Benjamin Thomas, an active LinuxSecurity.com contributor, puts together an Intrusion Detection Primer. It is a collection of six research summaries that outline the basics of Intrusion Detection.



Introduction

Internet security and privacy is an issue that is beginning to get the attention of almost all who use computers. Last month the news media was inundated with reports of Internet vandals unleashing DDoS (Distributed Denial of Service) attacks on major websites. Almost all attacks on computer networks can be prevented if system administrators take the appropriate steps to secure and monitor their networks. The process of preventing and detecting security breaches by monitoring user and application activity is known as intrusion detection. In this paper I illustrate what makes systems vulnerable, how they are attacked, how to react when a system is compromised, and give a brief introduction of LIDS(Linux Intrusion Detection System). Intrusion detection is a proactive process that requires constant attention of system administrators. In order to remain secure, network systems must continually be probed for new security weaknesses. Security is a process of staying informed.


Intrusion Detection Basics

Why is intrusion detection important in today's network environment? Phil Bandy, Michael Money, and Karen Worsted write in the "SANS Institute Intrusion Detection FAQ" (1999) that intrusion detection is important because it is impossible to keep up with the rapid pace of potential threats of computer systems. The Internet is changing rapidly day by day. Businesses are expanding exponentially using the Internet as a resource. Because of its quick evolution, system monitoring and administration is becoming an endless task. Intrusion detection tools make it easier for administrators to keep a secure network environment. Who is attacking our networks? The vandals probing networks for security vulnerabilities may be curious teenagers, disgruntled employees, or corporate criminals from rival companies. Network intrusion is a systematic process. Usually unauthorized access is gained by exploiting operating system vulnerabilities (flaws in installed software). This can be done a number of ways. When an attacker chooses a target, he/she will execute software to determine the remote operating system, search various underground websites for flaws in that particular operating system, and then execute scripts that exploit the victim system. Virtually all server attacks progress in this manner. Intrusion detection tools help system administrators stop network attacks and aid in tracking down the attackers.

System flaws that exist in software are the root cause of network intrusions. What are some of the vulnerabilities that exist? What types of software is vulnerable to attack? The next article addresses the type of applications vulnerable to attack, password security, and the importance of security policies.

The rapid expansion of client/server networking is taking a toll on information security. Yona Hollander, in "Intrusion Prevention: The Next Step in IT Security," writes that new system vulnerabilities are discovered each day. Because information on intrusion techniques is freely available on the Internet, breaking into systems is an easier feat. Usually, a companies first line of defense is a firewall. When a firewall is compromised, system administrators rely on security assessment tools to simulate attacks, analyze logs, and audit file permissions. Many believe that operating systems are the only applications vulnerable to attack. This is untrue; many network servers such a mail daemons, ftp(file transfer protocol) hosts, and and web browsers have significant problems. If assessment software is out-of-date how will the security hole be found? It won't! Many companies do not have on-hand security experts to analyze their networks. Another major problem is lack of security enforcement. Passwords are widely used, but never long enough or obscure. Words found in the dictionary will not serve as adequate protection. Companies should conduct periodic security audits on all terminals, workstations, and servers. Security policies are also important in a work environment. Some companies go as far as employee termination for repeated violation of security policies. On the spot prevention/detection, security policy enforcement, and limiting local user privileges will create a more secure network.

In order to effectively audit a network for security vulnerabilities, one must be familiar with how security can be compromised. Are passwords secure? In most cases, no. Crackers have many systematic methods of circumventing a networks security structure.

Robert Graham in "FAQ: Network Intrusion Detection Systems" (2000) writes that user passwords can be obtained very easily. Crackers have many techniques of capturing passwords. One way they can be obtained is called clear-text sniffing. The three most popular Internet protocols HTTP, FTP, and TELNET use plain-text passwords that can be intercepted if an intruder installed a protocol analyzer ( aka Packet Sniffer ) between the client and server. Another way crackers can obtain passwords is by capturing the password ( /etc/passwd ) file on the server, and using a cracker program with a dictionary file to uncover passwords. Bruteforce ( programming a computer to try every possibility) cracking can take significant lengths of time especially if users have chosen passwords greater than 8 charters long. Social Engineering is probably the easiest way to obtain passwords. This is simply a method of calling the target and simply conning them into giving out their password. Usually intruders will call large companies, find vulnerable people, claim to be in the IS department, and ask for the password. This technique is very common. Passwords are the foundation of computer security. Keeping them confidential, using a combination of uppercase/lowercase/numbers, and changing periodically is extremely important.

Many administrators spend hours securing network servers, updating software/firmware, and analyzing logs searching for abnormal system activity. Because software is constantly evolving, security is an endless process. Has every intrusion possibly been covered? From time to time systems are compromised because one vulnerability is overlooked. What should be done when a intrusion is detected?

Practical UNIX & Internet Security, (1996) written by Simson Garfinkel and Gene Spafford offers much more than security methods. An entire section is devoted to handling events such as break-ins, DoS attacks, and computer security law. When an intrusion is discovered, what steps should be taken? First of all, don't panic! Events that look like system intrusion may actually be software configuration errors. If an intrusion is suspected, react quickly by terminating the network connection. (This can be done by physically unplugging the Ethernet or modem cable.) Next, document all that you observed, and any actions taken to restore the system. Documentation can prove to be a valuable tool when trying to determine which backups to restore. Finally, plan ahead for the next network intrusion by identifying the problem, determining the damage caused, restoring the system, and reporting the incident to the proper authorities. Unexplained reboots, significant hard drive activity, system crashes, and sluggish network connections may all be signs of an intruder. If any of these symptoms exist it would be wise to review /var/log/syslog and /var/log/messages. (These are the standard log files on UNIX based architecture). If an intrusion occurs, organizations such CERT (Computer Emergency Response Team) and FIRST (Forum of Incident Response and Security Teams) should be notified immediately. They can assist in tracking down the criminal. If handled properly, system damage can be minimized when a network intrusion is discovered.

If a security breach has been detected and reported to authorities, what else should be done? The attacker could potentially return and utilize malicious backdoors he/she installed, or exploit other vulnerabilities. How can the intruder be tracked down?

The February 2000 issue of Network Magazine contains an interesting article titled " Gauging the Real Hacker Threat to Your Network.." The author, Ramon J. Hontanon, explores incident response, reading intruders' tracks, ways to avoid intrusion, and information warfare. When a security breach is discovered, disconnect the computer from the network, make an external copy of all log files, look for date modification of "static" system utilities, and search for amendments to the passwd file. Following the filesystem check a full TCP (Transport Control Protocal) system scan should be executed. This will uncover newly opened ports, reconfigured services, or installed trojan horses. After a thorough system examination, the log files should be studied to determine the skill level and geographical location of the intruder. Did he make any mistakes, or leave anything uncovered? Using the logfiles to determine, the time of attack and originating host will help uncover the location of the intruder. When not tracking down an intruder, energy should be devoted to internal system auditing. This includes reviewing log files daily, running periodic port scans, and changing system passwords monthly. Systems administrators should also install and maintain the latest kernel security patches that are available. There is no substitute for quick human response and thorough investigations. Searching security websites, and sifting thorough security news groups should be a normal routine.


Rather than only taking standard security precautions, many administrators feel that installing intrusion detection software can help lessen the burden of network analysis. Additional software can also help remove unneeded modules, better apply permissions, and implement cryptography.

Philppe Biondi, a member of the Linux Intrusion Detection System project, wrote (2000) documentation for LIDS (Linux Intrusion Detection/Defense System). LIDS is a free software package for i386 Linux architecture with the primary goal of protecting against root account intrusions. In order for LIDS to properly secure the server operating system, it must restrict the use of modules, raw memory/disk access, protect boot files, and prevent access to I/O Ports. LIDS will also log every denied access attempt, lock routing tables/firewall rules, and restrict mounting. Another interesting features is it's ability to hide system processes. Users logged into the system will not be able to execute a simple command such as "ps aux" to reveal running daemons. After LIDS is installed it is first executed as a boot image initiated by LILO (Linux Loader). This feature guarantees the system remaining secure throughout the entire boot process. LIDS has proven to be an effective tool in both intrusion detection and prevention.


Conclusion

Intrusion detection is a process that must be executed by system administrators in order to maintain secure networks. An administrator must understand the importance of protecting his/her network, how exploited vulnerabilities can bring a system to it's knees, and how to react to security incidents. System administrators must stay informed of all system advisories, flaws, and software updates. Not taking appropriate actions to fix known problems can prove to be fatal to network servers. The summaries outlined illustrate various methods of intrusion detection and how to react when a breach has occurred. As our society begins depending more on network systems, information security will become more of an issue. If network administrators do not remain informed of software updates and fail to closely monitor their servers, network security will remain to be problematic. Intrusion detection is a necessary process that must be fully understood and executed to maintain network security.