COMPLIANCE COMPONENT

DEFINITION

Host-Based Intrusion Detection Systems (HIDS)

Description:
Host-Based Intrusion Detection Systems (HIDS) operate on information collected from within an individual computer system. This vantage point allows HIDS to analyze activities to determine exactly which processes and users are involved in an attack on a particular system or host. HIDS can see the outcome of an attempted attack, as they can directly access and monitor the data files and operating system processes targeted by the attack.

Rationale:
The first step in delivering an efficient and secure intrusion protection strategy is accurately detecting all possible threats. To achieve this goal, multiple detection methods, including HIDS, should be employed to ensure comprehensive coverage. The failure to secure any State of Missouri host system with HIDS puts agencies at a much greater risk of loss. A single attack can cost millions of dollars in time spent recovering from the attack and in liability for compromised data and hardware. The damage from an attack on State of Missouri services can also include inconvenience to citizens and the loss of public confidence.

Benefits:
- HIDS can detect attacks that cannot be seen by a Network-Based IDS, since they monitor events local to a host.
- HIDS can often operate in an environment where network traffic is encrypted.
- HIDS are unaffected by switched networks.
- HIDS can detect, and in some cases prevent, attacks that involve software integrity breaches, such as Trojan Horses.
- HIDS have the ability to monitor local files for any changes or modifications.
- HIDS can see the outcome of an attempted attack, since they can directly access and monitor the data files and operating system processes targeted by the attack.

ASSOCIATED ARCHITECTURE LEVELS

Domain: Security
Discipline: Technical Controls
Technology Area: Intrusion Detection Systems
Product Component:

COMPLIANCE COMPONENT TYPE

Compliance Component Type: Guideline
Component Sub-type:
COMPLIANCE DETAIL

General HIDS Requirements
- Administrators shall be trained on the IDS before implementation. Despite vendor claims of ease of use, training and/or experience are absolutely necessary to manage any IDS.
- It is preferred to have the HIDS controlled directly from a central location(s). However, the HIDS may be agent-based, where response decisions are made at the host.
- IDS administrators shall be able to create or change policies easily.

HIDS Deployment Requirements
- HIDS shall be deployed in conjunction with Network-Based IDS to fully protect the system. It is recommended that organizations install the Network-Based IDS first, followed by the HIDS installation on critical servers. Once administrators are familiar with the HIDS, it may be installed on the remainder of the organization's hosts.
- HIDS shall be installed on any host where sensitive or critical information is stored.
- It is preferred to install IDS management software on a separate system from the target host being monitored.
- It is preferred to have the HIDS use an agent-manager (server) architecture, where policy is created and modified on the manager and automatically distributed to all agents.
- It is preferred that host agents poll the manager at periodic intervals for policy changes or new software updates.

HIDS Analysis Requirements
- HIDS shall utilize information from operating system audit trails and system logs.
- HIDS shall have easy-to-use tools to analyze the logs.
- HIDS shall detect, and preferably prevent, the following:
  - System scanning (probing the target with different kinds of packets to garner information about the system, such as topology, active hosts, operating systems and software in use),
  - Denial of Service (DoS) (slowing or shutting down targeted systems or hosts), and
  - Penetration (unauthorized acquisition and/or alteration of system privileges, resources, or data).
- HIDS shall use Misuse Detection methods (matching a predefined pattern of events describing an attack) and may also include Anomaly Detection (abnormal, unusual behavior) components.
- Administrators shall follow a schedule for checking the results of the HIDS to ensure attackers have not modified the system.
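The analysis requirements above, worked through as an added example that is not part of the original guideline: a small Python analyzer that applies a misuse (signature) rule and an anomaly (failed-login rate) check to a constructed syslog excerpt, and emits alert records carrying the output fields listed under HIDS Response Requirements. The host name, sensor address, threshold, sudo rule and log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Constructed syslog excerpt for a hypothetical host "web01" (sample data, not a real log).
SAMPLE_LOG = """\
Apr  3 10:15:01 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr  3 10:15:03 web01 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Apr  3 10:15:05 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr  3 10:15:06 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51237 ssh2
Apr  3 10:16:10 web01 sshd[2050]: Accepted password for jdoe from 192.0.2.44 port 40022 ssh2
Apr  3 10:17:42 web01 sudo:     jdoe : command not allowed ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
"""

SENSOR_IP = "192.0.2.10"    # assumed address of the monitored host (constructed)
FAIL_THRESHOLD = 3          # assumed anomaly threshold: failed logins per source in the log window
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+) port (?P<sport>\d+)")
# Misuse detection: predefined event patterns that describe an attack (program, regex, name, severity).
MISUSE_RULES = [
    ("sudo", re.compile(r"^\s*(?P<user>\S+) : command not allowed .*COMMAND=(?P<cmd>\S+)"),
     "Unauthorized sudo command (penetration attempt)", "high"),
]

def make_alert(ts, name, severity, **extra):
    """Alert record carrying the output fields the guideline requires for each intrusion."""
    rec = {"time": ts, "sensor_ip": SENSOR_IP, "attack_name": name, "severity": severity,
           "src_ip": None, "dst_ip": SENSOR_IP, "src_port": None, "dst_port": None, "protocol": None}
    rec.update(extra)
    return rec

def analyze(log_text):
    """Run misuse and anomaly detection over a host log and return the alerts raised."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        for rule_prog, pat, name, sev in MISUSE_RULES:        # signature match on local events
            r = pat.search(msg) if prog == rule_prog else None
            if r:
                alerts.append(make_alert(ts, name, sev, src_ip="local", user=r["user"], command=r["cmd"]))
        f = SSH_FAIL.search(msg) if prog == "sshd" else None  # collect events for anomaly scoring
        if f:
            failures[f["src"]].append((ts, int(f["sport"])))
    for src, events in failures.items():                     # anomaly: abnormal failed-login rate
        if len(events) >= FAIL_THRESHOLD:
            ts, sport = events[-1]
            alerts.append(make_alert(ts, "SSH password guessing (penetration attempt)", "medium",
                                     src_ip=src, src_port=sport, dst_port=22, protocol="tcp",
                                     failed_attempts=len(events)))
    return alerts
```

A real agent would also fill in the vulnerability type, expected loss and advisory references from its signature database, which this example leaves out.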
HIDS Response Requirements
- HIDS shall respond in real time.
- It is preferred that HIDS provide active responses to intrusions by:
  - Collecting additional information:
    - Turning up the number of events logged, or
    - Capturing all packets, not just those targeting a particular port or system.
  - Changing the environment:
    - Terminating the connection, or
    - Reconfiguring routers and firewalls to:
      - Block packets from the intruder's IP address,
      - Block network ports, protocols or services, or
      - Sever all connections that use certain network interfaces.
- HIDS administrators shall work closely with router and firewall administrators when creating rules for routers and firewalls, to ensure intruders cannot abuse the feature to deny access to legitimate users.
- HIDS may provide passive responses, requiring subsequent human action, to intrusions by:
  - Generating alarms and notifications with popup windows, cellular phones, pagers and email, or
  - Reporting alarms and alerts using SNMP traps and plug-ins to central network management consoles.
- All HIDS communications shall be secure and use encrypted tunnels or other cryptographic measures.
- HIDS shall create output with the following information for each intrusion detected:
  - Time/date
  - Sensor IP address
  - Specific attack name
  - Source and destination IP addresses
  - Source and destination port numbers
  - Network protocol used
  - Description of the attack type
  - Attack severity level
  - Type of loss expected
  - Type of vulnerability exploited:
    - Input validation (buffer overflow or boundary condition)
    - Access validation (faulty access control mechanism)
    - Exceptional condition
    - Environmental (unexpected interaction between an application and the operating system, or between two applications)
    - Host configuration
    - Race (delay between the time a system checks to see if an operation is allowed and the time it performs the operation)
    - Design
  - Software types and versions vulnerable
  - Patch information to counter the attack
  - References to advisories about the attack or vulnerability
- It is preferred that HIDS reports combine redundant attack entries and make attacks of highest importance stand out.

Document Source Reference #:
- NIST SP 800-31, Intrusion Detection Systems (IDS) (www.csrc.nist.gov/publications/nistpubs)
- NIST SP 800-18 (www.csrc.nist.gov/publications/nistpubs)
- CERT Guide to System and Network Security Practices (www.cert.org/security-improvement/)

Standard Organization: National Institute of Standards and Technology (NIST), Computer Security Resource Center (CSRC)
Website: http://csrc.nist.gov/
Contact Information: inquiries@nist.gov

Government Body: CVE Vulnerability Search on ICAT Metabase
Website: http://icat.nist.gov/
Contact Information:

KEYWORDS
Honey Pot, intrusion, cracker, buffer overflows, passwords, sniffing, exploit, denial-of-service, Java, ActiveX, SMURF, DNS, probes

COMPONENT CLASSIFICATION

Classification: Emerging / Current / Twilight / Sunset
Rationale for Component Classification:
Conditional Use Restrictions:
Migration Strategy:
Impact Position Statement:
CURRENT STATUS

Status: In Development / Under Review / Approved / Rejected

AUDIT TRAIL

Creation Date: 04/03/2003
Date Accepted / Rejected: 05/14/2003
Reason for Rejection:
Last Date Reviewed:
Reason for Update:
Last Date Updated: