
NETWORK INTRUSION

June 2009 Network Security 17

Intrusion detections systems – an outmoded network protection model

NIDS – an idea whose time has been and gone

Network intrusion detection systems (NIDS) can seem like a good idea. Systems monitor traffic looking for suspicious patterns of traffic and then log the event – usually in a central logging server. This then generates alerts should a given series of events occur.

They were designed years ago when firewall technology was focused on stateful packet inspection technology, and when there was very poor visibility of what was going on in the network at the application layer. Things have moved on, but many network security systems still base their defences on this earlier version of technology.

NIDS in action – indecipherable signatures and unabated noise

Network intrusion detection systems (NIDS) try to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

NIDS do this by reading all the incoming packets and trying to identify suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, that could indicate that someone is conducting a port scan of some or all of the computers in the network.

There are two methods that an IDS system can use to identify rogue traffic: signatures and baselines.

Signatures are very much like antivirus signatures and are distributed to clients. Once received and applied, systems are then protected against that virus. So with IDS systems a signature protects against a particular vector of attack, and the IDS looks for traffic and behaviour that matches the patterns of known attacks. Their effectiveness is dependent on the signature database, which must be kept up to date.

The other method is by establishing a baseline – often created by running the IDS in a learning mode, watching the traffic that traverses a network over a period of time, and monitoring the background noise to establish what is thought to be good and normal traffic. When a different pattern of traffic is detected, it can be highlighted as a potential threat.

However, both signature and baseline IDS systems have flaws. With signatures, the biggest problem is that they fail to catch new attacks for which the software does not have a defined signature in its database. It is therefore a rearguard battle to ensure that systems are up to date and it is never possible to defend against a zero-day attack.

A zero-day attack is one that has never been seen before – i.e. a mechanism to penetrate a system has been discovered and is being exploited before a way of defending against the attack has been developed. The time from attack vector discovery to its widespread use in the wild is constantly shrinking and the number of zero-day exploits is increasing.

Baseline protection that monitors background noise suffers from two different, but potentially fatal, flaws.

First, no one can have a 100% understanding of what is appropriate and expected network traffic for their environment. They may have an approximate idea, with expectations based on an understanding of what applications are permitted. However, no one I have ever encountered (including security specialists in banking, corporations and the military) has seen only the traffic that they expect to see when reviewing their networks. Just because you have not seen the traffic pattern before does not make it malicious. As a result, it can be impossible to distinguish between benign and malicious traffic.

Secondly, and even more importantly, how can you be sure that when you install, configure and turn on a learning IDS system your network is not already compromised? The noise that is thought to be normal and benign may already contain malicious traffic that then becomes embedded in your apparently safe baseline.

In practice, an IDS that is learning-based will produce a lot of false positives and will also produce false negatives. The latter is a far greater concern because it means believing that rogue network traffic is normal and authorised. This is hardly the most attractive scenario on which to try to maintain a secure system.

Ben Rexworthy, BCS registered security specialist, Securinet UK Ltd.

Intrusion detection systems have become almost a standard element of most modern computer network defence-in-depth solutions, but are they really worth their weight in bureaucracy?
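The two detection methods the article describes (signature matching, the port-scan heuristic, and a learned baseline) can be shown side by side on constructed flow records. This is an added illustration, not code from the article or from any IDS product; the flow format, addresses, the hypothetical signature and the beacon traffic are all invented here. It reproduces the article's point that a baseline learned on an already-compromised network treats the intrusion as normal (a false negative) while flagging a newly deployed legitimate application (a false positive).

```python
"""Toy NIDS: signature, port-scan heuristic and learned baseline side by side."""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, payload_snippet).
BENIGN = [
    ("10.0.0.5", "10.0.0.20", 80, "GET /index.html"),
    ("10.0.0.5", "10.0.0.20", 443, ""),
    ("10.0.0.6", "10.0.0.21", 25, "EHLO mail"),
] * 5
# Assumed beaconing from a host that was compromised before the IDS was
# switched on, so it is present during learning mode (constructed).
BEACON = [("10.0.0.7", "203.0.113.9", 8443, "POLL")] * 5
# One source touching many destination ports: the article's port-scan example.
SCAN = [("198.51.100.4", "10.0.0.20", p, "") for p in range(1, 41)]
# A legitimate application rolled out after the baseline was learned.
NEW_APP = [("10.0.0.8", "10.0.0.22", 5432, "SELECT 1")] * 3

# Hypothetical signature database; the pattern is made up for this example.
SIGNATURES = {"hypothetical_worm": "GET /hypothetical-exploit"}

def signature_alerts(flows):
    """Flows whose payload contains a known-attack pattern."""
    return [(name, f) for f in flows
            for name, pat in SIGNATURES.items() if pat in f[3]]

def portscan_alerts(flows, port_threshold=20):
    """Sources that connect to at least `port_threshold` distinct ports."""
    ports = defaultdict(set)
    for src, _, port, _ in flows:
        ports[src].add(port)
    return sorted(src for src, ps in ports.items() if len(ps) >= port_threshold)

def learn_baseline(flows):
    """Learning mode: every (dst, port) pair seen is assumed to be normal."""
    return {(dst, port) for _, dst, port, _ in flows}

def baseline_alerts(flows, baseline):
    """Flag flows to a (dst, port) pair not seen during learning."""
    return [f for f in flows if (f[1], f[2]) not in baseline]

def demo():
    """Learn on a compromised network, then monitor live traffic."""
    baseline = learn_baseline(BENIGN + BEACON)   # beacon is now 'normal'
    live = BENIGN + BEACON + NEW_APP + SCAN
    flagged = baseline_alerts(live, baseline)
    return {
        "scanners": portscan_alerts(live),
        "baseline_flags_beacon": any(f in BEACON for f in flagged),   # False negative
        "baseline_flags_new_app": any(f in NEW_APP for f in flagged), # False positive
        "signature_hits": len(signature_alerts(live)),  # no signature for the beacon
    }

if __name__ == "__main__":
    print(demo())
```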

Sensor placement – the choice of the damned

In a modern network there will be a number of isolated network segments. There will be the external (or dirty) network (the WAN), usually a ‘demilitarised zone’ (DMZ), the internal ‘Local Area Network’ (LAN), possibly a separate wireless network (WLAN), and often others, each providing a layer of security isolation and control. However, herein lies a problem: where is the optimum location for an IDS? Should it be placed outside the network to identify and raise an alert about possible attacks as early as possible? Or should it be placed on the DMZ where customer-facing applications are hosted? Or on the internal network where the most precious data is stored? Or on a vulnerable wireless network?

Most would agree that placing an IDS node (the entity that sees the network traffic) on the WAN (external network) is of little value. Any prolonged monitoring of your external connection would reveal many hits an hour from various sources across the internet trying to access services and applications that you do not own, host or advertise anywhere. These will be worms, viruses, script kiddies and, although quite rare, skilled malicious hackers and crackers probing for systems to compromise.

Most sensible solutions place IDS nodes on the DMZ, LAN and any other controlled network (i.e. excluding the WAN) and collect the logs into a common database for log correlation.

Even if the IDS product is free, there is still a cost in installing, managing, and running it. The total cost of ownership is therefore quite different from the cost of the product and that cost multiplies with the number of sensors deployed.

First cost – installation and configuration

Snort is an open source IDS system and is regarded by many as the de facto standard for intrusion protection systems. But although it is free, its installation and configuration is not – and it is complex enough to require experienced help.

Second cost – logs

For an IDS to work, it has to see all the network traffic. Therefore in a distributed network, each isolated network segment must have its own IDS sensor. In a modern, busy network it will see gigabytes of data each hour, and it will be logging events – a lot of them! This data mountain can only grow as more IDS sensors are deployed. The larger or more complicated the network (following the best practice of network segregation), the more the number of log entries multiplies. Storing these logs and correlating them over time to identify patterns and generate alerts can entail a huge cost.

Third cost – manpower

Installing and configuring a network defence system is going to be pointless if staff don’t know how to use it, so they will need training. The logs of an IDS system are useless unless interpreted by a human. There can be a certain amount of benefit in automatic log-parsing applications, but to be effective human intervention is required.


Figure 1: The hidden costs of ownership of an IDS.


In larger environments (and it is typically larger environments that mandate IDS as required and necessary) there are people employed solely as IDS engineers. The daily role of these engineers is to run, monitor and respond to alerts. If one person is employed to do this job, then to cater for staffing issues (holiday, sickness, etc) probably another three people need to be trained and ready to perform the role (although the metrics improve as the team grows).

Merging technologies and moves from detection to prevention

So, IDS systems are costly to set up, are cumbersome and expensive to run, and invariably produce a lot of false positives – further liquidating their value. So is there an alternative?

Since IDS systems were conceived, the state of firewall technology has moved on quite dramatically. Ten years ago firewalls did not have the processing power to look at the application layer of packets traversing them.

What we are seeing now is the merging of two different technologies – application proxies and stateful firewalls.

The main benefit of application layer proxies is that they understand the application layer and can therefore ensure that the contents of network packets are as they should be. However, typically they have been much slower to operate, and they only understand application layer content by having a specific proxy written for them. A further issue is that by doing something on your behalf, a proxy server effectively breaks the client–server relationship.

Firewalling speeds have been increasing dramatically over the past decade – in line with Moore’s law – and we now have deep packet inspection firewalls that bring together the benefit of fast firewalling with visibility of the application layer.

A large number of firewall vendors have now started to implement intrusion prevention technology in deep inspection firewalls. This has the benefit of being able to identify rogue or malicious traffic at the application layer and to stop it in its tracks before entering the network.

Rather than operating on a baseline basis, they look for known signatures of attacks and hence deliver very low false positives. They are updated very frequently, but, most importantly, they are actively protecting and stopping attacks to the infrastructure from the moment that they are installed. In addition, they have much more information at their disposal: the firewall’s own information about the state of network traffic can be combined with the IPS engine’s visibility at the application layer.

Conclusion

There is no such thing as a 100% secure network – with or without IDS systems. The role of the information security officer is to balance the best possible level of security against the cost of the asset that they are protecting – and hence the setting of a budget for protecting that asset. Or to put it another way: why spend £50 000 defending an asset with a value of £25 000?

IDS systems are too costly, cumbersome and reactive, and struggle to provide any real return on investment. Staff are left hunting for the proverbial needle in the haystack, because the one log event that warns of a potential attack will nestle in the midst of a mire of false positives.

In contrast, the deployment of Intrusion Protection Systems (IPS) can generate a good return on investment.

Training costs for IPS are low partly because staff are likely to have been trained on the system firewall and as the IPS engine is built in, they need minimal supplementary training.

Logs are much lower as there are far fewer false positives, thus saving storage and human resources. IPS systems actually perform defensive actions automatically while IDS systems are merely informative about suspicious activity that has already occurred.

IPS systems are also more accurate because they are able to see the context and direction of the traffic while actively protecting the network.

If the purpose of passing an audit is to provide assurance about the effectiveness of security, it makes little sense to implement cumbersome, expensive and out-dated technology that is clearly ineffective.

Ill-informed bureaucracy must be removed from the equation. Ticking boxes that are out-dated and irrelevant may simply instil a false sense of security and a degree of complacency. TJX apparently passed its PCI DSS audit and it was still penetrated over a period of 18 months, losing more than 94 million card details, the largest card theft ever recorded.

About the author

Ben Rexworthy is founder and managing director of Securinet UK Limited, a managed security provider. He has worked in IT and information security for two decades for all sizes of organisation from SMEs to multinationals, including Smithkline Beecham (now GSK), Roche Products and Airtours plc. He is a chartered member of the British Computer Society, a Certified Information Systems Security Professional (CISSP), a member of the UK White Hats group and has undertaken security audits for parts of the UK Government’s critical national infrastructure.
