Network intrusion detection systems. IDS subtypes based on attack detection methods


Today, intrusion detection capabilities are becoming an essential addition to every large company's information security infrastructure. For information security professionals, the question is no longer whether an intrusion detection system (IDS) is necessary, but which system to choose for a particular organization. In addition, the high cost of such products forces a more careful approach to justifying the need for them.

Types of Intrusion Detection Systems

Today there are several types of IDS, differing in what data they monitor and how they analyze it. Each type has its own conditions of use, advantages and disadvantages.

One way to classify IDS is by what they actually monitor. Some monitor all network traffic and analyze network packets, others are deployed on individual computers and monitor the operating system for signs of intrusion, and still others monitor individual applications.

IDS protecting a network segment

This class of IDS is currently the most common among commercial products. The system usually consists of several specialized servers that analyze network traffic in different network segments and send messages about a possible attack to a centralized management console. No other applications run on the servers used by the IDS, so they can be hardened against attack, including by special means. Many of them can operate in stealth mode, making it difficult for attackers to detect them and determine their location on the network.

Advantages:

  • a few well-placed systems can monitor a large network;
  • deployment has little impact on the existing network: such IDS are usually passive devices that intercept network traffic without loading the network with service flows;
  • the system itself can be well protected from attack, and its individual nodes can be made invisible to attackers.

Disadvantages:

  • may fail to recognize an attack launched at a moment of high network load. Some developers try to solve this by building the IDS on faster hardware. In addition, the need to analyze packets quickly forces developers to detect attacks with minimal computational resources, which seriously reduces detection efficiency;
  • many of the advantages of network IDS do not apply to switched networks. Switches divide the network into small segments (usually one high-speed Ethernet link per server) and provide dedicated channels between servers served by the same switch. Most switches do not provide universal monitoring (mirror) ports, which reduces the monitoring range of the IDS sensor; in such switches a single port often cannot mirror all the traffic passing through the switch;
  • cannot analyze encrypted traffic;
  • report that an attack has begun without determining how far it has penetrated.

IDS protecting a single server

These systems analyze the activity of processes on the specific server on which they are installed and collect information about the server they monitor. This allows the IDS to analyze actions on the server at a high degree of granularity and to pinpoint which users are performing malicious actions in the server's operating system.

Some IDSs in this class can manage a group of servers, preparing centralized reports on possible attacks that are summarized in the security administrator's console. Others generate messages compatible with network management systems.

Advantages:

  • detect attacks missed by IDS protecting a network segment, since they see events localized on a specific server;
  • operate in networks that use encryption, since the information is in clear form on the server before it is sent to the recipient;
  • operate in switched networks.

Disadvantages:

  • information collection mechanisms must be installed and maintained on each server that is to be monitored;
  • can be attacked and disabled by a prepared adversary;
  • cannot monitor the situation across the whole network, since they “see” only the network packets received by the server on which they are installed;
  • have difficulty detecting and countering denial-of-service attacks;
  • consume the computing resources of the server they monitor, thereby reducing its performance.

IDS based on application protection

These systems monitor events that occur within a single application and often detect attacks by analyzing the application's logs. The ability to communicate directly with the application through a service interface, together with a wealth of knowledge about the application, allows this class of IDS to provide a more detailed picture of suspicious activity in the application.

Advantages:

  • monitor activity at a very high level of detail, allowing the unauthorized actions of individual users to be tracked;
  • capable of working in encrypted environments.

Some experts note that the difference between systems based on application protection and systems based on individual server protection is not always clear, so in what follows both classes are treated as intrusion detection systems based on individual server protection.

Approaches to event analysis

Currently, there are two main approaches to event analysis: signature detection and anomaly detection.

Signature-based IDS

The signature-based intrusion detection approach identifies activity that matches a predefined set of events uniquely describing a known attack. Signature-based systems must therefore be pre-programmed to detect every known attack. This technique is extremely effective and is the main method used in commercial products.

Advantages:

  • very effective at detecting attacks without generating a significant number of false alarms.

Disadvantages:

  • signature-based systems must be pre-programmed to detect every attack and constantly updated with the signatures of new attacks;
  • in many systems of this class the signatures are defined quite narrowly, which makes it difficult to detect variants of known attacks whose signature differs even slightly from the one in the database.

In the review of corporate IPS solutions on the Russian market from Anti-Malware, released last week, everything is good except, in fact, the review of the Russian solutions themselves. Let me complement my colleagues a little.

Like most products on our information security market, attack detection/prevention systems can be classified by the following two criteria:

  • certification:
    • absent
    • made minimal “for show”
    • high level of certification
  • recognition (prevalence) of the product:
    • known and used in the world
    • present only on the regional market

Depending on the combination of these two parameters, the type of vendor can be described as follows, bearing in mind, of course, that in practice the situation is most often mixed.

Now, in fact, let’s move on to domestic IPS/IDS, the very existence of which is largely determined by the presence of the relevant regulatory requirements. The FSB has had formalized requirements for this class of solutions for quite a long time (since 2002), and the FSTEC's appeared last year.

The FSB calls this class of devices SOA (attack detection systems) and distinguishes four classes, from G to A (lowest to highest), each subsequent class including all the functionality of the previous ones. The FSB requirements are marked “For official use” and cannot be easily obtained.

FSTEC calls such systems SOV (intrusion detection systems), which is incredibly convenient, since FSB and FSTEC certification can now never be confused =) The essence of the FSTEC requirements is a little easier to grasp: there is at least general information in a letter on the FSTEC website, which explains that a total of six classes of SOV protection are established (the sixth being the lowest). There are no corresponding protection profiles for classes six to four on the FSTEC website (although the letter states otherwise), but they can be found on the Internet if you wish.

In total, six products (all domestic) are certified under the FSB requirements, and so far only four under the new FSTEC requirements (two domestic and two imported). There are also IDSs certified by FSTEC for compliance with technical specifications (TU) before the new IDS requirements came into force, but today we are only interested in domestic manufacturers, and among those solutions only two are domestic.

The final list of domestic IDS and their certificates looks like this:

You can argue with me, but in my opinion, all these products clearly fall into the “Paper Makers” category, no matter how offensive such a definition may sound for them.

Unfortunately, for some solutions only fragmentary information is publicly available, apparently because of their very specific area of application. On domestic attack detection systems, perhaps the most informative source was this presentation by FSB representative D.N. Satan. I have added descriptions of all products found on the Internet and, in order not to duplicate information from the Catalog in this post, I provide only links to the products.

Intrusion detection systems are software or hardware tools for detecting attacks and malicious actions. They help networks and computer systems respond appropriately. To achieve this goal, an IDS collects information from numerous system or network sources and then analyzes it for signs of attacks. This article will attempt to answer the question: "IDS - what is it and what is it for?"

What are intrusion detection systems (IDS) for?

Information systems and networks are constantly subject to cyber attacks. Firewalls and antiviruses are clearly not enough to repel all these attacks, since they are only able to protect the “front door” of computer systems and networks. Various teenagers who imagine themselves to be hackers constantly scour the Internet in search of cracks in security systems.

Thanks to the World Wide Web, they have a lot of completely free malicious software at their disposal: all kinds of slammers, blinders and similar harmful programs. Competing companies use the services of professional hackers to neutralize each other. So intrusion detection systems are an urgent need, and it is no surprise that they are becoming more widely used every day.

IDS elements

IDS elements include:

  • a detector subsystem that collects events from the network or computer system;
  • an analysis subsystem that detects cyber attacks and questionable activity;
  • storage for storing information about events, as well as the results of analysis of cyber attacks and unauthorized actions;
  • a management console with which you can set IDS parameters, monitor the state of the network (or computer system), and have access to information about attacks and illegal actions detected by the analysis subsystem.

By the way, many may ask: “How is IDS translated?” The translation from English sounds like “a system that catches uninvited guests in the act.”

The main tasks that intrusion detection systems solve

An intrusion detection system has two main tasks: analysis and an adequate response based on the results of this analysis. To perform these tasks, the IDS system performs the following actions:

  • monitors and analyzes user activity;
  • audits the system configuration and its weaknesses;
  • checks the integrity of the most important system files, as well as data files;
  • conducts statistical analysis of system states, comparing them with states observed during known attacks;
  • audits the operating system.

What an intrusion detection system can provide and what it cannot

With its help you can achieve the following:

  • improve integrity parameters;
  • track the user’s activity from the moment he logs into the system until the moment he causes harm to it or performs any unauthorized actions;
  • recognize and notify about changes or deletion of data;
  • automate Internet monitoring tasks to find the latest attacks;
  • identify errors in the system configuration;
  • detect the beginning of an attack and notify about it.

The IDS system cannot do this:

  • fill deficiencies in network protocols;
  • play a compensatory role in the event of weak identification and authentication mechanisms in the networks or computer systems that it monitors;
  • always cope with packet-level attacks.

IPS (intrusion prevention system) - continuation of IDS

IPS stands for Intrusion Prevention System. These are advanced, more functional varieties of IDS. Unlike conventional IDS, IPS are reactive: they can not only detect, record and report an attack, but also perform protective functions such as resetting connections and blocking incoming packets. Another distinguishing feature of IPS is that they operate in real time and can block attacks automatically.

Subtypes of IDS by monitoring method

NIDS (IDS that monitor the entire network) analyze the traffic of the entire subnet and are managed centrally. With correct placement, several NIDS can monitor a fairly large network.

They operate in promiscuous mode (checking all incoming packets rather than a selection of them), comparing subnet traffic with the known attacks in their library. When an attack or unauthorized activity is detected, an alert is sent to the administrator. However, in a large network with a lot of traffic a NIDS sometimes fails to check every packet, so there is a possibility that during peak load it will not recognize an attack.

NIDS (network-based IDS) are easy to integrate into new network topologies, since, being passive, they have little impact on their functioning. They only capture, record and alert, unlike the reactive IPS discussed above. However, network-based IDS cannot analyze information that has been encrypted. This is a significant drawback because, with the increasing adoption of virtual private networks (VPNs), encrypted traffic is increasingly used by cybercriminals for attacks.

NIDS also cannot determine what happened as a result of an attack, whether it caused harm or not; all they can do is record its beginning. The administrator is therefore forced to check each attack case independently to find out whether the attackers achieved their goal. Another significant problem is that NIDS have difficulty detecting attacks that use fragmented packets. Such attacks are especially dangerous because they can interfere with the normal operation of the NIDS itself. What this might mean for an entire network or computer system does not need to be explained.

HIDS (host intrusion detection system)

HIDS (host-monitoring IDS) serve only a specific computer, which naturally gives much higher efficiency. HIDS analyze two types of information: system logs and operating system audit results. They take a snapshot of system files and compare it with an earlier snapshot; if files critical to the system have been changed or deleted, an alarm is sent to the administrator.

A significant advantage of HIDS is the ability to perform its work in situations where network traffic can be encrypted. This is possible due to the fact that host-based information sources can be created before the data can be encrypted, or after it is decrypted on the destination host.

The disadvantages of this type include the possibility of blocking or even disabling it with certain types of DoS attacks. The problem is that the sensors and part of the HIDS analysis reside on the host being attacked, so they are attacked too. The fact that HIDS consume the resources of the hosts they monitor is also hard to call a plus, since it naturally reduces their performance.

IDS subtypes based on attack detection methods

The anomaly method, the signature analysis method and the policy method are the subtypes of attack detection methods used by IDS.

Signature Analysis Method

In this case, data packets are checked for attack signatures. An attack signature is an event that matches one of the patterns describing a known attack. This method is quite effective because it reduces the number of false attack reports.
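A minimal signature matcher, added here as an example (not code from the original article), illustrating both this section and the earlier point that narrowly defined signatures miss variants that differ only slightly. The request lines, signature IDs and patterns are constructed for the demonstration; the normalization step (URL-decoding and lowercasing before matching) is one common way of widening a signature without adding a rule per variant.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int          # constructed rule id
    name: str
    pattern: str      # regex applied to the (optionally normalized) request line


# Constructed signature set for two textbook HTTP attack patterns.
SIGNATURES = [
    Signature(1001, "directory traversal in URI", r"\.\./"),
    Signature(1002, "SQL tautology in query string", r"'\s*or\s+1\s*=\s*1"),
]

# Constructed request lines: one benign, one literal match, two encoded/cased variants.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "GET /..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /login?user=admin'%20OR%201%3D1 HTTP/1.1",
]


def normalize(request_line: str) -> str:
    """Canonical form for matching: percent-decode and lowercase."""
    return unquote(request_line).lower()


def match_signatures(request_line, signatures=SIGNATURES, normalize_first=True):
    """Return the ids of all signatures that fire on one request line."""
    text = normalize(request_line) if normalize_first else request_line
    return [s.sid for s in signatures if re.search(s.pattern, text)]


def scan(requests, normalize_first=True) -> dict:
    """Map each request line to the list of signature ids that matched it."""
    return {r: match_signatures(r, normalize_first=normalize_first) for r in requests}


if __name__ == "__main__":
    print("raw matching:       ", scan(SAMPLE_REQUESTS, normalize_first=False))
    print("normalized matching:", scan(SAMPLE_REQUESTS))
```

Run raw, only the literal `../` request fires; the encoded traversal and the tautology with `%20`/`%3D` slip past, which is exactly the "slightly different variant" weakness. With normalization both variants are caught by the same two rules.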

Anomaly method

It helps detect illegal activity on the network and on hosts. Based on the history of normal operation of the host and network, special profiles are created describing that normal operation. Detectors then analyze events, comparing them with the “norm” in the profiles using various algorithms. Not having to accumulate a huge number of attack signatures is a definite advantage of this method. However, a considerable number of false attack alerts during atypical but completely legitimate events on the network is its undoubted disadvantage.

Policy method

Another method for detecting attacks is the policy method. Its essence is to create network security rules that may, for example, specify how networks are allowed to interact and which protocols may be used. This method is promising, but the difficulty lies in the rather complicated process of creating the policy base.
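One way to implement such a policy check, added as an example (this is not the article's code and no real product works exactly this way). It assumes a constructed three-zone topology using RFC 5737 documentation address ranges, a small allow-list of zone-to-zone interactions, and flow records in a made-up `<timestamp> <src> <dst> <proto>/<port>` format; anything not explicitly permitted is reported.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones; any address outside them is treated as "internet".
ZONES = [
    ("dmz", ipaddress.ip_network("192.0.2.0/24")),
    ("internal", ipaddress.ip_network("10.0.0.0/8")),
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Constructed policy base: the only interactions the network design permits.
POLICY = {
    Rule("internet", "dmz", "tcp", 443),       # public web front end
    Rule("dmz", "internal", "tcp", 5432),      # web tier to database
    Rule("internal", "internet", "tcp", 443),  # user browsing
    Rule("internal", "internet", "tcp", 80),
    Rule("internal", "dmz", "tcp", 443),
}


def parse_record(line: str):
    """'<ts> <src> <dst> <proto>/<port>' -> (ts, src, dst, proto, port)."""
    ts, src, dst, svc = line.split()
    proto, port = svc.split("/")
    return ts, src, dst, proto, int(port)


def check_policy(lines, policy=POLICY) -> list:
    """Return (record, reason) for every flow the policy does not permit."""
    violations = []
    for line in lines:
        ts, src, dst, proto, port = parse_record(line)
        observed = Rule(zone_of(src), zone_of(dst), proto, port)
        if observed not in policy:
            reason = f"{observed.src_zone}->{observed.dst_zone} {proto}/{port} not permitted"
            violations.append((line, reason))
    return violations


# Constructed flow records: three permitted, three that violate the policy.
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01 10.1.2.3 203.0.113.5 tcp/443",
    "2024-01-01T10:00:02 203.0.113.9 192.0.2.10 tcp/443",
    "2024-01-01T10:00:03 192.0.2.10 10.0.5.20 tcp/5432",
    "2024-01-01T10:00:04 192.0.2.10 10.0.5.21 tcp/22",
    "2024-01-01T10:00:05 10.0.5.20 203.0.113.9 udp/53",
    "2024-01-01T10:00:06 203.0.113.9 10.0.5.20 tcp/445",
]

if __name__ == "__main__":
    for record, reason in check_policy(SAMPLE_FLOWS):
        print(reason, "|", record)
```

The hard part the article points to is not this loop but populating `POLICY` correctly: every legitimate interaction that is missing from it becomes a false alarm, and every one that is added too broadly becomes a blind spot.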

ID Systems will provide reliable protection for your networks and computer systems

The ID Systems group of companies is today one of the market leaders in creating security systems for computer networks. It will provide you with reliable protection from cyber villains. With ID Systems protection systems, you won't have to worry about your important data. Thanks to this, you will be able to enjoy life more because you will have fewer worries on your mind.

ID Systems - employee reviews

A wonderful team, and the main thing, of course, is the correct attitude of the company’s management towards its employees. Everyone (even fledgling beginners) has the opportunity to grow professionally. True, for this, naturally, you need to prove yourself, and then everything will work out.

There is a healthy atmosphere in the team. Beginners will always be taught everything and shown everything. There is no sense of any unhealthy competition. Employees who have been working in the company for many years are happy to share all the technical details. They respond kindly, without a shadow of condescension, to even the silliest questions from inexperienced workers. In general, working at ID Systems brings nothing but pleasant emotions.

The attitude of the management is pleasing. It is also gratifying that they clearly know how to work with personnel here, because the team they have chosen is truly highly professional. The opinion of employees is almost unanimous: they feel at home at work.


Like many new technologies, intrusion detection has a mixed reception, and the technology itself is understood ambiguously. Attack detection is a very broad field covering many aspects, from motion sensors and video surveillance systems to real-time fraud detection systems. The scope of this lecture does not allow all aspects of this technology to be covered, so I will consider only the detection of non-physical attacks on computing or network resources. Before going further, I will give the definition of attack detection technology on which I will build.
Attack Detection is the process of identifying and responding to suspicious activity aimed at computing or network resources.
Attack is any action of an intruder that leads to the implementation of a threat by exploiting the vulnerabilities of a computer system.

Introduction to Intrusion Detection Systems
Reports of intrusions into corporate networks and attacks on Web servers have lately appeared with alarming frequency. The number and complexity of information technologies offered on the market keep growing. Very often, attackers overcome the security measures installed in a company or bank (authentication systems, firewalls, etc.) to restrict access to corporate network resources. As their skills grow, attackers become more sophisticated in developing and using methods of penetrating security barriers. Such attackers are very difficult to detect: they disguise themselves as authorized users, use intermediate nodes to hide their true address, carry out attacks distributed in time (over several hours) and space (from several nodes simultaneously), and so on. Many attacks are carried out in a very short time (minutes or even seconds), which also prevents them from being detected and stopped by standard protective measures.
This is because most computer security systems are built on the classic access control models developed in the 70s and 80s. In these models, a subject (user or program) is allowed or denied access to an object (for example, a file) according to specified rules. However, the actions the subject takes on the object are not regulated in any way, so it is impossible, for example, to prevent a user who has been granted access to a file from copying it. The development of these models made it possible to eliminate these shortcomings by controlling the confidentiality (Bell-LaPadula model) or integrity (Biba model) of information flows. However, a natural contradiction arises between the ease of use of the system and the level of security it provides: something has to be sacrificed, either the ease of use of the protected system or the level of its security. It is very difficult to reach a compromise and find a system configuration that combines a sufficient level of security with ease of use.
In addition, access control models cannot help in the event of attacks from “dedicated”, authorized users or processes (programs) that have passed the authentication procedure. If an attacker guesses or intercepts your password (and this is done quite easily), then no access control system will help prevent the theft or substitution of information available to the compromised user.
Not so long ago, when corporate networks and the Internet were not as widespread as today, a system administrator could afford to occasionally browse security mailing lists (ISS X-Force, CERT Advisory, Bugtraq, etc.) and, if a new vulnerability was found, prevent an attacker from exploiting it by installing the new patches and hotfixes for the operating system. Such an update might have been removed by a user or another administrator, accidentally or in the course of operation, and after a week or a month the administrator could check the system again and reinstall the necessary “patch”. Now everything has changed: network and information technologies change so quickly that static protective mechanisms, which include access control systems, firewalls and authentication systems, are very limited and in many cases cannot provide effective protection. Therefore, dynamic methods are needed to detect and prevent security breaches.
One technology that can be used to detect violations that cannot be identified using access control models is intrusion detection technology.
To describe an intrusion detection technology, it is necessary to consistently answer four questions that almost completely cover all aspects of this technology.

Whatever effective method of obtaining information about attacks is used, the effectiveness of the attack detection system largely depends on the methods used to analyze the received information. The earliest intrusion detection systems, developed in the early 1980s, used statistical methods to detect attacks. However, mathematics does not stand still, and now many new techniques have been added to statistical analysis, starting with fuzzy logic and ending with the use of neural networks.
Each of the methods described below has a number of advantages and disadvantages, and therefore it is now practically difficult to find a system that implements only one of the described methods. As a rule, these methods are used in combination.

Statistical method
In the analyzed system, profiles are initially determined for all its subjects. Any deviation of the observed profile from the reference one is considered unauthorized activity. The main advantages of the statistical approach are adaptation to the behavior of the subject and the use of the already developed and proven apparatus of mathematical statistics. In addition, statistical methods are universal, because no knowledge of possible attacks and the vulnerabilities they exploit is required. However, several problems arise with these techniques.
First, “statistical” systems can be “trained” by attackers over time so that attack actions come to be seen as normal. Second, “statistical” systems are not sensitive to the order of events, and in some cases the same events, depending on the order in which they occur, can characterize abnormal or normal activity. Finally, it is very difficult to set threshold values for the characteristics monitored by an intrusion detection system so that anomalous activity is identified adequately. In addition, these methods are not applicable when there is no pattern of typical behavior for the user, or when unauthorized actions are typical for the user.
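A worked profile-based detector, added as an example for both the anomaly method described earlier and the statistical method here; it is not code from the original lecture. The subject, metric (megabytes downloaded per day) and the 14-day baseline are constructed. It uses a z-score against the reference profile with a threshold of 3 standard deviations (the threshold is an assumption), shows the false positive on a legitimate but atypical day, and shows the "training" problem: an adaptive profile that re-learns from the most recent window never flags a slow escalation that the static profile flags immediately.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Profile:
    """Reference profile of one subject: observations recorded during normal operation."""
    subject: str
    values: list

    def mean(self) -> float:
        return statistics.fmean(self.values)

    def stdev(self) -> float:
        return statistics.pstdev(self.values)


def zscore(profile: Profile, x: float) -> float:
    sd = profile.stdev()
    if sd == 0:  # perfectly constant history: any change at all is a deviation
        return float("inf") if x != profile.mean() else 0.0
    return (x - profile.mean()) / sd


def is_anomalous(profile: Profile, x: float, threshold: float = 3.0) -> bool:
    """Flag an observation whose distance from the profile mean exceeds `threshold` sigmas."""
    return abs(zscore(profile, x)) > threshold


# Constructed baseline: MB downloaded per day by user "alice" over 14 normal days.
BASELINE = Profile("alice", [20, 22, 19, 25, 21, 23, 20, 24, 22, 21, 19, 23, 22, 20])


def adaptive_run(baseline_values, observations, threshold=3.0, window=14) -> list:
    """Adaptive variant: after every day the profile is re-learned from the last `window` days.
    Returns the (day, value) pairs that were flagged."""
    history = list(baseline_values)
    flagged = []
    for day, x in enumerate(observations, start=1):
        if is_anomalous(Profile("alice", history), x, threshold):
            flagged.append((day, x))
        history = (history + [x])[-window:]  # the new day becomes part of "normal"
    return flagged


# Constructed slow escalation: one extra MB every day, from 23 MB up to 60 MB.
CREEP = list(range(23, 61))

if __name__ == "__main__":
    for x in (26, 40, 60):
        print(f"static profile, {x} MB: z={zscore(BASELINE, x):.1f} anomalous={is_anomalous(BASELINE, x)}")
    print("adaptive profile over CREEP flagged:", adaptive_run(BASELINE.values, CREEP))
```

The 40 MB day stands for a legitimate quarter-end report pull: it is ten sigmas out and fires just like the 60 MB day, which is the false-positive cost the text describes. On the adaptive run the same 60 MB is reached on the last day without any alert, because each step is small relative to a window that already contains the previous steps; a detector that adapts this freely is the one an attacker can "train".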

Using expert systems
The use of expert systems is the second common method: attack information is formulated as rules that can be recorded, for example, as a sequence of actions or as a signature. If any of the rules is met, a decision is made about unauthorized activity.
The main advantage of this approach is the almost complete absence of false alarms. However, there are also disadvantages, the main one being the inability to repel unknown attacks. Even a small change to an already known attack can be a big obstacle for the intrusion detection system.

Neural networks
Most modern approaches to attack detection use some form of rule-based or statistics-based analysis of a monitored space, which can be logs or network traffic. This analysis relies on a set of predefined rules created by the administrator or by the intrusion detection system itself. Expert systems are the most common form of rule-based attack detection. An expert system consists of a set of rules that capture the knowledge of a human “expert”. Unfortunately, expert systems require constant updating to remain up to date. While expert systems offer good visibility into log data, the required updates may be ignored or performed manually by an administrator. At a minimum, this leads to an expert system with insufficient (weakened) capabilities; in the worst case, lack of maintenance reduces the security of the entire network, misleading its users about the actual level of security.
Any separation of an attack, either over time or across multiple attackers, is difficult to detect with expert systems. Network attacks change constantly, as hackers take individual approaches and the software and hardware of target systems change regularly. Because of the unlimited variety of attacks and hackers, even constant special updates of the expert system's rule database will never guarantee accurate identification of the full range of attacks.
One way to eliminate these problems is to use neural networks. Unlike expert systems, which can give the user a definite answer as to whether or not the characteristics under consideration correspond to those embedded in the rule database, a neural network analyzes the information and provides an assessment of whether the data is consistent with the characteristics it has been trained to recognize. While the degree of correspondence in a neural network representation can reach 100%, the reliability of the choice depends entirely on how well the system has been trained on examples of the task.
Initially, the neural network is trained by correctly identifying pre-selected examples from the subject area. The response of the neural network is analyzed and the system is adjusted so as to achieve satisfactory results. In addition to the initial training period, the neural network also gains experience over time as it analyzes domain-related data. The most important advantage of neural networks in detecting abuse is their ability to “learn” the characteristics of deliberate attacks and identify elements unlike those previously observed on the network.
Correlation (in the area under consideration) is the process of interpreting, summarizing and analyzing information from all available sources about the activities of the analyzed system in order to detect attacks and respond to them.
Without going into detail about the data correlation process, there are two aspects you should pay attention to when choosing an attack detection system. The first is the number of sessions (network or user) analyzed simultaneously. Currently, almost all systems analyze only one session at a time, which does not allow, for example, coordinated attacks from several sources to be detected.
The second aspect is when to carry out the analysis: in real time or after the attack. It would seem the answer is obvious, in real time of course. However, it is not so simple. Greater accuracy of recognition (although sometimes at the expense of efficiency) can be achieved precisely after the attack, when all the information about the incident is at your disposal.
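The first aspect, correlation across sessions, shown as an added example (not part of the original lecture). The event stream is constructed: five sources each touch three distinct ports on one target within a minute, so no single (source, target) session crosses a per-session threshold of ten distinct ports, while aggregating every session against the same target does; a second target probed by one noisy source shows that the per-session view still works for the simple case. The threshold, window and addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time

# Constructed events: (timestamp, src, dst, dst_port).
EVENTS = []
# Coordinated probe: five sources, each touching three distinct ports of one target.
for i in range(5):
    for j in range(3):
        EVENTS.append((T0 + timedelta(seconds=5 * i + j), f"198.51.100.{i + 1}", "192.0.2.10", 1000 + 3 * i + j))
# A single noisy source against a second target.
for j in range(12):
    EVENTS.append((T0 + timedelta(seconds=j), "203.0.113.7", "192.0.2.20", 2000 + j))
# Ordinary traffic to the first target.
EVENTS.append((T0 + timedelta(seconds=1), "10.0.0.5", "192.0.2.10", 443))


def sweep_alerts(events, key, port_threshold=10, window_seconds=60) -> set:
    """Sliding-window distinct-port counter.

    `key(src, dst)` chooses the aggregation unit: a single session (src, dst)
    or everything aimed at one target (dst). An alert is raised for a key once
    it has seen `port_threshold` distinct ports within `window_seconds`."""
    recent = defaultdict(deque)  # key -> deque of (time, port) inside the window
    alerted = set()
    for t, src, dst, port in sorted(events):
        k = key(src, dst)
        q = recent[k]
        q.append((t, port))
        while q and (t - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:
            alerted.add(k)
    return alerted


def per_session_alerts(events) -> set:
    """What a system that looks at one session at a time would report."""
    return sweep_alerts(events, key=lambda src, dst: (src, dst))


def correlated_alerts(events) -> set:
    """What the same counter reports after correlating all sessions per target."""
    return sweep_alerts(events, key=lambda src, dst: dst)


if __name__ == "__main__":
    print("per-session:", per_session_alerts(EVENTS))
    print("correlated: ", correlated_alerts(EVENTS))
```

The per-session view reports only the single noisy source; the correlated view additionally reports 192.0.2.10, which is being swept by five sources that are each individually below threshold. The same loop also illustrates the second aspect: run over a stored event log after the fact, it has every session available, whereas an inline sensor that drops state between sessions cannot form the per-target key at all.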

It is not enough to detect an attack; it must also be reacted to in time. Moreover, the reaction to an attack is not only blocking it. It is often necessary to “let” an attacker into a company’s network in order to record all his actions and subsequently use them in the investigation. Therefore, existing systems use a wide range of response methods, which can be divided into three categories: notification, storage and active response. The choice of reaction depends on many factors, the description of which is beyond the scope of this article.

Notification
The simplest and most common method of notification is to send the security administrator notifications about the attack on the intrusion detection system console. Since such a console cannot be installed for every employee responsible for security in an organization, and also in cases where these employees may not be interested in all security events, other notification mechanisms must be used. Such a mechanism is sending messages via e-mail, by pager, by fax or by telephone. The last two options are present only in the RealSecure attack detection system of the American company Internet Security Systems, Inc.
The "notification" category also includes sending control sequences to other systems, for example to network management systems (HP OpenView, Tivoli TME10, CA Unicenter, etc.) or to firewalls (CheckPoint Firewall-1, Lucent Managed Firewall, Raptor Firewall, etc.). In the first case the standardized SNMP protocol is used, and in the second, proprietary or standardized (for example, SAMP) protocols.

Storage
The “storage” category includes two response options: logging the event in a database and replaying the attack in real time. The first option is widespread in other protection systems and is not worth dwelling on. The second is more interesting: it allows the security administrator to reproduce in real time (or at a specified speed) all the actions performed by the attacker. This makes it possible not only to analyze “successful” attacks and prevent them in the future, but also to use the collected data for investigations.

Active response
This category includes the following response options: blocking the attacker’s work, terminating the session with the attacking node, and controlling network equipment and security tools. Response mechanisms of this category are, on the one hand, quite effective, but on the other hand they must be used very carefully, because their incorrect operation can disrupt the entire computing system.
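To make the three response categories concrete, here is an added example (not code from the article or from any product it names) of a small response dispatcher: every alert is preserved, medium-severity alerts are also pushed to the console, and active response is reserved for high-severity, high-confidence alerts and is suppressed for a protected address range, which is the kind of safeguard the paragraph above argues for. The alert fields, the severity and confidence scales, the thresholds and the protected network are all assumptions made for the example.

```python
"""Response dispatcher for IDS alerts: notification, preservation, active response.

Added example; the Alert fields, the 1..5 severity scale, the 0..1 confidence
scale and the policy thresholds below are assumptions, not any product's API.
"""
from dataclasses import dataclass, field, asdict
from ipaddress import ip_address, ip_network
import json


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    severity: int      # 1 (informational) .. 5 (critical), assumed scale
    confidence: float  # 0.0 .. 1.0, assumed scale


@dataclass
class ResponseLog:
    """Collects what each response category produced (stand-in for real sinks)."""
    notifications: list = field(default_factory=list)
    stored: list = field(default_factory=list)
    active: list = field(default_factory=list)


# Hosts that must never be blocked automatically (assumption: management network).
PROTECTED_NETS = [ip_network("10.0.0.0/24")]


def respond(alert: Alert, log: ResponseLog) -> str:
    """Apply the response policy to one alert; returns the strongest category taken."""
    # Preservation: every alert is recorded, regardless of severity.
    log.stored.append(json.dumps(asdict(alert), sort_keys=True))
    taken = "preservation"

    # Notification: medium severity and above reaches the console / e-mail.
    if alert.severity >= 3:
        log.notifications.append(
            f"[sev {alert.severity}] {alert.signature} {alert.src} -> {alert.dst}")
        taken = "notification"

    # Active response: only high severity AND high confidence, and never
    # against a protected range, because a wrong block hurts the system itself.
    if alert.severity >= 4 and alert.confidence >= 0.9:
        if any(ip_address(alert.src) in net for net in PROTECTED_NETS):
            log.notifications.append(
                f"active response suppressed for protected host {alert.src}")
        else:
            log.active.append(f"block {alert.src}")
            taken = "active"
    return taken


if __name__ == "__main__":
    log = ResponseLog()
    # Constructed alerts for demonstration only.
    for a in (Alert("ftp-login-probe", "192.0.2.10", "10.0.0.5", 2, 0.5),
              Alert("exploit-attempt", "192.0.2.10", "10.0.0.5", 5, 0.95),
              Alert("exploit-attempt", "10.0.0.7", "10.0.0.5", 5, 0.95)):
        print(a.signature, "->", respond(a, log))
    print(log)
```

The point of the protected-range check is the caveat from the paragraph: an automatic block against an internal management host (here a constructed 10.0.0.7) degrades to a notification instead of being executed.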

User requirements
It is necessary to determine in advance what and from whom you need to protect your computer system. It is necessary to determine the relationship between the costs (often considerable) of purchasing and operating an intrusion detection system and the benefits from its use. The process of choosing one of more than 30 systems existing on the market can take more than one week or month. But the effort is worth it. Choosing the right intrusion detection system can save hundreds of thousands of dollars that could otherwise be lost if a computer system were compromised.
However, no matter how effective the mechanisms built into an intrusion detection system are, it will not be used if it does not meet user requirements. The more complex the attack detection system, the higher its cost. However, cost is not the only fundamental factor when making a choice. It is also necessary to take into account the mechanisms used to obtain information about attacks, algorithms for analyzing and correlating data, response options, system performance, its reliability, etc. The number of such parameters is quite large. In general, all the requirements that must be taken into account when choosing intrusion detection systems can be divided into several groups:

  • Installation and deployment of the system;
  • Security of the system itself;
  • Attack detection;
  • Response to attacks;
  • System configuration;
  • Event control;
  • System data management;
  • System performance;
  • System architecture;
  • Technical support of the system.

You should not choose an intrusion detection system based only on the current situation. Try to look into the future and analyze the growth of the computing system, changes in the services it provides, etc. With this in mind, you can effectively invest in a security system now.
An important issue is the integration of an attack detection system into the existing information processing technology and its subsequent adaptation to the operating environment. Simultaneously with deployment, personnel must be trained in the rules for using the system in the organization. It should be noted that an intrusion detection system cannot provide absolute protection against all attacks; it helps identify suspicious traffic and other forms of unauthorized access. The greatest effectiveness from an intrusion detection system is achieved when it is “supported” by specialists who are able to operate the system properly and understand when and how to respond to the messages it produces.
In more detail, the requirements for attack detection systems can be found in the document “Attack detection systems. Selection strategy”, developed by the Scientific and Engineering Enterprise “Informzashchita”, which can be obtained by contacting www.infosec.ru.

Intrusion detection systems or firewalls?
A very frequently asked question is: “Do I need an intrusion detection system if we already have a firewall in place?” Definitely yes. An intrusion detection system is an essential addition to a firewall, but not a replacement for it. Firewalls are designed to prevent the bad guys from invading the network. However, sometimes these tools, due to design errors, hardware failures, user error, or simply ignorance, do not provide an acceptable level of access control. For example, someone does not understand the need to protect the network and leaves a modem turned on at their workplace to access the computer from home. In this case the firewall can neither protect the network nor even detect the fact, and attack detection systems become indispensable. No matter how reliable and effective your firewall's filtering capabilities are, users often find ways to bypass whatever barriers you set up. For example, ActiveX objects or Java applets can introduce new attack vectors through firewalls. In addition, according to statistics, at least 75% of all computer crimes originate from within the corporate network, from its employees. And, as mentioned above, “classical” security measures, which include firewalls, cannot protect a corporate network against bad intent on the part of a user who already has access to it. Therefore, a firewall cannot replace an attack detection system, and both of these tools are needed to build an effective information security system.
Think of your network as a multi-story high-rise building, where the firewall is the doorman at the entrance, and each intrusion detection system monitoring module is the watchdog at a specific door. As a rule, the doorman is happy to let in people who look respectable and detains suspicious ones. However, a clever criminal is able to get past the doorman and enter the building without arousing his suspicion. The watchdog knows better who may be let through its door and reacts instantly to an intrusion.

Attack detection systems in Russia
The first attack detection system appeared in Russia in mid-1997, when an agreement was concluded between the Informzashchita Scientific and Engineering Enterprise and the then little-known American company Internet Security Systems, Inc. (ISS), which developed the RealSecure attack detection system. Since then the situation has changed for the better. ISS is currently the market leader in attack detection tools (52% of the total market in 1999, according to IDC). In Russia, the situation is similar - the RealSecure system has captured most of the Russian market for attack detection tools. This was preceded by a lot of painstaking work to create the appropriate infrastructure to support this system. Its Russification is currently being completed.
In addition to the RealSecure system, the following products of foreign companies are offered on the Russian market:

  • NetRanger from Cisco Systems.
  • OmniGuard Intruder Alert from Axent Technologies.
  • SessionWall-3 by Computer Associates.
  • Kane Security Monitor from Security Dynamics.
  • CyberCop Monitor by Network Associates.
  • NFR by Network Flight Recorder.

The top three, led by RealSecure, are leaders throughout the world. In total, more than 30 commercially distributed attack detection systems are known.

Standards and Guidance Documents
Since the end of last year - the beginning of this year, work has been underway to develop guidance documents that will allow for an adequate analysis and assessment of attack detection systems offered on the Russian market. Similar work is being carried out abroad. An example is the CIDF or IDEF standards being developed by the US Department of Defense and the IETF working group.

Prospects and development trends
It can be noted that both solutions, network-level and system-level IDS, have their own advantages and disadvantages; they effectively complement each other and compensate for each other’s shortcomings.
So, I have briefly described the existing solutions in the field of attack detection. But will they, as they exist now, be applicable in the next millennium? Hardly. Here is why. Today's networks are becoming so complex that they are difficult to control using existing methods. The number of nodes in networks is growing at an unprecedented rate, and the use of gigabit speeds and VLAN-based switched networks is expanding. The volume of traffic transmitted over networks is increasing by several orders of magnitude. Completely new approaches to detecting attacks are needed to cope with these factors.

Microagents
As noted above, existing attack detection systems belong to either the network class (network-based) or the system class (host-based). However, the ideal solution would be a system that combines both of these technologies, i.e. an attack detection agent would be installed on each monitored node and would monitor not only system-level attacks (against the OS and applications), but also network attacks aimed at that node. This approach has several advantages over existing solutions.
First, high network speed is no longer an issue, because the agent only looks at the traffic for its own node instead of all the traffic on the entire network. Secondly, packets are already decrypted by the time they reach the agent. Finally, because it resides directly on each monitored computer, dial-up networks impose no restrictions on its use either.
These agents combine the characteristics of a real-time network tracking module with the tactical advantages of a system-level agent. Currently, only Internet Security Systems (ISS) has announced developments in this area. ISS has named this development Micro Agent and plans to complete it by the end of this year. These micro-agents will complement the existing network and system tracking modules of ISS's RealSecure intrusion detection system.

Presentation of data in attack detection systems
To detect attacks effectively, it is necessary to monitor and record in detail a large number of events that occur in the information system. As a result, a large volume of data is generated, most of which is of no interest but is stored in the hope that its analysis will allow timely detection of a suspicious event. Storing such large volumes of data leads to two tasks:

  • Develop mechanisms for efficient use of disk space for storing logs and network traffic data;
  • Develop mechanisms for effectively presenting to the administrator only those data that are of interest to him.

These two problems are interrelated, but I will only touch on the second one. Many specialists have encountered a situation where an attack detection system generates hundreds, and in large networks thousands, of records about ongoing events. The administrator cannot analyze these events manually. And although the attack detection systems on the market have mechanisms for combining several events of the same type into one, this work is still far from complete.
Methods for presenting data effectively are currently being developed by various manufacturers and research centers. For example, at the end of June this year ISS announced the creation of “Fusion Technology”, which will allow hundreds of events recorded by the RealSecure intrusion detection system and other third-party security tools to be grouped into one or two notifications presented on the management console screen. The COAST research center is moving in the same direction: a working group has been created there to develop an effective format for logs and for presenting data to the security administrator. Among Russian developers, NIP Informzashita implements such mechanisms in its new information security management technology “Berkut”.
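The paragraphs above describe collapsing many events of the same type into one notification without naming a mechanism. As an added example, not code from the article, from RealSecure, Fusion Technology or Berkut, here is a time-window aggregator: events with the same signature and source that arrive within a configurable window of the group's first event are folded into one summary that keeps the count, the time span and the set of targets. The event record layout and the sample events are constructed for the example.

```python
"""Collapse repeated IDS events into per-(signature, source) summaries.

Added example. Event dicts have the constructed fields ts (seconds), sig, src,
dst; a real IDS would supply its own record format.
"""

# Constructed sample events, not real IDS output.
EVENTS = [
    {"ts": 0,   "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.1"},
    {"ts": 2,   "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.2"},
    {"ts": 4,   "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.3"},
    {"ts": 5,   "sig": "login-failure", "src": "10.0.0.50",  "dst": "10.0.0.9"},
    {"ts": 6,   "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.4"},
    {"ts": 8,   "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.5"},
    {"ts": 300, "sig": "port-scan",     "src": "192.0.2.10", "dst": "10.0.0.6"},
]


def aggregate(events, window=60):
    """Fold events sharing (sig, src) and falling within `window` seconds of the
    group's first event into one summary. Returns summaries in closing order:
    groups closed by the window first, then the groups still open at the end."""
    open_groups = {}   # (sig, src) -> summary being built; dict keeps insertion order
    summaries = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["sig"], ev["src"])
        group = open_groups.get(key)
        if group is None or ev["ts"] - group["first"] > window:
            if group is not None:
                summaries.append(group)      # window expired: close the old group
            group = {"sig": ev["sig"], "src": ev["src"], "first": ev["ts"],
                     "last": ev["ts"], "count": 0, "targets": set()}
            open_groups[key] = group
        group["last"] = ev["ts"]
        group["count"] += 1
        group["targets"].add(ev["dst"])
    summaries.extend(open_groups.values())
    return summaries


def format_summary(s):
    """One console line per summary instead of one line per raw event."""
    return (f"{s['sig']} from {s['src']}: {s['count']} events against "
            f"{len(s['targets'])} hosts (t={s['first']}..{s['last']})")


if __name__ == "__main__":
    for s in aggregate(EVENTS):
        print(format_summary(s))
```

With the sample input the five scan events within the first ten seconds become one line, the scan event at t=300 opens a fresh group because the window has expired, and the unrelated login failure stays separate; the administrator sees three lines instead of seven.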

Decision making, attack prediction
Intrusion detection systems in the new millennium must become more intelligent than their modern counterparts. And this applies not only to the process of detecting attacks, which can be implemented using various mechanisms, incl. and using the neural networks described above. Intelligence will be present in the decision-making process about responding to attacks, as well as in predicting new attacks on the corporate network. The first step in creating such systems can be called the creation by ISS of a product called SAFEsuite Decisions. This system allows you to receive data received from various security tools, incl. firewalls, security analysis and attack detection systems. This data can then be analyzed, summarized, and based on it, the susceptibility of a particular node or network segment to attacks from external or internal attackers can be determined. Knowledge of vulnerabilities obtained from security analysis systems, along with knowledge of the frequency of attacks obtained from firewalls and attack detection systems installed on various network segments, makes it possible to predict attacks on nodes and network segments, incl. and coordinated attacks carried out simultaneously from multiple locations.

This topic covers mainly the issues you should pay attention to when choosing an intrusion detection system. However, by installing the chosen system you have not yet fully protected yourself from attacks, and this must be understood. An intrusion detection system is a necessary but clearly insufficient condition for an effective organizational security system. A whole range of organizational and technical measures is needed to build a complete security system for your organization: risk analysis, development of a security policy, installation and configuration of various security tools (firewalls, security analysis systems, etc.), training of specialists, and so on.
To summarize, an intrusion detection system is more than several tracking modules installed on various nodes of the corporate network. An efficient and reliable attack detection system allows you to collect, summarize and analyze information from many remote sensors on a central console. It stores this information for later analysis and provides the means to perform that analysis. It constantly monitors all installed tracking modules and responds instantly in the event of an alarm. Finally, an intrusion detection system is nothing more than an expensive toy unless you have information security experts on staff who know how to use the system and how to respond to the ever-growing information threat. All these components together form a real and effective attack detection system.

Essentially, these programs are modified analyzers that see all data flows on the network, try to identify potentially harmful network traffic and warn you when it appears. Their main method of operation is to examine passing traffic and compare it with a database of known patterns of malicious activity, called signatures. Using signatures is very similar to how antivirus programs work. Most types of attacks at the TCP/IP level have characteristic features. An intrusion detection system can detect attacks based on IP addresses, port numbers, packet content and any number of other criteria. There is another way to detect intrusions at the system level, which consists of monitoring the integrity of key files. In addition, new techniques are being developed that combine the concepts of intrusion detection and firewalling or take additional actions beyond simple detection (see sidebar "A New Generation of Intrusion Detection Systems"). However, this lecture focuses on the two most popular methods for detecting intrusions on networks and systems: network intrusion detection and file integrity control.
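The paragraph above says a signature-based sensor matches traffic against known patterns using addresses, ports and content. As an added illustration, not the article's code and not taken from any product it names, here is a minimal matcher: each signature is a set of criteria (destination port, a byte pattern in the payload, a source-range condition) and a packet alerts only when every criterion of a signature holds. The packet record layout, the two signatures and the sample packets are constructed for the example; a real sensor works on decoded packets from a capture interface rather than on dicts.

```python
"""Toy signature matcher over decoded packet records.

Added example. Packet dicts carry the constructed fields src, dst, dport and
payload (bytes). Signatures are criteria dicts; all present criteria must hold.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed signatures: identifiers and names are illustrative only.
SIGNATURES = [
    {"id": "SIG-1", "name": "directory traversal in HTTP request",
     "dport": 80, "payload": re.compile(rb"\.\./\.\./")},
    {"id": "SIG-2", "name": "telnet to server from outside the internal range",
     "dport": 23, "src_not_in": ip_network("10.0.0.0/8")},
]

# Constructed sample packets, not captured traffic.
PACKETS = [
    {"src": "192.0.2.10",   "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "192.0.2.10",   "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"},
    {"src": "10.0.0.20",    "dst": "10.0.0.5", "dport": 23, "payload": b""},
    {"src": "198.51.100.3", "dst": "10.0.0.5", "dport": 23, "payload": b""},
]


def matches(sig, pkt):
    """True when every criterion present in `sig` holds for `pkt`."""
    if "dport" in sig and pkt["dport"] != sig["dport"]:
        return False
    if "payload" in sig and not sig["payload"].search(pkt["payload"]):
        return False
    if "src_not_in" in sig and ip_address(pkt["src"]) in sig["src_not_in"]:
        return False
    return True


def scan(packets, signatures=SIGNATURES):
    """Return (signature id, src, dst) for every packet/signature hit, in packet order."""
    return [(sig["id"], pkt["src"], pkt["dst"])
            for pkt in packets
            for sig in signatures
            if matches(sig, pkt)]


if __name__ == "__main__":
    for hit in scan(PACKETS):
        print("ALERT", *hit)
```

Note that the third packet (telnet from an internal 10.0.0.20, constructed) does not alert because the source-range criterion of SIG-2 is not met, while the same port from an outside address does; this is exactly the kind of multi-criterion rule the paragraph describes.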

A network intrusion detection system can protect against attacks that pass through the firewall to the internal LAN. Firewalls can be misconfigured, allowing unwanted traffic into the network. Even when working properly, firewalls usually allow some application traffic inside that can be dangerous. Ports are often forwarded from the firewall to internal servers, with traffic destined for an e-mail or other public server. A network intrusion detection system can monitor this traffic and flag potentially dangerous packets. A properly configured network intrusion detection system can cross-check firewall rules and provide additional protection for application servers.

Network intrusion detection systems are useful in protecting against external attacks, but one of their main advantages is the ability to detect internal attacks and suspicious user activity. A firewall will protect against many external attacks, but when the attacker is on the local network, the firewall is unlikely to help. It only sees traffic that passes through it and is usually blind to activity on the local network. Consider a network intrusion detection system and a firewall as complementary security devices, like a secure door lock and an alarm system: one protects your outer border, the other protects the inside (Fig. 7.1).

Fig. 7.1.
There's a good reason to keep a close eye on internal network traffic. FBI statistics show that more than 70 percent of computer crimes originate from an inside source. Although we tend to believe that our colleagues will not do anything to harm us, sometimes this is not the case. Insider attackers are not always night-time hackers. They may also be disgruntled system administrators or careless employees. The simple act of downloading a file or opening a file attached to an e-mail can introduce a Trojan horse into your system, which will create a hole in the firewall for all sorts of mischief. Using a network intrusion detection system, you can stop such activity, as well as other possible computer intrigues. A well-configured network intrusion detection system can act as an electronic "alarm system" for your network.

New generation of intrusion detection systems

Intrusion detection systems based on detecting anomalous activity

Instead of using static signatures that can only detect clearly malicious activity, next-generation systems monitor normal levels for various types of activity on the network. If there is a sudden surge in FTP traffic, the system will warn you about it. The problem with these types of systems is that they are very prone to false positives, that is, issuing alarms when normal, acceptable activity takes place on the network. So, in the example with FTP traffic, downloading an especially large file will raise an alarm.

It should also be taken into account that an intrusion detection system based on the detection of anomalous activity takes time to build an accurate model of the network. At first, the system generates so many alarms that it is of little use. In addition, such intrusion detection systems can be fooled by someone who knows the network well. If hackers are stealthy enough and use protocols that are actively used on the network, they will not attract the attention of these types of systems. On the other hand, an important advantage of such systems is that there is no need to constantly update the set of signatures. Once this technology reaches maturity and sufficient intelligence, it will likely become a common intrusion detection method.
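The two paragraphs above make three claims about anomaly-based detection: it needs a warm-up period before its model is useful, it flags a sudden surge, and a legitimately large download triggers a false positive. The following added example (not code from the article or from any product) shows all three with a deliberately simple baseline model: a sliding window of per-interval byte counts, and an alarm whenever an interval exceeds the window mean by more than k standard deviations. The metric (FTP bytes per interval), the sample series and the parameters are constructed for the example; real systems use far richer models, but the warm-up and false-positive behaviour is the same in kind.

```python
"""Baseline-and-threshold anomaly detector over a per-interval traffic metric.

Added example. SAMPLES is a constructed series of FTP bytes per interval:
15 ordinary intervals, one large download (index 15), then 4 ordinary ones.
"""
import statistics

SAMPLES = [1000, 1100, 1050, 1150, 1000, 1200, 1100, 1050, 1000, 1150,
           1100, 1000, 1050, 1150, 1100,
           50000,                      # one large, legitimate file download
           1000, 1100, 1050, 1000]


def detect(samples, warmup=10, k=3.0, window=60):
    """Return the indices of intervals flagged as anomalous.

    warmup: number of intervals learned before any alarm is raised (the model
            is not trusted until then, which is the start-up problem above).
    k:      alarm when value > mean + k * stddev of the learned window.
    window: how many recent intervals make up the baseline.
    Flagged intervals are not learned, so a burst does not pull the baseline up.
    """
    flagged = []
    history = []
    for i, value in enumerate(samples):
        if len(history) >= warmup:
            mean = statistics.fmean(history)
            sd = statistics.pstdev(history) or 1.0   # avoid a zero-width band
            if value > mean + k * sd:
                flagged.append(i)
                continue                             # do not learn from the burst
        history.append(value)
        history = history[-window:]
    return flagged


if __name__ == "__main__":
    print("flagged intervals:", detect(SAMPLES))               # the large download
    print("with a longer warm-up:", detect(SAMPLES, warmup=20))  # model never ready
```

Index 15, the constructed large download, is the only alarm: the model did its job in the sense that the interval really is unusual, yet for the operator it is a false positive, because a big transfer is legitimate activity. Raising the warm-up beyond the length of the series illustrates the other side of the trade-off: no alarms at all, because the model is never considered trained.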

Intrusion Prevention Systems

A new type of network intrusion detection system, called an intrusion prevention system, is proclaimed to be the solution to all corporate security problems. The basic idea is to take response actions when alarms are generated, such as writing custom firewall and router rules on the fly, blocking the activity of suspicious IP addresses or requests, or even counterattacking the offending systems.

Although this new technology is constantly evolving and improving, it is still far from analyzing and making decisions at the human level. The fact remains that any system that is 100% dependent on machines and software can always be cheated by a dedicated person (although some defeated chess grandmasters may disagree). An example of an open source intrusion prevention system is Jed Haile's Inline Snort, a free module for the Snort network intrusion detection system discussed in this lecture.
