Intrusion and Response for the Enterprise Net

[Originally published in Internet World, on March 22, 1999. Copyright (c) Penton Media, Inc., 1100 Superior Ave. Cleveland, OH 44114-2543; All rights reserved. Posted with permission.]

By Frederick M. Avolio and David M. Piscitello

When mainframes were the mainstay of computing, we encased them in glass houses. Locked doors and security badges were sufficient to secure our computing resources. But computing is now pervasive, and threats to computing resources have multiplied almost beyond comprehension. In a world where the network is more relevant than any single computer, locked doors simply don't do the job.

The security challenge posed by today's computing paradigm is daunting: Business-critical and highly sensitive information, residing on servers with known and exploitable vulnerabilities, is supposed to be accessible from virtually anywhere. We deploy anti-virus systems to protect our computers and networks and Internet firewalls to block unauthorized access from the public Internet, and we hope that our staff is smarter than the attackers. But, while an organization's network vulnerability grows with each increase in the number of access points and network services required, most can't grow competent security staff as quickly. New and automated mechanisms are needed to deal with network vulnerabilities.

Intrusion detection systems (IDSs) are one such mechanism. The name may conjure images of an omniscient intelligence doing the work of 10 or 100 network and system managers, tirelessly monitoring computers and networks for malicious behaviors and sounding an alarm at the first hint of a problem, while holding the hacker at bay or tracking him across the Internet. Reality falls somewhat short of this.

Today's intrusion detection systems are not as sophisticated or impenetrable as we'd wish; they are neither psychic nor able to discern bad intent or motive. They are, nonetheless, useful and effective additions to security defenses, and they are being used by small and large enterprises today: According to industry estimates, the market for intrusion detection products has grown from $40 million in 1997 (Yankee Group) to $100 million in 1998 (Aberdeen Group).


There are two types of IDSs: scanners and monitors, both of which can be deployed on networks or individual computers. Scanners are static analysis tools that we might call vulnerability checkers. They look for known problems: things like bad passwords, missing security patches and weak configurations (such as a desktop machine allowing anyone to mount and read its C: drive). Scanners can also check to see whether important files have been removed or modified, and warn of vandalism or system administrator errors. Monitors are dynamic analysis tools, looking for attacks in progress.

Scanners are used periodically, checking important servers, firewall machines, or any computer on a network. Network scanners check network services offered by individual computers on a network. Some also check for changes in security state, access controls, and passwords. System scanners make a cryptographic "snapshot" of a system, so they can later tell if important files (system configuration files, system programs, even web pages) have been modified. Some are set up simply to sound an alarm; others can also replace changed files with "good," cached copies. Tripwire Security Systems' Tripwire, BindView Development's HackerShield, and WebTrends' Security Analyzer are among the growing number of vulnerability checkers available today, with support for different Unix systems as well as Windows NT. Among those that do network vulnerability checking are Axent's NetRecon.

Pete Cafarchio, Program Manager of the Intrusion Detection Systems Consortium at ICSA, enumerates some major benefits of vulnerability checkers: "They can help reduce the huge amount of security audit trails and logs into useful information, allowing administrators to fine tune systems. They help spot system configuration errors that have security implications, and are used to monitor the integrity of other key security servers like firewalls. It's very common for us to hear of people who discover some major security holes that they never knew existed within the first 30 minutes after installing an IDS."

Bill Tillery of National Bank of Alaska uses BindView's NOSadmin clients for both Windows NT and Novell, and reports, "With this tool, we were able to automate manual tasks that were time-intensive. We now have more information to work with and it's more accurate."

Dynamic analysis systems are also known as "threat monitors." They examine events as they are happening. There are two types of threat monitors: Anomaly detectors ask, "what is unusual here?" while misuse detectors ask, "what is bad here?"

An anomaly detector is told, or actively "learns," what normal behavior is (for an individual, a system, or a network) and takes action when some event falls outside of some normal range. Basically, it lets us know when "something is fishy." People can be trained to do anomaly detection very well. It's very difficult to do by computer.

Much research has been done in the area of anomaly detection, but only very simple anomaly detection systems are in real use today. Disk usage growth or shrinkage outside of a certain rate per minute can be tagged as an anomaly. Individual user activities outside of "normal use" hours, or connections to the network that are not from the user's "usual" machines, are easily flagged as anomalous behavior. Sophisticated systems, where, for example, an individual user's typing patterns or network use patterns are "learned," are not here yet.
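The simple anomaly checks just described (unusual hours, unusual machines, disk usage changing too fast) look like this in practice. This is an added example, not code from the article; user names, host names, the history records and the 50 MB per minute limit are all constructed.

```python
from collections import defaultdict

# Constructed history used to "learn" normal behaviour:
# (user, hour of day, source machine).
HISTORY = [
    ("alice", 9, "ws-12"), ("alice", 13, "ws-12"), ("alice", 17, "ws-12"),
    ("bob", 8, "ws-07"), ("bob", 11, "laptop-bob"), ("bob", 18, "ws-07"),
]

def learn_profiles(history):
    """Per user: earliest and latest hour seen, and the set of machines used."""
    profiles = defaultdict(lambda: {"first": 23, "last": 0, "hosts": set()})
    for user, hour, host in history:
        p = profiles[user]
        p["first"] = min(p["first"], hour)
        p["last"] = max(p["last"], hour)
        p["hosts"].add(host)
    return dict(profiles)

def login_anomalies(profiles, event):
    """Return the reasons a login falls outside the user's learned profile."""
    user, hour, host = event
    p = profiles.get(user)
    if p is None:
        return ["no profile for user"]
    reasons = []
    if not p["first"] <= hour <= p["last"]:
        reasons.append("outside normal hours")
    if host not in p["hosts"]:
        reasons.append("unusual machine")
    return reasons

def disk_anomalies(samples, max_mb_per_min):
    """samples: (minute, used MB). Flag intervals whose growth or
    shrinkage rate exceeds the limit."""
    flagged = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        rate = (u1 - u0) / (t1 - t0)
        if abs(rate) > max_mb_per_min:
            flagged.append((t1, rate))
    return flagged

if __name__ == "__main__":
    profiles = learn_profiles(HISTORY)
    for ev in [("alice", 10, "ws-12"), ("alice", 3, "ws-12"), ("bob", 9, "ws-99")]:
        print(ev, login_anomalies(profiles, ev))
    print(disk_anomalies([(0, 500), (1, 502), (2, 640), (4, 642)], 50))
```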

The other kind of dynamic analysis is misuse detection. There are two types of misuse detection systems. For the first type, we make a list of things that should not happen, and then the IDS watches for these events. "What should not happen" is based directly on the network security policy. For example, if the security policy says only HTTP, FTP, and SMTP are permitted from the Internet through the firewall, a misuse system watches for other types of packets from the firewall. This is difficult for an attacker to fool. The second type of misuse detection system is also called an attack signature recognition system. Misuse or attack signatures are first codified, then a data source (a network telemetry system or an operating system audit log) is monitored for patterns of attack. A user-level process that starts up and acquires system or "root" privileges without executing the "su" (set user) command is an example of a simple misuse signature on a Unix system. NetProwler (Axent) and Anzen Flight Jacket for NFR, among others, handle this job at the network level, while CyberCop Server (Network Associates) and Axent's Intruder Alert are two of the products that monitor activity on servers at the enterprise level.
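Both kinds of misuse detection described above, side by side: a policy check on traffic and a signature check on an audit trail. This is an added example, not code from the article or from the products it names; the flow records, the audit record format and the mapping of services to TCP ports are assumptions made for illustration.

```python
# Policy from the text: only HTTP, FTP and SMTP may pass from the Internet.
# Mapping those services to TCP ports 80, 21 and 25 is an assumption here.
ALLOWED_TCP_PORTS = {80: "HTTP", 21: "FTP", 25: "SMTP"}

# Constructed flow records seen inside the firewall:
# (source, destination, protocol, destination port).
FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 80),
    ("198.51.100.7", "192.0.2.10", "tcp", 23),
    ("203.0.113.44", "192.0.2.25", "tcp", 25),
    ("203.0.113.44", "192.0.2.10", "udp", 69),
]

def policy_violations(flows):
    """First kind: any flow the policy does not permit is reported."""
    return [f for f in flows
            if f[2] != "tcp" or f[3] not in ALLOWED_TCP_PORTS]

# Constructed audit records in a hypothetical format, in time order.
# Each record gives the program a process is running and its effective uid.
AUDIT = [
    {"pid": 411, "cmd": "sh", "euid": 1001},    # user's shell forks a child
    {"pid": 411, "cmd": "su", "euid": 0},       # child runs su: expected path
    {"pid": 412, "cmd": "sh", "euid": 0},       # root shell started by su
    {"pid": 520, "cmd": "ftpd", "euid": 1002},  # unprivileged service process
    {"pid": 520, "cmd": "sh", "euid": 0},       # same process now root, no su
]

def root_without_su(records):
    """Second kind: signature for a process that began unprivileged
    and became root without running su."""
    first_euid = {}
    alerts = []
    for r in records:
        start = first_euid.setdefault(r["pid"], r["euid"])
        # Matching on the command name keeps the example short; a real
        # monitor would identify the su binary by something harder to fake.
        if start != 0 and r["euid"] == 0 and r["cmd"] != "su":
            alerts.append((r["pid"], r["cmd"]))
    return alerts

if __name__ == "__main__":
    for flow in policy_violations(FLOWS):
        print("policy violation:", flow)
    for pid, cmd in root_without_su(AUDIT):
        print("signature match: pid", pid, "became root while running", cmd)
```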

Some vendors have suites of products that work together and scan for threats and vulnerabilities on systems and the networks around them. Examples of this are eNTrax (Centrax Corporation) and SafeSuite (Internet Security Systems).


Intrusion detection systems are already in fairly widespread use today enhancing the security of enterprise networks. In the future, as with all network security mechanisms, IDSs will have to work in concert with other security systems. Prevention systems, such as firewalls and access servers, could change configuration based on actions from detection systems. Internet Security Systems calls this adaptive network security. Network Associates calls it active security. No matter how marketing departments label these, prevention, detection, and response systems that work together are within our grasp. Intrusion detection systems are key to making this happen.

Fred Avolio is a security and e-mail consultant.

David Piscitello is a principal consultant at Core Competence.