You already have access to manual and automatic scanning programs, and these tools are very useful in the audit process. You will also use a packet sniffer, another tool for determining what kinds of activity are taking place on the network. Intrusion detection systems deserve your attention for two reasons. First, this form of network protection is becoming increasingly popular, so you need to understand the current network structure in order to judge whether its configuration is appropriate. Second, you may be asked to recommend such products, so you must know how to recommend them for particular network conditions.
You can use several types of tools during testing. These tools are essential throughout the audit process and will save you time in the tedious work of analysis.
What is intrusion detection?
An intrusion detection system (IDS) monitors network activity in real time behind the firewall. Because it can record and block network activity, in many cases the IDS is a continuation of the firewall. It can work together with your firewall and router: for example, your IDS can be configured to block malicious traffic coming from outside the firewall. Bear in mind, though, that the IDS operates independently of the firewall.
An IDS is different from a system scanner. A system scanner checks the system for vulnerabilities against a database of attack signatures; it concentrates on configuration weaknesses rather than on the traffic currently entering and leaving your host. Even if a scanner is running on a host that is under attack, it will not identify the attack.
An IDS examines current network activity, monitors and records network traffic, filters the traffic passing between the host's NIC and the network cable according to defined rules, and raises alarms in real time. A network scanner finds existing vulnerabilities on a host; an IDS monitors and records network traffic. If you run an IDS and a scanner on the same host, a properly configured IDS will raise many alarms while the scanner is working.
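The rule-driven behaviour described above (filter traffic against defined rules, raise an alarm in real time) can be illustrated with a small detector. The following is an added example written for this page, not code from the tutorial or from any IDS vendor. The packet records, rule names, thresholds and IP addresses are constructed; the only real constants are the Telnet port and NetBus's default TCP port 12345. In a real deployment the packets would come from a NIC in promiscuous mode rather than from a list.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # capture time in seconds
    src: str             # source IP address
    dst: str             # destination IP address
    dport: int           # destination TCP/UDP port
    proto: str           # "tcp" or "udp"
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    ts: float
    rule: str
    src: str
    dst: str
    detail: str


TELNET, NETBUS = 23, 12345   # NetBus 1.x listens on TCP 12345 by default


def is_login_failure(payload: bytes) -> bool:
    """FTP reply code 530 or a Telnet 'Login incorrect' banner."""
    return payload.startswith(b"530") or b"Login incorrect" in payload


class RuleEngine:
    """Stateful rule engine: per-packet rules plus two sliding-window rules."""

    def __init__(self, window=10.0, login_fail_threshold=3, scan_threshold=5):
        self.window = window
        self.login_fail_threshold = login_fail_threshold
        self.scan_threshold = scan_threshold
        self.login_failures = defaultdict(deque)   # client IP -> (ts, 1)
        self.ports_touched = defaultdict(deque)    # source IP -> (ts, dport)
        self.scan_reported = set()                 # sources already reported
        self.alerts = []

    def _alert(self, pkt, rule, detail):
        self.alerts.append(Alert(pkt.ts, rule, pkt.src, pkt.dst, detail))

    def _expire(self, dq, now):
        # Drop entries older than the window so counts reflect recent activity only
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def process(self, pkt: Packet):
        # Per-packet policy rules, the kind of FTP/Telnet/NetBus defaults the text mentions
        if pkt.proto == "tcp" and pkt.dport == TELNET:
            self._alert(pkt, "telnet-cleartext", "Telnet session; credentials travel in the clear")
        if pkt.proto == "tcp" and pkt.dport == NETBUS:
            self._alert(pkt, "netbus-default-port", "connection to NetBus default port 12345")

        # Repeated logon failures: server replies flow server -> client, so key on dst
        if is_login_failure(pkt.payload):
            dq = self.login_failures[pkt.dst]
            dq.append((pkt.ts, 1))
            self._expire(dq, pkt.ts)
            if len(dq) == self.login_fail_threshold:
                self._alert(pkt, "repeated-login-failure",
                            f"{len(dq)} failed logins for {pkt.dst} within {self.window:.0f}s")

        # Port scan: one source touching many distinct ports within the window
        dq = self.ports_touched[pkt.src]
        dq.append((pkt.ts, pkt.dport))
        self._expire(dq, pkt.ts)
        distinct = {port for _, port in dq}
        if len(distinct) >= self.scan_threshold and pkt.src not in self.scan_reported:
            self.scan_reported.add(pkt.src)   # one alert per scanning source
            self._alert(pkt, "port-scan",
                        f"{len(distinct)} distinct ports on {pkt.dst} within {self.window:.0f}s")


def run(packets):
    """Feed packets through the engine and return the alerts raised, in order."""
    engine = RuleEngine()
    for pkt in packets:
        engine.process(pkt)
    return engine.alerts


# Constructed sample traffic (not a real capture): one web request, three FTP logon
# failures returned to 10.0.0.5, a port sweep from 10.0.0.9 and a NetBus connection.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", 80, "tcp", b"GET / HTTP/1.0\r\n"),
    Packet(1.0, "10.0.0.21", "10.0.0.5", 1035, "tcp", b"530 Login incorrect.\r\n"),
    Packet(2.0, "10.0.0.21", "10.0.0.5", 1036, "tcp", b"530 Login incorrect.\r\n"),
    Packet(3.0, "10.0.0.21", "10.0.0.5", 1037, "tcp", b"530 Login incorrect.\r\n"),
] + [
    Packet(4.0 + i / 10, "10.0.0.9", "10.0.0.80", port, "tcp")
    for i, port in enumerate((21, 22, 23, 25, 80, 110))
] + [
    Packet(5.0, "10.0.0.7", "10.0.0.12", NETBUS, "tcp"),
]

if __name__ == "__main__":
    for a in run(SAMPLE_PACKETS):
        print(f"{a.ts:5.1f}  {a.rule:24s} {a.src} -> {a.dst}: {a.detail}")
```

The two window-based rules keep only recent state, which is what lets the engine run continuously on live traffic; the per-packet rules are the equivalent of the vendor's default Telnet and NetBus policies. Running the sample produces four alerts: the third FTP failure, the Telnet probe, the scan when the fifth distinct port is touched, and the NetBus connection.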
Intrusion detection
Most IDS programs provide a very detailed analysis of network traffic and can monitor any traffic you define. Most have default settings for FTP, HTTP and Telnet traffic, and for other activity such as NetBus and local and remote logon failures; you can also define your own policies. The following sections describe some of the more common detection techniques.
Network Traffic Management
IDS products such as Computer Associates' eTrust Intrusion Detection (formerly SessionWall), Axent Intruder Alert and ISS RealSecure let you record, report on and block almost every form of network access. You can also use these programs to monitor the network traffic of a single host; eTrust Intrusion Detection, for example, can show the last web page a user on that host visited.
Once you have defined policies and rules, you can capture FTP, SMTP, Telnet and any other traffic. These rules help you track connections and determine what has happened on the network and what is happening now. Such programs are very effective when you need to check that policy is being applied consistently across the network.
Although an IDS is a valuable tool for a security administrator or auditor, a company employee can also install a program such as eTrust Intrusion Detection or Intruder Alert to gain access to sensitive information. Such an attacker can not only read unencrypted email but also sniff passwords and collect sensitive protocol information. Therefore you must first check whether programs of this kind are already running on the network.
System scanning, jails and IDS
Earlier in this tutorial you learned how to apply different policies to build effective security. This task requires controls in different parts of the network, from the operating system to the scanner, the IDS program and the firewall. You have already used system scanners, and many security experts combine them with an IDS. System integrity checkers, extensive logging, hacker "jails" and decoy programs are all effective tools that can work alongside an IDS.
Tracking
An IDS can not only record events but also determine where they come from. This is the main reason many security experts buy an IDS. By tracing the source you learn more about the attacker, and that knowledge helps you not only to document the attack but also to decide on the remedy.
The need for an intrusion detection system
A firewall may seem to meet all of a system administrator's requirements. However, as attacks by employees and product-related problems increase, an IDS becomes ever more necessary for monitoring illegal activity inside the firewall. New technologies also pose a serious threat to firewalls. For example, a VPN passes through the firewall, so the IDS must provide protection behind it: although the VPN itself is secure, one of the parties communicating through it may be controlled by a rootkit or NetBus, and the firewall cannot defend against such destructive behaviour. For these two reasons an IDS has become an important part of a security policy.
Note also that an attacker can mount attacks designed to overload the IDS, with the result that the IDS itself becomes a participant in a DoS attack. Attackers also adjust their methods so that the IDS cannot track their activity on the network.
Architecture of an intrusion detection system
Two architectures are available for an IDS, each suited to its own environment. Although a host-level IDS is more powerful and provides more detailed information, it is not always the best choice.
Network-level IDS
A network-level product such as eTrust Intrusion Detection needs to be installed only once. The program (or service) examines everything transmitted on the whole network segment to determine what is happening on the network in real time. In a network-level IDS the program acts as both manager and agent: the host on which the IDS is installed does all the work, and the rest of the network is only queried passively.
Advantages and disadvantages
This kind of IDS is easy to install and deploy; generally you only need to install the program once, on a single host. A network-level IDS is especially suited to detecting scans and DoS attacks. However, this architecture does not work well in switched and ATM environments, and it is not particularly effective against illegal privilege escalation, policy violations or log tampering. When it monitors a large network, the performance of the host drops sharply. For large, complex networks you therefore need a host-level IDS.
Host-level IDS
As mentioned above, the host-level IDS architecture uses one manager and several agents. The manager sends queries to the agents, and each agent reports to the manager on the traffic its host sends and receives on the network. Direct communication between agents and the manager solves many of the problems of complex networks.
Technical tip: before deploying any host-level IDS, test it on an isolated network segment. This test helps you determine whether manager-to-agent communication is secure and what impact it has on network bandwidth.
Manager
The manager defines the rules and policies that govern the agents. The manager is installed on a specially configured host from which it queries the agents on the network. Some managers have a graphical interface; other IDS products run the manager only as a daemon and administer it with other programs.
Physical security is critical for the host that acts as manager. An attacker who gains access to its hard disk can obtain important information. In addition, unless it is necessary, the manager's system should not be reachable by network users; this restriction includes Internet access.
Install the manager's operating system as securely and with as few vulnerabilities as possible. Some vendors require a specific operating system for the manager. For example, ISS RealSecure requires Windows NT Workstation rather than Windows NT Server, because the operating system is easier to strip down on NT Workstation.
Special considerations
Every IDS vendor has special considerations for its products, and these are usually specific to the operating system. For example, many vendors require agents to be installed on hosts with static IP addresses, so you may need to configure your DHCP and WINS servers to work with the manager. This consideration partly explains why most IDS programs use one manager to manage several hosts. In addition, installing a manager reduces the system's performance, and too many managers on the same network segment consume too much bandwidth.
Many IDS products also run into problems on networks faster than 10 Mbps. IDS vendors generally require that you do not install the manager on UNIX systems that use NFS or NFS+: because such file systems allow remote access, the manager may make them unstable and insecure.
Except in special circumstances, you should not install the IDS manager on a host with two or more NICs that acts as a router, or on a firewall. A Windows NT PDC or BDC, for example, is not a good system for most IDS managers, not only because the manager may affect logons but also because the services a PDC or BDC needs can create trap doors and system errors.
Ratio of managers to agents
The ratio of managers to agents varies by vendor and version. For example, Axent recommends that an Intruder Alert manager serve no more than 100 agents on a UNIX or NT network, and no more than 50 agents on a NetWare network. You still need to establish a baseline to determine the ideal configuration for your IDS. Ideally the IDS monitors intrusions in real time without affecting normal network operations.
Agent
Because the agent does the monitoring, most IDS products let you install agents on any host that can accept the configuration. When you evaluate a product, make sure it works with the hosts on your network. Most products work well in UNIX, NT and Novell environments, and some vendors also produce agents for special environments such as DECnet and mainframes. In any case, choose the product that best suits your network by testing it. All agents run in promiscuous mode and capture the packets transmitted on the network.
Ideal agent layout
Consider installing agents on important resources such as database, web, DNS and file servers. A scan-based IDS program such as eTrust Intrusion Detection may be better suited to scanning individual hosts during specific periods; this approach lets you monitor network activity with minimal bandwidth usage.
The following resources are suitable locations for agents:
· Accounting, human resources and R&D databases
· LAN and WAN backbones, including routers and switches
· Hosts used by temporary staff
· SMTP, HTTP and FTP servers
· Modem pool servers, and switches, routers and hubs
· File servers
Many newer network devices limit what an IDS can scan.
Communication between managers and agents
When learning how to select products for your network, you need to understand how managers and agents communicate. Most IDS programs require you to communicate with the manager first; the manager then queries the agents.
Generally the manager and agents use public-key encryption for their communication. For example, Axent products use 400-bit Diffie-Hellman; a standard SSL session uses 128-bit encryption. Comparing these two standards shows that most IDS vendors adopt secure communication.
Some older host-level products use plaintext or very weakly encrypted sessions. This is ironic, because plaintext transmission is vulnerable to hijacking and man-in-the-middle attacks, which seriously undermine your monitoring and your network security.
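The manager-queries-agent model and the Diffie-Hellman protection of that channel, described in the last three paragraphs, can be shown end to end in a small simulation. This is an added example written for this page; it is not any vendor's protocol, and the Party class, frame format and message texts are constructed. It substitutes the published 2048-bit RFC 3526 group 14 parameters for the 400-bit Diffie-Hellman the text mentions, since 400-bit moduli are far too small by current standards, and it authenticates each frame with HMAC-SHA256 rather than encrypting it (a real product would add a symmetric cipher keyed from the same shared secret). The tampered run shows why the plaintext products of the previous paragraph are a problem: an on-path attacker can rewrite a query, and only a keyed check lets the agent notice.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime with generator 2 (a published parameter set)
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin sanity check: never trust a DH modulus you have not examined."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Party:
    """One end of the manager/agent link (simplified model, not a vendor protocol)."""

    def __init__(self, name):
        self.name = name
        self._priv = 2 + secrets.randbelow(2 ** 256 - 2)   # private exponent, never sent
        self.pub = pow(G, self._priv, P)                    # public value, sent to the peer
        self.key = None
        self.send_seq = 0
        self.recv_seq = 0

    def derive_key(self, peer_pub):
        # Refuse degenerate public values (0, 1, p-1) that would force a trivial secret
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self._priv, P)
        self.key = hashlib.sha256(shared.to_bytes(256, "big")).digest()

    def send(self, body: bytes) -> bytes:
        # frame = 4-byte sequence number || body, followed by HMAC-SHA256 over the frame
        self.send_seq += 1
        frame = self.send_seq.to_bytes(4, "big") + body
        return frame + hmac.new(self.key, frame, hashlib.sha256).digest()

    def receive(self, wire: bytes) -> bytes:
        frame, tag = wire[:-32], wire[-32:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed: message altered or forged")
        seq = int.from_bytes(frame[:4], "big")
        if seq <= self.recv_seq:
            raise ValueError("replay rejected: sequence number not increasing")
        self.recv_seq = seq
        return frame[4:]


def exchange(tamper=False):
    """Manager queries an agent over a DH-keyed, authenticated channel; returns what happened."""
    manager, agent = Party("manager"), Party("agent")
    manager.derive_key(agent.pub)          # only the public values cross the network
    agent.derive_key(manager.pub)
    result = {"keys_match": manager.key == agent.key}
    query = manager.send(b"QUERY events since=1999-12-31T23:00:00Z")
    if tamper:
        # An on-path attacker rewrites the command but cannot recompute the tag
        query = query[:4] + b"PURGE" + query[9:]
    try:
        result["query"] = agent.receive(query)
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    try:
        agent.receive(query)               # the same frame again must be refused
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    result["reply"] = manager.receive(agent.send(b"EVENTS count=0"))
    return result


if __name__ == "__main__":
    print("group prime ok:", probable_prime(P))
    print("normal run:", exchange())
    print("tampered run:", exchange(tamper=True))
```

The sequence number inside the authenticated frame is what defeats the hijacking the text warns about: a captured query cannot be re-sent later to make the agent repeat work, and a modified one fails the tag check before any of its content is acted on.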
Some managers can communicate with other managers. Communication between managers can save bandwidth and reduce your administrative burden. Such communication can also be avoided by making use of the organisational structure. For example