lectures 1 and 2 firewalls and their...
TRANSCRIPT
1
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
INFS 766/INFT 865Internet Security Protocols
Lectures 1 and 2Firewalls and Their Limitations
Prof. Ravi Sandhu
2© Ravi Sandhu 2000
REFERENCE BOOKS
u Network Security Essentials, William Stallings,Prentice-Hall, 2000
u Security Technologies for the World Wide Web, RolfOppliger, Artech House, 2000
u Internet and Intranet Security, Rolf Oppliger, ArtechHouse, 1998
u Building Internet Firewalls, Brent Chapman andElizabeth Zwicky, O’Reilly and Associates, 1995
u Network Security: Private Communication in a PublicWorld, C. Kaufman, R. Perlman and M. Speciner,Prentice-Hall, 1995
2
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
3© Ravi Sandhu 2000
WEB SOURCES
u source for RFCs and IETFl http://www.ietf.org
u cryptographic sourcesl RSA’s frequently asked questions: http://www.rsa.com/rsalabs/newfaql NIST encryption home page: http://csrc.nist.gov/encryption/
u firewall sourcesl Links to many vendor sites: http://www.waterw.com/~manower/vendor.htmll Firewalls mailing lists and searchable archive: http://lists.gnac.net/firewallsl Firewalls frequently asked questions: http://www.clark.net/pub/mjr/pubs/fwfaq
4© Ravi Sandhu 2000
SECURITY COURSES CYCLE
u Falll INFS 762 Information Systems Securityl INFS 767 Secure Electronic Commerce
u Springl INFS 766 Internet Security Protocolsl INFS 765 Database Securityl INFT 862 Formal Models for Computer Security
3
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
OPENING REMARKS
6© Ravi Sandhu 2000
INTERNET INSECURITY
u Internet insecurity spreads at Internet speedl Morris worm of 1987l Password sniffing attacks in 1994l IP spoofing attacks in 1995l Denial of service attacks in 1996l Email borne viruses 1999
u Internet insecurity grows at super-Internet speedl security incidents are growing faster then the Internet
(which has roughly doubled every year since 1988)
4
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
7© Ravi Sandhu 2000
INTERNET SECURITY
u There are no clear cut boundaries inmodern cyberspacel AOL-Microsoft war of 1999l Hotmail password bypass of 1999l Ticketmaster deep web links
8© Ravi Sandhu 2000
SECURITY OBJECTIVES
INTEGRITYmodification
AVAILABILITYaccess
CONFIDENTIALITYdisclosure
USAGE-CONTROLpurpose
5
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
9© Ravi Sandhu 2000
SECURITY TECHNIQUES
u Preventionl access control
u Detectionl auditing/intrusion detectionl incident handling
u Acceptancel practicality
10© Ravi Sandhu 2000
THREATS, VULNERABILITIESASSETS AND RISK
u THREATS are possible attacksu VULNERABILITIES are weaknessesu ASSETS are information and
resources that need protectionu RISK requires assessment of threats,
vulnerabilities and assets
6
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
11© Ravi Sandhu 2000
RISK
uOutsider Attackn insider attack
uInsider Attackn outsider attack
12© Ravi Sandhu 2000
PERSPECTIVE ON SECURITY
u No silver bulletsu A process NOT a turn-key productu Requires a conservative stanceu Requires defense-in-depthu A secondary objectiveu Absolute security does not exist
u Security in most systems can be improved
7
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
13© Ravi Sandhu 2000
PERSPECTIVE ON SECURITY
u absolute security is impossible doesnot mean absolute insecurity isacceptable
14© Ravi Sandhu 2000
ENGINEERING AUTHORITY & TRUST4 LAYERS
PolicyModel
ArchitectureMechanism
What?
How?
Assurance
8
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
INTRUSION SCENARIOS
16© Ravi Sandhu 2000
CLASSICAL INTRUSIONSSCENARIO 1
u Insider attackl The insider is already an authorized user
u Insider acquires privileged accessl exploiting bugs in privileged system programsl exploiting poorly configured privileges
u Install backdoors/Trojan horses tofacilitate subsequent acquisition ofprivileged access
9
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
17© Ravi Sandhu 2000
CLASSICAL INTRUSIONSSCENARIO 2
u Outsider attacku Acquire access to an authorized
accountu Perpetrate an insider attack
18© Ravi Sandhu 2000
NETWORK INTRUSIONSSCENARIO 3
u Outsider/Insider attacku Spoof network protocols to
effectively acquire access to anauthorized account
10
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
19© Ravi Sandhu 2000
DENIAL OF SERVICEATTACKS
u Flooding network ports with attacksource masking
u TCP/SYN flooding of internet serviceproviders in 1996
20© Ravi Sandhu 2000
INFRASTRUCTUREATTACKS
u router attacksl modify router configurations
u domain name server attacksu internet service attacks
l web sitesl ftp archives
11
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
INTERNET ARCHITECTUREAND PROTOCOLS
22© Ravi Sandhu 2000
OSI REFERENCE MODEL
higherlevel
protocols
lowerlevel
protocolsor
networkservices
higherlevel
protocols
lowerlevel
protocolsor
networkservicesPhysical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
END USER A END USER B
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
PHYSICAL MEDIUM
Enduser
functions
Networkfunctions
12
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
23© Ravi Sandhu 2000
OSI REFERENCE MODEL
END USER A END USER B
higherlevel
protocols
lowerlevel
protocolsor
networkservices
higherlevel
protocols
lowerlevel
protocolsor
networkservices
SOURCE NODE DESTINATION NODEINTERMEDIATENETWORK NODE
24© Ravi Sandhu 2000
layer5-7
4
3
2
TCP/IP PROTOCOL STACKBASIC PROTOCOLS
TELNET FTP SMTP HTTP etc
TCP UDP
IP
Ethernet Token-Ring ATM PPP etc
13
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
25© Ravi Sandhu 2000
TCP/IP PROTOCOL STACKBASIC PROTOCOLS
u IP (Internet Protocol)l connectionless routing of packets
u UDP (User Datagram Protocol)l unreliable datagram protocol
u TCP (Transmission Control Protocol)l connection-oriented, reliable, transport
protocol
26© Ravi Sandhu 2000
TCP/IP PROTOCOL STACKBASIC PROTOCOLS
u TELNET: remote terminalu FTP (File Transfer Protocol)u TFTP (Trivial File Transfer Protocol)u SMTP (Simple Mail Transfer Protocol)u RPC (Remote Procedure Call)u HTTP (Hyper Text Transfer Protocol)u and others
14
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
27© Ravi Sandhu 2000
TELNET FTP SMTP HTTP etc
TCP UDP
IP
Ethernet Token-Ring ATM PPP etc
layer5-7
4
3
2
TCP/IP PROTOCOL STACKINFRASTRUCTURE PROTOCOLS
ICMP
ARP RARP
DNS RIP EGPBGP
28© Ravi Sandhu 2000
TCP/IP PROTOCOL STACKINFRASTRUCTURE PROTOCOLS
u ICMP: Internet Control Message Protocolu ARP: Address Resolution Protocolu RARP: Reverse Address Resolution Protocolu DNS: Domain Name Serviceu RIP: Routing Information Protocolu BGP: Border Gateway Protocolu EGP: External Gateway Protocol
15
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
29© Ravi Sandhu 2000
TELNET FTP SMTP HTTP
TCP UDP
IP
Ethernet Token-Ring ATM
layer5-7
4
3
2
TCP/IP PROTOCOL STACKSECURITY PROTOCOLS
ICMP
ARP RARP
DNS RIP EGPBGP
IPSEC
SSL
30© Ravi Sandhu 2000
INTERNET STANDARDSPROCESS
u IETF: Internet Engineering Task Forcel Application Areal General Areal Internet Areal Operational Requirements Areal Routing Areal Security Areal Transport Areal User Services Area
16
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
31© Ravi Sandhu 2000
IETF SECURITY AREAACTIVE WORKING GROUPS
u IP Security Protocol (IPSEC)u Transport Layer Security (TLS)u Secure Shell (SECSH)u Public Key Infrastructure X.509 (PKIX)u Domain Name System Security (DNSSEC)u S/MIME Mail Security (SMIME)u Simple Public Key Infrastructure (SPKI)u Common Authentication Technology (CAT)u Web Transaction Security (WTS)u One Time Password Authentication (OTP)u Authenticated Firewall Traversal (AFT)u An Open Specification for Pretty Good Privacy (OPENPGP)
32© Ravi Sandhu 2000
RFCs AND IETF DRAFTS
u RFCsl Standards
n Proposed Standardn Draft Standardn Internet Standard
l Informationall Experimentall Historic
u IETF draftsl work in progressl expire after 6 months
17
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
33© Ravi Sandhu 2000
MUST, SHOULD, MAY
u MUSTl mandatory, required of compliant
implementations
u SHOULDl strongly recommended but not required
u MAYl possibilityl even if not stated a may is always allowed
unless it violates MUST NOT
TCP/IP VULNERABILITIES
18
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
35© Ravi Sandhu 2000
BASIC TCP/IPVULNERABILITIES
u many dangerous implementations ofprotocolsl sendmail
u many dangerous protocolsl NFS, X11, RPCl many of these are UDP based
36© Ravi Sandhu 2000
BASIC TCP/IPVULNERABILITIES
u solutionl allow a restricted set of protocols
between selected external and internalmachines
l otherwise known as firewalls
19
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
37© Ravi Sandhu 2000
IP PACKET
u headeru data
l carries a layer 4 protocoln TCP, UDP
l or a layer 3 protocoln ICMP, IPSEC, IP
l or a layer 2 protocoln IPX, Ethernet, PPP
38© Ravi Sandhu 2000
TCP INSIDE IP
IPHEADER
TCPHEADER
20
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
39© Ravi Sandhu 2000
IP HEADER FORMAT
u version: 4bit, currently v4u header length: 4 bit, length in 32 bit wordsu TOS (type of service): unusedu total length: 16 bits, length in bytesu identification, flags, fragment offset: total 16 bits used for
packet fragmentation and reassemblyu TTL (time to live): 8 bits, used as hop countu Protocol: 8 bit, protocol being carried in IP packet, usually
TCP, UDP but also ICMP, IPSEC, IP, IPX, PPP, Ethernetu header checksum: 16 bit checksumu source address: 32 bit IP addressu destination address: 32 bit IP address
40© Ravi Sandhu 2000
IP HEADER FORMAT
u optionsl source routing
n enables route of a packet and its responseto be explicitly controlled
l route recordingl timestampingl security labels
21
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
41© Ravi Sandhu 2000
TCP HEADER FORMAT
u source port numberl source IP address + source port number is a
socket: uniquely identifies sender
u destination port numberl destination IP address + destination port number
is a socket : uniquely identifies receiver
u SYN and ACK flagsu sequence numberu acknowledgement number
42© Ravi Sandhu 2000
TCP 3 WAY HANDSHAKE
initiator responderSYN(X)
SYN(Y), ACK(X)
ACK(Y)
22
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
43© Ravi Sandhu 2000
TCP SYN FLOODINGATTACK
u TCP 3 way handshakel send SYN packet with random IP source
addressl return SYN-ACK packet is lostl this half-open connection stays for a
fairly long time out period
u Denial of service attacku Basis for IP spoofing attack
44© Ravi Sandhu 2000
IP SPOOFING
u Send SYN packet with spoofedsource IP address
u SYN-flood real source so it dropsSYN-ACK packet
u guess sequence number and sendACK packet to targetl target will continue to accept packets
and response packets will be dropped
23
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
45© Ravi Sandhu 2000
TCP SESSION HIJACKING
u Send RST packet with spoofedsource IP address and appropriatesequence number to one end
u SYN-flood that endu send ACK packets to target at other
end
46© Ravi Sandhu 2000
SMURF ATTACK
u Send ICMP ping packet with spoofedIP source address to a LAN whichwill broadcast to all hosts on the LAN
u Each host will send a reply packet tothe spoofed IP address leading todenial of service
24
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
47© Ravi Sandhu 2000
ULTIMATE VULNERABILITY
u IP packet carries no authentication ofsource address
u IP spoofing is possiblel IP spoofing is a real threat on the Internetl IP spoofing occurs on other packet-switched
networks also, such as Novell’s IPX
u Firewalls do not solve this problemu Requires cryptographic solutions
FIREWALLS
25
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
49© Ravi Sandhu 2000
WHAT IS A FIREWALL?
internalnetwork
FIRE-WALL
externalInternet
50© Ravi Sandhu 2000
WHAT IS A FIREWALL?
u all traffic between external andinternal networks must go throughthe firewalll easier said than done
u firewall has opportunity to ensurethat only suitable traffic goes backand forthl easier said than done
26
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
51© Ravi Sandhu 2000
ULTIMATE FIREWALL
internalnetwork
externalInternet
AirGap
52© Ravi Sandhu 2000
BENEFITS
u secure and carefully administerfirewall machines to allow controlledinteraction with external Internet
u internal machines can beadministered with varying degrees ofcare
u does work
27
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
53© Ravi Sandhu 2000
BASIC LIMITATIONS
u connections which bypass firewallu services through the firewall
introduce vulnerabilitiesu insiders can exercise internal
vulnerabilitiesu performance may sufferu single point of failure
54© Ravi Sandhu 2000
TYPES OF FIREWALLS
u Packet filtering firewallsl IP layer
u Application gateway firewallsl Application layer
u Circuit relay firewallsl TCP layer
u Combinations of these
28
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
55© Ravi Sandhu 2000
PACKET FILTERING FIREWALLS
u IP packets are filtered based onl source IP address + source port numberl destination IP address + destination
port numberl protocol field: TCP or UDPl TCP protocol flag: SYN or ACK
56© Ravi Sandhu 2000
FILTERING ROUTERS
internalnetwork packet
filteringrouter
externalInternet
i-nw-to-router
router-to-i-nw
e-nw-to-router
router-to-e-nw
mailgateway
29
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
57© Ravi Sandhu 2000
PACKET FILTERING FIREWALLS
u drop packets based on filtering rulesu static (stateless) filtering
l no context is kept
u dynamic (statefull) filteringl keeps context
58© Ravi Sandhu 2000
PACKET FILTERINGFIREWALLS
u Should never allow packet withsource address of internal machineto enter from external internet
u Cannot trust source address to allowselective access from outside
30
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
59© Ravi Sandhu 2000
FILTERING ROUTERS
internalnetwork 1
packetfilteringrouter
externalInternet
mail gateway(internal network 3)
internalnetwork 2
60© Ravi Sandhu 2000
FILTERING HOST
internalnetwork
externalrouter
externalInternet
packetfilteringfirewall
host
u one can use a packet filtering firewall even ifconnection to Internet is via an external serviceprovider
31
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
61© Ravi Sandhu 2000
PACKET FILTERING FIREWALLS
u packet filtering is effective forcoarse-grained controls
u not so effective for fine-grainedcontroll can do: allow incoming telnet from a
particular hostl cannot do: allow incoming telnet from a
particular user
62© Ravi Sandhu 2000
APPLICATION GATEWAYFIREWALLS
internalnetwork
externalrouter
externalInternet
applicationgatewayfirewall
host
SIMPLESTCONFIGURATION
32
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
63© Ravi Sandhu 2000
APPLICATION PROXIES
u have to be implemented for eachservice
u may not be safe (depending onservice)
64© Ravi Sandhu 2000
CLIENT-SIDE PROXIESInternal-Client External-Server
u allow outgoing http for web accessto external machines from internalusers
u requires some client configuration
33
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
65© Ravi Sandhu 2000
SERVER-SIDE PROXIESExternal-Client Internal-Server
u allow incoming telnet for access toselected internal machines from selectedexternal users
u requires some cryptographic protection tothwart sniffing and IP spoofing
u becoming increasingly important forl electronic commercel VPNl remote access security
66© Ravi Sandhu 2000
FIREWALL ARCHITECTURESDUAL HOMED HOST
Bastion Host(Application
Gateway)
Router RouterIntranet
Internet
Bastion Host(ExternalService)
34
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
67© Ravi Sandhu 2000
FIREWALL ARCHITECTURESSCREENED SUBNET
Packet Filter
Router RouterIntranet
Internet
Bastion Host(ExternalService)
INTRUSION DETECTION
35
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
69© Ravi Sandhu 2000
RELATED TECHNOLOGIES
u Intrusion detectionu Vulnerability assessmentu Incident responseu Honey potsu Sniffer probes
70© Ravi Sandhu 2000
INTRUSION DETETCIONTECHNIQUES
u Policy detection (or knowledge-based)l default permit
n attack-signature based detectionn also called misuse detection
l default denyn specification-based detection
u Anomaly detection (or behavior-based)n requires user profilingn requires some learning capability in the system
u Combinations of these
36
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
71© Ravi Sandhu 2000
INTRUSION DETECTIONDATA SOURCE
u network-based intrusion detectionl multiple sensor points
u host-based intrusion detectionl multi-host based
u application-based intrusion detectionu combinations of these
72© Ravi Sandhu 2000
ATTACKER
u Outsiderl easier
u insiderl harder
37
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
73© Ravi Sandhu 2000
INTRUSION DETECTION ISSUES
u effectivenessu efficiencyu securityu inter-operabilityu ease of useu transparency
74© Ravi Sandhu 2000
INTRUSION DETECTIONCHALLENGES
u False alarm rateu Performance and scalability
38
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
75© Ravi Sandhu 2000
BASE RATE FALLACY
u Test for a disease is 99% accuratel 100 disease-free people tested, 99 test negativel 100 diseased people tested, 99 test positive
u Prevalence of disease is 1 in 10,000u Alice tests positiveu What is probability Alice has the disease?
76© Ravi Sandhu 2000
BASE RATE FALLACY
u Test for a disease is 99% accuratel 100 disease-free people tested, 99 test negativel 100 diseased people tested, 99 test positive
u Prevalence of disease is 1 in 10,000u Alice tests positiveu What is probability Alice has the disease?
1 in 100u False alarm rate: 99 in 100 !!!!!
39
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
77© Ravi Sandhu 2000
BASE RATE FALLACYBAYE’S THEOREM
u population: 1,000,000u diseased: 100u disease free: 999,900u false positive: 9,999u true positive: 99u Alice’s chance of disease:
99/(9,999+99) = 1/100
78© Ravi Sandhu 2000
BASE RATE FALLACY99.99% ACCURACY
u population: 1,000,000u diseased: 100u disease free: 999,900u false positive: 99.99u true positive: 99.99u Alice’s chance of disease:
99.99/(99.99+99.99) = 1/2
40
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
79© Ravi Sandhu 2000
NETWORK-BASED INTRUSIONDETECTION SIGNATURES
u port signaturesu header signaturesu string signatures
80© Ravi Sandhu 2000
NETWORK-BASED INTRUSIONDETECTION ADVANTAGES
u Complements firewallsu broad visibility into network activityu no impact on network performanceu transparent installation
41
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
81© Ravi Sandhu 2000
NETWORK-BASED INTRUSIONDETECTION DISADVANTAGES
u False positivesu miss new unknown attacksu scalability with high-speed networksu passive stanceu emergence of switched Ethernet
82© Ravi Sandhu 2000
HOST-BASED INTRUSIONDETECTION
u host wrappers or personal firewallsl look at all network packets, connection
attempts, or login attempts to the monitoredmachine
n example, tcp-wrapper
u host-based agentsl monitor accesses and changes to critical
system files and changes in user privilegen example, tripwire
42
Lectures 1 and 2
INFS 766/INFT 865Prof. Ravi Sandhu
Internet Security Protocols Spring 2000
83© Ravi Sandhu 2000
INTRUSION DETECTIONSTANDARDS
u None existu ongoing efforts
l CIDF: common intrusion detectionframeworkfor sharing information
l IETF Intrusion Detection Working Groupjust started
84© Ravi Sandhu 2000
INTRUSION DETECTION
u Needs to integrate with othersecurity technologies such ascryptography and access control
u one component of defense-in-depthlayered security strategy
u incident-response and recovery areimportant considerations