Network Intrusion Detection and Prevention?
c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users may find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"
I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users may find it lacking in intrusion prevention capabilities.
You can balance FLOSS and proprietary techs with something like Astaro Security Linux. They do appliances or standalone software.
Bullish Machine Tzar
So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If usage suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulnerabilities.
Sean
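The per-user ranking idea in Sean's post, worked through as an added example (not the poster's own rrdtool setup): it assumes per-user bandwidth averages have already been pulled out of rrdtool per interval, uses constructed sample values inline, and flags a user only when they both climb the ranking and exceed a multiple of their own baseline.

```python
"""Rank users by bandwidth and flag sudden rank jumps.

Added example, not the poster's code.  Assumes per-user bits/sec averages
per 5-minute interval (as `rrdtool fetch` would give you); the values below
are constructed for illustration.
"""
from statistics import mean

# Constructed samples: user -> average bits/sec per interval, oldest first
SAMPLES = {
    "alice": [120_000, 110_000, 130_000, 125_000, 118_000, 122_000],
    "bob":   [900_000, 950_000, 880_000, 910_000, 940_000, 930_000],
    "carol": [ 40_000,  45_000,  38_000,  42_000,  41_000, 3_900_000],  # sudden jump
    "dave":  [300_000, 310_000, 290_000, 305_000, 295_000, 300_000],
}


def percentile_95(values):
    """95th percentile the way graphing/billing setups usually do it: sort, drop the top 5%."""
    s = sorted(values)
    idx = max(0, int(round(0.95 * len(s))) - 1)
    return s[idx]


def overall_95th(samples):
    """Overall 95th %ile of the link: sum every user per interval, then take the percentile."""
    totals = [sum(col) for col in zip(*samples.values())]
    return percentile_95(totals)


def rank_users(per_user_values):
    """Return {user: rank} with rank 1 = heaviest user for the given values."""
    order = sorted(per_user_values, key=per_user_values.get, reverse=True)
    return {user: i + 1 for i, user in enumerate(order)}


def rank_jumps(samples, baseline_len=5, min_jump=1, min_ratio=5.0):
    """Flag users whose latest interval moves them up the ranking by at least
    `min_jump` places AND whose latest value is `min_ratio` times their own
    baseline mean.  Requiring both keeps a heavy-but-steady user out of the list.
    Returns (user, old_rank, new_rank, ratio) tuples."""
    baseline = {u: mean(v[:baseline_len]) for u, v in samples.items()}
    latest = {u: v[-1] for u, v in samples.items()}
    old_rank = rank_users(baseline)
    new_rank = rank_users(latest)
    flagged = []
    for user in samples:
        climbed = old_rank[user] - new_rank[user]
        ratio = latest[user] / baseline[user] if baseline[user] else float("inf")
        if climbed >= min_jump and ratio >= min_ratio:
            flagged.append((user, old_rank[user], new_rank[user], round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    print("overall 95th %ile:", overall_95th(SAMPLES))
    for user, old, new, ratio in rank_jumps(SAMPLES):
        print(f"{user}: rank {old} -> {new}, {ratio}x baseline, worth a look")
```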
If you use Snort-Inline along with IPTables and some scripts in Linux, you can come up with a pretty decent IPS.
Ask Slashdot: I've been wondering how to do my job. I figure other people out there have jobs too, and know how to do them. Maybe they can share their experiences, or even do my job for me!
pooptruck
This was funny the first time.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Not all OS's have distributions you know... Or free UNIX-like OS's for that matter.
I have no idea if this helps or not, but NVidia has a technology called ActiveArmor that may be of interest. In a nutshell, it's a Gigabit hardware firewall solution that is built into many inexpensive boards. Supposedly it can be used in both incoming and outgoing directions, allowing you to know immediately if a penetrator attempts to access improper network resources. Here's the spiel:
ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server-important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.
Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.
How about AIDE?
http://www.gentoo.org/doc/en/security/security-handbook.xml?style=printable&full=1#book_part1_chap13
Is pretty good...
What about good old fashion time-outs, .htaccess, and traditional methods? Nothing seems to work for keeping a secure system secure than no connection to the outside world.
turn your system off, then it will be secure.
As soon as any Ethereal activity occurs I have shell script flash the screen red where a trained monkey pulls out the cat-5 cable.
Is there anything better than clicking through Microsoft ads on Slashdot?
The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).
For real enterprise needs, companies like counterpane not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.
Snort can act as an IPS. It has been able to do this for a while. It integrates with IPTables and can inline drop/reset connections based on rules.
When I find an attacker getting into my company's network I start pulling my hair out and run around screaming "Aww! Aww! The crackers are taking over my network! Aww! Aww!"
By the way, I just got laid off, does anyone need a Sys Admin?
bro-ids.org
I'd rave more, but bro is watching me and wants me to get back to real work.
Which who command would that be? The one that was on your system originally or the "new and improved" version I just put on there?
BTW nice pr0n collection, your space lego photo series in particular is very kinky.
- Toby
There shouldn't be *anything* incoming that you don't already know about. Dedicated firewalls are a great boon to security. There are several Linux and BSD based distros that are specifically for this purpose. Corporate environments, or those well heeled, have even more options.
A true DMZ is also a good thing to have, separated by another firewall, if you have enough infrastructure to justify an (n)tiered network.
Firewalls aren't the end-all-be-all, but they do make compromises much less likely.
As to other combative techniques, I'm sure there's a way to have a daemon monitor the Snort (or other IDS) log and if you get x connections on y port in x time frame, you can add the IP to your firewall. A daemon to clean up said firewall would be good as well...
EveryDNS. Use it. It works.
AC's need not reply
Are you in the coalition as well? :)
Point of interest. Offering to shoot us might not work so well as an incentive as you might imagine.
I find the most effective solution to be an army of trained monkeys (similar to the trunk monkey (www.trunkmonkey.com)) who monitor my snort alerts and subsequently fling fecal matter at the would be attackers. This may not stop the initial attack, but it generally prevents an attacker from coming back.
I recall that there was a patch for snort that was specifically designed to prevent people from breaking into other systems from a compromised honeypot machine. It did some good stuff like replacing NOP-slides with breakpoints etc. I don't have the URL handy, but this might help you with your intrusion prevention...
I've found IPS (formerly ip audit) in Cisco's IOS, while programmed by monkeys who don't pay much attention to what they're typing, does a pretty good job of cutting off a host of attacks at the router. Of course, it'll only look at what it's configured to watch and only knows about a select number of things -- the more it's told to watch for, the more memory and time it takes.
I have it watching web traffic and it's knocking down just about every script kiddie's IIS probe. (I don't run IIS, btw.)
I think the best way to prevent intrusions is to design a personalized login system (and have the system install updates regularly). Just about everyone uses the same system (username then password), so changing the login program to do something funky is enough to screw up any script. Ex:
Please enter today's date (MM/DD/YY):
Please enter your username:
Please enter a valid email address:
Please enter your password:
Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.
Obviously Norton Internet Security!
Norton Internet Security provides a COMPLETE security solution for your machine by promptly blocking all programs on your machine from having any internet access, AT ALL! Buy it today!
Don't take life so seriously. No one makes it out alive.
IBM Tivoli Risk Manager provides intrusion detection and automated remediation based on correlated input gathered from numerous sensors in your network. These include network intrusion detection systems (NIDS), host IDS, webserver logs, Windows Event Logs, *nix syslogs, firewall events, SNMP traps, and just about any other device, appliance, or application that writes a log event or generates an SNMP message. The correlation engine at the center is smart enough to take hundreds of thousands of individual input events and display or respond to a handful of meaningful alarms. Read on... http://www-306.ibm.com/software/tivoli/products/risk-mgr/
Astaro http://www.astaro.ca/ offers a good all-in-one appliance.
One ring to bind them - should probably have more fiber and less rings in their diet.
Why not start with a real operating system that already comes with both features? VMS (also known as OpenVMS) version 8.2 was released a few months ago and runs on VAX, Alpha and Itanium. You should be able to find a fairly cheap VMS machine at sites like eBay. For hobbyists and educational purposes the VMS license is available at no charge. Have a look at http://www.hp.com/go/openvms/ http://www.openvmshobbyist.com/ http://www.openvmsedu.com/ news:comp.os.vms
Linux, AIDE, IPTables, Snort, tough passwords, and disabling all unused services.
The biggest problem facing anyone looking at implementing an IDS into an existing system is the size of the network.
... :)
:)
If you're doing 500mbit/sec+ of traffic, it requires a somewhat beefy snort box just to process that data let alone do something about anything that looks like an attack.
Snort CAN do it, it just takes a lot of effort to pare down the ruleset to the point where it can handle your traffic. But, paring down the ruleset has some drawbacks.
Or, if you can segregate your network, that can help a lot too. But unfortunately, a lot of networks suffer from a lack of design and you end up with huge VLANs that span thousands of hosts, and other nightmares.
IMHO If you're worried about intrusion, start with host security. If you have a huge farm of linux boxes, then great. Use iptables and keep everything up to date. If you MUST have sun boxes, try not to put them on the edge of your network - NAT specific ports via linux NAT firewalls. Same goes for windows machines. Don't bare them to the internet for any reason.
Have some aggressive ACLs on your border routers. Don't allow SSH into all your machines directly. Use jumphosts. Consider using token based authentication, like SecurID. Consider Kerberos to replace the use of public key auth in your ssh infrastructure.
once you have that down, putting in an IDS can wait
There are a lot of factors when deciding on a solution. How big is the network? What are the throughput requirements? How much money do you have?
We just picked up a couple Juniper Netscreen ISG2000 boxes with IDP blades in them. 2Gb/sec throughput with full IDP implemented in hardware. Granted, those bad boys will set ya back almost as much as a house.
Trained monkeys are overrated. They will have an uprising and retaliate. You must use wild monkeys.
what I'd really like is a network intrusion product that not only detects "bad guys" but also automatically retaliates, i.e. deluges said bad guy with ping floods, winnukes (yes I know, it's old), tries to root the bad guy's box and wipe the hard disk, or install backorifice, etc...
:-)
I reckon if the majority of network admins did that, perhaps intruders would think twice about playing that game. Not to mention the feeling of satisfaction when (if) the intruder's box is trashed in real-time before his eyes.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Just like the best way to prevent pregnancy is abstinence, the best way to prevent intrusion is to eliminate the avenue that they get in. While it is not feasible to simply deny your users access to the internet and email, you can prevent them from installing material which otherwise might cause a hacker to gain remote access. A combination of whitelisting sites and denying certain address blocks from sending you email goes a long way.
In short, comprehensive intrusion detection and prevention is only needed on an open network.
Feed the need: Digitaladdiction.net
What I mean to say is this. Once you have your standard security suite in place (firewalls, ip-chains, standard configs locked down, etc.), all that is left is to simply monitor the activity logs. That is all that CAN be done, since there will always be new security holes found and exploits created. Having a well planned and documented monitoring process involving going through the log files on a daily/constant basis is the best that you can do. Yes, this is a time consuming, arduous, redundant process. There are products out there to help minimize the task, but they can only help to a point. You simply just have to look at the logs being generated from your firewall, routers, and all your local systems. With setting up services that scan the default system configurations and monitor critical file changes, as well as watching your firewall logs, you can catch and stop most attacks as they are occurring, before major damage can be done. But again, most places will not do this because it is time consuming to actually look at all the log files. This is why months pass sometimes before someone finally sees the log which shows a change to the password file which added a new user...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
All you need is the who command.
Ex-fucking-cuse me?
Choosing an operating system, distribution, and version that releases security patches quickly is a key part of preventing an intrusion.
Hoping to be ahead of any security hole at any given time is plain stupid. Why did you reply at all if you have nothing to say?
lol, without reading either of those, my post included monkeys too. Maybe this is a computing trend. Fuck, I am too lazy to find some free polling thingy as my DNS is down.
Of course, it needed some tuning so it wouldn't think that things that should be talking to multiple systems in a short time window don't get blocked...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Why isn't there a 'bad advice' mod category?
How about giving us some details about your application, your network and budget? Are you sysadmin at the corner store or a Fortune 500 multinational? Is your budget $0 or $250k? Are you on a 100 meg ethernet with a DSL or a gigabit core network across the country with 40 egress points to the Internet? Are you likely to be the target of worms, viruses, script kiddies - or highly paid professional hackers trying to break into your network?
There are a multitude of products but your question gives us almost zero context - hence the glut of meaningless answers, like telling you to run a certain distribution or OSS product.
it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions.
Instead of thinking of defense as adding extra code to stop malicious code, think of it as changing the system so that the attack isn't even possible to begin with. Fundamentally a computer system does nothing but allow things; nothing happens without it being made possible via software.
Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.
Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.
http://sourceforge.net/projects/sentrytools/
What more do you need?
Oh well, what the hell...
No security topic generates more spirited debate than intrusion prevention. Deployed on the edge -- and increasingly, deep inside -- the network, IPSes (intrusion prevention systems) purport to identify and stop attacks before they start based on constantly updated threat profiles. In this Point/Counterpoint, we've pitted Marc Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com's security division, TippingPoint, against Martin Roesch, CTO and founder of Sourcefire (and the inventor of Snort). TippingPoint's Willebeek-LeMair is bullish on the supreme effectiveness of his IPS approach; Sourcefire's Roesch positions IPSes, which his company also sells, as just one component of an integrated network defense system. The clash of these two partisans reveals much about the state of network protection and the rivalry between hardware and software security vendors.
http://www.infoworld.com/article/05/05/09/19FEipsids_1.html
www.astaro.com for super easy snort integration via a gui in about 5 minutes. I'm never going back.
http://www.allot.com/
http://www.p-cube.com/indexold.shtml
http://www.toplayer.com/
http://www.arbornetworks.com/
http://www.riverhead.com/
http://www.sonicwall.com/
http://www.fortigate.net/
I use a Juniper IDP, and love it. Then again, I have to, since I work there. :)
Seriously, though, it's a good system - our sigs are for the most part, open-source - you can see how we detect things, and make a copy and twiddle it yourself. Those few that are closed are generally to protect Intellectual Property concerns.
They're a bit spendy for home use, though. I think the cheapest unit is in the $15-17k range.
Some things also not covered in the question, but important issues to raise, are:
1. Ease-of-Use vs. Functionality/Features
2. Performance vs. Security
3. Completeness/Timeliness of Coverage
4. Accuracy
Each IPS vendor has their own angle on these issues, and they're all betting that their angle will be the best - in the end, you as the customer have to decide which of these issues is most important to you, and then find the corresponding vendor.
Juniper has dominant market share, but there are things that other companies do better, but generally at the cost of something we do better at - it's a real mixed bag. See RFC-1925, Section 2, Paragraph 7a for details on this concept.
Juniper IDP is focused on delivering current, feature-rich, accurate detection, generally at the expense of speed and simplicity. Don't get me wrong, though, we're not slugs - our high-end products are currently pushing 2 gig (which in some environments is fast enough). If you want a cheap, 10-gig box with a single "Secure Me" panic button and a single "You Got Owned" idiot light, we're not for you.
I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a honeypot/IPS with blocking capabilities like activescout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.
1: Write your own OS
2: Design a proprietary (revolutionary) TCP/IP stack replacement
3: Install it on two identical machines that you designed and manufactured yourself
4: DO NOT CONNECT THEM!!
5: Watch closely for anyone to come near them.. very, very closely.
/. spaztech
Snort isn't designed as a vulnerability scanner; Nessus is. And don't forget than nmap is pretty useful in the hands of someone who knows what they're doing.
As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out).
there are perfectly good software firewalls for windows. I use BlackIce, personally, but there are other perfectly good ones, not to mention the one built-in to Windows XP sp2.
And most decent cheap home routers provide perfectly usable hardware firewall services as well.
No reason for windows users to claim they don't have solutions available.
I have tested Astaro Linux and Sonicwall. The Sonicwall TZ 150 or 170 is the best SOHO security gateway with IPS, gateway antivirus, gateway antispam, content filtering, email filter, and ViewPoint comprehensive logging application.
ASL is slow and IPS is unreliable (5.2xx). Sonicwall is always fast and small. It's rock solid. I got mine from www.firewalls.com with security suite (1-year subscription to Antivirus, antispyware, IPS signature, Basic content filtering update and support).
I have to say Sonicwall has the best support system. Forget ASL, support also sucks and pricey licensing, damn pricey. Can't believe they use Linux and overcharge us.
Tipping Point is the way to go. I work for a reseller of Tipping Point products and am the lead engineer for TP support in our company. The Tipping Point boxes can go up to 2GB/s throughput, with a 5GB/s box coming soon. Updates are released every few days, with automatic updates available. Tipping Point also provided much of the info used by SANS for compiling their @RISK Vuln report every week. Check those reports out if you never have....
SNORT is an old technology that is for the most part worthless today. What do I care if I notice after the fact that an intruder r00ted one of my boxen? Too late....already 0wned. With Tipping Point inline, the malicious data is stopped before it even hits my firewall. (Yes, TP can be installed outside the firewall...)
http://lcamtuf.coredump.cx/p0f.shtml
"anti-DHCP server"
"Hey, Bob.. maybe it's this new motherboard we put in to the DHCP server that's causing the problems."
Just wait, it'll take out the DNS server next and maybe a mail server, just to show you who's boss.
I am fortunate enough to own a US Robotics 9105 adsl router which runs a busybox mini Linux distro. I wrote some simple C code that watches the snort alert file, and when alerts are triggered it logs into the router and adds iptables rules to filter traffic from the host that triggered the alert. These rules are then automatically removed after a given time period. I could extend this much further if I could be bothered but essentially it does a good job of reducing the noise on my adsl line.
It takes a while to perfect the rules but once done becomes very effective. Naturally I have safeguards against filtering local network hosts and trusted networks.
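The alert-driven blocking that this post and the earlier "daemon monitoring the Snort log" suggestion describe, as an added example that is not the poster's C code: it parses Snort's fast alert format, counts alerts per (source, destination port) in a sliding window, never blocks the local LAN or trusted ranges (the safeguard mentioned above), and expires blocks after a set time. The constructed alert lines and trusted ranges are assumptions; rather than executing iptables or logging into a router, it returns the rule strings so it runs offline.

```python
"""Snort alert watcher with temporary, whitelisted blocks.

Added example, not the poster's code.  Reads Snort 'alert_fast' style lines,
counts alerts per source IP against a destination port inside a sliding
window, and when the threshold is hit emits a block with an expiry.  Trusted
networks are never blocked.  Rules are returned as strings, not executed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort fast alert layout: timestamp, [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumed trusted ranges (local LAN and an RFC1918 block): never block these
TRUSTED = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line, year=2005):
    """Return a dict for one alert line, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")  # fast format omits the year
    return {"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


class BlockManager:
    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=10)):
        self.threshold = threshold      # x alerts ...
        self.window = window            # ... within this time frame ...
        self.block_for = block_for      # ... earn a block of this length
        self.hits = defaultdict(deque)  # (src, dport) -> alert timestamps in window
        self.blocked = {}               # src -> expiry time

    def feed(self, alert):
        """Return an iptables rule string if this alert triggers a block, else None."""
        src, now = alert["src"], alert["ts"]
        if is_trusted(src) or src in self.blocked:
            return None
        q = self.hits[(src, alert["dport"])]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[src] = now + self.block_for
            q.clear()
            return f"iptables -I INPUT -s {src} -j DROP"
        return None

    def expire(self, now):
        """The cleanup daemon: return rules removing blocks whose time has elapsed."""
        rules = []
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                rules.append(f"iptables -D INPUT -s {src} -j DROP")
        return rules


# Constructed sample alerts (not real traffic); the last three come from the trusted LAN
SAMPLE_ALERTS = """\
05/10-14:23:01.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.168.1.5:1434
05/10-14:23:05.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.168.1.6:1434
05/10-14:23:09.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.168.1.7:1434
05/10-14:23:10.000000  [**] [1:1000:1] Scanner probe [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 192.168.1.20:4000 -> 192.168.1.5:80
05/10-14:23:11.000000  [**] [1:1000:1] Scanner probe [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 192.168.1.20:4001 -> 192.168.1.5:80
05/10-14:23:12.000000  [**] [1:1000:1] Scanner probe [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 192.168.1.20:4002 -> 192.168.1.5:80
""".splitlines()


def run(lines, manager=None):
    """Process alert lines; return (block rules, unblock rules 10 minutes after the last alert)."""
    mgr = manager or BlockManager()
    blocks, last = [], None
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        last = alert["ts"]
        rule = mgr.feed(alert)
        if rule:
            blocks.append(rule)
    unblocks = mgr.expire(last + timedelta(minutes=10)) if last else []
    return blocks, unblocks


if __name__ == "__main__":
    blocks, unblocks = run(SAMPLE_ALERTS)
    print("\n".join(blocks + unblocks))
```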
All you need is the who command
Ok, that's just silly. Only the crudest of hacks would show up under who. There are plenty of ways to spawn processes in an attack that would show up under something like ps or top, and not under who.
Not to mention the fact that manually running who or ps is not an intrusion detection system. You want something that monitors activity and at the very least e-mails a sys admin when something strange is happening.
Wait, why am I bothering to respond to this obvious troll?
Got Apathy?
Depends on where you are. Here, $410,000 is the median price for condo.
;)
:)
A house in Montana? A house in Egypt?
C'mon, tell us.. how much do those boxes cost?
```c
/* The poster's joke "IPS" logic, tidied up so it compiles as C:
 * the flags and helper functions are declared, and `elseif` (not valid C)
 * is written as `else if`.  Behaviour is unchanged. */
#include <stdbool.h>

bool intrusion_attempt, still_happening, not_working;

void allsgood(void);
void unplugcable(void);
void findnewjob(void);

void firewall(void) {
    if (still_happening) {
        firewall();
    } else if (not_working) {
        unplugcable();
        findnewjob();
    } else {
        return;
    }
}

void react(void) {
    if (intrusion_attempt) {
        firewall();
    } else {
        allsgood();
    }
}
```
-- Brought to you by Carl's JR
Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.
These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the the content they can scan.
The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.
I'm a big fan of Snort, but it's really not good for the enterprise, especially at the core. It's a decent backup or sensor on the cheap near the edge. Multiple sensor management and speed really limit Snort's usefulness.
I've seen plenty of appliances out there. Some of your options depend on what kind of equipment you're already running. As far as "best choice", you really should factor in what you already have- if you have Cisco modular equipment at your core or distribution layer, maybe going with the Cisco IDS blade will make more sense than getting a Proventia. Do you have Juniper firewalls? They make an IDS blade that fits in their ISG series.
That being said, I've worked with Cisco IDS and SecureAgent. SA's a real beast- you can expect to spend a long time getting up to speed with it. I've had problems managing the blades themselves- they're basically little RedHat boxes on a blade that plugs into the backplane. CiscoWorks makes it relatively easy to manage but I had a *lot* of problems pushing updates and management info to them, and configuring your modular chassis with the right VLAN stuff can be a bitch unless you're good with Cisco equipment. One issue I hope they fixed was that their email notification sucked and they had to provide a PERL script to generate a useful email alert.
I like Juniper's IDP stuff. Their appliances come with copper and fibre cards and are a snap to set up. You can set them in pass-through mode and place them inline between your routers and switches, or just mirror/tap the trunk port. In inline mode you get the ability to send hard RSTs to both endpoints of an attack. The management software is pretty intuitive and the dashboard gives you a very good "at a glance" view. They top out at about 500Mbps/sec so if you're pushing great gobs of data, they might not be sufficient.
I've played around a bit with ISS' Proventia stuff- their appliances are OK, and I think their desktop stuff needs one more development cycle to be good. SiteProtector is decent, but it too needs a little more development in the UI area. The desktop agents are a lot easier to manage than Cisco's SecureAgent.
Clearly, you don't pay much attention to the glossy ads in Infoworld and CIO magazine. FUD marketing out the wazoo for exactly these types of devices.
This is actually a very hard problem to solve. I've written quite a bit on the subject, but I'll attempt to provide a few quick helpful points.
If you have some form of perimeter security, it becomes easier, but still very resource-intensive (both technology resources and human resources). I'm assuming that you're not at a university, or some other type of organization that has a wide open network, because if you were, you wouldn't care.
For a good list of fun tools, look here: http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
But beyond the rinky-dink stuff, at the most basic level, you want to make two choices right up front:
How important is the real-time interdiction to you?
Do you want signature-based tools, anomaly-based tools, or both?
If you would be content with a good system that doesn't have the ability to mitigate threats in real-time, then that widens your possible solution space quite a bit. In this area, you definitely get what you pay for. FOSS tools that have this capability are way behind commercial tools in ease of maintenance, configuration, and how many types of attacks they work against. So that requirement limits your options considerably.
A similar situation exists when we look at the detection method, signature vs. anomaly. Signature-based systems are a dime a dozen, but they don't cover the really dangerous stuff. Anomaly-based systems are somewhat more useful against the scarier threats, but no FOSS solution comes anywhere close to the commercial offerings. If you choose a FOSS alternative for an anomaly-based IDS/IPS, you will spend so much effort tuning and maintaining that you won't have any time left to respond to issues, and you will still not get adequate results.
I should point out that you have also limited yourself by considering only NIDS/IPS systems. The proper bundle of technologies and tools could give you the real intelligence that you need, whether or not it included NIDS/IPS. Other classes of tools, like SIMS, accounting systems, or deception environments have their uses too.
There are plenty of other aspects to consider, but that would take pages to discuss. All of this could be moot depending on your traffic loads, user demographics, platform constituency, infrastructure design, org chart, geographic distribution, existing IT policies, etc. etc. etc. There's just no universal solution.
When looking for a decent IPS/IDS/NBAD solution, I would suggest sorting it into the following highlights, or main features if I may:
Now, after these main issues have been solved, one can start adding additional features to the solution, and may even consider self-defending networks or similar.
But all in all - with a link to firewalls and or with IPS functionality with switches, having the ability to define what's network critical and should never be blocked, and what's not is not just a good idea, it could save you a few phone calls asking where the domain controller went.
My two cents.
A lot of people are trying to come up with data mining tools for intrusion detection. Just check out all the forward links to this paper from citeseer. The problem is that they are currently reliable as bad motion detectors ... too many false positives. Which makes them useless.
You need to develop a strategy that includes network monitoring, penetration testing, and watching the security lists or sites.
For a network monitor, Nagios (http://www.nagios.org/) is popular, but I like Mon (http://www.kernel.org/pub/software/admin/mon), because of its simplicity.
Once you start watching, you realize that you get attacked so much that you quickly scale back the sensitivity. In the end, the monitor becomes a forensics tool, or a way of verifying that it's not an attack that's causing whatever problem you're having.
Acquire skill with Nmap (http://insecure.org/). Learn how to know what the bad guys know about you. Google yourself and your network, to see what dangerous information is out there about you and your network. Try to render that information obsolete.
Read up at http://sans.org/ or maybe a CERT advisory list.
You can spend minimal time on any of this or all of your waking hours.
But it's great getting paged that a server is offline before anyone else (like the client) knows about it.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
You'll probably want to look into the Internet Security Systems products for IDS and IPS.
RealSecure Network Sensor and the Proventia A appliance are passive IDS.
The Proventia G is a transparent inline IPS.
The Proventia M is an inline firewall with IPS built-in, along with lots of other modules.
Check out http://www.iss.net/
--
Rob
I have developed an open-source IDS load balancer. I'm putting the final touches on the HOWTO; expect it in the next few weeks. It can scale to multi-gbps! We use it in our DCs.
I work for a security firm that resells just about everything under the sun, and the two I like the best are McAfee's IntruShield and Juniper's IDP.
Both have a fairly intuitive interface, but I like Juniper's interface better. The Juniper interface works like a firewall, where you create policies linked to attacks, and choose whether or not to allow them to pass. Updates come out weekly or whenever something major comes out. However, their interface is not web based, so you need to run a client on either a Windows or Linux machine. And, as far as I know, they still have not released their hardware accelerated version yet, so you are limited to monitoring something like a couple hundred megs/sec.
McAfee's solution requires a console box to control all of the devices. The interface is web based, and it feels bloated and slow because of all of the java they are using. However, once you get the hang of it, it's fairly easy to configure and use. The McAfee solution feels more like a purpose built device, and until Juniper releases the blade for the ISG2000 or the hardware accelerated device, the McAfee device is what I'm going to go with. McAfee has several different models, their smallest costs $15k and will monitor something like 200Mbit/sec of traffic. Their largest does 2 or 4 gig.
I've used stuff from ISS also, and it sucks to configure and get running. It's complicated, and feels bloated. I've played with just about everything else on the market, and nothing really compares to the McAfee and Juniper solutions.
However, Top Layer came in and did a presentation recently, and their stuff looks awesome. However, I haven't had a chance to play with it yet, and word on the street is that it's about 2-3 times more moola than anyone else's.
Need Free Juniper/NetScreen Support? JuniperForum
The problem with using snort for intrusion detection is that it has a long history of nasty vulnerabilities. If you decide to use snort near any system that you care about, ISOLATE IT!
In other words, I'd separate snort from any production server(s) AND the firewall machine(s). Place it in a separate DMZ from your public machines. Script so that snort's conclusions are sent thru the DMZ firewall, to another system that formulates the iptables/ipfw/pf mods.
So that, if the snort analysis machine becomes 0wn3d or compromised, it will at least have only one connection to another machine, through a firewall that only allows snort's conclusions to be forwarded, and that's it.
I start my new job here on Monday. You can help keep me employed by buying one of these:
http://www.tippingpoint.com/
... how does your network react to those intrusions?
but my network immediately electrocutes the intruder.
The higher the technology, the sharper that two-edged sword.
There are several choices out there. The one I typically like to install is the Checkpoint Interspect. It does a lot of the nice IDS logging and analysis, while also being able to stop the attacks as they occur. Instead of sitting on a span port, it is an actual gig capable bridge. Most people deploy them between lan segments and core switchs to prevent worms from spreading accross their lan. ISS also has the RealSecure products, along with the Proventia line of appliances. Check them out.
God, Root, What's the difference?
When it comes to a complex software product with a thousand and nine knobs, what you should really be looking for is not an open source solution (regardless of how great it is) but a dedicated support team and ease of use. Yet, there are too many vendors who slam snort onto appliances, put a company logo on the front, provide a cool web interface and sell it to you for more than it's worth, while they can only be as fast as snort (maybe 6 months behind in the best case) in adapting to new security threats.
Given this, you should go for one of the thriving proprietary solutions (Juniper/McAfee/Tipping Point/Cisco). Proprietary is not necessarily bad, especially when support matters a lot.
Smack me and I'll smack ya back!
The only problem is: 'When good Self-Defending Firewalls go bad', ya know.
the only permanence in existence, is the impermanence of existence.
I think everyone's stumped, the defenders keep bolting down the furniture, chaining up the TV and generally fastening down all these individual objects.
What's needed is a BOUNCER.
Lock the damn door [doggie door too].
I'M WITH THE BAND! shouldn't get them backstage.
Stamp their hand at the entrance and watch them so they don't try to feel up your sister.
You get the idea.
These guys have a handle on this approach, I only wish I had enough money to get it.
Hell, I'd even buy a wintel box to run the damn thing (and that's drastic)
http://www.forescout.com/activescout.html
~hylas
Here is a solution that I've seen around:
Script monitors ports, ips, etc and baselines their activity. If the threshold for activity is exceeded the port,ip is blocked and an email is sent with an unblock link for the admin. Merging an IDS log into a script like that should be straight forward.
-=[ Who Is John Galt? ]=-
You can have the best software in the world, but it means little if you don't have the manpower to monitor it. A major challenge of small to medium-sized companies is that they don't have the resources to take on a community of hackers that never sleeps. If you're serious about protecting your network but don't have a dedicated IT Security staff that works 24x7, look at complementing whatever you choose with a security service like SecurePipe. And no, I don't work for them, but I've seen their work. Good luck!
First post!
:)
I'm using IPtables and am blocking IP addresses that I see have tried something stupid. But that is after they've tried.. Prevention.. hmm, seems like a good idea
Instead of screwing around with the authentication protocols, approach the problem by restricting its use.
:)
Including a significant delay in any authentication system seriously reduces the effectiveness of bruteforce attacks. The delay is only noticed once by regular users and although it might be a headache for those that forget their passwords, an attacker would have to be very patient.
Another approach is to limit the number of login attempts per connection.
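The two controls described in the post above (a fixed delay before every password check, and a cap on failed attempts per connection) combined in one small login handler, as an added example rather than the poster's code. The clock is injected so the delay is simulated instead of slept, and the user table is constructed (an unsalted SHA-256 digest stands in for whatever password store the real system uses):

```python
"""Login throttling: a per-attempt delay plus a per-connection attempt cap.

Added example; the FakeClock stands in for time.sleep()/time.monotonic()
so the delays are counted rather than actually waited for.
"""
import hashlib
import hmac

# Digest compared against for unknown usernames, so the timing of the
# comparison does not reveal which accounts exist (constructed value).
DUMMY_DIGEST = hashlib.sha256(b"no such user").hexdigest()


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class ThrottledAuthenticator:
    def __init__(self, users, clock, delay=2.0, max_attempts=3):
        self.users = users          # username -> sha256(password); constructed, no salt/KDF
        self.clock = clock
        self.delay = delay          # seconds paid on every attempt, success or failure
        self.max_attempts = max_attempts
        self.failures = {}          # connection id -> failed attempts so far
        self.closed = set()         # connections that hit the cap

    def attempt(self, conn_id, username, password):
        if conn_id in self.closed:
            return "closed"
        # A legitimate user notices the delay once; a guesser pays it per guess.
        self.clock.sleep(self.delay)
        expected = self.users.get(username, DUMMY_DIGEST)
        supplied = hashlib.sha256(password.encode()).hexdigest()
        match = hmac.compare_digest(expected, supplied)   # constant-time compare
        if match and username in self.users:
            self.failures.pop(conn_id, None)
            return "ok"
        n = self.failures.get(conn_id, 0) + 1
        self.failures[conn_id] = n
        if n >= self.max_attempts:
            self.closed.add(conn_id)
            return "closed"
        return "bad-password"


def demo():
    """Constructed scenario: three guesses on one connection, then a valid login."""
    clock = FakeClock()
    auth = ThrottledAuthenticator(
        {"alice": hashlib.sha256(b"correct horse").hexdigest()}, clock)
    results = []
    for guess in ["password", "123456", "letmein", "correct horse"]:
        results.append(auth.attempt("conn-1", "alice", guess))
    # A fresh connection with the right password still works, after one delay.
    results.append(auth.attempt("conn-2", "alice", "correct horse"))
    return results, clock.now


if __name__ == "__main__":
    print(demo())
```

The third failure closes the connection before the fourth guess is even checked, and the elapsed simulated time shows that every guess on the first connection cost the full delay while the legitimate login on the second paid it once.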
Your example may require its users to remember multiple 'passwords' (what constitutes a "valid email address" in your writeup?) and may also inadvertently cause problems (questions like "what time/day is it?" have formatting issues and answers may vary due to geography or local environment).
These extra questions require known correct responses, and perhaps database management (that "valid email address" type of question again). More overhead than is necessary IMO since the more complicated the result, the more likely errors will be introduced each step of the way.
That is, unless the point was just to make the users jump through hoops - but I'm guessing that wasn't the intended goal.
This is not my sig.
Well, you can always pipe your firewall log into Festival and make it talk to you...
tail -f /var/log/messages | festival --tts
Oh well, what the hell...
Watching netflow data is definitely the best way to watch for DDoS. IDSs aren't well geared for the task.
Check out Cisco's DDoS appliances (formerly Riverhead Guard/Detector) if you need a stout DDoS appliance. They go above and beyond basic netflow analysis (ala Arbor). To that point, the Guards + Arbor are a killer combo.
Try this...
http://hogwash.sourceforge.net/oldindex.html
AirSnare is a useful tool for detecting "unfriendly" MAC addresses (any MAC addresses that you have not specified as "friendly").
It can be set to email the admin in cases of unauthorized access, and it works in conjunction with Ethereal and AirHorn as well.
Oh, and it's free (as in beer).
I have become increasingly impressed with the use of 802.1x for authentication of equipment on hardwired systems. Physical port security, I think, is still one of the big issues with most networks. While most NT networks will not allow a computer to utilize network resources if it does not authenticate to the domain, many networks will still allow a computer brought in off the street and plugged into a port formerly occupied by an authorized machine, and the DHCP server will happily hand over an IP address to use for internet connectivity. I know that basic port security can be configured, but most times it is far too much of an administrative burden to be used. 802.1x, however, shuts off access at the switch port, no matter where on a network the machine is plugged in, until authentication information is confirmed with a domain controller, for instance. Only the 802.1x authentication protocol can be transmitted. An ideal solution would be to have some type of automated IDS detect a trend and have it automatically suspend switch port access until it can be looked at.
This probably wraps up what various people have said in other ways, but I'll say it again. (And I'm being general on purpose -- I'm not trying to make specific recommendations.) The real answer here is a Defense In Depth security policy.
To truly protect your system(s), you need to do many different things, including keeping the system updated, educating users, using a NAT, installing an IDS, and much more. That said, an IDS is probably one of the last things you should worry about: get your "basics" right first.
~i = an imaginary being~
I have to admit that I'm just not a big IDS/IPS fan. FAR too few people have the time (at least in my experience) to use them well. It doesn't matter what the product is.
What is generally lacking is a policy (which, sadly, security is mostly about) and a concrete idea of what to do when an 'attack' is detected.
And people then buy an expensive new IDS, or spend time to implement one, or whatever. Think it's exciting for a while. And then I come back 3 months later and it's turned off in the corner.
And in the meantime people aren't exploiting the information they already have. Not just the bandwidth graphs but firewall logs, system logs, etc. I personally would recommend finding an event correlation system (anyone know of a good open source one?) along the lines of Netforensics or the former Protego and implementing /that/. And then seeing if an IDS is of any additional use.
IPS -- I haven't had enough personal experience with an in-line IDS to make even a remotely intelligent comment. I like the idea of such a platform but it (as MJR frequently points out) falls foul of being an 'allow everything not specifically denied' platform and thus limited. This is not an outright condemnation, since otherwise you run into best being the enemy of good, but it's something to be considered...
there are perfectly good software firewalls for windows. I use BlackIce, personally, but there are other perfectly good ones, not to mention the one built-in to Windows XP sp2.
Hehhehheh!!! Mod parent funny!
[wiping tears from eyes]
Anyone out there using HANK?
Signature or behavior based IPS systems are pretty useless against new code based attacks. It is better to harden the systems the code is running on. Implement the NIAP configuration guides http://niap.nist.gov/config_guide.html and use a host based solution like Securecore or Solidcore. Sana Entercept is also useful for an added layer of protection.
Covelight
... good for me! We use it ... if they were bigger, maybe I'd have to wait for product?
wish they had better marketing, though, it's a well-kept secret
Maybe I should have kept my mouth shut.
Solutions that require continuous monitoring (like mrtg or rrdtool) may be too slow to respond to modern DOS attacks a.k.a botnets and worms. Some interesting solutions are out there that try to anticipate/understand attacks based on traffic patterns ... and try to mitigate them.
I can think of a couple like RiverHead Networks (now cisco) and netZentry
We have been looking for a good solution as well. Snort might work in our case. We have a lot of password hacks for our content since we run more adult type sites. We have used proxy pass software to deter password sharing, leaks, or proxy attacks. But as far as the script kiddies, you never know what they are up to, and they prob are watching the boards for the latest hacks and using google to find unsuspecting webmasters and prey on them. I would also like to hear about other options from sw to hardware for any type of intrusion detection.. Is there anyone with a nice gui system?
Pocket Girls. Mobile Adult Mini Mags for your Phone.
Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.
Sourcefire (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.
They're cheap, they're easy to obtain, you don't need expensive upgrades every time a new threat comes out. Just cut the cable and watch the hacking attempts falter.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I use a combo of HIDS (host-based) and NIDS (network-based) to detect malicious activity. Our core switches (Cisco 6509s) each have an IDSM blade that pops right in. Cisco VMS for the management interface is pretty crappy. Servers get Cisco HIDS just to make sure nothing fishy is going down.
Check out Q1Labs. (Disclaimer: I'm an employee)
how about an appliance that doesn't use sigs or behavior anomalies (both are fallible). does anyone know of anything that looks at pre-attack behavior? i.e. network recon?
Just remember, your NIDS is only as good as the amount of clue that it has to admin it. No matter what the Snort purists say, Snort doesn't cut it, period. We've done a bake-off on all the NIDS packages here at my company and found that the two worst performers were Snort and NFR. True, it does depend on your application and the size of your company, but it's I/O and false positives that really matter. Enterasys Dragon is the only IDS that cuts the mustard in terms of performance, up-to-date signatures, and low false positives. Expensive but worth the money. All of the sys/network admin people here have the clue and knowledge to write filters for Snort, but honestly who wants to waste the time doing it. This was a big debate when we decided to deploy a NIDS, with the admin people against Snort and the suits for it. In the end the admins won out because we were able to show the suits that more money will be spent^H^H^H^Hwasted writing and fine tuning Snort filters than if we bought a commercial product. There are more important fish to fry. On the host end we use Sygate Personal Firewall Pro (better volume discounting is always a good thing :D). If you don't believe me ask the IDS guru himself, SN, which NIDS he would go into battle with. He'll tell you Dragon without any hesitation.
In order for traffic to get through the outside interface of the inner firewall OR the inside interface of the outer firewall, there needs to be some sort of authentication or other interaction. It need only happen at the start of sessions, but all of this assumes there is something there.
All firewalls, on the interface pointing to the middle section, default to blocking ALL traffic from ALL IP addresses, other than that of the authentication server and NIDS device, although NEITHER server can reach other networks - they may only talk to the firewalls.
Once a stream authenticates with the authentication server, the authentication server notifies the firewall to allow that IP/port combination and ALSO notifies the NIDS that it is to stop monitoring that IP/port combination.
In the event of the NIDS detecting ANY actual conversation between two machines that is NOT on its list of authorized connections AND is not an authorization request, it can know that it is an intrusion involving the compromise of one of the firewalls. It then notifies the OTHER firewall to shut down that conversation.
Because the NIDS isn't in-line, there is no latency once the conversation has been approved. Because there is an enforced delay at the start, the NIDS has time to verify that the connection is not an intrusion attempt.
What if someone tries to compromise the authentication server? Well, then it is an unauthorized conversation that is not an authentication request, so will get blocked.
What if someone tries to compromise the NIDS server? Well, because the NIDS server needs to only talk to the two firewalls and the authentication server, AND because communication is going to be very limited, you can use strong encryption and digital certificates to ensure nobody else can connect to the NIDS system. Everything else can be harvested by passive monitoring.
Is this fool-proof? Probably not, fools are just so ingenious. On the other hand, it would probably be good enough to block the bulk of scans, firewall exploits and other such stuff. Breaking one firewall would not be enough, and by the time you detected the other, you'd be locked out.
This kind of portcullis arrangement is not going to be perfect, but is going to be a lot better than having a single firewall and a copy of Snort running.
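The portcullis design above, written out as a small simulation so the decision logic can be checked. This is an added example modelling the post's description, not code from the poster: the addresses are constructed, the middle-facing firewall interfaces default-deny except for traffic from the auth server and NIDS and for authentication requests, and "the OTHER firewall" is interpreted as the firewall the unapproved flow has not yet crossed (the packet was seen on the middle segment, so the firewall it came through is the suspect one).

```python
"""Two-firewall "portcullis" with an authentication server and a passive NIDS.

Added example modelling the thread post; all addresses are constructed.
"""
from dataclasses import dataclass

AUTH_IP, AUTH_PORT = "198.51.100.2", 4443   # auth server on the middle segment
NIDS_IP = "198.51.100.3"                    # passive sensor on the middle segment


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


class Firewall:
    """Middle-facing interface: default deny, except the two trusted servers."""

    def __init__(self, name):
        self.name = name
        self.allowed = set()   # flows the auth server opened
        self.killed = set()    # flows the NIDS ordered shut

    def permits(self, flow):
        if flow in self.killed:
            return False
        if flow.src in (AUTH_IP, NIDS_IP):                 # the servers may talk to us
            return True
        if flow.dst == AUTH_IP and flow.dport == AUTH_PORT:  # authentication requests
            return True
        return flow in self.allowed


class NIDS:
    """Sees every conversation on the middle segment; holds the approved list."""

    def __init__(self, outer, inner):
        self.outer, self.inner = outer, inner
        self.authorized = set()
        self.log = []

    def observe(self, flow, came_via):
        """came_via is the firewall this packet crossed to reach the middle segment."""
        if flow.dst == AUTH_IP and flow.dport == AUTH_PORT:
            verdict = "auth-request"
        elif flow in self.authorized:
            verdict = "authorized"          # "stop monitoring that IP/port combination"
        else:
            # Not approved and not an auth request: the firewall it crossed must have
            # let it through, so the other firewall is told to shut the conversation.
            other = self.inner if came_via is self.outer else self.outer
            other.killed.add(flow)
            verdict = "intrusion"
        self.log.append((flow, verdict))
        return verdict


class AuthServer:
    def __init__(self, credentials, firewalls, nids):
        self.credentials = credentials   # token -> flow it may open (constructed)
        self.firewalls = firewalls
        self.nids = nids

    def request(self, token):
        flow = self.credentials.get(token)
        if flow is None:
            return False
        for fw in self.firewalls:        # open the IP/port on both firewalls ...
            fw.allowed.add(flow)
        self.nids.authorized.add(flow)   # ... and tell the NIDS it is approved
        return True


def run_scenario():
    """Constructed walk-through of the four cases discussed in the post."""
    outer, inner = Firewall("outer"), Firewall("inner")
    nids = NIDS(outer, inner)
    wanted = Flow("203.0.113.5", "10.0.0.5", 443)
    auth = AuthServer({"tok-alice": wanted}, [outer, inner], nids)
    results = []
    # 1. The client talks to the auth server first; that is always permitted.
    results.append(nids.observe(Flow("203.0.113.5", AUTH_IP, AUTH_PORT), came_via=outer))
    auth.request("tok-alice")
    # 2. The approved flow now passes both firewalls and the NIDS leaves it alone.
    results.append(nids.observe(wanted, came_via=outer))
    results.append(outer.permits(wanted) and inner.permits(wanted))
    # 3. An unapproved flow appears on the middle segment having crossed the outer
    #    firewall: that firewall is suspect, so the inner one shuts the flow.
    rogue = Flow("203.0.113.9", "10.0.0.5", 22)
    results.append(nids.observe(rogue, came_via=outer))
    results.append(inner.permits(rogue))
    # 4. A non-auth connection aimed at the auth server itself is neither on the
    #    approved list nor an auth request, so it is blocked and flagged the same way.
    ssh_to_auth = Flow("203.0.113.9", AUTH_IP, 22)
    results.append(outer.permits(ssh_to_auth))
    results.append(nids.observe(ssh_to_auth, came_via=outer))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Step 3 is the property the post relies on: a single compromised firewall is not enough, because the NIDS only needs to see the unapproved conversation once to have the other firewall drop it.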
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
As far as securing a *nix system, I usually put it behind a good firewall router. I have used MonoWall at work. I also hear that PF is becoming very hot (check out pfsense). That will cut down on your DOS attacks.
Other than scripting the hell out of the Snort logs... just stay updated, make sure you are running your services securely, and don't piss anyone off. If they are good enough... they can get past almost anything you set up no matter what.
Tipping Point
Snort/NEVO sensors on inside and outside internet interfaces, and other strategic areas.
Snort DB server with BASE
Tenable Lightning and Thunder Console.
Long Term SYSLOG server for syslog producing equipment.
These will pretty much cover you at this particular angle.
Most cell phone companies provide an smtp-to-txt gateway. Alter your login scripts so that you get sent a txt whenever anyone logs into your system. If you're the only one logging in, you'll know about any intrusion that involves execution of the login scripts.
NFR has a new version coming out pretty soon. NFR is interesting in that the signatures can be pretty rich because they are written in a procedural language. That means that in addition to traditional intrusion detection/prevention, you can use the signatures for network monitoring tasks that go beyond simple fixed signatures.
It's got a Java interface that looks pretty cool.
I attended USENIX '05 out in Anaheim, CA this year. One of the training sessions was lead by Richard Bejtlich who is one of the co-authors of a tool called sguil. When I got back from the conference I started playing around with sguil and discovered that it is one of the most awesome network security tools ever! It combines all of the information that I need when investigating a network security incident all in one place.
Doesn't use signatures, doesn't produce false positives. Combine anomaly-detection technology with an information source like NetFlow, and you have a scalable and flexible detection system.
Forescout works great for me. It has no false positives, is very quiet, flexible and easy to manage IPS.
I use Snort + Swatch. Of all the attacks detected by Snort, I only care about a few that may compromise my system, like the SSH password scans and POP/IMAP/SMTP attacks. Swatch is tailing /var/log/snort/alert and, if an attack is detected 3 times or more in 30 seconds coming from the same IP, I block the IP with iptables. Once a week I rerun my firewall script to cleanup the swatch generated rules.
If I had time I would improve this in two ways:
- To have an e-mail sent to me if the same IP attacks the system again after being blocked for a few days.
- To clean the swatch generated rules by age, and not once a week via cron as I do now.
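An alert correlator in the spirit of the Snort + Swatch setup above (and of the baseline-and-block script mentioned earlier in the thread), including the two improvements the poster wished for: blocks expire by age rather than through a weekly cron run, and a source that earns a second block after its first expired is flagged for an e-mail to the admin. This is an added example, not the poster's scripts; the alert lines are constructed in the layout of Snort's "fast" alert output with a local rule ID, the year is assumed since that format carries none, and iptables_rule() only builds the command string rather than running it.

```python
"""Sliding-window correlation of Snort alerts per source IP.

Added example; SAMPLE_ALERTS are constructed lines, not a real capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # third alert within the window triggers a block
WINDOW = timedelta(seconds=30)
BLOCK_TTL = timedelta(days=3)    # "blocked for a few days"

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def parse_ts(text, year=2005):
    """The fast format has no year; the year is an assumption."""
    return datetime.strptime(text, "%m/%d-%H:%M:%S").replace(year=year)


def iptables_rule(ip):
    return f"iptables -I INPUT -s {ip} -j DROP"


class Correlator:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> alert times inside the window
        self.blocked = {}                 # src -> time the block expires
        self.seen_before = set()          # sources blocked at least once
        self.actions = []                 # (time, "block"|"unblock"|"notify", src)

    def expire(self, now):
        """Age-based cleanup, replacing the weekly firewall-script rerun."""
        for src in [s for s, until in self.blocked.items() if now >= until]:
            del self.blocked[src]
            self.actions.append((now, "unblock", src))

    def observe(self, ts, src):
        if src in self.blocked:
            return                        # DROP rule already in place
        times = self.recent[src]
        times.append(ts)
        while ts - times[0] > WINDOW:     # slide the window forward
            times.popleft()
        if len(times) >= THRESHOLD:
            self.blocked[src] = ts + BLOCK_TTL
            self.actions.append((ts, "block", src))
            if src in self.seen_before:   # back after a block expired: tell the admin
                self.actions.append((ts, "notify", src))
            self.seen_before.add(src)
            times.clear()


def process(lines):
    c = Correlator()
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        c.expire(ts)
        c.observe(ts, m.group("src"))
    return c


def _alert(ts, msg, src, sport, dport):
    """Build one constructed fast-format line (local rule ID 1000001, destination 192.0.2.10)."""
    return (f"{ts}.000001  [**] [1:1000001:1] {msg} [**] [Classification: Attempted "
            f"Information Leak] [Priority: 2] {{TCP}} {src}:{sport} -> 192.0.2.10:{dport}")


SAMPLE_ALERTS = [  # constructed: one scanner returns four days after its block expires
    _alert("10/25-14:03:12", "LOCAL SSH password scan", "203.0.113.5", 41234, 22),
    _alert("10/25-14:03:20", "LOCAL SSH password scan", "203.0.113.5", 41235, 22),
    _alert("10/25-14:03:35", "LOCAL SSH password scan", "203.0.113.5", 41236, 22),
    _alert("10/25-14:10:00", "LOCAL POP3 login failure", "198.51.100.7", 5000, 110),
    _alert("10/25-14:11:00", "LOCAL POP3 login failure", "198.51.100.7", 5001, 110),
    _alert("10/29-09:00:00", "LOCAL SSH password scan", "203.0.113.5", 50001, 22),
    _alert("10/29-09:00:05", "LOCAL SSH password scan", "203.0.113.5", 50002, 22),
    _alert("10/29-09:00:10", "LOCAL SSH password scan", "203.0.113.5", 50003, 22),
]

if __name__ == "__main__":
    c = process(SAMPLE_ALERTS)
    for when, action, src in c.actions:
        print(when, action, src, iptables_rule(src) if action == "block" else "")
```

The second source never reaches the threshold because its two alerts are a minute apart, so the window slides past the first one; the first source is blocked, released by age, and blocked again with a notification the second time.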
IDS (Intrusion Detection Systems) are all fine. Snort is in my opinion the best system around. The difficult part is the overview over the whole network. You can set up Snort at your border gateways to collect all the attacks, but in my experience you'll not pay attention to the alerts after a while (half a year). There are just too many alerts every day.
The best solution you can get so far is a product which was called "Demarc PureSecure" not long ago. It is based on Snort, does file integrity checks and monitors all your services, disk space, CPU and a lot more.
The cool thing about that solution is the web-based centralized management console. You can update the (Snort) rule-sets at once, and have a look at all the attacks on your network in a browser window. It's the most sophisticated and most underestimated system around. Just have a look:
Demarc
Most of the commercial IDSs are based on snort, but the Demarc stuff is what you need for larger networks.
Disclaimer: I don't have anything to do with the company behind Demarc, but I know that this solution is pretty unknown to most of the admins out there.
Enterasys Netsight policy manager with Dragon Intrusion detection system is by far the best I've worked with so far.
A state government customer of mine has a mixed hardware network (cisco, nortel, ETS, HP) and runs Netsight and Dragons. They hired a reputable firm to run through an "ethical hacking" session to test network security.
It was pretty amazing to watch the network get automatically reconfigured as 5000 differing attacks were launched. Not one was successful...
Far better than anything Cisco offers IMHO.
Their Sentry product will do in-line detection with practically no latency.
http://www.cymtec.com/pages/propagation/features.html
I set up my scripts so I am emailed ONLY on new activity not seen before. So I find ways to silence minor attacks/alerts which does not interest me in conjunction with finding automatic ways to react on attempts.
I can recommend this setup:
Enough is said about this. Absolutely needed, but useless without intervention. Oinkmaster is nice to use for automatic downloading of new rules.
Perl script for iptables/ipchains. Fast and easy to set up, however any decent firewall will do. Narc allows for user-customization/hacking, which is a plus for those who want to learn ipchains/iptables and do more advanced stuff than a GUI can offer. I like to fiddle with the rules myself for outgoing packets, which very few firewalls support. It's nice to know your computer is not sending out traffic you don't know about. By blocking everything outgoing by default, I will catch stuff in the logs and adjust the rules when I know what it is (not recommended while in production).
Blocks hosts temporarily and permanently based on SSH logs, snort alerts and firewall logs. Nice and easy to extend even if you don't know perl, but have patience to test a lot. The maintainer is cool about accepting patches. Yes, you need a list of hosts to never block, and yes, a dedicated cracker can spoof IP addresses to DOS you. However, I'll deal with that when somebody does just that. It depends how important your service is, I guess.
I set up Samhain to email me of EVERY change in the root filesystem. However, I run Samhain with the silent option just after every upgrade at night. So upgrades are done automatically and silently without alerting me (Debian Stable - Sarge).
It's in the Debian-tree. Can't hurt to use more than one checker. This one is less spammy than Samhain and checks for other kinds of signatures in the system.
This might seem much, but I consider it a bare minimum for an install I'm not going to watch over continuously. Running Linux doesn't make you secure, and even with all this, I know I'm still vulnerable to:
A) Crackers hacking over time. Little by little they may do a portscan and find out enough to do a:
B) Full-scale successful attack. Reactive firewalls just won't stop it, and then you're cracked.
C) DOS. Automatic blocking based on IP and DSL-connection is just not enough to stop DOS and DDOS.
However, with a hardware firewall in front, I feel a bit more secure..
One interesting project is a firewall based on snort: Hogwash. The project is in need of maintainers though. However the idea is cool: To block based on snort-alerts in real-time. This can actually be useful to block intrusions before they can do harm other than DDOSing. I for one will accept the increase in latency if it means my network is that much more secure. I really hope this one will take off one day.
http://www.debunkingskeptics.com/
You can try with aide , which is an opensource replacement for Tripwire.
Aide takes an MD5/SHA1 snapshot of your relevant files and stores it for later comparison in order to detect modifications.
Also, keep in mind that you should take proper measures to avoid tampering with the aide tool itself (otherwise, it will be useless). For example, you could keep your aide binary, configuration and database files in a read-only media (like a CD/DVD-ROM).
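A minimal integrity checker of the kind the post describes: snapshot the digest, size and permission bits of every file under a directory, compare a later snapshot against the baseline, and report what was added, removed or modified. It is an added example and not AIDE's or Tripwire's code; it uses SHA-256 where the post mentions MD5/SHA1, and the demo builds its files in a temporary directory (constructed contents) so it runs offline. The db_digest() function illustrates the post's last point from the other direction: if the database can be altered on the box, a digest of the sealed database kept elsewhere (or the database itself on read-only media) is what reveals the tampering.

```python
"""File-integrity snapshot and comparison. Added example, not AIDE's code."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Digest, size and permission bits of every regular file under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, etc.
                continue
            db[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return db


def compare(baseline, current):
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def db_digest(db):
    """Digest of the serialized database, to be recorded off the monitored host."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, then one file replaced, one added, one removed."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login binary\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline = snapshot(root)
        sealed = db_digest(baseline)          # what you would keep off-box

        _write(root, "bin/login", b"replaced login binary\n")     # modified
        _write(root, "etc/ld.so.preload", b"/lib/unexpected.so\n")  # added
        os.remove(os.path.join(root, "etc/motd"))                  # removed
        current = snapshot(root)
        report = compare(baseline, current)

        # If the database on the box were rewritten to match the replaced file,
        # compare() would stay silent; the sealed digest still shows the change.
        forged = dict(baseline)
        forged["bin/login"] = current["bin/login"]
        report["db_tampered"] = db_digest(forged) != sealed
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Mode bits are part of the record, so a file whose content is unchanged but which has been made setuid or world-writable also shows up as modified.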
What you need to do is to make it virtually impossible to compromise your system and the data. Keep in mind that most problems do not arise from outside the network, but from within. So your basic concern should be: Can I prevent things happening? Not entirely, but you can secure your organisation if you make the right choices.
First, and MOST important: Use an OS that is immune BY DESIGN to ANY virus, worm or other malware, to be installed on any server in your network that is 'directly' exposed to the Internet. These servers should be configured to block spam by mail, contain software to protect other systems in the network against these threats, and be configured so that non-privileged users cannot access files, programs, resources and whatever there is in the system that they are not authorized for, AND disallow others to gain access to the system at all if they are not authorized to enter it. The system should also, by design, be able to audit all access when required, block intruders and signal them, and do a lot of accounting for security reasons. And, of course, the system should be as free as possible from code errors that would allow malware to function at all. All this should be BUILT-IN, not ADD-ON - it should be part of the OS itself. That rules out at least the following OS's as MAIN SERVER:
* Windows (any version) for well-known reasons
* Unix (any flavour and any version) because security is not built-in, but an add-on
* Linux (any distribution and version) for the same reason
Second: do not run software on any server that is not needed for it to function. Disable all access possibilities that are not required on the system. Use only software that has been proven to be safe.
Third: Use a router at your boundary that blocks all incoming traffic on ports that are not required, and routes all ports that you explicitly need to the secure servers. Unnecessary to mention that this system should itself be considered a server as above (access server).
Fourth: all other systems should NEVER be accessible from the Internet itself. Mail should be retrieved from an internal server as described above. All machines MUST have a scanner installed, even if the main server contains one, to detect any malicious software on these systems. Unsafe protocols should be avoided within the network whenever possible. Use those that are secure by design. Such systems don't come cheap, but security never is. Any whitepaper will tell you. If you have any doubt on these matters take a look on WWW.CERT.ORG and compare OpenVMS's record against any other. Look around on the Internet to find more proof of this OS's security and other advantages (where can you find a system where, in a period of over 7 years, all hardware has been moved, upgraded and replaced and the OS has been updated, without interrupting user applications - only when these applications needed an overhaul?)