This text file was written by OptikNerve. It describes, for system administrators, how to detect an intrusion within a secured network. The products covered are RealSecure 3.0, Centrax 2.2, and AXENT NetProwler.
Introduction to Intrusion Detection
Intrusion detection methods are largely based on the
assumption that an intruder's activity is noticeably different from the
usual behavior of a legitimate user. The distinguishing characteristics of an
intrusion detection system (IDS) are the set of parameters it examines and the
source of its data.
Host-based intrusion detection comes in two types:
application-specific and operating system-specific. In both types, an agent
generally runs on the server being monitored and analyzes system log files,
access records, and application log files. Anomaly detection modules, based on
statistical comparison against normal patterns, are typically used in host-based
systems. Operating system-specific monitors compare abnormal sessions, such as
unsuccessful logins, against a behavioral model of normal usage built from
criteria such as time of access and the number and types of files created and
accessed. Application-specific intrusion detection tools usually define a set of
rules describing suspicious activity based on logged events. Generally, these
tools do not operate in real time and have no access to protocol or other
packet-level information while searching for patterns of suspicious activity.
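As an added illustration of the operating system-specific anomaly approach described above (this is example code written for this page, not code from any of the products reviewed here), the following Python builds a per-user baseline from a constructed login log and then flags activity that falls outside it: a login at an hour never seen for that user, a run of failed logins beyond the user's usual daily count, or a user with no baseline at all. The log layout, host and user names, addresses and thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical log layout assumed for this example (not any real product's format):
#   YYYY-MM-DD HH:MM:SS host login: accepted|failed user=NAME from=ADDR
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"(?P<result>accepted|failed) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed training data: three quiet days of normal activity.
BASELINE_LOG = [
    "2024-03-01 09:02:11 srv1 login: accepted user=alice from=10.0.0.5",
    "2024-03-01 14:30:02 srv1 login: failed user=bob from=10.0.0.9",
    "2024-03-01 14:30:40 srv1 login: accepted user=bob from=10.0.0.9",
    "2024-03-02 09:15:47 srv1 login: accepted user=alice from=10.0.0.5",
    "2024-03-02 14:05:19 srv1 login: accepted user=bob from=10.0.0.9",
    "2024-03-03 08:58:03 srv1 login: failed user=alice from=10.0.0.5",
    "2024-03-03 09:00:10 srv1 login: accepted user=alice from=10.0.0.5",
    "2024-03-03 14:12:33 srv1 login: accepted user=bob from=10.0.0.9",
]

# Constructed data to analyze: an off-hours login, a burst of failures,
# a user the baseline has never seen, and one unparseable line.
NEW_LOG = [
    "2024-03-04 03:12:55 srv1 login: accepted user=alice from=192.0.2.44",
    "2024-03-04 14:01:00 srv1 login: failed user=bob from=10.0.0.9",
    "2024-03-04 14:01:05 srv1 login: failed user=bob from=10.0.0.9",
    "2024-03-04 14:01:09 srv1 login: failed user=bob from=10.0.0.9",
    "2024-03-04 14:01:14 srv1 login: failed user=bob from=10.0.0.9",
    "2024-03-04 14:01:20 srv1 login: accepted user=bob from=10.0.0.9",
    "2024-03-04 11:40:00 srv1 login: accepted user=mallory from=192.0.2.44",
    "garbage line that does not parse",
]


def parse(line):
    """Return a dict for a well-formed line, or None so bad input is skipped."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def build_profiles(lines):
    """Per-user baseline: hours of day seen, mean and spread of daily failed logins."""
    hours = defaultdict(set)
    failed_per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        hours[ev["user"]].add(ev["ts"].hour)
        failed_per_day[ev["user"]][ev["ts"].date()] += int(ev["result"] == "failed")
    profiles = {}
    for user, seen_hours in hours.items():
        counts = list(failed_per_day[user].values())
        profiles[user] = {
            "hours": seen_hours,
            "fail_mean": statistics.mean(counts),
            "fail_stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
        }
    return profiles


def detect(profiles, lines, sigma=3.0, min_fail=3):
    """Return (user, reason, line) alerts for activity outside the baseline."""
    alerts = []
    failed_today = defaultdict(int)   # (user, day) -> failed logins so far
    flagged = set()                   # keys already reported: one alert per burst
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, "no baseline for this user", line))
            continue
        if ts.hour not in prof["hours"]:
            alerts.append((user, f"login at unusual hour {ts.hour:02d}", line))
        if ev["result"] == "failed":
            key = (user, ts.date())
            failed_today[key] += 1
            # Threshold is the larger of an absolute floor and mean + sigma*stdev,
            # so a user whose baseline has almost no failures is not flagged on one.
            threshold = max(min_fail, prof["fail_mean"] + sigma * prof["fail_stdev"])
            if failed_today[key] > threshold and key not in flagged:
                flagged.add(key)
                alerts.append((user, f"{failed_today[key]} failed logins exceeds baseline", line))
    return alerts


if __name__ == "__main__":
    for user, reason, line in detect(build_profiles(BASELINE_LOG), NEW_LOG):
        print(f"ALERT {user}: {reason} <- {line}")
```

The baseline here is deliberately crude (a set of hours and a daily failure count); the point is the shape of the approach: the model is built from the host's own logs, bad lines are dropped rather than trusted, and the failure threshold has an absolute floor so a user with a near-zero baseline is not flagged on a single typo.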
Network-based intrusion detection monitors have the benefit of
potentially analyzing all layers of the network communication. These tools can
reside on their own servers and therefore eliminate the performance hit on the
application server(s). They also use a rule base to describe common attack
techniques: patterns known as attack signatures define the sequence of network
events that constitute an attack. Attack signatures can be defined dynamically
as user-definable patterns or statically as functions within the application.
Deploying Intrusion Detection
Since network-based intrusion detection monitors operate by
analyzing network traffic, they provide protection only for the local segment
they sit on. There are four common deployment strategies:
RealSecure 3.0
RealSecure 3.0 is a member of Internet Security Systems'
SAFEsuite package of network security software. Other applications in the suite
include Internet Scanner, a network vulnerability scanner that checks TCP/IP
services, Web servers, and firewalls for specific vulnerabilities or exploits;
System Scanner, an operating system-specific vulnerability checker; and Database
Scanner, a risk assessment product for Microsoft SQL Server and Sybase
databases.
RealSecure supports two types of detectors: system agents and
network engines. Network engines monitor network packets on a segment, looking
for attack patterns. System agents monitor activity on hosts to determine
whether an intruder has gained access to the system. RealSecure is administered
from a console application, which communicates with the other components using
strong authentication.
ISS recommends running RealSecure on dedicated hosts. The
detectors and console are both memory-intensive applications and should not be
run together on the same machine. A 300MHz server with 128MB of RAM is
recommended for running detectors on NT 4.0; the console should have a 200MHz
machine with 64MB of RAM on NT 4.0. Determining the amount of disk space needed
is difficult, since it depends on the volume of traffic and the RealSecure
configuration. Security administrators need to decide which events are worth
monitoring to prevent excessive use of disk space.
The first task with RealSecure is to add detectors to your
configuration using the console. Setting up a detector defines the attack
signatures to monitor, user-defined connection events, user-specified actions,
filters, e-mail notifications, and SNMP traps. The detectors and console
communicate using strong encryption. Policies specify what type of traffic to
monitor, the priority of events, and how the detector responds to events.
RealSecure uses three types of events: connection, security, and
user-defined filter. Security events use a static set of attack signatures to
recognize suspicious activity that might be coming from an intruder. Connection
events recognize connections through particular ports, from certain addresses,
or using a certain protocol. User-defined filters allow the detectors to ignore
particular kinds of traffic, based on the protocol, the source and destination
IP addresses, and the source and destination ports.
When an event is detected, an action is carried out. RealSecure
supports 10 types of actions; the most important are logging summary
information, logging raw data, sending e-mail notification, killing a session,
locking the firewall, viewing a session, and running user-defined actions.
Sessions are killed by sending a TCP reset to both parties; this works only for
TCP, and the forged reset must carry an in-window sequence number and reach the
endpoints before the session moves on, so a fast attacker can sometimes outrun
it. Locking the firewall sends a command to the firewall to block traffic from
the offending source IP address for a specified period of time. Viewing a
session allows a security manager to monitor the communication in real time.
User-provided executables carry out user-defined actions.
Centrax
Centrax 2.2, made by CyberSafe, is an integrated host- and
network-based intrusion detection product with vulnerability assessment and
policy management features. Centrax consists of a Command Console and target
services. As with RealSecure, the console lets security managers monitor and
configure the intrusion detection software. The console runs on an NT server;
the target services can run on both Solaris and NT systems. CyberSafe recommends
that the Console run on at least a 166MHz machine with 64MB of RAM. Target
services can run on NT Workstation or Server 3.51 or 4.0 with at least a 486
processor and 32MB of RAM.
Around 50 attack signatures are provided for Solaris and around
80 for NT. Monthly updates to the attack signature set are available from the
CyberSafe website. As with RealSecure, administrators can configure the
response to an event: shut down the system, log off the user, or even disable
the account. The attack signatures cover a range of objects and activities,
including audit and administrative activities, critical system objects, decoy
files, password changes, administrative groups, and user administration.
Because Centrax includes a host-based component, there is some
performance penalty on the monitored host, around two to five percent when
optimally configured, unlike network-based systems, which run on a dedicated
machine that only monitors traffic. Another difference between network- and
host-based systems such as Centrax is that the latter belong within the
intranet, not on the perimeter of the network.
The Centrax 2.2 Console is made up of several components.
Target Agents communicate with the target services to distribute audit and
collection policies and to gather status information from the services. The
Assessment Manager evaluates security vulnerabilities, such as problems with
guest accounts and administrative privileges. The Alert Manager notifies
security managers of a detected intrusion or threat. The Detection Policy Editor
is used to define the list of potential attacks to watch for and the means of
notification. Gathering data from the target services is governed by policies
defined in the Collection Policy Editor. Last, the Report Manager provides
forensic analysis and detailed reports of current system activity.
AXENT NetProwler
AXENT NetProwler is a network-based intrusion detection tool
that lets users define custom signatures. It is initially configured with more
than 200 well-known attack profiles/signatures, including port scanning, denial
of service, TCP sequence number spoofing, and IP address spoofing. NetProwler
provides a GUI tool that lets users create attack signatures for less common
types of attack, such as attempts against an Oracle database. In addition,
NetProwler provides other network management tools, including consistency
checks for DNS server tables and Web and FTP daemon content, time-of-day access
restrictions, and inactive session purging.
NetProwler, like RealSecure and Centrax, uses a combination of
centralized management, distributed collection and detection agents, and a data
repository. The NetProwler console is a Java-based tool that runs from a Web
browser. The centralized data repository supports Microsoft Access and SQL
databases.
Like the other tools, NetProwler lets administrators configure
their own systems to monitor activity and review attack signatures from the
console. Its most distinguishing characteristic is the ability to define
custom attack signatures using an attack signature wizard.
Stateful Dynamic Signature Inspection (SDSI) comprises a virtual
processor, an intrusion set defining the attack signatures, and a cache that
maintains the state of the connections the processor monitors. When a packet is
processed, the previously gathered information in the cache and the attack
signature definitions are executed on the virtual processor. When an attack
pattern is found, the actions associated with the attack are executed. Since
attack signatures are data-driven, new ones can be added in real time. AXENT
maintains an Internet security team that researches new threats and
vulnerabilities and publishes attack signatures that can be downloaded as
needed.
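To make this mechanism concrete, here is an added example (written for this page; it is not NetProwler's, RealSecure's or any other product's code) of a small stateful inspection engine in Python that combines the pieces described in this section and in the RealSecure event and action sections: user-defined filters that drop traffic before inspection, connection events that match on protocol, address or port, a data-driven signature whose per-connection state lives in a cache, and an action dispatched when the pattern completes. The packet records, the port-scan threshold and the action names are constructed assumptions; the reset action only records that a TCP reset would be sent, it does not transmit one.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary (constructed; a real sensor decodes this from the wire)."""
    ts: float        # seconds
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S" for SYN, "SA" for SYN/ACK


@dataclass(frozen=True)
class Match:
    """Field pattern; None means wildcard. Used for both filters and connection events."""
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(v is None or getattr(p, k) == v for k, v in vars(self).items())


@dataclass(frozen=True)
class ConnectionEvent:
    name: str
    pattern: Match
    action: str


class PortScan:
    """Stateful signature: one source touching >= threshold distinct ports on
    one destination within `window` seconds. The per-(src, dst) history is kept
    in the engine's cache, the way a stateful inspector keeps connection state."""
    name = "port-scan"
    action = "reset"

    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window

    def check(self, p: Packet, state: dict) -> bool:
        # Only connection attempts count: TCP SYN without ACK.
        if p.proto != "tcp" or "S" not in p.flags or "A" in p.flags:
            return False
        hist = state.setdefault((p.src, p.dst), deque())
        hist.append((p.ts, p.dport))
        while hist and p.ts - hist[0][0] > self.window:   # expire old entries
            hist.popleft()
        if len({port for _, port in hist}) >= self.threshold:
            hist.clear()   # one alert per scan, then start counting again
            return True
        return False


class Engine:
    def __init__(self, filters, connection_events, signatures):
        self.filters = filters
        self.connection_events = connection_events
        self.signatures = signatures
        self.cache = defaultdict(dict)   # signature name -> its private state
        self.actions = []                # (action, event name, src, dst)
        self.filtered = 0

    def act(self, action, event, p):
        # "reset" is recorded only; a real sensor would forge a RST to both ends.
        self.actions.append((action, event, p.src, p.dst))

    def process(self, p: Packet):
        if any(f.matches(p) for f in self.filters):   # user-defined filters first
            self.filtered += 1
            return
        for ce in self.connection_events:
            if ce.pattern.matches(p):
                self.act(ce.action, ce.name, p)
        for sig in self.signatures:
            if sig.check(p, self.cache[sig.name]):
                self.act(sig.action, sig.name, p)


# Constructed policy: ignore DNS, log every telnet connection, reset port scans.
FILTERS = [Match(proto="udp", dport=53)]
CONNECTION_EVENTS = [ConnectionEvent("telnet-connect", Match(proto="tcp", dport=23), "log")]
SIGNATURES = [PortScan(threshold=5, window=10.0)]

# Constructed traffic: a DNS query, a normal web request, a five-port SYN scan, a reply.
SAMPLE_PACKETS = [
    Packet(1.0, "udp", "10.0.0.5", 40000, "10.0.0.2", 53),
    Packet(1.5, "tcp", "10.0.0.5", 40001, "10.0.0.10", 80, "S"),
    Packet(2.0, "tcp", "192.0.2.7", 51000, "10.0.0.10", 21, "S"),
    Packet(2.2, "tcp", "192.0.2.7", 51001, "10.0.0.10", 22, "S"),
    Packet(2.4, "tcp", "192.0.2.7", 51002, "10.0.0.10", 23, "S"),
    Packet(2.6, "tcp", "192.0.2.7", 51003, "10.0.0.10", 25, "S"),
    Packet(2.8, "tcp", "192.0.2.7", 51004, "10.0.0.10", 80, "S"),
    Packet(3.0, "tcp", "10.0.0.10", 80, "10.0.0.5", 40001, "SA"),
]


def run(packets):
    engine = Engine(FILTERS, CONNECTION_EVENTS, SIGNATURES)
    for p in packets:
        engine.process(p)
    return engine


if __name__ == "__main__":
    e = run(SAMPLE_PACKETS)
    print(f"filtered {e.filtered} packet(s)")
    for action, event, src, dst in e.actions:
        print(f"{event}: {action} {src} -> {dst}")
```

Two design points worth noting: filters are evaluated before any signature sees the packet, so a filter that is too broad silently blinds the detector (keep filters narrow and review them), and signature state is keyed and time-bounded so an attacker cannot exhaust the sensor's memory by spreading probes across many sources or over a long period.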
A graphical user interface is used to configure and monitor the
system, allowing administrators to monitor both network-based and host-based
intrusion detection systems across the network. When first installed, NetProwler
analyzes traffic on the network and examines hosts on the segment to determine
which attack profiles should be loaded. This assessment also includes discovery
of popular systems and applications. At any point after installation, an
administrator can add custom attack signatures using a drag-and-drop tool. Three
types of attacks can be defined:
Protecting User Privacy
PlanetAll provides a Web-based contact management repository for its clients.
Users can define address books and link to other PlanetAll users, sharing
scheduling and address information. The company has a strict policy of
safeguarding user privacy, believing that contact information should be
completely private and shared only when users explicitly choose to share it. As
part of its overall security plan for protecting customer information, PlanetAll
uses NetProwler.
On the downside, NetProwler, and network-based detection
mechanisms in general, do not work on switched networks, since traffic is not
broadcast to the entire segment. To give NetProwler access to the entire traffic
stream, PlanetAll had to place its server outside the switched network segment.
(Many switches can instead copy traffic to a monitoring or mirror port, which is
the usual way to feed a sensor on a switched segment.)
Conclusion
Intrusion detection is another type of security tool that IT
managers must deploy to protect their information resources. Intrusion detection
complements firewalls by allowing a higher level of analysis of traffic on a
network and by monitoring the behavior of sessions on the servers.
Network-based detection has access to the entire OSI stack, but is limited on
switched networks and on Virtual Private Networks, where the traffic is
encrypted. Host-based intrusion detection systems provide more operating
system-specific monitoring, but cannot protect against low-level attacks such as
denial of service. Intrusion detection vendors are aware of the limitations of
each approach and now offer complementary products, such as NetProwler's
host-based counterpart from AXENT, Intruder Alert, to provide more accurate
coverage and logs.
Copyright Secure System Admistrating Research, 1999 all rights reserved.