Snort or Suricata. Part 1: Choosing a Free IDS/IPS to Protect Your Corporate Network

Once upon a time, an ordinary firewall and anti-virus programs were enough to protect the local network, but such a set is no longer effective enough against the attacks of modern hackers and the malware that has recently proliferated. The good old firewall analyzes only packet headers, passing or blocking them in accordance with a set of formal rules. It does not know anything about the contents of the packages, and therefore cannot recognize the outwardly legitimate actions of intruders. Anti-virus programs do not always catch malware, so the administrator is faced with the task of monitoring anomalous activity and isolating infected hosts in a timely manner.


There are many advanced tools that allow you to protect the company's IT infrastructure. Today we will talk about open source intrusion detection and prevention systems that can be implemented without buying expensive hardware and software licenses.

IDS/IPS classification

IDS (Intrusion Detection System) is a system designed to register suspicious activities on a network or on a separate computer. It maintains event logs and notifies the person responsible for information security about them. The IDS includes the following elements:

  • sensors that collect network traffic, various logs, etc.;
  • an analysis subsystem that detects signs of harmful effects in the received data;
  • storage for accumulation of primary events and analysis results;
  • management console.

Initially, IDS were classified by location: they could be focused on protecting individual nodes (host-based, or Host Intrusion Detection System - HIDS) or protecting the entire corporate network (network-based, or Network Intrusion Detection System - NIDS). The so-called APIDS (Application protocol-based IDS) are also worth mentioning: they monitor a limited set of application layer protocols to detect specific attacks and do not perform deep analysis of network packets. Such products usually resemble proxies and are used to protect specific services: web servers and web applications (for example, those written in PHP), database servers, etc. A typical representative of this class is mod_security for the Apache web server.

We are more interested in universal NIDS that support a wide range of communication protocols and DPI (Deep Packet Inspection) packet analysis technologies. They monitor all passing traffic, starting from the data link layer, and detect a wide range of network attacks, as well as unauthorized access to information. Often such systems have a distributed architecture and can interact with various active network equipment. Note that many modern NIDS are hybrid and combine several approaches. Depending on the configuration and settings, they can solve various problems - for example, protecting one node or the entire network. In addition, the functions of IDS for workstations were taken over by anti-virus packages, which, due to the spread of Trojans aimed at stealing information, turned into multifunctional firewalls that also solve the tasks of recognizing and blocking suspicious traffic.

Initially, IDS could only detect malware activity, port scanners, or, say, user violations of corporate security policies. When such an event occurred, they notified the administrator, but it quickly became clear that simply recognizing the attack was not enough - it needed to be blocked. So IDS evolved into IPS (Intrusion Prevention Systems), which can interact with firewalls to block the traffic they detect.

Detection methods

Modern intrusion detection and prevention solutions use various methods to detect malicious activity, which can be divided into three categories. This gives us another option for classifying systems:

  • Signature-based IDS/IPS look for known patterns in traffic or monitor system state changes to detect a network attack or infection attempt. They produce very few false positives, but they cannot identify unknown threats;
  • Anomaly-detecting IDSs do not use attack signatures. They recognize abnormal behavior of information systems (including anomalies in network traffic) and can detect even unknown attacks. Such systems produce quite a lot of false positives and, if used incorrectly, can paralyze the operation of the local network;
  • Rule-based IDSs work on the principle "if FACT then ACTION". In effect, these are expert systems with knowledge bases - a set of facts and rules of inference. Such solutions are time-consuming to set up and require the administrator to have a detailed understanding of the network.

History of IDS development

The era of rapid development of the Internet and corporate networks began in the 1990s, but experts had started working on advanced network security technologies a little earlier. In 1986, Dorothy Denning and Peter Neumann published the IDES (Intrusion Detection Expert System) model, which became the basis of most modern intrusion detection systems. It used an expert system to identify known attacks, as well as statistical methods and user/system profiles. IDES ran on Sun workstations, checking network traffic and application data. In 1993, NIDES (Next-generation Intrusion Detection Expert System) was released - a new generation of the intrusion detection expert system.

Based on the work of Denning and Neumann, the MIDAS (Multics Intrusion Detection and Alerting System) expert system appeared in 1988, using P-BEST and LISP. At the same time, the Haystack system, based on statistical methods, was created. Another statistical anomaly detector, W&S (Wisdom & Sense), was developed a year later at Los Alamos National Laboratory. The industry developed at a rapid pace. For example, in 1990, anomaly detection was already implemented in the TIM (Time-based Inductive Machine) system using inductive learning on sequential user patterns (written in Common LISP). NSM (Network Security Monitor) compared access matrices for anomaly detection, and ISOA (Information Security Officer's Assistant) supported various detection strategies: statistical methods, profile checking and an expert system. The ComputerWatch system created at AT&T Bell Labs used both statistical methods and rules for verification, and developers at the University of California built the first prototype of a distributed IDS back in 1991 - DIDS (Distributed Intrusion Detection System), which was also an expert system.

At first, IDS were proprietary, but already in 1998, Lawrence Berkeley National Laboratory released Bro (renamed Zeek in 2018), an open source system that uses its own rules language for analyzing libpcap data. In November of the same year, the APE packet sniffer, also based on libpcap, appeared; a month later it was renamed Snort, and it later grew into a full-fledged IDS/IPS. At the same time, numerous proprietary solutions began to appear.

Snort and Suricata

Many companies prefer free and open source IDS/IPS. For a long time, the already mentioned Snort was considered the standard solution, but it has now been displaced by the Suricata system. Let us consider their advantages and disadvantages in a little more detail. Snort combines the advantages of the signature method with the ability to detect anomalies in real time. Suricata also allows other methods besides attack signature detection. The system was created by a group of developers who split off from the Snort project, and it has supported IPS features since version 1.4, while intrusion prevention appeared in Snort later.

The main difference between the two popular products is Suricata's ability to use the GPU for IDS computations, as well as its more advanced IPS. Suricata was originally designed for multi-threading, while Snort is a single-threaded product. Due to its long history and legacy code, Snort does not make optimal use of multi-processor/multi-core hardware platforms, while Suricata can handle traffic of up to 10 Gbps on ordinary general-purpose computers. One could discuss the similarities and differences between the two systems for a long time, but although the Suricata engine works faster, for channels that are not too wide this does not matter.

Deployment Options

An IPS must be placed so that the system can monitor the network segments under its control. Most often, this is a dedicated computer, one interface of which is connected behind the edge devices and "looks" through them into unsecured public networks (the Internet). Another IPS interface is connected to the input of the protected segment so that all traffic passes through the system and is analyzed. In more complex cases, there may be several protected segments: for example, in corporate networks, a demilitarized zone (DMZ) is often allocated for services accessible from the Internet.


Such an IPS can prevent port scanning or brute-force attacks, the exploitation of vulnerabilities in the mail server, web server or scripts, as well as other types of external attacks. If computers on the local network are infected with malware, the IDS will not allow them to contact botnet servers located outside. More serious protection of the internal network will most likely require a complex configuration with a distributed system and expensive managed switches capable of mirroring traffic to an IDS interface connected to one of their ports.
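Example rules, added here and not taken from the article, showing how the three detection methods described earlier map onto the attacks this inline deployment is meant to stop: a signature match on a web request, a threshold (rate) rule for SSH brute force, and a block on an infected host's outbound C2 lookup. Suricata syntax is assumed; `$HOME_NET`/`$EXTERNAL_NET` come from `suricata.yaml`, and the URI pattern, the domain and the `sid` values are constructed placeholders.

```suricata
# Constructed example rules for Suricata (not from the article or the Suricata project).
# 1. Signature-based: a fixed pattern in an HTTP request to the protected web server.
#    The path fragments are placeholders; production signatures come from ET Open or Talos rule sets.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE web shell upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/uploads/"; http_uri; content:".php"; http_uri; distance:0; classtype:web-application-attack; sid:1000001; rev:1;)

# 2. Threshold-based (brute force): more than 10 new SSH connections from one source within a minute.
#    "flags:S" counts connection attempts (SYN) rather than every packet of an established session.
#    Change "alert" to "drop" once the sensor runs inline (IPS mode) and the rule has been tuned.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE possible SSH brute force"; flags:S; threshold:type both, track by_src, count 10, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)

# 3. Outbound C2 contact: an internal host resolving a known botnet domain (placeholder name).
#    "drop" discards the query in IPS mode; in IDS mode the engine only alerts.
drop dns $HOME_NET any -> any any (msg:"EXAMPLE internal host resolving known C2 domain"; dns_query; content:"botnet-c2.invalid"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)
```

Load the file through the `rule-files` list in `suricata.yaml`, then run `suricata -T -c suricata.yaml` to check the syntax before putting the sensor inline.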

Corporate networks are often subjected to distributed denial-of-service (DDoS) attacks. Although modern IDSs can deal with them, the deployment option above is of little help here. The system recognizes malicious activity and blocks spurious traffic, but for that the packets must first pass through the external Internet connection and reach its network interface. Depending on the intensity of the attack, the data transmission channel may not be able to cope with the load, and the attackers' goal will be achieved. For such cases, we recommend deploying the IDS on a virtual server (VPS) with a known-better Internet connection. You can connect the VPS to the local network through a VPN, and then you will need to configure routing of all external traffic through it. Then, in the event of a DDoS attack, packets will not have to be driven through your provider's connection; they will be blocked on the external host.


The problem of choice

It is very difficult to identify a leader among the free systems. The choice of IDS/IPS is determined by the network topology, the required security features, and the personal preferences of the administrator and their willingness to fiddle with the settings. Snort has a longer history and is better documented, although information on Suricata is also easy to find online. In any case, mastering the system will take some effort, which will eventually pay off - commercial hardware and hardware-software IDS/IPS are quite expensive and do not always fit into the budget. You should not regret the time spent, because a good administrator always improves their qualifications at the employer's expense. In this situation, everyone wins. In the next article, we will look at some options for deploying Suricata and compare the more modern system with the classic IDS/IPS Snort in practice.


Source: habr.com