Combining Network Intrusion Detection with Firewalls for Maximum Perimeter Protection
...s from the leaders.

Electronic security mimics physical security

Interestingly, electronic security mimics time-proven physical security practices. Physical security assigns varying access rights to employees, contractors, partners and the general public. The physical security policy drives the level of access for each of these categories of individuals. The firewall is similar to a door, and like most doors it has a lock. Only those with the proper credentials or profiles are allowed to enter. For example, you may be able to enter a bank lobby, but it is unlikely that you will be given access to the vault. Likewise, a firewall will let outsiders into specific system areas, but not into the internal network.

IDSs mimic another physical security practice. A casual glance around most buildings will reveal closed circuit television (CCTV) cameras. The cameras are used to detect an intruder attempting to pick a lock or rob a bank. If a video recorder is connected to the camera, it is possible to replay the events and potentially identify the suspects. IDSs are like the CCTV cameras: they detect unusual and unwanted activity at the perimeter and “public” areas of systems, and through logs and event trails they can identify or help trace an intruder. In the bank example, attempted unauthorized entry or unusual behavior in the lobby will likely tip off a security guard that a problem exists.

IDSs also have the ability to alarm and apply countermeasures if they detect unusual activity. As with physical security, alarm systems significantly enhance the perimeter security of a building. Like alarm systems, IDSs can act as a deterrent by providing countermeasures such as session kill, automated firewall reconfiguration and real-time warnings. The security administrator uses firewalls and IDSs in much the same way that a security guard uses locked doors and CCTV cameras. As with physical security, the level of electronic security is layered.
Each layer provides an enhancement to the overall security level. A locked door is one level, but the addition of cameras and alarm systems greatly enhances the security of a building. Insurance companies routinely require the installation of alarm systems in buildings to reduce the risk of break-ins. In the same way, electronic insurance programs such as ICSA’s® TruSecure™ require IDSs on insured websites and Internet connections.

Combining a firewall with the network intrusion detection system

Effective use of a network IDS requires two things: proper placement of the IDS, and a policy matched to the type of traffic on the Internet connection. Placement of the network IDS to support a firewall is dependent on the intended objectives for intrusion detection. Ideally, two sensors should be used, placed on both the outside and the inside of the firewall (see figure 1).

Copyright @ 2001 Nokia Inc. All rights reserved. April 2001. Combining Network Intrusion Detection with Firewalls.

Figure 1. Placement of the network IDS to support a firewall.

One sensor monitors the segment between the router and the firewall. The second sensor monitors the segment between the firewall and the internal network. Deployed in this configuration, the two sensors perform complementary functions, acting as a “firewall leak detector.” The policy configuration of each sensor is a bit different. The outside sensor is used to monitor for attack attempts and network probes of an organization’s Internet connection, while the inside sensor is used to detect certain types of events that have made it through the firewall or are coming from the internal network. The security administrator should make sure the implementation does not focus only on external activity. Insiders can have distributed denial of service, Trojan horse programs, worms and attack programs installed on internal computers. There is potential for litigation if an organization is the source of an attack.
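The “firewall leak detector” idea above is simple to make concrete: each sensor records the flows it sees, and the two records are correlated against the firewall's own policy. Anything the inside sensor saw that the policy says should never have passed is a leak; anything the outside sensor saw that never appeared inside is a blocked attempt worth counting rather than paging on; anything on the inside segment sourced from an internal host is the outbound activity the inside sensor exists to watch. The Python below is an added example written for this page, not Nokia's product code or anything from the paper; the rule set, addresses and flows are constructed.

```python
"""Firewall leak detector: correlate what the outside sensor (router-to-firewall
segment) and the inside sensor (firewall-to-internal segment) each saw against
the firewall's own policy. Added example, not Nokia's product code; the policy,
addresses and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed internal address space


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a sensor would summarise it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed firewall policy: the narrowly defined external access rules
# (source network, destination network, destination port, protocol).
INBOUND_ALLOW = [
    (ip_network("203.0.113.0/24"), ip_network("10.0.5.20/32"), 443, "tcp"),  # partner to app server
    (ip_network("0.0.0.0/0"), ip_network("10.0.5.25/32"), 25, "tcp"),        # Internet to mail relay
]


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def firewall_permits(flow: Flow) -> bool:
    """True if the policy should let this flow through. Internally sourced
    flows are outbound and are not judged against the inbound rules."""
    if is_internal(flow.src):
        return True
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return any(src in s_net and dst in d_net and flow.dport == port and flow.proto == proto
               for s_net, d_net, port, proto in INBOUND_ALLOW)


def firewall_leaks(outside_seen, inside_seen):
    """Flows that arrived at the outside sensor AND were seen by the inside
    sensor, yet the policy says should have been dropped: the leak detector."""
    return sorted((f for f in set(outside_seen) & set(inside_seen) if not firewall_permits(f)),
                  key=lambda f: (f.src, f.dst, f.dport))


def blocked_attempts(outside_seen, inside_seen):
    """Seen outside, never seen inside, not permitted: the firewall did its
    job. Count these as probe activity rather than page anyone."""
    passed = set(inside_seen)
    return [f for f in outside_seen if f not in passed and not firewall_permits(f)]


def insider_originated(inside_seen):
    """Flows on the inside segment from an internal host to an external one:
    the outbound activity (worms, DDoS zombies, Trojans phoning home) that the
    inside sensor exists to watch."""
    return [f for f in inside_seen if is_internal(f.src) and not is_internal(f.dst)]


# Constructed sensor observations for one interval.
OUTSIDE_SEEN = [
    Flow("203.0.113.9", "10.0.5.20", 443),     # partner, permitted by the first rule
    Flow("198.51.100.7", "10.0.5.20", 443),    # wrong source for the partner rule
    Flow("198.51.100.7", "10.0.5.21", 139),    # file-sharing probe, no rule allows it
]
INSIDE_SEEN = [
    Flow("203.0.113.9", "10.0.5.20", 443),     # arrived, as expected
    Flow("198.51.100.7", "10.0.5.21", 139),    # arrived anyway: the firewall leaked
    Flow("10.0.7.31", "198.51.100.99", 6667),  # internal host reaching out to the Internet
]

if __name__ == "__main__":
    for f in firewall_leaks(OUTSIDE_SEEN, INSIDE_SEEN):
        print("LEAK    ", f)
    for f in blocked_attempts(OUTSIDE_SEEN, INSIDE_SEEN):
        print("BLOCKED ", f)
    for f in insider_originated(INSIDE_SEEN):
        print("OUTBOUND", f)
```

Run stand-alone it reports one leak (the port 139 probe that reached the inside segment), one blocked attempt (the 443 connection from a non-partner address) and one outbound flow from an internal host. In a real deployment the policy table would be loaded from the firewall's configuration rather than hand-written, so that the detector and the firewall never drift apart.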
If the budget is limited to a single sensor, it should be deployed as the inside sensor.

Setting intrusion detection policies

Optimally, network IDS policies should be tuned to the environment. Setting policy is not as complicated as it has been portrayed, but efficient policy selection does require knowledge of the internal network and systems. There are specific goals and objectives for each sensor. This is where a console’s configuration user interface can be a help or a hindrance. It is important to tune the sensor’s policies for the type of systems inside the firewall. For example, if devices such as user workstations and servers are based on Microsoft Windows, there is little need to test for Unix exploits. In addition, if there are no externally available web or FTP servers on the inside of the firewall, there is no requirement to check for those categories of exploits.

The outside network sensor should be configured to detect a variety of probing activities, firewall exploits and suspicious activity, and to protect external or DMZ devices at the Internet connection. Since there are large amounts of exploit activity on the Internet, care must be taken in tuning this network sensor to protect the specific environment. Implementing all of a vendor’s signatures can cause any IDS to get bogged down detecting signatures that have no impact on internal systems.

• Activate detection of port probes such as NMAP and others. The objective is to understand when probing activity increases significantly, possibly a precursor to an attack. Activating probe-oriented signatures can generate heavy event traffic. Advanced network IDSs offer threshold settings that reduce the level of “nuisance” alerts and false positives while still alerting the security administrator to significant events.

• Implement custom signatures to monitor external connection rules.
Nearly all firewalls have some rules that allow external access to services on the internal network. Normally, these are narrowly defined to include specific addresses and ports. Custom IDS policies should be developed to monitor and log all activity on those external access rules.

• Activate “suspicious behavior” signatures. These should be tuned to protect the firewall, routers and externally connected devices such as web, mail, DNS and FTP servers that are often attached to specialized or “DMZ” segments.

• Detect distributed denial of service activity. Ingress and egress DDoS zombie detection is a key element here. Detection of an inbound DDoS attack gains precious seconds in mitigating the effects of the denial of service attack. It is also important to detect outbound DDoS activity, unless IP spoof limiting egress filters have been implemented at the external router.

Inside the firewall, the objective is to detect suspicious activity. Detection of Trojans, backdoors, unauthorized access exploits and externally bound attack signatures is important. Properly configured firewalls will filter many exploits, but are typically weak against Trojan and backdoor activity.

• Activate Trojan and backdoor detection signatures. A good network IDS will be able to detect hundreds of Trojans and their variants by analyzing packet contents and not just their default TCP ports. Note also that many infected computers belong to users attached to DSL and cable modems. A VPN connection does not protect against a Trojaned system outside the perimeter.

• Detect unauthorized access attempts. These, mainly buffer overflows, exploit bugs in operating systems and applications. While usually filtered out at the firewall, there are session hijacking techniques that can fool a firewall into allowing traffic to pass.

• Detect outbound attacks; this is a very important aspect as well.
While not common, insiders attacking external systems from the internal network expose an organization to potential litigation for being the source of an attack.

Other network intrusion detection deployments

Currently, the primary use of a network IDS is for perimeter monitoring and protection. There are a number of other uses for the technology. The objective varies in terms of the systems being monitored and the exploits sought, but the technology can significantly enhance enterprise security. Below are some examples to consider:

• WAN and Frame Relay connections. Ordinarily, these are considered “private” connections, but they often connect to smaller branch offices that are sometimes lax in physical security and adherence to p...
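Two pieces of the policy-setting advice above lend themselves to a worked example: trimming a vendor's signature set to the platforms and services actually present behind each sensor (Windows-only desktops need no Unix signatures; no inside web or FTP servers means no web or FTP signatures), and thresholding port-probe detection so that a scan produces one alert instead of a flood of nuisance events. The Python below is an added example written for this page, not the paper's or any vendor's product code; the signature catalogue, the environment profiles, the addresses and the events are all constructed.

```python
"""Tuning a sensor's signature set to the hosts behind it, and thresholding
port-probe detection so one scan produces one alert. Added example, not the
paper's or any vendor's code; the signature catalogue, environment profiles
and events are constructed."""
from collections import defaultdict

# Constructed catalogue. Each signature is tagged with the platform it applies
# to and, where it is service-specific, the service that must be reachable.
SIGNATURES = [
    {"name": "Windows web server path traversal", "platform": "windows", "service": "web"},
    {"name": "Windows file sharing enumeration", "platform": "windows", "service": None},
    {"name": "Windows Trojan backdoor handshake", "platform": "windows", "service": None},
    {"name": "Unix FTP server overflow", "platform": "unix", "service": "ftp"},
    {"name": "Unix DNS server overflow", "platform": "unix", "service": "dns"},
    {"name": "Unix remote admin daemon overflow", "platform": "unix", "service": None},
]


def tune_policy(signatures, platforms, exposed_services):
    """Keep only signatures whose platform exists behind this sensor and whose
    service (if any) is actually reachable there. Returns the signature names."""
    kept = []
    for sig in signatures:
        if sig["platform"] not in platforms:
            continue
        if sig["service"] is not None and sig["service"] not in exposed_services:
            continue
        kept.append(sig["name"])
    return kept


def probe_alerts(events, port_threshold=10, window=60):
    """Thresholded port-probe detection. events are (ts_seconds, src, dst, dport).
    A source is reported once when it has touched at least port_threshold
    distinct destination ports within the last window seconds; its history is
    then cleared so a single scan does not page on every further packet."""
    history = defaultdict(list)  # src -> [(ts, dport), ...] inside the window
    alerts = []
    for ts, src, _dst, dport in sorted(events):
        hist = history[src]
        hist.append((ts, dport))
        # Age out observations older than the window.
        while hist and hist[0][0] < ts - window:
            hist.pop(0)
        distinct = {port for _, port in hist}
        if len(distinct) >= port_threshold:
            alerts.append((src, ts, len(distinct)))
            hist.clear()
    return alerts


# Constructed events: one host walking twelve ports in twelve seconds, and a
# partner host that legitimately uses two services.
SCAN_EVENTS = [(100 + i, "198.51.100.7", "10.0.5.20", 1000 + i) for i in range(12)]
NORMAL_EVENTS = [(103, "203.0.113.9", "10.0.5.20", 443), (104, "203.0.113.9", "10.0.5.20", 80)]
EVENTS = SCAN_EVENTS + NORMAL_EVENTS

if __name__ == "__main__":
    # Inside sensor: all-Windows desktops, no web or FTP servers behind the firewall.
    print("inside :", tune_policy(SIGNATURES, {"windows"}, set()))
    # Outside sensor protecting a Unix DMZ that exposes public DNS and FTP.
    print("outside:", tune_policy(SIGNATURES, {"unix"}, {"dns", "ftp"}))
    print("alerts :", probe_alerts(EVENTS, port_threshold=10, window=60))
```

With a 60-second window the scanning host trips the threshold once, at its tenth distinct port, and the partner host never does; shrinking the window to 5 seconds makes the same twelve-port walk fall below threshold, which is exactly the kind of knob the text has in mind when it says threshold settings trade nuisance alerts against significant events. The inside profile keeps only the two Windows signatures that need no exposed service, while the DMZ profile keeps the three Unix ones.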