Network Intrusion Detection

Securing an organization’s digital assets and information at the perimeter


Strengthening the Perimeter
These threats and the publicity surrounding breaches of security should cause all businesses that are connected to the internet to “harden” their perimeter. This is analogous to medieval castles being surrounded by very large and very thick walls.

The tool most commonly associated with protecting a network is the firewall. Firewalls are designed to keep hostile traffic from entering a network. In theory, firewalls seem like the perfect solution to stop potential hackers in their tracks. Essentially, it is a roadblock for attackers; however, firewalls are not perfect, “set-it and forget-it” devices. They can have vulnerabilities, they can be improperly configured, they can fail or a new method of attack can be developed. Because of this it is important to put an additional layer of protection in place to detect attacks or other anomalous behavior.

One of the best solutions is to install an intrusion detection system or IDS. These systems are designed to identify abnormal network traffic or when a system has been modified or compromised. There are several types of intrusion detection systems. One is network-based, which monitors the flow of network packets; the other is host-based, which monitors activity on a particular system.

Many current intrusion detection systems are hybrids of these two types. They can also be differentiated by how they function. Some perform “anomaly detection,” which searches for abnormal activity; and some perform “misuse detection,” which attempts to identify known attack patterns. Anomaly detection IDS systems generally compare activity to a normal profile of the network or system. The weakness of an anomaly detection system is that it will not flag an intrusion that is being masked as normal activity. Misuse detection’s weakness is that it will not always detect “yet to be discovered” attack patterns.

On paper, an IDS sounds fairly straightforward — simply monitor network and system activity and look for hostile or unusual behavior. While it sounds simple, it is actually complex. The average computer user (or security professional) has the perspective that the only activity on a computer or network is “user-generated.” They have no idea that there is an incredible amount of activity occurring on a computer even when it is “idle.” One simply has to watch the constantly flashing light on a network interface card to recognize that there is traffic on the network cable connected to the computer. But to truly understand the volume of traffic on a network, one should download and run Wireshark (www.wireshark.org).

According to the Wireshark User’s Guide, “Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.” If you are not an IT professional, the output from Wireshark will look like gibberish, however it is worth running simply to see the amount of traffic that is communicating with your computer. To run Wireshark, download the installer from the previously mentioned Web site. The installation is fairly straightforward. The one requirement is to install the Winpcap library and drivers if prompted. Once installed, run the application. To start capturing packets, click on “Capture” and then “Options.” Select an “interface” (the one you are looking for will probably include the word “Ethernet”), and then click “Start.” Take your hands off the keyboard and watch what happens. Network activity will start scrolling past at a rapid pace. To gain an idea of what is happening on your computer, download and run “Process Monitor,” which is “an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity.” Once again, for the uninitiated, the output from Process Monitor will not mean anything, however seeing the amount of activity on the computer will be enlightening.

These tools are not intrusion detection systems, but they bring to light one of the problems surrounding the identification of an intrusion. There is an incredible amount of activity that needs to be monitored, analyzed, and identified. Compound this with the fact that many IDS systems are incredibly sensitive and must be adjusted to minimize the false positives and focus on potential threats. Having an IDS in place is wonderful, but what is the system supposed to do when it identifies a problem? Simply log the anomaly or event for an administrator to review at a later time? E-mail or page a system administrator so they can respond appropriately? And what is the appropriate response? Are there written policies and procedures in place that define appropriate responses? Should an intrusion detection system be integrated with a firewall or Intrusion Prevention System (IPS) to automatically stop or block the activity identified by the IDS?

Planning and Preparation
The point of these questions is to point out that implementing an IDS is not a simple process. It requires proper planning and preparation. One of the steps that should be accomplished is benchmarking systems prior to being placed on a “live” or production network. It is important to know what a standard, uncompromised system looks like, so that when receiving an alert, the process of identifying a true problem becomes much easier.
Here is a simple, non-technical example of this concept. My wife and I left for a two night get away and left our teenage son home alone. Upon our return, it took me only a matter of minutes to recognize that something had occurred during our absence. While the house was clean, various “knick knacks” were not resting in the locations they had occupied for years. I knew immediately that he had had a party in our absence and was able to properly discipline my son and deflect the “Do you know what went on while you were gone?” questions.

A system administrator should be able to quickly recognize when something is amiss on his network. Numerous tools exist that can help with benchmarking such as Windows Forensic Toolchest (WFT), which can be downloaded from www.foolmoon.net/security/wft/ or it is part of the Helix CD, www.e-fense.com/helix/. Other tools include WinAudit (www.pxserver.com/WinAudit.htm), and Pstools (technet.microsoft.com/en-us/sysinternals/bb896649.aspx).

In addition, those persons that are required to support, maintain and monitor the intrusion detection systems so that they can intelligently perform their responsibilities. A good start would be to be in a position to interpret the output of tools like Wireshark and Process Monitor. Besides downloading the tools and “playing” with them, there is some excellent training available such as Wireshark University’s Self-Paced Courses, www.wiresharktraining.com or SANS Institutes’s “Intrusion Detection In-Depth,” www.sans.org/training/description.php?mid=43.

Another consideration when implementing an intrusion detection system is that many “attacks” may take place over an extended period of time. A serious attacker will take time to collect intelligence on the organization they are trying to infiltrate. They will look at publicly accessible information to try to identify registered IP address ranges for their target. They will look at Web pages to learn possible naming conventions for e-mail and network accounts. They may begin to start “fingerprinting” the network, trying to identify what operating systems and applications are in use. This may take the place of periodic “probes” of the system they may not be picked up by the intrusion detection system. Once the attack occurs, it may be constructed in such a way so that no alarms are set off. Having the ability to review historical data could be critical in identifying the source of an attack. This type of attack is often difficult to detect and has a higher percentage of being successful.

Part of the process should include a review of all of the options available. There are several open-source programs that can be implemented such as Snort, a popular network-based intrusion detection program (www.snort.org) and OSSEC, a popular host-based intrusion detection solution (www.ossec.net/main). Commercial products are essentially too numerous to mention, but there are products available from Cisco, Juniper Networks, Computer Associates and Sourcefire, among others. Or, you can outsource the entire management process to SecureWorks, which provides a “Managed Intrusion Prevention and Detection Service.”