Host-Based Intrusion Detection Systems

Host-based intrusion detection systems (HIDSs) are applications that operate on information collected from individual computer systems. This vantage point allows an HIDS to analyze activities on the host it monitors at a high level of detail; it can often determine which processes and/or users are involved in malicious activities. Furthermore, unlike NIDSs, HIDSs are privy to the outcome of an attempted attack since they can directly access and monitor the data files and system processes targeted by these attacks.

Tripwire (the reference model for many of the follow-on HIDSs). Tripwire operates on MD5 hashes of critical system files, as defined by the system administrator. It is one model for host-based intrusion detection—like the secret agent trick of putting a hair on the doorknob, it lets you know if somebody’s been changing things inside your system—but only after this occurs.

Alternatively, HIDSs can utilize information sources of two types, operating system audit trails, and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. System logs are much less obtuse and much smaller than audit trails, and are normally far easier to comprehend.

Most HIDS software, like Tripwire, establishes a “digital inventory” of files and their attributes in a known state, and uses that inventory as a baseline for monitoring any system changes. The “inventory” is usually a file containing MD5 checksums for individual files and directories. This must be stored offline on a secured, read-only medium that is not available to an attacker. On a server with no read-only media (a blade server, for example), one method to accomplish this is to store the statically compiled intrusion detection application and its data files on a remote computer. When you wish to run an HIDS report, SCP (secure copy) the remote files to /tmp (or its equivalent) on the target server and run them from there. When you modify any files on the server, rerun the application, and make a new data set, which should be stored on the remote computer.

HIDS surveillance is especially important on VoIP media, proxy, and registration servers and should be considered as part of the initial install package. Indeed, vendors such as Cisco are even making this part of the default installation. For instance, the Cisco Security Agent (CSA) comes with every Call Manager license, and Avaya Media Servers ship with a Web-enabled version of Tripwire installed and preconfigured.

The downside to HIDS use is that clever attackers who compromise a host can attack and subvert host-based HIDSs as well. HIDS can not prevent DoS attacks. Most significantly, a host-based IDS consumes processing time, storage, memory, and other resources on the hosts where such systems operate. HIDSs that operate in a client-server mode (most of them) can also add to network traffic congestion.

NIDS Limitations

NIDSs that rely upon signatures must constantly update the signature database. Obviously, pure signature matching NIDSs will not alert on attacks for which they have no signature. If signature definitions are too specific, signature-based IDSs may miss variations on known attacks. (A common technique for creating new attacks is to modify existing attacks.) Signature-based NIDSs can also impose noticeable performance problems on systems when numerous attack signatures are matched concurrently. Additionally, signature-based NIDS inspection can be evaded. Secure Networks showed in 1998 that attacks which exploit funda-mental TCP/IP problems—insertion, evasion, and Denial-of-Service attacks—are able to elude NIDS detection. Dan Kaminsky recently showed he could send a series of fragmented packets to a NIDS that, based on the time and the operating system platform that they arrive at, reassemble into an attack for that platform that is not recognized by the NIDS.

Honeypots and Honeynets

A honeypot is a computer system that is shielded from the Internet by a router or firewall that is transparent to an attacker. The honeypot masquerades as a normal undefended system, yet it logs every action taken against it and every operation that is performed on it. The goal of a honeypot operator is to lure an attacker into hacking the system in hopes of learning all of the details of the attack. A honeypot is a system designed to illustrate the methods used by black-hats to probe for, and exploit, a system. Honeynets are networks that contain at least one honeypot. Typically, honeynets present a virtual network complete with virtual services and applications that look to an attacker like a real network.

Honeypots and honeynets are learning tools, and can also be useful as canaries (canaries were used in mines to provide an early warning to miners if air conditions turned sour). Unlike NIDSs and HIDSs, where false positives are a common nuisance, honeypots and honeynets, if configured correctly, do not have a measurable false positive rate. Honeynets are often configured so that their IP space resides within unoccupied IP space in an organization’s internal network. In this configuration, anything that hits the honeynet is either an attack or a precursor to an attack since this IP space is supposedly unused. In its canary role, a honeynet can provide an early warning of a virus or worm attack.

Important NIDS Features

Let’s now discuss the important features of an NIDS.

Maintenance

Most NIDS systems support centralized installation, configuration, and updating since in an enterprise network a security administrator cannot physically access each sensor. In addition, most vendors support the automated download of signatures and software updates. Distribution and customization of the signature libraries and policies should be possible on a per-sensor basis and on a per-group basis (these groups should be defined by the security administrator) so the group signatures and policies do not have to be pushed to each sensor individually.

Communication between the IDS components (sensors and management console) should be encrypted using strong authentication (via key exchange or challenge). And as mentioned earlier, NIDS Ethernet interfaces should be stealthy Transmission of data via the sensing interface is prohibited, unless it is configured intentionally (TCP resets, which we discuss later in this chapter, may be an exception).

Alerting

The management console should be configurable to support alerting via a variety of mechanisms, including SNMP traps, e-mail alerts, pager messages, syslog messages, SMS (short message service), IM, and console alerts.

Logging

All alerts and header and payload data should be automatically stored in a central event database that is backed up regularly via SCP or other secure means.

Extensibility

The NIDS should support simple integration of additional vulnerability assessment tools such as Nmap or Nessus, and should provide support the correlation of data from other IDSs (for example, NIDS and HIDS).

Response

Some NIDS are able to actively respond to attacks or misuse by interfering with the particular message stream that generated the alert. This is normally accomplished via targeted TCP resets that eventually tear down the connection, or by dynamically altering firewall rules or Access Control Lists to block the connection. These active-response NIDSs are often referred to as intrusion prevention systems (IPSs).

Most administrators do not activate these features because of the risk of blocking normal traffic. Imagine that this functionality was enabled on a system directly connected to the Internet. A clever attacker could send traffic to an IPS with the source address spoofed to that of an upstream router, and designed to trigger the IDS. The resultant blocking of the upstream router could effectively remove the organization from the Internet. In a VoIP environment where availability is a key metric, IPSs are not recommended because of this potential to obstruct voice traffic.

Network Intrusion Detection Systems Placement

NIDSs should be located where they can most effectively monitor critical traffic. This doesn’t necessarily mean that NIDSs should be placed where they can monitor the mosttraffic. In Figure 1, an example network is diagrammed. This network consists of a single Internet connection, a DMZ (demilitarized zone), and three internal VLANs, configured for voice users, workstations, and servers. The circular network symbols signify routers or layer 3 switches, while the square network symbols signify layer 2 switches. The five NIDSs are shown as arrowed rectangular boxes.

 
Figure 1: NIDS Locations

In this figure, an NIDS is located on the external side of the firewall to monitor all inbound and outbound Internet traffic. NIDSs are located on internal layer 2 switches in the voice and server VLANs, and on the layer 3 switch that is used to truck these connections. An additional NIDS is situated in the DMZ. In this architecture, the NIDSs will have access to all the network traffic, but are they all really necessary?

Frankly, no. Several of the NIDSs are either redundant or will report so many events as to be meaningless. The external NIDS is unnecessary since it is exposed to the Internet. Even those of you with broadband connections realize that your single IP address is constantly bombarded with exploit probes and port scans. The following is a sample from 30 minutes of scans against a typical home system.

- # tail -f /var/log/messages | egrep -v "repeated"
Oct  3 00:27:33 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.193.208.77:2258 flags : 0x02
Oct  3 00:30:26 nsl /kernel: Connection attempt to TCP 192.168.20.20:901 from
211.172.40.72:4896 flags : 0x02 swat
Oct  3 00:30:27 nsl /kernel: Connection attempt to TCP 192.168.20.20:901 from
211.172.40.72:4896 flags : 0x02 swat
Oct  3 00:30:58 nsl /kernel: Connection attempt to TCP 192.168.20.20:445 from
83.37.160.160:3400 flags : 0x02
Oct  3 00:31:00 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.122.40:3829 flags : 0x02
Oct  3 00:31:01 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.122.40:3829 flags:0x02,
Oct  3 00:31:01 nsl /kernel: Connection attempt to TCP 192.168.20.20:445 from
83.37.160.160:3400 flags : 0x02
Oct  3 00:31:01 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.122.40:3829 flags : 0x02
Oct  3 00:31:43 nsl /kernel: Connection attempt to UDP 192.168.20.20:137 from
66.63.173.19:1316           netbios-ns
Oct  3 00:31:47 nsl /kernel: Connection attempt to UDP 192.168.20.20:137 from
66.63 .173.19:1316
Oct  3 00:31:54 nsl /kernel: Connection attempt to TCP 192.168.20.20:1433 from
212.33.102.36:2784 flags:0x02 mssql/slammer
Oct  3 00:32:03 nsl /kernel: Connection attempt to UDP 192.168.20.20:137 from
66.63.173.19:1316
Oct  3 00:32:27 nsl /kernel: Connection attempt to UDP 192.168.20.20:137 from
66.63.173.19:1316
Oct  3 00:33:01 nsl /kernel: Connection attempt to UDP 192.168.20.20:137 from
66.63.173.19:1316
Oct  3 00:43:18 nsl /kernel: Connection attempt to TCP 192.168.20.20:445 from
24.199.80.94:1831 flags : 0x02
Oct  3 00:47:55 nsl /kernel: Connection attempt to TCP 192.168.20.20:5000 from
24.84.67.76:4593 flags:0x02 UPnP backdoor
Oct  3 00:47:58 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.84.67.76:3254 flags : 0x02
Oct  3 00:48:50 nsl /kernel: Connection attempt to TCP 192.168.20.20:4899 from
69.60.111.98:1361 flags:0x02 Radmin exploit
Oct  3 00:49:26 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.105.227:3192 flags : 0x02
Oct  3 00:52:19 nsl /kernel: Connection attempt to TCP 192.168.20.20:5000 from
24.199.230.130:4456 flags : 0x02
Oct  3 00:52:22 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.230.130:4276 flags : 0x02
Oct  3 00:52:22 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.230.130:4276 flags : 0x02
Oct  3 00:55:37 nsl /kernel: Connection attempt to UDP 192.168.20.20:1029 from
203.21.20.30:30065 ICQNuke98
Oct  3 00:55:42 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.199.105.227:4103 flags : 0x02
Oct  3 00:56:17 nsl /kernel: Connection attempt to TCP 192.168.20.20:135 from
24.167.27.37:2995 flags : 0x02

As you can see, most of this traffic is the result of automated scanning by worms and viruses, or by simple automated scanning tools. In an enterprise environment, where IDS and log data accumulates in copious amounts, these external data can be ignored. It is more important to focus on the events that occur within the firewall perimeter.

The NIDS situated on the layer 2 switches can also be eliminated since this traffic can be monitored at the central layer 3 switch. In addition, the management connection passes through the firewall and may allow an attacker to piggyback into the network if the sensor is compromised. Although there are no hard and fast rules for deploying NIDS, most system administrators deploy them on uplinks and at devices where many VLANs are trunked so that the fewest number of NIDSs can monitor the most traffic. In our sample network, two NIDSs are suitable to monitor most of the network traffic—one NIDS in the DMZ, and one on the central layer 3 switch.

Note that on the layer 3 switch, there are two interesting and separate traffic flows—one on the uplink between the switch and the firewall, and one port that trunks inter VLAN traffic. The choice of how to monitor both traffic flows depends on how the switch-NIDS connection is configured. Two common methods for allowing NIDS access to network traffic are port mirroring (spanning) and the insertion of a tap (we recommend NetOptics taps because they have two power connections and a wide choice of physical interfaces; check them out at www.netoptics.com). Port mirroring, depending upon its configuration, can enable the NIDS to inspect all of the traffic traversing the switch, and is an inexpensive option. However, some vendor’s switches or OS revisions break when port mirroring is enabled. Be sure to check this with your vendor before connecting an NIDS. The second option, a network tap, is more expensive but offloads the mirroring to a separate device. In this simple example network setting, two network taps would have to be used to visualize all of the traffic—one on the uplink, and one on an inter VLAN port.