Contact: http://www.packetnexus.com
The ABCs of IDSs (Intrusion Detection Systems)
by Carolyn Meinel

You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe? Maybe not.

In 1998, a news story asserted that the firewall for the New York Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's network e-mailed reporters:

...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING. 0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE N3XT T1M3...

No one at the Times had noticed weeks' worth of the Hacking for Girliez gang on their network. The intruders finally chose to go public by defacing the opening page of the paper's Web site—on the day the Times expected millions of visitors to view the Monica Lewinsky transcripts. Instead, visitors encountered soft porn and an ad for Lewinsky-scented cigars. Thanks to a cron job (that is, a Unix job that runs commands on a schedule), several attempts to remove the offensive index page failed, exposing yet more thousands of patrons to the Girliez' exploit. It took almost two weeks to eradicate the intruders' back doors from the New York Times' network. Damage was estimated at $1.5 million, and a grand jury is currently hearing testimony in the case.

All this might have been avoided had the Times been running a good enough intrusion detection system (IDS).

What Is an Intrusion Detection System?

Intrusions fall into two major classes. Misuse intrusions are attacks on known weak points of a system. An IDS looks for this type of attack by comparing network traffic with signatures of known attacks. The second class, anomaly intrusions, consists of unknown attacks and other anomalous activity. This may include detection of an intruder who is already inside a network.
Anomaly detection is hardly a plug-and-play function. It requires an intimate knowledge of one's network and patterns of user behavior, and an IDS with powerful scripting options.

The basic function of an IDS is to record signs of intruders at work inside the network and to give alerts. Depending on the product, how it is deployed and the network configuration, an IDS may only scan for attacks coming from outside one's network, or it may also monitor activities inside the network. Some also look for anomaly intrusions. This requires an IDS that can be extensively configured by the user to match the peculiarities of the network to be defended.

When Susie the systems administrator is at work at 2 a.m., this may be her normal behavior. But when Artie the administrative assistant logs on to his workstation at 2 a.m., that is most likely an anomaly. An IDS that detects anomalies must be scripted to tell the difference between the two log-ons.

In the New York Times case, the intruders installed a number of "root kits" to hide themselves and open back doors. An installation process like this may be detected as an anomaly—if one can set up an IDS to tell the difference between installing a root kit and a legitimate program.

An IDS may include a feature to take automatic action when certain conditions occur, for example to page the systems administrator on call. Many IDSs are flexible enough that one can configure them to launch automatic attacks against suspected intruders, such as denial-of-service attacks. In many situations, this is illegal and inadvi
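The Susie-versus-Artie distinction above is the kind of per-user baseline an anomaly-detecting IDS has to be scripted with. The following is an added example, not code from the article or from any IDS product: it learns each user's usual logon hours from a constructed history and flags logons that fall outside them. The user names, timestamps and the one-hour slack are all assumptions made for the illustration.

```python
"""Added example (not from the article): a minimal per-user logon anomaly
detector. Baseline hours are learned from a constructed history; a logon
outside a user's usual hours is flagged. All names and log lines are made up."""
from collections import defaultdict
from datetime import datetime

# Constructed history of legitimate logons: (user, ISO timestamp)
HISTORY = [
    ("susie", "2024-03-01T02:10:00"), ("susie", "2024-03-02T01:55:00"),
    ("susie", "2024-03-03T03:05:00"), ("susie", "2024-03-04T02:30:00"),
    ("artie", "2024-03-01T08:55:00"), ("artie", "2024-03-02T09:02:00"),
    ("artie", "2024-03-03T08:48:00"), ("artie", "2024-03-04T09:10:00"),
]

def build_baseline(history):
    """Map each user to the set of hours-of-day at which they usually log on."""
    hours = defaultdict(set)
    for user, ts in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
    return dict(hours)

def is_anomalous(baseline, user, ts, slack=1):
    """A logon is anomalous if its hour is more than `slack` hours away from
    every hour previously seen for that user; unknown users always are."""
    usual = baseline.get(user)
    if not usual:
        return True
    hour = datetime.fromisoformat(ts).hour
    # Compare on a 24-hour circle so that 23:00 is one hour from 00:00.
    return all(min(abs(hour - h), 24 - abs(hour - h)) > slack for h in usual)

def scan(baseline, events):
    """Return the (user, timestamp) pairs that should raise an alert."""
    return [(u, ts) for u, ts in events if is_anomalous(baseline, u, ts)]

# Constructed new logon events to scan
EVENTS = [
    ("susie", "2024-03-05T02:20:00"),    # sysadmin at 2 a.m.: normal for her
    ("artie", "2024-03-05T02:05:00"),    # admin assistant at 2 a.m.: anomaly
    ("artie", "2024-03-05T09:00:00"),    # normal for him
    ("mallory", "2024-03-05T12:00:00"),  # account never seen before
]

if __name__ == "__main__":
    for user, ts in scan(build_baseline(HISTORY), EVENTS):
        print(f"ALERT: unusual logon by {user} at {ts}")
```

A real deployment would learn the baseline from weeks of authentication logs rather than a handful of entries, and would feed the alert into the IDS's paging or ticketing action rather than printing it.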