This article analyzes intrusion detection, prevention and management systems, a vital technology that today constitutes a key technical countermeasure against the circumvention of the other security measures in place (firewalls, anti-virus, physical and logical access controls, etc.), both in the network and in the end systems.
Some of the reasons that make an IDS/IPS necessary are to counter losses of intellectual property, loss of process control and data integrity, industrial espionage, etc., and to make it possible to record sequences of events.
Daily life is increasingly influenced by the Internet; for example, it makes it simple to carry out tasks such as bank transfers, purchases or trips, and dealings with public administrations, health services, etc. But the benefits of the Internet are accompanied by the danger of fraud and illegal use. For example, phishing, a form of Internet fraud, allows the theft of valuable information such as credit card numbers, social security numbers, user identifiers and passwords, etc., causing in the USA alone damage of three trillion dollars in 2007 (see the report of December 2007 at http://www.gartner.com).
As the world economy, state structures, communications, industry, business and society in general become increasingly dependent on information technology (more precisely ICT, Information and Communication Technology), a significant increase is observed in the risk related to intrusions in cyberspace. It can currently be observed that malicious intruders, through threat vectors, manage to overcome the protection systems (firewalls, anti-virus, identity management systems, access control systems, etc.) designed to limit access to the computer network resources installed in banks, companies and organizations in general. To reduce the risk and its possible consequences it is very important to identify intrusions at an early stage and to respond to them appropriately. For this purpose it is necessary to deploy intrusion detection and prevention systems and, in the most advanced case, intrusion management systems. A properly configured and updated IDS/IPS is an integral component of a defense-in-depth solution. An IDS (Intrusion Detection System) is a protection system designed to identify and respond to malicious activities directed against computers and network resources. It is important that the IDS can process every packet that is transmitted regardless of the network utilization level; the number of packets excluded from detection must therefore be minimal, which can be achieved with load balancing schemes and redundancy mechanisms with high-availability functionality. Some commonly used network traffic parameters are: (i) Number of IP packets/datagrams, for example 7.5 million, classified by encapsulated protocol type and indicating its proportion, for example TCP 86%, UDP 11%, ICMP 1%, IGMP, etc. (ii) Average data transmission rate, measured in Mbps. (iii) Average packet size, measured in bytes, for example 720 bytes. (iv) Average number of packets per second, for example 114,765 pps. (v) Duration, measured in units of time, in the International System in seconds. Information security is the process of protecting information (data, programs, knowledge) from a wide (and continuously growing) range of threats in order to ensure business continuity, minimize damage to the business and maximize the ROI and the business opportunities and objectives; information security is therefore not a fashion or a trend but a necessity and an investment with a return.
Security problem. Categories and methods of violation. Levels of security measures. Threats
Information security must consider both the network environment and its end systems (PCs, PDAs, servers, etc.) and protect their resources and information. Intruders try to break security. A threat is a potential violation of security that exploits some vulnerability (the number of vulnerabilities is unbounded, and the known ones increase every day). An attack is an attempt to break security. An attack can be accidental or malicious. It is easier to protect against accidental attacks than against malicious illegal use. Security violations can be classified in categories such as the following: breach of confidentiality, breach of integrity, breach of availability, theft of service and denial of service. The main methods of security violation are: masquerade (breaking authentication), replay attack (modification of messages), MITM (Man-In-The-Middle) attacks (impersonation of organizations) and session hijacking. The four main levels of security measures are: physical, human (to avoid social engineering, phishing and dumpster diving), operating system and network.
We must not forget that security is always as weak as the weakest link of the chain. Some of the main threats to programs are trojans, back doors, logic bombs, stack and buffer overflows, and viruses (file, boot, macro, source code, polymorphic, encrypted, stealth, tunnelling, armored). Some relevant threats to systems and networks are worms, port scans and DoS/DDoS.
Threats to network security
Network security refers to the protection of network resources, in particular the computer systems (PCs, servers, PDAs, etc.) and the information, data and knowledge. As for what the different risks to network resources are: in relation to the computer systems one can identify those that concern availability and fault tolerance and those related to unauthorized access, and in relation to information and data those that concern the CIA triad (Confidentiality, Integrity, Availability). As for where the risks lie, three areas can be delimited: those concerning insiders versus outsiders, those related to the network (for example eavesdropping) and those concerning the computers, such as system vulnerabilities, access control and physical security. The main current threats to security are: (i) Those used to compromise the security of systems: scanning/probing other systems to find back doors in order to gain unauthorized access, and DoS (Denial of Service) attacks. (ii) Malware, such as computer viruses, spyware, trojans, worms, etc. (iii) Spamming: systems used to send unsolicited electronic mail.
Intrusion detection and prevention. IDS functions, technologies and methods. Intrusion prevention
An intrusion is any intentional event by which an intruder who gains access compromises the confidentiality, integrity or availability of the computers, the networks or the data, information and knowledge residing in them. An attacker (adversary, intruder or hacker) can deceive a firewall and steal secret files located on a server; the solution is to use some type of intrusion detection, prevention and management system, which can be thought of as a TV camera acting as an informant. The IDS detects intrusive behaviour in an automated way. The following functions can be identified in an IDS: (i) Monitoring of events in network traffic and on the computers or hosts. (ii) Real-time analysis of events in search of signs of intrusion. (iii) Recording of information in an audit log. (iv) Alert notification, for example using e-mail messages, SMS, sounding audible or visual alarms, etc. (v) Producing customized reports on the events of interest. Basically two technologies can be identified in relation to IDSs: HIDS (Host-based IDS) and NIDS (Network IDS). Two detection methods can also be identified: signature-based detection (it identifies known sequences of events that indicate intrusive behaviour) and anomaly-based detection (it looks for abnormal behaviour and consequently is likely to detect unknown attacks). Intrusion prevention is the ability to detect an event and try to stop the possible incident. An IPS (Intrusion Prevention System) prevents the intrusion attempts detected by the IDS. Therefore: IPS = IDS + prevention module. The IPS acts as a "network traffic police" that automates the response. An IPS uses diverse response techniques: (i) It stops the attack itself, blocking access to the victim and terminating the network connection.
(ii) It changes the security environment, reconfiguring network devices such as the firewall, router (L3) or switch/bridge (L2). (iii) It changes the content of the attack, for example removing an infected file attached to an e-mail, modifying the content of a UDP datagram inline, etc. (iv) It diverts the traffic to a honeypot/padded cell.
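The two detection methods and the prevention module described above, as an added example that is not part of the original article: a toy NIDS that runs signature matching and a statistical anomaly check over constructed packet records, then lets the prevention module choose a response per offending source (all addresses, signatures and the baseline are constructed).

```python
"""Toy NIDS with a prevention module (IPS = IDS + prevention module), run over
constructed packet records rather than live traffic."""
import re
import statistics
from collections import Counter

# Constructed packet records: two normal HTTP requests, one request matching a
# known signature, and one source that sends a burst of 40 bare SYNs.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET /about.html HTTP/1.1\r\n\r\n"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"},
] + [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": port,
     "flags": "S", "payload": b""}
    for port in range(1, 41)
]

# Signature rules: known byte patterns that indicate intrusive behaviour.
SIGNATURES = [
    {"sid": 1, "msg": "Directory traversal in HTTP request", "proto": "tcp",
     "dport": 80, "pattern": re.compile(rb"\.\./\.\./")},
    {"sid": 2, "msg": "/etc/passwd access attempt", "proto": "tcp",
     "dport": 80, "pattern": re.compile(rb"/etc/passwd")},
]

def signature_detect(packets):
    """Signature-based method: match every packet against known signatures."""
    alerts = []
    for pkt in packets:
        for sig in SIGNATURES:
            if (pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"]
                    and sig["pattern"].search(pkt["payload"])):
                alerts.append({"method": "signature", "sid": sig["sid"],
                               "msg": sig["msg"], "src": pkt["src"]})
    return alerts

def anomaly_detect(packets, baseline_counts, k=3.0):
    """Anomaly-based method: flag sources whose packet count exceeds
    mean + k * stdev of a baseline learned from normal traffic. No signature
    is needed, so a previously unseen attack can still be caught."""
    threshold = (statistics.mean(baseline_counts)
                 + k * statistics.stdev(baseline_counts))
    counts = Counter(pkt["src"] for pkt in packets)
    return [{"method": "anomaly", "src": src,
             "msg": f"{n} packets from one source exceeds threshold {threshold:.1f}"}
            for src, n in counts.items() if n > threshold]

def ips_respond(alerts, default_action="alert"):
    """Prevention module: choose a response per offending source. A signature
    hit is certain enough to block; an anomaly alone only gets the default
    action, so a false positive does not cut off a legitimate host."""
    actions = {}
    for alert in alerts:
        if alert["method"] == "signature":
            actions[alert["src"]] = "block"
        else:
            actions.setdefault(alert["src"], default_action)
    return actions

def run_ids_ips(packets, baseline_counts):
    """Functions (i)-(iii): monitor, analyze, and return the audit record."""
    alerts = signature_detect(packets) + anomaly_detect(packets, baseline_counts)
    return alerts, ips_respond(alerts)

if __name__ == "__main__":
    # Constructed baseline: packets per source seen during normal operation.
    baseline = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2]
    alerts, actions = run_ids_ips(PACKETS, baseline)
    for alert in alerts:  # function (iv): notification, here just printed
        print(f"[{alert['method']}] {alert['src']}: {alert['msg']}")
    print("responses:", actions)
```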
IDS/IPS control strategies. Types of NIDS/NIPS deployment
An IDS can be implemented using one of three basic control strategies: (1) Centralized. All IDS control functions are implemented and managed from a central location or console. (2) Fully distributed. All control functions are applied at the physical location of each IDS component. (3) Partially distributed. It combines the previous two; while the individual agents can analyze and report local threats, they report to a hierarchical central station so that the organization can detect global attacks.
NIST (National Institute of Standards and Technology, see http://www.nist.gov) recommends four locations for NIDS sensors: (i) Behind each external firewall, in the DMZ network. (ii) Outside the external firewall. (iii) On the main network backbones. (iv) On critical subnetworks. Other possible locations are: in the DMZ (demilitarized zone); in front of and behind the firewall (this combination allows attacks on the firewall to be detected and can help refine the firewall rule set); on the server network segments; on network segments with "power" users; behind the remote access server (RAS); between business units, the corporate network and the networks of corporate partners.
Measuring the effectiveness of the IDS/IPS
Two dominant metrics used to evaluate an IDS/IPS are: (1) the administrators evaluate the number of attacks detected on a known test set; (2) the administrators examine the load level at which each IDS fails. The evaluation of an IDS can be expressed in the following form: for example, at 1000 Mbps an IDS can detect 97% of the directed attacks. Because building such a test collection can be tedious, most IDS manufacturers provide test mechanisms to verify that the systems are performing as expected. Some of these test processes allow the administrator: (i) To record and replay packets from real virus or worm scans. (ii) To record and transmit packets from real virus and worm scans with incomplete TCP session connections (dropping the SYN packets). (iii) To run real virus or worm scans against an invulnerable system.
Classification and disadvantages of IDS/IPS
Three criteria used when classifying IDS/IPS are: (1) According to the technologies or methods used to detect intrusions. One can identify: (i) Attack-signature based. They are NIDS that use pre-identified attack signatures. (ii) Anomaly based. They use statistical methods and are based on finding irregular activities that differ from the normal baseline pattern. (iii) Misuse of the system protocol. Deviations from the normal protocol are monitored. This method is useful for detecting attempts by a user or application to gain unauthorized access to a system. (2) According to the practical implementation of the system, that is, according to the monitored target.
Three large groups can be identified: (i) Host based or HIDS (examples are Tripwire, ISS RealSecure OS Sensor and Axent Intruder Alert) and all the related IDS, such as application based (IDA) and protocol based (PIDS). HIDS are small software programs called agents that reside on a computer and monitor metrics such as file access and modification, insertion of removable USB/CD/DVD drives, CPU performance, etc. Application IDS reside on a computer and monitor metrics such as anomalous process terminations, exits, message queues, etc. (ii) Network based or NIDS (for example Snort 2.8.0, Axent NetProwler, NAI CyberCop Monitor, ISS RealSecure Network Sensor, Cisco Secure IDS) and all the related IDS such as protocol based (PIDS). A NIDS resides on a separate appliance and monitors anomalous network traffic, devices and internal attacks. A PIDS can reside on a NIDS or on a computer and is in charge of monitoring the use of the communication protocol between systems. (iii) Hybrid or distributed IDS. They combine the two locations of action, being able to detect both internal intrusions in the end computer systems (HIDS) and external intrusions in the network traffic, with or without a switch (NIDS). (3) Functional classification, according to functionality: (i) Packet capturer and pattern or signature comparator. (ii) Log analyzer. (iii) File integrity tester. (iv) Activity monitor. (v) Host firewall. Some styles of intrusion detection are based on: known signatures (syntax), known misuse (may include semantics), anomaly detection (it must operate within the domain), specification (what is allowed is defined and the rest is prohibited), behaviour (contextual evidence, for example "unset HISTFILE"). The main disadvantages of IDS are: (i) The volume of false positive alarms is enormous. (ii) The number of unreported events.
(iii) Most packet-sniffing solutions are context-free: they have no idea whether an attack is relevant. (iv) They are only reporting entities, reactive agents. (v) High service load for the IDS administrator. (vi) Manual response to events. (vii) No preventive capability. Comparison between HIDS and NIDS: (a) HIDS. Two common methods of implementing them are agent based and log analyzer based. Agent-based deployment requires installing specialized programs on the host system. The log-analysis implementation depends on the host logs that a logging system produces or extracts. HIDS are better than NIDS at handling host-based information. (b) NIDS. They are placed at one or several points throughout the network. The sniffer agent analyzes the network packets that contain data, including the message and the header that identifies the sending and receiving parties. Network attacks such as IP spoofing, packet floods and denial of service are better detected by NIDS packet examination than by using a HIDS.
Criteria for choosing an IDS/IPS. Potential problems
When choosing an IDS the following guidelines or evaluation criteria can be considered: (1) Attack signatures used. Their quality and the organization that creates them must be assessed; the rate of false positives and false negatives must be examined, as well as the BRF (Base Rate Fallacy). The frequency of their updates must also be considered (if the interval is greater than eight hours it can be dangerous). It is also advisable to assess the update mechanism (whether it is protected and what it consists of). (2) Scalability. The management capacity must be assessed and traffic handling must be observed to see whether it provides load balancing functionality for peak hours; also, for HIDS, the supported platforms. Another aspect to assess critically is the type of shutdown mechanism used. (3) The type of hardware platform used. For example a PC or switch appliance with general-purpose processors such as Intel-based processors (for example Intel Core 2 Quad), or SPARC-based processors, or ASIC-based hardware (Application-Specific Integrated Circuits, integrated circuits that execute an instruction set hard-coded in hardware on the data that pass through), or FPGA-based hardware (Field Programmable Gate Arrays, integrated circuits that can be programmed to perform certain operations on the data that pass through). (4) Management capacity or manageability. One can examine whether it incorporates functionality such as cross-log examination, reporting, archiving and a centralized console.
Some of the potential problems that IDS/IPS present: the quality of the attack signatures; the handling of SSL-based traffic, IPSEC/PPTP tunnels and PGP attachments in e-mail; the use of switched LANs (multiple collision domains) versus hub LANs (a single collision domain) requires connections through a switch spanning/mirroring port to monitor all the traffic, with possible performance degradation; deployment in very high-speed networks can result in not all the traffic being monitored.
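The effectiveness metrics of the previous section and the Base Rate Fallacy named in criterion (1), worked through as an added example (not from the article): a detector evaluated on a labelled test set, and what its detection and false positive rates mean once it runs on production traffic where attacks are rare. The labelled events, the base rate and the daily volume are constructed; the 97% detection rate and the 7.5 million daily datagrams are the article's own figures.

```python
"""Effectiveness metrics for an IDS/IPS evaluated on a known test set, and the
base rate fallacy (BRF): why a 97% detection rate with a 'small' false positive
rate still floods the console when real intrusions are rare."""

def confusion(events):
    """events: iterable of (is_attack, alerted) booleans from a labelled test set."""
    tp = sum(1 for attack, alerted in events if attack and alerted)
    fn = sum(1 for attack, alerted in events if attack and not alerted)
    fp = sum(1 for attack, alerted in events if not attack and alerted)
    tn = sum(1 for attack, alerted in events if not attack and not alerted)
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn}

def detection_rate(c):
    """Metric (1) of the article: fraction of known attacks the IDS detected."""
    return c["tp"] / (c["tp"] + c["fn"])

def false_positive_rate(c):
    """Fraction of benign events that still raised an alert."""
    return c["fp"] / (c["fp"] + c["tn"])

def alert_precision(base_rate, tpr, fpr):
    """Bayes: P(attack | alert) for a given prior probability of attack.
    This is the number the base rate fallacy makes people overestimate."""
    true_alerts = base_rate * tpr
    false_alerts = (1 - base_rate) * fpr
    return true_alerts / (true_alerts + false_alerts)

def expected_alerts_per_day(packets_per_day, base_rate, tpr, fpr):
    """How many true and false alerts the operator must triage per day."""
    attacks = packets_per_day * base_rate
    return {"true": attacks * tpr, "false": (packets_per_day - attacks) * fpr}

# Constructed labelled test run: 100 attack events, 9,900 benign events.
TEST_EVENTS = ([(True, True)] * 97 + [(True, False)] * 3
               + [(False, True)] * 99 + [(False, False)] * 9801)

if __name__ == "__main__":
    c = confusion(TEST_EVENTS)
    tpr, fpr = detection_rate(c), false_positive_rate(c)
    print(f"detection rate {tpr:.2%}, false positive rate {fpr:.2%}")
    # Same sensor in production, where only 1 in 10,000 packets is an attack:
    print(f"P(attack | alert) = {alert_precision(1e-4, tpr, fpr):.4f}")
    print(expected_alerts_per_day(7_500_000, 1e-4, tpr, fpr))
```

With these constructed figures fewer than 1% of alerts are real, which is why the article insists on examining false positive and false negative rates together with the BRF rather than the detection rate alone.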
Response actions of an IDS/IPS
An IDS/IPS monitors and detects malicious behaviour and identifies suspicious patterns that can compromise the security of the network or computer system. The IDS is a passive system: it detects a potential security breach, records the information and raises an alert. The IPS is both a reactive system, responding to suspicious activity by reconfiguring the firewall to block network traffic or by dropping traffic from the network, and a proactive one, taking measures ahead of time on the basis of the indications detected. Among the possible response actions that an intrusion management system can perform are: (1) Logging: IP packet headers and the encapsulated protocols, relevant application data, raw IP packets. (2) Notification: through a console to the administrators, by e-mail or SMS, or by emitting SNMP trap messages to a network management system. (3) Termination of intruder connections, using a TCP kill command or a kernel drop. (4) Notifying or interacting with third-party devices in integrated environments: reconfiguring firewalls, L3 routers or L2 switches. (5) Running user scripts: raising the log level, sending a message through a modem so that it reaches a pager, sending e-mail messages that in turn send SMSs, redirecting the suspicious traffic to a honeypot or padded cell, placing the infected file or machine in a quarantine zone, for example with a VLAN. Two intrusion detection strategies are used: (i) Policy detection. It consists of deciding ahead of time what type of behaviour is undesirable and using a permit or deny policy, or a default policy, to detect intrusions. (ii) Anomaly detection. It consists of declaring everything that is unusual as suspicious, and the subject (computer, user, etc.) as deserving additional investigation.
Standards associated with IDS/IPS
Two standards used in IDS/IPS are: (1) IDMEF (Intrusion Detection Message Exchange Format) of the IETF. The objective of the IDWG (Intrusion Detection Working Group) is to define the data format, to define the exchange procedure and to specify a common intrusion language. IDMEF is a standard, interoperable data format that uses XML. Typical deployments are communication between sensor and manager, storage in the database, interaction with the centralized console and the event correlation system. (2) CVE (Common Vulnerabilities and Exposures). It makes interoperability between tools possible. An example of the nomenclature is CVE-2000-0809, an entry in the CVE list that standardizes a security problem, in this case a buffer overflow in the CheckPoint VPN-1/Firewall-1 v4.1 tool.
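How the two standards fit together in practice, as an added example that is not part of the article: a sensor-to-manager IDMEF message built with the Python standard library, carrying the article's CVE-2000-0809 as a Classification reference, and the parser a manager or correlation engine would apply to it. The analyzer id, addresses, port and timestamp are constructed; element names and ordering follow RFC 4765.

```python
"""Build and parse a minimal IDMEF (RFC 4765) alert, the XML format a sensor
uses to report to its manager."""
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)
NS = {"idmef": IDMEF_NS}

def q(tag):
    """Qualify a tag name with the IDMEF namespace for ElementTree."""
    return f"{{{IDMEF_NS}}}{tag}"

def _node_with_address(parent, ip):
    """Node/Address/address subtree, used for both Source and Target."""
    node = ET.SubElement(parent, q("Node"))
    addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, q("address")).text = ip
    return node

def build_idmef_alert(message_id, analyzer_id, create_time, src_ip, dst_ip,
                      dst_port, classification, cve_id=None, severity="high"):
    """Return the IDMEF-Message XML string. Child order follows the RFC 4765
    DTD: Analyzer, CreateTime, Source, Target, Classification, Assessment."""
    root = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, q("Alert"), {"messageid": message_id})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzer_id})
    ET.SubElement(alert, q("CreateTime")).text = create_time
    _node_with_address(ET.SubElement(alert, q("Source")), src_ip)
    target = ET.SubElement(alert, q("Target"))
    _node_with_address(target, dst_ip)
    service = ET.SubElement(target, q("Service"))
    ET.SubElement(service, q("port")).text = str(dst_port)
    cls = ET.SubElement(alert, q("Classification"), {"text": classification})
    if cve_id:  # the CVE id gives every tool the same name for the problem
        ref = ET.SubElement(cls, q("Reference"), {"origin": "cve"})
        ET.SubElement(ref, q("name")).text = cve_id
        ET.SubElement(ref, q("url")).text = (
            "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + cve_id)
    assessment = ET.SubElement(alert, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"severity": severity})
    return ET.tostring(root, encoding="unicode")

def parse_idmef_alert(xml_text):
    """Extract the fields a manager or correlation engine would store."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    cls = alert.find("idmef:Classification", NS)
    ref = cls.find("idmef:Reference", NS)
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "time": alert.findtext("idmef:CreateTime", namespaces=NS),
        "src": alert.findtext("idmef:Source/idmef:Node/idmef:Address/idmef:address",
                              namespaces=NS),
        "dst": alert.findtext("idmef:Target/idmef:Node/idmef:Address/idmef:address",
                              namespaces=NS),
        "dport": int(alert.findtext("idmef:Target/idmef:Service/idmef:port",
                                    namespaces=NS)),
        "classification": cls.get("text"),
        "cve": ref.findtext("idmef:name", namespaces=NS) if ref is not None else None,
        "severity": alert.find("idmef:Assessment/idmef:Impact", NS).get("severity"),
    }

if __name__ == "__main__":
    xml_text = build_idmef_alert(
        "msg-0001", "sensor-dmz-01", "2008-01-15T10:01:25Z",
        "198.51.100.7", "192.0.2.10", 443,
        "CheckPoint VPN-1/Firewall-1 v4.1 buffer overflow", cve_id="CVE-2000-0809")
    print(xml_text)
    print(parse_idmef_alert(xml_text))
```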
Defense-in-depth approach to protecting environments
The need for a set of different levels of defense is evident in order to reduce the risk to the levels demanded by an organization's senior management. These levels are: (N1) Blocking network-based attacks. Corporate firewalls and intrusion detection/prevention systems are used, together with NAC (Network Admission Control) tools and antispam/anti-virus security appliances. (N2) Blocking computer-based attacks. Personal firewalls, host-based intrusion detection/prevention systems, anti-virus and antispam/antiphishing are used. (N3) Eliminating security vulnerabilities. Vulnerability management tools are used, together with patch management and vulnerability remediation tools, tools for compliance with security configuration, laws, standards and norms, and application security verification tools. (N4) Secure support for authorized users. Access and identity management tools, identity federation, file encryption systems, client VPN tools and clientless SSL VPN are used. (N5) Minimizing business losses and maximizing effectiveness. Security information management tools with dashboards are used, together with integrity monitoring tools, business recovery and backup tools, forensic tools, and security skills development tools.
Final considerations
Our research group has worked actively for more than fifteen years on the development, analysis and evaluation of mechanisms, schemes and systems for intrusion management concerning end computing equipment and network resources. It has deployed IDS/IPS systems over widely varied topologies, in environments both lightly and heavily contaminated with electromagnetic interference, with very satisfactory results in terms of effectiveness. It has analyzed performance and the problem of errors. It has provided solutions in the area of evasive, stealthy attacks with fragmented packets manipulated at the level of the L2/L3/L4/L5 headers and data fields.
This article is framed within the activities developed within the LEFIS-APTICE project (financed by Socrates 2005-2007, European Commission).
Author: Prof. Dr. Javier Areitio Bertolín - E-mail: jareitio@eside.deusto.es. University professor at the Faculty of Engineering, ESIDE. Director of the Networks and Systems Research Group, University of Deusto (UD). Prof. Dr. Gloria Areitio Bertolín - E-mail: gloria.areitio@ehu.es. Applied Computer Science Laboratory, University of the Basque Country (UPV/EHU).
Bibliography
- Areitio, J. and Areitio, G. "Identification, analysis and defenses around malware or malicious code". Conectrónica magazine, No. 107, May 2007.
- Areitio, J. "Identification and analysis around user authentication technologies". Conectrónica magazine, No. 106, April 2007.
- Areitio, J. "Solid integration between incident management and forensic analysis of information security". Conectrónica magazine, No. 103, January 2007.
- Areitio, J. "The need to complement the firewall: intrusion detection-prevention systems and vulnerability assessment". Conectrónica magazine, No. 101, October 2006.
- Areitio, J. "Information Security: Networks, Computer Science and Information Systems". Cengage Learning Paraninfo, 2008.
- Cox, K. and Gerg, C. "Managing Security with Snort and IDS Tools". O'Reilly Media, Inc., Sebastopol, CA, 2004.
- Beale, J., Baker, A. and Esler, J. "Snort IDS and IPS Toolkit". Syngress Publishing, Inc., Rockland, MA, 2007.
- Provos, N. and Holz, T. "Virtual Honeypots: From Botnet Tracking to Intrusion Detection". Addison-Wesley, Upper Saddle River, NJ, 2008.
- Huang, C-T. and Gouda, M.G. "Hop Integrity: A Defense Against Denial-of-Service Attacks". Springer, 2005.
- Snort, http://www.snort.org. Open source NIDS tool created by Martin Roesch, founder of the security product company Sourcefire.
- OSSEC, http://www.ossec.net. Open source HIDS tool.
- Tcpdump, http://www.tcpdump.org (traffic capture tool).
- Tcpreplay, http://tcpreply.sourceforge.net (traffic replay tool).
- Wireshark, http://www.wireshark.org. Tool that allows IP packets to be captured and inspected, available on several operating system platforms.
- Nmap, http://insecure.org/nmap/. Port scanning tool for penetration tests and service identification.
- CVE web site that classifies the existing vulnerabilities, http://cve.mitre.org/cve.
- Kasabov, N. "Foundations of Neural Networks, Fuzzy Systems and Knowledge Engineering". MIT Press, Cambridge, MA, 1998.
- Manikopoulos, C.N. "Intrusion Detection and Network Security: Statistical Anomaly Approaches". CRC, 2008.
- Di Pietro, R. and Mancini, L.V. "Intrusion Detection Systems". Springer, 2008.
- Flegel, U. "Privacy-Respecting Intrusion Detection". Springer, 2007.