Bro: A System for Detecting Network Intruders in Real-Time - Essay Example

Summary
The paper "Bro: A System for Detecting Network Intruders in Real-Time" highlights that the real-time full recordings of the network threats enable the owners of the network to be in a state of constant lookout for any further intrusion threats, thus helping to keep the system more secure…

Extract of sample "Bro: A System for Detecting Network Intruders in Real-Time"

Bro: A System for Detecting Network Intruders in Real-Time

Grade (March. 22,

A short overview of the article

The increase in internet connectivity has brought with it greater chances of network intrusion. In response, different systems have been developed to help address this danger to network privacy. Several types of security systems have been developed to address network intrusion, with the host audit being the most common, and now the stand-alone real-time monitoring systems that detect a network intrusion and report it in real time. Bro is one such system, developed to monitor network intrusion and generate notifications of detected intrusions in real time (Paxson, 1999). The Bro system therefore works to defeat the network intrusion problem by combining a variety of features into a system for identifying and reporting network intrusion traffic in real time.

The notable feature of the Bro system is its combination of high-speed and large-volume monitoring, such that the system monitors traffic flow at speeds of up to 100 Mbps (Paxson, 1999). Further, the system prevents packet filter drops, which would in turn increase the risk of intrusions going undetected, by ensuring that the packet filters do not run out of buffer. In addition, the system takes into consideration the need to be easily extended with new knowledge about newly arising threats to networks. However, the greatest shortcoming of the Bro system of network intrusion monitoring is that it does not seek to create an airtight network security system, but instead emphasizes monitoring and detecting, as opposed to blocking and averting intrusions (Paxson, 1999).
A description of the chosen aspect

Real-time notification is the aspect of the Bro network intrusion security system that has been chosen. The real-time notification concept works towards ensuring that an intrusion detected on the network where the Bro system has been installed is reported immediately and in real time (Paxson, 1999). This process works through the establishment of a timing system that generates notifications of any connection establishment attempt, which is then reported based on the nature of the attempt identified by the Bro script-writing language. The language has been specified such that it finds some connection establishment attempts suitable, based on the security policy that has been set to allow such connections, while finding other attempts unacceptable under the security policy and thus classifying them as intrusions. It is these connection attempts classified as intrusions that the Bro system uses to generate real-time notifications, alerting the authorized user of the system to the possibility of a network intrusion attempt on the host server of the system (Paxson, 1999). This timing system has been applied in order to avoid lengthy delays before a possible intrusion on the network is reported, despite its having been detected in good time.

Why do you like or dislike this aspect of Bro systems design?

The reason I like the real-time aspect of the Bro system is that it has taken caution against delayed reporting of a possible intrusion on the network, thus allowing for immediate action by the authorized user of the network. The real-time concept of the Bro system serves to generate real-time notifications both on the attempted connection establishment to the network, and the source of that attempted connection (Paxson, 1999).
In this respect, the authorized user of the network can easily take the remedial action of identifying the source of the intrusion and clarifying the real identity of the intrusion threat. This way, it becomes possible for the authorized network user to proceed with the necessary action, such as tracing back the attacker and reporting them in good time. The authorized user of the system can easily react by telephoning the site from which the network intrusion threats are coming, notifying the source that the potential intrusion has been noticed, which would in turn help to make the intruders stop. Thus, while the Bro system does not work towards averting the threats that might be targeted at a given network in an airtight manner, it works towards enabling immediate action by the owners of the network in realizing and acting against the possible threats (Paxson, 1999). This way, the network applying the Bro security system is guaranteed to recognize and react to the larger amount of network threats that might be targeted at the system, leaving the system exposed to only minimal threats of intrusion.

Why does this aspect impress you the most?

The most impressive thing about the real-time aspect is that it does not only allow the network owners to react fast towards averting possible intrusion, but also enables the owners of the network to trace the source of the possible intrusion threat in real time (Paxson, 1999). This characteristic of the system is impressive because, unlike the traditional network intrusion detecting systems that blocked the possible intrusion to a network, this system does not block the intrusion, but rather allows the network owners to react to the intrusion.
The importance of allowing the network owners to react to the threat of intrusion in real time is that the system owners are able to prevent further break-ins into the network by the particular intruders, by helping to identify, report or telephone them and ask them to stop (Paxson, 1999). This means that the intruders are forced either to seek alternative strategies for attack or to create new channels for attack, something that is cumbersome and inefficient for the intruders. In addition, the real-time aspect of the Bro system helps to ensure that the damage that can be caused by the intruders is minimized, since with real-time detection of a possible intrusion, the intrusion can be reacted to and stopped before it has caused any meaningful damage to the network (Paxson, 1999). Further, as opposed to the traditional network intrusion guard systems that merely block an intrusion to a network, the Bro system allows for easier tracking and record keeping of the intrusion threats, as opposed to only tracing them when the threat has already been blocked. The real-time full recordings of the network threats enable the owners of the network to be in a state of constant lookout for any further intrusion threats, thus helping to keep the system more secure. Further, the Bro system offers the combined advantage of real-time threat detection and the maintenance of extensive permanent logs of network activity, which can also be acted upon by tracing them months back (Paxson, 1999).

To what extent does this aspect enhance or deepen your understanding about security and management?

The real-time aspect of the Bro system has created a great insight into the need for immediate reaction to a possible network intrusion threat.
While the blocking of the threats might help to constantly avert and keep away such threats, it is the real-time and immediate reaction to a threat that makes the work of the intruders difficult, by making them know that their attempts to intrude on the system have been detected, and causing them either to stop the attempts or to change tactics and channels of attack, which is highly inefficient for the intruders (Paxson, 1999). In addition, the Bro real-time aspect of threat notification has created insight into the need for constant monitoring of the network system. It is through the constant monitoring that the actual changes in the intruders' tactics, channels and knowledge of intrusion can be created, as opposed to blocking the threats and tracing them back months later.

Reference

Paxson, V. (1999). Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24), 2435-2463.