
Intrusion Detection within a Secured Network

This information was provided and written by OptikNerve. This text file describes, for the system administrator, how to detect an intrusion within a secured network. The programs covered are RealSecure 3.0, Centrax 2.2, and AXENT NetProwler.


Introduction to Intrusion Detection
Intrusion detection methods are largely based on the assumption that an intruder's activity is noticeably different from the usual behavior of a legitimate user. The distinguishing characteristics of an intrusion detection system (IDS) are the set of parameters it examines and the source of its data.

Host-based intrusion detection comes in two types: application-specific and operating system-specific. In both, an agent generally runs on the server being monitored and analyzes system log files, access records, and application log files. Anomaly detection modules, which rely on statistical comparison against patterns of normal behavior, are typically found in host-based systems. Operating system-specific monitors compare sessions against a behavioral model of normal usage, using criteria such as time of access, unsuccessful logins, and the number and types of files created and accessed, and flag sessions that depart from the model. Application-specific tools usually define a set of rules describing suspicious activity based on logged events. Generally, these tools do not operate in real time and have no access to protocol or other packet-level information while searching for patterns of suspicious activity.
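The statistical comparison against a normal-usage model that the paragraph describes can be made concrete. The following is an added example, not code from the article or from any product it reviews. It builds a per-user profile (hours of access and failed logins per day) from a baseline of constructed login records, then flags days in a second constructed log that fall outside that profile. The log format, user names, the two-standard-deviation threshold and the sample records are all assumptions chosen for illustration.

```python
"""Host-based anomaly detection over constructed login records.

Added example; not code from the article or any reviewed product.
The log format, user names and thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline, one record per line: "<timestamp> <user> <ok|fail>"
BASELINE_LOG = """\
1999-03-01T08:02:11 alice ok
1999-03-01T08:04:50 alice ok
1999-03-01T09:15:03 alice fail
1999-03-01T09:15:20 alice ok
1999-03-02T08:10:42 alice ok
1999-03-02T17:45:09 alice ok
1999-03-03T08:00:31 alice fail
1999-03-03T08:01:02 alice ok
1999-03-04T08:30:00 alice ok
1999-03-05T16:59:58 alice ok
"""

# Constructed records to be checked against the baseline.
TEST_LOG = """\
1999-03-08T08:05:00 alice ok
1999-03-09T02:13:40 alice fail
1999-03-09T02:13:55 alice fail
1999-03-09T02:14:08 alice fail
1999-03-09T02:14:21 alice fail
1999-03-09T02:14:40 alice ok
"""

@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    ok: bool

def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        ts, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, result == "ok"))
    return events

@dataclass
class Profile:
    """Per-user model of 'normal': hours of the day seen, and failed logins per day."""
    hours: set[int]
    fail_mean: float
    fail_sd: float

def build_profiles(events: list[Event]) -> dict[str, Profile]:
    hours = defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))   # user -> day -> failed logins
    for e in events:
        hours[e.user].add(e.when.hour)
        fails[e.user][e.when.date()] += 0 if e.ok else 1   # a day with no failures still counts
    profiles = {}
    for user in hours:
        per_day = list(fails[user].values())
        profiles[user] = Profile(hours[user], mean(per_day), pstdev(per_day))
    return profiles

def detect(events: list[Event], profiles: dict[str, Profile], k: float = 2.0):
    """Return (user, day, reasons) for every user-day that departs from the profile."""
    by_day = defaultdict(list)
    for e in events:
        by_day[(e.user, e.when.date())].append(e)
    findings = []
    for (user, day), evs in sorted(by_day.items()):
        p = profiles.get(user)
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            odd_hours = sorted({e.when.hour for e in evs} - p.hours)
            if odd_hours:
                reasons.append(f"access at unusual hour(s) {odd_hours}")
            failures = sum(not e.ok for e in evs)
            if failures > p.fail_mean + k * p.fail_sd:   # mean + k standard deviations
                reasons.append(f"{failures} failed logins (baseline {p.fail_mean:.1f} +/- {p.fail_sd:.1f})")
        if reasons:
            findings.append((user, str(day), reasons))
    return findings

if __name__ == "__main__":
    profiles = build_profiles(parse(BASELINE_LOG))
    for user, day, reasons in detect(parse(TEST_LOG), profiles):
        print(f"{day} {user}: " + "; ".join(reasons))
```

Run as written, the 2 a.m. burst of failures on 1999-03-09 is reported for both reasons while the ordinary 8 a.m. login on 1999-03-08 is silent. A user with no baseline is reported as such rather than ignored, which is the safer failure mode for a new or rarely used account.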

Network-based intrusion detection monitors have the benefit of potentially analyzing all layers of the network communication. These tools can reside on their own servers and therefore avoid a performance hit on the application server(s). They can also use a rule base to describe common attack techniques. Patterns, known as attack signatures, define the sequence of network events that constitute an attack. Attack signatures can be defined dynamically as user-definable patterns or statically as functions within the application.

Deploying Intrusion Detection
Since network-based intrusion detection monitors operate by analyzing network traffic, they protect only the segment they are attached to, so placement matters. There are four common deployment strategies:

Conventional wisdom holds that most attacks are carried out from within the organization, but this is beginning to change: various surveys now show a large share of attacks arriving over the Internet rather than from internal sources, which makes the Internet connection the first place to consider for a monitor.

If you're concerned about interdepartmental traffic, the network backbone is another location for an intrusion detection monitor. Network administrators with large modem pools may also want to monitor traffic immediately behind the modems.


RealSecure 3.0
RealSecure 3.0 is a member of Internet Security Systems' SAFEsuite package of network security software. Other applications in the suite include Internet Scanner, a network vulnerability scanner that checks TCP/IP services, Web servers, and firewalls for specific vulnerabilities or exploits; System Scanner, an operating system-specific vulnerability checker; and Database Scanner, a risk assessment product for Microsoft SQL Server and Sybase databases.

RealSecure supports two types of detectors: system agents and network engines. Network engines monitor network packets on a segment looking for attack patterns. System agents monitor activity on hosts to determine whether an intruder has gained access to the system. RealSecure is administered from a console application, which communicates with other components using strong authentication.

ISS recommends running RealSecure on dedicated hosts. The detectors and the console are both memory-intensive applications and shouldn't run together on the same machine. A 300MHz server with 128MB of RAM is recommended for running detectors on NT 4.0; the console should have a 200MHz processor with 64MB of RAM on NT 4.0. Determining the amount of disk space needed is difficult, since it depends on the volume of traffic and the RealSecure configuration. Security administrators need to decide which events are worth logging to prevent excessive use of disk space.

The first task with RealSecure is to add detectors to your configuration using the console. Setting up a detector defines the attack signatures to monitor, user-defined connection events, user-specified actions, filters, e-mail notifications, and SNMP traps. The detectors and the console communicate using strong encryption. Policies specify what type of traffic to monitor, the priority of events, and how the detector responds to events.

RealSecure uses three types of events: security events, connection events, and user-defined filters. Security events use a static set of attack signatures to recognize suspicious activity that might be coming from an intruder. Connection events recognize connections through particular ports, from certain addresses, or using a certain protocol. User-defined filters allow the detectors to ignore particular kinds of traffic, based on the protocol, the source and destination IP addresses, and the source and destination ports.

When an event is detected, an action is carried out. RealSecure supports 10 types of actions; the most important are logging summary information, logging raw data, sending e-mail notification, killing a session, locking the firewall, viewing a session, and running user-defined actions. Sessions are killed by sending a TCP reset to both parties. Locking the firewall sends a command to the firewall to block traffic from the offending source IP address for a specified period of time. Viewing a session allows a security manager to monitor the communication in real time. User-provided executables carry out user-defined actions.
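The relationship between signatures, connection events, filters and actions that the network-based discussion above and the RealSecure paragraphs describe is easiest to see as a pipeline. The following is an added example written for this page, not RealSecure code or any vendor's rule syntax. Filters are applied first, then each packet is checked against security events (signature on protocol, port and payload) and connection events (port or source network), and each match renders its configured actions. The rule names, the phf CGI pattern, the partner network range, the 30-minute firewall lock and the packets are all constructed assumptions; the "kill session" and "lock firewall" actions are rendered as text rather than sent on the wire.

```python
"""Event, filter and action pipeline of the kind the article describes.

Added example; not RealSecure code. Rule names, address ranges, action
names and the packets are assumptions constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                      # "security" (signature) or "connection"
    priority: str
    actions: tuple[str, ...]
    proto: str | None = None
    src_net: str | None = None
    dport: int | None = None
    pattern: bytes | None = None   # only security events look at the payload

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.pattern is not None and self.pattern not in p.payload:
            return False
        return True

@dataclass(frozen=True)
class Filter:
    """User-defined filter: matching traffic is dropped before any event is considered."""
    proto: str
    src_net: str
    dst_net: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net))

def respond(rule: Rule, p: Packet, block_minutes: int) -> list[str]:
    """Render the rule's configured actions for this packet (text only, nothing is sent)."""
    out = []
    for act in rule.actions:
        if act == "log_summary":
            out.append(f"log {rule.name}: {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        elif act == "log_raw":
            out.append(f"log raw {p.payload!r}")
        elif act == "email":
            out.append(f"email security-admin: {rule.priority} {rule.name}")
        elif act == "kill_session":
            if p.proto != "tcp":
                out.append("kill_session skipped: only TCP sessions can be reset")
            else:   # a reset goes to both ends of the connection
                out.append(f"send RST to {p.src}:{p.sport} and to {p.dst}:{p.dport}")
        elif act == "lock_firewall":
            out.append(f"firewall: block {p.src} for {block_minutes} min")
        else:
            raise ValueError(f"unknown action {act}")
    return out

def detect(packets, filters, rules, block_minutes: int = 30):
    """Return (name, kind, priority, actions) for every rule matched by unfiltered traffic."""
    alerts = []
    for p in packets:
        if any(f.matches(p) for f in filters):
            continue
        for r in rules:
            if r.matches(p):
                alerts.append((r.name, r.kind, r.priority, respond(r, p, block_minutes)))
    return alerts

# Assumed policy: ignore SNMP polls from the management station 10.0.0.2.
FILTERS = [Filter("udp", "10.0.0.2/32", "10.0.0.0/24", 161)]

RULES = [
    Rule("HTTP phf probe", "security", "high", ("log_raw", "email", "kill_session", "lock_firewall"),
         proto="tcp", dport=80, pattern=b"/cgi-bin/phf"),
    Rule("Telnet root login", "security", "medium", ("log_summary", "email"),
         proto="tcp", dport=23, pattern=b"root\r\n"),
    Rule("Telnet session", "connection", "low", ("log_summary",), proto="tcp", dport=23),
    Rule("Traffic from partner net", "connection", "low", ("log_summary",), src_net="172.16.0.0/12"),
]

# Constructed traffic: a normal request, a CGI probe, a telnet login from the
# partner network, a filtered SNMP poll, and an SNMP packet nothing matches.
PACKETS = [
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.44", 1025, "10.0.0.80", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    Packet("tcp", "172.16.9.9", 40002, "10.0.0.81", 23, b"root\r\n"),
    Packet("udp", "10.0.0.2", 161, "10.0.0.80", 161, b"\x30\x26\x02\x01\x00"),
    Packet("udp", "10.0.0.9", 2000, "10.0.0.80", 161, b"\x30\x26\x02\x01\x00"),
]

if __name__ == "__main__":
    for name, kind, prio, actions in detect(PACKETS, FILTERS, RULES):
        print(f"[{prio}] {kind} event {name}: {actions}")
```

Two points are worth noticing when reading the output: the telnet packet raises three separate events (a signature, a port-based connection event and an address-based connection event), which is why event priority and per-event actions matter for keeping the log readable; and the filter removes the management station's SNMP poll before any rule sees it, so a broad rule cannot turn routine polling into alerts.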

Centrax 2.2
Centrax 2.2, made by CyberSafe, is an integrated host- and network-based intrusion detection system with vulnerability assessment and policy management features. Centrax consists of a Command Console and target services. As with RealSecure, the console lets security managers monitor and configure the intrusion detection software. The console runs on an NT server; the target services can run on both Solaris and NT systems. CyberSafe recommends running the console on at least a 166MHz machine with 64MB of RAM. Target services can run on NT Workstation or Server 3.51 or 4.0 with at least a 486 processor and 32MB of RAM.

Around 50 or more attack signatures are provided for Solaris and around 80 for NT. Monthly updates to the attack signature set are available from the CyberSafe website. As with RealSecure, administrators can configure the response to an event: shut down the system, log off the user, or even disable the account. The attack signatures cover a range of objects and activities, including audit and administrative activities, critical system objects, decoy files, password changes, administrative groups, and user administration.

Since Centrax includes a host-based component, there is some performance penalty on the monitored host, around two to five percent when optimally configured, unlike network-based systems, which run on a dedicated machine and monitor traffic. Another difference between network- and host-based systems such as Centrax is that the latter belong within the intranet, not on the perimeter of the network.

The Centrax 2.2 Console is made up of several components. Target Agents communicate with the target services to distribute audit and collection policies and to gather status information from the services. The Assessment Manager evaluates security vulnerabilities, such as problems with guest accounts and administrative privileges. The Alert Manager notifies security managers of a detected intrusion or threat. The Detection Policy Editor is used to define the list of potential attacks to watch for and the means of notification. Gathering data from the target services is governed by policies defined in the Collection Policy Editor. Last, the Report Manager provides forensic analysis and detailed reports of current system activity.

AXENT NetProwler
AXENT NetProwler is a network-based intrusion detection tool that lets users define custom signatures. It is initially configured with more than 200 well-known attack profiles and signatures, including port scanning, denial of service, TCP sequence number spoofing, and IP address spoofing. NetProwler provides a GUI tool that lets users create attack signatures for less common types of attacks, such as attempts to access an Oracle database. In addition, NetProwler provides other network management tools, including consistency checks for DNS server tables and Web and FTP daemon content, time-of-day access restrictions, and inactive session purging.

NetProwler, like RealSecure and Centrax, uses a combination of centralized management, distributed collection and detection agents, and a data repository. The NetProwler console is a Java-based tool that runs in a Web browser. The centralized data repository supports Microsoft Access and SQL databases.

As with the other tools, administrators can configure their systems to monitor activity and review attack signatures from the console. The most distinguishing characteristic of NetProwler is its ability to define custom attack signatures using an attack signature wizard.

Stateful Dynamic Signature Inspection (SDSI) comprises a virtual processor, an instruction set for defining attack signatures, and a cache for maintaining the state of connections monitored by the processor. When a packet is processed, the previously gathered information in the cache and the attack signature definitions are executed on the virtual processor. When an attack pattern is found, the actions associated with the attack are executed. Since attack signatures are data-driven, new ones can be added in real time. AXENT maintains an Internet security team that researches new threats and vulnerabilities and publishes attack signatures that can be downloaded as needed.
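What distinguishes the stateful approach described above from simple per-packet matching is the state cache: a signature can refer to what earlier packets from the same source did. The following is an added example written for this page, not NetProwler's SDSI or its instruction set. Signatures are plain data (a field to key state on, a field whose distinct values are counted, a threshold and a time window), so one can be loaded while traffic is flowing, as the paragraph says. The port-scan and host-sweep signatures, their thresholds and windows, and the traffic are constructed assumptions; the slow scan at the end shows the failure mode a practitioner should expect when the window is too short.

```python
"""Stateful, data-driven signature matching with a per-source state cache.

Added example; not NetProwler/SDSI code. The signature schema, the
thresholds and windows, and the traffic are assumptions for illustration.
"""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float          # seconds since capture start
    proto: str
    src: str
    dst: str
    dport: int
    flags: str = ""   # "S" = SYN, "A" = ACK (simplified)

@dataclass(frozen=True)
class Signature:
    """Fires when one value of `key` has produced >= threshold distinct values
    of `distinct` within `window` seconds. Signatures are data, not code."""
    name: str
    key: str          # packet field identifying the state to track, e.g. "src"
    distinct: str     # field whose distinct values are counted, e.g. "dport"
    threshold: int
    window: float
    proto: str | None = None
    flags: str | None = None

class Engine:
    def __init__(self) -> None:
        self.sigs: list[Signature] = []
        # state cache: (signature name, key value) -> deque of (time, counted value)
        self.cache: dict[tuple, deque] = defaultdict(deque)
        self.alerts: list[tuple] = []

    def add_signature(self, sig: Signature) -> None:
        self.sigs.append(sig)            # may be called at any time, traffic keeps flowing

    def process(self, p: Pkt) -> None:
        for s in self.sigs:
            if s.proto and p.proto != s.proto:
                continue
            if s.flags is not None and p.flags != s.flags:
                continue
            q = self.cache[(s.name, getattr(p, s.key))]
            q.append((p.t, getattr(p, s.distinct)))
            while q and p.t - q[0][0] > s.window:
                q.popleft()                  # expire state that fell out of the window
            seen = {v for _, v in q}
            if len(seen) >= s.threshold:
                self.alerts.append((s.name, getattr(p, s.key), p.t, len(seen)))
                q.clear()                    # re-alert only after `threshold` new values

PORT_SCAN  = Signature("tcp port scan", key="src", distinct="dport", threshold=5, window=10.0,
                       proto="tcp", flags="S")
HOST_SWEEP = Signature("host sweep", key="src", distinct="dst", threshold=3, window=5.0,
                       proto="tcp", flags="S")

# Constructed traffic (documentation address ranges).
TRAFFIC = [
    # fast port scan: five distinct ports from one source in about a second
    Pkt(1.0, "tcp", "192.0.2.10", "10.0.0.80", 21, "S"),
    Pkt(1.2, "tcp", "192.0.2.10", "10.0.0.80", 22, "S"),
    Pkt(1.4, "tcp", "192.0.2.10", "10.0.0.80", 23, "S"),
    Pkt(1.6, "tcp", "192.0.2.10", "10.0.0.80", 25, "S"),
    Pkt(1.8, "tcp", "10.0.0.5",   "10.0.0.80", 80, "S"),   # unrelated user
    Pkt(2.0, "tcp", "192.0.2.10", "10.0.0.80", 80, "S"),   # fifth distinct port
    Pkt(2.5, "tcp", "10.0.0.5",   "10.0.0.80", 80, "A"),   # data packet, wrong flags
    # address sweep: one source probing three hosts on the same port
    Pkt(20.0, "tcp", "192.0.2.11", "10.0.0.1", 80, "S"),
    Pkt(20.5, "tcp", "192.0.2.11", "10.0.0.2", 80, "S"),
    Pkt(21.0, "tcp", "192.0.2.11", "10.0.0.3", 80, "S"),
    # slow scan: one port every 15 s, never five within a 10 s window
    Pkt(30.0, "tcp", "198.51.100.7", "10.0.0.80", 21, "S"),
    Pkt(45.0, "tcp", "198.51.100.7", "10.0.0.80", 22, "S"),
    Pkt(60.0, "tcp", "198.51.100.7", "10.0.0.80", 23, "S"),
    Pkt(75.0, "tcp", "198.51.100.7", "10.0.0.80", 25, "S"),
    Pkt(90.0, "tcp", "198.51.100.7", "10.0.0.80", 80, "S"),
]

def demo() -> list[tuple]:
    """Run the traffic; load the host-sweep signature only after the first seven packets."""
    eng = Engine()
    eng.add_signature(PORT_SCAN)
    for p in TRAFFIC[:7]:
        eng.process(p)
    eng.add_signature(HOST_SWEEP)        # added mid-stream, as a data-driven engine allows
    for p in TRAFFIC[7:]:
        eng.process(p)
    return eng.alerts

if __name__ == "__main__":
    for name, who, t, n in demo():
        print(f"t={t:5.1f}s {name} from {who} ({n} distinct)")
```

The fast scan and the sweep are reported; the slow scan from 198.51.100.7 is not, because with a 10-second window the cache never holds more than one of its probes at a time. Widening the window (for example to 120 seconds) catches it at the cost of more state per source, which is the usual trade-off when tuning such a signature.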

A graphical user interface is used to configure and monitor the system, allowing administrators to monitor both network-based and host-based intrusion detection systems across the network. When first installed, NetProwler analyzes traffic on the network and examines hosts on the segment to determine which attack profiles should be loaded. This assessment also includes discovery of popular systems and applications. At any point after installation, an administrator can add custom attack signatures using a drag-and-drop tool. Three types of attacks can be defined:

All three types are defined using keywords (for example, TCP Stack) and a set of predefined expressions, such as conditional statements.


Protecting User Privacy
PlanetAll provides a Web-based contact management repository for its clients. Users can define address books and link to other PlanetAll users, sharing scheduling and address information. The company has a strict policy of safeguarding user privacy, holding that contact information should be completely private and shared only when users explicitly choose to share it. As part of its overall plan for protecting customer information, PlanetAll uses NetProwler.

On the downside, NetProwler, and network-based detection in general, cannot see all traffic on a switched network, since a switch does not broadcast traffic to the entire segment. To give NetProwler access to the entire traffic stream, PlanetAll had to place its sensor outside the switched network segment.

Intrusion detection is another type of security tool that IT managers must deploy to protect their information resources. Intrusion detection complements firewalls by allowing a higher level of analysis of traffic on a network and by monitoring the behavior of sessions on the servers. Network-based detection has access to the entire OSI stack, but is limited on switched networks and on Virtual Private Networks, where the traffic is encrypted. Host-based intrusion detection systems provide more operating system-specific monitoring, but can't protect against low-level attacks such as a denial-of-service attack. Intrusion detection vendors are aware of the limitations of each approach and now offer complementary products, such as Intruder Alert, NetProwler's host-based counterpart from AXENT, to provide more complete coverage and logs.


Copyright Secure System Administrating Research, 1999, all rights reserved.