Security in a computing world.
ABSTRACT
Security is a big issue in the computing world, and more professionals, businesses and governments are seeking stronger security to safeguard their secret and critical data from falling into the wrong hands. People have become security conscious after seeing a great deal of computer cracking and program exploitation over the past decade. Confidentiality, integrity and authentication are the top priorities in the security world. My aim in this thesis is to show how an Intrusion Detection System (IDS) can be useful for detecting network and computer attacks.
An Intrusion Detection System detects attacks, notifies the administrator and logs the attack for later review. To stop an attack it is necessary to know what type of attack has been launched against us, and then to prevent it from happening again. I analyze IDS architectures and techniques to determine the best option for a particular network. To show how intrusions can be detected I use Snort as my IDS.
INTRODUCTION
An attack is defined as "an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system". [65]
When computers were first built, nobody thought much about security, and because of that lack of security a single threat can bring down a computer or even a whole network. Security is now a major issue in the computing world: every enterprise wants to keep its critical data out of the wrong hands, because a breach can be disastrous for the business. Threats to network security range from hijacking critical data and exposing company secrets to rivals, to denial of service and more. I discuss what attacks can be mounted against networks and computers and how they work, and after reviewing those attacks I suggest ways of preventing them.
I start with TCP/IP, because almost every network is built on it and without understanding TCP/IP one cannot understand how to defend against the attacks mounted by so-called black-hat hackers and crackers. TCP is a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols which support multi-network applications. The TCP provides for reliable inter-process communication between pairs of processes in host computers attached to distinct but interconnected computer communication networks. [2] TCP is responsible for reliable transmission of data from one end to the other: it detects lost or corrupted segments, and if a segment goes missing or is damaged the sender retransmits it. IP (Internet Protocol) works like a postman; its job is to deliver packets from one computer to another and from one network to another. The internet protocol provides for transmitting blocks of data called datagrams from sources to destinations, where sources and destinations are hosts identified by fixed length addresses. The internet protocol also provides for fragmentation and reassembly of long datagrams, if necessary, for transmission through "small packet" networks. [7]
After that I discuss how one could attack a network or a particular computer on it, and what an attacker needs to know before launching an attack of any kind. An initial study of the victim network is essential: what it looks like and which vulnerable services it is running. To make an attack succeed the attacker makes sure he or she knows everything about the victim, otherwise the attack may achieve nothing. Several techniques reveal how weak the victim's security policies are, and I describe the steps needed to gather all the important information before launching an attack.
In my second chapter I go through computer and network attacks to understand how the different attacks work and how disastrous they can be for the victim. I look at the common methods of attack and how hackers and crackers use them to succeed in their mission. The idea is to uncover the techniques and tools of the cracker and how programs on the system are exploited.
The third chapter covers intrusion detection systems: what they are, what they are used for, what their architectures are and how they can detect attacks on a network or on a single computer (server). The idea behind the technology is to detect the attack, identify its source and respond accordingly, for example by dropping packets or disconnecting the session, and sometimes by taking more aggressive steps towards the source (the attacker). Intrusion detection is defined as "A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner". [65]
The fourth chapter discusses Snort, one such intrusion detection system, and analyzes how Snort detects and responds to malicious attacks: the methods and patterns it uses to identify the type of attack and the response it then gives.
The fifth chapter describes how I implemented Snort on my network and computer, and the resources I used to deploy the sensor successfully.
The sixth chapter looks at other tools and techniques available to protect networks and computers from malicious code and attacks. To strengthen a network or an individual computer we need extra measures such as firewalls, packet filters, an Intrusion Prevention System (IPS), honeynets and so on, because an IDS alone is not enough to keep intruders out of the network.
INITIAL STEPS FOR LAUNCHING AN ATTACK
That computer security is a growing problem can be seen from figures published by the Computer Emergency Response Team (CERT): in 1988 only 6 incidents were reported, while in 2003, the last year shown, 137,529 were reported. Vulnerability reports rose from 171 in 1995 to 3,784 in 2003. In total, 319,992 incidents were reported from 1988 to 2003 and 12,946 vulnerabilities from 1995 to 2003. [1] Table 1.1 below shows the number of incidents and vulnerabilities reported each year from 1988 to 2003.
Vulnerability is "a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy". [65]
An incident is "a security event that involves a security violation. In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached". [65]
Year    Incidents    Vulnerabilities
1988            6                n/a
1989          132                n/a
1990          252                n/a
1991          406                n/a
1992          773                n/a
1993        1,334                n/a
1994        2,340                n/a
1995        2,412                171
1996        2,573                345
1997        2,134                311
1998        3,734                262
1999        9,859                417
2000       21,756              1,090
2001       52,658              2,437
2002       82,094              4,129
2003      137,529              3,784
Table 1.1 - Number of incidents (1988-2003) and vulnerabilities (1995-2003) reported to CERT; vulnerability counts were not recorded before 1995. [1]
To gain a better understanding of the subject it is extremely important to know what TCP/IP is, so I start with an overview of TCP/IP and how these two protocols work.
1.1 TCP/IP Overview
The TCP/IP protocol suite allows computers of all sizes, from many different vendors, running totally different operating systems, to communicate with each other. It grew out of ARPANET, a network funded in 1969 by the US Department of Defense (DoD) through the research agency now called the Defense Advanced Research Projects Agency (DARPA). The Transmission Control Protocol (TCP) is intended for use as a highly reliable host to host protocol between hosts in packet-switched computer communication networks, and in interconnected systems of such networks. [2]
Figure 1.1 - Relationship of the Internet Protocol Suite to the OSI Reference Model [3]
1.2 Flow of Data
At the application layer a message is generated by a program such as FTP or Telnet. The message is passed down the stack to the transport layer, TCP, where information is added in front of the data. This added information is called a header and carries what the layer needs to do its job, such as which port on the destination machine the data should go to. The header works like an envelope for the data; the header and data together are called a TCP segment. The TCP segment is passed to the network layer, where another header is added: the IP header, carrying the source and destination IP addresses. The resulting packet is called an IP datagram. This is passed to the data link layer, where ARP (Address Resolution Protocol) is used to translate the next-hop IP address into an Ethernet address; the translation is needed only for outgoing packets, because that is when the Ethernet header is created. The result is a frame which can be transmitted across the link. On receipt, the destination system strips the headers off again, layer by layer. [4]
Figure 1.2 - Adding headers (and a trailer) to move data through the communications stack and across the network.
1.3 Transmission Control Protocol (TCP)
TCP is a connection-oriented transport protocol that sends data as an unstructured stream of bytes. By using sequence numbers and acknowledgement messages, TCP can provide a sending node with delivery information about packets transmitted to a destination node. Where data has been lost in transit from source to destination, TCP can retransmit the data until either a timeout condition is reached or successful delivery has been achieved. TCP can also recognize duplicate messages and will discard them appropriately. If the sending computer is transmitting too fast for the receiving end, TCP can employ flow control mechanisms to slow data transfer. TCP can also communicate delivery information to the upper-layer protocols and applications it supports. [3]
Many applications use TCP, for instance FTP, Telnet, HTTP, SMTP, POP and many others. Each of these applications generates data and passes it to the TCP/IP stack of the local machine. The TCP layer takes this data and creates TCP segments by placing a TCP header in front of each chunk of data. The TCP header format is shown in the figure below.
Figure 1.3 - The TCP Header [3]
1.3.1 Explanation of the TCP Header
The header of every TCP segment includes two port numbers: a source port and a destination port. These 16-bit numbers are like little doors on the system through which data is sent out or received. Sequence numbers number the bytes in the stream and provide reliability, ordering and protection from duplicates when data is retransmitted. The acknowledgement number, in segments returned by the recipient, gives the next sequence number the recipient expects, and so tells the sender which data has arrived. Data offset tells where in the TCP segment the header ends and the data starts; it is the length of the TCP header in 32-bit words. The reserved field is kept for future use. The importance of the TCP control bits becomes obvious when we analyze how sessions are initiated: all legitimate TCP connections are established using a three-way handshake, a fundamental mechanism TCP uses to get its job done. The window field is used for flow control: it advertises how many bytes the sender of the segment is willing to receive beyond the acknowledged byte, and so limits the amount of unacknowledged data in flight. The checksum verifies that the TCP segment was not corrupted on its journey across the network. The urgent pointer indicates where in the data urgent information is located. The options field carries additional information about the TCP processing capabilities of either side of the connection; for example, if a TCP implementation can handle only segments up to a given maximum size, it can indicate this limitation in the TCP options. The padding field adds enough zero bits to extend the TCP header so that it ends on a 32-bit boundary. [6]
1.3.2 Establishing a TCP Connection
1. Suppose Alice has some data to send to Bob. Alice starts the three-way handshake to establish a TCP connection by sending a segment with the SYN control bit set and the sequence number set to some initial value, known as the initial sequence number, ISN(A).
2. Bob sends back a single segment with both the SYN and ACK control bits set. It acknowledges ISN(A) (the acknowledgement number is ISN(A) + 1, because the SYN itself consumes one sequence number) and asks Alice to synchronize with Bob's own initial sequence number, ISN(B).
3. On receiving Bob's response, Alice completes the three-way handshake by sending a segment with the ACK control bit set and the acknowledgement number ISN(B) + 1.
Figure 1.4 - The TCP three-way handshake [11]
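The header layout of section 1.3.1 and the handshake above, as an added example that is not code from the thesis: it packs and unpacks the fixed 20-byte TCP header with the standard library and then simulates the three segments between Alice and Bob, checking that each acknowledgement number is the other side's ISN + 1. The ports (40000 and 80) and the initial sequence numbers are constructed values, and the checksum field is left at zero because computing it needs the IP pseudo-header, which is not built here.

```python
import struct

# TCP control bits (low byte of the 16-bit offset/flags word)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIHHHH"   # src port, dst port, seq, ack, offset/flags, window, checksum, urgent
MASK32 = 0xFFFFFFFF


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, data=b""):
    """Pack a 20-byte TCP header (no options) followed by the payload.
    The checksum is left at zero: it needs the IP pseudo-header (assumption noted in the lead-in)."""
    data_offset = 5                     # header length in 32-bit words
    off_flags = (data_offset << 12) | flags
    hdr = struct.pack(TCP_HDR, src_port, dst_port, seq & MASK32, ack & MASK32,
                      off_flags, window, 0, 0)
    return hdr + data


def parse_tcp_header(segment):
    """Unpack the fixed header and split options and payload off using the data offset."""
    (src_port, dst_port, seq, ack, off_flags, window,
     checksum, urgent) = struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20:
        raise ValueError("data offset smaller than the fixed header")
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": off_flags & 0x1FF,   # 9 control bits incl. NS/CWR/ECE
            "window": window, "checksum": checksum, "urgent": urgent,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def flag_names(flags):
    """Human-readable list of the six classic control bits that are set."""
    table = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return [name for name, bit in table if flags & bit]


def three_way_handshake(isn_a, isn_b, port_a=40000, port_b=80):
    """Build the SYN, SYN/ACK and ACK segments exchanged by Alice (A) and Bob (B).
    A SYN occupies one sequence number, so each side acknowledges the peer's ISN + 1."""
    syn = build_tcp_header(port_a, port_b, isn_a, 0, SYN)
    syn_ack = build_tcp_header(port_b, port_a, isn_b, isn_a + 1, SYN | ACK)
    ack = build_tcp_header(port_a, port_b, isn_a + 1, isn_b + 1, ACK)
    return [parse_tcp_header(s) for s in (syn, syn_ack, ack)]


def handshake_is_valid(segments):
    """Check that three parsed segments form a consistent handshake (flags and seq/ack arithmetic)."""
    syn, syn_ack, ack = segments
    return (syn["flags"] == SYN
            and syn_ack["flags"] == SYN | ACK
            and syn_ack["ack"] == (syn["seq"] + 1) & MASK32
            and ack["flags"] == ACK
            and ack["seq"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (syn_ack["seq"] + 1) & MASK32)


if __name__ == "__main__":
    for s in three_way_handshake(isn_a=1000, isn_b=5000):
        print(f"{s['src_port']} -> {s['dst_port']} {flag_names(s['flags'])} "
              f"seq={s['seq']} ack={s['ack']}")
```

The same builder produces any other segment, for example `build_tcp_header(40000, 80, 1001, 5001, PSH | ACK, data=b"GET / HTTP/1.0\r\n\r\n")` for the first data segment after the handshake; the parser recovers the payload from the data offset rather than assuming a 20-byte header, which is what a sniffer or IDS has to do when options are present.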
1.3.3 Closing a TCP Connection
Just as the SYN and ACK control bits are used to establish a session, the FIN control bit is used to tear one down. Each side sends a segment with the FIN bit set to indicate that it has finished sending, and the other side acknowledges it. The RST control bit aborts a connection immediately, discarding any queued data and freeing the sequence numbers in use; it is also what a host sends in reply to a segment for a connection it does not recognize. The PSH control bit tells the receiving TCP to pass the data to the application promptly rather than buffering it for later delivery.
1.4 Internet Protocol (IP)
IP is the primary layer 3 protocol in the Internet suite. In addition to internetwork routing, IP provides error reporting and fragmentation and reassembly of information units called datagrams for transmission over networks with different maximum data unit sizes. [3]
The two major services that the internet protocol layer provides are addressing (to deliver messages from one host to another) and fragmentation (to move messages through networks that have differing packet sizes). [5] When a message is passed from the transport layer to the network layer, another header is added in front of the TCP header: the IP header. The diagram of the IP header is below.
Figure 1.5 - IP Header [7].
1.4.1 Explanation of the IP Header
In the Internet Protocol header, the Version field gives the version of the Internet Protocol in use (4 for IPv4). The IHL (Internet Header Length) field gives the length of the IP header in 32-bit words, so a header without options has IHL = 5, that is 20 bytes. The Type of Service field indicates the quality of service desired while this message travels through the internet system; priority messages can be given special treatment by network facilities if so indicated here. The Total Length field gives the total length of the IP packet in bytes, including the header and its data. The Identification field carries a value the sender assigns to each datagram so that fragments of the same datagram can be told apart from fragments of others and reassembled together. The Flags field indicates whether this packet may be fragmented and whether more fragments follow. The Fragment Offset field says where this fragment's data sits in the original message, and is used to rebuild the full message once all the fragments have reached the destination host. Time to Live gives the maximum number of router-to-router hops the packet may take as it crosses the network; each router decrements it and discards the packet when it reaches zero. The Protocol field identifies the protocol carried by this IP packet; it is often set to the value for TCP or UDP. The Header Checksum is used to make sure the header has not been corrupted, and is recalculated at each router hop because the TTL changes. The Source Address and Destination Address fields indicate where the packet is coming from and where it is going, respectively. The Options field specifies routing options, for instance which route to take through the network, and can record the route taken. The Padding field fills the remaining bits so that the header ends on a 32-bit boundary.
1.4.2 IP Addressing
IP addresses identify a particular machine on the network and are 32 bits in length. Each host in a network must have a unique address so that messages can be sent to that particular host. IP addresses are usually written in dotted-quad notation, which lists each of the four eight-bit parts of the address as a number between 0 and 255, giving an address of the form w.x.y.z, such as 10.21.41.3.
Internet addresses are divided into several classes, each of which is illustrated in figure below.
Class A network: binary addresses start with 0, so the first octet in decimal can be anywhere from 1 to 126 (0 and 127 are reserved). The first 8 bits (the first octet) identify the network and the remaining 24 bits identify the host within the network.
Class B network: binary addresses start with 10, so the first octet can be anywhere from 128 to 191. The first 16 bits (the first two octets) identify the network and the remaining 16 bits identify the host within the network.
Class C network: binary addresses start with 110, so the first octet can be anywhere from 192 to 223. The first 24 bits (the first three octets) identify the network and the remaining 8 bits identify the host within the network.
Class D network: binary addresses start with 1110, so the first octet can be anywhere from 224 to 239. Class D addresses are used to support multicasting.
Class E network: binary addresses start with 1111, so the first octet can be anywhere from 240 to 255. Class E addresses are reserved for experimentation and future use. Note that on today's Internet this classful scheme has been superseded by classless addressing (CIDR), in which the network/host boundary is given explicitly as a prefix length such as /24 rather than implied by the leading bits.
Figure 1.6 - Assigned classes of IP Addresses [71]
1.4.3 Packet Fragmentation in IP
Every network has an MTU (Maximum Transmission Unit), the size of the largest packet the network can transmit, so IP reduces the size of a large datagram by splitting its data into suitably small fragments. Each fragment carries a copy of the IP header so that it can be routed independently. The destination host's IP layer is responsible for reassembling all the fragments before passing the data up to the transport layer. The Identification, Fragment Offset, Total Length and Flags fields are used together to make fragmentation work as packets travel from source to destination. The Fragment Offset field tells the receiving system where the contents of this fragment belong when the entire packet is reassembled; it is measured in 8-byte units, so every fragment except the last carries a multiple of 8 data bytes. The Identification field is set by the sending system to a value that is unique for that source, destination and protocol, so that the destination can group the fragments belonging to one datagram. The flags in the IP header carry further information about fragmentation: the sending system can set the DF (Don't Fragment) flag to indicate that a packet must not be fragmented as it crosses the network, and if a packet is fragmented, the MF (More Fragments) flag indicates whether more fragments of the original packet are still on the way. Reassembly is a sensitive operation, because the receiver has to trust the offsets and lengths supplied by the sender; fragments whose offsets overlap, or whose offset plus length exceeds the 65,535-byte maximum datagram size, have historically crashed poorly written IP stacks.
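The IP header fields of section 1.4.1 and the fragmentation mechanism just described, as an added example (it is not code from the thesis or from any real IP stack): it builds IPv4 headers with a correct checksum, fragments a payload to fit an MTU, and reassembles the fragments while rejecting the malformed inputs that the fragmentation attacks discussed in chapter 2 rely on, namely overlapping offsets and a reassembled size above 65,535 bytes. The addresses 10.0.0.1 and 10.0.0.2, the identification value 42, the MTU of 576 and the 1024-byte payload are all constructed for the demonstration.

```python
import socket
import struct

IPV4_MAX_DATAGRAM = 65535   # Total Length is a 16-bit field
MF = 0x1                    # More Fragments flag
DF = 0x2                    # Don't Fragment flag
HDR = "!BBHHHBBH4s4s"       # fixed 20-byte IPv4 header layout


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words. Running it over a header
    whose checksum field is already filled in returns 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ident, flags=0, offset=0, ttl=64, proto=1):
    """Return header (IHL = 5, no options) plus payload with a valid checksum.
    `offset` is in bytes and must be a multiple of 8 (the field counts 8-byte units)."""
    if offset % 8 or len(payload) + 20 > IPV4_MAX_DATAGRAM:
        raise ValueError("bad fragment parameters")
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), ident,
                      (flags << 13) | (offset // 8), ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Unpack the fixed header, verify its checksum and return the fields plus payload."""
    ver_ihl, _, total, ident, fo, ttl, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total > len(packet):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ident": ident, "flags": fo >> 13, "offset": (fo & 0x1FFF) * 8,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": packet[ihl:total]}


def fragment(src, dst, payload, mtu, ident):
    """Split `payload` into datagrams that fit `mtu`; every fragment except the
    last carries a multiple of 8 data bytes so that its offset is representable."""
    step = (mtu - 20) // 8 * 8
    if step <= 0:
        raise ValueError("MTU too small for IPv4")
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = MF if off + len(chunk) < len(payload) else 0
        frags.append(build_ipv4(src, dst, chunk, ident, more, off))
    return frags


def reassemble(fragments):
    """Rebuild the original payload from fragments in any order, refusing the
    malformed cases: oversize total, overlapping offsets, gaps, missing last fragment."""
    if not fragments:
        raise ValueError("no fragments")
    parts = [parse_ipv4(f) for f in fragments]
    if len({p["ident"] for p in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parts.sort(key=lambda p: p["offset"])
    out, expected = bytearray(), 0
    for p in parts:
        if 20 + p["offset"] + len(p["payload"]) > IPV4_MAX_DATAGRAM:
            raise ValueError("reassembled datagram would exceed 65535 bytes")
        if p["offset"] < expected:
            raise ValueError("overlapping fragment at offset %d" % p["offset"])
        if p["offset"] > expected:
            raise ValueError("missing data before offset %d" % p["offset"])
        out += p["payload"]
        expected += len(p["payload"])
    if parts[-1]["flags"] & MF:
        raise ValueError("final fragment missing")
    return bytes(out)


if __name__ == "__main__":
    data = bytes(range(256)) * 4                      # constructed 1024-byte payload
    frags = fragment("10.0.0.1", "10.0.0.2", data, mtu=576, ident=42)
    print(len(frags), "fragments; round trip ok:", reassemble(frags) == data)
```

With an MTU of 576 the data portion of each fragment is 552 bytes (556 rounded down to a multiple of 8), so the 1024-byte payload becomes two fragments at offsets 0 and 552. The reassembler checks the oversize condition before the ordering checks, because a single fragment at offset 65528 is already proof of an attack whether or not its predecessors ever arrive.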
1.5 Reconnaissance
Before carrying out an attack, attackers need to discover as much about their target as possible. Reconnaissance lets them build a complete profile of an organization's security posture. The information sought typically includes domain names, network blocks, IP addresses, system architecture, access control mechanisms and so on. Techniques available for reconnaissance include general Web searches, the whois databases, the Domain Name System (DNS) and a variety of others. I try to explain almost every technique used in reconnaissance, while keeping it short.
1.5.1 Search the Fine Web
One of the best places to look on the Web for useful information about a target organization is the target's own Web site. Web sites often include very detailed information about the organization, for instance employees' contact details and phone numbers, which can be very useful in social engineering and can even be used for war dialing. The organization's location can easily be discovered by browsing its Web site, as can the technologies it uses, such as which Web server and operating system are in use.
Tools: Wget [76] for UNIX and Teleport Pro [77] for Windows. With these tools an attacker can mirror the whole site to study it offline and discover useful information about the organization.
The World Wide Web can provide an attacker with enticing tidbits about the target through the many free search engines, such as AltaVista, Excite, HotBot or Google. These search engines offer a handy facility for finding all sites that link back to the target organization's domain. Usenet is also helpful, as many administrators post questions about setting up and configuring their hardware and software. Attackers love this type of question, as it often reveals which vendor products a target organization uses.
1.5.2 Internet Footprinting
It is important to identify the domain names and associated networks belonging to a particular organization. Domain names represent the company's presence on the Internet; to enumerate these domains and discover the networks attached to them, you must scour the Internet. Several whois databases are available which provide information including the assignment of Internet addresses, domain names and individual contacts. The InterNIC whois database [78], which covers the .com, .net and .org top-level domains, lets a user enter an organization's name or domain name and returns a record naming the registrar the organization used to register its domain. The ARIN database records the IP address blocks assigned to organizations in North America; European and Asia-Pacific IP address assignments can be looked up at RIPE NCC [79] and APNIC [80] respectively.
Tools: Sam Spade [81] and NetScanTools [82] can discover a lot about a target organization, including through whois queries.
1.5.3 DNS Interrogation
DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names and mail server information. It is used to map hostnames to IP addresses and vice versa. A misconfigured DNS server allows zone transfers to untrusted computers. A zone transfer is meant to let a secondary name server update its copy of a zone from the primary, but if the server does not restrict who may request one, an attacker obtains every hostname and IP address in the zone with a single query. A well-known tool for requesting zone transfers is nslookup, which is included in Windows NT/2000 and UNIX variants (the ls -d command in its interactive mode); on UNIX the dig utility does the same with the axfr query type. In a zone transfer, the client asks the DNS server to transmit all the information it has about all systems in the given domain.
1.5.4 Network Reconnaissance
Now that potential networks have been identified, the attacker can attempt to determine their topology as well as potential access paths into the network. Traceroute is a useful tool for this task on UNIX; on Windows NT it is spelled tracert. Traceroute shows the route an IP packet follows from one host to the next. It works by sending packets with increasing time-to-live (TTL) values in the IP header, so that each router along the path in turn discards a packet and returns an ICMP TIME_EXCEEDED message, revealing its address.
Tools: traceroute and tracert for UNIX and Windows NT respectively. For a graphical presentation, you can use VisualRoute [83], NeoTrace [84] or Cheops [85].
1.6 Scanning
After the reconnaissance phase the attacker is armed with vital information about your infrastructure, such as telephone numbers, domain names and IP addresses. Attackers then use this knowledge to start scanning your systems for openings. Scanning for open ports is like a burglar turning door knobs and trying windows and doors to find a way into your house.
1.6.1 Ping Sweeps
"An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities". [65]
One of the most basic steps in mapping a network is an automated ping sweep over a range of IP addresses and network blocks to determine which systems are alive. A ping is an ICMP Echo Request packet; the attacker sends one to every possible address in your network and waits for ICMP Echo Reply messages. If a reply comes back, the machine is alive (a host or firewall that silently drops echo requests will, of course, be missed).
Tools: A number of tools can perform a ping sweep, such as fping, gping and Nmap for UNIX systems, and Pinger from Rhino9 and Ping Sweep from SolarWinds for Windows.
1.6.2 Port Scans
"An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service".[65]
Port scanning is the process of connecting to TCP and UDP ports on the target system to determine which services are running or in a LISTENING state (open ports). Active services that are listening may allow an unauthorized user to gain access to systems that are misconfigured or running a version of software known to have security vulnerabilities.
Tools: Nmap is the most powerful tool for this purpose and runs on both UNIX and Windows. NetScanTools Pro and SuperScan are also good Windows tools for port scanning and revealing open ports on the victim machine.
1.6.3 Banner Grabbing
Another technique that comes in very handy for an attacker is banner grabbing: connecting to an open port and reading the greeting the service sends, which usually names the software and its version. Once the attacker knows which version of a piece of software the victim is running, it is easy to look up known vulnerabilities in it or to write an exploit.
Tools: Netcat is called the Swiss army knife of networking because it packs many utilities into one. It runs on UNIX and Windows.
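The two steps of sections 1.6.2 and 1.6.3, a TCP connect scan followed by banner grabbing on whatever is found open, as an added example that is not code from the thesis: it starts a constructed stand-in service on the loopback interface so that it runs offline, scans a few ports, and reads the greeting from the open one. The SMTP-style banner string is made up for the demonstration, and the example assumes that loopback networking is available; it only ever targets the listener it starts itself.

```python
import socket
import threading


def start_banner_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a real daemon: listens on an ephemeral port and
    greets every client with `banner`, as SMTP, FTP and SSH servers do on connect.
    Returns the listening socket (close it to stop the thread) and the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket was closed: shut down
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def ephemeral_closed_port(host="127.0.0.1"):
    """Pick a port that is currently closed: bind to port 0, note the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-connect scan. A completed three-way handshake means the port is open;
    a RST (connection refused) means closed; no answer within the timeout is
    reported as filtered, which is typically a firewall dropping the SYN."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                results[port] = "error"
    return results


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service volunteers before we send a byte.
    Returns b"" for services that wait for the client to speak first, such as HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def scan_and_fingerprint(host, ports):
    """Combine the two steps: banner-grab every port the scan reports as open."""
    states = tcp_connect_scan(host, ports)
    return {p: grab_banner(host, p) for p, st in states.items() if st == "open"}


if __name__ == "__main__":
    # The banner is a constructed value, not a real server's response.
    srv, open_port = start_banner_service(b"220 mail.example.test ESMTP ready\r\n")
    targets = [open_port, ephemeral_closed_port()]
    for p, state in tcp_connect_scan("127.0.0.1", targets).items():
        print(p, state)
    for p, banner in scan_and_fingerprint("127.0.0.1", targets).items():
        print(p, banner.decode(errors="replace").strip())
    srv.close()
```

A connect scan completes the handshake and so is logged by the service it touches, which is why an IDS can see it; it is also what Nmap's -sT option does, whereas a SYN scan (-sS) needs raw sockets and never sends the final ACK. Services that expect the client to speak first return an empty banner here, and the attacker then has to send a protocol-appropriate probe instead.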
Summary
Knowing TCP/IP is one of the most important parts of networking, as most networks are built on this protocol suite. I have tried to give an idea of how TCP/IP works and how data flows from network to network and host to host. TCP provides a reliable, connection-oriented, byte-stream transport-layer service: it packetizes user data into segments, sets a timeout whenever it sends data, acknowledges data received from the other end, reorders out-of-order data, discards duplicate data, provides end-to-end flow control, and calculates and verifies a mandatory end-to-end checksum. The functionality of IP has been examined with emphasis on the fragmentation and addressing functions it performs. IP, the network-layer protocol used on the Internet, has a header that includes the source and destination IP addresses of the packet. IP addresses are written in dotted-quad form, such as 10.21.41.3. IP packets can be broken down into smaller packets called fragments so that they fit the MTU of the networks they cross.
Many attacks start with a reconnaissance phase, in which the attacker tries to gain as much information about the target as possible without actually attacking it. I have described briefly how to research a target before launching an attack. By searching the Web an attacker may extract much useful information about the target organization, such as names, contact numbers and the technologies in use. Whois databases provide information about the target's Internet addresses, domain names and contacts. DNS servers likewise hold a great deal of information valuable to an attacker, including the mapping of domain names to IP addresses, the organization's mail servers, and its other name servers.
Attackers use network mapping techniques to build an inventory of target machines and the overall topology of the network, sweeping the target range to learn which hosts are alive. Using traceroute, the attacker can determine how systems, routers and firewalls are connected together. Port scanners are used to find which ports have listening services on the target network. By interacting with the ports on target systems, the attacker looks for an open port and then tries to exploit a known vulnerability in that service to gain access.
COMPUTER AND NETWORK ATTACKS
The Internet put the rest of the world within reach of our computers. In the same way it also made our computers reachable by the rest of the world: good news and bad news. Over the last decade the Internet and critical computers have been subject to widespread security attacks. Besides the classical terms, new ones had to be coined to designate a large collection of threats: worms, break-ins, hackers, crackers, hijacking, phrackers, spoofing, man-in-the-middle, password sniffing, denial of service and so on. [11]
You cannot defend against an attack unless you are aware of it. Patton once said that to defeat your enemy you must know your enemy, and this is true of hackers and how they attack your networks. If a security specialist can identify an attack, then at a minimum they can prevent it from happening again.
Consider the following:
April 26, 2002
The Federal Aviation Administration was hacked and unpublished information on airport passenger screening activities was downloaded. The group known as "The Deceptive Duo" also publicly defaced the FAA site used by the Civil Aviation Security organization. They used information extracted from the database to post the name of the FAA inspector, the screener ID number, the number of passengers screened, and any guns, explosives or chemicals found. The duo gave this warning as their reason for the attack: "secure your systems before a foreign attacker hacks you."
November 21, 2001
Playboy.com was hacked and credit card numbers were stolen. The attacker e-mailed all of the customers claiming responsibility for the attack and provided each customer with his/her credit card number as proof.
June 3, 2001
Intruders hacked Amazon.com and downloaded a database of 98,000 accounts including customer records, credit card information, names and addresses.
January 24, 2001
Microsoft's online services were disabled by a supposed Denial of Service attack. Further investigation by a Swedish network administrator revealed that all of Microsoft's DNS servers were behind a single network, so the outage was the result of poor network design.
September 11, 2000
Western Union Web site was hacked. Hackers made off with 15,700 credit and debit card numbers. [10]
As Figure 2.1 shows, attacks and attack tools have grown greatly in sophistication. The tools have also been automated, so the skill needed to use them and to launch attacks has decreased. [67]
Figure 2.1 - The evolution of attack sophistication [67]
Attacks on the security of a computer system or network are best characterized by viewing the function of the computer system as providing information. In general there is a flow of information from a source, such as a file or a region of main memory, to a destination, such as another file or a user. This normal flow is depicted in Figure 2.2; the remaining parts of the figure show the following four categories of attack.
* Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability.
* Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer.
* Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity.
* Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. [70]
Figure 2.2 Security Threats [70]
2.1 Interruption
Any attack that breaks the communication between two or more computers falls under this category, Interruption. An attacker launches this kind of attack to make system resources and services unavailable to legitimate users.
2.1.1 Denial of Service
"The prevention of authorized access to a system resource or the delaying of system operations and functions". [65]
A DoS attack can be described as an attack designed to render a computer or network incapable of providing normal services. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. These attacks don't necessarily damage data directly or permanently, but they intentionally compromise the availability of the resources.
The most common DoS attacks target a computer network's bandwidth or connectivity.
Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through, resulting in degraded productivity. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed and the computer can no longer process legitimate user requests [18].
Today many kinds of DoS attack take place, causing damage to our networks and computers; some of them are Ping of Death, Teardrop, Land Attack, SYN Flood, Smurf Attack and DDoS attack. I will discuss each attack briefly to give some understanding of how these attacks work.
Ping of Death
"An attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash". [65]
Ping of Death and variants such as "Teardrop", "Bonk", "Nestea", and similar attacks exploit bugs in the TCP/IP implementations of various computer and host systems. Ping of Death attacks exploit weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Ping of Death program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot [19].
Land Attack
In a LAND attack, hackers send one or more SYN packets into the network with a spoofed source IP address equal to that of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself [19].
TCP SYN Flood
"A denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle". [65]
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.
The TCP SYN flood attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or nonexistent host, the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services such as e-mail, file transfer, or WWW to legitimate users. There is no easy way to trace the originator of the attack because the IP address of the source is forged [20].
Figure 2.3 - TCP SYN Flood [17]
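The queue behaviour described above can be checked from connection records on the defender's side. The following is an added example, not code from the thesis: it replays constructed handshake events (a SYN opens a half-open entry, the client's ACK closes it, entries expire after the timeout) and reports destinations whose backlog exceeds a limit, together with how many distinct source addresses are behind it, since random spoofed sources are the hallmark the text describes. The record layout, `QUEUE_LIMIT` and the sample addresses are assumptions.

```python
"""Report TCP SYN flooding from constructed connection-event records.

Each record is (time_seconds, src_ip, dst_ip, src_port, flags) with flags
"S" for a client SYN and "A" for the client's final handshake ACK. A
destination whose half-open entries (SYN seen, no ACK yet) exceed the
queue limit inside the timeout window is reported; many distinct source
addresses among those entries indicates random spoofed sources.
"""
from collections import defaultdict

SYN_TIMEOUT = 60.0   # seconds an entry stays queued (the text: about one minute)
QUEUE_LIMIT = 5      # constructed: a small backlog so the sample trips it


def half_open_report(events, limit=QUEUE_LIMIT, timeout=SYN_TIMEOUT):
    """Return {dst_ip: (max_backlog, max_distinct_sources)} for flooded destinations."""
    pending = defaultdict(dict)   # dst_ip -> {(src_ip, src_port): syn_time}
    worst = {}
    for t, src, dst, port, flags in sorted(events):
        queue = pending[dst]
        # drop entries whose retransmission timer has expired
        for key in [k for k, ts in queue.items() if t - ts > timeout]:
            del queue[key]
        if flags == "S":
            queue[(src, port)] = t            # new half-open connection
        elif flags == "A":
            queue.pop((src, port), None)      # handshake completed, entry leaves the queue
        if len(queue) > limit:
            sources = {s for s, _ in queue}
            prev = worst.get(dst, (0, 0))
            worst[dst] = (max(prev[0], len(queue)), max(prev[1], len(sources)))
    return worst


# constructed sample: two legitimate clients complete the handshake within
# milliseconds, then twenty SYNs arrive from twenty different addresses and
# none of them is ever acknowledged.
SAMPLE = [
    (0.00, "10.0.0.5", "10.0.0.80", 40000, "S"),
    (0.01, "10.0.0.5", "10.0.0.80", 40000, "A"),
    (1.00, "10.0.0.6", "10.0.0.80", 40001, "S"),
    (1.02, "10.0.0.6", "10.0.0.80", 40001, "A"),
]
SAMPLE += [(5.0 + i * 0.1, f"203.0.113.{i}", "10.0.0.80", 1024 + i, "S")
           for i in range(20)]

if __name__ == "__main__":
    print(half_open_report(SAMPLE))   # {'10.0.0.80': (20, 20)}
```

A real monitor would read the same events from a sensor or firewall log; the limit should match the target's actual backlog size.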
Smurf Attack
A SMURF attack is one example of a DoS attack; it exploits a router's failure to limit or prevent IP broadcasts, so the router becomes an amplifier. A perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the victim. The echo requests are broadcast to the network, and most hosts within the network reply, multiplying the responses to the spoofed source address (the victim). "Fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets, is a re-write of "SMURF" [19].
Figure 2.4 - Smurf Attack
DDoS Attack
There are several steps in preparing and conducting a DDoS attack:
* Recruitment: The attacker chooses one or several machines on the Internet that will perform the attack. Those machines, usually called agents, need to have some vulnerability that the attacker will use to gain access to them.
* Compromise: The attacker gains access (usually as a root) to agent machines by exploiting security holes and plants the attack code. He further takes steps to protect the code from discovery.
* Communication: Agents report their readiness to the attacker via handlers, compromised machines that will be used to control the attack. In the early DDoS days, the IP addresses of handlers were hard coded in the attack code, and handlers stored encrypted information about available agents in a file. Thus the discovery of a single machine in a DDoS network revealed all other participants. More recently, Internet Relay Chat (IRC) channels have been used for communication. The IRC server tracks the addresses of connected agents and handlers and facilitates communication between them. The discovery of a single participant leads to discovery of the communication channel, but the other participants' identities are protected.
* Attack: The attackers usually command the onset of attacks via handlers and communication channels to the agents. The target, duration and features of the attack packets such as type, length, TTL, port numbers, etc., can be customized [21].
Figure 2.5 - Architecture of DDoS Attack [18]
Tools: Trin00, TFN, Stacheldraht, Shaft, TFN2K and Trinity v3 are some of the automated tools freely available on the Internet.
2.1.2 Viruses, Trojan and Worm
Viruses, worms, and Trojan horses are types of malicious computer programs designed to do damage to individual computers and/or entire networks or to use that computer in an unauthorized way. There are many forms of malicious software like viruses, Worms and Trojans [27].
Viruses
"A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting--i.e., inserting a copy of itself into and becoming part of another program. A virus cannot run by itself; it requires that its host program be run to make the virus active". [65]
A computer virus is a small computer program that is embedded in a larger, legitimate program. The virus is designed so that when a user executes the legitimate program, the virus executes first, and when it's finished doing whatever it was put together to do, the original program runs, without the user ever being aware that a virus was put into play. A virus's primary task is to make a copy of itself by infecting another program, but viruses often perform other tasks, from displaying obnoxious messages to damaging or destroying information on the computer's storage media.
Trojan horse
"A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program".[65]
A Trojan horse is "a seemingly useful computer program that contains concealed instructions which when activated performs an illicit or malicious action (as destroying data files); also: the concealed instructions of such a program." Trojan horses have no means of replicating themselves automatically. They rely on people choosing to install them, or they can be installed by intruders who have gained unauthorized access to a computer or network by other means. An intruder who is attempting to subvert a system by using a Trojan horse relies on other people inadvertently running the Trojan horse [28].
Worms
"A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively". [65]
A worm is defined as "a usually small self-contained computer program that invades computers on a network and usually performs a malicious action." A copy of the worm scans the network for another computer that has a specific security hole. It copies itself to the new computer using the security hole, and then starts replicating from there as well. A worm can expand from a single copy incredibly quickly. Worms can be more insidious than viruses because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. This means that computer worms spread much more rapidly than computer viruses [28].
2.2 Interception
A threat action whereby an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations. This includes:
Theft: Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data.
Wiretapping: Monitoring and recording of data that is flowing between two points in a communication system.
Emanations analysis: Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data. [65]
2.2.1 Sniffing
A sniffer is a program or a device that eavesdrops on network traffic by grabbing information traveling over a network. Sniffers are basically "Data Interception" technology [12]. A sniffer could be attached to your network anywhere, monitoring packets as they travel in and out of your network. Packet sniffers are a simple but invaluable tool for anyone wishing to gather information about a network or computer. For the attacker, packet sniffers provide a way to glean information about the host or person they wish to attack, and even to gain access to unauthorized information.
Traditional packet sniffers work by putting the attacker's Ethernet card into promiscuous mode. An Ethernet card in promiscuous mode accepts all traffic from the network, even when a packet is not addressed to it. This means the attacker can gain access to any packet that is traversing the network they are on. By gathering enough of the right packets the attacker can gain information such as login names and passwords.
Figure 2.6 - Sniffing Attack
Other information can also be gathered, such as MAC and IP addresses and what services and operating systems are being run on specific hosts. This form of attack is very passive. The attacker is not sending any packets out; they are only listening to packets on the network. The obvious solution to the problem with plaintext protocols is to change to an encrypted protocol.
There are a few attacks which can be carried out through sniffing: ARP cache poisoning, CAM table flooding, and switch port stealing. Each attack will be explained briefly.
ARP Cache Poisoning
This attack uses Address Resolution Protocol (ARP) spoofing to sniff traffic between hosts. ARP spoofing is possible because of the exploitation of gratuitous ARP. Gratuitous ARP is when an ARP reply is sent without first receiving an ARP request. The attack starts by having the attacker send a forged gratuitous ARP packet with host B's IP address and the attacker's MAC address to host A. The attacker also sends a forged gratuitous ARP packet with host A's IP address and the attacker's MAC address to host B. Now, all of host A's and host B's traffic will go to the attacker, where it can be sniffed, instead of directly to each other.
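The three symptoms a monitor on the segment can look for are the ones the paragraph implies: a reply that answers no request, an IP address whose MAC binding changes, and one MAC address answering for more than one IP (the attacker claiming both A's and B's addresses). The following is an added example, not code from the thesis; it replays constructed ARP frames, and the frame layout and the sample addresses are assumptions.

```python
"""Flag ARP cache poisoning from constructed ARP frames seen on a segment.

Each frame is a dict with op ("request" or "reply"), sender_ip, sender_mac
and target_ip. Three indicators are reported: a reply with no pending
request for that IP (gratuitous or unsolicited), an IP whose learned MAC
binding changed, and a single MAC claiming more than one IP.
"""


def analyse_arp(frames):
    """Return (learned ip->mac bindings, list of (alert, subject, detail))."""
    bindings = {}      # ip -> mac learned from replies
    pending = set()    # IPs for which a request was seen and not yet answered
    claims = {}        # mac -> set of IPs it has answered for
    alerts = []
    for f in frames:
        if f["op"] == "request":
            pending.add(f["target_ip"])
            continue
        ip, mac = f["sender_ip"], f["sender_mac"]
        if ip in pending:
            pending.discard(ip)                    # ordinary answer to a request
        else:
            alerts.append(("unsolicited_reply", ip, mac))
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(("binding_changed", ip, f"{old}->{mac}"))
        bindings[ip] = mac
        owned = claims.setdefault(mac, set())
        if ip not in owned:
            owned.add(ip)
            if len(owned) > 1:
                alerts.append(("mac_claims_many_ips", mac, tuple(sorted(owned))))
    return bindings, alerts


# constructed sample: A (10.0.0.1) and B (10.0.0.2) resolve each other
# normally, then the attacker's MAC is announced for both addresses.
A, B, ATTACKER = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    {"op": "request", "sender_ip": "10.0.0.1", "sender_mac": A, "target_ip": "10.0.0.2"},
    {"op": "reply",   "sender_ip": "10.0.0.2", "sender_mac": B, "target_ip": "10.0.0.1"},
    {"op": "request", "sender_ip": "10.0.0.2", "sender_mac": B, "target_ip": "10.0.0.1"},
    {"op": "reply",   "sender_ip": "10.0.0.1", "sender_mac": A, "target_ip": "10.0.0.2"},
    # forged gratuitous replies: "10.0.0.2 is at cc" to A, "10.0.0.1 is at cc" to B
    {"op": "reply",   "sender_ip": "10.0.0.2", "sender_mac": ATTACKER, "target_ip": "10.0.0.1"},
    {"op": "reply",   "sender_ip": "10.0.0.1", "sender_mac": ATTACKER, "target_ip": "10.0.0.2"},
]

if __name__ == "__main__":
    for alert in analyse_arp(SAMPLE_FRAMES)[1]:
        print(alert)
```

A binding change on its own also happens legitimately (a replaced network card, a failover address moving between hosts), so in practice the unsolicited-reply and multiple-IP indicators are what distinguish poisoning from normal churn.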
CAM table Flooding
This attack uses MAC flooding to sniff traffic on the local area network. It is done by flooding the Content Addressable Memory (CAM) table. CAM tables store information like MAC addresses, and switch port, along with their VLAN information. CAM tables have fixed sizes, so they can only store a certain number of entries. The user wanting to sniff the traffic floods the switch with MAC addresses until the CAM table is full, at which point the switch starts to broadcast the traffic.
The attack starts by having the attacker flood the network with forged gratuitous ARP packets, each containing a unique source MAC address. This causes some switches to go into a hub-like mode, forwarding all traffic to all ports. What happens is that once the CAM table is full, traffic without a CAM entry floods on the local VLAN. Already existing traffic with existing entries in the CAM table will not be forwarded out on all of the ports. Now, with the traffic being broadcast to everyone, there will be no trouble sniffing it.
Stealing port
The attack starts by having the attacker flood the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. The flooding process described here is different from the flooding process used in CAM table flooding. Since the destination MAC address of each flooding packet is the attacker's MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network. Now, a race condition exists because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker's switch port and not the target host. The attacker has now stolen the target host's switch port. When a packet arrives at the attacker, the attacker performs an ARP request asking for the target host's IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target host's switch port has been restored to its original binding. Now, the attacker can sniff the packet, then forward it to the target host and restart the flooding process while waiting for new packets [13].
Tools: Dsniff, Ettercap and TCPDump are some UNIX-based sniffers. Sniffer Basic, BUTTsniff and WinDump are some Windows-based sniffers.
2.3 Modification
This happens when an attacker changes data in transit as it travels to the destination, providing wrong information in order to compromise the system.
2.3.1 Hijacking
Hijacking is based on a marriage of sniffing and spoofing. When a user has an established interactive login session with a machine, using telnet, rlogin, FTP, and so on, an attacker can use a session hijacking tool to steal the session from the user. When most hijack victims notice that their login session has disappeared, they often just assume it is network trouble. The users will likely just try to log in again, unaware that their session wasn't dropped; it was stolen [6].
The attack which can be carried out through hijacking is called TCP session hijacking, where the attacker tries to steal an established session from the user and then impersonates him or her. This type of attack is also known as a Man in the Middle attack.
TCP Session Hijacking
It is necessary for the attacker to sit between the two hosts that are having a conversation, so the attacker can easily obtain the correct sequence number by sniffing the packets. All the attacker has to do is insert their commands into a spoofed TCP data segment. The server will reassemble the TCP segments into command strings which will then be executed as though the legitimate user had typed them. The only evidence of this attack is that the legitimate user's Telnet session hangs because it never receives confirmation of the segments it sends, and will simply continue to resend them. After a few seconds the user will probably attribute the inactivity to "Murphy's Law" and begin a new session. The figure below gives a broader view of how this attack can be done [17].
Figure 2.7 - TCP Hijacking
Tools: Hunt, Juggernaut, IP Watcher, TTYWatcher and TTYSnoop are the most popular tools for hijacking TCP sessions.
2.4 Fabrication
A fabrication attack takes place when the attacker creates data themselves in order to exploit the services of the computer.
2.4.1 Spoofing
In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system [14].
Spoofing is all about impersonating someone else who is a trusted user. It can be done in many forms, such as IP spoofing, DNS spoofing, web spoofing and ARP spoofing. ARP spoofing has already been discussed in this chapter, so I will confine my discussion to the other spoofing methods.
IP Spoofing
IP spoofing is the creation of IP packets using somebody else's IP source address. Again we take the example of Alice and Bob. Alice and Bob trust each other completely and both are allowed to communicate without any authentication. Bob is the ultimate target and the attacker wants to interact with Bob while pretending to be Alice. The attacker starts the attack by opening a connection with Bob, sending the first part of the three-way handshake, a TCP SYN packet, to Bob with a source address of Alice. As the attacker sends the TCP SYN packet to Bob, the attacker also launches a denial-of-service attack against Alice, such as a SYN flood or smurf attack. Alice is now dead for a period of time. This prevents Alice from sending a RESET packet and dropping the spoofed TCP connection. After receiving the spoofed SYN packet, Bob will respond to it by sending an ACK and SYN+1 packet to Alice, who is dead because of the DoS attack and cannot respond. Now the attacker must predict the ISN that will be used to send to Bob to complete the three-way handshake and open the connection between them.
Figure 2.8 - IP Spoofing Attack [16]
DNS Spoofing
DNS spoofing is best described as a DNS name server making use of false information received from a host that is not the authority for that information. DNS spoofing can allow attackers to access a site's e-mail, and it can cause users to be redirected to the wrong web sites. For instance, www.abc.com is an online bank and a user wants to visit the site. The attacker could set up a fake DNS server which redirects the user to his machine (www.xyz.com), where the attacker has set up an interface that looks the same as the legitimate bank web site. This way the attacker could get the user ID and password and other useful information [15]. The figure below shows the complete process of how DNS spoofing can be done.
Figure 2.9 - DNS Spoofing Attack
Web Spoofing
As with the other forms of spoofing Web or Hyperlink spoofing provides victims with false information. Web Spoofing is an attack that allows someone to view and modify all web pages sent to a victim's machine. They are able to observe any information that is entered into forms by the victim. This can be of particular danger due to the nature of information entered into forms, such as addresses, credit card numbers, bank account numbers, and the passwords that access these accounts [16].
The attack can be implemented using JavaScript and Web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim (such as clicking on a link or filling in a form) are logged by the attacker [16].
Figure 2.10 - Web Spoofing Attack [68]
Tools: Dsniff, Hunt for UNIX.
2.4.2 War Dialing
War Dialer is "A computer program that automatically dials a series of telephone numbers to find lines connected to computer systems, and catalogs those numbers so that a cracker can try to break into the systems". [65]
This is an old hacking technique where a hacker breaks into a network by calling phone numbers in the hopes of hitting an unsecured modem the target has accidentally left active or forgotten. Automated programs enable hackers to dial thousands of numbers in a matter of moments. The technique almost always works and is one of the tests ethical hackers run that usually turns up an intrusion alert. [22]
Tools: PhoneSweep from Sandstorm; the popular choices for hackers are ToneLoc and THC-Scan.
2.4.3 Social Engineering
"A euphemism for non-technical or low-technology means--such as lies, impersonation, tricks, bribes, blackmail, and threats--used to attack information systems". [65]
The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals [23].
Human nature is the social engineer's greatest exploit. As part of human nature, people generally trust easily and get satisfaction out of helping those in need.
Social engineers often use a direct approach to gain the information they need for an attack by simply calling and asking for information. Often the attacker will use a series of calls to multiple individuals to gather the information and/or access needed to cause damage [24].
For example, the attacker impersonates a person with authority. He places a call to the help desk, pretends to be a senior manager, and says that he has forgotten his password and needs to get it reset right away. The help desk person resets the password and gives the new password to the person waiting at the other end of the phone. At the very least, the individual can now access the personnel systems as if he were the manager, and obtain the Social Security numbers and other confidential/private information of several employees. He could of course do more damage to the network itself since he now has access to it [25].
2.4.4 Brute force
"A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one". [65]
Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies. Just as a criminal might break into, or "crack" a safe by trying many possible combinations, a brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered to be an infallible, although time-consuming, approach [26].
Tools: L0phtcrack from L0pht Heavy Industries, John the ripper, brutus and so on.
2.4.5 Buffer Overflow
Most of the exploits based on buffer overflows aim at forcing the execution of malicious code, mainly in order to provide a root shell to the user. The principle is quite simple: malicious instructions are stored in a buffer, which is overflowed to allow an unexpected use of the process, by altering various memory sections [29]. Buffer overflows can be exploited through stack overflows or heap overflows.
Stack Overflow
A buffer overflow attack takes advantage of poorly implemented program functions that move data to and from system memory addresses. The most common type of buffer overflow attack exploits insufficient boundary checking around data input or manipulation within a program. Without proper boundary checking within a program, attackers can create strings that are longer than the intended input length and redirect the program's response so it returns to a specific memory address where the attacker's own program instructions have been placed.
Think of a memory buffer as being similar to water in a bucket. A bucket can hold water, but if you pour too much water in, it will spill out of the bucket and onto the floor.
Much like a bucket of water, a buffer in memory is designed to hold only a certain amount of information. If you try to place more characters in the buffer than what was originally intended, the extra information will spill over into other buffers in memory. This process of overflowing memory buffers has been called "smashing the stack" [30].
Figure 2.11 - Stack Overflow [30]
Heap Overflow
A heap is memory that has been dynamically allocated. This memory is logically separate from the memory allocated for the stack and code. Heaps are generally used because the size of memory needed by the program is not known ahead of time, or is larger than the stack.
A "heap-smashing" overflow exploits the area in memory that is dynamically allocated by the application, whereas the data section is initialized at compile time. During a stack buffer overflow, you take control by overwriting the return address. However, in a heap buffer overflow there is no return address. malloc() returns a pointer to a block of the size the caller requests and, right before the data returned to the caller, stores information about where the next free block is (which free() uses). Therefore, by "overflowing" into the free-space bookkeeping, we are then able to run arbitrary shell code, thus giving us access [31].
Figure 2.12 - Heap Overflow [31]
Tools: There are many sites on Internet from where anyone could download buffer overflow exploits for any operating system and program.
2.5 Summary
Several possible attacks can be deployed to compromise your network or system. Sniffing is a common attack technique that gathers information from the local LAN, which could include user IDs, passwords, e-mail etc. Passive sniffers gather traffic from the LAN without trying to manipulate the flow of data on the network. Active sniffing involves injecting traffic into the network to redirect packets to the sniffing machine, through ARP spoofing or by injecting spurious DNS responses into the network.
IP address spoofing allows attackers to send traffic that appears to come from a machine with another IP address. This type of attack is useful in creating decoys, bypassing filtering, and gaining access to systems that use IP addresses for authentication. An attacker can impersonate a legitimate user and do damage to the victim machine.
Session hijacking techniques allow an attacker to grab an active session, such as FTP or telnet, from a legitimate user. The attacker steals the session, and can enter commands and view the results. Session hijacking techniques can be employed across the network or at an individual host.
Denial of Service (DoS) attacks do not let an attacker gain access to a system; they let an attacker prevent legitimate users from accessing the system. An attacker could prevent users from accessing the services they need either by crashing the service or system or by exhausting resources. There are many kinds of DoS attack which can be launched to stop services, such as SYN flooding, Smurf attacks, DDoS etc.
Unsecured modems are one of the easiest ways into a target network. To locate such modems, attackers employ war dialing, a technique that dials telephone number after telephone number looking for modem carrier tones. After discovering modems, attackers look for systems without passwords, or machines with easily guessed passwords.
Password attacks are also very common. Attackers often try to guess default passwords for systems to gain access, by hand or through automated scripts. Password cracking involves taking the encrypted/hashed passwords from a system and using an automated tool to determine the original passwords.
Attackers make viruses, worms and Trojans to help them in their evil purpose, either to crash the system or network or to gain and maintain access for which they are not authorized. They use Trojans, backdoors, and RootKits to achieve their goals.
Stack based buffer overflows are among the most common and damaging of attacks today. They exploit software that is poorly written, allowing an attacker to enter data into programs to execute arbitrary commands on a target machine. When a program does not check the length of input supplied by a user before entering the input into memory space on the stack, a buffer overflow could result.
INTRUSION DETECTION SYSTEM
When most people think of network security, they think "Firewall". A firewall acts as an access control device by permitting specific protocols such as HTTP, DNS and SMTP to pass between a set of source and destination addresses. In general, firewalls do not inspect the entire content of the packet and can't detect or thwart malicious code embedded within normal traffic, whereas an IDS inspects the entire content of every packet traversing the network to detect malicious activity. Intrusion detection systems are effective when sophisticated attacks are embedded in familiar protocols, such as an HTTP session, which would normally pass undetected by a firewall. [32] Intrusion Detection Systems (IDS) are becoming more and more widely deployed to supplement the security provided by firewalls. An IDS functions in the digital world much the same way as a burglar alarm does in the physical world. [33]
Intrusion is the act of using a computer system or computer resources without the requisite privileges, causing willful or incidental damage. Intrusion detection involves identifying individuals or machines that perform or attempt intrusion. Intrusion Detection Systems (IDS) are computer programs that attempt to perform intrusion detection by studying the behavior of intruding processes, preferably in real-time. [34]
We can divide IDS into three categories:
* Network-based Intrusion Detection System (NIDS)
* Host-based Intrusion Detection System (HIDS)
* Hybrid Intrusion Detection System
3.1 Network Intrusion Detection (NIDS)
Network Intrusion Detection Systems use information gathered from a passive interface in promiscuous mode to detect attack patterns. NIDS, depending on placement within a network, can provide a great deal of network visibility and protect a substantial number of hosts with a single device and configuration. [33] This type monitors all network traffic passing on the segment where the sensor is installed, reacting to suspicious anomaly or signature-based activity. They analyze every packet for attack signatures, though under heavy network load many will start to drop packets. [35]
A NIDS can detect attacks through one of two methods, either signature matching or abnormality detection. The signature matching method works very similarly to today's virus scanners. Each attack has a signature of how it is carried out. When that signature is witnessed on the network the NIDS generates an alarm. With abnormality detection, a NIDS establishes a baseline of the network traffic that is considered normal. It then alarms when conditions are not normal. Abnormality detection NIDS are not as commonly deployed as signature-based ones because of the large amount of time needed to establish the baseline and their initially high rate of false positives. [33] A false positive occurs when the IDS alerts the appropriate personnel about network traffic that is not malicious.
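Both methods, and the false-positive problem of a hastily built baseline, can be shown side by side. The following is an added example and not code from the thesis or from Snort: the signature matcher looks for known byte patterns in constructed payloads, and the abnormality detector learns a mean and standard deviation of packets per interval from a training period and alarms on intervals above mean + k standard deviations. The rules, the payloads and the rate series are constructed.

```python
"""Signature matching versus abnormality detection on constructed traffic.

Signature mode looks for known byte patterns in packet payloads, as a
virus scanner does. Abnormality mode learns a baseline of packets per
interval from a training period and alarms when an interval exceeds
mean + k standard deviations. The second rate series shows the false
positives that a short, unrepresentative baseline produces.
"""
import statistics

# constructed signature rules: (rule name, byte pattern that must appear in the payload)
SIGNATURES = [
    ("shell_in_request", b"/bin/sh"),
    ("directory_traversal", b"../.."),
]


def signature_alerts(packets):
    """packets: list of (packet_id, payload bytes). Returns [(packet_id, rule_name)]."""
    return [(pid, name)
            for pid, payload in packets
            for name, pattern in SIGNATURES
            if pattern in payload]


def anomaly_alerts(rates, training_intervals, k=3.0):
    """rates: packets per interval. The first training_intervals values form
    the baseline; later intervals above mean + k*stddev are returned."""
    baseline = rates[:training_intervals]
    mean = statistics.mean(baseline)
    stddev = statistics.pstdev(baseline)   # population deviation of the baseline
    threshold = mean + k * stddev
    return [i for i, r in enumerate(rates)
            if i >= training_intervals and r > threshold]


# constructed packets: ordinary HTTP requests plus two that match a rule
SAMPLE_PACKETS = [
    (1, b"GET /index.html HTTP/1.0"),
    (2, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    (3, b"GET /images/logo.gif HTTP/1.0"),
    (4, b"POST /upload HTTP/1.0\r\n\r\ncmd=/bin/sh -c id"),
]
# constructed packets-per-interval counts: a quiet baseline, then one burst
SAMPLE_RATES = [10, 12, 11, 10, 12, 11, 30, 12]
# constructed series with only two training intervals: the ordinary value 11
# at index 2 is flagged alongside the real burst at index 4
SHORT_BASELINE_RATES = [10, 10, 11, 10, 30]

if __name__ == "__main__":
    print(signature_alerts(SAMPLE_PACKETS))          # [(2, 'directory_traversal'), (4, 'shell_in_request')]
    print(anomaly_alerts(SAMPLE_RATES, 5))           # [6]
    print(anomaly_alerts(SHORT_BASELINE_RATES, 2))   # [2, 4]
```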
Architecture
Network-based intrusion detection systems consist of sensors deployed throughout a network that report to a central console. Sensors are usually self-contained detection engines that obtain network packets, search for pattern of misuse, and then report alarms to a central command console. There are two types of architectures: traditional sensor architecture and distributed network node. Traditional sensor-based architectures are also known as promiscuous mode network intrusion detection systems, or network taps.
Network-node systems place an agent on each computer in the network to monitor only the traffic bound for that individual target, while sensor-based systems monitor a whole network segment. Sensor-based systems are not widely distributed because there are relatively few segments to monitor, while network-node systems are widely distributed onto every mission-critical target. [36]
Traditional Sensor-Based Architecture
A sensor, usually an Ethernet chip set to promiscuous mode, is used to "sniff" packets off the network, where they are fed into a detection engine, typically on the sensor machine itself. Taps are distributed to the various mission-critical segments of the network, usually one per segment. A central console is used to correlate alarms from multiple sensors. We can follow the lifecycle of a network packet through the system shown in the figure below.
1. A network packet is born. This takes place when one computer communicates with another computer.
2. The packet is read in real-time off the network through a sensor that lies on a network segment somewhere between the two communicating computers. The sensor is usually a stand-alone machine or network device.
3. A sensor-resident detection engine is used to identify predefined patterns of misuse. When a pattern is detected an alert is generated and forwarded to the central console.
Figure 3.1 - A Standard Network Intrusion Detection Architecture [36]
4. The security officer is notified. This can be done through audible, visual, pager, e-mail, SNMP, or any other number of different methods.
5. A response is generated. The response subsystem matches alerts to predefined responses or can take direction from the security officer to execute a response. Responses include actions such as reconfiguring the router or firewall to refuse traffic from a particular source address.
6. The alert is stored for later review and correlation.
7. Reports are generated summarizing alert activity.
8. Data forensics is used to look for long-term trends. Some systems allow archiving of the original traffic to replay sessions.
Distributed Network-Node Architecture
In network-node architecture intrusion detection each sensor is concerned only with packets directed at the target on which it resides. The sensors then communicate with each other and the main console to aggregate and correlate alarms. An agent is used to read packets off the TCP/IP stack at a layer where the packets have been reassembled. The packet is fed into a detection engine located on the target machine. Network-node agents communicate with each other on the network to correlate alarms at the console.
Figure 3.2 - A Distributed Network-Based/Host Resident Intrusion Detection Architecture [36]
1. A network packet is born.
2. The packet is read in real-time off the network through a sensor resident on the destination machine.
3. A detection engine is used to identify predefined patterns of misuse. When a pattern is detected an alert is generated and forwarded to a central console or to other sensors in the network.
4. The security officer is notified.
5. A response is generated.
6. The alert is stored for later review and correlation.
7. Reports are generated summarizing alert activity.
8. Data forensics is used to look for long-term trends.
Advantages:
* For small and medium-sized networks one NIDS should be enough to monitor the network; for bigger networks two or more NIDS may need to be deployed.
* Real-time detection and alerting. Since many hackers follow a pattern when attacking a network, you may be able to detect and stop the attack in real time.
* A NIDS will not consume your precious system resources if you have a dedicated system for it.
* NIDS function at the network layer and because of that they are able to detect low-level attacks such as ARP spoofing. [42]
Disadvantages:
* Some NIDS do not make sense of higher-level protocols such as HTTP. NIDS are, however, greatly challenged by encryption.
* Tend to produce more false alerts than HIDS.
* Some network cards do not support promiscuous mode.
* Most current NIDS do not function well on high-speed networks such as Gigabit Ethernet. [42]
Tools: RealSecure from Internet Security Systems (www.iss.net), Cisco NetRanger, Snort (www.snort.org)
3.2 Host Intrusion Detection System (HIDS)
This kind of IDS monitors system and event logs from multiple sources for suspicious activity. Host-based IDSs are best placed to detect computer misuse from trusted insiders and those who have infiltrated your network evading traditional methods of detection. [35] Host Intrusion Detection Systems are software installed on the local system. Typical HIDS are very similar to virus protection software. They look for activity that matches a known attack signature and either allow the activity or prevent it. Some HIDS depend on abnormality detection, where current activity is compared against a baseline, with anything that is not part of the baseline causing an alert. HIDS are designed to be installed on individual servers and workstations that you wish to protect. The HIDS software can be implemented at various levels. Some work by monitoring the host for critical files that should not change and alerting appropriate personnel if they change. Other HIDS monitor the network connections, general input strings and system memory for signatures, similar to signature-based NIDS, but only for the machine on which they are installed. [33]
Host based IDS have grown to include other technologies. One popular method for detecting intrusions checks key system files and executables via checksums at regular intervals for unexpected changes. [37]
Architecture
Host-based intrusion detection systems are usually agent based. Agents are small executables that run on the target system and communicate with a central control computer, also known as the command console. Properly managed, these agents will not cause significant performance degradation on the targets, but they do have attendant problems with deployment and support because they are massively distributed. HIDS can be deployed in two forms, centralized host-based and distributed host-based. The difference between the two is that in the centralized form the raw data is forwarded to a central location before it is analyzed, whereas in the distributed form the raw data is analyzed in real time on the target first and only alerts are forwarded to the command console.
Centralized Host-Based
In the centralized architecture, data is forwarded to an analysis engine running on a machine different from the target. We can follow an event record through its lifecycle in this type of architecture using figure below.
Figure 3.3 - A Centralized Host-based Intrusion Detection Architecture [36]
1. An event record is created. This occurs when an action takes place, such as a file open or program execution. The record is written into a file that is usually, and preferably, protected by the operating system's trusted computing base (TCB).
2. The target agent centralizes the file to the command console. This happens at predetermined time intervals over a secure communications link.
3. The detection engine, configured to match patterns of misuse, processes the file. Data records are parsed in their raw, or original, format.
4. A log is created that acts as a data archive for all the raw data used in a prosecution.
5. An alert is generated. When a predefined pattern is observed, such as access to a mission-critical file, an alert is forwarded to a number of different subsystems for notification, response and storage.
6. The security officer is notified.
7. A response is generated.
8. The alert is stored. The storage is usually a relational database. Some systems store statistical data as well as alerts.
9. The raw data is moved to a raw data archive. This archive is rolled over periodically to reduce the amount of disk space used.
10. Reports are generated. Reports can be generated summarizing alert activity. These reports can have a user, target, or enterprise perspective for data forensics.
Distributed Real-time Host-based
The lifecycle of an event through a distributed real-time architecture is similar except that the record itself is discarded after the target resident detection engine analyzes it.
1. An event is born.
2. The file is read in real-time and processed through a target resident detection engine. The range of detection is limited to a single target in this architecture.
3. The security officer is notified.
4. A response is generated. The response may be generated from the target or console depending on the architecture.
5. An alert is generated and sent to a central console.
6. The alert is stored. Statistical behavioral data beyond the alerts themselves is not usually available in this architecture.
7. Data forensics is used to look for long-term trends. However, there is no raw data archive and usually no statistical data so this capability is usually very limited.
8. Reports are generated.
Figure 3.4 - A Distributed Real-Time Host-Based Intrusion Detection Architecture [36]
Advantages:
* Could cost less than a NIDS, as a HIDS does not require any dedicated hardware.
* Logs could offer more detail about the attack. A HIDS records every action the attacker takes on the system; HIDS, like honeypots, can even log the attacker's keystrokes.
* Produces fewer false negatives. A HIDS could detect attacks that might appear normal to a NIDS.
* Can handle encrypted attacks.
* Detects what happens to your system after the attack.
* Works well with mobile devices such as laptops. [42]
Disadvantages:
* Only detects attacks after they have occurred.
* Could be disabled by a talented attacker. If the attacker compromises your system, he might be able to disable or alter the logs, so the HIDS would become untrustworthy.
* Produces some CPU overhead; this is troublesome if you need every bit of your CPU's capacity.
* HIDS are not available for every OS. Because of the way they work, HIDS tend to be OS-specific, especially the log-monitoring HIDS.
* Each system that you need to monitor must have a HIDS installed on it. This might lead to a higher cost on a large network.
* If the IDS has no centralized logging capability, monitoring it becomes an administrator's nightmare.
* A HIDS cannot log attacks if it is turned off. If an attacker uses a denial of service (DoS) attack against your system and it goes down instantly, then the HIDS might not be able to detect anything. [42]
Tools: Tripwire is a file integrity assessment tool (www.tripwire.com)
3.3 Hybrid Intrusion Detection System
Modern switched networks have created a problem for intrusion detection operators. In a switched network the NIC may be running in promiscuous mode, but the traffic may still not be visible to it. Some switches will not allow it at all, making the installation of a traditional network IDS difficult. Furthermore, high network speeds mean that many of the packets could be dropped by a NIDS. A solution has arisen in the form of Hybrid IDSs, which take delegation of IDS to a host one stage further, combining Network IDS and Host IDS in a network. [35]
Both network and host-based IDS solutions have unique strengths and benefits that complement each other. Combining these two technologies will greatly improve network resistance to attacks and misuse, enhance the enforcement of security policy and introduce greater flexibility in deployment options. The graphic below illustrates how network and host-based intrusion detection techniques interact to create a more powerful network defense. Some events are detectable by network means only. Others are detectable only at the host. Several require both types of intrusion detection to function properly. [37]
Figure 3.5 - Hybrid based [37]
3.4 ID System Components
The functionality of an IDS can be logically distributed into three components: sensors, analyzers, and a user interface.
Sensors
Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Example types of input to a sensor are network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
Analyzers
Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.
User Interface
The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a "manager", "director", or "console" component. [66]
3.5 Intrusion Detection Methodology and Techniques
An IDS uses several methods to detect an attack. With the help of these methods the IDS recognizes the attack and raises an alarm:
* Signatures
* Anomaly Behavior
* Anomaly Protocol
3.5.1 Signature/Pattern Matching
Hackers often attack networks through tried and tested methods from previously successful assaults. These attacks have been analyzed by network security vendors and a detailed profile, or attack signature, has been created. Signature detection techniques identify network assaults by looking for the attack "fingerprint" within network traffic and matching against an internal database of known threats. Once an attack signature is identified, the security system delivers an attack response, in most cases a simple alarm or alert. Success in preventing these attacks depends on an up-to-the-minute database of attack signatures, compiled from previous strikes. The drawback to systems that rely mainly, or only, on signature detection is clear: they can only detect attacks for which there is a released signature. [32]
For a signature-based IDS to detect attacks, it must possess an attack description that can be matched to sensed attack manifestations. This can be as simple as a specific pattern that matches a portion of a network packet or as complex as a state machine or neural network description that maps multiple sensor outputs to abstract attack representations. If an appropriate abstraction can be found, signature-based systems can identify previously unseen attacks that are abstractly equivalent to known patterns. They are inherently unable to detect truly novel attacks and suffer from false alarms when signatures match both intrusive and non-intrusive sensor outputs. Signatures can be developed in a variety of ways, from hand translation of attack manifestations to automatic training or learning using labeled sensor data. Because a given signature is associated with a known attack abstraction, it is relatively easy for a signature-based detector to assign names such as Smurf or Ping-of-death to attacks. [38]
Advantages:
* They are fast; if implemented correctly, they are able to detect intrusions faster than any other analysis method.
* Highly customizable. With some IDSs you will be able to make your own rules and delete those you do not want.
* The signature files are released often. [42]
Disadvantages:
* False positive: Signature files tend to be written generally, because if they were too specific an attacker could change some option or use a variant of the attack and the signature would no longer match, so the IDS would not detect it. A general signature, however, also matches traffic that is not the attack.
* False negative: if an attack has no written signature for your IDS and you did not bother to make one, then you have two options: 1) forget about it and follow the method of "security by obscurity", or 2) make a signature for your IDS yourself.
* Do not make sense of encrypted packets.
* Needs updating. If you do not constantly update your signature files, then variations or new attacks will not be detected by your IDS.
* Prone to Denial of Service attacks. [42]
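The signature method of section 3.1 and the false positive and false negative trade-off listed just above, as an added example for this page (not code from Snort or any vendor named here). The packets, the signature set and the "malicious" labels are all constructed: one signature is deliberately broad (a bare substring) and one deliberately narrow (case-sensitive), so that the same sample traffic produces both kinds of error and `evaluate()` counts them.

```python
import re

# Constructed signature database: (name, protocol, destination port, payload regex).
# First match wins, as in a rule-ordered engine.
SIGNATURES = [
    # Broad: matches any URL that merely starts with the phf path.
    ("WEB-CGI phf access (broad)", "tcp", 80, re.compile(rb"/cgi-bin/phf")),
    # Narrow: exact request line prefix, case-sensitive.
    ("WEB-CGI test-cgi access (narrow)", "tcp", 80, re.compile(rb"GET /cgi-bin/test-cgi ")),
    # Anchored to line start, case-insensitive.
    ("SMTP EXPN probe", "tcp", 25, re.compile(rb"^EXPN ", re.I | re.M)),
]


def match_signatures(pkt):
    """Return the name of the first signature the packet matches, or None."""
    for name, proto, dport, pattern in SIGNATURES:
        if pkt["proto"] == proto and pkt["dport"] == dport and pattern.search(pkt["payload"]):
            return name
    return None


def evaluate(samples):
    """samples: list of (packet, is_malicious). Counts how the signature set
    classifies each labelled packet; the labels are part of the constructed data."""
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for pkt, malicious in samples:
        alerted = match_signatures(pkt) is not None
        if alerted and malicious:
            counts["true_positive"] += 1
        elif alerted and not malicious:
            counts["false_positive"] += 1
        elif not alerted and malicious:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


def tcp(dport, payload, src="203.0.113.7", dst="192.0.2.10"):
    """Build a minimal decoded packet (documentation-range addresses, constructed)."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "payload": payload}


# Constructed sample traffic with ground-truth labels.
SAMPLES = [
    (tcp(80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"), True),        # known attack: true positive
    (tcp(80, b"GET /cgi-bin/phfbook/index.cgi HTTP/1.0\r\n"), False),  # benign page, broad signature fires: false positive
    (tcp(80, b"GET /cgi-bin/test-cgi HTTP/1.0\r\n"), True),            # exact form: true positive
    (tcp(80, b"GET /cgi-bin/TEST-CGI HTTP/1.0\r\n"), True),            # case variant, narrow signature misses: false negative
    (tcp(25, b"EXPN root\r\n"), True),                                 # true positive
    (tcp(25, b"MAIL FROM:<user@example.com>\r\n"), False),             # true negative
]


if __name__ == "__main__":
    for pkt, _ in SAMPLES:
        print(pkt["dport"], pkt["payload"][:24], "->", match_signatures(pkt))
    print(evaluate(SAMPLES))
```

Against these six packets the set scores three true positives, one false positive (the broad phf pattern) and one false negative (the case-sensitive test-cgi pattern), which is exactly the tension the two bullets above describe: widening a signature to survive variants raises the false positive rate, narrowing it raises the false negative rate.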
3.5.2 Anomaly Behavior
One of the main approaches of IDS, namely anomaly detection, is based on the assumption that an attack on a computer system will be noticeably different from normal system activity, and that an intruder will exhibit a pattern of behavior different from that of a normal user; this is also called statistical anomaly detection. Statistical anomaly detection is an IDS approach that looks for deviations from statistical measures to detect unusual behavior. A set of variables is defined for subjects and objects such as users, groups, workstations, servers, files, network adapters, and other resources. The baseline is established for each variable by looking at historical data or by declaring expected values. As system activities occur, a list of variables is maintained and updated for each subject or object of interest. For example, the IDS can keep track of the number of files read by an individual user over a given period of time. Variables often are combined mathematically with a weighting function to give a consolidated measure. In addition, the IDS watches for individual threshold conditions, such as three or more failed attempts to root. An intrusion is defined as any unacceptable deviation from expected values. [39]
Advantages:
* Could detect never before seen attack.
* Because they do not use signatures they are difficult to evade. [42]
Disadvantage:
* Anomaly-based detection assumes that every attack starts with scanning; this is not true, because an attacker could just try the most recent exploit on you.
* Configuring what is normal and what is not requires great knowledge about your network. It is also possible that if you misconfigure your IDS it would result in a great amount of false positives and false negatives. [42]
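The statistical anomaly approach of section 3.5.2, as an added example for this page rather than code from any IDS it cites. It follows the text's own illustration: a per-user baseline of "files read per hour" built from historical data, a deviation score against that baseline, and a separate hard threshold of three or more failed attempts to root. The history and observations are constructed; the user names and the z-score threshold are assumptions for the example.

```python
import statistics

# Constructed history: files read per hour by each user over eight past hours.
HISTORY = {
    "alice": [10, 12, 11, 9, 13, 11, 12, 10],
    "bob": [100, 110, 90, 105, 95, 100, 105, 95],
}

# Constructed observations for the current hour.
OBSERVED = {
    "alice": {"files_read": 40, "failed_root_logins": 0},
    "bob": {"files_read": 108, "failed_root_logins": 3},
}


def build_baseline(history):
    """Per subject: (mean, population standard deviation) of the historical variable."""
    return {subject: (statistics.mean(v), statistics.pstdev(v)) for subject, v in history.items()}


def z_score(baseline, subject, observed):
    """How many standard deviations the observation sits from the subject's mean."""
    mean, sd = baseline[subject]
    if sd == 0:  # constant history: any change at all is a deviation
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / sd


def detect(baseline, observations, z_threshold=3.0, root_fail_threshold=3):
    """Return (subject, reason, value) alerts.
    z_threshold is the 'unacceptable deviation'; root_fail_threshold is the
    individual threshold condition the text mentions."""
    alerts = []
    for subject, obs in observations.items():
        z = z_score(baseline, subject, obs["files_read"])
        if abs(z) > z_threshold:
            alerts.append((subject, "files_read far outside baseline", round(z, 1)))
        if obs["failed_root_logins"] >= root_fail_threshold:
            alerts.append((subject, "repeated failed attempts to root", obs["failed_root_logins"]))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for alert in detect(baseline, OBSERVED):
        print(alert)
    # Too tight a threshold turns bob's ordinary fluctuation into a false positive.
    print(detect(baseline, OBSERVED, z_threshold=1.0))
```

With the default threshold only alice's jump to 40 reads (about 24 standard deviations above her mean of 11) and bob's three failed root logins alert; bob's 108 reads is a little over one standard deviation from his mean and passes. Rerunning with `z_threshold=1.0` adds a third alert for bob's perfectly normal hour, which is the misconfiguration problem named in the last bullet above.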
3.5.3 Anomaly Protocol/Protocol Analysis
Protocol anomaly detection, which is sometimes called protocol analysis, is the ability to analyze packet flows to identify irregularities in the generally accepted Internet rules of communication. These rules are defined by open protocols and published standards (RFCs) as well as vendor-defined specifications for communication between networked devices. Through this technique intrusion detection systems can detect an attack if traffic violates the relevant protocol standard. This is very effective in detecting suspicious activity, such as a buffer-overflow attack. It can detect unknown and new attacks, based on the fact that these attacks deviate from protocol standards. [40]
Advantages:
* This method minimizes the chance for false positives if the protocol is well defined and enforced.
* This method can allow for direct correlation of an exploit.
* This method can be more broad and general to allow catching variations on a theme.
* This method reliably alerts on the violation of the protocol rules as defined.
Disadvantages:
* This method can lead to high false positive rates if the RFC is ambiguous and allows developers the discretion to interpret and implement as they see fit. These gray area protocol violations are very common.
* This method requires longer development times to properly implement the protocol parser. [75]
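A protocol analysis check for one HTTP request line, added here as an example for section 3.5.3 (it is not the parser of any IDS the page cites). It enforces the request-line grammar of RFC 7230 (method token, request-target, HTTP-version, CRLF) and flags the shapes the text associates with buffer-overflow attempts: an overlong or binary request-target. The `strict` switch shows the grey-area problem from the disadvantages list: the RFC tolerates a bare LF terminator, so reporting it is a policy choice that trades coverage for false positives. The request lines and the 2048-byte limit are constructed for the example.

```python
import re

# RFC 7230 "tchar" characters allowed in a method token.
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def analyze_request_line(line, max_target_len=2048, strict=False):
    """Return a list of protocol violations found in one raw HTTP request line.

    strict=True also reports deviations the RFC tolerates (grey areas), which
    raises sensitivity at the cost of false positives on lenient clients."""
    violations = []

    # Line terminator: CRLF is required; a bare LF is a documented grey area.
    if line.endswith(b"\r\n"):
        body = line[:-2]
    elif line.endswith(b"\n"):
        body = line[:-1]
        if strict:
            violations.append("bare LF line terminator (tolerated by RFC 7230)")
    else:
        body = line
        violations.append("request line not terminated")

    # The request line is US-ASCII; control or high bytes have no place in it.
    if any(c < 0x20 or c > 0x7E for c in body):
        violations.append("non-printable bytes in request line")

    parts = body.split(b" ")
    if len(parts) != 3:
        violations.append("request line is not 'method SP request-target SP HTTP-version'")
        return violations
    method, target, version = parts

    if not TOKEN_RE.match(method):
        violations.append("method is not a valid token")
    if not target:
        violations.append("empty request-target")
    if len(target) > max_target_len:
        violations.append("request-target exceeds %d bytes" % max_target_len)
    if not VERSION_RE.match(version):
        violations.append("malformed HTTP-version")
    return violations


# Constructed request lines exercising the checks above.
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n",
    b"GET /\x90\x90\x90\x90 HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\n",
    b"GET / HTTP/1.1 extra\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(raw[:40], analyze_request_line(raw), analyze_request_line(raw, strict=True))
```

The first line is clean, the next two are flagged for length and for binary bytes regardless of mode, and the bare-LF line is reported only in strict mode. A full protocol analyzer extends the same idea across headers and the message body, which is why the text notes the longer development time for protocol parsers.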
3.6 Summary
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanism of a computer or network. [41]
Network intrusion detection is effective at detecting outsiders attempting to penetrate your network defenses. The benefits include outsider deterrence, detection, and automated response. There are two network intrusion detection architectures: distributed and traditional sensor. The traditional sensor architecture is easy to deploy and operate but is limited by high-speed, switched, or encrypted networks. The distributed architecture addresses these issues but is significantly harder to deploy and manage.
Host-based intrusion detection systems are distributed systems that gather and process event logs and other data from computers in an enterprise. The data may be processed locally at the target or centralized and then processed. The benefits of host-based intrusion detection include insider deterrence, detection, response, damage assessment, attack anticipation, and prosecution support.
Several techniques are available for an IDS to detect an attack, which include signature, anomaly behavior and anomaly protocol.
SNORT
Snort is a network IDS that was developed by Martin Roesch in 1998; since then it has gained tremendous popularity (more than half a million Snort sensors are deployed worldwide). Its popularity is due to several reasons, mainly because it is licensed under the GPL, it is a robust sniffer, and it can function as a sniffer, packet logger, or IDS. Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. [43]
Figure 4.1 - Overview of the basic working of Snort [44]
Snort Dataflow
First, traffic is acquired from the network link via libpcap. Packets are passed through a series of decoder routines that first fill out the Packet structure for link level protocols then are further decoded for things like TCP and UDP ports.
Packets are then sent through the registered set of preprocessors. Each preprocessor checks to see if this packet is something it should look at.
Packets are then sent through the detection engine. The detection engine checks each packet against the various options listed in the Snort rules files. Each of the keyword options is a plug-in, which makes the engine easily extensible. [72]
4.1 Architecture of SNORT
Snort's architecture is focused on performance, simplicity, and flexibility. Its architecture consists of three main parts: the packet decoder, the detection engine, and the logging and alerting subsystem. The packet decoder interacts with the protocol stack at layers 2 to 4, mainly marking packets for subsequent analysis. The detection engine inspects the packet in two stages. First, it matches the packet header to a sequence of patterns containing IP endpoint information (src/dest IP and port). Each pattern has an associated chain of rules. The rule chain associated with the first endpoint pair that matches the packet header is activated. The rules in each rule chain match such characteristics of the packet as TCP flags, payload sizes and actual content. Rules are searched in order and the first one matching triggers the action specified in it. These actions are carried out by the logging and alerting subsystem and consist mainly of saving the offending packet information (at a configurable level of granularity) into a log file and sending an instant message to a set of workstations. The knowledge Snort needs to recognize attacks is available online in the form of rules, and the developer community behind Snort boasts of instances where this information was published more expeditiously than the respective updates for commercial products. [45]
There are three primary subsystems that make up SNORT:
* Packet decoder
* Detection engine
* Logging and alerting subsystem
These subsystems ride on top of the libpcap promiscuous packet-sniffing library. Program configuration, rules parsing, and data structure generation take place before the sniffer section is initialized, keeping the amount of per-packet processing to the minimum required to achieve the base program functionality.
4.1.1 Libpcap
Libpcap was originally written for a program called tcpdump. It captures layer 2 packets and then passes them to Snort for analysis. Because the libpcap library is portable, so is Snort.
4.1.2 The packet decoder
The decode engine is organized around the layers of the protocol stack present in the supported data-link and TCP/IP protocol definitions. The decoding routines are called in order through the protocol stack, from the data link layer up through the transport layer, finally ending at the application layer. Speed is emphasized in this section, and the majority of the functionality of the decoder consists of setting pointers into the packet data for later analysis by the detection engine. SNORT provides decoding capabilities for Ethernet, SLIP, and raw (PPP) data-link protocols. [46]
4.1.3 Preprocessor
The preprocessor is the last place the packet goes before the detection engine. Preprocessors are plugins that function in a variety of ways, from HTTP URL string normalization to reassembling fragmented packets. Let's look at some of the more popular preprocessors in use:
1) Frag2: Reassembles fragmented packets before sending them to the detection engine. It is also used to block the evasion techniques discussed in section 3.
2) Stream4: Keeps the state of TCP sessions, so that port scanning such as Nmap's SYN scans will be detected; it will also block IDS DoS tools such as Snot and Stick.
3) HTTP_Decode: Because HTTP is so widely used, servers rarely accept only the strict canonical form of a request; IIS, for example, accepts Unicode-encoded URLs. It is up to HTTP_Decode to normalize those requests so that no false negatives occur.
4) Portscan2: Detects portscans. [43]
Figure 4.2 - Snort Architecture [47]
4.1.4 The detection engine
Snort maintains its detection rules in a two-dimensional linked list of what are termed Chain Headers and Chain Options. These are lists of rules that have been condensed down to a list of common attributes in the Chain Headers, with the detection modifier options contained in the Chain Options. For example, if forty-five CGI-BIN probe detection rules are specified in a given Snort detection library file, they generally all share common source and destination IP addresses and ports. To speed the detection processing, these commonalities are condensed into a single Chain Header and then individual detection signatures are kept in Chain Option structures. These rule chains are searched recursively for each packet in both directions. The detection engine checks only those chain options which have been set by the rules parser at run-time. The first rule that matches a decoded packet in the detection engine triggers the action specified in the rule definition and returns.
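The Chain Header / Chain Option organization described above, modelled in an added example for this page (this is not Snort's own code, only an illustration of the data structure). Rules written in Snort's header-plus-options syntax are parsed, rules with identical headers are condensed into one chain keyed by the header tuple, and a decoded packet is checked header-first: only the chains whose header matches are walked, and the first option set that matches triggers the rule's action. The rule text and packets are constructed; only the `content`, `nocase` and `msg` options are understood, and a chain whose options all fail is skipped in favour of the next matching header, a simplification of the search order the text describes.

```python
import ipaddress
import re

# Constructed rules in Snort's "action proto src sport -> dst dport (options)" form.
RULES = """
# two rules share one header, so they condense into a single Chain Header
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase;)
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI test-cgi access"; content:"/cgi-bin/test-cgi";)
alert tcp any any -> 192.168.1.0/24 25 (msg:"SMTP EXPN probe"; content:"EXPN "; nocase;)
"""

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_options(text):
    """Turn 'msg:"x"; content:"y"; nocase;' into a dict (a Chain Option entry)."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[item] = True  # flag-style option such as nocase
    return opts


def parse_rules(text):
    """Condense rules into {chain_header: [chain options, ...]} preserving rule order."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, dst, dport, opt_text = match.groups()
        chains.setdefault((action, proto, src, sport, dst, dport), []).append(parse_options(opt_text))
    return chains


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _header_match(header, pkt):
    _, proto, src, sport, dst, dport = header
    return (proto == pkt["proto"] and _addr_match(src, pkt["src"]) and _port_match(sport, pkt["sport"])
            and _addr_match(dst, pkt["dst"]) and _port_match(dport, pkt["dport"]))


def _option_match(opt, pkt):
    content = opt.get("content")
    if content is None:
        return True
    haystack, needle = pkt["payload"], content.encode()
    if opt.get("nocase"):
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def detect(chains, pkt):
    """Return (action, msg) of the first matching rule, or None."""
    for header, options in chains.items():
        if not _header_match(header, pkt):
            continue  # whole chain skipped on one header comparison
        for opt in options:
            if _option_match(opt, pkt):
                return header[0], opt.get("msg")
    return None


def make_packet(src, sport, dst, dport, payload):
    """Minimal decoded TCP packet as the detection engine would see it (constructed)."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


if __name__ == "__main__":
    chains = parse_rules(RULES)
    print(len(chains), "chain headers:", [len(v) for v in chains.values()], "options each")
    print(detect(chains, make_packet("10.0.0.9", 40000, "192.168.1.20", 80, b"GET /cgi-bin/PHF?x HTTP/1.0\r\n")))
    print(detect(chains, make_packet("10.0.0.9", 40000, "10.0.0.5", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n")))
```

Three rules produce two chain headers (the two port-80 rules share one), so a packet bound for port 25 costs a single failed header comparison for the whole web chain rather than one comparison per rule, which is the speed-up the paragraph is describing.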
A major overhaul of the detection engine is currently in the planning and development stage. The next version of the engine will include the capability for users to write and distribute plug-in modules and bind them to keywords for the detection engine rules language. This will allow anyone with an appropriate plug-in module to add significant detection functionality to Snort and customize the program for specific jobs. [48]
4.1.5 The logging/alerting subsystem
The alerting and logging subsystem is selected at runtime with command line switches. The logging options can be set to log packets in their decoded, human readable format to an IP-based directory structure, or in tcpdump binary format to a single log file. Logging can also be turned off completely; leaving alerts enabled for even greater performance improvements. Alerts may be either sent to syslog, logged to an alert text file in two different formats, or sent as WinPopup messages using the Samba smbclient program. There are two options for sending the alerts to a plain text file; full and fast alerting. Full alerting writes the alert message and the packet header information through the transport layer protocol. The fast alert option writes a condensed subset of the header information to the alert file, allowing greater performance under load than full mode. [46]
4.2 Network Placement
In order to monitor something, you must have access to it. NIDS is based on a promiscuous network interface card that listens to all packets on a single physical cable. If you want to monitor traffic going to multiple web servers with one sensor, you'll need to place that sensor on a length of cable that all the packets will travel through.
[ Internet ] -------(1) ------- [ Router ] -------(2) ------- [ LAN ]
Figure 4.3 - NIDS placement 1
On a simple LAN with no DMZ (see figure 4.3) there are two optimal places to locate your sensor, between the router and the internet, and between the router and LAN. The first configuration, denoted with a (1), will detect all attacks against the network, but will not show you which attacks actually get through the router and into the LAN. The second configuration, denoted with a (2), will show you which attacks enter the LAN.
On a network with a DMZ (and bastion hosts) there are three probable locations for your sensor (see figure 4.4).
[Internet] ------ (1) ------ [Router 1] --- (2) ----+--- [Router 2] ------ (3) ------ [LAN]
                                                    |
                                             [Bastion Hosts]
Figure 4.4 - NIDS placement 2
This situation is more complex. These bastion hosts can offer varying types of services and run different operating systems. If a sensor is placed in location 1 it will detect all attacks against your network. A sensor placed at location 2 will detect all attacks that make it through your exterior router. If you're looking to detect attacks against your bastion hosts this is where you'll want your sensor to be placed. This location will also detect attacks targeted at your LAN, but not give you a hint of whether the attack was successful or not.
Location 3 will detect attacks that reach your LAN, but not attacks targeting your bastion hosts. You may have decided that location 1 sensors don't do a lot, and when all your router does is route, that may be true. If the router at location 1 is a firewall, or does any sort of packet filtering, a sensor at location 1 can be compared to a second sensor at location 2 to gauge how well of a job the exterior firewall is doing.
Determine your network's layout, what you want to monitor, and where the sensor(s) should be placed. Remember, the sensor will detect all traffic on the physical wire. A standard hub repeats everything from one port to all its other ports. A switch will look for the MAC address of the destination and switch the packet to the proper port. I suggest the following setup for the connection between a router and a LAN:
[Router 1]------+----------- [Switch] ------------------ [Router 2]--+---- (LAN)
                |                |                                   |
                |         (DMZ/Bastions)                             |
              [Hub]                                                [Hub]
Figure 4.5 - NIDS placement 3
Most well designed networks make use of a switch to connect a router to a LAN or bastion hosts. This is done to reduce broadcast traffic on the wire. By placing a hub between the router and the switch you create a node that will allow you to easily move your sensor and accommodate security analysts. [49]
4.2.1 Where's a good place to physically put a Snort sensor?
This is going to be heavily influenced by your organizations policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall. Placing an IDS outside of your firewall will allow you monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated. Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass. If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made its way in.
In "front" of the firewall(s):
Pro: Higher state of alert; you know what attacks you are facing.
Con: Wall-to-wall data, boring? If your firewall has NAT turned on, tracking the sources originating from your internal network is difficult.
"Behind" the firewall(s):
Pro: Only what gets through the firewall gets monitored, so less load on the IDS analyst. You get to see what hosts are sending traffic to the internet.
Con: Less idea of the state of the environment, false sense of safety.
4.2.2 Expert Says:
* MARCUS RANUM from NFR Security: "I'd put mine inside. Why should I care if someone is attacking the outside of my firewall? I care only if they succeed, which my IDS on the inside would ideally detect. Placing the IDS on the outside is going to quickly lull the administrator into complacency. I used to have a highly instrumented firewall that alerted me whenever someone attacked it. Two weeks later I was deleting its alert messages without reading them. Another important factor arguing for putting it inside is that not all intrusions come from the outside or the firewall. An IDS on the inside might detect new network links appearing, or attackers that got in via another avenue such as a dial-in bank."
* CURRY from IBM: "The IDS should be placed where it will be able to see as much of the network traffic you're concerned about as possible. For example, if you're concerned about attacks from the Internet, it makes the most sense to put the IDS outside the firewall. This gives it an 'unobstructed' view of everything that's coming in. If you put the IDS inside the firewall, then you're not seeing all the traffic the bad guys are sending at you, and this may impact your ability to detect intrusions."
* SUTTERFIELD from Wheel Group: "IDS ideally plays an important role both inside and outside a firewall. Outside a firewall, IDS watches legitimate traffic going to public machines such as e-mail and Web servers. More importantly, IDS outside a firewall will see traffic that would typically be blocked by a firewall and would remain undetected by an internal system. This is especially important in detecting network sweeping, which can be a first indication of attack. External systems will also give you the benefit of monitoring those services that firewalls determine are legitimate. Putting an IDS inside the firewall offers the added benefit of being able to watch traffic internal to the protected network. This adds an important element of protection against insider threats. The major drawback of IDS inside a firewall is that it cannot see a good deal of important traffic coming from untrusted networks and may fail to alert on obvious signals of an impending attack."
* CHRIS KLAUS from ISS: "Outside the firewall is almost always a good idea; it protects the DMZ devices from attack and dedicates an additional processor to protecting the internal network. Just inside the firewall is also useful; it detects attempts to exploit the tunnels that exist through the firewall and provides an excellent source of data for how well your firewall is working. Throughout your intranet may be the best place for IDS deployment, however. Everyone agrees that attacks aren't the only things we're worried about; there's internal mischief, fraud, espionage, theft, and general network misuse. Intrusion detection systems are just as effective inside the network as outside, especially if they're unobtrusive and easy to deploy."
* GENE SPAFFORD: "The IDS must be inside any firewalls to be able to detect insider abuse and certain kinds of attacks through the firewall. IDS outside the firewall may be useful if you want to monitor attacks on the firewall, and to sample traffic that the firewall doesn't let through. However, a true IDS system is likely to be wasted there unless you have some follow-through on what you see."
4.3 Writing SNORT Rules
SNORT rules are simple to write, yet powerful enough to detect a wide variety of hostile or merely suspicious network traffic. There are three base action directives that SNORT can use when a packet matches a specified rule pattern: pass, log, or alert.
* Pass rules simply drop the packet.
* Log rules write the full packet to the logging routine that was selected by the user at run-time.
* Alert rules generate an event notification using the method specified by the user at the command line, and then log the full packet using the selected logging mechanism to enable later analysis.
Each SNORT rule has a rule header and rule options.
4.3.1 Rule Header
The rule header contains the rule action, the protocol, source and destination IP addresses and netmasks, and source and destination ports. The rule options are predicates on packet fields, or the text of messages to be logged/displayed for matching packets, or response/reaction directives. Option fields are available for all rule types and may be used to generate complex behaviors from the program. The general form of a SNORT rule header is:
'action protocol left IP left port direction right IP right port'.
The action is one of alert, log, pass, activate, or dynamic. The first generates an alert, the second generates a log record, and the third causes the packet to be passed with no alerts or log records. The last two provide a simple form of rule linking: an activate rule is like an alert rule that also activates a corresponding dynamic rule. The dynamic rule is like a log rule with a counter.
A direction operator between the left address and port and the right address and port specifies whether traffic matches in one direction or both directions. Single-direction matching is specified with "->" or "<-", and bidirectional matching with "<>". All the other fields are self-explanatory. [Amruta Inamdar, "Intrusion Detection Systems and a Case Study of SNORT", 2003]
4.3.2 Rule Options
Rule options are enclosed in parentheses and each option is terminated by a semicolon:
'(' option ';' . . . ')'
Rule options are either predicates on packet fields, or they are related to logging or responding to a match. Each option is of the form: option-name ':' option-value
There are more than 40 different options. Some of the important ones are given below:
* Msg: tells the logging and alerting engine the message to print along with a packet dump or to an alert.
* Logto: tells Snort to log all packets that trigger this rule to a special output log file.
* TTL: used to set a specific time-to-live value to test against. The test it performs is only successful on an exact match.
* TOS: allows checking the IP header TOS field for a specific value. The test it performs is only successful on an exact match.
* FragBits: inspects the fragment and reserved bits in the IP header.
* Offset: used as a modifier to rules using the content option keyword. This keyword modifies the starting search position for the pattern match function from the beginning of the packet payload.
* Depth: sets the maximum search depth for the content pattern match function to search from the beginning of its search region. It is useful for limiting the pattern match function from performing inefficient searches once the possible search region for a given set of content has been exceeded.
* Session: is used to extract the user data from TCP sessions. It is extremely useful for seeing what users are typing in telnet, rlogin, ftp, or even web sessions. There are two available argument keywords for the session rule option, printable or all. The printable keyword only prints out data that the user would normally see or be able to type. The all keyword substitutes non-printable characters with their hexadecimal equivalents.
* Content: The content keyword is one of the more important features of SNORT. It allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents.
These options may be combined in any manner to detect and classify packets of interest. The rule options are processed using a logical AND between them; all of the testing options in a rule must be true in order for the rule to generate a "found" response and have the program perform the rule action. [Amruta Inamdar, "Intrusion Detection Systems and a Case Study of SNORT", 2003]
4.4 Understanding Rule:
Below is one of the snort rules.
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 111 (content: "|00 01 86 15|"; msg: "external mountd access";)
The first word (alert) is an action keyword, which tells the rule how to react when it finds a matching packet. In this instance an alert will be generated using the user-defined alert method and the packet will also be logged. The next word (tcp) is the protocol to look for. The next section, containing the CIDR address blocks, is the source of the packet. In this case the ! negates the defined source, i.e. it states NOT from this source address. The "any" keyword means any port. After the -> is the target IP address or CIDR block followed by a port number. The port number has many options as well, such as "any" or a range of ports. The next section, in parentheses, is the rule options. It starts off with an option keyword then the argument. More than one option may be used in a rule. The above rule has two options. The first is "content", which simply looks for specific content in the packet and forces a response when that content is matched. The content can be plain text or binary data, which can be quite complex. In this case the content match causes a message, signified by the keyword "msg", which specifies a message to print to the logs in addition to the packet capture information. Let's examine one more rule:
alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; flags: PA; msg: "CGI-PHF probe";)
This rule tells snort to alert and log TCP packets from any IP address and any port going to the 192.168.1.0/24 CIDR block of addresses on port 80 containing the text "cgi-bin/phf" in the packet payload and the flags Push or Ack in the TCP header. Finally, if it matches the rule, write the message "CGI-PHF probe" to the logs with the packet capture dump. [50]
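A parser and matcher for the rule syntax of sections 4.3 and 4.4, written here as an added example and not Snort's own code. It covers the header fields, bracketed IP lists with CIDR blocks and ! negation, port ranges, both direction operators, and the content (text or |hex|), flags and msg options; packets are assumed to be plain dictionaries, and the sample traffic is constructed, with 203.0.113.0/24 standing in for an outside network.

```python
# Added example: a minimal parser and matcher for the Snort rule syntax of sections 4.3-4.4.
# Not Snort's own code; packets are plain dicts built below, there is no packet capture.
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def ip_pred(spec):
    """'any', '10.1.1.0/24' or '![a/24,b/24]' -> predicate on a dotted address string."""
    negated = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    nets = None if body == "any" else [ipaddress.ip_network(s.strip(), strict=False)
                                       for s in body.split(",")]
    return lambda a: (nets is None or any(ipaddress.ip_address(a) in n for n in nets)) != negated

def port_pred(spec):
    """'any', '111', '!111' or '1024:65535' -> predicate on an integer port."""
    negated = spec.startswith("!")
    body = spec.lstrip("!")
    if body == "any":
        low, high = 0, 65535
    elif ":" in body:
        lo, hi = body.split(":")
        low, high = int(lo or 0), int(hi or 65535)
    else:
        low = high = int(body)
    return lambda p: (low <= p <= high) != negated

def parse_content(value):
    """Content value, text with |..| hex spans: '|00 01 86 15|' or 'cgi-bin/phf' -> bytes."""
    out = bytearray()
    for i, piece in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()  # odd pieces sit inside |..|
    return bytes(out)

def parse_rule(text):
    """Parse one rule line into a dict; raises ValueError when the header does not parse."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a snort rule: %r" % text)
    rule = {"action": m["action"].lower(), "proto": m["proto"].lower(), "dir": m["dir"],
            "src": ip_pred(m["src"]), "sport": port_pred(m["sport"]),
            "dst": ip_pred(m["dst"]), "dport": port_pred(m["dport"]),
            "content": [], "flags": None, "msg": None}
    # Options are 'name: value' pairs separated by ';' (the final ';' is optional in the
    # page's first rule). A ';' inside a quoted value is not handled by this simple split.
    for opt in m["opts"].split(";"):
        name, _, value = opt.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "content":
            rule["content"].append(parse_content(value))
        elif name == "flags":
            rule["flags"] = set(value.upper())  # bare value: exactly these TCP flags must be set
        elif name == "msg":
            rule["msg"] = value.strip('"')
    return rule

def match(rule, pkt):
    """Return the rule's msg when protocol, endpoints and every option match (logical AND)."""
    def endpoints(src, sport, dst, dport):
        return (rule["src"](src) and rule["sport"](sport)
                and rule["dst"](dst) and rule["dport"](dport))
    if pkt["proto"] != rule["proto"]:
        return None
    if not endpoints(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        # '<>' also accepts the packet with source and destination swapped
        if rule["dir"] != "<>" or not endpoints(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]):
            return None
    if rule["flags"] is not None and set(pkt.get("flags", "")) != rule["flags"]:
        return None
    if not all(c in pkt["payload"] for c in rule["content"]):
        return None
    return rule["msg"]

def scan(packets, rules):
    """[(packet index, msg), ...] for every packet/rule pair that matches."""
    return [(i, msg) for i, p in enumerate(packets) for r in rules
            for msg in [match(r, p)] if msg is not None]

# The two rules from section 4.4 (action keyword lowercased, as Snort expects it).
RULES = [parse_rule('alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 111 '
                    '(content: "|00 01 86 15|"; msg: "external mountd access")'),
         parse_rule('alert tcp any any -> 192.168.1.0/24 80 '
                    '(content: "cgi-bin/phf"; flags: PA; msg: "CGI-PHF probe";)')]

def packet(src, sport, dst, dport, payload, flags="PA"):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": payload, "flags": flags}

# Constructed sample traffic; 203.0.113.0/24 is a documentation range standing in for "outside".
PACKETS = [
    packet("203.0.113.5", 40123, "192.168.1.20", 111, b"\x00\x01\x86\x15\x00\x00"),  # mountd, outside
    packet("10.1.1.7", 40124, "192.168.1.20", 111, b"\x00\x01\x86\x15"),  # same, but negated source
    packet("203.0.113.9", 50000, "192.168.1.10", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),  # PSH+ACK
    packet("203.0.113.9", 50001, "192.168.1.10", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n", "A"),  # ACK only
]
```

Running scan(PACKETS, RULES) alerts on packets 0 and 2 only: packet 1 comes from a negated source network and packet 3 lacks the PSH flag that flags: PA requires.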
Advantages:
* Snort is passive, which lets it monitor any system on your network with no configuration on the target computer.
* Portable and fast.
* Capable of logging to numerous databases: Oracle, Microsoft SQL Server, MySQL and PostgreSQL.
* Flexible and simple: Snort uses plugins for all of its functions, so you can add plugins and remove them as you wish.
* Snort rule files (signatures) are easy to write and are effective.
* Snort is ported to every major operating system. [43]
Summary
Installing and Deploying Snort and Detecting Attack
As we now all know, it is important to know the attacks in order to stop them from happening and causing damage to our mission-critical systems. Deploying an IDS is now crucial to every network, making enterprises review and set strong policies against attacks. Snort is a small yet very powerful NIDS available to us absolutely free; with snort we can keep an eye on the entire traffic passing over the wire where the sensor is deployed.
I have chosen snort to be my NIDS as it is free and not hard to install on either UNIX or Windows systems. On top of all that, we can also write and add new rules to it, which makes snort more powerful and diverse. Deploying the sensor on the network is the most important decision you need to make; make sure you deploy it where you can see all, or the maximum amount of, traffic coming into your network and going out of your network.
Before I discuss where I have deployed the snort sensor, I would like to go through the installation process of snort and the other software needed to support snort.
5.1 Tools
To deploy the snort sensor properly it is necessary to choose a good hardware specification for smooth running. It is recommended to use a dedicated machine for the sensor so it can analyze packets more efficiently. With the help of some other programs, briefly described below, snort can be managed easily.
Hardware Used:
Below is the specification of my hardware used to deploy snort sensor.
* Intel Pentium 2
* CPU speed 400 MHZ
* 384 MB RAM
* Network Card
* 3 GB Hard Disk
* 15 inch Compaq Monitor
For smoother running of the sensor, the following hardware is recommended.
* Dual processor motherboard
* Two Intel 1.2 Ghz processor
* 1000MB or 1GB of DDRAM minimum with 512MB SDRAM
* 10 GB of Hard Disk
* 17" or 19" monitor with 1280x1024 screen resolution
Software Used:
Below is the software used in the successful deployment of the snort sensor.
* Linux Red Hat 8 (Operating System)
* Snort 2.1 (Open Network Security Intrusion Detection System)
* Apache (Industry Open Standard Web Server)
* MySQL (Open Database System)
* ADODB (Open Database Tools)
* ACID (Open Intrusion Analysis Tools)
5.2 Installation:
I have installed Linux Red Hat 8 on my machine, which is dedicated to Network Intrusion Detection. It is good to have a separate dedicated machine for network intrusion detection so it can process intrusions quickly and efficiently. To save the time of installing all the packages one by one, I installed a package called Easy IDS from Argus Network Security Services Inc. [51], which has all the packages in one and comes pre-configured; this means I did not have to spend time installing and configuring snort and the other software. All I did was run the command below as su (super user/root) in a shell.
tar xzvf easy-ids-ver2.0.0-rh8.0.tar
Then I changed the ownership and permissions of the file install.sh.
chmod 700 install.sh
And after that I ran the installation script.
./install.sh
To start the installed IDS I just used the following command.
/etc/init.d/argus start
Use the following command to stop it.
/etc/init.d/argus stop
To use ACID (Analysis Console for Intrusion Databases) open web browser and put the following URL:
http://localhost or http://ip-address [52]
5.3 Sensor Placement
The device may be placed outside an organization's firewall between the firewall and the external untrusted network. This allows snort to detect not only the attacks that may make it through the firewall, but also those that are blocked by the firewall. [53]
There are two types of interface configuration: single and dual.
Single Interface
The easiest configuration is a box with a single interface. The same interface that listens to the network traffic is the same one from which administration is done.
Figure 5.1 - Single Interface [54]
This will be the typical configuration for home network users and administrators monitoring internal networks.
Dual Interface
In a dual-interface configuration, one interface is used to listen to network traffic in promiscuous mode while the other is used for remote administration. This type of configuration is used in environments where it is not possible to administrate the box from the same interface that is listening to the network traffic.
In this configuration, the external interface should be well-protected and the box designed explicitly for this purpose. The box should not be offering any network services except for ssh on the internal interface only.
Figure 5.2 - Dual Interface [54]
I chose a single interface to deploy the sensor, which means running the sensor and controlling it from a single machine. Most NIDS would be configured with two NICs, one for management and one for detection. The NIC that is configured for detection usually does not have an IP address assigned to it, making it a "stealth" interface. Since it does not have an IP address assigned to it, no one can send packets to it or cause the NIDS to reply using that interface. [55] In my case I have one NIC doing both tasks, monitoring and managing.
5.4 Snort Configuration
Snort.conf is the configuration file that tells Snort what to do when it starts up. There are four sections to the Snort.conf file: Network Variables for your network, Preprocessors, Output plug-ins, and Rule set customization. This file can be configured to monitor a specific IP, a set of IPs or a network range. $HOME_NET is used for most of the Network Variables, but putting in the specific IP address can be beneficial. Putting in specific IP addresses is useful if you have a small network and know every Web Server, SMTP Server and/or SQL Server that you own and monitor. This will help tailor the snort rules towards your specific network setup and will generate fewer false positives. [56]
Before running snort it is extremely important to set up the Snort.conf file to get better detection and to avoid false positives. To configure the file I have used the following information.
IP Address      61.76.97.97
Subnet Mask     255.255.248.0
Gateway         61.76.80.13
DNS Server      61.76.80.13
Table 5.1 - Info used to run Snort
Network Variable
The Network Variable section defines the home address range, external address range, Web Servers, Mail Servers and DNS Servers.
Home Address Range
Home Address range will look like this in an unmodified Snort.conf:
var HOME_NET any (var is the keyword for variable)
"This setting will monitor your entire network by default." To monitor a single host with an IP Address of x.x.x.1, change the any to x.x.x.1/32. The /32 represents how many bits are in the subnet mask. Because this is monitoring the localhost, the subnet is 255.255.255.255. If you are not getting any alerts, you may want to check this section to be sure that the subnet mask is correct.
var HOME_NET x.x.x.1/32
To monitor the entire network x.x.x.0 with a subnet mask of 255.255.255.0 (24 bits) configure the HOME_NET section of the Snort.conf like so:
var HOME_NET x.x.x.0/24
NOTE: The IP Address x.x.x.1 and range x.x.x.0 would be actual IP Addresses and ranges; the x's were for example purposes only. For a better understanding of IP Addressing and Subnetting http://www.mcsefreak.com/subnetting.htm has a very educational guide.
External Address range
Change var EXTERNAL_NET any to var EXTERNAL_NET !$HOME_NET
This tells Snort that any IP Address other than those specified as HOME_NET, which has already been defined, is external. "!" means "not".
SMTP Servers
Configure the SMTP section to var SMTP $HOME_NET
Setting specific IP Addresses for your mail servers in this section will reduce the number of false alerts, but setting it to $HOME_NET will set it to monitor what is specified in the $HOME_NET section.
Web Servers
To configure your Web Servers set the variable to
var HTTP_SERVERS $HOME_NET for a large Network.
Again if you set this to be the IP Addresses of your Web Servers, the number of false alerts will be minimized, but you can set it to $HOME_NET as well. It may not be practical to type in the IP Addresses of 100 Web servers.
SQL Servers
Configure the SQL Server section to be var SQL_SERVERS $HOME_NET
This works the same as the Web and SMTP server configuration. You can specify the servers or just leave it as $HOME_NET.
DNS Servers
Configure the DNS Server Section to be
var DNS_SERVERS [10.20.30.100/24,10.20.30.101/24]
Configuring this section will prevent false DNS related scan alarms. At the bottom of the Network Variable section is a line that specifies where the RULE files are located. Be sure to configure the entire path as shown or Snort may not start correctly:
var RULE_PATH E:\Snort\Rules
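The network-variable block above built from the Table 5.1 values, as an added example that is neither the thesis's nor Snort's own code. It derives the CIDR prefix HOME_NET needs from the dotted subnet mask (and rejects a mask that has no CIDR form), uses the variable names quoted above, and assumes a Linux rule path of /etc/snort/rules in place of the Windows path in the text; the explicit web server addresses in the usage call are constructed.

```python
# Added example: build the Snort.conf network variables of section 5.4 from Table 5.1.
# Not the thesis's or Snort's own code; rule_path and the server hosts are assumptions.
import ipaddress

# Values from Table 5.1.
SENSOR = {"ip": "61.76.97.97", "mask": "255.255.248.0",
          "gateway": "61.76.80.13", "dns": "61.76.80.13"}


def prefix_length(mask):
    """'255.255.248.0' -> 21. A non-contiguous mask has no CIDR form, so it is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    length = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:
        raise ValueError("mask %s is not contiguous" % mask)
    return length


def home_net(ip, mask):
    """Network containing ip, as 'a.b.c.d/n': 61.76.97.97 with 255.255.248.0 -> '61.76.96.0/21'.
    With mask 255.255.255.255 this gives the single-host x.x.x.1/32 form from the text."""
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix_length(mask)), strict=False))


def network_variables(sensor, rule_path="/etc/snort/rules", servers=None):
    """Return the configuration lines. servers may map SMTP, HTTP_SERVERS or SQL_SERVERS to an
    explicit host list (fewer false alerts); anything not listed falls back to $HOME_NET."""
    servers = servers or {}
    lines = ["var HOME_NET %s" % home_net(sensor["ip"], sensor["mask"]),
             "var EXTERNAL_NET !$HOME_NET"]  # everything that is not HOME_NET is external
    for name in ("SMTP", "HTTP_SERVERS", "SQL_SERVERS"):
        hosts = servers.get(name)
        value = "[%s]" % ",".join(hosts) if hosts else "$HOME_NET"
        lines.append("var %s %s" % (name, value))
    lines.append("var DNS_SERVERS [%s/32]" % sensor["dns"])  # explicit hosts avoid false DNS scan alarms
    lines.append("var RULE_PATH %s" % rule_path)
    # The same DNS host goes to the preprocessor that suppresses port-scan alerts from it.
    lines.append("preprocessor portscan-ignorehosts: %s" % sensor["dns"])
    return lines


if __name__ == "__main__":
    # 61.76.97.100 is a constructed web server address inside the Table 5.1 network.
    print("\n".join(network_variables(SENSOR, servers={"HTTP_SERVERS": ["61.76.97.100"]})))
```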
Configure Preprocessors
"Preprocessors provide for complex functions, such as TCP stream reassembly, IP defragging, or HTTP request normalization. Preprocessors are only called once per packet, can directly manipulate packet data, and even call the detection engine directly with their modified data." The Snort.conf file does a very good job at explaining the different preprocessors. Martin Roesch also has good documentation on the preprocessors in Chapter 2 of the Snort User's Manual found here:
http://www.snort.org/docs/writing_rules/chap2.html. Preprocessors are great for catching specific alerts but can be very processor intensive in some cases. The following preprocessors are enabled by default in the Snort.conf:
preprocessor frag2: This preprocessor provides IP defragmentation and detects fragmentation attacks.
preprocessor stream4: detect_scans: This preprocessor generates alerts on detection of stealth portscans.
preprocessor stream4_reassemble: This preprocessor reassembles traffic on specific ports and alerts on bad streams. The default port list is 21, 23, 25, 53, 80, 143, 110, 513 and so on. You can change this preprocessor to reassemble all ports by setting the port options with "all". This could be very processor intensive depending on the amount of traffic and the performance of the Snort computer.
preprocessor http_decode: 80 -unicode -cginull: 'This preprocessor normalizes HTTP requests by converting Unicode representations of characters into their ASCII equivalent and then passes them on to Snort to match against the rules. The -unicode and -cginull will prevent false alerts such as CGI Null Byte attacks and IIS Unicode attacks that are sometimes triggered by sites that use multibyte characters.'
preprocessor rpc_decode: 111: This preprocessor normalizes RPC traffic on the given port numbers that RPC services are running on. Port 111 is the RPC service used by protocols for lookup.
preprocessor bo: -nobrute: This preprocessor detects Back Orifice traffic. The -nobrute turns off the brute forcing of the key space of the protocol to find the Back Orifice traffic. Performance can be severely impacted by turning on brute force.
preprocessor telnet_decode: This preprocessor normalizes telnet and FTP traffic by reassembling the traffic into data that can be matched against the rules.
preprocessor portscan-ignorehosts: 0.0.0.0: You should uncomment this preprocessor line and configure it with the IP Addresses of the DNS Servers to prevent false DNS alerts. Put in this section any IP Addresses or networks whose port scans should be ignored.
Note: To uncomment simply remove the '#' in front of preprocessor
Running snort with a Rule set
The real power of snort lies in its ability to read in a rule set, observe the traffic going across the wire, and detect if any of the traffic matches any of the rules. Rules can be created that watch for pings, scans, backdoor attempts, cgi-attempts, and many other common methods attackers use to gain control of a target machine. Alerts can be logged to a file specified from the command line or even sent through syslog and appended to your system messages. This can all be run as a background process.
Rule sets can be written by hand. Often people use one of the freely available rule sets available on the snort homepage at http://www.snort.org/snort-files.htm. A custom interface is able to create rules to suit your taste "on the fly" at http://www.snort.org/Database/rules.asp. [57]
Currently there are two different rulesets that people use. A ruleset developed by Jim Forster can be downloaded from http://www.snort.org/snort-files.htm#Rules
Another ruleset, developed as part of Max Vision's ArachNIDS work, is available from http://dev.whitehats.com/ids/vision.conf and updated hourly.
The Max Vision rule set is particularly nice because it follows the Common Vulnerabilities and Exposures (CVE) database, allowing people to refer to a particular vulnerability using a consistent name. [53]
5.5 Summary
To prevent an attack it is recommended to know it, and this can only be achieved with an intrusion detection system; these are available commercially and some, like snort, are free. Snort detects attacks by analyzing the packets passing through it. By reviewing the alerts one can prevent those attacks from happening by configuring the firewall and modifying the security policies within the organization.
Snort is easy to configure, install and manage. With snort we can not only download the latest signatures created by security professionals but also write our own to detect new threats to the network, as they are very easy to write and configure.
Preventing Attack with other Tools and Techniques
As we all know, IDS plays an important role in detection in order to prevent attacks. To detect most attacks we need to make sure we adopt proper tools and techniques. The best technique I have found is to deploy both a Network Intrusion Detection System (NIDS) and a Host Intrusion Detection System (HIDS) on the critical network; this technique is called a Hybrid Intrusion Detection System and has the best of both.
Some experts say the Intrusion Detection System is dead and an Intrusion Prevention System (IPS) is what we need today in this insecure networked world. An IPS not only detects attacks but also tries to stop them by terminating the session or dropping the packet. The firewall still remains the first option for preventing attacks and cannot be replaced by any new technology available today. To make our network more secure and free from the threat of attack we need to deploy some extra techniques like the Hybrid Intrusion Detection System architecture and the Intrusion Prevention System. Below are some techniques that can be handy in the detection and prevention of attacks.
6.1 Hybrid IDS
A Hybrid IDS is a combination of host-based IDS and network IDS technologies. Hybrid intrusion detection is system-based and provides attack recognition on the network packets flowing to or from a single host. Hybrid systems do not inspect every packet that goes by (unlike a network-based IDS), so they alleviate some of the performance degradation issues of traffic analysis. Hybrid IDS provide additional protection by monitoring a system's events, data, directory, and registry. Again, platform availability and deployment problems are an issue and hybrids are traditionally system resource intensive, yet they are less susceptible to false positives than network-based IDS. [9]
Prelude Hybrid IDS is one of the tools freely available and can be downloaded from the following site: http://www.prelude-ids.org/rubrique.php3?id_rubrique=13. Figure 6.1 shows the Hybrid IDS deployment in a network.
Figure 6.1 - Deployment of Hybrid IDS Sensors and Management Console in a network [69]
6.2 Detection vs. Prevention
On the surface, intrusion detection and intrusion prevention solutions appear competitive. After all, they share a long list of similar functions, like packet inspection, stateful analysis, fragment reassembly, TCP segment reassembly, deep packet inspection, protocol validation, and signature matching. But these capabilities take a backseat to the starkly different purposes for which they are deployed. An IPS operates like a security guard at the gate of a private community, allowing and denying access based on credentials and some predefined rule set, or policy. An IDS works like a patrol car within the community, monitoring activities and looking for abnormal situations. No matter how strong the security at the gate is, the patrols continue to operate in a system that provides its own checks and balances. [58]
IDS:
* Provides monitoring, auditing, forensics, and reporting of network activity.
* Known attacks via signatures and rules.
* Variations in traffic volume and direction using complex rules and statistical analysis.
* Communication traffic pattern variations using flow analysis.
* Anomalistic activity detection using baseline deviation analysis.
* Suspicious activity detection using heuristics, flow analysis, statistical techniques, and anomaly detection.
* Some attacks are just plain hard to detect with any degree of certainty, and most can only be detected by methods that are non-deterministic in nature. That is, they are not suitable for a policy-driven blocking decision.
IPS:
* Undesired applications and active Trojan horse attacks against private networks and applications, by using deterministic rules and access control lists.
* Attack packets like those from LAND and WinNuke by using high-speed packet filters.
* Protocol abuse and evasive actions - network protocol manipulations like Fragroute and TCP overlap exploits - by using intelligent reassembly.
* Denial of service (DOS/DDOS) attacks such as SYN and ICMP floods by using threshold-based filtering algorithms.
* Application abuse and protocol manipulations - known and unknown attacks against HTTP, FTP, DNS, SMTP etc. - by using application protocol rules and signatures.
* Application overload or abuse attacks by using threshold-based resource consumption limits.
Table 6.1 - IDS vs. IPS
6.3 Intrusion Prevention
The aim of Intrusion Prevention is to stop an attacker cold, before any malicious activity can be performed. Using rules, usage models and correlation engines, IPS systems can help ensure appropriate network usage by automatically preventing unauthorized use from occurring. [59]
Intrusion prevention solutions are intended to provide protection for assets, resources, data, and networks. The primary expectation is that they will reduce the threat of attack by eliminating the harmful and/or malicious network traffic while continuing to allow legitimate activity to continue. The goal is a perfect system - no false positives that reduce end user productivity and no false negatives that create undue risk within the environment. Perhaps a more crucial role is the need to be reliable; to perform in the expected manner under any conditions. In order to accomplish this goal, IPS solutions must be deterministic in nature. Deterministic capabilities imbue the confidence required for a "hard" decision.
The difference between IDS and IPS ends up being determinism. That is, IDS can (and should) use non-deterministic methods to divine any sort of threat, or potential threat, from existing and historical traffic. This includes performing statistical analysis of traffic volume, traffic patterns, and anomalous activities. It is not for the faint of heart, nor should it be - it is for individuals who truly want to "know" what is happening on their networks.
IPS, on the other hand, must be deterministic - correct - in all of its decisions in order to perform its function of scrubbing traffic. An IPS device is not supposed to take chances or react with some technical version of "gut instinct." It is supposed to work all of the time, and make access control decisions on the network. Firewalls provided the first deterministic approach to access control on the network, providing basic IPS capability. IPS devices add next-generation capability to these firewalls - still operating inline and providing the type of deterministic comfort required of an inline device that is making access control decisions. [58]
The benefits of such technology are obvious. If an organization can not only detect suspicious activity, but also automatically prevent that activity from penetrating the network's defenses, they can more effectively safeguard their information resources against malicious attacks and ensure continued confidentiality, integrity and availability of those resources.
An effective IPS also provides a great deal of efficiency by significantly reducing response time. With automated security analysis and response, an IPS can quickly prevent unauthorized activity from taking place and take measures to provide information on the nature of the attack itself, i.e.: the source of the activity and its intent. This information can then be used to track the attack to a specific individual, or be used in a legal response. While it may take several minutes (or longer) for a professional security analyst to be alerted to a potential attack, and formulate a response, an Intrusion Prevention System could perform the same actions immediately. The quick response time of an IPS will greatly reduce the risk of damage to the network and company information. [60]
IPS Advantages
Speedy end to intrusions. As discussed earlier, an intrusion event begins a process of harm to an organization's computing resources - not to mention potential legal liabilities. By stepping in at the moment of detection, an IPS rapidly ends the intrusion and minimizes the overall time before the network is back to normal.
Accurate and reliable detection. By using multiple detection methods, and utilizing its position in the line of network traffic, the IPS can detect attacks and intrusions more accurately and reliably. By relying less on signatures and more on intelligent methods of detection, the IPS generates far fewer false alarms. This focuses the organization's time and effort on only the true threats.
Active prevention. Whereas a NIDS simply announces the presence of suspicious or anomalous traffic, an IPS can instigate a variety of response mechanisms as described earlier. This reduces the costs of administering network security, and reduces the risk of the organization suffering damage or loss due to cyber attacks. [61]
6.4 Honeynet
A non-profit organization called The Honeynet Project [62] has dedicated itself to finding out more about intruders' behavior and how they work. It is a security-research group dedicated to learning about the tools used for attacks, the motives and tactics behind them, and sharing the knowledge it gains. The group gathers information by deploying networks, called honeynets, which are designed to be compromised. These networks are real networks with all the hardware that is needed. A honeynet lures attackers to a system and their activities are then analyzed. The intent is for attackers to break into the system and have every action captured and controlled without their knowing it. [63] Each computer in the honeynet is called a honeypot.
The concept of honeynets is simple: a network with no production activity is set up, so any interaction with it is most likely a probe, scan or attack. Inbound connections carry valuable information because they are most likely probes, scans or attacks. Outbound connections are even more important, because they may indicate that a system has been compromised and the attacker is initiating the outgoing traffic.
Figure 6.2 - Honeynet [74]
Honeynets have two critical requirements [63]:
• Data control: To ensure that once an attacker breaks into the honeynet system, the compromised system cannot be used to attack or harm other systems.
• Data capture: To ensure that all the attackers' activities, even if they are obfuscated or encrypted, are detected and captured.
Honeynets are not a security component that will protect a system against an attack, but they can be used alongside other components to learn about new attacks and to see where attackers come from. With distributed honeynets, information can be collected on a global scale. This is the real potential of honeynets, because they can be used to check, for example, how fast worms are spreading through the Internet.
A honeynet can be very useful for a medium to large company, which could use it to tune its own systems. By watching what kinds of attacks occur, when they are attacked and how the attackers work, the company could feed this information into, for example, an Intrusion Detection System. These extra parameters could be considered when, for example, a neural network is used in the Intrusion Detection System. The honeynet can also be used to draw the attacker's attention away from critical systems elsewhere in the local network.
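The inbound/outbound reasoning and the two requirements (data control, data capture) described above, as an added example that is not from the thesis or from The Honeynet Project's own tools. It classifies constructed flow-log lines relative to a honeynet subnet, treats any honeypot that initiates outbound traffic as a compromise suspect, and applies a hypothetical per-host outbound cap as the data-control step; the log format, addresses and cap are all assumptions.

```python
"""Added illustration (constructed data, not the thesis's or the Honeynet
Project's code). A honeynet carries no production traffic, so direction is
the key signal: inbound = probe/scan/attack (capture it); outbound = the
honeypot may be compromised (alert, and cap such connections for data control).
Hypothetical flow-line format: <timestamp> <src_ip>:<port> -> <dst_ip>:<port> <proto>
"""
import ipaddress

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # documentation range, constructed
OUTBOUND_LIMIT = 3                                # hypothetical data-control cap

# Constructed flow records; all addresses are documentation ranges, not real hosts.
FLOW_LOG = """\
2004-05-15T10:00:01 198.51.100.7:41022 -> 192.0.2.10:22 tcp
2004-05-15T10:00:02 198.51.100.7:41023 -> 192.0.2.10:80 tcp
2004-05-15T10:00:03 198.51.100.7:41024 -> 192.0.2.11:445 tcp
2004-05-15T10:05:00 192.0.2.10:51000 -> 203.0.113.5:6667 tcp
2004-05-15T10:05:01 192.0.2.10:51001 -> 203.0.113.9:80 tcp
2004-05-15T10:05:02 192.0.2.10:51002 -> 203.0.113.9:80 tcp
2004-05-15T10:05:03 192.0.2.10:51003 -> 203.0.113.20:25 tcp
2004-05-15T10:06:00 192.0.2.10:51004 -> 192.0.2.11:22 tcp
"""


def parse_flow(line):
    """Parse one flow line into a dict; malformed lines raise ValueError."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "proto": proto}


def classify(flow):
    """Direction relative to the honeynet: 'inbound', 'outbound' or 'internal'."""
    src_in, dst_in = flow["src"] in HONEYNET, flow["dst"] in HONEYNET
    if src_in and dst_in:
        return "internal"  # honeypot-to-honeypot: lateral movement inside the net
    return "outbound" if src_in else "inbound"


def honeynet_report(log_text, limit=OUTBOUND_LIMIT):
    """Return per-direction counts, the honeypots that initiated outbound traffic
    (compromise suspects) and the outbound flows beyond the data-control limit,
    which an inline control would block to stop attacks on third parties."""
    counts = {"inbound": 0, "outbound": 0, "internal": 0}
    suspects, per_host, blocked = set(), {}, []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        direction = classify(flow)
        counts[direction] += 1
        if direction == "outbound":
            suspects.add(str(flow["src"]))
            per_host[flow["src"]] = per_host.get(flow["src"], 0) + 1
            if per_host[flow["src"]] > limit:
                blocked.append(line)
    return counts, suspects, blocked


if __name__ == "__main__":
    counts, suspects, blocked = honeynet_report(FLOW_LOG)
    print(counts)
    print("possibly compromised honeypots:", sorted(suspects))
    print("blocked by data control:", *blocked, sep="\n  ")
```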
A variety of products or solutions allow you to create your own honeypot. Such options include:
* Fred Cohen's Deception Toolkit (http://www.all.net/dtk/index.html)
* Cybercop Sting (http://www.pgp.com/products/cybercop-sting/default.asp)
* Recourse Mantrap (http://www.recourse.com/products/mantrap/trap.html)
Advantages of a Honeynet
A honeynet has several advantages over a single honeypot. First, a honeynet has different targets, such as switches, routers, and different operating systems. By having different systems, you can detect/capture black-hats that are looking for different vulnerabilities. Second, you have redundant sources of information. If one source fails, you have other sources to refer to. Also, combining information from several sources provides greater detail. Third, a honeynet can better detect patterns, such as vulnerability scanning or how the black-hat progresses from one system to another.
Combined, these advantages provide more reliable and greater information than a standalone honeypot. [64]
Recommended Architecture
The figure below shows an architecture suitable for any LAN wishing to protect its mission-critical servers from intruders with the help of an IDS and a honeynet; using the information obtained, the administrator and network manager can always review their security policy and correct it.
Firewall, IDS and Honeynet protecting a LAN
Summary
Intrusion Prevention Systems represent a new and promising technology in network security. Network intrusion prevention devices can automatically take action to stop attacks and intrusions. IPS offers protection that NIDS cannot.
To keep attackers away from your LAN, it is good practice to deploy a firewall, a hybrid intrusion detection system and an Intrusion Prevention System together with anti-virus software for maximum security.
CRITICAL ANALYSIS, EVALUATION AND CONCLUSION
My research project has given me a great deal of knowledge, not only about attacks and intrusions and their detection but also about how to search and research anything I want to learn. Here I would say a person needs to have the power of research to conquer knowledge, but knowledge is something that has no limits.
Critical Analysis
The material presented in this thesis could be more highly technical and advanced, but I wanted to keep it simple and understandable while keeping a professional attitude. Several sources have been used to research technical articles, and hundreds of whitepapers were read, to produce a thesis of master's-level caliber.
Critical Evaluation
As my research project is on how an Intrusion Detection System (IDS) detects attacks, to prove this I carried out a practical by deploying the IDS and logging the alerts created by Snort, which was used as my Network Intrusion Detection System (NIDS). I also made some attacks to find out whether Snort catches them or lets them through undetected. I wasn't able to carry out most of the attacks, as they are not that easy to launch. The major hurdle was that I had to set up many packages on my computer, like a web server, DNS server, databases, FTP, Telnet, etc., before I could actually launch attacks against them; this was time consuming, so I decided not to go that far. I still managed to log a lot of attacks launched by other people from the network and the Internet: as they passed through the network line, the IDS caught them, raised an alert and logged it.
Conclusion
Attackers are getting more knowledgeable day by day and are developing easy-to-use attack tools that are readily available on the Internet; script kiddies can download them and exploit vulnerable computers without knowing what the tool does, costing companies millions. Security teams work hard to defeat the attackers and their attacks. Companies deploy several techniques on the network to strengthen their security and to keep crackers away from their mission-critical systems. To read an attacker's mind one has to think like them. To better understand how an attack can be detected and then prevented, it is good to have some idea of how it is done in the first place. We have learned how different attacks can compromise a system.
Intrusions can only be prevented if they are detected, so we need a system that detects the intrusion and creates some sort of log for later review. With this, the network manager and administrator can modify the security policies and configure the firewall and mission-critical servers according to the available information. Intrusion Detection Systems (IDS) are programs intended to detect intrusion, misuse and abnormal behavior. By deploying them in the proper place we can detect most attacks and take appropriate action against them.
Snort is a public domain program available freely to everyone. Snort uses signatures to detect malicious packets and also does protocol analysis to detect new attacks. Signatures are updated and created almost daily, as new attacks are born every day and night. Detection alone is not enough, as it takes time for the administrator and manager to prevent the attacks by configuring the firewall.
Intrusion Prevention Systems (IPS) not only detect attacks but also prevent them by denying them. These systems are now getting more popular, as they automatically take care of intrusions without the help of an administrator. Research is going on into more expert and intelligent systems that could recognize an attack immediately and respond to it in the way that is best and safest.
References
[1] Computer Emergency Response Team (CERT) http://www.cert.org/stats/cert_stats.html Saturday, March 5, 2004. 3:00 PM.
[2] J.Postel, "Transmission Control Protocol (TCP) - DARPA Internet Program Protocol Specification" RFC 793, USC/Information Sciences Institute, September 1981
http://www.faqs.org/rfcs/rfc793.html
[3] Cisco "Protocol Brief: TCP/IP", January 20, 1995
http://www.cisco.com/warp/public/cc/techno/protocol/iprout/tech/tcpip_pc.htm
[4] T.Socolofsky, C.Kale "A TCP/IP Tutorial" RFC 1180 January 1991
http://www.faqs.org/rfcs/rfc1180.html
[5] Martin R. Arick "The TCP/IP Companion A Guide for the Common User"
[6] Ed Skoudis, "Counter Hack A step by step guide to computer attacks and effective defenses", Prentice Hall PTR, 2002.
[7] J.Postel, "Internet Protocol - DARPA Internet Program Protocol Specification"RFC 791, USC/Information Sciences Institute, September 1981.
http://www.faqs.org/rfcs/rfc791.html
[8] Joel Scambray, Stuart McClure "Hacking Exposed Windows 2000: Network Security Secrets & Solution" Osborne/McGraw-Hill 2001
[9] Symantec Enterprise Security "Intrusion Detection Systems: Reducing network security risk", 2003
www.igov.com/vendor/symantec/IDS_risk.pdf
[10] Michael T.Raggo, VeriSign "Hacking and Network Defense"
www.atapusa.org/downloads/hacking.pdf
[11] Marco de Vivo, Gabriela O. de Vivo, Roberto Koeneke, Germinal "Internet Vulnerabilities related to TCP/IP and T/TCP"
www.acm.org/sigcomm/ccr/archive/1999/jan99/ccr-9901-devivo.pdf
[12] Sumit Dhar, "Sniffers: Basics and Detection (version 1.0-1)", Information Security Management Team
www.rootshell.be/~dhar/downloads/Sniffers.pdf
[13] Ryan Spangler, "Packet Sniffing on Layer 2 Switched Local Area Networks", Packetwatch Research, December 2003.
http://www.packetwatch.net
[14] Victor Velasco, "Introduction to IP Spoofing", SANS Institute, 2003
http://www.sans.org/rr/catindex.php?cat_id=60
[15] Doug Sax, "DNS Spoofing (Malicious Cache Poisoning)", SANS Institute, 2002.
www.giac.org/practical/gsec/Doug_Sax_GSEC.pdf
[16] Neil B.Riser, "Spoofing: An overview of some the Current Spoofing Threats", SANS Institute, 2001.
http://www.sans.org/rr/catindex.php?cat_id=60
[17] B. Harris, R. Hunt, "TCP/IP security threats and attack methods", Computer Communications, 1999.
http://ibm.tju.edu.cn/resource/nids/group4/resource/TCPIPsecuritythreatandattacks.pdf
[18] Christos Douligeris, Aikaterini Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art", Computer Networks, 2003
www.sciencedirect.com
[19] SonicWall, Inc. "Denial of Service Attacks: An Emerging Vulnerability for the "Connected" Network"
http://www.uktsupport.co.uk/reference/dos_attacks.pdf
[20] Paul J. Criscuolo, "Distributed Denial of Service: Trin00, Tribe Flood Network, Tribe Flood Network 2000, And Stacheldraht", Department of Energy, Computer Incident Advisory Capability (CIAC), 2000.
http://www.ciac.org/ciac/documents/CIAC-2319_Distributed_Denial_of_Service.pdf
[21] Jelena Mirkovic, "D-WARD: DDos Network Attack Recognition and Defense", Ph.D. Dissertation Prospectus, 2002.
http://www.lasr.cs.ucla.edu/ddos/
[22] Bill Coffin, "It Takes a Thief: Ethical Hackers Test Your Defenses", Risk Management Magazine, 2003.
www.rmmag.com
[23] Sarah Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics", 2001
www.securityfocus.com/infocus/1527
[24] Aaron Dolan, "Social Engineering", GSEC option 1 version 1.4b, SANS Institute, 2004.
http://www.giac.org/practical/GSEC/Aaron_Dolan_GSEC.pdf
[25] Radha Gulati, "The Threat of Social Engineering and Your Defense Against It", GIAC Security Essentials (GSEC) Certification Practical Assignment, Version 1.4b - Option 1, SANS Institute, 2003.
http://www.sans.org/rr/catindex.php?cat_id=51
[26] www.searchSecurity.com 10, March 2004.
[27] "I-LOVE-YOU: Viruses, Trojan Horses and Worms"
http://www.mpip-mainz.mpg.de/~bluemler/extra/teaching/virus.pdf
[28] "Protect Your Computer from Viruses, Worms & Trojan Horses", New York University, Information Technology Services, 2004.
http://www.nyu.edu/its/
[29] Pierre Alain Fayolle, Vincent Glaume, "A Buffer Overflow Study: Attacks & Defenses",
http://www.linuxsecurity.com/articles/projects_article-4688.html
[30] Michael Legary, "Understanding Technical Vulnerabilities: Buffer Overflow Attacks", Seccuris, 2003.
http://www.seccuris.com
[31] Kelvin Wong, "Implementing Security: Introduction to Hacking Methods and Ways of Counter-Measure", Written specifically for Swinburne University TAFE, Technical User & Support lecture, 2001.
http://www.security.iia.net.au/downloads/new-lec.pdf
[32] Dr Fengmin Gong "Next Generation Intrusion Detection Systems (IDS)", McAfee Network Security Technologies Group November 2003
http://www.axial.co.uk/mcafee/wp_intruvertnextgenerationids.pdf
[33] Corbin Del Carlo "Intrusion detection evasion: How attackers get past the burglar alarm" SANS Institute 2003
www.sans.org/rr/papers/30/1284.pdf
[34] Qi Zhang, Ramaprabhi Janakiraman "Indra: A Distributed Approach to Network Intrusion Detection and Prevention"
cse.seas.wustl.edu/techreportfiles/getreport.asp?24
[35] Andy Cuff "Intrusion Detection Terminology (Part Two)" September 24, 2003
http://www.securityfocus.com/infocus/1733
[36] Paul E. Proctor, "Practical Intrusion Detection Handbook", Prentice Hall PTR, 2001.
[37] ISS (Internet Security Systems), "Network vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology" 2 October 1998
http://www.isskk.co.jp/customer_care/resource_center/whitepapers/nvh_ids.pdf
[38] John McHugh, Alan Christie, and Julia Allen "Defending Yourself: The Role of Intrusion Detection System" CERT Coordination Center September/October 2000
www.cert.org/archive/pdf/IEEE_IDS.pdf
[39] Terry Escamilla, "Intrusion Detection: Network Security Beyond the Firewall", John Wiley & Sons, Inc. 1998.
[40] NetScreen Technologies Inc. "Intrusion Detection and Prevention: Protecting Your Network from Attacks" 2002
http://www.sss.co.nz/pdfs/netscreen/netscreen_intrusion_detection_prevention.pdf
[41] Rebecca Bace and Peter Mell, "Intrusion Detection Systems" NIST Special Publication on Intrusion Detection System, 2001.
http://www.securityfocus.com/library/3535
[42] Q.o.D, "A look into IDS/Snort: part 1" January, 2004
http://www.antionline.com/showthread.php?s=&threadid=252880
[43] Q.o.D, "A look into IDS/Snort: part 2" January, 2004
[44] Roberto Nibali, "Introduction to network-Based Intrusion Detection Systems Using Snort"
http://www.dsinet.org/textfiles/ids/network_ids_with_snort.html
[45] Tomas Singliar, "Learning to Detect Intrusions" 2004.
[46] Amruta Inamdar, "Intrusion Detection Systems and a Case Study of SNORT" 2003
[47] Sourcefire Inc. http://www.sourcefire.com/ 10 April, 2004.
[48] Martin Roesch, "Snort - Lightweight Intrusion Detection for Networks" Stanford Telecommunications, Inc.
[49] Jon Bull, "Snort's Place in a Windows 2000 Environment", May, 2001
[50] James Kipp, "Using Snort as an IDS and Network Monitor in Linux" version 1.2 e.
[51] Argus Network Security Services Inc. http://www.argusnetsec.com 15 April, 2004.
[52] Frank Neugebauer, "Argus - a completely working Snort IDS system with Mandrake 9.1 or Red Hat 9.0 in less than 5 minutes" October, 2003. http://www.linux-tip.net
[53] Dave Wreski, Christopher Pallack, "Network Intrusion Detection Using Snort," June, 2000.
http://www.linuxsecurity.com/feature_stories/feature_story-49.html
[54] Network Flight Recorder www.nfr.com 20 April, 2004.
[55] Neil Desai, "Intrusion Prevention system: the next step in the evolution of IDS" Security Focus, Feb, 2003.
http://www.securityfocus.com/infocus/1670
[56] Christina Neal, "Snort Install on win2000/XP with ACID, and MySQL", Version 1.3 GSEC, SANS Institute 2002.
[57] Dale Coddington, "Snort Installation and basic Usage Part One", July 2000.
[58] Pete Lindstrom, "Intrusion Prevention systems: Next generation Firewalls", A Spire Research Report - March 2004. www.spiresecurity.com
[59] Vijayan, Jaikumar. "Intrusion prevention touted over detection"
[60] Tom Ginn, "Intrusion Prevention: Taking IDS to the Next Step" SANS GIAC GSAE Assignment # 1 Option # 1, SANS Institute, August, 2003.
[61] Top Layer, "Beyond IDS: Essentials of network Intrusion Prevention", November 2002. www.TopLayer.com
[62] The Honeynet Project, http://www.honeynet.org, accessed 15.May, 2004
[63] L. Spitzner, "The Honeynet Project: Trapping the Hackers", Security & Privacy - IEEE Computer Magazine, Vol. 1, pp. 15-23, March/April
[64] Lance Spitzner, "To Build A Honeynet", March, 2000 http://www.first.org/events/progconf/2000/D3-09.pdf
[65] R. Shirey, "Internet Security Glossary", RFC 2828, GTE/BBN Technologies, May 2000.
http://www.ietf.org/rfc/rfc2828.txt?number=2828
[66] Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel, Ed Stoner, "State of the Practice of Intrusion Detection Technologies" Carnegie Mellon, Software Engineering Institute, Pittsburgh, January 2000.
[67] J. McHugh, "Intrusion and Intrusion Detection", International Journal of Information Security, Vol. 1, Is. 1, pp. 14-35, 2001
[68] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, "Web Spoofing: An Internet Con Game", Technical Report 540-96 (revised Feb. 1997), Department of Computer Science, Princeton University
[69] Anonymous, "Intrusion Detection System: Definition, Need and Challenges", SANS Institute 2001.
http://www.sans.org/rr/papers/30/343.pdf
[70] William Stallings, "Cryptography and Network Security: Principles and Practice", second edition, Prentice Hall International, Inc.
[71] Martin W. Murhammer, Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, David H. Wood, "TCP/IP Tutorial and Technical Overview", IBM Corporation, International Technical Support Organization, October 1998.
http://www.redbooks.ibm.com
[72] Anonymous, "Snort Users Manual 2.1.1", February 2004.
[73] Snort, the open source network intrusion detection system, http://www.snort.org.
[74] Kecia Gubbels, "Hands in the Honeypot", GSEC, November, 2002.
[75] Cisco, "The Science of Intrusion Detection System Attack Identification", Cisco System, Inc. 2003.
[76] http://www.gnu.org/software/wget/wget.html
[77] http://www.tenmax.com/teleport/home.htm
[78] InterNic www.internic.net/whois.html
[79] RIPE NCC at www.ripe.net
[80] APNIC at www.apnic.net
[81] spade www.samspade.org
[82] Netscan tools http://www.netscantools.com
[83] VisualRoute http://www.visualroute.com
[84] NeoTrace http://www.neotrace.com
[85] Cheops www.marko.net/cheops
Role of IDS (Intrusion Detection System) in Detection and Prevention from Computer and Network Attack
Faisal Khalid 0222493
MSc Internet Engineering