Intrusion Detection Systems (IDS)

An IDS is a computer security system that detects misuse of, attacks against, or compromise of computers connected to a network. It operates by passively examining network packets as they travel over the wire and alerting administrators when it sees something unusual or malicious. An IDS monitors packets on the network wire and attempts to discover whether a hacker/cracker is trying to break into a system (or cause a denial-of-service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering whether someone is attempting a TCP port scan.

IDS Models

Classification of IDS essentially falls under two models: the misuse or signature-based model and the anomaly model.

The misuse or signature-based model is the most widely used IDS model. Signatures are patterns that identify attacks by checking various fields in the packet, such as source address, destination address, source and destination ports, flags, payload and other options. The collection of these signatures composes a knowledge base that the IDS uses to compare every packet that passes by and check whether it matches a known pattern.

The anomaly model tries to identify new attacks by analyzing strange behaviors in the network. To make this possible, it first has to "learn" how traffic on the network normally behaves, and later tries to identify deviating patterns and then sends some kind of alert to the sensor or console. IDS built on this model have a higher tendency to raise false alarms, as they are often suspicious of all network behavior, whether malicious or legitimate.

IDS in Common Use

1. Network Intrusion Detection Systems (NIDS)

Open Source NIDS

a). Snort – www.snort.org
It is the most popular Open Source IDS in use today. It supports both Unix and Windows systems. It works by examining the traffic entering the network, typically the VLANs that connect the servers to the NACIO Netsource Center. It compares the traffic to a database of known attack signatures and abnormal behaviors and generates an alert when it detects an intrusion. Because of its popular use, signatures for new types of intrusions and exploits are added to the database as quickly as they appear.

b). Bro – www.icir.org
Bro is an intrusion detection system that works by passively watching traffic seen on a network link. It is built around an event engine that pieces network packets into events that reflect different types of activity. Some events are quite low-level, such as the monitor seeing a connection attempt; some are specific to a particular network protocol, such as an FTP request or reply; and some reflect fairly high-level notions, such as a user having successfully authenticated during a login session. Bro runs the events produced by the event engine through a policy script, which the Bro administrator supplies, though in general this is done by using large portions of the scripts ("analyzers") that come with the Bro distribution.

Commercial NIDS

a). ISS RealSecure Network Sensor – www.iss.net
It is a more efficient, automated, real-time intrusion protection system for computer networks and hosts. RealSecure provides unobtrusive, continuous surveillance for intercepting and responding to security breaches and network abuse before systems are compromised. As the central component of the RealSecure Protection System, RealSecure provides effective intrusion protection solutions by offering diversified sensors and management consoles. RealSecure Network Sensor runs on a dedicated system that monitors network traffic for attack signatures, definitive identifiers that an intrusion is underway. Attack recognition, incident response, and intrusion prevention occur immediately, with full customization of signatures and response capabilities.
RealSecure SiteProtector's integrated environment enables creation of shared custom group structures for monitoring intrusion activity, vulnerability assessment or in-depth analysis of ongoing security activity. Event prioritization and correlation enable real-time attack and misuse tracking. SiteProtector's interface helps administrators work more efficiently through flexible views built around asset grouping and event aggregation, allowing a single operator to easily process large numbers of events. Powerful filters screen for event exceptions and false alerts. In addition, SiteProtector automates RealSecure Protection System deployment and enables multiple-site management via secure remote administration. Security administrators gain the ability to operate, administer and monitor security systems remotely, including via high-speed cable modem connectivity. This comprehensive information protection environment reduces the total cost of ownership compared to other security management solutions.

b). Intrusions Inc. Secure Net Sensor – www.intrusions.com

2. Host Intrusion Detection Systems (HIDS)

Open Source HIDS

a). LIDS – www.lids.org
LIDS stands for Linux Intrusion Detection System. It is a project that tries to give Linux some extra security features, deployed as kernel patches, which include file and process protection and port-scan detection. File and process protection guards even against changes by the root superuser. This is very useful because when a cracker exploits a bug in the system, such as a buffer overflow, that person gains root access, which permits him or her to do almost anything, such as install rootkits, change logs, erase HTML pages, etc. The implementation can be done easily using Access Control Lists to control files, including passwords to access/change them, preventing changes by unauthorized users, even root. The same applies to processes, because it protects the system from altered binaries/daemons. Another good feature is that it offers a port-scan detector in kernel space.

b). AIDE – www.cs.tut.fi/~rammer/aide.html

Commercial HIDS

a). Tripwire – www.tripwire.com
Tripwire data integrity assurance software monitors the reliability of critical system files and directories by identifying changes made to them. It does this through an automated verification regimen run at regular intervals. If Tripwire detects that a monitored file has been changed, it notifies the system administrator via email. Because Tripwire can positively identify files that have been added, modified, or deleted, it can speed recovery from a break-in by keeping the number of files that must be restored to a minimum. These abilities make Tripwire an excellent tool for system administrators seeking both intrusion detection and damage assessment for their servers.

Tripwire works by comparing files and directories against a database of file locations, the dates they were modified and other data. This database contains baselines, which are snapshots of specified files and directories at a specific point in time. The contents of the baseline database should be generated before the system is at risk of intrusion, meaning before it is connected to the network. After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.

[Flowchart: how Tripwire works. Source: www.RedHat.com]

FAQs on Tripwire for Servers: http://www.tripwire.com/products/servers/faqs.cfm

b). eEye Blink – www.eeye.com
c). Symantec Host IDS – www.symantec.com

3. Intrusion Prevention/Protection Systems (IPS)

Open Source IPS

a). Lak-IPS

Commercial IPS

b). ISS Proventia – www.iss.net
c). ForeScout ActiveScout – www.forescout.com
d). NetScreen IDP – www.netscreen.com
e). McAfee IntruShield – www.networkassociates.com
f). Cisco Systems – http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml
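The baseline-and-compare procedure described under Tripwire above, written out as an added example (not Tripwire's code or the page's own): a small integrity checker that fingerprints every regular file under a directory (SHA-256, size, permission bits), takes a baseline while the tree is still trusted, and reports additions, modifications and deletions. The sample file tree and the simulated post-intrusion changes are constructed inside demo().

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Content hash plus size and permission bits: the attributes an
    integrity checker compares. A bare mtime check is not enough, since
    timestamps are trivially reset."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root):
    """Snapshot every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Report what changed since the baseline: added, modified, deleted."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: baseline a tiny server tree before exposure,
    then simulate a defaced page, an erased log and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "html").mkdir()
        (r / "html" / "index.html").write_text("<h1>welcome</h1>")
        (r / "auth.log").write_text("login ok\n")
        (r / "sbin_sshd").write_bytes(b"\x7fELF constructed, not a real binary")
        baseline = build_baseline(r)             # taken while still trusted
        (r / "html" / "index.html").write_text("<h1>defaced</h1>")  # modified
        (r / "auth.log").unlink()                                   # deleted
        (r / "html" / "dropped.php").write_text("constructed")      # added
        return compare_to_baseline(baseline, build_baseline(r))
```

In a real deployment the baseline would be written to storage the monitored host cannot alter (read-only media or a remote system), since a baseline kept on the same disk can be rewritten by whoever has root.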
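The SYN port-scan heuristic given in the introduction (many TCP connection requests to many different ports on one target) as a sliding-window detector over constructed connection records. This is an added example, not code from the page or from any of the products listed; the 10-second window and 8-port threshold are assumed tuning values.

```python
from collections import defaultdict, deque

# Constructed sample of TCP connection-request (SYN) records, in time order:
# (timestamp_seconds, src_ip, dst_ip, dst_port). Not from a real capture.
SYN_RECORDS = [
    (0.0,  "10.0.0.5", "192.0.2.10", 80),    # normal web client
    (0.4,  "10.0.0.5", "192.0.2.10", 443),
    (1.0,  "10.0.0.7", "192.0.2.10", 22),    # rapid sweep of many ports
    (1.1,  "10.0.0.7", "192.0.2.10", 23),
    (1.2,  "10.0.0.7", "192.0.2.10", 25),
    (1.3,  "10.0.0.7", "192.0.2.10", 80),
    (1.4,  "10.0.0.7", "192.0.2.10", 110),
    (1.5,  "10.0.0.7", "192.0.2.10", 139),
    (1.6,  "10.0.0.7", "192.0.2.10", 443),
    (1.7,  "10.0.0.7", "192.0.2.10", 445),
    (1.8,  "10.0.0.7", "192.0.2.10", 3389),
    (1.9,  "10.0.0.7", "192.0.2.10", 8080),
    (30.0, "10.0.0.5", "192.0.2.10", 80),    # same client, much later
    (31.0, "10.0.0.5", "192.0.2.10", 443),
]


def detect_port_scans(records, window_seconds=10.0, port_threshold=8):
    """Return one alert per (src, dst) pair whose SYNs hit at least
    `port_threshold` distinct destination ports within `window_seconds`.
    Thresholds are assumed tuning values; records must be time-ordered,
    as a passive sensor would see them on the wire."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (ts, dport)
    alerted = set()                  # pairs already reported
    alerts = []
    for ts, src, dst, dport in records:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        # Expire SYNs that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)         # one alert per scanner/target pair
            alerts.append({
                "src": src, "dst": dst,
                "ports": sorted(distinct_ports),
                "first_seen": q[0][0], "last_seen": ts,
            })
    return alerts
```

The alert fires the moment the eighth distinct port is seen, so the reported port list is what the sensor knew at that instant, not the full sweep; lowering the threshold or widening the window trades earlier detection for more false alarms, which is the tuning problem the anomaly-model discussion above refers to.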