Catching them Red-Handed

DQI Bureau

One fine day, a bank was operating as per its daily schedule when its banking database was suddenly found to be showing all the wrong records, and the security management task force was immediately alerted. The organization was relying on firewalls that did not inspect the inbound traffic for malicious data, which prolonged the process of tracking the virus and alerting the network. An IDS would have saved the network from damage, owing to its ability to scan the inbound traffic as well as the outbound traffic in a network.

What is IDS

IDS acts like a burglar alarm for the network. Intrusion detection is the process of monitoring the events occurring in an IT system and analyzing them for signs of intrusions. It then alerts the network users about the attack detected and immediately logs the users off the network to protect the terminals from further damage, sometimes also managing to trace the hacker down using technologies like protocol anomaly detection and signature-based detection.

Sophisticated viruses like Code Red, Nimda and Code Red II have managed to crack networks and hamper valuable database information. The sectors that have undergone these experiences have primarily been the banking sector and corporate houses with large databases. The story has always been that a virus suddenly hits the network and, by the time the company's security software has tracked it, the damage intended by the hacker is already, and very successfully, done. Thus arose a need for more sophisticated technology that would be able to track the virus on the network immediately after an attack and also promptly trace the hacker down to avert further attacks. For several years now, various changes have been incorporated in the network security infrastructure, with implementations ranging from firewalls and their upgraded versions, router security techniques, host system security, auditing and incident response plans to intrusion detection systems (IDS).

Though all these technologies have their own complexities and loopholes, IDS deployment has been more successful as a technology for securing information in corporate sectors. The sole purpose and advantage of using IDS is its ability to track the inbound traffic and alert the network users against hacker attacks, which is not possible with a firewall that sniffs only the outbound traffic. IDS acts like a burglar alarm for the network. Intrusion detection is the process of monitoring the events occurring in an IT system and analyzing them for signs of intrusions. These intrusions are defined as attempts to compromise confidentiality, integrity or availability, or to bypass the security mechanisms of an IT system. They are caused by attackers accessing systems from the Internet, by authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and by authorized users who misuse the privileges given to them. The IDS obtains event information from one or more information sources, performs a pre-configured analysis of the event data, and then generates specified responses, ranging from reports to active intervention, when intrusions are detected.

The goal of deploying IDS is to detect, identify and monitor unauthorized use, misuse and abuse of IT systems by both internal network users and external attackers. These intrusions can be broken down into two main types. Misuse intrusions, well-defined attacks on known weak points of an IT system, can be detected by signature analysis or by watching for certain actions being performed on certain objects. Anomaly intrusions, based on observations of deviations from normal IT system usage patterns, can be detected by pattern analysis or by building up a profile of the IT system being monitored and noting significant deviations from this profile. IDS technologies are deployed in two states: passive and active (reactive). In the passive state or system, the IDS detects a potential security breach, immediately logs the required information and signals an alert. In a reactive system, the IDS reacts to any suspicious activity by disconnecting the user from the network or by reprogramming the firewall to block network traffic from the suspected malicious source. In that sense, they are the first line of defense for the computer network. In its basic philosophy, IDS inspects all inbound and outbound network activity to identify suspicious patterns in the traffic and catch the intruder at any of the seven layers of the network. Though Symantec uses honeypots like Manhunt to be able to track the hackers intruding into their systems, Network Associates believes that honeypots are an unrequired feature for IDS as long as they are defending the customer's systems from virus attacks and also successfully providing patches for them.

"We do not use honeypots as we consider it a diversification to business, instead we have a learning engine with a sophisticated algorithm that logs files immediately in case of unprecedented attacks and also alerts the network," says Viren Mantri, Regional Technical Manager, NAI.

Trap at the application layer
Most IDS are structured around a large signature database system that attempts to compare every packet to every signature in the database. Though this system is effective to a huge extent, it suffers drawbacks when network speeds increase and the resources that the IDS sensor uses to track packets decrease, causing some packets to be discarded and therefore leaving relevant attacks undetected. Most IDS sensors can only operate effectively up to about 60 MB per second. Many companies today fully utilize 10/100 on up to 1 GB per second on their network backbone, where most of their mission critical servers reside. Another drawback of signature-based systems is the time it takes for the IDS vendor to identify new attacks, create a signature, and then release an update. A more successful methodology, as mentioned earlier, is the 'protocol anomaly detection' technology that is performed at the application protocol layer. Its efficiency lies in the fact that it focuses on the structure and content of the communications occurring in a network. When protocol rules are modeled directly in the sensors, it is easier to identify traffic that violates the rules, such as unexpected data and extra or invalid characters. As soon as the IDS distinguishes it as a violation of the protocol, it alerts the system administrator.
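As an added illustration (not code from the article or from any vendor named in it), the following Python sketch contrasts the two approaches just described on HTTP request lines: a signature check that can only match strings already in its database, and a protocol check that models the request-line grammar and flags whatever violates it. The signature pattern, the sample requests and the 2048-byte target limit are all constructed assumptions for the example.

```python
import re

# Signature database: a constructed placeholder standing in for a vendor feed.
# Misuse detection can only fire on strings somebody has already written down.
SIGNATURES = {"SIG-CONSTRUCTED-001": re.compile(rb"/constructed-known-bad-path")}

# Protocol model for the HTTP request line (RFC 7230, section 3.1.1):
# method SP request-target SP HTTP-version, with no control or non-ASCII bytes.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT"}
MAX_TARGET_LEN = 2048  # assumed local policy, not a limit set by the protocol

def signature_check(line: bytes) -> list:
    """Misuse detection: compare the line against every known signature."""
    return [sid for sid, pat in SIGNATURES.items() if pat.search(line)]

def protocol_check(line: bytes) -> list:
    """Protocol anomaly detection: flag whatever the HTTP grammar does not allow."""
    findings = []
    if any(b < 0x20 or b > 0x7E for b in line):
        findings.append("control or non-ASCII byte in request line")
    m = REQUEST_LINE.match(line)
    if not m:
        findings.append("request line does not match 'METHOD SP target SP HTTP/x.y'")
        return findings
    method, target, major, minor = m.groups()
    if method not in KNOWN_METHODS:
        findings.append(f"unknown method {method.decode()}")
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"request target exceeds {MAX_TARGET_LEN} bytes")
    if (major, minor) not in {(b"1", b"0"), (b"1", b"1")}:
        findings.append(f"unexpected HTTP version {major.decode()}.{minor.decode()}")
    return findings

def inspect(line: bytes) -> dict:
    """Run both analyses so the caller can see which one would have alerted."""
    return {"signatures": signature_check(line), "protocol": protocol_check(line)}

# Constructed sample request lines, not real captures: one normal, one hitting
# the placeholder signature, two that no signature knows but that break the grammar.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /constructed-known-bad-path HTTP/1.0",
    b"GET /a\x00b HTTP/1.1",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1",
]
if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:40], inspect(req))
```

The last two samples show the point the article makes: the signature list is silent on them, while the protocol model raises an alert without any vendor update.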

Will it last forever?

Though IDS in general refers to a detection system built on technology, in practice it is a converged solution whose handling process involves not only technology but also the people deploying it. Says Raghu Raman, Head, Information Security, Mahindra Consulting, "A lot of products put in place are not going to work for a simple reason that an alert has to be looked at by somebody."

Types of IDS

The various technologies deployed by IDS are signature detection, behavioral anomaly detection and the recently established protocol anomaly detection.

- The traditional host-based IDS (HIDS) is a type of IDS that watches for processes inside the host and monitors log files and data for suspicious activity. As with most host-based solutions, platform availability and coverage make this a difficult solution to manage and leave systems open to network attack due to the lack of packet inspection capabilities.

- The Network IDS is a commonly used type of IDS that works better than a host-based IDS solution in terms of critical packet inspection capabilities; it consists of one or more sensors and a console to aggregate and analyze data from the sensors. However, some NIDS miss attacks owing to the huge volume of network traffic and/or generate an unmanageable number of alerts due to false positives.

- HIDS or hybrid IDS is a combination of host-based IDS and network IDS technologies. Hybrid intrusion detection is system-based and provides attack recognition on the network packets flowing to or from a single host. Again, platform availability and deployment problems are an issue and hybrids are traditionally system resource intensive, yet they are less susceptible to false positives than network-based IDS.

- Decoy systems, or "honeypots" as they are more commonly known, provide an additional level of security within the network infrastructure. A decoy intrusion detection system's data is usually more valuable due to the reduction of both false positives and false negatives. They simplify the data capture and analysis process, providing valuable information on the motives of an attacker.

There have been several instances where the IDS technology has functioned effectively and yet not contributed significantly to saving a network from an attack, owing to the lack of spontaneity from the manual workforce detecting the attack. Says Raghu Raman, "We have faced circumstances where our deployed IDS managed to strike an alarm about an invading virus at the right time, which, however, failed to be effective owing to the disinterest and delay in taking a spontaneous action by the task force allotted for network security and maintenance."

For IDS to work productively, it is a dire necessity that the people in maintenance who detect the alarm set by the intrusion detection system act on it with immediate effect, also signaling everyone else connected to the network. Joy Ghosh, country manager, Symantec, says, "Companies need to recognize the urgency of their security upgrade. There are companies with technology officers who are least bothered about the security of their company's data; it is only the COOs who show concern, as they are at the risk of losing their jobs with any unprecedented breach of their security infrastructure."

Standardizing technology seems almost impossible with the ever evolving and growing strength and sophistication of hacker skills. Even IDS in its latest technique of deployment cannot guarantee any optimum level of security. Claims Sachin More, manager, IT security and projects, Mahindra & Mahindra, "Although the number of false positives has reduced with IDS, they have not completely been eliminated and it still involves a lengthy process in identifying and reacting to a critical and authentic attack." All in all, IDS has definitely leveraged network security; however, users need to constantly guard against new, unpredictable breaches by professional attackers.

TEAM DQ
