19 Feb 2007, 12:40pm
Essay Tech
by Mr.

Since I killed NSGG…

I’ll post some of the postings from that site here.

It won’t seem like such a chore to keep two separate blogs when this one covers a wide breadth of topics, including tech subjects. The first one will be the last posting, which is an essay.

18 December 2006

Intrusion Detection Systems, an Essay

Introduction

One of the most important drivers of advances in technology is conflict with others. Humans will go to great lengths to invent something that can cause destruction to another, or to create measures to protect themselves from others, hoping to stay one step ahead of the adversary. In the movies, these protective measures signal intrusions with a loud klaxon or flash computer monitors with warnings of a hacker in the network. These are the Hollywood versions of Intrusion Detection Systems; the real versions are too boring for TV. Nevertheless, Intrusion Detection Systems (IDS) seem to be the buzzword for hardening networks today. For those who are not exactly sure what an IDS is, having one seems to be the perfect way to make a network impervious to outside attack. For those who do know what an IDS is and what it is capable of, it becomes another valuable resource for stopping, mitigating, or researching attacks on the network. The possibility of introducing one of these systems to your network raises questions such as: What is an Intrusion Detection System and what is it capable of? Where is a resource to find and track intrusions? And what is not considered an Intrusion Detection System?

Intrusion Detection System

An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system (Intrusion, 2002). There are many ways an IDS can perform its task, and they can be broken down into these categories: network- or host-based systems, misuse or anomaly detection, and passive or active detection systems. A system can perform functions across multiple categories if needed, or can concentrate on only one method. An example of this is a network-based IDS that is also an active system.

A network-based system is just that: a computer that resides on the network for the sole purpose of providing protection against intrusions. Typically, these devices reside somewhere between the router and the switches on the network. This way it can capture packets and analyze them as soon as they get through the router but before they are sent on to the computers. It does, however, have shortcomings that a HIDS, or host-based IDS, can compensate for. Host intrusion detection systems are intrusion detection systems installed locally on the host machines themselves. This makes a HIDS a very versatile system compared to a NIDS (Magalhaes, 2004): intrusions can be detected on any network segment where it is installed, whereas a NIDS sometimes cannot see them. Using a host-based solution, computers can be on any segment and still be centrally administered. The drawback to a HIDS is that the big picture isn’t readily seen, and correlation between attacks at different locations can be difficult (Early, 2006).

The second largest distinction between IDS systems is whether they are active or passive. An active IDS is just that: it actively watches every packet coming in and going out, looking for malformed packets or any other data that fits a certain signature. If traffic matching an attack signature is seen, the IDS can actively stop that traffic from passing. Active systems can also forward this attack traffic to another system or honeypot so that intelligence can be gained while the network is protected. Finally, an active system can make on-the-fly adjustments to other devices on the network, such as routers and firewalls. It is because of this that an attack may be permanently defeated. Passive systems typically do none of these actions. A passive IDS tracks all traffic just as an active system does, but instead of closing the connection or making any changes, it logs the anomalies and notifies the administrator, leaving every decision about which course of action to take up to that person.

DShield.org

There are websites that can help an administrator focus his or her attention on what is generally happening out in the internet world. Knowing which threats are the most common and which have the worst consequences are important pieces of information for securing a network. For this document, one website is going to be used specifically: DShield.org. DShield is described as a Distributed Intrusion Detection System, meaning that it is not concerned with one network in particular but gathers information from networks world-wide. With such a wide base of comparison, a true picture of current trends and threats can be seen, which can be very useful to security people.

Some of the information on this website is immediately visible. The section labeled Internet Storm Center (ISC) gives a worldwide once-over of the current state of affairs online. At the time of this writing (December 7, 2006), the status was Green, meaning “Everything is normal. No significant new threat known.” (SANS, 2006). The other levels are Yellow, Orange, and Red, representing threats that are new, posing significant damage, or disrupting vast parts of the internet, respectively. This can be helpful initially, since it can be an indicator of problems to come, or of problems that a security system may already be dealing with. Problems such as the Slammer worm in 2003 could have been perplexing to security administrators at first, but had they looked at the status of the ISC and seen that the threat level was Orange and that multiple sites across the globe were affected, those administrators could have changed objectives and started working with other agencies on a solution.

DShield.org also has detailed logs, sent in by thousands of people, that identify the number of times an attack occurs and from whom. These attacks are broken down by which port the threat is attacking, which program it is specifically targeting, and who is doing the attacking. This feature, coupled with the “FightBack” program, enables users at any level to report attacks to the ISP. By having detailed records that include the what, when, and where, and sending this information to the Internet Service Provider that issued the IP address, the provider can then trace down the actual individual and shut them down.

Not an “IDS”

The term IDS has become synonymous with other terms such as firewalls, penetration testing systems, and anti-virus. This use of incorrect terminology can lull some into a false sense of security. More than likely, this sense of security is going to be felt at a non-technical level, such as among regular managers and business owners. Though having anti-virus and firewalls installed on systems is an effective means of slowing down the threats of the internet, they are only pieces of the puzzle.

As discussed before, an IDS looks at the signatures of a threat to determine what to do. This is what makes it special, and why firewalls are not in this group. Firewalls are configured to perform the relatively simple function of allowing or denying traffic, but typically there is no stateful inspection of the individual packets. The systems that do inspect this traffic, the IDSs, examine every packet of information. So, though similar, there are also great differences.
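To make the distinctions in the sections above concrete (firewall versus IDS, misuse versus anomaly detection, passive versus active response), here is a small added example, written for this post and not taken from the essay or from any IDS product. The port policy, the payload signature and the sample packets are all constructed for illustration.

```python
# Added example (not from the essay): a toy inspector contrasting a firewall's
# header-only allow/deny rule with an IDS's signature (misuse) and anomaly
# checks, and passive (log and alert) with active (drop and block) response.
# The policy, signature and packets are all constructed for illustration.
from collections import Counter
from dataclasses import dataclass

ALLOWED_PORTS = {80, 443}                  # constructed firewall policy
SIGNATURES = {b"X-DEMO-ATTACK-SIGNATURE": "demo payload signature"}  # constructed
RATE_THRESHOLD = 3                         # packets per source before "anomalous"

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

def firewall_allows(pkt):
    """A firewall decides on headers alone: is the destination port allowed?"""
    return pkt.dst_port in ALLOWED_PORTS

def inspect(packets, active):
    """Run the IDS over the packets the firewall let through.
    Passive mode only records alerts; active mode also drops the offending
    packet and blocks its source for the rest of the stream."""
    alerts, delivered, blocked, seen = [], 0, set(), Counter()
    for pkt in packets:
        if not firewall_allows(pkt) or pkt.src in blocked:
            continue                       # denied by firewall, or already blocked
        seen[pkt.src] += 1
        reason = None
        for sig, name in SIGNATURES.items():     # misuse detection: payload match
            if sig in pkt.payload:
                reason = f"signature: {name}"
        if reason is None and seen[pkt.src] > RATE_THRESHOLD:  # anomaly detection
            reason = f"anomaly: {seen[pkt.src]} packets from one source"
        if reason:
            alerts.append((pkt.src, pkt.dst_port, reason))
            if active:
                blocked.add(pkt.src)
                continue                   # drop instead of deliver
        delivered += 1
    return {"alerts": alerts, "delivered": delivered, "blocked": sorted(blocked)}

# Constructed sample traffic: a packet the firewall denies, an attack-marked
# payload on an allowed port, and a chatty host that trips the anomaly threshold.
SAMPLE = [Packet("10.0.0.5", 23, b"login"),
          Packet("10.0.0.7", 80, b"GET / X-DEMO-ATTACK-SIGNATURE HTTP/1.1"),
          *[Packet("10.0.0.9", 443, b"hello") for _ in range(5)]]
```

Running `inspect(SAMPLE, active=False)` delivers all six firewall-permitted packets and raises three alerts, while `inspect(SAMPLE, active=True)` delivers only three and blocks both offending sources; the firewall alone never sees the payload-carried signature because port 80 is allowed.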

Anti-virus is also similar in nature to an intrusion detection system, in that it actively scans all data coming into a computer and compares that data to a list of known threat signatures. However, an anti-virus program only does this after a payload has reached the computer in full; it does not inspect the individual packets that form the file. Anti-virus also does not protect against threats at the lower three layers of communication (the physical, data-link, and network layers), where threats such as Denial of Service, or DoS, attacks occur.

End state

Networks have to be protected today. Key information on systems within those networks has to be allowed to flow as well. Having a multi-tiered system of protection on those networks is essential in today’s market, and an intrusion detection system is a key component of that protection. These systems, fitted with hardware and software firewalls, properly configured routers, and anti-virus clients running, ensure that there is a comfortable level of protection for the systems.

With the variety of IDS types, such as Active or Passive, Network based or Host based, a company has many options of picking the level of protection they need and can afford. The decisions have to be made very carefully, since there are key areas that one system may cover but other areas that are left unprotected.

Websites such as DShield.org that help keep track of the state of web affairs can be helpful to many an administrator. They provide a means to report attempted attacks on a network, to verify which ports and programs are being most affected, and so forth. These sites can also help an administrator who is currently engaged with an attack focus on what the root problem may be.

No protection is ever 100%, however. New threats arrive at our doorsteps every day, and those typically have the sole intent of circumventing the protective layers that are already established. Complete reliance on these systems will never be possible, but when used correctly they are vital assets in protecting our networks from harm.
