from an individual user or from the network. For example, a user of the example network ordinarily runs word processing applications and Internet browsers. If this user suddenly gains super-user privileges, starts changing file permissions and sending broadcast SYN packets, then it is likely that the integrity of the system is being compromised. The characterisation of what constitutes 'normal' behaviour is certainly a non-trivial issue. This is performed by taking into account the amount of background noise or user variation which is intrinsic to the system. There have been many approaches used in order to perform this classification, including statistical models, Markov chains, neural nets and ideas based on other modern AI techniques (inclusive of artificial immune systems [3]). An example of this type of IDS is the experimental artificial immune system developed by Somayaji et al. [5]. This IDS resides on a host machine and examines numerous Unix system calls, together with the IP traffic in and out of the host machine, to construct a profile of normal behaviour over a training period. Once this period ends (approximately two weeks was used for the training period), variants from this profile are defined as anomalies and alerts are generated. This causes the generation of a warning message which is sent to the user. Here an insight into normal behaviour was used as the basis of the classification: if the observed behaviour deviates from the normal, then an anomaly is detected. While anomaly detection is a relatively effective way of predicting novel attacks, such systems do not as yet feature in many commercially produced systems, partially due to the high rate of false positives. Still, it remains a promising area of research []. One of the potential drawbacks with anomaly detection systems is the generation of false positives.
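As an added example of the anomaly approach (not the code of Somayaji et al. or of any other system), the following builds a profile of normal behaviour from system-call traces in the spirit of the sequence-based immune-system IDS cited above: the profile is the set of every window of k consecutive system calls seen during training, and a later trace is scored by the fraction of its windows absent from that set. The traces, the window length k and the thresholds are constructed for illustration. The example also shows where false positives come from: a trace of legitimate but previously unseen activity scores above zero, and whether it is flagged depends entirely on the threshold chosen.

```python
"""Anomaly detection from system-call sequences.

Added example, not the code of Somayaji et al. or any other IDS. Traces,
window length and thresholds are constructed for illustration.
"""
from typing import List, Sequence, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All length-k windows of consecutive system calls in the trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SyscallProfile:
    def __init__(self, k: int = 3):
        self.k = k
        self.normal: Set[Window] = set()

    def train(self, trace: Sequence[str]) -> None:
        """Training period: every window observed is, by definition, normal."""
        self.normal.update(windows(trace, self.k))

    def mismatch_rate(self, trace: Sequence[str]) -> float:
        """Fraction of windows never seen in training (0.0 means fully normal)."""
        ws = windows(trace, self.k)
        if not ws:
            return 0.0
        return sum(1 for w in ws if w not in self.normal) / len(ws)

    def classify(self, trace: Sequence[str], threshold: float) -> str:
        return "anomaly" if self.mismatch_rate(trace) > threshold else "normal"


# Constructed traces of an ordinary document-editing program during training.
NORMAL_SESSIONS = [
    ["open", "read", "read", "close", "open", "write", "write", "close"],
    ["open", "read", "mmap", "read", "close", "write", "close"],
    ["stat", "open", "read", "close", "write", "fsync", "close"],
]
# The same program compromised: privilege change, permission changes, network I/O.
ATTACK_TRACE = ["open", "read", "setuid", "chmod", "socket",
                "sendto", "sendto", "sendto", "close"]
# Legitimate but previously unseen activity: the user starts using a new feature.
NEW_BENIGN_TRACE = ["open", "read", "read", "close", "open", "write",
                    "write", "close", "ioctl", "close"]


def train_profile(k: int = 3) -> SyscallProfile:
    profile = SyscallProfile(k)
    for session in NORMAL_SESSIONS:
        profile.train(session)
    return profile


if __name__ == "__main__":
    profile = train_profile()
    for name, trace in [("replay", NORMAL_SESSIONS[0]),
                        ("attack", ATTACK_TRACE),
                        ("new benign", NEW_BENIGN_TRACE)]:
        rate = profile.mismatch_rate(trace)
        print(f"{name:11s} mismatch={rate:.2f} "
              f"@0.5={profile.classify(trace, 0.5)} @0.2={profile.classify(trace, 0.2)}")
```

With k = 3 the replayed training session scores 0.0, the attack trace 1.0 and the new-but-benign trace 0.25; a threshold of 0.5 separates them, a threshold of 0.2 turns the benign trace into a false positive. Lowering the threshold to catch subtler attacks is exactly the tuning trade-off the text goes on to discuss.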

The amount of false positives can be reduced using various methods, specific to the technique involved in the anomaly detection process. In the case of the system in Hofmeyr and Forrest [3], the amount of false positives was reduced through using a richer representation of the network traffic and through the finer tuning of several system parameters [2]. However, user behaviour is dynamic, changing over time as the user's needs change. This could be a problem especially if the user behaviour suddenly changed: perhaps the user went on holiday! The change of behaviour caused by this would be sufficiently different to the normal profile that an excessive amount of alerts could be generated. As a consequence of this increased amount of alerts, not only does it become irritating to the administrator, but it also becomes more difficult to detect an actual attack.

3.2.2 Classification through deployment

There are several places throughout a system where an IDS could be placed, including on switches, routers, and even within programs themselves. Here are some specific details regarding where IDS are placed and how this affects their functions.

Network Based: This type of IDS sniffs the traffic on the network by capturing packets of data (often IP data) and using them in the analysis. Data capture is performed at the network switch level, so providing detection for traffic going in and out of multiple hosts. This method of deployment is popular for commercially available IDS [1] as they are relatively scalable, so can be used for large scale networks: only one system is used to detect attacks covering many hosts. The methods used in these products can provide a large amount of audit data, so attack patterns can be studied retrospectively and the security vulnerabilities of a system can be explored in a post-hoc manner. As this type of IDS is passive, i.e. it does not have a direct effect on the system, it is relatively easy to apply to pre-existing networks without causing too much disruption. The IDS should not interfere with the end-users of the system, thus providing a high degree of transparency. Additionally, the 'sniffing' device on the network should operate in a stealthy manner, making it difficult for malicious users to launch an attack on the IDS itself.

However, it should be taken into account that if the network is subject to particularly large amounts of traffic, then it would be difficult to detect an attack among large amounts of 'background noise'. The use of a token bucket filter [] in this case would be preferable, but this could potentially slow down the network, eliminating such a degree of user transparency. It is also difficult to analyse the content of an IP packet if a method of encryption is used, as once a connection has been established, the level of encryption used makes it difficult to detect suspicious behaviour. This could be a problem especially if virtual private networks form part of the system. Additionally, the problem of packet fragmentation is often not overcome in this type of system, as it is difficult to piece together the fragmented packets in a way which captures the necessary information without greatly increasing the computational overheads.

Host Based: There are examples of systems that use a bottom up system of decentralised deployment based on a per host distribution. The operation of such systems relies on the availability of system logs which are used as an audit trail, often generated at the kernel level of the system, with the information of exactly what is happening within the system becoming integral to the alert generating process. Such systems often use user profiling in a manner similar to anomaly detectors, for example the statistical profiling method as described in [19]. There are several advantages of using one of these types of detection systems. In addition to the wealth of data provided, logs based on the host machine record the outcome of an attack, which can assist in the development of various countermeasures; the traffic and the impact of any disruption can be analysed with greater accuracy. This vantage point can also be used to detect processes which should not be running in this manner, namely it can detect Trojan horse programs (programs which perform malicious operations, but pose as something non-threatening) based on the detection of unexpected behaviour. Additionally, a further advantage is that host based systems can view encrypted malicious traffic that a network based system would not be able to examine in detail [16].

However, the computational resources for the host based systems are provided by the host machine. If the intrusion detection system consumes too many system resources and slows the system down to an unacceptable level, then the user may be inclined to switch off the system, and the system would be rendered useless if the user turned it off. This also applies for excessive amounts of alerts caused by a system with too many false positives. Compressing the data contained within these logs is difficult, as it requires significant feature extraction of relevant information from a potentially data rich source. Prominently, the major disadvantage with the deployment of this type of system lies in the distributed nature of such a system. Scalability issues become a consideration. If a signature based system is implemented, then the signature database must be kept up to date on every machine in the network. The high maintenance cost of this means that the situation of the database becoming obsolete is likely, and the machines would become increasingly vulnerable. An adaptive system where each machine would adapt to the perils of the dynamic network environment would reduce the maintenance of the network, and avoid the users of the system being directly involved in the protection of the system as a whole. But combining transparency and autonomy into a system is difficult. All of the above are non-trivial issues, which may have to be resolved before such systems can reach the effectiveness which they promise. In theory it is possible to disable the system by using a denial of service attack in the form of alert flooding, either causing the system to crash or the deactivation of the system because of the annoyance to the user.
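The alert-flooding problem above is usually met by rate limiting the alert channel, and the following is an added example of one way to do that (not code from the report or from any IDS product; the rate, burst size and constructed alert stream are assumptions). The rate limiter is a token bucket, the same mechanism the text mentions for network traffic: a burst of alerts up to the bucket's capacity is delivered, after which only the refill rate gets through. The detail that matters for security is what happens to the excess. Dropping it silently would let an attacker use the flood to hide a real alert, so the limiter counts what it held back and reports that count as a single summary alert.

```python
"""Alert rate limiting for a host-based IDS with a token bucket.

Added example, not from the report. Rate, burst size and the constructed
alert stream are assumptions.
"""
from typing import List, Tuple


class TokenBucket:
    def __init__(self, rate: float, capacity: float):
        self.rate = rate            # tokens added per second
        self.capacity = capacity    # maximum burst size
        self.tokens = capacity      # start full so a first burst is delivered
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AlertSink:
    """Delivers alerts to the administrator subject to a token bucket."""

    def __init__(self, rate: float = 5.0, capacity: float = 10.0):
        self.bucket = TokenBucket(rate, capacity)
        self.delivered: List[Tuple[float, str]] = []
        self.suppressed = 0

    def alert(self, now: float, msg: str) -> bool:
        if self.bucket.allow(now):
            self.delivered.append((now, msg))
            return True
        self.suppressed += 1      # never lose the fact that alerts were raised
        return False

    def flush_summary(self, now: float) -> int:
        """Report how many alerts the limiter held back since the last summary."""
        n = self.suppressed
        if n:
            self.delivered.append((now, f"{n} alerts suppressed by rate limiter"))
            self.suppressed = 0
        return n


def simulate_flood(n: int = 1000, duration: float = 1.0) -> Tuple[int, int]:
    """Constructed alert flood: n identical alerts spread evenly over
    `duration` seconds. Returns (delivered individually, suppressed)."""
    sink = AlertSink()
    for i in range(n):
        sink.alert(i * duration / n, "failed login for root from 203.0.113.9")
    return len(sink.delivered), sink.suppressed


if __name__ == "__main__":
    delivered, suppressed = simulate_flood()
    print(f"flood: {delivered} delivered, {suppressed} suppressed")
```

With a rate of 5 alerts per second and a burst of 10, a flood of 1000 alerts in one second reaches the administrator as roughly fifteen individual alerts plus one summary, instead of a thousand lines that bury whatever else was happening.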

Finally, another major disadvantage is that the information from host based systems cannot be used in order to detect attacks on the network itself, so systematic port scans could go undetected.

Application Based: Application based IDS are a subset of host based systems, as they run within applications themselves. These systems analyse the behaviour of applications running on a host machine, and use the information generated from the application logs in order to detect unusual behaviour. They are specifically used to detect unauthorised usage of an application within a system. They can also monitor systems using encryption, as the IDS runs on the host machine. However, due to the sheer amount of unexpected 'bugs' that can occur due to program interactions, there are a number of holes that can be, and indeed have been, exploited. Unfortunately, such systems are relatively easy to attack through program exploits or denial of service. On the other hand, they are more effective when used in combination with other types of IDS.

3.3 Anti-virus Scanners

Anti-virus (AV) scanners are used in an attempt to directly protect systems from damage. AV scanners detect a specific type of unauthorised activity in the form of malicious mobile code, collectively known as malware. In order to really appreciate the role of AV scanners in context, it is necessary to explore and explain the basic principles as to what scanners have to protect against³.

3.3.1 Malware in a minute

Malicious code is essentially a computer program that modifies a system call or the functioning of a program without the consent of the user of the system. For example, the Network Associates virus glossary gives a definition of malware as "programs that are intentionally designed to perform some unauthorised act" [12]. The behaviour of these malware agents varies considerably, as does the resultant effect on the system. A relatively benign but annoying virus could change a small feature of a program or system [11]. On the other hand, a maliciously designed Internet worm can bring the world of interconnected computers to a standstill within a matter of hours. As there are a plethora of ways in which such malicious code can be written and deployed, various classification systems exist. Computer viruses first emerged during the 1980s and their main transmission vector was shared floppy disks. The virus would often modify critical code within the boot sector of a machine, rendering it useless, or would cause programs to crash.

³ Bearing in mind that examining computer viruses and attacks would be an essay worth in itself!

as the spread had to be via a physical floppy disk. In general worms use Internet connectivity in the form of either e-mail. enticing the user to open the virus containing attachment. and so they forward this e-mail complete with its virus infected 12 . such definitions are not mutually exclusive. but is a malicious program designed to cause damage to computer systems. Computer viruses in the conventional sense of the word are now less prevalent. but propagates through a network. It is defined by the SANS institute [14]as “a computer program that appears to have a useful function. This type of malware does not focus on using networking to spread. which masquerade as benign programs. someone within an organisation receives an e-mail attachment which is a screen-saver. indeed. In the last five years. and rely on using other cells/files on a host in order to spread. As with malware. However. which the user downloads. The recovery after such events costs billions in both financial terms and in people’s time. CD’s) to exchange information and booting from floppy disks is less common. and cost billions of pounds in wasted time and resources. the screen saver is amusing to the user. due to two facts. the increasing interconnection of computers spawned a new transport vector for malware.term ‘virus’ was coined due to the similarity to biological viruses. 192 had been reported. both do not have the capability to replicate on their own. For example. this screen saver on execution infects the computer causing malfunctions in a multitude of system processes. with this option frequently disabled as a default. However. loose classification schemes exist for worms. people rarely use actual mediums (floppy disks. and thus. A worm can be defined as malicious code which is either file infecting or not. and this user decides to download this attachment and install it on their machine. However. brought the Internet to a total standstill. 
Despite all the publicity and hype surrounding the dangers and damage caused by Internet worms. To illustrate this. Worms are a serious problem for organisations large and small. slowing up both the host machine and mail servers In the case of such worms as Nimda and SobigF. Such worms propagate through the network masquerading as an e-mail attachment. 44 in 2000. but also has a hidden and potentially malicious function”. Unfortunately. but by the first half of 2003. which may or may not require user intervention. the Nimda worm utilised all three methods of disruption and propagation. This type of worm required an element of social engineering as the actual e-mail message often contains a generic message. windows file sharing systems or through direct TCP/IP connections. The spread of viruses before computers were connected was relatively slow. There are several aspects to worm design and propagation. due to the fact that the transmission was not over a scale free network. proliferation of worms through e-mail based transmission has become a real problem. This often leads to a mass duplication of the virus. with frequently disastrous consequences. another persistent viral offender is a Trojan horse program. The worm then replicates by sending itself to all addresses in the host machine’s address book. many of the most disruptive pieces of malware are in the forms of computer worms. based on how they install themselves on a host machine and also how they propagate through a network. the Virus Library [17] recorded one e-mail worm in 1998.
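The mass-mailing behaviour just described (a worm sending one executable attachment to every address in the host's address book) leaves a distinctive trace on the mail server: one sender, many distinct recipients, the same attachment, all within seconds. The following is an added example, not code from the report or its authors, showing how a mail administrator could flag that trace from the server's own log and respond the way the report says mail-server scanners do (hold the message, warn people). The log format, the sample lines, the addresses and the thresholds are all constructed for this illustration.

```python
"""Flag mass-mailing worm outbreaks from mail-server log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real server). Assumed line format:
#   <ISO timestamp> from=<sender> rcpt=<recipient> attach=<filename or ->
SAMPLE_LOG = """\
2003-08-19T09:58:10 from=carol@example.org rcpt=dave@example.org attach=-
2003-08-19T10:01:02 from=alice@example.org rcpt=bob@example.org attach=movie.scr
2003-08-19T10:01:03 from=alice@example.org rcpt=carol@example.org attach=movie.scr
2003-08-19T10:01:03 from=alice@example.org rcpt=dave@example.org attach=movie.scr
2003-08-19T10:01:04 from=alice@example.org rcpt=erin@example.org attach=movie.scr
2003-08-19T10:01:04 from=alice@example.org rcpt=frank@example.org attach=movie.scr
2003-08-19T10:01:05 from=alice@example.org rcpt=grace@example.org attach=movie.scr
2003-08-19T10:02:30 from=bob@example.org rcpt=alice@example.org attach=report.pdf
2003-08-19T10:40:00 from=carol@example.org rcpt=erin@example.org attach=minutes.doc
"""

# Attachment types the report's screen-saver example and e-mail worms rely on.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".bat", ".com", ".vbs")


def parse_line(line):
    """Split one log line into a dict; attach=- means no attachment."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "time": datetime.fromisoformat(ts),
        "sender": fields["from"],
        "rcpt": fields["rcpt"],
        "attach": None if fields["attach"] == "-" else fields["attach"],
    }


def detect_mass_mailers(log_text, window=timedelta(minutes=5), min_recipients=5):
    """Return {sender: (distinct_recipients, attachment)} for every sender that
    pushed a single executable attachment to >= min_recipients distinct
    addresses inside some sliding interval of length `window`."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    per_sender = defaultdict(list)
    for e in events:
        if e["attach"] and e["attach"].lower().endswith(EXECUTABLE_EXTENSIONS):
            per_sender[e["sender"]].append(e)

    alerts = {}
    for sender, evs in per_sender.items():
        best, best_attach, start = 0, None, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            attachments = {x["attach"] for x in window_evs}
            rcpts = {x["rcpt"] for x in window_evs}
            # One identical attachment fanning out to many people is the signal;
            # a person mailing several different files to colleagues is not.
            if len(attachments) == 1 and len(rcpts) > best:
                best, best_attach = len(rcpts), attachments.pop()
        if best >= min_recipients:
            alerts[sender] = (best, best_attach)
    return alerts


def response_actions(alerts):
    """Mail-server style response: hold the traffic and tell the administrator."""
    actions = []
    for sender, (count, attach) in alerts.items():
        actions.append(f"hold outgoing mail from {sender} carrying {attach}")
        actions.append(
            f"notify postmaster: possible mass-mailing worm on {sender} ({count} recipients)"
        )
    return actions


if __name__ == "__main__":
    found = detect_mass_mailers(SAMPLE_LOG)
    for line in response_actions(found):
        print(line)
```

On the constructed log only alice@example.org trips the rule (six recipients, one .scr attachment, within three seconds); bob's single PDF and carol's two ordinary messages do not. The threshold and window are tuning knobs: too low and a user legitimately circulating one file to a team is held, too high and a slow-spreading worm is missed.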

Trojan horse programs often cause minor malfunctions in applications: decimal point errors in spreadsheets or formatting issues in word processing software. It is only once the symptoms of this virus are noted that a system administrator is alerted to any danger, and by this time it could be too late. A more serious security hole created by Trojan horse programs is known as a backdoor. If the program is run on a machine, and when the computer is booted, it can create remote access to the machine for the creator of the virus. This can greatly compromise data confidentiality and the integrity of a system. The Trojan program can convert a host machine into a 'zombie' machine for the purposes of launching a distributed denial of service attack. It is worth bearing in mind that the more publicised viruses of late have not caused insurmountable damage to the individual machines themselves, but have often been used to create distributed denial of service attacks on large corporations including the Microsoft web site.

3.2 Scanners: The Remedy

For an organisation to completely stop the proliferation of computer viruses, e-mail services could be restricted to management staff only, and by prohibiting the downloading of attachments, virus incidents would be less common. However, this provides a severe impediment to modern business practices and is obviously no solution. The most favourable method of protecting against malware is the installation of an anti-virus scanner. Anti-virus scanners are popular in the commercial sector, in a multitude of companies, including F-Secure [10] and Norton [13] who provide several products available for home and commercial use. This software examines processes at the application layer of the network, and can also be run at both the level of the server (to detect viruses that could infect servers) and the individual host machines. There are two points at which an anti-virus scanner is run on a host machine: on the commencement of downloading an attachment, and when the computer is booted. Such scanners acting on the user machines contain (as with misuse detectors) a signature base containing pre-defined virus behaviour patterns, which can include information about what anomalies to examine in terms of system calls or the presence of files with certain extensions. Efficient pattern matching in terms of computational resources is required in order to provide any protection, as if the virus scanner were to slow down the system processes sufficiently, then the user could be tempted to turn off the software. On discovery of a virus, the user or administrator is informed and the anti-virus vendors often provide a virtual antidote in the form of a patch to aid in fixing any damage caused by the virus. However, as with misuse IDS, the protection from such viruses is only effective providing that the signature base is kept up to date with the latest update.

There are several ways in which the signature bases can be updated across the network. Firstly, the most obvious method involves the user downloading updates and patches. On the face of it this does not seem like too much of a problem. However, the AV-scanner would only be effective if this was done on a regular basis, and it is difficult to get everyone to be responsible for this. Updates can become so voluminous that individual users do not have the time, the patience or (in the case of those still running dial-up connections) the resources to keep constantly updating virus definitions. This is similar to the problem faced by the administrators of host based intrusion detection systems. The problem with this is that it is not scalable in large organisations, compromising the security of the network without the administrator being aware. An alternative method would include the installation of new signatures and patches via a network administrator. This is more suitable for very small networks, but is likely to be more reliable as updates would be performed as a matter of due course, and any potential problems that could be caused via software interaction are likely to be noticed. The most effective form of updates would come directly and automatically from the vendor, but there are various ethical and practical considerations. It is true that if the vendor was responsible for providing and making the updates, this would ensure a higher level of protection. There are two foreseeable problems: certain individuals at the vendor end abusing the trust and using the addition of a patch to open up a back-door, and the addition of a patch or a new signature causing an unexpected error. Again, if this was on a critical system such as an air traffic control system or medical system, then the consequences could be disastrous. Additionally, there are obvious privacy issues that can arise because of this: the vendor would need some form of access to the network. However, in all cases, it is still seen to be the responsibility of the individual user or their organisation, as stated in the security policy.

4 Comparatively Speaking

Superficially, the systems appear to have similarities. When viewed in terms of deployment, IDS, firewalls and anti-virus scanners perform similar roles, though on closer inspection differences become apparent. Firewalls can be implemented on a network at multiple layers, or in the case of personal firewalls, examining network connections on a host machine. This type of deployment can be seen in both IDS (the network IDS Snort and the host based Tripwire) and anti-virus products (for use on mail servers as filters and for use on host machines checking system calls). It really does beg the question then, "why are these systems classified as different types of security measure when they essentially perform similar, if not the same, functions?" The differences lie in two main aspects: what the component is looking for as a violation and how the component responds to the detection of a violation.

Vigilance: A database of already known patterns of misbehaviour, represented as a rule set, can be used to specify what is permitted and what is not. This is seen in many different types of firewall, misuse detecting IDS and most anti-virus scanners. Firewalls are implemented to prevent connections being made and packets being transmitted on violation of the rules laid out by the security policy. Intrusion detection systems are looking for anomalous system/network behaviour, be it using a pre-defined pattern base or a profiling mechanism, through the examination of communication mediums and system calls. Anti-virus scanners are looking for the presence of pre-defined files or the execution of system commands which are known to cause problems.
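To make the two aspects concrete (what each component looks for as a violation, and the response it gives), here is an added example that is not part of the report or any vendor's product. It models a firewall rule set with a default deny, a misuse IDS with a pattern base of system-call sequences, and an anti-virus scanner with a byte-signature base plus the suspicious file extensions mentioned above, together with a check on the age of the signature base to reflect the update problem discussed in Section 3.2. All rules, patterns, signatures, dates and thresholds are constructed for the illustration.

```python
"""Firewall, misuse IDS and AV scanner side by side (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


# --- Firewall: a rule set derived from the security policy (constructed rules).
@dataclass
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any port
    src_net: str               # dotted prefix such as "10.0." or "any"


FIREWALL_RULES = [
    Rule("allow", "tcp", 25, "10.0."),   # internal hosts may reach the mail relay
    Rule("allow", "tcp", 80, "any"),     # anyone may reach the web server
    Rule("deny", "any", None, "any"),    # default deny: everything else is dropped
]


def firewall_decide(packet):
    """First matching rule wins; the trailing default-deny guarantees a decision.
    The response is the decision itself: the connection is allowed or dropped."""
    for r in FIREWALL_RULES:
        if r.proto != "any" and r.proto != packet["proto"]:
            continue
        if r.dst_port is not None and r.dst_port != packet["dst_port"]:
            continue
        if r.src_net != "any" and not packet["src"].startswith(r.src_net):
            continue
        return r.action
    return "deny"


# --- Misuse IDS: a pattern base of known-bad system-call orderings (constructed).
IDS_PATTERNS = {
    "shell spawned by a network service": ["socket", "bind", "accept", "execve"],
}


def _is_subsequence(pattern, trace):
    """True if every call in `pattern` appears in `trace` in that order."""
    it = iter(trace)
    return all(any(call == want for call in it) for want in pattern)


def ids_inspect(trace):
    """Return a notification for the administrator if a known pattern occurs
    in the observed system-call trace; the IDS itself blocks nothing."""
    for name, pattern in IDS_PATTERNS.items():
        if _is_subsequence(pattern, trace):
            return f"ALERT admin: {name}"
    return None


# --- AV scanner: byte signatures plus extensions known to cause problems.
AV_SIGNATURES = {
    "Demo.Worm.A": re.compile(rb"WORM-DEMO-PAYLOAD"),   # constructed signature
}
SUSPICIOUS_EXTENSIONS = (".scr", ".pif")
SIGNATURE_DATE = date(2005, 2, 1)     # constructed release date of the base
MAX_SIGNATURE_AGE_DAYS = 7            # constructed policy threshold


def av_scan(filename, content, today):
    """Return (verdict, actions). A stale signature base is reported as well,
    because the scanner only protects against what its base already knows."""
    actions = []
    if (today - SIGNATURE_DATE).days > MAX_SIGNATURE_AGE_DAYS:
        actions.append("warn user: signature base out of date")
    for name, sig in AV_SIGNATURES.items():
        if sig.search(content):
            actions += [f"quarantine {filename}", f"notify user: {name}"]
            return "infected", actions
    if filename.lower().endswith(SUSPICIOUS_EXTENSIONS):
        actions.append(f"notify user: suspicious extension on {filename}")
        return "suspicious", actions
    return "clean", actions


if __name__ == "__main__":
    print(firewall_decide({"proto": "tcp", "dst_port": 25, "src": "192.168.1.5"}))
    print(ids_inspect(["socket", "bind", "listen", "accept", "read", "execve"]))
    print(av_scan("movie.scr", b"MZ\x90\x00WORM-DEMO-PAYLOAD", date(2005, 2, 3)))
```

The three functions share the same shape (a base of known-bad patterns consulted on each event), which is why the components look alike when deployed; they differ in the event examined (packet header, system-call trace, file bytes) and in whether the outcome is a drop, a notification, or a quarantine plus notification.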

Response: The common response of a firewall is to deny a connection or to drop a packet which would be seen to be against the security policy. The action of an anti-virus product would involve quarantining 'infected' or modified files and producing a notification message to the user. The same applies for anti-virus systems applied at a mail server: if a mail message contains a suspected virus, then the recipient is warned and the message is quarantined. More passively still, the common response from an intrusion detection system is to notify the administrator of a system of a suspected intrusion, informing them of the problem.

Of course there are exceptions to all of the above. The distinctions between the different components are not entirely clear cut: a well implemented intrusion detection system should, in theory, be able to detect the action of a computer virus too. Yet, as each of the components is developed with different constraints in mind, they are sufficiently different in their mechanism of action and their response to warrant being treated as separate components.

5 Summary

This article has concentrated on exploring and explaining three countermeasures which are used to improve the security of networked computers. The basic concept of a network and the need for an effective security policy were introduced, along with some examples of intrusion and attack against which they are used to protect. The different types of firewall, intrusion detection system and anti-virus scanner, where they are deployed and their functions and respective behaviour, were discussed. The differences between these systems are not as clear cut as was first thought: indeed there is some overlap in the functioning of all these systems. The three components, when used in conjunction, form a spectrum of overlapping function, and the use of all three in combination, without exception, provides a higher level of security than treating only one component as the security solution. The correct implementation, deployment and configuration of all of these systems, with due care and attention, form some of the most effective measures that are available in the battle for the defence of computer systems.

References

[1] Rebecca Bace and Peter Mell. NIST Special Publication on Intrusion Detection System.
[2] J Balthrop, F Esponda, S Forrest, and M Glickman. Coverage and generalization in an artificial immune system. Proceedings of GECCO, pages 3–10, 2002.
[3] S Hofmeyr and S Forrest. Immunity by design. Proceedings of GECCO, pages 1289–1296, 1999.
[4] Martin Roesch. Snort: Lightweight intrusion detection for networks. In Proceedings of the 13th Conference on Systems Administration, pages 229–238. USENIX Association, 1999.
[5] A Somayaji, S Hofmeyr, S Forrest, and T Longstaff. A sense of self for unix processes. IEEE Symposium on Security and Privacy, pages 120–128, 1996.
[6] Stephen Northcutt and Judy Novak. Network Intrusion Detection. New Riders, 3rd edition, 2003.
[7] Andrew S Tanenbaum. Computer Networks. Prentice Hall, 4th edition, 2003.
[8] Andrew S Tanenbaum. Distributed Systems: Principles and Paradigms. Prentice Hall, 2002.
[9] H Venter and J Eloff. A taxonomy for information security technologies. Computers and Security, 22(4):299–307, 2003.
[10] www.fsecure.com/.
[11] www.fsecure.com/v descs/nuclear.shtml.
[12] www.nai.com.
[13] www.norton.com.
[14] www.sans.org.
[15] www.securityfocus.com/infocus/1737.
[16] www.tripwire.org.
[17] www.viruslibrary.com/.
[18] www.whitehats.com/.
[19] Nong Ye, Syed Masum Emran, Qiang Chen, Xiangyang Li, and Mingming Xu. Probabilistic techniques for intrusion detection based on computer audit data. In IEEE Transactions on systems, man and cybernetics, part A: systems and humans, volume 31:4, pages 266–274, 2001.