Network Intrusion Chapters 1-4

Occurs when an outsider comes in over the network and logs into your system uninvited.

Once a computer has been compromised it usually contains information that opens up several other computers within the same organization. These types of attacks are identifiable by the patterns of traffic leading out of the network.

Unauthorized password file downloads gives attackers the ability to compromise other systems.

Clever attackers will take over a machine and run whole businesses from networks they do not own (e.g. running an Internet Service Provider [ISP] to an adult web site from inside a commercial organization).

Are named because they result in a resource not being able to service its users.

They come in a variety of shapes and sizes with the intent of causing a protocol stack to crash. In most cases, programmers do not attempt to handle impossible situations such as null arguments in critical fields. Hackers take advantage of this by creating these very situations, causing the protocol to fail.

Is a simple DOS techinique that involves sending as many packets as you can at a single network device until it either crashes because it can't handle the load or becomes so slow that legitimate user requests can't get through.

An effective audit policy is one that produces an appropriate number of event records; not so many that they can't be effectively analyzed and not so few that interesting behaviors are lost.

Defines the patterns that are detected in the event log records. Signature recognition is the most common detection mechanism in host-based systems. The key to a good detection policy is properly configured signatures, with the appropriate number of active signatures detected in real-time and batch.

Are priori rules that define a sequence of events and a set of transitions between the events. They may be single or multiple event signatures.

Audit policies and detection policies are dependent upon each other. The events that comprise any pattern of activity in the detection policy must also be reflected in the audit policy. Failure to do this will result in signatures that will never be detected, whether or not the behavior they represent ever takes place on your system.

Even though application sources are better, most host-based intrusion detection systems focus on operating system data as opposed to application logs. Operating systems have been instrumented to produce event logs and most applications have not. Each audit source is unique and requires its own parser, policy management, detection policy and audit policy, so multiple audit sources can increase complexity.

Good event logs contain a wealth of information and are protected in the kernel of the operating system.

Syslog is a generic logging utility available in most types of UNIX. Syslog is very loosely formatted in ASCII andd may be written by any application. The ASCII format of Syslog is very easy to modify and spoof.

Kernel logs are written by the UNIX kernel, which is the closest thing to a trusted computing base (TCB) in most UNIX implementations. They reflect kernel actions, including permissions usage, object access, application execution, and trusted operations. The kernel logs are preferable to Syslog because of the richness and trustworthiness of the data.

Windows NT and Windows 2000 provide the trusted security log, which features 52 event types and is well controlled. A powerful feature in Windows NT/2000 is the ability to audit on a per-object basis.

A middleware audit source is potentially higher quality than operating system log files because it ties many applications togather that use the middleware.

Relational database managment systems (RDBMS) middleware applications, such as Oracle and Sybase, provide detailed data on access to tables, rows, and columns of sensitive data. Database audit sources are usually kept in the database itself as a protected table.

Application audit sources are usually the hightest quality because they have considerable inherent correlated properties among transactions, users, and applications.

A firewall source is actually a special case of an application audit source in which the events reflect access control through a choke point on the network. Firewall sources are like most application audit sources; they are usually ASCII-based and configurable through the application interface. Events usually reflect services used, direction of traffic, and source and destination addresses. Firewall audit sources typically provide source and destination addresses but lack information about an end user's identity.

Backup applications provide logs of another critical component of corporate infrastructure. The logs reflect success and failures backing up the data across an enterprise. These logs can provide early warning of such an attack.

Host-based benefits include threat detection, response, deterrence, attack anticipation, and damage assessment. Prosecution support is also possible if the audit data comes from a trusted source and the intedgrity is protected.

Host-based intrusion detection systems are massively distributed mechanisms for processing the entire behavior in a large network. Performance degradation can occur on the network and at the target.

One major trade-off available in deploying IDS systems with regard to performance. Although challenges still exist the option to choose either the target or the network is available. If a realtime distributed architecture is chosen, the event log processing takes place on the target using the network to centralize alerts only. The result is impact on the target and negligible effect on the network. On the flip side, choosing a centralized architecture that centralizes the raw data to a common host and processes the data there will have negligible impact on the target but significant network impact.

Deploying a host-based system is difficult because the agents are widely distributed. Every target requires an agent, so initial deployment and maintenance require distributed deployment and remote update mechanisms.

Host-based agents are present on the targets they monitor. If an unauthorized user gains privileges on the monitored system, that user can shut down the agent, rendering the intrusion detection system useless.

Spoofing a host-based system can be accomplished by inserting records into the audit stream that indicate false activity or removing them to erase an unauthorized activity. The best defense is always a trusted and protected audit source, such as a binary kernel log. Syslog, as an ASCII file from an untrusted source, is an example of a data source that can be spoofed quite easily.