Intrusion Detection System: Theory and Practice

Source: Internet
Author: User


Since computers are connected through networks, network security has become a major problem. As the INTERNET develops, the demands placed on security systems keep growing, and one of those demands is for intrusion detection systems.
This article introduces several common intrusion detection systems together with their theory and practice. Note that it is only an introduction: even though I recommend a number of possible systems, you had better study them in depth before you trust their reliability. (A note on terminology: typing the full phrase every time is tiring, so from here on "ID" means intrusion detection and "IDS" means intrusion detection system :-))
1. What is intrusion detection?
Intrusion detection is the effort to monitor, and where possible prevent, intrusions or attempts to take control of your system or network resources.
In short, it works like this: you have a machine connected to the INTERNET. For understandable reasons you are willing to let authorized people access your system over the network. For example, if you have a WEB server connected to the INTERNET, you want customers, employees, and potential customers to be able to read the pages stored on it.
However, you do not want unauthorized employees, customers, or other unauthorized third parties to get into the system. For example, you do not want anyone other than the web designers the company hired to modify the pages stored on the machine. The typical practice is to use a firewall or an authentication system to keep unauthorized users out.
In some cases, however, a simple firewall or authentication system can still be defeated. Intrusion detection is a technology that responds to unauthorized connection attempts and can even defend against some of the possible intrusions.
2. Why use ID?
The reasons for using ID are as follows:
(1) You need to protect the security of your data and your system. In the current INTERNET environment, ordinary passwords and file protection alone cannot always guarantee that your data and system are safe.
(2) For data protection, nothing matters more than the security of the system itself. If you connect a machine to the INTERNET without any protection, or even without an administrator password, expecting it to stay unharmed is wishful thinking. The same applies to the core files and authentication databases the system relies on to protect itself (such as the NT SAM, or /etc/passwd and /etc/shadow on UNIX).
(3) In an environment connected to the INTERNET through a LAN, a firewall or other protective measures are usually in place. If file sharing is enabled on an NT machine, or TELNET is allowed, that machine needs better protection: for example, block ports 137-139 (TCP/UDP) at the firewall, and use SSH in place of TELNET in UNIX environments.
(4) ID adds a further layer of protection, because it sits between the firewall and the protected system. For example, you can use ID to watch sensitive ports and find out whether the firewall has been breached or the protective measures have been disabled.
3. What types of IDS are available?
IDS fall into two categories:
(1) Network-based systems: these IDS are placed on the network, close to the systems being protected. They watch network traffic and decide whether what is going on is normal.
(2) Host-based systems: these usually run on the monitored system itself and check whether the processes running there are legitimate. I also want to add a kind of ID that has appeared recently: it lives in the operating system kernel and monitors the low-level behaviour of the system. All of these kinds of system are now available on several platforms.
Network-based ID
Introduction
Network-based IDS monitors the traffic of an entire network segment. A network card can operate in one of two modes:
Normal mode: the card accepts only frames addressed to it, so data is delivered to the target host according to the MAC address in the packet.
Promiscuous mode: the card accepts every frame it can see, so the host receives all the traffic on the segment.
The NIC can be switched between normal and promiscuous mode, and the switch is done through low-level features of the operating system. Network-based IDS generally requires you to put the NIC into the latter mode.
Packet sniffing and network monitoring
Packet sniffing and network monitoring were originally designed for watching Ethernet traffic; the representative products were Novell's LANalyzer and Microsoft's Network Monitor.
These products intercept every packet they can see on the network. Once packets have been intercepted, two things are typically done with them:
Counting the packets captured during a period to determine the network load over that period; both LANalyzer and MS Network Monitor present network load well in their interfaces.
Analyzing the packets themselves: for example, when you want to analyze the data reaching a WEB server, you will often first capture some of it for analysis.
Packet sniffing tools have advanced a great deal in recent years. ETHEREAL and the newer versions of MS Network Monitor, for example, can decode packets in detail.
Finally (the original author is rather long-winded here): a tool is neither good nor evil in itself; that lies in the hearts of the people who use it. By sniffing a TELNET connection to a UNIX host one can intercept the user's password, which is why the first thing an intruder does after taking over a host is usually to install a packet sniffer.
Packet sniffing and promiscuous mode
Every packet sniffer needs the NIC in promiscuous mode, because only in that mode is all the data passing the NIC handed to the sniffer. The prerequisite for packet sniffing, therefore, is that the user on the machine where the sniffer is installed has administrator privileges.
Another point to note is the use of switches. Note that a switch is not a hub (the translator adds that we Chinese had hardly seen a switch at the time!). In a switch, data received on one port is not necessarily forwarded to the other ports, so in a switched environment a packet sniffer may not see the traffic and cannot do its job.
Network-based ID: the evolution of the sniffer
Unfortunately, packet sniffing on its own is of limited benefit from a security point of view. Capturing every packet and then analyzing and acting on it by hand is really tedious. What if software did that work for us?
That is exactly what a network-based ID does; frequently used examples are ISS RealSecure Engine and Network Flight Recorder.
The RealSecure Engine IDS works like this:
It monitors the data being transmitted over the network.
If a packet is normal, it is allowed through (or kept for later analysis). If a packet is judged to be dangerous to the security of the destination system, the engine issues a "connection closed" (when TCP is used) or a "port unreachable" (when ICMP is used) to cut off the connection between the sender and the receiver.
Used this way, RealSecure can form an effective blocking layer behind the firewall. RS can of course also run directly on the firewall, but the author (the original author, not the translator!) does not recommend doing so.
Network-based ID has some other functions as well, such as:
Detecting obvious port scans. Before attacking a system, attackers generally scan it to discover weaknesses, so a port scan from a host on the INTERNET is usually a precursor to an attack.
Detecting common attack methods. Connecting to a WEB server on port 80 looks perfectly normal, but some port 80 connections are anything but; one look at this request and you will see why:
"GET /../../etc/passwd HTTP/1.0"
Identifying IP spoofing attacks. The ARP protocol, which maps IP addresses to MAC addresses, is a frequent target. By sending packets with false ARP data onto the Ethernet, an intruder can pose as another system; the result is a range of denial-of-service attacks, and when a major server (such as a DNS or authentication server) is impersonated, the intruder can have its packets forwarded to his own system. A network-based IDS identifies the source of information (the Ethernet address) by registering ARP packets, and if the information turns out to come from a compromised system, the intruder is intercepted.
If any problematic action is detected, the network-based ID takes action of its own, which can include reconfiguring a nearby firewall to block all traffic from the intruder.
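The "common attack methods" check above, as an added example that is not the page's own code nor RealSecure's: a small signature check over HTTP request lines that catches the page's traversal request and its URL-encoded variants. The request lines, the sensitive-file list and the thresholds are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). The second is the
# page's own example; the others are encoded variants of the same idea.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.0",
    "GET /images/%252e%252e/%252e%252e/etc/shadow HTTP/1.1",  # double-encoded
    "GET /docs/a..b/readme.txt HTTP/1.1",                      # harmless '..' inside a name
    "GET /etc/passwd HTTP/1.0",
]

# Assumed list of files a web client should never be able to name.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")

def normalize_path(raw_path):
    """Decode twice (to catch double encoding), unify slashes and resolve
    '.' and '..' segments the way a naive server would."""
    path = unquote(unquote(raw_path)).replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def inspect_request(line):
    """Return ('alert', reason) or ('ok', resolved_path) for one request line."""
    m = re.match(r"^([A-Z]+) (\S+) HTTP/\d\.\d$", line)
    if not m:
        return ("alert", "malformed request line")
    raw_path = m.group(2).split("?", 1)[0]
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    # A whole '..' segment is the traversal primitive; 'a..b' is not one.
    if re.search(r"(^|/)\.\.(/|$)", decoded):
        return ("alert", "directory traversal: " + decoded)
    resolved = normalize_path(raw_path)
    if resolved in SENSITIVE_FILES:
        return ("alert", "sensitive file requested: " + resolved)
    return ("ok", resolved)

def scan_requests(lines):
    """Collect (line, reason) for every request line that raises an alert."""
    return [(line, inspect_request(line)[1]) for line in lines
            if inspect_request(line)[0] == "alert"]
```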
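The "registering ARP packets" check described above, as an added example (not code from the page or from any IDS product): a registry that remembers which Ethernet address first claimed each IP and raises an alert when a later ARP reply disagrees. The ARP replies are constructed sample data; a real sensor would feed it from a promiscuous-mode capture.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "time sender_ip sender_mac")

# Constructed ARP replies as the IDS would see them on the segment (not a real
# capture). 192.0.2.1 is first announced by one MAC, then a second host claims
# the same IP, which is the spoofing pattern the registry should flag.
SAMPLE_ARP = [
    ArpReply(0.0, "192.0.2.1", "00:11:22:33:44:01"),
    ArpReply(1.0, "192.0.2.10", "00:11:22:33:44:0a"),
    ArpReply(2.0, "192.0.2.1", "00:11:22:33:44:01"),   # same MAC again, no alert
    ArpReply(3.0, "192.0.2.1", "de:ad:be:ef:00:99"),   # conflicting claim -> alert
    ArpReply(4.0, "192.0.2.20", "de:ad:be:ef:00:99"),  # new IP, just registered
]

class ArpRegistry:
    """Maps each IP to the Ethernet address that first (or statically) claimed it
    and reports later replies that disagree."""
    def __init__(self, static=None):
        # Caveat: if the registry learns purely from traffic, whoever answers
        # first wins; seed critical hosts (gateway, DNS) from a static table.
        self.ip_to_mac = dict(static or {})
        self.alerts = []

    def observe(self, reply):
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is None:
            self.ip_to_mac[reply.sender_ip] = reply.sender_mac
            return None
        if known != reply.sender_mac:
            alert = "t=%.1f: %s claimed by %s, registered owner is %s" % (
                reply.time, reply.sender_ip, reply.sender_mac, known)
            self.alerts.append(alert)
            return alert
        return None

def run_arp_check(replies, static=None):
    """Feed every reply through the registry and return it for inspection."""
    reg = ArpRegistry(static)
    for r in replies:
        reg.observe(r)
    return reg
```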
Host-Based ID
Introduction
Once a packet has reached its target host, the firewall and network monitoring can do nothing more, but there is one more thing to try: "host-based ID".
Host-based ID falls into two categories:
Network monitoring: this kind of monitoring analyzes the data arriving at the host and tries to identify potential threats, since any connection may come from a potential intruder. Note that this differs from network-based ID: it monitors only the data that has reached this host, whereas the latter monitors the traffic on the network as a whole. One consequence is that the NIC does not need to be in promiscuous mode.
Host monitoring: any intrusion attempt (or successful intrusion) leaves traces in the monitored files, the file system, the logon records, or files on other hosts, and the system administrator can find those traces there.
External connection monitoring:
The host can inspect packets that try to enter it before they are actually processed, and so avoid the damage they might do once inside the system.
The following approaches are available:
Monitoring unauthorized connection attempts on TCP or UDP ports. For example, if someone tries to connect to a port on which no service is listening, it usually means someone is probing for a system vulnerability.
Monitoring port scans. Here I recommend an additional method: adjust the firewall or the local IP configuration (with IPCHAINS on LINUX) to reject connection requests from potential intruders.
Two recommended tools are ISS's RealSecure Agent and PortSentry.
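The port-scan detection described for network-based ID earlier and for host-based external connection monitoring here, as one added example (not code from the page, PortSentry or RealSecure): a detector that flags a source which touches many distinct ports, or several closed ports, within a short window, which is the input a PortSentry-style reaction (adding a firewall deny rule) would act on. The connection records, listening ports and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

LISTENING_PORTS = {22, 80, 443}   # assumed services on the monitored host
PORT_THRESHOLD = 5                 # distinct ports per source within the window
CLOSED_THRESHOLD = 3               # or this many hits on non-listening ports
WINDOW_SECONDS = 10.0

# Constructed connection attempts (time in seconds, source IP, destination port):
# 203.0.113.5 sweeps ports quickly, 198.51.100.7 is a normal web client.
SAMPLE_CONNECTIONS = [
    (0.0, "198.51.100.7", 80), (0.5, "198.51.100.7", 443), (1.0, "203.0.113.5", 21),
    (1.2, "203.0.113.5", 22), (1.4, "203.0.113.5", 23), (1.6, "203.0.113.5", 25),
    (1.8, "203.0.113.5", 80), (2.0, "203.0.113.5", 110), (30.0, "198.51.100.7", 80),
]

class PortScanDetector:
    def __init__(self, listening=LISTENING_PORTS, port_threshold=PORT_THRESHOLD,
                 closed_threshold=CLOSED_THRESHOLD, window=WINDOW_SECONDS):
        self.listening, self.window = listening, window
        self.port_threshold, self.closed_threshold = port_threshold, closed_threshold
        self.history = defaultdict(deque)   # source IP -> recent (time, port)
        self.flagged = set()                # sources already reported once
        self.alerts = []

    def observe(self, t, src, port):
        """Record one attempt; return True the first time src looks like a scanner."""
        q = self.history[src]
        q.append((t, port))
        while q and t - q[0][0] > self.window:   # drop attempts outside the window
            q.popleft()
        distinct = {p for _, p in q}
        closed = sum(1 for _, p in q if p not in self.listening)
        if src in self.flagged:
            return False
        if len(distinct) >= self.port_threshold or closed >= self.closed_threshold:
            self.flagged.add(src)
            self.alerts.append("%s: %d ports in %.0fs, %d of them closed" %
                               (src, len(distinct), self.window, closed))
            return True
        return False

def run_scan_check(conns):
    """Replay the attempts in time order and return the detector for inspection."""
    det = PortScanDetector()
    for t, src, port in sorted(conns):
        det.observe(t, src, port)
    return det
```

The flagged set is what you would hand to the firewall (the IPCHAINS rule the text mentions) to reject further connections from those sources.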
Logon behaviour monitoring
Even when the network administrator has done everything possible to install the latest IDS, an intruder may still get in by means the IDS cannot see. One of the most important reasons is that the intruder has obtained a user's password (with a packet sniffer, for example) and can simply log on to the system.
One of the tasks of a product such as HOSTSENTRY is to look for unusual system activity, monitor users' logon and logout attempts, and alert the system administrator to abnormal or unexpected activity.
Root operation monitoring
The ultimate goal of an intruder is to obtain root privileges on the compromised host. On a well-planned WEB server, root should do very little apart from a small number of scheduled maintenance tasks. In practice root users rarely stick to the maintenance schedule and instead work whenever they have a spare moment, but even so, an intruder is likely to be active at a time or place where nobody expects root to be.
There is another line to defend here: monitor every operation performed by root or the system administrator. Many UNIX systems record everything root does, logons included, and tools such as LOGCHECK can watch those records and draw the network administrator's attention to them.
If an open-source operating system is in use, the network administrator has one more option: hardening the kernel. How to do that is beyond the scope of this article; after all, there are plenty of resources such as the INTERNET.
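The logon-behaviour and root-operation monitoring of the two sections above, as one added example (not HostSentry's or LOGCHECK's code): a LOGCHECK-style pass over sshd log lines that reports root logons outside the planned maintenance window or from an unexpected host, and repeated failed logons from one source. The log lines, the maintenance window, the admin host and the threshold are all constructed assumptions.

```python
import re
from datetime import datetime, time as dtime

# Assumed policy: root may log on only during the planned maintenance window
# and only from the administration host.
MAINTENANCE_WINDOW = (dtime(2, 0), dtime(4, 0))
ADMIN_HOSTS = {"192.0.2.50"}
FAILED_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sshd log excerpt (not from a real system).
SAMPLE_LOG = """\
Mar 10 02:15:01 web1 sshd[410]: Accepted publickey for root from 192.0.2.50 port 50122 ssh2
Mar 10 13:42:17 web1 sshd[522]: Accepted password for root from 203.0.113.9 port 4123 ssh2
Mar 10 13:43:02 web1 sshd[530]: Failed password for admin from 203.0.113.9 port 4130 ssh2
Mar 10 13:43:05 web1 sshd[531]: Failed password for admin from 203.0.113.9 port 4131 ssh2
Mar 10 13:43:09 web1 sshd[532]: Failed password for invalid user oracle from 203.0.113.9 port 4132 ssh2
Mar 10 14:00:00 web1 sshd[540]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
"""

def check_auth_log(text):
    """Return the list of alert strings for one log excerpt, in log order."""
    alerts, failures = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # lines this checker does not understand
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year is irrelevant here
        user, src, result = m["user"], m["src"], m["result"]
        if result == "Failed":
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == FAILED_THRESHOLD:        # report once per source
                alerts.append("%s: %d failed logons, possible password guessing"
                              % (src, FAILED_THRESHOLD))
        elif user == "root":
            in_window = MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]
            if not in_window or src not in ADMIN_HOSTS:
                alerts.append("root logon from %s at %s outside policy" % (src, m["ts"]))
    return alerts
```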
Monitoring the file system
No matter how good your wishes are, what is your ID?