IDS tools smarten up

Customer dissatisfaction with signature-based intrusion-detection systems leads to anomaly-based appliances.

Adar Meroz has worked with intrusion-detection systems from leading vendors for the past two years. But the vice president of networking and security for Diskal Systems Group, an Israeli service provider, says he has struggled to get them to work effectively.

Most IDSs rely on signatures, or pieces of code that identify known attacks, to spot attacks that are in progress. That means, for one, that the attack has already started by the time Meroz finds out about it; often, damage has already been done. Second, it's a chore to constantly install new signatures and they are delivered only after a new form of attack is already in the wild - which again is often too late. But perhaps worst of all, Meroz found it difficult to build all the rules that would let the IDS send commands to attached routers and firewalls to actually halt the offensive sessions.

"Very few people know how to build up the rules in the right logical order" to make an IDS work effectively, he says. "Even the smallest mistake, a rule not in the right spot, and you'll get many false positives." Which brings up another IDS bugaboo - if they are not tuned just right, they can generate such a sea of alerts that it becomes nearly impossible to ferret out which alerts relate to actual attacks.

However, where there is such user pain with a given product category, there also is opportunity for new players. True to form, companies including IntruVert Networks, NFR Security, OneSecure, Recourse Technologies and Vsecure Technologies are emerging with IDSs that, if they use signatures at all, it is only as one of several ways to detect attacks.

Vendors have developed schemes that let their devices identify attacks more by detecting aberrant traffic patterns or anomalies in specific packets than by relying on signatures. Many vendors deliver these wares in an appliance format that makes them easier to deploy than their IDS predecessors. And several have features such as automated signature updates, advanced reporting mechanisms and features that let the IDS thwart an attacker at the door, all of which mean they require fewer people to operate.

They can't be delivered fast enough to suit current IDS users.

"We see a predictable pattern where clients ask a lot about intrusion detection and who has the best products," says John Pescatore, research director for Internet security at Gartner. "Six months later they come back and ask if there's somebody they can outsource to."

Too many positives create a negative

The biggest pain point, he says, is the false positive issue. Reducing the number of false positives requires users to "tune" the IDS to ignore certain signature patterns that don't apply to their networks. At the simplest level, it might mean not checking for a known Microsoft Internet Information System attack pattern if you use only Apache Web servers.

The problem is, it takes lots of such rules before the IDS is sufficiently tuned to cover all the nuances of any network without generating an inordinate number of false positives. Every time there's a change to the network configuration, the IDS likely will have to be updated accordingly.

"Therein lies the problem," says Joe Krull, vice president of security for Vsecure. "You can't define exactly a static [intrusion-detection system] to work with a dynamic network. So you keep the rules very open, and you start to get a lot of false alarms."

Rebecca Bace, CEO of security consultancy Infidel, serves as lead forum faculty member for the Institute for Applied Network Security, which has hosted a number of forums for IDS users. "The user constituency has spent enough time in the trenches to understand that [signature-based intrusion-detection systems] are not sufficient," she says. "I've heard a lot of users say that when there's a competitive product available, their current [IDS] is out the door."

Competitive products are now available, and a lot more will be coming soon. Bace, who is involved with IntruVert and other security companies in her role as a venture capital consultant with Trident Capital, says there are about 40 venture capital-backed start-ups in the IDS arena.

A new IDS tack

While companies such as IntruVert, NFR, OneSecure, Recourse and Vsecure differ in their exact approach to the intrusion-detection problem, many share similar characteristics. They are easy to deploy, owing to their appliance form factor and their ability to essentially configure themselves.

Each vendor uses anomaly-detection techniques to augment or replace signatures. Depending on the product, these techniques might let the devices detect improper use of communication protocols, attacks meant to take advantage of vulnerabilities in specific applications and changes in traffic patterns that might indicate an attack. Some vendors claim to be able to thwart distributed-denial-of-service attacks by identifying these abnormal traffic patterns.

A number of vendors look for protocol anomalies, which include packets that are too long or contain the wrong data type. The IDSs also might look for state transitions, or tasks performed out of sequence. Most Internet protocols have well-defined handshaking routines that take place before or while data is exchanged. Intruders might try to deliberately perform certain tasks out of sequence in an attempt to exploit a vulnerability of a host or cause a buffer overflow, letting them take over the host.

It's still possible that an IDS trained to look for protocol anomalies will produce false positives, says Fred Kost, vice president of marketing and product development for Recourse, which was acquired by Symantec last month.

"You could pick up something that's a protocol anomaly but it's not malicious, like maybe an old mail server application that didn't implement [Simple Mail Transfer Protocol] correctly," he says. Users will identify such anomalies soon after installing the IDS and can write scripts to filter them out.
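As an added illustration (not code from the article or from any vendor it names), the following is a minimal state-transition check for SMTP of the kind described above, along with the operator-maintained exception Kost alludes to for a legacy mail application that skips the greeting. The command table, the sample sessions and the exception rule are all constructed for this example.

```python
# Constructed example of a "tasks performed out of sequence" protocol check
# for SMTP. Not taken from any product; the state table is a simplification
# of the usual SMTP command ordering (client commands only, no DATA payload).

# Which client commands are legitimate from each connection state.
ALLOWED = {
    "start":   {"EHLO", "HELO", "QUIT"},
    "greeted": {"MAIL", "RSET", "QUIT", "EHLO", "HELO"},
    "mail":    {"RCPT", "RSET", "QUIT"},
    "rcpt":    {"RCPT", "DATA", "RSET", "QUIT"},
    "data":    {"MAIL", "RSET", "QUIT", "EHLO", "HELO"},
}
# State entered after a command is accepted.
NEXT = {"EHLO": "greeted", "HELO": "greeted", "MAIL": "mail",
        "RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "QUIT": "start"}


def find_sequence_anomalies(commands, accepted=frozenset()):
    """Return (index, state, verb) for every command that is out of sequence.

    `accepted` holds (state, verb) pairs an operator has reviewed and decided
    to tolerate (the "write scripts to filter them out" step); those are
    treated as legitimate so the rest of the session is tracked normally.
    A rejected command does not advance the tracked state.
    """
    state, anomalies = "start", []
    for i, line in enumerate(commands):
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb not in ALLOWED[state] and (state, verb) not in accepted:
            anomalies.append((i, state, verb))
            continue
        state = NEXT.get(verb, state)
    return anomalies


# Constructed sample sessions (client side only).
NORMAL = ["EHLO client.example", "MAIL FROM:<a@example>",
          "RCPT TO:<b@example>", "DATA", "QUIT"]
# Old relay that never sends HELO/EHLO: non-compliant but not malicious.
LEGACY = ["MAIL FROM:<a@example>", "RCPT TO:<b@example>", "DATA", "QUIT"]
# Commands deliberately out of order after a valid greeting.
ODD = ["EHLO client.example", "DATA", "RCPT TO:<b@example>",
       "MAIL FROM:<a@example>", "QUIT"]

# Exception added after review of the legacy relay's first alerts.
BENIGN = frozenset({("start", "MAIL")})
```

Without the exception the legacy relay raises an alert on every command until its first QUIT; with it, only the genuinely out-of-order session is flagged.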

Some of the new IDSs also support automated signature updates, where signatures are pushed out to a server on the user's site, which then delivers them to individual IDS sensors. The products also typically can handle higher speeds than traditional IDSs, particularly IntruVert's IntruShield, which can monitor up to 2G bit/sec of traffic in full-duplex mode, NFR's Network Intrusion Detection (NID) and Recourse's Manhunt. Finally, if users enable the feature, devices including IntruShield, NID and Vsecure's NetProtect can stop an attack, either by dropping packets or resetting IP connections.

That means users don't necessarily require a security professional to be on the scene at all times, Krull says, which is a reality in many companies. "There's a huge disparity between the level of skills and the complexity of the products, especially with an [intrusion-detection system] product," he says. "In most organizations, the person stuck with security is the junior systems administrator, because nobody wants to be saddled with the responsibility of keeping patches up to date."

Protecting Fishman

Diskal's Meroz confirms Krull's assessment. Since early April, he's used NetProtect in production mode to protect a cluster of a dozen servers that Diskal operates for Fishman Networks, an Israeli retailer. For the first time, he can use an IDS to not just detect an attack, but prevent one.

He's watched the device stop various intrusion attempts and packet floods. "There was a Trojan worm that was supposed to distribute itself, but it was stopped at the [NetProtect] box," he says, noting the same worm got by an antivirus system and firewall on a different network segment.

NetProtect also is simpler to maintain than the three previous brands of firewalls with which Meroz has worked, all from leading vendors. Users attach the device to the network segment they want to protect, then put the box in "learning" mode for a couple of hours. NetProtect detects what network protocols and services are running and assesses what constitutes normal behavior. The device then can be switched to transparent mode, in which it will show the types of attacks that are taking place and the steps it would take to block them. In active mode, the device actually blocks attacks, by dropping packets or resetting connections.

When it does block traffic, it does so only from a specific IP address and only for a few seconds or minutes, depending on the severity of the attack, Meroz says. Once it lifts the block, it continues to monitor that address. "That's a very important feature for us because many of our clients are sitting behind one legal IP address and many attacks use IP address spoofing," he says. So when an attacker is using a legitimate user's IP address, traffic is only disrupted for a short time.

NetProtect doesn't use signatures at all, which eliminates the chore of installing signature updates and tuning the device afterward. "Maintaining this system takes us about one-fourth of the time it took us to maintain the other [IDS]," Meroz says.

Shielding Cal State

Chris DaSilva, network architect and engineer for California State University at Hayward, has had a similar experience during his beta test of IntruVert's IntruShield, which began in late March. He says IntruShield installed in about 15 minutes, after which it learns about its network surroundings and creates a baseline for traffic patterns at various times of day and in different network segments. IntruVert also pushes out signature updates to customers, and provides for an automated update.

That was a big step up for DaSilva from the signature-based IDS the university had. Signatures must be manually downloaded from the vendor and installed on the sensor. But his bigger gripe was that updates were issued only every two or three months. "It's not nearly frequent enough," to keep up with new attacks, he says.

When the Code Red worm hit, DaSilva's group had to write its own signature. The resulting code required the IDS to peer so deep into packets that it was affecting throughput. IntruShield, by contrast, is optimized for speed, he says, and can examine every packet in depth without affecting performance.

DaSilva also likes the reporting capabilities built in to IntruShield, noting that many other IDSs require a separate reporting package. "IntruVert gives you lots of management-type reports, top 10 attackers and such," he says.

That makes it simple to determine what new rules have to be written to thwart attacks, without having to monitor the device all day. "That can be quite time-consuming," he says. "If you have a lot of these deployed, it's a full-time job."

IntruVert also allows for distributed administration, letting different administrators monitor the portions of the network for which they are responsible. DaSilva says that feature will let the eight administrators who are responsible for the different schools and administrative offices within the university each monitor their own network segments.

DaSilva says he also likes IntruShield's ability to drop packets or reset connections on its own. "That's our goal, to let it drop packets," DaSilva says. "We can set what we want to be sensitive to and what we're comfortable with, and let it fly."

Palm's manly defense

Matt Archibald, director of global IT security for Palm in Santa Clara, needed a tool that would provide a high level of risk management, didn't require a lot of staff and could operate at near-gigabit speed. He opted for Manhunt and Mantrap products from Recourse.

Mantrap is essentially a honeypot intended to trap intruders, while Manhunt is an IDS that supports protocol anomaly detection and statistical correlation and analysis. It can support signatures, including those imported from other IDSs. Palm uses both products to detect internal and external threats.

"Manhunt has saved our butts already with some of the newer viruses propagating, Trojans like Nimda and Code Red," Archibald says. Manhunt caught both worms at least 48 hours before other security vendors alerted Palm to them.

Correlation capabilities in Manhunt let it winnow down thousands of events to maybe a couple of dozen that require further investigation, he says. "So you really don't need to tune anything out," as with traditional IDSs. "There's far less to look at."

Manhunt also is able to keep up with Palm's high-speed links, most notably the T-3 lines that connect headquarters and data centers, and the Internet connections for Palm.net, the ISP the company operates for wireless users.

He doesn't miss having to keep up with signature updates, a process he knows well from previous stints as a consultant. Deploying new signatures meant testing them for a few hours first in a staging area, a process he acknowledges most users probably don't go through. He says that is a mistake, even with the new automated update features.

"Never assume that something you automate to grab code for you is doing the right thing," he says. "You need to validate that you're not opening another hole." A word to the wise.

Editor's note: NetScreen announced on Aug. 29 that it plans to buy OneSecure for about $140 million in stock.

Desmond is a writer and editor in Framingham, Mass., who serves as editor of eSecurityPlanet.com. He can be reached at paul@pdedit.com.

Related Links

Test reveals IDS strengths, weaknesses
After pounding on six intrusion-detection systems, a network equipment test lab in England has concluded that while IDS products spot their fair share of hacker or denial-of-service attacks, there is still room for improvement. Network World, 07/01/02.

Crying wolf: False alarms hide attacks
One thing that can be said with certainty about network-based intrusion-detection systems is that they're guaranteed to detect and consume all your available bandwidth. Whether they also detect network intrusions is less of a sure thing. Network World, 06/24/02.

IDS glossary
From "anomaly-based IDS" to "stateful matching" and everything in between.

Copyright, 1994-2006 Network World, Inc. All rights reserved.