Network Intrusion Detection and Prevention? 264
c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"
ASL (Score:2, Informative)
You can balance FLOSS and proprietary techs with something like Astaro Security Linux [astaro.com]. They do appliances or standalone software.
Don't underestimate just paying attention. (Score:5, Informative)
So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulneribilities.
Sean
My complaint about intrusion detection devices. (Score:5, Informative)
The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).
For real enterprise needs, companies like counterpane [counterpane.com] not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.
Bro (Score:4, Informative)
I'd rave more, but bro is watching me and wants me to get back to real work.
IBM Has You Covered (Score:3, Informative)
We use... (Score:3, Informative)
Of course, it's needed some tuning so it wouldn' think that things that should be talking to multiple systems in a short time window don't get blocked...
The great intrusion prevention debate (Score:3, Informative)
http://www.infoworld.com/article/05/05/09/19FEips
plenty of appliances... (Score:1, Informative)
http://www.p-cube.com/indexold.shtml [p-cube.com]
http://www.toplayer.com/ [toplayer.com]
http://www.arbornetworks.com/ [arbornetworks.com]
http://www.riverhead.com/ [riverhead.com]
http://www.sonicwall.com/ [sonicwall.com]
http://www.fortigate.net/ [fortigate.net]
Juniper IDP (Score:3, Informative)
Seriously, though, it's a good system - our sigs are for the most part, open-source - you can see how we detect things, and make a copy and twiddle it yourself. Those few that are closed are generally to protect Intellectual Property concerns.
They're a bit spendy for home use, though. I think the cheapest unit is in the $15-17k range.
Some things also not covered in the question, but imporant issues to raise, are:
1. Ease-of-Use vs. Functionality/Features
2. Performance vs. Security
3. Completeness/Timeliness of Coverage
4. Accuracy
Each IPS vendor has their own angle on these issues, and they're all betting that their angle will be the best - in the end, you as the customer have to decide which of these issues is most important to you, and then find the corresponding vendor.
Juniper has dominant market share, but there are things that other companies do better, but generally at the cost of something we do better at - it's a real mixed bag. See RFC-1925, Section 2, Paragraph 7a for details on this concept.
Juniper IDP is focused on delivering current, feature-rich, accurate detection, generally at the expense of speed and simplicity. Don't get me wrong, though, we're not slugs - our high-end products are currently pushing 2 gig (which in some environments is fast enough). If you want a cheap, 10-gig box with a single "Secure Me" panic button and a single "You Got Owned" idiot light, we're not for you.
Nessus (Score:3, Informative)
As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out).
Re:intrusion detection (Score:3, Informative)
Ok, that's just silly. Only the crudest of hacks would show up under who. There are plenty of ways to spawn processes in an attack that would show up under something like ps or top, and not under who.
Not to mention the fact that manually running who or ps is not an intrusion detection system. You want something that monitors activity and at the very least e-mails a sys admin when something strange is happening.
Wait, why am I bothering to respond to this obvious troll?
Re:intrusion prevention (Score:2, Informative)
Service is not as good as it used to be, but still decent. They are going through some growing pains and some adjustments after being purchased by 3 Com, but that was to be expected. Their support is still much better than your average vendor.
The rules they use are very conservative, and it affects no other protocols other than IP. It will pass these quite happily, and even the IP traffic that is inspected has low latency. You can write your own rules if you want using a Windows utility with a combination of pcap and regexp syntax. This however is warned against as in most cases the custom rules can wreak havok if not written correctly.
The prevention is done via application level fingerprinting which works much like OS fingerprinting. For instance, it will detect that something looks like an LSASS buffer overflow attempt regardless of the source and destination IPs and ports and act accordingly. With testing that we did between this and other IPS/IDS's, many of them would not detect port hopping even though they claimed to. This becomes more important if you want to do things such as block Kazaa, or allow IRC and IM, but deny the file transfer functionality for the chat protocols. (Yes, it has the ability to do this)
They also released Tomahawk test tool which can be found at http://tomahawk.sourceforge.net/ [sourceforge.net] It's a great tool for stress testing and replaying network traffic.
And while not advertised or offically supported, their management software does have a linux version, if you have multiple boxes. If it's just one box, you'll probably configure it by connecting to it directly via the web browser, which once again, while not officially supported, it works fine with non-IE browsers (at least last time I used it).
And definitely, last but not least, you can on the fly put it in layer 2 fallback, so if that causes any problems you're having to go away, then it is a problem with the filters. An excellent feature that can temporarily fix any latency problems that it might induce until you can get time to do more in depth troubleshooting.
Re:Snort-Inline+IPTables+Scripts = Decent IPS (Score:3, Informative)
s/IPS/DoS/
Any IDS that automatically affects firewall rules is an incredibly dumb idea. Just don't do it. You're putting control of your firewall rules in the hands of an attacker, which makes a DoS attack trivial. I spent a long time convincing management that we didn't want such a system, despite all the vendors' marketing claims that it was an essential part of modern network security. It eventually took a demo where I spoofed an attack from our upstream provider and the system automatically dropped us off the net before they listened[1]. It may seem like a good idea, and indeed with a bit of intelligence in your rules, it can help in some situations. But it's a dangerous game to be playing, and I wouldn't recommend it for any business.
[1] No, not on the production network (although I was tempted).
Modern "Firewalls" (Score:5, Informative)
These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the the content they can scan.
The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.
I've seen a bunch (Score:3, Informative)
I've seen plenty of appliances out there. Some of your options depends on what kind of equipment you're already running. As far as "best choice", you really should factor in what you already have- if you have Cisco modular equipment at your core or distribution layer, maybe going with the Cisco IDS blade will make more sense than getting a Proventia. Do you have Juniper firewalls? They make an IDS blade that fits in their ISG series.
That being said, I've worked with Cisco IDS and SecureAgent. SA's a real beast- you can expect to spend a long time getting up to speed with it. I've had problems managing the blades themselves- they're basically little RedHat boxes on a blad that plugs into the backplane. CiscoWorks makes it relatively easy to manage but I had a *lot* of problems pushing updates and management info to them, and configuring your modular chassis with the right VLAN stuff can be a bitch unless you're good with Cisco equipment. One issue I hope they fixed was that their email notification sucked and they had to provide a PERL script to generate a useful email alert.
I like Juniper's IDP stuff. Their appliances come with cobber and fibre cards and are a snap to set up. You can set them in in pass-through mode and place them inline between your routers and switches, or just mirror/tap the trunk port. In inline mode you get the ablity to send hard RSTs to both endpoints of an attack. The management software is pretty intuitive and the dashboard give you a very good "at a glance" view. They top out at about 500Mbps/sec so if you're pushing great gobs of data, they might not be sufficient.
I've played around a bit with ISS' Proventia stuff- their appliances are OK, and I think their desktop stuff needs one more development cycle to be good. SiteProtector is decent, but it too needs a little more development in the UI area. The desktop agents are a lot easier to manage than Cisco's SecureAgent.
No quick, easy answer (Score:3, Informative)
Clearly, you don't pay much attention to the glossy ads in Infoworld and CIO magazine. FUD marketing out the wazoo for exactly these types of devices.
This is actually a very hard problem to solve. I've written quite a bit on the subject, but I'll attempt to provide a few quick helpful points.
If you have some form of perimeter security, it becomes easier, but still very resource-intensive (both technology resources and human resources). I'm assuming that you're not at a university, or some other type of organization that has a wide open network, because if you were, you wouldn't care.
For a good list of fun tools, look here:. html [stanford.edu]
http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools
But beyond the rinky-dink stuff, at the most basic level, you want to make two choices right up front:
How important is the real-time interdiction to you?
Do you want signature-based tools, anomaly-based tools, or both?
If you would be content with a good system that doesn't have the ability to mitigate threats in real-time, then that widens your possible solution space quite a bit. In this area, you definitely get what you pay for. FOSS tools that have this capability are way behind commercial tools in ease of maintenance, configuration, and how many types of attacks they work against. So that requirement limits your options considerably.
A similar situation exists when we look at the detection method, signature vs. anomaly. Signature-based systems are a dime a dozen, but they don't cover the really dangerous stuff. Anomaly-based systems are somewhat more useful against the scarier threats, but no FOSS solution comes anywhere close to the commercial offerings. If you choose a FOSS alternative for an anomaly-based IDS/IPS, you will spend so much effort tuning and maintaining that you won't have any time left to respond to issues, and you will still not get adequate results.
I should point out that you have also limited yourself by considering only NIDS/IPS systems. The proper bundle of technologies and tools could give you the real intelligence that you need, whether or not it included NIDS/IPS. Other classes of tools, like SIMS, accounting systems, or deception environments have their uses too.
There are plenty of other aspects to consider, but that would take pages to discuss. All of this could be moot depending on your traffic loads, user demographics, platform constituency, infrastructure design, org chart, geographic distribution, existing IT policies, etc. etc. etc. There's just no universal solution.
This is an active area of CS research (Score:3, Informative)
A lot of people are trying to come up with data mining tools for intrusion detection. Just check out all the forward links to this paper from citeseer [psu.edu]. The problem is that they are currently reliable as bad motion detectors ... too many false positives. Which makes them useless.
Re:Don't underestimate just paying attention. (Score:1, Informative)
Aberrant Behavior Detection in Time Series for Network Monitoring [usenix.org]
Basically comes down to prediction based on exponential smoothing, shouldn't be too far over the head of your average IT geek
Re:Solution Used (Score:3, Informative)
Re:My complaint about intrusion detection devices. (Score:1, Informative)
It's primarilly focused on auditing / eventlog analysis, but there's a snort interface too I think (http://www.intersectalliance.com/snareserver/sam
Defense In Depth (Score:2, Informative)
To truly protect your system(s), you need to do many different things, including keeping the system updated, educating users, using a NAT, installing an IDS, and much more. That said, an IDS is probably one of the last things you should worry about: get your "basics" right first.
Snort supports in-line operation (Score:4, Informative)
Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project [sourceforge.net] which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.
Sourcefire [sourcefire.com] (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.
QRadar (Score:2, Informative)
Re:Size (Score:3, Informative)
I recommend Kerberos simply because when you want to disable an account, its as simple as nuking it on the kerberos DC. If you have 200 machines, all with local authentication and RSA keys, you'll have to go through all 200 machines.
Its not ideal, of course. You still need some way of managing user accounts. But its a good fit for the auth side of things.
It IS a fucking nightmare to get working properly cross platform though.
I use Snort + Swatch (Score:2, Informative)