Perfect use of intrusion detection system in linux

Article Title: perfect solution for using the intrusion detection system in linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
   Introduction to intrusion detection systems
As more and more companies transfer their core services to the Internet, network security is an unavoidable problem. Traditionally, companies generally adopt firewalls as the first line of defense for security. With the increasingly sophisticated knowledge of attackers and the increasingly complex and diverse attack tools and techniques, simple firewall policies cannot meet the needs of highly sensitive security departments, network defense must adopt a variety of in-depth methods. At the same time, today's network environment is becoming more and more complex. a variety of complex devices need to be constantly upgraded and leaked systems to make the work of network administrators more and more intensive, accidental negligence may cause major security risks. In this environment, intrusion detection systems have become a new hot spot in the security market. not only have they received more and more attention, but they have begun to play a key role in different environments.
  
Intrusion in this article is a broad concept, including not only the attackers (such as malicious hackers) who have obtained control of the system beyond the legal scope, it also involves collecting vulnerability information, resulting in Denial of access (Denial of Service) and other behaviors that cause harm to computer systems.
  
Intrusion Detection, as the name suggests, is the discovery of Intrusion behaviors. It collects and analyzes several key points in a computer network or computer system to find out whether the network or system violates security policies and shows signs of attacks. The combination of the software and hardware used for Intrusion Detection is the Intrusion Detection system (IDS ). Unlike other security products, the intrusion detection system requires more intelligence. it must be able to analyze the data and produce useful results. A qualified intrusion detection system can greatly simplify the work of administrators and ensure secure network operation.
  
   Specifically, the main functions of the intrusion detection system include:
A. monitor and analyze user and system activities;
B. check system configurations and vulnerabilities;
C. evaluate the integrity of key system resources and data files;
D. identify known attack behaviors;
E. statistical analysis of abnormal behaviors;
F. manage operating system logs and identify user activities that violate security policies.
  
Due to the rapid development of the market of intrusion detection systems in recent years, many companies have invested in this field. Companies such as ISS, axent, NFR, and cisco have launched their own products (there are no mature products in China ). However, at present, the intrusion detection system still lacks relevant standards. At present, there are two organizations trying to standardize IDS: Intrusion Detection Working Group (idwg) and Common Intrusion Detection Framework (CIDF) of IETF, but the progress is very slow, there are no widely accepted standards.
  
   Intrusion detection system model
CIDF model
Common Intrusion Detection Framework (CIDF) (http://www.gidos.org/) describes a general model of Intrusion Detection system (IDS. It divides an intrusion detection system into the following components:
L Event generators)
L Event analyzers
L Response units)
L Event database)
  
CIDF collectively refers to the data to be analyzed by IDS as an event. it can be a packet in the network or information obtained from other channels such as system logs.
  
The event generator is designed to obtain an event from the entire computing environment and provide it to other parts of the system. The event analyzer analyzes the data and generates analysis results. The response unit is a functional unit that responds to the analysis results. it can make a strong response, such as disconnecting and changing file attributes, or simply generate an alarm. The event database is a general term for storing various intermediate and final data. it can be a complex database or a simple text file.
In this model, the first three appear in the form of a program, while the last is usually in the form of a file or data stream.
In other articles, , analysis, and console are often used to replace the terms "event generator", "event analyzer", and "response unit. Common logs are used to easily refer to the event database. Unless otherwise specified, the two sets of terms in this article have the same meanings.
  
   IDS classification
Generally, intrusion detection systems can be classified into master and network models.
Host-based intrusion detection systems often use system logs and application logs as data sources. of course, you can also collect information from the host through other means (such as monitoring system calls) for analysis. The host intrusion detection system generally protects the system.
  
The data source of the network-type intrusion detection system is data packets on the network. A sub-network card is usually set to promisc mode, listening to all packets in this segment and making judgments. Generally, the network-type intrusion detection system is responsible for protecting the entire network segment.
  
It is not hard to see that the main advantage of network-type IDS is simplicity: only one or several such systems can be installed on a network segment to monitor the entire network segment. Because such applications are often implemented by separate computers, it will not increase the load on hosts running key services. However, due to the increasing complexity of networks and the popularization of high-speed networks, this structure is facing increasing challenges. A typical example is switched Ethernet.
  
However, although the disadvantages of host-type IDS are obvious: different programs must be developed for different platforms, the system load must be increased, and a large number of installations are required, the internal structure is not bound, at the same time, the functions provided by the operating system and exception analysis can be used to more accurately report attack behavior. Next Generation Intrusion Detection in High-Speed Networks. For more information, see.
  

(1) if the network segment is connected with a bus-type hub, you can simply connect it to a port of the hub;
(2) for Switched Ethernet switches, the problem becomes complicated. Because vswitches do not use shared media, the traditional method of using an sniffer to listen to the entire subnet is no longer feasible. The following solutions are available:
A. Generally, the core chip of a vSwitch has a span port for debugging. the inbound and outbound information of any other ports can be obtained from this. If the switch vendor opens this port, you can connect the IDS system to this port.
Advantage: you do not need to change the IDS architecture.
  
Disadvantage: using this port will reduce the performance of the vSwitch.
  
B. Place the intrusion detection system at the key entry and exit of the data flow inside the switch or inside the firewall.
Advantage: almost all key data can be obtained.
Disadvantage: you must work closely with other vendors to reduce network performance.
  
C. Use a splitter (Tap) to connect it to all the lines to be monitored.
Advantage: the required information is collected without compromising network performance.
Disadvantage: you must purchase an additional device (Tap). if there are many resources protected, IDS must be equipped with multiple network interfaces.
  
D. The only theoretically unlimited method is host IDS.
Communication Protocol
  
IDS system components need to communicate with each other, and IDS systems of different vendors also need to communicate with each other. Therefore, it is necessary to define a unified protocol so that all parts can communicate according to the standards set by the protocol.
  
IETF currently has a dedicated team, Intrusion Detection Working Group (idwg), which defines this communication format, called Intrusion Detection Exchange format. Currently, there are only relevant drafts (internet draft) and no formal RFC documents are formed. However, the draft provides some guidance for communication between different parts of IDS and even between different IDS systems.
  
IAP (Intrusion Alert Protocol) is an application layer Protocol developed by idwg and runs on TCP. its design is largely based on HTTP, however, many other functions are added (such as initiating a connection from any end, combining encryption and authentication ). For the specific implementation of IAP, see Intrusion Alert Protocol-IAP, which provides a very detailed description. Here we will mainly discuss the issues that should be considered when designing a communication protocol for the intrusion detection system:
  
1. it is very important to analyze the information transmitted between the system and the control system. Therefore, we must maintain the authenticity and integrity of the data. There must be a certain mechanism for authentication and confidential transmission between both parties (both active and passive attacks are prevented at the same time ).
2. both parties may interrupt the communication due to exceptions. The IDS system must take additional measures to ensure the normal operation of the system.
  
   Intrusion detection technology
Analyzes various events and finds that violations of security policies are the core functions of the intrusion detection system. Technically, intrusion detection is divided into two types: signature-based and anomaly-based ).
For the identification-based detection technology, first define the characteristics of events that violate security policies, such as some header information of network packets. The detection mainly checks whether such features appear in the collected data. This method is very similar to anti-virus software.
Exception-based detection technology first defines a set of system "normal" values, such as CPU utilization, memory utilization, and file checksum (such data can be manually defined, it can also be obtained by observing the system and using statistical methods), and then comparing the system running value with the defined "normal" to determine whether the system is under attack. The core of this detection method is how to define the so-called "normal" situation.
  
The methods and conclusions of the two detection technologies differ greatly. The core of exception-based detection technology is to maintain a knowledge base. For known attacks, it can report attack types in detail and accurately, but the effect on unknown attacks is limited, and the knowledge base must be constantly updated. Exception-based detection technology cannot accurately identify attack methods, but it can (at least theoretically) identify more extensive or even unknown attacks.
  
If conditions permit, the combined detection will achieve better results.
  
   System Framework