Toivo Talikka

Total Data Pty Ltd

Computer system installation, support and IT management consultancy

Forestville NSW Australia        tel 0410 532 923       email toivo@totaldata.biz


MANAGEMENT OF NETWORK-BASED INTRUSION DETECTION SYSTEMS (NIDS)

0 EXECUTIVE SUMMARY

[This research paper was produced as part of requirements of the postgraduate course "Management Issues in Telecommunications" at the Faculty of Business, University of Southern Queensland on 16/11/2001.]

The paper is an overview of the management options of current network-based intrusion detection systems (NIDS) and an analysis of the integration of NIDS with network management systems. The discussion of the management of NIDS and network management applications covers general functionality, available from research publications and the web sites of software manufacturers. 

Since 1999, standardisation has taken place in the intrusion detection message formats.   In addition to standardised intrusion event messages, the SNMP network management protocol has provided the framework for a successful prototype using a central console of a network management system.  The Tivoli Enterprise Console (TEC) is connected via an aggregation and correlation component (ACC) to NIDS systems or 'probes' from two different manufacturers. Techniques like filtering and correlation based on similarity of events make the alerts and reporting presented to a network administrator and security officer more meaningful.

The recent standards are also behind the considerable integration capability of the new  Intrusion Vision 'Meta-IDS' product from Motorola.  Intrusion Vision supports integrated reporting from five different intrusion detection systems.   The CITRA project has shown great promise in their architecture for automatic response to Distributed Denial of Service attacks.

Future research work is recommended in the area of performance improvements in the link between NIDS and the network management system.  Another research area is the interoperability of NIDS systems with central intrusion detection organisations so that a coordinated, timely response to large scale attacks can be automated.

TABLE OF CONTENTS

0 EXECUTIVE SUMMARY

1 INTRODUCTION

2 BACKGROUND AND SIGNIFICANCE

3 RESEARCH OBJECTIVES AND METHODOLOGY

4 CHALLENGES AND OPPORTUNITIES

4.1 Recommendations in 1999

4.2 Certification of Intrusion Detection Systems

5 NIDS AND NETWORK MANAGEMENT

5.1 Categories and Components of IDS

5.2 Network-Based IDS

5.3 Security of Network-Based IDS

5.4 Network Management Products

5.5 Meta-IDS

5.6 Management of Network-Based IDS

5.7 Managed Security Services

6 RECENT DIRECTIONS IN RESEARCH

6.1 Defence against Denial of Service

6.2 Intrusion Tolerant Systems

6.3 IDS And Network Management Systems

7 CONCLUSION AND RECOMMENDATIONS

8 GLOSSARY OF ABBREVIATIONS

9 REFERENCES

APPENDIX 1 SecureNet Pro Overview

APPENDIX 2 Cisco Product Line

APPENDIX 3 NetSTAT

APPENDIX 4 Tivoli and IDS

APPENDIX 5 Microsoft Security Tools

APPENDIX 6 Motorola Intrusion Vision

1 INTRODUCTION

Intrusion attempts and attacks from the Internet are a reality.  Last year a statement by representatives of a number of security companies and U.S. universities, all involved in research on computer security, highlighted several worldwide trends in the Internet and factors leading to attacks against Web sites and corporate networks.  The main reasons are the availability of attack tools in the open source environment and the production of insecure software applications, leading to the installation of large numbers of systems with weak security.  Because servers with weak security and hardly any protection are connected to the Internet, they can be compromised and made agents or handlers in large-scale hacker attacks against corporate servers and networks.  The average level of technical competence of system administrators in companies has decreased.  At the same time, the number of 'directly connected homes, schools, libraries and other venues without trained system administration and security staff' has increased, allowing hackers to set up their Distributed Denial of Service clusters of masters and Trojan horse agents largely undisturbed.  Because of the lack of support from international law, the hacker is often not at risk of getting caught (Pethia et al. 2000).

Companies are well advised to deploy anti-virus and firewall systems and to implement tight security policies.  However, the fact that a company has security policies in place and a firewall installed to protect the network from attacks from the Internet is no guarantee of security.  Intrusion, Inc. claims in its white paper that 'The majority of damaging attacks on the enterprise […] comply with the enterprise security policy.  These attacks succeed by simply exploiting loopholes in the current policy' (Intrusion, Inc. 2001, p. 2).  Therefore the network and the computers exposed to the Internet need to be constantly monitored by using an Intrusion Detection System (IDS).

In spite of the automation, management must make sure that the IT professionals protecting the company's network and server assets from intrusion attacks educate themselves continually in the evolving security disciplines and also maintain their practical hands-on specialist skills.

2 BACKGROUND AND SIGNIFICANCE

This paper provides an overview of the management options of current network-based intrusion detection systems (NIDS) and discusses the integration of NIDS with network management systems, based on a number of recent academic reports on intrusion detection systems and their management.  The emphasis is on the general architecture and the functions available for the management of network-based IDS, based on information from the Web sites of software manufacturers.  The selection process for NIDS, the management of IDS as part of the IT function, related risk and cost analysis, and the management of actual security policies and incident responses are beyond the scope of this paper.

Only a few years ago network management systems and related standards were at an early stage.  Cikoski and Whitehill (1993, p. 41) stated the following:

The ideal of true single-point integrated network management is as practical as any other proposed single-point solution to a complex combinatorial problem: it is unrealistic at best, impossible at worst.

In a coordinated Distributed Denial-of-Service (DDoS) attack a network can be targeted from dozens, hundreds or even thousands of computers sending packets meant to incapacitate servers and shut down the network's protection systems.  If the state of the art in network management was very much in doubt in 1993, does the more complex amalgamation of network and security technology of today - or the future - have any chance of protecting businesses against the ingenuity of the hacker community, the 'bad apples' of IT?  The purpose of this paper is to provide the answer.

3 RESEARCH OBJECTIVES AND METHODOLOGY

In 1999, Allen, Christie and others at the Software Engineering Institute of Carnegie-Mellon University produced a report on the state of intrusion detection systems.  This report expresses concern that intrusion detection tools are deployed before they are fully understood: 'Over-reliance on ID technologies can create a false sense of confidence about the degree to which tools are detecting intrusions against an organization's critical assets' (Allen et al. 1999, p. vii).  This is especially true when protecting local area and wide area networks connected to the Internet, rather than just individual host computers.  Full understanding of intrusion detection means understanding the function of network protocols and operating systems, the nature of intrusions, how intrusion detection systems detect and process possible intrusion attacks, and how the reporting from intrusion detection applications should happen in the network environment.  Corporate networks not only provide people in geographically dispersed offices with connectivity to distribute information; the business depends on the networks as a critical resource.  An important part of the mission of an effective IT department is to protect the corporate network from intrusions and Denial-of-Service attacks.

The purpose of the research into the management of network-based intrusion detection systems in this paper is to gain an understanding of the level of functionality already achieved and of the future potential in the integration of network-based intrusion detection systems and network management systems.  Internet security is a highly specialised and constantly expanding area of Information Technology, covering communication protocols and operating systems.  The same can be said about networking in general and network management in particular.  Bringing these two closely related areas of specialisation together into an integrated application architecture presents a particularly challenging task for any academic or IT development team.

The recommendations presented in the comprehensive report by Allen et al. (1999) are the starting point of the discussion in this paper. 

4 CHALLENGES AND OPPORTUNITIES

4.1 Recommendations in 1999

One of the failures of IDS in the past has been the large number of false positives, or unnecessary alarms.  Allen et al. not only reprimand commercial vendors for slack testing of the IDS, but also recommend further research and development: 'ID systems research has most recently focused on architectural issues, autonomous response, and other "advanced" issues at the expense of addressing how to more accurately detect and diagnose attacks' (Allen et al. 1999, pp. 103-4).

Allen et al. recommend a number of actions to systems and network administrators.  The NIDS should be placed both outside and inside the firewall.  The signatures deployed should be tailored so that they are relevant to the organisation, reducing the chance of false positives.  It is recommended that trends be inspected first, before individual alerts.  The IDS should highlight the trends in graphical form (pp. 105-6).

Recommendations for vendors include more cooperation in creating and supporting open source signatures, following the example of two products, NFR (Network Flight Recorder) and Snort.  Disclosure of signatures would also encourage more meaningful 'white box' testing.  The signatures and the attacks they detect should be categorised by the level of confidence with which they are meant to report the particular intrusion.

The report also recommended that the data sources in network intrusion detection, in addition to pattern matching, be integrated.  The integration of both network- and host-based products, even products from different vendors, was also promoted:

In summary, the future of ID technology is not in new, broad-spectrum sensor development but in more rigorous testing of signatures, reducing false alarm rates, developing lightweight sensors targeted at specific threats, providing improved management and user interface capabilities, and effectively integrating the results of network- and host-based ID sensors within a single vendor tool suite and among tools from different vendors.

(Allen et al. 1999, p. 109)

The report recommended that the research community develop better methods of generating test data.  It was also considered important that the human analysis of ID data be supported and that the way humans analyse intrusions be built into the IDS (Allen et al. 1999, p. 110).

4.2 Certification of Intrusion Detection Systems

The report by Allen, Christie and others (1999) pointed out that commercial ID systems had not been comprehensively tested.  They recommended that an independent third party organisation be set up to test new products or upgrades to existing products (Allen et al. 1999, p. 103).  The same report compared the ID industry to the relatively mature anti-virus industry, where anomalies are also detected based on 'signatures' in different operating environments (p. 107).

ICSA Labs, part of the TruSecure Corporation, had already for several years tested and certified anti-virus products and more recently also firewall systems.  ICSA established an IDS vendors' consortium, the IDSC, in 1998.  The purpose of the consortium is to promote standards and vendor co-operation.

ICSA published an IDS buyer's guide at the end of 1999.  The ICSA buyer's guide contains advice about incident responses, including legal requirements (ICSA 1999, pp. 8-12).  ICSA expands the concept of an intrusion detection system, with emphasis not only on 'intrusion detection' but also on 'system', by including in its classification, in addition to Network-based IDS and Host-based IDS, components like File Integrity Checker, Network Vulnerability Scanner and Host Vulnerability Scanner.  The ICSA guide is very helpful for a non-expert organisation because it contains decision tree diagrams to assist in selecting the right type of system (ICSA 1999, pp. 28-30).

ICSA started testing intrusion detection systems in August 2001.  The certification program will test the performance of the IDS in the following key areas:

- Detection of events which are meaningful at the present time

- Restriction of false-positive alarm events to a reasonable threshold

- Logging of events in a consistent and useful manner

- Performance in voluminous traffic environments

(ICSA 2001)

It will be interesting to see how the commercial IDS systems measure up once the first test results from intrusion detection systems have been published. 

5 NIDS AND NETWORK MANAGEMENT

5.1 Categories and Components of IDS

A white paper published by a software manufacturer, Intrusion, Inc., categorises intrusion detection systems (IDS), based on the scope of the monitoring:

- Network-based Intrusion Detection Systems (NIDS) monitor all network traffic

- Host-based Intrusion Detection Systems (HIDS) monitor files, logs and the registry of a host server, based on the security policy set for the host.  HIDS includes a variant, Centralised Host-based Intrusion Detection Systems (CHIDS), where the analysis is not done on the host but on a specialised workstation.  This increases security but uses more network bandwidth.

- Hybrid Intrusion Detection Systems, monitoring the network traffic to and from one computer.

The components of the NIDS architecture are:

- Sensor - or probe, a dedicated PC or appliance, collects information from the network traffic and reports findings to a central manager

- Agent - software running on host computers, detects breaches of security policy from file access and security logs and reports to a central manager

- Hybrid agent - a combination of sensor and agent, collects information from network traffic addressed to a particular host

- Collector - a dumb application collecting log, registry and file information and forwarding it on to a central manager, in a centralised host-based intrusion detection system

- Manager - application accepting the input from the sensors, agents and collectors, runs in a secure environment and provides a GUI console interface

(Intrusion, Inc. 2001c, pp. 3-4)

5.2 Network-Based IDS

A network-based intrusion detection system (NIDS) monitors network traffic from a separate device.  The architecture of a NIDS solution depends on how many hosts it is designed to monitor.  In small networks a stand-alone 'pizza box' appliance is sufficient, while larger networks rely on separate agents and one or more management consoles in a network operations centre (NOC).  The agent devices are connected to the networks in different geographical locations in a wide area network (WAN).

The architecture of the NetSTAT system is an example of how the agents or probes are placed at the periphery of the network, recording traffic from the Internet, and in different network segments inside the network (Appendix 3).  The central system collects information from the agents and compares the traffic to its database of attack signatures.  This database consists of patterns of packets and their contents.

The difficulty of tracking transactions in a fast network with encrypted traffic has in the past led to the development of hybrid IDS.  The white paper from Intrusion, Inc. refers to the problem caused by encryption of traffic and mentions a system where network administrators are able to check the traffic in spite of encryption: 'Best-of-class NIDS track conversations, called state-based inspections, and fully decode protocols to expose network datagrams […]'.  The same paper also refers to future networks where all traffic will be encrypted but the security professionals will have a 'master key' to do auditing and intrusion detection (Intrusion, Inc. 2001, pp. 4-5).

The paper by Sterne and others (2001, p. 134) presented in October 2001 at the Fourth International Symposium on Recent Advances in Intrusion Detection states that, in spite of a couple of exceptions,

[…]the current state of practice relies primarily on expert-labor-intensive manual procedures by network administrators.  These procedures consist primarily of two activities:

The paper goes on to describe how the network administrators contact the administrator of the upstream network, usually the Internet Service Provider (ISP), who will then go through the same operations and escalate the problem until 'either 1) the flood source is identified and extinguished, or  2) no further upstream cooperation can be obtained'.

5.3 Security of Network-Based IDS

A critical application like a NIDS must be free from tampering at all times.  Several techniques can be used, including keeping the signature database on read-only media such as CD-ROM and regularly verifying the file checksums of the operating system and the application.  An effective strategy to protect the NIDS is to make sure that the NIDS server does not participate in the network traffic on its own, i.e. to hide the NIDS server from the rest of the network.
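The checksum check mentioned above can be done with a baseline taken at installation time and compared against the live files on a schedule. The following is an added example, not code from the paper or from any NIDS product; the directory layout, file names and the SHA-256 choice are assumptions for the demonstration.

```python
"""Baseline-and-verify file integrity check for a NIDS installation.

Added example: models the regular file checksum check of the NIDS
operating system, application and signature database described in
section 5.3.  The directory layout and file names are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its SHA-256 digest.

    In practice the baseline itself belongs on read-only media (the paper
    suggests CD-ROM), so that an intruder who alters the protected files
    cannot rewrite the baseline to match.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree against the baseline.

    Returns sorted lists of 'modified', 'missing' and 'added' relative
    paths; all three empty means the installation is intact.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed NIDS tree, baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample installation: a sensor binary, its config
        # and one signature file.
        files = {
            "bin/nids-sensor": b"placeholder sensor binary\n",
            "etc/nids.conf": b"console = 10.0.0.5\nmode = passive\n",
            "signatures/web.sig": b"signature: web-server probe\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        clean = verify(root, baseline)

        # Simulated tampering: a signature file is altered, the config
        # is deleted and an unexpected binary appears.
        with open(os.path.join(root, "signatures/web.sig"), "ab") as fh:
            fh.write(b"# signature disabled\n")
        os.remove(os.path.join(root, "etc/nids.conf"))
        with open(os.path.join(root, "bin/unexpected"), "wb") as fh:
            fh.write(b"not part of the install\n")
        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean)
    print("after tampering:", tampered)
```

A real deployment would run verify() from a scheduled job with the baseline read from the write-protected medium, and raise an alert on any non-empty list.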

Ng proposes a receive-only UTP cable connection to achieve invisibility in the network while the IDS device is monitoring the network traffic.  The NIDS server cannot send any packets to the network and is therefore invisible to the rest of the network devices (Ng 2001).  However, normally it is necessary to connect the NIDS device to a secondary, protected network so that the NIDS devices can exchange information with the management console application.  Network switches and routers allow configurations where secondary networks are set up so that their traffic is not visible to the main network.

In any network, especially in high security environments, it is important that access to the administration functions of the switches and routers is strictly limited.  Cisco switches can limit the administrator access to certain physical ports only.  The administrator access includes the Command Line Interface (CLI) through a Telnet session and attaching a PC as the system console to the device.  Cisco switches can send network alerts and other messages as a part of an SNMP community in the network.

It is important that the IDS does not accept commands to alter its mode of operation or configuration, e.g. shutdown, without authenticating the user (Bace 1999, p. 30).  Smartcards provide extra security when used with authentication systems, instead of passwords on their own.  The intrusion detection and network management systems are themselves often targets of intrusion attacks.  The security of the communication channels used by the IDS is therefore critical.  If anyone is monitoring the network traffic, SNMP messages in readable format can provide an important source of information about the computers in the network.  Version 3 of the SNMP protocol encrypts the traffic used for user authentication and network management and therefore gives further protection to the NIDS.

5.4 Network Management Products

The purpose of a network management product is to consolidate the information and alert messages in the system to the network operations centre (NOC), where specialist network administrators can monitor the network, its devices, servers and workstations and take appropriate action when something goes wrong.

An integrated network management system (INMS) uses element management systems (EMS), where a specialised application monitors one function, e.g. a router.  A collection of EMS modules passes their information and alert messages, the 'event message stream', to a presentation module (Cikoski and Whitehill 1993, p. 41).  Filtering, applied to the event message stream, reduces clutter on the operator screen and in reports.  A number of techniques can be used in the INMS to make the information more meaningful to the operator.  For example, recurring events from the same source are condensed to a single record with an attached count of occurrences.  Related events can be collapsed to one informative event, or disparate events can be correlated to allow either collapsing or further refinement of the event reporting (Cikoski & Whitehill 1993, p. 44).

5.5 Meta-IDS

Loshin presents the concept of Meta-IDS, 'a security console capable of keeping up with the reams of alert data flowing from host- and network-intrusion sensors' (Loshin 2001). The Meta-IDS is able to receive data from devices from different vendors and provide timely alerts to network management staff.  The IETF intrusion detection standards will allow the exchange of information between IDS systems and the IDS system and the management console (IETF 2001).

Motorola's Intrusion Vision (IV) product was released in the middle of this year.  It supports the following IDS applications:

The IV product has a distinctive circular graphic on the screen, where the severity of the attack determines its location in one of the concentric circles (Appendix 6).  Drill-down functions are provided to find out more about the event history and to analyse the raw data, if required.  A GUI allows the security officer to configure the system to respond to combinations of alerts, and this allows the handling of lower-level security incidents by 'less experienced staff' (Motorola 2001).

5.6 Management of Network-Based IDS

Before looking at the management options of NIDS, the prerequisites for effective management of intrusion detection in a corporate network need to be in place.  An intrusion detection system cannot be effective unless the company's security policies and procedures are defined and followed in practice.  An important part of the security policies is the maintenance of the company's network devices and servers at the latest software release and patch levels.

According to Higgins (1999, pp. 218-20), the security policy of the company will need to cover the gateway to the Internet, the internal network and the company's data files.  Higgins recommends that the policy be developed at Board of Directors and department levels, that strategic security objectives be considered, and that 'In many cases, the policy should include a forensic plan, and thresholds of loss or crime that would trigger a call to law enforcement'.  Standard policies of separation of duties, management of users' privileges and monitoring of event and security logs should be followed.

Higgins recommends regular testing of firewalls, regular updates to security products, routine audits and 'break-through trials […] using known hacking techniques to determine the network's vulnerabilities'. There are a number of products in the market capable of non-destructive scanning of open ports through the firewall. 

The recent high profile incidents, where tens of thousands of web servers became infected with intrusion agent software, were made possible because in a large number of Web server installations the system administrators had not applied the security patches published by Microsoft.  Higgins suggests running Web scanner applications to assess the vulnerability of the Web server and the operating system implementations.  There are also products to check for vulnerabilities in the Web server and other servers and workstations inside the network.  Cisco Secure Scanner is one of these products (Cisco 2001b).  Microsoft has released a number of free tools in the last three months to assist system administrators in closing loopholes in Windows-based Web and other servers (Appendix 5).

5.7 Managed Security Services

A managed security service usually consists of a managed firewall service, which can also include a level of redundancy: two firewall devices can be interlinked so that an automatic fail-over happens should the main firewall fail.  Intrusion detection provided by a managed solution is complemented by remote scanning, anti-virus and web filtering functions (Internet Systems Security 2001).

The benefits of managed services are round-the-clock coverage and access to qualified staff to attend to emergencies, compared to the practices and level of staff in an average small to medium size enterprise.  Managed Security Service Providers (MSSPs) provide the installation of the hardware and the software, monitoring and administration of incidents, and possible forensic analysis (Lopez-Wilkin 2001).

Sterne et al. (2001, p. 147) mention two service providers, Arbor Networks and ManHunt, who offer a managed service to monitor router traffic for symptoms of DDoS.  When run in an ISP environment, these systems recommend actions like packet filtering or rate limiting rules to the administrator of the router, to reduce the severity of the attack or stop it completely.  The solutions mentioned by Sterne et al. are proprietary, which limits their usability.

6 RECENT DIRECTIONS IN RESEARCH

6.1 Defence against Denial of Service

Last year the SANS Institute, in co-operation with the CERT/CC of Carnegie-Mellon University and Purdue University, published a paper outlining strategies of defence against Distributed Denial of Service (DDoS) attacks.  They gave a number of recommendations for directions of research.  Some of the recommendations involve a number of parties and require close cooperation and standardisation between them:

(Pethia, Paller & Spafford 2000, p.1)

Already in 1999, Allen et al. recommended more co-operation and standardisation between vendors of IDS.  The IETF has a working group, IDWG (Intrusion Detection Working Group), that has defined a standard format, the Intrusion Detection Message Exchange Format (IDMEF).  This format is based on Extensible Markup Language (XML), to enable communication between intrusion detection systems and between intrusion detection systems and management systems (IETF 2001).  The IDWG formats were used, and refined for the working group, in the project of Debar and Wespi (2001, pp. 88, 93).  Their project allowed the connection of IDS applications from two different manufacturers to an integrated reporting and alerting system.

Sterne and others describe their project, Cooperative Intrusion Traceback and Response Architecture (CITRA), developed in response to the DDoS toolkits available from early 2000.  These toolkits automated some of the functions that had previously been manual and time consuming and made the planning of coordinated DDoS attacks possible.  CITRA defines the Intruder Detection and Isolation Protocol (IDIP) as the infrastructure to allow 'intrusion detection systems (IDS), firewalls, routers, and other components to cooperatively trace and block network intrusions as close to their sources as possible' (Sterne et al. 2001, p. 135).  The CITRA project implemented a rate limiting function on Linux routers as an intrusion response.  CITRA policy mechanisms also direct CITRA-enabled firewalls or routers to block all packets from the intrusion source for a period of time.  These autonomous responses are designed to last a limited time, to allow legitimate network traffic (pp. 137-8).  Trials conducted in a test environment have been encouraging but are still preliminary (p. 145).  The CITRA architecture is being developed further to support 'cooperation among multiple CITRA communities according to business relationships' (p. 136).

6.2 Intrusion Tolerant Systems

Traditionally the management of security has meant prevention of intrusion attempts.  The ITTC (Intrusion Tolerance via Threshold Cryptography) project at Stanford University took a different approach: 'the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information' (Wu et al. 1999, p. 1).  This project addresses the important but narrow area of protecting cryptographic keys by splitting keys into components and storing the parts in three different servers.  The key can still be used without reconstructing it in a single location.  Therefore a possible Trojan horse program, planted by a hacker, will not be able to capture the private key of a Certification Authority or a Web server unless all three servers have been compromised.

The area where intrusion tolerant systems like ITTC can be applied is very specialised and the technology may not be applicable elsewhere without a considerable development effort.
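The point that a split key can be used without ever being reassembled can be shown with a 3-of-3 additive sharing of an RSA private exponent: each server applies its own share and the partial results are multiplied. This is an added illustration and not the ITTC project's own scheme (ITTC uses a t-out-of-n threshold scheme that tolerates missing servers); the RSA parameters are textbook toy values with no real security.

```python
"""Signing with an RSA private key that never exists in one place.

Added example for section 6.2: a 3-of-3 additive sharing of the private
exponent d.  Each server holds one share d_i with d_1 + d_2 + d_3 = d
(mod phi) and computes m^d_i; multiplying the partial results gives m^d
without any party ever holding d.  Toy RSA parameters, not for real use.
"""
import secrets

# Constructed toy RSA key: two small primes and the public exponent.
P, Q, E = 61, 53, 17
N = P * Q                 # public modulus (3233)
PHI = (P - 1) * (Q - 1)   # Euler's totient of N
D = pow(E, -1, PHI)       # private exponent (Python 3.8+ modular inverse)


def split_private_exponent(d, phi, servers=3):
    """Split d into `servers` random shares whose sum is d modulo phi.

    All shares but the last are uniformly random, so any proper subset
    of the shares is statistically independent of d: compromising one
    or two servers reveals nothing about the key.
    """
    shares = [secrets.randbelow(phi) for _ in range(servers - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares


def partial_signature(message, share, n):
    """What one server computes locally: m^share mod n."""
    return pow(message, share, n)


def combine_partials(partials, n):
    """Multiply the partial signatures: m^(d1+d2+d3) = m^d (mod n).

    The exponents sum to d plus a multiple of phi, which does not change
    the result modulo n, so the combiner needs no knowledge of d.
    """
    sig = 1
    for part in partials:
        sig = (sig * part) % n
    return sig


def threshold_sign(message, shares, n):
    """Full protocol: every server signs independently, then combine."""
    return combine_partials([partial_signature(message, s, n) for s in shares], n)


def verify(message, signature, e, n):
    """Ordinary RSA verification; only the public key (e, n) is needed."""
    return pow(signature, e, n) == message


if __name__ == "__main__":
    shares = split_private_exponent(D, PHI)
    m = 1234   # in real use, the hash of the message, reduced below N
    sig = threshold_sign(m, shares, N)
    print("shares held by the three servers:", shares)
    print("signature:", sig, "valid:", verify(m, sig, E, N))
```

With a 3-of-3 split the loss of any one server makes the key unusable, which is why ITTC uses a threshold scheme instead; the confidentiality argument, however, is the same.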


6.3 IDS And Network Management Systems

Debar and Wespi connected network-based intrusion detection systems to IBM's Tivoli Enterprise Console, part of a network management system.  The purpose of their work was to address weaknesses in intrusion detection: firstly, to achieve a reduction in the number of messages 'that flood an intrusion-detection system with unrelated alerts, carrying an effective denial-of-service attack against the operator […]'.  Secondly, systems need to support the operators in logically grouping related incidents.  Thirdly, false alerts need to be avoided, if possible; this includes both false positives and false negatives.  Last, the concept of deploying a large-scale NIDS needed a new architecture (Debar & Wespi 2001, pp. 85-6).

The architecture of Debar and Wespi's system in Appendix 4 shows how different software applications and network devices, the probes, have been integrated into a NIDS working under a network management system.  Non-Tivoli-aware probes can be connected to the system by using probe-specific pre-adapters.  The probes need to be synchronised because a unified time base is needed for alerts (p. 96).

Intrusion detection probes feed information into aggregation and correlation components (ACC).  A number of ACC applications can work together in a tree structure.

'The purpose of the ACC is to correlate the output of several probes and give the operator a condensed view of the reported security issues' (Debar & Wespi 2001, p. 86).  Alerts to the ACC are sent in the standard IDWG message exchange format (IETF 2001).

According to Debar and Wespi, their ACC can detect authorised security scans, assuming that these scans are done from the same machine.  As far as other intrusion attacks are concerned, their ACC 'has the potential and the mechanisms to enable automatic countermeasures'.  However, they also warn about the danger of triggering denial-of-service attacks (Debar & Wespi 2001, pp. 90, 100).

A common problem in managing the alerts generated by NIDS is the flooding of the console with messages of secondary importance.  Debar and Wespi define aggregated intrusion-detection events as 'situations' - 'a set of alerts that have certain characteristics in common' (Debar & Wespi 2001, p. 99).  Valdes and Skinner (2001) have developed a mathematical system to correlate alerts so that the reports and screen summaries presented to the security officer are meaningful.
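The event-stream techniques of section 5.4 (condensing repeats into one record with a count) and the ACC behaviour of this section (correlating alerts from several probes into situations, recognising an authorised scanner) can be shown together on a small alert stream. The following is an added example and not Debar and Wespi's code; the alert messages are constructed, their element names follow the IDMEF data model (Alert, Analyzer, CreateTime, Source, Target, Classification) in simplified form, and the probe names, addresses and classifications are fictitious.

```python
"""Aggregation and correlation of NIDS alerts into 'situations'.

Added example for sections 5.4 and 6.3.  IDMEF-style alert messages
from two probes of different makes are parsed, identical repeats are
condensed into one record with a count, and the records are grouped
into situations (alerts sharing a classification and source), with a
known vulnerability scanner labelled as an authorised scan.
"""
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}

# Constructed alert template in the style of IDMEF (addresses simplified).
ALERT_TEMPLATE = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
 <Alert messageid="{id}">
  <Analyzer analyzerid="{analyzer}"/>
  <CreateTime>{time}</CreateTime>
  <Source><Node><Address><address>{src}</address></Address></Node></Source>
  <Target><Node><Address><address>{dst}</address></Address></Node></Target>
  <Classification text="{text}"/>
 </Alert>
</IDMEF-Message>"""

# Constructed alert stream: (id, analyzer, time, source, target, classification).
# Three repeats from probe A, one related alert from probe B, then a sweep
# by the company's own scanner seen by both probes.
SAMPLE_EVENTS = [
    (1, "probe-dmz-vendorA", "2001-11-16T09:00:01Z", "198.51.100.7", "192.0.2.10", "IIS directory traversal attempt"),
    (2, "probe-dmz-vendorA", "2001-11-16T09:00:02Z", "198.51.100.7", "192.0.2.10", "IIS directory traversal attempt"),
    (3, "probe-dmz-vendorA", "2001-11-16T09:00:03Z", "198.51.100.7", "192.0.2.10", "IIS directory traversal attempt"),
    (4, "probe-lan-vendorB", "2001-11-16T09:00:05Z", "198.51.100.7", "192.0.2.11", "IIS directory traversal attempt"),
    (5, "probe-lan-vendorB", "2001-11-16T09:10:00Z", "192.0.2.50", "192.0.2.10", "Port scan"),
    (6, "probe-lan-vendorB", "2001-11-16T09:10:00Z", "192.0.2.50", "192.0.2.11", "Port scan"),
    (7, "probe-dmz-vendorA", "2001-11-16T09:10:01Z", "192.0.2.50", "192.0.2.12", "Port scan"),
]
AUTHORISED_SCANNERS = {"192.0.2.50"}   # constructed: the company's own scanner


def parse_alert(xml_text):
    """Extract the fields the ACC correlates on from one IDMEF message."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    return {
        "id": alert.get("messageid"),
        "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "time": alert.findtext("idmef:CreateTime", namespaces=NS),
        "src": alert.findtext("idmef:Source/idmef:Node/idmef:Address/idmef:address", namespaces=NS),
        "dst": alert.findtext("idmef:Target/idmef:Node/idmef:Address/idmef:address", namespaces=NS),
        "class": alert.find("idmef:Classification", NS).get("text"),
    }


def condense(alerts):
    """Collapse repeats of one event from one probe into a single record
    carrying a count and the first/last time seen (section 5.4)."""
    records = {}
    for a in alerts:
        key = (a["analyzer"], a["class"], a["src"], a["dst"])
        rec = records.get(key)
        if rec is None:
            records[key] = dict(a, count=1, first=a["time"], last=a["time"])
        else:
            rec["count"] += 1
            rec["last"] = a["time"]
    return list(records.values())


def situations(records, authorised=AUTHORISED_SCANNERS):
    """Group condensed records into situations: alerts sharing a
    classification and source, whichever probe reported them.  A source
    on the authorised-scanner list is flagged so the operator can
    deprioritise it rather than treat it as an attack (section 6.3)."""
    groups = {}
    for rec in records:
        key = (rec["class"], rec["src"])
        sit = groups.setdefault(key, {
            "class": rec["class"], "src": rec["src"],
            "targets": set(), "probes": set(), "alerts": 0,
            "authorised_scan": rec["src"] in authorised,
        })
        sit["targets"].add(rec["dst"])
        sit["probes"].add(rec["analyzer"])
        sit["alerts"] += rec["count"]
    return list(groups.values())


def run(events=SAMPLE_EVENTS):
    """Serialise the constructed events as IDMEF, parse, condense, correlate."""
    alerts = [parse_alert(ALERT_TEMPLATE.format(id=i, analyzer=an, time=t,
                                                src=s, dst=d, text=c))
              for (i, an, t, s, d, c) in events]
    return situations(condense(alerts))


if __name__ == "__main__":
    for sit in run():
        flag = " (authorised scan)" if sit["authorised_scan"] else ""
        print(f"{sit['class']} from {sit['src']}: {sit['alerts']} alerts, "
              f"{len(sit['targets'])} targets, {len(sit['probes'])} probes{flag}")
```

Seven raw alerts become two situations on the console: one genuine web-server attack seen by both probes against two targets, and one authorised scan.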

It is important that the performance of an intrusion detection and management system is aligned with the perceived risk to the business of the system being flooded with transactions.  The network management systems handle hundreds of alerts per second, but the ACC performs at the rate of one alert per second (Debar & Wespi 2001, p. 91).  This rate may not be adequate for high risk environments, depending on the level of consolidation performed at the IDS probe level.

7 CONCLUSION AND RECOMMENDATIONS

A number of tools, some of them freely available from the open source community, are now available to help the IT departments of companies improve the security of their networks.  These tools also assist in tightening the security of Web servers and protecting them from intrusion attempts from the Internet, outside the network.  However, these tools do not make it any less important to secure the perimeter of the network with a firewall and to deploy detection tools that monitor the type and frequency of intrusion attempts.

During the last two years the integration of intrusion detection functions into network management has made real progress in both the research forum and the commercial arena.  Intrusion detection systems are approaching maturity in the same way that anti-virus products have over the last few years.  Both marketplaces experienced a number of takeovers and the consolidation of products into a few specialist companies like Symantec and Network Associates.  Similarly, testing and certification of products by reputable institutions, known for their previous involvement with anti-virus applications, is now also starting in the IDS industry.

Intrusion detection applications increasingly rely on support from the components of the network infrastructure, like routers and switches.  Intrusion detection products are designed to work in large networks, securing network segments and reporting to a centralised monitoring and alerting system.  System administrators, network administrators and security officers can use a sophisticated intrusion detection management system to selectively block access from identified sources of intrusion attempts.  Access policies can quickly be distributed to routers and switches, albeit only to equipment of the same brand (Appendix 2).

Interoperability between NIDS, firewalls and network equipment is currently in most cases limited to offerings from the same manufacturer like Cisco (Appendix 2), but a standardisation process has started.  The existing networking management standard SNMP and developing IDS standards will allow integration of NIDS products, networking equipment and network management systems of different brands.

Reporting by exception and the aggregation of alert messages from NIDS in a network management console like Tivoli or HP OpenView allow the network security administrators to observe filtered, consolidated intrusion event reports and to concentrate on the central management of the network.  A network management system allows the security officer to quickly block packets originating from suspected sources of intrusion attempts from entering the network.  The combination of NIDS and an integrated network management system makes the network security administrator's job easier.  Entry-level network management staff can be supported with automated analysis tools like IDS or network management consoles.  These tools assist, but they neither trivialise the protection of large networks nor replace expertise and experience in a crisis situation.

From the corporate viewpoint, high level skills in both networking and proactive security are still needed in maintaining security in local and wide area networks connected to the Internet.

Research into the management functions of NIDS should concentrate on providing enough information from the current Internet infrastructure, in a suitable format, to both ISPs and the organisations dealing with intrusion attacks.   Another important area of research is improving the performance of the NIDS event handling, reporting and aggregation functions in the network management reporting systems.  Once the theory behind the current techniques has been proven in practice, so that false negatives and false positives are adequately controlled, the research community will be ready to embark on the important area of intrusion detection and response (IDR) systems.   Debar and Wespi's continuing work with IBM's Tivoli Enterprise Console will undoubtedly provide fresh input for more research in this area.  The availability of Meta-IDS products like Motorola's Intrusion Vision will also increase research into the practical interoperability of IDS applications and devices in the network infrastructure.   Both approaches, a network management system like Tivoli and a Meta-IDS like Intrusion Vision, have the potential to be developed into an active part of the network defence, ultimately capable of automatically initiating the blocking of an identified source of an intrusion attack from the network.
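The automatic blocking that the paragraph above anticipates is exactly what Debar and Wespi caution about earlier in this paper: an IDS that installs filters on its own authority can be made to deny service to legitimate hosts, most simply by sending attack traffic with a spoofed source address.  The following Python is an added example for this page (not code from Tivoli, Intrusion Vision or CITRA) of a response policy that gates the block decision before anything reaches the perimeter router.  The situations are constructed, and the specific rules (a never-block list, refusing to block on connectionless traffic whose source can be forged, an evidence threshold, a block time-to-live and a cap on the block table) are assumptions, chosen to show the kind of safeguards such a policy needs rather than any product's actual logic.

```python
"""Gating automatic blocking of an identified attack source.

Added example for this page; not code from Tivoli, Intrusion Vision or
CITRA.  The rules below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Situation:
    """Condensed output of the correlation stage for one attack source."""
    source: str
    classification: str
    targets: int           # distinct hosts attacked
    tcp_established: bool  # attack carried inside a completed TCP handshake
    last: datetime         # time of the latest alert in the situation


@dataclass
class Block:
    source: str
    reason: str
    expires: datetime


class ResponsePolicy:
    """Decides whether a situation justifies an automatic perimeter block."""

    def __init__(self, internal_nets, never_block, min_targets=3,
                 block_ttl=timedelta(hours=1), max_blocks=200):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.min_targets = min_targets
        self.block_ttl = block_ttl
        self.max_blocks = max_blocks
        self.blocks = {}   # source address -> Block
        self.audit = []    # (time, source, action, reason)

    def expire(self, now):
        """Drop blocks whose TTL has passed, so a stale entry cannot keep a
        host out indefinitely and the router ACL does not grow forever."""
        for src in [s for s, b in self.blocks.items() if b.expires <= now]:
            del self.blocks[src]

    def decide(self, sit, now):
        """Return (action, reason); action is 'block' or 'alert-only'."""
        addr = ipaddress.ip_address(sit.source)
        if any(addr in net for net in self.never_block):
            return "alert-only", "source is on the never-block list (DNS, partners, gateways)"
        if any(addr in net for net in self.internal):
            return "alert-only", "internal source: a perimeter block would cut off our own host"
        if not sit.tcp_established:
            return "alert-only", "single-packet or connectionless traffic: source may be spoofed"
        if sit.targets < self.min_targets:
            return "alert-only", f"only {sit.targets} target(s): below the evidence threshold"
        if sit.source in self.blocks:
            return "alert-only", "already blocked"
        if len(self.blocks) >= self.max_blocks:
            return "alert-only", "block table full: escalate to operator"
        return "block", f"{sit.classification} against {sit.targets} hosts over established TCP"

    def apply(self, sit, now):
        """Evaluate a situation, record the decision and install the block."""
        self.expire(now)
        action, reason = self.decide(sit, now)
        if action == "block":
            self.blocks[sit.source] = Block(sit.source, reason, now + self.block_ttl)
        self.audit.append((now, sit.source, action, reason))
        return action, reason

    def acl_lines(self):
        """Render the block table as deny lines in a generic, IOS-like form
        (an assumed format, not any vendor's exact syntax)."""
        return [f"deny ip host {src} any  ! until {b.expires:%Y-%m-%d %H:%M} {b.reason}"
                for src, b in sorted(self.blocks.items())]


# Constructed situations, in time order, covering each branch of the policy.
T0 = datetime(2001, 11, 11, 9, 0, 0)
SAMPLE_SITUATIONS = [
    Situation("192.0.2.10", "HTTP directory traversal", 12, True, T0),
    Situation("198.51.100.7", "UDP flood", 40, False, T0 + timedelta(minutes=1)),
    Situation("198.51.100.53", "DNS zone transfer attempt", 5, True, T0 + timedelta(minutes=2)),
    Situation("10.0.0.21", "SMB brute force", 9, True, T0 + timedelta(minutes=3)),
    Situation("203.0.113.9", "FTP login failure", 1, True, T0 + timedelta(minutes=4)),
    Situation("192.0.2.10", "HTTP directory traversal", 12, True, T0 + timedelta(minutes=5)),
]


def run_policy(situations, policy=None):
    """Feed situations through a policy; returns (decisions, policy)."""
    policy = policy or ResponsePolicy(internal_nets=["10.0.0.0/8"],
                                      never_block=["198.51.100.53/32"])
    return [policy.apply(s, s.last) for s in situations], policy


if __name__ == "__main__":
    decisions, policy = run_policy(SAMPLE_SITUATIONS)
    for (action, reason), sit in zip(decisions, SAMPLE_SITUATIONS):
        print(f"{sit.source:15} {action:10} {reason}")
    print("\n".join(policy.acl_lines()))
```

Only the first situation is blocked; the UDP flood with forty targets is not, because nothing in a connectionless packet proves who sent it, and the address of an upstream DNS server on the never-block list is never filtered however strong the evidence.  An operator still sees every alert, which is the point: the automation removes the delay, not the human review.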

In the future, advances in the pattern matching technology will allow the management functions of NIDS to send reports of new attack types to a central authority or an intrusion detection institution.  Increasing co-operation between ISPs and security service providers will see central reporting extended to provide real-time information about the status of particular large scale attacks on the Internet (SANS 2000).

When effective reporting structures are in place to centrally analyse concurrent attack patterns from a large population of networks, enough organisations will join the reporting scheme to make it an effective defence mechanism.  The exchange of information about attack patterns will allow individual companies to protect their networks against new types of attack by feeding the attack patterns into their network management system, so that the sources of intrusion attacks can quickly be starved of targets and blocked.


8 GLOSSARY OF ABBREVIATIONS

ACC - Aggregation and Correlation Component
CHIDS - Centralised Host-based Intrusion Detection System
CITRA - Cooperative Intrusion Traceback and Response Architecture
DDoS - Distributed Denial of Service
DoS - Denial of Service
EMS - Element Management System
GUI - Graphical User Interface
HIDS - Host-based Intrusion Detection System
IBM - International Business Machines Corporation
IDIP - Intruder Detection and Isolation Protocol
IDMEF - Intrusion Detection Message Exchange Format
IDR - Intrusion Detection and Response
IDS - Intrusion Detection System
IDWG - Intrusion Detection Working Group (of the IETF)
IETF - Internet Engineering Task Force
INMS - Integrated Network Management System
ISP - Internet Service Provider
NIDS - Network-based Intrusion Detection System
NOC - Network Operations Centre
TEC - Tivoli Enterprise Console
VPN - Virtual Private Networking
XML - Extensible Markup Language

9 REFERENCES

Allen, J., Christie, A., Fithen, W., McHugh, A., Pickel, J. & Stoner, E. 1999, State of the Practice of Intrusion Detection Technologies [Online], Available: http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html, [Accessed 23 Oct 2001]

Bace, R. 1999, An Introduction to Intrusion Detection & Assessment [Online], Available: http://www.icsalabs.com/html/communities/ids/whitepaper/index.shtml, [Accessed 10 Nov 2001]

Cikoski, T. & Whitehill, J. 1995, 'Integrated Network Management Systems: Understanding the Basics', Telecommunications, Americas edn, vol. 27, no. 6, Jun., pp. 41-2, 44-5.

Cisco 2001, Cisco IDS Host Sensor Web Application Protection [Online], Available: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/wdsi_ds.htm, [Accessed 10 Nov 2001]

____ 2001a, Cisco Secure Intrusion Detection Director for Unix [Online], Available: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idsd_ds.htm, [Accessed 10 Nov 2001]

____ 2001b, Cisco Secure Scanner [Online], Available: http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/, [Accessed 11 Nov 2001]

Debar, H. & Wespi, A. 2001, 'Aggregation and Correlation of Intrusion-Detection Alerts', Proceedings of RAID 2001 Fourth International Symposium on Recent Advances in Intrusion Detection, Davis, CA, USA, pp. 85-103 [Online], Available: http://www.docshow.net, [Accessed 11 Nov 2001]

Higgins, H. 1999, 'Corporate system security: towards an integrated management approach', Information Management & Computer Security, vol. 7, no. 5, pp. 217-22

Houle, K. & Weaver, G. 2001, Trends in Denial of Service Attack Technology [Online], Available: http://www.cert.org, [Accessed 4 Nov 2001]

HP 2001, HP OpenView Express [Online], Available: http://managementsoftware.hp.com/products/express/, [Accessed 11 Nov 2001]

ICSA 1999, Intrusion Detection System Buyer's Guide [Online], Available: http://www.icsalabs.com/html/communities/ids/buyers_guide/index.shtml, [Accessed 10 Nov 2001]

ICSA 2001, Certification Program for Network Intrusion Detection Systems [Online], Available: http://www.icsalabs.com/html/communities/ids/certification.shtml, [Accessed 10 Nov 2001]

IETF 2001, Intrusion Detection Exchange Format (idwg) [Online], Available: http://www.ietf.org/html.charters/idwg-charter.html, [Accessed 11 Nov 2001]

Intrusion, Inc. 2001, Applying Network Intrusion Detection Under HIPAA [Online], Available: http://www.intrusion.com/, [Accessed 10 Nov 2001]

____ 2001a, SecureNet Series Network Intrusion Detection System [Online], Available: https://www.intrusion.com/products/downloads/nids_01-0716.pdf, [Accessed 10 Nov 2001]

____ 2001b, Deploying and Tuning NIDS [Online], Available: https://www.intrusion.com/products/downloads/vpn-fw_po101801.pdf, [Accessed 10 Nov 2001]

____ 2001c, Maximizing the Value of Intrusion Detection [Online], Available: https://www.intrusion.com/products/downloads/MaximizingValueIDS.pdf, [Accessed 10 Nov 2001]

Internet Security Systems 2001, Managed Security Services - Service Descriptions [Online], Available: http://www.iss.net/securing_e-business/sec_management_sol/managed_sec_serv/sd.php, [Accessed 10 Nov 2001]

Lopez-Wilkin, E. 2001, Managed Security Services: an IDS Solution [Online], Available: http://www.sans.org/infosecFAQ/intrusion/mss.htm, [Accessed 11 Nov 2001]

Loshin, P. 2001, "Meta" Detection [Online], Available: http://www.docshow.net/ids/NEW-DIRECTIONS-IN-IDS.htm, [Accessed 11 Nov 2001]

Microsoft 2001, URLScan Security Tool [Online], Available: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp, [Accessed 11 Nov 2001]

____ 2001a, Microsoft Personal Security Advisor [Online], Available: http://www.microsoft.com/technet/mpsa/start.asp, [Accessed 11 Nov 2001]

____ 2001b, Microsoft Network Security Hotfix Checker [Online], Available: http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech, [Accessed 11 Nov 2001]

Motorola 2001, Intrusion Vision [Online], Available: http://www.gd-decisionsystems.com/intrusionvision, [Accessed 17 Nov 2001]

NFR n.d., NFR Network Intrusion Detection [Online], Available: http://www.nfr.com/products/NID/features.html, [Accessed 21 Oct 2001]

Ng, S. 2001, How to make a sniffing (receive only) UTP cable [Online], Available: http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm, [Accessed 11 Nov 2001]

Pethia, R., Paller, R. & Spafford, G. 2000, Consensus Roadmap for Defeating Distributed Denial of Service Attacks [Online], Available: http://www.sans.org/ddos_roadmap.htm, [Accessed 11 Nov 2001]

Shavlik, M. 2001, Computing Safely - Securing Your Systems From the Inside Out [Online], Available: http://www.shavlik.com/Documentation/Computing%20Safely.pdf, [Accessed 11 Nov 2001]

Sterne, D., Djahandari, K., Wilson, B., Babson, B., Schnackenberg, D., Holliday, H. & Reid, T. 2001, 'Autonomic Response to Distributed Denial of Service Attacks', Proceedings of RAID 2001 Fourth International Symposium on Recent Advances in Intrusion Detection, Davis, CA, USA, pp. 134-49 [Online], Available: http://www.docshow.net, [Accessed 11 Nov 2001]

Vigna, G. & Kemmerer, R. 1999, NetSTAT - A Network-Based Intrusion Detection System [Online], Available: http://www.cs.ucsb.edu/~rsg/papers.html, [Accessed 11 Nov 2001]

Wu, T., Malkin, M. & Boneh, D. 1999, Building Intrusion Tolerant Applications [Online], Available: http://crypto.stanford.edu/~dabo/papers/ittc.pdf, [Accessed 11 Nov 2001]



APPENDIX 1                SecureNet Pro Overview

The following information has been extracted from Intrusion, Inc.'s web site www.intrusion.com.

SecureNet Pro manages over 400 signatures, which are context analysis scripts.  It contains a customisable scripting system and an option to create 'string matching (network grep) signatures' (Intrusion, Inc. 2001a).

Intrusion, Inc. claims that the SecureNet Pro software performs 100% packet reassembly and TCP/IP reconstruction.  The system is said to handle network traffic up to 700 Mbps with a 98% attack detection rate 'with randomly sized synthetic traffic, from 64 to 1500 bytes'; the figure is a vendor benchmark on synthetic rather than production traffic.
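Why the packet reassembly claim matters, as an added example for this page (constructed signatures and TCP segments, not the SecureNet Pro engine): a 'network grep' signature applied to each segment in isolation is defeated by splitting the request so that the pattern straddles two segments, whereas a sensor that reassembles the TCP stream by sequence number before matching still sees it.  The signature names, the flow identifiers and the overlap policy are assumptions.

```python
"""String-matching signatures with and without TCP stream reassembly.

Added example for this page; the signatures and segments are constructed
and the overlap policy (keep the first copy of a byte) is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# 'Network grep' style signatures: a name and a pattern over the payload.
SIGNATURES = [
    ("WEB-CGI phf access", re.compile(rb"GET /cgi-bin/phf")),
    ("WEB-MISC directory traversal", re.compile(rb"\.\./\.\./")),
]


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor sees it: flow, sequence number, data."""
    flow: str
    seq: int
    payload: bytes


def match_payload(data):
    """Names of all signatures whose pattern occurs in `data`."""
    return [name for name, rx in SIGNATURES if rx.search(data)]


def detect_per_packet(segments):
    """Naive sensor: every segment is inspected on its own."""
    hits = []
    for seg in segments:
        hits.extend((seg.flow, name) for name in match_payload(seg.payload))
    return hits


def reassemble(segments):
    """Rebuild each flow's byte stream from sequence numbers.

    Segments may arrive out of order or overlap; each byte is placed at
    seq + offset and the first copy wins on overlap (assumed policy; the
    sensor must use whatever the protected host's stack does).  Bytes are
    only joined across contiguous runs, so a missing segment leaves a gap
    rather than splicing unrelated data together.
    """
    cells_by_flow = defaultdict(dict)
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            cells_by_flow[seg.flow].setdefault(seg.seq + i, byte)
    runs_by_flow = {}
    for flow, cells in cells_by_flow.items():
        offsets = sorted(cells)
        runs, current = [], bytearray()
        for prev, off in zip([None] + offsets, offsets):
            if prev is not None and off != prev + 1:
                runs.append(bytes(current))
                current = bytearray()
            current.append(cells[off])
        runs.append(bytes(current))
        runs_by_flow[flow] = runs
    return runs_by_flow


def detect_reassembled(segments):
    """Reassembling sensor: signatures are matched against the stream."""
    hits = []
    for flow, runs in reassemble(segments).items():
        for data in runs:
            hits.extend((flow, name) for name in match_payload(data))
    return hits


# Constructed traffic.  Flow A carries the request in one segment.  Flow B
# carries the same request split so the signature straddles two segments,
# and the second half arrives first.
FLOW_A = "192.0.2.10:4123->10.0.0.80:80"
FLOW_B = "192.0.2.10:4124->10.0.0.80:80"
SAMPLE_SEGMENTS = [
    Segment(FLOW_A, 1000, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Segment(FLOW_B, 5009, b"bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Segment(FLOW_B, 5000, b"GET /cgi-"),
]


if __name__ == "__main__":
    print("per packet :", detect_per_packet(SAMPLE_SEGMENTS))
    print("reassembled:", detect_reassembled(SAMPLE_SEGMENTS))
```

The per-packet sensor reports only flow A; the reassembling sensor reports both.  A throughput benchmark with randomly sized synthetic packets, as quoted above, exercises the matching speed but not this evasion, so the reassembly claim deserves its own test in any evaluation, including how the sensor resolves overlapping segments, since a sensor that resolves them differently from the target host can be made to see a different stream than the host does.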

The system runs on a hardened Red Hat Linux 6.2 operating system (vulnerable services removed) on a variety of rack-mountable appliances.  The Gig model connects through a fibre optic connector to a Gigabit backbone and also has a 10/100 Mbps interface for the management traffic between the sensors and the manager console inside the network.  The PDS 5000 and 2000 models cover 100 Mbps networks.

For security reasons the appliances do not usually have keyboard, video or mouse (KVM). The SecureNet Pro system supports notification by email or pager through SMTP messages, and SNMP alerting.

SecureNet Provider is a three-tier architecture for centralised monitoring and reporting, reproduced below from www.intrusion.com:

    Tier 1: Client workstations in the Network Management Centre
    Tier 2: Manager, including Microsoft SQL 2000 database
    Tier 3: Sensors (SecureNet PDS Gig/5000/2000 or SecureNet Pro software)

                                                            (www.intrusion.com)


APPENDIX 2      Cisco Product Line

Cisco IDS Host Sensor Web Server Edition

The system protects the web host by evaluating requests to the Web server and the application, to the application programming interface (API) and to the operating system.  On one hand, the server application and its resources, including the server configuration and the data, are shielded from alteration.  On the other hand, all HTTP requests are checked for validity before they are forwarded to the web server.

The central management console handles the signature, code and rules updates and reporting.  Otherwise the agents are self-contained and independent from the console.

The signature database can be customised, to eliminate false positives.

All the communication between the server agents and the Console is Triple-DES encrypted.

Security events generate email and pager messages.  The system provides SNMP data for integration with network management systems.

                                                            (Cisco 2001)

Cisco Secure Intrusion Detection Director for Unix

The system can provide a user-defined response to an attack.  The options are:

The Director running under the Solaris 2.8 operating system communicates securely with the agents.  The Director can maintain a database and it links with the HP OpenView network management system.

                                                            (Cisco 2001a)

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM) runs in a central location in the network and distributes the security policies to different devices in the network, including Cisco routers, firewalls, VPN devices and IDS.

The same high level policies, defined using a visual interface, can be distributed to multiple devices.  The system provides event notification, monitoring and Web-based reporting.

Cisco Catalyst 6000 Intrusion Detection System Module

Rather than using Switched Port Analyzer (SPAN) ports connected to external sensors to monitor the switched traffic, it is possible to add a specialised IDS module into a slot of the Cisco Catalyst 6000 switch.  The module does not affect the processing speed or path of the switch, because it works independently on a copy of the actual packets.

The device monitors a 100Mbps switch, processing 'approximately 47,000 packets per second, with a new flow arrival rate of 1000 per second'.

The product integrates with the Cisco Secure Policy Manager and the Cisco Secure Intrusion Detection Director.


APPENDIX 3                NetSTAT

[Figure not reproduced]

                                                (Vigna & Kemmerer 1999, p. 8)



APPENDIX 4                Tivoli and IDS

[Figures not reproduced]

                                                (Debar & Wespi 2001, pp. 87, 92)

APPENDIX 5                Microsoft Security Tools

Microsoft has released the following tools as part of their security push after the Nimda and Code Red incidents:

URLScan - validates each request made to a Web server (Microsoft 2001)

Microsoft Personal Security Advisor (MPSA) - scans a Windows NT or Windows 2000 computer remotely for vulnerabilities (Microsoft 2001a)

Microsoft Network Security Hotfix Checker (Hfnetchk) - checks which hotfixes are installed on a Windows server and produces a list of the software patches still to be applied (Microsoft 2001b).

Both MPSA and Hfnetchk have been produced for Microsoft by Shavlik Technologies, a company specialising in computer security products.  Shavlik Technologies markets the advanced versions of these products (Shavlik 2001).


APPENDIX 6                Motorola Intrusion Vision

 

[Screen shot of the Intrusion Vision console not reproduced; the numbered areas of the display are explained below.]

Explanations                                                                                       (Motorola 2001)

1 - Ring Display: number, types and severity of alerts, most severe in the outer ring

2 - Selected Alert Area

3 - Alert Type Descriptions

4 - Sensor Type(s):
    Supported: ISS RealSecure 5.0, NFR 5.0, Shadow, Kane Secure Enterprise, Snort 1.7
    To be released: Cisco Secure, NetProwler, NID, JIDS

5 - Relation Criteria and Table of Related Events

6 - Alert Types

7 - Event History