Computers and Security, Vol. 17, No. 6

Is network intrusion detection software being used correctly? Marcus Ranum. Most intrusion detection systems (IDSs) cannot trace an attacker back to their point of origin. Yet many network managers are purchasing intrusion detection systems anyway. Currently, users have two choices: anomaly detection and misuse detection. But each has serious limitations. Anomaly detection systems ‘learn’ what constitutes normal network traffic, developing sets of models that are updated over time. These models are applied against new traffic. Traffic that doesn’t match the normal model is flagged as suspicious. As networks grow, the diversity of applications makes the complex traffic look random. A patient hacker may even generate their own traffic to create a distorted model of normal appearance to get past the IDS. Many companies offer an easier form of IDS known as misuse detection intrusion detection systems. These resemble a virus scanner attached to a network. They are usually programmed with signature sets representing the types of connections and traffic that indicate a particular attack. These systems are fast and don’t generate false positives because they ‘understand’ what attacks look like. Most IDSs are deployed outside the firewall, where they detect an attack and send an alarm. To get the best out of an IDS, the network manager should draw up a list of the types of incursions that could cause a serious problem and set the system up to watch for them. The near future promises IDSs that combine anomaly detection with misuse detection which will integrate smoothly with firewalls and other security systems. Until then, the technology should only be used as part of the defence of a network.

Security Management, August 1998, pp. 124-126.
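As an added illustration (not from the article or its author), the two approaches side by side on constructed connection records: the misuse detector matches only a hand-picked signature list, while the anomaly detector learns a per-port byte-count baseline from training traffic. Each catches a case the other misses, which is the complementarity the abstract's closing paragraph anticipates. All record values, signature tags and thresholds are hypothetical.

```python
from statistics import mean, pstdev

# Constructed training records (not from the article): (src, dst_port, bytes, payload_tag).
# payload_tag stands in for the inspected content a signature engine would match on.
TRAINING = [("10.0.0.%d" % i, 80, 500 + 40 * (i % 5), "http-get") for i in range(1, 21)] + \
           [("10.0.0.%d" % i, 25, 2000 + 100 * (i % 4), "smtp-mail") for i in range(1, 11)]

# Misuse detection: the manager's "list of incursions that could cause a serious
# problem", expressed as signatures. Tags and descriptions are hypothetical.
SIGNATURES = {"smtp-debug": "sendmail DEBUG command", "ftp-site-exec": "FTP SITE EXEC attempt"}

def misuse_detect(records):
    """Flag only records whose payload matches a known signature; anything unlisted passes."""
    return [(r, SIGNATURES[r[3]]) for r in records if r[3] in SIGNATURES]

class AnomalyModel:
    """Anomaly detection: learn a per-port byte-count baseline from training traffic."""
    def __init__(self, records, k=3.0):
        by_port = {}
        for _, port, nbytes, _ in records:
            by_port.setdefault(port, []).append(nbytes)
        self.baseline = {p: (mean(v), pstdev(v)) for p, v in by_port.items()}
        self.k = k  # how many standard deviations away still counts as "normal"

    def score(self, record):
        """Return a reason string if the record falls outside the learned model, else None."""
        _, port, nbytes, _ = record
        if port not in self.baseline:
            return "port %d never seen in training" % port
        mu, sigma = self.baseline[port]
        if abs(nbytes - mu) > self.k * max(sigma, 1.0):
            return "%d bytes outside baseline (%.0f +/- %.0f) on port %d" % (nbytes, mu, sigma, port)
        return None

    def detect(self, records):
        hits = []
        for r in records:
            reason = self.score(r)
            if reason:
                hits.append((r, reason))
        return hits

# Constructed test traffic: two benign records, one known attack carried in a
# normal-sized SMTP session, and one unknown event visible only as an oversized transfer.
TEST = [("10.0.0.3", 80, 540, "http-get"),
        ("192.0.2.7", 25, 2050, "smtp-debug"),
        ("192.0.2.9", 80, 60000, "http-get"),
        ("10.0.0.5", 25, 2100, "smtp-mail")]

if __name__ == "__main__":
    print("misuse  :", misuse_detect(TEST))                  # only the signature hit
    print("anomaly :", AnomalyModel(TRAINING).detect(TEST))  # only the oversized transfer
```

The signature engine is silent on the 60000-byte transfer because nothing in its list describes it, and the anomaly model is silent on the DEBUG session because its volume sits inside the learned baseline; neither alone covers the list the manager drew up.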

WSS put its stamp on E-mail security, Gregory Yerxa. Securing incoming and outgoing E-mail needs to be a priority for enterprise networks. Control over message content, attachments and encryption can protect your information and users. Worldtalk’s WorldSecure Server (WSS) 3.0 lets you control message content, encryption, virus detection and spam mail. In addition, it includes support for LDAP and S/MIME, providing a near-complete E-mail firewall security solution. Filtering based on source and destination address and keywords in the subject and body text are two of WSS’ more basic features. WSS enforces its policies on both user and domain levels by parsing the destination and source E-mail addresses, enabling complete domain and system-wide administration. Using its built-in LDAP support, WSS accesses public key information and encrypts messages for end users. For further security, you can mandate that individual addresses send encrypted messages. WSS is also able to scan popular compression programs for viruses. Most of the WSS security measures can stamp a message with additional information, and they are completely administrator-configurable.

Network Computing, July 15, 1998, pp. 42-44.

LAN-to-LAN VPNs: secure enough? Steve Steinke. The Internet promises cheap, universal connectivity, but do VPNs adequately address questions about its security? This article focuses on network-to-network VPN products in four categories: firewall-related software VPNs, router and switch VPNs, standalone software VPNs and hardware-based VPNs. The products covered are: Check Point’s VPN-1, Axent Technologies’ Raptor Firewall, Network Associates’ Gauntlet Global VPN, Secure Computing’s SecureZone, Cisco Systems’ PIX and Internetwork Operating Systems, 3Com’s NetBuilder, Novell’s BorderManager, Aventail’s VPN Server, Bay Networks’ Contivity Extranet Switch, Internet Devices’ Fort Knox Policy Router, Radguard’s cIPro, TimeStep’s Permit Gate 4520 and VPNet’s VPNware VSU 1010.

Network Magazine, August 1998, pp. 44-49.

521

Recommended