Intrusion Detection - The Big Picture - SANS GIAC
© 2000, 2001
Intrusion Detection
The Big Picture – Part II
Stephen Northcutt
Introduction
• Introductory Example - Mitnick Attack
• Is There A Business Case For Intrusion Detection?
• What We Will Cover in This Course
OK, after that brief message to Your Sponsors, let’s look at what we plan to cover in the rest of the
course.
Intrusion Detection Roadmap
What are the pieces and how they play together
• Host-Based Intrusion Detection
– Unix
– WinNT, Win95, Win98
• Network-Based Intrusion Detection
– Shadow
– ISS RealSecure
– Cisco NetRanger
Before we can understand how intrusion detection fits into the Big Picture, we need to examine it in
more detail. We’ll look at the differences between host-based and network-based intrusion detection
systems, and note their respective strengths and weaknesses. Then we’ll see how popular examples
of both free and commercial ID implement these concepts.
Intrusion Detection Roadmap (2)
What are the pieces and how they play together
• Honeypots
• Firewalls
– Proxy, State Aware, Filtering Routers
After we’ve examined the active defences of intrusion detection, we’ll look back at more passive
measures, namely firewalls and honeypots.
(They can be called active defences because if you aren’t active in monitoring their output, they are
no defence.) ;)
We’ll look at how intrusion detection systems interact with the different types of firewalls, and how
honeypots and ID play together.
Intrusion Detection Roadmap (3)
What are the pieces and how they play together
• Vulnerability Scanners
• Response, automated and manual
– Manual Response
• Emergency Action Plan, 7 Deadly Sins
• Evidence preservation - Chain of Custody
• Threat Briefing - Know your enemy
– Ankle Biters
– Journeyman Hackers / Espionage
– Cyberwar Scenario
We’ll look at vulnerability scanners, and how you can scan your network before the bad guys do it
for you, and get a handle on specific risks.
Then we’ll get into the exciting world of incident response, covering what to do when your intrusion
detection systems detect an attack in progress, or already completed. (Incident response may be
exciting, but it’s seldom fun when it’s for real.)
And to round off the section, we’ll look at the different types of attacker you might find assailing
your network, and finish with a full-blown cyber-wargame.
Intrusion Detection Roadmap (4)
Using What We Have Learned
• Risk Assessment and Auditing
• Introduction to Risk Management
• Knowledge-Based Risk Assessment
• Online Auditing Tools
• Business Case for Intrusion Detection
– How All These Capabilities Work Together
• Future Directions
– Intrusion Detection in the Network
– Program-Based Intrusion Detection
In our last section, we’ll look at risk assessment, and then combine everything we’ve learned into a
revised business case. Finally, we’ll glance at some of the trends in intrusion detection, and what the
playing field might look like in 6 months or so. (We won’t be brave enough to guess further than that.)
Tools
• TCP Wrappers
• Syslog
• Tripwire
• Nuke Nabber
• Tripwire NT
• Firewall-1
• Cisco Router
• ISS RealSecure
• DTK
• Saint
• Nessus
In this course we’re going to examine the various types of security tools and look at particular
examples of them in some detail. We obviously can’t cover all the products out there, as the security
industry is growing rapidly, but we will try to cover the best-known and most popular in each
category.
There is no one product or product suite that solves every problem, so your organization will benefit
from your understanding of how these different components work together, and how to mix and
match them to provide the level of risk reduction you need.
We’ll cover both free and commercial tools and we’ll show you where to get hold of them
(evaluation versions of the commercial tools are normally available) so you can try them yourselves.
Processes
• 7 Steps to Security
• 5 Deadly Management Mistakes
• 6 Steps to Incident Handling
• Chain of Custody
• Knowledge-Based Risk Assessment
After that list of products, to remind you that security is a process, not a product, here are some of the
processes we’ll cover.
The Hard Questions
(Why I wrote this overview course)
• What are the components of a full court
intrusion detection strategy?
– What do the various components do?
• Many IDS web sites never state what the
infernal things do!
– How do we implement them?
• Where do the components fit in the “big
picture”?
To summarize the course in a single slide ☺, these are the questions we are trying to answer today.
Introduction
• Introductory Example - Mitnick Attack
• Is There a Business Case for Intrusion Detection?
• What We Will Cover in This Course
Questions?
Any questions before we dive in?
Host- and Network-Based
Intrusion Detection
• Host-Based Intrusion Detection
– Unix
– Windows NT, 95, 98
• Network-Based Intrusion Detection
– Shadow
– ISS RealSecure
– Cisco NetRanger
In the second and largest section of the course, we’ll examine intrusion detection in greater depth.
We’ll examine and compare host-based and network-based intrusion detection and their relative pros
and cons.
Vendors of host-based intrusion detection will tell you host-based is the only way to go to handle
high traffic and insider threats, while network-based vendors will claim network-based intrusion
detection is more cost effective. Many vendors’ products now include both host- and network-based
components, and those vendors of course say you need both.
Host-Based Intrusion Detection
Host-based intrusion detection could also be called host-specific intrusion detection, in that its
primary purpose is to detect suspicious activity or known attack patterns on the specific host it is
installed on.
Some host-based intrusion detection systems (HIDS) have a number of host detectors reporting to a
central management console that can flag alerts, centralize logs, and update the host detectors’
policies. Other HIDS are standalone.
The boundaries between HIDS, anti-virus packages, and personal firewalls are blurring.
Need for Host-Based ID
• Very fast networks
• Switched networks
• Back doors in local network
• Insider on network
• Network-based IDS may miss attack
• Don’t trust corporate security that much
Speed and the visibility limitation of switched and encrypted networks are network intrusion
detection systems’ biggest limitations. We’ll examine them in a bit more depth in the next two slides.
Host-based intrusion detection can be very valuable in detecting back doors into your network, such
as unsecured modems or links from other organization units or business partners. It’s no good relying
on your network sensors that watch your front door if the back door is wide open.
Another aspect of host-based intrusion detection is that it can catch insider attacks that don’t cross
the network or don’t pass through the instrumented perimeter. Network-based systems can also miss
some sophisticated attacks - for example, traffic deliberately fragmented and reordered by a tool such
as fragrouter to evade the sensor - that HIDS will detect, since the host reassembles the stream before
the application ever sees it.
Finally, HIDS have a lower cost of entry down to the level of protecting a single person or home PC
for $50, versus the $10,000 or so for commercial network intrusion detection systems (NIDS). They
also do not require a dedicated machine.
Very Fast Networks
• The current limits for network-based IDS boxes are about 80 Mbps fully loaded
• A 200 MHz Pentium bus would only partially increase this
• Bandwidth at large sites will probably always exceed network detection and processing speed
There will always be a finite limit to the speed at which a network-based intrusion detection system can
operate, and it will always be possible to engineer a network that confounds network-based intrusion
detection technology. Therefore, host-based ID will be an important player for the long haul.
High bandwidth is a major challenge for NIDS. Be wary of taking that 80 Mbps as a solid number,
since it is based on assumptions about packet size and the number and complexity of the filters. Once a
sensor’s bandwidth limit is exceeded, its performance tends to degrade rapidly: it does not just discard
excess packets, but thrashes from resource exhaustion. Graceful degradation into “statistical
sampling” is desirable.
A response to the bandwidth limits of network sensors is to move the sensors out towards the
leaf nodes of your network, trading multiple sensors for less bandwidth per sensor. One can view
HIDS as this trend taken to its logical conclusion, but beware that you have traded your bandwidth
problem for a deployment problem.
Switched Networks
• Network-based intrusion detection systems rely on promiscuous mode for their NICs; this is not
possible with switched networks
• Intrusion detection in the switch is the future direction, not really here yet
• Host-based is one reasonable solution
Promiscuous mode allows the network interface adapter to collect all the packets, not just the ones
addressed to the machine. Until switched networks, this was a very efficient way to collect packets.
While switched networks are seen as a win for security in terms of reducing the sniffer threat, they
do greatly reduce the potential for “white hat” sniffing, that is, network intrusion detection. Be aware
that switched networks do not entirely remove the sniffer threat: there are techniques to force a
switch to flood traffic out every port (overflowing its MAC address table so it behaves like a hub), or
to reroute data streams past the sniffer by ARP spoofing, for example with dsniff’s arpredirect tool.
Switched Network
In a switched network, a virtual circuit is created between two
peers across the switch fabric. Each port on the switch only
supports the circuits to that host.
Because of the virtual circuit, a network-based IDS with a promiscuous interface will not detect
much.
Similar to switched networks in terms of the problems they cause for network intrusion detection are
VPNs and other encrypted channels. In this case, the only possible place to put a sensor is at one end
of the encrypted channel, that is a host-based solution (attackers use encrypted channels for precisely
this reason, that is, to hide from network intrusion detection).
Spanning Port
Switched Networks
Sensors can be placed on a mirroring port, but can usually only
monitor one VLAN at a time. This does not work very well in practice.
There are many problems with the spanning port as a solution to support network-based IDS. One major
vendor’s switch will only span a single VLAN at a time. Spanning also may affect the performance
of the switch.
The other problem with using a spanning port is that frequent network changes can often disrupt
spanning port settings. This would typically be caused by a network engineer being unaware of the
spanning port’s purpose or the intrusion detection sensor’s presence. Of course, the first you know of
the problem is when you notice that the sensor isn’t reporting any detects. This is a problem with
many current intrusion detection systems, namely that they don’t see “no traffic” as an error
condition worth reporting, but merely fail silently unless connectivity to the management station is
lost.
Switch vendors are becoming more aware of the requirements of intrusion detection and in some
cases are building network intrusion detection capabilities into the switch itself.
Host-Based Intrusion Detection Methodology
• Host systems monitor their network connections and file system status. For this to work, we have
to acquire the aggregate logs of ALL critical systems at a minimum
• Local processing/alerting may be done, but data is generally sent to a central location for parsing
• When potential problems are found, alerts are raised
Deployment and the choice of which systems to monitor is the major decision in your host intrusion
detection plan.
Your core servers, perimeter servers, firewalls, web servers, DNS servers, and mail servers are the
obvious first choice for deployment. While it would be desirable to roll out host intrusion detection to
all systems throughout the organization, the costs are usually prohibitive for commercial intrusion
detection systems. Typical costs range from $50 to $500 per host. This makes the tradeoff ratio
around 20 to 200 host intrusion detection systems for the cost of a single network sensor.
The other issue influencing the deployment decision is that the more frequently a host is
reconfigured, the more false positives the intrusion detection system will generate. Unless
configuration management is one of your tasks, you generally only want to monitor stable servers,
not test or development systems that change frequently.
Host-Based Intrusion Detection Methodology
[Diagram: A connects to B. B logs the connection and informs the log server. The log server records
the A -> B connection, checks its ruleset, finds A -> B is OK, and waits.]
It is a Good Idea™ to write (or copy) the logs to a different computer than the system creating
them. This way, if that system falls, it is harder for the attacker to cover his tracks. In fact, this
attribute of network intrusion detection is often cited as a selling point. This makes it harder for the
attacker to tamper with the evidence of the attack (of course, Unix syslog has been doing this for
years).
Central secure log servers and remote consoles are important features allowing widespread
deployment while retaining central management capability. A sophisticated attack on a server
defended by HIDS would involve a denial of service attack on the log server, so it’s worth
considering having additional measures - such as a single network intrusion detection sensor
watching your log server or having your security management servers behind an internal firewall.
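The log server in the diagram above does two jobs: it checks each forwarded connection record against a ruleset, and it is the only place that can notice a sensor has stopped reporting (the “no traffic is not an error” problem from the spanning port slide). Here is an added example of both, written for this course overview and not taken from the course or from any product. The log lines, the host names B, C and D, the ruleset and the two-minute silence window are all constructed; the record format imitates what TCP Wrappers writes to syslog (“daemon[pid]: connect from client”) behind a syslog timestamp and the reporting host’s name.

```python
"""Central log server for host-based sensors: parse the connection records
the hosts forward, check each against a ruleset, and flag sensors that have
gone quiet.

Added example, not code from the course. Log lines, host names, rules and
the silence window are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of what the log server received. Host D is expected
# to report but never does.
SAMPLE_LOG = """\
Mar 10 14:01:05 B in.ftpd[2101]: connect from 10.1.1.5
Mar 10 14:01:30 B in.telnetd[2107]: connect from 10.1.1.5
Mar 10 14:02:10 C sshd[311]: connect from 192.168.2.40
Mar 10 14:03:42 B in.ftpd[2119]: connect from 172.16.9.9
Mar 10 14:04:00 C in.rshd[330]: connect from 10.1.1.5
"""
EXPECTED_HOSTS = {"B", "C", "D"}
YEAR = 2001                                  # syslog timestamps carry no year
NOW = datetime(YEAR, 3, 10, 14, 5, 0)        # "current" time for the run below
LATER = NOW + timedelta(minutes=10)          # a later run, after B and C go quiet

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.-]+)\[\d+\]: connect from (?P<src>\S+)$"
)

# Ruleset: which source networks may reach which service. A service with
# no rule is reported, as is any source outside the listed networks.
RULES = {
    "in.ftpd": [ip_network("10.1.1.0/24")],
    "in.telnetd": [ip_network("10.1.1.0/24")],
    "sshd": [ip_network("192.168.2.0/24")],
}


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m["ts"].split())        # collapse "Mar  1" to "Mar 1"
    return {
        "ts": datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "service": m["service"],
        "src": ip_address(m["src"]),
    }


def check(record):
    """Return None if RULES permit the connection, otherwise the reason."""
    nets = RULES.get(record["service"])
    if nets is None:
        return f"no rule for service {record['service']}"
    if any(record["src"] in n for n in nets):
        return None
    return f"{record['service']} from {record['src']} not in allowed sources"


def analyse(log_text, now=NOW, silence=timedelta(minutes=2)):
    """Check every record against the ruleset, then report any expected
    host that has not logged anything within `silence` of `now`. A sensor
    that stops reporting otherwise looks exactly like a quiet network."""
    alerts = []
    last_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            alerts.append(f"unparseable line: {line!r}")
            continue
        last_seen[rec["host"]] = max(rec["ts"], last_seen.get(rec["host"], rec["ts"]))
        reason = check(rec)
        if reason:
            alerts.append(f"{rec['ts']:%H:%M:%S} {rec['host']}: {reason}")
    for host in sorted(EXPECTED_HOSTS):
        ts = last_seen.get(host)
        if ts is None:
            alerts.append(f"{host}: no records at all (sensor silent?)")
        elif now - ts > silence:
            alerts.append(f"{host}: nothing since {ts:%H:%M:%S} (sensor silent?)")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against the sample it raises three alerts: the FTP connection from outside the permitted network, the rsh service nobody wrote a rule for, and host D, which never reported. The silence check is deliberately keyed on a list of expected hosts rather than on hosts that have been seen, because a sensor that is cut off (or never came up) leaves no trace in the logs to key on.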
Unix Host-Based Intrusion Detection
• TCP Wrappers
• Syslog
• Tripwire
• CMDS
OK, enough theory, let’s look at some of the popular host-based intrusion detection tools. We first
look at Unix tools, before doing Windows.
TCP Wrappers
• Where to get it
• What does it do?
– Without TCP Wrappers
[Diagram: inetd.conf maps port 21 to ftp and port 23 to telnet; an incoming TCP connection to port
21 goes straight to the service]
With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP,
TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. The package provides
tiny daemon wrapper programs that can be installed without any changes to existing software or to
existing configuration files. The wrappers report the name of the client host and of the requested
service; the wrappers do not exchange information with the client or server applications, and impose
no overhead on the actual conversation between the client and server applications.
Wietse Venema’s TCP Wrappers, now in version 7.6, is a first line of defense. It is free and often
included as part of more recent UNIX and Linux versions.
Without TCP Wrappers, all incoming TCP requests are serviced without question. TCP Wrappers
allows your system to be more selective about who connects to it and adds a very valuable logging
service. Many personal firewalls currently on the market have identical functionality, merely ported
to Windows.
TCP Wrappers
• What does it do?
– With TCP Wrappers
[Diagram: inetd.conf maps port 21 to ftpd and port 23 to telnetd; an incoming TCP connection to
port 21 now passes through Log Access, Check ACL, Call Inetd before the service sees it]
In this example, an FTP request (TCP port 21) arrives at our system, which has host-based
logging. inetd hands the connection to the wrapper, which first logs that the connection arrived, with a
time stamp, the client host and the requested service. Then it checks its Access Control List (ACL,
pronounced “ACK-ull”) to see whether it will allow the connection. If so, it starts the FTP daemon and
lets it process the request. If the ACL doesn’t allow the connection (based on the client’s address or
host name), the connection is dropped and the refusal is logged.
Host Deny
• ALL : ALL
• # Deny everything, add back with /etc/hosts.allow
This is the recommended content of TCP Wrappers’ /etc/hosts.deny file, a suitably paranoid “deny
everything not expressly permitted” stance (always a good starting point for a security policy). It has
to be there: with neither access control file present, the wrappers grant access to everyone. You then
specifically permit allowed services and trusted sources in the /etc/hosts.allow file.
Host Allow
• ALL: LOCAL, .nnnn.abc.org, 192.168.2., friend.somewhere.edu
• sshd: sometrustedhost.somewhere.org
In this example, we are saying that for ALL services, let LOCAL hosts (names without a dot, i.e. in our
own domain), anything under nnnn.abc.org (the leading dot makes it a domain suffix), anything on the
192.168.2 network (the trailing dot makes it a network prefix), and friend.somewhere.edu have access.
For the secure shell, we list a specific host that we trust.
Notice that hosts.allow is consulted first and takes precedence over hosts.deny: the wrappers grant
access on the first match in hosts.allow, deny on the first match in hosts.deny, and grant access if
neither file matches. So if hosts.deny has a deny everything policy and hosts.allow has an allow
everything policy, the system is wide open. Many security rule sets have this sort of counterintuitive
“gotcha”. Remember, configuration errors are a leading cause of security breaches.
Brief DNS Review (TCP Wrappers Paranoid mode)
gethostbyname:
Has name, gets address
$nslookup stephennorthcutt.com
192.186.21.2
gethostbyaddr:
Has IP address, gets name
$nslookup 192.186.21.2
stephennorthcutt.com
The default for wrappers is to do both a forward and reverse lookup and if they do not match, not to
allow the connection. We are often playing games with DNS and get burned by this several times a
year, so it certainly works. ☺
This will pick up DNS transient attacks, like cache poisoning, but won’t detect a social engineering
attack on a registrar who doesn’t correctly authenticate domain changes.