Spotting mischief
- By Maggie Biggs
- Oct 01, 2001
Some technology managers assume that if they implement intrusion detection,
their security woes will be solved. Nothing could be further from the truth.
However, when intrusion-detection solutions are deployed along with the
other six security layers experts recommend, they form a security system
that will leave agencies well prepared to combat attacks on or misuse of
computing resources.
The most effective security models combine the following layers:
* A regularly updated security policy.
* Security tools tailored to user devices and servers.
* Scheduled security audits.
* Router-based security measures.
* Firewalls.
* Intrusion detection in real time or near-real time.
* A strategy for responding to incidents.
Intrusion-detection technology is still evolving, but it has improved
greatly in the past several years. Two types of intrusion detection are
currently available: network-based and host-based.
Network-based solutions monitor traffic as it traverses your network.
Software sensors or hardware sensors (usually called security appliances)
are installed in your network. They examine data packets that cross the
network and look for matches against signatures or rules, which are definitions
of known types of intrusions. On a switched network a sensor sees only the
traffic delivered to its own port, so it must sit on a mirrored (SPAN) port
or a network tap to see a whole segment.
As with other parts of the security process, you'll need to keep your
signature or rules files updated regularly; a signature-based sensor can
only detect attacks for which it has a signature. Network packets are usually
scanned for unusual data strings, port accesses or suspicious header information.
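As an added illustration (not code from the article or from any product it reviews), the following Python script shows the signature-matching idea in miniature. It parses two rules written in a small subset of Snort's rule syntax (the msg, content and flags options only), runs them over a handful of constructed packets, and separately applies a signature-free port-scan heuristic of the kind the text alludes to. The rules, addresses, payloads and the Packet/Rule classes are all invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


# Constructed packet representation; a real sensor decodes these fields from the wire.
@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    flags: str = ""  # TCP flag letters as Snort writes them: "S" (SYN), "SF" (SYN+FIN), "PA" ...


@dataclass
class Rule:
    proto: str
    dport: str                # "any" or a port number as text
    msg: str
    content: Optional[bytes]  # byte string that must appear in the payload
    flags: Optional[str]      # exact TCP flag set that must be present


# Header grammar shared with Snort: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(line: str) -> Rule:
    """Parse the subset of Snort rule syntax used here: msg, content and flags options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    proto, _src, _sport, _dst, dport, opts = m.groups()
    msg, content, flags = "", None, None
    # Options are ';'-separated; this toy parser assumes no ';' inside quoted values.
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            content = val.encode()
        elif key == "flags":
            flags = val
    return Rule(proto, dport, msg, content, flags)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Port, payload string and header flags are the three checks the text describes."""
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False
    return True


def scan(rules, packets):
    """Return (msg, src, dst, dport) for every packet/rule match, in packet order."""
    return [(r.msg, p.src, p.dst, p.dport) for p in packets for r in rules if rule_matches(r, p)]


def detect_port_scans(packets, threshold: int = 5):
    """Signature-free heuristic: one source touching more than `threshold` distinct ports on a host."""
    seen = defaultdict(set)
    for p in packets:
        seen[(p.src, p.dst)].add(p.dport)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) > threshold}


# Constructed rules and traffic (not from any real rule set or capture).
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB traversal attempt"; content:"../../etc/passwd";)',
    'alert tcp any any -> any any (msg:"SCAN SYN FIN"; flags:SF;)',
]
PACKETS = [
    Packet("10.0.0.5", 40001, "10.0.0.10", 80, b"GET /index.html HTTP/1.0\r\n", "S"),
    Packet("10.0.0.5", 40002, "10.0.0.10", 80, b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.0\r\n", "PA"),
    Packet("192.0.2.7", 1234, "10.0.0.10", 22, b"", "SF"),
] + [Packet("192.0.2.7", 1234, "10.0.0.10", port, b"", "S") for port in range(20, 27)]

if __name__ == "__main__":
    for alert in scan([parse_rule(r) for r in RULES], PACKETS):
        print("ALERT", *alert)
    for (src, dst), ports in detect_port_scans(PACKETS).items():
        print(f"PORTSCAN {src} -> {dst} ports {ports}")
```

The first rule fires only on the packet whose payload carries the traversal string; the SYN+FIN rule matches on header flags alone, which is why real rule sets pair header checks with content checks to keep false positives down. The port-scan detector finds the same source without any signature, which is the gap that the behavior-based products discussed later try to close more generally.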
Host-based intrusion detection involves loading one or more pieces of
software on a server that will be monitored. The software performs a variety
of functions, including monitoring communication traffic on the host, verifying
the integrity of system files and keeping an eye out for suspicious system
processes.
There are two categories of host-based intrusion-detection solutions.
TCP Wrappers sit in front of network services and check each connection
or log-in attempt against host access rules (hosts.allow and hosts.deny),
logging what was accepted or refused. Agent-based software, on the other
hand, helps you monitor accesses and changes to system files and changes
in security privileges.
Whether network-based or host-based, intrusion-detection solutions usually
employ one of two modes of operation. Most solutions are said to be "knowledge-based,"
which means they detect suspicious or malicious activity by matching it
against known attack patterns; that knowledge is only as current as your
signature or rules files, so keep them updated.
A newer breed of solutions is beginning to use a "behavior-based" approach.
They "learn" the accepted behavior of systems and users and flag deviations
from it, which lets them identify new threats for which no signature exists.
However, system administrators must be savvy enough to recognize normal
and abnormal behavior because, during its learning phase, the solution will
produce a number of alarms, and the administrator's responses to those alarms
help define what counts as legitimate user behavior.
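The learning phase described above, as an added example that is not part of the original article or of any reviewed product: a per-user profile learned from constructed session records, an anomaly score that says why an event looks abnormal, and a review step through which an administrator's decision that an alarm was legitimate feeds back into the baseline. The users, hours, byte counts and the three-standard-deviation limit are invented for the example.

```python
import statistics
from collections import defaultdict

# Constructed "learning phase" records: (user, hour of day, bytes transferred per session).
TRAINING = [
    ("alice", 9, 1200), ("alice", 10, 900), ("alice", 11, 1500),
    ("alice", 14, 1100), ("alice", 16, 1300), ("alice", 9, 1000),
    ("bob", 8, 5000), ("bob", 9, 5200), ("bob", 13, 4800),
    ("bob", 17, 5100), ("bob", 18, 4900),
]


class BehaviorProfile:
    """Per-user baseline of when sessions happen and how much data they move."""

    def __init__(self, z_limit: float = 3.0):
        self.hours = defaultdict(set)    # user -> hours of day seen during learning
        self.sizes = defaultdict(list)   # user -> session sizes seen during learning
        self.z_limit = z_limit           # how many standard deviations count as abnormal

    def learn(self, user: str, hour: int, nbytes: int) -> None:
        self.hours[user].add(hour)
        self.sizes[user].append(nbytes)

    def score(self, user: str, hour: int, nbytes: int) -> list:
        """Return the reasons an event deviates from the profile; an empty list means normal."""
        if user not in self.hours:
            return [f"no profile for user {user}"]
        reasons = []
        if hour not in self.hours[user]:
            reasons.append(f"hour {hour:02d} outside learned hours for {user}")
        sizes = self.sizes[user]
        # With fewer than two samples there is no spread to measure; the learning phase
        # has to run long enough for this check to mean anything.
        if len(sizes) >= 2:
            mean, sd = statistics.fmean(sizes), statistics.pstdev(sizes)
            if sd > 0 and abs(nbytes - mean) > self.z_limit * sd:
                z = (nbytes - mean) / sd
                reasons.append(f"{nbytes} bytes is {z:+.1f} standard deviations from {user}'s mean")
        return reasons


def build_profile(records) -> BehaviorProfile:
    profile = BehaviorProfile()
    for user, hour, nbytes in records:
        profile.learn(user, hour, nbytes)
    return profile


def review(profile: BehaviorProfile, user: str, hour: int, nbytes: int, legitimate: bool) -> list:
    """Administrator's response to an alarm: an event judged legitimate is folded into the baseline."""
    reasons = profile.score(user, hour, nbytes)
    if reasons and legitimate:
        profile.learn(user, hour, nbytes)
    return reasons


if __name__ == "__main__":
    p = build_profile(TRAINING)
    for event in [("alice", 10, 1400), ("alice", 3, 50000), ("mallory", 12, 10)]:
        print(event, p.score(*event) or "normal")
```

Note the trade-off the text warns about: every event an administrator accepts during review widens the baseline, so an attacker who is active during the learning phase, or an administrator who accepts alarms carelessly, teaches the system that the attack is normal.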
You'll likely want to use a combination of network-based and host-based
intrusion detection to get the best coverage, but you don't need to spend
significant sums of money.
Network-Based Solutions
Most network-based intrusion-detection solutions monitor network traffic
in real time. The ones we tested that were real time did not impede performance
on the network. In addition, some network-based intrusion-detection solutions
allow you to monitor in near-real time by pulling snapshots of traffic at
defined intervals.
Cisco Systems Inc. offers a combination hardware and software solution
to monitor network packets in real time. Retail pricing starts at $6,120.
The hardware portion consists of a security appliance (sensor) that is installed
on the network. There are two appliance models, the IDS 4210 and the IDS 4230.
The former is optimized for 45 megabits/sec networks and is ideal for T1,
T3 and Ethernet settings. The latter is better suited to Fast Ethernet settings
and is optimized for 100 megabits/sec networks.
Data captured by the security appliances is managed through a software-based
console. The company also offers a subscription service called Active Update,
so that customers can keep their signature files up-to-date.
The open-source community also offers useful intrusion-detection solutions.
One of these is called Snort (www.snort.org); we found it marvelously easy
to set up and use. Like the Cisco solution, Snort's real-time monitoring
did not slow network performance.
Snort supports a variety of platforms, including Linux and Windows.
We decided to try it on one network segment on a Linux system and on another
network segment on a Windows machine.
Aside from Snort itself, we had to download the latest rules file (updated
every 30 minutes, according to the Snort site), the Apache Software Foundation's
Web server, PHP (the PHP Hypertext Preprocessor), MySQL AB's MySQL database
and the Analysis Console for Intrusion Databases (ACID). Snort monitors
network traffic looking for misuse or malicious activity and records its
alerts in the MySQL database. Apache, PHP and ACID form a browser-accessible
front end that an administrator uses to review those alerts and manage the
solution.
The installation was straightforward and took less than three hours.
Once running, Snort quickly picked up any malicious activity we threw at
it, such as port scans. We chose to use Snort with Apache Web server, but
it can also be installed with other Web servers that support PHP.
Agencies looking for a hybrid solution might want to investigate Internet
Security Systems Inc.'s RealSecure (www.iss.net). This software-based solution combines network-based and host-based intrusion monitoring in a single product and starts at $8,995.
The only real drawback to RealSecure is that its management interface
is limited to Microsoft Corp. Windows 2000 and Windows NT, which could pose
a problem for Unix-based agencies.
NFR Security Inc.'s Network Intrusion Detection (www.nfr.com) has two
flavors: NID-200, starting at $12,500, and NID-100, starting at $4,500.
NID-200 is a security appliance that compares favorably to Cisco's IDS appliances
and is useful for higher-end network settings. Its counterpart, NID-100,
is a software-based intrusion-detection solution suitable for smaller
agencies.
Unix- or Linux-based agencies might also examine another network-based
intrusion-detection solution maintained by Naval Surface Warfare Center,
Dahlgren Division (www.nswc.navy.mil/ISSEC/CID). Known as SHADOW, this
intrusion-detection solution monitors your network in near-real time. Like
Snort, SHADOW relies on software-based sensors on your network and uses
the Apache Web server to display its management interface.
We found that SHADOW took a bit longer to set up than Snort, mainly
because the instructions were not as detailed. We were able to install both
the sensor and the analyzing software after a time, and we liked the results.
But we'd recommend this solution only for those with experienced Unix or
Linux administrators on hand.
Host-Based Solutions
Agencies have even more intrusion-detection options when it comes to
host-based monitoring. If you run Unix, Linux or BSD platforms, your systems
likely have one or more intrusion-detection tools included. Additionally,
you might examine one or more "trusted" operating system versions, such
as Sun Microsystems Inc.'s Trusted Solaris, because these versions include
many added security features that deter unauthorized access.
Aside from the tools available with the host system software, there
are several free and fee-based intrusion-detection solutions to choose from.
Entercept Security Technologies (www.entercept.com) offers a unique host-based
intrusion-detection solution.
Unlike some solutions, Entercept intercepts system and application programming
interface calls before the server's operating system acts on them. Working
at that level lets it block an attack or unauthorized access attempt before
it succeeds rather than only reporting it afterward. Entercept costs $4,995
per server and $995 per agent.
We also found the open-source Linux Intrusion Detection System (LIDS)
(www.lids.org) quite easy to install and a useful addition to our systems
running Version 2.2 or 2.4 of the Linux kernel. LIDS offers mandatory access
controls, file protection, a port scan detector and process protection.
There are other useful open-source tools, such as FCheck, which can
monitor Unix or Windows files, directories or file systems for changes.
Another is the Advanced Intrusion Detection Environment (AIDE), which also
checks Unix file integrity, and Swatch, which watches system log files for
patterns of suspicious activity. Swatch is written in Perl and runs on any
platform with Perl 5 available.
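A Swatch-style log watcher in Python, added here as an example and not taken from Swatch, the article or any reviewed product: each entry in the watch list pairs a regular expression with either an immediate alert or a threshold that must be reached by the same key (here the source address or user) inside a time window, which is how repeated log-in failures become one brute-force alert instead of a line-by-line flood. The syslog excerpt is constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog excerpt (made up for this example, not a real log).
LOG = """\
Oct  1 03:14:01 gw sshd[812]: Failed password for root from 192.0.2.44 port 4021 ssh2
Oct  1 03:14:03 gw sshd[813]: Failed password for root from 192.0.2.44 port 4022 ssh2
Oct  1 03:14:05 gw sshd[814]: Failed password for root from 192.0.2.44 port 4023 ssh2
Oct  1 03:14:08 gw sshd[815]: Failed password for admin from 192.0.2.44 port 4024 ssh2
Oct  1 03:14:09 gw sshd[816]: Accepted password for root from 192.0.2.44 port 4025 ssh2
Oct  1 03:20:00 gw su[900]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Oct  1 04:00:00 gw cron[1000]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Watch list in the spirit of a Swatch configuration: a pattern, and either an immediate
# alert or one raised only when `threshold` hits share a key within `window` seconds.
WATCH = [
    {"name": "ssh brute force", "pattern": r"Failed password for \S+ from (?P<key>\S+)",
     "threshold": 3, "window": 60},
    {"name": "root login accepted", "pattern": r"Accepted password for root from (?P<key>\S+)"},
    {"name": "su to root", "pattern": r"session opened for user root by (?P<key>\w+)"},
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def watch(lines, rules=WATCH):
    """Return (rule name, key, time) alerts for a stream of syslog lines."""
    compiled = [(rule, re.compile(rule["pattern"])) for rule in rules]
    recent = defaultdict(deque)  # (rule name, key) -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real watcher would report lines it cannot parse rather than drop them
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # traditional syslog carries no year
        for rule, rx in compiled:
            hit = rx.search(m["msg"])
            if not hit:
                continue
            key = hit.group("key")
            when = ts.strftime("%H:%M:%S")
            if "threshold" not in rule:
                alerts.append((rule["name"], key, when))
                continue
            q = recent[(rule["name"], key)]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=rule["window"]):
                q.popleft()  # forget hits that have aged out of the window
            if len(q) >= rule["threshold"]:
                alerts.append((rule["name"], key, when))
                q.clear()  # re-arm so a continuing attack raises one alert per burst, not per line
    return alerts


if __name__ == "__main__":
    for name, key, when in watch(LOG.splitlines()):
        print(f"{when} {name}: {key}")
```

Three alerts come out of the seven lines: the third failure from 192.0.2.44 trips the threshold, the later success for root fires on its own, and the su to root by bob fires on its own; the cron line matches nothing. The sequence of a brute-force alert followed seconds later by an accepted root login is exactly the pairing an incident-response strategy should be built to act on.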
Tripwire Inc., one of the first intrusion-detection providers, offers
a commercial product (www.tripwire.com) and an open-source one (www.tripwire.org) for Linux platforms. Both the commercial product, which starts
at $595, and the open-source one take a baseline of the monitored files,
verify their integrity against it and notify administrators when a file
has been added, removed or changed.
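The file-integrity checking that Tripwire, AIDE and FCheck perform, and that the host-based section above lists as "verifying the integrity of system files", reduced to its essentials as an added Python example (not code from the article or from any of those tools): hash and record the metadata of every file under a root, keep the result as a baseline, and report what was added, removed or changed on a later pass. The directory tree, file contents and tampering steps are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_entry(path: Path) -> dict:
    """Hash plus the metadata Tripwire-style tools track (mode, size, owner)."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "uid": st.st_uid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def snapshot(root: Path) -> dict:
    """Record every file under root, keyed by path relative to root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[str(p.relative_to(root))] = file_entry(p)
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Integrity report: files added, removed, and changed (with the attributes that changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = sorted(k for k in baseline[path] if baseline[path][k] != current[path].get(k))
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it the way an intruder might, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        login = root / "bin" / "login"
        passwd = root / "etc" / "passwd"
        login.write_bytes(b"original login binary")
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")

        # The baseline would normally be signed and kept on read-only media outside the
        # monitored tree; here a JSON round trip stands in for storing and reloading it.
        baseline_json = json.dumps(snapshot(root))

        # Tampering: a trojaned binary of identical size that is also made setuid, a new
        # uid-0 account, a deleted file and a dropped-in .rhosts backdoor.
        login.write_bytes(b"trojaned login binary")
        os.chmod(login, 0o4755)
        with open(passwd, "a") as f:
            f.write("hacker:x:0:0::/:/bin/sh\n")
        (root / "etc" / "motd").unlink()
        (root / ".rhosts").write_text("+ +\n")

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned binary is the case that matters: its size is unchanged, so only the hash and the new setuid bit give it away, which is why these tools hash contents rather than trusting size and timestamps. The check is only as trustworthy as the baseline, so the stored database must itself be protected from the intruder, by a signature, read-only media or both.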
Another useful commercial solution is Symantec Corp.'s Intruder Alert.
It monitors hosts, applications and data for unauthorized activity, and
unlike some other solutions, it can take precautionary measures based on
settings defined by the administrator.
Biggs has more than 15 years of business and IT experience in the financial
sector.