Intrusion detection: Security beyond the firewall

Slowly but surely, hardware and software vendors are finding ways to close the holes in their products that allow hackers and virus writers unauthorised access to networks. Nevertheless, the rate of incidents (attacks) on networks is still increasing exponentially.

As more malicious code circulates via the Internet, it is becoming apparent that no perimeter defence can provide complete protection from attacks. Many organisations are now investing in intrusion detection systems (IDSs) to minimise the damage in case the wrong code gets through the door.

If devices like firewalls are designed to be the traffic cop that sits at the front door of the network, the intrusion detection system is the video camera that is watching the whole house. Although firewalls are effective, hackers and virus writers are becoming sophisticated enough to find ways around them. As soon as the network is compromised, new tools are needed to alert administrators and, if possible, to act on the problem.

There are several types of attacks that have brought about demand for such tools. Armagan Cetindas, senior network consultant for Enterasys Networks, explains that common attack methods are separated into three groups. The first group is reconnaissance attacks - those pings, DNS transfers and indexing of public Web services that attempt to determine where holes and vulnerabilities are in a network. The second type of attack is a Denial of Service (DoS) attack, in which attackers flood a network with requests to crash a server or host in order to prevent service. The third type of attack is exploits - those attacks that attempt to gain unauthorised, untraceable access to systems. Such exploit attacks include buffer overflow, where an attacker keeps the system's execution cycle busy with a complicated task, gaining access by executing another separate task that is able to override privileges while the execution cycle is kept busy.

Firewall vendors argue that their products are maturing and are reaching a point where many of these attacks can be thwarted at the edge of the network. But studies from various industry bodies, such as AusCERT, identify that most organisations are seeing attacks that break through the perimeter and cause havoc once inside the network.

The 2002 Australian Computer Crime and Security Survey undertaken by Deloitte Touche Tohmatsu, AusCERT and the NSW Police Service found that over 67 per cent of respondents had been attacked within the last 12 months, up from 33 per cent in 1999. Twenty per cent of respondents claimed their systems were penetrated by an external source, and more than 40 per cent had suffered Denial of Service attacks.

Kim Duffy, managing director of IDS vendor ISS, said organisations are suffering from what he terms "crustacean security". "There is a hard shell on the outside with firewalls and authentication, but on the inside is a nice, soft and chewy centre for hackers to eat at," he said.

Duffy said firewalls serve a valuable purpose in any network, but that such devices are only one line of defence against a growing number of threats. "Relying purely on your firewall is like having a front gate but no fence," he said.

Malicious attacks via Web

ISS' own research suggests that 70 per cent of malicious attacks enter the network through port 80, which is generally kept open for Web traffic. "Firewalls can't stop that," said Duffy.

Intrusion detection systems analyse the data that travels through a network and act on those events that look suspicious. The process involves placing sensors at various locations in a network - usually on a hub, switch or Ethernet tap. These sensors, in conjunction with the firewall, watch traffic for suspect packets. The small, simple components copy the traffic stream and divert the copy off the network to a location where it can be analysed and processed separately, so it doesn't affect the performance of the network. The log files from each of these sensors are sent to a centralised system which cuts down the reports (which can involve tens of thousands of files at a time) to those that network administrators should be kept aware of. Generally the system terminates the connection from any source sending a suspect packet. It also acts as an alarm system of sorts, notifying IT staff of any unwanted packets that have penetrated the network.

"An IDS is kind of like a log-reduction system," said Cetindas. "There are many tools out there - firewalls and sniffers and the like, but you need to be able to look at it and make sense of it. You need to grab your syslog, firewall logs, host application logs and put them all in one central location."

Dr Tim Cranny, senior consulting engineer for managed security provider 90East, said the first intrusion detection systems were signature-based - based on known patterns from previous attacks. But because they are based on known threats, these systems tend to be passive and reactive. They can only ever recognise or act on threats that have been identified in the past and are less effective at protecting against new threats.

In order to create more proactive intrusion detection systems, the cutting-edge vendors are now trying to develop anomaly-based systems. These systems look at the traffic on a given network over a period of time in an attempt to work out what is "normal" behaviour on the network. The system then raises an alarm when it notices an event that is abnormal.

Cranny said these anomaly-based systems are still in their infancy, and that there are not many examples of production systems in Australia. The obvious problem with these systems is that often they react to packets that may be new and abnormal, but not dangerous.
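To make the signature-versus-anomaly contrast (and the log-reduction role Cetindas describes) concrete, here is an added example that is not from the article or any vendor it names. It runs both approaches over constructed log events assumed to have already been copied off the wire to a central collector; the 10/8 internal range, the 20-packet flood threshold and the rule names are assumptions.

```python
from collections import Counter

# Constructed sample events (src, dst, dport, proto, info); not real traffic.
BASELINE = [  # learning period: what "normal" looked like on this network
    ("10.0.0.5", "10.0.0.80", 80, "tcp", "SYN"),
    ("10.0.0.6", "10.0.0.80", 443, "tcp", "SYN"),
    ("10.0.0.7", "10.0.0.80", 80, "tcp", "SYN"),
    ("10.0.0.5", "10.0.0.53", 53, "udp", "QUERY"),
]
LIVE = [
    ("10.0.0.5", "10.0.0.80", 80, "tcp", "SYN"),        # ordinary web hit
    ("203.0.113.9", "10.0.0.53", 53, "tcp", "AXFR"),     # zone transfer probe (recon)
    ("10.0.0.8", "10.0.0.80", 8443, "tcp", "SYN"),       # new admin console: benign
] + [("198.51.100.4", "10.0.0.80", 80, "tcp", "SYN")] * 50  # SYN flood (DoS)

# Signature rules: known patterns only. Assumed internal range is 10/8.
SIGNATURES = {
    "recon: dns zone transfer attempt":
        lambda e: e[4] == "AXFR" and not e[0].startswith("10."),
}
FLOOD_THRESHOLD = 20  # assumed: SYNs from one source before we call it a flood

def signature_alerts(events):
    alerts = [(name, e) for e in events
              for name, rule in SIGNATURES.items() if rule(e)]
    syns = Counter(e[0] for e in events if e[4] == "SYN")
    alerts += [("dos: syn flood", src)
               for src, n in syns.items() if n >= FLOOD_THRESHOLD]
    return alerts

def learn_baseline(events):
    # "Normal" = the set of (dst, dport, proto) services seen while learning.
    return {(e[1], e[2], e[3]) for e in events}

def anomaly_alerts(events, baseline):
    # Flags anything unseen: catches the tcp/53 AXFR, but also the benign 8443.
    seen, out = set(), []
    for e in events:
        key = (e[1], e[2], e[3])
        if key not in baseline and key not in seen:
            seen.add(key)
            out.append(("anomaly: unseen service", key))
    return out

def reduce_logs(live, baseline):
    # Log reduction: many raw events in, a handful of alerts out for a human.
    alerts = signature_alerts(live) + anomaly_alerts(live, learn_baseline(baseline))
    return {"raw_events": len(live), "alerts": alerts}
```

Note that the anomaly detector raises one true alert (tcp/53 was never seen in the baseline) and one false positive (the benign 8443 console), which is exactly the weakness Cranny describes.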

The network-based IDS is quite commonly complemented by server or host-based intrusion detection systems. ISS' research indicates that most penetration from attackers is now at the server or host level, an alarming precedent considering the value of the data that is stored in such systems.

Another method administrators can use to minimise the threat is to set up "honeypots", dummy sites set up within a network that are designed specifically to appear vulnerable to attackers. Any subsequent attack on the honeypot is recorded by the IDS, giving administrators time to assess the vulnerability the attack exploited and adjust the perimeter defence to ward off such an attack in the future. But while honeypots are an extremely useful tool for researching attackers and educating oneself, Cranny suggests they should never be seen as an absolute decoy. "No honeypot is so attractive that your real systems can't be targeted," he said.

An IDS allows administrators to engage in deeper analysis of their network without compromising the performance of the network. While the firewall is where most proactive decisions are made with regard to which packets are permitted and not permitted into a network, too much analysis at the firewall can cause traffic headaches. "You could say a firewall is a form of intrusion detection because it decides what form of traffic it will let through and what traffic it will drop," Cranny said. "But the analysis of the packets can only be fairly simple - if the firewall figures a packet is part of an attack it drops it and rings an alarm bell, but its analysis cannot go much deeper than that."

Cranny said there is always a performance issue involved when analysing packets at the firewall. "The danger is that you are dealing with real traffic, not a copy of the traffic," he said. "It's not the collection of data that's challenging, but the chewing on it. If it's done wrong, there is a real potential to slow down your network."

While the pool of attackers coming from outside the network is growing, the "soft, chewy centre" Duffy describes is also often left unprotected from those within the network. The recent AusCERT study showed that 16 per cent of the organisations surveyed had been compromised by insiders who'd gained unauthorised access to information. Cranny believes an IDS is a useful tool for identifying and acting on such misuse of resources. "If a company's employees are aware that the traffic is being monitored, they are less likely to do anything illegal," he said.

The IDS space is still somewhat of a niche industry and the technology is far from being perfected. "It's a rapidly evolving technology," said Enterasys' Cetindas. "It could be five years before we find the perfect product. The problem is that everything is inconsistent. User habits are always changing."

Compared with firewalls, antivirus software and other IT security technologies, intrusion detection systems are expensive. But Duffy suggests that if you value the assets being protected, one could argue that the money is being well spent. "It's less than one per cent of your standard IT budget and that is a lot cheaper than physical security," he said.

There are only a few players competing for the business thus far. Most of them have been startups that were snapped up by networking giants such as Enterasys or Cisco, with the exception of ISS, which touts itself as the inventor of today's IDS systems. These major vendors, along with traditional antivirus vendors like Symantec and Network Associates, have begun selling such solutions through local channel partners that specialise in integration or security.

As yet, only 53 per cent of AusCERT's survey respondents claim to have implemented intrusion detection systems. The report's authors were surprised by such low figures. "IDSs can be a valuable adjunct to a network security framework by assisting with the detection of computer attacks within a network perimeter, particularly when some attacks are capable of bypassing firewalls. It is surprising that the use of IDSs in Australia is not higher. Only 53 per cent of respondents used such systems in Australia compared to 60 per cent in the US, but in most categories the use of these technologies is very similar," the report stated.

There are plenty of opportunities then for channel companies to point out the risk organisations face if they rely purely on their firewall for IT security. "It's an excellent business for resellers," said Duffy. "The product, in my opinion, is not massively complex. But there is a lot of work in assessing the vulnerability of a customer's network, matching protection systems to those vulnerabilities, and assisting the customer to develop a security policy."

Advocates of IDS suggest it is the holistic process the technology reinforces that is of most value to the organisation. "The thing that needs to be remembered is that the end of the chain needs to involve a human," said Cranny. "You cannot trust these systems alone. For any of these systems, something out of the ordinary can reset the signal and kill the connection - but you don't know whether that was a threat or whether it was somebody wanting to do business with you. It can quite easily turn around and bite you."

The necessary human element has seen managed security providers take the fore with deploying such technology, Cranny said. More IT-savvy organisations are biting the bullet and outsourcing the "nastier" jobs to a third-party organisation that has professionals monitoring such issues 24x7. "The tools are very necessary, but you can't just leave it in a box and walk away," he said. "There needs to be a nicely judged balance of technology and humans."

"It is vital you take a holistic approach to security," said Cetindas. "There is no one product that can do the whole thing. It's not just a firewall or an IDS that matters - it's a thought process you need to have over the whole entity."
