Network Intrusion Detection

RealSecure from Information Security System

Name: Jen Luo

Date: Mar 26, 2001


An Intrusion Detection System, or IDS for short, attempts to detect an intruder breaking into your system or a legitimate user misusing the system. The IDS runs constantly in the background of the system and informs the user if anything suspicious or illegal occurs. There are two sources of intrusion to detect: insider intrusion and outside intrusion. Most people perceive the outside world to be the largest threat to their security, and the media scare over "hackers" coming in over the Internet has only heightened this perception. FBI studies, however, have revealed that 80% of intrusions and attacks come from within organizations. Think about it - an insider knows the layout of your system, where the valuable data is and what security precautions are in place. So despite the fact that most security measures are put in place to protect the inside from a malevolent outside world, most intrusion attempts actually occur from within an organization. A mechanism is needed to detect both kinds of intrusion - a break-in attempt from the outside and a knowledgeable insider attack - and an effective intrusion detection system detects both. By the way they are detected, intrusions can be categorized as misuse intrusions and anomaly intrusions, giving two detection models:

Misuse detection model: the intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities.

Anomaly detection model: the intrusion detection system detects intrusions by looking for activity that differs from a user's or system's normal behavior.

As misuse intrusions follow well-defined patterns, they can be detected by pattern matching on audit-trail information. For example, an attempt to create a setuid file can be caught by examining the log messages that result from system calls and matching them against the known pattern. Anomalous intrusions are detected instead by observing significant deviations from normal behavior.
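The two models side by side, as an added example that is not part of the original report and not ISS code. The audit-trail lines, the baseline counts and the log format are constructed for the example; the misuse half matches the setuid pattern mentioned above against each line, and the anomaly half flags a user whose activity today deviates sharply from that user's own baseline.

```python
import re
import statistics

# Constructed audit-trail lines for the example (not real RealSecure or
# syslog output).  Format: "<time> <user> <syscall> <arguments...>".
AUDIT_TRAIL = [
    "10:00:01 alice chmod 0644 /home/alice/notes.txt",
    "10:00:05 bob chmod 4755 /tmp/sh_copy",            # numeric setuid bit
    "10:00:09 carol open /etc/passwd",
    "10:00:12 bob chown root /tmp/sh_copy",
    "10:00:20 dave chmod u+s /usr/local/bin/helper",   # symbolic setuid bit
]

# Misuse model: a signature describes a known intrusion technique.  This one
# matches any chmod whose mode sets the setuid bit, either numerically (first
# digit 4, 5, 6 or 7 all include the setuid bit) or symbolically ("u+s").
SETUID_SIGNATURE = re.compile(
    r"^\S+ (?P<user>\S+) chmod (?P<mode>[4-7]\d{3}|\S*u\+s\S*) (?P<path>\S+)$"
)


def misuse_detect(lines):
    """Return (user, path) for every audit line matching the setuid signature."""
    hits = []
    for line in lines:
        match = SETUID_SIGNATURE.match(line)
        if match:
            hits.append((match.group("user"), match.group("path")))
    return hits


# Anomaly model: build a profile of normal behaviour and flag significant
# deviation.  Constructed baseline: failed logins per user per day for the
# previous seven days, plus today's counts.
BASELINE_FAILED_LOGINS = {
    "alice": [0, 1, 0, 2, 1, 0, 1],
    "bob":   [1, 0, 1, 1, 0, 2, 1],
}
TODAY_FAILED_LOGINS = {"alice": 1, "bob": 14, "mallory": 3}


def anomaly_detect(baseline, today, threshold=3.0):
    """Flag users whose count today lies more than `threshold` standard
    deviations above their own baseline mean (a simple z-score test).
    A user with no baseline is flagged too: unprofiled activity is itself
    a deviation from the known normal."""
    flagged = {}
    for user, count in today.items():
        history = baseline.get(user)
        if not history:
            flagged[user] = "no baseline"
            continue
        mean = statistics.mean(history)
        # A perfectly flat history has zero spread; use 1.0 so any change shows
        spread = statistics.pstdev(history) or 1.0
        z = (count - mean) / spread
        if z > threshold:
            flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("misuse hits:", misuse_detect(AUDIT_TRAIL))
    print("anomalies:", anomaly_detect(BASELINE_FAILED_LOGINS, TODAY_FAILED_LOGINS))
```

The signature catches bob and dave whatever their history looks like; the z-score catches bob's fourteen failed logins only because his own week of history is low and flat, which is the trade-off the text describes: signatures need the pattern known in advance, anomaly profiles need a trustworthy baseline.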

What is RealSecure?

RealSecure is a network intrusion detection application that uses SAMP (Suspicious Activity Monitoring Protocol). It provides end-to-end protection of network assets against internal and external threats. RealSecure detection components monitor network and server activity for signs of malicious intent, such as denial of service attacks, unauthorized access attempts, and pre-attack reconnaissance probes. When RealSecure detects such activity, the system can respond in a variety of ways, including recording the event, notifying the network administrator immediately, and terminating the attack automatically.

What components comprise the RealSecure system?

The RealSecure system uses a distributed client-server architecture, and its components fall into two functional categories:

a) Sensors. A class of modules that provide automated detection of and response to threats. These modules are installed at strategic locations throughout the enterprise network and include:

A Network Sensor that monitors network traffic in real time for signs of malicious intent and responds automatically.

A Server Sensor that monitors both inbound and outbound network traffic directed at a single host, as well as the operating-system log entries and key system files, for indications of intrusion or unauthorized activity.

An OS Sensor that monitors operating-system log entries and key system files for indications of unauthorized activity and responds automatically.

b) Managers. A class of modules that provide for configuration of the sensors as well as detailed management of the threat data generated by the sensors. All management of RealSecure sensors is accomplished across a secure communications channel.

How do the RealSecure sensors work?

RealSecure sensors have a similar structure, although they vary considerably in what they detect and how they respond.

RealSecure sensors are policy enforcement engines. The basic structure of a RealSecure sensor can be viewed as a generic processing module. Its inputs are the configuration rules specified by the user or administrator and the raw data source used to detect threats: for the Network Sensor this data source is raw network packets, for the OS Sensor it is operating system log entries. Its outputs are the threat responses that the sensor initiates. The sensor receives the data and compares it against the signature base, a precompiled database of known intrusion activity; if there is a match, it initiates the appropriate response. The signature base comes from ISS' X-Force research and development team and is the most comprehensive database of attack signatures in the industry today. Additionally, user-defined signatures are available in both the Network Sensor and the OS Sensor, supporting customization.

The RealSecure Network Sensor is installed on a host with a network adapter card. RealSecure puts the adapter into promiscuous mode so that it receives all the traffic on the local network segment. If a packet meets the filter criteria currently in force, it is passed through the decode and attack-recognition logic. Each active session is maintained and tracked, so that attack patterns spanning many packets can be detected. This way, when an "interesting event" is detected, the appropriate actions can be taken. The OS Sensor runs as a process on a server. When the operating system generates a new log file entry, it interrupts the OS Sensor; the OS Sensor reads the new entry, compares it against the signatures currently in force and, if a match is found, initiates the appropriate responses. Some signatures span multiple log entries, so the OS Sensor also maintains the state of several user activities and Workgroup Managers at the same time. This is useful for environments where there are geographical or organizational management boundaries.
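A miniature of the Network Sensor pipeline just described (filter, decode, per-packet signature match, per-source state for patterns that span many packets), as an added example that is neither RealSecure's code nor an X-Force signature. The Packet class, the monitored segment, the content signature and the sample traffic are all constructed for the example; the stateful part detects the kind of reconnaissance probe the report mentions by counting distinct destination ports one source has attempted within a time window.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Decoded fields of one packet (constructed; a real sensor decodes them
    from the raw frame captured in promiscuous mode)."""
    ts: float        # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "PA"
    payload: bytes


# Single-packet signature: known content that identifies a probe.
# Constructed pattern for illustration, not an entry from the ISS signature base.
CONTENT_SIGNATURES = {
    "finger-root-probe": re.compile(rb"^root\r?\n$"),
}


class NetworkSensor:
    """Keeps per-source state so a pattern spread over many packets, such as
    connection attempts to many different ports, can be recognised."""

    def __init__(self, segment="10.0.1.0/24", window=10.0, port_threshold=5):
        self.segment = ipaddress.ip_network(segment)
        self.window = window                    # seconds of history kept per source
        self.port_threshold = port_threshold    # distinct ports before alerting
        self.syn_history = defaultdict(deque)   # src -> deque of (ts, dport)
        self.alerted = set()                    # sources already reported

    def passes_filter(self, pkt):
        # Filter criteria in force: only traffic to the protected segment is inspected.
        return ipaddress.ip_address(pkt.dst) in self.segment

    def inspect(self, pkt):
        """Return the list of (event_name, source) events raised by this packet."""
        events = []
        if not self.passes_filter(pkt):
            return events

        # Stateless check: match the payload against each content signature.
        for name, sig in CONTENT_SIGNATURES.items():
            if sig.search(pkt.payload):
                events.append((name, pkt.src))

        # Stateful check: a bare SYN is a new connection attempt.  Count the
        # distinct destination ports one source has tried inside the window.
        if "S" in pkt.flags and "A" not in pkt.flags:
            history = self.syn_history[pkt.src]
            history.append((pkt.ts, pkt.dport))
            while history and pkt.ts - history[0][0] > self.window:
                history.popleft()               # expire attempts outside the window
            ports = {port for _, port in history}
            if len(ports) >= self.port_threshold and pkt.src not in self.alerted:
                self.alerted.add(pkt.src)       # report a source once, not per packet
                events.append(("port-scan", pkt.src))
        return events


# Constructed traffic: a normal web client, one source probing five ports, a
# finger query for "root", and a packet to a segment this sensor does not cover.
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.1.20", "10.0.1.5", 80, "S", b""),
    Packet(1.1, "10.0.1.20", "10.0.1.5", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    Packet(2.0, "192.0.2.10", "10.0.1.5", 21, "S", b""),
    Packet(2.5, "192.0.2.10", "10.0.1.5", 22, "S", b""),
    Packet(3.0, "192.0.2.10", "10.0.1.5", 23, "S", b""),
    Packet(3.5, "192.0.2.10", "10.0.1.5", 25, "S", b""),
    Packet(4.0, "192.0.2.10", "10.0.1.5", 80, "S", b""),
    Packet(5.0, "192.0.2.10", "10.0.1.5", 79, "PA", b"root\n"),
    Packet(6.0, "192.0.2.10", "10.0.2.9", 22, "S", b""),   # other segment: not seen here
]


def run_sensor(packets, sensor=None):
    """Feed packets through one sensor and collect every event raised."""
    sensor = sensor or NetworkSensor()
    events = []
    for pkt in packets:
        events.extend(sensor.inspect(pkt))
    return events


if __name__ == "__main__":
    for event in run_sensor(SAMPLE_PACKETS):
        print(event)
```

The last packet shows the placement point made in the next paragraph: a sensor only reports on the segment it can see, so the attempt against 10.0.2.9 is invisible to this one and would need a sensor on that segment.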

With regard to placement of RealSecure sensors, the best rule is to place a RealSecure Network Sensor on each segment where there is critical data to protect, or a set of users that should be monitored. A RealSecure Network Sensor will only see the traffic that is on the local network segment. Since routers, bridges, switches, and firewalls prevent traffic from being copied to inappropriate segments, several RealSecure engines will be needed for complete coverage of the critical network resources.

A Server Sensor should also be installed on all servers containing critical information. These include everything from internal file servers to external DMZ devices and communications servers.

How does RealSecure respond to attacks?

The actions taken upon detection of an attack or unauthorized activity are determined by the administrator. They fall into three categories:

Network Sensor                         Host Sensor
-------------------------------------  -------------------------------------
Send alarm to console                  Send alarm to console
Send e-mail                            Send e-mail
Send SNMP trap
View active session
Notify Lucent Management Server
Log summary                            Log summary
Record network session
Kill connection (TCP Reset)            Terminate user session
Reconfigure Check Point Firewall-1     Disable user account
                                       Block network traffic (Server Sensor)
Execute a user-specified program       Execute a user-specified program

The last option ("Execute a user-specified program") can be used to initiate any response that can be expressed in an executable binary (or batch file/shell script) form. Examples include initiating a pager call, playing a sound, or reconfiguring a network device that does not have an API for management.
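A response dispatcher of the kind the table describes, added here as an example that is not RealSecure's code or configuration format. The policy table, the event fields and the stand-in "pager" program are constructed; the point it adds to the text is how to hand an event to a user-specified program safely: the program is an argv list run without a shell, and the event fields, which include values taken from the wire such as a source address, travel in an environment variable rather than being spliced into a command line.

```python
import json
import os
import subprocess
import sys

# Constructed response policy (not RealSecure's configuration format): which
# of the table's responses run for each event priority.
RESPONSE_POLICY = {
    "high":   ["console", "email", "log_summary", "exec_program"],
    "medium": ["console", "log_summary"],
    "low":    ["log_summary"],
}

# Stand-in for an operator's own program: a one-line Python script that
# pretends to page the on-call engineer.  It reads the event from the
# IDS_EVENT environment variable, never from an interpolated command line.
DEMO_USER_PROGRAM = [
    sys.executable, "-c",
    "import json, os; e = json.loads(os.environ['IDS_EVENT']); "
    "print('paged on-call for', e['name'], 'from', e['source'])",
]


class Responder:
    """Dispatches the configured responses for an event.  Notifications and
    log entries are collected in memory so the example runs offline."""

    def __init__(self, user_program=DEMO_USER_PROGRAM):
        self.user_program = user_program    # argv list, never a shell string
        self.console = []
        self.outbox = []
        self.summary_log = []

    def console_alarm(self, event):
        self.console.append(
            f"ALARM {event['priority'].upper()}: {event['name']} from {event['source']}")
        return "console"

    def email(self, event):
        self.outbox.append({"to": "security@example.com",
                            "subject": f"[IDS] {event['name']}",
                            "body": json.dumps(event)})
        return "email"

    def log_summary(self, event):
        self.summary_log.append((event["ts"], event["name"], event["source"]))
        return "log_summary"

    def exec_program(self, event):
        # Fixed argv plus shell=False (the default): fields such as the source
        # address come from the attacker's own packets, so a shell would honour
        # any metacharacters they contain.  The event travels in the environment.
        env = dict(os.environ, IDS_EVENT=json.dumps(event))
        result = subprocess.run(self.user_program, env=env, capture_output=True,
                                text=True, timeout=10, check=True)
        return result.stdout.strip()

    def respond(self, event):
        """Run every response configured for the event's priority and return
        the (response, result) pairs in the order they ran."""
        handlers = {
            "console": self.console_alarm,
            "email": self.email,
            "log_summary": self.log_summary,
            "exec_program": self.exec_program,
        }
        taken = []
        for name in RESPONSE_POLICY.get(event["priority"], ["log_summary"]):
            taken.append((name, handlers[name](event)))
        return taken


# Constructed events, shaped as a sensor might raise them.
SAMPLE_EVENTS = [
    {"ts": 1.0, "name": "port-scan", "source": "192.0.2.10", "priority": "medium"},
    {"ts": 2.0, "name": "setuid-file-created", "source": "bob@host1", "priority": "high"},
]

if __name__ == "__main__":
    responder = Responder()
    for ev in SAMPLE_EVENTS:
        print(responder.respond(ev))
```

Active responses such as killing a connection or disabling an account are deliberately absent from the policy here; they carry the risk that a spoofed source triggers the sensor into cutting off a legitimate user, so they deserve a narrower policy than notification and logging do.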


It is important to have a good network intrusion detection system to secure your network. An intrusion detection system cannot replace the firewall in the network; it is an additional security measure that complements it. RealSecure from ISS is one of many network intrusion detection applications. It combines the misuse model and the anomaly model. It meets the basic requirements of network security but is still being improved. It cannot solve all the problems occurring in networking today, but it provides a necessary step toward preventing malicious activity from damaging the network system.


