Intrusion detection systems (IDS)

An IDS is a computer security system that detects misuse of, attacks against, or
compromise of computers connected to a network. It operates by passively examining
network packets as they travel over the wire and alerting administrators when it sees
something unusual or malicious. An IDS monitors packets on the network wire and attempts
to discover whether a hacker/cracker is attempting to break into a system (or to cause a
denial of service). A typical example is a system that watches for a large number of TCP
connection requests (SYN) to many different ports on a target machine, thereby discovering
whether someone is attempting a TCP port scan.
IDS Models
Classification of IDS essentially falls under two models: the misuse (or signature-based)
model and the anomaly model.
The misuse or signature-based model is the most widely used IDS model. Signatures are
patterns that identify attacks by checking various fields in the packet, such as source
address, destination address, source and destination ports, flags, payload and other
options. The collection of these signatures makes up a knowledge base that the IDS uses
to compare the fields of every packet that passes by and check whether they match a
known pattern.
The anomaly model tries to identify new attacks by analyzing strange behavior in the
network. To make this possible, it first has to ``learn'' how traffic in the network
normally behaves, and later try to identify patterns that deviate from it and then send
some kind of alert to the sensor or console. IDS built on this model have a higher
tendency to raise false alarms, as they tend to treat all unusual network behavior as
suspicious, whether it is malicious or legitimate.
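The two models above, and the SYN port-scan example from the introduction, as an added illustration that is not part of the original text. The packets, signatures and addresses are constructed for the example; the signature matcher checks packet fields against a rule set, while the anomaly detector learns how many distinct ports a normal host sends SYNs to and flags sources that exceed that baseline by three standard deviations:

```python
from collections import defaultdict
import statistics

# --- Misuse / signature model: a signature is a set of packet-field constraints. ---
SIGNATURES = [  # constructed example signatures, not a real rule set
    {"name": "telnet-root-login", "dst_port": 23, "payload_contains": b"login: root"},
    {"name": "xmas-scan", "flags": {"FIN", "PSH", "URG"}},
]

def signature_alerts(packet):
    """Names of all signatures whose every constraint the packet satisfies."""
    def matches(key, value):
        if key == "payload_contains":
            return value in packet["payload"]
        return packet.get(key) == value
    return [sig["name"] for sig in SIGNATURES
            if all(matches(k, v) for k, v in sig.items() if k != "name")]

# --- Anomaly model: learn what "normal" looks like, then flag statistical outliers. ---
def syn_ports_by_source(packets):
    """Map each source address to the set of distinct ports it sent a bare SYN to."""
    ports = defaultdict(set)
    for p in packets:
        if p["flags"] == {"SYN"}:
            ports[p["src"]].add(p["dst_port"])
    return ports

def learn_baseline(training):
    """Mean and population stdev of distinct SYN destination ports per source."""
    counts = [len(s) for s in syn_ports_by_source(training).values()]
    return statistics.mean(counts), statistics.pstdev(counts)

def anomaly_alerts(packets, baseline, sigma=3.0):
    """Sources whose distinct-port count exceeds mean + sigma*stdev: a likely SYN port scan."""
    mean, sd = baseline
    return [src for src, s in syn_ports_by_source(packets).items()
            if len(s) > mean + sigma * sd]

def pkt(src, dst_port, flags, payload=b""):
    return {"src": src, "dst_port": dst_port, "flags": set(flags), "payload": payload}

# Constructed training traffic: eight normal hosts, each talking to one or two ports.
TRAINING = [pkt(f"10.0.0.{i}", 80, ["SYN"]) for i in range(1, 9)] + \
           [pkt(f"10.0.0.{i}", 443, ["SYN"]) for i in range(1, 5)]
# Constructed live traffic: the same hosts plus a 20-port SYN scan and two signature hits.
LIVE = TRAINING + [pkt("192.0.2.7", port, ["SYN"]) for port in range(1, 21)] + [
    pkt("192.0.2.9", 23, ["PSH", "ACK"], b"login: root\r\n"),
    pkt("192.0.2.9", 22, ["FIN", "PSH", "URG"]),
]
```

Note that the anomaly threshold is learned from the training set, so a host that legitimately talks to many ports would be flagged too; that is the false-alarm tendency the paragraph describes.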
Commonly Used IDS
1. NIDS
Open Source
a). Snort – www.snort.org
It is the most popular Open Source IDS in use today. It supports both Unix
and Windows systems. It works by examining the traffic entering the
network, typically the VLANs that connect the servers to the NACIO
Netsource Center. It compares the traffic to a database of known attack
signatures and abnormal behaviors and generates an alert when it detects
an intrusion.
Because it is so widely used, signatures for new types of intrusions and
exploits are added to the database as quickly as they appear.
b). Bro – www.icir.org
Bro is an intrusion detection system that works by passively watching
traffic seen on a network link. It is built around an event engine that pieces
network packets into events that reflect different types of activity. Some
events are quite low-level, such as the monitor seeing a connection
attempt; some are specific to a particular network protocol, such as an FTP
request or reply; and some reflect fairly high-level notions, such as a user
having successfully authenticated during a login session.
Bro runs the events produced by the event engine through a policy script,
which the Bro administrator supplies, though in general this is done by using
large portions of the scripts (``analyzers'') that come with the
Bro distribution.
Commercial
a). ISS RealSecure Network Sensor – www.iss.net
It is an efficient, automated, real-time intrusion protection system for
computer networks and hosts. RealSecure provides unobtrusive,
continuous surveillance for intercepting and responding to security
breaches and network abuse before systems are compromised. As the
central component of the RealSecure Protection System, RealSecure
provides effective intrusion protection solutions by offering diversified
sensors and management consoles.
RealSecure Network Sensor runs on a dedicated system that monitors
network traffic for attack signatures – definitive identifiers that an
intrusion is underway. Attack recognition, incident response, and intrusion
prevention occur immediately, with full customization of signatures and
response capabilities.
RealSecure SiteProtector’s integrated environment enables creation of
shared custom group structures for monitoring intrusion activity,
vulnerability assessment or in-depth analysis of ongoing security activity.
Event prioritization and correlation enable real-time attack and misuse
tracking. SiteProtector’s interface helps administrators work more
efficiently through flexible views built around asset grouping and event
aggregation, allowing a single operator to easily process large numbers of
events. Powerful filters screen for event exceptions and false alerts.
In addition, SiteProtector automates RealSecure Protection System
deployment, and enables multiple-site management via secure remote
administration. Security administrators gain the ability to operate,
administer and monitor the security system remotely, including via high-speed
cable modem connectivity. This comprehensive information protection
environment reduces the total cost of ownership compared to other
security management solutions.
b). Intrusions Inc. Secure Net Sensor - www.intrusions.com
2. Host Intrusion Detection Systems (HIDS)
Open Source HIDS
a). LIDS - www.lids.org
LIDS stands for Linux Intrusion Detection System. It is a project that tries to
give Linux some extra security features, deployed as kernel patches, which
include file and process protection and port-scan detection. File and
process protection guards even against changes by the root superuser. This is
very useful because when a cracker exploits a bug in the system, such as a
buffer overflow, that person gains root access, which permits him or her
to do almost anything, such as install rootkits, change logs, erase HTML
pages, etc. The protection can be implemented easily using Access Control
Lists to control files and require passwords to access or change them,
preventing changes by unauthorized users, even root. The same holds
for processes, because it protects the system from altered
binaries/daemons. Another good feature is that it offers a port-scan
detector in kernel space.
b). AIDE - www.cs.tut.fi/~rammer/aide.html
Commercial HIDS
a). Tripwire - www.tripwire.com
Tripwire data integrity assurance software monitors the reliability of
critical system files and directories by identifying changes made to them.
It does this through an automated verification regimen run at regular
intervals. If Tripwire detects that a monitored file has been changed, it
notifies the system administrator via email. Because Tripwire can
positively identify files that have been added, modified, or deleted, it can
speed recovery from a break-in by keeping the number of files which must
be restored to a minimum. These abilities make Tripwire an excellent tool
for system administrators seeking both intrusion detection and damage
assessment for their servers.
Tripwire works by comparing files and directories against a database of
file locations, dates they were modified and other data. This database
contains baselines — which are snapshots of specified files and directories
at a specific point in time. The contents of the baseline database should be
generated before the system is at risk of intrusion, meaning before it is
connected to the network. After creating the baseline database, Tripwire
compares the current system to the baseline and reports any modifications,
additions, or deletions.
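The baseline-and-compare cycle described above, as an added example that is not Tripwire's own code. It snapshots a constructed directory tree (hash and size per file), simulates a break-in, and reports exactly the three classes of change the text names; the file names and contents are constructed for the example:

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Walk `root` and record (sha256, size) for every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (digest, os.path.getsize(path))
    return baseline

def compare(baseline, current):
    """Report files added, modified or deleted since the baseline snapshot was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }

def write(root, rel, data):
    """Helper for the constructed scenario: create `rel` under `root` with `data`."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a small tree, simulate a break-in, report the changes."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/motd", b"Welcome\n")
        write(root, "www/index.html", b"<h1>Our site</h1>\n")
        baseline = snapshot(root)  # taken while the system is still trusted, before exposure
        # Simulated intrusion: a defaced page, a dropped file, and a removed file.
        write(root, "www/index.html", b"<h1>defaced</h1>\n")
        write(root, "etc/backdoor", b"\x7fELF constructed placeholder\n")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(baseline, snapshot(root))
```

The baseline itself must be stored where an intruder with root cannot rewrite it (read-only media or an offline copy), otherwise the comparison proves nothing.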
The following flowchart illustrates how Tripwire works: [flowchart not reproduced here]
Source: www.RedHat.com
FAQs on TripWire for Servers:
http://www.tripwire.com/products/servers/faqs.cfm
b). eEye Blink - www.eeye.com
c). Symantec Host IDS - www.symantec.com
3. Intrusion Prevention/Protection
Open Source IPS
a). Lak-IPS
Commercial IPS
b). ISS Preventia - www.iss.net
c). ForeScout Active Scout - www.forescout.com
d). Netscreen IDP - www.netscreen.com
e). McAfee IntruShield - www.networkassociates.com
f). Cisco Systems http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml