|
This is the second of two articles intended to introduce readers to some IDS terminology,
some of it basic and relatively common, some of it somewhat more obscure. (To see the
first article, please click here.) As a result of the speed of growth of
IDSs, and the marketing prowess of some IDS vendors, come confusion has arisen about the
proper meaning of certain terms: the same term may be used by different vendors to mean
different things. Wherever possible, I have tried to include all terms except where I
consider usage of the term to be inaccurate or misleading. This is a living document: if
I'm missing any terms or you wish to discuss my interpretation please don't hesitate to
contact me.
IDS Categories
Although we tend to talk about IDSs as though they are one thing, there are actually many
different types of IDS. The following is a list of the various types of IDS, and a brief
explanation of what differentiates them from other types.
IDS Category: Application IDS
Application IDSs are aware of the intrusion signatures for specific
applications, usually the more vulnerable applications such as webservers,
databases etc. However, many of the host-based IDSs that ordinarily look at
operating systems, are becoming more application-aware. Many of the host-based
IDSs that aren't application-aware by default can be trained to become so.
For example, KSE (a host-based IDS) tells you everything that is going on from the
event logs, including output from the event log reporting applications.
Most of these events can be filtered by the operator because they have no
security relevance, but those events with a security significance, such as
viruses or failed access can be given a higher priority.
One example of an application-specific IDS is Entercept Web Server
Edition.
IDS Category: Consoles
In order to make an IDS suitable for the corporate environment, the
dispersed IDS agents need to report to a central console. These days many
central consoles will also accept data from other sources, such as other
vendors' IDSs, firewalls, routers etc. This information can be correlated
to present a more complete attack picture. Some consoles will also add
their own attack signatures to those supplied at agent level. Many
consoles provide the facility of remotely administering the IDS.
Examples include Intellitactics Network Security Monitor and Open
Esecurity Platform.
IDS Category: File Integrity Checkers
When a system is compromised an attacker, it will often alter certain key
files to provide continued access and prevent detection. By applying a
message digest (cryptographic hash) to key files, the files can be checked
periodically to see if they have been altered, thus providing a degree of
assurance. Upon detecting such a change, the file integrity checker will
trigger an alert. The same process can be employed by a system
administrator after being successfully attacked, allowing him/her to
ascertain the extent to which the system has been compromised.
Previously, file integrity checkers detected intrusions long after the
event; however, more products have recently been emerging that check files
as they are accessed, thereby introducing a near real time IDS element.
Examples include Tripwire and Intact.
IDS Category: Honeypots
As mentioned in the first
article in this series, a honeypot is a system
that can simulate one or many vulnerable hosts, providing an easy target
for the hacker to attack. The honeypot should have no other role to fill;
therefore, all connection attempts should be deemed suspicious. Another
purpose is delay: the attacker wastes time on the honeypot while the
original entry hole is secured, leaving the truly valuable assets alone.
Although one of the initial purposes of honeypots was to gather evidence for the
prosecution of malicious hackers, there is much talk of entrapment when deploying
honeypots; however, does the vulnerability of the honeypot give the hacker the right to
attack it? In order to reach the honeypot an attacker would have had to circumvent at
least one bonafide security device provided the honeypot is inside your network. In some
countries law enforcement agencies cannot prosecute using evidence from a honeypot.
Examples of honeypots include Mantrap and Sting.
IDS Category: Host-based IDS
This kind of IDS monitors sys/event logs from
multiple sources for suspicious activity. Host-based IDSs (also known as host IDS) are
best placed to detect computer misuse from trusted insiders and those who have
infiltrated your network evading traditional methods of detection. What I've just
described is really an event log viewer (with attitude). A true host IDS will apply
some signature analysis across multiple events/logs and/or time. Many will also
incorporate heuristics into the product. Some will introduce an added benefit: because
they operate at near real time, system faults are often detected quickly, this makes them
popular with techies as well as security personnel. The term host-based IDS has been
applied to any kind of IDS sitting on a workstation/server. Vendors have tried this for
various products from Network Node IDS to File Integrity Checkers, while I can understand
their logic, this can be misleading to the buyer.
Examples include Kane Secure Enterprise and Dragon Squire.
IDS Category: Hybrid IDS
Modern switched networks have created a problem for intrusion detection operators. By
default, switched networks don't allow network interface cards to fully operate in a
promiscuous fashion (although some allow spanning ports or link mode Terminal Access
Points (TAPs), whereby a certain TAP will see the traffic on all other TAPs.) However,
some switches will not allow it at all, making the installation of a traditional network
IDS difficult. Furthermore, high network speeds mean that many of the packets may be
dropped by a NIDS. A solution has arisen in the form of Hybrid IDSs, which takes
delegation of IDS to host one stage further, combining Network Node IDS and Host IDS in a
single package. In my experience, while this solution gives maximum coverage,
consideration should be given to the amount of data and cost that may result. Many
networks reserve hybrid IDS for critical servers.
Some vendors refer to any IDS that fills more than one role as being
Hybrid IDS; however, I feel this is more out of marketing greed than
genuine honesty. The term "Hybrid IDS" was flavor of the month circa
mid-2000 and many vendors wanted to jump on the bandwagon.
Examples of hybrid IDS include CentraxICE and RealSecure Server Sensor.
IDS Category: Network IDS (NIDS)
Monitors all network traffic passing on the segment where the agent is
installed, reacting to suspicious anomaly or signature-based activity.
Traditionally these were promiscuous packet sniffers with IDS filters,
though these days they have to be far more intelligent, decoding protocols
and maintaining state etc. They come in the guise of appliance-based
products that you just plug in to software that can be installed on off-the- shelf
computers. They analyze every packet for attack signatures,
though under network load many will start to drop packets.
Many Network IDS have the facility to respond to attacks, which was covered under
'Automated Response' in part
1. There was some hype in late 2000 about how Network IDS had seen its day pass due
to high speeds and switched networks, but some Network IDS can cope with gigabit speeds
with minimal dropped packets, and switched networks can be overcome with spanning ports
or TAPs such as those supplied by Shomiti.
Examples of Network IDS include SecureNetPro and Snort.
IDS Category: Network Node IDS (NNIDS)
Switched and/or high-speed networks have brought with them a problem: some
Network IDS are unreliable at high speeds, when loaded they can drop a
high percentage of the network packets. Switched networks often prevent a
network IDS from seeing passing packets promiscuously. Network Node IDSs
delegate the network IDS function down to individual hosts, alleviating the
problems of both high speeds and switching.
While Network Node IDSs are closely related to personal firewalls, there are differences.
For a personal firewall to be classed as an NNIDS, event analysis would have to be
applied to the attempted connections. For instance, rather than "attempted connection to
port *****" as you find on many personal firewalls, a NNIDS should identify a "whatever"
probe, applying a signature for the "whatever" attack. A NNIDS would also pass events
received at the host to a central console. Despite these differences, I suspect that many
personal firewall vendors will start to push their products as NNIDS.
Examples of an NNIDS include BlackICE Agent and Tiny CMDS.
IDS Category: Personal Firewall
Personal firewalls sit on individual systems and prevent unwanted
connections, incoming or outgoing. While not infallible, they are very
effective in protecting hosts from attack. Not to be confused with Network
Node IDS.
Examples include ZoneAlarm and Sybergen.
IDS Category: Target-Based IDS
This is one of those ambiguous IDS terms, which means different things to different
people. One definition may refer to them being File Integrity Checkers, while an
alternative is a network IDS that only looks for signatures of attacks to which the
protected network may be vulnerable. The objective of the latter definition is to speed
up the IDS by not looking for unnecessary attacks. Personally, I want to know about
every attack regardless of its chance of success. My point of view is that
because the term has meant very different things, it's use should be avoided for a few
years - in effect, quarantining the term to avoid confusion.
Intrusion
Detection Working Group (IDWG)
The purpose of the Intrusion Detection Working Group is to define data
formats and exchange procedures for sharing information of interest to
intrusion detection systems and response systems, and to management systems which
may need to interact with them. The Intrusion Detection Working Group will
coordinate its efforts with other IETF
working groups.
Incident Handling
Detecting an intrusion is just the beginning. More often than not, the
console operator will be receiving alerts almost constantly, therefore
he/she cannot spare the time to follow up each potential incident in
person. The operator will tag events of interest for further investigation
by the incident handling team. After the initial response the event then
needs to be handled, looking at issues such as investigation, forensics
and prosecution. Chris Jordan's paper "Analyzing IDS Data" covers
first and second level analysis of IDS alerts
Incident Response
The initial reaction to a detected potential incident, which is then
handled according to incident handling procedures.
Islanding
Cutting the network off from the Internet, islanding is a drastic action,
almost a last resort. It is occasionally used by some organizations faced
with a large virus outbreak, or even when the threat of an attack is
considered significant enough.
Promiscuous
By default, the IDS network interface only sees information to or from the
host - this is termed non-promiscuous. By making the interface
promiscuous, you can see all the network traffic on your segment
regardless of the source or destination. This is essential for a Network
IDS, but by the same token can be used by packet sniffers to monitor your
network traffic. Switched hubs go a long way to prevent this and many
have span ports where you can see all the traffic.
Routers
A router is a device for connecting sub-networks. They operate at the
Transport and Network layers of the OSI 7 layer model. More basically,
routers help to navigate network packets to their destinations. Many also
have Access Control Lists (ACLs) that will allow you to filter out
undesirable packets. Many routers can feed their logs into an IDS,
providing valuable information about blocked attempts to access a network.
Scanners
Scanners are automated tools that will scan network for hosts and/or vulnerabilities.
Like intrusion detection systems, these also come in a variety of guises. I have included
a list of scanners below, along with a description of each. (For a full list
of available products visit my website.)
Scanner Category: Network Scanners
Network scanners are designed to map a network, finding all the hosts on
that network. Traditionally they would use an ICMP ping, but this is too
noisy and can be detected with ease. As the network scanners had to
become a lot stealthier, they began to use a variety of other methods,
such as ack scans and fin scans, to achieve their goal undetected. The
other advantage in using these more obscure methods is that different
operating systems will respond to these scans in different ways giving the
attacker more valuable information.
One example of such a tool is nmap.
Scanner Category: Network Vulnerability Scanners
Taking the network scanner a stage further, a network vulnerability scanner will check
the target host(s), highlighting any vulnerabilities that can be exploited by the hacker.
They are used by attackers and security professionals and are very noisy - they make the
Network IDS go ballistic. Some vulnerability scanners such as Whisker look for
vulnerabilities in webservers, it even has an anti-IDS setting, making it difficult for
an Network IDS to detect.
Retina and CyberCop Scanner are examples of network vulnerability scanners.
Scanner Category: Host Vulnerability Scanners
Operating as a privileged user, these tools will scan the host from the
inside, checking a wide range of things from password quality and security
policy to file permissions. It can be detected by a Network IDS and,
particularly, by a Host IDS. SecurityExpressions is a remote Windows
vulnerability scanner that will also auto fix. Some tools such as ISS
database scanner will scan a database for vulnerabilities
Script Kiddies
Rather than do it the hard way, a script kiddie will use exploit scripts written by
others to achieve their aims. There is much talk about belittling a Script Kiddies
capability, even the name sounds a little derogatory. However, tread carefully they are
a force to be reckoned with, as grc.com know only too well. An analogy given to me
by a Policeman from the Royal Air Force CERT; script kiddies are like kids with guns,
they don't need to understand ballistics or be able to build the gun to make them a
formidable foe, at no time should they be under estimated.
Shunning
Shunning is the practice of configuring border devices to reject any
packets from objectionable sources. Some networks have been known to shun
IP addresses from a specific country. More often than not ISP's with a
poor clean up rate will be shunned.
Signatures
At the heart of the IDS is the attack signature, this is what makes the IDS trigger on an
event. Too short and it triggers (too often creating false positives,) too long and it
slows the IDS down. Some people see the number of signatures that an IDS supports as a
benchmark of the IDS's quality. However, while one vendor has one signature covering
many attacks another vendor may list the signatures separately, giving the impression (to
some) that because it appears to include more signatures, it's a better IDS.
Stealth
Stealth interfaces allow an IDS to be invisible to the outside world while
still being able to detect attacks. They are most used outside the DMZ,
beyond the protection of firewalls. There are drawbacks such as automated
response.
|
