Basic Intrusion Detection Information

WhitepaperSteve Lodin<Steven.Lodin@>October 1998Intrusion Detection Product Evaluation CriteriaAbstractIntrusion detection systems (also known as ID systems or IDS for short) are one of the latest security tools in the battle against hackers. The intrusion detection marketplace is extremely dynamic currently, new products being introduced and smaller, single product security companies being purchased by bigger security companies with the aspiration to provide full range security solutions. Current intrusion detection systems provide information about attempted and successful attacks, and can even perform limited counterattacks.This whitepaper provides basic intrusion detection information such as intrusion classification and intrusion detection system taxonomy. It then provides a categorized list of criteria that can be used to evaluate potential intrusion detection systems for selection and implementation. Finally, a method for employing these criteria is presented. Basic Intrusion Detection InformationWhat Is An Intrusion?An intrusion can be defined as:any set of actions that attempts to compromise the integrity, confidentiality or availability ofa resource.Another definition for an intrusion is:the act of a person or proxy attempting to break into or misuse your system in violation ofan established policy.Intrusions are typically categorized into two main classes:• Misuse intrusions are well-defined attacks against known system vulnerabilities. They can be detected by watching for specific actions being performed on specific objects.• Anomaly intrusions are based on activities that are deviations from normal system usage patterns. They are detected by building a profile of the system or users being monitored, and detecting significant deviations from this profile.Potential intruders are categorized into two types:• Outside Intruders - This is the most publicized form of intruder and receives the bulk of attention during security implementations. Typical terms used to identify outside intruders are hacker and cracker. The mainstream media is greatly responsible for the heightened perception of this threat.• Inside Intruders - Studies by the Computer Security Institute in conjunction with the FBI have revealed that most intrusions and attacks come from within an organization and result from an authorized user maliciously invoking an authorized process or by manipulating a known vulnerability. This type of intrusion has the potential for causing the greatest damage to the organization. Think about it -- an insider already knows the layout of your system, where the valuable data is and what security mechanisms are in place.So despite the fact that most security measures are put in place to protect the inside from a malevolent outside world, historically most intrusion attempts actually occurred from within an organization. The trend in attacks has been toward more external and less internal to the point where they are about equal in percentage. A mechanism is needed to detect both types of intrusions -- a break-in attempt from the outside and a knowledgeable insider attack. An effective intrusion detection system detects both types of attacks.With the advent of extranets and the proliferation of business partner network connections, the distinction between inside and outside is blurred. The network classification has become private, semi-private, and public. The semi-private network, usually called the extranet, will present the biggest challenge in developing effective barriers and providing effective intrusion management solutions.The activity of intrusion detection is only one part of the information protection process. The detection activity occurs after the risks, vulnerabilities and threats have been identified and analyzed and after the prevention, mitigation, and safeguard controls have been analyzed and implemented. After detection occurs, the response and recovery activities take place. It is imperative that the intrusion detection system selected detect the activities identified by the risk, vulnerability and threat assessment as “interesting or important” and provide the necessary linkages with the response and recovery processes.How Are Intrusions Detected?An intrusion detection system, or IDS, attempts to detect an intruder breaking into your system or a legitimate user misusing system resources. The IDS will run constantly on your system or network, working away in the background, and only notifying you when it detects something it considers suspicious, anomalous or illegal. Whether or not you appreciate that notification depends on how well you've configured your intrusion detection system!Providing complete coverage is a key problem for ID systems. They can provide either host- or network-based monitoring. Network-based detection systems utilize remote monitoring-like sensors on the wire that watch for attack signatures in packets coming into the network. However, this approach leaves the system vulnerable to internal attack. Internal attacks that avoid network-based detection systems typically occur by users on the console or serially attached terminals. In these situations, there are no network packets to inspect and evaluate. Host-based systems use intelligent agents on key servers to sift through system logs for known signatures. Usually this means an attacker has already entered the network and pilfered data on the servers where the agents are deployed.Not surprisingly, Internet connections are becoming the primary point of network attack. The Internet was the source of 54% of attacks on networks reported by 520 IS security managers, according to the March 1998 Computer Security Institute/FBI Computer Crimes Survey.F or this reason, many IS departments choose network-based ID systems. Typically set up at a switch or router on the network between the Internet and the firewall (commonly referred to as the demilitarized zone or DMZ), these systems listen to network traffic and send alerts when they read packets containing known attack signatures. Sometimes, they can even take automatic action such as terminating TCP connections. When used in conjunction with network components, the automated response to Denial of Services attacks (such as the Syn Flood attack) can be configured to adjust the router configuration file on the fly thereby blocking the Denial of Service attack at the ingress router. More interesting “strikeback” concepts are possible, including pure information gathering (e.g., running finger or ident on the attacker) to active reverse Denial of Service (e.g., sending a Syn Flood, Land, Ping O’ Death, etc.) to shut down the attacker.Network Associates' CyberCop, Cisco Systems' NetRanger (formerly sold by WheelGroup), Harris Corporation’s Stake Out, Internet Security Systems' RealSecure, Netect's Netective, AbirNet's SessionWall-3, Internet Tools' ID-Trak, Touch Technologies’ INTOUCH INSA, and MimeStar's SecureNet Pro all take this approach. With some variations, these systems are sold as consoles, along with sensors that are priced separately.Internal breaches still make up a significant portion of attacks-44%, according to the Computer Security Institute/FBI survey, which emphasizes the need for detecting intrusions on the machines inside the network as well as the perimeter. SAIC’s Computer Misuse Detection System, Axent Technologies’ Intruder Alert, and Security Dynamics’(formerly Intrusion Detection) Kane Security Monitor are examples of host-based ID systems.Instead of reading packet headers over the wire, host-based detection systems push "intelligent agents" out to each system needing protection and capture audit data generated by operating systems. A manager-agent device would interpret all the audit trails and manage the data in a way that the administrator would know what to do immediately. This functionality makes it easier to monitor security based on compliance with security-management policies. Intrusion detection, combined with policy enforcement, looks for anomalies. These systems could be used to flagemployee activity outside the norm. However, the current state of development of anomaly detection systems is still fundamentally based in academia with research into statistics among other things.Analyzing commercial intrusion detection products is best done by systematically finding answers to a long series of questions. The process helps a security practitioner consider products objectively and choose those that are best for the security problem at hand. A suggested list of criteria follows, grouped according to information category. Market DynamicsA s shown in the product names listed previously, many of the current products originated with one company, but are now products of a different company. Stalker, the host-based product from Network Associates, was originally developed by Steve Smaha at Haystack Labs. Haystack was purchased by Trusted Information Systems, who was in turn recently purchased by Network Associates and is now known as the TIS Labs division of Network Associates. NetRanger was originally developed by WheelGroup who was purchased by Cisco. Why is this important? As the security industry consolidates, product ownership will continue to change, and even product names will change. This is significant because product origination and history are important to the viability of an ID product. Don’t discount a “new” product out of hand because it might have recently been purchased and re-badged with a new name.An additional factor in the market dynamics is the introduction of new products. There are two forces at work here. First, is the introduction of new products that are the result of academic work. Tripwire by Tripwire Security Systems (formerly Visual Computing Corporation) is a good example of this. Tripwire was available for free for many years by Purdue University. They recently licensed the Tripwire intellectual property to Tripwire Security Systems and a commercial product was recently made available with bug fixes, an expanded set of supported platforms, and commercial support. The other force is the introduction of new products by newcomers to the security market. Many forecasting reports from companies such as the Gartner Group and others indicate huge growth in the intrusion detection market and many companies are trying to take advantage of this. Why is this important? A security review of products today may not reflect the current marketplace when you are performing a product selection.IDS Product Evaluation CriteriaGeneral Characteristics of a Good Intrusion Detection SystemAn intrusion detection system should address the following issues, regardless of what mechanism it is based on:• It should support, not interfere with the security policies and the business operations of the organization.• It must run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box". That is, its internal workings should be examinable from outside.• It must be fault tolerant in the sense that it must survive a system crash and not have its knowledge-base rebuilt at restart. Typically, this is accomplished by journalling in combination with other fault tolerant features.• On a similar note to above, it must resist subversion. The intrusion detection system should monitor itself to ensure that it has not been subverted.• It must impose minimal overhead on the system. It must keep pace with the information (logs or network traffic) it is monitoring. In host-based situations, a system that slows a computer to a crawl will simply not be used. In network-based situations, a system that drops packets will also not be used.• It must observe deviations from normal activity.• It must be easily customized to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.• It must cope with changing system behavior over time as new applications are being added. The system profile will change over time, and the IDS must be able to adapt.• Finally, it must be difficult to fool even with full knowledge of internal workings by attackers.IdentificationThis section denotes criteria about the product identifying characteristics. This information can usually be found in product literature or the product web pages.• Manufacturer and vendor• Product version number• Type of ID mechanism employed - host-based ornetwork-based?• Does it monitor logs or network packets or both?• Available as standalone or client/server(console/probe)?• Available as hardware, software, or both?Documentation and SupportProper configuration is extremely important to the effectiveness of the IDS. This section identifies information about the product documentation and support mechanisms.• Comprehensive, clear, concise, and well organizedproduct documentation• Tutorial or manual style or both• Electronic and paper available• Available product training• Training included in the purchase price of the product • Training provided by the manufacturer or by consultants• Technical support available (how qualified is the support, and at what hours is it available)• Technical support accuracy, effectiveness and promptness• Are technical support or service contracts included in the purchase price?FunctionalityThis section identifies criteria about the functionality including product features, integration capabilities and technical specifications.• Product integration with existing systems• Plug and-play, or does it require an extensive setupand adjustment to work well with existing systems?• Compatible or supported software platforms, such as operating systems (UNIX, NT, OS/2, proprietary)• Can the product be readily integrated with other IDS or firewall services and support tools?• How does the product interact with other IDS or firewall products?• Possible, supported, or required local network topologies (Internet/intranet, demilitarized zones,virtual private networks, network address translation)• Base for the management agent (http, Telnet, SNMP, DECnet, or remote serial terminal)• Management protocols supported (SNMP, SNMPv3, proprietary, Out Of Band)• Enterprise management platforms the product interacts/integrates with (HP OpenView, Solstice SunNet Manager, Tivoli NetView)• Supported physical network topologies (Ethernet, Fast Ethernet, token ring, asynchronous transfermode, FDDI)• Is the product available as an open source system (source code included in its distribution)?• What are the application programmer interfaces (APIs) and how extensible are they?• Integration with vulnerability scanning tools• User and system transparency• Network protocols supported (IP, IPX, Appletalk, XNS, SNA, and X.25)• Does the product run as root or require kernel modifications to install and operate?• List of applications monitored (Web, SAP, etc.)• Will intrusion detection still continue if themanagement console is disconnected, disabled, orexperiences a denial of service?Reporting and AuditingCriteria related to reporting and auditing features and functionality are identified in this section.• Flexible, extensible, and configurable reporting mechanisms • Available in per-user, per-host, per-site, and per-service formats?• Can the data be exported to external databases?• Available reports (usage, operation, incident,summary)• Real-time notification possible (e-mail, SNMP traps, or paging)• Audit media are supported (hard copy, write-once/read-multiple (WORM) drives, remote logging)• Audit analysis tools available or included• Software for generating and individualizing reportsavailable or included• What is the percentage of false positives?• What is the percentage of missed attacks (falsenegatives)?Detection and ResponsesThe criteria that describe the product’s detection and response mechanisms are listed in this section. The list of attacks detected is not meant to be comprehensive.• Network-based attack scenarios protected against (address spoofing, sequence number prediction,session hijacking, fragmentation, source routing,spoofed naming-service (such as DNS) packets,spoofed routing packets, spoofed control packets, port scanning, “Christmas tree” packets, and/orspoofed multicast and broadcast packets)• Counterattack or counterintelligence capability offered, such as information gathering about theapparent origin sites of malicious packets or router configuration• Fault tolerance capability of the product or architecture • Behavior under adverse conditions (heavy loads and congestion, after a power failure, and during boottime)• Data content recognition (viruses, executable code, Java script or ActiveX code, or mail attachments)• Congestion control or traffic management mechanisms• Are there different levels of alerts and are they administrator configurable?• How does it alert about suspicious activity (pages, e-mails, SNMP traps, console messages)?Security AdministrationCriteria about the administration of the product and security mechanism employed to enhance the security of the administration process are detailed in this section.• How secure and flexible is administrative access tothe IDS product?• Does the product provide encryption?• Delay introduced by encryption• Encryption of administrative dial-up connectionsprovided• Administrator-to-console encryption• Available encryption algorithms and key lengths• Key-exchange protocol and frequency of key exchange (compliant with the IPSec protocolsdeveloped by the IP Security Working Group of the Internet Engineering Task Force (IETF) such asISAKMP/Oakley or Internet Key Exchange (IKE))• Authentication mechanisms support (Bellcore S/Key, Security Dynamics SecurID, Digital PathwaysSecureNet Key, CryptoCard RB-1, or Enigma LogicSafeWord)• Encryption of traffic between the probes and the console • Can the administration separate management tasks and delegate roles?• Support for multiple management consoles• Automated integrity checks• How does the product appear to the external network (is it network-addressable, or are there no mechanisms for accessing it and attacking it overthe network)• Bandwidth or aggregate throughput, as measured by its packet-monitoring rate or event monitoring rate• Performance benchmarks available fromindependent testing laboratories• Load and network bandwidth balancing features• Is it easy to specify and implement a filtering policy?• Filters supported (protocols, addresses, services,and user-defined patterns)Implementation and Life Cycle SupportInformation about the installation and maintenance criteria of the product are listed in this section.• Installation requirements (processor, RAM, harddisk)• Third-party code required• Prerequisite software (network management, operating systems, database)• Prerequisite hardware (routers, hosts, electric power, network interfaces)• Will any existing routers or hosts have to bereplaced or augmented?• Ease of installation for hardware and/or software• Default settings (detection services enabled or disabled, logging enabled or disabled, alertingmechanisms)• Does the vendor provide quick fixes for product related security issues?• Upgrade schedule for the product (periodic or ad-hoc)• Signature upgrade schedule (periodic or ad-hoc)• Upgrade distribution mechanism (tapes, diskettes, on-line)• Are updates or signatures encrypted or digitally signed?Deployment IssuesCriteria related to deployment issues are listed in this section.• Number of probes or agents required• Placement of the probes or agents• Scalability requirements for the enterprise• Number of probes or agents per managementconsoleFuzzy IssuesThere are some non-quantifiable aspects of ID systems that might need to be considered when selecting a product. These questions identify some of these criteria.• Is the vendor already on the corporate-approved buying list?• What is the viability of the company selling and/or supporting the product?• Does the product integrate with existing security solutions already in place at the client?• Is the product’s primary platform one that is supported in client organization?• What is the history of the product and how long has it been commercially available?• Does the product have the ability to effectively map to the organizational security policy requirements?Bottom Line ConsiderationsLast, but certainly not least, criterion about the product cost is gathered in this section.• What is the price tag for the hardware, software, extra equipment, installation and migration, training (basic and advanced), service contracts, andongoing administration?• What corporate or quantity discounts can be applied to the purchase?• How many FTEs are required to support thesystem?• What benefits does the product’s warranty provide?Applying the criteriaThere are obviously many different ways to apply the above criteria to help in the selection of an intrusion detection system.The following methodology described below and shown in Figure 1 is presented as an example.To begin the methodology, an organization somehow recognizes the need to investigate the benefits of an intrusion detection system. This could be just a step in the growth and development of the information protection program, or it could be a sudden trigger event such as the installation of a new system or network connection that requires greater security and monitoring. It could even be triggered by a serious intrusion incident. In any event,the need or requirement surfaces.Once the need has been identified, the next step the security practitioner should employ is requirements gathering. This step is usually overlooked or poorly performed. The more formal the method utilized in this step, the more accurate the data gathered and the more effective the solution will be at meeting the needs.Here the practitioner needs to determine answers to the questions what, where, how, why, and how much.If the intrusion detection system is protecting a single host or a small network, the owner of the host or network should be able to provide some of the answers to those questions as well as the organizational security policy and procedures. In the case where the intrusion detection system is protecting an entire corporate network or campus network, trying to determine the answers to those questions leads to confusion and political infighting. In this case, one of the key characteristics of the chosen product should be flexibility.More than likely, the requirements gathering phase will not uncover all the requirements independently. It issuggested to take the list of criteria developed in this whitepaper and use it to prompt the system or network owner.Formally documenting the requirements in this phase provides benefits in the future. Since the implementation of an intrusion detection system is (or should be) a continuous process with an associated life cycle, the list of requirements can be reused when reassessing the intrusion detection system.Once the requirements have been gathered, the list can be overlaid against the list of criteria listed above. The result will be a list of criteria important to the organization that can be used to evaluate the potential solutions in the marketplace. This list can be categorized and weighted to help determine the ranking of the criteria in terms ofimportance to the organization. This scheme is commonly employed by the industry trade magazines in their product evaluations. An example vulnerability scanning tool product evaluation from Network Computing is shown in Figure 2.At this point, a list of potential products can be developed. Possible methods for accomplishing this include searching the web, reviewing some of the web sites listed in the References section, or searching the Computer Security Institute Security Product Buyers Guide. Once the list of potential candidates is developed, then each of thecandidates can be evaluated against the list of criteria. This will provide a rating for each of the candidates that can be used in the final selection. The process of selecting a final IDS should include developing a set of intrusion test scenarios important to the organization and evaluating the response to those scenarios by a small set of IDS product evaluation lab configurations.Figure 1: Flowchart for applying IDS productselection criteriaAfter selecting and implementing an intrusion detection system, the system should be periodically reassessed. All criteria from the initial selection that are still valid should be reviewed, including technical merits, corporate direction,vendor responsiveness, and effectiveness of security. The traditional way to determine effectiveness of security is to measure the number of intrusions detected. This metric,however, doesn’t really tell the whole story because inintrusion detection, it’s not so much catching what you know as it is catching what you don’t already know. Perhaps a better metric is the efficiency of the vendor at providingeffective solutions to the latest bugs and exploits. If a vendor can provide a solution to you in one week from time of public announcement, then your exposure to the vulnerability without detection is only one week. The quicker the vendor can provide a solution, the better protected you are and the more effective your intrusion detection system is for your organization.IDS Vulnerabilities and System SelectionIntrusion detection systems are not perfect. As described inthe whitepaper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Network Associates (formerly Secure Networks, Inc.) network-based detection systems can be fooled (or foiled) by sophisticated packet manipulation attacks leaving the supposedly protected hosts and networks vulnerable. The authors describesituations in which the IDS either fails to properly recognize an attack (by inserting extraneous or invalid packets) or fails to work due to a denial of service attack (which puts the IDS in a “fail-open” state). One possible response to the insertion or evasion attacks is to closely match the OS or TCP/IP stack of the intrusion detection system and the host(s) being protected. For example, this might require an NT-based IDS to protect NT servers. Another possible response is to locate the IDS probe or agent as close as possible in terms of network topology to the host being protected.The denial of service (DoS) attacks take two forms, traditional DoS attacks executed against hosts and resource exhaustion attacks. In response to the traditional DoS attacks, having a very responsive vendor is critical tomaintaining the effectiveness and availability of the IDS. Resource exhaustion attacks are more difficult to respond to since they will typically require more memory (to support larger buffers) and/or more processing power (to process packets and content faster). When selecting a system, processing power and RAM will be important characteristics.While the vulnerabilities outlined demonstrate serious issues with the capabilities of network-based detectionsystems, exploiting these vulnerabilities requires sophisticated tools and techniques much more advanced than the current set of point and click hacker tools. However, with the ease of worldwide distribution, via IRC channels, web sites, and mailing lists, only one knowledgeable hacker is necessary to create a GUI attack tool that any hacker wannabe can use. Many of these attacks also require insider knowledge and/or insider access that minimizes the vulnerability of attack from the outside. The onus to address these attacks lies primarily with the IDS vendors. As a result of the SNI whitepaper, the important lessons to the security practitioner are:• Trust, but verify.• The most effective security is security in layers. Think of intrusion detection as just one of those layers.These statements can be summarized by stressing that an intrusion detection system is only as good as the data it receives. How much trust can you place in the validity of the data sources feeding the IDS? It should also bestressed that intrusion detection is a complementary technology with existing security tools and techniques. It doesFigure 2: Example Product Evaluation from NetworkComputing。