Since the Internet has existed, people have been trying to access other people’s data. The hackers – who should strictly speaking be called “crackers” – take advantage of the gaps and weaknesses that can be found in practically every piece of software. For example, versions 2.0 to 2.0.46 of the widespread Web server Apache contain an error in one module that makes them susceptible to denial-of-service (DoS) attacks. Things that required a very high level of knowledge a few years ago can today be carried out by practically any lay person using ready-to-use tools and devices. For example, a script available on the Internet makes use of a vulnerable point in Red Hat Linux 7.1 and gives the attacker full control over the server.
Two main technologies, namely firewalls and IDS, are at the forefront of the drive to protect against such attacks. The two work on different principles. A firewall is an active component that checks the transmitted data and passes or blocks it as required. An IDS is quite different. Among other things, it uses a “sniffer” program to determine whether an attack on the network is likely, and records this in a log file. Other IDS detection methods are also used, but all have one thing in common: an IDS is passive, and does not prevent someone from gaining unauthorized access to a network.
A network IDS is based on two underlying principles. First, the network traffic is monitored so that anomalies can be detected. The assumption here is that an attack is accompanied by unusual behavior, for example in the transfer protocols. So if the user “Henry” does not usually use the FTP server, and a user of this name suddenly starts using FTP, this is unusual. To be able to detect unusual behavior, it is first necessary to define what constitutes normal behavior. The IDS compares the expected profile with the actual behavior, and flags anything that deviates from the defined profiles.
The second principle is signature recognition – similar to that in virus scanners. Here, the IDS uses known patterns that indicate an attack from outside. The first alarm signal could be, for example, a port scan across several ports, which the attacker uses to find an open gateway into the company’s IT system.
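Both principles in a toy network IDS, as an added example that is not part of the original article: a profile of which protocols each user normally uses is learned from a baseline (the “Henry” case), and a port-scan signature fires when one source touches several distinct ports within a short window. The event log, the user names and the thresholds are constructed for the demonstration.

```python
"""Toy network IDS: anomaly detection against a learned profile plus
signature recognition (port scan). Sample events are constructed."""
from collections import defaultdict

# Constructed connection log: (timestamp_s, user, src_ip, dst_port, protocol).
# An empty user means the connection was not tied to a known account.
BASELINE_EVENTS = [
    (1, "henry", "10.0.0.5", 80, "http"),
    (2, "henry", "10.0.0.5", 443, "https"),
    (3, "anna", "10.0.0.7", 21, "ftp"),
    (4, "anna", "10.0.0.7", 80, "http"),
]
LIVE_EVENTS = [
    (100, "henry", "10.0.0.5", 80, "http"),
    (101, "henry", "10.0.0.5", 21, "ftp"),    # Henry never used FTP before
    (200, "anna", "10.0.0.7", 21, "ftp"),     # Anna does, so this is normal
    (300, "", "198.51.100.9", 21, "tcp"),
    (301, "", "198.51.100.9", 22, "tcp"),
    (302, "", "198.51.100.9", 23, "tcp"),
    (303, "", "198.51.100.9", 25, "tcp"),
    (304, "", "198.51.100.9", 80, "tcp"),     # 5 ports in 4 s: port-scan pattern
]

def build_profile(events):
    """Learn normal behaviour: the set of protocols each user is seen using."""
    profile = defaultdict(set)
    for _, user, _, _, proto in events:
        if user:
            profile[user].add(proto)
    return profile

def anomaly_alerts(profile, events):
    """Flag a known user using a protocol that is absent from their profile."""
    return [f"anomaly: {u} used {p} at t={t}"
            for t, u, _, _, p in events
            if u and p not in profile.get(u, set())]

def portscan_alerts(events, min_ports=5, window_s=10):
    """Signature: one source hitting >= min_ports distinct ports within window_s."""
    alerts = []
    by_src = defaultdict(list)
    for t, _, src, port, _ in events:
        by_src[src].append((t, port))
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                alerts.append(f"signature: port scan from {src} ({len(ports)} ports)")
                break   # one alert per source is enough
    return alerts
```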
IDS may disturb intruders, but does not keep them at bay
There is heated debate about the purpose and benefit of an IDS. The main argument in favor of an IDS is that by evaluating the log file, a company can locate potential security gaps within its own systems and close them quickly. This matters because a hacker who infiltrates a company’s IT system unnoticed has all the time in the world to manipulate data in any way, find out passwords, or misuse the compromised computers for malicious actions such as distributed denial-of-service (DDoS) attacks. The faster an attempted attack is discovered, the better the chances of limiting the damage.
Opponents of IDS claim that such systems do not prevent an attack. In the worst case, they give the administrator a false sense of security. In addition, an IDS produces a huge number of log files, which can hardly be evaluated manually. Without intelligent evaluation software, the generated data is usually worthless. And as an IDS often raises false alarms, known as “false positives”, the system administrator needs a certain level of experience in order to interpret the log data correctly.
Failure of “sniffers” overwhelmed by the volume of data
In addition, today’s IDS solutions have reached their technical limits. In view of the growing volume of data, the main problem is the performance of network-based systems. A device designed for the currently most common 100 MBit/s network manages to monitor an average of 60 to 80 MBit/s. In a switched network, the load can slightly exceed the sniffer’s capacity, and the sniffer must then let data packets through without checking them. Switches do not forward the data to all the connected computers, as hubs do; they only transport the packets to their particular destination. So while on a hub every connected computer sees the same data packets, a switch only sends the information to specific, individual ports. With a switch, therefore, it is not enough to connect the IDS to one of the ports. The IDS needs to be connected to the SPAN or mirror port of the switch – which constitutes a very high data load for a switch with 10 or more ports.
On top of this, today’s IP packets are often transmitted via different lines, and are therefore fragmented. If one IDS receives part of the packet, and another instance of the IDS receives the other part, an attack may go unnoticed, because neither of the IDS instances checks the complete data.
Port 80 as the gateway for attacks
A second problem for network-based IDS is the “port 80 problem” of the firewall: HTTP data traffic, that is, access to the Internet, flows on port 80. In almost all companies, this port is open, as otherwise employees would not be able to access the Internet. More and more Web-based applications are also using HTTP via port 80 – a fact that hackers are of course wise to. Neither firewalls nor a purely network-based IDS can identify these port 80 attacks in any straightforward way. The situation is intensified by new technologies such as Web services, which also use port 80. As a result, an intruder could take control of an application on a server in this way – for example by using over-long arguments in the GET command, which the system under attack cannot interpret correctly. With this command, data is sent to an Internet address. As Internet access cannot be blocked without adversely affecting a company’s ability to function correctly, these risks must be countered with new, effective strategies.
A current study by the Gartner Group also questions the effectiveness of the IDS used up to now. An IDS is expensive, but does not add a further security layer in the IT system. By 2005, these systems will be obsolete, according to the Gartner Group. The firm of consultants recommends that companies invest more in the area of firewalls and introduce products here that offer protection at both network and application level.
Firewall and IPS combined
Many IDS providers are now trying to gain a competitive edge in the market by offering intrusion prevention instead of intrusion detection. Intrusion prevention systems aim not only to identify attacks, but also to actively trigger measures against them, like firewalls. If an attack is identified, an IPS instigates countermeasures immediately and automatically. The obvious solution is to integrate IPS and firewall in one appliance – an independent device – located at the switching point for outbound data traffic: “Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities,” predicts Richard Stiennon, Research Vice President at Gartner.
Multifunctional appliances of this kind are available on the market. For example, firewall manufacturer Watchguard has recently extended its portfolio to include firewall products for small and medium-size businesses with integrated IPS. Here, for example, traffic from an IP address showing suspicious behavior is generally blocked for a certain period. According to the manufacturer, this also solves the problem of fragmented data packets, because the packets are merged for inspection.
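Why merging packets before inspection matters, as an added example that is not code from the article or from any product named in it: a constructed HTTP request with an over-long GET argument (the port 80 case above) is split into two fragments, and a signature check run on each fragment separately sees nothing, while the same check on the reassembled payload raises an alert. The fragment offsets, the request and the 64-byte threshold are constructed for the demonstration.

```python
"""Per-fragment inspection versus inspection after reassembly.
All fragments and thresholds are constructed for this example."""
import re

MAX_GET_ARG = 64   # constructed threshold for an over-long GET argument

def get_arg_len(payload: bytes) -> int:
    """Length of the query argument on an HTTP GET request line, or 0 if
    the payload does not hold a complete request line."""
    m = re.match(rb"GET /\S*?\?([^ \r\n]*) HTTP/1\.[01]", payload)
    return len(m.group(1)) if m else 0

def inspect(payload: bytes):
    """Signature check: alert on a GET argument longer than MAX_GET_ARG."""
    n = get_arg_len(payload)
    return [f"over-long GET argument ({n} bytes)"] if n > MAX_GET_ARG else []

def reassemble(fragments):
    """Merge (offset, data) fragments into one payload; later fragments
    overwrite overlapping bytes, and a hole in the stream is an error."""
    buf = bytearray()
    for off, data in sorted(fragments, key=lambda f: f[0]):
        if off > len(buf):
            raise ValueError("gap in fragment stream")
        buf[off:off + len(data)] = data
    return bytes(buf)

def inspect_per_fragment(fragments):
    """What an IDS that sees each fragment in isolation would report."""
    return [a for _, data in fragments for a in inspect(data)]

def inspect_reassembled(fragments):
    """What an IDS that merges the fragments first would report."""
    return inspect(reassemble(fragments))

# Constructed request: the argument is 'id=' plus 120 bytes of padding,
# split at byte 20 so that neither fragment holds the whole request line.
ATTACK_REQUEST = b"GET /cgi-bin/app?id=" + b"A" * 120 + b" HTTP/1.0\r\n"
ATTACK_FRAGMENTS = [(0, ATTACK_REQUEST[:20]), (20, ATTACK_REQUEST[20:])]

# Constructed benign request for comparison.
BENIGN_FRAGMENTS = [(0, b"GET /index.html?page=1 HTTP/1.0\r\n")]
```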
Identifying signs of attack directly on the server
Klaus Hornung, Enterprise Technical Account Manager at Symantec, confirms the movement towards combined appliances identified by Gartner. He also agrees on the main problem of an IDS: “With a network sniffer, I can’t prevent anything; all I can do is raise the alarm. In the gateway, on the other hand, I can prevent attacks with a pass-through IDS.” The purely sniffer-based approach is increasingly becoming a dead end.
The security expert, who is involved in particular with weak point analyses, feels that considerable progress is being made with the detection technologies: “Intrusion detection systems today detect attacks with almost 100% certainty.” However, according to Hornung, this is increasingly moving in the direction of host-based IDS, which look for signs of attack directly on the server. These systems investigate the behavior of individual applications in order to prevent an attacker from taking control of a server by means of a buffer overflow, for example.
In his opinion, active and independent intrusion prevention is difficult to achieve, and depends on the person operating the console knowing what to do about the IDS messages that are generated. An attack must be identified in the first place, but the methods and tools of the hackers are being developed at a faster pace than the resources of those seeking to prevent attacks.
For Hornung, intrusion prevention is primarily a strategic process: “All systems must have the current patch level. This fends off the large majority of hackers.” He uses the infamous Code Red virus as an example of how negligent update guidelines make an IT system susceptible to attack. When this virus was activated, all the necessary security updates had already been available for some time. However, users had not installed them soon enough. “Prevention relies above all on security guidelines being communicated and observed,” says Hornung.
The right balance between productivity and security is needed
Automatic intrusion prevention or passive intrusion detection – both approaches have their supporters and detractors. Despite all its weaknesses, the main benefit of an IDS is that it allows gaps to be identified in good time, so that a company is in a position to prevent malicious access. On the other hand, it makes good sense to prevent attacks automatically at application and network level. But regardless of whether a company merely wants to identify problems in good time, or also react immediately, the systems are costly and require a considerable amount of fine tuning. After all, it is necessary not only to prevent hackers from gaining unauthorized access to the company, but also to ensure that managers can synchronize their e-mail accounts while traveling on business, for example. Security always has to be weighed against productivity – the most secure system would be completely closed and would not allow any contact with the outside world. In the age of e-mail, the Internet and e-business, however, this is not a viable solution. A company needs to find the right balance between productivity and security, which requires a good deal of expertise and a lot of time.
This makes the issue of security a potential candidate for outsourcing, according to the experts at Forrester Research. By 2008, the European market for managed IT security services will have achieved a volume of 4.6 billion euros, according to the forecast. In the area of managed IDS, Forrester predicts growth of 47 percent per year, and a share of almost one third of the total market. “Few firms have effective intrusion detection systems in-house, and they struggle with the lack of internal skills and labor-sensitive processes.”