Talking about intrusion detection Mao 01-5-22 at 10:59 am
Intrusion detection system
With the rapid development of computer network technology, its range of application keeps expanding, from early file transfer and e-mail to today's e-commerce and Internet/intranet systems, and the role of computer networks in modern life keeps growing. At the same time, attacks on computer networks are increasing: because system vulnerabilities objectively exist and intrusions of many kinds occur, the threats faced by information systems have grown greatly.
Network intrusion detection systems (IDS) are a very new network security technology. Although they have only a few years of history, they have attracted wide attention as an important supplement to the existing security system. An intrusion detection system collects information about computer systems and networks and analyzes it, providing security auditing, monitoring, attack identification and real-time response for the protected systems.
Intrusion detection system functions:
* Monitor and analyze user and system activity
* Audit system configuration and weaknesses
* Evaluate the integrity of key systems and data files
* Identify activity patterns that correspond to attacks
* Statistical analysis of abnormal activity
* Manage operating system audit trails and identify user activities that violate policy
Advantages of intrusion detection products:
* Improve the integrity of the other parts of the information security infrastructure
* Improve system monitoring
* Track users from the entry point to the exit point
* Identify and report changes to data files
* Detect system configuration errors and correct them
* Identify specific attack types and alert administrators so they can defend against them
Disadvantages of intrusion detection:
* Cannot compensate for the absence of a correct authentication mechanism
* Without human intervention, cannot carry out the investigation of an attack
* Cannot know the content of the security policy
* Cannot compensate for weaknesses in network protocols
* Cannot make up for deficiencies in the quality or integrity of what the system provides
* Cannot analyze a congested network
* Cannot handle packet-level attacks
The necessity of intrusion detection:
Figure 1: security system management with a detection module
As Figure 1 shows, security management is a continuous process in a dynamic environment. The defense module includes encryption, authentication and firewalls; the detection module includes monitoring the target system, analyzing information, responding to problems and reporting them; the investigation module records the cause of the problem and analyzes how to resist similar intrusions in the future.
At present the main technical means of network security are firewalls, secure routers and the like, which have a certain effect in preventing illegal intrusion into systems. But they play only a defensive role, and the security of a computer system cannot rely on prevention alone: once they are breached, the whole system is defenseless. These means alone are therefore not enough to deal with illegal attacks. To change this passive situation, a secure network system should have not only firewalls and other defenses but also a means of monitoring the network in real time, detecting attacks and responding to them: an intrusion detection system.
A firewall is a boundary between the internal network and the Internet that filters traffic entering the internal network according to the security policy. A firewall alone is not enough, however, because:
1. Not all threats come from outside the firewall;
2. The firewall itself can be attacked.
Firewalls, identity authentication products, access control products, encryption products, virus scanners and so on provide the most basic system security features, but they are themselves targets of attack. Once they are compromised, the security of the system is in danger.
Security equipment such as firewalls belongs to static security technology and cannot actively track intruders. Intrusion detection belongs to dynamic security technology: it can take the initiative to detect points vulnerable to attack and security holes. The biggest advantage of dynamic security technology is this initiative. Combined with a network monitoring system, an intrusion detection system can discover the characteristics of harmful attacks, then detect attack behaviour, raise an alert and take protective measures. To obtain a high level of security, one should choose more active and intelligent network security technology. Faced with the many practical problems and users of network security, intrusion detection ensures network security in combination with traditional firewall and authentication techniques.
Classification of intrusion detection software
First, host-based
That is, an agent runs on each host to be protected, for example Intrusion Detection's Kane Security Monitor. The agent sends a "heartbeat" signal to a management site at regular intervals, and of course also its alarms. The heartbeat lets the management site detect a denial-of-service class attack: such an attack may paralyze a host completely, after which the agent can no longer respond or work.
Host-based methods have the following advantages:
1. High performance/price ratio. When the number of hosts is small, the cost-effectiveness of this method may be higher.
2. Finer granularity. This approach can easily monitor activities such as access to sensitive files, directories, programs or ports, activities that are hard to discover from protocol-level clues.
3. A focused view. Once an intruder has obtained a host's username and password, a host-based agent is the most likely to distinguish normal activity from illegal activity.
4. Easy to tailor. Every host has its own agent, which is of course more convenient for the user.
5. Fewer hosts. Host-based methods sometimes need no additional dedicated hardware platform.
6. Insensitive to network traffic. Using agents generally does not sacrifice monitoring of network behaviour as network traffic increases.
Second, network-based
Packets are captured on the network and analyzed against known attack patterns to determine whether they represent an intrusion, for example Network Associates' CyberCop and NetRanger. When these products discover something suspicious they generate an alarm, and they can also send a "heartbeat" signal to a central management site.
Network-based detection has the following advantages:
1. Fast detection. A network-based monitor can usually find a problem within microseconds or seconds, whereas most host-based products must rely on analysis of audit records from the last few minutes.
2. Better concealment. A monitor on the network is not as prominent and accessible as a host, so it is not as easy to attack. Since it is not a host, a network-based monitor need not respond to ping, need not let anyone access its local memory, need not let anyone run programs on it, and need not let multiple users use it.
3. Wider field of view. The network-based approach can even stop an attack at the edge of the network, that is, before the attacker has gained access to the network.
4. Fewer monitors. Because one monitor can protect a shared network segment, many monitors are not needed. By contrast, the host-based approach needs an agent on every host, which is expensive and hard to manage. However, in a switched environment each host is on its own network segment.
5. Fewer resources consumed. No resources are taken up on the protected devices.
The two techniques are complementary. Implementing network-based monitoring while also adding agents on particularly sensitive hosts is a strategy worth considering.
Intrusion detection system model
System operating environment: UNIX, Windows NT
System functions:
· Monitor and analyze user and system activity
· Audit system configuration and weaknesses
· Assess the integrity of key systems and data files
· Identify activity patterns that correspond to attacks
· Discover illegal access and react in time
· Respond to intrusions
System framework: Figure 2 is the framework of an intrusion detection system
The system consists of a central monitor and agents that monitor the hosts. The central monitor has two parts: the monitoring management system and the expert system. The monitoring manager provides security management for the monitored hosts, manages the whole monitoring system, collects the audit data sent by the agents, passes it to the expert system for analysis, and responds according to the results the expert system obtains. The agent runs on the monitored host and acquires two kinds of data: first, the audit data collected by the host's auditing module, and second, data about the system collected according to the actual situation.
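The framework just described (agents reporting audit data to a central monitor whose expert system analyzes it) and the heartbeat mechanism from the host-based section above can be modelled in a few dozen lines. The following is an added example written for this page, not code from any of the products it discusses; the thresholds, the sensitive-file list and the sample messages are constructed assumptions, and the "expert system" is reduced to two rules (repeated failed logins, access to a sensitive file) plus a liveness check that flags an agent whose heartbeat has stopped.

```python
"""Toy model of the agent / central-monitor IDS framework described above.

Constructed example: a MonitorManager collects heartbeat and audit messages
from host agents, a small rule-based ExpertSystem analyzes audit events, and
the manager flags agents that have gone silent. Thresholds and the sample
messages are assumptions, not values from any real product."""
from collections import defaultdict
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 60          # seconds between expected heartbeats (assumed)
MISSED_HEARTBEATS = 3            # silent for this many intervals -> alert (assumed)
FAILED_LOGIN_THRESHOLD = 5       # failed logins per user within the window (assumed)
FAILED_LOGIN_WINDOW = 120        # seconds (assumed)
SENSITIVE_PATHS = {"/etc/shadow"}   # paths whose access the agent reports (assumed)


@dataclass
class Message:
    """What an agent sends to the central monitor."""
    host: str
    kind: str                                   # "heartbeat" or "audit"
    ts: float                                   # seconds since an arbitrary epoch
    event: dict = field(default_factory=dict)   # audit record, empty for heartbeats


class ExpertSystem:
    """Rule engine: consumes audit events, returns a list of alert strings."""

    def __init__(self):
        self.failed_logins = defaultdict(list)   # (host, user) -> timestamps

    def analyze(self, msg):
        alerts = []
        ev = msg.event
        if ev.get("type") == "login_failed":
            key = (msg.host, ev["user"])
            # keep only failures inside the sliding window, then add this one
            recent = [t for t in self.failed_logins[key] if msg.ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(msg.ts)
            self.failed_logins[key] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append(f"{msg.host}: {len(recent)} failed logins for {ev['user']} "
                              f"within {FAILED_LOGIN_WINDOW}s")
        elif ev.get("type") == "file_access" and ev.get("path") in SENSITIVE_PATHS:
            alerts.append(f"{msg.host}: {ev['user']} accessed sensitive file {ev['path']}")
        return alerts


class MonitorManager:
    """Central monitor: tracks agent liveness and hands audit data to the expert system."""

    def __init__(self, expert):
        self.expert = expert
        self.last_seen = {}      # host -> timestamp of the last message of any kind
        self.alerts = []

    def receive(self, msg):
        self.last_seen[msg.host] = msg.ts       # any message proves the agent is alive
        if msg.kind == "audit":
            self.alerts.extend(self.expert.analyze(msg))

    def check_heartbeats(self, now):
        """A silent agent may mean the host was paralysed; raise an alert for it."""
        for host, ts in sorted(self.last_seen.items()):
            if now - ts > MISSED_HEARTBEATS * HEARTBEAT_INTERVAL:
                self.alerts.append(f"{host}: no heartbeat for {now - ts:.0f}s")
        return self.alerts


def run_demo():
    """Feed constructed messages from two hosts and return the alerts raised."""
    manager = MonitorManager(ExpertSystem())
    messages = [Message("web1", "heartbeat", 0), Message("web1", "heartbeat", 60),
                Message("db1", "heartbeat", 0)]
    # five failed logins for one user within 40 seconds on db1
    messages += [Message("db1", "audit", 100 + 10 * i, {"type": "login_failed", "user": "admin"})
                 for i in range(5)]
    messages.append(Message("db1", "audit", 150,
                            {"type": "file_access", "user": "guest", "path": "/etc/shadow"}))
    messages.append(Message("db1", "heartbeat", 180))
    for m in messages:
        manager.receive(m)
    return manager.check_heartbeats(now=300)    # web1 has been silent since t=60


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo yields three alerts: the failed-login burst and the sensitive-file access on db1, then the missing heartbeat from web1. Keeping the rules in the expert system and liveness tracking in the manager mirrors the split the framework describes, so new rules are added without touching the collection path.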
Intrusion detection product introduction
At present a number of laboratories are not only researching and developing intrusion detection systems but have completed prototype systems and commercial products; domestic research is comparatively behind. Here are some foreign products:
Cisco's NetRanger
In March 1996 WheelGroup launched NetRanger, based on years of industry experience. The product has two parts: the sensor ($9,000), which monitors network packets and raises alarms, and the controller ($10,000), which receives and analyzes the alarms and initiates countermeasures.
NetRanger is known for its high performance and is also very easy to tailor. The controller program can integrate information from multiple sites and monitor attacks across an entire enterprise network. NetRanger's greatest reputation is as a product designed for enterprises. One sign of this reputation is its distribution channel: EDS, Perot Systems and IBM Global Services are its distributors.
NetRanger runs successfully on global WANs. For example, it has a path backup ("Path-Double") feature: if one path is broken, information can be sent over the backup path. It can even monitor the whole network from a single point, or hand monitoring over to a third party.
Another strength of NetRanger is that when detecting problems it not only looks at the contents of a single packet but also at clues spread across multiple packets. This matters because an intruder may access a port in character mode, sending only one character per packet; a monitor that only examines single packets would never see the complete information. NetRanger is one of the most thoroughly field-tested network-based intrusion detection products on the market.
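The multi-packet point above is easy to demonstrate. The following added example is written for this page and is not NetRanger's code or a description of its internals: it compares a detector that inspects each packet on its own with one that first reassembles the stream, using a constructed placeholder signature string, a payload split one byte per packet, delivered out of order and with one retransmission. It goes slightly beyond the text by also handling a gap in the stream, which a real sensor must notice rather than silently concatenate.

```python
"""Single-packet inspection versus inspection of a reassembled stream.

Constructed example: a signature split across packets (one byte per packet,
arriving out of order, with a retransmit) is invisible to a detector that
looks at each packet alone but is found once the stream is reassembled.
The signature string is a placeholder, not a real detection rule."""
from dataclasses import dataclass

SIGNATURES = [b"ATTACK-PATTERN-DEMO"]   # placeholder signature (assumed)


@dataclass(frozen=True)
class Packet:
    seq: int          # byte offset of this payload within the stream (relative sequence number)
    payload: bytes


def match_per_packet(packets, signatures=SIGNATURES):
    """Naive detector: examine each packet payload on its own."""
    return {sig for p in packets for sig in signatures if sig in p.payload}


def reassemble(packets):
    """Order packets by sequence number, drop retransmitted/overlapping bytes, concatenate.

    Returns (data, complete); complete is False if a gap was found, in which case
    data holds only the contiguous prefix that could be rebuilt."""
    buf = bytearray()
    for p in sorted(packets, key=lambda p: p.seq):
        if p.seq > len(buf):                    # bytes missing before this packet
            return bytes(buf), False
        buf += p.payload[len(buf) - p.seq:]     # skip bytes already in the buffer
    return bytes(buf), True


def match_stream(packets, signatures=SIGNATURES):
    """Detector that inspects the reassembled stream, as a multi-packet sensor would."""
    data, _ = reassemble(packets)
    return {sig for sig in signatures if sig in data}


def fragment(data, size=1):
    """Split data into packets of `size` bytes, deliver them in reverse order and
    retransmit the first fragment, to model a reordering, duplicating path."""
    packets = [Packet(i, data[i:i + size]) for i in range(0, len(data), size)]
    packets.reverse()
    packets.append(packets[-1])      # duplicate of the seq=0 packet
    return packets


if __name__ == "__main__":
    stream = b"user: ATTACK-PATTERN-DEMO\n"        # constructed payload
    pkts = fragment(stream)
    print("per-packet:", match_per_packet(pkts))    # set()
    print("stream    :", match_stream(pkts))        # {b'ATTACK-PATTERN-DEMO'}
```

With one byte per packet the per-packet detector returns nothing while the stream detector finds the signature; with a packet size larger than the signature both agree. The reassembly stops at the first gap and reports it, so a caller can distinguish "signature absent" from "stream incomplete".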
For some users, however, NetRanger's strengths may be precisely its drawbacks. It is designed to integrate under OpenView or NetView, which is useful in a network operations center (NOC) but requires a detailed understanding of UNIX. NetRanger is relatively expensive and is not necessarily suited to an ordinary local area network.
Network Associates' CyberCop
Network Associates was formed from McAfee Associates and Network General, the company known for the Sniffer class of detectors. Network Associates obtained a license from Cisco to use NetRanger's engine and attack pattern database in CyberCop.
In addition, CyberCop is designed as a network application and is usually installed in 20 minutes. It comes with six preset configuration modes: mixed Windows NT and UNIX subnet, UNIX subnet, NT subnet, remote access, front and backbone. It has no NetWare configuration.
The front end is designed above all for ease of use, drawing on Network General's experience in refining packet data so that it is easy to view and understand. As in Sniffer, expert knowledge is built into the help documentation. CyberCop can also generate trace files that Sniffer can read. Compared with NetRanger, CyberCop lacks some enterprise features, such as path backup.
The CyberCop intrusion protection product range includes CyberCop Scanner, CyberCop Monitor and CyberCop Sting. CyberCop Scanner checks the security weaknesses of computer systems and network devices; it can test NT and UNIX workstations, servers and hubs.
CyberCop Monitor is a host-based intrusion detection tool that provides service-based packet analysis and detection of abnormal system events, with warnings and responses to prevent malicious attacks. It runs on Windows NT and UNIX.
CyberCop Sting collects information about attacks coming from the Internet. Whether the attack is internal or external, CyberCop Sting uses its analysis tools to record the attacker's behaviour and to collect and log evidence of the attack's source and techniques. It runs on Windows NT.
Internet Security Systems' RealSecure
RealSecure's advantage is its simplicity and low price. Like NetRanger and CyberCop, RealSecure has two parts: the engine monitors packets and generates alarms, and the console receives alarms and serves as the central point for database reports. Both parts run on NT, Solaris, SunOS and Linux, and can be used in mixed or homogeneous operating system environments. They run on ordinary commercial PCs.
For a small system the engine and console can run on the same machine, which is not possible with NetRanger or CyberCop. The RealSecure engine is priced at 10,000 and the console is free. One engine can report to multiple consoles, and one console can manage multiple engines.
RealSecure can reconfigure Check Point Software's FireWall-1. According to intrusion detection technical manager Mark Wood, ISS also plans to let it reconfigure Cisco routers and is developing an application for OpenView.
Intrusion Detection's Kane Security Monitor for NT
The host-based Kane Security Monitor (KSM) for NT was launched in September 1997. It consists of three parts: an auditor, a console and agents. The agents read the NT logs and send statistics to the auditor. The system security officer uses the console's GUI to receive alarms and to view the system's history and real-time behaviour. KSM is priced at $1,495 per protected server (including auditor and console), plus $295 per workstation agent.
KSM is particularly strong in TCP/IP monitoring, but Intrusion Detection's product is not designed for faster wide area networks.
Axent Technologies' OmniGuard/Intruder Alert
The parts of OmniGuard/Intruder Alert (ITA) corresponding to KSM's auditor, console and agents are the manager (US$1,995), the console (free) and the agents ($995 per server, $95 per workstation).
ITA supports a broader range of platforms than Intrusion Detection's KSM. Its manager and agents run on Windows NT, 95 and 3.1 and on NetWare 3.x and 4.x, and all parts run on several versions of UNIX, such as Solaris, SunOS, IBM AIX, HP-UX and DEC Unix.
Trusted Information Systems' Stalker
Stalker, launched by Haystack Labs in 1993, is a host-based monitor that runs on NT and a variety of Unix systems, including Solaris, AIX, HP-UX and SCO UnixWare. The version 2.1 manager costs $9,995 and each agent $695. In June 1996 Haystack Labs launched WebStalker Pro for the same operating systems, but aimed at web servers; it costs $4,995 under UNIX and $2,995 under NT. Sun's Netra web server comes with a special version of WebStalker at the time of sale. IBM Global Services also sells WebStalker.
Trusted Information Systems, a developer of NT firewall products, acquired Haystack in October 1997. In December 1997 it announced ProxyStalker, a monitor designed to run only on NT with Microsoft Proxy Server 2.0. ProxyStalker is planned for the first quarter; its price has not yet been announced, but it is expected to be in the same class as Proxy Server, under $1,000.
All three Stalker products can reconfigure the Gauntlet firewall, and all three can also stop an intrusion as they discover it. For example, WebStalker Pro can terminate a login or a process and can restart a web server. The Stalker family can also be integrated with TME.
Intrusion monitoring is just one part of a complete security system: without authentication, authorization and encryption, locking your door is useless even if you have installed an alarm system. Intrusion detection is prepared for customers who have already adopted firewall and authentication measures; intrusion detection has increased the security