# Network Intrusion Detection

by Rik Farrow and Richard Power

Some new products work at discovering and responding to network attacks in real time.

Intrusion detection has a long history. Early watchmen could listen for the rustling of leaves, or a snapped twig. In World War II, soldiers would attach a string between two trees, and dangle a can containing pebbles. If the can rattled, someone was coming. More recently, infrared detectors and even Doppler radar have been used to detect intruders.

Intrusion detection in computers also has a long history, beginning with research in the seventies. The focus then was on determining whether the behaviour of a user on a single computer represented normal activity or an attack. Various systems have been devised to follow audit trails, attempting to distinguish between the signature of everyday activities and system abuse.

With most computers now attached to networks, it seems natural that we should have network-based intrusion detection systems. These systems ignore individual hosts in favor of eavesdropping on network communications, trying to identify patterns of abuse or actual attacks.

Just like the watchmen of yore, intrusion detection systems have to distinguish between a falling leaf and a stealthy footstep. This task, detecting only real attacks and, most importantly, not missing the signs of an actual attack, is neither easy nor simple. Various techniques have been created over the years for ferreting out real attacks, and these techniques are now being applied to network intrusion detection. We'll discuss these techniques, and look at several products which employ them within the realm of networks.

### Rustling Leaves

What distinguishes the activity of a legitimate user from an attacker? Truth be known, in many cases, very little. Early intrusion detection systems focused on anomaly detection, looking for events which shouldn't happen.
For host security, this might mean many failed login attempts, indicating password guessing. With networks, a packet found behind a firewall with an external source address could be a significant anomaly. In other words, these are events which should not occur if no one is misbehaving and everything is working properly.

There are also events which indicate misuse. For a host system, this could be an attempt to write to a critical file, or more subtly, the execution of a privileged program with arguments which result in the execution of a non-restricted command interpreter, a favorite attack on UNIX systems today.

In the world of networking, misuse can take on several flavors. There can be misuse at the Internet and transport layer protocols. The SYN flood denial of service attack, for example, involves sending many packets which appear to initiate new connections to a server, but in reality have spoofed source addresses. These connections can never be completed, but will block legitimate requests from succeeding. This is an attack often aimed at Web servers. ICMP (Internet Control Message Protocol) packets can be used to probe a network or to crash a host by using an excessively long data length (the Ping of Death). A network can be probed for TCP servers by attempting to open connections at a range of ports on one or more systems.

Misuse can certainly appear at the application protocol level. Where attacks at the lower layers of the TCP/IP stack result in denial of service, attacks at the application layer can result in interactive access to a computer, or changes in the computer's state. The Internet Worm provided an early example of application layer attacks: overly long arguments to the finger server, the use of the debug command with a popular mail server, and abuse of trust on systems supporting remote login. The number of known attacks at this layer is very large (one vendor lists eighty different attacks).
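As an added illustration (not code from the article or from any of the products it reviews), here is a toy network-based detector run over a constructed packet capture, applying the three network-level checks just described: the external-source-behind-the-firewall anomaly, a probe of a range of ports on one host (counted regardless of order or spacing), and SYN-flood style connections that are initiated but never completed. The internal prefix, thresholds, addresses and packet record fields are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal prefix of the monitored segment (constructed for this example)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
PORTSCAN_THRESHOLD = 5   # distinct destination ports from one source to one host
HALFOPEN_THRESHOLD = 3   # SYNs to one service never completed by the client's ACK


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def detect(packets):
    """Apply three checks to packets (dicts with src, sport, dst, dport, flags); return sorted distinct alerts."""
    alerts = set()
    ports_seen = defaultdict(set)   # (src, dst) -> destination ports probed
    half_open = defaultdict(set)    # (dst, dport) -> client endpoints awaiting ACK
    for p in packets:
        src, dst, service = p["src"], p["dst"], (p["dst"], p["dport"])
        # Anomaly: behind the firewall only internal source addresses are expected
        if not is_internal(src):
            alerts.add(("external-source-inside", src))
        if p["flags"] == "S":
            # Misuse: many distinct ports from one source, in any order, any spacing
            ports_seen[(src, dst)].add(p["dport"])
            if len(ports_seen[(src, dst)]) >= PORTSCAN_THRESHOLD:
                alerts.add(("port-scan", f"{src}->{dst}"))
            # Misuse: connections initiated but never completed (SYN flood)
            half_open[service].add((src, p["sport"]))
            if len(half_open[service]) >= HALFOPEN_THRESHOLD:
                alerts.add(("syn-flood", f"{dst}:{p['dport']}"))
        elif p["flags"] == "A":
            half_open[service].discard((src, p["sport"]))   # handshake completed
    return sorted(alerts)


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed capture: one normal connection, a non-sequential port scan, and
# spoofed external sources (198.51.100.0/24 is documentation space) flooding a Web server
SAMPLE = ([pkt("10.0.0.6", 40001, "10.0.0.20", 80, "S"),
           pkt("10.0.0.6", 40001, "10.0.0.20", 80, "A")]
          + [pkt("10.0.0.5", 41000 + i, "10.0.0.20", port, "S")
             for i, port in enumerate([80, 21, 110, 23, 25, 22])]
          + [pkt(f"198.51.100.{i}", 50000, "10.0.0.20", 80, "S") for i in range(1, 5)])

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE):
        print(f"{kind:24} {detail}")
```

The thresholds show the trade-off the next section discusses: lowering them catches slower probes but raises more false alarms on ordinary traffic.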
### False Alarm

Intrusion detection systems must use an exhaustive set of attack signatures, so as not to miss any abusive activities. This may lead to many false alarms, and a system which nobody listens to because it has "cried wolf" too often.

The earliest systems simply used misuse detection and thresholds. A failed login attempt would have to be repeated several times before an alarm would be raised. Setting the threshold too low meant too many false alarms. Too high a threshold may mean that attacks are missed.

Systems focusing on anomaly detection have been much more complicated. Some systems attempt to create a "user profile", a set of normal user behaviour, and set off an alarm when "abnormal" behaviour occurs. The problem with these systems has been that there really is no such thing as "normal" user behaviour (ask any help desk). A more recent approach has been to look only for behaviour indicating abusive activity--excessive browsing (scanning many files), accessing critical files, changes in user privilege level. This approach works better than looking for abnormal behaviour, and is used in the network intrusion detection products.

### The Watchers

Let's look at three products which each take a different approach to the problem of network intrusion detection: the Wheelgroup's NetRanger, ISS' RealSecure, and Network Flight Recorder. One thing that does not vary between the products--they all must be placed at points in the network where they have access to all network traffic. This is relatively easy for network backbones or non-switched Ethernet, and more difficult for switched Ethernet (where network throughput can exceed the bandwidth of non-switched Ethernet, and tapping the network requires the sacrifice of one port). The focus of these products is TCP/IP networks, although NetRanger has limited support for IPX, and RealSecure plans to support Microsoft's SMB (file sharing) protocols.
The Wheelgroup Corporation has focused on consulting, and NetRanger can stand alone or be an integral part of Wheelgroup's consulting practice. NetRanger is designed so that individual components report to one or more Directors, and a Director might be at a Wheelgroup support site. Router or sniffer-based computers, called NSXs, are attached to each network segment. The router or sniffer collects selected packets and sends them to a PC or workstation running Sun's Solaris and the NetRanger software. This device looks for predefined attack signatures, collects network statistics, and sends reports and alarms to the Directors. An encrypted channel is used to send reports, and also to receive configuration instructions and updates from the Directors.

The keys to correct operation in NetRanger are the attack signatures and appropriate placement of the NSX components. The Wheelgroup Corporation boasts of extensive knowledge of attacks, which, given the background of some of the group in Information Warfare, appears plausible. Up-to-the-minute attack signatures, which are specific enough to avoid false alarms but general enough to detect minor variations in attacks (for example, a non-sequential port scan spread over a long period of time), are required for success.

A big weakness in the NetRanger design lies in the hardware. Each NSX requires two devices: either a Network Systems Borderguard router or a Network General sniffer, feeding a separate PC. You either replace your existing routers, or place a Network Systems router on each network segment (assuming you are not in a switched environment). The router or sniffer sends packets to a Pentium-class PC, and each combination costs $16,000. In Wheelgroup's marketing literature, they claim that their system is less expensive than a firewall, and more functional. In reality, a single NSX, without a Director module, costs more than a typical firewall. A press release from the Wheelgroup talks about a single installation which costs $2.5 million.
Because NetRanger uses routers in its primary design, it can block packets which fit attack signatures. NetRanger can also perform string recognition on data, for example, blocking an e-mail message which contains a keyword or phrase. Note that this is not so different from what some firewalls can do. The difference is that this goes on __within__ your network, instead of just at network boundaries.

The Director integrates with SNMP-based management systems such as HP OpenView, providing a visual, icon-based interface. An alert situation, like port scanning, turns the icon from green to yellow, while an attack signature, such as using sendmail's debug command, turns the icon red. A secondary icon shows details of the type of attack, and the Director can command the NSX to send more details, and can create reports. The Wheelgroup can have a replicated Director at their own site, and provide off-hours or 7x24 hour support.

ISS' RealSecure seems a natural offshoot of their SafeSuite of products. The founder of ISS started by writing a program which performed network scans, looking for a short list of UNIX system vulnerabilities (similar to SATAN, although much simpler). Today, ISS products look for weaknesses in individual or networked UNIX or NT systems, networked Windows systems, Web servers, and firewalls. RealSecure extends this approach to the network. A system running the RealSecure engine listens to all traffic on an attached network, looking for attack signatures. ISS's Web site listed 80 different attack signatures (not a bad list), and we can safely assume that more are being added weekly. RealSecure can display alarms, log the attack, send e-mail, and, in some cases, terminate the attack. The attack can also be recorded for later playback, depending on how the engine is configured. RealSecure engines run on a variety of platforms and operating systems: SunOS and Solaris, Linux after version 1.3, and NT (with some limitations).
Unlike NetRanger, which generally is installed so that it cooperates with routers, RealSecure cannot block traffic by dynamically introducing packet filters. RealSecure can stop some attacks, for example SYN flooding and TCP-based attacks, by sending a spoofed TCP packet with the reset flag set--shutting down the TCP connection. Dispensing with the routers and PC hardware, the price is much less too--$5,000 for an engine and a management console running on one platform.

RealSecure has a central management console, which can support many RealSecure modules. Logs and data are stored in an ODBC-compliant database at the engines, and can be queried to produce reports on attacks and some network statistics. Like NetRanger, encryption is used to protect communications.

### Bright Orange Boxes

Network Flight Recorder, the brainchild of Marcus Ranum, takes a different approach to the network intrusion detection problem. A flight recorder sits behind the cockpit in commercial aircraft, recording control data and cockpit communications just in case something bad happens. The box is painted bright orange, so it will be easy to find (after something __really__ bad happens).

Network Flight Recorder (NFR) is software designed to run on NT systems, which will monitor directly connected networks. Rather than focusing on the issue of simply detecting attack signatures, NFR's main focus is on data collection--collecting summaries of what has been defined as "normal" network traffic, while recording other network traffic in greater detail. There is a decision engine, which processes the collected data and can issue alerts. But there is a real focus on collecting network information which can be used either to reconstruct an attack, or as evidence in court. One argument put forth by Ranum and company is that there will always be new attacks, and reconstructing how an attack took place is difficult using the audit trails and logs of the systems that were attacked.
These logs are often modified by successful attackers to cover up their approach to breaking into a system. With NFR, a record can be used to reconstruct an attack scenario, making it possible to detect such attacks in the future, and to block those attacks by disabling or updating the targeted software. NFR uses Java applets for administration, which means that any Web browser which supports Java can be used as a management console (as long as the user can provide proper authentication). Also unlike the other products, source code for the software will be made available for non-commercial use, such as research.

### Listening Posts

Network intrusion detection and response products do not replace firewalls. They watch network traffic with the aim of detecting attacks within the Intranet boundaries--attacks that might have slipped past a firewall, or originated __within__ an organization. NetRanger is the Cadillac of network intrusion detection, with the highest cost and changes required in the network infrastructure, and surely the very paranoid with very high risk systems will be very fond of this approach. RealSecure leverages ISS' reputation for collecting and testing for attack signatures. Network Flight Recorder wants to go beyond mere attack recognition, becoming a tool for network monitoring, discovering new attacks, and providing a legal record that will stand up in court. If you have networks which contain very sensitive systems, or you just want to be certain that your firewall is working correctly, you will want a network intrusion detection product.
### Resources

Web sites with information about Intrusion Detection:

- Short list of papers about Intrusion Detection: http://www.underground.org/intrusion_detection/
- Very complete bibliography of intrusion detection: http://cs.purdue.edu/coast/intrusion_detection/ids_bib.html
- Intrusion detection for large networks: http://seclab.cs.ucdavis.edu/arpa/arpa.html

The Kumar-Spafford paper has a long introduction about Intrusion Detection techniques.

Vendors:

- Wheelgroup Corporation: http://www.wheelgroup.com/, info@wheelgroup.com
- Internet Security Systems, Inc: http://iss.net/, info@iss.net
- Network Flight Recorder, Inc: http://www.nfr.net/