Modern networking continues to deliver increases and improvements in communication and information access. The growth of networking systems and technology seems limitless, and the speed of networked communications has brought benefits to nearly every human endeavor.
In addition to the inherent complexities of network communications, recent trends in information technology have seen large enterprises and other users moving towards a centralization of some network services, notably data storage and mining as well as some more complex applications. This centralization is realized in many instances by contracted access to provisionable, or virtually reconfigurable, networks. A provisionable network allows a centralization of information technology (IT) services and enterprise-wide, and even internet-wide, access to specialized data and functions. The various moves to re-centralize IT systems of all kinds are driven in part by shortages of IT staff and by the intrinsic inefficiencies of distributed systems. Notably, many IT managers are migrating to a smaller number of large data centers. Enabled by abundant and relatively inexpensive network bandwidth, IT services can now be distributed to users globally. The need to place server-side technology near the client workstation is lessening, which has led to this dramatic change in IT architecture.
Network security has been a concern since before the first important data was stored in an accessible computer system. Even more than earlier distributed networks, provisionable networks are exposed to security lapses, and even attack, through the many communications links such systems entail. Because communication is necessary within and between the resources contained in the provisionable data center, as well as with clients outside the network, the possible avenues of security failure are many.
In addition to “normal” hacker attacks, security breaches can consist of such things as the unauthorized entry into a portion of a database by an otherwise authorized user, or the unauthorized use of an application managed by the center. An example of this could be the use by a foreign engineering entity of a supercomputer computational fluid dynamics facility, perhaps barred by technology exchange law, where the foreign entity's use of other portions of the same provisionable data center is legitimate and desirable.
Another example involves a case wherein there are competing clients legitimately served by the UDC and who share some of the available resources, such as a marketing database. These same two clients may also employ the UDC for secure archiving of proprietary data that neither wants the other to access. Furthermore, the management system of a provisionable data center itself could be the target of a focused intrusion whose goal could be the weakening of the management structure to enable other intrusions.
A technology of intrusion detection has grown alongside that of the provisionable network. Network intrusion detection systems (NIDS) and their management infrastructures are now as complex as the networks they protect.
Designing and deploying a Network Intrusion Detection System (NIDS) that provides effective attack detection for an infrastructure is an extremely difficult task. Apart from the minor difficulties of understanding how and where to physically deploy NIDS sensors, the major difficulty is in understanding where sensors are most effectively deployed and, more importantly, how to configure them. Configuration of NIDS sensors, in terms of enabling the proper intrusion attack signatures, assigning the correct severities to them, and associating the most effective responses with the resulting alerts, has not been documented as a streamlined, guided process; in its absence most configurations are either left at the default settings or tuned from observations of the production environment. Default sensor settings are unreliable across the installation spectrum, and a NIDS running with a default configuration often faces storms of false positives. Tuning the NIDS in the production environment over a period of time is desirable as a final tuning step, but relying on that process to fully configure a sensor can prove disastrous in terms of false negatives, is very time consuming, and requires continuous periodic re-tuning.
In the absence of a clear, streamlined, guided process, NIDS sensors have been either configured with default settings or tuned in production environments. Default settings can be relied upon only for their severities (and even then only minimally, because they are applied in disparate environments) and would surely result in a storm of false “positives” if used unchanged. On the other hand, tuning the NIDS in the production environment over a period of time in order to fully configure a sensor could prove disastrous in terms of false “negatives”, is very time consuming, and requires continuous periodic re-tuning. Also, in the absence of any standardized framework for assigning severities or associating response actions, even a NIDS solution that uses excellent sensors loses its effectiveness because of inconsistencies in its alerting and response.
What is needed, then, is a method for configuring network intrusion detection sensors in a network such that the management components of the network are protected from intrusions that originate either from an external source or from systems within a less trusted part of the network management infrastructure. Such a configuration method should enable the cost-effective deployment of sensors that are tuned to determine and discriminate between the threat levels of detected intrusions and to generate an appropriate response to each detected intrusion.
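As an added illustration of the point above (this is example code, not part of the original text or of any product it describes), the following toy model assigns severities and responses to sensor alerts according to where the traffic originates: the management tier, a less trusted tier, or the external network. The zones, signature names, base severities and sample alerts are all constructed assumptions; the default-only classifier is included for contrast.

```python
"""Toy zone-aware NIDS alert classification (constructed example)."""
from dataclasses import dataclass
import ipaddress

# Constructed zones: the management tier is the asset to protect; the less
# trusted tier and the external network are the two intrusion origins.
ZONES = {
    "management": ipaddress.ip_network("10.0.1.0/24"),
    "less_trusted": ipaddress.ip_network("10.0.2.0/24"),
}

# Constructed signature base severities (1 = low .. 5 = critical), i.e. the
# "default settings" a sensor would ship with.
SIGNATURES = {"SSH_BRUTE": 3, "SMB_SCAN": 2, "MGMT_API_EXPLOIT": 5}

# Response ladder keyed by final severity.
RESPONSES = {1: "log", 2: "log", 3: "alert", 4: "alert_and_block", 5: "alert_and_block"}

@dataclass
class Alert:
    sig: str
    src: str
    dst: str

def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def classify_default(alert: Alert) -> tuple[int, str]:
    """Untuned sensor: severity and response come from the signature alone."""
    sev = SIGNATURES.get(alert.sig, 1)
    return sev, RESPONSES[sev]

def classify(alert: Alert) -> tuple[int, str]:
    """Tuned sensor: raise severity when a non-management source targets a
    management component, lower it for management-to-management traffic
    (e.g. expected administrative scans), and clamp to 1..5."""
    sev = SIGNATURES.get(alert.sig, 1)
    src_zone, dst_zone = zone_of(alert.src), zone_of(alert.dst)
    if dst_zone == "management" and src_zone != "management":
        sev += 1
    elif src_zone == "management" and dst_zone == "management":
        sev -= 1
    sev = max(1, min(5, sev))
    return sev, RESPONSES[sev]
```

Run on a constructed alert such as `Alert("SSH_BRUTE", "10.0.2.7", "10.0.1.9")`, the untuned classifier yields `(3, "alert")` while the zone-aware one yields `(4, "alert_and_block")`, which is the origin-based discrimination the passage calls for.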