Lecture - 21 22 23

The document discusses intrusion, intrusion prevention, firewalls, and intrusion detection. It defines security intrusion and intrusion detection, describes different types of hackers and their behaviors, and covers firewalls including packet filtering firewalls, stateful inspection firewalls, application-level gateways, and circuit-level gateways.

Uploaded by

Slim Rekhis

EPL423 – Network and Information Security
Lecture 21-22-23
Intrusion, Intrusion Prevention, Firewalls, Intrusion Detection
Vasos Vassiliou
[email protected]

EPL423 Network and Information Security - Fall2019 1


Intruders

• significant issue hostile/unwanted trespass
• from benign to serious
• user trespass
• unauthorized logon, privilege abuse
• software trespass
• virus, worm, or trojan horse
• classes of intruders:
• masquerader, misfeasor, clandestine user

Examples of Intrusion

• remote root compromise
• web server defacement
• guessing / cracking passwords
• copying / viewing sensitive data / databases
• running a packet sniffer
• distributing pirated software
• using an unsecured modem to access net
• impersonating a user to reset password
• using an unattended workstation

Security Intrusion & Detection

• Security Intrusion
• a security event, or combination of multiple security
events, that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a system (or
system resource) without having authorization to do so.
• Intrusion Detection
• a security service that monitors and analyzes system
events for the purpose of finding, and providing real-time
or near real-time warning of attempts to access system
resources in an unauthorized manner.
Hackers

• motivated by thrill of access and status
• hacking community a strong meritocracy
• status is determined by level of competence
• benign intruders might be tolerable
• do consume resources and may slow performance
• can’t know in advance whether benign or malign
• IDS / IPS / VPNs can help counter
• awareness led to establishment of CERTs
• collect / disseminate vulnerability info / responses

Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network
Criminal Enterprise

• organized groups of hackers now a threat
• corporation / government / loosely affiliated gangs
• typically young
• often Eastern European or Russian hackers
• common target credit cards on e-commerce server
• criminal hackers usually have specific targets
• once penetrated act quickly and get out
• IDS / IPS help but less effective
• sensitive data needs strong protection

Criminal Enterprise Behavior

• act quickly and precisely to make their activities harder to detect
• exploit perimeter via vulnerable ports
• use trojan horses (hidden software) to leave back doors for re-entry
• use sniffers to capture passwords
• do not stick around until noticed
• make few or no mistakes.

Insider Attacks

• among most difficult to detect and prevent
• employees have access & systems knowledge
• may be motivated by revenge / entitlement
• when employment terminated
• taking customer data when move to competitor
• IDS / IPS may help but also need:
• least privilege, monitor logs, strong authentication, termination process to block access & mirror data

Insider Behavior Example

• create network accounts for themselves and their friends
• access accounts and applications they wouldn't normally use for their daily jobs
• e-mail former and prospective employers
• conduct furtive instant-messaging chats
• visit web sites that cater to disgruntled employees, such as f'dcompany.com
• perform large downloads and file copying
• access the network during off hours.

Intrusion Techniques

• objective to gain access or increase privileges
• initial attacks often exploit system or software vulnerabilities to execute code to get backdoor
• e.g. buffer overflow
• or to gain protected information
• e.g. password guessing or acquisition

Firewalls and Intrusion Prevention

Firewalls and Intrusion Prevention Systems

• effective means of protecting LANs
• internet connectivity essential
• for organization and individuals
• but creates a threat
• could secure workstations and servers
• also use firewall as perimeter defence
• single choke point to impose security

Definition
• A firewall is a hardware, software or a combination of both
that monitors and filters traffic packets that attempt to
either enter or leave the protected private network. It is a
tool that separates a protected network or part of a
network, and now increasingly a user PC, from an
unprotected network – the “bad network” like the Internet.
• Most firewalls perform two basic security functions:
• Packet filtering based on accept or deny policy that is itself based on
rules of the security policy.
• Application proxy gateways that provide services to the inside users
and at the same time protect each individual host from the “bad”
outside users.

Kizza - Guide to Computer Network Security 14


Firewall Policies

• Two commonly used firewall security policies:
• Deny-everything-not-specifically-allowed, which sets the firewall so that it denies all traffic and services except the few that are added as the organization's needs develop.
• Allow-everything-not-specifically-denied, which lets in all traffic and services except those on the “forbidden” list, which is developed as the organization’s dislikes grow.



Types of Firewalls

• Packet Inspection Firewalls - are routers that inspect the contents of the source or destination addresses and ports of incoming or outgoing TCP, UDP and ICMP packets being sent between networks and accept or reject the packet based on the specific packet policies set in the organization’s security policy.
• Application Proxy Server: Filtering Based on Known Services - is a machine server that sits between a client application and the server offering the services the client application may want. It behaves as a server to the client and as a client to the server, hence a proxy, providing a higher level of filtering than the packet filter server by examining individual application packet data streams.

Packet Filtering Firewall

• applies rules to packets in/out of firewall
• based on information in packet header
• src/dest IP addr & port, IP protocol, interface
• typically a list of rules of matches on fields
• if a packet matches a rule, the rule says whether to forward or discard it
• two default policies:
• discard - prohibit unless expressly permitted
• more conservative, controlled, visible to users
• forward - permit unless expressly prohibited
• easier to manage/use but less secure

Packet Filter Rules

Packet Filter Weaknesses

• weaknesses
• cannot prevent attack on application bugs
• limited logging functionality
• do not support advanced user authentication
• vulnerable to attacks on TCP/IP protocol bugs
• improper configuration can lead to breaches
• attacks
• IP address spoofing, source route attacks, tiny fragment attacks

Stateful Inspection Firewall

• reviews packet header information but also keeps info on TCP connections
• typically have low, “known” port no for server
• and high, dynamically assigned client port no
• simple packet filter must allow all return high port numbered packets back in
• stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
• only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
• may also track TCP seq numbers as well
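The difference between the simple packet filter and the stateful inspection firewall is easiest to see by running the same packets through both. The Python below is an added example written for this page, not code from the lecture or from any firewall product: the network prefix, hosts, ports and packets are constructed, and the rule fields (interface, protocol, address prefix, destination-port range) are a simplification of what a real filter matches on. The stateless filter needs a rule that lets every inbound packet to a high-numbered port through, which is the weakness described above; the stateful filter drops that rule and consults a directory of connections opened from inside instead. Both use the discard ("prohibit unless expressly permitted") default policy from the packet filtering slide.

```python
"""Stateless packet filter vs stateful inspection, as an added example.
Rules, addresses, ports and packets are all constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A"
    iface: str = "ext"  # arrival interface: "ext" (outside) or "int" (inside)


@dataclass(frozen=True)
class Rule:
    """A field is None when it matches any value; addresses match by prefix."""
    action: str                   # "forward" or "discard"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport_min: int = 0            # destination-port range, inclusive
    dport_max: int = 65535

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and self.dport_min <= p.dport <= self.dport_max)


class StatelessFilter:
    """First matching rule decides; otherwise the default policy applies.
    The default here is "discard": prohibit unless expressly permitted."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rule list, plus a directory of TCP connections opened from inside.
    Inbound packets to high-numbered ports are forwarded only if they answer
    an entry in that directory."""
    def __init__(self, rules, default="discard"):
        super().__init__(rules, default)
        self.connections = set()  # (inside host, inside port, outside host, outside port)

    def decide(self, p: Packet) -> str:
        if p.iface == "int" and p.proto == "tcp" and "S" in p.flags:
            self.connections.add((p.src, p.sport, p.dst, p.dport))
        if p.iface == "ext" and p.proto == "tcp" and p.dport > 1023:
            key = (p.dst, p.dport, p.src, p.sport)
            return "forward" if key in self.connections else "discard"
        return super().decide(p)


INSIDE = "10.0.0."  # constructed prefix for the protected network
OUTBOUND = Rule("forward", iface="int", proto="tcp", src=INSIDE)
MAIL_IN = Rule("forward", iface="ext", proto="tcp", dst="10.0.0.5", dport_min=25, dport_max=25)
# The stateless filter needs this rule so replies to inside clients get back in;
# it is exactly the weakness the slide describes.
HIGH_PORTS_IN = Rule("forward", iface="ext", proto="tcp", dst=INSIDE, dport_min=1024, dport_max=65535)


def demo():
    """Run one packet sequence through both filters; returns their decisions."""
    packets = [
        Packet("tcp", "10.0.0.7", 40000, "203.0.113.9", 80, "S", "int"),    # inside client opens a connection
        Packet("tcp", "203.0.113.9", 80, "10.0.0.7", 40000, "SA", "ext"),   # legitimate reply
        Packet("tcp", "198.51.100.4", 80, "10.0.0.7", 40001, "SA", "ext"),  # unsolicited packet to a high port
        Packet("tcp", "198.51.100.4", 5000, "10.0.0.5", 25, "S", "ext"),    # inbound mail, expressly permitted
        Packet("udp", "198.51.100.4", 53, "10.0.0.7", 40002, "", "ext"),    # no rule matches: default policy
    ]
    filters = {"stateless": StatelessFilter([OUTBOUND, MAIL_IN, HIGH_PORTS_IN]),
               "stateful": StatefulFilter([OUTBOUND, MAIL_IN])}
    return {name: [fw.decide(p) for p in packets] for name, fw in filters.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The third packet is the interesting one: the stateless filter forwards it because it is addressed to a high port, while the stateful filter discards it because no inside host ever opened a connection to 198.51.100.4. A real stateful firewall would also age entries out of the directory and, as the last bullet says, check sequence numbers; neither is modelled here.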
Application-Level Gateway

• acts as a relay of application-level traffic
• user contacts gateway with remote host name
• authenticates themselves
• gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
• may restrict application features supported
• more secure than packet filters
• but have higher overheads

Circuit-Level Gateway

• sets up two TCP connections, to an inside user and to an outside host
• relays TCP segments from one connection to the other without examining contents
• hence independent of application logic
• just determines whether relay is permitted
• typically used when inside users trusted
• may use application-level gateway inbound and circuit-level gateway outbound
• hence lower overheads

SOCKS Circuit-Level Gateway

• SOCKS v5 defined as RFC1928 to allow TCP/UDP applications to use firewall
• components:
• SOCKS server on firewall
• SOCKS client library on all internal hosts
• SOCKS-ified client applications
• client app contacts SOCKS server, authenticates, sends relay request
• server evaluates & establishes relay connection
• UDP handled with parallel TCP control channel

Firewall Basing

Several options for locating firewall:
• bastion host
• individual host-based firewall
• personal firewall

Bastion Hosts

• critical strongpoint in network
• hosts application/circuit-level gateways
• common characteristics:
• runs secure O/S, only essential services
• may require user auth to access proxy or host
• each proxy can restrict features, hosts accessed
• each proxy small, simple, checked for security
• each proxy is independent, non-privileged
• limited disk use, hence read-only code

Host-Based Firewalls

• used to secure individual host
• available in/add-on for many O/S
• filter packet flows
• often used on servers
• advantages:
• tailored filter rules for specific host needs
• protection from both internal / external attacks
• additional layer of protection to org firewall

Personal Firewall

• controls traffic flow to/from PC/workstation
• for both home or corporate use
• may be software module on PC
• or in home cable/DSL router/gateway
• typically much less complex
• primary role to deny unauthorized access
• may also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations

Virtual Private Networks

Distributed Firewalls

Firewall Operations

• Host IP address hiding – when a host inside the trusted network sends an application request to the firewall and the firewall allows the request through to the outside Internet, a sniffer just outside the firewall may capture the packet, which reveals the source IP address; the host then may be a potential victim for attack. In IP address hiding, the firewall adds its own IP header to the host packet, so that the sniffer sees only the firewall’s IP address. Application firewalls thus hide the source IP addresses of hosts in the trusted network.

Firewall Operations

• Header destruction – is an automatic protection that some application firewalls use to destroy outgoing packet TCP, UDP and IP headers and replace them with its own headers, so that a sniffer outside the firewall will only see the firewall’s IP address. In fact this action stops all types of TCP, UDP and IP header attacks.



Firewall Operations

• Protocol enforcement – Since it is common in packet inspection firewalls to allow packets through based on common port numbers, hackers have exploited this by port spoofing, where the hackers penetrate a protected network host using commonly used and easily allowed port numbers. With an application proxy firewall this is not easy to do because each proxy acts as a server to each host and, since it deals with only one application, it is able to stop any port spoofing activities.



Configuring and Implementing a Firewall

• There are actually two approaches to configuring a firewall to suit the needs of an organization.
• One approach is to start from nothing and do the necessary information gathering to establish the needs and requirements of the organization. This is a time-consuming approach and probably more expensive.
• The other approach is what many organizations do: take a short cut and install a vendor firewall already loaded with features.



The Demilitarized Zone (DMZ)

• A DMZ is a segment of a network, or a network, between the protected network and the “bad external network”. It is also commonly referred to as a service network.
• The purpose of a DMZ on an organization network is to provide some insulation and extra security to servers that provide the organization’s services for protocols like HTTP/SHTTP, FTP, DNS, and SMTP to the general public.



Improving Security Through the Firewall

• For added security, it is sometimes better to use two firewalls.
• Firewalls can also be equipped with intrusion detection systems (IDS). Many newer firewalls now have IDS software built into them.
• Some firewalls can be fenced by IDS sensors.



Firewall Services and Limitations

• As technology improves, firewall services have widened far beyond old strict filtering to embrace services that were originally done by internal servers.
• Firewall Services - are based on the following access controls:
• Service control – where the firewall may filter traffic on the basis of IP addresses, TCP, UDP, port numbers, and DNS and FTP protocols, in addition to providing proxy software that receives and interprets each service request before passing it on.
• Direction control – where permission for traffic flow is determined from the direction of the requests.
• User control – where access is granted based on which user is attempting to access the internal protected network; may also be used on incoming traffic.
• Behavior control – in which access is granted based on how particular services are used. For example, filtering e-mail to eliminate spam.



Firewall Capabilities & Limits

• capabilities:
• defines a single choke point
• provides a location for monitoring security events
• convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
• limitations:
• cannot protect against attacks bypassing firewall
• may not protect fully against internal threats
• improperly secured wireless LAN
• laptop, PDA, portable storage device infected outside then used inside

Limitations of Firewalls

• Firewalls suffer from limitations, and these limitations and other weaknesses have led to the development of other technologies. Among the current firewall limitations are:
• Firewalls cannot protect against a threat that bypasses them, like a dial-in using a mobile host.
• Firewalls do not provide data integrity because it is not possible, especially in large networks, to have the firewall examine each and every incoming and outgoing data packet for anything.
• Firewalls cannot ensure data confidentiality because, even though newer firewalls include encryption tools, it is not easy to use these tools. It can only work if the receiver of the packet also has the same firewall.
• Firewalls do not protect against internal threats, and
• Firewalls cannot protect against transfer of virus-infected programs or files.



Intrusion Prevention Systems (IPS)

• recent addition to security products which
• inline net/host-based IDS that can block traffic
• functional addition to firewall that adds IDS capabilities
• can block traffic like a firewall
• using IDS algorithms
• may be network or host based

Host-Based IPS

• identifies attacks using both:
• signature techniques
• malicious application packets
• anomaly detection techniques
• behavior patterns that indicate malware
• can be tailored to the specific platform
• e.g. general purpose, web/database server specific
• can also sandbox applets to monitor behavior
• may give desktop file, registry, I/O protection

Network-Based IPS

• inline NIDS that can discard packets or terminate TCP connections
• uses signature and anomaly detection
• may provide flow data protection
• monitoring full application flow content
• can identify malicious packets using:
• pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
• cf. SNORT inline can drop/modify packets

Unified Threat Management Products

Summary

• introduced need for & purpose of firewalls
• types of firewalls
• packet filter, stateful inspection, application and circuit gateways
• firewall hosting, locations, topologies
• intrusion prevention systems

Intrusion Detection Systems

Intrusion Detection

• A system’s second line of defense
• Is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
• Considerations:
• If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised
• An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

IDS Principles
• assume intruder behavior differs from legitimate
users
• expect overlap as shown
• observe deviations
• from past history
• problems of:
• false positives
• false negatives
• must compromise
IDS Requirements

• run continually
• be fault tolerant
• resist subversion
• impose a minimal overhead on system
• configured according to system security policies
• adapt to changes in systems and users
• scale to monitor large numbers of systems
• provide graceful degradation of service
• allow dynamic reconfiguration
Intrusion Detection Systems

• classify intrusion detection systems (IDSs) as:
• Host-based IDS: monitor single host activity
• Network-based IDS: monitor network traffic
• logical components:
• sensors - collect data
• analyzers - determine if intrusion has occurred
• user interface - manage / direct / view IDS

Audit Records

• Fundamental tool for intrusion detection

Native audit records
• Virtually all multiuser operating systems include accounting software that collects information on user activity
• The advantage of using this information is that no additional collection software is needed
• The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form

Detection-specific audit records
• A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system
• One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems
• The disadvantage is the extra overhead involved in having two accounting packages running on a machine

Intrusion Detection Systems (IDSs)

• An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. Intrusion detection as a technology is not new; it has been used for generations to defend valuable resources.
• There are three models of intrusion detection mechanisms: anomaly-based detection, signature-based detection, and hybrid detection.

Approaches to Intrusion Detection
• Statistical anomaly detection
• Involves the collection of data relating to the behavior of
legitimate users over a period of time
• Then statistical tests are applied to observed behavior to
determine whether that behavior is not legitimate user
behavior

• Rule-based detection
• Involves an attempt to define a set of rules or attack
patterns that can be used to decide that a given behavior
is that of an intruder
• Often referred to as signature detection

Statistical Anomaly Detection

• Threshold detection
• Involves counting the number of occurrences of a specific event type over an interval of time
• If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed
• By itself is a crude and ineffective detector of even moderately sophisticated attacks
• Profile-based
• Focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations
• A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert



Measures That May Be Used For Intrusion Detection
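Both statistical approaches on the Statistical Anomaly Detection slide can be run over a handful of audit records. The Python below is an added example written for this page, not code from the lecture or from any IDS: the events, users, training observations and the parameters (logins per day, bytes sent out, distinct hosts contacted) are all constructed. The threshold detector counts one event type per user inside a sliding window; the profile-based detector learns a mean and standard deviation per parameter and, following the slide's last bullet, refuses to alert on a single deviating parameter.

```python
"""Statistical anomaly detection over constructed audit records: threshold
detection on event counts and profile-based detection on several per-user
parameters. Added example; events, users and numbers are constructed."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed audit records: (timestamp in seconds, user, event type)
EVENTS = [
    (0, "bob", "login_fail"), (5, "bob", "login_fail"), (9, "bob", "login_fail"),
    (14, "bob", "login_fail"), (20, "bob", "login_fail"), (30, "bob", "login_ok"),
    (100, "carol", "login_fail"), (500, "carol", "login_fail"),
]


def threshold_detect(events, event_type, window, limit):
    """Count event_type per user inside a sliding window of `window` seconds.
    Returns (user, timestamp) each time the count exceeds `limit`."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    for ts, user, etype in sorted(events):
        if etype != event_type:
            continue
        q = recent[user]
        q.append(ts)
        while q[0] < ts - window:      # drop events that fell out of the window
            q.popleft()
        if len(q) > limit:
            alerts.append((user, ts))
            q.clear()                  # one alert per burst, then start counting again
    return alerts


# Constructed training observations, one dict per observed day:
# logins that day, bytes sent out, distinct hosts contacted.
TRAINING = {
    "alice": [{"logins": l, "bytes_out": b, "hosts": h}
              for l, b, h in [(3, 2100, 2), (4, 1900, 2), (3, 2300, 3), (5, 2000, 2), (4, 2200, 2)]],
}


def build_profile(samples):
    """Learn (mean, population stdev) for every parameter of every user."""
    profile = {}
    for user, observations in samples.items():
        profile[user] = {}
        for param in observations[0]:
            values = [o[param] for o in observations]
            profile[user][param] = (mean(values), pstdev(values))
    return profile


def profile_deviation(profile, user, observation, z_limit=3.0, min_params=2):
    """Score an observation against the user's profile. Returns
    (alert, deviating_parameters); one deviating parameter does not alert
    on its own, at least `min_params` must deviate together."""
    deviating = []
    for param, value in observation.items():
        mu, sigma = profile[user][param]
        spread = sigma if sigma > 0 else 1.0   # constant parameter: measure change in raw units
        if abs(value - mu) / spread > z_limit:
            deviating.append(param)
    return len(deviating) >= min_params, deviating


if __name__ == "__main__":
    print(threshold_detect(EVENTS, "login_fail", window=60, limit=4))
    prof = build_profile(TRAINING)
    print(profile_deviation(prof, "alice", {"logins": 4, "bytes_out": 2150, "hosts": 9}))
    print(profile_deviation(prof, "alice", {"logins": 20, "bytes_out": 48000, "hosts": 9}))
```

With these inputs bob's fifth failed login inside 60 seconds raises the threshold alert while carol's two failures, 400 seconds apart, never reach the limit. For alice, a day on which only the number of hosts contacted is unusual does not alert, whereas a day on which logins, bytes and hosts all move well outside their learned ranges does. The z-score cut-off and the two-parameter minimum are constructed tuning values; a real profile would use many more days of training data.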
Signature Detection

• observe events on system and apply a set of rules to decide if intruder
• approaches:
• rule-based anomaly detection
• analyze historical audit records for expected behavior, then match with current behavior
• rule-based penetration identification
• rules identify known penetrations / weaknesses
• often by analyzing attack scripts from Internet
• supplemented with rules from security experts

Rule-Based Intrusion Detection
• Techniques detect intrusion by observing events in the
system and applying a set of rules that lead to a decision
regarding whether a given pattern of activity is or is not
suspicious
• Rule-based anomaly detection
• Is similar in terms of its approach and strengths to statistical anomaly
detection
• Historical audit records are analyzed to identify usage patterns and to
automatically generate rules that describe those patterns
• Current behavior is then observed, and each transaction is matched
against the set of rules to determine if it conforms to any historically
observed pattern of behavior
• In order for this approach to be effective, a rather large database of
rules will be needed

Rule-Based Intrusion Detection
• Rule-based penetration identification
• Typically, the rules used in these systems are specific to
the machine and operating system
• The most fruitful approach to developing such rules is to
analyze attack tools and scripts collected on the Internet
• These rules can be supplemented with rules generated by
knowledgeable security personnel

Table 11.2 USTAT Actions versus SunOS Event Types


Base-Rate Fallacy

• To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level
• If only a modest percentage of actual intrusions are detected, the system provides a false sense of security
• If the system frequently triggers an alert when there is no intrusion, then either system managers will begin to ignore the alarms or much time will be wasted analyzing the false alarms
• Because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detections with a low rate of false alarms
• If the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating

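The last bullet is Bayes' rule applied to alarms, and it is worth putting numbers to it. The Python below is an added example written for this page, not from the lecture; the intrusion rate, detection rate, false-alarm rate and event volume are constructed illustrative values. `alarm_precision` computes P(intrusion | alarm); `required_false_alarm_rate` inverts the same formula to show how discriminating the test must be for a given precision; `alarms_per_day` turns the rates into the number of alarms an analyst would actually see.

```python
"""The base-rate fallacy worked through with Bayes' rule. Added example, not
from the lecture; the rates and volumes are constructed illustrative values."""


def alarm_precision(intrusion_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.
    intrusion_rate   = P(I):         fraction of audited events that are intrusions
    detection_rate   = P(A | I):     probability an intrusion raises an alarm
    false_alarm_rate = P(A | not I): probability a legitimate event raises one"""
    p_alarm = detection_rate * intrusion_rate + false_alarm_rate * (1 - intrusion_rate)
    return detection_rate * intrusion_rate / p_alarm


def required_false_alarm_rate(intrusion_rate, detection_rate, target_precision):
    """Largest P(A | not I) that still gives P(I | alarm) >= target_precision.
    Solves d*p / (d*p + f*(1-p)) = t for f."""
    return (detection_rate * intrusion_rate * (1 - target_precision)
            / (target_precision * (1 - intrusion_rate)))


def alarms_per_day(events_per_day, intrusion_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) an analyst sees per day."""
    intrusions = events_per_day * intrusion_rate
    return (intrusions * detection_rate, (events_per_day - intrusions) * false_alarm_rate)


if __name__ == "__main__":
    # constructed: 2 intrusions per 100,000 events, 99% detection, 0.1% false alarms
    p, d, f = 2e-5, 0.99, 1e-3
    print(f"P(intrusion | alarm) = {alarm_precision(p, d, f):.3f}")
    print(f"false-alarm rate needed for 50% precision = {required_false_alarm_rate(p, d, 0.5):.2e}")
    print("alarms per day on 1M events:", alarms_per_day(1_000_000, p, d, f))
```

With a 99% detection rate and a false-alarm rate of only 0.1%, fewer than 2% of alarms are real when intrusions make up 2 in 100,000 events: on a million events a day that is about 20 true alarms buried in roughly a thousand false ones. To reach even 50% precision the false-alarm rate has to fall to about 2 in 100,000, the same order as the intrusion rate itself, which is what "extremely discriminating" means in practice.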
Host-Based IDS

• specialized software to monitor system activity to detect suspicious behavior
• primary purpose is to detect intrusions, log suspicious events, and send alerts
• can detect both external and internal intrusions
• two approaches, often used in combination:
• anomaly detection - defines normal/expected behavior
• threshold detection
• profile based
• signature detection - defines proper behavior

Distributed Intrusion Detection

• Traditional systems focused on single-system stand-alone facilities
• The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork
• A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network
• Major design issues:
• A distributed intrusion detection system may need to deal with different audit record formats
• One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network
• Either a centralized or decentralized architecture can be used



Distributed Host-Based IDS

Network-Based IDS

• network-based IDS (NIDS)
• monitor traffic at selected points on a network
• in (near) real time to detect intrusion patterns
• may examine network, transport and/or application level protocol activity directed toward systems
• comprises a number of sensors
• inline (possibly as part of other net device)
• passive (monitors copy of traffic)

NIDS Sensor Deployment

Distributed Adaptive Intrusion Detection

Intrusion detection exchange format

• To facilitate the development of distributed intrusion detection systems that can function across a wide range of platforms and environments, standards are needed to support interoperability
• IETF Intrusion Detection Working Group
• Purpose of the group is to define data formats and exchange procedures for sharing information of interest to intrusion detection with response systems and to management systems that may need to interact with them
• Have issued the following RFCs:
• Intrusion Detection Message Exchange Requirements (RFC 4766)
• The Intrusion Detection Message Exchange Format (RFC 4765)
• The Intrusion Detection Exchange Protocol (RFC 4767)

Intrusion Detection Exchange Format

SNORT

• lightweight IDS
• real-time packet capture and rule analysis
• passive or inline

SNORT Rules

• use a simple, flexible rule definition language
• with fixed header and zero or more options
• header includes: action, protocol, source IP, source port, direction, dest IP, dest port
• many options
• example rule to detect TCP SYN-FIN attack:
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"SCAN SYN FIN"; flags:SF,12; \
reference:arachnids,198; classtype:attempted-recon;)
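To see what the header and options of that rule actually do, the Python below parses it and evaluates it against a few constructed TCP packets. This is an added example written for this page, not Snort's own code and not from the lecture: it handles only the header layout and the msg, flags, reference and classtype options the slide uses, treats `$HOME_NET` and `$EXTERNAL_NET` as constructed address prefixes rather than Snort's real variable resolution, and ignores the bidirectional `<>` operator. The `flags:SF,12` modifier is implemented as Snort documents it: the two reserved bits (1 and 2, i.e. CWR and ECE) are masked out before checking that exactly SYN and FIN are set.

```python
"""Parse the Snort rule shown on the slide and evaluate it against constructed
TCP packets. Added example; it is not Snort code and covers only the header
and the msg/flags/reference/classtype options the slide uses. $HOME_NET and
$EXTERNAL_NET are bound to constructed prefixes, not Snort's defaults."""
import re

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; '
        'classtype:attempted-recon;)')

# Constructed network variables (an assumption for this example)
VARS = {"$HOME_NET": "10.0.0.", "$EXTERNAL_NET": "!10.0.0."}

# TCP flag letters as Snort names them -> bit in the flags byte
# ("1" and "2" are the reserved bits, CWR and ECE)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its fixed header fields and an options dict."""
    m = HEADER_RE.match(" ".join(text.split()))   # tolerate line-continued input
    if not m:
        raise ValueError("unparsable rule")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def addr_matches(spec, addr):
    """Resolve $VARs to their prefix; "any" matches all; a leading "!" negates."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr.startswith(spec[1:])
    return addr.startswith(spec)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """'SF,12': after masking out bits 1 and 2, exactly S and F must be set."""
    wanted, _, ignored = spec.partition(",")
    mask = 0xFF
    for ch in ignored:
        mask &= ~FLAG_BITS[ch]
    return (flags & mask) == sum(FLAG_BITS[ch] for ch in wanted)


def evaluate(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and integer flags.
    Returns the rule's msg when the packet matches, else None."""
    if pkt["proto"] != rule["proto"]:
        return None
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return None
    opts = rule["options"]
    if "flags" in opts and not flags_match(opts["flags"], pkt["flags"]):
        return None
    return opts.get("msg")


# Constructed packets: outside host -> inside server
SYN_FIN = {"proto": "tcp", "src": "198.51.100.4", "sport": 40000,
           "dst": "10.0.0.5", "dport": 22, "flags": 0x03}          # SYN+FIN
SYN_FIN_ECE = dict(SYN_FIN, flags=0x43)                          # SYN+FIN with ECE set
PLAIN_SYN = dict(SYN_FIN, flags=0x02)                            # ordinary connection attempt
FROM_INSIDE = dict(SYN_FIN, src="10.0.0.7")                      # same flags, but not from $EXTERNAL_NET

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, pkt in [("SYN_FIN", SYN_FIN), ("SYN_FIN_ECE", SYN_FIN_ECE),
                      ("PLAIN_SYN", PLAIN_SYN), ("FROM_INSIDE", FROM_INSIDE)]:
        print(name, "->", evaluate(rule, pkt))
```

The SYN+FIN packet matches whether or not ECE is set, because the `,12` modifier tells the matcher to ignore those bits; a plain SYN does not match, and the same flag combination sent from an inside address is outside the rule's `$EXTERNAL_NET` source and so is not reported. The `reference` and `classtype` options carry no matching logic at all: they only annotate the alert, which is why the parser just keeps them as strings.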
Honeypots

• Decoy systems that are designed to lure a potential attacker away from critical systems
• Has no production value:
• These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access
• Thus, any attempt to communicate with the system is most likely a probe, scan, or attack
• Designed to:
• Divert an attacker from accessing critical systems
• Collect information about the attacker’s activity
• Encourage the attacker to stay on the system long enough for administrators to respond
• Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems
• Recent research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data



• Anomaly Detection –
• Anomaly based systems are “learning” systems in the sense that they work by continuously creating “norms” of activities. These norms are then later used to detect anomalies that might indicate an intrusion.
• Anomaly detection compares observed activity against expected normal usage profiles that have been “learned”. The profiles may be developed for users, groups of users, applications, or system resource usage.



• Misuse Detection -
• The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected.
• Misuse detection systems are therefore commonly known as signature systems. They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources.
• Hybrid Detection -
• Because of the difficulties with both anomaly-based and signature-based detection, a hybrid model is being developed. Much research is now focusing on this hybrid model.



Types of Intrusion Detection Systems

• Intrusion detection systems are classified based on their monitoring scope. There are: network-based intrusion detection and host-based detection.
• Network-Based Intrusion Detection Systems (NIDSs)
• NIDSs have the whole network as the monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network. There are striking differences between NIDS and firewalls.



• Host-Based Intrusion Detection Systems (HIDS)
• Recent studies have shown that the problem of organization information misuse is not confined only to the “bad” outsiders, but the problem is more rampant within organizations. To tackle this problem, security experts have turned to inspection of systems within an organization network. This local inspection of systems is called host-based intrusion detection (HIDS).
• Host-based intrusion detection is the technique of detecting malicious activities on a single computer.
• A host-based intrusion detection system is therefore deployed on a single target computer and uses software that monitors operating system specific logs, including system, event, and security logs on Windows systems and syslog in Unix environments, to monitor sudden changes in these logs.
• When a change is detected in any of these files, the HIDS compares the new log entry with its configured attack signatures to see if there is a match. If a match is detected then this signals the presence of an illegitimate activity.



• The Hybrid Intrusion Detection System
• NIDS and HIDS each patrol their own area of the network for unwanted and illegal network traffic. They, however, complement each other. Both bring to the security of the network their own strengths and weaknesses that nicely complement and augment the security of the network.
• Hybrids are new and need a great deal of support to gain on their two cousins. However, their success will depend to a great extent on how well the interface receives and distributes the incidents and integrates the reporting structure between the different types of sensors in the HIDS and NIDS spheres. Also the interface should be able to smartly and intelligently gather and report data from the network or systems being monitored.



The Changing Nature of IDS Tools
• Recent studies have shown that the majority of system intrusions actually
come from insiders. Newer IDS tools are therefore focusing on this issue:
they are being built to counter insider intrusion, and new attack patterns
are being developed that take the unpredictability of human behavior into account.
• To keep abreast of all these changes, ID systems are changing constantly.
• The primary focus of ID systems has been on the network as a unit: they
collect packet data by watching network traffic and then analyze it based on
network protocol “norms,” “normal” network traffic signatures, and network
traffic anomalies built into the rule base. But since networks are getting
larger, traffic heavier, and local networks more splintered, it is becoming
more and more difficult for the ID system to “see” all traffic on a switched
network such as an Ethernet. This is leading to new IDS designs.
Other Types of Intrusion Detection Systems
• Although NIDS and HIDS and their hybrids are the most widely used tools
in network intrusion detection, there are others that are less used but
more targeted and, therefore, more specialized.
• Because many of these tools are so specialized, many
are still not considered as being intrusion detection
systems but rather intrusion detection add-ons or
tools.
• System Integrity Verifiers (SIVs)
• SIVs monitor critical files in a system, such as system files, to
find whether an intruder has changed them. They can also detect
changes in other system components; for example, they detect when a
normal user somehow acquires root/administrator-level privileges. In
addition, they monitor system registries for well-known signatures.
• Log File Monitors (LFM)
• LFMs first create a record of the log files generated by network
services. Then they monitor this record, just as a NIDS monitors
traffic, looking for trends, tendencies, and patterns in the log files
that would suggest an intruder is attacking.
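As an added example of what the SIV passage above describes (constructed here, not code from the Kizza text or the lecture): a minimal system integrity verifier that baselines the content hash and permission bits of monitored files, then reports content changes, newly added setuid bits and missing files. The file names and contents in demo() are made up; a real SIV would also keep its baseline where the monitored host cannot alter it.

```python
import hashlib
import os
import stat
import tempfile

def file_fingerprint(path):
    """SHA-256 of the file contents plus its permission bits, the two things a SIV tracks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), stat.S_IMODE(os.stat(path).st_mode)

def build_baseline(paths):
    """Record the trusted state of every monitored file (taken on a known-clean system)."""
    return {p: file_fingerprint(p) for p in paths}

def verify(baseline):
    """Compare the current state of each file with the baseline; return (path, finding) pairs."""
    findings = []
    for path, (digest, mode) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur_digest, cur_mode = file_fingerprint(path)
        if cur_digest != digest:
            findings.append((path, "content changed"))
        if cur_mode != mode:
            # A newly set setuid bit is the classic sign of a planted privilege-escalation path.
            gained_setuid = (cur_mode & stat.S_ISUID) and not (mode & stat.S_ISUID)
            findings.append((path, "setuid bit added" if gained_setuid else "permissions changed"))
    return findings

def demo():
    """Constructed scenario: baseline two files, then tamper with both and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")   # stands in for /etc/passwd
        helper = os.path.join(d, "helper")   # stands in for a system binary
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(helper, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(helper, 0o755)
        baseline = build_baseline([passwd, helper])
        clean = verify(baseline)              # expected: [] on an untouched system
        with open(passwd, "a") as f:          # an extra uid-0 account is appended
            f.write("eve:x:0:0::/home/eve:/bin/bash\n")
        os.chmod(helper, 0o4755)              # helper is made setuid
        return clean, [finding for _, finding in verify(baseline)]
```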
• Honeypots
• A honeypot is a system designed to look like something an intruder can
hack. Honeypots are built for many purposes, but the overriding one is to
deceive attackers and learn about their tools and methods.
• Honeypots are also add-ons/tools rather than strictly sniffer-based
intrusion detection systems like HIDS and NIDS. They are, however, good
deception systems that protect the network in much the same way as
HIDS and NIDS do.
• Since the goal of a honeypot is to deceive intruders and learn from
them without compromising the security of the network, it is important
to find a strategic place for it: in the DMZ for networks that have one,
or behind the network firewall if the private network does not have a DMZ.
Response to System Intrusion
• A good intrusion detection system alert should
produce a corresponding response.
• A good response must consist of pre-planned
defensive measures that include an incident response
team and ways to collect IDS logs for future use and
for evidence when needed.
• Incident Response Team
• An incident response team (IRT) is a primary and centralized
group of dedicated people charged with the responsibility
of being the first contact team whenever an incident
occurs. An IRT must have the following responsibilities:
• keeping up-to-date with the latest threats and incidents,
• being the main point of contact for incident reporting,
• notifying others whenever an incident occurs,
• assessing the damage and impact of every incident,
• finding out how to avoid exploitation of the same vulnerability,
and
• recovering from the incident.
• IDS Logs as Evidence
• IDS logs can be kept as a way to protect the organization in
case of legal proceedings. If sensors to monitor the internal
network are to be deployed, verify that there is a published
policy explicitly stating that use of the network is consent to
monitoring.
Challenges to Intrusion Detection Systems
• There is an exciting future for IDS, and new challenges, as the marriage between it and
artificial intelligence takes hold.
• There are also IDS challenges in many other areas, including the deployment of
IDSes in switched environments.
• Deploying IDS in Switched Environments
• Network-based IDS sensors must be deployed where they can “see”
network traffic packets. In switched networks, however, this is not possible
because, by their very nature, switches shield sensors from most of the
network traffic: a sensor is allowed to “see” only traffic to and from
specified components of the network.
• One way to handle this situation has traditionally been to attach the network
sensor to a mirror port on the switch. But port mirroring, in addition to putting
an overhead on the port, becomes unworkable when traffic on that port increases,
because overloading one port with traffic from other ports may saturate the
port and cause it to miss some traffic.
• Other issues still limiting IDS technology are:
• False alarms. Though the tools have come a long way and are slowly
gaining acceptance as they see widespread use, they still produce
a significant number of both false positives and false negatives.
• The technology is not yet ready to handle a large-scale attack. By its
very nature it has to scan literally every packet, every contact point,
and every traffic pattern in the network. For larger networks and in a
large-scale attack, the technology cannot be relied on to keep working
with acceptable quality and grace.
• Unless there is a breakthrough today, the technology in its current
state cannot handle very fast and large quantities of traffic efficiently.
• Probably the biggest challenge is the IDS’s perceived and sometimes
exaggerated capabilities. The technology, while good, is not the cure for
all computer network ills that it is pumped up to be. It is just like any
other good security tool.
Implementing an Intrusion Detection System
• An effective IDS does not stand alone. It must be supported by a number of other
systems. Among the things to consider, in addition to the IDS, in setting up a good
IDS for the company network are:
• Operating Systems. A good operating system that has logging and auditing
features. Most modern operating systems, including Windows, Unix, and the
Unix variants, have these features. These features can be used to
monitor security-critical resources.
• Services. All applications on servers such as Web servers, e-mail servers, and
databases should include logging/auditing features as well.
• Firewalls. A good firewall should have some network intrusion detection
capabilities.
• Network management platform. Whenever network management services
such as OpenView are used, make sure that they do have tools to help in setting
up alerts on suspicious activity.
Intrusion Prevention Systems (IPSs)
• Although IDSs have been one of the cornerstones of network
security, they have covered only one component of the total
network security picture, since they have been, and remain, a
passive component that only detects and reports without
preventing.
• A promising new model for handling intrusion is developing and picking
up momentum: the intrusion prevention system (IPS), whose goal is to
prevent attacks.
• Like their IDS counterparts, IPSs fall into two categories:
network-based and host-based.
• Network-Based Intrusion Prevention Systems (NIPSs)
• Because NIDSs passively detect intrusions without preventing them from
entering the network, many organizations have in recent times been bundling
IDSs and firewalls to create a model that can detect and then prevent.
• The bundle works as follows.
• The IDS fronts the network with a firewall behind it. On detecting an
attack, the IDS goes into prevention mode by altering the access control
rules on the firewall. This action may result in the attack being blocked
under the access control regime administered by the firewall.
• The IDS can also effect prevention through TCP resets: TCP uses the
RST (reset) bit in the TCP header to tear down a TCP connection, and a reset
is normally sent in response to a segment that belongs to no existing
connection. But this kind of bundling is both expensive and complex,
especially for an untrained security team. It also suffers from latency,
the time it takes for the IDS to either modify the firewall rules or issue
a TCP reset. This period of time is critical to the success of an attack.
• Host-Based Intrusion Prevention Systems (HIPSs)
• Most HIPSs work by sandboxing, a process of restricting the
definition of acceptable behavior rules used on the HIPS. HIPS
prevention occurs at the agent residing on the host. The agent
intercepts system calls or system messages by substituting
dynamic link libraries (DLLs).
• The substitution is accomplished by injecting existing system
DLLs with vendor stub DLLs that perform the interception.
Summary
• introduced intruders & intrusion detection
• hackers, criminals, insiders
• intrusion detection approaches
• host-based (single and distributed)
• network
• distributed adaptive
• exchange format
• honeypots
• SNORT example