
Contents

Purpose and Scope
Introduction
Technical Discussion
Intrusion Detection
Network Intrusion Detection Systems (NIDS)
Host Intrusion Detection Systems (HIDS)
Signatures vs. Anomalies
Intrusion Prevention
IPS and IDS Incident Response

Purpose and Scope

This IT white paper is intended to be an accompaniment to Ohio IT Security Policy ITP-B.12,
“Intrusion Prevention and Detection.” Ohio IT Policy ITP-B.12 describes the state’s overall
requirements regarding the acquisition and implementation of intrusion prevention and detection
systems (IPS/IDS). This IT white paper is designed to provide a deeper understanding of
intrusion prevention and detection principles and assist state of Ohio personnel who may be
responsible for acquiring, implementing or monitoring such systems in understanding the
technology and strategies available.

Introduction

Intrusion Prevention Systems (IPS) are designed to aid in preventing the compromise of
information systems and thus help preserve the basic triad of all security, confidentiality,
integrity and availability (CIA), not only of information but also of the infrastructures that store
and transmit it.

Intrusion detection systems (IDS) refer to any technology or strategy that allows us to detect the
attempted compromise of our systems and information, and as before, preserve the CIA of the
information and infrastructures.

In many cases these two systems work together and with the networking infrastructure to do their
jobs. As IPS/IDS technology has improved over the last few years, prevention and detection have
been consolidated into one network device, or as it is commonly referred to, one “appliance.” In
other cases the IPS is a separate technology, usually a software package or “agent” that runs on a
desktop or host to detect attempted compromise.

Technical Discussion

Intrusion Detection
Intrusion detection systems can be described in two distinct categories:

• Network-based intrusion detection systems (NIDS)
• Host-based intrusion detection systems (HIDS)

Network Intrusion Detection Systems (NIDS)
As the name implies, NIDS are placed into the Internet Protocol (IP) networking
infrastructure and act as sniffers, monitoring the individual units of IP data, called
packets, as they are transmitted across a LAN or WAN. NIDS devices usually consist of a
regular computer or specialized hardware known as an “appliance” with a network interface
card (NIC) through which the device accesses the network, much like any desktop, laptop or
server. Normally, a NIC captures only packets intended for the computer in which it is
installed. In the case of NIDS, however, the NIC is configured to capture and process not
only the packets addressed to it, but all traffic on a network. This is referred to as placing the
NIC in promiscuous mode. In this way, the device examines all of the packets from hosts,
servers, routers, switches and any IP device on the network for suspicious activities.

Examples of this technology include the Enterasys Dragon, Sourcefire’s Snort and
Cisco’s Cisco Secure-IDS.

The NID employs a sophisticated checking algorithm to examine a packet and determine if
it meets the criteria that have been established for “suspicious activity.” If it does not, then the
packet is ignored or “dropped.” If it does meet the pre-defined criteria, then the device will
send an alert message identifying the type of event detected. Usually, the NID marks the
alert with the date, time and other information relevant to it. The NID can be configured to
send the alert to any individual or group, such as system administrators or security
technicians. In some cases alerts are forwarded to another device or application for
compilation with alerts from other network devices to produce a more complete picture of
the network’s security posture. This is referred to as event correlation. Additional
information is available in the IT white paper, Security Incident Response.

Figure B.12-1 illustrates an example of a WAN or perimeter network connection and the
components associated with it. Note that the IPS/IDS, illustrated by the magnifying glass
symbol, is placed in-line between the routers and all back-end equipment. In this example,
the IPS/IDS is installed on the “front” or unprotected side of either of two redundant
firewalls. This configuration allows the IPS/IDS to detect attacks against a firewall and
anything “behind” or protected by it. If your firewall reports on these attacks as part of its
functionality, then the IDS can be placed behind it. Just be sure that all of the traffic can be
“seen” by the IPS/IDS on the protected side of the firewall.
As mentioned earlier, this example illustrates a high-availability configuration with
redundant components and connectivity. The networking components communicate with
each other in the event of an outage or failure by using one of two protocols: either the
Cisco-proprietary hot-standby routing protocol (HSRP) or, for all other manufacturers, the
standards-based virtual routing redundancy protocol (VRRP). Each set of redundant
components, which individually can be thought of as a separate communication pathway, is
being monitored by its own IDS so that in the event of a failure, no security-related incidents
are missed.

Also note in this example that the IDS is placed behind the encryption point, which here is
the router, so that the packets to be examined are “in the clear” or
unencrypted. The IDS software cannot examine packets that have been encrypted, so this
must always be taken into account when deciding on HIDS placement. In this illustration also
we see computers running the Syslog process, which logs and date/time stamps information
from all network components. An effective technique to enhance your IDS capability is to
configure these Syslog servers with HIDS software running along with the Syslog process.
This allows you to capture information sent out by switches, routers and other devices that
cannot run host-based software and send it back to the NIDS to be included in the event
correlation process.
[Figure B.12-1 (diagram not reproduced): WAN Backbone (Example). Two Wide Area Network
links feed Router 1 and Router 2, joined by a fail-over link (HSRP/VRRP). Each router path has
its own Intrusion Prevention/Detection device, followed by two Firewalls joined by a fail-over
link (HSRP/VRRP) and two Syslog Servers (Sun SunFire V440), each an Event Correlation
Collection Point. Figure note: the Syslog servers are running host-based intrusion detection or
an event correlation agent to examine security information from multiple sources and forward
it to a System Administrator or Security Operations Center.]

Figure B.12-1. Example: High bandwidth network configuration with network intrusion detection

Host Intrusion Detection Systems (HIDS)

HIDS are designed to examine the activities of only one host or computer at a time, which is
the primary difference that sets it apart from NIDS. The HID is a program or “agent” that is
installed on a host computer just like any other software package except that it runs in the
background, concurrently with any other applications or processes that are active at any one
time.

Examples of this technology are Enterasys Dragon HID, Symantec Host Intrusion
Prevention, and Tripwire.

The HIDS can be configured to examine all activities on a computer, from failed log-in
attempts to the recording of individual keystrokes, to build a comprehensive real-time
picture of an individual’s activities. Like the NID, a host-based system employs a checking
algorithm to determine if a particular packet or activity is “suspicious.”

All network and host-based intrusion detection systems employ one of two methods to determine
whether something is suspicious. The packet or activity will be compared either against a
database of signatures or of anomalies.

Signatures vs. Anomalies

Signature-based system. Signature-based intrusion detection systems examine packets and
compare them against a database of known malicious threats (signatures). This is similar to the
way most anti-virus applications detect malicious code (viruses). About the only drawback with
this type of system is that there is always a time lag between the discovery of a new threat and
the development of a signature for detecting the threat. As with anti-virus software, during this
interval the IDS would be unable to detect the new threat.

Anomaly-based system. An anomaly-based intrusion system monitors packets and activities and
compares them against a baseline of recorded characteristics that are unique to a network, a
user/device combination, or in the case of a server, just the device. The baseline is constructed
over a period of time that varies with the manufacturer, and identifies what is “normal” for that
network or host. Items examined include:

• Protocols used on the network or host
• Ports commonly used on the network or host system
• Bandwidth utilization, also characterized as “interface use”
• MAC and/or IP addresses of devices that connect to each other
• Dates and times of access

The main drawback of an anomaly-based detection system is that while the baseline is being
developed, the computer system can be vulnerable. The IDS software will not know what the
anomalies are until it monitors the system and builds a baseline. This can be overcome partially
by pre-configuring some expected behaviors, but the most effective strategy, especially in
environments where multiple users and multiple networks are present, is to allow the IDS to
build the baseline itself.

As with all IDS technology, these systems will alert system administrators or users when
anomalous traffic is detected, in this case activity that is significantly different from the
developed baseline.
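To make the two detection methods concrete, here is an added example (not code from the white paper or from any product it names) that runs both a signature check and an anomaly check over constructed flow records and emits alerts stamped with date, time and event type, as the NID alert described earlier would be. The baseline fields (protocols, ports, talking pairs, hours of access, peak size), the signature names and all addresses are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample records; a real NIDS would decode these from captured packets.
def flow(ts, src, dst, proto, port, nbytes, payload=""):
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "port": port, "bytes": nbytes, "payload": payload}

LEARNING = [  # traffic observed while the anomaly baseline is being built (constructed)
    flow("2024-03-04T09:05:00", "10.1.1.20", "10.1.1.5", "tcp", 80, 1200, "GET /index.html"),
    flow("2024-03-04T10:15:00", "10.1.1.21", "10.1.1.5", "tcp", 443, 3400),
    flow("2024-03-04T14:30:00", "10.1.1.20", "10.1.1.2", "udp", 53, 90),
    flow("2024-03-05T16:45:00", "10.1.1.22", "10.1.1.5", "tcp", 80, 2100, "GET /news"),
]

# Signature database (constructed): event name -> content that must appear in the payload.
SIGNATURES = {"WEB-MISC directory traversal": "../",
              "WEB-MISC /etc/passwd access": "/etc/passwd"}

def build_baseline(flows):
    """Record what is 'normal': protocols, ports, talking pairs, hours of access, peak size."""
    return {"protos": {f["proto"] for f in flows},
            "ports": {f["port"] for f in flows},
            "pairs": {(f["src"], f["dst"]) for f in flows},
            "hours": {f["ts"].hour for f in flows},
            "max_bytes": max(f["bytes"] for f in flows)}

def signature_check(f):
    """Signature method: known-bad content in the packet triggers an alert."""
    return [name for name, pattern in SIGNATURES.items() if pattern in f["payload"]]

def anomaly_check(f, base):
    """Anomaly method: any deviation from the learned baseline triggers an alert."""
    checks = [(f["proto"] not in base["protos"], f"new protocol {f['proto']}"),
              (f["port"] not in base["ports"], f"new port {f['port']}"),
              ((f["src"], f["dst"]) not in base["pairs"], f"new pair {f['src']}->{f['dst']}"),
              (f["ts"].hour not in base["hours"], f"unusual hour {f['ts'].hour:02d}:00"),
              (f["bytes"] > 2 * base["max_bytes"], f"{f['bytes']} bytes exceeds 2x baseline peak")]
    return [msg for hit, msg in checks if hit]

def inspect_flows(flows, base):
    """Return alerts stamped with date/time and event type, as a NID would forward them."""
    alerts = []
    for f in flows:
        hits = [("signature", name) for name in signature_check(f)]
        hits += [("anomaly", why) for why in anomaly_check(f, base)]
        for kind, detail in hits:
            alerts.append({"ts": f["ts"].isoformat(), "type": kind, "detail": detail,
                           "src": f["src"], "dst": f["dst"]})
    return alerts
```

Note that a flow seen only during the learning period produces no alert at all, which is the vulnerability window the text describes; a signature match, by contrast, fires regardless of what the baseline contains.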

Intrusion Prevention
Intrusion prevention systems seek to prevent a compromise before any real damage can be done.
This is somewhat different from an intrusion detection system, which seeks to examine all the
traffic on a network or system, determine if an attack is in progress, and if so, send an alert to
notify someone of this fact.

As technology has progressed, the lines between intrusion detection and intrusion prevention
have blurred somewhat, because traditional detection systems have incorporated the capability
not only to alert and advise but to take pro-active steps to prevent a compromise. These actions
might include:

• Shutting off affected ports at the host, switch, firewall or router
• Blocking specific IP addresses on the host, switch, firewall or router
• Activating specific access lists on switches, firewalls or routers
• Causing routers to interact with the wide area network or telecommunication carrier
connection to “throttle” or decrease bandwidth in certain attacks.

The capabilities described above are typically associated with an enhanced IDS, sometimes
referred to as an Intrusion Prevention/Detection System (IPS/IDS).

True intrusion prevention systems most often take the form of host-based or software firewalls
like Zone Alarm or BlackICE.

These systems act at the level of individual computers to prevent a compromise, whether it is
external, internal, intentional or accidental. A good prevention system will work not only with
IDS but with the network’s anti-virus infrastructure as well. A malicious code outbreak can be
one of the most time-consuming and costly problems to solve on a network. Since these
preventive applications work at the computer level, an infected host can take steps to prevent the
spread of the infection by several methods, such as automatically closing ports on the computer
or shutting down any network access the device may have.

Like the IDS, these IPS applications are either signature-based or anomaly-based. They either
require updates to maintain their signature database or they must have a period of time to
develop a behavioral baseline to identify accurately “suspicious” or anomalous activities.

IPS and IDS Incident Response

As with almost every other device on a network, IPS and IDS elements report their findings to an
element manager (control console) that not only displays and logs alerts, but allows
configuration and updating of the IPS and IDS as well. The element manager can be configured
to provide a direct notification to a network or security technician at an operations center, or for
smaller IT networks, to send an e-mail to the appropriate personnel and notify them of an IPS/IDS
event.

In larger operations, the element manager may pass its information on to another device or
application, such as an event correlation engine that will collect alerts from all network devices
and use this to create a real-time picture of a network’s security posture. Additional information
on incident response may be found in Ohio IT Policy ITP-B.7, “Security Incident Response,”
and in the IT white paper, Security Incident Response.
