Dr. Hossein Eslambolchi
March 2012
Security is a fundamental challenge of the 21st century network.
Back in the 1980s, we used dumb devices over intelligent networks. In the 90s, IP bigots wanted to make the network dumb, and invest devices and services with intelligence.
About a decade ago, I started to push back against the bigots. “If you dumb-down the network,” I asked, “how do you expect to add billions of intelligent end points requiring authentication, encryption and security?” No-one could give me a satisfactory answer.
My theory held that there was an “intelligence continuum” with network intelligence and device intelligence at either end. Perhaps there was a “middle way” that would feature intelligent networks and smart devices.
I don’t mean to brag – well, perhaps I do, a little: The industry took the middle path. In order to address the challenge of an intelligent network connecting smart devices, a series of technologies was developed to handle network security.
Intrusion detection technologies are an important part of this development, and I’d like to share my perspective on them, including the first Intrusion Detection and Prevention services in IP-based Networks.
KEY POINTS
• Intrusion detection systems (IDS) passively monitor a network or a host for incoming attacks. They were first developed in the 1980s, and commercial products became available in the mid-90s. They were designed to respond to the growing problem of hacker attacks against hosts and networks.
• The bane of intrusion detection has been its inability to weed out false positives and false negatives. IDS developed a poor reputation because they do not prevent attacks and because of the burden they place on administrators who have to examine large logs to find the real thing.
• Although intrusion detection has proved much less successful than originally hoped, its capabilities are evolving and have been integrated into in-line security appliances known as intrusion prevention systems (IPS). IPS are products that actively monitor a network or host for attacks and block those attacks from occurring by preventing potentially malicious traffic from entering.
• False positives are a primary challenge for intrusion prevention vendors. Eliminating them requires that system administrator configures and periodically tunes his or her IPS. Another challenge has been to run IPS without creating network bottlenecks.
• IPS uses a variety of techniques to identify potential attacks, including rate-based and content-based (or signature-based) techniques. Moreover, IPS are being integrated with other security capabilities; the ultimate security appliance is an IPS melding the best of firewall, IDS, antivirus and vulnerability assessment technologies to prevent attacks automatically.
• IPS is beginning to be adopted by many enterprises. To test IPS – especially to ensure that blocking false positives does not block legitimate traffic – enterprises introduce it in a hybrid system, with both active blocking and passive intrusion detection. Some security experts feel that false positives will remain a problem despite technology improvements in non-passive IPS.
• Sales of intrusion prevention products began to overtake those of intrusion detection products last year. In 2012, IPS began being packaged as integrated security appliances incorporating firewall capabilities.
• Tier one service providers have pioneered a network-based approach to intrusion prevention that monitors backbone traffic and alerts customers about potential attacks, instead of distributing security solutions at the edge of the IP network.
THE TECHNOLOGY
Hackers have looked for ways to exploit hardware and software bugs and system miss-configurations since the earliest days of computers and computer networks. A large and active community of hackers has evolved, leading to the development of a variety of sophisticated attacks.
Today these attacks include multi-vector worms using multiple propagation methods including email attachments, open network shares and other methods. Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code to spread attacks. Flash worms use a hit list to simultaneously infect large numbers of systems within seconds. And most familiar to the public, distributed denial of service attacks employ multiple compromised systems (zombies) to bombard a target system with various types of network traffic; the flood of traffic eventually overwhelms the system.
The quantity, variety, and potential disruptiveness of these techniques have been growing rapidly and the frequency with which these attacks are launched has increased. Although accurate data about security issues is notoriously difficult to collect, the CERT Coordination Center at Carnegie Mellon University reported that vulnerabilities have increased from 1,900 in 2000 to 8,000 in the first quarter of 2009 alone.
Understanding the vulnerability of hosts and networks led computer scientists in the 1980s to develop IDS. These systems passively monitor a network or host for attacks launched against it. IDS examine network traffic as it goes by and deliver reports, after the fact, based on what was noticed.
Commercial IDS were introduced in the early 1990s and the intrusion detection market began to take off toward the end of the same decade. IDS evolved from host-based to network-based systems. Today, intrusion detection employs several different techniques for detecting malicious traffic, including state-full pattern matching, protocol anomaly detection and statistical anomaly detection.
State-full pattern matching searches for specific signatures in a packet or a stream of packets. For example: An IDS may search for the string vrfy root, because this string can be used to gather reconnaissance information from an SMTP server. To detect malignant traffic, an IDS needs to reassemble IP fragments and determine the state of the session, because exploits are only effective during certain states.
In the previous example, the attack is only effective in the control portion of an SMTP session. Protocol anomaly detection searches for traffic that bends the rules of certain protocols, such as looking for IP packets longer than 65,535 bytes (which may indicate the poetically named attack ping of death). Unfortunately, many custom and legacy applications and certain network equipment also bend these rules; most protocols have at least some grey areas where interpretation is required.
Statistical anomaly detection looks for deviations from the normal traffic patterns in a network. For example, detecting a large number of connections from a computer outside a network to a specific destination port on various systems inside the network may indicate a host sweep.
IDS have not met the pressing need of keeping hosts and networks safe from attack because they cannot prevent attacks. Preventing them proved to be impractical for developers until the late 90s. There were many reasons why developers decided that it was practical to detect potentially malicious traffic, rather than to prevent attacks.
Hardware and software limitations were the chief reasons; they engendered accuracy and performance problems. Without specialized hardware it is impossible to process packets deeply and quickly enough to determine whether incoming traffic is malicious.
Moreover, the bane of IDS has been its inability to weed out false positives and false negatives. A false positive occurs when legitimate network traffic or system activity is incorrectly identified as malicious. False positives lead to an enormous waste of time and resources as administrators search through voluminous log files for actual attacks. IDS produced logistical nightmares for system administrators because they did not prevent attacks and because they generated huge log files. System administrators have spent countless hours fine-tuning and customizing their IDS systems trying to eliminate worthless false positives.
A false negative occurs when malicious network traffic or system activity is incorrectly identified as legitimate. This inaccuracy makes IDS an extremely inefficient security solution. False negatives expose the internal assets of an enterprise to undetected damage or theft. Furthermore, without specialized hardware, inserting an IDS in-line introduces intolerable latency and throughput problems.
Because of these accuracy and performance problems, it was necessary to configure IDS so that they hung off of a hub or network tap, rather than configure them as an active part of the network. This put IDS could therefore only passively monitor traffic. Unfortunately, this meant that they were unable to prevent damage.
System administrators had to spend countless hours analyzing exploited systems, determining the value of the compromised or altered data, restoring altered files or completely rebuilding their systems. They also had to devise ways to prevent successful attacks in the future.
Thus, between limited intrusion detection, inefficiency, inaccuracy, and extra time and labor imposed on system administrators, commercial IDS earned a bad reputation. In 2002 Network World conducted a head-to-head evaluation of various IDS products. The magazine was so unimpressed with the entrants that they declined to declare a winner.
Because IDS failed to protect hosts and systems from attack, developers began introducing IPS. This new technology includes specialized hardware, including network processors, ASICs and field-programmable gate arrays (FPGAs). It is now possible to implement IPS as an integral part of the network fabric. This stands in contrast with IDS, which are passively connected to the network.
The goal of an intrusion prevention system is to actually prevent malicious traffic from entering the system, while allowing legitimate traffic to enter unimpeded. IPS need to encapsulate the functions of IDS, a firewall and antivirus programs, and must possess vulnerability-assessment capabilities.
When the IPS intrusion-detection or virus-detection function identifies a possible attack and the vulnerability-assessment function confirms vulnerability, the firewall function blocks it or shunts the offending packets to a safe destination, thwarting the attack. But although advances in technology have made it possible to implement IPS, a myriad of potential pitfalls remain.
Clearly, false positives need to be eliminated before intrusion prevention can work without disrupting applications. False positives are bad enough for IDS where large log files are created, but for an intrusion prevention system, they can shut down a host or network.
If not properly configured, an intrusion prevention system will identify attacks as legitimate traffic even if those attacks have no bearing on a network. For example: An intrusion prevention system on a network of Apache web servers needs to be configured to not shut down the network when it sees attacks to a Microsoft Internet Information Server (IIS). In this case, it would be more appropriate to simply issue an alarm.
Similarly, when a security flaw is fixed, an IPS must be updated with patch information. Otherwise the system will set off an alarm when it registers attacks against the flaw corrected by the patch. Unfortunately, there are many valid business transactions that can erroneously be labeled as attacks. Furthermore, IPS need to be run in-line without creating performance bottlenecks. Some security experts feel that despite technology improvements in non-passive IPS, a troublesome number of false positives are likely to be generated.
Detecting potential attacks is a crucial area in intrusion prevention. IPS generally fall into two general categories: rate-based products and content-based (or signature and anomaly-based) products. Both types of products resemble firewalls, and generally provide basic firewall functionality. However, firewalls block all traffic except that which they have a reason to pass, whereas IPS pass all traffic except that which they have a reason to block.
Rate-based IPS products block traffic based on load, blocking traffic containing too many packets, too many connects or too many errors. When such a threshold is exceeded, a rate-based IPS blocks, throttles or otherwise mediates traffic. Rate-based IPS often combine configuration options and a broad range of response technologies. There are varying definitions of “excessive traffic” and in the decisions that follow its identification. Configuring an IPS by defining excessive traffic is difficult, even for savvy network professionals.
However, vendors have developed a variety of approaches for limiting traffic and are incorporating expert system and learning capabilities into their products. The IPS can then learn to identify normal traffic patterns and fine tune its criteria for what is considered “abnormal”.
Rate-based IPS are most useful in very high-volume web, application and mail server environments because they require frequent tuning and adjustment. For the same reason, they are not useful in many enterprise applications.
Content-based products block traffic based on attack signatures and protocol anomalies. This allows worms that match a signature, such as Sasser, Blaster and MyDoom, to be blocked. Packets not following one of the multitude of TCP/IP RFCs are also dropped.
Furthermore, content-based IPS is triggered by many types of suspicious behavior. Port scanning is an example. The best content-based IPS offer a range of techniques for identifying malicious content and options for how to handle attacks, from dropping bad packets to dropping future packets from the same attacker. Content-based IPS can be used deep inside networks, complementing firewalls and providing security policy enforcement.
Although the first generation of IPS consisted of systems that were either content-based or rate-based, the new generation is combining both content-based approaches and rate-based approaches.
IPS appliances were first put on the market in 2002. Since then, they have evolved (and their prices have declined).
In-line intrusion prevention poses a significant challenge: Much like firewalls, IPS tends to become a network bottleneck. All network traffic needs to flow through these devices; if they fail to operate quickly enough, they drop packets. Consequently, speed has become a main criterion for comparing intrusion-prevention systems.
Most start-ups offer IPS operating at gigabits per second, and are steadily improving performance. But even as they improve, IPS devices do not measure up to the marketing hype which promises a set-and-forget operational mode. IPS still need to be periodically tuned so that wanted traffic is not inadvertently dumped.
This task is complicated because the traffic patterns of different enterprises vary. Current techniques have found it impossible to characterize traffic as inherently bad or good. When an enterprise first adds an IPS, it begins by using it in a hybrid system. The IPS acts as IDS for most traffic and only blocks traffic that is unambiguously malicious, such as computer worms.
Finally, when considering the evolution of IDS into IPS, it is important to note that there is a spectrum ranging from purely passive IDS to in-line, real time IPS. There are many products that offer functions boasted by both extremes. For example: There are passive IDS that are not in-line, but still have capabilities to provide prevention in real time. These systems send instructions to firewalls, which dynamically change their access policy. Or they may inject packets that tear down a connection.
Global service providers have pioneered a network-based approach to intrusion prevention that monitors backbone traffic and alerts customers to potential attacks, instead of relegating security solutions to the edge of the IP network. They use proprietary tools developed to protect their own network. These tools analyze Internet traffic samples at peering points, and then compare daily traffic to historical traffic patterns. This allows the system to predict threats by specific port and application. Through this approach, security is built into the IP network, protecting the customer’s own network and applications.
THE PLAYERS
2008 saw the transformation of intrusion detection into intrusion prevention. This evolution is now being followed by the convergence of firewalls and intrusion prevention in 2012.
Intrusion detection and prevention offerings are now available from both established network-equipment vendors as well as companies specializing in security offerings. The following descriptions focus on intrusion prevention offerings, rather than the traditional IDS.
Established network equipment vendors include:
• For the most part, Cisco has acquired its intrusion detection and prevention technologies through the acquisition of start-up companies. Among the companies acquired are the Wheel Group, Okena and Riverhead Networks. The Cisco IPS 4200 Series intrusion prevention system sensors are an important component of the Cisco Self-Defending Network.
• IBM offers its Tivoli Access Manager for operating systems, providing host-based intrusion prevention for applications and platforms. The IBM Research Web & Services Intrusion Prevention project addresses protection for web services and grid services.
• Juniper Networks integrates intrusion detection and protection technology into its all-in-one appliances. The devices combine a state-full inspection firewall with deep inspection technology for application-level protection, IPSec VPN capabilities, and denial of service mitigation functions. It acquired Net Screen Technologies in 2004.
Established Security Players include:
• Computer Associates offers intrusion prevention capabilities as part of its eTrust initiative, especially as part of its eTrust Identity Access Management and eTrust Threat Management offerings. In particular, the Threat Management product can locate, isolate, contain and extinguish threats.
• Internet Security Systems (ISS) offers its Proventia intrusion-prevention system products. These systems operate in three modes: active blocking of attacks, passive detection or simulated blocking and response.
• Network Associates offers the McAfee Entercept host-based intrusion prevention product line and the McAfee IntruShield in-line intrusion prevention product line.
• Symantec acquired Platform Logic and its IDS platform in December 2004. This software uses behavioral detection to protect individual computers and hosts from threat. Symantec’s early warning solutions include the DeepSight Threat Management System, which delivers customized early warnings and mitigation steps on the imminent threats. They also offer the DeepSight Alert Service, which provides vulnerability and malicious code alerts tailored to the customer’s exact network infrastructure.
Start-up security vendors include:
• iPolicy Networks’ Intrusion Prevention Firewall appliances. These appliances share a common code base and incorporate multiple defense mechanisms that are intrinsically built into the firewall. Defense mechanisms block worms, attacks, Trojans, mitigate DoS-DDoS, stop blended threats and encrypted attacks and prevent undesirable content from entering the network. The auxiliary iPolicy Scanning Appliance can be used in conjunction with iPolicy Intrusion Prevention Firewall to detect and eliminate viruses in SMTP and POP3 mail and enables administrators to manage email traffic based on customer content.
• Verizon operates its NetSec Managed Intrusion and Detection services which offer managed IPS, network intrusion detection and host-based intrusion detection.
• AT&T introduced the AT&T Premier-Serve Managed Security Service in June 2005. It provides clients with a managed tool which can detect, contain and/or neutralize network threats as well as address zero-day threats.
• Symantec provides its Symantec Event Manager for Intrusion Protection, which offers centralized, cross-tier monitoring, alerting and reporting enterprise-wide for Symantec intrusion protection solutions.
• VeriSign offers a range of managed security services, including managed firewalls, intrusion detection and vulnerability alerts under the VeriSign Managed Security Services brand.
- The U.S. Federal Trade Commission (FTC) has launched Operation Spam Zombies, which is urging Internet Service Providers to voluntarily take measures to assist customers in intrusion prevention and detection.
