April 17, 2002 12:00 AM

Protect Your Network from Intrusion

Windows IT Pro
InstantDoc ID #24650
Strengthen your network's defenses with a network IDS

When I think about intrusion detection, a modern paraphrase of an old question comes to mind: "If an attack occurs on your network and no one knows about it, did the attack really occur?" Detecting attacks on your network is crucial, but doing so is also difficult. That's where intrusion detection comes in. Intrusion detection is important, especially in a multilayered defense-in-depth strategy. (For information about the defense-in-depth strategy, see the National Security Agency—NSA—paper "Defense in Depth" at http://nsa1.www.conxion.com/support/guides/sd-1.pdf.) I introduce you to network Intrusion Detection Systems (IDSs) and briefly discuss Snort, an excellent open-source network IDS that you can deploy on machines running Windows 2000 Server. I also review some network basics, including the challenge that Virtual LANs (VLANs) present, as a preface to discussing the placement of your network IDS, which is essential to the IDS's success. Finally, I review how to counter some techniques aimed at evading your network's intrusion-detection mechanisms.

Security and Depth: Layers of Protection
In a security context, depth in network protection usually implies a multilayered approach to network defense similar to the many lines of defense with which castles were protected. On the negative side, both castles and networks have some basic vulnerabilities: Both are stationary targets, typically unmovable, easily found by an enemy, and generally unable to attack enemies preemptively. On the positive side, both can successfully combine a variety of defenses to protect their vital systems and their community. Each line of defense is backed up by another line of defense that kicks in if the previous line of defense fails. Enemies might eventually pierce many lines of defense, but those defenses can discourage or delay attackers long enough for defenders to take additional measures.

IDSs are an important component of multilayer network security. When you deploy an IDS correctly, that IDS can act not only as an early warning system but also as a deterrent. For example, you can configure Snort (which I discuss in the next section) to react to traffic in realtime. Snort's flexible response (flexresp) feature lets you close connections that meet certain criteria. Prevention can be even more important than detection.

Network Intrusion Detection
Network IDSs developed or revised since 1999 operate in hybrid signature-anomaly style—that is, they look both for attack signatures and for protocol anomalies. They watch for matches to canned descriptions of known problems (i.e., signatures and other elements that are consistent enough to look for) as well as for traffic-format and protocol-shape irregularities. Most network IDSs specialize in one or more areas of analysis (e.g., Internet Security Systems'—ISS's—BlackICE Defender relies on protocol analysis more than on signature or pattern matching), but all network IDSs typically have some capability in each area so that they provide overall coverage. Analysis that captures oddities in the traffic is typically faster because packet structure and protocol shape are generally well understood and blueprinted in long-standing Internet Engineering Task Force (IETF) Requests for Comments (RFCs). When a packet with an unlikely structure arrives, the IDS should easily flag the packet as anomalous. Because different network IDSs have different strengths, you need to determine which technology best fits your situation. Let's take a look at how one widely used network IDS—Snort—identifies bad traffic.

The Snort network IDS performs realtime traffic analysis and packet logging on IP networks. This IDS can also perform protocol analysis and content searching and matching, and it can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, Server Message Block (SMB) probes, and OS fingerprinting attempts. Snort uses a flexible rules language that's easy to understand to describe traffic that it should collect or pass and a detection engine with a modular plug-in architecture. Snort's realtime alerting capability incorporates alerting mechanisms for syslog, a user-specified file that stores alerts and logs information about the file system, and for UNIX sockets, which can be used individually or in combination, depending on your needs. In addition, using Samba's smbclient, Snort can send WinPopup messages to Windows clients. You can use Snort as a straight packet sniffer, as a packet logger (e.g., for network traffic debugging), or as a complete network IDS.

Snort is compatible with both Win32 and UNIX systems. The rule base for these systems is the same, which provides excellent cross-platform coordination of rules from one source, and the rules (regardless of type) have a standard structure. In this typical alert rule for a protocol anomaly, which you type on a command line without line breaks

alert ip any any -> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; sid:528; rev:2;)

you can see that the rule specifies an atypical network packet with an address consistent with the loopback address. (This address is a special IP address—127.0.0.1—that's intended as a software loopback interface on a machine; the interface has no hardware associated with it and isn't physically connected to a network.) Finding such a packet on your network is definitely cause for concern because the packet's presence might indicate the use of crafted packets that an intruder has designed for malicious purposes.
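To make the rule's structure concrete, here is a small Python matcher for this rule syntax, run against two constructed packet summaries. It is an added example, not code from the article or from the Snort project, and it goes slightly beyond the text by also handling the bidirectional <> operator alongside the -> used above.

```python
import ipaddress
import re

# Added example (not the article's or Snort's code): a minimal matcher for the
# header fields and key:value options used by the loopback rule shown above.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
LOOPBACK_RULE = ('alert ip any any -> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; '
                 'classtype:bad-unknown; sid:528; rev:2;)')

def parse_rule(text):
    """Split a one-line rule into header fields plus a dict of key:value options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax: %r" % text)
    rule = m.groupdict()
    opts = (item.split(":", 1) for item in rule.pop("opts").split(";") if ":" in item)
    rule["opts"] = {k.strip(): v.strip().strip('"') for k, v in opts}
    return rule

def _addr_ok(spec, ip):
    # "any" matches everything; otherwise spec is a host address or CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _one_way(rule, s_ip, s_port, d_ip, d_port):
    return (_addr_ok(rule["src"], s_ip) and rule["sport"] in ("any", str(s_port))
            and _addr_ok(rule["dst"], d_ip) and rule["dport"] in ("any", str(d_port)))

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:  # "ip" covers every IP protocol
        return False
    hit = _one_way(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":  # bidirectional rules also try the reverse direction
        hit = hit or _one_way(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return hit

def alerts_for(rule_texts, packets):
    """Return [(sid, msg, pkt)] for every packet summary (proto, src, sport, dst, dport) that triggers a rule."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(r["opts"]["sid"], r["opts"]["msg"], p)
            for p in packets for r in rules if rule_matches(r, p)]

# Constructed packet summaries: the first carries a loopback destination seen on
# the wire (the anomaly the rule describes); the second is ordinary web traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dst": "127.0.0.1", "dport": 22},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.5", "dport": 80},
]
```

Calling alerts_for([LOOPBACK_RULE], SAMPLE_PACKETS) returns one hit, sid 528, for the first packet only.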
