Network Intrusion Detection

RealSecure from Information Security System

Name: Jen Luo

Date: Mar 26, 2001

As misuse intrusions follow well-defined patterns they can be detected by doing pattern matching on audit-trail information. For example, an attempt to create a setuid file can be caught by examining log messages resulting from system calls. This can be done using a pattern matching approach. Anomalous intrusions are detected by observing significant deviations from normal behavior.

RealSecure is one of software applications of Network Intrusion Detection System using SAMP (Suspicious Activity Monitoring Protocol). It provides end-to-end protection from internal and external threats against the network assets. RealSecure detection components monitor network and server activity for signs of malicious intent, such as denial of service attacks, unauthorized access attempts, and pre-attack reconnaissance probes. When RealSecure detects such activity, the system can respond in a variety of ways, including recording the event, notifying the network administrator immediately, and terminating the attack automatically.

The RealSecure system uses distributed client-server architecture and its components fall into two functional categories:

a) Sensors. A class of modules that provide automated detection and response to threats. These modules are installed at strategic locations throughout the enterprise network and include a network Sensor that monitors network traffic in real time for signs of malicious intent and responds automatically.

A Server Sensor that monitors both inbound and outbound network traffic directed at a single host as well as the operating-system log entries and key system files for indications of intrusion or unauthorized activity.

An OS Sensor that monitors operating-system log entries and key system files for indications of unauthorized activity and responds automatically.

b) Managers. A class of modules that provide for configuration of the sensors as well as detailed management of the threat data generated by the sensors. All management of RealSecure sensors is accomplished across a secure communications channel.

RealSecure sensors are policy enforcement engines. The basic structure of a RealSecure sensor can be viewed as a generic-processing module. The inputs to the system include the user or administrator specified configuration rules as well as the raw data source used to detect threats. For Network Sensors, this data source is raw network packets; for the OS Sensor, this data source is operating system log entries. The outputs of the system include the threat responses that the system initiates. The sensor itself receives the data, compares it against the signature base, which is a precompiled database list of known intrusion activity. If there's a match, initiates the appropriate response. The signature base comes from ISS' XForce research and development team and is the most comprehensive database of attack signatures in the industry today. Additionally, user-defined signatures are also available in both the Network Sensor and the OS Sensor, supporting customization.

The RealSecure Network Sensor is installed on a host having a network adapter card. RealSecure puts the adapter card in promiscuous mode so that it receives all the traffic on the local network segment. If a packet meets the filter criteria currently in force, it is parsed through decode and attack recognition logic. Each active session is maintained and tracked, so that attack patterns that span many packets can be detected. This way, when an "interesting event" is detected, the appropriate actions can be taken. The OS Sensor runs as a process on a server. When a new log file entry is generated by the operating system, the operating system interrupts the OS Sensor. The OS Sensor reads the new log entry, compares it against the signatures currently in force, if a match is found, initiates the appropriate responses. Some signatures span multiple log entries, so the OS Sensor also maintains the state of several user activity and Workgroup Managers at the same time. This is useful for environments where there are geographical or organizational management boundaries.

With regard to placement of RealSecure sensors, the best rule is to place a RealSecure Network Sensor on each segment where there is critical data to protect, or a set of users that should be monitored. A RealSecure Network Sensor will only see the traffic that is on the local network segment. Since routers, bridges, switches, and firewalls prevent traffic from being copied to inappropriate segments, several RealSecure engines will be needed for complete coverage of the critical network resources.

A Server Sensor should also be installed on all servers containing critical information. These include everything from internal file servers to external DMZ devices and communications servers.

The actions taken upon detection of an attack or unauthorized activity are determined by the administrator. It fall into three categories:

The last option ("Execute a user-specified program") can be used to initiate any response that can be expressed in an executable binary (or batch file/shell script) form. Examples include initiating a pager call, playing a sound, or reconfiguring a network device that does not have an API for management.

It is important to have a good Networking Intrusion Detection System to secure your network. Intrusion Detection System can not replace firewall in the network but an addition security method to secure your network. RealSecure from ISS is one of many software applications of Networking Intrusion Detection system. It combines the misuse model and anomaly model. It meets the basic requirements of network security but still in the stage of improvement. It can not solve all the problems occurring in the networking today but provide the necessary step to prevent malicious activity to damage the network system.

Bibliography

Avi Golan, "check point realsecure", Mar 11, 2001

http://www.checkpoint.com/products/firewall-1/realsecure.html