An intrusion occurs when someone attempts to break into or misuse a system. The word misuse is broad, and can refer to a whole range of actions, from stealing confidential data to something as minor as using your e-mail system for spam. The smallest element of intrusion detection data is referred to as an event. An event is an auditable occurrence on the network. The challenges in securing a computer network can be viewed in three stages:

- Prevention: to avoid intrusions, if possible
- Detection: to know as soon as possible when an intrusion attempt occurs
- Reaction: to respond to an intrusion, and to prevent and detect it in the future

Any approach to securing networks, computers, and the data they contain must address each of these three stages. And the work that is needed through all three stages is continuous. According to Matthew Kovar, director of the Yankee Group's Security Solutions & Services research and consulting practice, "Security vulnerabilities and threats, like diseases, are dynamic and can mutate or combine with each other to make a more severe impact with far greater detrimental effects to IT systems. Drugs are countermeasures that are put in place and include solutions such as anti-virus, firewalls, intrusion detection, content screening, and virtual private networks."[2] However, Kovar warns, "Security professionals, like medical professionals, must interact with a patient continuously to monitor and diagnose in real time the security health of an organization."[2]

Prevention

Preventing security breaches altogether is the right place to start, and it is where the most money is spent in today's IT security marketplace. It is an ongoing battle. You can usually prevent the attacks that are well understood or for which patches or fixes exist, but you often can't prevent ones that the systems' architects never envisioned. There is always something new on the horizon. New attacks can occur because of newly found vulnerabilities that are latent in old software: for example, a hole that has been in a product for years, but that has just been discovered or exploited. New attacks also can occur when new software is installed or when peculiar interactions occur between existing software and hardware.

It is well known that insiders cause most security breaches. So, the first step in securing your system is to know your users well. You should have strong validation for each user: Are they really who they say they are?
You should also have strong access controls in place for each user: what objects is each user allowed to read, write, modify, create, or delete? Is the data they manipulate properly authenticated? Are the access controls consistent across all systems? When users change roles or jobs (or leave the area), are the access controls updated appropriately? Are changes to the validation, authentication, and access control audited?

The next step is defending against known vulnerabilities. There are software-based tools that do vulnerability assessments (VAs). They examine your hardware and software, and let you know how to remove the vulnerabilities used in active invasions. They don't necessarily stop invasions; they help you patch the security holes used by invaders. They ask, for example, "What ports are open?" "What files should be encrypted?" "What exploitable applications are running?" VA rules are frequently updated, as new (initially vulnerable) software is shipped or as new vulnerabilities are discovered in existing software and hardware.

Another common threat is software viruses. Antivirus (AV) detection tools watch for the byte sequences that indicate a computer virus has attached itself to a file. These tools also need to be updated and run frequently. It is startling to observe that computers that are not checked frequently with VA and AV tools become more vulnerable to outside attack simply because time passes.

A third type of preventative measure is firewalls. Firewalls work to block invasions at the point where the invading traffic enters a local network. Firewalls not only can inspect incoming and outgoing network traffic, but can also log unusual activity as it occurs.
David Freeman has noted that "the security war can seem like an infinite standoff; for every new defense researchers devise, invaders develop countermeasures, leading to countermeasures, and so on."[3] But he added, "Fortunately, defenders don't have to make it impossible to break into networks; they only have to make getting in so difficult, or so fraught with risk of being tracked down, that the bad guys think twice."

Detection

Despite the preventive steps you take, intrusions that involve new techniques usually succeed. With hackers, spies, and saboteurs continually finding new ways to break into networks and computers, chances are it is only a matter of time before they get in. Therefore, a principle emphasized during SANS (System Administration, Networking, and Security) Institute training is that "prevention is ideal, but detection is a must."[4] Not only is detection a must, but detection must be achieved in real time, not several hours or days after the intrusion has occurred. An intrusion detection system (IDS) is designed to detect intrusion attempts as they occur. Intrusion detection systems can be broken into several categories:[5]
- Host-based intrusion detection systems (HIDS) work to detect attacks originating within individual computers. They can detect intrusions in two ways:
  - By monitoring the actions within a computer, such as file accesses or login attempts. This frequently involves identifying attacks as they occur, by the sequence and timing of bytes or system calls (the attack signature) or by correlating information in event logs.
  - By using heuristic techniques to prevent or detect attacks as they occur.
- System integrity verifiers (SIV) monitor system files to detect when an intruder changes them, potentially leaving behind a back door to be exploited later. An SIV may watch other components as well, such as the Windows Registry, to find well-known signatures. It may also detect when a normal user somehow acquires root/administrator-level privileges.
- Network intrusion detection systems (NIDS) monitor packets on the network, to discover when someone tries to break into a system or cause a denial-of-service (DoS) attack. An example is a system that watches for large numbers of TCP connection requests to many different ports on a target computer, to discover whether someone is attempting a TCP port scan. A NIDS may run either on the target computer, which watches its own traffic (usually integrated with the TCP/IP stack and services themselves), or on an independent computer promiscuously watching all network traffic (in hubs, routers, and switches).
- Log file monitors (LFM) observe the log files generated by network services. Like NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. One example is a program that analyzes web server log files, looking for intruders who try to exploit well-known security holes.
- Deception systems contain pseudo-services that emulate well-known holes to trap intruders. Some deception systems (also known as decoys, lures, fly-traps, or honeypots[6]) are simple tricks, such as renaming the administrator account on Windows, and then setting up a dummy account with no rights but extensive auditing.

Reaction

When an intrusion is detected, how does your team react? You would like your team to take a systematic approach, with clear steps to be followed when a security breach occurs, to stop the intrusion or stop its spread, repair any damage, catch the perpetrator, and avoid it in the future. Reacting should be more effective than simply tearing your hair out. Software tools offer short-term responses, things you do immediately, and longer-term, more thoughtful responses. The goal of these actions is to stop the intrusion, reduce the damage it causes, and quarantine it (to prevent further spread).

An alarm may be the simplest short-term response: notify an administrator that an intrusion is occurring. Beep, play a WAV file, send an e-mail message, or page the system administrator. Write event details to the local operating system's event log. Perhaps an even better alarm is to forward a trap to a system management console, such as NetIQ Application Manager, Microsoft Operations Manager, or HP OpenView.

Modern detection systems have rules that automate the short-term reaction to a breach. In addition to alarms, they can launch programs or run scripts to handle the event. For instance, these systems can stop an offending process or session on a local computer. Or, they can direct a firewall to filter out packets from the IP address of the intruder. They might stop the offending TCP sessions by forging TCP RST packets to force their connections to terminate.

You also want your system to collect detailed information about the intrusion. The better the quality of the data about an intrusion, the better the quality of the reaction.
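Worked example, added here and not part of the original text: the NIDS port-scan check described above (many TCP connection requests to distinct ports on one target) run over constructed connection events, producing alert records that carry the fields a reaction needs (time stamp, intruder IP, victim IP/ports, protocol). The threshold of 10 distinct ports within a 30-second window and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning: 10 or more distinct destination ports from one source to one
# target inside a 30-second window is reported as a TCP port scan.
DISTINCT_PORT_THRESHOLD = 10
WINDOW_SECONDS = 30

def _events(src, dst, ports, start, step_seconds):
    """Build constructed connection-request events as (time, src, dst, dport)."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step_seconds), src, dst, port)
            for i, port in enumerate(ports)]

# Constructed sample input (not a real capture): one fast scanner, one busy but
# benign client using only two ports, and one slow scanner probing a port a minute.
SAMPLE_EVENTS = (
    _events("10.0.0.5", "192.168.1.20", range(20, 32), "2024-01-10T09:00:00", 1)
    + _events("10.0.0.7", "192.168.1.20", [80, 443] * 6, "2024-01-10T09:00:00", 1)
    + _events("10.0.0.9", "192.168.1.20", range(20, 32), "2024-01-10T09:00:00", 60)
)

def detect_port_scans(events, threshold=DISTINCT_PORT_THRESHOLD,
                      window_seconds=WINDOW_SECONDS):
    """Return one alert per (source, target) pair whose distinct destination
    ports inside any sliding time window reach the threshold."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()  # oldest first, so the window can slide forward
        start = 0
        for end in range(len(hits)):
            # Drop events from the front until the window spans at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = sorted({port for _, port in hits[start:end + 1]})
            if len(ports) >= threshold:
                # Record what a reaction needs: time stamp, intruder IP, victim IP/ports, protocol.
                alerts.append({"timestamp": hits[start][0].isoformat(),
                               "intruder_ip": src, "victim_ip": dst,
                               "victim_ports": ports, "protocol": "TCP"})
                break  # one alert per pair is enough to raise the alarm
    return alerts

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print(alert)
```

The slow scanner in the sample shows the window's limit: with the default 30-second window it is missed, while a wider window (passed as window_seconds) catches it at the cost of keeping more state per source/target pair.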
Log the attack, saving the attack information (time stamp, intruder IP address, victim IP address/port, protocol information). Save a trace file of the raw packets for later analysis.

Over the longer term, you want to prevent a repeat intrusion. One way is to catch those who initiated the intrusion, with the hope that the legal system will prevent them from causing future damage. Who did what to whom? Determining this usually requires a process called forensics, a thorough examination of the available evidence. The material you collect when you detect an intrusion may need to be turned over to law enforcement. You also want to review what occurred, to improve your team's prevention and detection processes for "the next time." Such a review asks the following:
- What procedures need to change?
- What software needs to be updated?
- What policies need to be strengthened?
- What rules and actions need to be improved?
- What went well (it can't all be bad news)?
Finally, there is a much longer-term cycle related to overall systems management. What are the historical trends? How often do intrusions occur? What damage do they do? What does it cost to prevent or detect intrusions? Are the staff and budget adequate?

The background information on general network and computer security has been covered. It is now time for a look at some of the specific problem areas associated with VoIP security.