Intrusion detection strengthens corporate information security

zhaozj, 2021-02-16

Wang Yuezhong, technical director of Symantec China: While the Internet lets your company reach millions of potential customers, those same customers can also reach your company over the Internet. Many websites and internal networks are broken into because the necessary precautions against attacks are not in place. If a company cannot guarantee the security of its website and customer information, it faces even greater losses. A single attack incident can cost a few million yuan in potential revenue, but that is only the beginning. The damage from an attack also includes inconvenience to customers, loss of intellectual property and market advantage, legal liability for leaked customer information, and the time and money spent dealing with the incident.

The best defense against attacks on information systems is a combination of integrated tools and security policies that improve the accuracy of attack information and deliver it in real time, so that attacks can be responded to effectively.

A network that must be secured is made up of many kinds of hardware and software, and users have different access needs for each of them. To protect the information system effectively, there must be a security model that covers these diverse network components and their related security issues. The following is an outline of a basic security model:

1. Vendor policy
2. Firewall
3. Intrusion detection system
4. Router security
5. Host system security
6. Antivirus
7. Emergency response plan

We will discuss some of the problems companies face, focusing on the intrusion detection system within the enterprise information infrastructure.

Firewall: necessary, but not a complete solution. The firewall is the first line of defense for the corporate network, but it should never be seen as a "magic weapon" that solves network security problems; no single product can be. Deployed at the network boundary together with the rest of the infrastructure, firewalls provide basic security. Almost every company that takes its business seriously has already invested in and built firewall technology. Yet even with firewalls in place, 90% of Fortune 500 enterprises still detect security gaps. The problem is that every firewall is exposed to external attack or can be bypassed in a variety of ways. For example, a hacker can exploit a firewall misconfiguration, bypass the firewall via a switch, launch a denial of service (DoS) attack against a specific service, use Trojans and tunneling techniques, or even launch a buffer overflow attack to gain root access to the firewall. Because more than 70% of network information security incidents originate from internal attacks, companies must also build firewalls around important network assets to reduce the risk of intrusion. However, internal attackers can still bypass or spy on these firewalls as well.

Firewalls are regarded as gatekeepers, but the protection they can provide is very limited. Their biggest shortcoming is that a firewall cannot inspect packet contents. To check packet contents, companies must add an intrusion detection mechanism to their security deployment. An intrusion detection system can help identify attacks at an early stage, provide fast analysis of information security events and more time to respond, and deploy defensive mechanisms to prevent further attacks.

Raising the level of enterprise information security defense: the intrusion detection system. If information security assets matter to a company, deploying an intrusion detection system becomes a very necessary information security measure. An intrusion detection system can make up for the shortcomings of firewall technology. IDS detectors placed inside and outside the firewall help determine whether the firewall is properly configured and operating. An IDS can also identify network attacks that the firewall cannot perceive. Intrusion detection systems help enterprises move from passive to active defense and can effectively reduce network security risk.

Intrusion detection systems are divided into the following four types:

1. Traditional network intrusion detection system (NIDS)
2. Traditional host intrusion detection system (HIDS)
3. Hybrid intrusion detection system (hybrid IDS)
4. Trap system (honeypot)

Traditional Network Intrusion Detection System (NIDS): uses a network card in promiscuous mode to inspect every packet that passes by. A typical network-based IDS consists of one or more detectors and a main console that receives data from the detectors. A network IDS is simpler to deploy and easier to manage than a host-based IDS, but some network IDS products generate a great deal of network traffic after installation, fail to detect attack events, and produce a large number of management alerts due to false positives, making real attacks hard to identify. A false positive is an alert generated by legitimate activity when no actual attack has occurred. If a company is repeatedly hit by false positives, it begins to ignore its alerting systems and the data they collect, rendering the system useless. False positives are a continuing challenge for most companies.

Traditional Host Intrusion Detection System (HIDS): monitors processes inside the host and watches log files and suspicious activity. Some host-based IDS operate independently; in other systems, each host-based IDS reports to a main system responsible for centralized assessment and response, which is very helpful for large-scale deployment. Because most host-based solutions support a limited set of platforms and offer limited coverage, they are difficult to manage, and because they lack packet inspection they can leave the system open to network attacks.

The hybrid intrusion detection system combines host-based and network-based technology. A hybrid IDS is host-based and can identify the packets flowing to or from that single host. Unlike a network-based IDS, the hybrid system does not inspect every packet that passes by, so it mitigates some of the performance degradation caused by traffic analysis. A hybrid IDS provides more protection by monitoring events, data, directories, and log files on the host. Platform restrictions and deployment issues are still a concern, and hybrid systems traditionally consume considerable system resources, but they are less prone to false positives than a network-based IDS.

A deception system, or "honeypot", is a general term for an additional layer of protection for the network infrastructure. The trap system is usually more valuable than other detection systems because it reduces false positives and the illusion of security; it can be considered a "set and forget" IDS. The detector can consist of a single system or multiple network devices whose only purpose is to capture unauthorized activity. This means that any packet entering or leaving the system is naturally considered suspicious, which simplifies data logging and analysis and provides practical information about the attacker's motivation.

There is a common misconception about trap systems: because they lure hackers, the evidence they collect supposedly cannot be used to prosecute the hacker. In fact, a trap system is not an active lure and is not easy to find. A hacker can only discover the trap system by running the probing tools used to break into the network.
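To make the contrast between the NIDS false-positive problem and the honeypot's "every packet is suspicious" rule concrete, here is an added example (not code from the original article or from Symantec). It runs a small signature rule set and a decoy-address rule over constructed sample packets; the addresses, signatures and packet contents are all assumptions made for the illustration.

```python
"""Added example, not code from the original article: a signature-based NIDS
rule set fires on legitimate traffic (a false positive), while a honeypot-style
detector needs no signatures because any contact with a decoy is suspicious.
Every packet below is a constructed sample record, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Assumption: 10.0.0.250 is an unused decoy address; nothing legitimate uses it.
DECOY_HOSTS = {"10.0.0.250"}
# Assumption (ground truth for scoring): 203.0.113.9 is the only real attacker.
KNOWN_MALICIOUS = {"203.0.113.9"}
# Two illustrative NIDS content signatures.
NIDS_SIGNATURES = {"dir-traversal": b"../", "shell-string": b"/bin/sh"}

SAMPLE_PACKETS = [
    # Legitimate wiki edit whose body happens to contain "../" (trips the NIDS).
    Packet("10.0.0.5", "10.0.0.20", 80, b"POST /wiki HTTP/1.1\r\n\r\nsee ../README"),
    # Scanner probing the decoy's telnet port with an empty payload.
    Packet("203.0.113.9", "10.0.0.250", 23, b""),
    # Same scanner probing a real host: no payload, so no signature can match.
    Packet("203.0.113.9", "10.0.0.20", 23, b""),
    # Ordinary page request.
    Packet("10.0.0.7", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
]


def nids_alerts(packets):
    """Signature NIDS: inspects every packet's payload, alerts on a match."""
    return [(name, p.src, p.dst)
            for p in packets
            for name, sig in NIDS_SIGNATURES.items() if sig in p.payload]


def honeypot_alerts(packets):
    """Honeypot: no signatures; any packet touching a decoy host is an alert."""
    return [("decoy-contact", p.src, p.dst)
            for p in packets if p.src in DECOY_HOSTS or p.dst in DECOY_HOSTS]


def false_positive_count(alerts, malicious_sources):
    """Alerts whose source is not a known attacker are false positives."""
    return sum(1 for _, src, _ in alerts if src not in malicious_sources)


if __name__ == "__main__":
    for label, fn in (("NIDS", nids_alerts), ("honeypot", honeypot_alerts)):
        alerts = fn(SAMPLE_PACKETS)
        print(label, alerts, "false positives:",
              false_positive_count(alerts, KNOWN_MALICIOUS))
```

Note that the NIDS also misses the empty-payload probe against the real host, which is the gap the article says a honeypot helps close.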

Please credit the original source when reprinting: https://www.9cbs.com/read-28209.html
