Network Intrusion Detection
Best of Breed Protection with Snort
by Jerry Askew, Associate Member of ILTA
May 2005

Change is the only constant, and this adage is nowhere better exemplified than in the area of network security. While security exploits are increasing in number at a mind-boggling rate, their level of sophistication is increasing at an even more alarming rate. Even as the outside environment of cyberspace becomes increasingly hostile, traditional perimeter defenses are being weakened by VPNs, wireless technologies, remote access and mobile clients. Unfettered by the confluence of risks, business continues its relentless march toward increased reliance on technology — and it is your job to keep it all secure.

Why You Need an IDS

Businesses are faced with a wide variety of technological risks. Some types of risks are directly related to your technology or data assets such as unauthorized access, vandalism and resource theft. Other risks are secondary to your technology assets, such as the liability created by infringement of copyrights or the storage or transmission of offensive material. No matter the form, these all boil down to one thing — risk to your business.

Just as risks come in a variety of forms, the technology to mitigate these risks also takes various forms. An effective security configuration includes multiple technologies. No single tool or strategy by itself can provide effective, or even reasonable, protection against the technological risks faced by your organization. Several common risks are shown in the table below, which illustrates the effectiveness of various tools in addressing these risks.

Risks                 Anti-Virus   Web Monitoring   IDS
Virus                    ***
Worms                    ***                         **
Malware                  ***                         **
Spyware                   *              *
Browser Hijack            *              *
Offensive Content                       **
P2P                                     **           **
Scripted Intrusion                                   ***
Targeted Intrusion                                   ***
Internal Hacking                                     ***

Legend: *** Provides effective protection; ** Provides reasonable protection; * Provides minimal protection

While no security system can provide absolute protection, a well-designed system can prevent all but the most sophisticated attacks. Such a system will also serve to limit damage and liability in those incidents that cannot be prevented.

An IDS is an important component of your security system. Other technologies do not provide the means to detect a successful, let alone an attempted, intrusion. An intrusion that goes undetected for a period of time is certainly the most damaging security risk that a business can face, especially a business charged with a legal duty to maintain the confidentiality of client information.

IDS Backgrounder

The term “Intrusion Detection System” refers to a broad range of technologies, whose purpose is to (surprise) detect intrusions. These systems typically fall into one of the following classes.

Host-Based IDS (HIDS) – Systems that run on a target machine and monitor various types of activity on that machine. Typical HIDS include log parsing/reporting applications, file integrity checkers and protocol stack scanners.

Network IDS (NIDS) – Systems that monitor network traffic, potentially correlated from multiple sites, looking for unusual traffic patterns, signatures and behavior patterns of known exploits and other indications of an intrusion or attempted intrusion.

Network IDS Basics

Network IDSs work by scanning network traffic for suspicious activity. In order to be effective, a NIDS must be positioned strategically within your network topology. In a perfect world, a NIDS would monitor all network traffic; however this is not feasible in modern switched network environments. A reasonable and effective compromise is to monitor specific traffic concentration points, such as router interfaces and switch trunks/uplinks. In campus area and larger networks, the concentration points are likely to be geographically distributed. To accommodate this, a NIDS necessarily operates in a distributed fashion, with nodes at each physical location.

What Is Snort?

Snort is the leading Network IDS. Snort was named “Best Intrusion Solution” of 2005 by Secure Computing Magazine. Snort is open-source and runs on a multitude of platforms including Linux, Windows, *NIX, and Mac OS X. Snort is in widespread use, averaging over 70,000 downloads per month. Commercial support is available through Sourcefire (Snort’s sponsor) as well as virtually any network security consultancy.

Snort’s basic function is to monitor traffic on all connected network interfaces and compare that traffic against a set of attack profiles or rules. When a match occurs, Snort reports the alert information via any one of a number of user configurable output mechanisms. Output modules included in the distribution provide for logging to a SQL database, e-mail notifications, logging to a file and the generation of SNMP events.

Snort on the Lookout

Let’s get back to our network model where Snort is the watchdog. In Snort terminology, each node is known as a sensor. A sensor may contain multiple network interfaces and can monitor a corresponding number of network segments. On small- to medium-sized networks, a single sensor may be all that is needed. For larger multi-location networks, multiple sensors are likely to be deployed.

A sensor may be connected to the network either by utilizing specially designed physical taps or by using the port mirroring (aka SPAN) feature of your network switch to duplicate traffic from an “interesting” port to your IDS.
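The rule-matching step described under “What Is Snort?” (compare traffic against a set of rules, report each match through an output mechanism), as an added example that is not Snort’s own code: a small Python matcher for a constructed subset of Snort’s rule syntax (the header plus msg, content and sid options), run over constructed sample packets and emitting alert lines in the style of Snort’s fast alert output. The rules, addresses and payloads are all constructed for the example.

```python
import ipaddress, re

# Constructed Snort-style rules for this example (not from any real Snort ruleset).
# Syntax: action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)
RULES_TEXT = """
alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)
alert tcp any any -> any 23 (msg:"TELNET login prompt"; content:"login:"; sid:1000002;)
alert udp any any -> any 161 (msg:"SNMP default community string"; content:"public"; sid:1000003;)
"""
HEADER_RE = re.compile(r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+"
                       r"(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')   # one rule option: name:"value"; or name:value;

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        r = m.groupdict()
        r.update(OPT_RE.findall(r.pop("opts")))   # header fields and rule options in one dict
        r["content"] = r["content"].encode()      # content is matched against raw payload bytes
        rules.append(r)
    return rules

def _addr_ok(spec, addr):   # "any" or a CIDR block such as 10.0.0.0/8
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def match_packet(rules, pkt):
    """Return a Snort 'fast'-style alert line for every rule the packet triggers."""
    alerts = []
    for r in rules:
        if (r["proto"] == pkt["proto"] and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
                and r["sport"] in ("any", str(pkt["sport"])) and r["dport"] in ("any", str(pkt["dport"]))
                and r["content"] in pkt["payload"]):
            alerts.append(f"[**] [1:{r['sid']}:0] {r['msg']} [**] {{{r['proto'].upper()}}} "
                          f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return alerts

# Constructed sample traffic; the second packet shows the CIDR check excluding a host outside 10/8.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 51234, "dst": "10.1.2.3", "dport": 80, "payload": b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.0.2.7", "sport": 51235, "dst": "198.51.100.9", "dport": 80, "payload": b"GET /etc/passwd HTTP/1.0\r\n"},
    {"proto": "udp", "src": "10.9.9.9", "sport": 4000, "dst": "10.1.2.4", "dport": 161, "payload": b"\x30\x26\x02\x01\x00\x04\x06public"},
]

def run(rules_text=RULES_TEXT, packets=PACKETS):
    rules = parse_rules(rules_text)
    return [a for p in packets for a in match_packet(rules, p)]
```

Running it yields two alerts (sid 1000001 for the first packet and sid 1000003 for the third); the second packet matches the content but not the 10.0.0.0/8 destination, so it is silent.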
On high-utilization full-duplex links, a tap is recommended since mirrored ports may be subject to saturation and packet loss. The use of hubs is discouraged because they introduce an additional point of failure and will significantly limit throughput on full-duplex links.

Management, Analysis and Reporting

A Snort-based NIDS is typically constructed from a number of independent applications. Snort itself provides monitoring, detection and alerting functions. In order to provide a complete solution, especially for large installations, it is necessary to add components that can manage all of the Snort sensors on the network. In addition, a system is needed to aggregate all of the alert data and perform analysis and reporting.

Snort is complemented by a number of applications that provide the aforementioned functions and more. A significant advantage of the open-source model, particularly with respect to Snort, is that you are free to choose from a variety of supporting applications to build a solution that uniquely addresses your particular needs. If you cannot find the perfect combination, you can modify any part of the system to make it “just right.”

Management via SnortCenter

A popular application for managing Snort sensors is SnortCenter. SnortCenter is a Web-based management console that provides for centralized monitoring and configuration of an arbitrary number of Snort sensors. From the console, you can quickly see the status of all of the sensors on your network. Sensors can be stopped, started and configured via SnortCenter’s straightforward interface.

Reporting via ACID

Snort generates alert data whenever suspicious traffic is detected. In a typical system, alerts occur frequently and create voluminous amounts of data. While certain events may be interesting in and of themselves, intrusion detection is more often about analyzing traffic patterns and trends. The Analysis Console for Intrusion Databases (ACID) provides a number of tools for analyzing the alert data generated across your network.

ACID can summarize the alert data from all of your sensors and provide statistics and graphs based on any number of factors including: location, source, destination, time of day, day of week, protocol, event type and more. For ease of use, ACID can be integrated within SnortCenter.

Operating Considerations

When implementing any system, it is important to consider and allocate the resources necessary for ongoing operation. This is especially true for an IDS — an IDS is not a “set and forget” type of system. An unmonitored IDS serves no purpose other than to lull you into a false sense of security. NIDSs require signature updates, similar to antivirus applications, in order to detect the latest exploits. Personnel must constantly review alert data and make adjustments to rules to compensate for changing network conditions. Recognizing these needs and planning accordingly is the single most important thing you can do to ensure an effective solution.

Conclusion

An intrusion detection system is a necessary part of your security infrastructure. Snort is recognized as the leading Network IDS and can be easily deployed. Being open-source, Snort requires little or no capital investment and can be modified to suit your exact needs. The ongoing operating costs and time requirements of Snort are comparable to those of vendor-supplied IDSs. If the security of your network is important to your business, Snort is an excellent choice for intrusion detection.

Due to space limitations, the details for implementing Snort are presented in a companion article available on ILTA’s website at from the Communications tab on the navigation bar.

About our author . . .

Jerry Askew is an Associate Member of ILTA. He was formerly the Chief Information Officer for Loeb & Loeb LLP. Jerry is an active member of ILTA’s Open Source Software Peer Group. He can be reached at

This article was first published in ILTA’s May, 2005 issue of Peer to Peer and is reprinted here with permission. For more information about ILTA, visit their website at
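The ACID-style roll-ups and the rule-review routine described under “Reporting via ACID” and “Operating Considerations”, as an added example that is not part of the original article or of ACID: it parses constructed alert lines laid out like Snort’s alert_fast output (sample data, not real captures), summarizes them by signature, source, hour of day and protocol, and lists signature/source pairs that fire repeatedly so an operator can decide whether the rule or the host needs adjusting. The alert layout and the threshold of three are assumptions of the example.

```python
import re
from collections import Counter

# Constructed alert records in the layout of Snort's alert_fast output (sample data, not real captures).
ALERT_LOG = """\
05/12-09:14:02.118273  [**] [1:1000002:0] TELNET login prompt [**] [Priority: 2] {TCP} 192.0.2.7:51240 -> 10.1.2.5:23
05/12-09:14:09.551000  [**] [1:1000002:0] TELNET login prompt [**] [Priority: 2] {TCP} 192.0.2.7:51241 -> 10.1.2.6:23
05/12-13:02:44.004411  [**] [1:1000001:0] WEB-MISC /etc/passwd access [**] [Priority: 2] {TCP} 203.0.113.4:40112 -> 10.1.2.3:80
05/12-13:02:45.120000  [**] [1:1000003:0] SNMP default community string [**] [Priority: 3] {UDP} 10.0.0.50:4000 -> 10.1.2.4:161
05/12-13:07:45.120000  [**] [1:1000003:0] SNMP default community string [**] [Priority: 3] {UDP} 10.0.0.50:4000 -> 10.1.2.4:161
05/12-13:12:45.120000  [**] [1:1000003:0] SNMP default community string [**] [Priority: 3] {UDP} 10.0.0.50:4000 -> 10.1.2.4:161
"""

LINE_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[[^\]]*\])*\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that are not alert records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """ACID-style roll-ups: alert counts per signature, per source host, per hour and per protocol."""
    return {
        "by_sid": Counter((e["sid"], e["msg"]) for e in events),
        "by_src": Counter(e["src"] for e in events),
        "by_hour": Counter(int(e["hour"]) for e in events),
        "by_proto": Counter(e["proto"] for e in events),
    }

def tuning_candidates(events, threshold=3):
    """(sid, source) pairs that fired at least `threshold` times. A single host tripping
    the same signature on every poll is what the operator reviews: either the host's
    configuration is fixed or the rule is adjusted for that source, rather than ignored."""
    pairs = Counter((e["sid"], e["src"]) for e in events)
    return sorted(key for key, n in pairs.items() if n >= threshold)
```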