Guide to Network Defense and Countermeasures


Guide to Network Defense and Countermeasures Chapter 8

Chapter 8 - Intrusion Detection: An Overview

- Describe intrusion detection system components
- Follow the intrusion detection process step by step
- Understand options for configuring intrusion detection systems
- Know the issues involved in choosing an intrusion detection system

Intrusion Detection System Components

Intrusion detection systems, in an overall network defense configuration, involve three core functions:
- Intrusion prevention, or stopping intrusions at the edge of the network; firewalls perform this function
- Intrusion detection, or checking for security breaches on a network; intrusion detection systems (IDSs) perform this function
- Intrusion response, or swift, safe, and purposeful reaction to an intrusion; network administrators perform this function

Intrusion Detection System Components

Network sensor:
- Sensors are the electronic eyes of an IDS; they monitor inbound and outbound network traffic in real time
- When sensors detect suspicious events, an alarm is triggered; attacks are either single-session, in which the intruder makes a single isolated attempt to gain network access, or multiple-session, in which the intruder makes many attempts over time to gain network access (port/network scans)
- Place sensors at common entry points, such as gateways, LAN connections, remote access servers, and VPN devices

Intrusion Detection System Components

Alert systems:
- An IDS sounds or sends an alert when it encounters packets or traffic patterns that seem suspicious
- To respond to such events, the IDS uses a trigger, a set of conditions that cause an alert to be sent; alerts result from two types of triggers, anomaly detection (an unexpected event) and misuse detection (recognition of a known attack)
- Alert messages come as pop-up windows, e-mail messages, sounds, pager messages, or any combination of these forms

Intrusion Detection System Components

Alert systems (cont.):
- An anomaly detection system requires a profile for each authorized user or group; the profile describes the user's normal network access
- Effective anomaly detection depends on the accuracy of the profiles created for the IDS
- Misuse detection triggers alarms based on the characteristic signatures of known attacks
- Misuse detection has a jumpstart in that IDSs come with a set of signatures; attack signatures not in the initial list need to be added periodically
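The sensor from the previous slide and the two trigger types described here, as an added worked example (this is not code from the textbook or its publisher): a small Python sensor decodes raw IPv4/TCP frames, then fires a misuse trigger (byte-pattern signatures keyed on destination port) or an anomaly trigger (a per-host profile of normal destination ports and payload size). The signatures, the profiles, the addresses and the frames themselves are all constructed for the demo; a real deployment would read frames from a capture interface and load a maintained signature set.

```python
"""Sensor + trigger pipeline: decode IPv4/TCP frames, then apply a misuse
(signature) trigger and an anomaly (profile) trigger.  Every input below is
constructed for the example; nothing is a real capture or vendor rule."""
import socket
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the IPv4 and TCP headers and return the fields a sensor keys on.
    Anything that is not IPv4 carrying TCP raises ValueError and is skipped."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags, _, _, _, _ = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = (off_flags >> 4) * 4
    payload = raw[ihl + data_off:total_len]
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload)


def build_ipv4_tcp(src, dst, sport, dport, payload, proto=6):
    """Assemble a constructed frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


# Misuse detection: (name, destination port or None for any, byte pattern).
# Constructed rules; a real IDS ships a signature database and updates it.
SIGNATURES = [
    ("http-directory-traversal", 80, b"/../"),
    ("smtp-vrfy-probe", 25, b"VRFY "),
]

# Anomaly detection: what "normal" looks like per authorized source host.
# Constructed profiles; in practice they are learned over a baseline period.
PROFILES = {
    "10.0.0.5": {"ports": {25, 80, 443}, "max_payload": 1500},
    "10.0.0.6": {"ports": {80, 443}, "max_payload": 1500},
}


def misuse_trigger(pkt, signatures=SIGNATURES):
    for name, port, pattern in signatures:
        if (port is None or pkt.dport == port) and pattern in pkt.payload:
            return f"misuse: {name}"
    return None


def anomaly_trigger(pkt, profiles=PROFILES):
    profile = profiles.get(pkt.src)
    if profile is None:
        return "anomaly: no profile for source host"
    if pkt.dport not in profile["ports"]:
        return f"anomaly: unusual destination port {pkt.dport}"
    if len(pkt.payload) > profile["max_payload"]:
        return "anomaly: payload larger than baseline"
    return None


def inspect(frames, profiles=PROFILES):
    """Sensor loop: decode each frame and raise at most one alert per packet.
    The misuse check runs first because a signature match is the more specific finding."""
    alerts = []
    for raw in frames:
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError:
            continue  # not IPv4/TCP: outside what this sensor models
        reason = misuse_trigger(pkt) or anomaly_trigger(pkt, profiles)
        if reason:
            alerts.append({"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport, "reason": reason})
    return alerts


def demo():
    """Five constructed frames: one clean, one signature hit, two anomalies, one non-TCP."""
    frames = [
        build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40000, 80, b"GET /index.html HTTP/1.1\r\n"),
        build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40001, 80, b"GET /../../config HTTP/1.1\r\n"),
        build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40002, 6667, b"NICK guest\r\n"),
        build_ipv4_tcp("10.0.0.99", "203.0.113.10", 40003, 80, b"GET / HTTP/1.1\r\n"),
        build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40004, 53, b"", proto=17),
    ]
    return inspect(frames)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Note the ordering decision: a packet that matches a signature is reported as misuse even if it also deviates from the profile, which mirrors the slide's point that misuse detection starts from known attacks while anomaly detection depends entirely on how accurate the profiles are (the unprofiled host 10.0.0.99 alerts only because no baseline exists for it).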

Intrusion Detection System Components

Command console:
- A command console is software that provides a network administrator with a graphical front-end interface to the IDS; administrators receive and analyze alert messages and manage log files at consoles

Response system:
- Some of the more sophisticated IDS devices can be set up to take countermeasures when intrusions are detected; however, this is not a substitute for the judgement of a network administrator in determining appropriate countermeasures

Intrusion Detection System Components

Database of attack signatures or behaviors:
- Misuse-based systems call upon a database of known attack signatures as the source of information against which they compare traffic
- The key with attack signature databases is that they are kept up to date; the SecurityFocus online database of known vulnerabilities is frequently updated and can be searched for attack data
- Anomaly detection can make use of “normal traffic” databases against which network traffic is compared; SecurVantage 3.0 is such a database

Intrusion Detection Step-by-Step

The process of network intrusion detection can be broken into seven general steps that apply to virtually all IDSs:
- Step 1: Install the signature and profile databases, along with the IDS hardware and software itself
- Step 2: Gather data by allowing network sensors to read and monitor every network packet
- Step 3: Send alert messages when the sensor determines that a packet matches an attack signature or deviates from normal network usage

Intrusion Detection Step-by-Step

The intrusion detection process (cont.):
- Step 4: The IDS responds if it is configured to take action at the same time a suspicious packet is received and an alert message is sent; actions include sending an alarm to the console, dropping the packet without notifying the sender, and resetting TCP traffic by stopping and restarting network traffic
- Step 5: The administrator assesses damage by examining the alert; false alarms may mean that the database needs to be fine-tuned; incidents that should cause alarms but don't must also be considered

Intrusion Detection Step-by-Step

The intrusion detection process (cont.):
- Step 6: Pursue escalation procedures if necessary: a predetermined set of procedures is followed if an attack is detected; attacks are often classified by severity, level one being the lowest and level three the highest
- Step 7: Log and review the event; this enables an administrator to determine whether this was a single-session attack or whether patterns of misuse have been occurring, as they do in multiple-session attacks
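Steps 4 through 7 carried through in code, as an added example that is not part of the textbook: a constructed alert stream is graded into the three severity levels the slide mentions, each alert is paired with the response the policy allows (a recommendation for the administrator; the code acts on nothing), alerts are correlated per source to separate a single-session event from the multiple-session pattern of a port scan, and the result is written as one JSON line per event for later review. The mapping from level to response, the scan threshold and the window are assumptions of this example; the chapter states only that level one is lowest and level three highest.

```python
"""Steps 4-7: severity, policy response, single- vs multiple-session
correlation, and JSON-lines logging.  Alerts and policy are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed escalation policy.  The chapter grades attacks level one (lowest)
# to level three (highest); which response goes with which level is an
# assumption of this example, not the book's procedure.
RESPONSE_BY_LEVEL = {
    1: "alert console; review at next scheduled log review",
    2: "alert console and page the administrator; keep watching the source",
    3: "alert console, drop/reset per policy, begin damage assessment",
}


def classify_sessions(alerts, window=timedelta(minutes=5), scan_ports=5):
    """Step 7: per source, decide single-session vs multiple-session.  A source
    that touched at least `scan_ports` distinct destination ports inside one
    `window` is treated as multiple-session (the port-scan pattern)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    kinds = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["time"])
        kinds[src] = "single-session"
        start = 0
        for end in range(len(items)):
            # advance the window start until items[start:end+1] fits in `window`
            while items[end]["time"] - items[start]["time"] > window:
                start += 1
            ports = {x["dport"] for x in items[start:end + 1]}
            if len(ports) >= scan_ports:
                kinds[src] = "multiple-session"
                break
    return kinds


def severity(alert, session_kind):
    """Constructed grading: a known-attack signature outranks a scan pattern,
    which outranks a lone anomaly."""
    if alert["trigger"] == "misuse":
        return 3
    if session_kind == "multiple-session":
        return 2
    return 1


def escalate(alerts):
    """Steps 4-6: attach a severity level and the policy response to each alert.
    The response is advice for the administrator, who still assesses the
    damage in step 5; nothing here touches the network."""
    kinds = classify_sessions(alerts)
    records = []
    for a in alerts:
        level = severity(a, kinds[a["src"]])
        records.append({
            "time": a["time"].isoformat(),
            "src": a["src"], "dport": a["dport"], "trigger": a["trigger"],
            "session": kinds[a["src"]], "severity": level,
            "response": RESPONSE_BY_LEVEL[level],
        })
    return records


def write_log(records, path):
    """Step 7: append one JSON object per line so the log exports cleanly."""
    with open(path, "a", encoding="utf-8") as f:
        for r in records:
            f.write(json.dumps(r, sort_keys=True) + "\n")


def sample_alerts():
    """Constructed alert stream: one scan-like source, one signature hit, one lone anomaly."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    alerts = [{"time": t0 + timedelta(seconds=10 * i), "src": "198.51.100.7",
               "dport": p, "trigger": "anomaly"}
              for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    alerts.append({"time": t0 + timedelta(minutes=1), "src": "10.0.0.5",
                   "dport": 80, "trigger": "misuse"})
    alerts.append({"time": t0 + timedelta(minutes=2), "src": "10.0.0.6",
                   "dport": 6667, "trigger": "anomaly"})
    return alerts


if __name__ == "__main__":
    recs = escalate(sample_alerts())
    write_log(recs, "ids-events.log")
    for r in recs:
        print(r["src"], r["session"], r["severity"], r["response"])
```

The correlation step is what turns six individually low-value anomaly alerts from 198.51.100.7 into one level-two finding; without it, each would be graded level one and the scan would only be visible to someone reading the raw log.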

Options for Implementing an IDS

Network-based IDS (NIDS):
- A NIDS is a set of components that includes a command console and sensors positioned at the network perimeter, where they monitor/sniff traffic
- Three common locations for NIDS sensors are behind the firewall and before the LAN, between the firewall and the DMZ, or on any network segment
- A NIDS typically has its primary management and analysis software installed on a dedicated computer
- A NIDS must keep up with a large volume of traffic, and it must respond quickly to detected packets

Options for Implementing an IDS

Host-based IDS (HIDS):
- A HIDS is deployed on each host in the LAN that is protected by the firewall; packets generated by the host itself are monitored and evaluated by the HIDS
- The HIDS gathers system variables such as system processes, CPU usage, and file access; system events that match signatures of known attacks reach the IDS on the host, which sends an alert
- A HIDS does not sniff packets like a NIDS; instead, it monitors log file entries and user activity

Options for Implementing an IDS

HIDS (cont.):
- A HIDS can have a centralized or distributed configuration; if centralized, the HIDS sends all gathered data to a central location (the command console) for analysis; if distributed, the data analysis is distributed among the individual hosts
- Host computer performance requirements are minimal in a centralized configuration, but hosts must be well equipped for a distributed configuration
- A HIDS can tell whether attack attempts against the host were successful; a HIDS cannot detect a network-wide intrusion attempt

Options for Implementing an IDS

Hybrid IDS implementations:
- A hybrid IDS increases flexibility and security by combining the functionality of multiple systems
- One type of hybrid combines host- and network-based systems; this enables positioning of sensors on network segments and on individual hosts; this system responds to both network and host attacks
- Another hybrid type combines anomaly and misuse detection; it can detect internal use that deviates from normal usage patterns and also has a database of well-known attacks; this system responds to both internal and external attacks

Options for Implementing an IDS

Hybrid IDS implementations (cont.):
- A shim IDS is a type of NIDS, but the sensors are installed in selected hosts and network segments
- A distributed IDS, or DID, is a system in which multiple IDSs are deployed to monitor traffic and report suspicious events; administrators are better able to assess developing patterns and distinguish between harmless anomalies and genuine attacks
- A key advantage of hybrid IDSs is being able to monitor the network as a whole; drawbacks include getting disparate systems to work together, and the data gathered can be difficult to analyze

Evaluating an IDS

- The first step in evaluating an IDS is to review the topology of the network to be protected
- Pay particular attention to the parts of the network that have direct interaction with the IDS, such as the number of network entry points, the use of firewalls, and the segmenting of the network
- The next step involves choosing the best IDS type for meeting network security needs
- The freeware NIDS Snort is ideal for monitoring traffic on a small network or an individual host

Evaluating an IDS

Choosing an IDS (cont.):
- The commercial HIDS Norton Internet Security is designed for a home-based standalone computer or a computer on a small network; it also contains a limited number of intrusion detection features
- The anomaly-based IDS Tripwire has long been one of the most highly regarded software IDS packages; after establishing a baseline for normal usage, any configuration changes trigger an alert; Tripwire is excellent for situations in which employee activity needs to be closely monitored
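The baseline-then-alert-on-change approach this slide attributes to Tripwire, and the file-access monitoring the HIDS slides describe, as an added example (this is not Tripwire's code or the textbook's): a Python file-integrity baseline records a SHA-256 digest, size and permission bits for every file under a directory tree, and a later pass reports which files were added, removed or modified and which attribute changed. The directory layout, file contents and changes are constructed in a temporary directory so the example runs offline; a real deployment stores the baseline off-host so an intruder who alters a file cannot also alter the record of it.

```python
"""File-integrity baseline in the HIDS / Tripwire style: fingerprint a tree,
then diff a later fingerprint against it.  The scenario is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest, size and permission bits for one regular file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: dict, new: dict) -> dict:
    """Report added and removed files, and for modified files which attributes differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for name in set(old) & set(new):
        diffs = [k for k in old[name] if old[name][k] != new[name][k]]
        if diffs:
            modified[name] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then make one change of each kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder")
        before = baseline(root)

        # Content edited: digest and size both change.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        # File removed.
        (root / "etc" / "hosts").unlink()
        # File added in a new directory.
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 3 * * * root /usr/local/bin/backup\n")
        # Permission bits changed while the content stays intact.
        os.chmod(root / "bin" / "tool", 0o755)
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Every entry the comparison reports is an "anomaly" only relative to the baseline, which is the slide's point about Tripwire: the tool knows nothing about attacks, so the quality of the alert depends entirely on the baseline having been taken on a known-good system and on legitimate changes (patches, configuration management) being re-baselined rather than ignored.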

Evaluating an IDS

Choosing an IDS (cont.):
- The network-based IDS RealSecure is one of the most comprehensive and widely used IDS products; RealSecure makes use of a distributed client-server architecture; it can be implemented as a hybrid IDS with multiple RealSecure Sensor products to scan network and host traffic
- IDS hardware appliances have a greater ability to handle network traffic, and greater scalability, than software IDS packages; a big advantage of hardware devices is their plug-and-play capability; hardware appliances do, however, still need periodic updates

Evaluating an IDS

Choosing an IDS (cont.):
- The signature-based IDS Cisco Secure IDS draws on a database of attack signatures to detect intrusion attempts; the signatures available to the system are broken into various types of network traffic (IP, ICMP, TCP, UDP, Web/HTTP, string-matching, etc.); this NIDS makes use of sensors, and it also watches for patterns of attacks as it monitors network traffic

Chapter Summary This chapter presented an overview of intrusion detection systems (IDSs), which provide a supplementary line of defense behind firewalls and anti-virus software. Some IDSs go beyond simply transmitting alarms: they reset TCP communications, block selected IP addresses, and provide evidence used in disciplinary actions or used to prevent attacks.

Chapter Summary Some IDSs consist of software programs and others combine hardware devices, but they all use similar elements. A network sensor should be placed at the openings to the network and individual network segments. Alert messages are sent from triggers, which can result from anomaly detection or misuse detection, or a combination of both. The alert message is sent to a command console, which provides the administrator with a single interface to the data gathered by the IDS. A response system built into the IDS instructs it to drop packets or reset traffic if attacks are detected. In order to remain accurate and avoid false alarms, the database of signatures or user profiles must remain current.

Chapter Summary The step-by-step intrusion detection process begins with the installation of a set of attack signatures (for misuse detection) or normal network usage profiles (for anomaly detection). Next, the sensors monitor packets. Alert messages are sent when a packet matches an attack signature or deviates from normal network usage. An alert message is transmitted to the command console. In addition, the IDS can also respond by dropping the packets or resetting a connection. False alarms are likely and will require the system to be fine-tuned to allow legitimate traffic to pass through without an alarm. If the intrusion is found to be an attack, escalation procedures should be pursued. The IDS also logs each alarmed event so it can be reviewed later. Exporting the data to a database for analysis can reveal the real nature and intent of attacks.

Chapter Summary Next, the IDS is implemented. A network-based intrusion detection system (NIDS) uses sensors positioned around the perimeter of the network or of network segments. A host-based intrusion detection system (HIDS) uses sensors that are deployed on each host that needs to be protected. A HIDS uses data generated by each host. A hybrid IDS combines the functionality of a NIDS and a HIDS. It can also combine anomaly- and misuse-based detection. A shim IDS makes use of sensors installed both on network segments and on hosts. A distributed IDS collects data gathered from multiple IDSs and firewall logs in order to analyze data across a wide area.

Chapter Summary Different types of IDSs exist. In the freeware and shareware category, the best known program is called Snort, which makes use of a set of predetermined rules and is designed to monitor traffic on a small-scale network. Commercial firewall programs such as Norton Internet Security include limited sets of IDS features. Anomaly-based systems like the highly regarded Tripwire for Network Devices establish a baseline for normal network usage. RealSecure is a network-based IDS that makes use of one or more network sensors and a command console.

Chapter Summary Hardware appliances can handle a higher traffic load than software programs and offer plug-and-play functionality. The Cisco Secure IDS system draws on a database of attack signatures, but also monitors suspicious traffic patterns, much like a firewall.