The one-two punch against online intruders

These days, companies often feel as though they are at war with an unseen enemy that comes in many shapes.

  • Viruses that come in through seemingly innocent e-mail attachments and end up destroying valuable (and sometimes irretrievable) applications and files.
  • Denial-of-service attacks that virtually shut down businesses by flooding servers with bogus queries.
  • Ordinary port scans, ping sweeps, and packet sniffers turned into reconnaissance tools for probing network weaknesses in order to launch attacks.

Patrick Henry once said, "The battle . . . is not to the strong alone; it is to the vigilant, the active, the brave." His words seem appropriate for companies trying to combat hackers.

Assailants who operate in the anonymity of cyberspace may seem like a superior force to small companies, not only because the attacks are so random, varied and devastating, but also because smaller companies do not have an army of technical staff and security experts to defend them.

However, in keeping with Henry's admonition, vigilance can overcome a seemingly stronger adversary, especially in the case of network security. With the right combination of complementary security measures, even if an attack is able to bypass one access point, overlapping layers ensure that it will be stopped by another mechanism.

Complementary crime stoppers

If a corporate network is like a house, a firewall is like the door locks on the perimeter that admit only users who have been given keys (authorization) to get in. An intrusion detection system (IDS) is like a surveillance camera and motion sensor that can be set up anywhere in the house to detect irregular, unapproved activity and generate an armed response.

The primary function of a firewall is to control access to services and hosts. If a service or connection to a specific host is permitted, firewalls typically do not inspect the content. An example is public access to a Web server on a DMZ. ("DMZ" is jargon for a small part of an internal network that is opened up to external access by putting it in a kind of demilitarized zone buffer.) All connection requests to the Hypertext Transfer Protocol (HTTP) port on the Web server will be permitted by the firewall, including malicious traffic directed at the HTTP server. However, an intrusion detection system will catch this activity.

Similarly, firewalls typically will not protect against attacks originating inside the network or entering from other ingress points not protected by firewalls, for example, remote access servers. In contrast, an IDS can be deployed anywhere on the network to monitor internal as well as external activity.

What a firewall does

A firewall is designed to sit at the perimeter of the network and receive and transmit authorized data as well as filter out unauthorized packets.

The challenge with a firewall is to get the right amount of security without imposing unacceptable limitations on internal users or unnecessary management complexity. Because a firewall does high-volume packet inspection, it must also be extremely fast and efficient, so that this extra layer of protection doesn't noticeably slow network performance.

In addition, the firewall itself must be resistant to attack so that hackers can't penetrate the network by simply taking control of the firewall.

What a firewall includes

A firewall implements two primary security measures:

  • Access Control Lists (ACLs) are lists of permitted and prohibited addresses that allow transmissions to be accepted or rejected based on their origin or destination.
  • Network Address Translation (NAT) is a service that re-addresses data packets as they pass through the firewall. NAT offers two very important values to small companies. First, it simplifies address management by allowing administrators to assign a single external address for all internal users. Second, it masks the true addresses of internal computers and servers from the outside world.

Some firewalls also feature Port Address Translation (PAT) and a built-in Dynamic Host Configuration Protocol (DHCP) server, which will automatically assign network addresses to all internal computers when they are powered on. This is an important feature for small companies that want to simplify administration of their security systems.
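As an added illustration of the NAT and PAT behaviour described above (example code, not from the article or any vendor), the toy translation table below fronts every internal host with one external address; the addresses and ports are constructed sample values.

```python
# Added example, not from the article: a toy NAT/PAT table. One external address
# (constructed, from TEST-NET-3) fronts every internal host; internal addresses
# never appear on the outside, and an inbound packet with no mapping has nowhere to go.
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.10"   # the single public address assigned to the company


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pat:
    """Port Address Translation: (internal ip, port) <-> (EXTERNAL_IP, external port)."""

    def __init__(self, first_port: int = 40000) -> None:
        self.next_port = first_port
        self.out = {}    # (internal ip, internal port) -> external port
        self.back = {}   # external port -> (internal ip, internal port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the network so it carries the external address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:          # first packet of this flow: allocate a port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        # Two hosts may use the same internal port; the distinct external port keeps
        # their flows apart, which is why many hosts behind one address need PAT.
        return Packet(EXTERNAL_IP, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Map a reply back to the internal host, or None if no host opened that port."""
        key = self.back.get(pkt.dst_port)
        if pkt.dst_ip != EXTERNAL_IP or key is None:
            return None                  # unsolicited: no internal address to deliver to
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```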

Different types of firewalls

Several different types of firewalls are available today, including packet-filtering firewalls, application-level gateways, and stateful inspection firewalls. In general, packet-filtering and application-level gateways offer more sophisticated security but come at a higher cost, including more complex administration and a greater impact on network performance.

A stateful inspection firewall analyzes packets in terms of sessions. If an incoming transmission appears to be a legitimate reply to a previous request from inside the network, the firewall allows it to pass. This approach allows relatively unrestricted transmission from inside the network, and selective but flexible access from the outside. In conjunction with simple ACLs, stateful inspection provides easily administered protection that requires substantially less processing power than other solutions.
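The following toy filter is an added example (not the article's or any product's code) of stateful inspection combined with a simple ACL as just described: connections opened from inside create session state, their replies are permitted, and unsolicited outside traffic is denied unless an ACL entry publishes the service. The internal range and the DMZ Web server address are constructed.

```python
# Added example, not from the article: a toy stateful inspection firewall with a
# simple ACL. Requests opened from inside create session state, their replies are
# permitted, unsolicited outside traffic is denied unless an ACL entry publishes the
# service (constructed here as a Web server on the DMZ).
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."              # constructed internal address range
ACL_PERMIT_INBOUND = {("10.0.0.5", 80)}   # DMZ Web server: outside may open HTTP to it


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # opening a connection
    fin: bool = False   # closing it


class StatefulFirewall:
    def __init__(self) -> None:
        self.sessions = set()   # 4-tuples (src_ip, src_port, dst_ip, dst_port) of open flows

    def filter(self, pkt: Packet) -> str:
        from_inside = pkt.src_ip.startswith(INSIDE_PREFIX)
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if from_inside and pkt.syn:
            self.sessions.add(fwd)           # inside may open connections freely
            return "PERMIT"
        if fwd in self.sessions or rev in self.sessions:
            if pkt.fin:                      # simplification: forget the flow on first FIN
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "PERMIT"                  # legitimate reply or continuation of a session
        if not from_inside and pkt.syn and (pkt.dst_ip, pkt.dst_port) in ACL_PERMIT_INBOUND:
            self.sessions.add(fwd)           # published service, tracked like any other flow
            return "PERMIT"
        return "DENY"                        # no session state and no ACL match
```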

Ideally, any firewall should offer Web-based management, which makes a firewall much easier to configure, monitor, and troubleshoot.

Different types of intrusion detection

There are two basic types of intrusion detection systems — host-based and network-based.

Host-based systems, which, as the name implies, reside on and use the resources of a host computer, are used to protect critical servers. Network-based IDSs are dedicated platforms that analyze network packet headers to make security decisions based on packet source, destination, and type. They also analyze packet data to make decisions based on the actual data being transmitted.

What an IDS includes

An IDS monitors the network through one or more sensors deployed strategically in the network. The sensors analyze captured packets and compare them against typical intrusion activities known as "signatures." If the captured packets match a defined intrusion pattern, the sensor sends an alarm.

An IDS device should have a comprehensive signature list for detecting attacks in all of the following categories:

  • Exploits: activity indicative of someone attempting to gain access to or compromise systems on the network.
  • Denial of Service: activity indicative of someone attempting to consume bandwidth or computing resources to disrupt operations.
  • Reconnaissance: activity indicative of someone attempting to probe or map the network to identify targets of opportunity for attack.
  • Misuse: activity indicative of someone attempting to violate corporate policy.

Companies should also be able to create their own signatures for immediate defense against certain attacks, such as detecting e-mail attachments with a particular file extension.
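As an added example (not the article's or any vendor's code) of the sensor model described above, the toy sensor below compares packets against a constructed signature list covering the four categories, including a company-defined Misuse signature for mail attachments with a forbidden file extension; the signatures, thresholds and sample packets are all constructed.

```python
# Added example, not from the article: a toy passive sensor with a constructed
# signature list (header and payload criteria) plus simple volume-based rules.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    category: str                      # Exploit, Denial of Service, Reconnaissance, Misuse
    dport: Optional[int] = None        # header criterion: destination port
    pattern: Optional[bytes] = None    # payload criterion: regex over the raw bytes

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.pattern is None or re.search(self.pattern, pkt.payload) is not None


SIGNATURES = [   # constructed patterns; a real sensor ships with a vendor list
    Signature("oversized HTTP request line", "Exploit", 80, rb"^(GET|POST) /\S{512,}"),
    Signature("blocked attachment extension", "Misuse", 25,    # company-defined signature
              rb'filename="[^"]+\.(exe|vbs|scr)"'),
]


class Sensor:
    """Passive: inspects copies of packets and reports alarms; never emits traffic."""
    SCAN_PORTS = 10       # distinct ports probed from one source -> Reconnaissance
    FLOOD_PACKETS = 100   # packets from one source to one host -> Denial of Service

    def __init__(self) -> None:
        self.ports_seen = defaultdict(set)   # src -> set of destination ports
        self.volume = defaultdict(int)       # (src, dst) -> packet count

    def inspect(self, pkt: Packet) -> list:
        fired = [(s.category, s.name) for s in SIGNATURES if s.matches(pkt)]
        self.ports_seen[pkt.src].add(pkt.dport)
        if len(self.ports_seen[pkt.src]) == self.SCAN_PORTS:
            fired.append(("Reconnaissance", "port scan from " + pkt.src))
        self.volume[(pkt.src, pkt.dst)] += 1
        if self.volume[(pkt.src, pkt.dst)] == self.FLOOD_PACKETS:
            fired.append(("Denial of Service", "flood against " + pkt.dst))
        return fired
```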

Sensors are completely passive and do not generate packets or add overhead to the network (with the exception of response mode to terminate a session). A properly configured and installed sensor cannot be compromised because the monitoring interface cannot be detected and malicious packets cannot be directed at it. The interface does not have either a protocol stack or an IP address and is not susceptible to "anti-sniff" detection techniques.

Sensors can be placed anywhere in the network. Typical deployment choices for small companies include:

  • Internal network segments where critical resources are located.
  • In front of a firewall.
  • Behind a firewall.
  • Behind a dial-up modem server.
  • On an extranet connection.
  • On a DMZ.