they notify you, typically by pager, e-mail, or an SNMP trap. Intrusion-detection products may also have automated responses that can cut short a hacker's visit to your network within milliseconds.
Complementary Technologies
There are two kinds of intrusion-detection products: host-based and network-based.
Host-based products have an agent running on each protected host. Examples include the Kane Security Monitor, from Intrusion Detection; OmniGuard/Intruder Alert, from Axent Technologies; and Stalker, WebStalker Pro, and ProxyStalker, from Trusted Information Systems. The agent sends a regular heartbeat, as well as alarms, to a management station. The heartbeat ensures that the management station can detect a denial of service aimed at overwhelming a host so that it's unable to respond or do normal work.
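The heartbeat idea is simple enough to show in code. The following is an added example, not code from the article or from any product it names: a management-station tracker that records every agent message and flags hosts that have gone quiet for longer than a grace period. The host names, the heartbeat interval and the sample traffic are all constructed.

```python
"""Constructed example of a management-station heartbeat tracker.

Each agent is assumed to send a heartbeat every HEARTBEAT_INTERVAL
seconds. The station records the last time it heard from each host and,
on each sweep, reports hosts silent for longer than the grace period.
A silent host may be down, cut off from the network, or so overwhelmed
by a denial of service that its agent cannot run. All names are made up.
"""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 60.0   # seconds between agent heartbeats (assumed)
MISSED_BEATS_ALLOWED = 2    # tolerate this many missed beats before alarming


@dataclass
class HeartbeatTracker:
    interval: float = HEARTBEAT_INTERVAL
    missed_allowed: int = MISSED_BEATS_ALLOWED
    last_seen: dict = field(default_factory=dict)

    def record(self, host: str, kind: str, now: float) -> None:
        """Any agent message, heartbeat or alarm, proves the host is alive."""
        if kind not in ("heartbeat", "alarm"):
            raise ValueError(f"unknown message kind {kind!r}")
        self.last_seen[host] = now

    def silent_hosts(self, now: float) -> list:
        """Hosts whose last message is older than the grace period."""
        limit = self.interval * (self.missed_allowed + 1)
        return sorted(h for h, t in self.last_seen.items() if now - t > limit)


def run_sample() -> list:
    """Replay constructed agent traffic and return the hosts flagged at t=400."""
    tracker = HeartbeatTracker()
    # (time, host, message kind): constructed sample traffic.
    # mail1 falls silent after t=60; db1's last message is an alarm at t=300,
    # which still counts as a sign of life.
    events = [
        (0, "web1", "heartbeat"), (0, "db1", "heartbeat"), (0, "mail1", "heartbeat"),
        (60, "web1", "heartbeat"), (60, "db1", "heartbeat"), (60, "mail1", "heartbeat"),
        (120, "web1", "heartbeat"), (120, "db1", "heartbeat"),
        (180, "web1", "heartbeat"), (240, "web1", "heartbeat"),
        (300, "db1", "alarm"), (300, "web1", "heartbeat"), (360, "web1", "heartbeat"),
    ]
    for t, host, kind in events:
        tracker.record(host, kind, t)
    return tracker.silent_hosts(400.0)
```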
Network-based monitors sit on the network capturing packets and matching what they see with known attack patterns. Examples include Internet Security Systems' RealSecure, Network Associates' CyberCop, and NetRanger (introduced by WheelGroup but now a Cisco product). They, too, generate alarms when they see something suspicious and may also send a heartbeat to a central console.
Each approach has its strengths and weaknesses. Advantages of network-based detection include:
Faster detection:
A network-based monitor will typically detect a problem in seconds or milliseconds. Most host-based approaches depend on auditing logs every few minutes.
Less visible:
A monitor is less visible and accessible than a host, and thus less vulnerable to attack. Unlike a host, a network-based monitor doesn't have to respond to pings, allow access to its local storage, let users run programs on it, or allow access to multiple users.
Bigger perimeter:
The network-based approach may be able to stop an attack at the perimeter of the network, before the perpetrator ever accesses a host.
Fewer monitors:
You need fewer monitors because one monitor can protect a shared network segment. In contrast, you need an agent per host, which can be costly and hard to manage. On the other hand, in switched environments, you may need a monitor per host, too, because every host is on its own segment.
Fewer resources:
It doesn't take up any resources on the protected device.
The host-based approach also has its advantages:
More cost-effective:
It may be more cost-effective for small numbers of hosts.
More granular:
It can easily monitor activities, such as access to sensitive files, directories, programs, or ports, that are difficult to deduce from protocol-based clues.
Tighter perimeter:
Once a perpetrator has obtained a password and user name for a host, the host-based agent has the best chance of distinguishing harmful from normal activities.
More customizable:
Per-host customization is easy with a separate agent for each host.
Fewer hosts:
The host-based approach may not require a dedicated hardware platform.
Less traffic-sensitive:
An agent is unlikely to miss any activity due to traffic loads.
These two approaches complement one another. One possible strategy is to implement network-based monitoring and add agents on particularly sensitive hosts.
Real-time intrusion detection also differs from programs such as TripWire, a freeware utility that creates checksums for critical files. Normally run once a day, TripWire notifies you if a file changes, possibly indicating corruption or virus infection. While very useful, this is not real-time intrusion detection.
Cisco's NetRanger
NetRanger, introduced in March 1996 by WheelGroup, is based on years of field experience. The product has two components: the sensor ($9000), which monitors packets and generates alarms, and the director ($10,000), which receives and correlates alarms and initiates responses.
You'll also need at least a Pentium PC for the sensor and a Sun SparcStation running OpenView or NetView for the director. Both run Sun's Solaris. Your hardware and software costs will be $13,000 for a sensor and $25,000 for a director.
NetRanger has a reputation for high performance. It is also highly scalable. Directors can coordinate information from multiple sites and watch for attacks that span an enterprise. NetRanger's biggest claim to fame is its enterprise focus. One indication of this focus is the distribution channel, which includes companies such as EDS, Perot Systems, and IBM Global Services -- all serving large clients with large global networks.
NetRanger works well across global WANs. For instance, it has a path-doubling feature. If one link goes down, information can flow along an alternate path. It is feasible to watch a global network from a single point or to outsource monitoring to a third party.
Another NetRanger strength is considering context (i.e., clues gained from multiple packets) as well as single-packet contents when looking for possible problems. This can be important, because a perpetrator may access a port in character mode and then send one character per packet. If a monitor thinks only in terms of single packets, it will never see the whole message.
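To make the point concrete, here is an added example (not NetRanger's code or any vendor's) that contrasts a monitor matching one packet at a time with one that keeps a small per-connection buffer. The signature string, connection identifiers and packets are all constructed stand-ins.

```python
"""Constructed example: a packet monitor with and without per-connection
context. The signature and both sessions are made up for illustration.
"""
from collections import defaultdict

SIGNATURE = b"known-bad-string"   # placeholder for a real attack signature
MAX_CONTEXT = 4096                # payload bytes retained per connection


def match_per_packet(packets):
    """Naive monitor: test each packet payload in isolation.
    packets is a list of (connection_id, payload_bytes)."""
    return [conn for conn, payload in packets if SIGNATURE in payload]


def match_with_context(packets):
    """Context-aware monitor: append each payload to a bounded
    per-connection buffer and test the buffer, so a string split across
    packets still matches. Each connection is reported at most once."""
    buffers = defaultdict(bytes)
    hits = []
    for conn, payload in packets:
        buffers[conn] = (buffers[conn] + payload)[-MAX_CONTEXT:]
        if SIGNATURE in buffers[conn] and conn not in hits:
            hits.append(conn)
    return hits


def build_sample_packets():
    """Two constructed sessions to the same server: A sends the request in
    one packet; B, in character mode, sends one byte per packet."""
    request = b"GET /" + SIGNATURE + b" HTTP/1.0\r\n"
    conn_a = ("10.0.0.5", 1025, "192.0.2.10", 80)
    conn_b = ("10.0.0.6", 1026, "192.0.2.10", 80)
    packets = [(conn_a, request)]
    packets += [(conn_b, bytes([byte])) for byte in request]
    return packets


def demo():
    """Return (hits_without_context, hits_with_context) for the sample."""
    packets = build_sample_packets()
    return match_per_packet(packets), match_with_context(packets)
```

The single-packet matcher sees only session A; the buffered matcher catches both, because session B's one-byte packets are reassembled before the signature is tested.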
NetRanger is one of the most sophisticated network-based intrusion-detection products on the market today, according to Jude O'Reilley, a research analyst with the GartnerGroup (Stamford, CT).
However, NetRanger's very strengths can turn out to be weaknesses for some users. It is designed for use in a network operations center (NOC) and for integration under OpenView or NetView. Its configuration requires detailed Unix knowledge. NetRanger is also relatively expensive. These won't suit the typical LAN administrator very well.
Network Associates' CyberCop
Network Associates is the result of a 1997 merger between Network General, of Sniffer fame, and McAfee Associates, known for its antivirus expertise. CyberCop uses NetRanger's engine and database of attack signatures, which Network Associates licensed from Cisco. Network Associates created its own browser-based graphical front end.
CyberCop is basically NetRanger packaged for the LAN administrator -- Network Associates' main customer base. The software is more expensive than NetRanger: $9000 for a sensor and $15,000 for a server. However, the platform is a Dell PC running Solaris 2.5.1. (CyberCop is typically sold preinstalled.) The cost for the platform is about $3000 for a sensor and $5000 for a server.
In addition, CyberCop is designed as a network appliance. Network Associates says it should typically take 20 minutes to install. The company has created six standard configurations for the typical situations it expects to see: mixed Windows NT and Unix subnet, Unix subnet, NT subnet, remote access, perimeter (e.g., an Internet connection), and backbone. It lacks a NetWare configuration.
The browser front end is designed for ease of use and draws on Network General's experience in condensing packet data and making it easy for users to view and understand. Expert knowledge is built into help files, as it is with the Sniffer. CyberCop can also create trace files readable by a Sniffer. CyberCop lacks some enterprise features of NetRanger, such as path doubling.
Network Associates plans a number of acquisitions and partnerships in the security arena, says Katherine Stolz, product manager for CyberCop. "We will be setting the tone for large-scale security. We are going to be a holistic provider."
Internet Security Systems' RealSecure
RealSecure's strong points include simplicity and low cost, says the GartnerGroup's O'Reilley. Like NetRanger and CyberCop, RealSecure has a two-component architecture. Engines monitor packets and generate alarms. Consoles receive alarms and provide a central point for configuration and database reporting. Both run under NT, Solaris, SunOS, and Linux. You can mix and match OSes. They can run on commodity PCs.
For small installations, it is possible to run the console software on the same machine as the engine. That's not possible with NetRanger and CyberCop. The RealSecure engine costs about $10,000; console software is free. One engine can report to multiple consoles. One console can manage multiple engines.
RealSecure can reconfigure the FireWall-1 from Check Point Software. ISS has plans for reconfiguring Cisco routers, according to Mark Wood, manager of intrusion-detection technology. ISS is also working on an OpenView application for RealSecure, according to Wood.
Intrusion Detection's Kane Security Monitor for NT
Kane Security Monitor (KSM) for NT, a host-based monitor, was introduced in September 1997. It has three architectural components: an auditor, a console, and agents. The agents browse NT logs and forward statistics to the auditor. The security administrator uses the console GUI to receive alerts and look at historical reports and real-time activity. KSM costs $1495 per protected server (auditor and console included). Add workstation agents to this for $295 each.
KSM is particularly strong in TCP/IP monitoring, according to David Brussin, a senior consultant with Miora Systems Consulting, a security specialist in Playa Del Rey, California. He adds, however, that Intrusion Detection's products are not designed for speedy WAN performance.
Intrusion Detection will release an OpenView application for KSM this quarter, according to Robert Kane, founder and CEO. Integration with the Tivoli Management Environment (TME) will follow toward the end of the year. In the future, Intrusion Detection plans to support Unix, Microsoft BackOffice, and Novell NetWare.
Axent Technologies' OmniGuard/Intruder Alert
The three architectural components of OmniGuard/Intruder Alert (ITA) are a manager ($1995), console (free), and agents ($995 per server, $95 per workstation). They correspond to KSM's auditor, console, and agents.
ITA offers much broader platform coverage than Intrusion Detection's KSM. It runs on Windows NT, 95, and 3.1; NetWare 3.x and 4.x (manager and agent only); and various versions of Unix, including Solaris, SunOS, IBM AIX, HP-UX, and Digital Equipment Unix.
You can customize ITA using solution packs for major OSes, firewall vendors, Web-server vendors, database applications, and router manufacturers. Axent acquired firewall vendor Raptor in February and will enhance ITA to reconfigure Raptor firewalls.
Trusted Information Systems' Stalkers
Stalker, introduced in 1993 by Haystack Labs, is a host-based monitor for NT and various versions of Unix, including Solaris, AIX, HP-UX, and The Santa Cruz Operation's UnixWare. Pricing for version 2.1 was $9995 for the manager and $695 for each agent. At press time, pricing had not been announced for version 3.0, which should be out now.
WebStalker Pro, which was introduced by Haystack Labs in June 1996, runs under the same OSes as Stalker. It specifically addresses Web servers. It costs $4995 for Unix and $2995 for NT. A version of WebStalker ships with Sun's Netra Web server. IBM Global Services also resells WebStalker.
Trusted Information Systems, maker of the NT-based Gauntlet firewall, bought Haystack in October 1997. In December 1997, it announced ProxyStalker, a monitor that runs only under NT and is designed for Microsoft Proxy Server 2.0. At press time, ProxyStalker was expected out in the first quarter. Pricing had not been announced, but it was expected to be commensurate with Proxy Server, which costs less than $1000.
All three Stalker products can reconfigure Gauntlet firewalls, and all three are able to terminate attacks as well as detect them. For instance, WebStalker Pro can terminate a log-in or a process, or restart the Web server. The Stalker family also integrates with TME.
An Alarming Conclusion
Intrusion detection is only one part of a complete security program. It's no use installing burglar alarms, for instance, if you don't lock the doors with proper authentication, authorization, and encryption.
"Intrusion detection is for the customer who has already taken the steps to put together good strong firewalling and an authentication process. Intrusion detection offers an added layer of security," says John Freres, president of N2N Solutions, a security integrator in Mount Prospect, Illinois.
In addition, many if not most security breaches are based on social engineering -- which, in plain language, often means tricking users into revealing passwords. Therefore, education is fundamental to making security technology work. Users must understand what they're supposed to do and what they're not supposed to do -- such as ever giving their passwords out over the phone.
In the context of a well-planned security program, intrusion-detection products can help a security manager sleep at night.
Where to Find
Axent Technologies
Rockville, MD
Phone: 800-298-2620
Phone: 301-258-5043
Internet: http://www.axent.com