A survey of commercial tools for intrusion detection - PowerPoint PPT Presentation

About This Presentation
Title:

A survey of commercial tools for intrusion detection

Description:

Common Intrusion Detection Framework (CIDF) - DARPA (Defense Advanced Research Projects Agency) ... Carte Blanche. NetRanger. NetRanger. Architecture. Sensors ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
A survey of commercial tools for intrusion
detection
  • Introduction
  • Systems analyzed
  • Methodology
  • Results
  • Conclusions
  • Cao er Kai. INSA lab. 2003.09

2
1. Introduction
  • Intrusion Detection Systems
  • Generic ID architecture
  • Common Intrusion Detection Framework (CIDF) -
    DARPA (Defense Advanced Research Projects Agency)
  • Event generators (E-boxes)
  • Event analyzers (A-boxes)
  • Event databases (D-boxes)
  • Event response units (R-boxes)

3
  • Event generators
  • obtain information from sources and transform it
    into a standard format (gido)
  • Event analyzers
  • statistical analysis and pattern-recognition
    searching
  • Event databases
  • storage of events and information (gidos)
  • Response units
  • initiate the proper response

4
(No Transcript)
5
2. Systems analyzed
6
3. Methodology
  • Comparison criteria
  • Granularity of data processing
  • Source of audit data (raw events)
  • network-based Ethernet (see all traffic)
  • IPSEC
  • host-based security logs
  • Detection method
  • rule based
  • anomaly based
  • Response to detected intrusions
  • passive
  • active
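As an added illustration (not from the slides or any of the surveyed products), the CIDF component flow of slide 3 and the detection-method and response criteria of slide 6, wired together in Python; the simplified gido format, the misuse rule, the failure threshold and the log lines are all constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample records (hypothetical host log lines, not from the slides).
RAW_RECORDS = [
    "host=h1 src=10.0.0.5 user=alice action=login result=ok",
    "host=h1 src=10.0.0.9 user=bob action=login result=fail",
    "host=h1 src=10.0.0.9 user=bob action=login result=fail",
    "host=h1 src=10.0.0.9 user=bob action=login result=fail",
    "host=h1 src=10.0.0.9 user=bob action=login result=fail",
    "host=h2 src=10.0.0.7 user=www action=exec result=ok",
]
FIELD = re.compile(r"(\w+)=(\S+)")
FAIL_THRESHOLD = 3  # anomaly baseline: assumed maximum failures a normal user produces

def e_box(records):
    """E-box: parse raw source records into a standard event format (simplified gido)."""
    return [dict(FIELD.findall(r)) for r in records]

def a_box_rules(events):
    """A-box, rule based: match a known misuse pattern (web user spawning commands)."""
    return [{"type": "rule", "key": e["host"], "event": e}
            for e in events if e["user"] == "www" and e["action"] == "exec"]

def a_box_anomaly(events, threshold=FAIL_THRESHOLD):
    """A-box, anomaly based: flag sources whose failed logins exceed the baseline."""
    fails = Counter(e["src"] for e in events if e["result"] == "fail")
    return [{"type": "anomaly", "key": src, "count": n}
            for src, n in fails.items() if n > threshold]

class DBox:
    """D-box: keeps every gido and every alarm for later analysis."""
    def __init__(self):
        self.events, self.alarms = [], []

def r_box(alarms, active=False):
    """R-box: passive response notifies; active response also blocks the source."""
    notify = [f"ALERT {a['type']} {a['key']}" for a in alarms]
    block = [a["key"] for a in alarms if active and a["type"] == "anomaly"]
    return notify, block

def run_pipeline(records, active=False):
    """Run E -> A -> D -> R over the records and report what each box produced."""
    db = DBox()
    db.events = e_box(records)
    db.alarms = a_box_rules(db.events) + a_box_anomaly(db.events)
    notify, block = r_box(db.alarms, active)
    return {"events": len(db.events), "alarms": db.alarms, "notify": notify, "block": block}
```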

7
  • System organization
  • Centralized data analysis
  • Distributed data collection
  • Security: withstand attacks against itself
  • Degree of interoperability
  • Exchange of audit data records
  • Exchange of misuse patterns or statistical
    information about user activities
  • Exchange of alarm reports and event notifications
  • Manageability
  • HP OpenView, BMC Patrol
  • Adaptivity
  • System and network infrastructure requirements
  • TCP/IP

8
  • Classification of comparison criteria

9
4. Results
  • Functional aspects
  • Granularity of data processing
  • real-time
  • T-Sight
  • Source of audit data (Raw events)
  • host-based (H)
  • both host-based and network-based (NW/H)
  • network-based (NW)
  • switched networks
  • network encryption
  • Response to detected intrusions
  • Passive responses
  • sending e-mails, paging or displaying alert
    messages.
  • Active response
  • network-based systems terminating transport
    level sessions
  • Host-based systems control processes, terminate
    network sessions
  • Interfaces to network management applications:
    SNMP (send traps)
  • Interfaces to network elements: firewall control of
    sessions/connections
  • Service availability aspects

10
  • Degree of interoperability
  • Exchange of audit data records
  • Exchange of security policies
  • Exchange of misuse patterns or statistical
    information about user activities
  • Exchange of alarm reports, event notifications
    and response mechanisms

11
(No Transcript)
12
  • Adaptivity (customization)
  • Adding new intrusion patterns
  • Adapting rules for site-specific protocols and
    applications
  • Detection method
  • Rule based detection
  • anomaly based detection
  • Detection capabilities
  • Physical and data-link layer
  • Network and transport layer
  • Operating Systems
  • Applications, databases, management and support
    systems, office automation

13
(No Transcript)
14
(No Transcript)
15
  • Security aspects
  • Confidentiality of audit data
  • Integrity of audit data using encryption
  • Confidentiality of the detection policy
  • Integrity of detection policy
  • Protection of response mechanisms
  • Availability
  • Encrypted communication channels
  • Heartbeat functions
  • Stealth behavior
  • Access control
  • Weaknesses of network-based systems

16
  • Architectural aspects
  • System organization
  • distributed environment
  • single host or network segment
  • System and network infrastructure requirements
  • Operating systems
  • Network technology

17
(No Transcript)
18
(No Transcript)
19
  • Operational aspects
  • Performance aspects
  • Communication overhead
  • in network-based intrusion detection, the
    overhead is caused by the distribution of audit
    data and the communication between the various
    subsystems of the IDS.
  • Computational overhead
  • host-based IDS execute and collect audit data
    on the target they monitor.

20
  • Management aspects
  • Configuration management
  • management of the detection capability and
    the corresponding response mechanisms
  • Security management
  • Access security
  • Audit trails and security alarms
  • Security of management
  • Authenticity
  • Integrity
  • Confidentiality
  • Availability
  • Management interfaces
  • Management model
  • Many-to-Many
  • One-to-Many
  • One-to-one

21
5. Conclusions
  • The role of IDS in corporate security
    infrastructures
  • IDS are not a substitute for other security
    services such as firewalls, authentication
    servers, etc.
  • Host-based versus network-based IDS.
  • Security of IDS
  • Lack of modularity and interoperability
  • Background of vendors

22
RealSecure
23
RealSecure
  • Architecture
  • RealSecure Engines
  • Network interface
  • Ethernet, fast Ethernet, FDDI and Token-ring
  • Packet Capture Module
  • Windows NT network service
  • Solaris Data Link Provider Interface
  • Filter Module
  • Attack recognition Module
  • Response Module

24
RealSecure
  • RealSecure Agents
  • RealSecure Manager
  • Central real-time alarm
  • Central data management
  • Central engine configuration

25
Intruder Alert
26
Intruder Alert
  • Architecture
  • Interface console
  • Manager
  • interface console and manager run only on
    Windows NT/95
  • Agents

27
Intruder Alert
  • Intruder Alert Domains: groups of agents/hosts
  • Intruder Alert Policies
  • Drop Detect Policies
  • Detect and respond Policies
  • Custom-configurable Policies
  • Carte Blanche

28
NetRanger
29
NetRanger
  • Architecture
  • Sensors
  • Ethernet, Fast Ethernet, Token Ring and FDDI
  • Director
  • Post office

30
Stake Out I.D
31
Stake Out I.D
  • Architecture
  • Network Observation
  • Intrusion Detection
  • Evidence logging
  • Alert Notification
  • Incident Analyzer/Reporter

32
Kane Security Monitor
33
Kane Security Monitor
  • Architecture
  • Monitoring Console
  • Collection Auditor and Alerting Engine
  • Intelligent Agents

34
Session Wall-3
35
Session Wall-3
  • Architecture
  • Network Usage Reporting
  • Network Security
  • Web and Internal Usage Policy Monitoring and
    Controls
  • Company Preservation

36
Entrax
37
Entrax
  • Architecture
  • Command Console
  • Assessment Manager
  • Alert Manager
  • Detection Policy Editor
  • Audit Policy Editor
  • Collection Policy Editor
  • Report Manager
  • Target Agent

38
CMDS (Computer Misuse Detection System)
39
SecureNET PRO
40
CyberCop
41
CyberCop
  • Architecture
  • CyberCop Sensors
  • CyberCop Management Server

42
INTOUCH INSA
43
T-sight
44
NIDES
45
ID-Trak
46
SecureCom
47
POLYCENTER
48
Network Flight Recorder