The old saw “an ounce of prevention is worth a pound of cure” can certainly be applied to all aspects of computer security. To protect our computer networks from the endless stream of attacks by hackers and malicious code, we employ preventive measures that may include sound security policies, well-designed system architecture, properly configured firewalls and strong authentication programs. While these tools are helpful, they may not be enough for today’s breed of sophisticated attacks.
A misconception of some network administrators is that firewalls first recognize attacks, then block them. In actuality a firewall is more like a fence around your home or business with a couple of gates as entry points. The fence has no ability to determine if somebody coming through a gate should be permitted entry. It simply restricts all access through entry points or gates. Enter intrusion detection systems (IDSs). An intrusion detection system will act as a burglar alarm, alerting you to potential external break-ins or internal misuse of the system(s) being monitored. Network intrusion detection and prevention systems are software programs and/or hardware-based devices designed to detect unauthorized attacks on a computer network system. An intrusion detection system is a system designed to detect attempts to compromise the confidentiality, integrity or availability of the protected network or associated computer systems.
One fundamental objective of computer security management is to affect the behavior of individual users in a way that protects information systems from security problems. Intrusion detection systems help organizations accomplish this goal by increasing the perceived risk of discovery and punishment for attackers, which serves as a significant deterrent to those who would violate security policy. IDSs examine patterns of computer activity rather than just individual files, giving them further-ranging protective abilities than ordinary antivirus software. Of the two basic IDS types, the most versatile are HIDS (host intrusion detection systems), as they are installed locally on host machines. From this local vantage point, HIDS can ascertain where an attack is affecting a particular host or system (which processes and which users). Since they can directly access and keep track of data files and OS processes that an attack may have touched, HIDS can see the outcome of an attempted breach. NIDS, or network-based intrusion detection systems, identify breaches by monitoring and capturing network traffic. An NIDS is dedicated software or hardware that examines network packets. An NIDS can consist of a set of single-purpose sensors situated at different sites on a network; each sensor monitors and analyzes traffic locally and reports attacks to a centrally located console.
As with firewall and antivirus products, there is no shortage of vendors for the IDS market. Since IDS products are notorious for producing false positives, a high-quality (albeit more expensive) security appliance product is recommended for network intrusion detection. Three industrial-strength (and popular) IDS appliances are:
- Real-Time Network Awareness by Sourcefire (www.sourcefire.com).
- RealSecure by Internet Security Systems (www.iss.net).
- Cisco IDS (www.cisco.com).
These products help make intrusion detection systems more efficient and as such are valuable in enterprise networks.
For those looking for a no-cost software-based IDS solution, Snort may be just the product to fit the bill. According to Snort.org, “Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more.” A compelling Snort feature is that it has been ported to work with many different operating systems, including Mac OS X. For more information or to download a free copy of Snort, visit www.snort.org. Additional information on configuring Snort can be found at www.winsnort.com. At this Web site the novice as well as the expert will find tips and useful information on the installation and configuration of Snort (IDS) in a Windows, Solaris 9 (beta) or Red Hat 9 environment.
Figure 1: GFI LANguard S.E.L.M. 4 Monitor
Some network managers mistakenly assume that unauthorized access is largely attempted by external parties. According to GFI, “the majority of corporate security threats stem from internal sources, against which a firewall offers no protection. GFI LANguard Security Event Log Monitor (S.E.L.M.) monitors the security event logs of all your Windows NT/2000/XP/2003 servers and workstations and alerts you to possible intrusions/attacks in real time, giving you peace of mind.” (See Figure 1.) GFI LANguard S.E.L.M. ships with a security event analysis engine that takes into account the type of security event, the security level of each computer, when the event occurred (during or outside operating hours) and the role of the computer and its operating system (workstation, member server or domain controller). Based on this information, GFI LANguard S.E.L.M. can decide whether the security event is critical, high, medium or low (see Figure 2). For more information and pricing, visit www.gfi.com. GFI also provides a freeware version of GFI LANguard S.E.L.M. that performs event-log-based intrusion detection and network-wide event log management for one server and up to five workstations.
Figure 2: GFI LANguard S.E.L.M 5.0 Configuration
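To make the event-log analysis described above concrete, here is an added example (not GFI's code) of a small scorer that combines the same four criteria, event type, host security level, time of occurrence and host role, into a critical/high/medium/low rating. The event sample, host inventory, weights, thresholds and operating hours are all constructed assumptions; the event ids are the classic NT/2000/XP/2003 security-log ids.

```python
from collections import Counter
from datetime import datetime
# Constructed sample of NT/2000/XP/2003 security-log events (classic event ids:
# 517 = audit log cleared, 624 = user account created, 529 = logon failure).
EVENTS = [
    {"id": 517, "computer": "DC01", "when": "2004-03-02 02:14"},
    {"id": 529, "computer": "WS17", "when": "2004-03-02 10:05"},
    {"id": 624, "computer": "FS01", "when": "2004-03-06 10:00"},
    {"id": 529, "computer": "DC01", "when": "2004-03-02 14:30"},
    {"id": 624, "computer": "DC01", "when": "2004-03-02 23:00"},
]
# Assumed inventory: (role, administrator-assigned security level) per host.
INVENTORY = {
    "DC01": ("domain controller", "high"),
    "FS01": ("member server", "medium"),
    "WS17": ("workstation", "low"),
}
OPERATING_HOURS = (8, 18)  # assumed: 08:00-18:00, Monday to Friday
BASE_WEIGHT = {517: 3, 624: 2, 529: 1}  # assumed weight per event type
ROLE_WEIGHT = {"domain controller": 2, "member server": 1, "workstation": 0}
LEVEL_WEIGHT = {"high": 2, "medium": 1, "low": 0}
THRESHOLDS = ((8, "critical"), (6, "high"), (4, "medium"))  # assumed; else "low"

def outside_hours(when: str) -> bool:
    """True if the event fell on a weekend or outside operating hours."""
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
    start, end = OPERATING_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def score(event: dict) -> int:
    """Add up the four criteria: event type, host security level,
    host role and whether the event happened outside operating hours."""
    role, level = INVENTORY.get(event["computer"], ("workstation", "low"))
    points = BASE_WEIGHT.get(event["id"], 1)  # unknown event types count 1
    points += ROLE_WEIGHT[role] + LEVEL_WEIGHT[level]
    return points + (1 if outside_hours(event["when"]) else 0)

def classify(event: dict) -> str:
    """Map the score to critical / high / medium / low."""
    s = score(event)
    return next((name for floor, name in THRESHOLDS if s >= floor), "low")

def triage(events: list) -> dict:
    """Severity counts, as a central console summary would show them."""
    return dict(Counter(classify(e) for e in events))

if __name__ == "__main__":
    for e in EVENTS:
        print(f'{e["computer"]:5} {e["id"]} {e["when"]} -> {classify(e)}')
    print(triage(EVENTS))
```

A cleared audit log on a domain controller at night lands at critical, while the same logon failure rates low on a workstation and medium on the domain controller.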
Douglas Schweitzer, A+, Network+, i-Net+, CIW, is an Internet security specialist and the author of “Securing the Network from Malicious Code” and “Incident Response: Computer Forensics Toolkit.” He can be reached at firstname.lastname@example.org.