Purchasing an IDS


Purchasing an IDS comprises several steps that must be undertaken in order:

  • Purchasing appropriate software and hardware

  • Purchasing an IDS

  • Purchasing documentation

  • Purchasing technical support services

Purchasing Appropriate Software and Hardware

Before deploying an IDS in a corporate network, you will need to buy all the necessary software and hardware. Here, the term "software" is used in a broad sense - i.e., not just the IDS itself. In addition to the IDS, the software also includes the operating system in which the IDS will run, along with add-on application software, such as Internet Explorer or Oracle. Purchasing a specialized hardware-software combination (a security appliance) solves this problem, as it comes with all the required software pre-installed, and the only remaining job is to buy add-on software for the management console.

In terms of hardware, it is recommended that you choose reliable equipment that has a good reputation. This is not an item on which to economize, especially given the fact that IDS failure due to unreliable equipment or manufacturing defects can result in serious damage. In my practice, I have had the experience of having to handle a case in which a vendor supplied defective computers to one of my clients. One of the computers failed after two weeks of running the IDS. One week later, we had to replace the second computer. The client suffered no serious damage and managed to thwart attacks, but only thanks to multiple-layer security made up of access-control lists on Cisco routers, a combination of the advanced firewalls - Check Point Firewall-1 and Cisco PIX Firewall - joined into clusters, and the Cisco IDS 4200 and RealSecure Network Sensor IDSs.

Since an IDS is an intensive user of available resources - especially RAM, hard-disk space and network adapter resources - and given that the protected network segment will inevitably increase in size over time, it is advisable to purchase scalable hardware and software. If you have chosen reliable, fault-tolerant hardware, it is also desirable to provide a fault-tolerance level that will allow a failed component to be replaced within a reasonable period of time. Although such a solution may seem somewhat redundant, it provides a sufficient level of support to the security system. If spare parts or backup equipment are difficult to come by, consult the vendor for information on replacing the failed components. All major brands - Cisco, Compaq, IBM, Hewlett Packard, etc. - usually have enough stock available to allow them to supply spare parts with minimum delay. (Cisco, for example, guarantees such supplies within one day.)

It is impossible to deploy and bring into operation an IDS without purchasing all the required software and hardware components. For example, although it may be possible to bring an IDS into operation with an insufficient amount of RAM, in a high-throughput network or when analyzing the security of a large number of hosts, some attacks may remain undetected, or even worse, the IDS may fail. Moreover, when the missing components are purchased, the whole IDS will have to be reconfigured.

IDS hardware may include the following components:

  • CPU. Experience has shown that the more processors are installed on the host running the IDS, the more efficient the analysis of network traffic or of remote hosts becomes. In contrast to relatively small networks - which can survive with a single-processor system and compensate for the lack of extra processors with additional RAM - large networks or backbones call for two-processor or four-processor systems. This approach has been adopted by Compaq, which supplies hardware with RealSecure Network Sensor pre-installed. It should also be noted that, although the IDS may theoretically use 100 percent of processor resources, under normal conditions utilization should not exceed 2 percent to 10 percent.

  • RAM. Like processors, more RAM makes an IDS more efficient. This is especially true for network sensors. The amount of RAM required for a host-level IDS does not exceed the amount required by the operating system itself. In practice, such systems consume from 1 MB to 5 MB of available RAM. For other types of IDS, this element is not as important, since security scanners, integrity control systems, and other similar applications are not characterized by consistently high levels of activity. Rather, they consume resources intensively only when specific events occur, after a predefined time period, or at the request of the security administrator. From personal experience, I can say that when setting up a network sensor, you will need to optimize its settings for the efficient support of a large amount of RAM.

  • Peripherals. (CD-ROM drive, floppy disk drive, keyboard, monitor, etc.) These components are required for installing and operating the IDS. For IDS network sensors, a keyboard and monitor are usually optional, since network sensors are managed remotely from the central console. This also applies to an IDS' management server and security scanners based on three-tier architecture.

  • Hard-disk space. The amount of hard-disk space needed depends on the type of operating system installed, the IDS chosen, any add-on software, the log-file size, the frequency of event logging, and the frequency of log-file rotation. As a rule, the hard disk must be at least 4 MB to 6 MB. It is best to combine hard drives into RAID arrays or other distributed storage systems, which ensure fault tolerance and a high level of performance.

  • Network adapters. Similar to the rule that "the security of the network is equal to the security of its weakest link," it is possible to say that "network performance is equal to the performance of the slowest device." The network interface is one such device. Consequently, IDS performance depends directly on the performance of the network interface. It is recommended that you use PCI-compliant network adapters in promiscuous mode. PCI has become the architecture of choice, as the speed of data exchange between the bus and RAM is the critical factor that influences the performance of the network-level IDS, and PCI devices are characterized by better performance than other architectures, such as Sbus. The overall performance of the IDS depends on the performance of the network adapter, and therefore, it would be best to choose a server configuration for the network sensor that increases the level of network traffic processing significantly - i.e., by 30 to 40 percent. This performance can be achieved with a built-in processor that significantly reduces the PC processor workload by eliminating the need for transmitting frames from the RAM to the network. Examples of such adapters include Intel's PRO/100 (1000, 100+) Server Adapter, or 3Com's Fast EtherLink Server, which are based on Intel Adaptive Technology and Parallel Tasking II, respectively. Another important criterion in choosing a network adapter is the amount of on-board RAM: 1 MB will be enough to monitor a high-speed network. Management functions - such as SNMP, RMON, DMI, ACPI, WfM, Remote Wake-Up, and so on - are not mandatory for an IDS, and purchasing them is solely dependent on an organization's standards and on the amount of money available. One network adapter is sufficient for an IDS' or security scanner's system console, as well as for a control server, in a three-tier scheme. For network sensors, however, two network adapters are best, in order to allow the implementation of stealth mode, although it is possible to manage with a single adapter if two prove too expensive. Although it may seem obvious, the network adapters must operate at the speeds adopted by the network. Otherwise - for example, if a 10-Mbit network interface is connected to a 100-Mbit port on the network switch - the network sensor will work inefficiently, and most attacks will go undetected.

  • Backup hardware. (CD-ROM drive, streamer, etc.) These devices store log files, which contain information on the IDS' logged events, and distribution sets, including all the configuration files and rules for traffic processing and analysis.

  • Power supplies. Power supplies, UPSs, backup power supplies, etc. ensure the IDS' independence from the organization's power supply. This is especially important for the system's most critical components, which must be available at all times.
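As an added example (not from the book or any IDS vendor), the following Python script audits a sensor host's adapters for the three adapter conditions discussed above: promiscuous mode on the monitoring adapter, a link speed matching the protected segment, and a separate management adapter so that stealth mode is possible. The interface names, link flags and speeds are constructed sample data; on a live Linux host the flags would come from `ip link show` and the speeds from /sys/class/net/<nic>/speed.

```python
import re

# Matches the header line of each interface in `ip link show` output,
# e.g. "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
LINK_RE = re.compile(r"^\d+: ([^:@]+)[^:]*: <([^>]*)>")

# Constructed sample output for a two-adapter sensor host (not captured from
# a real system): eth0 monitors the segment, eth1 talks to the console.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""

# Constructed negotiated link speeds in Mbit/s, as a script on a live host
# would read them from /sys/class/net/<nic>/speed (-1 when the link is down).
SAMPLE_SPEEDS = {"eth0": 10, "eth1": 100}


def parse_link_flags(ip_link_output):
    """Return {interface: set of link flags} from `ip link show` text."""
    flags = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def audit_sensor_nics(flags, speeds, segment_mbps, monitor_nic, mgmt_nic):
    """Check a sensor's adapters against the rules above; return findings."""
    findings = []
    mon = flags.get(monitor_nic)
    if mon is None:
        return [f"{monitor_nic}: monitoring adapter not present"]
    if "UP" not in mon or "LOWER_UP" not in mon:
        findings.append(f"{monitor_nic}: link is down, the sensor sees no traffic")
    if "PROMISC" not in mon:
        findings.append(f"{monitor_nic}: not in promiscuous mode, only frames "
                        "addressed to the sensor itself will be analyzed")
    speed = speeds.get(monitor_nic, -1)
    if speed < 0:
        findings.append(f"{monitor_nic}: link speed unknown, check autonegotiation")
    elif speed < segment_mbps:
        findings.append(f"{monitor_nic}: {speed} Mbit/s link on a {segment_mbps} "
                        "Mbit/s segment, frames will be dropped and attacks missed")
    if monitor_nic == mgmt_nic:
        findings.append(f"{monitor_nic}: monitoring and management share one "
                        "adapter, stealth mode is not possible")
    return findings


if __name__ == "__main__":
    link_flags = parse_link_flags(SAMPLE_IP_LINK)
    for finding in audit_sensor_nics(link_flags, SAMPLE_SPEEDS, 100, "eth0", "eth1"):
        print("FINDING:", finding)
```

With the constructed data the audit reports exactly the mismatch the text warns about: a 10-Mbit monitoring link on a 100-Mbit segment.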

The hardware requirements for the computer on which the IDS' network sensor is to be installed are determined by the following factors (partially discussed in the previous chapter):

  • The amount of traffic transmitted in the protected segment

  • The average packet size within the protected segment

  • The types of traffic (e-mail, files, multimedia, etc.)

  • The number and type of signatures in the relevant template (dependent on the protocols, services, and operating systems used in the protected segment)

  • The methods used for log file or network traffic analysis

  • The predefined response types

  • The network topologies - Ethernet, Fast Ethernet, FDDI, Gigabit Ethernet, etc. - used in the protected segment

  • The number of hosts in the protected segment

  • The average and peak values of the network workload

Manufacturers develop their recommendations based on the average statistical values of these parameters. For example, Compaq recommends the following configuration for installing an IDS' network sensor (particularly for installing the RealSecure Network Sensor):

  • Standard configuration (for low bandwidth networks):

    • Proliant 1600 server

    • 1xPentium II 450 processor

    • 128 MB RAM

    • 1x9.1-GB hard disk

  • Enhanced configuration (for high-speed networks):

    • Proliant 1600 server

    • 2xPentium II 450 processors

    • 256 MB RAM

    • SmartArray2 controller

    • 3x9.1-GB hard disks (for implementing RAID-5)

Although the situation has changed in the four years since these recommendations were published, the approach suggested by Compaq illustrates the trends described above quite well.

The software platform for an IDS may include the following components (besides the components of the IDS itself):

  • Operating system. In contrast to host-level IDSs, for which the solution is obvious, this choice for a network-level IDS (with the exception of a security appliance) is more important. Experience has shown that, despite the wide range of alternatives (Table 10.2), the following are the most common choices: Windows NT (although recently Windows 2000 has become more prevalent), Solaris, or a shareware Unix clone such as Linux or FreeBSD. The last option is generally preferred under limited budget conditions, whereas the first two are usually preferred by large customers with stable finances. I cannot make a definitive recommendation for any one specific system, as it depends on a large number of parameters (operating systems already in use, the vendor, financial resources, the IT personnel's knowledge and skills, etc.). In the past, I have recommended Solaris for heavily loaded networks: For example, this is the best choice for an internal Web or database server with thousands of users. However, since the release of Windows 2000, the situation has changed, and for the moment, the following advice is the least that I can give: for a 100-Mbit network, it is preferable to use a Unix clone (Solaris in particular), while a host running Windows 2000 should undertake the monitoring of a Gigabit network. Table 11.2 lists all the operating systems that can be used for installing the various components of an IDS.

Table 11.2. Operating Systems Used by IDSs

IDS                            Operating system
-----------------------------  ------------------------------------------------

Security scanner
  Internet Scanner             Windows NT, Windows 2000
  System Scanner               Management console - Windows NT, Windows 2000
                               Agents - Windows NT, Windows 2000, NetWare, Linux, HP UX, AIX, Solaris, SCO OpenServer, SCO UnixWare, Sequent DYNIX/ptx, NCR Unix, Digital Unix
  NetRecon                     Windows NT
  Enterprise Security Manager  Console - Windows NT, Windows 2000, Windows 95/98
                               Management server - Windows NT, Windows 2000, OSF/1, IRIX, HP UX, AIX, Solaris, NetWare, OpenVMS
                               Agents - NetWare, OpenVMS, Windows NT, Windows 2000, HP UX, AIX, Solaris, NCR Unix, OSF/1, IRIX, Sequent DYNIX/ptx, Digital Unix, Compaq Tru64
  Nessus                       Console - FreeBSD, Linux, Solaris, Windows NT
                               Management server - FreeBSD, Linux, Solaris
  CyberCop Scanner             Windows NT, Windows 2000, Linux
  Kane Security Analyst        Windows NT, NetWare
  Expert                       Windows 95/98, Windows NT
  STAT                         Windows NT
  BindView HackerShield        Windows NT, Windows 2000, NetWare, OS/400

IDS
  RealSecure                   Console - Windows NT, Windows 2000
                               Network sensor - Windows NT, Windows 2000, Solaris
                               RealSecure for Nokia - Customized version of FreeBSD
                               OS Sensor - Windows NT, Windows 2000, Solaris, HP UX, AIX
                               Server Sensor - Windows NT, Windows 2000, Solaris
  Cisco IDS                    Console - HP UX (HP OpenView NNM), Solaris (HP OpenView NNM), Windows NT (Cisco Secure Policy Manager)
                               Sensor - custom OS
  NetProwler                   Console - Windows NT, Windows 2000
                               Management server - Windows NT
                               Sensor - Windows NT
  Dragon                       Console - Web interface
                               Network sensor (Sensor) - Linux, FreeBSD, OpenBSD, Solaris, HP UX
                               System sensor (Squire) - Linux, FreeBSD, OpenBSD, Solaris, HP UX, Windows NT
  NFR                          Console (Administrative Station) - Windows NT, Windows 2000, Windows 95/98
                               Central Station - Solaris
                               Sensor - BSD-based OS
  Intruder Alert               Console - Windows NT, Windows 2000, Windows 95/98
                               Management server - Windows NT, NetWare, HP UX, AIX, Solaris, NCR Unix, OSF/1, IRIX
                               Agent - Windows NT, NetWare, HP UX, AIX, Solaris, NCR Unix, OSF/1, IRIX, Sequent DYNIX/ptx
  eTrust IDS                   Console - Windows 95/98, Windows NT
                               Sensor - Windows 95/98, Windows NT
  CyberCop Monitor             Console - Windows NT
                               Sensor - Windows NT, Solaris, HP UX, AIX
  SecureNet PRO                Sensor - Red Hat Linux
  Kane Security Monitor        Sensor - Windows NT
  Centrax                      Console - Windows NT
                               Sensor - Windows NT, Solaris
  Snort                        Linux, *BSD, Solaris, SunOS, HP UX, AIX, IRIX, Compaq Tru64, Windows NT
  LIDS                         Linux

Integrity-control system
  Tripwire                     Windows NT, Solaris, AIX, HP UX, IRIX, Compaq Tru64, Linux

Deception system
  CyberCop Sting               Windows NT
  DTK                          Various Unix clones
  ManTrap                      Console - Windows NT, Windows 2000, Windows 95/98, Solaris
                               Sensor - Solaris

  RealSecure OS Sensor         Windows NT, Windows 2000, Solaris, HP UX, AIX
  RealSecure Server Sensor     Windows NT, Windows 2000, Solaris

  • Operating system and software updates. These software components (patches, hotfixes, and service packs) eliminate known vulnerabilities and errors in the operating system and application software, thereby strengthening system security and improving reliability.

  • IDS updates. As noted previously, the efficiency of an IDS depends on frequent updates of its database of attack and vulnerability signatures. IDS purchasers should make sure that the system is supplied with the developer's latest updates.

  • Drivers for all required devices. (Network adapters, streamer, CD-ROM, etc.) To avoid hardware compatibility problems, which can lead to the IDS malfunctioning, drivers released by the software or hardware manufacturer are preferable.

  • Software/hardware customization software. Practically all combinations of software and hardware require customization. This can be performed using both built-in software and add-on tools. Usually, add-on tools are supplied with the system, but sometimes come at an additional cost (especially for sophisticated combinations of hardware and software).

  • Protocol analyzers and attack-modeling tools. These tools, which test that the IDS is operating correctly, include Dragon Sensor Workbench from Enterasys Networks and nidsbench from Anzen. The latter program - a set of utilities running under BSD, Linux, and Solaris - is especially interesting. It includes three utilities:

    • TCPreplay - used for analyzing the IDS' performance by sending real network traffic containing attacks. It allows the user to set traffic transmission speed, and can increase or decrease this speed. In addition, TCPreplay is compatible with the previously mentioned TCPdump.

    • FragRouter - analyzes the efficiency of a network-level IDS by sending fragmented packets containing attacks, as well as other attacks described elsewhere [Ptacek1-98], [Paxson1-98]. The program can be downloaded from the developer's Web site (http://www.monkey.org/~dugsong/fragroute/). (This server was the victim of an unpleasant hacking incident: The hacker who compromised the server modified the source code of the FragRouter and dsniff utilities with a Trojan that allowed a user with the IP address 216.80.99.202 to run commands remotely on the host on which the modified programs are installed. The source code was modified on May 17, 2002, and all copies of FragRouter downloaded since then have contained the Trojan code.)

    • IDStest - used for evaluating network-level IDS efficiency by testing the means of sending real attacks to the IDS. In effect, it is no different from the various attack modeling scanners.

One other system is worth mentioning. At the time of writing, Blade Software's IDS Informer was one of the best testing kits available.

Purchasing Documentation and Support Services

Depending on the complexity of the IDS, the technical staff's skill levels, the system, and other factors, an organization may need technical support from the manufacturer or vendor, training services, and so on.

Users who are unfamiliar with the technologies and principles upon which the chosen IDS is based will always be prone to err, which can cost an organization quite a lot. Such errors can result in delays in installation and deployment, and furthermore, can complicate the operation and maintenance of the IDS. Therefore, it is advisable to purchase documentation and technical support services at the same time as the IDS. (This is especially true for large companies.)

It is not a good idea merely to purchase the bare minimum (usually just the CD and instructions). Most system administrators are short on time and therefore do not even study the documentation supplied with the system. This lack of knowledge can result in the IDS actually simplifying penetration into the network instead of protecting it. Manufacturer support is especially important should difficult situations arise that are not described in the documentation. Technical support often doubles as training, which can provide a large amount of valuable information in a short time.

Most companies, such as ISS and Cisco, provide high-quality technical service. For example, each request to the technical support service is answered by a message confirming receipt of the request and promising to answer it within a set period of time (depending on the services paid for). This guarantees that the client's request is being processed by a group of highly qualified specialists.

As was mentioned, the technical support provided by a manufacturer usually includes several layers that differ in their response time to client requests. The following types of support are commonly used:

  • Consulting via phone and e-mail

  • Support via the web server

  • Software and hardware updates

  • On-site support and maintenance

Based on real-world practice, most manufacturers have adopted the following technical support parameters as standard:

  • Support during standard business hours (9 a.m. to 6 p.m., Monday through Friday).

  • A technical support warranty valid for the first year after purchase. When this runs out, the agreement is usually extended for another year, and so on.

  • Technical support prices usually run anywhere from 20 to 25 percent of the total cost of the IDS, although this figure can be as high as 50 percent. The higher figure mainly relates to the so-called Platinum Support Level, which guarantees a response within one hour, with technical support available 24 hours a day.

When discussing the IDS' technical support agreement, it is worth considering similar support for other software and hardware, in order to avoid an unpleasant situation in which the IDS runs smoothly, but problems with the working environment constantly disrupt its operation. Moreover, it is worth making sure that the technical support agreement includes a paragraph relating to periodic updates of the IDS and other software. Subscribing to the IDS manufacturer's mailing list is also useful, as it keeps the user informed of all news related to the IDS and companion software.


Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152