
IDS finds niche as analytical tools

By Joel Snyder, David Newman and Rodney Thayer, Network World Global Test Alliance, Network World
October 13, 2003 12:10 AM ET

Page 3 of 3

Fourth scenario: Finding the worms

Because our test network was intentionally behind on its patches, we knew the Microsoft RPC DCOM vulnerability would hit us hard. The question was: who got hit? In a large network, being able to ask that question and quickly find (and patch) those machines would be a high-priority security problem to solve. These systems are especially easy to find, because they start scanning other networks, looking for systems to infect. We turned to the forensics features of the IDSs to help.

Barbedwire was a disappointment. The issues we had with performance came back to haunt us. Because the infected systems were generating traffic at a furious rate, we had databases with more than 100,000 events each day. That's not an unreasonable amount for an enterprise network to generate on a bad day, but it was way too much for the Barbedwire systems to handle. Any attempt to generate reports just didn't work.

With NFR, the key to any forensics investigation is figuring out what event you're looking for. We knew from CERT's advisory to look for PING traffic and dove into NFR. Our first guess, "ICMP Pingflood," turned out to be wrong, but after a few seconds, we came up with "IP Hostscan." NFR gave us the attacker IP addresses we needed, but little else. For example, we could not see what port numbers were being attacked, which might have been useful in other contexts. NFR's GUI is also difficult in forensics mode: When you want to see the description for a particular event, you have to jump to another part of the GUI.

This test also exposed a problem common to all the products (except Barbedwire) - you can't see the offending packets. You never get to check the signatures to see if they are generating false positives.

Intrusion's forensics tool opens with a set of canned views into the forensics database: by attacker, by target, by priority and by signature group. We started with signature groups and clicked on the first level of the tree. Each major signature group was shown, along with a count of events. The group we were looking for stood out like a sore thumb, with hundreds of thousands of events. One more click (on "firewall services") and ICMP Ping Sweep and SMB Scan both stood out again - teaching us something we hadn't learned with NFR.

At this point, Intrusion doesn't further sort items, which means that if we went with the out-of-the-box product, we'd have to sort through long lists of events. But building a new tree was the quick solution to that. A few clicks let us add a new summarization level underneath signature and source IP address, and now we had the information we wanted. Sort of. We could see it on the screen, but there was no way to simply drop it into a spreadsheet.

ISS didn't let us quickly move to the signature we wanted, but gave us a few pre-built options. An obvious one, event analysis by attacker, created one line item for every "attacker" in the network. We sorted by count, and the infected machines on our network slipped to the top immediately. ISS would have let us trim the query by putting in only our corporate IP addresses, but because we had multiple sites, the ranges weren't compatible with its GUI.

From the list of attackers, we picked up our favorite feature in any of the products. We right-clicked on an attacker, and up came a list of questions you might like answered. In our case, it was "what events were generated by this attacker?" We clicked and waited 2 seconds, and then we knew what ISS was going to call the worm attackers. We right-clicked again on the relevant event, and there was our analysis question: "what are the sources of this event?" Another 10 seconds, and there was our list. Select the column, copy, and there's the full list, exported. ISS got this right, in spades.

Cisco didn't have the slick response time of ISS, but did have similar features. In Cisco's event view, the basic paradigm is of a spreadsheet with movable and expandable columns. Grab whatever column you think is most important and drag it to the left, and Cisco's IDS Management Center will sort your data according to that column and summarize repeated items, giving a count along the way. It's a beautiful way to look at your data and would have been even better than ISS except for one flaw: When you move a column, you lose your place in the data.

Find something interesting and want to drag that column to the left to resort the data? Cisco does it, but whatever you were most interested in gets put back into the pile.

In our tests, ISS came through with flying colors, giving us the freedom to go through our data quickly, searching for patterns and problems. Cisco and, to a lesser extent, Intrusion both have a similar capability, but could learn a lot from the flexibility and freedom in the ISS interface.

Cisco and Intrusion are actually more flexible than ISS for some queries, because you can pivot on any column in their interfaces, whereas ISS limits you to the most common possibilities. However, in two months of working with these products, we never hit a wall with ISS.
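As an added example (not code from the article or from any of the reviewed products), here is the pivot-and-count triage the review describes, run over constructed IDS events: summarise by attacker, restrict to hypothetical corporate ranges for two sites, pivot on a signature or source, and export the result as CSV.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample IDS events (not real data): time|signature|src|dst|dport
SAMPLE_EVENTS = """\
2003-08-12T10:00:01|IP Hostscan|10.1.4.17|10.1.5.1|135
2003-08-12T10:00:01|IP Hostscan|10.1.4.17|10.1.5.2|135
2003-08-12T10:00:02|IP Hostscan|10.1.4.17|10.1.5.3|135
2003-08-12T10:00:02|ICMP Ping Sweep|192.168.7.9|10.1.5.4|0
2003-08-12T10:00:03|ICMP Ping Sweep|192.168.7.9|10.1.5.5|0
2003-08-12T10:00:03|IP Hostscan|172.16.0.200|10.1.5.6|135
2003-08-12T10:00:04|HTTP Login Failure|10.1.4.99|10.1.9.10|80
"""
FIELDS = ("time", "signature", "src", "dst", "dport")
# Hypothetical corporate ranges for two sites (the review's multi-site case).
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.7.0/24")]

def parse_events(text):
    """Parse pipe-separated event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == len(FIELDS):
            events.append(dict(zip(FIELDS, parts)))
    return events

def in_corporate(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_RANGES)

def pivot(events, column, corporate_only=False, **where):
    """Count matching events by `column`, highest first; `where` = exact-match filters."""
    rows = [ev for ev in events if all(ev[k] == v for k, v in where.items())]
    if corporate_only:
        rows = [ev for ev in rows if in_corporate(ev["src"])]
    return Counter(ev[column] for ev in rows).most_common()

def export_csv(rows, header):
    """Render pivot rows as CSV text, the 'drop it into a spreadsheet' step."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    # Internal hosts generating the scan signature, ready for a spreadsheet
    print(export_csv(pivot(parse_events(SAMPLE_EVENTS), "src", corporate_only=True, signature="IP Hostscan"), ("src", "events")))
```

The two questions the review asked of ISS map to `pivot(evs, "signature", src=X)` and `pivot(evs, "src", signature=Y)`; the `corporate_only` flag does in code what the ISS query GUI could not do for multiple address ranges.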

Which IDS is right for you?

If you already know that you want an IDS, our two candidates would be ISS and NFR. If you think that writing signatures is going to be part of your application and if you're looking for a combination of policy enforcement and security, NFR comes in a clear winner with its N-Code language.

But if you think signatures should come from the vendor, ISS provided the best ability to manage the data thousands of systems would generate.

Thanks
Network World gratefully acknowledges the support of vendors that supplied key infrastructure for this project:
American Power Conversion supplied its SmartUPS XL5000 uninterruptible power supply.
HP supplied ProLiant ML330 servers to act as "sacrificial lambs" hosting a variety of Unix and Windows operating systems.
Atanda Web Presence Services hosted the San Jose site within our test bed.

If you're not happy with ISS' options, Intrusion offers a similar product line but with reduced management capabilities.

Cisco has wide potential and enormous breadth in its sensor options. If the company is successful at integrating the CTR technology into its product, Cisco will be a clear contender. While its Web-based GUI is relatively slow, it also has some brilliant engineering behind it. Likewise, Intrusion has potential with its pieces but needs to build them into a better-integrated whole.

Barbedwire, the newcomer in this bunch, builds on the respected high-performance Snort engine. However, Barbedwire's choice of database and tuning on its hardware platform were major errors in execution. Performance problems on the low-speed networks we threw at its products suggest that it needs to go back to the engineering table. It could spend less time on elegant Linux GUI management pieces and more on the security application its platform is supposed to support.
