
Network Intrusion Detection


Introduction

Network intrusion detection (NID) watches network traffic for signs of attack. The common real-world analogy for a NID system is the burglar alarm: it is not meant to prevent malicious behavior, but to detect attacks and trigger an incident response. Most systems are built on high-performance signature-matching engines that compare bit patterns in captured traffic against a database of attack signatures. Consequently, most network-based detection techniques require access to the packets of the target traffic and enough processing capacity to keep up with the traffic volume.

Benefits

Where access control systems such as firewalls are meant to prevent malicious behavior, NID is meant to monitor it. This gives security administrators feedback on their preventive measures: while our security tools and practices may be stopping many intruders from breaching systems on our network, NID tells us that these attacks are occurring at all. The fact that attacks are even being attempted, regardless of their effectiveness, is itself cause for concern inside the stronghold. NID also lets us assess the risk arising from the shortcomings of our access control systems. If we must allow certain types of network traffic through our firewall, NID can tell us whether that trust is being misused in ways the access control system permits but the security policy does not.

Most available NID systems allow implementors to leverage a wide body of security expertise well beyond the capabilities of the security administrator. NIDS consolidate many known attack signatures and behavioral patterns normally derived from extensive experience and manual analysis. Most NIDS can recognize many attacks and patterns that their implementors would not have encountered in the past or through personal research.

These benefits can be broken into three major areas. Accelerated response to incidents is the primary benefit of intrusion detection techniques. NID allows administrators to respond to attacks with actions appropriate to their security policy. It may trigger the reaction of increased logging, reconnaissance on attack sources, or, in extreme cases, deactivation of the target system. A second benefit concerns forensic analysis of a breached system. Records of known attacks reviewed during a post mortem can guide investigators in assessing the damage caused to a system. Finally, intrusion detection measures add a level of deterrence and difficulty for would-be attackers. A reaction to the activities of attackers will at least deter casual attackers and script kiddies, just as home and car alarms cause casual thieves to move on to easier targets.

Shortcomings

The bane of any intrusion detection technique is the false positive. This is the phenomenon of a NIDS reporting an attack when presented with completely legitimate traffic. These “mistakes” on the part of a NIDS are not a problem by themselves; however, enough of them will present the administrator with too much “noise” in the reports and logs produced by the NIDS. This can cause the administrator to miss attacks during analysis or, worse, to ignore that class of attack warning altogether. An extreme danger of the false positive exists when a NIDS is integrated with access control systems. Many newer NIDS can “react” to attacks by either reconfiguring access control systems or sending “kill” packets to malicious connections. In these systems, if the intrusion detection engine detects an attack, it can reconfigure access control systems to, for example, block all traffic coming from the source of the attack. In other cases, the NIDS can generate FIN packets for TCP connections in order to force the connection closed. With the existence of the false positive, legitimate traffic could be inadvertently dropped if the NIDS believes it is malicious. In more extreme cases, attackers could generate traffic from addresses spoofed to look like those of an unwitting victim, causing the NIDS to block that victim's access.

Of recent interest is the susceptibility of NIDS to false negatives and denial of service. Many researchers and attackers have been looking at ways of attacking the NIDS themselves. One of the first widespread techniques for fooling a NIDS has been malicious fragmentation of packets to evade signature matching. Tools such as fragrouter can break a TCP stream up so that parts of a signature are spread across multiple packets and no single packet matches a signature in the NID database. 8thPort has also found shortcomings in many NIDS when bombarding them with their “stick” stress testing tool: ISS RealSecure crashed outright, while snort pegged the CPU and started dropping packets.
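To make the fragmentation problem concrete from the detector's side, here is an added illustration (not code from the original article, fragrouter, or any real NIDS) of why a signature engine must reassemble the TCP stream before matching. It uses a constructed request and a constructed signature pattern; the naive per-packet matcher sees nothing once the request is split so that the pattern straddles a segment boundary, while the matcher that reassembles segments by sequence number (handling out-of-order delivery and overlapping retransmissions) still finds it.

```python
import re
from typing import List, NamedTuple, Tuple


class Segment(NamedTuple):
    """One TCP segment: starting sequence number and payload bytes."""
    seq: int
    payload: bytes


# Constructed sample signatures; not taken from any real ruleset.
SIGNATURES = {
    "traversal-attempt": re.compile(rb"\.\./\.\./"),
    "cmd-exec": re.compile(rb"/bin/sh"),
}


def match_per_packet(segments: List[Segment]) -> List[Tuple[str, int]]:
    """Naive engine: match each segment's payload in isolation."""
    hits = []
    for seg in segments:
        for name, pat in SIGNATURES.items():
            if pat.search(seg.payload):
                hits.append((name, seg.seq))
    return hits


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream in sequence order.

    Overlapping retransmissions contribute only their new bytes; a gap
    (missing segment) stops reassembly, where a real engine would buffer.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = bytearray()
    base = ordered[0].seq
    expected = base
    for seg in ordered:
        if seg.seq < expected:
            overlap = expected - seg.seq
            if overlap >= len(seg.payload):
                continue  # fully retransmitted data, nothing new
            stream += seg.payload[overlap:]
        elif seg.seq > expected:
            break  # hole in the stream; cannot match across it
        else:
            stream += seg.payload
        expected = base + len(stream)
    return bytes(stream)


def match_stream(segments: List[Segment]) -> List[str]:
    """Stream-aware engine: reassemble first, then match once."""
    data = reassemble(segments)
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


# Constructed traffic: the same request intact, split so "../../" straddles
# two segments (delivered out of order), and with an overlapping retransmission.
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
INTACT = [Segment(1000, REQUEST)]
SPLIT = [Segment(1016, REQUEST[16:]), Segment(1000, REQUEST[:16])]
OVERLAP = [Segment(1000, REQUEST[:16]), Segment(1010, REQUEST[10:])]

if __name__ == "__main__":
    print("per-packet, intact :", match_per_packet(INTACT))
    print("per-packet, split  :", match_per_packet(SPLIT))
    print("stream, split      :", match_stream(SPLIT))
    print("stream, overlap    :", match_stream(OVERLAP))
```

The per-packet engine reports the traversal pattern only for the intact request; after the split it reports nothing, which is exactly the false negative the text describes. The reassembling engine finds the pattern in both the split and overlapping cases, at the cost of holding per-connection state, which is also where the resource exhaustion mentioned below becomes possible.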

Tricks

Security Focus ran an article with some tips on using snort. I found the tips quite ingenious and worth repeating. The author, Mark Burnett, suggests using the hosts themselves to give hints to the NID. The main idea is not to detect attacks from incoming attack signatures, but to detect the results of a potential attack on their way out of the network. The first advantage of this approach is that attackers have far less control over packet generation at the target side of the connection. While they may be able to hide attack signatures through fragmentation and packet manipulation on their side, they usually cannot affect how the target generates replies when attacked. This means the NIDS has an easier time finding signatures in outbound packets, since those will be fragmented and flagged normally. Burnett also suggests reducing the number of signatures needed to detect attacks by planting tags throughout sensitive data and watching for those tags leaving the targets. With this technique, one can detect confidentiality breaches even from attacks that are unknown to the NIDS. This approach resembles what makes firewalls and similar techniques effective: firewalls work because they do not attempt to find and prevent malicious behavior; they prevent all activity except well-defined acceptable behavior. By reversing the focus of the NIDS, one can simply look for inappropriate behavior from friendly hosts. The defender knows what data should be passing from their own hosts to the outside world, and data outside this defined set indicates inappropriate activity. Instead of looking for individual attack signatures, the NIDS simply watches for outgoing directory listings, script sources, or command prompts.
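As an added example of the outbound-focused approach (not code from the article, from Mark Burnett, or from snort), the following inspects payloads leaving a protected host and alerts on two things: planted canary tags that should never appear on the wire, and the kinds of results an attacker's commands would produce (directory listings, a shell prompt, the contents of a system account file). The tag values, indicator patterns and sample payloads are all constructed for the illustration; a real deployment would plant its own tags and tune its own patterns.

```python
import re
from typing import List, Optional, Tuple

# Constructed canary tags assumed to be planted inside sensitive documents
# and scripts on the protected hosts. Hypothetical values.
CANARY_TAGS = [b"ZX-CANARY-7f3a", b"ZX-CANARY-b21c"]

# Patterns describing the *output* of a successful attack rather than the
# attack itself, so they do not depend on knowing the exploit in advance.
OUTBOUND_INDICATORS = {
    # "drwxr-xr-x   2 root root ..." style lines from a Unix directory listing
    "unix-dir-listing": re.compile(rb"^[-d][rwx-]{9}\s+\d+\s+\S+\s+\S+", re.M),
    # Header lines of a Windows "dir" listing
    "windows-dir-listing": re.compile(rb"Volume in drive [A-Z] |Directory of [A-Z]:\\"),
    # A bare Unix or Windows command prompt on a line by itself
    "shell-prompt": re.compile(rb"(?m)^(\$|#|[A-Z]:\\[^>\r\n]*>)\s*$"),
    # First line of a Unix account file
    "passwd-file": re.compile(rb"^root:x?:0:0:", re.M),
}

Alert = Tuple[str, Optional[str], str]  # (indicator, detail, source host)


def inspect_outbound(payload: bytes, src_host: str) -> List[Alert]:
    """Return alerts for one outbound payload from src_host.

    Canary hits come first because they are the strongest signal: the tag
    should only exist inside data that never leaves the host.
    """
    alerts: List[Alert] = []
    for tag in CANARY_TAGS:
        if tag in payload:
            alerts.append(("canary-leak", tag.decode(), src_host))
    for name, pat in OUTBOUND_INDICATORS.items():
        if pat.search(payload):
            alerts.append((name, None, src_host))
    return alerts


# Constructed sample outbound payloads, labelled by what they represent.
SAMPLES = [
    ("web1", b"<html><body>Welcome to our site</body></html>"),
    ("web1", b"drwxr-xr-x   2 root root 4096 Jan  1 12:00 cgi-bin\n"),
    ("web2", b"C:\\WINNT\\system32>\r\n"),
    ("file1", b"Quarterly memo ... ZX-CANARY-7f3a ... end of document"),
    ("web1", b"root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\n"),
]


def scan_samples() -> List[Alert]:
    """Run every sample through the inspector and collect all alerts."""
    found: List[Alert] = []
    for host, payload in SAMPLES:
        found.extend(inspect_outbound(payload, host))
    return found


if __name__ == "__main__":
    for alert in scan_samples():
        print(alert)
```

The normal HTML page produces no alert, while each of the other samples is flagged by the host that emitted it. Because the patterns describe what leaves the host rather than what arrives, the inbound fragmentation tricks discussed above do not help an attacker here, and a canary hit identifies a confidentiality breach without any signature for the attack that caused it.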


©2001-2003 by Itillious, Inc. All Rights Reserved.