We test three software-based intrusion detection systems that can help alert you when you've got barbarians at the gate.
- By Wes Noonan
- January 01, 2005
The intrusion detection system (IDS) is perhaps the most widely misunderstood network security tool. Depending on who you talk to, you could get the impression that an IDS either does everything or nothing at all to help secure your environment. The truth, as is often the case, lies somewhere between those two extreme viewpoints.
First, let's establish a sound
definition of what you can reasonably expect from an IDS. An IDS by itself can not replace your firewall or any other network security device. Instead, you are best off using an IDS in conjunction with your firewall and various other security systems to provide a more thorough, layered security infrastructure.
IDSes are software- or appliance-based systems that give you a view—and an alert message when necessary—of the types of traffic coming into your network. At its most fundamental level, intrusion detection is simply an exhaustive approach to auditing and logging, enabling you to be completely aware of what is occurring on your network so you can remain alert to circumstances that warrant a response. (Intrusion prevention systems (IPSes) take the concept a step further. An IPS provides the means with which to automate a response to hostile or potentially damaging inbound traffic or shut down any traffic that is outside of established thresholds.)
Instead of simply reviewing how fast these IDS software solutions work or how well they perform against each other, I asked myself what kind of scenarios you would likely face when selecting an IDS. What do you want the system to do? That's the frame of reference I took in looking at these software-based intrusion detection systems.
Snort is the most popular open source IDS available. Its flexibility is a major reason for its popularity. You can install Snort on Unix- and Windows-based systems, although there is generally more third-party support for Unix versions. You can also set it up to operate as a host-based or network-based IDS.
Installing Snort on most Unix and Windows systems is relatively simple (especially using the RedHat Linux installation routines), although it only installs the Snort IDS engine. That is the biggest misconception about Snort—that once it's installed you'll be ready to use it as an effective IDS solution.
Without the appropriate add-ons or custom code to augment the Snort engine, Snort will be of little use to most of you. Snort lacks any kind of intuitive management and configuration interface, relying exclusively on command-line syntax and text-based configuration files. This makes Snort all but unintelligible unless you have a deep background as a developer.
The good news is that since Snort is open source, a number of groups have developed add-ons to address many of Snort's deficiencies, providing functions like logging records to a database, e-mail alerting and Web-based management. I recommend (and used for this review) the "Snort, Apache, SSL, PHP, MySQL and Acid Install on Fedora Core 2" document you'll find at www.internetsecurityguru.com.
|In This Roundup:
Free to copy, distribute and modify under terms of GNU General Public License as published by the Free Software Association
Network Sensor licenses start at $3,000, Management Console approximately $10,000, Host Agent Sensors are $100, contact company for specific pricing
Demarc Security Inc.
$159 for monitoring five systems
$249 for monitoring 10 systems
The documentation for Snort is essentially a developer design document that outlines the command-line configuration options and the overall Snort architecture. It does not serve as an effective installation and user guide. The Snort configuration document referenced above should help you with installation and basic configuration.
Even with this document, however, many of you will need outside assistance for initial installation and configuration, which underscores Snort's biggest downside. Because Snort is open source, you're pretty much on your own for technical assistance and troubleshooting. This is definitely the case if you need to implement e-mail based alerting with Snort, which relies on third-party log watching utilities like Swatch. While there is a wealth of information and assistance available online, it is a time-consuming process and there is no certainty you will find the help you need. At some point, you'll find yourself on Google querying for obscure error message and system configuration assistance.
While working with Snort, I found myself wishing I could call technical support many times, but that is simply not an option. This lack of "official" support underscores another important issue. You will certainly save money on software licensing, but you will pay for it in the additional time and effort required to design and implement an effective solution. If you have those skills and expertise, Snort is one of the best solutions out there. However, if you are not a well-versed Unix user with some development skills, in a few months you'll likely find yourself wondering why you decided to make Snort a part of your security environment.
While the fact that Snort is open-source is one of its major drawbacks, it's also one of the biggest benefits, especially when it comes to obtaining new signatures (known in Snort terms as rules), which the IDS uses to detect new and emerging threats. Literally thousands of people are writing new rules for Snort, which makes updating and maintaining your signature files a breeze. In most cases, you can simply download the new rules from www.snort.org, update your Snort configuration and you're in business.
Sentarus is a Snort-based IDS from Demarc Security that addresses most of Snort's shortcomings. Sentarus 5.2.1 consists of three distinct
components: the management
console, the sensor and the host agent. The management console and sensor provide network-based intrusion detection, while you can use the host agents to provide host-based intrusion detection.
Installing Sentarus is straightforward, using a bootable CD to install the management console and sensor over a hardened version of Linux. The text-based installation is easy to follow and uses a wizard-like approach. The only installation "gotcha" is that the management console is also a sensor, so you should install that first.
Because Sentarus uses Snort as the detection engine, you have all of the same options available to you as the rest of the Snort community, including updating rulesets, managing configuration files and so on. The ruleset is updated every hour by default from Demarc's Web site, which helps you keep your management console as up to date as possible.
However, Sentarus overlays this with an intuitive Web-based management interface that is very similar to Demarc's soon-to-be-retired PureSecure IDS. This lets you easily add additional sensors and configure e-mail alerts. Neither of those processes are easy or intuitive using Snort and many other open-source tools. It takes at least half a day to get Snort configured to appropriately monitor and log traffic. With Sentarus, it takes less than an hour to complete basic setup and configuring e-mail alerts.
Customizing and configuring rules is also greatly enhanced by the Sentarus interface, which lets users with little knowledge of Snort build and modify their own rules. However, advanced users can still get in and write custom code from scratch.
Sentarus also integrates with Cisco-based hardware, Cisco PIX Firewalls and CheckPoint firewalls (with support for Netscreen coming in the near future). This lets you configure Sentarus to block offending traffic on any of the supported vendors' hardware. It also lets you specify user groups to whom the blocking actions should apply. For example, you may allow executives to use instant messaging while blocking everyone else.
|Figure 1. Sentarus gives you the functionality of Snort without requiring a deep level of development expertise. (Click image to view larger version.)
You can install the Sentarus host agent on Windows or Linux hosts to provide host-based service and file system integrity monitoring. Between that and the network sensor, Sentarus provides all levels of network and host-based intrusion detection with a single management console from which you can configure, maintain and update all your sensors and agents.
Documentation is Sentarus' major weakness. It does a good job detailing the various screens, but otherwise reads more like a basic "how-to" document, with little explanation of "why" or under which circumstances you would use a certain function.
Fundamental information is not included, such as the hardware requirements or the fact that the management console is also a sensor and should be installed first. Also, the documentation doesn't make it clear that since Sentarus uses the Snort engine, you need to have a working knowledge of Snort if you really want to do heavy customization. To Demarc's credit, however, when you purchase Sentarus, a member of the company's technical support staff will spend one or two hours with you to help with the installation and configuration.
Even with the documentation's shortcomings, Sentarus provides all the functionality of Snort, while addressing the drawbacks and shortcomings of an open source solution. It is an effective IDS solution—especially if you want the performance and features of Snort, but lack the skill set required to customize it accordingly.
VisualLookout functions primarily as an advanced port monitoring application. It gives you a detailed look at the types of connections that are being attempted against your servers. VisualLookout can monitor up to 100 Windows-based agents (but only Windows agents). It queries the remote agents for connection information through SNMP. This is a straightforward process and both the internal documentation and online manual are effective at detailing the necessary steps.
A "sentry" function in VisualLookout lets you add connections you wish to monitor. You can also set alert triggers and alert formats. In the event of suspicious network traffic, you receive one of four types of alerts: a popup window, e-mail, SNMP trap or you can have the system automatically run an application when the appropriate condition on the monitored agent occurs. For example, you can receive an alert when a certain IP address attempts to connect to the server.
|Figure 2. VisualLookout monitors the connections being attempted against your network, providing troubleshooting, auditing and assessment details. (Click image to view larger version.)
VisualLookout is strictly a host-based intrusion detection product. It does not perform network-based intrusion detection, signature or anomaly-based intrusion detection. Since it doesn't examine actual application data, it is difficult to distinguish between legitimate and malicious usage. A floating dashboard gives you traffic metrics, but it relies more on your analysis to determine the threat level. As a result, while I know that an HTTP session has been established, it is unclear whether the session is an actual attack or approved connection.
While VisualLookout provides a significant diagnostic benefit, I felt it did not provide sufficient details on the connection attempts. It only monitors connections made against the server, which means that the server is running the service in question. To test this, I repeatedly attempted to establish a telnet
connection to a monitored server that was not running any telnet services. VisualLookout did not generate any alerts or log the connection attempts.
|Strength in Numbers
You’re not alone when it comes to defending your network against the hackers of the world. An online group called DShield (www.dshield.org) collects, catalogs and summarizes data on the latest global Internet attacks.
DShield.org helped in the early detection of the Code Red, Ramen and SQL Snake worms. The group was founded in November of 2000. Participation is free, as its goal is to raise awareness of Internet attacks with current and accurate information. Check in on them periodically, and they can help you keep your firewall and intrusion detection rules as up to date as possible.
So while it may not be a full-blown IDS to the same extent as Snort or Sentarus, it provides relevant information to anyone needing to
perform system audits or assessments. It reports on Internet access speed and activity levels, including transfer speed both inbound and outbound and the length of the output queue. The connections window gives you a view of all active connections, showing which machine is connected, what service that machine is using, the type of connection, and most importantly from a security perspective, the country of origin and the length of time connected. It also generates troubleshooting and diagnostic feedback. As such, VisualLookout would be a good addition to an administrator's security toolkit for reporting on troubleshooting, auditing and system assessment.
Keepers of the Gate
For an IDS to be a truly effective addition to your security infrastructure, it's critical to understand what it can and can not do. An effective IDS must be able to identify suspicious traffic patterns, log a record of the event and generate alerts that can proactively notify you when a situation is detected.
Because VisualLookout primarily monitors port connections, it is a valuable assessment tool, if not a full IDS. If price is an issue, Snort is an excellent solution since it is free. However, you will spend a significant amount of time and money configuring it to do what you need it to do. Sentarus provides all the capabilities of Snort, while adding host-based monitoring and intrusion prevention, wrapped up in an intuitive and easy to navigate GUI—an excellent choice for a highly functional intrusion detection and prevention system without requiring the skills to build one from scratch (ala Snort).
(Editor's note: Symantec Corp. and Cisco Systems Inc. declined to participate in this review.)