Nowhere to hide
- By Earl Greer, Vincil Bishop
- Apr 12, 2004
In Texas, we have a saying that even a blind hog finds an acorn now and then. The saying applies to unpleasant experiences in identifying network attacks, such as when a user discovers an intrusion only because the hacker carelessly left a window open. As difficult as these network hacks are to find, the threat of undetected attacks is more disturbing.
StealthWatch+Therminator, developed by Atlanta-based Lancope Inc., is an intrusion-detection appliance designed to catch sneaky intruders, no matter how well they hide their activities. The unit comes in the form of a standard, rackmount PC running a hardened Linux operating system.
StealthWatch passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognized traffic. StealthWatch can tell what is normal by gathering baseline statistics, typically compiled over a two-week period after installation. Using complex algorithms and network heuristics, StealthWatch can rate suspicious events according to a concern index that shows how unusual or serious the event might be.
For example, say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music.
Because StealthWatch relies on baseline comparisons and algorithms, as opposed to downloaded signatures, it can catch penetration attempts for which signatures don't yet exist or penetrations that can't be detected by signatures.
Because StealthWatch examines traffic, it must be installed where it can observe network activity. In a switched Ethernet environment, a good spot for StealthWatch is a Switched Port Analyzer (SPAN) port, which receives a copy of the traffic passing through the switch's other ports.
In a large environment, you will need several StealthWatch units, each placed at key points throughout the network. Lancope provides a StealthWatch Management Console, allowing you to control the units from your Web browser.
Typically, you place the first port on the first StealthWatch unit on your Internet gateway. This port will listen to outside traffic, while the second port might listen to your server data farm. Still a third port could be set to listen to a subnetwork of workstations. On large installations, you probably can't catch every packet crossing the network, but if the units are well positioned it should be difficult for an intruder to circumvent detection.
To get a feel for what StealthWatch reports, we decided to generate malicious traffic and watch the product react.
We pointed our Linux Nessus vulnerability scanner toward a Microsoft Corp. Windows 2000 file server and commanded our demon of daemons to try every hack in the book on the unsuspecting Microsoft box.
While the attack was in progress, we logged in to the StealthWatch Web interface on a Secure Sockets Layer encrypted session. We navigated to the Security menu of the application to see if StealthWatch detected anything suspicious — and did it ever! StealthWatch reported a constant stream of concerns, detailing specific services and ports that the attack involved.
The Nessus scan that we were performing generated reports of hundreds of abnormal events on the network. And StealthWatch quickly identified our Nessus server as the culprit of the attacks.
To put StealthWatch to a tougher test, we decided to see if it could detect more fiendishly subtle violations of company network policy. We loaded a popular peer-to-peer file-sharing program on our Windows XP workstation and left StealthWatch running to monitor our traffic.
After a few minutes of scanning for our favorite Grateful Dead bootlegs, we checked back with StealthWatch to see what it found. Although StealthWatch did not explicitly tell us that a file-sharing program was in use, it did create a concern index and reported that our XP workstation was scanning the network and searching for peers with whom to share files.
Be aware that although StealthWatch presents a large amount of information in an easy-to-read format, the operator of the program must possess a fair amount of network knowledge. The product presents information in a concern index, and if you want specific information about a concern, you are given the affected TCP/UDP port numbers with their corresponding protocols. Although this made perfect sense to us, it would be gibberish to anyone not trained in protocol analysis.
Our testing thus far was with the default StealthWatch configuration. But the default configuration doesn't even touch StealthWatch's real power. The product's value comes with the ability to define network policies that mirror the way your network works.
StealthWatch can determine what is normal on your network in two ways. The first is by configuring network policies and specifying what protocols are allowed for hosts in certain defined zones.
The second way is by using StealthWatch's proprietary heuristic algorithms. When you first install StealthWatch, you usually configure it in learning mode. In this mode, it accumulates statistics about normal network traffic. After you take the unit out of learning mode, it has the historical information to determine if a particular network event is sufficiently unusual to report to the security administrator.
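To make the two approaches concrete (the learned baseline and concern index described earlier, and the zone policies and learning mode described here), the following Python sketch replays the article's own scenarios on constructed traffic: a Web server that has only ever answered on TCP port 80 suddenly answers FTP, and a workstation fans out to many peers on one port. This is an added illustration written for this article, not Lancope's proprietary code; the zone policy, point values, scan threshold, addresses and port numbers are all assumptions chosen for the example.

```python
"""Toy baseline-plus-policy anomaly scoring (added illustration, not Lancope's code).

The data structures, thresholds and point values are assumptions made for
this example; a real product's heuristics are far richer than this.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str      # source host address
    dst: str      # destination host address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, i.e. the service being contacted


# Hypothetical zone policy: zone name -> (address block, services that hosts
# in the zone are allowed to serve). Hosts outside every zone are unconstrained.
ZONE_POLICY = {
    "servers": (ipaddress.ip_network("10.0.1.0/24"), {("tcp", 80), ("tcp", 443)}),
}

# Assumed concern-index point values, chosen for the example only.
POLICY_POINTS = 10       # service not allowed by the destination's zone policy
NEW_SERVICE_POINTS = 5   # a baselined host starts answering on a service it never served
SCAN_POINTS = 25         # one source touches many distinct (host, port) pairs


class BaselineDetector:
    def __init__(self, scan_threshold=20):
        self.learning = True                # start in learning mode, as the article describes
        self.served = defaultdict(set)      # host -> services it was seen serving during learning
        self.peers = defaultdict(set)       # src -> distinct (dst, dport) pairs contacted after learning
        self.concern = defaultdict(int)     # src -> accumulated concern index
        self.scan_threshold = scan_threshold

    def end_learning(self):
        self.learning = False

    @staticmethod
    def zone_of(host):
        addr = ipaddress.ip_address(host)
        for name, (block, _) in ZONE_POLICY.items():
            if addr in block:
                return name
        return None

    def observe(self, flow):
        """Score one flow; return the list of (points, reason) it raised."""
        service = (flow.proto, flow.dport)
        if self.learning:
            # Learning mode: only record what each host is seen to serve.
            self.served[flow.dst].add(service)
            return []

        raised = []
        # 1. Explicit policy: is this service allowed in the destination's zone?
        zone = self.zone_of(flow.dst)
        if zone is not None and service not in ZONE_POLICY[zone][1]:
            raised.append((POLICY_POINTS,
                           f"{flow.dst} serving {flow.proto}/{flow.dport} is not allowed in zone '{zone}'"))
        # 2. Learned baseline: a new service on a host we have a history for?
        if flow.dst in self.served and service not in self.served[flow.dst]:
            raised.append((NEW_SERVICE_POINTS,
                           f"{flow.dst} never served {flow.proto}/{flow.dport} during learning"))
        # 3. Scan heuristic: one source fanning out to many distinct host/port pairs.
        self.peers[flow.src].add((flow.dst, flow.dport))
        if len(self.peers[flow.src]) == self.scan_threshold:
            raised.append((SCAN_POINTS,
                           f"{flow.src} has contacted {self.scan_threshold} distinct host/port pairs"))

        for points, _ in raised:
            self.concern[flow.src] += points
        return raised

    def ranking(self):
        """Sources ordered by concern index, highest first."""
        return sorted(self.concern.items(), key=lambda kv: kv[1], reverse=True)


def demo():
    """Replay the article's two scenarios on constructed traffic."""
    det = BaselineDetector(scan_threshold=20)
    # Learning period: the Web server 10.0.1.5 only ever answers on tcp/80.
    for i in range(50):
        det.observe(Flow(f"10.0.2.{i % 20 + 1}", "10.0.1.5", "tcp", 80))
    det.end_learning()
    # Scenario 1: the Web server suddenly starts answering FTP requests.
    ftp = det.observe(Flow("10.0.2.7", "10.0.1.5", "tcp", 21))
    # Scenario 2: a workstation searches a subnet for peers on one arbitrary port.
    scan = []
    for i in range(20):
        scan += det.observe(Flow("10.0.2.9", f"10.0.3.{i + 1}", "tcp", 6346))
    return det, ftp, scan


if __name__ == "__main__":
    det, ftp, scan = demo()
    for points, reason in ftp + scan:
        print(f"+{points:>2}  {reason}")
    print("concern ranking:", det.ranking())
```

The FTP flow is flagged twice, once by the explicit zone policy and once by the learned baseline, which is why the article stresses that policies mirroring how your network actually works add value beyond the default learning mode: a policy catches the violation on day one, while the baseline only catches it once a history exists. The scan heuristic, like the article's peer-to-peer test, does not name the program; it only reports that one source is touching far more peers than normal.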
What we liked
We like the fact that the system stands alone and requires no contact with hosts outside the network. For high-security installations, this is an important consideration.
We like Lancope's choice to run a standard hardened Linux kernel on standard server hardware. We feel these decisions contribute to the stability and resilience of the product.
We like the appliance-style approach that Lancope applies to this product. Even when we logged directly into the server's console, we were not presented with a command prompt. Rather, we were given the opportunity to choose by number such functions as Edit IP Settings, Change Host Name and Add Trusted Host. As we were installing the product, we kept the manual close by, fully expecting to wade through a complicated and cryptic Linux command line configuration. To our surprise, upon logging into StealthWatch, we were presented with only a few choices. We didn't even need the manual to assign the system an IP address and add trusted hosts. We give big points to Lancope for ease of setup.
Finally, StealthWatch is nonintrusive and only listens to traffic on your network. If the unit happens to fail, there will be no impact on your network traffic.
What we would like to see
Although this product is not perfect, we offer little criticism. The system carries the same drawbacks as other intrusion-detection systems: It has a limited network view, is expensive to deploy and provides cryptic information. But until someone circumvents the physical laws of the network, these drawbacks and limitations will be present in all intrusion-detection systems worth their salt. If information derived from protocol analysis doesn't appear cryptic, then the product probably isn't telling you anything useful.
We would like to see some sort of interface between StealthWatch and a firewall that would trigger the firewall to block malicious traffic. StealthWatch only reports concerns. We feel that Lancope may have serious competition if some firewall vendor also offers a corresponding intrusion-detection unit that would drop malicious traffic.
Overall, we give this system high marks. After examining the system's components, we are confident that StealthWatch is capable of providing years of service in an ever-changing network environment.
Even considering probable future growth in network technologies, it is hard for us to imagine any attack method that StealthWatch would not detect.
Greer is a network analyst at a large Texas state agency. Bishop operates PeoplesInformation.com, an Internet consulting firm. They can be reached at firstname.lastname@example.org.
Lancope Inc.'s StealthWatch+Therminator offers three basic types of tools to detect intruders:
Visualization tools. StealthWatch analyzes and displays the patterns of change that occur as traffic flows back and forth across the network among user-defined groups of network devices. The solution generates graphs that highlight potential intrusions.
Event logs. StealthWatch maintains a log of the underlying network activity reflected in the graphs. The two tools are nicely integrated, so that with one mouse click, users can access log details of suspicious events.
Advanced flow logs and packet analysis. The event logs are also correlated with host-level activity and underlying packet details that can be examined more closely using advanced flow logs and packet analysis.
Source: Lancope Inc.