Intrusion Detection System - Essay Example


Intrusion Detection System

An Intrusion Detection System (IDS) checks the network and its activities. It identifies any unusual activity and informs the administrator. The operation of the systems in a network and the network traffic itself are monitored by the IDS, and systems creating such traffic on the network are identified and blocked. Intrusion detection is used to manage the system and the network in a secure manner. Intrusions may come from various sources (Endorf 2004). An IDS must be capable of identifying security threats and preventing them from affecting the system or network. Detection systems use various scanning technologies to establish whether a network is secure. An IDS is responsible for analyzing the network and system configuration. In a network, the integration of systems is the major component, so intrusion detection systems have to assess the integrity of the systems within the network. Security threats may occur at any time, and detection systems must be alert enough to identify them and report them to the administrator. Many activities take place within a network, and any abnormal activity has to be analyzed by the detection system.

A user has certain limitations in accessing a network, set out in a user policy maintained by the organization. Each user's activity is recorded by the system, which tracks the activity and sends a report if the user violates the policy. Security threats and attacks can take any form and can occur even in a highly secured network. Since the number of threats and attacks is increasing, an effective IDS is necessary. Attacking a network is easier than intruding into a standalone system, and because systems are connected over the web the task becomes easier still. An IDS is selected based on the network's complexity (Bace, Mall 2006). The most common attacks target the system's confidentiality, the system's control and the network's integrity. An IDS can identify various types of attacks.
They monitor attacks such as scanning, penetration attacks and denial of service. The activities of the IDS are defined by the network administrator. Threats may arise from a system within the network or from an external source (Bradley 2005). Intrusion detection systems are classified into two main types: network-based and host-based intrusion detection systems are the most widely used.

Network IDS (NIDS)

An IDS that serves a network is placed at specific points within that network, where it detects problems in the network traffic. The traffic between the systems in that network is monitored. An IDS used in a network must be efficient enough to handle heavy traffic. Both inbound and outbound traffic are monitored by the detection system (Cukic 2008). The traffic is analyzed from time to time, and the flow of packets is regularly assessed and analyzed.

Host IDS (HIDS)

These systems are installed on individual systems in a network and alert on any suspicious act within that system. A host-based IDS analyzes the packet flow pertaining to that host. A HIDS has limited control over the network as a whole: it concentrates only on a particular host, and it is difficult for such systems to handle the traffic of the entire network. Every system in a network must have its own HIDS if it is not monitored by a NIDS. Though these two are the common types of IDS, other types are also used.

Signature Based IDS

This system uses predefined conditions to monitor for intrusions, and it easily handles previously documented attacks. A database is maintained to store the attack signatures; every time an attack is identified, its signature is compared with the existing values in the database. It can identify attacks that are already known, so the database has to be updated regularly to keep up with new attacks (Cukic 2008). Failure to do so will lead to severe consequences.
If the system is confronted with several attacks at the same time, its performance decreases, because it has to check the database whenever an attack is detected. Lags occur frequently due to the time taken to find the signature in the database, which delays the system's processing. Each signature must be defined and stored in the database.

Anomaly Based IDS

This system monitors the traffic and the activity to identify threats by finding anomalies. Any intrusive access will differ from normal access, and an anomaly-based IDS detects threats using this concept. The administrator specifies the normal access pattern, defining the expected network traffic and the size of the packets that flow through the network. The anomaly-based IDS then identifies the difference between normal behavior and attack behavior.

Stack Based IDS

This is one of the latest technologies in intrusion detection systems. Packets travel through the OSI layers and their activities are monitored; this is achieved using TCP/IP. If any threat is detected, the IDS removes the packet from the stack (Cukic 2008), and the network is maintained in a more secure way.

Strengths of IDS

An IDS can be included in any part of the network, and detection occurs in real time. IDS have various strengths. An IDS monitors the actions of the system and identifies the user's actions. The configuration of the system and its security are tested by the IDS. The administrator defines a baseline and the IDS tracks modifications to it (Brown 2005). An IDS manages the functions and mechanisms of the operating system, alerts the administrator whenever a threat is identified, and provides the relevant security policy to the network. There are several IDS that can be used to protect and monitor the systems on a network; one of them is Snort.

Snort

Snort is an open source intrusion detection system. It combines protocol inspection with signature-based inspection.
Real-time analysis of the network and its operations is possible using Snort. In an IP network, packet flow and logging can be monitored with the help of Snort. It was designed by Sourcefire and is one of the most widely used IDS. Snort uses various methods to detect intrusions, implementing both anomaly and heuristic approaches. Snort came into existence in 1998 (Rehman 2003). It is built around a rule-based language combining the operation of anomaly and signature IDS, and it is popular for its speed and performance. Snort can analyze the protocol over which the data is transferred, and it can also work as a plain sniffer or as a packet-logging tool.

Figure: Intrusion Detection System with Snort. The diagram shows a complete network with a Snort IDS (Rehman 2003).

Advantages

Developing a system is easier because Snort is an open source detection system, and any improvement to the existing system or network is possible. Snort identifies any type of security threat and is powerful compared with other IDS.

Figure: Snort Architecture. The diagram shows the architecture of the Snort IDS (Jiang 2007).

Components of Snort

The system or network that implements Snort must be highly capable. Snort is made up of several components that work together to identify an attack; the required alerts and reports are generated by the system (Jiang 2007). The major components of Snort are the packet decoder, preprocessors, detection engine, logging and alerting system, and output modules.

Figure: Components of Snort. The diagram depicts the various components of Snort (Rehman 2003).

Every packet that enters the network goes through all these components, which ensures that the packet is free from threats and attacks.

Packet Decoder

The network interface passes the packets to the packet decoder, which decodes each packet for preprocessing. Packets may also be sent directly to the detection engine.
A network interface can be either Ethernet or PPP.

Preprocessor

The preprocessor alters the packets of data and sends them to the detection engine. It identifies anomalies present in the packets and alerts the administrator. It is the important component that prepares packets for inspection by the engine. When a large amount of data enters a system, it is fragmented into smaller parts; fragmentation helps the data flow easily over the network. Before such data enters the detection engine it has to be put back together, so the preprocessor defragments all the parts and brings them together as a complete packet (Garside 2007). Attackers alter the URI so that it looks like a normal web server request; preprocessors detect these attacks and decode the URI. In some situations the preprocessor also has the additional work of reassembling streams.

Detection Engine

The work of the detection engine is to identify intrusive activity in the packets sent by the preprocessor. This is achieved by rules: internal structures are loaded with the rules, which are compared with the incoming packets. If a rule matches the packet, it is sent to the next component. Even if there is a small difference between them, the packet is discarded, and an alert is sent to the administrator regarding the dropped packet (Koziol 2003). The time taken to perform this process depends on the system's performance and on the number of rules defined in the system. Packets may be dropped under heavy network traffic. The detection engine's performance is based on the speed of the Snort system; if the network load is high, the detection engine takes more time to process. A detection algorithm is used to compare the rules. Rules are applied either to the entire packet or to its fragmented parts, and they are applicable to the IP header, the transport layer and the application layer. There are three types of rules, namely alert, pass and log rules.
The performance of the detection engine differs in each version of the IDS. In some versions of Snort the packet is compared only with the first rule in the system: if it matches, the packet is sent to the logging system and is not checked against the other rules. This may create problems once the packet leaves the detection engine. In recent versions the detection engine works differently. The packet is compared with all the rules existing in the system; if it satisfies all the rules, the packet is sent to the next component, and if not, an alert is raised. The efficiency of the detection engine is improved.

Logging and Alerting System

The operation of the logging and alerting system depends on the result from the detection engine. If the rules are matched, the activity is logged (Garside 2007); an alert is generated by the system if the rules do not match. Text files are used to store the log information, and these files are stored in the Snort folder. Command-line options are used to modify the details of the logging and alerting system.

Output Modules

Output modules generate output depending on the result from the logging and alerting system. The logging and alerting system may generate different output at different instances, and these outputs are controlled by the output module. The function of the output module depends on the system's configuration. Output modules perform various operations: they notify the system log facility, help in retrieving information from the database, and can even alter the router configuration.

Figure: Screen that shows a security attack and its details. The screenshot shows the Snort IDS installed in a network, with the attacks that have occurred and the time each one intruded into the network.

Though an IDS protects the network from attacks and security threats, an IDS is itself prone to problems. Hence two mechanisms are used to protect an IDS.
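Before turning to the protection of the IDS itself, here is an added example, not code from the essay or from Snort: a small Python model of the pipeline described above (decoder, detection engine, logging/alerting, output) driven by simplified Snort-style alert/log/pass rules. The wire format, the rule set, the addresses and the choice that a matching pass rule silences a packet are all constructed assumptions for this illustration; the first_match_only flag reproduces the older "stop at the first matching rule" behaviour described above and shows the problem it causes.

```python
import re
from typing import Dict, List, Optional

# Simplified Snort rule: ACTION PROTO SRC SPORT -> DST DPORT (opt:value; ...)
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)$")
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


class Rule:
    """One alert/log/pass rule: header fields plus the msg/content options."""
    def __init__(self, text: str) -> None:
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError(f"unparseable rule: {text!r}")
        (self.action, self.proto, self.src, self.sport,
         self.dst, self.dport, opts) = m.groups()
        options = dict(OPT_RE.findall(opts))
        self.msg: str = options.get("msg", "")
        self.content: Optional[str] = options.get("content")

    def matches(self, pkt: Dict) -> bool:
        """Header fields must match ('any' is a wildcard); 'content' is the signature."""
        def ok(pattern: str, value) -> bool:
            return pattern == "any" or pattern == str(value)
        return (self.proto == pkt["proto"] and ok(self.src, pkt["src"])
                and ok(self.sport, pkt["sport"]) and ok(self.dst, pkt["dst"])
                and ok(self.dport, pkt["dport"])
                and (self.content is None
                     or self.content.encode() in pkt["payload"]))


def decode(raw: bytes) -> Dict:
    """Decoder stand-in for the constructed format proto|src|sport|dst|dport|payload."""
    proto, src, sport, dst, dport, payload = raw.split(b"|", 5)
    return {"proto": proto.decode(), "src": src.decode(), "sport": int(sport),
            "dst": dst.decode(), "dport": int(dport), "payload": payload}


def detection_engine(rules: List[Rule], pkt: Dict,
                     first_match_only: bool = False) -> List[Rule]:
    """Return the matching rules. first_match_only reproduces the older
    behaviour described above; by default every rule is compared."""
    hits = []
    for rule in rules:
        if rule.matches(pkt):
            hits.append(rule)
            if first_match_only:
                break
    return hits


def log_and_alert(pkt: Dict, hits: List[Rule]) -> Dict[str, List[str]]:
    """Logging/alerting and output stage. A matching 'pass' rule silences the
    packet (assumed precedence); alerts go to syslog and to the log file."""
    sinks: Dict[str, List[str]] = {"syslog": [], "logfile": []}
    if any(r.action == "pass" for r in hits):
        return sinks
    for r in hits:
        line = f"[{r.action}] {r.msg} from {pkt['src']}:{pkt['sport']}"
        if r.action == "alert":
            sinks["syslog"].append(line)
        sinks["logfile"].append(line)
    return sinks


# Constructed rule set and packets; none of these come from a real deployment.
RULES = [Rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"web directory traversal"; content:"../";)',
    'log tcp any any -> any 80 (msg:"http request";)',
    'pass tcp 10.0.0.5 any -> any 80 (msg:"trusted vulnerability scanner";)',
)]
TRAVERSAL = b"tcp|192.168.1.9|40000|10.0.0.80|80|GET /../../config HTTP/1.0"
TRUSTED = b"tcp|10.0.0.5|40002|10.0.0.80|80|GET /../probe HTTP/1.0"


def process(raw: bytes, first_match_only: bool = False) -> Dict[str, List[str]]:
    pkt = decode(raw)  # decoder -> detection engine -> logging/alerting/output
    return log_and_alert(pkt, detection_engine(RULES, pkt, first_match_only))
```

With every rule compared, the TRUSTED packet is silenced by the pass rule, whereas process(TRUSTED, first_match_only=True) stops at the alert rule and raises an alert the pass rule should have suppressed.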
How to Protect the IDS Itself

The system on which this software runs should be protected, and this task happens to be the most challenging issue. If the security of the system is compromised, either no alarms will be generated or fake alarms may be produced, and the intruder could disable the IDS before attacking the system. The system can be saved from attacks by adopting various measures. The first option in protecting the IDS is to ensure that no services run on the system, as running services are the most likely to be exploited. Any threats that are found are then dealt with; this process of finding threats is almost never-ending. While running Snort, either netfilter or iptables should be used to filter out unwanted data. The IDS should be used only for intrusion detection and not for any other purpose. There are two techniques used to protect Snort from attacks.

Snort on a Stealth Interface

Snort can be run on a stealth interface. The interface listens only to incoming traffic and does not let any data packets out.

Figure: Snort on a Stealth Interface. The diagram shows the Snort sensor with two interfaces (Rehman 2003).

Snort on an Interface with No IP Address

Snort can also be used on an interface that has no IP address assigned to it. The main advantage is that Snort cannot be reached by anybody if the interface has no IP address. Certain interfaces can be used without binding them to TCP/IP, so no IP address is assigned to that interface. While adopting this method, the rest of the protocols should be disabled. Certain methods can be adopted in such situations: TCP/IP can be used on the network while implementing the stealth system and ignoring everything that is not TCP/IP. The DHCP client should be given preference while the DHCP service is neglected. This ensures that the interface is not assigned any address even though it is attached to TCP/IP (Cox, Gerg 2004).
Before implementing any IDS in a network, one has to decide the location of the IDS and its tap.

Snort Tap Placement

The location of taps is an important consideration when working with Snort. Analyzing the traffic becomes very difficult if it is not monitored at the right point. Snort can be placed at various locations.

Natural choke points

In these areas the topology of the network results in a single traffic path (Garside 2007). Firewalls are an ideal placement for taps. Validating and checking the firewall policy is possible if an IDS is placed both before and after the firewall. An IDS outside the firewall may cause many more false alerts than one inside the firewall.

Artificial choke points

The existence of such choke points is mainly attributed to the logical network topology. Placing an IDS in such locations will give rise to more false alerts than placing it inside the firewall, but it helps to find strange and unique behavior in a network. These choke points can also be created using hubs.

Intranet trust / untrust zones

These are a variant of natural choke points, with the difference that they are intra-network. An IDS placed at such a location is used to indicate the machines that do not traverse out of the network.

These are the various places where a tap can be placed. Many other factors have to be considered before installing an IDS in the network. An IDS cannot be installed directly; there are prerequisites such as a proper database and a compatible operating system.

Installation Scenario

There are many prerequisites to installing Snort, and the installation depends on the user's configuration. MySQL is used by Snort to store the log and alert information. External consoles can also be added to Snort, and PHP is required to use a console with Snort. To use MySQL with Snort, the mysql-server, devel and bench packages are needed. Once MySQL is installed, the server can be started.
Only after installing all these prerequisites can Snort be installed. Snort comes in two forms, source and binary. It can be downloaded directly from Sourcefire and then compiled. Both forms can be installed from RPM packages, and Snort can also be installed from the source code. Snort can be installed using several methods: one is compiling the source code on a UNIX platform; the next is downloading the Snort RPM and compiling it on Linux; the final method is installing Snort using the Windows .exe. On a UNIX platform, Snort can be compiled from the source code. Library files are needed when installing Snort on UNIX, and these library files should be present on the system before Snort is installed.

Configuring Snort

Once Snort is downloaded, it is extracted to a directory from where it can be easily accessed. After installing Snort on the system, the next step is to run the installation file, which is done by enabling the primary user.

An IDS is used to protect the system and the entire network from security attacks and threats. An efficient IDS like Snort is preferred for its capability and performance, and it has many advantages compared with other IDS. It prevents security attacks because it performs continuous monitoring. The various components work in the specified order and protect the network. Proper installation and configuration will definitely prevent security attacks. When an attack is identified, a number of operations are performed by the IDS simultaneously. The print screen function can be used while the programme is running. Whenever an attack is detected, the IDS tries to stop the threat from reaching the other systems.

References

Endorf, C. (2004). Intrusion Detection and Prevention. California: McGraw-Hill. pp. 234-236.
Bace, R. & Mall, P. (2006). Intrusion Detection Systems. [Online].
Available at: http://www.21cfrpart11.com/files/library/government/intrusion_detection_systems_0201_draft.pdf [Accessed 20 December 2009].
Brown, K. (2005). Dynamic Server: IDS Strengths. [Online]. Available at: http://www.ubuntu.com/system/files/u35/Informix_Final.pdf [Accessed 20 December 2009].
Bradley, T. (2005). Introduction to Intrusion Detection Systems (IDS). [Online]. Available at: http://netsecurity.about.com/cs/hackertools/a/aa030504.htm [Accessed 20 December 2009].
Rehman, R. (2003). Intrusion Detection System with Snort: Advanced IDS Techniques Using Snort. New Jersey: Pearson Education. pp. 6-10.
Cukic, B. (2008). IDS and Types of IDS. [Online]. Available at: http://advanced-network-security.blogspot.com/2008/04/three-major-types-of-ids.html [Accessed 20 December 2009].
Jiang, Y. (2007). Snort: A Network Intrusion Prevention and Detection System. [Online]. Available at: www.csee.wvu.edu/cukic/CS665/Snort.ppt [Accessed 20 December 2009].
Garside, A. (2007). Intrusion Detection With Snort. [Online]. Available at: http://www.nciips.cc.nc.us/fallconferencepresentations/snort.pdf [Accessed 20 December 2009].
Koziol, J. (2003). Intrusion Detection with Snort. U.S.: Sams Publishing. pp. 23-25.
Cox, K. & Gerg, H. (2004). Managing Security with Snort and IDS Tools. U.S.A.: O'Reilly Media Inc. pp. 9-10.
