Network security problems have grown in importance together with the Internet. This article introduces the basics of the host security problem, reviews the most important intrusion detection methods, and finally proposes a novel solution. Various kinds of network-based security software have been described in the literature (Snort, 2006). The novelty of the proposed method is that its clients, one running on each host, form a peer-to-peer (P2P) overlay network. Organization is automatic and requires no user interaction. This network model provides stability, which is important for quick and reliable communication between nodes. The key idea is that the network, which is the easiest avenue for attacking networked computers, is turned into the medium that improves the efficiency of their protection. Built this way, the system remains usable even over an unstable network. The first implementation of the proposed method has demonstrated its ability to protect the operating systems of networked hosts.
The Problem Of Host Security
This section describes basic security concepts and the dangers threatening user data and resources. We describe the different kinds of attacks and their common features one by one, and show the usual protection methods against them.
Information stored on a computer can be of a personal or business nature, private or confidential, and an unauthorized person may therefore try to steal it; the possible cases are listed in Table 1. Stored data can not only be stolen but also altered, and information modified on a host is an effective way to cause economic damage to a company.

Table 1. The types of information theft
• An unauthorized person gains access to a host.
• An authorized user abuses his or her access.
• A third party monitors or intercepts network traffic.
Not only data but also resources need to be protected, and resources are not just hardware. A typical kind of attack is to gain access to a computer in order to launch further attacks from it. This makes identifying the original attacker more difficult, because each host intruded in such a chain sees only the IP address of the previous one as its attacker.
Intrusion attempts use different methods depending on their purpose, but these methods have things in common: they scan network ports or whole subnetworks for services, and they make many attempts within a short time. These shared traits can be used to detect the attempts and to prepare the protection.
When the goal is to download data or to disrupt the functioning of a host, the attacker already knows the network address of the target. He or she scans the host for open network ports in order to find vulnerable service programs. This is the well-known port scan: the whole range of services is probed one by one, with the aim of finding a security hole that can be used to gain access to the system (Teo, 2000). The most widely known software application for this purpose is Nmap (Nmap Free Security Scanner, Tools, & Hacking Resources, 2006). It is important to note that Nmap was not written with bad intentions, but (like everything) it can also be used in an unlawful way.
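The detection heuristic that the last two paragraphs describe, one source touching many distinct ports within a short time, can be implemented in a few lines. The following is an added example, not code from this chapter, from Snort or from Nmap; the log format, the addresses, the ten-second window and the threshold of eight ports are assumptions made for the example. The constructed log also contains a slow scanner that probes one port every thirty seconds, which illustrates the main caveat of such a detector: a fixed short window misses a patient attacker unless the window is widened (the usage call at the end does exactly that).

```python
"""Port-scan detection over connection-attempt log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10  # assumed look-back period
THRESHOLD = 8        # assumed number of distinct ports that triggers an alert

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip> <dst port> <flags>".
# 10.0.0.5 sweeps nine ports in four seconds (a fast scan),
# 10.0.0.7 behaves like an ordinary web client, and
# 10.0.0.9 probes one port every thirty seconds (a slow scan).
SAMPLE_LOG = """\
2006-03-01T10:00:00 10.0.0.5 10.0.0.20 21 SYN
2006-03-01T10:00:00 10.0.0.5 10.0.0.20 22 SYN
2006-03-01T10:00:01 10.0.0.5 10.0.0.20 23 SYN
2006-03-01T10:00:01 10.0.0.5 10.0.0.20 25 SYN
2006-03-01T10:00:01 10.0.0.7 10.0.0.20 80 SYN
2006-03-01T10:00:02 10.0.0.5 10.0.0.20 53 SYN
2006-03-01T10:00:02 10.0.0.5 10.0.0.20 80 SYN
2006-03-01T10:00:02 10.0.0.7 10.0.0.20 80 SYN
2006-03-01T10:00:03 10.0.0.5 10.0.0.20 110 SYN
2006-03-01T10:00:03 10.0.0.5 10.0.0.20 143 SYN
2006-03-01T10:00:03 10.0.0.5 10.0.0.20 443 SYN
2006-03-01T10:00:04 10.0.0.7 10.0.0.20 443 SYN
2006-03-01T10:01:00 10.0.0.9 10.0.0.20 21 SYN
2006-03-01T10:01:30 10.0.0.9 10.0.0.20 22 SYN
2006-03-01T10:02:00 10.0.0.9 10.0.0.20 23 SYN
2006-03-01T10:02:30 10.0.0.9 10.0.0.20 25 SYN
2006-03-01T10:03:00 10.0.0.9 10.0.0.20 53 SYN
2006-03-01T10:03:30 10.0.0.9 10.0.0.20 80 SYN
2006-03-01T10:04:00 10.0.0.9 10.0.0.20 110 SYN
2006-03-01T10:04:30 10.0.0.9 10.0.0.20 143 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port, _flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scans(log_text, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: {"first_seen": str, "ports": [...]}} for every source that
    touched at least `threshold` distinct ports within any `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (timestamp, port) still inside the window
    alerts = {}
    for ts, src, _dst, port in events:
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": str(q[0][0]), "ports": sorted(distinct)}
    return alerts


if __name__ == "__main__":
    for label, win in (("10 s window", 10), ("5 min window", 300)):
        print(label)
        for src, info in detect_scans(SAMPLE_LOG, window_seconds=win).items():
            print(f"  port scan from {src} starting {info['first_seen']}: {info['ports']}")
```

With the default ten-second window only 10.0.0.5 is reported; with a five-minute window the slow scanner 10.0.0.9 is caught as well, at the price of more state per source and a higher false-positive risk for busy legitimate clients.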
Modern intrusion methods exploit software and hardware weaknesses simultaneously. A well-known example is an attack on the address table of a network switch, often carried out with forged ARP packets and commonly grouped together with ARP poisoning. An attacker who has already gained access to a host on a subnetwork sends a flood of frames with forged source addresses through its interface. Once the switch's address table overflows, the switch falls back to hub-like behaviour and forwards frames to every port, so every host on the subnetwork can see all traffic, including packets addressed to other hosts. ARP poisoning proper reaches a similar goal differently: the attacker answers address resolution protocol (ARP) requests with its own hardware address on behalf of the gateway or of a victim, so that the victims' traffic is sent through the attacker's host. In either case the traffic can then be analysed by the attacker to obtain passwords or other data. Therefore, to detect modern, multi-level intrusions, a single probe is not enough (Symantec Internet Security Threat Report, Volume III, 2005).
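The two layer-2 attacks described above leave two different traces, and the paragraph's point is that both have to be watched. The following is an added example, not code from this chapter or from any product it cites: it runs an arpwatch-style check for an IP address that changes its hardware address, and a check for a burst of distinct source MACs on one switch port, over constructed records rather than live traffic. The addresses, timings and the threshold of 100 MACs per second are assumptions made for the example.

```python
"""Two detectors for layer-2 attacks on a switched subnetwork (added example)."""
from collections import defaultdict

# Constructed ARP replies seen on the segment: (seconds, sender IP, sender MAC).
# After the real gateway and a workstation have answered, a third MAC starts
# answering for both IP addresses, which is the signature of ARP poisoning.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    (1.0, "10.0.0.20", "00:11:22:33:44:20"),  # real workstation
    (5.0, "10.0.0.1", "00:11:22:33:44:99"),   # attacker claims the gateway IP
    (6.0, "10.0.0.20", "00:11:22:33:44:99"),  # ... and the workstation IP
    (7.0, "10.0.0.30", "00:11:22:33:44:30"),  # unrelated, consistent host
]

# Constructed frames seen on one switch port: (seconds, source MAC).
# A few normal frames, then 300 frames with distinct forged source MACs
# within one second, the pattern that overflows a switch's address table.
FRAMES = [(0.5, "00:11:22:33:44:20"), (1.2, "00:11:22:33:44:20"), (2.0, "00:11:22:33:44:01")]
FRAMES += [(10.0 + i / 1000, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)]


def detect_arp_spoof(replies):
    """Flag every ARP reply that binds an IP address to a MAC other than the
    one first seen for it (the 'flip flop' that arpwatch-style tools report)."""
    binding = {}
    alerts = []
    for ts, ip, mac in replies:
        known = binding.setdefault(ip, mac)   # remember the first binding seen
        if known != mac:
            alerts.append({"time": ts, "ip": ip, "expected": known, "seen": mac})
    return alerts


def detect_mac_flood(frames, threshold=100):
    """Return the one-second buckets in which more than `threshold` distinct
    source MACs appeared on the port; a real switch port rarely sees more
    than a handful."""
    per_second = defaultdict(set)
    for ts, mac in frames:
        per_second[int(ts)].add(mac)
    return sorted(sec for sec, macs in per_second.items() if len(macs) > threshold)


def correlate(replies, frames):
    """Combine both signals so a multi-stage intrusion (flood the switch,
    then poison ARP caches) is reported as one event rather than two noises."""
    spoof = detect_arp_spoof(replies)
    flood = detect_mac_flood(frames)
    return {"arp_spoof": spoof, "mac_flood": flood, "multi_stage": bool(spoof and flood)}


if __name__ == "__main__":
    report = correlate(ARP_REPLIES, FRAMES)
    for a in report["arp_spoof"]:
        print(f"t={a['time']}: {a['ip']} moved from {a['expected']} to {a['seen']}")
    print("flood seconds:", report["mac_flood"], "multi-stage:", report["multi_stage"])
```

Keeping the first-seen binding (rather than the latest) is deliberate: an attacker's forged reply must not silently become the new expectation, though in practice the table should be seeded from a known-good inventory instead of from the first packet observed.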
Key Terms in this Chapter
Peer-to-Peer (P2P) Model: A communication model in which every node has the same authority and the same communication capability. The nodes create a virtual network overlaid on the Internet and organize themselves into a topology for data transmission. Each peer provides services that the others can use, and each peer sends requests to the other peers.
Overlay Network: The virtual network formed by the logical connections of applications running on hosts (see Application Level Network). The applications that create it work together and usually follow the P2P communication model.
Hub: A hardware device used to connect several hosts on a network. It repeats every received network packet to all connected hosts, not only to the destination. It is simpler in design than a network switch, but it provides less security.
Data Integrity: The integrity of a computer system means that the host behaves and works as its administrator intended. Data integrity must therefore be monitored continuously.
Security Policy: A set of rules of conduct that also states what users and administrators may expect from, and must provide for, the accessibility of the computer system. It should be drawn up before a medium- or large-sized computer network is put into operation.
Security Management: Estimating in advance the damage that a given attack would cause, so that one can decide whether a particular security investment, such as buying new devices or training employees, is worthwhile.
Client/Server Model: A communication model in which one hardware or software entity (the server) has more functionality than the other (the client), and the client is responsible for initiating and closing the communication session with the server. Usually the server provides services that the client requests from it. Its alternative is the P2P model.
Switch: A hardware device used to connect several hosts on a network. It forwards every received network packet only to the interface of the destination given in the packet header. Switches are more secure than network hubs.
Firewall: A host or router that provides a strict gateway to the Internet for a subnetwork, inspecting traffic and dropping network packets that violate its rules.
Application Level Network (ALN): Applications running on hosts can create a virtual network out of their logical connections; this is also called an overlay network. The operation of such software entities cannot be understood without knowing their logical relations. In most cases the ALN software entities communicate using the P2P model rather than the client/server one.