An intrusion detection system (IDS), usually found in a hardware-based offering, detects attackers, and unwanted/unauthorised access to a computer network. This article is for network administrators and architects, as well as senior IT management, who need to know the basic and complex feature sets to make the best use of these systems.
In a typical network scenario, a firewall is usually capable of keeping bad guys out. While anti-virus (AV) software detects and stops most viruses, password protection systems take care of access-control etc. Thus, most IT management naturally question, “Why do I need an IDS?
The reasons are in the fundamental working of IDSs. A firewall controls network traffic at the TCP/IP port level, by blocking access to unwanted ports. However, it keeps open those ports used by applications—for example, port 80 for HTTP traffic. Thus, all attacks over HTTP will not be stopped by the firewall. Similarly, AV systems are great at detecting viruses, but time has proven that they fail to protect from malware such as adware or spyware. Passwords certainly provide the basic building block in security systems, but are prone to attacking attempts; they could be stolen manually or electronically, or could be easily guessed, in a worst-case scenario.
Thus, having basic security only yields the feeling of security, rather than actual security. Modern attackers are experts who exploit software vulnerabilities by using technical tools, and devise methods to break into a network to achieve their purpose. To handle smart attack attempts, an even smarter security mechanism is needed, which will proactively and intelligently keep an eagle’s eye on the network, and monitor and report incidents swiftly. IDSs or IPSs (Intrusion Protection Services) are solutions that encompass these requirements.
How does an IDS work?
An IDS is essentially a network-based solution, typically designed around a UNIX or Linux kernel. Please refer to Figure 1, which depicts how an IDS device is incorporated in a network. While other forms of security defense such as routers, firewalls are required in a network, IDSs act as a complementary means to further strengthen security.
From the installation point of view, the IDS device is usually situated in a demilitarized zone (DMZ), whereby the basic level of protection is taken care of by routers and firewalls, followed by a further level of intelligent intrusion detection. It comes equipped with network interfaces capable of handling heavy network traffic, and configured to work in a promiscuous mode, which enable it to sniff the entire network traffic without causing disruption or slow-downs. It monitors all network packets right from OSI Layer 2 (Data) to Layer 7 (Application), and stores this vast amount of information in its database. It also assimilates that information by applying intelligence to it, to take security decisions.
Intrusion detection mainly focuses on the intention of an attack, rather than just on the methodology. It is capable of doing so by running multiple built-in intelligent algorithms called statistical anomaly-based detection logic. For example, instead of only looking for a virus signature, an IDS device checks network packets and establishes a relationship between the information in the packets, and its potential impact on the network from the security viewpoint. This approach helps the IDS to minimize false alarms. As another example, an IDS can be configured to look for distributed-denial-of-service (DDoS) attacks on a website. While all HTTP traffic coming to the Web server may be legitimate, it takes extra electronic intelligence to check if the traffic is really legitimate, or part of a possible attack. An IDS does this by storing all requests, and using its intelligence to check each network packet, Web request, XML and other forms of Web data, and performing historic analysis etc., before the request reaches the Web server. Due to this difference in the approach to detection, IDSs are “must-have” components in modern network security infrastructures.
What do I need in an IDS?
It is important to note that the security in a network is only as good as the most insecure infrastructure component in that network. For example, if a desktop is not patched, it can become a potential node where viruses, trojans and malware can hide. Hence, the IDS should be installed, configured, and used to look at all network segments in a corporate network, from the internet-facing DMZ to the internal LAN. Typical pre-requisite features of an IDS are:
- Detect attacks originating from a program or a person.
- Record attack patterns to continuously improve detection logics
- Detect attacks from Layer 2 to Layer 7 (data link to application)
- Alert and report using a powerful dashboard and escalation mechanisms.
- Information warehousing to store all previous attacks for future forensic evidence.
In a few advanced IDS devices, we can expect those to perform vulnerability analysis based on historic data, to see recurring culprits; file integrity checks to ensure that security is being imposed to the most granular level; and also a management console, to manage globally dispersed IDS devices from a single administration point.
On the other hand, an IPS not only detects attacks, but is also capable of stopping it, and providing advanced alert facilities. Almost all devices sold in the market today are IPS devices, rather than just being detection systems.
Configuring an IDS/IPS device
If an IDS/IPS device is newly being installed in a network, it is always advisable to configure it first in “alert-only” mode, which means it should not take any proactive actions on the attack. This is essential for the network administrator to set security policies as needed and get used to the device, to understand how aggressively the IPS system can alert about a situation, and whether or not the device runs smoothly in that network without causing any disruptions. Once the admin reaches a better comfort level, the appliance can be configured to start protecting from attacks, but with all the alert levels turned on. This gives more insight into how the device responds to each attack, and helps understand which alarm is a false alarm, and which is not. Since each network scenario is different, the interpretation of an attack, and its severity, may vary. The network admin can then reach a conclusion in terms of tuning alert levels further, to report incidents appropriately.
If available, an IDS/IPS device can be hooked up to a CRM system, whereby a trouble ticket could be generated and escalated based on the severity of the attack situation. With a proper SLA policy and solution designing, an end-to-end security response system can be established. The built-in reporting functionality can be customized to produce detailed technical reports for admin teams, and high-level security reports for the IT management.
Various commercial IDS/IPS products
Since security is of paramount importance in a corporate IT infrastructure, there are a lot of commercial offerings from various vendors in the intrusion detection and protection space. While most products carry a high price tag, there are moderately priced products, as well as open-source solutions for those interested. Let’s take a look at a few popular commercial products.
IBM Proventia: This is a suite of security solutions, which also offers a NIPS device (network intrusion protection service) at its core. This device is a robust tool, ideal for very large and complex networks. Its vast feature set helps network admins detect common as well as the most recent vulnerabilities. Proventia comes with a zero-day patching mechanism, whereby a network administrator can create a defence policy against a newly published attack, before the vulnerable vendor product releases a formally tested official patch. Proventia can be incorporated along with other IBM ISS offerings such as patch management, application scanning etc. to form a complete security solution.
Juniper Networks IDP: Since Juniper Networks established themselves as a provider of technically advanced high-end networking products, they introduced their own IDP solutions in the form of hardware appliances. A few powerful features, such as protocol and traffic anomaly detection, and zero-day worm protection are incorporated in it, which make it suitable for high-performance networks.
Cisco Secure IDS and McAfee Intrushield are also examples of enterprise-level IDS/IPS appliances.
All the above devices are available in different models, categorized based on their network throughput, the number of network ports, and feature sets. While those are meant for large-scale networks of big corporations, there are models available for medium-scale networks with lower network volumes, and that too, without compromising on the feature sets.
Now let’s look at some open-source solutions.
Open-source intrusion protection solutions
Snort: With a large installation base, Snort is the most popular open-source IDS/IPS system available. It is capable of performing real-time protocol analysis and content search to detect malware, similar to a commercial IDS system. Snort supports a wide range of operating systems from XP to Linux/AIX/Solaris etc., and has its own rule-based language to design intrusion-detection policies and protective actions.
OSSEC: Falling in the same category as Snort, OSSEC is another host-based open-source project to address intrusion-protection needs. It comes with ample documentation, and supports multiple operating systems. A network administrator can download and install OSSEC free of cost to try and test, and can purchase commercial support for the product from Trend Micro.
Besides the above products, there a are few other offerings available in the open-source world. Recently, the US Department of Homeland Security and the Open Information Security Foundation worked with multiple security vendors to come up with an open-source engine called Suricata. They claim it to be powerful and more functionally versatile than Snort or any other open-source solution available. While the skepticism about open-source software still persists, firms and corporations who are serious about security have put this at the top of their IT agenda.
Cyber security, like any other form of security, is a process of continuous improvement. As more and more countries in the world connect to the Internet, the resulting increased awareness is going to bring benefits, as well as its own set of problems. Since the most serious threat is cyber security, eventually IDS/IPS devices are going to be a de-facto standard component in any IT infrastructure. Configuring IPS devices is an art, and needs a deep level of networking knowledge, combined with real-time experience. As mentioned before, there are multiple products and solutions available in the market. If a network lacks an IPS, it should be a top priority for IT management to stop attacks before they happen.
Published in Linux For You Magazine