Index
Intrusion Detection Systems
Passive vs. Active Response
Host-based vs. Network-based
Signature vs. Behavior
Limitations and drawbacks
Honey Pots
Intrusion Detection Systems
An Intrusion Detection System (IDS) monitors and analyzes traffic on a network or activity on a system in an attempt to detect malicious activity. The exact meaning of the word intrusion differs per IDS product and per the systems and services it is monitoring. It can be anything from a port scan to an attempt to gain unauthorized access. Other examples include RIP spoofing, ping sweeps, malicious SQL injections, DoS attacks, Trojans, and unauthorized changes to system files and settings.
When an IDS detects an intrusion, it will log the event, store relevant data/traffic, notify an administrator, and in some cases try to intervene. Besides the obvious advantages of an IDS, the stored data and the logs provide valuable forensic information and may be used as evidence in a legal case against the attacker. An IDS is much like an alarm system, some being more advanced and intelligent than others. IDSs can be classified based on various characteristics, of which the most common are described in the following paragraphs. Most IDS products combine features from these different types.
Passive vs. Active Response
Many intrusion detection systems merely log the intrusion and notify someone, by email or pager for example. This is known as passive-response intrusion detection, as it does not actively attempt to stop the intrusion. Instead, a system administrator or someone else will have to respond to the alarm, take appropriate action to halt the attack, and possibly identify the intruder. Modern IDSs offer a wide range of options to send notifications of intrusions, including pager, cell phone, email, SNMP trap messages, or simply a message box on the administrator’s PC. It is important to make sure that the notifications are sent in a secure manner to prevent the attacker from intercepting or altering them.
Active-response IDSs automatically take action in response to a detected intrusion. The exact action differs per product and depends on the severity and type of attack. A common active response is increasing the sensitivity level of the IDS to collect additional information about the attack and the attacker. Another possible active response is making changes to the configuration of systems or network devices such as routers and firewalls to stop the intrusion and block the attacker. This could involve blocking the source address of the attacker, restarting a server or service, closing connections or ports, and resetting TCP sessions. Another, less common active response that is not advisable from a legal perspective is retaliation – attacking the attacker.
Several passive-response IDS products allow plug-ins for communication with a central management console. This allows you to use the passive-response product in a decentralized active-response system, in which the passive IDS reports to the central console, which in turn can actively control the involved network devices and systems.
Host-based vs. Network-based
A host-based IDS is usually a software application installed on a system that monitors activity only on that local system. It communicates directly with the operating system and has no knowledge of low-level network traffic. Most host-based IDSs rely on information from audit and system log files to detect intrusions. They can also monitor system files and system resources, and incoming application data. Because a host-based IDS can produce a lot of data, and hence an extra administrative load, they are often placed only on critical servers. To further reduce the load, the IDSs can report to a central console.
A network-based IDS can be a dedicated hardware appliance, or an application running on a computer, attached to the network. It monitors all traffic in a network or coming through an entry point such as an Internet connection. The network card of a network-based IDS runs in promiscuous mode, which means it picks up all traffic from the media even if the destination address is not the IDS. It basically works like a sniffer. It is passive while it collects real-time raw network traffic; other hosts are usually not aware of the IDS and no extra load is put on the network.
A network-based IDS can monitor traffic only in its local network segment, unless it employs sensors. In switched and routed networks, a sensor is required in each segment (collision domain) in which network traffic is to be monitored. When a sensor detects a possible intrusion, it will report it to a central management console, which will take care of the appropriate passive or active response. Communication between the remote sensor and the management console should be secure to avoid interception or alteration by the intruder.
Signature vs. Behavior
Another common way to distinguish intrusion detection systems is by the method they use to recognize an intrusion – how they separate the good from the bad. (Note that the following types are not pertinent to CompTIA’s Security+ exam, but are merely included for completeness.)
The first and most common type is a signature-based IDS, also known as a rule-based, knowledge-based, or misuse-detection IDS. It employs a database with signatures to identify possible attacks and malicious activity. These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns. For example, a signature can describe the format of a malformed header in a packet, the symptoms of a port scan, or key terms in traffic used for known exploits.
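The three kinds of signature just listed (a malformed header, an impossible flag combination, and a key term in a payload) as a small signature database run over a packet stream. This is an added illustration, not code from the page or from any IDS product; the packet records and the field names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed packet records (not real captures). ip_len is the length claimed in the
# IP header, wire_len the number of bytes actually received; flags are TCP flag letters.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dport": 80, "flags": "PA", "ip_len": 60, "wire_len": 60,
     "payload": b"GET /index.html HTTP/1.1"},
    {"src": "10.0.0.9", "dport": 80, "flags": "PA", "ip_len": 60, "wire_len": 60,
     "payload": b"GET /?id=1 UNION SELECT password FROM users HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 22, "flags": "SF", "ip_len": 40, "wire_len": 40,
     "payload": b""},   # SYN and FIN together never occur in a legitimate TCP handshake
    {"src": "10.0.0.3", "dport": 443, "flags": "S", "ip_len": 1500, "wire_len": 40,
     "payload": b""},   # header claims far more bytes than arrived on the wire
]

@dataclass
class Signature:
    name: str
    check: Callable[[dict], bool]   # returns True when the packet matches the pattern

# The "signature database": each entry describes one known attack pattern.
SIGNATURES = [
    Signature("malformed header: IP length exceeds bytes on wire",
              lambda p: p["ip_len"] > p["wire_len"]),
    Signature("illegal TCP flags: SYN and FIN set together",
              lambda p: "S" in p["flags"] and "F" in p["flags"]),
    Signature("key term: SQL UNION SELECT in HTTP request",
              lambda p: re.search(rb"union\s+select", p["payload"], re.I) is not None),
]

def match_packet(packet: dict) -> list:
    """Return the names of every signature the packet matches (empty list means clean)."""
    return [s.name for s in SIGNATURES if s.check(packet)]

def scan(packets: list) -> list:
    """Run the whole signature database over a packet stream; return (src, signature) alerts."""
    alerts = []
    for p in packets:
        for name in match_packet(p):
            alerts.append((p["src"], name))
    return alerts

if __name__ == "__main__":
    for src, name in scan(SAMPLE_PACKETS):
        print(f"ALERT from {src}: {name}")
```

Keeping the signature database current, as the next paragraph stresses, means adding entries to `SIGNATURES`; a packet matching none of them simply passes.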
Because new attacks are being developed all the time, it is essential to keep the signature database current by frequently downloading updates. Signature-based IDSs usually produce a relatively low number of false alarms compared to behavior-based IDSs – the other main type of intrusion detection, which is described in the following paragraph.
Behavior-based intrusion detection is also known as anomaly-based or statistical-based intrusion detection. As these names imply, a behavior-based IDS monitors traffic and system activity for unusual behavior – anomalies based on statistics. To differentiate malicious activity from normal behavior it first has to learn what behavior is normal. When you activate a behavior-based IDS for the first time, it will log network bandwidth usage, processor and memory activity, disk usage, and other system activity over a certain period to create a baseline. After the learning period, activity that doesn’t match the baseline statistics (abnormal system performance) will result in an alert. The main advantage of this type of IDS is that it dynamically adapts to new vulnerabilities. Because system behavior can fluctuate for normal reasons, it usually produces a high number of false alarms.
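The learning period and the statistical baseline described above, worked through in code. This is an added example, not a product's algorithm: the hourly readings are constructed, the metric names are assumed, and the z-score threshold is one simple way of defining "doesn't match the baseline". The last reading shows the false-alarm problem the paragraph ends on: a legitimate but unusual disk burst is indistinguishable from an anomaly.

```python
from statistics import mean, stdev

# Constructed learning-period samples (hourly readings during normal operation), not real telemetry.
LEARNING_SAMPLES = [
    {"bandwidth_mbps": 12.0, "cpu_pct": 30, "mem_pct": 55, "disk_io_kbps": 400},
    {"bandwidth_mbps": 14.5, "cpu_pct": 35, "mem_pct": 57, "disk_io_kbps": 420},
    {"bandwidth_mbps": 11.0, "cpu_pct": 28, "mem_pct": 54, "disk_io_kbps": 390},
    {"bandwidth_mbps": 13.0, "cpu_pct": 33, "mem_pct": 56, "disk_io_kbps": 410},
    {"bandwidth_mbps": 12.5, "cpu_pct": 31, "mem_pct": 55, "disk_io_kbps": 405},
    {"bandwidth_mbps": 13.5, "cpu_pct": 34, "mem_pct": 58, "disk_io_kbps": 415},
]

def build_baseline(samples: list) -> dict:
    """Learning phase: for each metric, record the mean and standard deviation of normal activity."""
    metrics = samples[0].keys()
    return {m: (mean(s[m] for s in samples), stdev(s[m] for s in samples)) for m in metrics}

def detect_anomalies(baseline: dict, reading: dict, threshold: float = 3.0) -> list:
    """Detection phase: flag every metric whose z-score (distance from the mean in standard
    deviations) exceeds the threshold. Returns a list of (metric, z-score) pairs."""
    alerts = []
    for metric, (mu, sigma) in baseline.items():
        sigma = sigma or 1e-9   # guard against a perfectly flat learning period
        z = (reading[metric] - mu) / sigma
        if abs(z) > threshold:
            alerts.append((metric, round(z, 1)))
    return alerts

# Constructed post-learning readings: one normal hour, one that looks like an attack
# (bandwidth and CPU far above baseline), and a legitimate nightly backup that the IDS
# cannot tell apart from an anomaly (the false alarm the text warns about).
NORMAL_HOUR   = {"bandwidth_mbps": 13.0, "cpu_pct": 32, "mem_pct": 56, "disk_io_kbps": 410}
SUSPECT_HOUR  = {"bandwidth_mbps": 95.0, "cpu_pct": 90, "mem_pct": 56, "disk_io_kbps": 405}
BACKUP_HOUR   = {"bandwidth_mbps": 13.0, "cpu_pct": 36, "mem_pct": 57, "disk_io_kbps": 2000}

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_SAMPLES)
    for label, reading in (("normal", NORMAL_HOUR), ("suspect", SUSPECT_HOUR), ("backup", BACKUP_HOUR)):
        print(label, detect_anomalies(baseline, reading))
```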
Limitations and drawbacks
Although some intrusion detection systems have become very advanced, the data produced by software and the methods of the attackers are also becoming more complex all the time. This makes it hard to distinguish legitimate use of a system from a possible intrusion. When an IDS incorrectly identifies an activity as a possible intrusion, it results in a false alarm, also referred to as a false positive. Badly configured IDSs, and behavior-based IDSs in particular, can produce many false positives. In the case of a passive-response IDS, this could result in an excessive administrative load (getting paged for a false alarm every 3 minutes becomes annoying very quickly). In the case of an active-response IDS, this may even create a DoS situation if the IDS mistakenly blocks a legitimate user’s IP address. Therefore, it takes careful planning and consideration before implementing an IDS. To keep the number of false positives to a minimum, some products allow you to configure clipping levels, which are thresholds on certain activities. For example, failed logon attempts to the admin account won’t be reported unless they occur three times in a row over a short amount of time.
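The clipping level from the example above (three failed admin logons in a row within a short window) applied to audit-log lines. This is an added example rather than any product's implementation; the log format, the timestamps and the 60-second window are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed audit-log lines: "<seconds> <event> <account> <source-ip>". Not real logs.
LOG_LINES = [
    "100 LOGON_FAILED admin 10.0.0.5",
    "130 LOGON_FAILED admin 10.0.0.5",
    "400 LOGON_FAILED admin 10.0.0.5",   # two failures, then a long gap: window has expired
    "410 LOGON_OK admin 10.0.0.5",       # a successful logon ends the "in a row" streak
    "500 LOGON_FAILED admin 10.0.0.9",
    "520 LOGON_FAILED admin 10.0.0.9",
    "540 LOGON_FAILED admin 10.0.0.9",   # third failure within 60 s: this one is reported
    "560 LOGON_FAILED bob 10.0.0.9",     # not the admin account: outside this clipping rule
]

def parse(line: str) -> tuple:
    """Split one constructed log line into (timestamp, event, account, source)."""
    ts, event, account, src = line.split()
    return int(ts), event, account, src

def clipped_alerts(lines: list, account: str = "admin", clip: int = 3, window: int = 60) -> list:
    """Report an alert only once `clip` consecutive failed logons to `account` from the same
    source fall within `window` seconds. Isolated failures (a mistyped password) never page
    anyone; returns a list of (source, timestamp-of-clipping-failure) pairs."""
    streak = defaultdict(deque)   # source -> timestamps of its current run of failures
    alerts = []
    for line in lines:
        ts, event, acct, src = parse(line)
        if acct != account:
            continue
        q = streak[src]
        if event != "LOGON_FAILED":
            q.clear()             # success breaks the streak
            continue
        q.append(ts)
        while q and ts - q[0] > window:   # discard failures that fell out of the window
            q.popleft()
        if len(q) >= clip:
            alerts.append((src, ts))
            q.clear()             # one alert per burst, not one per extra failure
    return alerts

if __name__ == "__main__":
    print("clip=3:", clipped_alerts(LOG_LINES))
    print("clip=1:", clipped_alerts(LOG_LINES, clip=1))   # no clipping: every failure pages
```

Running it with `clip=1` shows what the administrator would be paged for without the clipping level: every single failed attempt, including the harmless ones.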
A network-based IDS may not always be able to pick up and process all data in busy networks. Another challenge for a network-based IDS is encrypted data; most are able to inspect compressed data, but encrypted data remains an obstacle simply because the IDS does not have access to the keys of every device in the network.
Intrusion detection systems are typically not preventive; they should not be used to replace other security measures such as a firewall. Instead, they should be used to complement a firewall. Last but not least, an IDS is itself another possible target of attack, since IDS software also has bugs and exploitable vulnerabilities.
Honey Pots
A honey pot is a decoy that lures attackers away from production systems. It’s usually a computer attached to the network that runs special software to emulate services, applications, and protocols. A honey pot should not contain any data other than the information specifically created to trick the attacker. Nor should it be allowed to connect to any other system except other honey pots, to prevent the attacker from using the honey pot to launch an attack.