IPkey.com

information security monitoring & management

Information Security Bulletin

September 2003 

Feature Story:
Intrusion Detection & Prevention Systems.

Intrusion Detection Systems (IDS) are frequently misunderstood, even by security experts. In part, that's because the vendors who build IDS hardware and software have different opinions about what it should do. Simply defined, an IDS should first detect, and then log or report, an intrusion. So what constitutes an intrusion? That is the $64,000 question. To explore the answer, let's use the human body as a metaphor.

An IDS protecting your network faces the same challenge as the immune system of the human body: "What's OK vs. what is harmful?" It's a very tricky problem. Now, your network probably has an Internet firewall which only allows certain pre-defined types of data packets from specific sources through, and blocks everything else. In this sense, a firewall is like the human senses of taste and smell. You are not likely to put anything in your body that doesn't smell or taste right. That's the first line of defense, but as exquisitely sensitive as these senses can be, we all know that they are not perfect. We may be able to smell bad food that would make us sick, but we can't smell the bacteria or virus carried on that food.

That's when the immune system kicks in. It may recognize that something bad has entered the body, or it may detect unusual activity such as the rapid replication of a virus. An IDS does the same two things: it looks for unusual patterns of behavior (anomaly detection), and it checks traffic against a list of known attack signatures (the 'bugs' it knows about). Currently there are thousands of signatures an IDS can look for, and new ones come along almost every day.

The metaphor described above is only partially accurate, because the immune system acts on the intrusion instead of just reporting it - it fights back. A pure IDS only reports what is going on; it is a passive observer and has no capability to block traffic. However, when an IDS and a firewall work together, you can engineer an Intrusion Prevention System (IPS). This is the active counterpart, which acts like a digital immune system to stop the infection from spreading. An IPS can use a variety of strategies to stop, deflect or deceive an intrusion, just like human antibodies.

Now what gets confusing is that some marketing people use the terms IDS and IPS interchangeably. Personal firewalls such as Zone Alarm and Black Ice also have IPS features built in. Some IDS products have IPS capabilities, and many firewalls have some basic IPS functions. However, many of these are tacked on and lack the 'memory' of previous events that is required to look for patterns of behavior.

Any IDS/IPS has to have a memory of recent events in order to recognize an intrusion attempt. For example, a port scan is a common reconnaissance step by an attacker looking for open ports. They do this by trying to connect to one port on a public IP address, then another, and then another.

Welcome to the Information Security Bulletin. This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke
ISB Editor
email me your opinions!

Feature Story (continued):
Often this is done sequentially. After seeing a few connection attempts to different ports from the same source within a short time, any decent IDS will determine that a port scan is in progress. It will then report the attempt, and if it is an IPS, will temporarily block all traffic from that IP address. One caveat: automatic blocking keyed on the source address can be turned against you, since an attacker can spoof the address of your DNS server or a business partner in a scan and get it blocked. Keep such blocks short-lived and exempt the addresses you cannot afford to lose.
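The 'memory' the newsletter describes is easy to see in code. The following is an added example, not code from the newsletter or from any IDS product: a small stateful port-scan detector run over a constructed firewall-style log. The log format, addresses, thresholds and the ignore-list option (for your own vulnerability scanner, a common source of the false alarms discussed in Takeaway #3) are all assumptions for illustration.

```python
"""Stateful port-scan detection over constructed connection-attempt log lines.

Added example, not code from the IPkey newsletter. The log format below is an
assumption (a simplified firewall/flow log); a real NIDS reads packets or flow
records, but the correlation logic is the same: remember recent events per
source and alert once one source touches too many distinct ports in a window.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <flag>"
# 198.51.100.7 walks ports sequentially; 192.0.2.44 is a normal web client.
SAMPLE_LOG = """\
2003-09-01T10:00:00 198.51.100.7 -> 203.0.113.10:21 SYN
2003-09-01T10:00:01 198.51.100.7 -> 203.0.113.10:22 SYN
2003-09-01T10:00:01 192.0.2.44 -> 203.0.113.10:80 SYN
2003-09-01T10:00:02 198.51.100.7 -> 203.0.113.10:23 SYN
2003-09-01T10:00:02 198.51.100.7 -> 203.0.113.10:25 SYN
2003-09-01T10:00:03 198.51.100.7 -> 203.0.113.10:80 SYN
2003-09-01T10:00:03 192.0.2.44 -> 203.0.113.10:80 SYN
2003-09-01T10:00:04 198.51.100.7 -> 203.0.113.10:110 SYN
2003-09-01T10:00:05 198.51.100.7 -> 203.0.113.10:143 SYN
2003-09-01T10:05:00 192.0.2.44 -> 203.0.113.10:443 SYN
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) from one constructed log line."""
    ts, src, _arrow, target, _flag = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


class PortScanDetector:
    """Alert when one source hits >= threshold distinct ports on one
    destination within window_seconds. The per-source history is the
    'memory' the newsletter says any IDS/IPS must have."""

    def __init__(self, threshold=5, window_seconds=10, ignore_sources=()):
        self.threshold = threshold
        self.window = window_seconds
        self.ignore = set(ignore_sources)   # e.g. your own vulnerability scanner
        self.history = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
        self.alerted = set()                # (src, dst) pairs already reported

    def observe(self, ts, src, dst, port):
        """Feed one event; return an alert string or None."""
        if src in self.ignore:
            return None
        key = (src, dst)
        q = self.history[key]
        q.append((ts, port))
        # Expire events older than the window so an idle host is forgotten.
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)   # report each scanning pair once
            return f"PORTSCAN {src} -> {dst} ports={sorted(ports)}"
        return None


def scan_log(text, **kwargs):
    """Run the detector over a whole log and return the list of alerts."""
    det = PortScanDetector(**kwargs)
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = det.observe(*parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running it on the sample log yields a single alert for 198.51.100.7 once it has touched five distinct ports within ten seconds; the web client on 192.0.2.44 never triggers, and its earlier connections are forgotten by the time the 10:05 one arrives. Lowering the threshold or shrinking the window changes what counts as a scan, which is exactly the tuning (and the false-alarm chasing) Takeaway #3 warns about.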

At this point, we need to distinguish between two common IDS types: network IDS (NIDS) and host-based IDS (HIDS). The former is what we will be discussing in this ISB, but the latter is certainly useful. A host-based IDS runs on a single computer and 'protects' just that computer, typically by watching its logs, processes and file integrity. It's commonly used on a public server, such as a web server, that is accessible from the Internet. Conversely, NIDS/NIPS watches the traffic on the wire and aims to protect your entire network.

You might expect NIDS/NIPS to be placed on the Internet connection. That makes sense, because traditionally someone on the Internet (outside) wants to get onto your network (inside). However, NIDS has become even more valuable when running on the LAN (internal) side. "But wait," you say, "that doesn't make sense. Why would I want to detect intrusions from my secure, private network going to the Internet?"

There is a good reason, but the term 'intrusion' is no longer really appropriate. A NIDS running inside your network can be very effective at detecting the activity of something bad that did make it in, just like the human immune system we discussed earlier. Attackers now find it much easier to infiltrate your network by planting 'trojans' (remote control agents) on your PCs to do their bidding than to brute-force their way through a firewall. This technique has become so successful because unpatched Windows and Internet Explorer installations are so easy to exploit; tricking your users into visiting an innocent-looking web site is all it takes. Once this happens, the attacker will use that PC to spread to other computers, launch other attacks, communicate back to their 'controller' for new orders, and send confidential files out. All of these activities generate network traffic, and all of them will trigger IDS alerts on a correctly configured system.

Using NIDS on internal interfaces is a wise recognition of a truth that's hard to swallow: it's almost impossible to keep rogue code out of our private networks anymore. We may as well accept that fact and invest some effort in making sure we get an early warning when it happens (IDS) and in trying to stop it from affecting other PCs or transmitting confidential data outside the network (IPS).

Final Thought
If you've been reading your ISBs, you already know that network security is no longer a simple problem with easy answers. You do everything you can to secure the perimeter to stop the bad guys from getting in. Then you do everything you can to make sure your computers are not vulnerable if they do get in. Finally, you must do everything you can to stop it spreading if something does get in and compromises a computer. NIDS is the one tool whose whole job is to let you know when your other security systems have failed to stop an intrusion.

It's the kind of tool our old friend Murphy would trust.

Got Security Policy?
Before you begin to delve into IDS, or even outbound port blocking on your firewall, you should have a clear, written Internet and Computer Use Policy. This becomes the 'rule book' that defines what activity, and what traffic, should be on your network. IDS/IPS requires a high level of integration with other network security systems, especially the firewall. They both operate from a common security policy that defines what's OK vs. what's not. Without a coherent security policy, you will not be able to truly manage your network or make it secure.

ISB Takeaway #1:
You can gain many of the benefits of an IDS by using outbound port blocking on your firewall. Configure it so that only 'normal' ports such as HTTP (80), HTTPS (443) and DNS (53) can leave your network, and report anything else that tries to get out. A workstation that suddenly wants to send SMTP directly or connect to an IRC port is telling you something.
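To make this Takeaway concrete, here is an added example (not code from the newsletter or from any firewall vendor) in which one egress policy drives two things: an offline check of constructed outbound flow records, which is what a LAN-side IDS would report, and the equivalent iptables FORWARD rules for a Linux firewall. The internal addresses, the mail relay exception, the interface names eth0/eth1 and the allowed port list are assumptions for illustration.

```python
"""Outbound (egress) port policy, as Takeaway #1 recommends.

Added example, not code from the IPkey newsletter. The policy below is an
assumption: any internal host may use HTTP, HTTPS and DNS, and only the mail
relay may speak SMTP to the Internet. Everything else is reported (IDS view)
and blocked (firewall view).
"""

# Ports any internal host may reach: (protocol, destination port)
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# Per-host exceptions: only the mail relay (assumed address) may send SMTP
HOST_EXCEPTIONS = {"10.0.0.25": {("tcp", 25)}}

# Constructed outbound flow records: "<src_ip> <proto> <dst_port> <dst_ip>"
# 10.0.0.33 is a workstation behaving like a spam bot with an IRC controller.
SAMPLE_FLOWS = """\
10.0.0.12 tcp 80 203.0.113.10
10.0.0.12 udp 53 10.0.0.1
10.0.0.25 tcp 25 198.51.100.20
10.0.0.33 tcp 25 198.51.100.99
10.0.0.33 tcp 6667 192.0.2.200
10.0.0.41 tcp 443 203.0.113.44
"""


def is_allowed(src, proto, port):
    """Policy decision for one outbound connection."""
    key = (proto, port)
    return key in ALLOWED_EGRESS or key in HOST_EXCEPTIONS.get(src, set())


def report_egress(text):
    """Return one report line per flow the policy would block. This is the
    'report anything else that tries to get out' half of the Takeaway."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, proto, port, dst = line.split()
        if not is_allowed(src, proto, int(port)):
            reports.append(f"EGRESS-DENY {src} {proto}/{port} -> {dst}")
    return reports


def render_iptables(lan_if="eth1", wan_if="eth0"):
    """Emit equivalent iptables FORWARD rules: let replies back in, accept the
    allowed list, then log and drop everything else. Interface names assumed."""
    out = f"iptables -A FORWARD -i {lan_if} -o {wan_if}"
    rules = [
        # Return traffic for connections the LAN side opened
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, keys in sorted(HOST_EXCEPTIONS.items()):
        for proto, port in sorted(keys):
            rules.append(f"{out} -s {src} -p {proto} --dport {port} -j ACCEPT")
    for proto, port in sorted(ALLOWED_EGRESS):
        rules.append(f"{out} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f'{out} -j LOG --log-prefix "EGRESS-DENY "')
    rules.append(f"{out} -j DROP")
    return rules


if __name__ == "__main__":
    for line in report_egress(SAMPLE_FLOWS):
        print(line)
    print()
    print("\n".join(render_iptables()))
```

On the sample flows only the two connections from 10.0.0.33 are reported: direct SMTP from a workstation and a connection to the IRC port, both classic signs of the trojan activity described in the feature story. The LOG rule is what turns the firewall into a crude IDS; on a busy network add a rate limit to it (iptables supports `-m limit --limit 5/min` on a LOG rule) so one infected host cannot flood your logs.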

ISB Takeaway #2:
An IDS/IPS should let you disable specific detection signatures. Sometimes legitimate traffic causes false alarms, and you need to be able to suppress the particular signature, ideally only for the hosts involved rather than globally, so you don't blind yourself to the same attack from elsewhere.

ISB Takeaway #3:
Unless your network is squeaky clean, you will probably start seeing a LOT of events reported. Most of these will be false alarms caused by misconfigured equipment. Be prepared to spend quite some time chasing them down until you know what's really on your network.

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management. IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years. We encourage you to forward the ISB to your co-workers, colleagues and friends. To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available in the IPkey.com ISB Archive.

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:

ISB Reader's Choice!

All contents copyright (C) 2003 Meridian Group Inc.