Flight Jacket for NFR follows hackers' travels


When it comes to intrusion detection, most network executives are interested in recognizing an attack and fixing the vulnerability so it can't happen again. But Paul Howell is focused on responding to a hack as it's occurring and catching the intruder in the act.

Howell is senior systems research programmer for Merit Network, a non-profit Internet service provider in Ann Arbor, Mich., that performs Internet research and development for the state's educational community. He uses Anzen Computing's Flight Jacket for NFR to watch for suspicious activity on his network.

Over the years, Howell has researched and tried several network traffic analysis products. Some were commercial off-the-shelf (COTS) intrusion detection tools that identify common attack methods by monitoring network traffic and comparing it against a fixed set of known attack signatures.

These tools have drawbacks. Network administrators can't alter the attack signatures, and as many as 1,000 packets may have to pass before a tool recognizes a security threat. Because the signatures are closed, there is also no way to verify that a COTS tool actually works other than to run a particular type of attack against it and see whether it is detected.

"COTS-based tools find COTS-based attacks. On a deeper level, these tools don't address the sophisticated ways of breaking in," says Howell.

Before installing Flight Jacket for NFR, Howell found himself writing Perl scripts to analyze TCP/IP packet dumps just to determine how much of his traffic was HTTP and how much was Usenet news. He realized he needed an intrusion detection package built around a programmable sniffer, one he could easily reconfigure for sites with widely different architectures. Such a tool inspects and analyzes packet flows to detect the connection patterns that indicate an attack, rather than only matching individual packets against fixed signatures.

Howell evaluated a research version, or pre-release copy, of Network Flight Recorder's NFR intrusion detection software when it was released in 1998. With it he could examine data packets, filter traffic, and watch totals for a specific type of traffic in real time. Because the source code was available, he could also write his own application to detect an attack and record an intruder's activities, producing a trail of evidence.

At the time, NFR didn't offer a license to install its product in an operational environment, so Howell turned instead to a value-added reseller (VAR) version of the product, Flight Jacket for NFR from Anzen Computing. He based his purchasing decision on the product's capabilities, price and performance, as well as the reputations of both vendors.

In particular, he was impressed with NFR's programmable interface, which he uses to write custom filters. He says the filter language is very easy to pick up, especially for anyone who has done Unix shell, C or Perl programming.
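The two jobs the article describes, counting traffic by type (the HTTP and Usenet news totals Howell first computed with Perl over packet dumps) and a custom filter that flags a connection pattern rather than a single packet, look like this in Python. This is an added example and not the NFR filter language or any code from Howell, Merit, Anzen or NFR; the input format is the text `tcpdump -n` prints, the sample dump is constructed, and the port-scan threshold and time window are assumed values. As in the product, the filter produces an alert with its supporting packets for a person to act on; it does not push a block rule anywhere.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n` output in its Flags/length form. The regex and the
# sample dump below are constructed for this example; neither is from the article.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\].*?\blength\s+(?P<len>\d+)"
)

# The two traffic classes the article counts, keyed by well-known server port.
PORT_TYPES = {80: "http", 119: "nntp"}

# Constructed sample: one HTTP exchange, one NNTP post, and a single host
# probing six ports on 192.0.2.10 within a millisecond.
SAMPLE_DUMP = """\
10:00:00.000001 IP 10.1.1.5.40000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
10:00:00.000500 IP 192.0.2.10.80 > 10.1.1.5.40000: Flags [S.], seq 7, ack 2, win 65535, length 0
10:00:00.001000 IP 10.1.1.5.40000 > 192.0.2.10.80: Flags [P.], seq 2:300, ack 8, win 65535, length 298
10:00:01.000000 IP 10.1.1.6.40001 > 192.0.2.11.119: Flags [P.], seq 1:121, ack 1, win 65535, length 120
10:00:02.000000 IP 203.0.113.9.5000 > 192.0.2.10.21: Flags [S], seq 1, win 1024, length 0
10:00:02.000100 IP 203.0.113.9.5001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
10:00:02.000200 IP 203.0.113.9.5002 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
10:00:02.000300 IP 203.0.113.9.5003 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
10:00:02.000400 IP 203.0.113.9.5004 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
10:00:02.000500 IP 203.0.113.9.5005 > 192.0.2.10.110: Flags [S], seq 1, win 1024, length 0
"""


def _seconds(ts):
    """'10:00:02.000100' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_dump(text):
    """Turn tcpdump text into a list of packet dicts; lines that do not match are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        packets.append({
            "ts": _seconds(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"], "len": int(m["len"]),
            "raw": raw,
        })
    return packets


def traffic_by_type(packets):
    """Packets and payload bytes per class, counting both directions of a service."""
    totals = {t: {"packets": 0, "bytes": 0} for t in list(PORT_TYPES.values()) + ["other"]}
    for p in packets:
        kind = PORT_TYPES.get(p["dport"]) or PORT_TYPES.get(p["sport"]) or "other"
        totals[kind]["packets"] += 1
        totals[kind]["bytes"] += p["len"]
    return totals


def detect_port_scans(packets, threshold=5, window=1.0):
    """Flag a source that sends bare SYNs to >= `threshold` distinct ports within `window` seconds.

    Threshold and window are assumed values for the example. Each alert carries the
    raw lines that triggered it, so the analyst has the evidence, not just a verdict.
    """
    syns = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":  # SYN without ACK: a new connection attempt
            syns[p["src"]].append(p)
    alerts = []
    for src, plist in syns.items():
        plist.sort(key=lambda p: p["ts"])
        start = 0
        for end in range(len(plist)):
            while plist[end]["ts"] - plist[start]["ts"] > window:
                start += 1
            seen = plist[start:end + 1]
            ports = {p["dport"] for p in seen}
            if len(ports) >= threshold:
                alerts.append({"src": src, "ports": sorted(ports),
                               "evidence": [p["raw"] for p in seen]})
                break  # one alert per source, reporting the window that first crossed the line
    return alerts


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    for kind, t in traffic_by_type(pkts).items():
        print(f"{kind:6s} {t['packets']:3d} packets {t['bytes']:6d} payload bytes")
    for a in detect_port_scans(pkts):
        # The alert goes to a person; nothing here sends a shut-off command to a firewall.
        print(f"possible scan from {a['src']} to ports {a['ports']}")
        for line in a["evidence"]:
            print("   ", line)
```

Feed it a real capture with `tcpdump -n -r file.pcap | python3 filter.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`. The scan filter keys on connection pattern (many distinct destination ports from one source in a short window), which is the kind of check a per-packet signature cannot express.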

The current version of Flight Jacket for NFR costs $16,000 per segment for a turnkey package that offers multi-platform support and SSL/SSH (Secure Sockets Layer/Secure Shell) encryption.

Howell found some of the product's pre-packaged filters useful for cutting programming time, and notes that they hold up particularly well when the network is flooded with traffic. One Anzen filter checks for three types of attack in a single pass, where intrusion detection tools typically run a separate filter for each, which helps performance.

Flight Jacket for NFR provides real-time intruder tracking and can be customized to alert administrators to new attacks or system compromises. Howell uses it to respond to intrusions and to coordinate with law enforcement, as well as for routine network analysis such as viewing traffic by type or spotting anomalies.

Unlike many other intrusion detection tools, Flight Jacket for NFR doesn't offer user-definable automated scripts that act on alerts, for example by relaying shut-off commands directly to a firewall or router, or by disabling a user account or session. Howell, however, believes these decisions are best left to humans, so that the product doesn't cut off legitimate communications it has mistaken for an attack.

Contact Associate Features Editor Suzanne Gaspar