Chapter 5. Tracking an Intruder on the Network

 

"Beware the intentions of Uninvited Guests."

 
 --Samir Datt

Intruders on a network are any network administrator's worst nightmare. Survey after survey conducted by the world's most trusted organizations points to the same conclusion: statistically, it is not a matter of if a network gets breached, but when. Some of the well-known sites and networks that have been attacked in the past include the Pentagon, NATO, the White House, and so on. As a network forensics investigator, it is critical to understand the ways and means of intrusion detection and prevention.

Intrusion detection/prevention systems come in a multitude of flavors. There can be a host-based IDS/IPS or a network-based IDS/IPS. Host-based systems monitor activity on the host computer itself, whereas network-based systems monitor activity in traffic captured from the network segment they are attached to.

This chapter focuses on detecting and preventing intrusions using a Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS). We will study their functionality and compare the differences between the two. You will also learn how to use the open source tool, SNORT, to acquire evidence in NIDS/NIPS mode from a practical perspective.

This chapter will cover the following topics:

  • Understanding Network Intrusion Detection Systems
  • Understanding Network Intrusion Prevention Systems
  • Using modes of detection
  • Differentiating between NIDS and NIPS
  • Using SNORT for network intrusion detection and prevention

Understanding Network Intrusion Detection Systems

A Network Intrusion Detection System (NIDS) is a bit like the early warning alarm sirens that we see and hear in prison escape movies. These are triggered by a predefined event (such as an attempted break in/out) that is identified by a rule set enabled by the administrator/investigator. Just like a burglar alarm in a house, the NIDS is designed to detect an intruder and issue an alert to an authorized person.

Normally, a NIDS can only detect intrusions in the network segment that it is monitoring. The key to its effective functioning is the correct placement of the NIDS sensor, so that it can see all network traffic entering and leaving that segment. One common way to do this is to attach the sensor to a mirror (SPAN) port on a switch, or to a network tap, so that a copy of all the traffic on the segment passes through the NIDS device. If the sensor is placed where it sees only part of the traffic, attacks in the unseen part will never be detected.

The NIDS monitors all inbound and outbound traffic and identifies attempted intrusions by recognizing suspicious patterns in it. In a signature-based NIDS, this is done by matching the intercepted traffic against known intrusion or attack signatures. A signature-based IDS is essentially a passive system: it captures traffic, looks inside the packets, compares their content with a database of known bad signatures, and raises the corresponding alerts. This is depicted in the following image:

[Image: Understanding Network Intrusion Detection Systems]

A typical IDS maintains a large database of attack signatures. These could represent signatures of attempted or actual intrusions, viruses, or worms. During its operation, the IDS reviews all network traffic and compares it with the database of known signatures. Thus, any signature-based IDS is only as good as the quality and currency of its signature database: it cannot detect an attack for which it has no signature, and a loosely written signature will also fire on harmless traffic. A good-quality database produces fewer false positives and is worth its weight in gold.

Let's take a quick look at the following table, which lists the types of alert state generated by a NIDS:

Type             Event       Action     Description
True Positive    Attack      Alert      A genuine attack that triggers an alarm
False Positive   No attack   Alert      An event triggering an alarm even when no attack has taken place
False Negative   Attack      No alert   A genuine attack that triggers no alarm
True Negative    No attack   No alert   An event when no attack has taken place and no alarm is triggered

As we can see from the preceding table, both False Positive and False Negative are areas of great concern.

A false positive alarm takes up valuable analyst time to determine whether the alarm is genuine or not. Consequently, a large number of false positive alarms can end up discrediting the IDS completely, so that true positive alerts are ignored in the general noise, causing a lot of harm. A typical Cry Wolf situation!

False negatives are of much greater concern. When an attack slips in silently unnoticed, the time taken for discovery and, ultimately, resolution increases dramatically. This can cause huge losses to an organization.
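To make the signature-matching process and the four alert states concrete, here is an added example (not code from the book, and not Snort itself): a toy signature-based detector in Python, run over a small set of constructed, labelled packets, with each outcome tallied as a true/false positive/negative. The signatures, packets, addresses and payloads are all made up for illustration; the rule fields are loosely modelled on Snort content rules but are not Snort's syntax. The sample deliberately includes one signature that is too loose (it fires on a benign wiki post, a false positive) and one attack on a port the rule is not watching (a false negative), which is exactly the database-quality problem discussed above.

```python
"""Toy signature-based NIDS plus alert-state scoring (constructed example, not Snort)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical signature id
    msg: str                 # alert message
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port
    content: bytes           # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed signatures, loosely modelled on Snort content rules.
SIGNATURES = [
    Signature(1000001, "HTTP directory traversal attempt", "tcp", 80, b"../.."),
    Signature(1000002, "Shell path in HTTP request", "tcp", 80, b"/bin/sh"),
    Signature(1000003, "DNS query for known-bad domain", "udp", 53, b"bad-c2-host"),
]


def match(packet, signatures=SIGNATURES):
    """Return the signatures that fire on a single packet (passive inspection only)."""
    hits = []
    for sig in signatures:
        if sig.proto != packet.proto:
            continue
        if sig.dst_port is not None and sig.dst_port != packet.dst_port:
            continue
        if sig.content in packet.payload:
            hits.append(sig)
    return hits


def classify(alerted, is_attack):
    """Map (alert raised?, attack really happened?) to one of the four alert states."""
    if is_attack:
        return "true positive" if alerted else "false negative"
    return "false positive" if alerted else "true negative"


def evaluate(traffic, signatures=SIGNATURES):
    """Run the matcher over labelled traffic (packet, is_attack) and tally alert states."""
    counts = {"true positive": 0, "false positive": 0,
              "false negative": 0, "true negative": 0}
    for packet, is_attack in traffic:
        alerted = bool(match(packet, signatures))
        counts[classify(alerted, is_attack)] += 1
    return counts


def precision_recall(counts):
    """Precision = TP/(TP+FP) (how trustworthy alerts are); recall = TP/(TP+FN) (how much is caught)."""
    tp, fp, fn = counts["true positive"], counts["false positive"], counts["false negative"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


# Constructed labelled traffic; the second element is the ground truth.
TRAFFIC = [
    # ordinary page fetch -> no alert, no attack: true negative
    (Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"), False),
    # genuine traversal attempt -> alert: true positive
    (Packet("tcp", "10.0.0.6", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"), True),
    # benign wiki text that happens to contain "../.." -> alert: false positive (signature too loose)
    (Packet("tcp", "10.0.0.7", "10.0.0.80", 80, b"POST /wiki HTTP/1.1\r\n\r\nuse ../.. to go up two dirs"), False),
    # real attack on port 8080, but the rule is pinned to 80 -> no alert: false negative
    (Packet("tcp", "10.0.0.8", "10.0.0.80", 8080, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"), True),
    # DNS lookup of the bad domain -> alert: true positive
    (Packet("udp", "10.0.0.9", "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01" + b"bad-c2-host" + b"\x00"), True),
    # ordinary DNS lookup -> no alert: true negative
    (Packet("udp", "10.0.0.9", "10.0.0.53", 53, b"\x12\x35\x01\x00\x00\x01" + b"example.com" + b"\x00"), False),
]


if __name__ == "__main__":
    for packet, is_attack in TRAFFIC:
        hits = match(packet)
        label = "ATTACK" if is_attack else "benign"
        print(f"{packet.proto}/{packet.dst_port:<5} {label:6} -> {classify(bool(hits), is_attack):14}",
              [s.sid for s in hits])
    counts = evaluate(TRAFFIC)
    print(counts)
    print("precision=%.2f recall=%.2f" % precision_recall(counts))
```

Run as a script, it prints one line per packet with its alert state and the ids of the signatures that fired, then the tally (two true positives, one false positive, one false negative, two true negatives) and a precision and recall of 0.67 each. Tightening the traversal signature (for example, requiring it in the request line rather than anywhere in the payload) would remove the false positive, and widening the port from 80 to the set of HTTP ports in use would remove the false negative, which is the kind of tuning a real signature database needs.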
