Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each other's contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firm's environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.
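The trade-offs the abstract describes (a firewall whose optimal configuration is looser when an IDS sits behind it, and a combined deployment that can do worse than a single well-tuned technology) can be illustrated with a toy expected-cost model. The following is an added example, not code or a model from the paper: the cost parameters, the ROC curve shapes, and the series-deployment assumption (the IDS only inspects traffic the firewall admits) are all constructed assumptions, and the numbers it produces belong to this toy model, not to the paper's analysis.

```python
"""Toy expected-cost model for tuning a firewall and an IDS, alone and together.

ASSUMED ILLUSTRATION, not the paper's model: each technology has one strictness
knob q in [0, 1] that is also its false-positive rate, and a concave ROC curve
d(q) = q ** (1 / k) gives its detection rate.  All costs are expected cost per day.
"""

# Constructed parameters (assumptions, not from the paper).
ATTACK_DAMAGE = 30.0    # expected damage per day if no attack is stopped
FW_BLOCK_COST = 20.0    # cost per day if all legitimate access were blocked
IDS_ALERT_COST = 10.0   # cost per day of investigating alerts if all benign traffic alerted
FW_ROC_K = 3.0          # ROC shape for the firewall
IDS_ROC_K = 5.0         # ROC shape for the IDS (a better detector than the firewall)

GRID = [i / 1000 for i in range(1001)]   # candidate settings, step 0.001


def detection_rate(q, k):
    """Concave ROC curve: detection rate as a function of the false-positive rate q."""
    return q ** (1.0 / k)


def cost_firewall_alone(q_f):
    d_f = detection_rate(q_f, FW_ROC_K)
    return ATTACK_DAMAGE * (1 - d_f) + FW_BLOCK_COST * q_f


def cost_ids_alone(q_i):
    d_i = detection_rate(q_i, IDS_ROC_K)
    return ATTACK_DAMAGE * (1 - d_i) + IDS_ALERT_COST * q_i


def cost_both(q_f, q_i):
    """Series deployment: the IDS only inspects traffic the firewall admits."""
    d_f = detection_rate(q_f, FW_ROC_K)
    d_i = detection_rate(q_i, IDS_ROC_K)
    undetected = (1 - d_f) * (1 - d_i)          # attacks missed by both layers
    benign_alerts = (1 - q_f) * q_i             # benign traffic admitted, then flagged
    return (ATTACK_DAMAGE * undetected
            + FW_BLOCK_COST * q_f
            + IDS_ALERT_COST * benign_alerts)


def argmin_on_grid(cost):
    """Setting in GRID with the lowest cost (first one on ties)."""
    return min(GRID, key=cost)


def optimize_alone():
    """Each technology tuned as if it were the only control in place."""
    return argmin_on_grid(cost_firewall_alone), argmin_on_grid(cost_ids_alone)


def optimize_jointly(max_rounds=100):
    """Coordinate descent on the grid: re-tune one device given the other until stable."""
    q_f, q_i = optimize_alone()
    for _ in range(max_rounds):
        new_f = argmin_on_grid(lambda q: cost_both(q, q_i))
        new_i = argmin_on_grid(lambda q: cost_both(new_f, q))
        if (new_f, new_i) == (q_f, q_i):
            break
        q_f, q_i = new_f, new_i
    return q_f, q_i


def compare():
    """Summarise the deployment options discussed in the abstract under this toy model."""
    qf_alone, qi_alone = optimize_alone()
    qf_joint, qi_joint = optimize_jointly()
    return {
        "firewall_alone": (qf_alone, detection_rate(qf_alone, FW_ROC_K),
                           cost_firewall_alone(qf_alone)),
        "ids_alone": (qi_alone, detection_rate(qi_alone, IDS_ROC_K),
                      cost_ids_alone(qi_alone)),
        # both deployed, but each keeps the setting that was optimal on its own
        "both_alone_settings": (qf_alone, qi_alone, cost_both(qf_alone, qi_alone)),
        "both_joint_settings": (qf_joint, qi_joint, cost_both(qf_joint, qi_joint)),
        "fw_detection_alone": detection_rate(qf_alone, FW_ROC_K),
        "fw_detection_joint": detection_rate(qf_joint, FW_ROC_K),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With these assumed parameters, deploying both technologies while keeping the settings each would choose on its own costs more than the IDS alone, because the firewall's blocking cost is paid in full while most of its detection value is duplicated by the IDS. Re-tuning jointly lowers the firewall's strictness (and hence its detection rate) well below its stand-alone optimum and brings the combined cost below either technology alone, which is the qualitative shape of the abstract's findings; the exact magnitudes depend entirely on the constructed cost and ROC parameters.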
