Cal Poly Pomona

    Enterprise Computing      

 

Cal Poly Pomona                        Phone: (909) 869-7659

3801 West Temple Avenue          Submitted By: Daniel Formel

Pomona, California 91768           

                                                     

Title V Project

Intrusion Detection Systems

 

Introduction

Intrusion detection is a form of security management for computers and networks. An intrusion detection system (IDS) gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within it).

Intrusion detection functions include:

§         Monitoring and analyzing both user and system activities

§         Analyzing system configurations and vulnerabilities

§         Assessing system and file integrity

§         Recognizing patterns typical of known attacks

§         Analyzing abnormal activity patterns

§         Tracking user policy violations

A host-based IDS (HIDS) examines system logs in real time for evidence of malicious or suspicious application activity, and monitors key system files for evidence of tampering.

 

A network-based IDS (NIDS) watches live network packets and looks for signs of malicious activity, network attacks, and network misuse.

 

Host Based IDS

 

TRIPWIRE

 

Tripwire, Inc.

www.tripwire.com

 

Tripwire for Servers automatically monitors changes to files and system attributes, including file size, access flags and permissions, write time, cryptographic hashes of file contents, and more.

 

After an initial baseline database of the monitored files is created, the Tripwire for Servers engine runs subsequent file checks, automatically comparing the current state of the system with that baseline. Any inconsistencies are reported to Tripwire Manager and to the host's system log file; reports can also be emailed to an administrator.

If a violation is actually an authorized change (such as installing an upgrade or a new application), the administrator can update the database so that the change no longer shows up as a violation.
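The baseline / check / update cycle just described, written out as a small file-integrity checker. This is an added example and not Tripwire's code; the function names, the attribute set recorded per file (size, permission bits, modification time, SHA-256 of the contents) and the sample files it creates in a temporary directory are assumptions chosen for illustration.

```python
"""File-integrity checker (added example, not Tripwire's code) showing the
baseline / check / update cycle.  Function names and the recorded attribute
set are assumptions chosen for illustration."""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(path):
    """Record the attributes a violation is judged on: size, permission
    bits, modification time and a SHA-256 of the contents."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "sha256": digest}


def build_baseline(root):
    """Walk root and snapshot every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = snapshot(full)
    return baseline


def check(root, baseline):
    """Compare the live system with the baseline.  Returns a sorted list of
    (relative path, kind, changed attribute names) violations."""
    current = build_baseline(root)
    violations = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            violations.append((rel, "removed", []))
            continue
        changed = sorted(k for k in old if old[k] != new[k])
        if changed:
            violations.append((rel, "modified", changed))
    for rel in current:
        if rel not in baseline:
            violations.append((rel, "added", []))
    return sorted(violations)


def update_baseline(root, baseline, accepted):
    """Accept authorised changes: refresh the baseline entries for the given
    relative paths so they stop reporting as violations."""
    current = build_baseline(root)
    for rel in accepted:
        if rel in current:
            baseline[rel] = current[rel]
        else:
            baseline.pop(rel, None)
    return baseline


def demo():
    """Run the whole cycle in a temporary directory with constructed files.
    Returns the violations found before and after the authorised update."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(etc, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    # The baseline database is written to disk outside the monitored tree;
    # in practice it must be kept where an attacker cannot rewrite it.
    db_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    with open(db_path, "w") as f:
        json.dump(build_baseline(root), f)
    # Constructed changes: an unauthorised extra UID-0 account ...
    with open(os.path.join(etc, "passwd"), "a") as f:
        f.write("toor:x:0:0::/:/bin/sh\n")
    # ... and an authorised new file installed by the administrator.
    with open(os.path.join(etc, "motd"), "w") as f:
        f.write("welcome\n")
    with open(db_path) as f:
        baseline = json.load(f)
    before = check(root, baseline)
    update_baseline(root, baseline, ["etc/motd"])  # accept only the motd
    after = check(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before update:", before)
    print("after update: ", after)
```

The first check reports both the added motd and the modified passwd; after the administrator accepts only etc/motd, the passwd change is still flagged. Tripwire keeps the equivalent of baseline.json in a signed database (site and local keys); whatever tool is used, the baseline and the policy must live where a compromised host cannot silently rewrite them, or the comparison proves nothing.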

 

§         Flexible Policy Language

Using the Policy Wizard, Tripwire for Servers builds a baseline policy file from the files actually present on the system.

 

§         Integrated Command Execution

Each rule in the policy file can be associated with a single arbitrary system command that is run whenever that rule is violated.

 

§         Flexible Reporting Options

Reports can be viewed in Tripwire Manager, sent to syslog or email, or exported as XML, and contain enough detail to aid discovery and remediation.

 

§         Secure Management

Tripwire for Servers communicates with the Tripwire Manager management console over the Secure Sockets Layer (SSL) protocol, which provides data encryption and server authentication. Together, Tripwire for Servers and Tripwire Manager allow data integrity to be managed from one central location.

 

§         Supported Platforms

Windows XP, Professional Edition

Windows NT 4.0 Workstation, Server, and "Server, Enterprise Edition"

Windows 2000 Professional, Server, and Advanced Server

Solaris (SPARC) 2.6, 7 & 8

IBM AIX 5L V5.1, 4.3, 4.3.3

HP-UX 10.2, 11.0, and 11i

Linux

FreeBSD 4.4 and 4.5

Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1 and 5.1A

 

§         Pricing

Tripwire for Servers: $595

Tripwire Manager: $6,995

For more information contact sales@tripwire.com

 

 

 

DRAGON SQUIRE

 

Enterasys Networks, Inc.

www.enterasys.com

 

Dragon Squire is a host-based intrusion detection and firewall monitoring system. It examines system logs for evidence of malicious or suspicious application activity and monitors key system files for evidence of tampering, in real time. Dragon Squire detects attacks by monitoring output to the system and audit logs. Like Dragon Sensor, another key component of the Dragon family, Dragon Squire is signature based: it analyzes system and audit messages for telltale signs of misuse or attack.

 

Unlike many other host-based intrusion detection systems, Dragon Squire can also monitor the logs of applications running on the host, such as mail, web and FTP servers.

 

§         Operating System Monitoring

Analyzes system and audit logs for signs of misuse and attacks, and monitors the integrity of key system files, reporting when they are accessed, modified or deleted.

 

§         Firewall Support

Supports most commercial firewalls, including Check Point firewalls, Cisco PIX and NetScreen, either by running on the firewall itself or by receiving forwarded logs, and correlates attack activity at the perimeter with activity on the host or application.
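The log-monitoring and firewall-correlation features described above, shown as detection logic run over a handful of log lines. This is an added example, not Enterasys code: the signature set, the threshold, the host log lines and the firewall line (loosely modelled on a Cisco PIX "Deny" syslog message) are all constructed for illustration.

```python
"""Signature matching over host and firewall log lines, with a failed-login
threshold and source-address correlation (added example, not Enterasys
code).  Log lines and signatures are constructed for illustration."""
import re
from collections import defaultdict

# (name, log source, regex).  Each regex captures the offending address as 'src'.
SIGNATURES = [
    ("ssh-failed-password", "host", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("ftp-root-login-attempt", "host", re.compile(
        r"ftpd\[\d+\]: USER root from (?P<src>[\d.]+)")),
    ("http-cmd-exe-probe", "host", re.compile(
        r"httpd: (?P<src>[\d.]+) .*GET \S*cmd\.exe", re.IGNORECASE)),
    ("firewall-deny", "firewall", re.compile(
        r"Deny (?:tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<port>\d+)")),
]
BRUTE_FORCE_THRESHOLD = 3  # failed SSH logins from one address before escalating


def match_line(source, line):
    """Return (signature name, captured fields) for the first matching
    signature that applies to this log source, or None."""
    for name, sig_source, rx in SIGNATURES:
        if sig_source == source:
            m = rx.search(line)
            if m:
                return name, m.groupdict()
    return None


def analyze(events):
    """events: iterable of (source, line) with source 'host' or 'firewall'.
    Returns per-line alerts, addresses over the failed-login threshold, and
    addresses seen both at the perimeter and on the host."""
    alerts, counts, sources_by_addr = [], defaultdict(int), defaultdict(set)
    for source, line in events:
        hit = match_line(source, line)
        if hit is None:
            continue
        name, fields = hit
        src = fields["src"]
        alerts.append((name, src))
        counts[(name, src)] += 1
        sources_by_addr[src].add(source)
    brute_force = sorted(src for (name, src), n in counts.items()
                         if name == "ssh-failed-password" and n >= BRUTE_FORCE_THRESHOLD)
    correlated = sorted(src for src, seen in sources_by_addr.items()
                        if {"host", "firewall"} <= seen)
    return {"alerts": alerts, "brute_force": brute_force, "correlated": correlated}


# Constructed sample events: a perimeter deny, an SSH password-guessing burst
# from the same address, a benign login, an IIS cmd.exe probe, an FTP root login.
SAMPLE_EVENTS = [
    ("firewall", "%PIX-4-106023: Deny tcp src outside:192.0.2.7/41233 dst inside:10.0.0.5/23 by access-group acl_out"),
    ("host", "Mar  3 10:14:02 www sshd[812]: Failed password for root from 192.0.2.7 port 41300 ssh2"),
    ("host", "Mar  3 10:14:05 www sshd[812]: Failed password for root from 192.0.2.7 port 41301 ssh2"),
    ("host", "Mar  3 10:14:09 www sshd[812]: Failed password for invalid user admin from 192.0.2.7 port 41302 ssh2"),
    ("host", "Mar  3 10:15:00 www sshd[813]: Accepted publickey for deploy from 10.0.0.9 port 5022 ssh2"),
    ("host", 'Mar  3 10:16:41 www httpd: 198.51.100.3 - - "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404'),
    ("host", "Mar  3 10:17:10 www ftpd[900]: USER root from 203.0.113.9"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for name, src in result["alerts"]:
        print(f"{name:24s} {src}")
    print("brute force:", result["brute_force"])
    print("correlated :", result["correlated"])
```

Correlation here is by source address alone; a production agent also bounds it by a time window and by which hosts the address touched, otherwise a busy scanner lights up every rule at once.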

 

§         Application and Web Server Support

Detects attacks against highly targeted and frequently vulnerable applications, including mail, DNS, FTP and web servers, with specific coverage for Microsoft Internet Information Server (IIS), Apache and Netscape web servers.

 

§         Logging

Dragon can accept logs from any system capable of reporting security events via SNMP or syslog.

 

§         Small Performance Footprint

Dragon Squire is designed to minimize system impact. Actual overhead varies with the operating system, server load and network activity, but the agent has a small footprint, using little memory and little disk space for logs.

 

§         Supported Platforms

Windows 2000

Windows NT

Linux

Solaris Sparc

Solaris x86

HP-UX

FreeBSD

OpenBSD

 

§         Pricing

Dragon Squire: $650

For more information contact sales@enterasys.com

 

 

 

REALSECURE SERVER SENSOR

 

Internet Security Systems, Inc.

www.iss.net

 

The RealSecure Server Sensor performs real-time intrusion monitoring, detection and prevention of malicious activity by analyzing kernel-level events, host logs and network activity on critical servers. It monitors, detects and prevents intrusions through packet interception and blocking, and through automated correlation analysis using ISS's security fusion technology.

 

RealSecure is also available as a network-based IDS (RealSecure Network Sensor).

 

§         Intrusion Protection

Automatic responses to improper activity include logging the event to a database, recording the complete session for playback, killing or blocking the connection, sending an email or an SNMP trap, suspending or disabling the user account, reconfiguring a firewall, or raising a user-defined alert.

 

§         Centralized Management

With the RealSecure SiteProtector management console, administrators can control, monitor and analyze their security protection systems from one central site.

 

§         Web Application Protection

Server Sensor provides application-layer intrusion monitoring, analysis and response for both Apache and Microsoft IIS web servers, including requests carried over SSL: because the sensor runs on the server itself, it sees requests after decryption, which a network sensor cannot.

 

§         Reporting System

A graphical reporting system, with a wide selection of predefined reports and extensive report filtering, speeds up the monitoring and review process.

 

§         Supported Platforms

Windows 2000

Windows NT

Solaris SPARC 2.5, 2.6, 7 & 8

Linux

IBM AIX 4.3.2, 4.3.3

HP-UX 11.x

 

§         Pricing

Server Sensor: $695 (1 device)

For more information contact sales@iss.net

 

 

Network Based IDS

 

DRAGON SENSOR

 

Enterasys Networks, Inc.

www.enterasys.com

 

Dragon Sensor is a high-speed network-based intrusion detection system (NIDS) that detects attacks by monitoring network traffic as it passes over the IT infrastructure. It analyzes traffic at the protocol and application level, employing both signature- and anomaly-based techniques to identify network misuse, attacks and denial-of-service attempts. Dragon Sensor can be configured to collect the raw packets surrounding an attack so that, via its command line interface or the Dragon Server, an attacker's session can be replayed and analyzed as it occurred.

 

§         High Speed IDS

Dragon Sensor monitors networks running above 100 Mbps without dropping packets and, with the right tuning and architecture, up to about 300 Mbps of traffic on a saturated Gigabit segment.

 

§         Signature and Anomaly Based Detection

Dragon Sensor uses both anomaly- and signature-based techniques. It can detect intrusions ranging from stealth port scans to worms such as Code Red and Nimda.

 

§         IDS Evasion Countermeasures

Overcomes IDS evasion techniques including IP fragmentation, TCP/UDP stream splitting (de-assembly) tactics, and more recent protocol-encoding methods for RPC, HTTP, DNS and many other protocols.
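Why those countermeasures matter, as an added example (not Dragon Sensor's code): a sensor that matches each packet on its own misses a signature split across IP fragments, and misses it again when one byte is percent-encoded, while a sensor that reassembles and normalizes first catches both. The fragments are constructed (offset, more_fragments, payload) tuples rather than real IP headers, and the two request strings are constructed samples.

```python
"""IP-fragment reassembly and URL decoding ahead of signature matching
(added example, not Dragon Sensor's code).  Fragments are constructed
(offset, more_fragments, payload) tuples rather than real IP headers."""
from urllib.parse import unquote

SIGNATURE = b"cmd.exe"


def naive_match(fragments):
    """Per-fragment matching: what a sensor without reassembly would do."""
    return any(SIGNATURE in payload for _off, _more, payload in fragments)


def reassemble(fragments):
    """Rebuild the datagram payload from fragments that may arrive in any
    order.  Returns None if a gap or overlap is found or the last fragment
    (more_fragments False) never arrived.  Overlaps are simply rejected
    here; a real sensor must model how the target host resolves them."""
    buf, expected, have_last = bytearray(), 0, False
    for offset, more, payload in sorted(fragments, key=lambda f: f[0]):
        if offset != expected:
            return None
        buf += payload
        expected += len(payload)
        if not more:
            have_last = True
    return bytes(buf) if have_last else None


def normalize_http(payload):
    """Undo one layer of percent-encoding, the simplest of the protocol
    encoding evasions.  latin-1 maps bytes 1:1 so nothing is lost."""
    return unquote(payload.decode("latin-1"), encoding="latin-1").encode("latin-1")


def detect(fragments):
    """Full pipeline: reassemble, normalise, then match the signature."""
    data = reassemble(fragments)
    return data is not None and SIGNATURE in normalize_http(data)


def split_datagram(payload, cut):
    """Constructed helper: split a payload into two fragments at byte 'cut'."""
    return [(0, True, payload[:cut]), (cut, False, payload[cut:])]


# Constructed attack requests: one is split so that "cmd.exe" straddles the
# fragment boundary, the other has an encoded byte inside the signature.
SPLIT_REQUEST = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
ENCODED_REQUEST = b"GET /scripts/c%6dd.exe?/c+dir HTTP/1.0\r\n"

if __name__ == "__main__":
    frags = split_datagram(SPLIT_REQUEST, SPLIT_REQUEST.index(SIGNATURE) + 2)
    frags.reverse()  # deliver the second fragment first
    print("split:   per-fragment", naive_match(frags), "/ after reassembly", detect(frags))
    whole = [(0, False, ENCODED_REQUEST)]
    print("encoded: raw bytes   ", naive_match(whole), "/ after decoding  ", detect(whole))
```

The reassembler rejects overlapping fragments outright. That is the safe default for a demonstration, but overlaps are exactly where evasion lives: different operating systems keep either the first or the last copy of overlapping data, so a sensor that resolves overlaps differently from the protected host can be made to see a different byte stream than the host does.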

 

§         Management and Monitoring Interfaces

The management interface offers secure management and monitoring over an encrypted channel. The monitoring interface can be configured without a TCP/IP stack (no IP address bound to it), making it unaddressable and virtually invisible on the monitored network.

 

§         Supported Platforms

Linux

FreeBSD 3.x, 4.x

Solaris SPARC

 

§         Pricing

Dragon Sensor: $7500

For more information contact sales@enterasys.com

 

 

SNORT

 

www.snort.org

 

Snort is a lightweight network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It performs protocol analysis and content searching/matching, and can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

 

Snort uses a flexible rules language to describe the traffic it should collect or pass, and a detection engine built on a modular plug-in architecture. It also has real-time alerting, with alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients via Samba's smbclient.

 

Snort has three primary uses: as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system.

 

§         Packet Decoder

The decode engine is organized around the layers of the protocol stack present in the supported data-link and TCP/IP protocol definitions. Snort provides decoding capabilities for Ethernet, SLIP, and raw (PPP) data-link protocols. 

 

§         Powerful Detection Engine

Snort can perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows [ALE96], stealth port scans, CGI attacks, SMB probes, and much more. 

 

§         Logging and Alerting Subsystem

The alerting and logging subsystems are selected at run time with command-line switches. There are currently three logging and five alerting options.

 

§         Custom Rules

Snort rules are simple to write, yet powerful enough to detect a wide variety of hostile or merely suspicious network traffic. 
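To show what a rule actually expresses, the following added example parses a small subset of the Snort rule language described above (the header plus the msg, content, nocase, sid and rev options) and runs three rules over constructed packets. It is not Snort's own code: the rules, the $HOME_NET / $EXTERNAL_NET values and the packet tuples are all constructed, and it simplifies the real language (nocase is applied to every content keyword in the rule, |hex| content and semicolons inside quoted strings are not handled, and only alert rules produce output).

```python
"""Parser and matcher for a subset of the Snort rule language (added
example, not Snort's code).  Rules, network variables and packets below are
constructed for illustration; see the lead-in for the simplifications."""
import ipaddress
import re

# Equivalent of snort.conf 'var HOME_NET ...' lines (assumed values).
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!10.0.0.0/8"]}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("bad rule: " + text)
    rule = m.groupdict()
    opts = {"content": [], "nocase": False}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _sep, val = item.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            opts["content"].append(val)
        elif key == "nocase":
            opts["nocase"] = True
        else:
            opts[key] = val
    rule["opts"] = opts
    return rule


def addr_match(spec, ip):
    """'any', a $variable, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("$"):
        return any(addr_match(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    """'any', one port, a 'lo:hi' range (either end may be open), or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if ":" in spec:
        lo, _sep, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Header test first, then every content pattern must occur in the payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"]
    for pattern in rule["opts"]["content"]:
        needle = pattern.encode("latin-1")
        if rule["opts"]["nocase"]:
            needle, payload = needle.lower(), payload.lower()
        if needle not in payload:
            return False
    return True


def run(rules, packets):
    """Return (packet index, sid, msg) for every alert rule each packet matches."""
    return [(i, r["opts"].get("sid"), r["opts"].get("msg"))
            for i, pkt in enumerate(packets) for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in (  # constructed rules, local sid range
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; content:"SITE EXEC"; nocase; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS version.bind query"; content:"version"; nocase; content:"bind"; nocase; sid:1000003; rev:1;)',
)]
PACKETS = [  # constructed: external cmd.exe probe, internal request (no alert), FTP, DNS
    {"proto": "tcp", "src": "192.0.2.7", "sport": 41300, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 5022, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.3", "sport": 2049, "dst": "10.0.0.6", "dport": 21,
     "payload": b"site exec %p%p%p%p\r\n"},
    {"proto": "udp", "src": "203.0.113.9", "sport": 1234, "dst": "10.0.0.2", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03"},
]

if __name__ == "__main__":
    for i, sid, msg in run(RULES, PACKETS):
        print(f"[**] [1:{sid}] {msg} (packet {i})")
```

The second packet carries the same cmd.exe string but comes from an address inside $HOME_NET, so the header test fails before the content is ever looked at; in Snort the header is the cheap filter and content matching is the expensive part, which is why rules are written with the tightest header that still covers the attack.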

 

§         Supported Platforms

Win32 – Win9x/2000/NT

OpenBSD, FreeBSD, NetBSD

Linux

Solaris SPARC

SunOS 4.1.x

HP-UX

AIX

MacOS X Server

Tru64

IRIX

 

§         Pricing

FREE open source software

 

 

 

Additional Information

 

Reviews

 

http://www.nwfusion.com/reviews/2001/1008rev.html

 

http://www.networkcomputing.com/1217/1217f2.html

 

http://www.isp-planet.com/services/ids/

 

Alternative IDS Products

 

http://www.okena.com/areas/products/products_stormfront.html

 

http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm

 

http://www.intersectalliance.com/projects/Snare/index.html

 

http://www.sourcefire.com/products/products.htm (commercial version of Snort)