Contact: http://www.packetnexus.com
How Computer Criminals Defeat Intrusion Detection Systems
by Carolyn Meinel

We covered "The ABCs of Intrusion Detection Systems (IDSs)" in a previous column. Now we get to the really, truly scary part: how computer criminals defeat IDSs, and how to fight back. The wily attacker may be able to slip undetected into your network via the following techniques:

- Incomplete IDS coverage
- Lost or unknown network elements
- An overwhelmed IDS
- Excessive false positives (crying "wolf" too many times)
- Unicode protocols disguising signatures
- Fragmented packets
- The 0-day problem
- Highly switched networks
- Compromise of the IDS itself
- An improperly configured IDS
- The unique challenges of the middleware environment

Incomplete IDS Coverage

One IDS sitting on top of your connection to the Internet is going to miss internal attacks. It also may not detect attacks against systems it is not designed to defend. You probably will need to use products from more than one vendor, and use both a network IDS (NIDS) and a host-based IDS (HIDS). There also may be portions of attacks that no IDS can monitor, except by observing traffic once it enters the more standard portions of your network. This vulnerability may be a blessing in disguise if it motivates management to modernize your network. In the meantime, any decent IDS in a middleware environment will require products from many vendors. So how do you coordinate the output from these systems?

"Let me give you the honest answer," offers Marcus J. Ranum of Network Flight Recorder (NFR). "There's not a lot of cooperation in the security products industry. Most vendors would rather have their customers use only one product than support gateways between two products.

"Right now," he continues, "most IDS users that have several systems make them all e-mail their alerts to one place, and then they process the alerts together. There is a market evolving for systems to do alert correlation. I predict that market will grow rapidly soon.
NFR's actually looking to break that model with some very unique stuff. I can't talk about it, sorry, but pay attention around April."

The Intrusion.com NIDS is expected to soon include the ability to aggregate input from NetRanger, RealSecure and Firewall-1. And according to the hacker known as Talisker on the Networkintrusion.com Web site: "The fact that they are from differing vendors is immaterial; they have such different roles. From experience, I don't like HIDS and NIDS output on the same console, the only exception being possibly router output with the NIDS. There is very little correlation between the two; 98 percent of the HIDS traffic is by trusted internal users doing things they shouldn't. NIDS output is cluttered with false positives, but when you get a real bite, it's usually a good one."

Lost or Unknown Network Elements

You can't fully protect what you don't know exists. Large, complex systems often change every day, sometimes in unexpected ways. One company recently discovered that modem abuse was consuming the equivalent of several T3s of bandwidth on its PBX. It discovered employees sneaking in external modems to evade firewall bans on Napster, porn, stock trading and sports sites. (To learn more about the hazards of modems, see "It's 2 a.m.: Do You Know Where Your Modems Are?")

Computer criminals also look for orphan computers. A busy sysadmin (and most are always too busy) may set up a test server and then leave it on the wire. Once forgotten, it doesn't receive critical security updates. To make sure your IDS covers e
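The "send every product's alerts to one place and process them together" approach that Ranum describes in the Incomplete IDS Coverage section, carried out in code. This is an added example written for this column; it is not code from NFR, Intrusion.com or any other vendor named above. The two alert formats, the hostnames, the addresses and the five-minute correlation window are all assumptions made for the example, and the sample alerts are constructed. It also shows the split Talisker is pointing at: a NIDS signature that is echoed by host-level activity on the target is the "real bite", while HIDS-only alerts from named internal users are kept in their own pile.

```python
"""Aggregate alerts from several IDS products into one schema and correlate them.

Added example for this column, not code from NFR, Intrusion.com or any other
vendor named in the text. Both alert formats, the hostnames, the addresses
and the correlation window are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: a network IDS sensor on the Internet link and a
# host-based IDS agent on a web server. Neither format is a real product's.
NIDS_LINES = [
    "2001-03-02 02:14:07 sensor=dmz1 sig=WEB-IIS unicode directory traversal src=203.0.113.9 dst=192.0.2.10 dport=80",
    "2001-03-02 02:14:09 sensor=dmz1 sig=WEB-IIS cmd.exe access src=203.0.113.9 dst=192.0.2.10 dport=80",
    "2001-03-02 02:20:41 sensor=dmz1 sig=ICMP PING NMAP src=198.51.100.7 dst=192.0.2.22 dport=0",
]
HIDS_LINES = [
    "Mar  2 02:14:11 www1 hids[412]: user=IUSR_WWW1 event=process_start path=C:\\winnt\\system32\\cmd.exe",
    "Mar  2 09:30:00 www1 hids[412]: user=jdoe event=file_read path=C:\\payroll\\q1.xls",
]
# Assumed hostname-to-address map: the join key between NIDS alerts (which
# carry addresses) and HIDS alerts (which carry hostnames).
HOSTS = {"www1": "192.0.2.10", "db1": "192.0.2.22"}

NIDS_RE = re.compile(r"^(\S+ \S+) sensor=(\S+) sig=(.+?) src=(\S+) dst=(\S+) dport=(\d+)$")
HIDS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) hids\[\d+\]: user=(\S+) event=(\S+) path=(.+)$")


def parse_nids(line):
    """Turn one constructed NIDS line into the common alert schema."""
    m = NIDS_RE.match(line)
    if not m:
        raise ValueError("unrecognised NIDS line: %r" % line)
    ts, sensor, sig, src, dst, dport = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "product": "nids",
        "sensor": sensor,
        "host": dst,                 # the target, as an address
        "actor": src,                # the remote source address
        "summary": "%s -> %s/%s" % (sig, dst, dport),
    }


def parse_hids(line, year=2001):
    """Turn one constructed syslog-style HIDS line into the common schema.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2001).
    """
    m = HIDS_RE.match(line)
    if not m:
        raise ValueError("unrecognised HIDS line: %r" % line)
    ts, hostname, user, event, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year),
        "product": "hids",
        "sensor": hostname,
        "host": HOSTS.get(hostname, hostname),  # resolve to the address used by the NIDS
        "actor": user,
        "summary": "%s %s" % (event, path),
    }


def normalize(nids_lines, hids_lines):
    """One list, one schema, ordered by time: the 'all alerts in one place' step."""
    alerts = [parse_nids(l) for l in nids_lines] + [parse_hids(l) for l in hids_lines]
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(alerts, window=timedelta(minutes=5)):
    """Pair each NIDS alert with HIDS activity on the same host inside `window`.

    Returns (corroborated, uncorroborated, host_only): NIDS alerts with a host
    echo, NIDS alerts without one, and HIDS alerts nothing on the wire explains.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    corroborated, uncorroborated, host_only = [], [], []
    for host, group in by_host.items():
        nids = [a for a in group if a["product"] == "nids"]
        hids = [a for a in group if a["product"] == "hids"]
        matched = set()
        for n in nids:
            echo = [h for h in hids if n["ts"] <= h["ts"] <= n["ts"] + window]
            if echo:
                corroborated.append({"host": host, "network": n, "host_events": echo})
                matched.update(id(h) for h in echo)
            else:
                uncorroborated.append(n)
        host_only.extend(h for h in hids if id(h) not in matched)
    return corroborated, uncorroborated, host_only


def report(corroborated, uncorroborated, host_only):
    """Render the three piles as text lines, most urgent first."""
    lines = []
    for c in corroborated:
        lines.append("CONFIRMED %s: %s; then on host: %s"
                     % (c["host"], c["network"]["summary"],
                        "; ".join(h["summary"] for h in c["host_events"])))
    for n in uncorroborated:
        lines.append("candidate %s from %s: %s" % (n["host"], n["actor"], n["summary"]))
    for h in host_only:
        lines.append("insider %s on %s: %s" % (h["actor"], h["sensor"], h["summary"]))
    return lines


if __name__ == "__main__":
    for line in report(*correlate(normalize(NIDS_LINES, HIDS_LINES))):
        print(line)
```

The only piece of real work is the join key: the NIDS names the target by address and the HIDS names itself by hostname, so without a map between the two nothing correlates, which is one reason the two feeds look unrelated on a shared console. The window is deliberately short; a Unicode traversal followed within seconds by cmd.exe starting under the web server's account is worth a page, while a file read seven hours later by a named employee is Talisker's 98 percent and goes to a different queue.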
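One way to hunt for the orphan test servers and unlisted network elements this section warns about, and at the same time to see which of them no sensor or agent covers. This is an added example written for this column, not a vendor's tool or the column's own code. The asset inventory, the sweep results, the sensor placement and the agent list are all constructed for the example; in practice the sweep would come from your own ping or ARP scan and the sensor map from your IDS deployment records.

```python
"""Check discovered hosts against the asset inventory and the IDS deployment.

Added example for this column; not a product's tool or the column's own code.
The inventory, the sweep results, the sensor map and the agent list are
constructed for the example.
"""
import ipaddress

# Constructed: what the inventory says exists.
INVENTORY = {
    "192.0.2.10": "www1 (public web server)",
    "192.0.2.22": "db1 (database)",
    "10.1.5.40": "fs1 (file server)",
    "10.1.5.41": "build2 (supposedly decommissioned)",
}

# Constructed: what a ping/ARP sweep actually found, with one open port as a hint.
DISCOVERED = [
    ("192.0.2.10", "80/tcp"),
    ("192.0.2.22", "1433/tcp"),
    ("10.1.5.40", "445/tcp"),
    ("10.1.5.77", "80/tcp"),   # a test server somebody forgot
    ("10.9.0.3", "23/tcp"),    # a telnet listener on a subnet nobody claims
]

# Constructed: the networks each NIDS sensor watches, and the hosts running a HIDS agent.
NIDS_SENSORS = {"dmz1": ["192.0.2.0/24"], "core1": ["10.1.0.0/16"]}
HIDS_AGENTS = {"192.0.2.10", "10.1.5.40"}


def audit(inventory=INVENTORY, discovered=DISCOVERED, nids=NIDS_SENSORS, hids=HIDS_AGENTS):
    """Return the gaps: orphans, hosts no sensor sees, hosts with no agent, stale entries.

    A host can land in several piles at once; an unlisted box on an unwatched
    subnet is both an orphan and invisible to every NIDS.
    """
    monitored = [(name, ipaddress.ip_network(cidr))
                 for name, cidrs in nids.items() for cidr in cidrs]
    seen = set()
    findings = {"orphans": [], "no_nids": [], "no_hids": [], "stale_inventory": []}
    for addr, hint in discovered:
        seen.add(addr)
        ip = ipaddress.ip_address(addr)
        if addr not in inventory:
            findings["orphans"].append((addr, hint))
        if not any(ip in net for _, net in monitored):
            findings["no_nids"].append(addr)
        if addr not in hids:
            findings["no_hids"].append(addr)
    # Inventory entries the sweep did not find: the record is wrong, or the box moved.
    findings["stale_inventory"] = sorted(a for a in inventory if a not in seen)
    return findings


def covering_sensors(addr, nids=NIDS_SENSORS):
    """Name the NIDS sensors whose monitored networks include `addr`."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, cidrs in nids.items()
                  if any(ip in ipaddress.ip_network(c) for c in cidrs))


if __name__ == "__main__":
    f = audit()
    for addr, hint in f["orphans"]:
        print("orphan %s (%s), watched by %s" % (addr, hint, covering_sensors(addr) or "nobody"))
    print("no NIDS coverage:", f["no_nids"])
    print("no HIDS agent:", f["no_hids"])
    print("in inventory but not found:", f["stale_inventory"])
```

The two interesting lines of output are the ones the inventory alone could never produce: the forgotten test server on 10.1.5.77 is at least inside core1's view, so a network signature against it would fire even though nobody will patch it, but 10.9.0.3 is on a subnet no sensor watches and no agent runs on, which is exactly the hole an attacker who has mapped your network better than you have will use.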