Intrusion Detection Primer
Benjamin Thomas, an active LinuxSecurity.com contributor, puts together an Intrusion Detection Primer. It is a collection of six research summaries that outline the basics of Intrusion Detection.
Introduction
Internet security and privacy are issues that are beginning to get the
attention of almost all who use computers. Last month the news media was
inundated with reports of Internet vandals unleashing DDoS (Distributed
Denial of Service) attacks on major websites. Almost all attacks on
computer networks can be prevented if system administrators take the
appropriate steps to secure and monitor their networks. The process of
preventing and detecting security breaches by monitoring user and
application activity is known as intrusion detection. In this paper I
illustrate what makes systems vulnerable, how they are attacked, how to
react when a system is compromised, and give a brief introduction of
LIDS (Linux Intrusion Detection System). Intrusion detection is a
proactive process that requires constant attention of system
administrators. In order to remain secure, network systems must
continually be probed for new security weaknesses. Security is a
process of staying informed.
Intrusion Detection Basics
Why is intrusion detection important in today's network environment?
Phil Bandy, Michael Money, and Karen Worsted write in the "SANS Institute Intrusion Detection FAQ"
(1999) that intrusion detection is important because it is impossible
to keep up with the rapid pace of new threats to computer
systems. The Internet is changing rapidly day by day. Businesses are
expanding exponentially using the Internet as a resource. Because of
its quick evolution, system monitoring and administration is becoming
an endless task. Intrusion detection tools make it easier for
administrators to keep a secure network environment. Who is attacking
our networks? The vandals probing networks for security vulnerabilities
may be curious teenagers, disgruntled employees, or corporate criminals
from rival companies.
Network intrusion is a systematic process. Usually unauthorized access
is gained by exploiting operating system vulnerabilities (flaws in
installed software). This can be done a number of ways. When an
attacker chooses a target, he/she will execute software to determine
the remote operating system, search various underground websites for
flaws in that particular operating system, and then execute scripts
that exploit the victim system.
Virtually all server attacks progress in this manner. Intrusion
detection tools help system administrators stop network attacks and aid
in tracking down the attackers.
System flaws that exist in software are the root cause of network
intrusions. What are some of the vulnerabilities that exist? What types
of software are vulnerable to attack? The next article addresses the
type of applications vulnerable to attack, password security, and the
importance of security policies.
The rapid expansion of client/server networking is taking a toll on
information security. Yona Hollander, in "Intrusion Prevention: The Next Step in IT Security,"
writes that new system vulnerabilities are discovered each day. Because
information on intrusion techniques is freely available on the
Internet, breaking into systems is an easier feat. Usually, a company's
first line of defense is a firewall. When a firewall is compromised,
system administrators rely on security assessment tools to simulate
attacks, analyze logs, and audit file permissions.
Many believe that operating systems are the only applications
vulnerable to attack. This is untrue; many network servers such as mail
daemons, FTP (File Transfer Protocol) hosts, and web browsers have
significant problems. If assessment software is out-of-date how will
the security hole be found? It won't! Many companies do not have
on-hand security experts to analyze their networks. Another major
problem is lack of security enforcement. Passwords are widely used, but
never long enough or obscure enough. Words found in the dictionary will not
serve as adequate protection. Companies should conduct periodic
security audits on all terminals, workstations, and servers. Security
policies are also important in a work environment. Some companies go as
far as employee termination for repeated violation of security
policies. On-the-spot prevention/detection, security policy
enforcement, and limiting local user privileges will create a more
secure network.
In order to effectively audit a
network for security vulnerabilities, one must be familiar with how
security can be compromised. Are passwords secure? In most cases, no.
Crackers have many systematic methods of circumventing a network's
security structure.
Robert Graham in "FAQ: Network Intrusion Detection Systems"
(2000) writes that user passwords can be obtained very easily. Crackers
have many techniques of capturing passwords. One way they can be
obtained is called clear-text sniffing. The three most popular Internet
protocols, HTTP, FTP, and TELNET, use plain-text passwords that can be
intercepted if an intruder installs a protocol analyzer (aka packet
sniffer) between the client and server. Another way crackers can
obtain passwords is by capturing the password file (/etc/passwd) on
the server, and using a cracker program with a dictionary file to
uncover passwords. Brute-force cracking (programming a computer to try
every possibility) can take significant lengths of time, especially
if users have chosen passwords greater than 8 characters long. Social
engineering is probably the easiest way to obtain passwords. This is
simply a method of calling the target and conning them into
giving out their password. Usually intruders will call large companies,
find vulnerable people, claim to be in the IS department, and ask for
the password. This technique is very common. Passwords are the
foundation of computer security. Keeping them confidential, using a
combination of uppercase/lowercase/numbers, and changing periodically
is extremely important.
Many administrators spend hours
securing network servers, updating software/firmware, and analyzing
logs searching for abnormal system activity. Because software is
constantly evolving, security is an endless process. Has every
possible intrusion been covered? From time to time systems are
compromised because one vulnerability is overlooked. What should be
done when an intrusion is detected?
Practical UNIX & Internet Security
(1996), written by Simson Garfinkel and Gene Spafford, offers much more
than security methods. An entire section is devoted to handling events
such as break-ins, DoS attacks, and computer security law. When an
intrusion is discovered, what steps should be taken?
First of all, don't panic! Events that look like system intrusion may
actually be software configuration errors. If an intrusion is
suspected, react quickly by terminating the network connection. (This
can be done by physically unplugging the Ethernet or modem cable.)
Next, document all that you observed, and any actions taken to restore
the system. Documentation can prove to be a valuable tool when trying
to determine which backups to restore. Finally, plan ahead for the next
network intrusion by identifying the problem, determining the damage
caused, restoring the system, and reporting the incident to the proper
authorities.
Unexplained reboots, significant hard drive activity, system crashes,
and sluggish network connections may all be signs of an intruder. If
any of these symptoms exist it would be wise to review /var/log/syslog
and /var/log/messages. (These are the standard log files on UNIX-based
systems.) If an intrusion occurs, organizations such as CERT
(Computer Emergency Response Team) and FIRST (Forum of Incident
Response and Security Teams) should be notified immediately. They can
assist in tracking down the criminal. If handled properly, system
damage can be minimized when a network intrusion is discovered.
If a security breach has been
detected and reported to authorities, what else should be done? The
attacker could potentially return and utilize malicious backdoors
he/she installed, or exploit other vulnerabilities. How can the
intruder be tracked down?
The February 2000 issue of Network Magazine contains an interesting article titled "Gauging the Real Hacker Threat to Your
Network."
The author, Ramon J. Hontanon, explores incident response, reading
intruders' tracks, ways to avoid intrusion, and information warfare.
When a security breach is discovered, disconnect the computer from the
network, make an external copy of all log files, look for date
modification of "static" system utilities, and search for amendments to
the passwd file. Following the filesystem check, a full
TCP (Transmission Control Protocol) system scan should be executed. This
will uncover newly opened ports, reconfigured services, or installed
trojan horses. After a thorough system examination, the log files
should be studied to determine the skill level and geographical
location of the intruder. Did he make any mistakes, or leave anything
uncovered? Using the log files to determine the time of attack and
originating host will help uncover the location of the intruder. When
not tracking down an intruder, energy should be devoted to internal
system auditing. This includes reviewing log files daily, running
periodic port scans, and changing system passwords monthly. System
administrators should also install and maintain the latest kernel
security patches that are available. There is no substitute for quick
human response and thorough investigations. Searching security
websites and sifting through security newsgroups should be a normal
routine.
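The "check the static utilities" and "search for amendments to the passwd file" steps above, carried into a shell script as an added example that is not from the original article or from Network Magazine: it keeps a checksum-plus-mtime manifest of the utilities taken while the system was clean, compares it after the incident, and lists any UID 0 account other than root. The sample tree, the trojaned `ps`, and the `toor` account are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: two post-incident checks
# run on a constructed sample tree so the script works offline. On a real
# system point the directory at /bin, /usr/bin and /sbin and the file at
# /etc/passwd, and keep the baseline (from a known-good install) on
# read-only media. Assumes GNU coreutils (sha256sum, stat -c, touch -d).
set -u

# Record "sha256 mtime path" for every regular file under DIR into OUTFILE.
make_baseline() {  # make_baseline DIR OUTFILE
    find "$1" -type f -exec sh -c \
        'printf "%s %s %s\n" "$(sha256sum "$1" | cut -d" " -f1)" \
            "$(stat -c %Y "$1")" "$1"' _ {} \; | sort -k3 > "$2"
}

# Re-hash DIR and print every manifest line that differs from BASELINE.
# Returns 1 if a utility changed, appeared or disappeared. A trojaned binary
# still shows up when its timestamp was reset, because the hash differs.
check_baseline() {  # check_baseline DIR BASELINE
    now=$(mktemp)
    make_baseline "$1" "$now"
    changed=$(diff "$2" "$now" | grep '^[<>]' || true)
    rm -f "$now"
    if [ -z "$changed" ]; then return 0; fi
    printf '%s\n' "$changed"
    return 1
}

# Print accounts with UID 0 other than root: a typical amendment to the
# passwd file that leaves an intruder a second superuser login.
extra_uid0() {  # extra_uid0 PASSWDFILE
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- constructed demo data, not a real system ---
WORK=$(mktemp -d)
mkdir "$WORK/bin"
printf 'original ps\n' > "$WORK/bin/ps"
printf 'original ls\n' > "$WORK/bin/ls"
make_baseline "$WORK/bin" "$WORK/baseline.txt"  # taken while the system is clean
# Simulate a replaced ps with a back-dated timestamp plus a "toor" backdoor account.
printf 'trojaned ps\n' > "$WORK/bin/ps"
touch -d '2000-01-01' "$WORK/bin/ps"
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\ntoor:x:0:0::/:/bin/sh\n' > "$WORK/passwd"
echo "== utilities differing from baseline =="
check_baseline "$WORK/bin" "$WORK/baseline.txt" || echo "ALERT: static utilities modified"
echo "== extra UID 0 accounts =="
extra_uid0 "$WORK/passwd"
```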
Rather than only taking
standard security precautions, many administrators feel that installing
intrusion detection software can help lessen the burden of network
analysis. Additional software can also help remove unneeded modules,
better apply permissions, and implement cryptography.
Philippe Biondi, a member of
the Linux Intrusion Detection System project, wrote (2000)
documentation for LIDS (Linux Intrusion Detection/Defense System).
LIDS is a free software package for i386 Linux architecture with the
primary goal of protecting against root account intrusions. In order
for LIDS to properly secure the server operating system, it must
restrict the use of modules, raw memory/disk access, protect boot
files, and prevent access to I/O Ports.
LIDS will also log every denied access attempt, lock routing
tables/firewall rules, and restrict mounting. Another interesting
feature is its ability to hide system processes. Users logged into
the system will not be able to execute a simple command such as "ps
aux" to reveal running daemons.
After LIDS is installed it is first executed as a boot image initiated
by LILO (Linux Loader). This guarantees that the system remains
secure throughout the entire boot process. LIDS has proven to be an
effective tool in both intrusion detection and prevention.
Conclusion
Intrusion detection is a process that must be executed by system
administrators in order to maintain secure networks. An administrator
must understand the importance of protecting his/her network, how
exploited vulnerabilities can bring a system to its knees, and how to
react to security incidents. System administrators must stay informed
of all system advisories, flaws, and software updates.
Not taking appropriate actions to fix known problems can prove to be
fatal to network servers. The summaries outlined illustrate various
methods of intrusion detection and how to react when a breach has
occurred.
As our society begins depending more on network systems, information
security will become more of an issue. If network administrators do not
remain informed of software updates and fail to closely monitor their
servers, network security will remain problematic.
Intrusion detection is a necessary process that must be fully
understood and executed to maintain network security.