Security+ TechNotes - Intrusion Detection Systems


Index
Intrusion Detection Systems
Passive vs. Active Response
Host-based vs. Network-based
Signature vs. Behavior
Limitations and drawbacks
Honey Pots

Intrusion Detection Systems

An Intrusion Detection System (IDS) monitors and analyzes traffic on a network or activity on a system in an attempt to detect malicious activity. The exact meaning of the word intrusion differs per IDS product and the systems and services it is monitoring. It can be anything from a port scan to an attempt to gain unauthorized access. Other examples include RIP spoofing, ping sweeps, malicious SQL injections, DoS attacks, Trojans, and unauthorized changes to system files and settings.

When an IDS detects an intrusion, it will log the event, store relevant data/traffic, notify an administrator, and in some cases it will try to intervene. Besides the obvious advantages of an IDS, the stored data and the logs provide valuable forensic information and may be used as evidence in a legal case against the attacker. An IDS is much like an alarm system, some being more advanced and intelligent than others. IDSs can be classified based on various characteristics of which the most common are described in the following paragraphs. Most IDS products combine features from these different types.


Passive vs. Active Response

Many intrusion detection systems merely log the intrusion and notify someone, by email or pager for example. This is known as passive-response intrusion detection, as it does not actively attempt to stop the intrusion. Instead, a system administrator or someone else will have to respond to the alarm, take appropriate action to halt the attack, and possibly identify the intruder. Modern IDSs offer a wide range of options to send notifications of intrusions, including pager, cell phone, email, SNMP trap messages, or simply a message box on the administrator’s PC. It is important to make sure that the notifications are sent in a secure manner to prevent the attacker from intercepting or altering them.

Active-response IDSs automatically take action in response to a detected intrusion. The exact action differs per product and depends on the severity and type of attack. A common active response is increasing the sensitivity level of the IDS to collect additional information about the attack and the attacker. Another possible active response is making changes to the configuration of systems or network devices such as routers and firewalls to stop the intrusion and block the attacker. This could involve blocking the source address of the attacker, restarting a server or service, closing connections or ports, and resetting TCP sessions. Another less common active response that is not advisable from a legal perspective is retaliation – attacking the attacker.

Several passive response IDS products allow plug-ins for communication with a central management console. This allows you to use the passive response product in a decentralized active response system, in which the passive IDS reports to the central console, which in turn can actively control involved network devices and systems.


Host-based vs. Network-based

A host-based IDS is usually a software application installed on a system that monitors activity only on that local system. It communicates directly with the operating system and has no knowledge of low-level network traffic. Most host-based IDSs rely on information from audit and system log files to detect intrusions. They can also monitor system files and system resources, and incoming application data. Because a host-based IDS can produce a lot of data, and hence an extra administrative load, it is often placed only on critical servers. To further reduce the load, the IDSs can report to a central console.

A network-based IDS can be a dedicated hardware appliance, or an application running on a computer, attached to the network. It monitors all traffic in a network or coming through an entry point such as an Internet connection. The network card of a network-based IDS runs in promiscuous mode, which means it picks up all traffic from the media even if the destination address is not the IDS. It basically works like a sniffer. It is passive while it collects real-time raw network traffic; other hosts are usually not aware of the IDS and no extra load is put on the network.

A network-based IDS can monitor traffic only in its local network segment, unless it employs sensors. In switched and routed networks, a sensor is required in each segment (collision domain) in which network traffic is to be monitored. When a sensor detects a possible intrusion, it will report it to a central management console, which will take care of the appropriate passive or active response. Communication between the remote sensor and the management console should be secure to avoid interception or alteration by the intruder.


Signature vs. Behavior

Another common way to distinguish intrusion detection systems is by the method they use to recognize an intrusion – how they separate the good from the bad. (Note that the following types are not pertinent to CompTIA’s Security+ exam, but are merely included for completeness.)

The first and most common type is a signature-based IDS, also known as a rule-based, knowledge-based, or misuse-detection IDS. It employs a database with signatures to identify possible attacks and malicious activity. These signatures are similar to the ones used by anti-virus software, but instead of containing virus information, IDS signatures describe known attack patterns. For example, a signature can describe the format of a malformed header in a packet, the symptoms of a port scan, or key terms in traffic used for known exploits.

Because new attacks are being developed all the time, it is essential to keep the signature database current by frequently downloading updates. Signature-based IDSs usually produce a relatively low number of false alarms compared to behavior-based IDSs – the other main type of intrusion detection, which is described in the following paragraph.

Behavior-based intrusion detection is also known as anomaly-based or statistical-based intrusion detection. As these names imply, a behavior-based IDS monitors traffic and system activity for unusual behavior - anomalies based on statistics. To differentiate malicious activity from normal behavior it first has to learn what behavior is normal. When you activate a behavior-based IDS for the first time, it will log network bandwidth usage, processor and memory activity, disk usage, and other system activity over a certain period to create a baseline. After the learning period, activity that doesn’t match the baseline statistics (abnormal system performance) will result in an alert. The main advantage of this type of IDS is that it dynamically adapts to new vulnerabilities. Because system behavior can fluctuate for normal reasons, it usually produces a high number of false alarms.
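The two detection methods side by side, as an added Python illustration (not code from the original TechNotes): a tiny signature database matched against request lines, and a behavior-based detector that learns a baseline during a learning period and then flags statistical outliers. The signatures, request lines and traffic counts are all constructed for this example.

```python
import re
import statistics

# Signature database: (name, compiled pattern). Real IDS rules are far richer;
# these two are constructed, simplified examples of "known attack patterns".
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./\.\./")),
]

def signature_alerts(requests):
    """Signature-based detection: report every request matching a known pattern."""
    hits = []
    for req in requests:
        for name, pattern in SIGNATURES:
            if pattern.search(req):
                hits.append((req, name))
    return hits

def learn_baseline(samples):
    """Learning period: summarise normal activity as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)

def behavior_alerts(samples, baseline, k=3.0):
    """Behavior-based detection: flag samples more than k standard deviations
    from the baseline. Anything unusual is reported, attack or not."""
    mean, sd = baseline
    return [s for s in samples if abs(s - mean) > k * sd]

# Constructed HTTP request lines as seen by a sensor (not captured traffic).
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",  # matches the sql-injection signature
    "GET /../../etc/passwd HTTP/1.1",             # matches the path-traversal signature
    "GET /report?id=7 HTTP/1.1",
]
# Constructed kilobytes-per-minute counts: a 10-minute learning period of normal
# traffic, then a monitored period containing one legitimate backup burst (2400).
LEARNING_PERIOD = [100, 110, 95, 105, 100, 98, 102, 107, 99, 104]
MONITORED = [101, 103, 2400, 99]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(REQUESTS))
    # The backup burst is reported as an anomaly: a false positive that the
    # signature-based approach would never raise.
    print("behavior alerts:", behavior_alerts(MONITORED, learn_baseline(LEARNING_PERIOD)))
```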


Limitations and drawbacks

Although some intrusion detection systems have become very advanced, the data produced by software and the methods of the attackers are also becoming more complex all the time. This makes it hard to distinguish legitimate use of a system from a possible intrusion. When an IDS incorrectly identifies an activity as a possible intrusion it will result in a false alarm, also referred to as a false positive. Badly configured IDSs, and behavior-based IDSs in particular, can produce many false positives. In case of a passive-response IDS, this could result in an excessive administrative load (getting paged for a false alarm every 3 minutes becomes annoying very quickly). In case of an active-response IDS, this may even create a DoS situation, if the IDS mistakenly blocks a legitimate user’s IP address. Therefore, it takes careful planning and consideration before implementing an IDS. To keep the number of false positives to a minimum, some products allow you to configure clipping levels, which are thresholds for certain activities. For example, failed logon attempts to the admin account won’t be reported unless they occur three times in a row over a short amount of time.
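The clipping-level idea above as an added Python example (not part of the original TechNotes): consecutive failed logons for one account are reported only once a threshold is reached inside a short time window, and a successful logon resets the run. The log excerpt, account names and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log excerpt in a simplified syslog-like layout (not real output).
AUTH_LOG = """\
2005-04-24 10:00:01 sshd: Failed password for admin from 192.0.2.10
2005-04-24 10:00:40 sshd: Accepted password for admin from 192.0.2.10
2005-04-24 10:05:00 sshd: Failed password for admin from 198.51.100.7
2005-04-24 10:05:03 sshd: Failed password for admin from 198.51.100.7
2005-04-24 10:05:06 sshd: Failed password for admin from 198.51.100.7
2005-04-24 11:30:00 sshd: Failed password for bob from 10.0.0.9
2005-04-24 12:30:00 sshd: Failed password for bob from 10.0.0.9
2005-04-24 13:30:00 sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log):
    """Yield (timestamp, outcome, account, source) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def unclipped_alerts(log):
    """No clipping level: every single failed logon becomes an alert."""
    return [(acct, src, ts) for ts, outcome, acct, src in parse(log) if outcome == "Failed"]

def clipped_alerts(log, threshold=3, window=timedelta(seconds=60)):
    """Clipping level: alert only when `threshold` consecutive failures for one
    account fall inside `window`. A successful logon resets the run."""
    recent = defaultdict(deque)
    alerts = []
    for ts, outcome, acct, src in parse(log):
        run = recent[acct]
        if outcome == "Accepted":
            run.clear()
            continue
        run.append(ts)
        while run and ts - run[0] > window:   # drop failures older than the window
            run.popleft()
        if len(run) >= threshold:
            alerts.append((acct, src, ts))
            run.clear()                        # one alert per burst, not per failure
    return alerts
```

On the sample log the unclipped version raises seven alerts, while the clipped version raises one (admin, three failures in six seconds) and stays quiet about bob's widely spaced failures.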

A network-based IDS may not always be able to pick up and process all data in busy networks. Another challenge for a network-based IDS is encrypted data; most are able to inspect compressed data, but encrypted data remains an obstacle simply because the IDS does not have access to the keys of every device in the network.

Intrusion detection systems are typically not preventive; they should not be used to replace other security measures such as a firewall. Instead, they should be used to complement a firewall.
Last but not least, an IDS is itself another possible target of attack; IDS products also have bugs and exploitable vulnerabilities.


Honey Pots

A honey pot is a decoy that lures attackers away from production systems. It’s usually a computer attached to the network that runs special software to emulate services, applications, and protocols. A honey pot should not contain any data other than the information specifically created to trick the attacker. Nor should it be allowed to connect to any other system except other honey pots, to prevent the attacker from using the honey pot to launch an attack.


Current related exam topics for the Security+ exam:

DOMAIN 3.0: Infrastructure Security

3.1 Understand security concerns and concepts of the following types of devices
- IDS (Intrusion Detection System)

3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system
- Network Based
- Active Detection
- Passive Detection
- Host Based
- Active Detection
- Passive Detection
- Honey Pots


Date: Thursday, April 24, 2005
TechExams.Net
Author: Johan Hiemstra
CNA CCNA CCDA MCSE NT4
MCSA 2000/2003 Security+ CWNA