The ABCs of IDSs (Intrusion Detection Systems)
by Carolyn Meinel

You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe? Maybe not.

In 1998, a news story asserted that the firewall for the New York Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's network e-mailed reporters:

...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING. 0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE N3XT T1M3...

No one at the Times had noticed weeks' worth of activity by the Hacking for Girliez gang on their network. The intruders finally chose to go public by defacing the opening page of the paper's Web site, on the day the Times expected millions of visitors to view the Monica Lewinsky transcripts. Instead, visitors encountered soft porn and an ad for Lewinsky-scented cigars. Thanks to a cron job (that is, a Unix job that runs on a schedule), several attempts to eliminate the offensive index page failed, exposing yet more thousands of patrons to the Girliez' exploit. It took almost two weeks to eradicate the intruders' back doors from the New York Times' network. Damage was estimated at $1.5 million, and a grand jury is currently hearing testimony in the case.

All this might have been avoided had the Times been running a good enough intrusion detection system (IDS).

What Is an Intrusion Detection System?

Intrusions fall into two major classes. Misuse intrusions are attacks on known weak points of a system; an IDS looks for this type of attack by comparing network traffic with signatures of known attacks. The second class, anomaly intrusions, consists of unknown attacks and other anomalous activity. This may include detection of an intruder who is already inside a network.
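As an added illustration of the two classes just described (example code, not from the article or any product), here is a small host-log IDS in Python: a signature matcher for misuse detection, and a per-user profile of usual login hours for anomaly detection, the kind of distinction the article draws between a systems administrator and an administrative assistant both logging on at 2 a.m. The log format, user names, addresses and signatures are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample host logs (not from any real system); one event per line:
# "<date> <time> <host> <event> key=value ...".  HISTORY only teaches the profile.
HISTORY = [
    "2000-09-10 02:10:00 srv1 login user=susie src=10.0.0.7 result=ok",
    "2000-09-11 01:55:00 srv1 login user=susie src=10.0.0.7 result=ok",
    "2000-09-11 09:05:00 srv1 login user=artie src=10.0.0.21 result=ok",
    "2000-09-12 09:12:00 srv1 login user=artie src=10.0.0.21 result=ok",
]
TODAY = [  # the lines actually being inspected
    "2000-09-13 02:03:00 srv1 login user=artie src=10.0.0.21 result=ok",
    "2000-09-13 02:30:00 srv1 login user=susie src=10.0.0.7 result=ok",
    "2000-09-13 02:05:00 srv1 httpd src=192.0.2.9 method=GET path=/cgi-bin/../../../../etc/passwd",
]
# Misuse detection: patterns of known attacks, matched against every raw line.
SIGNATURES = [
    ("directory-traversal", re.compile(r"(\.\./){2,}")),
    ("passwd-file-request", re.compile(r"/etc/passwd")),
]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) ?(.*)$")

def parse(line):
    """Split a log line into timestamp, host, event name and key=value fields."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "host": m.group(2), "event": m.group(3), "fields": fields, "raw": line}

def misuse_alerts(lines):
    """Flag every line that matches a known-attack signature."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES:
            if pattern.search(rec["raw"]):
                alerts.append((name, rec["fields"].get("src", "?"), rec["time"]))
    return alerts

def login_hour_profile(lines):
    """Per-user set of hours at which successful logins normally occur."""
    profile = defaultdict(set)
    for rec in map(parse, lines):
        if rec["event"] == "login" and rec["fields"].get("result") == "ok":
            profile[rec["fields"]["user"]].add(rec["time"].hour)
    return profile

def anomaly_alerts(lines, profile, tolerance=1):
    """Flag logins more than `tolerance` hours (wrapping at midnight) from any usual hour."""
    alerts = []
    for rec in map(parse, lines):
        if rec["event"] != "login":
            continue
        user, hour = rec["fields"]["user"], rec["time"].hour
        usual = profile.get(user, set())  # unknown user: empty set, so always an alert
        if not any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual):
            alerts.append(("login-hour-anomaly", user, rec["time"]))
    return alerts

def run_ids(history, today):
    """Both detector classes over today's lines; the behaviour profile comes from history only."""
    return {"misuse": misuse_alerts(today),
            "anomaly": anomaly_alerts(today, login_hour_profile(history))}
```

Note that the signature rules fire on the request line no matter who sent it, while the anomaly rule fires for Artie's 2 a.m. login and stays quiet for Susie's, purely because of what the history taught it.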
Anomaly detection is hardly a plug-and-play function. It requires an intimate knowledge of one's network and patterns of user behavior, and an IDS with powerful scripting options.

The basic function of an IDS is to record signs of intruders at work and to give alerts. Depending on the product, how it is deployed and the network configuration, an IDS may only scan for attacks coming from outside one's network, or it may also monitor activities inside the network. Some also look for anomaly intrusions. This requires an IDS that can be extensively configured by the user to match the peculiarities of the network to be defended. When Susie the systems administrator is at work at 2 a.m., this may be her normal behavior. But when Artie the administrative assistant logs on to his workstation at 2 a.m., that is most likely an anomaly. An IDS that detects anomalies must be scripted to tell the difference between the two log-ons.

In the New York Times case, the intruders installed a number of "root kits" to hide themselves and open back doors. An installation process like this may be detected as an anomaly, if one can set up an IDS to tell the difference between installing a root kit and a legitimate program.

An IDS may include a feature to take automatic action when certain conditions occur, for example to page the systems administrator on call. Many IDSs are flexible enough that one can configure them to launch automatic attacks against suspected intruders, such as denial-of-service attacks. In many situations, this is illegal and inadvisable. And some IDSs are optimized to gather forensic data, including replaying an intruder's activity in real time.

Types of IDSs

IDSs fall into three main groups:

A network IDS uses network cards in promiscuous mode, sniffing all packets on each network segment. A typical network IDS consists of one or more sensors and a console to aggregate and analyze data from the sensors. It could include a system integrity verifier to look for evidence that key files may have been altered. A log file monitor may gather and analyze log files on many computers.

A host-based IDS looks only at packets addressed to the computer on which it resides and/or watches processes inside the host. Some host-based IDSs operate entirely independently. In other systems, each host-based IDS reports to a master system that evaluates their reports; this architecture would be a hybrid IDS.

A hybrid IDS combines a host IDS with a network IDS. Exactly how this works depends on the product, making a hybrid IDS hard to define.

Some IDSs offer scripting languages. This feature is crucial for those operating in a middleware environment and is essential for managing anomaly detection.

Personal firewalls with IDS functionality, a type of host-based IDS, are fast becoming popular. Their major market is people who fear that their home computers may be invaded by teen vandals. An Achilles heel of large enterprises is the employee who works from home or from a laptop while on the road. Personal firewalls can fill this gap. The problem is, they lack the ability to report intrusion activity to a network IDS console. Let's say Joe the salesperson has installed a pornographic screen saver. Can he be trusted to volunteer the information that his personal firewall reports that this application was infected by a back door?

What About Honeypots?

A honeypot simulates one or more vulnerable systems to tempt attackers to focus on an apparent easy kill. Once the honeypot has been invaded, it alerts the information security manager to the intrusion. A honeypot also protects other parts of a network by diverting attention to something that can't be harmed. Some honeypots can simulate many different computers. You can get an idea of what your attacker is after by seeing which apparent operating systems he or she ends up "owning."
Perhaps most important, a honeypot can collect forensic evidence. Even though an intruder may not do any damage, his or her actions on the honeypot can provide proof of criminal intent.

Characteristics of a Good IDS

If you are managing middleware, it's a sure bet that no single IDS vendor will be able to take care of all your needs. More than 150 commercial, freeware and shareware IDS products exist. So how do you choose which ones to use?

The Purdue University IDS research project has proposed the following evaluation criteria for an IDS:

- It must run continually without human supervision. The IDS must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box"; that is, its internal workings should be examinable from the outside.
- It must be fault-tolerant in the sense that it can survive a system crash and will not need its knowledge base rebuilt upon restart.
- It must be able to monitor itself to ensure that it has not been subverted.
- It must impose minimal overhead on the system.
- It must observe deviations from normal behavior (a.k.a. anomaly detection).
- It must be easily tailorable to the system in question. Every system has a different usage pattern.
- It must be able to adapt to changes in the system profile that occur over time.
- Finally, it must be difficult to fool.

Noted computer security expert Neil Buckley suggests some additional criteria:

- Timely signature updates.
- Signature accuracy.
- Capable, experienced support staff.
- Proven installations in complex environments.
- Integration with other monitoring frameworks and security devices.

The missing factor in most discussions of what makes a good IDS, however, is whether it can collect data that can be used in court against your attackers.

Forensics

Few businesses report computer crime. Often, it isn't even noticed. For example, "Are you Giving Away your Databases" shows how easy it can be to steal database information without the theft ever being discovered. Even when computer crime is noticed, and even when it is serious, most companies sweep it under the rug.

Steve Manning has considerable experience with computer forensics. Manning used to work for the Air Force Office of Special Investigations on computer crime, and currently he is the CEO of Securitygurus.com. He explains the reasons for this attitude: "They see going to law enforcement as long drawn out, nothing to gain. They fear stockholder or customer backlash if they learn of attacks. Or they don't see it as a major loss or don't have a staff trained in computer security."

The result? Today cyberspace is the Wild West, with essentially no law enforcement. This author has been approached with several requests to commit serious computer crime, for example, a lucrative request to obtain spreadsheets (the answer was NO!!!). One hacker has told the author that his two previous employers pressured him to steal competitors' customer databases (which is why they are ex-employers). So when you see persistent attacks, don't assume it is just some kid wanting to be a "haxor." It may well be your competitor. And you may never realize how much damage was done to you unless you bring the perpetrators to justice.

According to Manning, this free ride for criminal competitors may be coming to an end. "Today we are beginning to see an effort to formalize security and train staff." Once your company gets an IDS that can gather forensic data that will serve well in court, and knows how to use it, competitors had better be on their best behavior.

Standards

If you have a large, heterogeneous network, you may be unable to find a single-vendor IDS solution. In this case, you must be able to manage the reports of several different IDS products from more than one vendor.
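The multi-vendor aggregation problem just described, as an added example (not code from the article or from any vendor): alerts from two sensors with different output formats are normalized into one record shape in Python and then correlated by source address, so that a source flagged by both the network sensor and the host sensor surfaces as a single incident. Both sensors, their formats and every address are constructed for the example; sensor A's lines only imitate the style of Snort's one-line "fast" alert output, and the hypothetical host IDS format is invented here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from two imaginary sensors (not real product output). Sensor A writes
# one-line alerts in the style of Snort's "fast" format; sensor B, a hypothetical host IDS,
# writes key=value lines. Sensor A omits the year, which is assumed to be 2000.
SENSOR_A = [
    "09/13-02:05:12.431 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.9:3321 -> 10.0.0.3:80",
    "09/13-02:05:15.002 [**] [1:1292:1] ATTACK-RESPONSES directory listing [**] [Priority: 2] {TCP} 10.0.0.3:80 -> 192.0.2.9:3321",
    "09/13-03:40:00.000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Recon] [Priority: 3] {ICMP} 198.51.100.4 -> 10.0.0.3",
]
SENSOR_B = [
    "2000-09-13T02:06:40 hostids-srv1 HIGH src=192.0.2.9 dst=10.0.0.3 msg=login_failures_exceeded user=root count=14",
    "2000-09-13T02:09:02 hostids-srv1 HIGH src=192.0.2.9 dst=10.0.0.3 msg=new_setuid_binary path=/tmp/.x/ls",
]

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (\d)\] \{\w+\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?$")
KV_RE = re.compile(r"^(\S+) (\S+) (HIGH|MEDIUM|LOW) (.*)$")
SEVERITY_B = {"HIGH": 1, "MEDIUM": 2, "LOW": 3}  # mapped onto Snort's scale: 1 is most severe

def parse_sensor_a(line, year=2000):
    """Sensor A line -> common record, or None if the line is not an alert."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, name, prio, src, dst = m.groups()
    return {"time": datetime(year, int(mon), int(day), int(hh), int(mm), int(ss)),
            "sensor": "netids-a", "severity": int(prio), "name": name, "src": src, "dst": dst}

def parse_sensor_b(line):
    """Sensor B line -> the same common record shape."""
    m = KV_RE.match(line)
    if not m:
        return None
    ts, sensor, sev, rest = m.groups()
    kv = dict(p.split("=", 1) for p in rest.split())
    return {"time": datetime.fromisoformat(ts), "sensor": sensor, "severity": SEVERITY_B[sev],
            "name": kv["msg"], "src": kv.get("src"), "dst": kv.get("dst")}

def normalize(sources):
    """sources: list of (parser, lines). Returns all parsed records in time order."""
    events = [ev for parser, lines in sources for ev in map(parser, lines) if ev]
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window=timedelta(minutes=10), min_sensors=2):
    """Group records by source address and report each source that at least
    `min_sensors` distinct sensors flagged within `window` of one another."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["src"]:
            by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():  # evs keep the global time order
        sensors = {e["sensor"] for e in evs}
        if len(sensors) >= min_sensors and evs[-1]["time"] - evs[0]["time"] <= window:
            incidents.append({"src": src, "sensors": sorted(sensors), "first": evs[0]["time"],
                              "severity": min(e["severity"] for e in evs),
                              "names": [e["name"] for e in evs]})
    return incidents
```

Each new vendor format costs one more parser that emits the common record; the correlation step never has to change, which is the whole point of agreeing on a reporting format.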
IDS is a sufficiently recent trend in computer security that an industry standard for reporting intrusion incidents doesn't yet exist. Thus, managing the outputs from IDSs of several vendors can become a middleware nightmare. Two reporting standards are vying for acceptance. The Internet Engineering Task Force has proposed an XML-based reporting format, the Intrusion Detection Message Exchange Format (IDMEF). The other effort, the Common Intrusion Detection Framework (CIDF), has been funded by the Defense Advanced Research Projects Agency (DARPA) in response to U.S. Department of Defense concerns that no single IDS vendor can address the entire spectrum of attacks. In the meantime, systems administrators needing more than one IDS vendor to cover the complexities of their network have no easy solution to the problem of aggregating and correlating IDS data.

When All Else Fails

You've invested in the best firewalls, the best vulnerability scanners and the best IDSs. Yet some Sunday morning your IDS pages you to report that an anomaly has occurred: Someone has plastered "W3 0WN YOU" on your Web site. You can ease the pain if your company has taken advantage of the latest trend: IDS bundled with computer crime insurance. Some IDS vendors will vouch that their defenses are state-of-the-art and provide insurance at a less than ruinous rate.

Vendors of computer crime insurance include:

- Internet Security Systems (www.iss.net)
- Counterpane (www.counterpane.com)
- IBM Global Services (www.ibm.com)
- J.S. Wurzler Website Insurance & Security (www.jswum.com)
- Axent Technologies (www.axent.com)
- Insuretrust.com LLC (www.insuretrust.com)
- Ace Ltd. (www.acelimited.com)

IDS Products

Following is a partial list of the more widely used commercial and free IDS products. For more exhaustive lists, see www.networkintrusion.co.uk and www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html.
Each entry gives the company, the product, the operating system or hardware required, the type of IDS and a description.

Internet Security Systems (www.iss.net)
  Product: Real Secure
  OS required: Network sensor: Windows NT or Solaris. Host: Windows NT, Solaris, HP-UX, AIX
  Type: Hybrid
  Description: IDS pioneer and market leader. Vendor: "Suspicious activities trigger administrator alarms and other configurable responses ... specifically designed to lessen the workload of security administration ... integrates with leading network and systems management applications ... monitoring parameters easily adjust to different network situations ... readily configured from a central console."

Network Associates (www.pgp.com)
  Product: Cybercop Monitor
  OS required: Windows NT, Solaris
  Type: Hybrid
  Description: Vendor: "Not only watches data coming into your network devices; it also monitors traffic flowing out." Detects network-based and system-level attacks, coalesces events to suppress excess data and prevent denial-of-service attacks.

Network Ice (www.networkice.com)
  Product: Black Ice Sentry
  OS required: Windows NT
  Type: Network
  Description: Vendor: "Promiscuous agents that watch all network traffic for suspicious or hostile traffic directed against any device, from printers to notebooks to mainframes."

  Product: Black Ice Defender
  OS required: Windows 95/98, NT/2000
  Type: Host
  Description: Vendor: "The first corporate-strength security solution for home and small office users. It combines both firewall and intrusion detection in a single, easy-to-use package."

Network Security Wizards (www.securitywizards.com)
  Product: Dragon Sensor
  OS required: Appliance or Solaris
  Type: Network
  Description: Vendor: "Watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pages, e-mail messages, take action to stop the event and record it for future forensic analysis."

  Product: Dragon Squire
  Type: Host
  Description: "Looks at system logs for evidence of malicious or suspicious application activity in real-time. It also monitors key system files for evidence of tampering."

  Product: Dragon Server
  Type: Network
  Description: "Secure management of all Dragon Sensors and Dragon Squires ... aggregates all alerts into one central database."

Axent (www.axent.com)
  Product: NetProwler Professional
  OS required: Three-device appliance
  Type: Network
  Description: SC Magazine review: "A wide range of predefined operating system and application attack signatures that may be enabled for a single host or range of hosts. Customization of the attack-signature database is the most flexible we have seen to date, and there is even an Attack Definition Wizard to help with the process."

  Product: Intruder Alert
  OS required: Windows NT, most *nixes, Netware
  Type: Host
  Description: Vendor: "Gives you a full complement of tools to create new rules and apply new rules in near real-time."

SRI International (www.sdl.sri.com)
  Product: Emerald
  OS required: Solaris
  Type: Network
  Description: Free evaluation version. Vendor: scalable network surveillance; high-volume event analysis; lightweight distributed sensors; generic infrastructure and pluggable components; easy customization to new targets and specific policies.

Intrusion.com (www.intrusion.com)
  Product: SecureNet Pro
  OS required: Red Hat Linux
  Type: Network
  Description: Vendor: "100 Mbps ... capable of monitoring over 50 segments simultaneously ... has 100 percent defragmentation [capability], TCP session reassembly, stateful protocol decoding, active countermeasures and session playback." Powerful stealth ability.

  Product: Kane Secure Enterprise
  OS required: Windows NT workstation
  Type: Analysis of input from other IDSs
  Description: "Integrates audit and event data from a variety of sources, including Windows NT and Solaris servers and desktops, Cisco IOS routers, Check Point FireWall-1, ISS RealSecure and Cisco Secure IDS ... integration of data from a multitude of agents and proprietary systems ... tracks the activity, usage and behavioral patterns of individuals to build a statistical profile of each user."

  Product: Kane Security Monitor
  OS required: Windows NT
  Type: Analysis
  Description: "Centralized collection facility for event logs ... automated review of event logs for abuse patterns ... analyzes ... monitors ... event logs on thousands of NT servers and workstations."

Network Flight Recorder Inc. (www.nfr.net)
  Product: Network Flight Recorder (NFR)
  Type: Network
  Description: Vendor: "An NFR...sits and watches traffic pass and records what you told it to. A typical NFR system runs on a workstation or PC with a hard disk size based on how much data you want to retain...NFR is...end-user programmable...gather basic statistics, watch firewalls and track user activity."

  Product: Research Version
  Type: Network
  Description: Free. A configurable tool kit, not plug-and-play.

Snort (www.snort.org)
  Product: Snort
  OS required: Win32, Solaris
  Type: Network
  Description: Vendor: "A lightweight network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching ... real-time alerting capability."

En Garde Systems, Inc. (engarde.com)
  Product: T-sight
  OS required: Windows NT/2000
  Type: Network
  Description: Vendor: "The first Advanced IDS for Windows NT and Windows 2000. T-sight is not an automatic intrusion detection system ... it is specifically designed to ... investigate that activity and then take action to stop the attack (take over or terminate the connection)." Powerful forensics tool that has been used to put the attackers of a number of government systems behind bars.

Cisco (www.cisco.com)
  Product: Secure IDS Sensor (appliance); Secure IDS Director (Openview on Solaris or HP/UX)
  Type: Network
  Description: This product was formerly Wheel Group's Netranger. Vendor: "Secure IDS Sensors, which are high-speed network 'appliances,' analyze the content and context of individual packets to determine if traffic is authorized. If an intrusion is detected ... Secure IDS Sensors can detect the misuse in real-time, forward alarms to a Cisco Secure IDS Director management console for geographical display and remove the offender from the network."

  Product: CiscoSafe
  Description: Integrated package, including a firewall and IDS.

Anzen Computing (www.anzen.com)
  Product: Anzen Flight Jacket (AFJ)
  Hardware/OS required: Intel PIII 700 MHz, 256 MB, 18 GB HD, 10/100 or FDDI NIC; O/S: NFR IDA
  Type: Network
  Description: Vendor: "A user-programmable, real-time network monitoring system for intrusion detection and traffic analysis. It passively examines network traffic, identifying attacks, probes and other security-related events in real-time. Unlike other IDS solutions, AFJ uses a set of 'anomaly detection' filters, not signatures, as the main basis for attack recognition."

Cybersafe (www.cybersafe.com)
  Product: Centrax
  OS required: Windows NT/2000, Solaris, AIX
  Type: Hybrid
  Description: Vendor: "Provides detection and response for internal and external threats ... watching all user activity from accessing files to the movement of individuals through a corporation's network. Centrax includes host-based intrusion detection, network-based intrusion detection ... the only intrusion detection software to include ... network node intrusion detection."

GFI FAX & VOICE (www.languard.com)
  Product: LANguard
  OS required: Windows NT
  Type: Network
  Description: Vendor: "LANguard allows you to monitor internal network traffic and detect other computers running network sniffers."

CERT (www.cert.org)
  Product: ACID
  OS required: PHP-enabled Apache Web server
  Type: Processes IDS data
  Description: Free. Vendor: "ACID (Analysis Console for Incident Databases) is a PHP analysis engine to search and process a database of alerts generated by IDSs ... search interface for finding alerts matching practically any criteria."

Hiverworld (www.hiverworld.com)
  Product: To be announced
  Type: Network
  Description: Product to be announced at the October SANS 2000 Network Security conference. Will be able to monitor at gigabit Ethernet speeds.

Zone Labs (www.zonelabs.com)
  Product: Zone Alarm
  OS required: Windows 95/98/ME, Windows NT/2000
  Type: Personal firewall IDS
  Description: Free to individual users. While this product is primarily a firewall, it also alerts users to attacks and to attempts by applications on the host to connect with the Internet. By clicking on a pop-up button, users can see an analysis of each attack at the Zone Labs Web site.

Sygate Technologies (www.sygate.com)
  Product: Sygate Personal Firewall
  Type: Personal firewall IDS
  Description: SC Magazine review: "Basic IDS capabilities plus a personal firewall rolled into a single package."

Symantec (www.symantec.com)
  Product: Symantec Desktop Firewall 2.0
  Type: Personal firewall IDS
  Description: Vendor: Monitors "both inbound and outbound communications ... optimized for always-on broadband connections such as DSL and cable modems." Logs origins of attacks.

McAfee (www.mcaffee.com)
  Product: McAfee Personal Firewall
  OS required: Windows 95/98/NT, IE 4.0 or higher
  Type: Personal firewall IDS
  Description: Vendor: "Monitors all network activity and stops all known hacks, nukes, trojans and DOS attacks. Even if your PC is infected with a trojan, you will never lose control. Nothing enters or leaves your system without your permission."

Verizon Technology Organization (www.itsecure.bbn.com)
  Product: NetFacade
  OS required: Sun Ultra Sparc 5, Solaris 7
  Type: Honeypot
  Description: Vendor: "NetFacade only has to be concerned with traffic to its simulated hosts. A high level of data reduction and low rate of false-positive type incidents since all NetFacade traffic is suspicious. No limit on the number and types of detected attacks, including new and unknown. Distraction of attackers away from the real hosts."

Fred Cohen & Associates
  Product: Deception Toolkit (DTK)
  OS required: *nix
  Type: Honeypot
  Description: Free for personal use. Vendor: "DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method."

NETSEC (www.specter.ch)
  Product: SPECTER
  Hardware required: Pentium 90 or greater
  Type: Honeypot
  Description: SC Magazine review: "Logs the attempt and can even launch a finger or port scan back at the hacker to glean as much information as possible ... can simulate one of nine different operating systems (Windows NT, Windows 95/98, MacOS, Linux, SunOS/Solaris, Digital Unix, NeXTStep, Irix and Unisys Unix)."

PGP Security (www.pgp.com)
  Product: Cybercop Sting
  Type: Honeypot
  Description: Vendor: "Simulates a virtual network on a single machine ... logs intrusive traffic to determine its origin and collects evidence against attackers ... various types of silent alarms."

IDS FAQs: http://www.robertgraham.com/pubs/network-intrusion-detection.html ; http://www.ticm.com/kb/faq/idsfaq.html
DARPA Information Assurance and Survivability Program: http://www.iaands.org/ ; http://dtsn.darpa.mil/iso/programtemp.asp?mode=147