System Security: IDS and Its Implementation in Linux
Introduction to Intrusion Detection Systems
As more and more companies move their core services onto the Internet, network security becomes an unavoidable problem. Traditionally, companies have adopted firewalls as the first line of defense. As attackers become more sophisticated and attack tools and techniques more complex and diverse, simple firewall policies can no longer meet the needs of highly sensitive security departments; network defense must adopt a variety of in-depth methods. At the same time, today's network environment is becoming more and more complex: a variety of devices need to be constantly upgraded and patched, the work of network administrators grows ever more intensive, and an accidental oversight may cause major security risks. In this environment, intrusion detection systems have become a new hot spot in the security market. Not only are they receiving more and more attention, they have begun to play a key role in different environments.
Intrusion in this article is a broad concept. It covers not only attackers (such as malicious hackers) who obtain control of a system beyond their legal authority, but also collecting vulnerability information, causing denial of service, and other behaviors that harm computer systems.
Intrusion detection, as the name suggests, is the discovery of intrusion behavior. It collects information at several key points in a computer network or computer system and analyzes it to find out whether the network or system violates security policies or shows signs of attack. The combination of software and hardware used for intrusion detection is the intrusion detection system (IDS). Unlike other security products, an intrusion detection system requires more intelligence: it must be able to analyze the data and produce useful results. A qualified intrusion detection system can greatly simplify the work of administrators and ensure secure network operation.
Specifically, the main functions of the intrusion detection system include:
A. Monitor and analyze user and system activities;
B. Check System configurations and vulnerabilities;
C. Evaluate the integrity of key system resources and data files;
D. Identify known attack behaviors;
E. Statistical Analysis of Abnormal behaviors;
F. Manage operating system logs and identify user activities that violate security policies.
Because the market for intrusion detection systems has grown rapidly in recent years, many companies have invested in this field. Companies such as ISS, Axent, NFR, and Cisco have launched their own products (there are no mature products in China yet). However, intrusion detection systems still lack relevant standards. Two organizations are currently trying to standardize IDS: the IETF's Intrusion Detection Working Group (IDWG) and the Common Intrusion Detection Framework (CIDF), but progress is very slow and there are no widely accepted standards.
Intrusion Detection System Model
CIDF Model
The Common Intrusion Detection Framework (CIDF) (http://www.gidos.org/) describes a general model of an intrusion detection system (IDS). It divides an intrusion detection system into the following components:
A. Event generators
B. Event analyzers
C. Response units
D. Event database
CIDF collectively refers to the data to be analyzed by IDS as an event. It can be a packet in the network or information obtained from other channels such as system logs.
The event generator is designed to obtain an event from the entire computing environment and provide it to other parts of the system. The event analyzer analyzes the data and generates analysis results. The Response Unit is a functional unit that responds to the analysis results. It can make a strong response, such as disconnecting and changing file attributes, or simply generate an alarm. The event database is a general term for storing various intermediate and final data. It can be a complex database or a simple text file.
In this model, the first three appear in the form of a program, while the last is usually in the form of a file or data stream.
In other articles, the terms "data collection", "analysis", and "console" are often used in place of "event generator", "event analyzer", and "response unit", and "logs" is commonly used for the event database. Unless otherwise specified, the two sets of terms have the same meaning in this article.
IDS Classification
Generally, intrusion detection systems are classified into host-based and network-based types.
Host-based intrusion detection systems often use system logs and application logs as data sources; information can also be collected from the host by other means (such as monitoring system calls) for analysis. A host-based IDS generally protects only the host it runs on.
The data source of a network-based intrusion detection system is the packets on the network. A network card is usually set to promiscuous mode to listen to all packets in the segment and judge them. A network-based IDS is generally responsible for protecting an entire network segment.
It is not hard to see that the main advantage of network-based IDS is simplicity: only one or a few such systems need to be installed on a network segment to monitor the entire segment. Because such systems are often implemented on separate computers, they do not increase the load on hosts running key services. However, with the increasing complexity of networks and the spread of high-speed networks, this structure faces growing challenges; a typical example is switched Ethernet.
The disadvantages of host-based IDS are obvious: different programs must be developed for different platforms, the system load increases, and many installations are required. On the other hand, it is not bound by the network structure, and it can use the functions provided by the operating system together with anomaly analysis to report attacks more accurately. For more information, see "Next Generation Intrusion Detection in High-Speed Networks".
The components of an intrusion detection system are usually located on different hosts; typically three machines run the event generator, event analyzer, and response unit respectively. HereLine combines the first two, so only two machines are required. When installing an IDS, the key is choosing the location of the data collection part, because it determines the visibility of "events".
For host-type IDS, the data collection part is of course located on the host it monitors.
For Network-type IDS, the data collection part has multiple possibilities:
(1) If the network segment is connected with a bus-type hub, you can simply connect it to a port of the hub;
(2) For switched Ethernet, the problem becomes complicated. Because switches do not use shared media, the traditional method of using a sniffer to listen to the entire subnet is no longer feasible. The following solutions are available:
A. The core chip of a switch generally has a SPAN port for debugging, from which the inbound and outbound traffic of any other port can be obtained. If the switch vendor opens this port, the IDS can be connected to it.
Advantage: you do not need to change the IDS architecture.
Disadvantage: using this port reduces the performance of the switch.
B. Place the intrusion detection system at the key entry and exit of the data flow inside the switch or inside the firewall.
Advantage: almost all key data can be obtained.
Disadvantage: close cooperation with other vendors is required, and network performance is reduced.
C. Use a splitter (Tap) to connect it to all the lines to be monitored.
Advantage: the required information is collected without compromising network performance.
Disadvantage: You must purchase an additional device (Tap). If there are many resources protected, IDS must be equipped with multiple network interfaces.
D. The only method that is not limited in theory is host-based IDS.
Communication Protocol
IDS system components need to communicate with each other, and IDS systems of different vendors also need to communicate with each other. Therefore, it is necessary to define a unified protocol so that all parts can communicate according to the standards set by the Protocol.
IETF currently has a dedicated group, the Intrusion Detection Working Group (IDWG), which is defining this communication format, called the Intrusion Detection Exchange Format. At present only drafts (Internet Drafts) exist and no formal RFC has been produced. However, the drafts provide some guidance for communication between the parts of an IDS and even between different IDS systems.
IAP (Intrusion Alert Protocol) is an application-layer protocol developed by IDWG that runs over TCP. Its design is largely based on HTTP, but many other functions are added (such as initiating a connection from either end, and combining encryption with authentication). For the specific implementation of IAP, see "Intrusion Alert Protocol-IAP", which gives a very detailed description. Here we mainly discuss the issues that should be considered when designing a communication protocol for an intrusion detection system:
1. The information transmitted between the analysis system and the control system is very important, so its authenticity and integrity must be maintained. There must be a mechanism for authentication and confidential transmission between the two parties (guarding against both active and passive attacks).
2. Both parties may interrupt the communication due to exceptions. The IDS system must take additional measures to ensure the normal operation of the system.
Intrusion Detection Technology
Analyzing events and discovering violations of security policies is the core function of an intrusion detection system. Technically, intrusion detection is divided into two types: signature-based and anomaly-based.
Signature-based detection first defines the characteristics of events that violate the security policy, such as certain header fields of network packets; detection then checks whether these features appear in the collected data. This method is very similar to anti-virus software.
Anomaly-based detection first defines a set of "normal" values for the system, such as CPU utilization, memory utilization, and file checksums (these values can be defined manually, or obtained by observing the system and applying statistical methods), and then compares the running values of the system with the defined "normal" values to determine whether the system is under attack. The core of this method is how to define the so-called "normal" situation.
The methods and conclusions of the two techniques differ greatly. The core of signature-based detection is maintaining a knowledge base: for known attacks it can report the attack type in detail and accurately, but its effect on unknown attacks is limited, and the knowledge base must be constantly updated. Anomaly-based detection cannot identify the attack method precisely, but it can (at least in theory) detect a wider range of attacks, including unknown ones.
If conditions permit, the combined detection will achieve better results.
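The two techniques described above, as an added example that is not part of the article or of HereLine: a signature is a fixed set of packet-header features (fields set to -1 match anything, so variants sharing the core features still match), and "normal" is learned from constructed CPU-utilization samples as a mean and variance. Rule names and all data are made up.

```c
/* Added example, not from the article: the signature-based and anomaly-based
 * techniques above, run over constructed data. Signature = fixed packet-header
 * features (fields set to -1 match anything); "normal" = mean and variance learned
 * from baseline samples, here CPU utilization. Rule names and data are made up. */
#include <stddef.h>
#include <stdio.h>
struct pkt_features { int proto; int dst_port; int tcp_flags; };
struct signature { const char *name; int proto; int dst_port; int flags_mask; int flags_value; };
/* Signature-based: report the first rule whose fixed header features all appear. */
const char *match_signature(const struct pkt_features *p, const struct signature *rules, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct signature *r = &rules[i];
        if (r->proto != -1 && r->proto != p->proto) continue;
        if (r->dst_port != -1 && r->dst_port != p->dst_port) continue;
        if ((p->tcp_flags & r->flags_mask) != r->flags_value) continue;
        return r->name;
    }
    return NULL;   /* no known feature set present */
}
/* Anomaly-based: "normal" is the baseline mean; deviation is measured against the variance. */
struct baseline { double mean; double var; };
struct baseline learn_baseline(const double *samples, size_t n) {
    struct baseline b = {0, 0};
    for (size_t i = 0; i < n; i++) b.mean += samples[i];
    b.mean /= (double)n;
    for (size_t i = 0; i < n; i++) b.var += (samples[i] - b.mean) * (samples[i] - b.mean);
    b.var /= (double)n;
    return b;
}
/* 1 if value lies more than k standard deviations from the mean (compared squared, no libm). */
int is_anomalous(const struct baseline *b, double value, double k) {
    double d = value - b->mean;
    return d * d > k * k * b->var;
}
/* Constructed rules: TCP flag combinations that no normal connection produces
 * (FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20). */
static const struct signature rules[] = {
    { "tcp-null-flags", 6, -1, 0x3f, 0x00 },
    { "tcp-syn-fin",    6, -1, 0x03, 0x03 },
};
int main(void) {
    struct pkt_features p = { 6, 80, 0x03 };
    const char *hit = match_signature(&p, rules, sizeof rules / sizeof rules[0]);
    printf("signature: %s\n", hit ? hit : "none");
    double cpu[] = { 21, 25, 19, 23, 22, 24, 20, 26 };     /* constructed baseline, percent */
    struct baseline b = learn_baseline(cpu, sizeof cpu / sizeof cpu[0]);
    printf("cpu 95%%: %s\n", is_anomalous(&b, 95, 3) ? "anomalous" : "normal");
    return 0;
}
```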
Implementation in Linux
System Framework
HereLine is a network-based, signature-based IDS that runs on Linux. It is logically divided into three parts, data collection, data analysis, and result display, which follow the CIDF model.
In terms of implementation structure, HereLine is divided into three applications:
1. Data collection and analysis program (watcher);
2. Alarm information collection program (listener);
3. Alarm information display program (console).
Watcher combines data collection and data analysis. Listener receives the alarm information sent by watcher and stores it as logs. The console provides a user-friendly graphical interface for administrators to view the logs.
Like most commercial IDS, HereLine adopts a distributed structure. We recommend that you use two PCs to run HereLine. One is watcher, and the other is listener and console.
Compared with other similar programs, HereLine has the following advantages:
1. provides a complete framework that can be flexibly applied to various environments and expanded;
2. Data Analysis and alarm program separation are used to facilitate centralized management in a large-scale network environment;
3. IP fragment reassembly has been implemented, to defeat the use of fragmentation to evade checks;
4. The data analysis part does not depend entirely on existing attack programs; it analyzes their core features so that variants of the attacks are also detected, while the details of the known attack programs are used to assess the confidence of the judgment. This design increases alarm reliability.
Implementation process and important issues of each part
Data collection
Watcher uses the PF_PACKET socket provided by the Linux 2.2 kernel (rather than the API provided by libpcap) to obtain data frames directly from the link layer. (The main reason for using the operating system's own interface is efficiency; for portability, the libpcap interface may be adopted in the future.) Linux requires root permission, that is, uid = 0, to create such a socket. The data read from the packet socket is in link-layer format, but two parameters of the socket call shape it: the second parameter, SOCK_DGRAM, tells the kernel to remove the layer-2 header, and the third parameter, ETH_P_IP, restricts reception to IPv4 packets. The buffer therefore holds a complete IP packet with no further processing. Analysis is done by the data analysis program.
The data collection part also places the network card in promiscuous mode, so that it can listen to the data of the entire network segment.
This implementation of HereLine copies data to the application layer through a socket. The structure is flexible and secure (an application crash does not crash the system), but frequent switching between user mode and kernel mode wastes CPU. Another approach is to use a loadable kernel module and run the IDS as part of the kernel. "Building Into The Linux Network Layer" presents a sniffer framework inside the kernel that can be used to implement a more efficient intrusion detection system embedded in the kernel. HereLine could easily be moved to this approach, but this has not been done yet, considering the impact on operating system stability and the difficulty of debugging.
Note that watcher only listens to data packets and does not take part in the operating system's protocol stack processing. If the operating system itself is attacked and suffers a denial of service, watcher cannot run. Therefore, the operating system must be secured first. Some commercial intrusion detection systems (such as NFR) place data collection on specialized, hardened, highly secure systems to ensure that the important programs of the IDS keep working. For HereLine itself, we recommend compiling with a gcc that has the StackGuard patch added, to reduce potential buffer overflow vulnerabilities.
After reading data into the buffer, watcher first encapsulates it in the sbuff structure, which is used whenever data is passed around inside the program. It is defined as follows: