Network Intrusion Detection

I started out my technology career in a manner similar to many others in the industry, by supporting the network and systems of a small Midwestern company. My main task was to simply keep the network up and running so people could access files and print reports. Security was not really a consideration, as only two or three people had Internet access, and I had not yet learned that even dial-up access can provide a security risk to a business.
As the company grew, an always-on Internet connection was added to the network so that all users could conduct research and use e-mail. This dedicated Internet connection was not initially protected by a firewall. Several months passed before the ownership of the company was convinced that spending several thousand dollars on a firewall appliance was truly necessary. Within an hour of the installation of the firewall, I identified traffic from an IP address that was identified as being registered to the Ministry of Education, Republic of Taiwan. I also identified traffic from India, Brazil and Texas. I was astonished! I fell victim to a common network security misconception — we are a small business and nobody is interested in our data or our systems. But in reality, any computer connected to the Internet is vulnerable.

An unprotected system can be used in several ways:
• An attacker can look around to see if there is anything of interest to collect, such as credit card numbers, social security numbers and other personal information.
• An intruder can store stolen materials, such as child pornography, copyrighted materials (music and movies) or credit card numbers.
• Someone wishing to distribute malicious software can use a compromised system to automatically distribute malware. Or the system can be configured to operate as a “bot” — a system that can be controlled remotely to distribute software or launch “attacks” on other systems.

Often, an attacker can perform one or more of the activities listed above, as demonstrated by the 2003 breach of the computers in the international students office at the University of Kansas, where a hacker stole personal information for more than 1,400 foreign students. In addition, “the university’s investigation revealed that the hacker apparently intruded five times into the university’s computer systems…The other attacks used the university’s machines to illegally download and install copyrighted moves and pornography,” according to The Chronicle of Higher Education (Jan. 2003).

Strengthening the Perimeter
These threats and the publicity surrounding breaches of security should cause all businesses that are connected to the internet to “harden” their perimeter. This is analogous to medieval castles being surrounded by very large and very thick walls.

The tool most commonly associated with protecting a network is the firewall. Firewalls are designed to keep hostile traffic from entering a network. In theory, firewalls seem like the perfect solution to stop potential hackers in their tracks. Essentially, it is a roadblock for attackers; however, firewalls are not perfect, “set-it and forget-it” devices. They can have vulnerabilities, they can be improperly configured, they can fail or a new method of attack can be developed. Because of this it is important to put an additional layer of protection in place to detect attacks or other anomalous behavior.

One of the best solutions is to install an intrusion detection system or IDS. These systems are designed to identify abnormal network traffic or when a system has been modified or compromised. There are several types of intrusion detection systems. One is network-based, which monitors the flow of network packets; the other is host-based, which monitors activity on a particular system.

Many current intrusion detection systems are hybrids of these two types. They can also be differentiated by how they function. Some perform “anomaly detection,” which searches for abnormal activity; and some perform “misuse detection,” which attempts to identify known attack patterns. Anomaly detection IDS systems generally compare activity to a normal profile of the network or system. The weakness of an anomaly detection system is that it will not flag an intrusion that is being masked as normal activity. Misuse detection’s weakness is that it will not always detect “yet to be discovered” attack patterns.

On paper, an IDS sounds fairly straightforward — simply monitor network and system activity and look for hostile or unusual behavior. While it sounds simple, it is actually complex. The average computer user (or security professional) has the perspective that the only activity on a computer or network is “user-generated.” They have no idea that there is an incredible amount of activity occurring on a computer even when it is “idle.” One simply has to watch the constantly flashing light on a network interface card to recognize that there is traffic on the network cable connected to the computer. But to truly understand the volume of traffic on a network, one should download and run Wireshark (

According to the Wireshark User’s Guide, “Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.” If you are not an IT professional, the output from Wireshark will look like gibberish, however it is worth running simply to see the amount of traffic that is communicating with your computer. To run Wireshark, download the installer from the previously mentioned Web site. The installation is fairly straightforward. The one requirement is to install the Winpcap library and drivers if prompted. Once installed, run the application. To start capturing packets, click on “Capture” and then “Options.” Select an “interface” (the one you are looking for will probably include the word “Ethernet”), and then click “Start.” Take your hands off the keyboard and watch what happens. Network activity will start scrolling past at a rapid pace. To gain an idea of what is happening on your computer, download and run “Process Monitor,” which is “an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity.” Once again, for the uninitiated, the output from Process Monitor will not mean anything, however seeing the amount of activity on the computer will be enlightening.

These tools are not intrusion detection systems, but they bring to light one of the problems surrounding the identification of an intrusion. There is an incredible amount of activity that needs to be monitored, analyzed, and identified. Compound this with the fact that many IDS systems are incredibly sensitive and must be adjusted to minimize the false positives and focus on potential threats. Having an IDS in place is wonderful, but what is the system supposed to do when it identifies a problem? Simply log the anomaly or event for an administrator to review at a later time? E-mail or page a system administrator so they can respond appropriately? And what is the appropriate response? Are there written policies and procedures in place that define appropriate responses? Should an intrusion detection system be integrated with a firewall or Intrusion Prevention System (IPS) to automatically stop or block the activity identified by the IDS?

Planning and Preparation
The point of these questions is to point out that implementing an IDS is not a simple process. It requires proper planning and preparation. One of the steps that should be accomplished is benchmarking systems prior to being placed on a “live” or production network. It is important to know what a standard, uncompromised system looks like, so that when receiving an alert, the process of identifying a true problem becomes much easier.
Here is a simple, non-technical example of this concept. My wife and I left for a two night get away and left our teenage son home alone. Upon our return, it took me only a matter of minutes to recognize that something had occurred during our absence. While the house was clean, various “knick knacks” were not resting in the locations they had occupied for years. I knew immediately that he had had a party in our absence and was able to properly discipline my son and deflect the “Do you know what went on while you were gone?” questions.

A system administrator should be able to quickly recognize when something is amiss on his network. Numerous tools exist that can help with benchmarking such as Windows Forensic Toolchest (WFT), which can be downloaded from or it is part of the Helix CD, Other tools include WinAudit (, and Pstools (

In addition, those persons that are required to support, maintain and monitor the intrusion detection systems so that they can intelligently perform their responsibilities. A good start would be to be in a position to interpret the output of tools like Wireshark and Process Monitor. Besides downloading the tools and “playing” with them, there is some excellent training available such as Wireshark University’s Self-Paced Courses, or SANS Institutes’s “Intrusion Detection In-Depth,”

Another consideration when implementing an intrusion detection system is that many “attacks” may take place over an extended period of time. A serious attacker will take time to collect intelligence on the organization they are trying to infiltrate. They will look at publicly accessible information to try to identify registered IP address ranges for their target. They will look at Web pages to learn possible naming conventions for e-mail and network accounts. They may begin to start “fingerprinting” the network, trying to identify what operating systems and applications are in use. This may take the place of periodic “probes” of the system they may not be picked up by the intrusion detection system. Once the attack occurs, it may be constructed in such a way so that no alarms are set off. Having the ability to review historical data could be critical in identifying the source of an attack. This type of attack is often difficult to detect and has a higher percentage of being successful.

Part of the process should include a review of all of the options available. There are several open-source programs that can be implemented such as Snort, a popular network-based intrusion detection program ( and OSSEC, a popular host-based intrusion detection solution ( Commercial products are essentially too numerous to mention, but there are products available from Cisco, Juniper Networks, Computer Associates and Sourcefire, among others. Or, you can outsource the entire management process to SecureWorks, which provides a “Managed Intrusion Prevention and Detection Service.”

Know What to Look For
Firewalls and Intrusion Detection Systems are designed as strong perimeter defenses. These are great products as long as there is a well-defined perimeter to the network. Unfortunately, most networks do not have a single in/out port. Now there are multiple entry points into the network, such as wireless access points, VPN, portable devices and possibly dial-up connections for maintenance or back-up purposes.
It is important to recognize that when perimeter defenses became stronger, attackers looked for easier ways to steal information. Attackers now target users by sending out phishing scams, convincing users to willingly give up their login credentials for online banking and ecommerce sites.

Despite constant training and reminders, people still succumb to phishing scams. End-users still download and install unauthorized software on their corporate computers, installing rootkits. And confidential information continues to leave an organization via e-mail attachments, USB devices and free online storage sites. Now corporations are faced with the concept of “extrusion detection,” monitoring and analyzing network traffic as it leaves an organization.
While intrusion detection systems are “a fact of life,” just like any other security mechanism, they are only a part of the overall security posture of an organization.
The concept of “defense in depth” — or multiple layers of security — is still the most valid approach to protecting an organization’s infrastructure and assets.

John Mallery is a managing consultant for BKD LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of “Hardening Network Security,” which was published by McGraw-Hill. He can be reached at