
Network Security-Intrusion Detection System - Essay Example

Summary
The essay "Network Security-Intrusion Detection System" looks at the two processes, Host-based and Network-based Intrusion Detection Systems, at how effective these two approaches are for intrusion detection in any organization, and also covers various guidelines for Intrusion Detection System deployment, operation, and maintenance…
Table of Contents

Keywords
I. Introduction
II. Intrusion Detection (ID)
III. Intrusion Detection Systems (IDS)
    Host Based Intrusion Detection Systems
    Network Based Intrusion Detection Systems
IV. Need of Intrusion Detection System in Organizations
V. Guidelines for IDS Deployment, Operation and Maintenance
VI. Conclusion
Reference
Appendix: Comparative Analysis of HIDS vs. NIDS

Abstract

Today, safeguarding any computer system or network has become very difficult. Less technical ability is required of the novice attacker, because proven past methods are easily accessed through the Web. A number of cases have been reported in which major attacks on various sites, computer systems and networks have occurred. Some of the recent major cases are attacks on the Pentagon, the White House, NATO, the U.S. Defence Department, and yahoo.com. Considering such attacks on computer systems and networks, there is a need for a system which can safeguard computer systems and networks from outside and inside attacks. Intrusion Detection systems were developed in response to these major attacks on various sites and networks. An Intrusion Detection system is basically a type of security management system which gathers and analyzes information from various areas within a computer or a network to identify possible security breaches. Any Intrusion Detection system follows a two-step process. Host based, which includes inspection of the system's configuration files to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations. Network based, in which mechanisms are set in place to reenact known methods of attack and to record system responses.
This paper looks at the two processes, Host based and Network based Intrusion Detection Systems, at how effective these two approaches are for intrusion detection in any organization, and also covers various guidelines for Intrusion Detection System deployment, operation and maintenance.

Keywords: Intrusion, Intrusion Detection (ID), Intrusion Detection System (IDS), Denial of Service (DoS), Trojan Horse, Malware, Host Based Intrusion Detection System (HIDS), Network Based Intrusion Detection System (NIDS).

I. Introduction

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards and even then I have my doubts." (Spafford E. H., n.d.)

Today, safeguarding any computer system or network has become very difficult. Less technical ability is required of the novice attacker, because proven past methods are easily accessed through the Web. A number of cases have been reported in which major attacks on various sites, computer systems and networks have occurred. Some of the recent major cases are attacks on the Pentagon, the White House, NATO, the U.S. Defence Department, and yahoo.com. Considering such attacks on computer systems and networks, there is a need for a system which can safeguard computer systems and networks from outside and inside attacks. Intrusion Detection systems were developed in response to these major attacks on various sites and networks. An Intrusion Detection system is basically a type of security management system which gathers and analyzes information from various areas within a computer or a network to identify possible security breaches. Any Intrusion Detection system follows a two-step process. Host based, which includes inspection of the system's configuration files to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations.
Network based, in which mechanisms are set in place to reenact known methods of attack and to record system responses. This paper looks at the two processes, Host based and Network based Intrusion Detection Systems, at how effective these two approaches are for intrusion detection in any organization, and also covers various guidelines for Intrusion Detection System deployment, operation and maintenance.

II. Intrusion Detection (ID)

Intrusion in general refers to an inappropriate or unwelcome addition, or an illegal entry upon or appropriation of the property of another. In computer technology, however, it is unauthorized access to a computer system or network. It is basically performed by an intruder, an attacker who gains, or tries to gain, unauthorized access to a system. Some definitions of intrusion are given below:

  • “A set of actions that attempt to compromise the integrity, confidentiality, or availability of computer resources by causing a DoS, creating a backdoor (Trojan Horse), Planting viruses and exploiting software vulnerabilities”. (Anderson, J.P., 1980)
  • “An intrusion is a violation of the security policy of a system”. (Kumar, S., 1995)
  • “An intrusion is unauthorized access to, and/or activities in, an information system”. (NSTAC, 1997)

Tulloch, M. (2003) said that intrusions are attempts by malicious individuals to discover and exploit vulnerabilities that may be used to compromise network security. Any suspicious network traffic that falls outside of normal or legitimate traffic patterns may be classified as an intrusion. The results of intrusion can take different forms, including the following:

  • Destruction or theft of data
  • Denial of service (DoS) to legitimate network users
  • Hijacking of systems and communication sessions

Intrusions can be categorized mainly into four categories.
They are:

  • Protocol related attacks
  • Remote access attacks
  • Malware
  • Denial of Service (DoS)

The definition of Intrusion Detection: Intrusion detection is a type of security management system for computers and networks. An intrusion detection system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches. The security breaches include both intrusions from outside the organization and misuse from within the organization. Intrusion detection uses ‘vulnerability assessment’, a technology developed to assess the security of a computer system or network. Some definitions of intrusion detection are given below:

  • According to Amoroso, E. G. (1999), “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”
  • “The process of identifying that an intrusion has been attempted, is occurring, or has occurred” (NSTAC, 1997)

Intrusion detection can be performed in two ways, manually or automatically. Manual intrusion detection is done by examining log files or other evidence for signs of intrusions, including network traffic. A system that is used for performing automated intrusion detection is called an Intrusion Detection System (IDS).

III. Intrusion Detection Systems (IDS)

An intrusion detection system is basically a device, set of devices or application used for identifying suspicious network activity on any network. An intrusion detection system inspects inbound and outbound traffic on any host or network and then analyzes it, looking for any evidence of intrusion attempts. (Tulloch, M., 2003)

Figure 1.1: Intrusion Detection System (ways in which intrusion can be detected)

The main functions of any Intrusion Detection System include:

  • Monitoring and analyzing user and system activities
  • Analyzing system configurations and vulnerabilities
  • Assessing system and file integrity
  • Ability to recognize patterns typical of attacks
  • Analysis of abnormal activity patterns
  • Tracking user policy violations

Any Intrusion Detection system follows a two-step process. Host based, which includes inspection of the system's configuration files to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations. Network based, in which mechanisms are set in place to reenact known methods of attack and to record system responses.

Host Based Intrusion Detection Systems:

In a host based intrusion detection system, the various activities of an individual network host are monitored for evidence of attempted intrusion. Host based intrusion detection systems are usually placed on critical servers such as firewalls, mail servers, and Web servers exposed to the Internet. A host based intrusion detection system can be installed on many different types of machines, namely servers, workstations and notebook computers. Host based intrusion detection systems are installed locally on host machines, making them very versatile compared to network based intrusion detection systems. Traffic transmitted to the host is analyzed and passed on to the host if there are no potentially malicious packets within the data transmission. Host based intrusion detection systems are more focused on the changing aspects of the local machine than network based intrusion detection systems are. (Host-Based IDS vs Network-Based IDS, para. 13)

Any host based intrusion detection system can be classified as one of four types:

  • File System Monitors: This type of host based intrusion detection system checks the integrity of files and directories.
  • Log File Analyzers: Log files are analyzed for patterns indicating suspicious activity by this type of host based intrusion detection system.
  • Connection Analyzers: Connection attempts to and from a host are monitored in this type of host based intrusion detection system.
  • Kernel Based Intrusion Detection Systems: Malicious activity on a kernel level is detected by this type of host based intrusion detection system.

Figure 1.2: Host based Intrusion Detection System

There are three ways in which a host based intrusion detection system detects intrusions or attacks on the system:

  • System Integrity Verification (SIV): three activities are performed here: a snapshot of the system (baseline) is taken, cryptographic checksums are computed, and the current state is compared with the baseline.
  • Automated log file analysis: On each operating system diverse log files are available. These include, on Windows, the Application, System and Security logs; on Solaris, the Basic Security Module (BSM); on Linux, the last log; and application logs (Web server).
  • Web Server logs: Three types of log files are monitored; they are the Access log, Error log and Last log.

Advantages of Host Based Intrusion Detection Systems:

  • Host-based intrusion detection systems, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a network-based intrusion detection system.
  • Host-based intrusion detection systems can often operate in an environment in which network traffic is encrypted, when the host-based information sources are generated before data is encrypted and/or after the data is decrypted at the destination host.
  • Host-based intrusion detection systems are unaffected by switched networks.
  • When host-based intrusion detection systems operate on operating system audit trails, they can help detect Trojan Horse or other attacks that involve software integrity breaches. These appear as inconsistencies in process execution.

Disadvantages of Host Based Intrusion Detection Systems:

  • Host-based intrusion detection systems are harder to manage, as information must be configured and managed for every host monitored.
  • The information sources for host-based intrusion detection systems reside on the host targeted by attacks; the intrusion detection system may be attacked and disabled as part of the attack.
  • Host-based intrusion detection systems are not well suited for detecting network scans or other such surveillance that targets an entire network, because the intrusion detection system only sees those network packets received by its host.
  • Host-based intrusion detection systems can be disabled by certain denial-of-service attacks.
  • When host-based intrusion detection systems use operating system audit trails as an information source, the amount of information can be immense, requiring additional local storage on the system.
  • Host-based intrusion detection systems use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.

Network Based Intrusion Detection Systems:

All traffic flowing through the network is analyzed for evidence of attempted intrusion. Network based intrusion detection systems usually reside at a choke point on the perimeter of the network or on critical network segments where the servers reside. A limitation of a network based intrusion detection system is that it is difficult to implement in switched networks. Some Ethernet switch vendors are starting to incorporate embedded intrusion detection systems within switches and provide monitoring ports for connecting a NIDS to the switch’s backplane.

A network based intrusion detection system is best described as a standalone appliance that has network intrusion detection capabilities. A network based intrusion detection system can also be a software package that you install on a dedicated workstation that is connected to your network, or a device that has the software embedded and is also connected to your network. The network based intrusion detection system then scans any traffic that is transmitted over that segment of your network. It functions in very much the same way as high-end antivirus applications and makes use of a signature or pattern file method, comparing each transmitted packet against patterns that occur within the signature file. The intrusion detection system functions in a very conforming way in order to increase packet throughput, as inspecting every packet can slow traffic considerably. An intrusion detection system then uses the firewall approach when inspecting the packet, letting through the packets that are not potentially dangerous. This processing is done by the IDS’s preprocessing filters, which arrange the data that is scanned. (Host-Based IDS vs Network-Based IDS, para. 12)

Figure 1.3: Network based Intrusion Detection System
Figure 1.4: Network based Intrusion Detection System

Advantages of Network Based Intrusion Detection Systems:

  • A few well-placed network-based IDSs can monitor a large network.
  • The deployment of network-based IDSs has little impact upon an existing network. Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include network-based IDSs with minimal effort.
  • Network-based IDSs can be made very secure against attack and even made invisible to many attackers.
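
The signature-file matching and preprocessing filter described in this section can be sketched as follows. This is an added example, not code from the essay or from any IDS product; the signature set, rule ids, addresses and packets are constructed for illustration, and IP/TCP checksums are not verified.

```python
import socket
import struct
from collections import defaultdict
from typing import NamedTuple, Optional

TCP, UDP = 6, 17  # IP protocol numbers


class Signature(NamedTuple):
    sid: int          # constructed rule id
    name: str
    proto: int
    dst_port: int
    pattern: bytes    # lower-case; matched case-insensitively


class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes


# Constructed signature file, for illustration only.
SIGNATURES = [
    Signature(1001, "password file path in HTTP request", TCP, 80, b"/etc/passwd"),
    Signature(1002, "command shell name in HTTP request", TCP, 80, b"cmd.exe"),
    Signature(2001, "constructed test marker in syslog", UDP, 514, b"ids-test-marker"),
]


def build_index(signatures):
    """Group signatures by (protocol, destination port) for the pre-filter."""
    index = defaultdict(list)
    for sig in signatures:
        index[(sig.proto, sig.dst_port)].append(sig)
    return dict(index)


def parse_packet(raw: bytes) -> Optional[Packet]:
    """Decode IPv4 + TCP/UDP; return None instead of raising on malformed input."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, 2)[0]
    if ihl < 20 or total_len < ihl or total_len > len(raw):
        return None
    proto, seg = raw[9], raw[ihl:total_len]
    if proto == TCP and len(seg) >= 20:
        header_len = (seg[12] >> 4) * 4
        if header_len < 20 or header_len > len(seg):
            return None
    elif proto == UDP and len(seg) >= 8:
        header_len = 8
    else:
        return None  # unsupported protocol or truncated transport header
    sport, dport = struct.unpack_from("!HH", seg, 0)
    return Packet(socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]),
                  proto, sport, dport, seg[header_len:])


def inspect(raw: bytes, index):
    """Return (verdict, [matching sids]) for one raw packet."""
    pkt = parse_packet(raw)
    if pkt is None:
        return "malformed", []
    candidates = index.get((pkt.proto, pkt.dport))
    if not candidates:
        # Pre-filter: no signature applies, so the payload is never scanned.
        return "passed", []
    haystack = pkt.payload.lower()
    hits = [s.sid for s in candidates if s.pattern in haystack]
    return ("alert", hits) if hits else ("clean", [])


def make_packet(src, dst, sport, dport, payload, proto=TCP) -> bytes:
    """Build a constructed sample packet (checksums left at zero)."""
    if proto == TCP:
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(transport) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + transport + payload


if __name__ == "__main__":
    idx = build_index(SIGNATURES)
    request = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"
    for port in (80, 8080):
        print(port, inspect(make_packet("198.51.100.7", "192.0.2.10", 40000, port, request), idx))
```

The pre-filter buys throughput at the cost of coverage: a signature only fires on the ports it is bound to, so the signature file has to list every port on which the protected service actually listens.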

Disadvantages of Network Based Intrusion Detection Systems:

  • Network based intrusion detection systems may have difficulty processing all packets in a large or busy network and, therefore, may fail to recognize an attack launched during periods of high traffic.
  • Many of the advantages of network based intrusion detection systems don’t apply to more modern switch-based networks. Switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports and this limits the monitoring range of a network based intrusion detection system sensor to a single host. Even when switches provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.
  • Network based intrusion detection systems cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks.
  • Most network based intrusion detection systems cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network based intrusion detection system detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
  • Some network based intrusion detection systems have problems dealing with network-based attacks that involve fragmenting packets. These malformed packets cause the intrusion detection systems to become unstable and crash.

IV. Need of Intrusion Detection System in Organizations

These days an intrusion detection system is an integral part of any organization. Various industries, organizations and government sectors have adopted and integrated intrusion detection systems, or are in the process of deploying intrusion detection systems in their networks or systems. The need for intrusion detection systems can be summed up by a simple principle of network security, that is, defense in depth.
Defense in depth is a layered approach to protecting an organization’s information systems and communications network from malicious attacks and unauthorized access to sensitive information and data. This method involves multiple, overlapping controls that assist organizations in preventing, detecting, and responding to suspected intrusions. (Managing Intrusion Detection Systems in Large Organizations, para. 2)

In an organization, heavy reliance is placed on protection and prevention using controls such as routers, firewalls, public key infrastructures, virtual private networks, and virus scanners. But in any organization, critical detection and response functions such as those provided by intrusion detection systems are often overlooked. There are no mechanisms available in the organization to detect and respond to intrusion attempts that evade the first lines of defense. In any organization, intrusion detection systems act as video cameras within the network and aid in deterrence, detection, damage assessment, and prosecution support. Without an IDS facility in place to monitor network and host activity in an organization, both attempted and successful intrusions may go unnoticed, possibly resulting in irreparable damage to an organization’s network. Intrusion detection systems form a necessary layer of a defense in-depth strategy and play a critical role in a comprehensive information protection program. (Managing Intrusion Detection Systems in Large Organizations, para. 2)

Why should Intrusion Detection Systems be used in any organization?

Intrusion detection allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems. Given the level and nature of modern network security threats, the question for security professionals should not be whether to use intrusion detection, but which intrusion detection features and capabilities to use.
Intrusion detection systems have gained acceptance as a necessary addition to every organization’s security infrastructure. Despite the documented contributions intrusion detection technologies make to system security, one must still justify the acquisition of intrusion detection systems. There are several reasons for which an intrusion detection system can be used. They are:

  • An intrusion detection system can be used to prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.
  • An intrusion detection system can be used to detect attacks and other security violations that are not prevented by other security measures.
  • An intrusion detection system can be used to detect and deal with the preambles to attacks.
  • An intrusion detection system can be used to document the existing threat to an organization.
  • An intrusion detection system can be used to act as quality control for security design and administration, especially of large and complex enterprises.
  • An intrusion detection system can be used to provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.

V. Guidelines for IDS Deployment, Operation and Maintenance

Intrusion Detection System Selection:

When selecting intrusion detection systems, organizations need to consider a few things:

  • The level of privacy needed.
  • How much the organization can afford to spend.
  • Whether there are internal constraints on the types of software the organization can use.

Other important topics include specifics about IDS capabilities, such as detection and response characteristics, use of signature and/or anomaly-based approaches, accuracy of diagnosis, ease of use, and effectiveness of the user interface. The majority of IDSs provide good capabilities for enhanced network monitoring rather than for intrusion detection.
In many cases, determining which features are most important to an organization will be the deciding factor. Although an IDS is an important element in an organization’s overall security plan, it is only effective if it has support from management. They must ensure that the IDS is properly deployed and maintained. (Carnegie Mellon University, para. 5, 6, and 7)

Intrusion Detection System Deployment:

After an intrusion detection system is selected, a number of decisions will determine whether it is deployed effectively or not. They are:

  • Decisions about how to protect the organization’s most critical assets.
  • Configuring the intrusion detection system so that it reflects the organization’s security policies.
  • Procedures that can be followed in case of an attack to preserve evidence for possible prosecutions.

Organizations must also decide how to handle alerts from the intrusion detection system and how these alerts will be correlated with other information such as system or application logs. An intrusion detection system does not prevent attacks. If attackers realize that the network they are attacking has an intrusion detection system, then they may attack the intrusion detection system first to disable it or force it to provide false information that distracts security personnel from the actual attack. Many intrusion detection tools have security weaknesses that could include failing to encrypt log files, omitting access control, and failing to perform integrity checks on intrusion detection system files. (Carnegie Mellon University, para. 9)

Intrusion Detection System Maintenance:

An intrusion detection system must be constantly monitored after it is deployed. Procedures must be developed for responding to alerts; these procedures will determine how staff members analyze and act on alerts, and how staff monitor the outcomes of both manual and automatic responses.
In addition, as upgrades become available, they should be installed to keep the intrusion detection system as current and secure as possible. Technology alone cannot maintain network security; trained technical staff are needed to operate and maintain the technology. Unfortunately, the demand for qualified intrusion analysts and system/network administrators who are knowledgeable about and experienced in computer security is increasing more rapidly than the supply. When an intrusion detection system is properly maintained, it can provide warnings about when a system is being attacked, even if the system is not vulnerable to the specific attack. The information from these warnings can be used to further increase the system’s resistance to attacks. An IDS can also confirm whether other security mechanisms, such as firewalls, are secure. If the necessary time and effort is spent on the intrusion detection system through its life cycle, its capabilities will make it a useful and effective component of an overall security plan. (Carnegie Mellon University, para. 10, 11, and 12)

VI. Conclusion

In conclusion, it can be said that no system can be made secure unless the whole implementation and management team works in synchronization. This paper covered the definition and description of intrusion, intrusion detection and intrusion detection systems. It also covered the various types of intrusion detection system, mainly host and network based intrusion detection systems, along with the advantages and disadvantages of these systems. Finally, the need for intrusion detection and points about its selection, deployment, and maintenance were discussed.

Reference:

Tulloch, M. (2003). Microsoft Encyclopaedia of Security. USA: Microsoft Press publication.
Anderson, J. P. (1980). Computer Security Threat Monitoring and Surveillance. Fort Washington: James P. Anderson Co.
Kumar, S. (1995). Classification and Detection of Computer Intrusions, PhD thesis, Dept. of Computer Science, Purdue University.
Amoroso, E. G. (1999). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, Intrusions.Net Books.
NSTAC Intrusion Detection Subgroup Report, Dec. 1997.
Spafford, E. H. Computer Security. Retrieved October 16, 2006 from http://en.wikipedia.org/wiki/Computer_Security.
Magalhaes, R. M. (2006). Host-Based IDS vs Network-Based IDS (Part 1). Retrieved October 16, 2006 from http://www.windowsecurity.com:80/articles/Hids_vs_Nids_Part1.html?
Innela, P., Mcmillan, O., Trout, D. & Bace, R. (2002). Managing Intrusion Detection Systems in Large Organizations, Part One. Retrieved October 16, 2006 from http://www.securityfocus.com/infocus/1564.
Boer, P.D. & Pels, M. (2005). Host based intrusion detection System. Retrieved October 16, 2006 from http://staff.science.uva.nl/~delaat/snb-2004-2005/p19/report.pdf.
Bace, R. & Mell, P. (2001). Intrusion Detection, NIST Special Publication on Intrusion Detection System. Retrieved October 16, 2006 from http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
Carnegie Mellon University, (2001). Intrusion Detection Systems, Volume-4. Retrieved October 16, 2006 from http://www.sei.cmu.edu/news-at-sei/features/2001/1q01/feature-3-1q01.htm

Appendix: Comparative Analysis of HIDS vs. NIDS. (Magalhaes, R. M. 2006).

Function | HIDS | NIDS | Comments
---------|------|------|---------
Protection on LAN | **** | **** | Both systems protect you on your LAN
Protection off LAN | **** | - | Only HIDS protects you when you are off the LAN
Ease of Administration | **** | **** | The admin of NIDS and HIDS is equal from a central admin perspective.
Versatility | **** | ** | HIDS are more versatile systems.
Price | *** | * | HIDS are more affordable systems if the right product is chosen.
Ease of Implementation | **** | **** | Both NIDS and HIDS are equal from a central control perspective
Little Training required | **** | ** | HIDS requires less training than NIDS
Total cost of ownership | *** | ** | HIDS cost you less to own in the long run
Bandwidth requirements on (LAN) | 0 | 2 | NIDS uses up LAN bandwidth. HIDS does not.
Network overhead | 1 | 2 | The NIDS has double the total network bandwidth requirements from any LAN
Bandwidth requirements (internet) | ** | ** | Both IDS need internet bandwidth to keep the pattern files current
Spanning port switching requirements | - | **** | NIDS requires that port spanning be enabled to ensure that your LAN traffic is scanned.
Update frequency to clients | **** | - | HIDS updates all of the clients with a central pattern file.
Cross platform compatibility | ** | **** | NIDS are more adaptable to cross platform environments.
Local machine registry scans | **** | - | Only HIDS can do these types of scans.
Logging | *** | *** | Both systems have logging functionality
Alarm functions | *** | *** | Both systems alarm the individual and the administrator.
PAN scan | **** | - | Only HIDS scan your personal area networks. (unless you have the $ to get a NIDS for your home)
Packet rejection | - | **** | Only NIDS functions in this mode.
Specialist knowledge | *** | **** | More knowledge is required when installing and understanding how to use NIDS from a network security perspective.
Central management | ** | *** | NIDS are more centrally managed.
Disable risk factor | * | **** | NIDS failure rate is much higher than HIDS failure rate. NIDS has one point of failure.
Upgrade potential | *** | *** | It is easier to upgrade software than hardware. HIDS can be upgraded through a centralized script. NIDS is typically flashed onto the flash memory and has low overhead.
Multiple LAN detection nodes | **** | ** | HIDS is a more comprehensive multiple segment detection IDS than NIDS
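
The System Integrity Verification steps listed in Section III (baseline snapshot, cryptographic checksums, comparison of current state and baseline) can be implemented as below. This is an added example, not part of the original essay; the file names, the demo key, and the choice of SHA-256 with an HMAC seal over the baseline are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def _hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Step 1 and 2: map each relative path to (checksum, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink out of the tree
            if stat.S_ISLNK(st.st_mode):
                checksum = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                checksum = _hash_file(full)
            else:
                continue  # sockets, devices and FIFOs are not hashed
            state[os.path.relpath(full, root)] = (checksum, stat.S_IMODE(st.st_mode))
    return state


def compare(baseline, current):
    """Step 3: report every difference between the baseline and the current state."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            (old_sum, old_mode), (new_sum, new_mode) = baseline[rel], current[rel]
            if old_sum != new_sum:
                report["modified"].append(rel)
            if old_mode != new_mode:
                report["mode_changed"].append(rel)
    return report


def seal(baseline, key):
    """HMAC over the whole baseline, so edits to the baseline itself are detectable.
    Assumption: the key is stored off the monitored host."""
    canonical = "\n".join(f"{rel}\0{checksum}\0{mode:o}"
                          for rel, (checksum, mode) in sorted(baseline.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def demo():
    """Run the three SIV steps on a constructed directory tree."""
    key = b"constructed-demo-key"
    files = {("etc", "passwd"): b"root:x:0:0::/root:/bin/sh\n",
             ("etc", "hosts"): b"127.0.0.1 localhost\n",
             ("motd",): b"welcome\n",
             ("run.sh",): b"#!/bin/sh\necho ok\n"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        for parts, data in files.items():
            path = os.path.join(root, *parts)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)
        baseline = snapshot(root)
        tag = seal(baseline, key)

        # Constructed changes that the comparison must surface.
        with open(os.path.join(root, "etc", "passwd"), "ab") as fh:
            fh.write(b"extra:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "etc", "cron.new"), "wb") as fh:
            fh.write(b"* * * * * job\n")
        os.chmod(os.path.join(root, "run.sh"), 0o755)
        current = snapshot(root)

    report = compare(baseline, current)
    baseline_intact = hmac.compare_digest(tag, seal(baseline, key))
    forged = dict(baseline, **{os.path.join("etc", "passwd"): current[os.path.join("etc", "passwd")]})
    forgery_detected = not hmac.compare_digest(tag, seal(forged, key))
    return report, baseline_intact, forgery_detected


if __name__ == "__main__":
    print(demo())
```

The seal addresses the disadvantage noted for host based systems, that their information sources live on the host under attack: a baseline rewritten to match a modified file no longer verifies against the stored tag.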