Slashdot Mirror


Patrolling Networks For Insecurities

Mojo Jojo writes "There's a story on developerWorks about DARPA-funded work being done at Stanford Research Institute (aka SRI International) to develop something called Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) -- software components that are capable of providing anomaly and misuse detection for networks. EMERALD components monitor local activity, then work in conjunction with analysis engines for visualization, response, correlation, and data logging to provide a global picture of what's occurring throughout the network. Sort of like having beat cops and police call boxes throughout your network (or something)."

10 of 47 comments

  1. Such Old "News" by tqbf · · Score: 5
    We really need to be able to moderate story headlines. This is far beyond old news, and even when it WAS news, it wasn't interesting news.

    EMERALD is not an evil government plot, nor is it interesting new technology that will change anyone's life. It's simply another research intrusion detection system, and it's been around for years. The people working on it are smart (I met and talked to Philip Porras at a Common Intrusion Detection Format meeting), but the project itself is less far-reaching than any of the commercial systems already on the market.

    EMERALD is interesting primarily as a framework for building intrusion detection systems. It's component-based and designed to allow different "event generators" to be combined for analysis. This is a goal of a large number of research projects. The reason EMERALD comes up a lot is that it has a relatively well-defined and powerful rule-based analysis engine to process events.

    This framework differs from commercial systems like ISS RealSecure in that the sensors, which collect information from the network (or logs, or whatever) don't do the bulk of the analysis work. Unlike RealSecure, in which the raw network sniffing code is also responsible for knowing about almost every vulnerability the system detects, EMERALD allows the sniffer system to forward low-level "events" to an analysis engine that can detect attacks.

    The two basic advantages of this approach are that you can more scalably detect simple attacks and you can detect a wider range of intrusion scenarios. The system scales better because it splits the load of event generation (sniffing) and analysis (attack detection) into two components, instead of coupling them into one component like RealSecure. The system can detect more interesting attacks because it offloads analysis into a rule-based engine (basically, an "intrusion detection programming language"), so it can flexibly do things like statefully correlate different events from different event generators.

    This is all nice and good, but the fact is that EMERALD is (at least, until recently) a research project with very little real-world usage. It's a nicer architecture than RealSecure, but in terms of real-world impact, RealSecure is more important; RealSecure has a fairly mature "sniffing" engine, a large database of attack signatures, and an interface that makes it easy for network operators to violate your privacy.

    Anyone (the NSA, your ISP, your mother) can buy RealSecure if they have the cash. It's been available for years and years. You can deploy a RealSecure system to do everything EMERALD can currently do. And most of the interesting new capabilities EMERALD promises IMPROVE the privacy aspects of the system. You can't get a whole lot more intrusive than the "snoop every packet" semantics RealSecure already has.

    So, what's the news here?
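
The sensor/engine split described in this comment can be shown in a few dozen lines. The following is an added illustration written for this page, not EMERALD code and not the commenter's: two hypothetical event generators ("netsniff" and "authlog") forward low-level events, and a separate stateful rule engine decides what becomes an alert, including one rule that correlates events across the two generators. The rule names, thresholds and the event stream are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Event:
    """A low-level event as a sensor would forward it to the analysis engine."""
    ts: float        # seconds since start of capture
    source: str      # which event generator produced it ("netsniff" or "authlog")
    kind: str        # low-level event type; the sensor does not decide whether it is an attack
    src_ip: str

class CorrelationEngine:
    """Stateful, rule-based analysis kept deliberately separate from the sensors.

    Hypothetical rules, for illustration only:
      R1  >= fail_threshold 'login_failed' events from one source IP inside `window`
          -> 'bruteforce' alert; severity is raised if the sniffer reported a
          'portscan' from the same IP inside the window (cross-generator correlation).
      R2  a 'login_success' from an IP that already triggered R1 within `window`
          -> 'success_after_bruteforce' alert.
    """
    def __init__(self, fail_threshold=5, window=60.0):
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent login_failed
        self.bruteforce_at = {}             # src_ip -> ts at which R1 fired
        self.scans = {}                     # src_ip -> ts of last portscan event
        self.alerts = []

    def _expire(self, dq, now):
        # Drop failure timestamps that have slid out of the correlation window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def feed(self, ev):
        """Consume one event; return the alerts it produced (usually none)."""
        new = []
        if ev.kind == "portscan":
            self.scans[ev.src_ip] = ev.ts
        elif ev.kind == "login_failed":
            dq = self.failures[ev.src_ip]
            dq.append(ev.ts)
            self._expire(dq, ev.ts)
            if len(dq) >= self.fail_threshold and ev.src_ip not in self.bruteforce_at:
                self.bruteforce_at[ev.src_ip] = ev.ts
                scan_ts = self.scans.get(ev.src_ip)
                recent_scan = scan_ts is not None and ev.ts - scan_ts <= self.window
                new.append(("bruteforce", ev.src_ip, "high" if recent_scan else "medium"))
        elif ev.kind == "login_success":
            fired = self.bruteforce_at.get(ev.src_ip)
            if fired is not None and ev.ts - fired <= self.window:
                new.append(("success_after_bruteforce", ev.src_ip, "critical"))
        self.alerts.extend(new)
        return new

def run(events, **engine_kwargs):
    """Replay an event stream (sorted by time) through the engine; return all alerts."""
    engine = CorrelationEngine(**engine_kwargs)
    for ev in sorted(events, key=lambda e: e.ts):
        engine.feed(ev)
    return engine.alerts

# Constructed sample stream (not real data) from two independent event generators.
SAMPLE_EVENTS = [
    Event(0.0, "netsniff", "portscan", "10.0.0.5"),
    *[Event(10.0 + 2 * i, "authlog", "login_failed", "10.0.0.5") for i in range(5)],
    Event(25.0, "authlog", "login_success", "10.0.0.5"),
    # Slow, spread-out failures never reach the threshold inside one 60 s window.
    *[Event(30.0 * i, "authlog", "login_failed", "10.0.0.9") for i in range(5)],
    Event(150.0, "authlog", "login_success", "10.0.0.9"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The sniffer never needs to know what a brute-force attempt looks like; it only reports a port scan. Widening the window (`run(SAMPLE_EVENTS, window=200.0)`) is enough to make the slow 10.0.0.9 failures alert as well, which is the trade-off a rule engine like this lets an operator tune without touching the sensors.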

  2. Re:Hmmm... Sounds a little like 'Carnivore'... by KenSeymour · · Score: 3

    So TCP/IP and the Internet were originally DARPA funded.
    So by your logic, they are also in the DOD, FBI, and NSA's best interest.

    The tcpdump utility uses the libpcap, which was developed at Lawrence Berkeley NATIONAL LABORATORY!

    I suppose you will just have to balance the risk of being cracked by non-government individuals versus the risk of using US government developed network monitoring tools to protect yourself.

    --
    "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
  3. Nice but cumbersome, by Ih8sG8s · · Score: 4
    The idea is good, but I can see where this would get very cumbersome on switched networks. By definition, switched networks hamper one's ability to monitor unicast frames. Most layer two bridges use 802.1d (Spanning Tree Protocol and Algorithm), which directs unicast frames only through ports required to form a single path for A-to-B connectivity. This raises issues with monitoring unicast traffic, as frames not destined for the monitor are not forwarded to the port that the monitor resides on. There are a few things you can do to overcome this:

    1. Place multiple hosts into a single collision domain for monitoring of unicast traffic. This has serious performance ramifications.

    2. Use an inline monitor in each collision domain where you want to monitor unicast frames.

    This can be very expensive, and would get cumbersome to maintain if you have a dozen or more servers to watch.

    3. Use Tap ports (available on some switches) to direct all unicast frames to a designated switch monitoring port.

    This also has issues, as the tap ports are generally a low priority process in the switching engine, and often a simple DOS can cause the switching engine to drop packets rather than forward them to the tap port. I have also done some testing and have found that many (most) tap port services on switches are broken or selective in what traffic they forward to the tap. I can't speak for them all, but I have tested several top vendor products. I have a multi-homed (8) interface box that I have designed and abandoned in developing (no time) which runs Linux. It's basically an 8 interface sniffer so that I can sniff up to 8 segments at a time. Even this sort of approach is really limited. Maybe they should look at a way to piggy-back patch panels in the comms room, and run a split back to an aggregator so they can sniff 'everything at once' without having to deploy many, many monitors. Hey, that's a cool idea.
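
A sensor behind a mirror/tap port that silently drops frames under load, as this comment warns, produces blind spots that look like nothing at all in the alert stream. One way a defender can check for this from the capture itself is to watch TCP sequence numbers: a forward jump is a gap; if the sender later retransmits those bytes, the loss was real and the endpoints dealt with it, but if nobody ever resends them, the receiver acknowledged data the sensor never saw, which points at the capture point. The following is an added example written for this page, not the commenter's tool; it works on already-parsed segment records (constructed here, not read from a pcap) and ignores sequence-number wraparound.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """Fields of a captured TCP segment that the check needs (constructed, not parsed from a pcap)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int      # TCP sequence number of the first payload byte
    length: int   # payload bytes carried

def analyze_flows(packets):
    """Track the next expected sequence number per unidirectional flow.

    A jump forward records a gap. A later segment that overlaps the gap means the
    sender retransmitted it (real network loss). A gap that is never covered means
    the receiver acknowledged bytes the sensor never saw: the tap/mirror port, not
    the network, dropped them. 32-bit sequence wrap is not handled here.
    """
    state = {}
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.src, p.sport, p.dst, p.dport)
        st = state.setdefault(flow, {"next": None, "gaps": []})
        end = p.seq + p.length
        if st["next"] is None:
            st["next"] = end
        elif p.seq > st["next"]:
            st["gaps"].append({"start": st["next"], "end": p.seq, "filled": False})
            st["next"] = end
        else:
            # In-order or retransmitted data: mark any gap this segment overlaps as filled.
            for g in st["gaps"]:
                if not g["filled"] and p.seq < g["end"] and end > g["start"]:
                    g["filled"] = True
            st["next"] = max(st["next"], end)
    return state

def summarize(state):
    """Return {flow: (bytes_likely_dropped_by_sensor, bytes_lost_and_retransmitted)}."""
    out = {}
    for flow, st in state.items():
        unfilled = sum(g["end"] - g["start"] for g in st["gaps"] if not g["filled"])
        filled = sum(g["end"] - g["start"] for g in st["gaps"] if g["filled"])
        out[flow] = (unfilled, filled)
    return out

def suspected_sensor_drops(packets):
    """Flows whose gaps were never retransmitted, i.e. where the capture point lost data."""
    return [flow for flow, (unfilled, _) in summarize(analyze_flows(packets)).items() if unfilled]

# Constructed sample capture (not real traffic): two client->server flows.
FLOW_A = ("10.1.1.2", 40000, "10.1.1.10", 80)   # 200 bytes vanish and are never resent
FLOW_B = ("10.1.1.3", 40001, "10.1.1.10", 80)   # 100 bytes lost, then retransmitted
SAMPLE_PACKETS = [
    Pkt(0.00, *FLOW_A, seq=1000, length=100),
    Pkt(0.10, *FLOW_A, seq=1100, length=100),
    Pkt(0.20, *FLOW_A, seq=1400, length=100),   # gap 1200-1400 (sensor dropped it)
    Pkt(0.30, *FLOW_A, seq=1500, length=100),
    Pkt(0.05, *FLOW_B, seq=5000, length=100),
    Pkt(0.15, *FLOW_B, seq=5100, length=100),
    Pkt(0.25, *FLOW_B, seq=5300, length=100),   # gap 5200-5300 (real loss)
    Pkt(0.40, *FLOW_B, seq=5200, length=100),   # retransmission fills the gap
    Pkt(0.45, *FLOW_B, seq=5400, length=100),
]

if __name__ == "__main__":
    for flow, (dropped, lost) in summarize(analyze_flows(SAMPLE_PACKETS)).items():
        print(flow, "sensor-dropped bytes:", dropped, "retransmitted bytes:", lost)
    print("flows with suspected sensor drops:", suspected_sensor_drops(SAMPLE_PACKETS))
```

Run against a real capture this needs the same per-segment fields from a pcap reader; the point is that a rising "unfilled" count during a traffic burst is direct evidence that the mirror port is shedding load exactly when the IDS most needs to see everything.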

  4. Hmmm... Sounds a little like 'Carnivore'... by Bonker · · Score: 4

    ...but with a little better spin. Surely, I'm not the first paranoid to realize that government controlled or funded monitoring utilities, be they hardware-based like Carnivore, or software based like this guy, are a little scary.

    EMERALD (They must have *really* worked to put this acronym together) seems on the surface to be quite a bit less scary than Carnivore. It monitors your network and reports back to you, but the project *is* DARPA funded, and ultimately serves the DOD's (and therefore the FBI and NSA's) best interests. This is the line that has me really concerned:

    Plus, with resolver, an additional EMERALD software component, alerts are consolidated across multiple network domains within a single reporting console.

    Does this mean that there are ways built into the software to monitor one firewalled network from another? They had better release the source for all components for review, or I ain't touchin' it with a ten-foot pole. If there are backdoors in Windows, then it's just too-too easy to put a DOD or NSA back-door into something like this.


  5. general network monitoring by Pimpbot5000 · · Score: 4

    Emerald fits into a subset of the network monitoring that is coming of age as we speak. The IETF has already begun to try and standardize protocols for use in this area...check out the Intrusion Detection Working Group for more info (the results produced by the IDWG would standardize the transfer from producers to consumers mentioned in the article).

    -Greg
  6. Decrypting SSL? by Ranalou · · Score: 4

    I have got to be misinterpreting this passage:

    EMERALD security components can also help users analyze communications traffic, collecting Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) and Web server data directly from the Transmission Control Protocol (TCP) traffic stream. "For Web traffic where we deal with Secure Socket Layer (SSL) and cryptography, we've created an embedded component to decrypt Apache Web server traffic, and we're extending it over to Netscape's Web server," Porras said.

    Are they really saying that, for the purposes of intrusion detection, they will be decrypting SSL traffic off the wire and on the fly? More to the point, they're saying that this can be (relatively) easily done?

    Or, is it that they're talking about an Apache module which will examine the traffic on the other side of the tunnel? The wording is a little confusing.

  7. some stuff available by Alien54 · · Score: 3
    Looks like some components of the beast are available for download already (Sun/Solaris only, however)
    SRI plans to gradually release selected EMERALD components to the public domain. One such component, eXpert-BSM, is currently available for download from SRI's Web site (see Resources). eXpert-BSM, a small, host-based sensor that acts as a security daemon, is "particularly good for detecting misuse on Solaris operating systems," Porras said. Since SRI is a nonprofit research institute, the components made available on its Web site are released without charge to the public domain. "If we don't make certain components available on the Internet, we will still make them available to [government organizations] and to the entire DoD research community," Porras remarked.
    The download is available here.

    At least someone with some brains and experience will be able to look at it and give it a thumbs up or thumbs down.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  8. Networks have insecurities just like all of us by brianvan · · Score: 3

    I think this is a good thing. If networks start to feel bad about themselves, we do need to figure that out and give them some counseling. They need to have self-esteem and a sense of self-worth. Otherwise, they become more prone to symptoms of depression and self-destructive behavior - such as not communicating well with their peers, carelessly dispatching backhoes to construction projects near backbone lines, etc. We need to teach them to get over their fears and self doubt, and support them so that they feel more comfortable in the presence of others. If we would just pay more attention to the warning signs of such bad feelings, we might be able to help networks before it's too late.

    Have you hugged your network today?

  9. Clearly by WinDoze · · Score: 3

    This is step one towards SKYnet. Eventually it will become self-aware and kill us all. Or even worse, become self-aware filtering software.

  10. just an IDS by matman · · Score: 3

    How is this different from any good intrusion detection system? There are already companies making software like this (although I'm not aware of any open source ones)... ISS Realsecure, Axent NetProwler, NFR, Intellitactics NSM to name a few.

    Maybe the big thing is that they're trying to replace the intrusion detection analyst with software... which might not be such a great idea since all (unless broken :) intrusion detection systems can generate false positives and often do.