Intrusion detection is the process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions. An intrusion is defined as an attempt to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms. Intrusion detection may be accomplished either by manually reviewing system-generated logs and taking appropriate action, or by using intrusion detection system software for automated review, analysis, and response to an intrusion.

Intrusion detection system (IDS) software monitors computer systems and network traffic and analyzes that data for possible hostile attacks originating from outside the court, as well as for system misuse or attacks originating from inside the enterprise. The main advantage of an intrusion detection system is that it provides a clearer view of server and network activity and issues alerts notifying system administrators of unauthorized or unusual activity.
Types of Intrusion Detection Systems
Currently two primary types of intrusion detection systems are available: host-based and network-based. Some vendors market either a host-based or a network-based product; however, the trend is to provide an integrated approach that combines both types of IDS products into a centrally managed product that improves network resistance to intrusions and provides greater flexibility in deployment of the products.

Host-Based - With the host-based system, the intrusion detection software resides on a server and monitors the server (and some application) logs for unauthorized access attempts and aberrant behavior patterns. The security administrator authors the host-based rules that trigger the analysis of the audit and event logs. The host-based system can then evaluate actions such as user login activity, user account activity, and application activity. Host-based systems analyze audit and event logs to look for aberrant patterns of local or remote users that may indicate unauthorized attempts to access the system(s).
Network-Based - The network-based type of IDS resides as an agent on LAN servers in the form of a sensor. It filters and analyzes network data packets in real-time and compares them against a database of known "attack signatures" or patterns. The attack signatures are known methods that intruders have employed in the past to penetrate a network.
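The two detection styles described above, written out as minimal rules in Python. This is an added illustration and not part of the original standard: a host-based rule that counts failed logins per user and source over constructed audit-log lines, and a network-based rule that compares constructed packet payloads against a small constructed signature database. The log lines, addresses, signature names, and patterns are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample audit-log lines (syslog style); not taken from any real system.
AUDIT_LOG = """\
Mar 10 09:01:02 fileserver sshd[411]: Failed password for clerk from 10.1.5.23
Mar 10 09:01:04 fileserver sshd[411]: Failed password for clerk from 10.1.5.23
Mar 10 09:01:06 fileserver sshd[411]: Failed password for clerk from 10.1.5.23
Mar 10 09:01:09 fileserver sshd[411]: Failed password for clerk from 10.1.5.23
Mar 10 09:01:12 fileserver sshd[411]: Accepted password for clerk from 10.1.5.23
Mar 10 09:15:40 fileserver sshd[502]: Failed password for judge1 from 10.1.7.8
Mar 10 09:16:01 fileserver sshd[502]: Accepted password for judge1 from 10.1.7.8
"""
FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")

def host_based_alerts(log_text, threshold=3):
    """Host-based rule: (user, source, count) for pairs with >= threshold failed logins."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
    return [(u, s, n) for (u, s), n in failures.items() if n >= threshold]

# Constructed signature database (name -> byte pattern); real signature files
# are far larger and arrive through the vendor's update subscription.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "oversized-request-field": re.compile(rb"A{200,}"),
}
# Constructed application payloads with source addresses; not real captures.
PACKETS = [
    (b"GET /index.html HTTP/1.0\r\n", "10.1.5.23"),
    (b"GET /../../config.txt HTTP/1.0\r\n", "203.0.113.9"),
    (b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n", "203.0.113.9"),
]

def network_based_alerts(packets):
    """Network-based rule: match every payload against every known signature."""
    alerts = []
    for payload, src in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src))
    return alerts

if __name__ == "__main__":
    print("host-based alerts:", host_based_alerts(AUDIT_LOG))
    print("network-based alerts:", network_based_alerts(PACKETS))
```

Note that the single failed login for judge1 stays below the threshold, which is the kind of tuning decision that drives the false-positive problem listed among the limitations below.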
Intrusion Detection Limitations:
· Intrusion detection systems will not compensate for weak authentication and identification mechanisms, network protocol weaknesses, or lack of a security policy.
· IDS software cannot analyze encrypted data or all data on a busy network.
· IDS software requires extensive resources to install, configure, and maintain.
· False positive detections can create administrative problems.
· IDS software will not always address problems involving packet-level attacks.
· IDS software will not work effectively with high-speed Asynchronous Transfer Mode (ATM) networks that use packet fragmentation to optimize bandwidth.
· IDS software cannot always protect itself from attack when running on a network server.
Intrusion Detection System Standards

Minimum Security Option
| Description | Benefits | Disadvantages |
| Enable logging on all servers and network devices and manually review logs on a regular basis. | Low cost (no additional hardware or software required, no personnel time required to implement and monitor IDS software). | Will not detect all intrusions. Intrusions that are detected are often after-the-fact. |

1. Logging processes shall be enabled on all host and server systems.
2. If a court has access to an un-trusted network, alarm and alert functions, as well as logging, of any firewalls installed and other network perimeter access control settings shall be enabled.
3. Procedures will be established for reviewing and investigating potential intrusions identified in the intrusion detection process.
4. Court management and legal counsel shall approve incident response procedures which, depending on severity, will include notifying the OCA and appropriate law enforcement.

1. Audit logs from the perimeter access control systems shall be reviewed on a daily basis.
2. Audit logs for servers and hosts on the internal, protected network shall be reviewed on a weekly basis.
Optimum Security Option
| Description | Benefits | Disadvantages |
| Minimum security requirements plus require network-based IDS (for those courts that have a LAN connected to the network). | Identifies intrusion attacks in real time and provides automatic notification. Strong security capabilities. | Costs associated with implementing and managing the IDS software. |

1. Logging processes shall be enabled on all host and server systems.
2. Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control settings shall be enabled.
3. If a court has access to an un-trusted network, network-based IDS tools will be installed which monitor for traffic patterns consistent with known attacks. Optimal location of the network sensors depends on the network architecture. Some options include:
Diagram 1 (below) illustrates the placement of IDS sensors:

The following factors shall be considered as part of the selection process for Intrusion Detection Systems:
· The vendor must be well established and financially viable. According to the Gartner Group, the following vendors are market leaders:
  o Axent Intruder Alert (host-based) and Axent Net Prowler (network-based)
  o Cisco Secure Intrusion Detection System (formerly NetRanger) (network-based)
  o Cybersafe Centrax (affiliation with TripWire) (host-based and network-based)
  o Computer Associates eTrust Intrusion Detection (formerly SessionWall-3) (network-based)
  o Internet Security Systems RealSecure (host-based and network-based)
  o Intrusion.com (host-based and network-based)
  o NFR Intrusion Detection Appliance (network-based)
  o Tripwire (host-based)
· Certified by the National Security Agency (NSA) or International Computer Security Association (ICSA).
· The IDS shall be able to work in conjunction with network management activity.
· The IDS product must be capable of adapting to the changing security needs of the organization.
· Subscription and signature updates will be included.
· Technical support services will be included.
· Training services will be included.
· System documentation will be included.
· The option of working with a vendor that can provide IDS as a managed service shall be evaluated alongside the "build your own" IDS approach.
4. The IDS system shall be configured to notify the administrator via e-mail, page, or network management traps in the event of intrusion detection.
5. The IDS administrator shall receive training in the operation and use of the IDS software.
6. Court management and legal counsel will approve incident response procedures which, depending on severity, will include notifying the OCA and appropriate law enforcement.
1. All system audit logs shall be reviewed on a daily basis.
2. Users will be trained to report any anomalies in system performance to the system administration staff. All trouble reports received by system administration staff must be reviewed for symptoms that may indicate intrusive activity.
3. Network-based IDS tools will be checked on a routine basis to ensure they are operating as intended.
4. Administrators shall stay up-to-date with IDS signature file (files used to identify potential intrusions based on network traffic characteristics) updates and implement the updates in a timely manner.
5. The system administration personnel will establish relationships with incident response organizations, including the OCA and the DIR, and share relevant threats, vulnerabilities, and incidents discovered.
Maximum Security Option
| Description | Benefits | Disadvantages |
| Optimum security requirements plus require use of integrated host-based IDS software. | Provides the most complete intrusion detection (both network-based and host-based). | Costs associated with implementing and installing host-based and network-based IDS software. |
In addition to the standards listed in the Optimum Security Option, the following standards will apply to the Maximum Security Option:
1. All critical servers shall also have host-based IDS tools loaded to detect modifications, as a supplement to the activity logging process provided by the operating system. The host-based and network-based IDS tools shall be integrated.
1. All audit logs shall be reviewed on a daily basis.
2. IDS systems will be checked and maintained on an annual basis for proper function and configuration.