Thursday, September 19, 2024

IDS - Can you afford not to have one?

Everyone has an opinion on the longevity of this type of technology, its validity and its capabilities as a security tool. Most security professionals will agree that an IDS cannot be used as your only form of defence. But if an IDS is deployed in the correct manner, that is as part of an overall security programme, with the correct processes and procedures in place governing operation, maintenance and incident handling, can an organisation afford to be without one?

When analysing the purchase of any security device, especially one that professes to help protect the network perimeter and provide a Return On Investment (ROI), a requirement analysis should be carried out. Part of this analysis will lead to some or all of the following questions being asked:

  • What is the requirement?
  • What are the benefits?
  • What is the cost of maintenance?
  • What are the measures required to support this system?
  • What is the ROI?

What is an IDS?

An IDS performs real-time monitoring of network/system activity and analyses that data for potential vulnerabilities and attacks in progress.

There are two primary types of IDS:

  • Network-based Intrusion Detection Systems
  • Host-based Intrusion Detection Systems

Network-based Intrusion Detection Systems
A Network Intrusion Detection System (NIDS) transparently monitors network traffic, looking for patterns indicative of an attack on a computer or network device. By examining the network traffic, a network-based intrusion detection system can detect suspicious activity such as a port scan or a Denial of Service (DoS) attack.

A NIDS monitors the network traffic it has access to by comparing the data in each TCP/IP packet to a database of attack signatures. In a network environment it can see packets to and from the system(s) that it monitors. In a switched environment it can only see packets to and from the system(s) that it monitors if it has been given visibility of all traffic on the switch ports that connect to those systems.
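To make the two detection techniques described above concrete (comparing packet data against a signature database, and spotting a port scan from packet headers alone), here is an added example in Python. It is not code from the article or from any IDS product: the packet records, the signature patterns, the port-scan window and threshold are all constructed for illustration.

```python
"""Minimal network intrusion detection sensor (added example, not from the article).

Two techniques the text describes:
  * signature matching: the TCP payload is compared against a small
    database of known attack patterns;
  * port-scan detection: one source touching many distinct destination
    ports within a short window is flagged using header fields only.
All packets below are constructed sample data, not captured traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    flags: str           # TCP flags as letters, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""


@dataclass
class Alert:
    ts: float            # instance of attack
    src: str             # source of attack
    dst: str
    method: str          # method of attack
    signature: str       # signature or rule that fired


# Hypothetical signature database: regexes over the payload.
# These patterns are illustrative, not any vendor's signatures.
SIGNATURES = {
    "web-path-traversal": re.compile(rb"\.\./\.\./"),
    "web-cgi-probe": re.compile(rb"GET /cgi-bin/[^ ]* HTTP/1\.[01]", re.IGNORECASE),
}

SCAN_WINDOW = 5.0        # seconds
SCAN_THRESHOLD = 10      # distinct destination ports from one source within the window


class Sensor:
    def __init__(self):
        self._syns = defaultdict(list)   # src -> [(ts, dport), ...] for empty SYNs
        self._scan_alerted = set()       # sources already reported as scanning

    def inspect(self, pkt: Packet) -> list:
        alerts = []
        # 1. Payload inspection: does any known signature match?
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                alerts.append(Alert(pkt.ts, pkt.src, pkt.dst, "signature match in payload", name))
        # 2. Header-only anomaly: a burst of SYNs to many ports from one source.
        if "S" in pkt.flags and not pkt.payload:
            hist = [(t, p) for t, p in self._syns[pkt.src] if pkt.ts - t <= SCAN_WINDOW]
            hist.append((pkt.ts, pkt.dport))
            self._syns[pkt.src] = hist
            ports = {p for _, p in hist}
            if len(ports) >= SCAN_THRESHOLD and pkt.src not in self._scan_alerted:
                self._scan_alerted.add(pkt.src)
                alerts.append(Alert(pkt.ts, pkt.src, pkt.dst, "port scan",
                                    f"{len(ports)} distinct ports within {SCAN_WINDOW:.0f}s"))
        return alerts


def run(packets) -> list:
    """Feed packets through one sensor and return every alert raised."""
    sensor = Sensor()
    alerts = []
    for pkt in packets:
        alerts.extend(sensor.inspect(pkt))
    return alerts


def sample_traffic() -> list:
    """Constructed traffic: one benign request, one hostile payload, one scan."""
    pkts = [
        Packet(1000.0, "10.0.0.5", "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
        # Port 80 is allowed by a header-only rule, but the payload matches a signature.
        Packet(1001.0, "198.51.100.7", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ]
    # Twelve SYNs to twelve different ports in just over a second from one source.
    for i in range(12):
        pkts.append(Packet(1002.0 + i * 0.1, "203.0.113.9", "192.0.2.10", 20 + i, "S"))
    return pkts


if __name__ == "__main__":
    for a in run(sample_traffic()):
        print(f"{a.ts:.1f} {a.src} -> {a.dst} [{a.method}] {a.signature}")
```

Running it yields two alerts: the path-traversal request from 198.51.100.7, which a firewall looking only at the header (destination port 80) would have passed, and the port scan from 203.0.113.9 once its tenth distinct port is seen. Each alert carries the instance, source, method and signature of the activity, which is exactly the information the rest of this article argues an IDS adds over firewall logs.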

Once a NIDS detects an attack, the following actions may be taken:

  • Send email notification
  • Send an SNMP trap to a network management system
  • Send a page (to a pager)
  • Block a TCP connection
  • Kill a TCP connection
  • Run a user defined script

In general terms a NIDS will be deployed on a DMZ. This assumes that you have a firewall in place and that you have a DMZ configured. When deployed behind the firewall, the NIDS will detect attacks over protocols and from sources that the firewall allows through, as well as attacks from internal users. By taking an action, such as sending an SNMP trap or a page, it can alert network staff that an attack is in progress and enable them to make decisions based on the nature of the attack.

It is recommended that the IDS is used for detection and alerting only and not for proactive defence, that is killing or blocking TCP connections, as this can often cause more problems than it solves.

Host-based Intrusion Detection Systems
In most cases, a Host Intrusion Detection System (HIDS) is made up of two parts: a centralised manager and a server agent. The manager is used to administer and store policies, download policies to agents and store information received from agents. The agent is installed onto each server and registered with the manager. Agents use policies to detect and respond to specific events and attacks. An example of a policy would be an agent that sends an SNMP trap when three successive root logins have failed on a UNIX server. System logs and processes are also monitored to see if any actions that violate the policy have occurred. If a policy has been violated, the agent will take a predefined action such as sending an email or sending an SNMP trap to a network management system.
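The policy the paragraph above uses as its example, worked through as an added illustration in Python (this is not code from the article or from any HIDS product): a small agent reads the host's own authentication log and fires a notification callback once three successive root logins have failed. The log lines are constructed, the message wording is assumed to follow OpenSSH's "Failed password for" / "Accepted ... for" format, and the notify callable stands in for the SNMP trap or email action a real agent would take.

```python
"""Host-based detection over system logs (added example, not from the article).

A HIDS agent applies policies to the host's own logs. The policy below is the
one the text uses as its example: alert when three root logins fail in a row.
A successful root login resets the count. The log lines are constructed sample
data in the style of an OpenSSH auth log, not real log data.
"""
import re

SAMPLE_AUTH_LOG = """\
Sep 19 10:01:02 web1 sshd[4011]: Failed password for root from 198.51.100.7 port 50123 ssh2
Sep 19 10:01:05 web1 sshd[4011]: Failed password for root from 198.51.100.7 port 50123 ssh2
Sep 19 10:01:09 web1 sshd[4011]: Failed password for root from 198.51.100.7 port 50123 ssh2
Sep 19 10:02:30 web1 sshd[4020]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
Sep 19 10:03:00 web1 sshd[4031]: Failed password for root from 10.0.0.8 port 41234 ssh2
Sep 19 10:03:04 web1 sshd[4031]: Accepted password for root from 10.0.0.8 port 41234 ssh2
"""

# Assumed OpenSSH-style message formats.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


class FailedLoginPolicy:
    """Alert when `threshold` failures for `user` occur with no success in between."""

    def __init__(self, user="root", threshold=3):
        self.user = user
        self.threshold = threshold
        self.streak = 0
        self.sources = []          # sources seen during the current streak

    def evaluate(self, line: str):
        m = FAILED.search(line)
        if m and m.group("user") == self.user:
            self.streak += 1
            self.sources.append(m.group("src"))
            if self.streak >= self.threshold:
                alert = {
                    "event": "repeated-failed-login",
                    "user": self.user,
                    "count": self.streak,
                    "sources": sorted(set(self.sources)),
                    "line": line,
                }
                self.streak, self.sources = 0, []   # start a fresh window
                return alert
            return None
        m = ACCEPTED.search(line)
        if m and m.group("user") == self.user:
            self.streak, self.sources = 0, []       # a successful login resets the streak
        return None


class Agent:
    """Runs every policy over each log line and hands alerts to the notify action."""

    def __init__(self, policies, notify):
        self.policies = policies
        self.notify = notify       # stand-in for "send SNMP trap" / "send email"

    def process(self, log_text: str) -> list:
        alerts = []
        for line in log_text.splitlines():
            for policy in self.policies:
                alert = policy.evaluate(line)
                if alert is not None:
                    self.notify(alert)
                    alerts.append(alert)
        return alerts


def run_agent(log_text: str = SAMPLE_AUTH_LOG) -> list:
    """Process a log with the root-login policy; returns the notifications sent."""
    sent = []
    agent = Agent([FailedLoginPolicy("root", 3)], sent.append)
    agent.process(log_text)
    return sent


if __name__ == "__main__":
    for alert in run_agent():
        print(f"{alert['event']}: {alert['count']} failures for {alert['user']} "
              f"from {', '.join(alert['sources'])}")
```

On the sample log the agent sends exactly one notification, for the three failures from 198.51.100.7; the single failure from 10.0.0.8 followed by a successful root login never reaches the threshold. The agent itself knows nothing about the network, which is the point of host-based detection: it sees the result of an attempt on the server, whether or not a network sensor saw the packets.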

The decision on which IDS to purchase, HIDS or NIDS, depends on your organisational requirements, the structure of your network, and the security policies in place. The safest implementation would be to install a HIDS on the systems that sit on the DMZ (i.e. mail servers, Web servers, etc.), since the majority of Internet attacks will target these systems. In a situation where there is only one NIDS, it is advisable to place the sensor on the DMZ. In a large organisation additional sensors can be added to monitor internal traffic if required.

It is important to understand that an IDS is not a preventive device; it will inform you of any malicious activity occurring on your network or system, but your administrator/analyst is responsible for the containment and eradication of the incident.


Figure 1: Placement of HIDS and NIDS

Benefits of an IDS
In today’s corporate market, the majority of businesses consider the Internet a major tool for communication with their customers, business partners and the corporate community. This mentality is here to stay; as a result businesses need to consider the risks associated with using the Internet as a communication tool, and the methods available to them to mitigate these risks.

Many businesses are already aware of the types of risks that they are facing, and have implemented measures such as firewalls, virus detection software, access control mechanisms etc. However, it is all too apparent that although these measures may deter the “hobby hacker”, the real danger and threat comes from the “determined hacker”. The determined hacker is just that, determined, and they will find a way of penetrating your system, sometimes with malicious intent but mostly because they can and it is a test of skills.

Whilst the above mentioned tools are preventative measures, an IDS is more of an analysis tool that will give you the following information:

  • Instance of attack
  • Method of attack
  • Source of attack
  • Signature of attack

This type of information is becoming increasingly important when trying to design and implement the right security programme for an organisation. Some of this information can be found in devices such as firewalls and access control systems, as they all contain log information on system activity. In these instances, however, the onus is on the administrator to check the logs to determine if an attempted attack has occurred, or after the event to find out when the attack occurred and the source of the attack. Usually information pertaining to the method of the attack and the signature of the attack cannot be found in the logs. This is because devices such as firewalls are designed to check the IP packet header information and not the payload portion of the IP packet.

An IDS will check the payload of the packet to determine if the pattern of data held within matches that of a known attack signature. The benefits of the above information are as follows:

  • Instance of attack: An IDS will alert when an attack is in progress. This gives you the benefit of counteracting the attack as it happens, without having to go through lengthy logs to find out when this particular attack occurred.
  • Method of attack: An IDS will let you know what area of your network, or which system on your network, is under attack and how it is being attacked. This enables you to react accordingly and hopefully limit the damage of the attack, for example by disabling communications to these systems.
  • Source of attack: An IDS will let you know the source of an attack; it is then down to the administrator to determine if it is a legitimate source. By determining the legitimacy of the source the administrator is able to decide whether he/she can disable communications from this source.
  • Signature of attack: An IDS will identify the nature of the attack and the pattern of the attack, and alert accordingly. This information alerts the organisation to the types of vulnerabilities that they are susceptible to and permits them to take precautions accordingly.

The above information allows an organisation to:

  • Build a vulnerability profile of their network and the required precautions.
  • Plan its corporate defence strategy
  • Budget for security expenditure

The Internet is a vast tool for communication that is not policed and should not be; as a result the threat of attack is ever present. So long as this is true, the task of assessing an organisation’s network vulnerabilities remains continuous and should not be taken lightly.

A look at the latest computer crime survey carried out by the Computer Security Institute shows “40% of respondents experienced a system penetration, 36% a denial of service attack, 26% reported theft of proprietary information and 12% financial fraud. 18% reported sabotage, 23% had their web site hacked ten or more times, 90% of which resulted in vandalism and 13% included the theft of transaction information.”

These figures are frightening, but more importantly they are real!

Additional measures required to support an IDS

It is clear from the discussion so far in this paper that an IDS cannot run itself. The benefits of an IDS are largely dependent on the support mechanisms available within the organisation to operate and maintain it effectively. Support mechanisms such as skilled staff and correct procedures are key to ensuring the efficiency and effectiveness of your IDS.

The Role of the Intrusion Detection Analyst
Purchasing an IDS alone will not guarantee a more secure network; employing the right staff with the skills required to analyse and maintain an IDS will. The intrusion detection analyst’s role is key in distinguishing a real attack from a false alarm and, once that decision is made, deciding how to act upon the threat. This requires experience and in-depth knowledge of the network that is being protected.

The following is a list of capabilities an intrusion detection analyst should possess:

  • Acquire the necessary knowledge of the networks being monitored so that the determination of misuse vs. anomalous activity is clear
  • Determine the difference between false alarms and real attacks
  • Be aware of the latest security breaches and how they can affect his/her network
  • Periodically download attack signatures from the IDS vendor
  • Be capable of writing customised signatures
  • Be cognisant of the company’s corporate security policy and system standards
  • Adhere to the company’s incidence response programme
  • Work collaboratively with other security personnel, both internally and externally

None of the above skills can be learnt overnight, which is why the intrusion detection analyst is just as important as the IDS. Having the right analyst will sometimes compensate for having a bad IDS, because a good analyst will recognise a poor IDS.

Incidence Response Programme (IRP)
An Incidence Response Programme is an integral part of an organisation’s security programme. The implementation of an IRP and its supporting controls is key in ensuring that an organisation possesses the ability to react quickly and effectively to minimise the impact of a situation. The primary goal of an IRP is to prevent an operational security problem from becoming a business problem that impacts on revenue.

There are a number of considerations to take into account when responding to an incident, some of which are as follows:

  • What has happened?
  • What has been damaged?
  • What is the extent of the damage?
  • What business processes are affected and how can we minimise the impact?
  • Who did it and how?
  • Are there any legal issues?
  • Can and should any forensic information be preserved?
  • Has the damage been contained or is it still continuing?

The IRP is one of the tools that an intrusion detection analyst, and any other security analyst within an organisation, requires to perform their job efficiently. These documents and procedures form the basis of your organisation’s security programme.

The absence of an Incidence Response Programme could cost an organisation millions if it is unable to provide evidence that it has been attacked. This could happen, for example, because the system administrator did not know how long to keep the logs, as no guidelines had been set out by the organisation.

When developing an Incidence Response Programme it is important to ensure that the following key areas are included:

  • Prevention
  • Planning
  • Detection
  • Analysis
  • Containment
  • Investigation
  • Evaluation
  • Post-mortem

It is important to understand that an IDS is one of many security controls deployed within an organisation. An organisation should have the following procedures and guidelines in place, which govern the way in which business is conducted securely on a daily basis:

Corporate Security Policy: This should include the security objectives and goals an organisation will undertake to protect the continuing operation of its business. The detailed guidelines are provided in subordinate documents.

System Security Policy: This should cover the following areas: scope of the system, information classifications of data held on the system, minimum security measures to be implemented for this system, and responsibilities for enforcing these measures.

System Interconnection Security Policy: This should detail the minimum security standards for the interconnection of systems/networks to both internal and external resources.

System Operating Procedures: This should cover the day-to-day operations of a system(s)/network(s) within an organisation.

Incidence Response Programme: as defined above.

What is the Return on Investment (ROI)?

In today’s climate, it is important to have an estimate of what the ROI will be for implementing a system such as an IDS, as this will help to justify its importance to senior management.

This calculation is mainly based around estimating the following:

  • What is the cost to your organisation if your Internet presence is abused or unavailable?
  • What is the estimated monetary cost to your organisation if you experience a security breach?
  • What is the estimated monetary cost to your reputation if you experience a security breach?
  • What is the estimated monetary cost to your organisation of implementing your Business Continuity Plan, or parts thereof?

For most organisations, the cost of the above will by far outweigh the cost of purchasing, implementing and maintaining an IDS.

Summary
In conclusion, the choice of whether to purchase an IDS, and which IDS to purchase, comes down to the organisation’s business and security requirements. However, most organisations, on calculating the ROI, will agree that in today’s climate, where proprietary information makes up a considerable proportion of an organisation’s assets, you cannot really afford to be without security tools such as an IDS.

The standard analogy is to compare your network to your office building: your office no doubt has a burglar alarm, security locks, CCTV and a security guard to deter unwanted intrusion. You would not rely on only one of these methods to protect your building; a combination of some or all of them gives you greater confidence that the building is secure. The same principle applies to your network: the combination of firewalls, IDSs, access control mechanisms, skilled staff, policies and incident response programmes will give you the confidence that you are taking all the necessary measures required to protect your network from unwanted intrusions.

Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.

Trinity provides its customers with market leading expertise, delivering solutions ranging from the technical, such as IDS, VPN and E-commerce, to strategic services including security policy and procedure development.
