The ABCs of IDSs (Intrusion Detection Systems) (November 26)
by Carolyn Meinel

You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe?

Maybe not. In 1998, a news story asserted that the firewall for the New York Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's network e-mailed reporters:

...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING.

0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE N3XT T1M3...

No one at the Times had noticed the Hacking for Girliez gang's weeks-long presence on their network. The intruders finally chose to go public by defacing the opening page of the paper's Web site—on the day the Times expected millions of visitors to view the Monica Lewinsky transcripts. Instead, visitors encountered soft porn and an ad for Lewinsky-scented cigars.

Thanks to a cron job (that is, a command scheduled to run repeatedly by the Unix cron daemon), several attempts to remove the offensive index page failed, exposing thousands more patrons to the Girliez' exploit. It took almost two weeks to eradicate the intruders' back doors from the New York Times' network. Damage was estimated at $1.5 million, and a grand jury is currently hearing testimony in the case.

All this might have been avoided had the Times been running a good enough intrusion detection system (IDS).

What Is an Intrusion Detection System?

Intrusions fall into two major classes. Misuse intrusions are attacks on known weak points of a system. An IDS looks for this type of attack by comparing network traffic with signatures of known attacks. The second class, anomaly intrusions, consists of unknown attacks and other anomalous activity. This may include detection of an intruder who is already inside a network. Anomaly detection is hardly a plug-and-play function. It requires an intimate knowledge of one's network and patterns of user behavior, and an IDS with powerful scripting options.

The basic function of an IDS is to record signs of intruders at work inside and to give alerts. Depending on the product, how it is deployed and its network configuration, an IDS may only scan for attacks coming from outside one's network or it may also monitor activities inside the network.

Some also look for anomaly intrusions. This requires an IDS that can be extensively configured by the user to match the peculiarities of the network to be defended. When Susie the systems administrator is at work at 2 a.m., this may be her normal behavior. But when Artie the administrative assistant logs on to his workstation at 2 a.m., that is most likely an anomaly. An IDS that detects anomalies must be scripted to tell the difference between the two log-ons.

In the New York Times case, the intruders installed a number of "root kits" to hide themselves and open back doors. An installation process like this may be detected as an anomaly—if one can set up an IDS to tell the difference between installing a root kit and a legitimate program.
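The Susie-versus-Artie distinction above is, at bottom, a per-user baseline of normal login hours. The following toy detector is an added illustration (not code from the article or from any IDS product); every log line, user name and host name is constructed sample data, and the log format assumed is "<ISO-8601 timestamp> <user> <host>".

```python
"""Toy anomaly detector for login hours. Added illustration, not from the
article or any IDS product; all log lines, user names and host names below
are constructed. Assumed log format: "<ISO-8601 timestamp> <user> <host>"."""
from collections import defaultdict
from datetime import datetime

# Constructed history of logins used to learn each user's normal hours.
BASELINE_LOG = """\
2001-10-01T02:10:00 susie srv01
2001-10-02T01:55:00 susie srv01
2001-10-03T03:05:00 susie srv02
2001-10-01T09:02:00 artie ws17
2001-10-02T08:58:00 artie ws17
2001-10-03T09:10:00 artie ws17
"""

# Constructed new logins to be judged against that baseline.
NEW_LOG = """\
2001-10-05T02:05:00 susie srv01
2001-10-05T02:07:00 artie ws17
2001-10-05T09:01:00 artie ws17
"""

def parse_logins(text):
    """Yield (user, hour_of_day, host) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            stamp, user, host = line.split()
            yield user, datetime.fromisoformat(stamp).hour, host

def build_profiles(text):
    """Per-user set of hours at which a login has been seen before: the
    site-specific knowledge an anomaly IDS must be given or must learn."""
    profiles = defaultdict(set)
    for user, hour, _host in parse_logins(text):
        profiles[user].add(hour)
    return profiles

def is_anomalous(profiles, user, hour, tolerance=1):
    """Normal = within `tolerance` hours (around the clock) of an hour already
    seen for that user; a user with no history at all is always flagged."""
    seen = profiles.get(user, set())
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in seen)

def check_logins(profiles, text):
    """Return the (user, hour, host) logins that the profiles flag."""
    return [entry for entry in parse_logins(text)
            if is_anomalous(profiles, entry[0], entry[1])]
```

Run against the constructed NEW_LOG, `check_logins` flags only Artie's 2 a.m. login; Susie's identical timestamp is within her learned hours and passes.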

An IDS may include a feature to take automatic action when certain conditions occur, for example to page the systems administrator on call. Many IDSs are flexible enough that one can configure them to launch automatic attacks against suspected intruders, such as denial-of-service attacks. In many situations, this is illegal and inadvisable.

And some IDSs are optimized to gather forensic data, including replaying an intruder's activity in real-time.

Types of IDSs

IDSs fall into three main groups:

  • A network IDS uses network cards in promiscuous mode, sniffing all packets on each network segment. A typical network IDS consists of one or more sensors and a console to aggregate and analyze data from the sensors. It could include a system integrity verifier to look for evidence that key files may have been altered. A log file monitor may gather and analyze log files on many computers.

  • A host-based IDS looks only at packets addressed to the computer on which it resides and/or watches processes inside the host. Some host-based IDSs may operate entirely independently. In other systems, each host-based IDS may report to a master system that evaluates their reports. This architecture would be a hybrid IDS.

  • A hybrid IDS combines a host IDS with a network IDS. Exactly how this works depends on the product, making a hybrid IDS hard to define.

Some IDSs offer scripting languages. This feature is crucial for those operating in a middleware environment and is essential for managing anomaly detection.

Personal firewalls with IDS functionality—a type of host-based IDS—are fast becoming popular. Their major market is people who fear that their home computers may be invaded by teen vandals.

An Achilles heel of large enterprises is the employee who works from home or from a laptop while on the road. Personal firewalls can fill this gap. The problem is, they lack the ability to report intrusion activity to a network IDS console. Let's say Joe the salesperson has installed a pornographic screen saver. Can he be trusted to volunteer the information that his personal firewall reports that this application was infected by a back door?

What About Honeypots?

A honeypot simulates one or more vulnerable systems, to tempt attackers to focus on an apparent easy kill. Once the honeypot has been invaded, it will alert the information security manager of the intrusion.

A honeypot also protects other parts of a network by diverting attention to something that can't be harmed. Some honeypots can simulate many different computers. You can get an idea of what your attacker is after by seeing which apparent operating systems he or she ends up "owning."

Perhaps most important, a honeypot can collect forensic evidence. Even though an intruder may not do any damage, his or her actions on the honeypot can provide proof of criminal intent.

Characteristics of a Good IDS

If you are managing middleware, it's a sure bet that no single IDS vendor will be able to take care of all your needs. More than 150 commercial, freeware and shareware IDS products exist. So how do you choose which ones to use? The Purdue University IDS research project has proposed the following evaluation criteria for an IDS:

  1. It must run continually without human supervision. The IDS must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box"; that is, its internal workings should be examinable from the outside.

  2. It must be fault-tolerant in the sense that it can survive a system crash and will not have its knowledge base rebuilt upon restart.

  3. It must be able to monitor itself to ensure that it has not been subverted.

  4. It must impose minimal overhead on the system.

  5. It must observe deviations from normal behavior (a.k.a. anomaly detection).

  6. It must be easily tailorable to the system in question. Every system has a different usage pattern.

  7. It must be able to adapt to changes in the system profile that occur over time.

  8. Finally, it must be difficult to fool.

Noted computer security expert Neil Buckley suggests some additional criteria:

  1. Timely signature updates.

  2. Signature accuracy.

  3. Capable, experienced support staff.

  4. Proven installations in complex environments.

  5. Integration with other monitoring frameworks and security devices.

The missing factor in most discussions of what makes a good IDS, however, is whether it can collect data that can be used in court against your attackers.

Forensics

Few businesses report computer crime. Often, it isn't even noticed. For example, "Are you Giving Away your Databases" shows how easy it can be to steal database information without the theft ever being discovered. Even when computer crime is noticed, and even when it is serious, most companies sweep it under the rug.

Steve Manning has considerable experience with computer forensics. Manning used to work for the Air Force Office of Special Investigations on computer crime, and currently he is the CEO of Securitygurus.com. He explains the reasons for this attitude: "They see going to law enforcement as long drawn out, nothing to gain. They fear stockholder or customer backlash if they learn of attacks. Or they don't see it as a major loss or don't have a staff trained in computer security."

The result? Today cyberspace is the Wild West, with essentially no law enforcement. This author has been approached with several requests to commit serious computer crime, for example, a lucrative request to obtain spreadsheets (the answer was NO!!!). One hacker has told the author that his two previous employers pressured him to steal competitors' customer databases (which is why they are ex-employers).

So when you see persistent attacks, don't assume it is just some kid wanting to be a "haxor." It may well be your competitor. And you may never realize how much damage was done to you unless you bring the perpetrators to justice.

According to Manning, this free ride for criminal competitors may be coming to an end. "Today we are beginning to see an effort to formalize security and train staff." Once your company gets an IDS that can gather forensic data that will serve well in court, and knows how to use it, competitors had better be on their best behavior.

Standards

If you have a large, heterogeneous network, you may be unable to find a single-vendor IDS solution. In this case, you must be able to manage the reports of several different IDS products from more than one vendor. IDS is a sufficiently recent trend in computer security that an industry standard for reporting intrusion incidents doesn't yet exist. Thus, managing the outputs from IDSs of several vendors can become a middleware nightmare.

Two reporting standards are vying for acceptance. The Internet Engineering Task Force has proposed an XML-based reporting format, the Intrusion Detection Message Exchange Format (IDMEF). The other effort, the Common Intrusion Detection Framework (CIDF), has been funded by the Defense Advanced Research Projects Agency (DARPA) in response to U.S. Department of Defense concerns that no single IDS vendor can address the entire spectrum of attacks.

In the meantime, systems administrators needing more than one IDS vendor to cover the complexities of their network have no easy solution to the problem of aggregating and correlating IDS data.
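To make the aggregation problem concrete, here is an added example (not from the article or any product) of a console-side routine that normalises alerts from different sensors once they share one format. It assumes the element names of the IDMEF specification as later published in RFC 4765; the sensor names, timestamps and alerts are constructed, using documentation IP ranges.

```python
"""Aggregating alerts from several sensors that all report in IDMEF. Added
example, not from the article or any product; element names follow the
published IDMEF spec (RFC 4765), and all alerts below are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"i": "http://iana.org/idmef"}  # IDMEF XML namespace

def make_alert(msgid, analyzer, when, target, text, source=None):
    """Build a minimal IDMEF-Message (stands in for one sensor's output)."""
    node = ('<i:Node><i:Address category="ipv4-addr"><i:address>%s</i:address>'
            '</i:Address></i:Node>')
    src = "<i:Source>%s</i:Source>" % (node % source) if source else ""
    return ('<i:IDMEF-Message xmlns:i="%s" version="1.0"><i:Alert messageid="%s">'
            '<i:Analyzer analyzerid="%s"/><i:CreateTime>%s</i:CreateTime>%s'
            '<i:Target>%s</i:Target><i:Classification text="%s"/>'
            '</i:Alert></i:IDMEF-Message>'
            % (NS["i"], msgid, analyzer, when, src, node % target, text))

def parse_alert(xml_text):
    """Normalise one IDMEF message into a flat dict, whichever sensor sent it."""
    alert = ET.fromstring(xml_text).find("i:Alert", NS)
    def addr(part):  # first IPv4 address under Source or Target, if present
        el = alert.find("i:%s/i:Node/i:Address/i:address" % part, NS)
        return None if el is None else el.text
    return {"id": alert.get("messageid"),
            "analyzer": alert.find("i:Analyzer", NS).get("analyzerid"),
            "time": alert.find("i:CreateTime", NS).text,
            "source": addr("Source"), "target": addr("Target"),
            "class": alert.find("i:Classification", NS).get("text")}

def correlate(messages):
    # Group normalised alerts by target host, across all sensors.
    by_target = defaultdict(list)
    for alert in map(parse_alert, messages):
        by_target[alert["target"]].append(alert)
    return dict(by_target)

def multi_sensor_targets(messages):
    """Targets reported by two or more distinct analyzers, e.g. a network
    sensor and a host agent agreeing: the console's first correlation signal."""
    return sorted(t for t, alerts in correlate(messages).items()
                  if len({a["analyzer"] for a in alerts}) >= 2)

# Constructed sample: a network sensor and a host agent both report one host.
SAMPLE = [
    make_alert("n-1", "net-sensor-1", "2001-11-25T02:07:00Z", "198.51.100.10",
               "suspicious inbound connection", source="192.0.2.200"),
    make_alert("h-1", "host-agent-10", "2001-11-25T02:09:30Z", "198.51.100.10",
               "new crontab entry written"),
    make_alert("n-2", "net-sensor-1", "2001-11-25T02:11:00Z", "198.51.100.22",
               "port sweep"),
]
```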

When All Else Fails

You've invested in the best firewalls, the best vulnerability scanners and the best IDSs. Yet some Sunday morning your IDS pages you to report that an anomaly has occurred: Someone has plastered "W3 0WN YOU" on your Web site. You can ease the pain if your company has taken advantage of the latest trend: IDS bundled with computer crime insurance. Some IDS vendors will vouch that their defenses are state-of-the-art and provide insurance at a less than ruinous rate.

Vendors of computer crime insurance include:

  • Internet Security Systems (www.iss.net)

  • Counterpane (www.counterpane.com)

  • IBM Global Services (www.ibm.com)

  • J.S. Wurzler Website Insurance & Security (www.jswum.com)

  • Axent Technologies (www.axent.com)

  • Insuretrust.com LLC (www.insuretrust.com)

  • Ace Ltd. (www.acelimited.com)

IDS Products

For exhaustive lists, see www.networkintrusion.co.uk and www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html.

About the Author

Carolyn Meinel, author of "The Happy Hacker: A Guide to Mostly Harmless Hacking," is a professional in the area of computer security and has been a subcontractor to the DARPA Intrusion Detection Evaluation program. She may be reached at cmeinel@techbroker.com.

Copyright © 2001 ManipurOnline. A Virgo Communications Company ALL RIGHTS RESERVED.