Friday, October 26, 2007

Intrusion Detection Systems

This section of our computer security ebook provides a brief overview of Intrusion Detection Systems (IDS), describing in general terms the steps to be taken when deploying IDS in your environment.

Break-ins, intrusions or penetrations of computer systems and networks are an increasingly serious problem for many individuals and organizations today. The data residing on compromised systems becomes vulnerable to corruption and theft. Systems that are compromised can also be used to further compromise other systems in a WAN, an intranet, or over the Internet.

Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools as described above, penetration testing can be done "manually." The most useful type of penetration testing is to use methods that might really be used against the system. For hosts on the Internet, this would certainly include automated tools. For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Another method is "social engineering," which involves getting users or administrators to divulge information about systems, including their passwords.

Security monitoring is an ongoing activity that looks for vulnerabilities and security problems. Many of the methods are similar to those used for audits, but are done more regularly or, for some automated tools, in real time. A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours.
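The periodic log review described above, as an added example that is not part of the original post: a Python pass over constructed log lines that flags successful logins outside an assumed business-hours window and repeated denied accesses by one user (attempts to exceed access authority). The log format, the hours window and the denial threshold are assumptions.

```python
import re
from datetime import datetime, time
from collections import Counter

# Constructed sample log lines (not from any real system): date, time, user, event, [target], result.
SAMPLE_LOG = """\
2007-10-22 09:14:03 alice LOGIN success
2007-10-22 09:20:41 alice ACCESS /finance/reports success
2007-10-22 02:47:12 bob LOGIN success
2007-10-22 02:48:55 bob ACCESS /etc/shadow denied
2007-10-22 02:49:10 bob ACCESS /etc/shadow denied
2007-10-22 02:49:31 bob ACCESS /etc/shadow denied
2007-10-22 11:02:07 carol LOGIN failure
2007-10-22 23:30:00 carol LOGIN success
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) (?P<event>LOGIN|ACCESS)(?: (?P<target>\S+))? (?P<result>success|failure|denied)$"
)

# Assumed business hours; a successful login outside this window is an "unusual hours" finding.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
DENIED_THRESHOLD = 3  # repeated denials by one user are treated as an attempt to exceed authority

def parse(log_text):
    """Yield one dict per well-formed log line, with a parsed 'ts' datetime added."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M:%S")
            yield d

def review(log_text):
    """Return a list of (user, reason) findings from one pass over the log."""
    findings = []
    denials = Counter()
    for rec in parse(log_text):
        if rec["event"] == "LOGIN" and rec["result"] == "success":
            t = rec["ts"].time()
            if not (BUSINESS_START <= t < BUSINESS_END):
                findings.append((rec["user"], f"login at unusual hour {rec['ts']:%H:%M}"))
        if rec["event"] == "ACCESS" and rec["result"] == "denied":
            denials[rec["user"]] += 1
            if denials[rec["user"]] == DENIED_THRESHOLD:  # report once, when the threshold is reached
                findings.append((rec["user"], f"{DENIED_THRESHOLD} denied accesses (possible attempt to exceed authority)"))
    return findings
```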

In a recent (2001) survey of 4,500 security professionals conducted by Information Week Research Global Information Security, the primary methods of attack used by intruders were the following (multiple responses allowed):

Method of Attack                              % of Respondents
Operating System Vulnerability                31
Unknown Application                           27
Guessed Passwords                             22
Abused Valid User Account and Permissions     17
Internal Denial-of-Service Attack             12
Known Application                             11
External Denial-of-Service Attack             11


Generally, there are two types of IDS: host based and network based. Host based IDS monitor security within a network component, such as a server or a workstation. Network based ID systems monitor the traffic between network components and networks. Some IDS are strictly network based, whereas others are a combination of network and host based. Most IDS are comprised of two components, sensors and managers. Depending on the IDS type, sensors can be either network based or host based.

The following are steps to be taken when deploying an IDS.

Step 1 - Identify what needs to be protected

To maximize the utilization of IDS, the organization must first determine in order of priority what needs to be protected. For many organizations, the various servers, i.e., application, database, file and domain controllers, contain mission critical resources. Furthermore, depending on the organization, some departments may be more critical than others or must enforce different trust relationships. All of this must be defined in a priority list prior to deploying any IDS.

Step 2 - Determine what types of sensors are required

The types of sensors that are required are dependent on the priority list defined in Step 1. A host sensor would be used to monitor a critical server, whereas a network sensor would be used to monitor network entry points and critical network segments. Another important issue to consider is how many sensors the organization can afford to buy. This number will influence how the sensors are deployed throughout the network, as the number of critical resources must be balanced against how many sensors can be acquired and maintained.

Step 3 - Configure host system securely

Prior to loading any IDS, the host that the IDS will reside on must be configured securely. Often, the vendor of the IDS will supply its own host to run the IDS sensor, in which case the vendor should supply guidelines on how to secure that host. Otherwise, the IDS typically resides on Unix and Microsoft Windows NT/2000 hosts. The guidelines for securing Unix and Microsoft Windows NT/2000 systems are well documented elsewhere in this document.

Step 4 - Keep signature database current

The majority of IDS that are currently available for use are signature based. Because new vulnerabilities and attacks are being discovered daily, the signature database must be kept current. The respective vendors should supply the latest signatures for their IDS.

Step 5 - Deploy IDS sensors

The final phase is to actually deploy the IDS. The following scenarios are based on how many sensors are available for deployment versus what is deemed critical.

Scenario 1

If the organization can only afford to purchase and monitor one sensor of any type, then it should be a network sensor. As described earlier, a network sensor is much better suited to monitoring large segments of a network, whereas a host sensor is limited to monitoring the system that it resides on. In this scenario, the ideal location to place the sole network sensor is in the DMZ, between the external router and the firewall, as shown in Figure 1. In spite of having only one sensor, this design allows the IDS to be used for maximum effectiveness. By placing the IDS sensor between the external router and the firewall, the sensor can monitor all network traffic going to and coming from the Internet. Furthermore, because the router can filter all incoming traffic from the Internet, the IDS sensor can be tuned to ignore certain types of attacks, thereby allowing the sensor to operate with maximum efficiency.

Figure 1 - Deploying 1 ID system


Scenario 2

In the case where only two sensors of any type can be acquired and maintained, they should both be network sensors. Like the previous scenario, one of the sensors should be placed in the DMZ, between the external router and the firewall. The second sensor should then be placed between the firewall and the intranet, as shown in Figure 2. The second sensor can indicate what attack breached the firewall. By strategic placement of these two sensors, all access points from the Internet will be monitored.

Figure 2 - Deploying 2 ID systems


Scenario 3

If more than two sensors of any type can be acquired and maintained, then at least two should be network sensors. Those sensors should be deployed as described in Scenario 2. If a critical LAN within the intranet needs to be protected, then a network sensor should be placed at the entry point to that LAN. The remaining sensors should be host sensors that are loaded onto critical servers, such as domain controllers, file servers, web servers, and mail servers. The order of what is deemed critical is determined by the organization, as directed in Step 1.

Step 6 - Management and Configuration

The other component of IDS, the manager, should be centrally located where dedicated security staff can monitor the health of the systems and network. Many organizations have a Network Operations Center (NOC) that fulfills the role of a central location to place the manager. IDS sensors could then report all alerts to the NOC, thereby allowing the security staff to respond quickly to attacks and to notify the appropriate authorities, such as CERT technicians.

The other issue to consider is how to configure the sensors. Careful configuration of the sensors can increase the effectiveness of IDS, and all unnecessary signatures should be disabled. For example, if the network is entirely composed of Microsoft Windows NT systems, then the sensors can be configured to ignore any attacks that are directed against Unix systems. Therefore, if the organization has the priority list defined in Step 1 and knows its network intimately, it can benefit greatly from a properly configured IDS.
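The tuning reasoning of Step 6 and Scenario 1 combined, as an added example that is not part of the original post: a Python routine that disables signatures whose target platform appears nowhere in the Step 1 priority list, and signatures for ports the external router already filters before traffic reaches the DMZ sensor. The signature set, asset inventory and router policy are constructed for illustration.

```python
# Constructed signature set: each entry names the platform it applies to and the service port.
SIGNATURES = [
    {"id": "SIG-0001", "name": "Unix rlogin brute force", "platform": "unix", "port": 513},
    {"id": "SIG-0002", "name": "Sendmail header overflow", "platform": "unix", "port": 25},
    {"id": "SIG-0003", "name": "NetBIOS null session", "platform": "windows", "port": 139},
    {"id": "SIG-0004", "name": "IIS unicode traversal", "platform": "windows", "port": 80},
    {"id": "SIG-0005", "name": "SNMP default community", "platform": "any", "port": 161},
]

# Constructed Step 1 priority list: an all-Windows network, most critical first.
ASSETS = [
    {"host": "dc01", "role": "domain controller", "platform": "windows", "priority": 1},
    {"host": "web01", "role": "web server", "platform": "windows", "priority": 2},
    {"host": "mail01", "role": "mail server", "platform": "windows", "priority": 3},
]

# Scenario 1 assumption: the external router drops these ports, so the DMZ sensor
# behind it never sees that traffic and the matching signatures are pure noise.
ROUTER_FILTERED_PORTS = {161, 513}

def tune_signatures(signatures, assets, filtered_ports):
    """Return (enabled_ids, disabled) where disabled is a list of (id, reason)."""
    present_platforms = {a["platform"] for a in assets}
    enabled, disabled = [], []
    for sig in signatures:
        if sig["port"] in filtered_ports:
            disabled.append((sig["id"], f"port {sig['port']} filtered upstream by router"))
        elif sig["platform"] != "any" and sig["platform"] not in present_platforms:
            disabled.append((sig["id"], f"no {sig['platform']} hosts in priority list"))
        else:
            enabled.append(sig["id"])
    return enabled, disabled

if __name__ == "__main__":
    on, off = tune_signatures(SIGNATURES, ASSETS, ROUTER_FILTERED_PORTS)
    print("enabled:", on)
    for sig_id, reason in off:
        print(f"disabled {sig_id}: {reason}")
```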
