Detecting E-intruders

by msecadm4921

Arnt Brox, Chief Executive Officer of European internet security company Proseq, looks at the pros and cons of methods of intrusion detection.

Intrusion detection has become big business on the internet and, to be honest, it’s not surprising. With the profusion of e-commerce websites, on-line banking and other high-profile applications, it is understandable that organisations should want to avail themselves of the best possible protection against unauthorised entry. After all, they take seriously the threat of physical intrusion, by fitting access control and CCTV devices and employing security guards, so why not take equally seriously computer intrusion? But, the threat of network intrusion is much wider than those heavily publicised incidents of website defacement would have us believe. In fact, it would be a misnomer to imply that this is an internet-only problem. The threat of network intrusion hangs over any organisation that possesses a network that is open to the outside world. And, in taking this statement on board, we open up the true dangers inherent in virtually every internet protocol network. And this, by definition, is virtually every computer network today – used for everything from process industry control to internet banking and office automation.

Because the byword of every modern organisation is connectivity, even those companies that have no direct internet presence remain vulnerable to hacker attack and intrusion. Just because you don’t have a website or, equally, because your site doesn’t feature any e-commerce capabilities, doesn’t make you immune to the possibility of someone gaining unauthorised access to your network. Think about it. Most organisations running a network have the capability to allow members of staff and even outside contractors to connect to their systems remotely. This makes it easier for workers to connect from home, or while on the move. It also renders the network susceptible to unauthorised entry by third parties. There’s the rub. Our modern work practices make it essential that we provide a reasonable degree of external connectivity to our networks, regardless of whether we are a bank or financial institution, or even an e-commerce site with sensitive customer data just waiting to be exposed. The fact is, therefore, that virtually every organisation running anything other than a perfectly closed loop network is leaving itself open to possible intruder attack.
What’s the answer? One of the most prevalent solutions is installation of a sophisticated firewall system. Undoubtedly, this can help ‘hide’ major parts of your system from unwanted attention. But, the problem remains that we still need to provide external connectivity, data communications, internet access and maybe even Voice Over IP for the organisation. Inevitably, this means that the firewall will need to be configured to allow access to and dissemination of data and information retained within the organisation. And all this creates a major problem, because it means that the firewall cannot be used simply to pull the shutters down and isolate the network from the outside world. The need to communicate brings us the necessity to search for a second line of defence. This is where intrusion detection comes in. But, because there is no universally adopted definition of what it actually is, it’s probably easier to describe the whole concept by reference to more familiar analogies. Think of it as a well-trained guard dog, and you’ll get the general idea. Now imagine that the rooms in your home represent your network, and the perimeter fence represents your firewall. You need to gain access to the outside world and, equally, authorised guests, visitors and invitees need to gain access to your property. After all, how else would you receive your post, your groceries and have your gas and electricity meters read? Being the prudent householder, you’ll realise that there’s a possibility that some visitors onto your premises may not be welcome. Now, because you have a gate to allow you to mingle with the outside world, and vice versa, this leaves you vulnerable to the attentions of these undesirable individuals – the network equivalent of double glazing salesmen or burglars. And this is where your trusty guard dog makes its presence heard.
Because your guard dog has been trained to sniff out unwanted guests, it sounds a warning whenever it detects the presence of any unauthorised third party coming through the gate. And this is the basis of intrusion detection. Just as firewalls need open gates in them to enable communication, intrusion detection either sits behind the firewall to warn of unauthorised entry into the network, or in front of the firewall to see who is approaching the gate. However, as you can imagine, not all guard dogs are perfectly trained. Some will happily bark at anything or anyone that approaches your gate, and others will sit down and wait to be patted as the burglar walks past. So, we have a problem. While there are many intrusion detection solutions on the market, some are more efficient than others in the elimination of what we term ‘false positives’, as well as in the correct identification of unauthorised traffic. Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity – or signature – for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known styles of attack it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures. It’s a bit like training our guard dog to watch the front door, but forgetting to tell it to watch the back of the house as well. Because signature-based IDS can only ever be as good as the extent of the signature database, two further problems arise. Firstly, it becomes all too easy to fool signature-based solutions by changing and obfuscating the ways in which an attack is made. This technique simply skirts around the signature database stored in the IDS, giving the hacker an opportunity to gain access to the network. Secondly, the more advanced the signature database, the higher the CPU load for the system charged with analysing each signature. Inevitably, this means that beyond the system’s maximum bandwidth, packets may be dropped. So, feeds may have to be split and then recombined after analysis, significantly impacting complexity and cost. In addition, it means that the greater the number of signatures searched for, the higher the probability of identifying more false positives, especially on smaller and simpler signatures.

Make no mistake, hackers enjoy a challenge, and like to test their software and skills against many of the commercially available IDS on the market. Because an attacker knows that the IDS will trigger an alarm when it detects certain attack signatures, that hacker will tend to evade the IDS by disguising the attack. For example, hackers are aware that signature-based IDS traditionally has a problem with the complexities of application interactions. This is compounded by the fact that application protocols have become increasingly complex as they expand to provide support for features like Unicode.
Briefly, Unicode allows uniform computer representation of every character in every language, by providing a unique code point or identifier for each character. Unicode is a standard requirement of well-known computer languages such as Java and XML, making it a feature of many modern operating systems. Because signature-based IDS can miss characters written in Unicode Transformation Format, it becomes relatively easy for an attacker to submit a URL containing an exploit that would allow other programmes to be run and files accessed on the host computer. Of course, this is only symptomatic of a wider issue. Because of the hackers’ tendency to continually test and probe, it is only a matter of time before they discover a way around even the most sophisticated signature-based intrusion detection systems. The fact that many signature based IDS vendors recommend that their customers update their signature databases over the internet only serves to make matters worse. In fact, this gives any hacker that has the ability to sniff your network connection the perfect opportunity to identify that you are using IDS, and even to ascertain what type it is.
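The two weaknesses described above, encoding variants that slip past a raw byte match and short signatures that fire on harmless traffic, can be shown with a toy matcher. This is an added example and not Proseq's product or any real IDS engine; the signature list and the sample requests are constructed, and the canonicalisation step (decode, then match) is the standard mitigation rather than anything the article specifies.

```python
"""Toy signature-based matcher (an added example, not Proseq's product).
Illustrates two points from the text: a raw byte match is evaded by
alternative encodings of the same request, and very short signatures
fire on benign traffic. Signatures and requests below are constructed."""
import unicodedata
from urllib.parse import unquote

# Constructed signature database: (name, pattern). "short-sig" is deliberately
# tiny to show how small signatures raise false positives.
SIGNATURES = [("dir-traversal", "../"), ("short-sig", "sel")]

def canonicalise(request):
    """Collapse encoding variants before matching: percent-decode twice (for
    double encoding), NFKC so full-width look-alikes map to ASCII, unify path
    separators and case. Overlong UTF-8 sequences would need a strict decoder
    and are not handled here."""
    decoded = unicodedata.normalize("NFKC", unquote(unquote(request)))
    return decoded.replace("\\", "/").lower()

def match_raw(request):
    """Naive engine: patterns searched in the request exactly as received."""
    return [name for name, pat in SIGNATURES if pat in request]

def match_canonical(request):
    """Same database, applied to the canonical form of the request."""
    canon = canonicalise(request)
    return [name for name, pat in SIGNATURES if pat in canon]

# Constructed sample requests: the same traversal written three ways, plus a
# harmless page whose name happens to contain the short signature.
REQUESTS = {
    "plain":     "GET /images/../../config.ini",
    "encoded":   "GET /images/%2e%2e/%2e%2e/config.ini",
    "fullwidth": "GET /images/．．／．．／config.ini",
    "benign":    "GET /catalogue/select-a-seller.html",
}

def run():
    """Map each sample to (raw hits, canonical hits)."""
    return {n: (match_raw(r), match_canonical(r)) for n, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:10} raw={hits[0]} canonical={hits[1]}")
```

The raw matcher sees the traversal only in its plain spelling, while the benign page trips the short signature in both modes, which is the tuning problem the text returns to later.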
Because of these known problems, signature-based IDS is really only suitable for very basic protection. For any organisation wanting to implement a more thorough – and hence safer – solution, I would advocate the use of what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In fact, to use our earlier analogy, it’s like our guard dog personally interviewing everyone at the gate before they are let down the drive. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organisation’s web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server. Even though this level of filtering significantly narrows down the amount of data to be analysed, anomaly-based IDS can still create large amounts of log data. This is then analysed using database functionality. However, because anomaly IDS sees all the traffic running into the network, there are far fewer places to hide malicious hacker code. There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And, the more targeted the probes and scans, the more likely that the hacker is serious about attacking your network. Equally, the technique is ideal for detecting every new piece of hardware installed on the network. And, this applies equally to any new service installed on any item of hardware – for example, Telnet deployed on a network router for maintenance purposes – and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and Web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.

Some internet security commentators argue that effective anomaly testing isn’t possible. They claim that, because the technique requires trained human resources, as well as sophisticated hardware and software, the procedures involved simply aren’t viable. Admittedly, anomaly testing requires more hardware spread further across the network than is required with signature-based IDS. This is especially true for larger networks and, with high bandwidth connections, it is therefore necessary to install the anomaly sensors closer to the servers and network that are being monitored. The rationale is that the closer the sensors are to the application, the less data they have to handle than if they were located close to or at the network backbone. Placing them too close to the main backbone simply results in too much data being detected. However, none of this detracts from the fact that anomaly testing is a more effective way of detecting possible attacks. In fact, most of the operational criticisms levelled against anomaly-based IDS are equally applicable to signature-based testing. Both methods require tuning, to reduce the numbers of false alerts. This is especially important, as the temptation to tune a system too tightly can often cause loss of some of the events of interest that we are hoping to detect. While anomaly-based IDS requires regular updates of the Legal Traffic Definition files, signature-based IDS needs equally frequent updates of the signature database, together with tuning of variables. Having said that, it is true to say that anomaly-based detection certainly isn’t the straight-from-the-box solution that signature testing purports to be.

Ideally, anomaly testing criteria and parameters need to be configured with the organisation’s own engineers – that is, with the input of IP services and the corresponding network addresses (computers with the IP services exposed to the network they are connected to). Once properly installed, any anomalies detected need to be analysed by trained human operatives. Some may argue that this makes an anomaly-based solution much more of a ‘hands on’ service than signature IDS. But, looking at the amount of labour involved in nursing a normal signature-based IDS, I would argue that this is not the case.
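The anomaly procedure described above (capture header tuples, strip everything the Legal Traffic Definition declares legal, examine the remainder) as an added example that is not part of the original article or Proseq's product. The internal range, the host roles, the Legal Traffic Definition entries, the sweep threshold and the captured flows are all constructed for illustration.

```python
"""Toy anomaly-based detector (an added example, not Proseq's product).
Takes packet-header tuples, discards what a constructed Legal Traffic
Definition declares legal, and reports what is left: unknown services
(such as Telnet left on a router), hosts never seen before, and sweeps."""
from collections import defaultdict

INTERNAL = "192.0.2."                       # constructed internal range
ROUTER, WEB, MAIL, DNS, STAFF = ("192.0.2.1", "192.0.2.10", "192.0.2.20",
                                 "192.0.2.30", "192.0.2.50")
KNOWN_HOSTS = {ROUTER, WEB, MAIL, DNS, STAFF}
# Legal Traffic Definition: (dst, proto, dst_port) expected on this network.
LEGAL_SERVICES = {(WEB, "tcp", 80), (WEB, "tcp", 443), (MAIL, "tcp", 25), (DNS, "udp", 53)}
SWEEP_THRESHOLD = 5   # distinct (host, port) targets from one outside source

def is_legal(src, dst, proto, dport):
    """Filter step: known and legal traffic is dropped before any analysis."""
    if (dst, proto, dport) in LEGAL_SERVICES:
        return True
    inbound = dst.startswith(INTERNAL)
    # Staff browsing out, and the DNS server's own outbound lookups
    if not inbound and src.startswith(INTERNAL) and proto == "tcp" and dport in (80, 443):
        return True
    return not inbound and src == DNS and proto == "udp" and dport == 53

def analyse(flows):
    """Flows are (src, dst, proto, dst_port); returns anomalies grouped by kind."""
    findings, targets = defaultdict(set), defaultdict(set)
    for src, dst, proto, dport in flows:
        if is_legal(src, dst, proto, dport):
            continue
        if dst.startswith(INTERNAL):
            findings["unknown_service"].add((dst, proto, dport))
            if dst not in KNOWN_HOSTS:          # new hardware on the network
                findings["new_host"].add(dst)
        if not src.startswith(INTERNAL):
            targets[src].add((dst, dport))      # for sweep/probe counting
    for src, seen in targets.items():
        if len(seen) >= SWEEP_THRESHOLD:
            findings["sweep"].add(src)
    return {kind: sorted(v) for kind, v in findings.items()}

# Constructed sample of captured header tuples
FLOWS = [
    ("198.51.100.7", WEB, "tcp", 80),        # legal: web traffic
    ("198.51.100.7", MAIL, "tcp", 25),       # legal: mail
    (STAFF, "203.0.113.9", "tcp", 443),      # legal: outgoing web
    (STAFF, DNS, "udp", 53),                 # legal: DNS
    ("203.0.113.44", ROUTER, "tcp", 23),     # Telnet left on the router
    ("203.0.113.44", "192.0.2.99", "tcp", 22),  # host nobody registered
] + [("203.0.113.66", WEB, "tcp", p) for p in (21, 22, 23, 110, 143, 8080)]  # sweep

if __name__ == "__main__":
    print(analyse(FLOWS))
```

Everything the Legal Traffic Definition covers disappears before analysis, so the forgotten Telnet service, the unregistered host and the port sweep are all that remain for the operator to look at.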
All this makes anomaly testing much more capable of correctly identifying the basis of a hacker attack than straightforward signature-based techniques. What it doesn’t do, however, is explain what can be done once hacker activity has been detected. Again, this is where anomaly testing IDS wins, because trained personnel can use a number of analysis techniques to provide customised queries and reports for both technical and administrative staff. Even the largest enterprises frequently lack the necessary experience for analysing signature and especially anomaly-based IDS. This type of security monitoring often requires a connection to a security operation centre. So, because IDS can only operate as a process, these IP security centres of excellence have a constant eye towards the internet for new and emerging types of attacks. In fact, returning to our analogy, the guard dog has to be constantly retrained, as visitors to the gate may carry different packages or simply dress differently to avoid detection.

All in all, therefore, although the argument goes that some protection is better than none, signature-based IDS really only scratches the surface of what most organisations need to protect against. Because it relies on spotting a duplication of events or types of attack that have happened before, it is rather like leaving your guard dog in the kennel with the door closed. Anomaly testing, on the other hand, requires trained and skilled personnel, but then so does signature-based IDS. And, anomaly testing methods can certainly be guaranteed to provide far more effective protection against hacker incidents. It also means that, because of the involvement of the human element, there is a valuable additional tier of defence between your organisation and the evils of the outside world.

© 2024 Professional Security Magazine. All rights reserved.