Network Security Paper

Intrusion Detection System &
Intrusion Prevention System

by:

Taufik Ramadhan 114071131

M. Khoirul Irvan 114071182


1. Intrusion Detection System (IDS)
In the last three years, the networking revolution has finally come of age. More than ever before, we
see that the Internet is changing computing as we know it. The possibilities and opportunities are
limitless; unfortunately, so too are the risks and chances of malicious intrusions.

There are two ways to handle subversion attempts. One way is to prevent subversion itself
by building a completely secure system. We could, for example, require all users to
identify and authenticate themselves; we could protect data by various cryptographic
methods and very tight access control mechanisms. However, this is not really feasible
because:

1. In practice, it is not possible to build a completely secure system. Miller gives a compelling
report on bugs in popular programs and operating systems that seems to indicate that (a) bug-free
software is still a dream and (b) no one seems to want to make the effort to try to develop
such software. Apart from the fact that we do not seem to be getting our money's worth when
we buy software, there are also security implications when our E-mail software, for example,
can be attacked. Designing and implementing a totally secure system is thus an extremely
difficult task.
2. The vast installed base of systems worldwide guarantees that any transition to a secure system
(if one is ever developed) will be long in coming.
3. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their
passwords, and entire crypto-systems can be broken.
4. Even a truly secure system is vulnerable to abuse by insiders who misuse their privileges.
5. It has been seen that the relationship between the level of access control and user efficiency
is an inverse one, which means that the stricter the mechanisms, the lower the efficiency
becomes.

It is very important that the security mechanisms of a system are designed so as to prevent
unauthorized access to system resources and data. However, completely preventing breaches
of security appears, at present, unrealistic. We can, however, try to detect these intrusion
attempts so that action may be taken to repair the damage later. This field of research is
called Intrusion Detection.

An Intrusion Detection System (IDS) monitors network traffic for suspicious activity
and alerts the system or network administrator. In some cases the IDS may also respond to
anomalous or malicious traffic by taking action such as blocking the user or source IP address from
accessing the network.

If there are attacks on a system, we would like to detect them as soon as possible (preferably
in real-time) and take appropriate action. This is essentially what an Intrusion Detection
System (IDS) does. An IDS does not usually take preventive measures when an attack is
detected; it is a reactive rather than pro-active agent. It plays the role of an informant rather
than a police officer.

IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in
different ways. There are network based (NIDS) and host based (HIDS) intrusion detection
systems. There are IDS that detect by looking for specific signatures of known threats,
similar to the way antivirus software typically detects and protects against malware, and
there are IDS that detect by comparing traffic patterns against a baseline and looking
for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an
action or actions in response to a detected threat.

NIDS

Network Intrusion Detection Systems are placed at a strategic point or points within the
network to monitor traffic to and from all devices on the network. Ideally you would scan
all inbound and outbound traffic; however, doing so might create a bottleneck that would
impair the overall speed of the network.

HIDS

Host Intrusion Detection Systems are run on individual hosts or devices on the network.
A HIDS monitors the inbound and outbound packets from the device only and will alert
the user or administrator if suspicious activity is detected.

Signature Based

A signature based IDS will monitor packets on the network and compare them against a
database of signatures or attributes from known malicious threats. This is similar to the
way most antivirus software detects malware. The issue is that there will be a lag between
a new threat being discovered in the wild and the signature for detecting that threat being
applied to your IDS. During that lag time your IDS would be unable to detect the new
threat.

Anomaly Based

An IDS which is anomaly based will monitor network traffic and compare it against an
established baseline. The baseline will identify what is “normal” for that network (what
sort of bandwidth is generally used, what protocols are used, what ports and devices
generally connect to each other) and alert the administrator or user when traffic is
detected which is anomalous, or significantly different, from the baseline.
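The two detection approaches of this and the previous section, as an added example that is not part of the paper: a toy signature check and a toy baseline comparison run over constructed flow records. The signature database, the baseline values and the addresses are all constructed; the third flow is the case the text raises, a threat with no stored signature that only the baseline comparison flags.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    nbytes: int
    payload: bytes  # leading bytes of the stream

# Constructed signature database: name -> byte pattern taken from a known threat.
SIGNATURES = {
    "sig-shell-path": b"/bin/sh",
    "sig-path-traversal": b"../../",
}

# Constructed baseline: (proto, port) pairs seen while baselining, and the largest flow seen.
BASELINE = {
    "services": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "max_bytes": 5_000_000,
}

def signature_alerts(flow: Flow) -> List[str]:
    """Signature-based: report every known pattern present in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in flow.payload]

def anomaly_alerts(flow: Flow, baseline: dict = BASELINE) -> List[str]:
    """Anomaly-based: report deviations from the baseline; no signature is needed."""
    alerts = []
    if (flow.proto, flow.dport) not in baseline["services"]:
        alerts.append(f"unusual-service:{flow.proto}/{flow.dport}")
    if flow.nbytes > baseline["max_bytes"]:
        alerts.append("unusual-volume")
    return alerts

def inspect_flows(flows: List[Flow]) -> Dict[str, List[str]]:
    """Run both detectors; map 'src->dst:dport' to its alerts for every flow that alerted."""
    return {f"{f.src}->{f.dst}:{f.dport}": a for f in flows
            if (a := signature_alerts(f) + anomaly_alerts(f))}

# Constructed sample traffic: a normal web request, a request matching a stored
# signature, and a flow that matches no signature but deviates from the baseline.
SAMPLE = [
    Flow("10.0.0.5", "10.0.0.10", "tcp", 80, 1_200, b"GET /index.html HTTP/1.1"),
    Flow("10.0.0.7", "10.0.0.10", "tcp", 80, 900, b"GET /../../secret HTTP/1.1"),
    Flow("10.0.0.9", "10.0.0.10", "tcp", 4444, 12_000_000, b"opaque bytes"),
]
```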

Intrusion detection systems may be effective at detecting suspicious activity, but do not provide
protection against attacks. That is why we need an IPS (Intrusion Prevention System).

Passive IDS

A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected,
an alert is generated and sent to the administrator or user, and it is up to them to take
action to block the activity or respond in some way.

Reactive IDS

A reactive IDS will not only detect suspicious or malicious traffic and alert the
administrator, but will take pre-defined proactive actions to respond to the threat.
Typically this means blocking any further network traffic from the source IP address or
user.

There is a fine line between a firewall and an IDS. There is also technology called IPS –
Intrusion Prevention System. An IPS is essentially a firewall which combines network-level
and application-level filtering with a reactive IDS to proactively protect the network. It
seems that as time goes on firewalls, IDS and IPS take on more attributes from each other
and blur the line even more.

Essentially, your firewall is your first line of perimeter defense. Best practices recommend
that your firewall be explicitly configured to DENY all incoming traffic and then you open
up holes where necessary. You may need to open up port 80 to host web sites or port 21 to
host an FTP file server. Each of these holes may be necessary from one standpoint, but they
also represent possible vectors for malicious traffic to enter your network rather than being
blocked by the firewall.

That is where your IDS would come in. Whether you implement a NIDS across the entire
network or a HIDS on your specific device, the IDS will monitor the inbound and outbound
traffic and identify suspicious or malicious traffic which may have bypassed your
firewall or may be originating from inside your network.

An IDS can be a great tool for proactively monitoring and protecting your network from
malicious activity; however, it is also prone to false alarms. With just about any IDS
solution you implement you will need to “tune it” once it is first installed. You need the IDS
to be properly configured to recognize what is normal traffic on your network vs. what
might be malicious traffic, and you, or the administrators responsible for responding to IDS
alerts, need to understand what the alerts mean and how to effectively respond.

2. Intrusion Prevention System (IPS)

The problem is that many exploits attempt to take advantage of weaknesses in the very protocols
that are allowed through our perimeter firewalls, and once the Web server has been compromised,
this can often be used as a springboard to launch additional attacks on other internal servers. Once a
“rootkit” or “back door” has been installed on a server, the hacker has ensured that he will have
unfettered access to that machine at any point in the future.

The inadequacies inherent in current defences have driven the development of a new breed of
security products known as Intrusion Prevention Systems (IPS). This is a term which has provoked
some controversy in the industry, since some firewall and IDS vendors think it has been “hijacked”
and used as a marketing term rather than as a description of any kind of new technology.

These systems are proactive defence mechanisms designed to detect malicious packets within
normal network traffic (something that the current breed of firewalls do not actually do, for
example) and stop intrusions dead, blocking the offending traffic automatically before it does any
damage rather than simply raising an alert as, or after, the malicious payload has been
delivered.

Within the IPS marketplace, there are two main categories of product:

a. Host IPS (HIPS)

As with Host IDS systems, the Host IPS relies on agents installed directly on the system being
protected. It binds closely with the operating system kernel and services, monitoring and
intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.

It may also monitor data streams and the environment specific to a particular application (file
locations and Registry settings for a Web server, for example) in order to protect that
application from generic attacks for which no “signature” yet exists.

One potential disadvantage with this approach is that, given the necessarily tight integration
with the host operating system, future OS upgrades could cause problems.

Since a Host IPS agent intercepts all requests to the system it protects, it has certain
prerequisites - it must be very reliable, must not negatively impact performance, and must not
block legitimate traffic. Any HIPS that does not meet these minimum requirements should
never be installed in a host, no matter how effectively it blocks attacks.

b. Network IPS (NIPS)

The Network IPS combines features of a standard IDS, an IPS and a firewall, and is
sometimes known as an In-line IDS or Gateway IDS (GIDS). The next-generation firewall,
the deep inspection firewall, also exhibits a similar feature set, though we do not believe that
the deep inspection firewall is ready for mainstream deployment just yet.

As with a typical firewall, the NIPS has at least two network interfaces, one designated as
internal and one as external. As packets appear at either interface they are passed to the
detection engine, at which point the IPS device functions much as any IDS would in
determining whether or not the packet being examined poses a threat.

However, if it should detect a malicious packet, in addition to raising an alert, it will discard
the packet and mark that flow as bad. As the remaining packets that make up that particular
TCP session arrive at the IPS device, they are discarded immediately.
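The in-line behaviour just described (detect, alert, drop the packet, mark the flow as bad, then drop the rest of that TCP session without running detection again), as an added example that is not part of the paper. The packet format, the `EXPLOIT-MARKER` pattern standing in for a detection-engine rule, and the addresses are all constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# Constructed stand-in for whatever the detection engine would flag as malicious.
BAD_PATTERN = b"EXPLOIT-MARKER"

def flow_key(p: Packet) -> Tuple[str, int, str, int]:
    """A TCP session is identified by its address/port 4-tuple (TCP implied)."""
    return (p.src, p.sport, p.dst, p.dport)

@dataclass
class InlineIPS:
    bad_flows: Set[tuple] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def handle(self, p: Packet) -> str:
        """Verdict for one packet arriving on either interface: 'forward' or 'drop'."""
        key = flow_key(p)
        if key in self.bad_flows:          # rest of a flagged session: detection not run at all
            return "drop"
        if BAD_PATTERN in p.payload:       # detection engine verdict on a new packet
            self.alerts.append(f"malicious packet in session {key}")
            self.bad_flows.add(key)        # mark the whole TCP session as bad
            return "drop"                  # never reaches the other interface
        return "forward"

def run(ips: InlineIPS, packets: List[Packet]) -> List[str]:
    """Pass a packet sequence through the device, returning one verdict per packet."""
    return [ips.handle(p) for p in packets]

# Constructed traffic: a legitimate session (203.0.113.5) interleaved with a
# session (198.51.100.9) whose second packet carries the flagged pattern.
SAMPLE = [
    Packet("203.0.113.5", 40001, "10.0.0.10", 80, b"GET / HTTP/1.1"),
    Packet("198.51.100.9", 51000, "10.0.0.10", 80, b"POST /cgi HTTP/1.1"),
    Packet("198.51.100.9", 51000, "10.0.0.10", 80, b"data=EXPLOIT-MARKER"),
    Packet("198.51.100.9", 51000, "10.0.0.10", 80, b"remainder of payload"),
    Packet("203.0.113.5", 40001, "10.0.0.10", 80, b"Host: www.example.com"),
]
```

The legitimate session is unaffected by the neighbouring bad one because state is kept per session, not per interface.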

Legitimate packets are passed through to the second interface and on to their intended
destination. A useful side effect of some NIPS products is that as a matter of course - in fact
as part of the initial detection process - they will provide “packet scrubbing” functionality
to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP
specification (or intentional packet manipulation).

Thus any fragmented packets, out-of-order packets, or packets with overlapping IP fragments
will be re-ordered and “cleaned up” before being passed to the destination host, and illegal
packets can be dropped completely. One thing to watch out for - don’t let the “reactive” IDS
vendors kid you into believing that they have intrusion prevention capabilities just because
they can send TCP reset commands or re-configure a firewall when they detect an attack (a
worrying piece of FUD that we have noticed in some IDS marketing literature recently).
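The “packet scrubbing” step, as an added example that is not part of the paper: fragments arriving in any order are reassembled, overlapping fragments are resolved by one fixed policy so the destination host never sees the ambiguity, and illegal fragments cause the datagram to be dropped. The (offset, bytes) fragment format is a simplification of IP fragmentation, and the first-received-wins overlap policy is one choice among several a real device might enforce.

```python
from typing import Dict, List, Optional, Tuple

MAX_LEN = 65535  # maximum IPv4 datagram size, used here as the legality bound

def scrub(fragments: List[Tuple[int, bytes]]) -> Tuple[Optional[bytes], List[str]]:
    """Normalise one datagram's fragments before anything reaches the host.

    Returns (payload, notes). Fragments may arrive in any order; where two
    fragments overlap, one fixed policy (first-received byte wins) decides, so
    the destination never sees the ambiguity; a fragment that would extend past
    MAX_LEN is illegal and the whole datagram is dropped (payload is None).
    """
    notes: List[str] = []
    seen: Dict[int, int] = {}  # absolute byte offset -> byte value, filled in arrival order
    for off, data in fragments:
        if off < 0 or off + len(data) > MAX_LEN:
            notes.append(f"illegal fragment at offset {off}: datagram dropped")
            return None, notes
        conflict = False
        for i, b in enumerate(data):
            pos = off + i
            if pos in seen:
                conflict |= seen[pos] != b   # same offset, different data
                continue                    # keep the first-received byte
            seen[pos] = b
        if conflict:
            notes.append(f"overlapping fragment at offset {off}: later conflicting data discarded")
    if any(pos not in seen for pos in range(len(seen))):   # a hole means a fragment is missing
        notes.append("gap in datagram: incomplete, not forwarded")
        return None, notes
    return bytes(seen[pos] for pos in range(len(seen))), notes

# Constructed fragment sets, each entry being (offset, payload bytes).
OUT_OF_ORDER = [(6, b"WORLD"), (0, b"HELLO ")]
OVERLAPPING = [(0, b"HELLO "), (6, b"WORLD"), (4, b"??WORLD")]  # bytes 4-5 conflict
ILLEGAL = [(0, b"HELLO "), (MAX_LEN - 3, b"OVERRUN")]
```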

The problem here is that unless the attacker is operating on a 2400 baud modem, the
likelihood is that by the time the IDS has detected the offending packet, raised an alert, and
transmitted the TCP Resets - and especially by the time the two ends of the connection have
received the Reset packets and acted on them (or the firewall or router has had time to activate
new rules to block the remainder of the flow) - the payload of the exploit has long since
been delivered... game over! Our guess is that there are not many crackers using 2400 baud
modems these days.

A true IPS device, however, is sitting in-line - all the packets have to pass through it.
Therefore, as soon as a suspicious packet has been detected - and before it is passed to the
internal interface and on to the protected network - it can be dropped. Not only that, but now
that flow has been flagged as suspicious, all subsequent packets that are part of that session
can also be dropped with very little additional processing. Oh, and for good measure, some
products are also capable of sending TCP Resets or ICMP Unreachable messages to the
attacking host.