Chapter 11. Intrusion Detection and Honeypots

...I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image....

—Stephen Hawking

By the end of this chapter, you should know and be able to explain the following:

• The essentials of an intrusion detection system (IDS) and why it is necessary even if you have a firewall

• The difference between an IDS and intrusion prevention system (IPS)

• The difference between a network intrusion detection system (NIDS) and a host intrusion detection system (HIDS)

• How an IDS detects intrusions (that is, attacks) and the potential ways a response can occur

• Some of the potential IDS solutions available today

Answering these key questions will enable you to understand the characteristics and importance of intrusion detection systems in your network’s overall security. By the time you finish this chapter, you should have a solid appreciation for network security, its issues, how it works, and why it is important.

The machines have taken over the world. Check into it if you want, but the truth is that they have taken over, and you simply provide the power to run them. You exist as some kind of power cell and nothing more. (Pretty weird so far, huh?)

Does this sound like some kind of nightmare, or perhaps the plot of a high-end science fiction movie? Take a moment to decide whether the guy in the trench coat and sunglasses is telling you the truth. Are you ready to cross through the looking glass to actually see what’s going on? Are you ready to give up 24 hours of cable TV, media propaganda, chocolate milk, and video games? You decide whether you want the truth. You can’t handle the truth! Or can you?

You wake up and find yourself surrounded by a glass cocoon filled with sticky viscous fluid and discover that you have probes plugged in to your spinal cord. Could this story get any worse?

It can, and it does. You start unplugging the probes one by one. Before you completely realize where you are, creepy spider machines start hovering around you and checking you out (don’t you hate it when that happens?) and smacking you around.

And then...and then.... Go ahead and turn the lights back on; yes, you over there by the light switch—flip the switch. You need to stop for a moment to discuss what in the world, if anything, all this has to do with a chapter on intrusion detection systems (IDS) and honeypots.

Although this scenario is “borrowed” from a popular movie produced in 1999, this story gives you a sneak peek at the basic premise of how an IDS works. IDSs function on three basic premises:

• Where to watch

• What to watch for

• How to react

The first premise, “where to watch,” tells the IDS the logical location it will be monitoring for something to happen. The little story has you as the “where to watch” portion. The evil machine empire has instructed the creepy spider machines to monitor you and make sure that you do not wake up.

The second premise, “what to watch for,” tells the IDS the conditions it is supposed to look for in order to raise an alarm or take some other kind of action. In this case, the creepy spiders were programmed to look for you to wake up and unplug the probes. Back in the old days, all it took was someone waking up to get the creepy spiders going. Things have changed, haven’t they?

The third premise, “how to react,” is the action the IDS has been told to take when a situation meets certain parameters. The creepy spiders were programmed to fly up to your pod and smack you around if you happen to wake up and start monkeying around with your sleep chamber.

Now put all the spiders and sci-fi stuff aside for a minute and take a look at a real-world example of an IDS in action:

1. You install an IDS to watch the Internet connection and those trying to get into your network through your firewall.

2. You tell the IDS what types of hacks and attacks to look for based on their packet and connection type and what activities these might generate.

3. You tell the IDS to page you and send you an email when one of these attacks occurs.

4. A malicious hacker attempts to initiate a port scan that scans the first 1000 TCP ports.

5. The IDS sees the sequential connection attempts to all these ports, checks its database, and sees that this behavior matches the profile you entered that tells it how to recognize a port scan.

6. The IDS reacts to the port scan and based on the responses you’ve set up, it attempts to email you and page you.

7. Suddenly, the port scans increase, and they also come from another source.

8. The IDS also notifies you of this attempt.

Now, assuming that you have properly configured your IDS, it sits and watches your network 24 hours a day, ready to alert you at the first sign of any funny business.

Sounds pretty cool so far, doesn’t it? IDSs have two major flaws:

• They are voyeuristic appliances; in other words, they just watch.

• False positives and complacency can occur.

First, the IDS can watch only one interface at a time, and while it is watching that single interface, it watches only for the conditions you have told it to monitor. If it has not been programmed to watch for the port-scan attack, it will not notify you when one does occur.

Finally, an IDS can actually become an ally to hackers. Impossible, you say? How many times do you still run right out of the house and check your car when you hear the factory-installed alarm go off in the middle of the night? The same “crying wolf” situation can occur with an IDS. If your pager starts filling up with messages sent by the IDS, you start filtering out what you believe to be false positives, and this could lead you to miss the pages that actually mean something.

The secret to successfully configuring and deploying an IDS is tuning. You must deploy the IDS in a lab first, see what normal traffic causes the IDS to alert, and then start “turning down the squelch”—that is, decreasing the IDS’s sensitivity to these conditions. You can also resist the urge to alert on everything that occurs. Most people want to be notified of every little burp that takes place, but this is not realistic. IDSs are not perfect, and they generate false positives from time to time. Now take a real-world look at the essentials behind intrusion detection.
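The port-scan scenario in the numbered list above and the tuning advice in this paragraph can be shown together in a small detector. This is an added example, not code from the book: it replays a constructed connection log (source address, destination port, timestamp) through a sliding-window rule that fires when one source touches many distinct ports, pages once per source rather than once per probe, and exposes the `threshold` and `window` knobs that correspond to “turning down the squelch.” The addresses, timings and the `page_admin` notifier are all assumptions.

```python
from collections import defaultdict, deque

# Constructed connection log: (timestamp_seconds, source_ip, destination_port).
# Addresses come from the documentation ranges; they are sample values, not real hosts.
SCANNER_A, SCANNER_B, WORKSTATION = "203.0.113.5", "203.0.113.9", "198.51.100.7"
SAMPLE_EVENTS = (
    [(10.0 + i * 0.02, SCANNER_A, p) for i, p in enumerate(range(1, 1001))]   # 1000-port sweep
    + [(15.0, WORKSTATION, 22), (15.4, WORKSTATION, 80),                     # ordinary use
       (16.1, WORKSTATION, 443), (18.0, WORKSTATION, 8080)]
    + [(45.0 + i * 0.02, SCANNER_B, p) for i, p in enumerate(range(1, 1001))]  # second source
)

class PortScanDetector:
    """'What to watch for': one source touching many distinct ports inside a sliding window.
    threshold and window are the tuning knobs; raising threshold 'turns down the squelch'."""

    def __init__(self, threshold=20, window=60.0, on_alert=None):
        self.threshold, self.window = threshold, window
        self.on_alert = on_alert or (lambda alert: None)   # 'how to react'
        self._recent = defaultdict(deque)   # src -> deque of (ts, port) still inside the window
        self._alerted = set()               # page once per source, not once per port probed
        self.alerts = []

    def observe(self, ts, src, port):
        q = self._recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            alert = {"src": src, "ports": len(distinct), "first": q[0][0], "last": ts}
            self.alerts.append(alert)
            self.on_alert(alert)
            return alert
        return None

def page_admin(alert):
    # Placeholder for the email/pager response; a real deployment would call a notifier here.
    print(f"ALERT port scan from {alert['src']}: {alert['ports']} ports in "
          f"{alert['last'] - alert['first']:.1f}s")

def run_detector(events, threshold=20, window=60.0):
    """Replay a log through the detector in time order and return the alerts raised."""
    det = PortScanDetector(threshold, window, on_alert=page_admin)
    for ts, src, port in sorted(events):
        det.observe(ts, src, port)
    return det.alerts
```

`run_detector(SAMPLE_EVENTS)` pages for both scanners and stays silent for the workstation, while `run_detector(SAMPLE_EVENTS, threshold=3)` shows the over-sensitive setting flagging the workstation’s four ordinary connections as a false positive.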
