CHAPTER 14
Intrusion Detection
Copyright 2001 The McGraw-Hill Companies, Inc.
Intrusion detection is another tool for security staff to use to protect an organization from attack. Intrusion detection is a reactive concept that tries to identify a hacker when a penetration is attempted. Ideally, such a system will only alarm when a successful attack is made. Intrusion detection can also assist in the proactive identification of active threats by providing indications and warnings that a threat is gathering information for an attack. In reality, as we will see in the following pages, this is not always the case. Before we discuss the details of intrusion detection, let's define what it actually is.

Intrusion detection systems (IDS) have existed for a long time. Some of the earliest forms included night watchmen and guard dogs. In this case, the watchmen and guard dogs served two purposes: they provided a means of identifying that something bad was happening, and they provided a deterrent to the perpetrator. Most thieves were not interested in facing a dog, so they were unlikely to attempt to rob a building with dogs. The same is true for a night watchman. Thieves did not want to be spotted by a watchman who might have a gun or who would call the police.
Burglar and car alarms are also forms of IDS. If the alarm system detects an event that it is programmed to notice (such as the breaking of a window or the opening of a door), lights go on, an alarm sounds, or the police are called. The deterrent function is provided by a window sticker or a sign in the front yard of the house. Cars often have a red light visible on the dashboard to give an indication that an alarm is active.
All of these examples share a single, principal aim: detect any attempt to penetrate the security perimeter of the item (business, building, car, and so on) being protected. In the case of a building or car, the security perimeter is easy to identify. The walls of the building, a fence around the property, or the doors and windows of the car clearly define the security perimeter. Another characteristic that all of these examples have in common is well-defined criteria for what constitutes a penetration attempt and what constitutes the security perimeter.
If we translate the concept of the alarm system into the computer world, we have the base concept of an IDS. Now we must define what the security perimeter of our computer system or network actually is. Clearly, the security perimeter does not exist in the same way as a wall or fence. Instead, the security perimeter of a network refers to the virtual perimeter surrounding an organization's computer systems. This perimeter can be defined by firewalls, telecom demarcation points, or desktop computers with modems. It may also be extended to include the home computers of employees who are allowed to telecommute or a business partner that is allowed to connect to the network.
A burglar alarm is designed to detect any attempted entry into a protected area during times of non-occupancy. An IDS is designed to differentiate between an authorized entry and a malicious intrusion, which is much more difficult. A good analogy to further explain this is a jewelry store with a burglar alarm. If anyone, even the owner, opens the door, the alarm sounds. The owner must then notify the alarm company that he has opened his store and all is well. An IDS is more like the guard at the front door watching every patron of the store and looking for malicious intent (carrying a gun, for example). Unfortunately, in the virtual world the gun is very often invisible.
The second issue that must be dealt with is the definition of what events constitute a violation of the security perimeter. Is an attempt to identify live systems such an event? What about the use of a known attack against a system on the network? As these questions are asked, it becomes clear that the answers are not black and white. Instead, they depend upon other events and the state of the target system.
TYPES OF INTRUSION DETECTION SYSTEMS
There are two primary types of IDS: host-based (H-IDS) and network-based (N-IDS). An H-IDS resides on a particular host and looks for indications of attacks on that host. An N-IDS resides on a separate system that watches network traffic, looking for indications of attacks that traverse that portion of the network. Figure 14-1 shows how the two types of IDS may exist in a network environment.
Host-Based IDS
An H-IDS exists as a software process on a system. Traditionally, H-IDS systems have examined log entries for specific information. On Unix systems, the logs that are normally examined include Syslog, Messages, Lastlog, and Wtmp. On Windows systems, the System, Application, and Security Event Logs are examined. Periodically, the H-IDS process looks for new log entries and matches them up to pre-configured rules. If a log entry matches a rule, the H-IDS will alarm. If the H-IDS is to function properly, the necessary information must appear in the logs. Therefore, if the information that is most interesting is generated by an application, the application must place that information into the standard logs on the system or the H-IDS must be capable of examining the application logs.
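As an added illustration (this is example code, not code from the book or from any IDS product), the following Python sketch does what the paragraph describes: it reads syslog-style lines, matches each against pre-configured rules, and alarms either on a single match or only when a count threshold is reached inside a time window, so that one mistyped password does not page anyone while a burst of failures does. The log lines, rule names, hostnames and addresses are all constructed for the example.

```python
"""Host-based IDS log matcher: an added example, not from the book."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample (not taken from any real system).
SAMPLE_LOG = """\
Mar 10 09:01:02 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:01:04 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:01:05 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 09:01:07 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
Mar 10 09:01:09 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51126 ssh2
Mar 10 09:15:40 host1 sshd[415]: Failed password for bob from 192.0.2.10 port 40123 ssh2
Mar 10 09:30:00 host1 sshd[418]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 10 09:31:15 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Generic syslog line: timestamp, host, free-form message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Pre-configured rules (constructed). The <key> group names the entity counted
# toward the threshold; a threshold of 1 means alarm on every match.
RULES = [
    {"name": "ssh-password-guessing",
     "pattern": re.compile(r"Failed password for .* from (?P<key>\S+)"),
     "threshold": 5, "window_seconds": 60},
    {"name": "sudo-shadow-read",
     "pattern": re.compile(r"sudo: +(?P<key>\S+) .*COMMAND=.*/etc/shadow"),
     "threshold": 1, "window_seconds": 0},
]


def parse_timestamp(text, year=2001):
    """Syslog timestamps carry no year, so one is supplied (constructed value)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def scan(log_text, rules=RULES):
    """Return alarms as (rule name, key, timestamp) tuples, in log order."""
    alarms = []
    recent = defaultdict(deque)  # (rule, key) -> timestamps of recent matches
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line: an H-IDS can only act on what it can read
        ts = parse_timestamp(m.group("ts"))
        for rule in rules:
            hit = rule["pattern"].search(m.group("msg"))
            if not hit:
                continue
            key = hit.group("key")
            if rule["threshold"] <= 1:
                alarms.append((rule["name"], key, ts))
                continue
            window = recent[(rule["name"], key)]
            window.append(ts)
            # Expire matches that fall outside the rule's sliding window.
            limit = timedelta(seconds=rule["window_seconds"])
            while window and ts - window[0] > limit:
                window.popleft()
            if len(window) >= rule["threshold"]:
                alarms.append((rule["name"], key, ts))
                window.clear()  # one alarm per burst, not one per extra failure
    return alarms


if __name__ == "__main__":
    for name, key, ts in scan(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} ALARM {name} ({key})")
```

Running it produces two alarms: the five failures from 203.0.113.7 within seven seconds trip the threshold rule on the fifth line, and the single read of `/etc/shadow` via sudo alarms immediately; bob's lone failed password produces nothing. A real H-IDS tails the live log file instead of a string, but the matching logic is the same, and the point the paragraph makes holds: if sshd or sudo did not write these lines, the H-IDS would have nothing to match.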
More recently, a new form of H-IDS has been created that examines calls to the operating system kernel. This type of H-IDS is programmed with known attack signatures and will alarm if a system call matches any of the signatures.
Both types of H-IDS are capable of checking files on the system for modification. This is done by performing a cryptographic checksum on the file using a hashing function such as MD5 (see Chapter 12). This value is then stored and used as a comparison against periodic checksums of the file. If the checksums do not match, the file has been altered and the H-IDS will report this information.
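The checksum procedure just described, written out as an added Python example (not the book's code and not any particular product's): a baseline of file digests is recorded once, and each later run rehashes the monitored files and reports any whose digest no longer matches, plus any that have disappeared. The book names MD5; this example defaults to SHA-256 because MD5 is no longer collision-resistant, but the algorithm is a parameter. The files, their contents and the tampering are constructed in a temporary directory.

```python
"""File-integrity checking as an H-IDS does it: an added example, not from the book."""
import hashlib
import os
import tempfile

# The book mentions MD5; SHA-256 is the default here, but any hashlib name works.
DEFAULT_ALGORITHM = "sha256"


def hash_file(path, algorithm=DEFAULT_ALGORITHM, chunk_size=64 * 1024):
    """Return the hex digest of a file, reading it in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm=DEFAULT_ALGORITHM):
    """Record the trusted digest of every monitored file."""
    return {path: hash_file(path, algorithm) for path in paths}


def verify_baseline(baseline, algorithm=DEFAULT_ALGORITHM):
    """Rehash the monitored files and report any that changed or disappeared."""
    report = {"modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path, algorithm) != expected:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario: baseline three files, then alter one and delete one."""
    workdir = tempfile.mkdtemp()
    contents = {  # stand-ins for configuration files; the contents are made up
        "hosts": b"127.0.0.1 localhost\n",
        "sshd_config": b"PermitRootLogin no\n",
        "motd": b"Authorized use only.\n",
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as f:
            f.write(data)

    baseline = build_baseline(paths.values())
    assert verify_baseline(baseline) == {"modified": [], "missing": []}

    # Simulate what the H-IDS is meant to catch: a config edit and a deleted file.
    with open(paths["sshd_config"], "ab") as f:
        f.write(b"PermitRootLogin yes\n")
    os.remove(paths["hosts"])

    report = verify_baseline(baseline)
    return {kind: sorted(os.path.basename(p) for p in found) for kind, found in report.items()}


if __name__ == "__main__":
    print(demo())  # {'modified': ['sshd_config'], 'missing': ['hosts']}
```

One caveat a practitioner should keep in mind: the baseline is only as trustworthy as its storage. If the digest file lives writable on the same host, an intruder who can alter a binary can also re-baseline it, so production tools keep the baseline read-only or on another system and check it on a schedule the host does not control.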
There are three primary advantages to an H-IDS system:
▼ The H-IDS will not miss attack traffic that is directed at a system as long as the attack generates a log message (or a system call).
■ The H-IDS can determine if an attack was successful by examining log messages or other indications on the system (such as the modification of key system binaries or configuration files).
▲ The H-IDS can be used to identify unauthorized access attempts by legitimate system users.
There are three disadvantages to an H-IDS system:
▼ The H-IDS process may be identified and disabled by an attacker.
■ The H-IDS system can only alarm if the log entries or system calls match pre-configured rules or signatures.
▲ Certain H-IDS systems may impact support and maintenance agreements on operating system software. This is primarily associated with an H-IDS that examines system calls.
Figure 14-1. Examples of IDS placement in a network environment
Network-Based IDS
An N-IDS exists as a software process on a dedicated hardware system. The N-IDS places the network interface card on the system into promiscuous mode, meaning that the card passes all traffic on the network (rather than just traffic destined for that system) to the N-IDS software. The traffic is then analyzed according to a set of rules and attack signatures to determine if it is traffic of interest. If it is, an event is generated.
At this time, N-IDS systems are primarily signature-based. This means that a set of attack signatures has been built into the systems and these are compared against the traffic on the wire. If an attack is used that is not in the signature file, the N-IDS will not pick it up. N-IDS systems also have the capability to specify traffic of interest based on the source address, destination address, source port, or destination port. This allows organizations to define traffic to watch for that is outside of the attack signatures.
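To make the two mechanisms of the previous two paragraphs concrete, here is an added Python example (not code from the book or from any IDS product) of what the N-IDS software does with each frame handed up by the promiscuous interface: parse the IPv4/TCP headers far enough to recover source and destination addresses and ports and the payload, check the payload against content signatures, and separately check the address/port tuple against traffic-of-interest rules. The packets are constructed in memory with a small builder so the example runs offline; the addresses, the protected network range, and the rule names are assumptions for the example.

```python
"""Toy network IDS packet matcher: an added example, not from the book."""
import ipaddress
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
TCP_HDR = "!HHIIBBHHH"     # TCP header without options (20 bytes)

# Constructed "internal" network that the sensor protects.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


# Attack signatures: a byte pattern looked for in the payload, optionally
# restricted to a destination port (constructed, modelled on classic IDS rules).
SIGNATURES = [
    {"name": "http-directory-traversal", "dport": 80, "content": b"/../"},
]

# Traffic-of-interest rules keyed purely on addresses and ports, independent of
# any signature, as the text describes.
TRAFFIC_RULES = [
    {"name": "telnet-to-internal-host",
     "match": lambda src, dst, sport, dport: dport == 23 and is_internal(dst)},
    {"name": "db-server-talking-outbound",
     "match": lambda src, dst, sport, dport: src == "192.0.2.50" and not is_internal(dst)},
]


def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet for offline testing (checksums left zero)."""
    ip = struct.pack(IP_HDR, 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(raw) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, offset_byte = struct.unpack("!HHIIB", tcp[:13])
    data_off = (offset_byte >> 4) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            sport, dport, tcp[data_off:])


def inspect(raw):
    """Return the names of every signature and traffic rule the packet matches."""
    parsed = parse_packet(raw)
    if parsed is None:
        return []
    src, dst, sport, dport, payload = parsed
    events = [s["name"] for s in SIGNATURES
              if (s["dport"] is None or s["dport"] == dport) and s["content"] in payload]
    events += [r["name"] for r in TRAFFIC_RULES if r["match"](src, dst, sport, dport)]
    return events


# Constructed traffic sample; addresses and ports are illustrative only.
SAMPLE_PACKETS = [
    build_packet("203.0.113.9", "192.0.2.80", 51000, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_packet("203.0.113.9", "192.0.2.80", 51001, 23, b""),
    build_packet("192.0.2.50", "198.51.100.7", 44000, 443, b"\x16\x03\x01\x00\x5a"),  # TLS: opaque payload
    build_packet("192.0.2.10", "192.0.2.80", 52000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run_sensor(packets=SAMPLE_PACKETS):
    """Inspect every packet and return the list of events per packet."""
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for raw, events in zip(SAMPLE_PACKETS, run_sensor()):
        print(parse_packet(raw)[:4], events or "-")
```

The first packet fires the content signature, the second fires only the address/port rule (an empty payload still counts as traffic of interest), and the third shows the limitation the text goes on to list: the payload is TLS, so no content signature can see into it, yet the address/port rule still flags a database server talking to the outside. The fourth, ordinary web request produces nothing. A real sensor would pull frames from the promiscuous interface with a capture library rather than from a constructed list, and would need to handle fragments, IP options and TCP reassembly that this sketch leaves out.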
The most common configuration for an N-IDS is to use two network interface cards. One card is used to monitor a network. This card is placed in a "stealthy" mode so that it does not have an IP address and, therefore, does not respond to incoming connections. The stealthy card does not have a protocol stack bound to it, so it cannot respond to probes such as a ping. The second card is used to communicate with the IDS management system and to send alarms. This card is attached to an internal network that is not visible to the network being monitored.
Advantages of an N-IDS include:
▼ The N-IDS can be completely hidden on the network, so an attacker will not know that he is being monitored.
■ A single N-IDS can be used to monitor traffic to a large number of potential target systems.
▲ The N-IDS can capture the contents of all packets traveling to a target system.
Disadvantages of an N-IDS system include:
▼ The N-IDS system can only alarm if the traffic matches pre-configured rules or signatures.
■ The N-IDS can miss traffic of interest due to high bandwidth utilization or alternate routes.
■ The N-IDS cannot determine if the attack was successful.
■ The N-IDS cannot examine traffic that is encrypted.
▲ Switched networks (as opposed to shared media networks) require special configurations so that the N-IDS can see all the traffic.
Is One Type of IDS Better?
Is one type of IDS better? It depends. Both types have their advantages and disadvantages, as we have seen. While an N-IDS may be more cost-effective (a single N-IDS can monitor traffic to a large number of systems), an H-IDS may be more appropriate for organizations that are more concerned about legitimate users than about external hackers. Another way to say this is that the choice of which type of IDS to use depends upon the primary threats to the organization.
SETTING UP AN IDS
In order to get the most out of an IDS, a lot of planning must be done beforehand. Even before an appropriate policy can be created, information must be gathered, the network must be analyzed, and executive management must be involved. As with most complex systems, the policy must be created, validated, and tested prior to deployment. The specific steps in creating an IDS policy are:
1. Define the goals of the IDS
2. Choose what to monitor
3. Choose the response
4. Set thresholds
5. Implement the policy
Defining the Goals of the IDS
The goals of the IDS provide the requirements for the IDS policy. Potential goals include:
▼ Detection of attacks
■ Prevention of attacks
■ Detection of policy violations
■ Enforcement of use policies
■ Enforcement of connection policies
▲ Collection of evidence
Keep in mind that goals can be combined and that the actual goals for any IDS depend on the organization that is deploying it. This is by no means a comprehensive list. The IDS can allow an organization to detect when an attack starts and may allow for the collection of evidence or the prevention of additional damage by terminating the incident. Of course, that is not the only purpose that an IDS can serve. Since the IDS will gather detailed information on many events taking place on the network and computer systems of an organization, it can also identify actions that violate policy and the real usage of network resources.