Part I: Intrusion Detection: Primer



Chapter List:

Chapter 1: Understanding Intrusion Detection
Chapter 2: Crash Course in the Internet Protocol Suite
Chapter 3: Unauthorized Activity I
Chapter 4: Unauthorized Activity II
Chapter 5: Tcpdump



Chapter 1: Understanding Intrusion Detection

Overview

On June 11, 2003, the Gartner Group, a research and advisory firm, reported that intrusion-detection systems are a market failure, have failed to provide value relative to their costs, and will be obsolete by 2005. While this brought Gartner a lot of attention, the fact is that intrusion detection and prevention is here to stay, not as a silver bullet, but as part of a strong defense strategy. Many industry research groups and the thousands of companies that have deployed or are planning to deploy intrusion-detection and intrusion-prevention systems are a testament to the usefulness of this technology.

Intrusion detection has had its problems, such as false positives, operational issues in high-speed environments, and the difficulty of detecting unknown threats. In addition, intrusion prevention is still in its infancy. Most of the problems with intrusion detection are caused by improper implementation and misunderstanding of what the technology can and cannot do.

This book focuses on what intrusion detection and prevention can and cannot do. We will examine ways to get the most from this technology, and look at how it can be managed to benefit your organization.

This chapter will introduce intrusion-detection system (IDS) and intrusion-prevention system (IPS) technologies, explaining what they are, as well as pointing out their differences. We will examine why these systems may be important to your organization, and look at the general types of analysis processes used by both IDSs and IPSs. Finally, we will review the pros and cons of both IDS and IPS technologies and clear up some of the myths about them.



Intrusion-Detection and Intrusion-Prevention Basics

Any dictionary will provide a definition of intrusion, but its meaning in the computer security context has been debated. Many people consider intrusions to include unsuccessful attacks, while others see a distinct difference between attacks and intrusions. We’ll work with the definition that an intrusion is an active sequence of related events that deliberately try to cause harm, such as rendering a system unusable, accessing unauthorized information, or manipulating such information. This definition refers to both successful and unsuccessful attempts.

Security professionals may want to have IDS systems record information about both successful and unsuccessful attempts so that they have a more comprehensive understanding of the events on their networks. One way this can be done is by placing devices that examine network traffic, called sensors, both in front of the firewall (the unprotected area) and behind the firewall (the protected area) and comparing the information recorded by the two.
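The two-sensor arrangement described above only pays off if the two alert feeds are actually compared. The following is an added example (not from the book) of that comparison: alerts that the outside sensor saw but the inside sensor did not were stopped by the firewall, alerts seen by both reached the protected network, and alerts seen only inside either originated inside or bypassed the outside sensor. The alert records, addresses and rule names are constructed, and the example assumes the firewall does not rewrite addresses (with NAT, the correlation key would have to be translated first).

```python
"""Correlate alerts from a sensor outside the firewall with alerts from a
sensor inside it, to separate blocked attempts from attempts that got
through. Added example; all alert records below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str      # "outside" or "inside"
    src: str         # source address as the sensor saw it
    dst: str         # target address
    dport: int       # target port
    signature: str   # name of the rule that fired


# Constructed sample alerts from the unprotected side of the firewall.
OUTSIDE = [
    Alert("outside", "198.51.100.7", "192.0.2.10", 445, "smb-probe"),
    Alert("outside", "198.51.100.7", "192.0.2.10", 80, "web-scanner-ua"),
    Alert("outside", "203.0.113.5", "192.0.2.20", 22, "ssh-bruteforce"),
]

# Constructed sample alerts from the protected side: only the web probe
# made it past the firewall in this sample.
INSIDE = [
    Alert("inside", "198.51.100.7", "192.0.2.10", 80, "web-scanner-ua"),
]


def key(alert):
    """Correlation key; assumes no NAT between the two sensors."""
    return (alert.src, alert.dst, alert.dport, alert.signature)


def correlate(outside, inside):
    """Return (blocked, passed, inside_only), each a sorted list of keys.

    blocked     - seen outside only: the firewall stopped the attempt
    passed      - seen on both sides: the attempt reached the network
    inside_only - seen inside only: internal origin or bypassed the
                  outside sensor; worth a closer look either way
    """
    seen_out = {key(a) for a in outside}
    seen_in = {key(a) for a in inside}
    blocked = sorted(seen_out - seen_in)
    passed = sorted(seen_out & seen_in)
    inside_only = sorted(seen_in - seen_out)
    return blocked, passed, inside_only


if __name__ == "__main__":
    blocked, passed, inside_only = correlate(OUTSIDE, INSIDE)
    for label, rows in (("blocked", blocked), ("passed", passed),
                        ("inside-only", inside_only)):
        print(f"{label}: {len(rows)}")
        for row in rows:
            print("   ", row)
```

In practice the two feeds also need to be aligned in time (an attempt logged outside at 10:00 should be matched against inside alerts from roughly the same window), which the constructed sample omits.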

What Is an Intrusion-Detection System (IDS)?

An intrusion-detection system (IDS) can be defined as the tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity. The intrusion detection part of the name is a bit of a misnomer, as an IDS does not actually detect intrusions—it detects activity in traffic that may or may not be an intrusion. Intrusion detection is typically one part of an overall protection system that is installed around a system or device—it is not a stand-alone protection measure.

You can loosely compare firewalls to locked doors, intrusion detection to alarm systems, and intrusion prevention to guard dogs. Let’s say that you have a warehouse full of secret documents that you want to protect with a fence around the perimeter, an alarm system, locked doors, and security cameras. The locked doors will stop unauthorized individuals from entering the warehouse. By themselves, they do nothing to alert you of an intrusion, but they deter unauthorized access. The alarm system will warn you in case an intruder tries to get into the warehouse. By itself, it does nothing to prevent an intrusion, but it alerts you to the potential of an intrusion. The guard dog, in some instances, can prevent an intrusion outright by biting intruders before they can enter the protected perimeter.

As you can see, the door locks, alarm system, and guard dog play separate but complementary roles in the protection of this warehouse. This is also true of firewalls and IDSs and IPSs. All of these are different technologies that can work together to alert you and can prevent intrusions into a network. In addition, how these technologies are implemented determines whether or not they increase security. For instance, in the warehouse example, the most effective strategy may be to place alarms and locks on all the windows and doors, as well as motion detectors inside the warehouse. You may also want several dogs deployed within the perimeter to watch for possible intruders. Implementing IDSs and IPSs is no different—the placement of the technology makes all the difference between a secure network and an unsecured one.

It is also important to note that IDSs and IPSs are just two of many methods that should be employed in a strong security program. Using a layered approach, or defense in depth, based on careful risk analysis is critical in any information protection program because a network is only as secure as its weakest link. This means that a network should have multiple layers of security, each with its own function, to complement the overall security strategy of the organization. Figure 1-1 illustrates a defense-in-depth approach that will protect a network on many levels.

Figure 1-1: Defense in depth

IDSs work at the network layer of the OSI model (see Table 1-1), and passive network sensors are typically positioned at choke points on the network. They analyze packets to find specific patterns in network traffic—if they find such a pattern in the traffic, an alert is logged, and a response can be based on the data recorded. IDSs are similar to antivirus software in that they use known signatures to recognize traffic patterns that may be malicious in intent.

Table 1-1: Layers in the OSI Reference Model

Layer | Function | Protocols
----- | -------- | ---------
Application (user interface) | This layer is used for applications, such as HTTP, specifically written to run over the network, and allows access to network services. It handles issues like network transparency, resource allocation, and problem partitioning. The application layer is concerned with the user's view of the network, like formatting. In addition, this layer allows access to services that support applications and handle network access, flow, and recovery. | DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, APPC, AFP
Presentation (translation) | The presentation layer helps to translate between the application and the network formats. This is also where protocol conversion takes place. | Named Pipes, Mail Slots, RPC, NCP, SMB
Session | The session layer helps to establish, maintain, and end sessions across the network. | NetBIOS
Transport (packets; flow control and error handling) | The transport layer manages the flow control of data between parties across the network. | TCP, ARP, RARP, SPX, NWLink, ATP, NetBEUI
Network (addressing; routing) | The network layer translates logical network addresses and names to their physical addresses and is responsible for addressing and managing network problems such as packet switching, data congestion, and routing. | IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, OSI, DDP, DECnet
Data link (data frames to bits) | The data-link layer turns packets into raw bits on the sending end, and at the receiving end turns bits into packets. It handles data frames between the network and physical layers. |
Physical (hardware; raw bit stream) | The physical layer transmits the raw bit stream over the physical cable or airwaves (when dealing with wireless). It defines cables, cards, and other physical aspects. | IEEE 802, IEEE 802.2, ISO 2110, ISDN

Types of IDS Systems

IDSs fall into one of three categories: host-based intrusion-detection system (HIDS), network-based intrusion-detection system (NIDS), and hybrids of the two.

A HIDS system will require some software that resides on the system and can scan all host resources for activity; some just scan syslog and event logs for activity. It will log any activities it discovers to a secure database and check to see whether the events match any malicious event record listed in the knowledge base.

A NIDS system is usually inline on the network, and it analyzes network packets looking for attacks. A NIDS receives all packets on a particular network segment, including on switched networks (where receiving every packet is not the default behavior), via one of several methods, such as taps or port mirroring. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. Most NIDSs are equipped with facilities to log their activities and report or alarm on questionable events. In addition, many high-performance routers offer NIDS capabilities.

A hybrid IDS combines a HIDS, which monitors events occurring on the host system, with a NIDS, which monitors network traffic. Table 1-2 shows some of the differences between a HIDS and a NIDS.

Table 1-2: Network-Based vs. Host-Based Intrusion-Detection Systems

NIDS | HIDS
---- | ----
Broad in scope (watches all network activities) | Narrow in scope (watches only specific host activities)
Easier setup | More complex setup
Better for detecting attacks from the outside | Better for detecting attacks from the inside
Less expensive to implement | More expensive to implement
Detection is based on what can be recorded on the entire network | Detection is based on what any single host can record
Examines packet headers | Does not see packet headers
Near real-time response | Usually only responds after a suspicious log entry has been made
OS-independent | OS-specific
Detects network attacks as payload is analyzed | Detects local attacks before they hit the network
Detects unsuccessful attack attempts | Verifies success or failure of attacks

The basic process for an IDS is that a NIDS or HIDS passively collects data and preprocesses and classifies them. Statistical analysis can be done to determine whether the information falls outside normal activity, and if so, it is then matched against a knowledge base. If a match is found, an alert is sent. Figure 1-2 outlines this activity.

Figure 1-2: Standard IDS system
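The pipeline in the paragraph above (passive collection, preprocessing and classification, a statistical check against normal activity, and a knowledge-base match for anything that falls outside it, ending in an alert) reads as follows when written out. This is an added example, not code from the book: the packet records, the baseline counts and the two signatures are all constructed, and "normal activity" is modeled as per-source packet counts from a quiet period, with anything beyond three standard deviations above the mean treated as an outlier.

```python
"""Toy IDS pipeline: collect -> preprocess/classify -> statistical check ->
knowledge-base match -> alert. Added example; all inputs are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed packet records (src, dst, dport, payload); not real traffic.
# One source sends a burst that includes directory-traversal requests,
# one sends a burst of plain requests, one is quiet.
PACKETS = (
    [("198.51.100.7", "192.0.2.10", 80, b"GET /../../../../etc/passwd HTTP/1.0")] * 3
    + [("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0")] * 5
    + [("203.0.113.9", "192.0.2.10", 80, b"GET /index.html HTTP/1.0")] * 7
    + [("192.0.2.55", "192.0.2.10", 22, b"SSH-2.0-OpenSSH")] * 3
)

# Constructed per-source packet counts observed during a quiet period.
BASELINE_COUNTS = [3, 4, 5, 4, 3, 4]

# Knowledge base: signature name -> byte pattern (constructed rules).
KNOWLEDGE_BASE = {
    "web-dir-traversal": re.compile(rb"\.\./\.\./"),
    "web-shell-cmd": re.compile(rb"/bin/sh"),
}

SERVICE_BY_PORT = {80: "web", 443: "web", 22: "ssh"}


def classify(pkt):
    """Preprocess one raw record into a labeled event (classification step)."""
    src, dst, dport, payload = pkt
    return {"src": src, "dst": dst, "dport": dport,
            "service": SERVICE_BY_PORT.get(dport, "other"), "payload": payload}


def outlier_threshold(baseline, k=3.0):
    """Per-source packet count above which activity is 'outside normal'."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def detect(packets, baseline=BASELINE_COUNTS):
    """Run the pipeline and return one alert dict per anomalous source.

    Only sources whose volume falls outside the baseline are matched
    against the knowledge base, mirroring the order in the text. A source
    that is anomalous but matches no signature is still reported, with an
    empty signature list, so the analyst can decide what it was.
    """
    per_src = defaultdict(list)
    for record in (classify(p) for p in packets):
        per_src[record["src"]].append(record)

    threshold = outlier_threshold(baseline)
    alerts = []
    for src, records in per_src.items():
        if len(records) <= threshold:
            continue                      # within normal activity: no alert
        matched = sorted({name for r in records
                          for name, pattern in KNOWLEDGE_BASE.items()
                          if pattern.search(r["payload"])})
        alerts.append({"src": src, "count": len(records),
                       "services": sorted({r["service"] for r in records}),
                       "signatures": matched})
    return alerts


if __name__ == "__main__":
    print(f"outlier threshold: {outlier_threshold(BASELINE_COUNTS):.2f} packets/source")
    for alert in detect(PACKETS):
        kind = "signature" if alert["signatures"] else "anomaly-only"
        print(f"ALERT [{kind}] {alert}")
```

Running it flags two sources: the traversal sender is reported with a signature match, the second burst is reported as an anomaly with no match, and the quiet SSH client produces nothing. A real sensor would also carry timestamps and reconstruct streams before matching, which this toy pipeline skips.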

What Is an Intrusion-Prevention System (IPS)?

It is still early in the development of intrusion-prevention systems (IPSs), but generally an IPS sits inline on the network and monitors it, and when an event occurs, it takes action based on prescribed rules. This is unlike IDSs, which do not sit inline and are passive. Some people see IPSs as next-generation IDS systems, because they take detection a step further, but others think in broader terms and consider IPSs to be yet another tool in the security infrastructure that could help prevent intrusions. IPS has developed out of IDS, but they are really different security products that have different functionality and strengths.

Sidebar: Collecting Data

There are two primary ways to collect data on a switched network: port mirroring and network taps. Port mirroring, also referred to as spanning, is when copies of incoming and outgoing packets are forwarded from one port of a network switch to another port where the packets can be analyzed. Network taps are put directly in-line with the network traffic, and they copy the incoming and outgoing packets and retransmit them back out on the network. Both methods have advantages and disadvantages that should be explored when making implementation decisions.

IPS systems are similar in setup to IDS systems—an IPS can be a host-based IPS (HIPS), which works best at protecting applications, or a network-based IPS (NIPS). User actions should correspond to actions in a predefined knowledge base; if an action isn’t on the accepted list, the IPS will prevent the action. Unlike an IDS, the logic in an IPS is typically applied before the action is executed in memory. Other IPS methods compare file checksums to a list of known good checksums before allowing a file to execute, or work by intercepting system calls.
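The two host-based mechanisms named above, a known-good checksum list consulted before a file is allowed to execute and a per-program list of accepted actions enforced at the system-call boundary, come down to a couple of lookups. The following added example (not the book's code) shows both decisions side by side. The file contents, paths, checksums and the syscall policy are constructed; a real HIPS would build the checksum list at install time and hook the kernel to enforce the decisions, which the example only models as function calls.

```python
"""Host-based IPS decisions: checksum allowlist before execution, and a
per-program accepted-action list at the system-call boundary.
Added example; file contents, paths and policy are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed trusted file and the known-good checksum list built from it.
TRUSTED_BACKUP = b"#!/bin/sh\necho backup\n"
KNOWN_GOOD = {
    "/usr/local/bin/backup.sh": sha256(TRUSTED_BACKUP),
}

# Constructed per-program policy: the only system calls each program is
# accepted to make. Anything not listed is prevented.
SYSCALL_POLICY = {
    "/usr/local/bin/backup.sh": {"open", "read", "write", "close"},
}


def decide_exec(path: str, contents: bytes, known_good=KNOWN_GOOD):
    """Return ("allow"|"block", reason) before the file is executed.

    The check runs on the bytes that are about to execute, so a file that
    was replaced or appended to after the list was built no longer matches.
    """
    expected = known_good.get(path)
    if expected is None:
        return "block", "not in known-good list"
    actual = sha256(contents)
    if actual != expected:
        return "block", f"checksum mismatch (got {actual[:12]}...)"
    return "allow", "checksum verified"


def decide_syscall(path: str, syscall: str, policy=SYSCALL_POLICY):
    """Return ("allow"|"block", reason) for one intercepted system call."""
    accepted = policy.get(path)
    if accepted is None:
        return "block", "no policy for program"
    if syscall not in accepted:
        return "block", f"{syscall} not on accepted list"
    return "allow", "on accepted list"


if __name__ == "__main__":
    tampered = TRUSTED_BACKUP + b"echo tampered\n"   # constructed modification
    print(decide_exec("/usr/local/bin/backup.sh", TRUSTED_BACKUP))
    print(decide_exec("/usr/local/bin/backup.sh", tampered))
    print(decide_exec("/tmp/unknown.sh", b"#!/bin/sh\n"))
    print(decide_syscall("/usr/local/bin/backup.sh", "read"))
    print(decide_syscall("/usr/local/bin/backup.sh", "connect"))
```

The design point is that both checks happen before the action takes effect: the checksum is compared before the loader runs the file, and the policy is consulted before the kernel services the call, which is what distinguishes this from an IDS that only reports afterwards.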

An IPS will typically consist of four main components:

  • Traffic normalizer

  • Service scanner

  • Detection engine

  • Traffic shaper

The traffic normalizer will interpret the network traffic and do packet analysis and packet reassembly, as well as performing basic blocking functions. The traffic is then fed into the detection engine and the service scanner. The service scanner builds a reference table that classifies the information and helps the traffic shaper manage the flow of the information. The detection engine does pattern matching against the reference table, and the appropriate response is determined. Figure 1-3 outlines this process.

Figure 1-3: Standard IPS system
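The four components just listed fit together as a short inline pipeline, shown here as an added example (not the book's code): a normalizer that reassembles each flow's segments in sequence order, a service scanner that builds the reference table of flow to service class, a detection engine that matches each flow against the signatures for its service class, and a traffic shaper that assigns a bandwidth class from the same table. The segments, signatures and classes are constructed. The sample deliberately splits a traversal pattern across two out-of-order segments so that it only matches after normalization, and includes a flow with a missing segment to show what the normalizer does with a hole it cannot fill.

```python
"""Toy inline IPS: traffic normalizer -> service scanner -> detection
engine -> traffic shaper -> action. Added example; inputs are constructed."""
import re
from collections import defaultdict

# Constructed TCP-like segments: (flow_id, seq, dport, payload).
SEGMENTS = [
    ("flowA", 15, 80, b"/../etc/passwd HTTP/1.0"),   # arrives out of order
    ("flowA", 0, 80, b"GET /cgi-bin/.."),             # 15 bytes
    ("flowB", 0, 80, b"GET /index.html HTTP/1.0"),
    ("flowC", 0, 25, b"HELO mail.example"),
    ("flowD", 0, 80, b"GET /a"),
    ("flowD", 20, 80, b" HTTP/1.0"),                   # bytes 6..19 never arrived
]

SERVICE_BY_PORT = {80: "web", 443: "web", 25: "mail"}

# Constructed signatures, keyed by the service class they apply to.
SIGNATURES = {
    "web": [("web-dir-traversal", re.compile(rb"\.\./\.\./"))],
    "mail": [("smtp-vrfy-probe", re.compile(rb"^VRFY", re.MULTILINE))],
}

# Constructed shaping classes the shaper hands out per service class.
SHAPING_CLASS = {"web": "high", "mail": "normal", "other": "low"}


def normalize(segments):
    """Traffic normalizer: reassemble each flow's bytes in sequence order.

    Overlapping bytes already accepted are kept (the first copy wins);
    a hole stops reassembly and marks the flow incomplete.
    """
    flows = defaultdict(list)
    for fid, seq, dport, payload in segments:
        flows[fid].append((seq, dport, payload))
    out = {}
    for fid, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf, complete = b"", True
        for seq, _dport, payload in segs:
            if seq < len(buf):                 # overlap: drop already-seen bytes
                payload = payload[len(buf) - seq:]
            elif seq > len(buf):               # hole: cannot reassemble yet
                complete = False
                break
            buf += payload
        out[fid] = {"dport": segs[0][1], "data": buf, "complete": complete}
    return out


def scan_services(flows):
    """Service scanner: reference table of flow id -> service class."""
    return {fid: SERVICE_BY_PORT.get(f["dport"], "other") for fid, f in flows.items()}


def detect(flows, table):
    """Detection engine: first matching signature per flow, or None."""
    hits = {}
    for fid, flow in flows.items():
        hits[fid] = None
        for name, pattern in SIGNATURES.get(table[fid], []):
            if pattern.search(flow["data"]):
                hits[fid] = name
                break
    return hits


def shape(table):
    """Traffic shaper: bandwidth class per flow, driven by the reference table."""
    return {fid: SHAPING_CLASS[service] for fid, service in table.items()}


def ips(segments):
    """Run all four components and return a decision per flow."""
    flows = normalize(segments)
    table = scan_services(flows)
    hits = detect(flows, table)
    classes = shape(table)
    decisions = {}
    for fid, flow in flows.items():
        if hits[fid]:
            action = "drop"            # signature matched: block inline
        elif not flow["complete"]:
            action = "hold"            # wait for the missing bytes
        else:
            action = "forward"
        decisions[fid] = {"service": table[fid], "signature": hits[fid],
                          "shaping": classes[fid], "action": action}
    return decisions


if __name__ == "__main__":
    for fid, decision in ips(SEGMENTS).items():
        print(fid, decision)
```

Matching per segment instead of per reassembled flow would have let flowA through, since neither of its two segments contains the full pattern on its own; that is the reason the normalizer sits in front of the detection engine.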

IDS vs. IPS

IDS and IPS technology each have their own place in a security program because they perform separate functions. Table 1-3 clarifies some of the differences between them.

Table 1-3: Intrusion-Detection Systems vs. Intrusion-Prevention Systems

IDS | IPS
--- | ---
Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS)
Sits on network passively | Sits inline (not passive)
Cannot parse encrypted traffic | Better at protecting applications
Central management control | Central management control
Better at detecting hacking attacks | Ideal for blocking web defacement
Alerting product (reactive) | Blocking product (proactive)