Intrusion detection isn’t just software—it means monitoring your network to discover attacks. Sometimes that infiltration comes from places you’d never expect.

Who's Lookin' At You?

Intrusion detection isn’t just software—it means monitoring your network to discover attacks. Sometimes that infiltration comes from places you’d never expect.

The process of monitoring a network with the goal of discovering an attack is called intrusion detection. It involves four basic efforts:

  • Examining packets entering or traveling across your network for known attack patterns.
  • Monitoring or comparing known sensitive areas (system files and registries) to known uncompromised snapshots.
  • Evaluating network systems for evidence of compromised attack, such as promiscuous network cards or the existence of known executable files or services.
  • Examining entry point systems such as mail servers and Web servers for the existence of viral agents, Trojans in email attachments, or Web page scripts.

You may want to install an intrusion detection product or a suite of them. Many products claim to be intrusion detection panaceas, and some are very good. This isn’t a review of them. Instead, I’ll provide an overview of the process of establishing and maintaining an intrusion detection system. Although I recommend that you purchase and install some kind of commercial system, merely doing that isn’t enough. You can’t rely on that system to always detect and stop attacks in progress or to find compromised systems. Intrusion detection systems aren’t products you set up and ignore. You must also respond to alerts, look for evidence of attacks the system failed to recognize, and constantly update it.

Source of Attacks

Where does your network connect to the external world? Through Internet access? Dial-out modems? Direct lines to business partners? Users log off their workstations at night and servers get secured, right? At major choke-points, host-type intrusion detection systems can be used. These systems protect a particular system from common types of attacks. Specialized systems scan email for viruses; monitor Web servers and generic systems; or look for critical file exploits, system file changes, system configuration changes, Trojan horses, buffer overflows, and registry modifications. The point here is to attempt to catch and thwart the attack just as it breaches your defenses. A good place for an intrusion detection system is between your firewall and your network.

Attacks can come from internal or external sources; external attacks may breach perimeter detection. Network intrusion detection systems are designed to look for suspicious activity on your network, including devices such as routers and switches. These systems look for things such as network cards set to promiscuous mode (explained shortly), abnormal amounts of traffic, and, by sampling packets on your network, attack patterns.

Types of Attacks

In addition to complex denial-of-service or penetration strikes (which require a sophisticated understanding of transport protocols at the packet level), consider the prospect of viral and Trojan horse attacks. A virus is code that changes something in your system; a Trojan horse masquerades as something innocent. Both can easily be attached to ordinary email. They rapidly infiltrate the network or arrive in software and, theoretically, attack our systems from Web pages with embedded scripts. Both often infiltrate our systems as a result of a little social engineering—the email attachment that masquerades as a game or the utility disk a friend passes along.

Finding a Compromised Server
Are you running an IIS Web server? The possibility of compromise via vulnerabilities in IIS Web servers that have Microsoft Data Access Components (MDAC) installed has been widely discussed since April 1998. Even so, there have been many reports recently about this type of attack succeeding on commercial Web sites. Web sites have been defaced and attacks identified by a search of the IIS logfiles, which turns up a POST access to the file “/msadc/msadcs.dll.” (Note: If you use Microsoft Remote Data Services or RDS, the post may be legitimate.) Apparently, those responsible for Web servers aren’t listening. For more information on this attack and how to prevent its success (securing or disabling RDS), read the following Microsoft articles:

What to Protect

Primary points of attack in vulnerable systems include mail servers, Web servers, and other access paths to your network. Additional systems that may require scrutiny are servers with sensitive information. Is it realistic to protect every access point? Well, do you have locks on every window in your house? If you allow modems on desktop systems, place some kind of personal intrusion detection system on these workstations.

Cheap Detection Tools
It may seem a daunting task, this process of intrusion detection. Not only do we have to see attacks in progress, but we must be able to find compromised systems on our network. Several new, inexpensive tools are now available to help you.

AntiSniff, available from LØpht  Heavy Industries (www.lOpht.com), can identify systems on your network with network cards operating in promiscuous mode. Normally, operating network cards reject packets not addressed to them or not part of a broadcast. Network cards in promiscuous mode allow the examination of all packets traveling across a network segment. A malicious user could apply this information to attack other systems on your network. By examining these packets, he might be able to find system and service information and passwords. By finding a system with a network card in promiscuous mode, AntiSniff points out a possibly compromised system. You’ll need to access and perhaps shut down and examine the system immediately to prevent further penetration.

To protect your network against BackOrifice attacks, you can use Network Flight Recorder’s (www.nfr.com) BackOfficer. BackOfficer looks like a BackOrifice server to the BackOrifice client. When installed on a system in your network, it attracts BackOrifice clients doing ping sweeps looking for installations of BackOrifice Server. You can thus determine the source of the attack, record the information for possible legal recourse, and send a message to hackers to warn them off. While many BackOffice Server installations are known to the hacker installing them, many aren’t. By installing this listening system, you can detect and protect against BackOrifice attacks.

Another useful tool is Jammer (http://jammer.comset.net/index.html), which detects invasions by BackOrifice and NetBus. It’s a low-level network sniffer that captures all incoming and outgoing network traffic. As a real-time packet analyzer, it seeks a NetBus or BackOrifice client trying to log on to your computer. It can determine a hacker’s BackOrifice password, send a message to the hacker, send a message to the systems administrator, and log the hacker’s IP. At the very least, the hacker’s ISP can be contacted. (Or if it’s an IP on your internal network, you can seek out the source of trouble.) Jammer also monitors ports and will identify connections. It monitors your registry and notifies you of attempts to modify the registry. (Most Trojan programs modify the registry to start themselves at system startup.) 

Finally, a good source of information on BackOrifice attacks—or on cleaning up after one—can be found at www.nwInternet.com/~pchelp/bo.

Set Up and Monitoring

The true value of intrusion detection systems is twofold. First, few of us know about all possible attacks and how to protect against them. A good intrusion detection system helps educate you, giving you a way to protect your systems without being a security guru. Second, the type and number of attacks can change constantly. Let the intrusion detection company be responsible for staying current on that. Choose a product that’s updateable and a company with the resources to constantly be on the lookout for new attack signatures.

This can include inexpensive products available to run on personal systems. Desktop anti-viral products are one such example. If these products are used religiously and updated regularly, they can reliably detect viral intrusions at the desktop level.

While a more sound approach may include some kind of system-level viral protection, such as an email scanner, this may not be possible for many small companies. One of the largest threats to systems administrator sanity in recent months has been the BackOrifice Trojan. Users can be tricked into installing the server side of this product on their machines, thereby allowing anyone with the BackOrifice client to administer the infected machine remotely. Most anti-viral agents can now locate and remove BackOrifice from systems; in addition, other products can act as a BackOrifice server and detect attempted connections to infected machines.

By the way, be sure to obtain training on the use of intrusion detection systems. Proper installation and management is essential. Any system will find false positives on occasion; you’ll need to know how to separate the true from the false.

When to Invite a Trojan Horse In
Hackers and commercial operations alike are making beautiful wooden horses these days and leaving them at our doors. These horses (also known as products) are so wonderful that we gladly roll them into our networks, only to regret it later. Some are malicious programs; others are simply super-utilities that send back private information without our knowledge.

In November, news sources (www.zdnet.com/zdtv/cybercrime/
chaostheory/story/0,3700,2386995,00.html
) carried the story that RealNetworks’ RealJukebox was sending back personal information (number of songs saved, musical tastes, type of MP3 player installed and more) to RealNetworks. Notification of other, similar escapades surfaced. How did they do it? Embedded in their product code was the ability to uniquely identify each user with a Globally Unique ID, or GUID. Each time users ran the product while on the Internet, their system would be scanned and information uploaded to RealNetworks. Once caught, RealNetworks made a patch and a new version of the system available for download.

Recently, reasonably sane and respected individuals wrote in Windows NT Magazine that BackOrifice is, indeed, a useful remote administration tool and can find its place in your network. After all, they say, what’s the difference between this product and other remote administration tools like PCAnywhere or Microsoft’s System Management Server? Come on, they opined, it’s smaller and it’s free.

I’m not going to argue this point, but my strong recommendation against blindly using this product as a remote administration tool is based on the stated objectives of its authors. They widely promote the use of this tool by anyone to control anyone else’s machine. The authors also provide the source code, thus allowing others to mutate it into forms that might be harder to control. In addition, visitors to the BackOrifice Web page are encouraged to develop or use code developed by others as plug-ins to the BackOrifice product.

Visit www.cultdeadcow.com and read the many documents there. You’ll especially love the “Ninja Strike Force—Our Power Cannot Be Contained” credo. While you’re there, examine the “BUTT Plugs” page and read about the third-party add-ons developed by others. There’s “Butt Trumpet,” which emails the IP of the infected system to a specified email address. Saran Wrap and Silk Rope install BackOrifice and then another product. (“Here’s a game for you to play…”) and a link to goodies from Netninja (www.netninja.com). Netninja produces the plug-ins Bored, which allows you to turn the compromised machine into a dumb terminal, and SpeakEasy, which has an embedded IRC plug-in that contacts an IRC server and broadcasts the IP address of the compromised machine.

Of course, just because someone says he’s my friend (commercial software) doesn’t mean he’s not stealing my secrets behind my back (witness what RealAudio did). However, if Dracula appears at my window, I’m not going to invite him in.

Maintaining Vigilance

So your system’s up and you’re ready to respond. What next? I assume you’re taking steps already to protect yourself from attack, and that you’re monitoring alerts from your systems and know what to do. I’m even going to assume that you’re not relying on a single system but are using other tools as well. You’re also educating users on how to avoid manipulation, right? So can you relax now? To ensure the reliability of your intrusion detection system, start with the following steps.

  • Ensure integrity—An intrusion detection system is a great big challenge to any hacker worth his salt. First, he knows you have something to protect. Second, if he can compromise the intrusion detection system, he thinks he’s home free. It’s like snipping the wires for the alarm system on the movie star’s house. Regularly ensure that your intrusion detection software hasn’t been compromised. Audit all critical systems files, especially operating system files, on a regular basis. Look for directory and files changes that can’t be accounted for. Some intrusion detection systems have such audit features.
  • Continue auditing efforts—Regularly inspect all system logs and review notifications from system monitoring mechanisms. Look for unexpected behavior from processes. To do this, you need to understand the normal behavior of processes running on your systems. In a stable system, is a process suddenly creating access violations or shutting down? Is it not performing scheduled activities? Are there unknown processes running? (You should understand all processes running on your systems.)
  • Question the existence of hardware—Was it always there? When was it installed? What’s it doing there? An additional hub where none should be can mean a rogue system. A small black box could be an office UPS system added by office personnel to protect a desktop system—or an unauthorized router connecting intruders or masking intrusions.
  • Look for signs of unauthorized access—Look for things where they shouldn’t be. Suspect workstations that are turned on when employees are absent, especially if sick or on vacation.
  • Review user reports of unusual events—Don’t pass off this good source of information as “stupid user events.” Users may not know intimate details of the system, but they usually know what’s normal activity for their software and hardware.
  • Assume that someone has broken in—The objective of a software test is not to find that the software is flawless, but to find errors. The objective of intrusion detection is to find evidence of a break-in—before any system is compromised, one hopes, but realistically, after the fact. If you assume someone’s already in, you won’t stop in your relentless crusade to throw the bums out. All’s quiet on the intrusion detection system front? Use alternative tools and methodologies to look for evidence of successful attacks.
Intrusion Detection Products:
Product Description More Information

Intruder Alert

Net Prowler

Host-based system. Bundled with NetProwler, consulting services, and training, for $19,195.

 Network-based system

Axent Technologies, Inc.
www.axent.com
Cisco Secure Intrusion Detection System (formerly NetRanger) Sensors (appliances) monitor Cisco routers for policy compliance and/or network traffic for suspicious activity. They report to the Director, a management system. Call company for pricing. Cisco Systems, Inc.
www.cisco.com
Centrax Host- and network-based. Starts at $2,500. CyberSafe Corp.
www.cybersafe.com
RealSecure Host- and network-based, with three modules: Engine ($8,995), Agent ($750, and Manager (call company for pricing).  Internet Security Systems, Inc.
www.iss.net

CyberCop Monitor

CyberCop Sting

WebShield SMTP

Network-based. Monitor and Sting are part of CyberCop Intrusion Protection Suite, which begins at $9,398 for 254 nodes.

Honey Pot. Emulates network on a single machine (NT, Solaris, Cisco routers). Attracts attackers and logs their activity.

Scans email. Contact company for pricing.

Network Associates, Inc.
www.nai.com

NFR Intrusion Detection Appliance (IDA)

NFR BackOfficer Friendly

Enterprise-level management, upgradeable, scriptable. Many attack signatures provide by LØpht Heavy Industries. $3,400.

Detects BackOrifice on your network. Acts as a BO server.

Network Flight Recorder, Inc.
www.nfr.com
BlackICE Pro Single systems or network version. Detects and backtracks intrusions, stops intrusions, and reports suspicious events to ICEcap server for analysis and review. Enterprise ICE Pac, which includes BlackICE Pro, BlackICE Sentry, and ICEcap Management Console, costs $89.50 per node for 1,000 nodes. A single system version of BlackICE is $39.95. Network ICE Corp.
www.networkice.com
Dragon IDS Network anomaly monitoring software. Call company for pricing. Network Security Wizards
www.network-
defense.com
Kane Security Monitor Scans NT event logs in an enterprise looking for unauthorized and suspicious activity. Single server/single workstation pack: $1,495. RSA Security 
www.intrusion.com
Sophos Anti-Virus Network anti-virus. Starts at $595 for 10-user license. Sophos, Inc.
www.sophos.com
ScanMail for Microsoft Exchange Scans email. ScanMail for Exchange with eManager is $6,250 for 250 users. Trend Micro, Inc.
www.antivirus.com

Finding, installing, and setting up good intrusion detection software doesn’t mean you can relax. Intrusion detection means much more. Remember to sniff packets for patterns, keep an eye on sensitive areas like the registry, evaluate network systems for evidence of comprised attacks, and continually monitor entrance points. As with all network security, you’ll need to continue eternal vigilance. Intrusion detection is merely another method of helping you monitor the gates.

Featured