Evolutionism of Intrusion Detection

Transcription

1 Evolutionism of Intrusion Detection Jackie Lai The network technology changes with each passing day; and the attack technique of hacker also weeds through the old to bring forth the new. Worms such as Code Red, Nimda, Slammer, Blaster and Sasser always regard the firewall /anti-virus software as nothing at the beginning of attack. They drive into the core server of enterprise with sudden speed directly, paralyze the operation of the server, or clog the bandwidth of network to cause large loss of the enterprise. Just the same as Darwin s evolutionism, species must evolve to get with the environment, otherwise they will be eliminated by the environment. The traditional intrusion detection system installed by the enterprise and Layer 4 Firewall could not block the exquisite and wily attacks by hackers. They also face the fate of evolution. The intrusion detection system evolves into intrusion detection & prevention system The operation structure of Intrusion Detection System (IDS) is shown as Figure 1. IDS just monitors the past packets at the side of network. When it finds the network attack, generally it will (1) notify administrator to adopt suitable defense measure; (2)change the firewall rules; or (3) send the command of TCP Reset to attacker and victim to terminate session connection. Figure 1 The operation structure of IDS 1

2 Such method might work in early stage. However, IDS has been unable to manage new type of attack. For IDS does not detect the content of the packet actively and immediately, but collect the data passively. Taking the attack of SQL Slammer as an example, it is easy to infect the host by sending a packet with 376 bytes to the port (1434/UDP) of the vulnerable host. When IDS finds the attack and tries to do something, it is too late to do anything. Therefore, to manage the flash attack of the hacker, IDS gradually evolves to Intrusion Detection & Prevention System (IDP). The operation structure of IDP is shown as Figure 2. Figure 2 The operation structure of IDP Instead of subordinate role in network before, IDP plays the leading role to detect the past packets immediately and deeply in the entry gateway of enterprise network. If it finds malicious attack packet, it will discard it directly and not allow the packet into the network. The operation features of IDP are listed below: Deep Packet Inspection - Current IDP can break through the limitation of traditional firewall to detect the content of the packets mapping with OSI model 4 to 7 Layer (equal to the application layer in TCP/IP model). For the new attack program code data hidden inside the application layer of TCP/IP protocol, the Deep Packet Inspection technology can make those network packets with malicious attack not concealing themselves. In-Line Mode - IDP must be placed in the entry of gateway of enterprise network (see Figure 2). All of the packets pass in and out of the Intranet of enterprise must be detected deeply by IDP. The feature of In-Line mode is the greatest difference in operation between IDP and IDS. IDS can just monitor network packet with sniff mode. When it detects the malicious attack packet, 2

3 such malicious attack packet has intruded into Intranet of enterprise. By the way, in-line mode is also named Gateway mode. Real-Time Detection - IDP must do real-time detection to all the packets that pass in and out of the intranet of enterprise. If it could not detect in real-time, it would be too late to defend the attack of the packet crossing through IDP. IDS also cannot finish real-time detection. Its main job is to record the intrusion of network packet and send out warning message when find out large amount of doubtful attack packets, or offer the record of packet for analyzing by relational people. Proactive Prevention - The features of deep packet inspection, in-line mode and real-time detection can find the malicious attack packets hidden inside the TCP/IP application layer in real-time and discard them immediately. Later, all the packets that relate to such malicious attack packets will be thrown away directly without any inspection. Thus, the malicious attack packets cannot access into the network and the function of proactive prevention can be reached. Wire-Line Speed - IDP connects Intranet of enterprise and Internet by using gateway mode. On the one part it must do the real-time work of deeply inspecting/discarding past packets and on the other part it must avoid the situation that user thinks delay appearing in data transmission due to the existence of IDP. So, it must have high execution efficiency to make the passing packets reaching wire-line speed. If IDP cannot operate with wire-line speed, it would be a burden on the transmission rate for the enterprise network to outside world and might affect the will of enterprise to install IDP. Evolution in Firewall Traditional firewall cannot block the new type attack of hackers. Therefore it tries to improve in packet detection and defense ability continuously. New defense trend of firewall can be listed as the following: Adding Inspection & Management Capability in Application Layer Traditional firewall using the technique of packet filter does not inspect the network packet in application layer. Though, in theory, proxy-based firewall can fully detect the content of the packet in application layer, yet actually it still has great fall. The reason is simple. It needs large amount of calculating rate in hardware for overall detecting packets in application layer. However, the proxy-base firewall is always installed on the industrial personal computer, the calculating rate is restricted. So, the proxy-based firewall of enterprise generally detects the contents of packets in the 3

4 protocols of HTTP, SMTP and FTP. Yet, current the exploit code of hacker attack always is hidden inside the application layer and can avoid the detection of firewall easily. To defend such attack with new pattern, recently the detection ability in application layer has been added already into the new generation firewall (no matter proxy-based or packet-filter based). The capabilities added in detecting application layer are listed below: HTTP header filtering - Such function can judge if the general behavior of Internet browsing for the application packets passing through port 80/TCP or application packets that have no relation with HTTP is allowed or not. At present, many network attack penetrates the firewall through port 80/TCP by pretending HTTP application packets to start attack. HTTP URL filtering - Such function can filter malicious or illegal URL to avoid intentional or unwitting access by users. For example, some malicious websites lay up Trojan horse program purposely. Once a user connects to such website, he will be forced to download such malicious program and be embedded with backdoor program. As a result, the system might be unstable. And if worse, the network account, password, credit card number will be revealed, be stolen or the money on deposit will be withdrawn by someone else. HTTP content filtering - For many malicious program or Trojan horse program might pretend normal program to be downloaded through HTTP protocol by users. Or if users browse the malicious web page, the script of the program will be executed automatically to damage the computer of the user. Therefore such capability becomes an important function that newly added to the firewall. The managing range includes: file format, MIME format control; managing the download from ActiveX, Java, JavaScript, VBScript, XML, Cookies, WebDAV, DCOM, etc. HTTP action controls - The internal users of network might use browser to upload confidential documents of the company through HTTP protocol. HTTP actions include HEAD, GET, POST, PUT and DELETE. The firewall which has the capability of controlling HTTP actions can prevent the improper data revealing stated above. Management for the content of FTP and SMTP communication It can determine if it is necessary to add anti-virus inspection, Anti-SPAM function, limitation of file size onto the transmission of the communication ports. 4

5 Management for the content of LDAP and SNMP communication The firewall which supports LDAP management can block any rewritten job from outside world to the internal server. And the firewall which supports SNMP management can protect SNMP MIB database from rewritten by hackers arbitrarily. Management for the content of VoIP communication Some enterprises will need to save the expenditure of long-distance calls through the technology of VoIP. When they plan the firewall, they need to consider such capability of supporting H.323 or SIP. Built-in Intrusion Detection & Prevention Capability New types of firewall have built-in part of functions of IDP to execute simple work of defense. For example, through Anomaly-based detection, it can discard the packets that do not match with the RFC standard directly, or it can discard the quite dangerous and not misjudged packets immediately. For the main functions of firewall still emphasize on data source access management, VPN, protocol usage management and some firewall also have to bear the job of virus inspection, therefore the functions of built-in IDP for most of the new type firewall are still limited. To the enterprise which requires high security in network, it is not recommended to depend on the built-in IDP function of firewall completely. Conclusion Each time, people usually realize the insufficiency in the protection of information security only the network attack events occur in large scale. With the changes of attacks measures of hackers, the advanced information security equipment of the past years might become out of date. At present, there is no resolution which can offer absolutely protection to the network security. Only keeping up with the change of the age and choosing suitable information security equipment can help people to obtain relative protection. About the author Jackie Lai owns the certificate of CISSP and has written/translated several books, such as Network Hacker Manual Attack, detection and defense of backdoor program, Intrusion Detection, Virus Protection Handbook and so on. 5