Intrusion Detection/Prevention Systems (IDS/IPS)
In both government and industry, Intrusion Detection/Prevention Systems (IDS/IPS) are common and are standard equipment in many networks. IDS/IPS are software- or hardware-based systems that automate the process of monitoring events occurring in a system or network and analysing them for indications of security-related issues. Typically an IDS/IPS is installed to check or supplement the security provided by firewalls.
An IDS/IPS is a defensive system which detects hostile activity in a network. The aim is to detect, and possibly prevent, activities that may compromise system security, such as a hacking attempt in progress. The system produces alerts for the operator when it detects potentially malicious activity, such as the reconnaissance, mapping or data collection phases of an attack, which may involve activities such as port scanning.
A key feature of intrusion detection and prevention systems is their ability to offer a view of unusual activity, issue alerts notifying administrators and/or block a suspected connection in progress. Generally, attacks can be categorised into two areas:
- Passive: Attempting to gain access to system resources without directly compromising any specific system, for example by performing network scanning.
- Active: Attempting to exploit a vulnerability or weakness in a specific system, such as using an exploit which results in an unauthorised change to a system.
In terms of the relationship between the attacker and the target, attacks can be categorised as:
- Internal: Coming from within the enterprise, either from employees or from their business partners or customers.
- External: Coming from outside the enterprise, frequently via the Internet.
Attacks can also be identified by the source of the attack, namely those performed from internal systems on the local network, the Internet or from remote dial-in sources.
Intrusion Detection/Prevention System Types
The types of Intrusion Detection/Prevention Systems commonly in use can be placed into three broad categories:
Network Intrusion Detection Systems (NIDS): Network Intrusion Detection Systems typically use information gathered from a passive interface in promiscuous mode to detect attack patterns. NIDS can give a great deal of network coverage and protect many hosts depending on their placement.
Network Intrusion Prevention Systems (NIPS): Some network intrusion detection systems are active as opposed to passive and offer functionality that actively aims to react to perceived attacks as opposed to passively monitoring them.
Host Intrusion Detection System (HIDS): Host Intrusion Detection Systems consist of software installed on a host or collection of hosts which attempts to baseline normal activity and report on abnormal conditions such as account password guessing.
Intrusion Detection/Prevention System Triggers
A typical network-based IDS/IPS detects attacks through one of two methods: signature-based matching or anomaly detection. Signature matching works similarly to an anti-virus scanner: each recognised attack has a signature describing how it is performed, and when a pattern matching that signature is detected on the network the IDS/IPS generates an alert. An anomaly-based IDS/IPS establishes a baseline of normal network activity and alerts when it detects an abnormal condition. Anomaly-based IDS/IPS are not as common as signature-based systems.
Host-based IDS/IPS are designed to be installed on the servers and workstations that they protect. Some host-based systems work by monitoring the host for specific files that should not change and alerting if they do. They may also watch the network connections and compute hashes of files to reveal changes made to the file system in general.
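As an added illustration of the two trigger methods described above (example code, not from the original page or from Indimon), the following Python sketch runs a signature-based matcher and a simple anomaly-based baseline over a constructed set of connection records. The records, addresses, signatures and the fan-out threshold are all assumptions for the example; the SNMP poller stands in for the false positive mentioned under Alert Characteristics below, and the allowlist shows one way of tuning it out.

```python
from collections import defaultdict, deque

# Constructed connection records (timestamp, src, dst, dst_port, payload),
# in arrival order. Made-up values for this example, not captured traffic.
FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1"),
    (0.2, "10.0.0.5", "10.0.0.20", 80, b"GET /cgi-bin/test.cgi HTTP/1.1"),
    # A management station polling six hosts over SNMP: benign but bursty.
    *[(0.5 + i * 0.05, "10.0.0.9", f"10.0.0.{30 + i}", 161, b"snmp-get")
      for i in range(6)],
    # A port scan: one source touching many ports on one host, no payload.
    *[(1.0 + i * 0.01, "10.0.0.77", "10.0.0.20", p, b"")
      for i, p in enumerate((21, 22, 23, 25, 80, 443, 8080))],
]

# Signature-based trigger: one byte pattern per known attack (assumed patterns).
SIGNATURES = {
    "cgi-bin probe": b"/cgi-bin/",
    "sql injection": b"' OR 1=1",
}


def signature_alerts(flows):
    """Alert whenever a known pattern appears in a payload; silent otherwise."""
    return [(ts, src, name) for ts, src, _, _, payload in flows
            for name, pattern in SIGNATURES.items() if pattern in payload]


def anomaly_alerts(flows, window=1.0, max_targets=5, allowlist=()):
    """Alert when a source contacts more distinct (host, port) pairs within
    `window` seconds than the baseline `max_targets` allows. One alert per
    source; sources on the allowlist (e.g. a known poller) are never checked."""
    recent = defaultdict(deque)      # src -> deque of (ts, (dst, port))
    flagged, alerts = set(), []
    for ts, src, dst, port, _ in flows:
        if src in allowlist or src in flagged:
            continue
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:   # drop records outside the window
            q.popleft()
        if len({key for _, key in q}) > max_targets:
            flagged.add(src)
            alerts.append((ts, src, "target fan-out above baseline"))
    return alerts
```

The scan carries no payload, so only the anomaly detector sees it, while the cgi-bin probe is caught only by its signature; the poller trips the baseline until it is allowlisted.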
Intrusion Detection/Prevention System Testing
In spite of the prevalence of Intrusion Detection/Prevention System technology, the accuracy, performance and effectiveness of these systems go largely untested. Systems security staff may benefit from an IDS/IPS security test that allows them to check the output of their system, and the resulting alerting patterns, when faced with an attack scenario performed within the control of an authorised security test.
Intrusion Detection/Prevention System testing varies in depth, scope and focus; security tests have increased in complexity to incorporate more attack types, such as IDS/IPS evasion techniques, packet fragmentation and Denial of Service (DoS) attacks.
Intrusion Detection/Prevention System Alert Characteristics
There are several performance metrics that can be tested by triggering the system with a planned attack, such as the following:
Coverage: Identifying the coverage of signature-based systems against a range of likely attack footprints, to find whether any common attack techniques slip under the radar of the pattern analysis engine used by the IDS/IPS. Examples of test patterns used to establish the system's coverage include network port scanning, exploit execution and account brute forcing.
False Alarms: A normal operating environment may trigger the IDS/IPS and produce a significant number of false alarms, depending on how the system is configured and what is considered normal network activity. An example of a potential false positive is the SNMP probes and responses used by a network management tool.
Bandwidth Capability: The IDS/IPS should be able to inspect activity on the network regardless of network saturation. For example, assuming the system can detect malicious activity when network use is low, does its performance suffer when background network activity is increased, and is it still able to identify the malicious activity accurately?
Directed Attacks: Is the IDS/IPS itself resistant to attacks which aim to disrupt its normal working function? An example would be sending a large amount of attack traffic directly at the system with the aim of triggering many signatures and overwhelming the operator with positive events, or interfering with the system's display tool or administration functionality.
Attack Detection: The IDS/IPS should accurately identify an attack, label it appropriately according to its type, and represent the attack vector in a format the operator can easily understand.
Event Handling: An IDS/IPS that uses distributed sensors should be able to correlate attacks detected by these sensors into a series of meaningful, time-based incidents for analysis.
Intrusion Detection/Prevention System Evasion
Evasion techniques are changes made to typical attack patterns to prevent detection of the attack by an IDS/IPS; almost all evasion techniques modify network-based attacks. Most systems detect basic evasion techniques, but IDS/IPS evasion is still an active field of research. Some of the evasion techniques which can be used are described below:
Payload Obfuscation: The attack payload can be obfuscated or encoded in such a way that the target system will decode the payload but an IDS/IPS will not. An example would be polymorphic code, which creates unique attack patterns so that the vector cannot be attributed to a single detectable signature.
Packet Fragmentation: An attack payload can be split into multiple small packets so that the IDS/IPS must reassemble the packet stream to detect the attack. The packets could be delayed to see whether the system times out before the target system does, or sent out of order to see how the system handles re-ordering them.
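An added example (not from the original page or from Indimon) of why the reassembly step matters to the detector: constructed segments of one stream arrive out of order with a signature split across two of them, so a matcher that inspects each packet in isolation misses it, while a reassembler that only releases contiguous bytes sees what the receiving host will see. Sequence numbers, payloads and the signature are made up; overlap and timeout policy, where real engines and target hosts diverge, are left out.

```python
# Constructed TCP-like segments (seq, payload) of one stream, in arrival order.
# The second segment arrives before the middle one, and the signature
# "/cgi-bin/" is split across the first two segments by sequence number.
SEGMENTS = [
    (0, b"GET /cgi-"),
    (17, b" HTTP/1.1\r\n"),      # arrives early: bytes 17.. before bytes 9..16
    (9, b"bin/x.sh"),
]
SIGNATURE = b"/cgi-bin/"        # assumed pattern for the example


def per_packet_match(segments, sig=SIGNATURE):
    """Naive matcher: looks at each segment on its own, never across them."""
    return any(sig in data for _, data in segments)


class StreamReassembler:
    """Buffers out-of-order segments and releases bytes only once they are
    contiguous, so a matcher sees the stream the way the endpoint will."""

    def __init__(self, isn=0):
        self.next_seq = isn      # next byte offset we can release
        self.pending = {}        # seq -> payload for segments not yet placeable
        self.stream = bytearray()

    def feed(self, seq, data):
        """Accept one segment; return the contiguous bytes released so far."""
        if seq >= self.next_seq:             # ignore retransmits already released
            self.pending[seq] = data
        while self.next_seq in self.pending:  # drain everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)
        return bytes(self.stream)

    def has_gap(self):
        """True while a segment is held back waiting for earlier bytes."""
        return bool(self.pending)


def reassembled_match(segments, sig=SIGNATURE):
    """Feed all segments through the reassembler, then match on the stream."""
    r = StreamReassembler()
    for seq, data in segments:
        r.feed(seq, data)
    return sig in r.stream, bytes(r.stream)
```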
Denial of Service: By deliberately triggering a large number of alerts, the real attack vector could be hidden within the noise generated by the alerts. This reveals whether the IDS/IPS is maintaining application protocol context or merely triggering alerts based on signature matching.
Protocol Violations: The IDS/IPS may react differently from the target system to packets that have been modified to violate protocol conventions; this may take the form of contradictory protocol flags or other manipulation of packet header fields.
Encryption: An IDS/IPS needs to be able to inspect the payload of every packet to be effective; encrypted network traffic such as SSL, SSH and IPSec may defeat the inspection engine and allow attack paths to be created using the secure connection as a transport for the attack payload.
Indimon Internet Services
Indimon Internet Services will undertake to offer security operations staff a view of the functionality offered by their IDS/IPS deployment in a range of attack scenarios mimicking real world attack patterns. This will give the operators the opportunity to see and understand the IDS/IPS output and event triggering process while under attack from within a controlled security test.