The ABCs of IDSs (Intrusion Detection Systems)
by Carolyn Meinel

You have the world's best firewall, your Windows computers update their
antivirus software regularly and your Information Security staffers enforce
your policies with an iron fist. Does this mean you're safe?

Maybe not. In 1998, a news story asserted that the firewall for the New York
Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998,
someone on the paper's network e-mailed reporters:

...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T
D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD
CR0NTABZ OR S0METHING.

0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE
N3XT T1M3...

No one at the Times had noticed weeks' worth of the Hacking for Girliez gang
on their network. The intruders finally chose to go public by defacing the
opening page of the paper's Web site, on the very day the Times expected
millions of visitors to view the Monica Lewinsky transcripts. Instead,
visitors encountered soft porn and an ad for Lewinsky-scented cigars.

Thanks to a cron job (that is, a Unix job that schedules events), several
attempts to eliminate the offensive index page failed, exposing yet more
thousands of patrons to the Girliez' exploit. It took almost two weeks to
eradicate the intruders' back doors from the New York Times' network. Damage
was estimated at $1.5 million, and a grand jury is currently hearing
testimony in the case.

All this might have been avoided had the Times been running a good enough
intrusion detection system (IDS).

What Is an Intrusion Detection System?
Intrusions fall into two major classes. Misuse intrusions are attacks on
known weak points of a system. An IDS looks for this type of attack by
comparing network traffic with signatures of known attacks. The second
class, anomaly intrusions, consists of unknown attacks and other anomalous
activity. This may include detection of an intruder who is already inside a
network. Anomaly detection is hardly a plug-and-play function. It requires
an intimate knowledge of one's network and patterns of user behavior, and an
IDS with powerful scripting options.
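As an added illustration of misuse detection (example code, not from the article or from Snort itself), a toy signature matcher in the Snort content-rule style: each rule constrains protocol and destination port and requires one or more byte patterns in the payload. The rule SIDs, packets and addresses are constructed for the demonstration.

```python
"""Toy misuse (signature) detector in the style of a Snort content rule.
Added example, not from the article or from Snort itself: the rule fields,
SIDs and the sample packets are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    """The decoded fields a content rule looks at."""
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    """One signature: header constraints plus payload patterns that must all occur."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int]    # None matches any destination port
    contents: List[bytes]   # every pattern must appear in the payload
    nocase: bool = False    # case-insensitive match, like Snort's nocase modifier

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or (self.dport is not None and pkt.dport != self.dport):
            return False
        data = pkt.payload.lower() if self.nocase else pkt.payload
        return all((c.lower() if self.nocase else c) in data for c in self.contents)

def detect(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Compare each packet against every rule; one alert line per match."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append(f"[{rule.sid}] {rule.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return alerts

# Constructed rules (hypothetical SIDs) for two classic web-server misuse patterns.
RULES = [
    Rule(100001, "WEB directory traversal", "tcp", 80, [b"GET ", b"../.."]),
    Rule(100002, "WEB /etc/passwd request", "tcp", 80, [b"/etc/passwd"], nocase=True),
]

# Constructed traffic: one benign request, one probe, and the same probe bytes over
# UDP, which no rule should match because the protocol field differs.
PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.9", "10.0.0.80", 80, b"GET /cgi-bin/../../ETC/PASSWD HTTP/1.0\r\n"),
    Packet("udp", "192.0.2.9", "10.0.0.80", 80, b"GET /cgi-bin/../../ETC/PASSWD HTTP/1.0\r\n"),
]

def run() -> List[str]:
    """Run the constructed rule set over the constructed traffic."""
    return detect(RULES, PACKETS)
```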

The basic function of an IDS is to record signs of intruders at work inside
and to give alerts. Depending on the product, how it is deployed and its
network configuration, an IDS may only scan for attacks coming from outside
one's network or it may also monitor activities inside the network.

Some also look for anomaly intrusions. This requires an IDS that can be
extensively configured by the user to match the peculiarities of the network
to be defended. When Susie the systems administrator is at work at 2 a.m.,
this may be her normal behavior. But when Artie the administrative assistant
logs on to his workstation at 2 a.m., that is most likely an anomaly. An IDS
that detects anomalies must be scripted to tell the difference between the
two log-ons.
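The Susie/Artie distinction worked through as an added Python example (not code from the article): a per-user profile of logon hours is learned from a constructed history, new logons far from any learned hour are flagged, and a logon an analyst confirms as legitimate can be folded back into the profile so the baseline adapts over time. The log format, user names and times are constructed.

```python
"""Toy anomaly detector: learn each user's usual logon hours, flag the rest.
Added example, not from the article: the log format, user names and times are
constructed; a real IDS would read its host or authentication logs instead."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed history, one logon per line: "<ISO timestamp> <user> <host>".
HISTORY = """\
2000-09-04T02:10 susie srv1
2000-09-05T01:55 susie srv1
2000-09-06T02:30 susie srv2
2000-09-04T09:02 artie ws17
2000-09-05T08:58 artie ws17
2000-09-06T09:05 artie ws17
"""

def parse(line: str):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def build_profile(log: str) -> Dict[str, Set[int]]:
    """Hours of the day at which each user has been seen logging on."""
    profile: Dict[str, Set[int]] = defaultdict(set)
    for line in log.splitlines():
        when, user, _ = parse(line)
        profile[user].add(when.hour)
    return profile

def hour_distance(hour: int, known: Set[int]) -> int:
    """Distance in hours to the nearest learned hour, wrapping around midnight."""
    return min(min(abs(hour - k), 24 - abs(hour - k)) for k in known)

def score(profile: Dict[str, Set[int]], log: str, tolerance: int = 1) -> List[str]:
    """Alert on logons more than `tolerance` hours from anything the user has done
    before, and on users with no profile at all."""
    alerts = []
    for line in log.splitlines():
        when, user, host = parse(line)
        known = profile.get(user)
        if not known:
            alerts.append(f"{when} {user}@{host}: no profile for this user")
        elif hour_distance(when.hour, known) > tolerance:
            alerts.append(f"{when} {user}@{host}: hour {when.hour:02d} outside learned {sorted(known)}")
    return alerts

def accept(profile: Dict[str, Set[int]], line: str) -> None:
    """After an analyst confirms a flagged logon was legitimate, fold it into the
    profile so the detector adapts as usage patterns change over time."""
    when, user, _ = parse(line)
    profile[user].add(when.hour)

# Constructed new activity: the 2 a.m. admin is normal, the 2 a.m. assistant is not.
NEW_LOGONS = """\
2000-09-13T02:05 susie srv1
2000-09-13T02:07 artie ws17
2000-09-13T10:00 artie ws17
2000-09-13T07:08 jdoe mail1
"""

def run() -> List[str]:
    """Score the constructed new logons against the learned profile."""
    return score(build_profile(HISTORY), NEW_LOGONS)
```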

In the New York Times case, the intruders installed a number of "root kits"
to hide themselves and open back doors. An installation process like this
may be detected as an anomaly, provided one can set up an IDS to tell the
difference between installing a root kit and installing a legitimate program.
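An added Python example (not from the article or from any product it lists) of the system-integrity-verifier approach to spotting such an installation: hash a baseline of key files, seal the baseline with an HMAC so the verifier can tell that its own knowledge base has not been altered, then compare a later snapshot and report what changed. File names, contents and the key are constructed, and the demo runs in a temporary directory.

```python
"""Toy system integrity verifier: hash a baseline of key files, then re-check.
Added example, not from the article or any product it lists; file names,
contents and the key are constructed, and tempfile keeps it self-contained."""
import hashlib, hmac, json, os, tempfile
from typing import Dict, List, Optional

def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str, names: List[str]) -> Dict[str, str]:
    """Digest of each monitored file (relative to root); absent files -> MISSING."""
    out = {}
    for n in names:
        p = os.path.join(root, n)
        out[n] = file_digest(p) if os.path.isfile(p) else "MISSING"
    return out

def seal(baseline: Dict[str, str], key: bytes) -> bytes:
    """Store the baseline with an HMAC tag so edits to the baseline itself are
    caught: the verifier checking that its own knowledge base is not subverted."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(blob: bytes, key: bytes) -> Optional[Dict[str, str]]:
    """Return the baseline only if its tag verifies; None means do not trust it."""
    body, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """One finding per monitored file whose digest differs from the baseline."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name, "MISSING")
        if new != old:
            kind = "deleted" if new == "MISSING" else "added" if old == "MISSING" else "modified"
            findings.append(f"{name}: {kind}")
    return findings

def demo() -> List[str]:
    """Baseline four files, change the tree the way a root-kit install might, re-check."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    names = ["bin/ls", "bin/ps", "etc/crontab", "var/www/index.html"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            os.makedirs(os.path.dirname(os.path.join(root, n)), exist_ok=True)
            with open(os.path.join(root, n), "w") as f:
                f.write(f"original {n}\n")
        sealed = seal(snapshot(root, names), key)
        os.remove(os.path.join(root, "bin/ls"))                 # a binary disappears
        with open(os.path.join(root, "bin/ps"), "w") as f:
            f.write("replacement binary\n")                      # a binary is swapped
        with open(os.path.join(root, "etc/crontab"), "a") as f:
            f.write("* * * * * extra job\n")                     # a cron entry appears
        baseline = unseal(sealed, key)
        assert baseline is not None, "baseline tag did not verify"
        return compare(baseline, snapshot(root, names))
```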

An IDS may include a feature to take automatic action when certain
conditions occur, for example to page the systems administrator on call.
Many IDSs are flexible enough that one can configure them to launch
automatic attacks against suspected intruders, such as denial-of-service
attacks. In many situations, this is illegal and inadvisable.

And some IDSs are optimized to gather forensic data, including replaying an
intruder's activity in real-time.

Types of IDSs
IDSs fall into three main groups:

A network IDS uses network cards in promiscuous mode, sniffing all packets
on each network segment. A typical network IDS consists of one or more
sensors and a console to aggregate and analyze data from the sensors. It
could include a system integrity verifier to look for evidence that key
files may have been altered. A log file monitor may gather and analyze log
files on many computers.

A host-based IDS looks only at packets addressed to the computer on which it
resides and/or watches processes inside the host. Some host-based IDSs may
operate entirely independently. In other systems, each host-based IDS may
report to a master system that evaluates their reports. This architecture
would be a hybrid IDS.

A hybrid IDS combines a host IDS with a network IDS. Exactly how this works
depends on the product, making a hybrid IDS hard to define.

Some IDSs offer scripting languages. This feature is crucial for those
operating in a middleware environment and is essential for managing anomaly
detection.

Personal firewalls with IDS functionality (a type of host-based IDS) are fast
becoming popular. Their major market is people who fear that their home
computers may be invaded by teen vandals.

An Achilles heel of large enterprises is the employee who works from home or
from a laptop while on the road. Personal firewalls can fill this gap. The
problem is, they lack the ability to report intrusion activity to a network
IDS console. Let's say Joe the salesperson has installed a pornographic
screen saver. Can he be trusted to volunteer the information that his
personal firewall reports that this application was infected by a back door?

What About Honeypots?
A honeypot simulates one or more vulnerable systems, to tempt attackers to
focus on an apparently easy kill. Once the honeypot has been invaded, it
alerts the information security manager to the intrusion.

A honeypot also protects other parts of a network by diverting attention to
something that can't be harmed. Some honeypots can simulate many different
computers. You can get an idea of what your attacker is after by seeing
which apparent operating systems he or she ends up "owning."

Perhaps most important, a honeypot can collect forensic evidence. Even
though an intruder may not do any damage, his or her actions on the honeypot
can provide proof of criminal intent.

Characteristics of a Good IDS
If you are managing middleware, it's a sure bet that no single IDS vendor
will be able to take care of all your needs. More than 150 commercial,
freeware and shareware IDS products exist. So how do you choose which ones
to use? The Purdue University IDS research project has proposed the
following evaluation criteria for an IDS:

It must run continually without human supervision. The IDS must be reliable
enough to allow it to run in the background of the system being observed.
However, it should not be a "black box"; that is, its internal workings
should be examinable from the outside.

It must be fault-tolerant in the sense that it can survive a system crash
and will not have its knowledge base rebuilt upon restart.

It must be able to monitor itself to ensure that it has not been subverted.

It must impose minimal overhead on the system.

It must observe deviations from normal behavior (a.k.a. anomaly detection).

It must be easily tailorable to the system in question. Every system has a
different usage pattern.

It must be able to adapt to changes in the system profile that occur over
time.

Finally, it must be difficult to fool.

Noted computer security expert Neil Buckley suggests some additional
criteria:

Timely signature updates.
Signature accuracy.
Capable, experienced support staff.
Proven installations in complex environments.
Integration with other monitoring frameworks and security devices.

The missing factor in most discussions of what makes a good IDS, however, is
whether it can collect data that can be used in court against your
attackers.

Forensics
Few businesses report computer crime. Often, it isn't even noticed. For
example, "Are you Giving Away your Databases" shows how easy it can be to
steal database information without the theft ever being discovered. Even
when computer crime is noticed, and even when it is serious, most companies
sweep it under the rug.

Steve Manning has considerable experience with computer forensics. Manning
used to work for the Air Force Office of Special Investigations on computer
crime, and currently he is the CEO of Securitygurus.com. He explains the
reasons for this attitude: "They see going to law enforcement as long drawn
out, nothing to gain. They fear stockholder or customer backlash if they
learn of attacks. Or they don't see it as a major loss or don't have a staff
trained in computer security."

The result? Today cyberspace is the Wild West, with essentially no law
enforcement. This author has been approached with several requests to commit
serious computer crime, for example, a lucrative request to obtain
spreadsheets (the answer was NO!!!). One hacker has told the author that his
two previous employers pressured him to steal competitors' customer
databases (which is why they are ex-employers).

So when you see persistent attacks, don't assume it is just some kid wanting
to be a "haxor." It may well be your competitor. And you may never realize
how much damage was done to you unless you bring the perpetrators to
justice.

According to Manning, this free ride for criminal competitors may be coming
to an end. "Today we are beginning to see an effort to formalize security
and train staff." Once your company gets an IDS that can gather forensic
data that will serve well in court, and knows how to use it, competitors had
better be on their best behavior.

Standards
If you have a large, heterogeneous network, you may be unable to find a
single-vendor IDS solution. In this case, you must be able to manage the
reports of several different IDS products from more than one vendor. IDS is
a sufficiently recent trend in computer security that an industry standard
for reporting intrusion incidents doesn't yet exist. Thus, managing the
outputs from IDSs of several vendors can become a middleware nightmare.

Two reporting standards are vying for acceptance. The Internet Engineering
Task Force has proposed an XML-based reporting format, the Intrusion
Detection Message Exchange Format, expressed in the Extensible Markup
Language. The other effort, the Common Intrusion Detection Framework (CIDF),
has been funded by the Defense Advanced Research Projects Agency (DARPA) in
response to U.S. Department of Defense concerns that no single IDS vendor can
address the entire spectrum of attacks.

In the meantime, systems administrators needing more than one IDS vendor to
cover the complexities of their network have no easy solution to the problem
of aggregating and correlating IDS data.

When All Else Fails
You've invested in the best firewalls, the best vulnerability scanners and
the best IDSs. Yet some Sunday morning your IDS pages you to report that an
anomaly has occurred: Someone has plastered "W3 0WN YOU" on your Web site.
You can ease the pain if your company has taken advantage of the latest
trend: IDS bundled with computer crime insurance. Some IDS vendors will
vouch that their defenses are state-of-the-art and provide insurance at a
less than ruinous rate.

Vendors of computer crime insurance include:

Internet Security Systems (www.iss.net)
Counterpane (www.counterpane.com)
IBM Global Services (www.ibm.com)
J.S. Wurzler Website Insurance & Security (www.jswum.com)
Axent Technologies (www.axent.com)
Insuretrust.com LLC (www.insuretrust.com)
Ace Ltd. (www.acelimited.com)

IDS Products
Following is a partial list of the more widely used commercial and free IDS
products. For more exhaustive lists, see www.networkintrusion.co.uk and
www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html.

Company: Internet Security Systems (www.iss.net)
Product: RealSecure
OS required: Network sensor: Windows NT or Solaris. Host: Windows NT, Solaris, HP-UX, AIX
Type: Hybrid
Description: IDS pioneer and market leader. Vendor: "Suspicious activities trigger administrator alarms and other configurable responses ... specifically designed to lessen the workload of security administration ... integrates with leading network and systems management applications ... monitoring parameters easily adjust to different network situations ... readily configured from a central console."

Company: Network Associates (www.pgp.com)
Product: Cybercop Monitor
OS required: Windows NT, Solaris
Type: Hybrid
Description: Vendor: "Not only watches data coming into your network devices; it also monitors traffic flowing out." Detects network-based and system-level attacks, coalesces events to suppress excess data and prevent denial-of-service attacks.

Company: Network Ice (www.networkice.com)
Product: Black Ice Sentry
OS required: Windows NT
Type: Network
Description: Vendor: "Promiscuous agents that watch all network traffic for suspicious or hostile traffic directed against any device, from printers to notebooks to mainframes."

Company: Network Ice (www.networkice.com)
Product: Black Ice Defender
OS required: Windows 95/98, NT/2000
Type: Host
Description: Vendor: "The first corporate-strength security solution for home and small office users. It combines both firewall and intrusion detection in a single, easy-to-use package."

Company: Network Security Wizards (www.securitywizards.com)
Product: Dragon Sensor
OS required: Appliance or Solaris
Type: Network
Description: Vendor: "Watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pages, e-mail messages, take action to stop the event and record it for future forensic analysis."

Company: Network Security Wizards (www.securitywizards.com)
Product: Dragon Squire
Type: Host
Description: "Looks at system logs for evidence of malicious or suspicious application activity in real-time. It also monitors key system files for evidence of tampering."

Company: Network Security Wizards (www.securitywizards.com)
Product: Dragon Server
Type: Network
Description: "Secure management of all Dragon Sensors and Dragon Squires ... aggregates all alerts into one central database."

Company: Axent (www.axent.com)
Product: NetProwler Professional
OS required: Three-device appliance
Type: Network
Description: SC Magazine review: "A wide range of predefined operating system and application attack signatures that may be enabled for a single host or range of hosts. Customization of the attack-signature database is the most flexible we have seen to date, and there is even an Attack Definition Wizard to help with the process."

Company: Axent (www.axent.com)
Product: Intruder Alert
OS required: Windows NT, most *nixes, Netware
Type: Host
Description: Vendor: "Gives you a full complement of tools to create new rules and apply new rules in near real-time."

Company: SRI International (www.sdl.sri.com)
Product: Emerald
OS required: Solaris
Type: Network
Description: Free evaluation version. Vendor: scalable network surveillance; high-volume event analysis; lightweight distributed sensors; generic infrastructure and pluggable components; easy customization to new targets and specific policies.

Company: Intrusion.com (www.intrusion.com)
Product: SecureNet Pro
OS required: Red Hat Linux
Type: Network
Description: Vendor: "100 Mbps ... capable of monitoring over 50 segments simultaneously ... has 100 percent defragmentation [capability], TCP session reassembly, stateful protocol decoding, active countermeasures and session playback." Powerful stealth ability.

Company: Intrusion.com (www.intrusion.com)
Product: Kane Secure Enterprise
OS required: Windows NT workstation
Type: Analysis of input from other IDSs
Description: "Integrates audit and event data from a variety of sources, including Windows NT and Solaris servers and desktops, Cisco IOS routers, Check Point FireWall-1, ISS RealSecure and Cisco Secure IDS ... integration of data from a multitude of agents and proprietary systems ... tracks the activity, usage and behavioral patterns of individuals to build a statistical profile of each user."

Company: Intrusion.com (www.intrusion.com)
Product: Kane Security Monitor
OS required: Windows NT
Type: Analysis
Description: "Centralized collection facility for event logs ... automated review of event logs for abuse patterns ... analyzes ... monitors ... event logs on thousands of NT servers and workstations."

Company: Network Flight Recorder Inc. (www.nfr.net)
Product: Network Flight Recorder (NFR)
Type: Network
Description: Vendor: "An NFR ... sits and watches traffic pass and records what you told it to. A typical NFR system runs on a workstation or PC with a hard disk size based on how much data you want to retain ... NFR is ... end-user programmable ... gather basic statistics, watch firewalls and track user activity."

Company: Network Flight Recorder Inc. (www.nfr.net)
Product: Research Version
Type: Network
Description: Free. A configurable tool kit, not plug-and-play.

Company: Snort (www.snort.org)
Product: Snort
OS required: Win32, Solaris
Type: Network
Description: Vendor: "A lightweight network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching ... real-time alerting capability."

Company: En Garde Systems, Inc. (engarde.com)
Product: T-sight
OS required: Windows NT/2000
Type: Network
Description: Vendor: "The first Advanced IDS for Windows NT and Windows 2000. T-sight is not an automatic intrusion detection system ... it is specifically designed to ... investigate that activity and then take action to stop the attack (take over or terminate the connection)." Powerful forensics tool that has been used to put the attackers of a number of government systems behind bars.

Company: Cisco (www.cisco.com)
Product: Secure IDS Sensor appliance; Secure IDS Director
OS required: Openview on Solaris or HP/UX
Type: Network
Description: This product was formerly Wheel Group's Netranger. Vendor: "Secure IDS Sensors, which are high-speed network 'appliances,' analyze the content and context of individual packets to determine if traffic is authorized. If an intrusion is detected ... Secure IDS Sensors can detect the misuse in real-time, forward alarms to a Cisco Secure IDS Director management console for geographical display and remove the offender from the network."

Company: Cisco (www.cisco.com)
Product: CiscoSafe
Description: Integrated package, including a firewall and IDS.

Company: Anzen Computing (www.anzen.com)
Product: Anzen Flight Jacket (AFJ)
OS required: Intel PIII 700 MHz, 256 MB, 18 GB HD, 10/100, FDDI NIC; O/S: NFR IDA
Type: Network
Description: Vendor: "A user-programmable, real-time network monitoring system for intrusion detection and traffic analysis. It passively examines network traffic, identifying attacks, probes and other security-related events in real-time. Unlike other IDS solutions, AFJ uses a set of 'anomaly detection' filters, not signatures, as the main basis for attack recognition."

Company: Cybersafe (www.cybersafe.com)
Product: Centrax
OS required: Windows NT/2000, Solaris, AIX
Type: Hybrid
Description: Vendor: "Provides detection and response for internal and external threats ... watching all user activity from accessing files to the movement of individuals through a corporation's network. Centrax includes host-based intrusion detection, network-based intrusion detection ... the only intrusion detection software to include ... network node intrusion detection."

Company: GFI FAX & VOICE (www.languard.com)
Product: LANguard
OS required: Windows NT
Type: Network
Description: Vendor: "LANguard allows you to monitor internal network traffic and detect other computers running network sniffers."

Company: CERT (www.cert.org)
Product: ACID
OS required: PHP-enabled Apache Web server
Type: Processes IDS data
Description: Free. Vendor: "ACID (Analysis Console for Incident Databases) is a PHP analysis engine to search and process a database of alerts generated by IDSs ... search interface for finding alerts matching practically any criteria."

Company: Hiverworld (www.hiverworld.com)
Product: To be announced
Type: Network
Description: Product to be announced at the October SANS 2000 Network Security conference. Will be able to monitor at gigabit Ethernet speeds.

Company: Zone Labs (www.zonelabs.com)
Product: Zone Alarm
OS required: Windows 95/98/ME, Windows NT/2000
Type: Personal firewall IDS
Description: Free to individual users. While this product is primarily a firewall, it also alerts users to attacks and to attempts by applications on the host to connect with the Internet. By clicking on a pop-up button, users can see an analysis of each attack at the Zone Labs Web site.

Company: Sygate Technologies (www.sygate.com)
Product: Sygate Personal Firewall
Type: Personal firewall IDS
Description: SC Magazine review: "Basic IDS capabilities plus a personal firewall rolled into a single package."

Company: Symantec (www.symantec.com)
Product: Symantec Desktop Firewall 2.0
Type: Personal firewall IDS
Description: Vendor: Monitors "both inbound and outbound communications ... optimized for always-on broadband connections such as DSL and cable modems." Logs origins of attacks.

Company: McAfee (www.mcaffee.com)
Product: McAfee Personal Firewall
OS required: Windows 95/98/NT; IE 4.0 or higher
Type: Personal firewall IDS
Description: Vendor: "Monitors all network activity and stops all known hacks, nukes, trojans and DOS attacks. Even if your PC is infected with a trojan, you will never lose control. Nothing enters or leaves your system without your permission."

Company: Verizon Technology Organization (www.itsecure.bbn.com)
Product: NetFacade
OS required: Sun Ultra Sparc 5, Solaris 7
Type: Honeypot
Description: Vendor: "NetFacade only has to be concerned with traffic to its simulated hosts. A high level of data reduction and low rate of false-positive type incidents since all NetFacade traffic is suspicious. No limit on the number and types of detected attacks, including new and unknown. Distraction of attackers away from the real hosts."

Company: Fred Cohen & Associates
Product: Deception Toolkit (DTK)
OS required: *nix
Type: Honeypot
Description: Free for personal use. Vendor: "DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method."

Company: NETSEC (www.specter.ch)
Product: SPECTER
OS required: Pentium 90 or greater
Type: Honeypot
Description: SC Magazine review: "Logs the attempt and can even launch a finger or port scan back at the hacker to glean as much information as possible ... can simulate one of nine different operating systems (Windows NT, Windows 95/98, MacOS, Linux, SunOS/Solaris, Digital Unix, NeXTStep, Irix and Unisys Unix)."

Company: PGP Security (www.pgp.com)
Product: Cybercop Sting
Type: Honeypot
Description: Vendor: "Simulates a virtual network on a single machine ... logs intrusive traffic to determine its origin and collects evidence against attackers ... various types of silent alarms."


IDS FAQs: http://www.robertgraham.com/pubs/network-intrusion-detection.html ;
http://www.ticm.com/kb/faq/idsfaq.html

DARPA Information Assurance and Survivability Program: http://www.iaands.org/ ;
http://dtsn.darpa.mil/iso/programtemp.asp?mode=147

