Detection systems require tuning

Intrusion detection is the latest tool for network security, but feds who have tried it find it far from simple.

'It's easier said than done,' said Cheryl Ledbetter, information systems security officer for the Transportation Department's Transportation Administrative Services Center. 'You've got to know what you're looking for. Then you've got to look for it.'

Ledbetter and other government security officials spoke last week at a Washington conference on intrusion detection systems.

'IDS is the buzzword of the day,' said Dara Murray, director of computer security for the National Science Foundation.

'We were hacked,' she said, so installing intrusion detection was the top priority when she started her job several months ago. 'You really have to know your environment,' she said.

TASC, which supplies Transportation's backbone, discovered that installing an intrusion detection box and turning it on didn't help much. It was necessary to know the entire network and its changing traffic, understand what was normal, and decide what constituted evidence of an intrusion or attempted intrusion.

Plus, keeping an eye on the results eats a lot of resources, Ledbetter said, especially for an agency short on experienced security people.

If she were doing it over at TASC, 'I'd consider outsourcing it,' she said. That was what NSF decided to do.

'We just didn't have the expertise in-house to monitor our networks,' Murray said. NSF contracted with NetSec Technologies Inc. of Herndon, Va., for round-the-clock intrusion detection. But that did not eliminate the agency's responsibilities.

To write a statement of work, 'you have to understand what you really want,' Murray said. The network has to be documented and its vulnerabilities assessed. The agency must decide what needs to be protected and what doesn't.

'We're not really sure what our environment is because we're just getting our IDS off the ground,' Murray said.

The next problem is that intrusion detection systems can overwhelm security officials with reports.

Deluge of data

'You don't want to get too much, because the more you have, the less people are going to look at it,' said Steven Shields, network security officer for the Coast Guard's Telecommunications and Information Systems Command.

Probes by potential intruders occur almost constantly. When the Coast Guard recently brought up a new network, 'within 15 minutes we had a probe,' Shields said.

The IDS could also bog down the network, said Barton Abbott, Raytheon Co.'s director of information assurance for the Navy-Marine Corps Intranet project.

'You have to tune your systems, or you're going to get flooded,' he said. 'You can create a service denial attack on your own system by setting the intrusion threshold too low.'
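The threshold problem Abbott and Shields describe can be shown with a small detection rule run over sample traffic. The following is an added example, not code from the article or from any of the agencies or vendors it names; the connection records and the simple "distinct hosts and ports contacted per source" heuristic are constructed for illustration. It derives a threshold from traffic already judged normal (Ledbetter's "understand what was normal") and compares the alert volume against a threshold set too low.

```python
from collections import defaultdict

# Constructed connection records in a made-up "src -> dst:port" format; not from any real network.
# Internal clients doing ordinary web, mail and DNS traffic (treated as the known-normal baseline).
NORMAL_LOG = """\
10.0.0.5 -> 10.0.1.10:80
10.0.0.5 -> 10.0.1.10:443
10.0.0.5 -> 10.0.1.20:53
10.0.0.6 -> 10.0.1.10:443
10.0.0.6 -> 10.0.1.20:53
10.0.0.7 -> 10.0.1.30:25
10.0.0.7 -> 10.0.1.20:53
10.0.0.7 -> 10.0.1.10:80
"""

# One external source (documentation address range) touching many ports on one host: a probe.
SCAN_LOG = """\
192.0.2.99 -> 10.0.1.10:21
192.0.2.99 -> 10.0.1.10:22
192.0.2.99 -> 10.0.1.10:23
192.0.2.99 -> 10.0.1.10:25
192.0.2.99 -> 10.0.1.10:80
192.0.2.99 -> 10.0.1.10:110
192.0.2.99 -> 10.0.1.10:143
192.0.2.99 -> 10.0.1.10:443
"""


def parse_log(text):
    """Parse the constructed log format into (src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, _, rest = line.partition(" -> ")
        dst, _, port = rest.rpartition(":")
        records.append((src, dst, int(port)))
    return records


def targets_per_source(records):
    """Count distinct (destination host, port) pairs each source has contacted."""
    seen = defaultdict(set)
    for src, dst, port in records:
        seen[src].add((dst, port))
    return {src: len(pairs) for src, pairs in seen.items()}


def alerts(records, threshold):
    """Flag every source that contacted more than `threshold` distinct targets."""
    counts = targets_per_source(records)
    return sorted(src for src, n in counts.items() if n > threshold)


def baseline_threshold(known_normal_records, margin=2):
    """Set the threshold from observed normal traffic: busiest normal host plus a safety margin."""
    counts = targets_per_source(known_normal_records)
    return max(counts.values(), default=0) + margin


if __name__ == "__main__":
    everything = parse_log(NORMAL_LOG + SCAN_LOG)
    # A threshold picked without looking at the network: nearly every host trips it.
    print("threshold=1:", alerts(everything, 1))
    # A threshold derived from the baseline: only the probing source trips it.
    tuned = baseline_threshold(parse_log(NORMAL_LOG))
    print(f"threshold={tuned}:", alerts(everything, tuned))
```

With the untuned threshold, every internal client is reported alongside the probe, which is the flood Abbott warns about; with the baseline-derived threshold, only the external source is flagged. Real baselines change as the network does, so the derivation step has to be repeated, which is the ongoing tuning and monitoring cost the officials describe.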
