|
|
|
Date Submitted:
06/18/05
Hits: 147 Rating:  based on 0 votes
Introduction to Network Security - Intrusion DetectionAdded by Papergrl
Written by: Mitchell Rowton Overview of Intrusion Detection System (IDS) An Intrusion Detection System is designed to detect unscrupulous activities that compromise the confidentiality, integrity, or availability of network or computer systems. This paper first discusses the two different types of IDSs, network based and host based. It then covers the two methods used to detect intrusions, signature based and behavior based. This is a basic paper that will only touch on a broad overview of IDS technologies; it is only intended for the security engineer needing a high level overview of intrusion detection. Network Intrusion Detection Systems A network IDS (NIDS) monitors all traffic on the network segment that it is placed on. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments can't be monitored unless the traffic is directed to the NIDS promiscuous interface. Network Intrusion Detection involves looking at the packets on the network as they pass by the NIDS. The NIDS can only see the packets that are carried on the network segment it’s attached to. Packets are considered to be of interest if they match a signature or certain behavior. Host Based Intrusion Detection Systems A Host IDS (HIDS) uses a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a NIDS monitors the traffic on its network segment as a data source. Host based intrusion detection involves not only looking at the network traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage at your network with HIDS, you must load the software on every computer. Host based Intrusion Detection is much more effective in detecting insider attacks than is NIDS. The below diagram shows a HIDS.  Signature based IDS Almost all IDSs are signature based, also known as knowledge based. Signature based IDSs monitor network traffic and analyze this traffic against specific predefined attacks. When an attack is detected an alarm is generated. This means that any traffic that doesn’t specifically match a signature is considered safe. Signature based IDSs obviously require that the signature base be updated regularly to detect new exploits. If legitimate network traffic triggers an alarm this is called a false positive. The amount of false positives generated by signature based IDSs can be significantly less than behavior based IDSs. Behavior based IDS Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated. In other words, anything that does not correspond to a previously learned behavior is considered intrusive. Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities. They can even contribute to the automatic discovery of these new attacks. They are less dependent on operating system-specific mechanisms. They also help detect 'internal abuse' types of attacks that do not actually involve exploiting any security vulnerability. In short, this is the paranoid approach: Everything which has not been seen previously is dangerous. The high false alarm rate is the primary drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase. Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous. Network Placement In order for Network IDSs to function properly, they must monitor all traffic on the network segment that it is responsible for. This can be easier in a network segment containing a hub than one containing a switch. The difficulty of implementing IDS into a switched environment stems from the basic differences between standard hubs and switches. Hubs have no concept of a connection and thus will broadcast every packet to every port on the hub, excluding the port the packet came in on. So in a hub network segment, you can place the IDS almost anywhere, while with switches specific workarounds must be used to assure the sensor is able to see the traffic required. The below figure shows a Network IDS attached to a hub, this IDS receives all traffic on its local network segment.  If the above diagram included a switch instead of a hub, then the IDS would not receive all the traffic in the network segment. That’s because a switch is based on connections, when a packet comes in a temporary connection in the switch is made to the destination port, and the packets are forwarded on. Therefore, the IDS will not see all traffic destined to individual computers. In order to use IDSs in a switched environment you must span the switch port, so that the IDS receives a copy of the traffic passing through the spanned port. Basically, a spanning port allows the switch to behave like a hub for a specific port.  The figure above shows the switch port to the router set to spanning mode, copying all network traffic to the IDS. You can span send traffic, receive traffic, or sometimes both. The drawback of this setup is that the IDS does not receive traffic among computers in its same network segment, it only receives traffic between the switch and router. Using a hubs or TAPS is a very similar solution, the hub or tap is placed between the connections to be monitored. This is usually between two switches, a router and switch, or a server and switch, etc. In the below diagram a hub has been placed between the resource machine and the switch. This allows traffic to still flow between the switch and the Resource while the properties of the hub cause a copy of the traffic to be copied off to the IDS. This, like the span port is only suitable for single machines. Multiple machines on the hub would cause network problems and remove the benefits of a switched solution. In addition, to get a fault tolerant hub would increase the cost of the solution dramatically. Also, hubs do not allow for full-duplex connections. Taps are by design fault tolerant having the main connection (i.e. the connection between the resource and the switch), hardwired into the device, preventing failure and often times are full duplex.  Conclusion An Intrusion Detection System is very helpful in detecting threats to the confidentiality, integrity, and availability of organizations information. However without proper documented policies and procedures to outline monitoring and response steps this information is of little use. You don't have permission to post replies. Please login or register. |