Are there any open standards for intrusion detection?
So far there are no mature open standards for intrusion detection, but work is under way in this direction.
The Internet Engineering Task Force (IETF) is the body that develops Internet standards. It has a working group dedicated to developing a common IDS alert format. The group has completed the requirements phase and the basic design is essentially settled, though details may still change slightly; early implementations may need small modifications once the standard is finalized. The current design sends XML-based IDS alerts over a connection protocol similar to HTTP. A lot of work has gone into meeting the needs of IDS analysis and letting the protocol pass through firewalls in a natural way.
We welcome more people to join us. The IETF working group is open to anyone who wants to participate and is technically competent. This is because individuals are always able to propose the best way to solve a problem, rather than giving an answer according to the boss's schedule.
For the purposes of the Working Group, refer to idea
The ISO T4 Committee has also put a lot of effort into proposing an intrusion detection framework. The progress of that project is unknown; the FAQ author has not been able to obtain any information about it.
The Common Intrusion Detection Framework (CIDF) is an attempt by the US Defense Advanced Research Projects Agency (DARPA) to exchange IDS data. CIDF is only a research project, not a standard that could affect commercial products, and CIDF development currently appears to have stopped. CIDF exchanges information about intrusion-related events in a Lisp-like format and defines a number of prototype systems that use these messages. More information is available at http://www.gidos.org.
Stuart Staniford-Chen
President, Silicon Defense
Stuart@silicondefense.com
How can we deploy a network-based intrusion detection system in a switched environment with heavy network traffic?
The main difficulty in deploying an intrusion detection system in a switched environment comes from the difference between hubs and switches. A hub has no concept of a connection, so every packet received on one port is copied to all the other ports. A switch, however, is connection-aware: when a packet enters on one port, it is forwarded only to the destination port. Therefore, in a hub environment we can place our sensor anywhere, but with a switch we must use some means of letting the sensor see the traffic it needs.
Currently the options are taps, hubs, and spanning ports (also known as mirror ports); a switch can be configured so that one port behaves like a hub. For example, in Figure 1 we want to monitor the connection between the switch and the resource host. To do so, we can have the switch copy the traffic from the resource host's port to the port where the IDS is attached. We can copy the packets sent by the resource host, the packets it receives, or both. Some existing switches cannot guarantee that 100% of the monitored traffic is copied to the spanning port, so even if the intrusion detection system is configured to monitor all attacks, some attacks may go unnoticed. A switch sometimes allows only a single port to be spanned, which makes monitoring several hosts at the same time very difficult or impossible.
Using a hub or a tap is similar: the hub or tap is placed inline on the monitored connection, usually between two switches, between a switch and a router, or between a server and a switch. In Figure 2 the hub is placed between the resource host and the switch. The network between the resource host and the switch still works normally, but because of the hub's characteristics the network data is also copied to the IDS. This is similar to a spanning port, but a spanning port can only monitor a single host. Connecting multiple machines to the hub can cause network problems and cancel out the benefits of the switch. In addition, using a fault-tolerant hub greatly increases cost. A tap is designed to carry the primary connection (that is, the link from the resource host to the switch) with fault tolerance, implemented in hardware so that no failure is introduced.
In Figure 3 a tap is used to monitor a resource host. The tap only passes traffic between the switch and the resource host to the IDS; it blocks traffic from the IDS toward the switch or the resource host, and no traffic returns to the IDS. Because a tap is unidirectional, we can direct the network traffic from several taps to a hub and let the IDS monitor that hub without causing network problems. See Figure 4.
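To make the blind spot concrete, the following is an added model (not code from the FAQ) of what a sensor sees for the same four frames on a hub, on a plain switch, on a spanning port (with direction and an optional capacity that stands in for an oversubscribed mirror port), and behind a tap. Host names, port numbers and the sample traffic are constructed; the Hub, Switch and Tap classes are simplifications of the devices described above.

```python
"""Which frames an IDS sensor sees on a hub, a plain switch, a spanning (mirror)
port and a tap.  Constructed model added to illustrate the FAQ; not the FAQ's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str      # sending host (stands in for a MAC address)
    dst: str
    payload: str


class Hub:
    """Repeats every frame to every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame, in_port):
        return {p: frame for p in self.ports if p != in_port}


class Switch:
    """Learning switch: forwards to the port where the destination was last seen
    and floods unknown destinations.  A spanning session copies frames crossing
    one source port to a monitor port, up to an optional capacity that models an
    oversubscribed mirror port (the '100% not guaranteed' caveat in the text)."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}            # host -> port
        self.span = None           # (source_port, monitor_port, direction, capacity)
        self.span_copied = 0
        self.span_dropped = 0

    def configure_span(self, source_port, monitor_port, direction="both", capacity=None):
        self.span = (source_port, monitor_port, direction, capacity)

    def forward(self, frame, in_port):
        self.table[frame.src] = in_port
        out_port = self.table.get(frame.dst)
        if out_port is None:
            out = {p: frame for p in self.ports if p != in_port}   # flood
        else:
            out = {out_port: frame}
        if self.span is not None:
            src_p, mon_p, direction, capacity = self.span
            hit = (direction in ("both", "rx") and in_port == src_p) or \
                  (direction in ("both", "tx") and out_port == src_p)
            if hit and (capacity is None or self.span_copied < capacity):
                self.span_copied += 1
                out[mon_p] = frame
            elif hit:
                self.span_dropped += 1          # mirror port saturated: frame lost to the IDS
        return out


class Tap:
    """Inline tap on one switch port: copies both directions of that link to the
    monitor port and discards anything the monitor port tries to send, since a
    tap is one-way and the sensor cannot inject onto the link."""
    def __init__(self, switch, tapped_port, monitor_port):
        self.switch, self.tapped_port, self.monitor_port = switch, tapped_port, monitor_port

    def forward(self, frame, in_port):
        if in_port == self.monitor_port:
            return {}
        out = self.switch.forward(frame, in_port)
        if in_port == self.tapped_port or self.tapped_port in out:
            out[self.monitor_port] = frame
        return out


HOST_PORT = {"A": 1, "B": 2, "IDS": 3}     # constructed: A plays the "resource host"
TRAFFIC = [Frame("A", "B", "GET /"), Frame("B", "A", "200 OK"),
           Frame("A", "B", "GET /admin"), Frame("B", "A", "403")]   # constructed sample


def warmed_switch():
    """Switch whose table already knows A and B.  Before the table is learned,
    flooding would leak every frame to the sensor port and hide the blind spot."""
    sw = Switch([1, 2, 3])
    sw.table.update({"A": 1, "B": 2})
    return sw


def spanned(**span_options):
    sw = warmed_switch()
    sw.configure_span(1, 3, **span_options)      # mirror the resource host's port to the IDS port
    return sw


def sensor_view(device, monitor_port=3):
    """Payloads the sensor on monitor_port observes for the sample traffic."""
    seen = []
    for f in TRAFFIC:
        out = device.forward(f, HOST_PORT[f.src])
        if monitor_port in out:
            seen.append(out[monitor_port].payload)
    return seen


def scenarios():
    r = {"hub": sensor_view(Hub([1, 2, 3])), "switch": sensor_view(warmed_switch())}
    r["span_both"] = sensor_view(spanned())
    r["span_rx"] = sensor_view(spanned(direction="rx"))
    sw = spanned(capacity=2)
    r["span_oversubscribed"], r["span_dropped"] = sensor_view(sw), sw.span_dropped
    tap = Tap(warmed_switch(), tapped_port=1, monitor_port=3)
    r["tap"] = sensor_view(tap)
    r["tap_inject"] = tap.forward(Frame("IDS", "A", "RST"), HOST_PORT["IDS"])
    return r


if __name__ == "__main__":
    for name, view in scenarios().items():
        print(f"{name:20} {view}")
```

The "switch" scenario returning nothing is the problem the answer describes; the "span_oversubscribed" scenario shows why a mirrored port should be checked against the monitored link's load, and "tap_inject" shows why a sensor behind a tap can observe but not respond on the wire.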
What is a honeypot, and how is it used?
A honeypot is a program that simulates one or more network services on specified ports of your computer. An attacker will think you are running vulnerable services and try to use them to break into the system. The honeypot can log all activity on those ports, including the attacker's keystrokes. This gives you early warning of a concerted attack.
There is a honeypot program called the Deception Tool Kit, which can be downloaded from http://www.all.net/dtk/index.html. It lets you configure the response given to connections on each port.
It is appropriate to run a honeypot as a well-known server, such as a web, mail or DNS server, because these systems are frequently attacked. A honeypot can also be used to stand in for a system that is under attack.
Richard Caasi
SAIC
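As an added illustration of the logging role described in this answer (not the Deception Tool Kit and not code from the FAQ), the following minimal honeypot listens on one TCP port, answers with a fake service banner, and records the source address, timestamp and everything the peer sends, without ever acting on that input. The banner, the probe payload and the use of loopback port 0 are constructed for the demonstration.

```python
"""Single-port honeypot that records connection attempts.  Added example, not the
Deception Tool Kit named in the FAQ.  Banner and probe payload are constructed."""
import json
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.invalid ESMTP\r\n",   # constructed fake banner
                 max_bytes=4096, idle_timeout=5.0):
        self.host, self.port, self.banner = host, port, banner
        self.max_bytes, self.idle_timeout = max_bytes, idle_timeout
        self.records = []                    # one dict per connection
        self._lock = threading.Lock()
        self._sock = None
        self._stop = threading.Event()

    def start(self):
        """Bind (port 0 = any free port), start accepting, return the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                  # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        """Send the banner, then record whatever the peer types until it
        disconnects, goes idle, or exceeds max_bytes.  Input is only stored."""
        data = b""
        try:
            conn.settimeout(self.idle_timeout)
            conn.sendall(self.banner)
            while len(data) < self.max_bytes:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer_ip": peer[0], "peer_port": peer[1], "port": self.port,
            # backslashreplace keeps binary probes readable in a text log
            "data": data[:self.max_bytes].decode("utf-8", "backslashreplace"),
        }
        with self._lock:
            self.records.append(record)

    def wait_for_records(self, n, timeout=5.0):
        """Block until n records exist (or timeout) and return a copy of them."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= n:
                    return list(self.records)
            time.sleep(0.05)
        with self._lock:
            return list(self.records)

    def to_jsonl(self):
        with self._lock:
            return "\n".join(json.dumps(r) for r in self.records)

    def stop(self):
        self._stop.set()
        if self._sock is not None:
            self._sock.close()


def probe(port, payload=b"EHLO scanner\r\nAUTH LOGIN\r\n"):
    """Constructed client standing in for a remote connection; returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    p = hp.start()
    print("banner:", probe(p))
    hp.wait_for_records(1)
    hp.stop()
    print(hp.to_jsonl())
```

The records are plain JSON lines so they can be fed to whatever alerting you already run; one connection to a port that nothing legitimate should touch is itself the early warning the answer refers to.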