A first line of defense against a computer attack is the firewall. Firewalls, either
network based or host based, are configured to allow or deny connections into or out
of their perimeter according to the protected entity's security policy. The policy states what
types of connections are allowed into or out of the entity. However, when a network
service such as SSH must be offered, the firewall must be configured to allow connections
to that service, so the firewall alone cannot stop a dictionary attack against it. What
is needed is an application that can detect a dictionary attack and dynamically apply
firewall blocking rules against the source of the attack. Such solutions already exist.
The following is a short list of available applications that offer protection against the
SSH dictionary attack:
- Snort Intrusion Detection System
- DenyHosts application program
- OpenSSH timelox software patch
- SSHD_Sentry application program
These applications detect SSH dictionary attacks against a local host and
can be configured and/or modified to automatically apply firewall blocking
rules on the local host against the source of the attack.
Classically, firewalls and access control mechanisms are implemented as
static protection mechanisms. The rules are configured from the security
policy for the host or network that these devices protect, and they
remain constant unless the security policy changes. Intrusion detection
is technology designed to monitor hosts and/or networks against configurable
rules and specifications. Once abnormal activity is observed, the system
sends an alert to the system administrator, and it is the administrator's
responsibility to act on the alerts received from the detection system.
Unfortunately, the response time of human administrators is too slow compared
to the speed of modern attacks. As a result, research in the field of intrusion
detection has begun to focus on the concept of Active Response: detection
systems dynamically responding to attacks in real time without the need for
human intervention. Indeed, the detection tools listed in this section are
simple mechanisms that offer active response by dynamically blocking access
to servers from the sources of SSH dictionary attacks. However, a distributed
solution that disseminates the detection information and security policy to
participating neighbors can offer greater security by way of preemptive and
proactive protection.
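To make concrete what the tools listed above (DenyHosts, SSHD_Sentry and the like) do, and what "active response" means in practice, here is an added example that is not code from the original post or from any of those projects. It parses the "Failed password" lines that OpenSSH's sshd writes to the auth log, counts failures per source address inside a sliding time window, and emits a host-firewall block rule the first time a source crosses a threshold. The log lines, the threshold and window values, the year assumed for syslog timestamps, and the nftables table and set names (`inet filter` / `ssh_blocklist`) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" lines that OpenSSH's sshd writes to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth-log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 10:00:03 host sshd[1236]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Mar 12 10:00:04 host sshd[1237]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 12 10:00:05 host sshd[1238]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar 12 10:00:06 host sshd[1239]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 12 10:00:07 host sshd[1240]: Failed password for root from 203.0.113.7 port 51242 ssh2
"""


def block_rule(ip):
    """Return the firewall rule that would block the source. The table and set
    names (inet filter / ssh_blocklist) are assumed; adjust them for the host."""
    return f"nft add element inet filter ssh_blocklist {{ {ip} }}"


class DictionaryAttackDetector:
    """Sliding-window counter of failed SSH logins per source address.
    Hypothetical design, loosely modelled on the DenyHosts approach."""

    def __init__(self, threshold=5, window_seconds=600, year=2024):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.year = year                     # syslog stamps carry no year; assumed
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def parse(self, line):
        """Return (timestamp, user, source_ip) for a failed-password line, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["user"], m["ip"]

    def feed(self, line):
        """Process one log line. Returns a block rule the first time a source
        reaches the failure threshold inside the window, otherwise None."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, _user, ip = parsed
        if ip in self.blocked:               # already handled; emit no duplicate rule
            return None
        recent = self.failures[ip]
        recent.append(ts)
        # Expire failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
            return block_rule(ip)
        return None


def process_log(text, threshold=5, window_seconds=600):
    """Run the detector over a whole log and return the rules it would apply."""
    det = DictionaryAttackDetector(threshold, window_seconds)
    rules = []
    for line in text.splitlines():
        rule = det.feed(line)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in process_log(SAMPLE_LOG):
        print(rule)   # a deployment would hand this to the firewall instead of printing it
```

On the sample log, 203.0.113.7 reaches five failures within the window and a single block rule is produced for it; 198.51.100.9 fails once and is left alone. The detector only returns the rule string; wiring it to the firewall (and deciding how long a block should last, and whether to exempt management addresses) is the deployment decision that tools like DenyHosts make configurable.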