Introduction To Network Security - Part 1 - 5. Intrusion Detection Systems

Intrusion Detection Systems

IDS's have become the 'next big thing' the way firewalls were some time ago. There are bascially two types of Intrusion Detection Systems :

• Host based IDS
• Network based IDS

Host based IDS - These are installed on a particular important machine (usually a server or some important target) and are tasked with making sure that the system state matches a particular set baseline. For example, the popular file-integrity checker Tripwire -- this program is run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the current system files against their known 'safe' signatures. If a file has been changed, the administrator is alerted. This works very well as most attackers will replace a common system file with a trojaned version to give them backdoor access.

Network based IDS - These are more popular and quite easy to install. Basically they consist of a normal network sniffer running in promiscuous mode (in this mode the network card picks up all traffic even if its not meant for it). The sniffer is attached to a database of known attack signatures and the IDS analyses each packet that it picks up to check for known attacks. For example a common web attack might contain the string '/system32/cmd.exe?' in the URL. The IDS will have a match for this in the database and will alert the administrator.

Newer IDS' support active prevention of attacks - instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time. Or the IDS can use 'session sniping' to fool both sides of the connection into closing down so that the attack cannot be completed.

Unfortunately IDS systems generate a lot of false positives (a false positive is basically a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern) this tempts a lot of administrators into turning them off or even worse -- not bothering to read the logs. This may result in an actual attack being missed.

IDS evasion is also not all that difficult for an experienced attacker. The signature is based on some unique feature of the attack, and so the attacker can modify the attack so that the signature is not matched. For example, the above attack string '/system32/cmd.exe?' could be rewritten in hexadecimal to look something like the following:

Which might be totally missed by the IDS. Furthermore, an attacker could split the attack into many packets by fragmenting the packets. This means that each packet would only contain a small part of the attack and the signature would not match. Even if the IDS is able to reassemble fragmented packets, this creates a time overhead and since IDS' have to run at near real-time status, they tend to drop packets while they are processing. IDS evasion is a topic for a paper on its own.

The advantage of a network based IDS is that it is very difficult for an attacker to detect. The IDS itself does not need to generate any traffic, and in fact many of them have a broken TCP/IP stack so they don't have an IP address. Thus the attacker does not know whether the network segment is being monitored or not.

Patching and Updating

It is embarassing and sad that this has to be listed as a security measure. Despite being one of the most effective ways to stop an attack, there is a tremendously laid back attitude to regulary patching systems. There is no excuse for not doing this, and yet the level of patching remains woefully inadequate. Take for example the MSblaster worm that spread havoc recently. The exploit was known almost a month in advance, and a patch had been released, still millions of users and businesses were infected. While admins know that having to patch 500 machines is a laborious task, the way I look at it is I would rather be updating my systems on a regular basis than waiting for disaster to strike and then running around trying to patch and clean up those 500 systems.

For the home user, its a simple matter of running the automatic update software that every worthwhile OS comes with. In the enterprise there is no 'easy' way to patch large numbers of machines, but there are patch deployment mechanisms that take a lot of the burden away. Frankly, it is part of an admin's job to do this, and when a network is horribly fouled up by the latest worm it just means someone, somewhere didn't do his job well enough.

Click here to read Part 2 of 'Introduction to Network Security'