by Throop Wilder, special to Network World

Intrusion-detection apps boost security

Jan 13, 2003

In their earliest versions, intrusion-detection systems focused extensively on postevent audit-trail analysis. Today, IDS applications monitor, detect and respond to unauthorized activities within networks in real time. IDS applications have emerged to strengthen security on the perimeter and maximize the capabilities of already deployed network firewalls.

Most intrusion attacks fall into one of three major categories – reconnaissance (ping sweeps, port scans and indexing public Web servers to find Common Gateway Interface holes), exploits (using hidden features or bugs to gain network access) or denial-of-service attacks, through which an intruder tries to crash a system or overload a network.

IDSs attempt to stop these attacks by scanning network traffic for signatures (any pattern or sequence of patterns that constitutes a known security violation); for policy anomalies, such as variations in traffic or network protocol that can signal impending illegal activity; and for signs of unwarranted activity that could point to attacks from inside or outside the network.

Every user or device has a pattern of usage, one that is potentially unique. Any anomalies that cannot be resolved are considered potential attacks and are investigated. Once an attack signature is detected, several actions can be taken to stop or trace the attacker, as well as record the event and notify an administrator.

Network IDSs have three primary components: sensors, managers and consoles. Sensors are applications that are deployed throughout networks to monitor for suspicious behavior. Managers store signature data and alert data from the sensors and activity logs. Consoles are graphical user interfaces for managing individual sensors throughout networks.

Typically, sensors are deployed inside and outside firewalls. A sensor outside a firewall can watch for unsuccessful reconnaissance missions from unauthorized users, and if a hacker gets past the firewall, provide a complete audit trail of how the intrusion occurred, to prevent future unauthorized entries. Behind the firewall, sensors collect data that is fed from switched network segments.

As traffic flows through an IDS sensor, the sensor analyzes TCP packets to determine if the destination address (or other criteria) falls within the range for which it is responsible; if not, it ignores the packet and the corresponding sensor eventually picks it up. If it does fall within the range of responsibility, the sensor compares the packet against the manager’s database of attack signatures. Many IDS applications now allow for stateful signature inspection, wherein a sensor can detect, identify and prevent more sophisticated attacks that take place over a series of packets, which individually seem innocuous. IDS managers also can store and dynamically develop baseline metrics for a network’s typical operating profile throughout the day, week, month and year. Traffic patterns that don’t adhere to the baselines represent potential intrusions.
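The stateful inspection just described, as an added example that is not from the article or any vendor product: a toy sensor that checks its range of responsibility, buffers payload per flow so a signature split across two packets still matches where per-packet matching misses it, and counts distinct ports per source as a simple reconnaissance baseline. The Packet type, the signature pattern and the thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes carried by this packet

# Constructed signature for this example: the name and byte pattern are
# placeholders, not a rule from any real sensor's database.
SIGNATURES = {"cgi-traversal-probe": b"/cgi-bin/../../"}

def stateless_match(pkt):
    """Per-packet inspection: fires only if the whole pattern sits in one payload."""
    return [name for name, sig in SIGNATURES.items() if sig in pkt.payload]

class StatefulSensor:
    """Buffers payload per flow so a pattern split across packets still matches,
    and counts distinct ports per source to flag reconnaissance-style scans."""

    def __init__(self, watched_prefix, scan_threshold=10, max_buffer=4096):
        self.watched_prefix = watched_prefix  # destinations this sensor owns
        self.scan_threshold = scan_threshold  # distinct ports before a scan alert
        self.max_buffer = max_buffer          # bytes kept per flow (bounds memory)
        self.flows = defaultdict(bytes)       # (src, dst, dport) -> buffered payload
        self.ports_seen = defaultdict(set)    # src -> distinct destination ports
        self.alerts = []                      # everything this sensor has raised

    def inspect(self, pkt):
        """Return the alerts raised by this packet (empty list if none)."""
        if not pkt.dst.startswith(self.watched_prefix):
            return []  # outside range of responsibility: another sensor handles it
        key = (pkt.src, pkt.dst, pkt.dport)
        # Keep only the tail of the flow; a pattern longer than max_buffer is missed.
        buf = (self.flows[key] + pkt.payload)[-self.max_buffer:]
        found = [(name, pkt.src, pkt.dst) for name, sig in SIGNATURES.items() if sig in buf]
        # Clear the buffer after a hit so a repeated probe on the same flow alerts again.
        self.flows[key] = b"" if found else buf
        self.ports_seen[pkt.src].add(pkt.dport)
        if len(self.ports_seen[pkt.src]) == self.scan_threshold:
            found.append(("port-scan", pkt.src, pkt.dst))
        self.alerts.extend(found)
        return found
```

The per-flow buffer is what makes the second half of a split pattern visible; a real sensor also has to reorder segments and expire idle flows, which this toy omits.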

When a sensor sees a subset of a packet, an entire packet or a set of packets whose bit sequence matches an attack signature, it triggers an alarm and may block the offending traffic stream. Typically, these response modes include notifying an administrator via e-mail or pager; capturing packets for the remainder of a session for analysis; generating a log file; terminating an attacker’s session through a TCP/IP reset; reconfiguring or hardening a firewall; and executing a batch file. A sensor will send the event to a higher-level manager, which can terminate the connection and record the session for forensic analysis.

Like all new technologies, IDS has growing pains. Perhaps the most widely perceived issue is “false positive” overload. Because intrusion detection is somewhat imprecise, legitimate traffic can have characteristics that resemble intrusions or network attacks.

Typically, at that point, alerts are generated and security administrators notified. But an overabundance of intrusion alerts can numb administrators to real attackers. Fortunately, IDS vendors and a new class of management software called security information management are providing methods of reducing false positives through better tuning or the correlation of multiple security device logs.

Wilder is a co-founder and vice president of marketing for Crossbeam Systems. He can be reached at throop@crossbeamsys