Slashdot Mirror


Network Intrusion Detection and Prevention?

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary -- Snort appears an obvious open source solution for intrusion detection, but many users may find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network, and how does your network react to those intrusions?"

8 of 264 comments

  1. NV ActiveArmor by AKAImBatman · Score: 3, Interesting

    I have no idea if this helps or not, but NVidia has a technology called ActiveArmor that may be of interest. In a nutshell, it's a Gigabit hardware firewall solution that is built into many inexpensive boards. Supposedly it can be used in both incoming and outgoing directions, allowing you to know immediately if a penetrator attempts to access improper network resources. Here's the spiel:

    ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server, important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.

    Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.

  2. Personalized Login System by Compholio · Score: 3, Interesting

    I think the best way to prevent intrusions is to design a personalized login system (and have the system install updates regularly). Just about everyone uses the same system (username then password), so changing the login program to do something funky is enough to screw up any script. Ex:

    Please enter today's date (MM/DD/YY):
    Please enter your username:
    Please enter a valid email address:
    Please enter your password:

    Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.

  3. Re:intrusion detection by pHZero · Score: 3, Interesting

    Why isn't there a 'bad advice' mod category?

  4. intrusion prevention by uqbar · Score: 4, Interesting

    Real prevention is a double-edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more time is spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

    Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.

  5. Where to start? by mysfitt · Score: 3, Interesting

    I'm an IDS engineer by trade and I could go on for days about this topic. Yes, Snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature-based IDSes available. The user community behind it is very strong and produces some great sigs, usually the same day as the vulnerability is announced. But the downside is no protection against 0-day attacks. Therefore you have to have some behavioral systems in place as well. The problem with those is that tuning out the false positives can be very difficult and time-consuming. Add a honeypot/IPS with blocking capabilities like ActiveScout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.

  6. Re:Ethereal by RedPhoenix · Score: 2, Interesting

    Actually, during a period of 'heightened awareness' at an organisation I used to work at (i.e. a national television program that discussed the organisation at length), we did something like this for real.

    "Ethereal activity" was "a change in any MD5 signature or file-size for any file on the web server"..
    "trained monkey" was a bunch of 24x7 operators (no offence guys.. I'm not making the comparison - just emphasising the distinction)..
    "shell script" and "flash the screen red" were still a shell script, and a red flashing screen.. .. but yes, the instructions were to pull the cat-5 cable out of the back of the router as soon as things started flashing.

    Red.
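The check described in the post above, reduced to code, as an added example that is not part of the original comment: a baseline of (size, digest) per file under the web root is taken once, and later runs compare the tree against it and report anything added, removed or changed. The post used MD5; sha256 is used here, and the comparison logic is the same. The sample web root and the "defacement" are constructed inside a temporary directory so the script runs offline.

```python
"""Added example (not from the Slashdot thread): file-integrity check of a web
root, the 'any MD5 or size change' trigger from the post, using sha256."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its (size, sha256) pair."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, 'rb') as f:
                for chunk in iter(lambda: f.read(65536), b''):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            snap[rel] = (os.path.getsize(full), h.hexdigest())
    return snap


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    both = set(baseline) & set(current)
    return {
        'added': sorted(set(current) - set(baseline)),
        'removed': sorted(set(baseline) - set(current)),
        'modified': sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Constructed web root: take a baseline, tamper with it, compare.

    The defaced index.html keeps exactly the same size as the original, which
    is why the digest, not the size alone, is what catches it.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'cgi-bin'))
        originals = {
            'index.html': b'<h1>Hello</h1>\n',
            os.path.join('cgi-bin', 'form.pl'): b'#!/usr/bin/perl\nprint "ok";\n',
        }
        for rel, body in originals.items():
            with open(os.path.join(root, rel), 'wb') as f:
                f.write(body)
        baseline = snapshot(root)

        # Simulated defacement (same byte count) plus a dropped backdoor.
        with open(os.path.join(root, 'index.html'), 'wb') as f:
            f.write(b'<h1>0wned</h1>\n')
        with open(os.path.join(root, 'cgi-bin', 'shell.cgi'), 'wb') as f:
            f.write(b'#!/bin/sh\n')

        return diff_snapshots(baseline, snapshot(root))


if __name__ == '__main__':
    for kind, paths in demo().items():
        for p in paths:
            print(kind.upper(), p)   # the 'flash the screen red' hook goes here
```

Two caveats a practitioner would add: a checker running on the compromised host can itself be edited, so the baseline (and ideally the checker) should live off-box, and a size-only check would have missed the same-length defacement in the demo.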

  7. Re:Snort-Inline+IPTables+Scripts = Decent IPS by turbidostato · Score: 2, Interesting

    "An upstream provider should have been configured as host to never be blocked"

    So any attack shown as coming from your upstream provider is going to be passed through, isn't it?

    Of course, that very same rule (don't stop your upstream provider) is valid for whatever other "valuable" connections you may have opened (you don't want your IDS to be fooled into dropping connections to your e-commerce database server, do you?).

    But then, if any "higher privilege" connection is to be opened, the probability is that it will be against some of those "high profile" servers (it makes no sense to allow, say, wide access from a random IP to your MS SQL Server, ha!, but it does from your management console, and then you won't want your IDS to block connections from your management console just because the bad guys threw some IP-spoofed packets, will you?), and if they ever spoof a connection, chances are it will look as if it is coming from one of those IPs.

    Dynamic firewall rules as an attack response are a terribly dumb choice in most circumstances; still, they have everything needed to be accepted by PHBs when shown on glossy paper on ultra-buzzy products like UltraFireBlade MegaDynSec Pro and such.

    Quite a pity.
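The SIM-style correlation that comment 5 describes (sensor alerts correlated per source, blocks pushed to the firewall) and the never-block list that comment 7 warns about, put together in one toy correlator. This is an added example, not code from either poster or from any product named in the thread. The alert lines are constructed here in the layout of Snort's fast alert output, the addresses are documentation ranges, and the block policy (one priority-1 alert, or three lower-priority alerts from one source) is an assumption chosen for the example; nothing is read from a real sensor or written to a real firewall.

```python
"""Added example (not from the Slashdot thread): correlate IDS alerts per
source IP into block decisions, honouring a never-block list."""
import re
from collections import defaultdict

# Constructed sample alerts in Snort '-A fast' layout; RFC 5737 test addresses.
SAMPLE_ALERTS = """\
04/12-10:00:01.000000 [**] [1:1000001:1] SCAN nmap SYN [**] [Priority: 3] {TCP} 203.0.113.7:40001 -> 192.0.2.10:22
04/12-10:00:02.000000 [**] [1:1000001:1] SCAN nmap SYN [**] [Priority: 3] {TCP} 203.0.113.7:40002 -> 192.0.2.10:80
04/12-10:00:03.000000 [**] [1:1000001:1] SCAN nmap SYN [**] [Priority: 3] {TCP} 203.0.113.7:40003 -> 192.0.2.10:443
04/12-10:00:04.000000 [**] [1:1000002:1] SQL injection attempt [**] [Priority: 1] {TCP} 198.51.100.2:51000 -> 192.0.2.10:80
04/12-10:00:05.000000 [**] [1:1000003:1] WEB-MISC robots.txt access [**] [Priority: 3] {TCP} 198.51.100.9:51001 -> 192.0.2.10:80
04/12-10:00:06.000000 [**] [1:1000002:1] SQL injection attempt [**] [Priority: 1] {TCP} 192.0.2.50:51002 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] '
    r'\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d['prio'] = int(d['prio'])
            out.append(d)
    return out


def decide_blocks(alerts, never_block, low_prio_threshold=3):
    """Return (to_block, alert_only): {src: reason} dicts.

    Assumed policy: one priority-1 alert blocks a source outright; lower
    priorities block once a source accumulates `low_prio_threshold` alerts.
    A source on `never_block` is never blocked, only reported, because an
    attacker who spoofs the upstream link or the management console as the
    source would otherwise be able to make the IDS cut off the site's own
    critical connections (the self-DoS the thread describes).
    """
    counts = defaultdict(int)
    to_block, alert_only = {}, {}
    for a in alerts:
        src = a['src']
        counts[src] += 1
        if a['prio'] == 1:
            reason = 'priority-1: ' + a['msg']
        elif counts[src] >= low_prio_threshold:
            reason = '%d low-priority alerts' % counts[src]
        else:
            continue
        if src in never_block:
            alert_only[src] = reason      # hand to a human; could be spoofed
        else:
            to_block.setdefault(src, reason)
    return to_block, alert_only


if __name__ == '__main__':
    never = {'198.51.100.9',    # assumed upstream provider address
             '192.0.2.50'}      # assumed management console address
    blocks, manual = decide_blocks(parse_alerts(SAMPLE_ALERTS), never)
    for ip, why in blocks.items():
        print('BLOCK', ip, why)         # would become an iptables/ipset insert
    for ip, why in manual.items():
        print('ALERT ONLY', ip, why)
```

Running it blocks the scanner and the injection source, while the priority-1 alert whose source claims to be the management console is reported but not blocked; that is exactly the trade-off the two comments disagree about, and the list is also the set of addresses an attacker would most like to spoof.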

  8. Castle gates by jd · Score: 2, Interesting

    This goes back to a method I've suggested on Slashdot before. Have two firewall/proxy devices in series. You have one line linking the two together, and one line from each firewall to a single Active NIDS device. Also in parallel is an authentication server.


    In order for traffic to get through the outside interface of the inner firewall OR the inside interface of the outer firewall, there needs to be some sort of authentication or other interaction. It need only happen at the start of sessions, but all of this assumes there is something there.


    All firewalls, on the interface pointing to the middle section, default to blocking ALL traffic from ALL IP addresses, other than that of the authentication server and NIDS device, although NEITHER server can reach other networks - they may only talk to the firewalls.


    Once a stream authenticates with the authentication server, the authentication server notifies the firewall to allow that IP/port combination and ALSO notifies the NIDS that it is to stop monitoring that IP/port combination.


    In the event of the NIDS detecting ANY actual conversation between two machines that is NOT on its list of authorized connections AND is not an authorization request, it can know that it is an intrusion involving the compromise of one of the firewalls. It then notifies the OTHER firewall to shut down that conversation.


    Because the NIDS isn't in-line, there is no latency once the conversation has been approved. Because there is an enforced delay at the start, the NIDS has time to verify that the connection is not an intrusion attempt.


    What if someone tries to compromise the authentication server? Well, then it is an unauthorized conversation that is not an authentication request, so will get blocked.


    What if someone tries to compromise the NIDS server? Well, because the NIDS server needs to only talk to the two firewalls and the authentication server, AND because communication is going to be very limited, you can use strong encryption and digital certificates to ensure nobody else can connect to the NIDS system. Everything else can be harvested by passive monitoring.


    Is this fool-proof? Probably not, fools are just so ingenious. On the other hand, it would probably be good enough to block the bulk of scans, firewall exploits and other such stuff. Breaking one firewall would not be enough, and by the time you detected the other, you'd be locked out.


    This kind of portcullis arrangement is not going to be perfect, but is going to be a lot better than having a single firewall and a copy of Snort running.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
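The bookkeeping the "castle gates" design above relies on, as an added example that is not part of the post: the authentication server clears a stream on both firewalls and tells the NIDS to stop watching it; the NIDS classifies every conversation it sees in the middle section as authorized, an authorization request, or an intrusion, and on an intrusion tells the firewall on the other side to cut it. The firewalls, auth server and NIDS are plain Python objects exchanging method calls; the addresses, the port number and the password check are assumptions made for the example, not anything from the post.

```python
"""Added example (not from the post): simulation of the castle-gates
authorize / stop-monitoring / kill bookkeeping between two firewalls, an
authentication server and an out-of-line NIDS."""

AUTH_SERVER = '10.0.0.2'   # assumed address of the authentication server
NIDS = '10.0.0.3'          # assumed address of the NIDS
AUTH_PORT = 4000           # assumed port for authorization requests


class Firewall:
    def __init__(self, name):
        self.name = name
        self.allowed = set()   # (client, dst, dport) tuples cleared by the auth server
        self.killed = []       # conversations this firewall was told to shut down

    def permits(self, src, dst, dport):
        # Middle-section interface: default deny. Only the auth server and the
        # NIDS may address the firewall itself; authorization requests may
        # always reach the auth server; everything else needs clearance.
        if dst == self.name:
            return src in (AUTH_SERVER, NIDS)
        if dst == AUTH_SERVER and dport == AUTH_PORT:
            return True
        return (src, dst, dport) in self.allowed

    def allow(self, src, dst, dport):
        self.allowed.add((src, dst, dport))

    def kill(self, src, dst, dport):
        self.killed.append((src, dst, dport))
        self.allowed.discard((src, dst, dport))


class Nids:
    def __init__(self, outer, inner):
        self.outer, self.inner = outer, inner
        self.ignored = set()   # conversations the auth server told us to stop watching

    def stop_monitoring(self, src, dst, dport):
        self.ignored.add((src, dst, dport))

    def observe(self, seen_on, src, dst, dport):
        """Classify a conversation seen on one firewall's middle-section link."""
        key = (src, dst, dport)
        if key in self.ignored:
            return 'authorized'
        if dst == AUTH_SERVER and dport == AUTH_PORT:
            return 'auth-request'
        # Uncleared traffic in the middle section means the firewall it came
        # through is presumed compromised, so the OTHER firewall cuts it.
        other = self.inner if seen_on is self.outer else self.outer
        other.kill(src, dst, dport)
        return 'intrusion'


class AuthServer:
    def __init__(self, outer, inner, nids, credentials):
        self.outer, self.inner, self.nids = outer, inner, nids
        self.credentials = credentials   # {client_ip: secret}; stand-in for real auth

    def authenticate(self, src, secret, dst, dport):
        if self.credentials.get(src) != secret:
            return False
        for fw in (self.outer, self.inner):
            fw.allow(src, dst, dport)
        self.nids.stop_monitoring(src, dst, dport)
        return True


def scenario():
    """Constructed walk-through of the three cases the post discusses."""
    outer, inner = Firewall('outer-fw'), Firewall('inner-fw')
    nids = Nids(outer, inner)
    auth = AuthServer(outer, inner, nids, {'198.51.100.4': 'hunter2'})
    r = {}
    # 1. A client authenticates; its web session is then cleared on both
    #    firewalls and ignored by the NIDS, so there is no further latency.
    r['auth'] = auth.authenticate('198.51.100.4', 'hunter2', '192.0.2.10', 80)
    r['session'] = (outer.permits('198.51.100.4', '192.0.2.10', 80)
                    and inner.permits('198.51.100.4', '192.0.2.10', 80)
                    and nids.observe(outer, '198.51.100.4', '192.0.2.10', 80))
    # 2. A stream that appears in the middle section without authenticating:
    #    the outer firewall must have passed it, so the inner one is told to kill it.
    r['rogue'] = nids.observe(outer, '203.0.113.9', '192.0.2.10', 22)
    # 3. An attempt on the auth server that is not an authorization request.
    r['auth_attack'] = nids.observe(outer, '203.0.113.9', AUTH_SERVER, 22)
    r['inner_killed'] = list(inner.killed)
    return r


if __name__ == '__main__':
    for k, v in scenario().items():
        print(k, v)
```

The simulation also makes the design's blind spot visible: once a (client, destination, port) tuple is cleared, the NIDS ignores it entirely, so anything an attacker does over an already-authorized session is not seen by this component at all.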