Intrusion Detection Systems

The defense-in-depth approach depends on having controls at multiple levels. That means that an attack should encounter multiple controls once it has been detected. One of the tools that enables you to detect an attack is an intrusion detection system (IDS). An IDS provides the ability to monitor a network, host, or application, and report back when suspicious activity is detected. The essence of intrusion detection is the process of detecting potential misuse or attacks and the ability to respond based on the alert that is provided. You can do a lot to secure your systems, but how do you know they are secure? The IDS provides the ability to monitor the systems under your care.

An IDS is a hardware appliance or software-based device that gathers and analyzes information generated by a computer or network. This information is analyzed with the goal of detecting any activity that is unauthorized and suspicious or signs of privileges or access that are being misused. An IDS is essentially a packet sniffer on steroids. A packet sniffer by itself captures traffic; it is up to you to analyze it and look for signs of problems. In the case of an IDS, this capability is extended through the use of rules that allow the IDS to compare the intercepted traffic to known good or bad behavior.

Once an IDS determines that a suspected intrusion has taken place, it then issues an alarm in the form of an email, message, or log file entry that the network administrator will evaluate. Remember that an IDS detects an attack. What it does not do is prevent an attack. If an IDS has detected an attack, it is already occurring.

Before going too far into the topic of IDS, it is necessary to define a few key terms. Each of the following is used to describe the environments and situations in which an IDS is expected to operate and what it is expected to detect:

  • Intrusion—An unauthorized use or access of a system by an individual, a party, or a service. Simply put, an intrusion is any activity that should not be but is occurring on an information system.

  • Misuse—The improper use of privileges or resources within an organization. It is not necessarily malicious in nature, but it is misuse all the same.

  • Intrusion detection—Intrusion detection is the technique of uncovering successful or attempted unauthorized access to an information system.

  • Misuse detection—Misuse detection is the ability to detect misuse of resources or privileges.

When an IDS is in operation, it has three mechanisms it can use to detect an intrusion, with each one offering distinct advantages and disadvantages:

  • Signature recognition—Commonly known as misuse detection, it attempts to detect activities that may be indicative of misuse or intrusions. Signature analysis refers to an IDS that is programmed to identify known attacks occurring in an information system or network. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a Common Gateway Interface (CGI) program attack. Looking for this particular string would allow the IDS to tip off the system owner that an attacker may be trying to pass illegal commands to the server to gain information. Most IDSs are based on signature analysis.

  • Anomaly detection—Anomaly detection is a type of detection that uses a known model of activity in an environment and reports deviations from this model as potential intrusions. The model is generated by the system owner based on knowledge of what is accessed and known behavior on the network. In modern systems, the IDS will be configured to observe traffic in a training mode in which it observes and learns what is normal and what is not on a given network.

When an IDS is configured to use one of these methods, it can respond with an alert using one of several criteria. When the IDS responds, it can be in a positive or negative fashion, but it is not that simple because either response can be true or false. In TABLE 15-1, the responses and their respective characteristics are provided.

TABLE 15-1 IDS response matrix.

  • True positive—An alert was generated in response to an actual intrusion attempt.

  • False positive—An alert was generated in response to a perceived but nonthreatening event.

  • True negative—An alert was not generated because no suspicious activity was detected and none occurred.

  • False negative—An alert was not generated because no suspicious activity was detected, but such activity did occur.
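The following is an added example, not part of the original text, that ties the anomaly detection mechanism to the response matrix above: it builds a per-host model of normal connection rates during a training phase, flags deviations from that model, and then sorts each decision into the true/false positive/negative cells of TABLE 15-1. The hosts, rates, labels and the three-standard-deviation threshold are all constructed for illustration.

```python
"""Anomaly detection with a training mode, scored with the TABLE 15-1
response matrix. Added example, not from the original text; the hosts,
rates and labels are constructed."""
import statistics
from collections import defaultdict

# Constructed training data gathered while the IDS runs in training mode:
# (source host, new connections per minute) observed on a normal network.
TRAINING = [
    ("10.0.0.5", 12), ("10.0.0.5", 14), ("10.0.0.5", 11), ("10.0.0.5", 13),
    ("10.0.0.7", 40), ("10.0.0.7", 38), ("10.0.0.7", 44), ("10.0.0.7", 41),
]

# Constructed events to evaluate: (host, rate, was it really an intrusion?)
EVENTS = [
    ("10.0.0.5", 13, False),   # ordinary traffic
    ("10.0.0.5", 300, True),   # flood-like burst from a known host
    ("10.0.0.7", 45, False),   # slightly busy but inside the model
    ("10.0.0.7", 50, False),   # legitimate backup job, outside the model
    ("10.0.0.9", 10, True),    # host never seen during training
    ("10.0.0.5", 12, True),    # slow probe hiding inside the normal rate
]

def train_baseline(samples):
    """Build the model of normal activity: per-host mean and spread of the rate."""
    per_host = defaultdict(list)
    for host, rate in samples:
        per_host[host].append(rate)
    model = {}
    for host, rates in per_host.items():
        spread = statistics.pstdev(rates) or 1.0   # constant hosts get a unit width
        model[host] = (statistics.mean(rates), spread)
    return model

def is_anomalous(model, host, rate, threshold=3.0):
    """A deviation is an unknown host, or a rate more than `threshold`
    standard deviations away from that host's learned mean."""
    if host not in model:
        return True
    mean, spread = model[host]
    return abs(rate - mean) / spread > threshold

def score(model, labelled, threshold=3.0):
    """Sort each decision into the four cells of the IDS response matrix."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for host, rate, malicious in labelled:
        alerted = is_anomalous(model, host, rate, threshold)
        if alerted and malicious:
            counts["true_positive"] += 1
        elif alerted:
            counts["false_positive"] += 1
        elif malicious:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts

def evaluate():
    """Train on TRAINING, then score the detector against the labelled EVENTS."""
    return score(train_baseline(TRAINING), EVENTS)

if __name__ == "__main__":
    for cell, n in evaluate().items():
        print(f"{cell}: {n}")
```

The two misclassified events are the ones the text warns about: the backup job is a false positive because the baseline was learned before it existed (the model must be refreshed as normal behavior changes), and the slow probe is a false negative because it never leaves the normal rate band, which is why anomaly detection supplements rather than replaces signature analysis.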

It is important to understand the different types of IDSs available. It is necessary for you as a security professional to know what an IDS can detect and where it may be useful and where it is not. Make sure that you understand what activities each IDS is sensitive to because this will determine the proper deployment for each IDS and where you will get the best results:

  • Network-based intrusion detection system (NIDS)—An IDS that fits into this category is one that can detect suspicious activity on a network, such as misuse, or other activities, such as SYN floods, MAC floods, or other similar types of behavior. Network-based intrusion detection system (NIDS) devices monitor the network through the use of a network card that is switched into promiscuous mode and connected to a SPAN (port-mirroring) port on a switch so that all traffic passing through the switch is visible. Indications of network intrusion include the following:

    • Repeated probes of the available services on your machines

    • Connections from unusual locations

    • Repeated logon attempts from remote hosts

    • Arbitrary data in log files, indicating an attempt at creating either a denial of service (DoS) or a crashed service

  • Host-based intrusion detection system (HIDS)—An IDS that fits into this category is one that can monitor activity on a specific host or computer. The ability of the host-based intrusion detection system (HIDS) extends only to what is on the specific host, not on the network. Included in the functionality of this type of IDS is the ability to monitor access, event logs, system usage, and file modifications. These types of IDS can detect the following:

    • Modifications to system software and configuration files

    • Gaps in the system accounting, which indicate that no activity has occurred for a long period of time

    • Unusually slow system performance

    • System crashes or reboots

    • Short or incomplete logs

    • Logs containing strange timestamps

    • Logs with incorrect permissions or ownership

    • Missing logs

    • Abnormal system performance

    • Unfamiliar processes

    • Unusual graphic displays or text messages

  • Log file monitoring—Software in this category is specifically designed to analyze log files and look for specific events or activities. Software of this type can look for anything in log files, from improper file access to failed logon attempts. Log file activity that can be detected can include the following:

    • Failed or successful logons

    • File access

    • Permission changes

    • Privilege use

    • System setting changes

    • Account creation
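As an added example (not from the original text) of log file monitoring, the script below scans a handful of constructed authentication log lines for three of the activities listed above: failed and successful logons and account creation. It keeps a per-source count of failures so that it can raise an alert on repeated logon attempts from a remote host and on a success that follows such a run. The log lines approximate the OpenSSH and useradd formats but are constructed, as are the regular expressions and the threshold of three.

```python
"""Log file monitor for constructed auth-log lines. Added example, not
from the original text; the log, patterns and threshold are constructed."""
import re
from collections import Counter

# Constructed log excerpt (syslog style, approximating sshd and useradd).
LOG = """\
Mar 10 08:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51000 ssh2
Mar 10 08:01:05 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 10 08:01:09 web1 sshd[2211]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Mar 10 08:01:15 web1 sshd[2211]: Accepted password for admin from 203.0.113.9 port 51006 ssh2
Mar 10 08:02:40 web1 useradd[2290]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
Mar 10 08:05:00 web1 sshd[2300]: Accepted publickey for deploy from 10.0.0.20 port 41000 ssh2
"""

# Patterns for the events we care about (constructed to fit the lines above).
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")

def monitor(text, threshold=3):
    """Walk the log once and return a list of alert tuples.

    Failures are counted per source address; the count reaching `threshold`
    raises one alert, and a later successful logon from that same source
    raises another, because a success after a run of failures deserves a
    closer look than either event alone. Account creation is always reported.
    """
    failures = Counter()
    alerts = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["src"]] += 1
            if failures[m["src"]] == threshold:
                alerts.append(("repeated_failed_logon", m["src"]))
            continue
        m = ACCEPTED.search(line)
        if m:
            if failures[m["src"]] >= threshold:
                alerts.append(("success_after_failures", m["src"], m["user"]))
            continue
        m = USERADD.search(line)
        if m:
            alerts.append(("account_created", m["user"]))
    return alerts

if __name__ == "__main__":
    for alert in monitor(LOG):
        print(alert)
```

The deploy user's key-based logon from 10.0.0.20 produces nothing because that source has no failure history; a real deployment would also want to check the source against the "connections from unusual locations" indicator, which requires a list of expected addresses the example does not have.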

  • File integrity checking—Software in this category represents one of the oldest and simplest types of IDS. It looks for changes in files that may indicate an attack or unauthorized behavior. These devices look for modifications in files using techniques such as hashing to uncover changes. One of the oldest IDS systems around, Tripwire, started by using this sort of technique. Here are some indications of file system intrusion:

    • The presence of unfamiliar new files or programs

    • Changes in file permissions

    • Unexplained changes in file size

    • Rogue files on the system that do not correspond to your master list of signed files

    • Unfamiliar filenames in directories

    • Missing files
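The following added example (not code from the original text or from Tripwire) shows the hashing technique in practice. It records a baseline of every file's SHA-256 digest, size and permission bits under a directory, takes a second snapshot later, and reports the indications listed above: new files, missing files, changed content, changed size and changed permissions. It runs entirely inside a temporary directory populated with constructed files; the paths and contents are stand-ins, not real system files.

```python
"""Tripwire-style file integrity check over a constructed directory tree.
Added example, not from the original text; all files are created in a
temporary directory for the demonstration."""
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file's relative path to (sha256, size, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                 # lstat so symlinks are not followed
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Return (finding, path) tuples for every difference between two snapshots."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("new_file", path))
        elif path not in current:
            findings.append(("missing_file", path))
        else:
            (h0, s0, m0), (h1, s1, m1) = baseline[path], current[path]
            if h0 != h1:
                findings.append(("content_changed", path))
            if s0 != s1:
                findings.append(("size_changed", path))
            if m0 != m1:
                findings.append(("permissions_changed", path))
    return findings

def write(root, rel, text):
    """Helper: create a constructed file (and its directories) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    return full

def run_check():
    """Build a baseline, simulate changes, and return what the checker reports."""
    with tempfile.TemporaryDirectory() as root:
        passwd = write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        ls = write(root, "bin/ls", "placeholder for a binary\n")
        hosts = write(root, "etc/hosts", "127.0.0.1 localhost\n")
        os.chmod(passwd, 0o644)
        os.chmod(ls, 0o755)
        baseline = snapshot(root)

        # Simulated changes between the two runs (all constructed):
        write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n"
                                  "backup:x:1005:1005::/home/backup:/bin/sh\n")
        os.chmod(ls, 0o777)                     # binary made world-writable
        os.remove(hosts)                        # file disappeared
        write(root, "tmp/.hidden", "x")         # unfamiliar new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for finding in run_check():
        print(*finding)
```

Storing the baseline next to the files it describes defeats the purpose; Tripwire-style tools keep the database off the monitored host or sign it, because anyone able to alter a monitored file can otherwise alter its recorded hash as well.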

The two main types of IDS discussed here are the HIDS and NIDS because they are the two most commonly encountered in the wild. TABLE 15-2 compares the two to help you understand how they stack up against one another.

TABLE 15-2 NIDS and HIDS features.

  • Best suited for—NIDS: large environments where critical assets on the network need extra observation. HIDS: environments where critical system-level assets need monitoring.

  • Management concerns—NIDS: not an issue in large environments; may incur too much overhead in smaller environments. HIDS: requires specific adjustments and considerations on a system level.

  • Advantage—NIDS: ideal for monitoring sensitive network segments. HIDS: ideal for monitoring specific systems.

IDS Components

An IDS is not one thing—it is a collection of items that come together to make the overall solution. The IDS is formed by a series of components that make an effective solution designed to monitor the network or system for a range of intrusions. If you zoom out a bit, you can see that an IDS is not even centered or resident on a single system; it is distributed across a group of systems, each playing a vital role in monitoring the network.

In the solution that forms an IDS, there are a number of components, each with its own responsibilities. These components are responsible for monitoring for intrusion but also can perform other functions, such as the following:

  • Pattern recognition and pattern matching to known attacks

  • Analysis of traffic for abnormal communication

  • Integrity checking of files

  • Tracking of user and system activity

  • Traffic monitoring

  • Traffic analysis

  • Event log monitoring and analysis

When you move from vendor to vendor, the features that are part of the IDS will vary in scope, capability, and implementation. Some IDSs offer only a subset of the features mentioned here, and others offer substantially more. All IDSs do tend to have the same components no matter which vendor is manufacturing the device.

Components of a NIDS

The most visible component of an IDS is the command console, which represents the component where the network administrator manages and monitors the system. This is where the administrator carries out the day-to-day tasks of monitoring, tuning, and configuring the system to maintain optimal performance. The command console may be accessed from anywhere, or its access may be restricted to a specific system for security purposes.

Working in concert with and monitored by the command console is the network sensor. The network sensor is a discrete software application that runs on a designated device or system as needed. This sensor is essentially the same as a sniffer in that it runs in conjunction with a network card in promiscuous mode. The sensor has the ability to monitor traffic on a specific segment of the network because of the same restrictions that are placed on sniffers. This is why placement of a network sensor is so important: Placement of a sensor on the incorrect network segment could result in a critical segment not being monitored. FIGURE 15-2 illustrates the components of a NIDS.

FIGURE 15-2
Components of a NIDS.

Another mechanism that works with an IDS is a hardware-based device known as a network tap. This device resides on the network and appears physically very similar to a hub or switch, but as part of an IDS it can be of value. A network tap has certain characteristics that make it unique; for example, it has no Internet Protocol (IP) address, it sniffs traffic, and it can be used by an IDS to collect traffic that is used to generate alerts. The main benefit of placing a network tap on the network in conjunction with an IDS, such as a NIDS, is that it will enhance the security and detection capabilities of the system.

An effective and robust alert generation and notification system is required to let the network owner know what is occurring when an attack happens. Alert notification and generation will occur when an event or some activity happens that needs the attention of the security or network administrator. The alerts that are generated can be delivered to the system owner using pop-up alerts, audio alerts, pagers, text messages, and email.

How does an IDS function? The intrusion detection process is a combination of information gathered from several operations. The process is designed to respond to packets sniffed and analyzed. In this example, the information is sniffed from an Ethernet network with a system running the sensor operating in promiscuous mode, sniffing and analyzing packets off of a local segment.

In the following steps, an IDS using a signature-based detection method is used to detect an intrusion and alert the system owner:

  1. A host creates a network packet. At this point nothing is known other than that the packet exists and was sent from a host in the network.

  2. The sensor sniffs the packet off the network segment. This sensor is placed so it can read the packet.

  3. The IDS and the sensor match the packet with known signatures of misuse. When a match is detected, an alert is generated and sent to the command console.

  4. The command console receives and displays the alert, which notifies the security administrator or system owner of the intrusion.

  5. The system owner responds based on the information the IDS provides.

  6. The alert is logged for future analysis and reference. This information can be logged in a local database or in a central location shared by several systems.
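The six steps above, and the "phf" signature example from the discussion of signature recognition, are carried through in the following added example. It is not code from the original text and does not sniff a real interface; the packets are constructed records standing in for what a sensor in promiscuous mode would read, the signature list contains the page's "phf" CGI indicator plus a constructed scanner User-Agent placeholder, and the console is a simple object that receives alerts and keeps the log.

```python
"""Signature-based NIDS pipeline: sensor reads packets, matches them
against signatures, sends alerts to a console, console logs them.
Added example, not from the original text; packets, signatures and the
console are constructed stand-ins."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    """Step 1: a packet as the sensor sees it on the segment (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Signature:
    """A known pattern of misuse, optionally restricted to a destination port."""
    sid: int
    name: str
    port: Optional[int]
    pattern: re.Pattern

SIGNATURES = [
    # The "phf" CGI indicator mentioned in the text, expressed as a pattern
    # over HTTP request lines sent to port 80.
    Signature(1001, "CGI phf request", 80, re.compile(rb"GET\s+\S*/cgi-bin/phf")),
    # Constructed placeholder for a known scanner's User-Agent string.
    Signature(1002, "known scanner user-agent", None,
              re.compile(rb"User-Agent: EXAMPLE-SCANNER")),
]

@dataclass
class Console:
    """Steps 4 and 6: receives each alert and keeps it as the log of record."""
    log: list = field(default_factory=list)

    def receive(self, alert):
        self.log.append(alert)

def sensor(packets, signatures, console):
    """Steps 2 and 3: inspect every packet against every signature and
    forward an alert to the console for each match."""
    for pkt in packets:
        for sig in signatures:
            if sig.port is not None and pkt.dport != sig.port:
                continue                        # signature does not apply to this port
            if sig.pattern.search(pkt.payload):
                console.receive({"sid": sig.sid, "name": sig.name,
                                 "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
    return console.log

def run_pipeline():
    """Run constructed traffic through the pipeline and return the alert log."""
    packets = [
        Packet("10.0.0.5", "10.0.0.80", 80,
               b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
        Packet("198.51.100.4", "10.0.0.80", 80,
               b"GET /cgi-bin/phf HTTP/1.0\r\nHost: www\r\n\r\n"),
        # Same request line on a port the signature does not cover: no alert.
        Packet("198.51.100.4", "10.0.0.80", 8080,
               b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
        Packet("198.51.100.8", "10.0.0.80", 80,
               b"GET / HTTP/1.1\r\nUser-Agent: EXAMPLE-SCANNER/1.0\r\n\r\n"),
    ]
    return sensor(packets, SIGNATURES, Console())

if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The third packet illustrates the sensor placement and tuning points made in the text: a signature only fires where it is told to look, so a service moved to an unexpected port, or a sensor on the wrong segment, leaves the same request unreported. Step 5, the system owner's response, is deliberately outside the code because the IDS only warns.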

Components of a HIDS

A HIDS is designed to monitor the activity on a specific system. Because many vendors offer this type of IDS, the features vary widely, but the basic components are the same.

The first component of a HIDS is the command console, which acts much like its counterpart on the NIDS. This piece of software is the component that the system administrator will spend the most time with. Here, the administrator will configure, monitor, and manage the system as needs change.

The second component in the HIDS is the monitoring agent software. This agent is responsible for monitoring the activities on a system. The agent will be deployed to the target system and monitor activities such as permission usage, changes to system settings, file modifications, and other suspicious activity on the system. FIGURE 15-3 illustrates the components of a HIDS.

FIGURE 15-3
Components of a HIDS.

Setting Goals

When setting up an IDS, it is necessary to define the goals of the system before deploying it into production. As with any technology of this level of complexity, some planning is required to make things work properly and effectively. The first step in ensuring that an IDS is working as it should is to set goals. Two common goals are response capability and accountability.

When an IDS recognizes a threat or other suspicious activity, it must respond in some fashion. The IDS receives the data, analyzes it, and then compares it with known rules or behaviors, and when a match is found, some response must occur. The question you must answer is what this action will be. In this case, it will be an alert.

Responses can include any number of potential actions depending on what your goal may be. Some common responses include sending an alert to the administrator as a text message or email, but this is not the only option. Additionally, the IDS will log the event by placing an entry in a log file for later review and retrieval. In most cases, an organization would choose to place information in a log or event log because it provides additional benefits for the business, including the ability to analyze data historically and plan for expenditures. However, logs are not used only for planning budgets. They are also very useful in determining the effectiveness of security measures. Remember that an IDS detects attacks or suspicious activity after it has already occurred. If it has occurred, it means it has gotten around or passed through security measures unimpeded, in which case you need to know why and how it happened.

Accountability

Having the proper response in place is an important detail to address. Without a response plan in place, the system loses its effectiveness. But this is not the only required element; you must establish accountability too. As part of network security policy, you must define a process in which the source and cause of an attack are identified and investigated. This process is necessary because of the potential need to pursue legal action, not to mention the need for finding out the source and cause of the attack to adjust your defenses to prevent the problem from happening again.

Limitations of an IDS

Although an IDS is capable of performing a number of tasks in the realm of monitoring and alerting system administrators to what is happening on their network, it does have its limitations. You should always be aware of the strengths and weaknesses of the technologies you are working with, and IDSs are no exception. Knowing these limitations will also ensure that you use the technology correctly and that it is addressing the issues it was designed to address.

It Is Not the Only Problem Solver

No matter what you are told by the vendor of a particular IDS, it is not a silver bullet that can solve all your problems. An IDS can only supplement existing security technologies; it cannot bring nirvana to the security of your network. You should expect an IDS to provide the necessary element of verification of how well your network security countermeasures are doing their respective jobs.

You should never expect an IDS to be able to detect and notify you about every event on your network that is suspicious. In fact, it will detect and report only what you tell it to. Also, consider the fact that an IDS is programmed to detect specific types of attacks and because attacks evolve rapidly, an IDS will not detect unfamiliar new attacks. It is not programmed nor designed to do so. Remember, an IDS is a tool that is designed to assist you and is not a substitute for good security skills or due diligence. For example, as a system owner and security professional, you must regularly update the signature database of any IDS under your control that uses this mechanism. Another example is to understand your network and update your model or baseline on what is and is not normal behavior because this will change over time.

Failed Hardware

If the hardware that is supporting the IDS fails and it has the sensor or the command console on it, your IDS may become ineffective or worthless. In fact, if a system that has a network sensor located on it fails, there is no way to gather the information to be analyzed. Also, an IDS cannot inform you of or prevent a hardware failure, so if this event occurs, you will be out of luck. Any serious failure in hardware, network communications, or other areas can wreak havoc with your monitoring capabilities. Planning ahead and implementing mechanisms such as redundant hardware and links is a way to overcome this limitation to prevent the IDS from going offline.

Investigation of an Event

An IDS provides a way of detecting an attack but not a way to deal with it. That is the responsibility of an intrusion prevention system (IPS), which will be discussed later. An IDS is extremely limited as to the actions it can take when an attack or some sort of activity occurs. An IDS observes, compares, and detects the intrusion and will report it; it then becomes your responsibility to follow up. All the system can do is warn you if something isn’t right; it can’t give you the reasons why.

As a security professional, you will have to make it a point to review the IDS logs for suspicious behavior and take the necessary action. You are responsible for the follow-up and action.

Analysis of Information Collected

Information from an IDS can be extensive and generated rapidly, and this data requires careful analysis to ensure that every potentially harmful activity is caught. You will have the task of developing and implementing a plan to analyze the sea of data that will be generated and ensuring that any questionable activity is caught.

Intrusion Prevention Systems

The next step beyond an IDS is an intrusion prevention system (IPS). This is a device that is used to protect systems from attack by using different methods of access control. This system is an IDS with additional abilities that make it possible to protect the network.

IPS devices were originally developed as a way to extend the capabilities that were already present in an IDS. When you look at an IDS in all its forms, you see that it is a passive monitoring device that offers limited response capabilities. An IPS provides the ability to analyze content, application access, and other details to make determinations on access. For example, an IPS can provide additional information that would yield insight into activities on overly active hosts, bad logon activities, access of inappropriate content, and many other Network and Application Layer functions.

Responses that an IPS can use in response to an attack include:

  • Regulating and stopping suspicious traffic

  • Blocking access to systems

  • Locking out misused user accounts

IPSs come in different forms, and each one offers a unique set of abilities:

  • Host-based—IPSs in this category are those that are installed on a specific system or host and monitor the activities that occur there.

  • Network—IPSs that fit into this category are designed to monitor the network and prevent intrusions on a specific host when activity is detected. In practice, these types of IPSs are hardware appliances that are purposely built to carry out their function.
