As use of the internet for business-critical applications increases and new e-commerce and extranets proliferate, network security continues to increase in importance. Thanks to the openness and accessibility of the internet, which is the reason organizations embrace it in the first place, these new capabilities put sensitive information at risk.
While firewalls provide a first line of defense against unauthorized users, no single technology has been developed which solves all security problems. Attackers are increasingly experiencing vulnerabilities via the HTTP protocol, which is almost always allowed past the firewall. This allows attackers to gain access to corporate web-based services.
Intrusion detection systems (IDS) have become standard components in most network architectures as part of this layered approach. An IDS is the network equivalent of a burglar alarm. Its main purpose is to generate an alert when an attacker tries to hack into a network. To accomplish this, an IDS is equipped with both standard and customized attack signature detection engines. These engines are used to monitor and analyze network events for any signs of an attack or malicious activity.
However, sensitive web transactions are typically encrypted, for example, using Secure Sockets Layer (SSL). While encryption, such as SSL, is a critical component of many secure intranet transaction systems, IDS sensors cannot decrypt such traffic. This makes such sensors blind to the content of the encrypted traffic. Most attacks on network systems that can be done over unencrypted web traffic can also be done over the encrypted (SSL) link.
In the course of ordinary unencrypted web traffic, hacker activity or other net works attacks are usually detected by the IDS. The wide-spread usage of SSL presents a major dilemma, as IDS sensors cannot detect SSL traffic. As a result, encrypted SSL traffic passes through the IDS without examination. This renders the typical IDS ineffective because they cannot search incoming encrypted traffic for signatures indicative of an attack. To be effective, a network IDS needs to be able to examine all packets on the network segment. Without this capability, attackers can easily conceal their probes and attacks, such as a Unicode hack, SQL Injection, and buffer overflow, in the unexamined encrypted packets.