Internal Network Security: Peakflow X and Relational Network Modeling

By: Arbor Networks
Published: Nov 01, 2005
Length: 10
Type: White Paper

Overview:

Large enterprises have made dramatic strides in improving the security of their network perimeters. However, despite the large investment in perimeter security, most networks remain vulnerable at their core.

This white paper explains how complete network visibility and monitoring through relational modeling, which enforces legitimate relationships between hosts, machines and applications, secures the internal enterprise network.

Related Categories: Intrusion Detection, Monitoring, Network Security, Security

Network Monitoring:

Large enterprises have made dramatic strides in improving the security of their perimeters. Modern security architectures for network monitoring and enforcement have left most networks highly resistant to external attacks, even against the most capable attackers. However, despite a large investment in perimeter security, most networks remain vulnerable at their core.

The era in which networks are compromised through simple Internet-exposed service vulnerabilities is drawing to a close. Attackers are quickly adapting to networks that no longer admit total access with simple remote buffer overflow scripts. Through email worms, exposed VPN clients, or open wireless access points, attackers are exploiting the core vulnerability of the modern enterprise network: weak internal security.

Worse still, the enterprise perimeter is crumbling. The inside of the network is exposed any time a business partner is given access to an internal resource, or a consultant plugs a laptop into the wall. Simple trust models, and the static defenses that depend on them, are breaking down in the face of constantly changing business needs.

This white paper presents a new approach to complete enterprise security: relational modeling. Relational modeling analyzes spatial relationships between network hosts in order to effectively secure the network from the perimeter through the core. This provides enterprise networks a complete, holistic, accurate view of all network traffic, behavior, and usage: the total, exhaustive picture needed to effect mission-critical security policy and investment.

Limitations of Network Visibility:

Pervasive security improvement was the promise of network intrusion detection systems (NIDS). Unlike firewalls or per-host software installations, NIDS have an unintrusive deployment model, and thus the potential to secure the inside of an enterprise network. But, as security operations teams have discovered, the solution is not so simple.

Anomaly Detection and the Next Solution for Network Monitoring:

In attempting to solve the internal security problem, vendors have advanced their existing solutions with anomaly detection NIDS. Anomaly detection augments NIDS technology with its ability to alert network operators to non-signature network traffic anomalies. Thus, in theory, anomaly detection NIDS deployed once could effectively stop unknown or zero-day attacks, employing a real-time model of normal network behavior in order to detect traffic anomalies.

While proven effective at stopping even unknown attacks at the perimeter, there are two major problems that vendors face when trying to solve internal security problems with anomaly detection NIDS. First, modeling increasingly complex and critical networks is often too difficult for even the most powerful and sensitive anomaly detection systems. Second, the threat model on the inside of the network doesn't match the mechanics of systems designed for the perimeter. Operator experience with these systems in the core of the network has shown that anomaly detection NIDS has value mainly at the perimeter, alongside signature-driven systems.

Anomaly Detection Is Hard for Network Monitoring:

To understand the complexities of anomaly detection, it is useful to understand the models used by typical NIDS designs. The two most common anomaly models for NIDS are protocol anomaly detection, which attempts to validate traffic packet-by-packet for normalcy, and statistical or rate-based anomaly detection, which monitors traffic levels by host and protocol to find deviations or spikes in traffic that likely correspond to misuse. Both of these models are interesting and have value; neither is a standalone solution to network security problems.

Protocol anomaly detection systems, or PADS, are based on the assertion that most attack traffic will violate RFC-style norms. Many of the most damaging perimeter-facing attacks in the last 10 years have exploited bugs in the corner cases of Internet protocol handling. A PADS designer would say that a buffer overflow in Microsoft SQL Server, for instance, would involve SQL packets that look radically different from normal SQL packets. A deployed PADS contains encoded norms for all the protocols typically seen on a given enterprise network. Traffic can then be validated packet-by-packet for conformance to these rules, and flagged when it deviates.

Statistical ADS take a mathematical approach to the problem of network monitoring. Rather than encoding rules about how traffic should look directly into the system, a statistical ADS attempts to learn these rules from the network. While statistical systems can apply learning techniques to the same packet-by-packet models used by PADS, most operate at a higher level.
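The following is an added illustration, not Arbor's code nor a description of how Peakflow X itself works. It combines the two ideas the paper has introduced so far: a statistical, rate-based baseline that learns per-host, per-protocol traffic levels from a training window and flags intervals that exceed mean plus k standard deviations, and a relational baseline that records which (source, destination, protocol) relationships were observed and flags any relationship never seen before. The flow records, hosts and thresholds are constructed sample data; the `min_sigma` floor is an assumption of this example, added so that a perfectly flat baseline does not alert on trivial variation.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic):
# (interval, src, dst, proto, bytes), one summary per host pair per interval.
TRAINING_FLOWS = []
for i in range(10):
    TRAINING_FLOWS += [
        (i, "10.0.0.5", "10.0.0.10", "smb", 1000 + (i % 3) * 50),
        (i, "10.0.0.5", "10.0.0.20", "http", 2000 + (i % 2) * 100),
        (i, "10.0.0.6", "10.0.0.10", "smb", 500 + (i % 2) * 20),
    ]

DETECTION_FLOWS = [
    (10, "10.0.0.5", "10.0.0.10", "smb", 1050),
    (10, "10.0.0.5", "10.0.0.20", "http", 2000),
    (10, "10.0.0.6", "10.0.0.10", "smb", 520),
    (11, "10.0.0.5", "10.0.0.10", "smb", 1050),
    (11, "10.0.0.5", "10.0.0.30", "smb", 900),  # never-seen peer: relational anomaly
    (11, "10.0.0.6", "10.0.0.10", "smb", 500),
]


def _per_interval_volume(flows):
    """Aggregate bytes sent per (src, proto) within each interval."""
    vol = defaultdict(lambda: defaultdict(int))
    for interval, src, _dst, proto, nbytes in flows:
        vol[(src, proto)][interval] += nbytes
    return vol


def build_baseline(flows, k=3.0, min_sigma=1.0):
    """Learn legitimate host relationships and per-(host, proto) rate thresholds.

    threshold = mean + k * max(stdev, min_sigma). The min_sigma floor is an
    assumption of this example: without it a flat baseline (stdev 0) alerts
    on any increase at all.
    """
    relations = {(src, dst, proto) for _i, src, dst, proto, _b in flows}
    intervals = sorted({f[0] for f in flows})
    thresholds = {}
    for key, per_interval in _per_interval_volume(flows).items():
        samples = [per_interval.get(i, 0) for i in intervals]  # 0 when silent
        thresholds[key] = mean(samples) + k * max(pstdev(samples), min_sigma)
    return {"relations": relations, "thresholds": thresholds}


def detect(baseline, flows):
    """Return relational and rate anomalies found in a detection window."""
    alerts = []
    # Relational check: any (src, dst, proto) not seen during training.
    for interval, src, dst, proto, _b in flows:
        if (src, dst, proto) not in baseline["relations"]:
            alerts.append({"kind": "new-relationship", "interval": interval,
                           "src": src, "dst": dst, "proto": proto})
    # Rate check: per-interval volume for a known (host, proto) above threshold.
    for (host, proto), per_interval in _per_interval_volume(flows).items():
        threshold = baseline["thresholds"].get((host, proto))
        if threshold is None:
            continue  # every flow for this host/proto was already reported above
        for interval, total in per_interval.items():
            if total > threshold:
                alerts.append({"kind": "rate-spike", "interval": interval,
                               "src": host, "proto": proto, "bytes": total,
                               "threshold": round(threshold, 1)})
    return sorted(alerts, key=lambda a: (a["interval"], a["kind"]))


if __name__ == "__main__":
    base = build_baseline(TRAINING_FLOWS)
    for alert in detect(base, DETECTION_FLOWS):
        print(alert)
```

In the sample window, interval 11 produces two alerts for 10.0.0.5: a new SMB relationship to 10.0.0.30, and an SMB rate spike (1950 bytes against a learned threshold of roughly 1170). The second alert is why the paper says statistical models alone are not enough: a host that slowly adds new peers while staying under its rate threshold would never trip the rate check, but it does trip the relational one.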
