Spotting mischief

• By Maggie Biggs
• Oct 01, 2001

Some technology managers assume that if they implement intrusion detection, their security woes will be solved. Nothing could be further from the truth. However, when intrusion-detection solutions are deployed along with the other six security layers experts recommend, they form a security system that will leave agencies well prepared to combat attacks on or misuse of computing resources.

The most effective security models combine the following layers:

* A regularly updated security policy.

* Security tools tailored to user devices and servers.

* Scheduled security audits.

* Router-based security measures.

* Firewalls.

* Intrusion detection in real time or near-real time.

* A strategy for responding to incidents.

Intrusion-detection technology is still evolving, but it has improved greatly in the past several years. Two types of intrusion detection are currently available: network-based and host-based.

Network-based solutions monitor traffic as it traverses your network. Sensor software or hardware sensors—usually called security appliances —are installed in your network. They examine data packets that cross your network and look for matches against signatures or rules, which are definitions of known types of intrusions.

As with other parts of the security process, you'll need to keep your signature or rules files updated regularly. Network packets are usually scanned for unusual data strings, port accesses or suspicious header information.

Host-based intrusion detection involves loading one or more pieces of software on a server that will be monitored. The software performs a variety of functions, including monitoring communication traffic on the host, verifying the integrity of system files and keeping an eye out for suspicious system processes.

There are two categories of host-based intrusion-detection solutions. TCPWrappers are useful for examining all packets that try to access the host, as well as connection or log-in attempts. Agent-based software, on the other hand, helps you monitor accesses and changes to system files and changes in security privileges.

Whether network-based or host-based, intrusion-detection solutions usually employ one of two modes of operation. Most solutions are said to be "knowledge-based," which means they use the latest information—provided you keep your signatures or rules files updated—to detect and deflect suspicious or malicious activity.

A newer breed of solutions is beginning to use a "behavior-based" approach. They "learn" the accepted behavior of systems and users and can quickly identify new threats as they arise. However, system administrators must be savvy enough to recognize normal and abnormal behavior because, during its learning phase, the solution will produce a number of alarms and the administrator's responses will help define legitimate user behavior.

You'll likely want to use a combination of network-based and host-based intrusion detection to get the best coverage, but you don't need to spend significant sums of money.

Network-Based Solutions

Most network-based intrusion-detection solutions monitor network traffic in real time. The ones we tested that were real time did not impede performance on the network. In addition, some network-based intrusion-detection solutions allow you to monitor in near-real time by pulling snapshots of traffic at defined intervals.

Cisco Systems Inc. offers a combination hardware and software solution to monitor network packets in real time. Retail pricing starts at $6,120. The hardware portion consists of a security appliance (sensor) that is installed on the network. There are two appliance models—the IDS 4210 and the 4230. The former is optimized for 45 megabits/sec networks and is ideal for T1, T3 and Ethernet settings. The latter is better suited to Fast Ethernet settings and is optimized for 100 megabits/sec networks.

Data captured by the security appliances is managed through a software-based console. The company also offers a subscription service called Active Update, so that customers can keep their signature files up-to-date.

The open-source community also offers useful intrusion-detection solutions. One of these is called Snort (www.snort.org); we found it marvelously easy to set up and use. Like the Cisco solution, Snort's real-time monitoring did not slow network performance.

Snort supports a variety of platforms, including Linux and Windows. We decided to try it on one network segment on a Linux system and on another network segment on a Windows machine.

Aside from Snort itself, we had to download the latest rules file (updated every 30 minutes, according to the Snort site), Apache Software Foundation Web server, a PHP Hypertext Preprocessor, mySQL AB's mySQL database and the Analysis Console for Intrusion Data.bases (ACID). Snort, together with mySQL, monitors and records network traffic looking for misuse or malicious activity. Apache, PHP and ACID form a browser-accessible front end that an administrator uses to manage the solution.

The installation was straightforward and took less than three hours. Once running, Snort quickly picked up any malicious activity we threw at it, such as port scans. We chose to use Snort with Apache Web server, but it can also be installed with other Web servers that support PHP.

Agencies looking for a hybrid solution might want to investigate Internet Security Systems Inc.'s RealSecure (www.iss.net). This software-based solution combines network-based and host-based intrusion monitoring in a single product and starts at $8,995.

The only real drawback to RealSecure is that its management interface is limited to Microsoft Corp. Windows 2000 and Windows NT, which could pose a problem for Unix-based agencies.

NFR Security Inc.'s Network Intrusion Detection (www.nfr.com) has two flavors: NID-200, starting at $12,500, and NID-100, starting at $4,500. NID-200 is a security appliance that compares favorably to Cisco's IDS appliances and is useful for higher-end network settings. Its counterpart—NID-100 —is a software-based intrusion-detection solution suitable for smaller agencies.

Unix- or Linux-based agencies might also examine another network-based intrusion-detection solution maintained by Naval Surface Warfare Center, Dahl.gren Division (www.nswc.navy.mil/ISSEC/CID). Known as SHADOW, this intrusion-detection solution monitors your network in near-real time. Like Snort, SHADOW relies on software-based sensors on your network and uses the Apache Web server to display its management interface.

We found that SHADOW took a bit longer to set up than Snort, mainly because the instructions were not as detailed. We were able to install both the sensor and the analyzing software after a time, and we liked the results. But we'd recommend this solution only for those with experienced Unix or Linux administrators on hand.

Host-Based Solutions

Agencies have even more intrusion- detection options when it comes to host-based monitoring. If you run Unix, Linux or BSD platforms, your systems likely have one or more intrusion-detection tools included. Additionally, you might examine one or more "trusted" operating system versions, such as Sun Microsystems Inc.'s Trusted Solaris, because these versions include many added security features that deter unauthorized access.

Aside from the tools available with the host system software, there are several free and fee-based intrusion-detection solutions to choose from. Entercept Security Technologies (www.entercept.com) offers a unique host-based intrusion-detection solution.

Unlike some solutions, Entercept includes support for monitoring system and application program interface calls before they reach the server's operating system. This low-level approach is good for deterring would-be attackers or those seeking unauthorized access. Entercept costs $4,995 per server and $995 per agent.

We also found the open-source Linux Intrusion Detection System (LIDS) (www.lids.org) quite easy to install and a useful addition to our systems running Version 2.2 or 2.4 of the Linux kernel. LIDS offers mandatory access controls, file protection, a port scan detector and process protection.

There are other useful open-source tools, such as FCheck, which can monitor Unix or Windows files, directories or file systems. Another tool is Advanced Intrusion Detection Environment (AIDE), which also checks Unix file integrity, and Swatch, which monitors system log files for suspicious activity. Swatch runs on any platform that is O'Reilly and Associates Inc.'s Perl 5-capable.

Tripwire Inc., one of the first intrusion-detection providers, offers a commercial product (www.tripwire.com) and an open-source one (www.tripwire.org) for Linux platforms. Both the commercial product, which starts at $595, and the open-source one monitor file changes, verify integrity and notify administrators if anything is detected.

Another useful commercial solution is Symantec Corp.'s Intruder Alert. It monitors hosts, applications and data for unauthorized activity, and unlike some other solutions, it can take precautionary measures based on settings defined by the administrator.

Biggs has more than 15 years of business and IT experience in the financial sector.