ids_unit-4
Tools
Bro Intrusion Detection System
• Bro was developed by Vern Paxson of Lawrence Berkeley National
Labs and the International Computer Science Institute. It is a Unix-
based Network Intrusion Detection System (NIDS).
• Bro also detects intrusion attempts by searching for particular
patterns in network traffic, so it too falls into the category of
signature-based NIDS.
• Bro distinguishes itself by offering high-speed network capability.
• For real-time, high-volume intrusion detection, Bro uses two network
interfaces.
• Bro provides a patched kernel for FreeBSD to reduce CPU load. With
proper hardware and OS tuning, Bro is claimed to be able to keep up
with Gbps network speeds and perform real-time detection.
Prelude Intrusion Detection System
• Prelude is a Hybrid Intrusion Detection System distributed under the GNU
General Public License, primarily developed under Linux. It also
supports BSD and POSIX platforms. Prelude works at both host and
network levels, providing a more complete solution.
• It also has dedicated plugins that enable communication with
several other well-known IDSs. The sensors send messages to a
central unit (the Manager), which processes them and is responsible
for event logging.
• Besides the Manager, Prelude also includes a module responsible for
graphical feedback to the user.
• It relies on signature-based detection. Since Prelude analyzes user,
system, and network activities, it targets both host- and network-
based intrusions.
Cisco Secure IDS
• Cisco Secure IDS is made up of various NIDS and HIDS solutions.
• Cisco focuses on four goals in its product line:
  • Accuracy
  • Enabling investigation and response
  • Comprehensive management
  • Flexible deployment
• The IDS software feature set allows the router to monitor for 59 unique
attacks.
• The IDS feature set allows the router to take real-time action once it
discovers an attack.
• It can take three actions:
  • Alarm
  • Drop packets
  • Reset a TCP connection
• Many experts agree that the processes for infrastructure
management and incident response are the most critical success
factors.
Assigning Packet Capture to Signatures
• Session Sniping is a method of stopping attacks by closing the TCP
session associated with that attack. The Cisco NIDS accomplishes this
by sending a TCP RST (reset) packet from the command and control
interface to the identified attacking host and to the victim or target
host.
• Shunning is the process of applying access control lists (ACLs) to
nearby routers or switches to block individual connections or hosts to
stop attacks. Cisco supports shunning on all IOS devices, the Catalyst
6500 line, and the PIX firewall.
IDS Best Practice Requirements
Columns: Area; Component; Intrusion detection requirement; Where Cisco's
product line stands.

Area: IDS system characteristics
Component: Comprehensive set of intrusion signatures
Requirement: Signature-based IDS systems suffer from a fundamental flaw.
They only identify events that can be described (in detail) before they
take place. However, the majority of intrusion detection systems operate
by recognizing signatures of network attacks. These signatures can
describe the details of violations of network protocols, packets
destined for suspicious ports, the presence of particular byte sequences
in the data payload of a packet, suspicious packet sequences, and so
forth. The number and type of signatures available is a key requirement
of an IDS system.
Cisco: Cisco has a comprehensive set of signatures developed by its Cisco
Countermeasures Research Team (C-CRT). The C-CRT is made up of engineers
from the WheelGroup acquisition. They develop signatures based on years
of experience in both commercial and government roles.

Area: IDS system characteristics
Component: Capability to create custom filters
Requirement: One might want to identify specific events of interest for
which monitoring is required, but public-domain signatures don't exist.
The capability to create custom filters gives us the capability to
record and analyze these events.
Cisco: Cisco provides the capability to create highly detailed custom
signatures through a comprehensive wizard.

Area: IDS system characteristics
Component: Acceptable false-positive and false-negative rates
Requirement: While this rate (ratio of false positives to false
negatives) is entirely dependent on the type of network traffic seen by
the IDS, managing these failure rates is essential. The false-negative
rate can be reduced through a well-designed engine that recognizes a
large number of attack signatures. The false-positive rate can be
reduced through an engine that supports threshold tuning and well-defined
filters.
Cisco: Cisco's TAME is a leading engine based on years of development. In
addition, Cisco offers customization of all signatures to increase
accuracy.

Area: Architecture
Component: Network-based IDS component
Requirement: Network-based IDS plays a crucial role in appropriately
covering an environment. Network IDS is best at covering aggregated
network segments, places where different portions of a network
architecture meet.
Cisco: Cisco offers several options for network-based deployment with
flexible options for integration into existing infrastructure.

Area: Architecture
Component: Host-based IDS component
Requirement: Host-based IDS provides protection of critical assets.
Host-based IDS (HIDS) takes advantage of the existing processing on each
host process, packet, and data stream, adding a small overhead for
inspection. Typically, these operate at the kernel layer of a host, and
are given an excellent vantage point into attempted operations on a
host. Because network-based IDS must account for the multiple ways that
hosts reconstruct network traffic, HIDS holds a distinct advantage in
terms of accuracy.
Cisco: Cisco's acquisition of the Okena product line provides best-in-
class host-based intrusion prevention for Windows, Solaris and (soon)
Linux.

Area: Architecture
Component: Distributed architecture
Requirement: The most common (and most effective) design for an IDS is
that of a distributed system, with remote sensors deployed throughout
the network, a central data collection facility, and one or more analyst
consoles on the analyst's desktop.
Cisco: Cisco offers a highly scalable distributed system for event
processing from detection to alerting and response.

Area: Architecture
Component: Communication architecture
Requirement: In a "push" communication architecture, the sensors feed
their data into the analyst's console as events of interest are
identified. This gives us a near real-time intrusion detection
capability. This is in contrast to a "pull" communication architecture,
in which the analyst console polls the sensors periodically for newly
identified events of interest.
Cisco: Cisco has recently switched from a push-based to a pull-based
architecture.

Area: Analysis support
Component: Intrusion reporting, response, and recovery policies and
procedures
Requirement: The IDS is a tool that will provide a skilled analyst with
the information needed to identify network intrusion attempts. The
analyst is ultimately responsible for decisions regarding response and
recovery. The use of software to automate these steps, however, is
attractive in some scenarios. To ensure these actions are carried out in
a manner both consistent and acceptable, specific policy elements should
be implemented to govern response and recovery.
Cisco: Cisco offers a comprehensive set of reporting and response
options. These are the free Event Viewer and Cisco Works VMS. Also, Cisco
is automating investigation with the release of the Threat Response
software.

Area: Analysis support
Component: Integrated console and database for host- and network-based
components
Requirement: An integrated console and database provides several
advantages to the intrusion analyst. The integrated database gives the
analyst the capability to do thorough event correlation through database
queries, reducing the need for manual correlation. The integrated
console allows the analyst to identify and respond to alerts from a
single interface, improving the efficiency of their work.
Cisco: Cisco Works VMS 2.2 offers the capability to manage events from
all Cisco IDS products, including the Cisco Security Agent and Network
IDS.

Area: Analysis support
Component: Significant drill-down capability to provide detailed
information on demand
Requirement: A well-designed IDS console will provide basic information
at first glance, and allow the analyst to "drill down" to important
details. On request, the IDS should give the analyst significant and
complete data for analysis and classification of the event.
Cisco: Cisco provides drill-down capability all the way to captured
packets from attacks. Views are customizable and filterable to ensure
the right data is presented.

Area: Analysis support
Component: Relational database back end
Requirement: An RDB back end can be queried, giving the analyst the
capability to mine the data for trends, patterns, and detailed
information about events of interest. A database back end can also be
used for building reports and archiving data.
Cisco: Cisco uses a MySQL back end for the IDS Event Viewer with export
capability. VMS uses an MS SQL run time (a.k.a. MSDE) back end.

Area: Analysis support
Component: Report generation capability
Requirement: The IDS should give the capability to create reports. This
capability, directly from the system itself, removes the requirement to
add additional software to the solution. The system would ideally
provide some canned reports and should offer the capability to create
customized reports.
Cisco: Cisco provides comprehensive reporting in both the Event Viewer
and VMS products. These features are maximized on the Windows version of
the CiscoWorks Monitoring Module. Some areas aren't supported on Solaris
yet. There's no support for events from the Management Center for Cisco
Security Agents, version 4.0. Also, the Cisco IDS Network Module for
routers IDS version 4.1 isn't supported, but IDS 4.0 is supported. No
additional reports are available for firewall and Cisco Security Agents.
Also, there's no

Area: Analysis support
Component: Well-built analyst console
Requirement: A well-built analyst console is important. A console that
isn't reliable and robust can render the work done by the sensors.
Advanced features for distributing administration responsibilities and
required access are also important factors in the construction of the
console.
Cisco: The VMS console is a mature product with a world-class software
engineering group developing it. Cisco Works VMS offers Centralized
Role-Based Access Control (RBAC).

Area: Analysis support
Component: False-positive management
Requirement: False positives can be a time-consuming failure mode for the
intrusion analyst. To combat this problem, the IDS should offer a
mechanism for false-positive management. Common techniques include
adjustable alarm thresholds and console enhancements to facilitate
information management.
Cisco: Cisco offers fully tunable signatures and alarm thresholds.

Area: Analysis support
Component: Event correlation capability
Requirement: Network activity that triggers IDS alerts could be more
than a traffic anomaly or a single attack. Some of the events of
interest identified by the IDS might, in fact, be part of a coordinated
(possibly distributed) attack. The IDS should offer tools to identify
any correlation in these events of interest. If the back end is a
relational database, then this correlation can be done through database
queries. If the back end isn't a relational database, it might be
possible to

Area: Analysis support
Component: Database stores raw data
Requirement: The database should be able to store complete packets,
because complete packets provide a much more powerful trend
analysis/correlation capability, particularly as new features are added.
Cisco: Cisco's network IDS products have the capability to perform
packet capture when a signature fires. This means that the entire packet
or stream of packets can be analyzed at a later time when required.

Area: Internal (IDS) security
Component: Encrypted traffic between sensor and console
Requirement: Because IDS management traffic is the "key to the kingdom,"
the capability to protect this data is crucial.
Cisco: Cisco's RDEP uses SSL/TLS to protect network communications.

Area: Internal (IDS) security
Component: Hardened agent and console hosts
Requirement: The IDS is a key component in the defense of the network. If
the IDS is easily compromised, not only do we lose this critical piece of
our security solution, we run the risk of the IDS giving up valuable
information about the network environment. To mitigate this risk, we
must protect ourselves from attacks against the IDS itself. An essential
component of this protection is hardening of the OSs on machines hosting
IDS sensor and console components. These hosts should be completely
dedicated to their IDS functions, running nothing other than that
required by the IDS software.
Cisco: Cisco provides the capability to use the CSA to protect the VMS
station. The network IDS line is difficult to attack on the network
because it doesn't have an IP address.

Area: Response and recovery capabilities
Component: Intrusion response capability
Requirement: An attractive approach to intrusion response would be for
the IDS to generate a real-time "recommended response" to a detected
intrusion. This assists the analyst in quickly responding to intrusions,
but provides the opportunity to sanity-check the response to avoid
disaster.
Cisco: Cisco is adding the threat response software to automate
investigations and speed response. With the highly accurate data this
produces, response options are clear.
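The "push" versus "pull" communication architectures described in the table above can be made concrete with a small simulation. The following is an added example written for these notes, not code from Cisco or any IDS product: the sensor, console and detection times are all constructed, and the only quantity measured is how long an event waits between detection on the sensor and arrival at the analyst console under each model.

```python
"""Push vs pull sensor-to-console delivery: a constructed simulation, not vendor code."""
from dataclasses import dataclass, field


@dataclass
class Event:
    sensor: str
    t_detected: int
    signature: str


@dataclass
class Sensor:
    name: str
    spool: list = field(default_factory=list)   # events waiting to be pulled

    def detect(self, t, signature, console=None):
        event = Event(self.name, t, signature)
        if console is not None:       # push: forward the event as soon as it is identified
            console.receive(event, t)
        else:                          # pull: spool locally until the console polls
            self.spool.append(event)

    def drain(self):
        events, self.spool = self.spool, []
        return events


class Console:
    def __init__(self):
        self.received = []             # (event, time the console learned of it)

    def receive(self, event, t_now):
        self.received.append((event, t_now))

    def poll(self, sensors, t_now):
        for sensor in sensors:
            for event in sensor.drain():
                self.receive(event, t_now)


# Constructed detections: (time in seconds, signature name); not real traffic
DETECTIONS = [(1, "SCAN_SYN"), (7, "WEB_CMD_INJ"), (12, "SSH_BRUTE")]


def delivery_delays(console):
    """Seconds between detection on the sensor and arrival at the console."""
    return [t_recv - event.t_detected for event, t_recv in console.received]


def run_push(detections):
    """Push: the sensor calls the console immediately, so every delay is zero."""
    console, sensor = Console(), Sensor("sensor-1")
    for t, signature in detections:
        sensor.detect(t, signature, console)
    return delivery_delays(console)


def run_pull(detections, poll_interval):
    """Pull: events wait on the sensor until the console's next periodic poll."""
    console, sensor = Console(), Sensor("sensor-1")
    pending = sorted(detections)
    i, t_poll = 0, poll_interval
    while t_poll <= pending[-1][0] + poll_interval:
        while i < len(pending) and pending[i][0] <= t_poll:
            sensor.detect(*pending[i])          # no console handed in: spool it
            i += 1
        console.poll([sensor], t_poll)
        t_poll += poll_interval
    return delivery_delays(console)


if __name__ == "__main__":
    print("push delays:", run_push(DETECTIONS))
    print("pull delays:", run_pull(DETECTIONS, poll_interval=5))
```

The point the simulation makes is the one the table states: with push, detection latency at the console is bounded only by network transit, while with pull it is bounded by the polling interval, so shortening that interval is the tuning knob a pull deployment has to trade against console load.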
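Two rows of the table above, "Event correlation capability" (correlation through database queries when the back end is relational) and "False-positive management" (adjustable alarm thresholds), are illustrated together by the following added example. It is not Cisco's schema or any vendor's code: the alert table, the sample alerts, the signature names and the threshold values are all constructed, and an in-memory SQLite database stands in for the relational back end.

```python
"""Alert correlation and alarm-threshold tuning over a relational back end.
Constructed example using an in-memory SQLite database; not a vendor schema."""
import sqlite3

# Constructed sample alerts: (ts_seconds, sensor, signature, src_ip, dst_ip)
ALERTS = [
    (100, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (101, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (102, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (103, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (104, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (105, "s1", "SCAN_SYN", "10.1.1.5", "192.0.2.10"),
    (110, "s1", "SCAN_SYN", "10.1.1.6", "192.0.2.10"),      # one stray SYN, below threshold
    (150, "s2", "WEB_CMD_INJ", "198.51.100.7", "192.0.2.10"),
    (152, "s3", "WEB_CMD_INJ", "198.51.100.8", "192.0.2.10"),
    (155, "s1", "WEB_CMD_INJ", "198.51.100.9", "192.0.2.10"),
    (900, "s2", "WEB_CMD_INJ", "203.0.113.4", "192.0.2.20"),
]

# Constructed alarm thresholds: a signature listed here must fire this many
# times (same src/dst, same window) before the console raises one alarm.
THRESHOLDS = {"SCAN_SYN": 5}


def load(alerts):
    """Create the alert table and insert the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alerts (ts INTEGER, sensor TEXT, sig TEXT, src TEXT, dst TEXT)")
    con.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", alerts)
    return con


def coordinated_targets(con, window, min_sources):
    """Correlation query: targets hit by the same signature from at least
    `min_sources` distinct sources inside one `window`-second bucket.
    Returns (dst, sig, distinct_sources, alert_count) tuples."""
    sql = """
        SELECT dst, sig, COUNT(DISTINCT src) AS n_src, COUNT(*) AS n_alerts
        FROM alerts
        GROUP BY dst, sig, ts / ?
        HAVING COUNT(DISTINCT src) >= ?
        ORDER BY dst, sig
    """
    return [tuple(row) for row in con.execute(sql, (window, min_sources))]


def tuned_alarms(con, window, thresholds):
    """Threshold tuning: collapse repeated alerts for one (sig, src, dst) within a
    window into a single summarised alarm, and drop groups below the signature's
    threshold. Signatures without an entry in `thresholds` alarm on the first hit."""
    sql = """
        SELECT sig, src, dst, COUNT(*) AS n, MIN(ts) AS first_ts, MAX(ts) AS last_ts
        FROM alerts
        GROUP BY sig, src, dst, ts / ?
        ORDER BY first_ts
    """
    alarms = []
    for sig, src, dst, n, first_ts, last_ts in con.execute(sql, (window,)):
        if n >= thresholds.get(sig, 1):
            alarms.append({"sig": sig, "src": src, "dst": dst, "count": n,
                           "first_ts": first_ts, "last_ts": last_ts})
    return alarms


if __name__ == "__main__":
    con = load(ALERTS)
    print("coordinated:", coordinated_targets(con, window=60, min_sources=3))
    for alarm in tuned_alarms(con, window=60, thresholds=THRESHOLDS):
        print("alarm:", alarm)
```

Against the eleven constructed alerts, the correlation query singles out the one target hit by three different sources with the same signature inside a minute, and threshold tuning reduces the eleven raw alerts to five alarms: the six-packet SYN scan becomes one alarm, the single stray SYN is suppressed, and the untuned signature still alarms on every distinct source.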
Snort
• Snort is a rule-based IDS. Snort uses signatures to identify the types of
attacks that occur but, unlike a pure signature-based IDS, Snort does
not stop there. It also uses and provides considerable additional
contextual information, including how attacks have transpired and
what the origin of each attack is.
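To show what "rule-based" means in practice, here is an added example (written for these notes, not Snort's own code) that parses a simplified Snort-style rule, the header `action proto src sport -> dst dport` plus a bracketed option list, and matches it against constructed packet records. Only a subset of the real rule language is handled (`any`, CIDR and `!`-negated addresses, single ports and `lo:hi` ranges, `content`, `nocase`, `msg`, `sid`); the rules and packets below are made up for the demonstration, and each hit carries the context an analyst wants alongside the signature name.

```python
"""Minimal Snort-style rule matcher (constructed example; not Snort's code)."""
import ipaddress
import re

# Header: action proto src sport direction dst dport, then (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Parse 'key:value; flag;' items. Multiple content: options are kept in order."""
    opts = {"content": []}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            opts["content"].append(val)
        else:
            opts[key] = val if sep else True   # bare flag such as nocase
    return opts


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line}")
    rule = m.groupdict()
    rule["opts"] = parse_options(rule.pop("opts"))
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(spec) == port
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def header_matches(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = header_matches(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = rule["dir"] == "<>" and header_matches(rule, pkt["dst"], pkt["dport"],
                                                     pkt["src"], pkt["sport"])
    if not (forward or reverse):
        return False
    payload, nocase = pkt["payload"], "nocase" in rule["opts"]
    for content in rule["opts"]["content"]:
        needle = content.encode()
        if (needle.lower() not in payload.lower()) if nocase else (needle not in payload):
            return False
    return True


def scan(rules, packets):
    """Run every rule over every packet; each hit records who, where and which rule."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"action": rule["action"], "sid": rule["opts"].get("sid"),
                               "msg": rule["opts"].get("msg"), "proto": pkt["proto"],
                               "src": f'{pkt["src"]}:{pkt["sport"]}',
                               "dst": f'{pkt["dst"]}:{pkt["dport"]}'})
    return alerts


# Constructed rules (sids in the local 1000000+ range are placeholders)
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB shell path in request"; content:"/bin/sh"; nocase; sid:1000001; rev:1;)',
    'alert tcp !10.0.0.0/8 any -> 192.0.2.0/24 22 (msg:"SSH from outside internal range"; sid:1000002; rev:1;)',
]]

# Constructed packets (documentation address ranges, made-up payloads)
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51514, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /cgi-bin/x?cmd=/BIN/SH HTTP/1.1"},
    {"proto": "tcp", "src": "10.0.0.3", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 33000, "dst": "192.0.2.11", "dport": 22,
     "payload": b"SSH-2.0-client"},
    {"proto": "tcp", "src": "10.0.0.3", "sport": 33001, "dst": "192.0.2.11", "dport": 22,
     "payload": b"SSH-2.0-client"},
]

if __name__ == "__main__":
    for alert in scan(RULES, PACKETS):
        print(alert)
```

Two of the four constructed packets match: the first because `nocase` makes the content check case-insensitive, the third because its source lies outside the negated `10.0.0.0/8` range; the internal SSH client is correctly left alone.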
NFR Security
• NFR Security was founded in 1996 by Marcus Ranum, a pioneer in IDS
technology. Its IDS was called Network Flight Recorder.
NFR Architecture
• NFR operates in a three-tier environment, consisting of the sensors, a
Central Management System (CMS), and an Administrative Interface
(AI).
Sentivist Sensor
• The Sentivist sensors are passive devices that collect data on the wire.
The sensors provide detection capabilities from <10 MB/s connection
rates through gigabit speeds, using multiple network connections per
single sensor.
Sentivist Central Management System (CMS)
• The collection point, or Central Management System, provides a single
collection/aggregation point for data collected by the sensors. The
data spooled on the sensors are pushed into a proprietary data file
store located on the CMS. This many-to-one relationship allows 20 to
30 sensors to push alerts and forensics data to the CMS.
• The CMS also provides a multifaceted output mechanism. The CMS
can provide data via any scriptable data format (such as shell scripts
or Perl programs) or via the AI.
Administrative Interface (AI)
• The AI is a Windows 32-bit program that provides a GUI for the
alerts, forensics, and controls of the Sentivist environment. The AI
allows you to select and set up the sensors' detection capabilities, to
monitor alerts and events collected by the sensors in real time, and to
query supporting data collected by the sensors. All management of
the IDS environment can be done via the AI.
Sentivist Signatures
• One of the most distinctive characteristics of the Sentivist system is its
attack signature model. Unlike other systems that rely on either Snort-
based signatures or closed proprietary signature models, NFR's
Sentivist provides an open signature format. The signature library
permits true hybrid detection capabilities within the N-Code
language. Much like Perl, N-Code provides the flexibility of a true
lexical language for exploring traffic streams in real time.