Network Intrusion Detection System
A network intrusion detection system (NIDS) monitors one or more network segments with the objective of detecting inappropriate, incorrect, or anomalous network activity. It is an important part of a layered security approach, adding protection against attackers attempting to intrude on your network. The most common approach is to monitor the traffic on the segment of concern, typically on the secure (inside) side of the firewall, so that only traffic the firewall has already admitted is analyzed.
The system consists of three components: sensors that monitor the traffic on a network segment; an engine that records the events generated by the sensors and matches them against a set of known attack patterns (signatures); and a console used to control the sensors and to generate alerts and reports.
A NIDS can provide you the peace of mind that your network security specialist will be alerted if a network invasion is in progress and the information needed to make your network more resistant to attacks.
Why is NIDS important?
Your business depends upon your network and protecting it is one of the most important jobs of an IT organization. It is so important that the standard practice is to have a layered approach to keep it secure. The typical layered approach includes a security policy, host system security, auditing, router security, firewalls, NIDS, and an incident response plan.
A NIDS leverages knowledge of known vulnerabilities and attack patterns. This approach requires some effort to set up and configure the system so that it closely matches the monitored environment. In addition, the signatures need to be updated regularly to keep coverage of newly known vulnerabilities and attack patterns current. A knowledge-based IDS that is properly deployed, configured, and maintained repays that effort: it produces a lower rate of false positives than an untuned system and supplies context that helps you respond to a specific attack and make your network more resistant to future ones.
The benefits include the assurance that your network is more secure and that your organization's vital information is better protected against outside attacks. The NIDS acts as an additional security layer that not only alerts your security specialist when an attacker is attempting to break into your network, but also helps identify the source of the attack and provides useful detail about it. After all, you want to do all you can to secure and protect your information and the network that carries it.
How can CommandCenter NOC help?
Fortunately, the CommandCenter NOC (CC-NOC) does the heavy work for you. Delivered as an appliance, it provides a complete NIDS solution: the hardware and software components are provided and integrated for you. Rack-mount the appliance, and an easy-to-use installation wizard walks you through a series of questions to configure the NIDS to match your environment. Updated attack-pattern signatures are delivered to your system automatically and frequently. CommandCenter NOC has a flexible notification and reporting engine to ensure that the proper specialist is notified of incidents and that activity can be monitored via reports.
How the CommandCenter NOC NIDS works
The CommandCenter NOC NIDS listens to network traffic and indicates when certain behaviors are identified, traffic patterns appear, or recognized character strings are passed. This provides an easy-to-deploy and technically sound approach to analyzing your traffic for things that probably shouldn't be there.
Raritan's team of security experts constantly monitors security-related news sources and performs internal testing and analysis, ferreting out information on the latest attacker threats and system vulnerabilities. Once identified, these threats and vulnerabilities are distilled down to their simplest form: the network traffic they generate. Armed with this information, our team creates a series of "signatures" that identify those threats as uniquely as possible, should they be encountered on your network. However, because it is impossible to guarantee that a specific behavior, traffic pattern, or character string occurs only in malicious traffic, there are times when the CommandCenter NOC will trigger an event that is not associated with an actual threat. These situations are referred to as false positives, and they are inevitable in the world of intrusion detection. Raritan falls on the side of "better safe than sorry" and would rather give you the information to disprove than let an attacker have his way. We are not alone in this; the approach is widely considered an industry best practice. But too many false positives is not good either, so Raritan has taken great strides to help you reduce them in your environment by leveraging the information you have about your IT infrastructure.
Reducing False Positives with the Signature Profiler
Because Raritan provides signature files for your CommandCenter NOC as part of our Advanced Administration options, you needn't worry about keeping up to date on all of the latest threats; we do the investigation and make the new signatures available. No two networks are alike, yet we must ship the full set of signatures to every CommandCenter NOC in the field. This means that every CommandCenter NOC has a copy of every signature we distribute, and in many cases not all of these signatures are relevant to the environment in which the CommandCenter NOC is installed. For example, one of our signatures watches for traffic attempting to exploit the ToolTalk database server on Sun Solaris platforms. By default, if we see the traffic that indicates this particular threat, we will notify you, even if you have no Sun Solaris platforms running the ToolTalk database server. This is specifically why we built the Signature Profiler.
The Signature Profiler is a way for you to deploy a CommandCenter NOC with customizations for its environment once, and our rules engine will maintain those customizations for you as new signatures and features are rolled out.
Signature Profiler and the Rules Engine
The Signature Profiler provides an easy-to-use, web-based interface that asks simple questions: Are you running this platform or that? What platforms do you use for email? Web services? What kinds of routers do you use? By moving through the web page and checking or unchecking the boxes that correspond to your configuration, you build the rules needed to keep the CommandCenter NOC up to date. Once complete, the Rules Engine decides on your behalf whether a newly delivered signature should be applied to a given CommandCenter NOC. This reduces your workload while automating the most difficult part of intrusion detection: keeping it up to date.
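As an added example (not Raritan's code) of the two steps described above, the following Python models a tiny signature engine and the profile-driven rules engine that trims it. The signatures, the content patterns (stand-ins, not real detection strings), the platform names, and the traffic are all constructed for illustration; the fourth packet is a benign wiki edit that still trips the traversal signature, the kind of false positive the text says is unavoidable with content matching.

```python
"""Signature matching under a site platform profile (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str              # one of the event categories used on this page
    dport: Optional[int]       # None = any destination port
    content: bytes             # byte string that must appear in the payload
    platforms: FrozenSet[str]  # platforms the rule is relevant to; empty = all


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures. The content patterns are illustrative stand-ins,
# not the detection strings a real ToolTalk or IIS rule would carry.
SIGNATURES: Tuple[Signature, ...] = (
    Signature(1001, "ToolTalk database server overflow attempt",
              "Attempted Administrator Privilege Gain", None,
              b"TTDB-OVERFLOW", frozenset({"solaris"})),
    Signature(1002, "WEB directory traversal",
              "Attempted Information Leak", 80,
              b"../../", frozenset()),
    Signature(1003, "IIS cmd.exe access",
              "Attempted Administrator Privilege Gain", 80,
              b"cmd.exe", frozenset({"windows-iis"})),
)


def enabled_signatures(signatures, profile):
    """Rules-engine step: keep a signature only when it is platform-independent
    or targets at least one platform the Signature Profiler says is present."""
    present = frozenset(profile)
    return tuple(s for s in signatures if not s.platforms or s.platforms & present)


def inspect(packet, signatures):
    """Sensor/engine step: (sid, category) for every enabled signature whose
    port and content constraints this packet satisfies."""
    return [(s.sid, s.category) for s in signatures
            if (s.dport is None or s.dport == packet.dport)
            and s.content in packet.payload]


# Constructed traffic sample (RFC 5737 documentation addresses).
TRAFFIC: Tuple[Packet, ...] = (
    Packet("203.0.113.9", "192.0.2.10", 80,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.9", "192.0.2.10", 80,
           b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.9", "192.0.2.11", 32770,
           b"\x00\x00TTDB-OVERFLOW\x90\x90\x90"),
    # Benign wiki edit whose body happens to contain "../../": a false positive.
    Packet("192.0.2.50", "192.0.2.10", 80,
           b"POST /wiki/edit HTTP/1.0\r\n\r\ntext=use ../../ to go up two dirs"),
)


def run(profile, traffic=TRAFFIC, signatures=SIGNATURES):
    """Return one (src, dst, sid, category) alert per signature hit, using
    only the signatures the profile leaves enabled."""
    active = enabled_signatures(signatures, profile)
    return [(p.src, p.dst, sid, cat)
            for p in traffic for sid, cat in inspect(p, active)]


if __name__ == "__main__":
    # A Linux/Apache-only site: the ToolTalk and IIS rules are never evaluated.
    for alert in run({"linux-apache"}):
        print(alert)
```

With a profile of `{"linux-apache"}` only the two traversal hits fire (one real, one the wiki false positive); adding `"solaris"` and `"windows-iis"` to the profile re-enables the other two rules and the same traffic produces four alerts. Note that the port constraint on signature 1002 is what keeps the string `../../` from alerting on every protocol; narrowing signatures this way is the practical counterpart of what the Profiler does at the platform level.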
Responding to Events and Notifications
Once you've used the Signature Profiler to build a model of your network and systems infrastructure, your CommandCenter NOC is now ready to start generating events and notifications. Now the question becomes “What events/notifications will I receive, and what will I do with them once I've got them?”
Sample of Event Categories
- Successful Administrator Privilege Gain: This category includes threats in which the traffic indicates that an attempt to compromise the security on a system at an administrator level has occurred, and that attempt was successful.
- Attempted Administrator Privilege Gain: This category includes threats in which an attempt to compromise the system security at an administrator level has occurred, but there are no indications as to whether or not the attempt succeeded.
- Successful User Privilege Gain: This category includes attempts to compromise systems at a user level, and the traffic indicates that this attempt was successful.
- Attempted User Privilege Gain: This category includes attempts to compromise systems at a user level, with no indication as to whether or not the attack succeeded.
- Unsuccessful User Privilege Gain: This category includes attempts to compromise systems at a user level that have failed.
- Denial of Service: This category identifies traffic patterns designed to disable a service or user access to a machine through excessive network traffic or system exploits.
- Attempted Denial of Service: This category identifies attempts to generate the traffic or exploits necessary to create a denial of service attack.
- Large Scale Information Leak: This category includes attacks in which the loss of system or environmental information across a number of nodes was incurred, including access to password lists or user information. This is significant, as these types of attacks usually precede more in-depth and destructive attacks.
- Information Leak: This category includes attacks where some system information is compromised which could aid in future attacks.
- Attempted Information Leak: This category includes attacks that indicate an attempt to gather information about systems or users that could aid in future, larger scale attacks.
- Potentially Bad Traffic: This category includes any traffic that may be normal in the course of business, but is likely to be traffic that really should not occur.
- Unknown traffic: This category includes traffic recognized as abnormal, but that is not associated with a known attack or intrusion. Events from this category are ignored by default.
- Normal traffic: This category includes traffic that doesn't fit into any other categories, because it hasn't triggered a signature, and is really useful only for troubleshooting the CommandCenter NOC. Events from this category are ignored by default.
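The difference between the "Attempted" and "Successful" forms of a category comes down to whether the sensor also saw the target respond in a way that confirms the attack worked. As an added example (not Raritan's code), the following Python groups both directions of a connection into one flow and raises the category only when the server's reply matches a success pattern; the rules, patterns, and traffic are constructed for illustration and are not production signatures.

```python
"""Attempted vs. successful: correlating request and reply on one flow
(added example, not Raritan code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    request: bytes    # pattern in client -> server data
    attempted: str    # category when only the request is seen
    success: bytes    # pattern in the server's reply that confirms success
    succeeded: str    # category once the reply confirms the attack worked


# Constructed rules; the patterns are illustrative, not production signatures.
RULES: Tuple[Rule, ...] = (
    Rule(2001, b"/etc/passwd", "Attempted Information Leak",
         b"root:x:0:0:", "Information Leak"),
    Rule(2002, b"cmd.exe?/c+dir", "Attempted Administrator Privilege Gain",
         b"Directory of", "Successful Administrator Privilege Gain"),
)


def flow_key(p):
    """Direction-independent key so a request and its reply share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def classify(packets, rules=RULES):
    """Return sorted (attacker, target, sid, category) tuples. A rule whose
    request pattern is seen yields its 'attempted' category unless a reply
    back to the attacker on the same flow carries the success pattern."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    events = []
    for pkts in flows.values():
        for r in rules:
            hits = [p for p in pkts if r.request in p.payload]
            if not hits:
                continue
            attacker, target = hits[0].src, hits[0].dst
            confirmed = any(p.dst == attacker and r.success in p.payload
                            for p in pkts)
            events.append((attacker, target, r.sid,
                           r.succeeded if confirmed else r.attempted))
    return sorted(events)


# Constructed traffic: three probes from one host, two of which succeed.
TRAFFIC: Tuple[Packet, ...] = (
    Packet("203.0.113.9", 40001, "192.0.2.10", 80,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", 80, "203.0.113.9", 40001,
           b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"),
    Packet("203.0.113.9", 40002, "192.0.2.11", 80,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.11", 80, "203.0.113.9", 40002,
           b"HTTP/1.0 404 Not Found\r\n\r\n"),
    Packet("203.0.113.9", 40003, "192.0.2.12", 80,
           b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.12", 80, "203.0.113.9", 40003,
           b"HTTP/1.0 200 OK\r\n\r\n Directory of C:\\Inetpub\\scripts\r\n"),
)


if __name__ == "__main__":
    for event in classify(TRAFFIC):
        print(event)
```

The first flow returns the contents of the password file, so the event is an Information Leak; the second target answered 404, so with no evidence either way the event stays an Attempted Information Leak; the third target returned a directory listing, so the privilege-gain attempt is reported as successful. A sensor that only sees the client-to-server direction (for example, because of asymmetric routing) can never produce the "Successful" categories, which is worth checking when placing sensors.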
Notification paths define the users or groups who will receive notifications, how the notifications will be sent, e.g., numeric or text pages, SMS or e-mail, and who to notify if escalation is needed. Notification paths are selected when configuring an event notification. CommandCenter NOC can be configured to send a subsequent escalation notification. This escalation can be sent to an individual user, a group, or an e-mail address.
What do I do when...
The CommandCenter NOC's job is to inform you when you and your infrastructure are potentially at risk; the decision on how to respond is left to you, the one with an understanding of your infrastructure and your business. While we cannot provide a response for each particular potential threat, we can share this list of things to consider when receiving events and notifications from your CommandCenter NOC:
- Does this event mean that traffic is coming through my firewall that shouldn't be? Can I further refine my firewall configuration to disallow this type of traffic? What about traffic to/from this source/destination address?
- Are all of my systems at the most recent operating system revision and patch level? Patches and hot-fixes are especially important for Microsoft platforms.
- Have my network platforms been upgraded to avoid unnecessary risks?
- Have I used the Signature Profiler to tune the CommandCenter NOC to watch for the traffic I'm really concerned about? The Signature Profiler is available under the Admin menu on your CC-NOC. Click the Configure Intrusion Detection link.
- Have I drilled down into the detail view of the event and checked the other sources for information? CVE, Bugtraq, Whitehats, and Raritan are all reliable, trusted sources for information on security threats.
- Has someone installed something on my network that I'm not aware of? This might include new applications as well as new systems or network gear.
- Is this event or notification in a category that I'm not interested in? Can I review my CC-NOC event configuration details (on the CommandCenter NOC, Admin tab, under Intrusion Detection Configuration) so that I no longer receive these events or notifications in the future?
- Is this a false positive? Have I checked out this potential threat and am confident that this is not a risk?
What if I have been hacked?
Unfortunately, there is often not much you can do to react gracefully to a successful intrusion; the important thing is to react quickly.
Depending on the nature of your business, the type of attack, the possible loss involved, and the potential for further loss, your reactions may vary. However, you might want to consider one or more of the following responses. They might not save you this time around, but thinking through the threats at play and the responses you will need to take, and developing a planned response before an event occurs, is a critical piece of an overall solution. Forewarned is forearmed.
- Are you still connected to the source of the attack? If the intruder came in via the Internet, is your connection still up? Should it be?
- Is only one system compromised or are there others? Are you sure?
- Once a system is compromised, it is difficult to recover cleanly, as you have no idea what tools the offender may have left behind. Plan for a complete drive format and reinstall of the compromised platforms, restoring from a known-good backup taken before the compromise, if at all possible. If legal action is a possibility, preserve an image of the compromised drive before wiping it.
- Have passwords been compromised? Force your users to change their passwords immediately.
- Have you confirmed the attack and verified that it has in fact occurred?
- Are there preventative steps you can take to keep this from happening again?
- Establish a relationship with a local, trusted “go-to” partner who can provide security related expertise, insights, and assistance when needed.
- Do you have a comprehensive security policy documented and in force?
- Will you be pursuing legal action in response to the attack? Are you preserving the necessary evidence to support that action?
- Is it possible to overreact?
Security – An Elusive Goal
While intrusion detection alone is not a security plan, it certainly is a critical component in the layered approach. And as is so often the case, the best weapon is knowledge. Having the right information at the right time is paramount when protecting your mission critical business infrastructure from threats unknown.
Categories
Categories here are groupings of systems and/or services (distinct from the event categories above) defined by rules that are used in the user interface, in reports, and in availability calculations. Categories are logical groupings of devices based on filters that you create, and they can be combined into views so that users are focused on the nodes pertinent to their role. You can create, modify, and delete categories and the filters that populate them. Using CommandCenter NOC's TCP/IP address matching, powerful filters can be created quickly and easily.
Raritan is here to help provide that information and the tools you need to get it to the right people. As before with network and systems management and now in security, Raritan is your eye on the network.