Page 1: IDS or IPS: what is best?

[End of the preceding article, on mobile-phone viruses, which shares this page]

can execute active content, which in turn may be able to make calls and send multimedia messages. If active content is able to create active content to other devices then, of course, self-replication is possible and thus viruses infecting mobile devices are possible. Until now, mobile phones have been closed environments, but that is changing. We do not know what will happen after the Cabir virus, but what we do know is that current mobile technology allows viruses to exist in mobile devices. What is frightening is that mobile phones are likely to have more and more complexity, features, and capacity.”

Now that we know that these kinds of devices can be infected by malicious code, what should we do? Leave Bluetooth disabled unless you really need it, because apart from the mobile phone virus, which is not in the wild, Bluesnarfing has arrived. “For Bluesnarfing to be successful”, says Colm Murphy, “the sender and the recipients need Bluetooth enabled on their mobile phones. You simply search for all the Bluetooth enabled devices within a 30-feet radius and send your message. This could be a derogatory remark, a marketing ploy at an Expo – ‘free coffee and cakes at stand 51’, or anything your imagination feels free to conjure up. Things could easily get out of hand with this facility, especially in relation to bullying or sexual harassment. One way to avoid this and take yourself out of the loop is to set your phone to only accept or send messages from and to a preferred list, or simply disable Bluetooth”, says Murphy.

“I think the ‘Expo’ example is a good one”, says Murphy. “It is perfect ground to release a mobile virus that spreads quickly and targets a specific audience. Or what about a mobile phone virus that makes the phone dial a specific number! Some disgruntled ex-employees with a grudge could have some fun with that one!”

“The big concern is that in the future large mobile virus outbreaks may be reality”, says Dr. Helenius. “Denial-of-service attacks may affect critical infrastructures, like emergency phone numbers. Indeed, an efficient virus may be able to block phone lines and phone networks, like an efficient Internet worm can block Internet connections. However, we do not know if such disasters will happen. The mobile device and network developers have a choice. They can adapt more security in their products in order to prevent disasters. Software could be written securely in order to prevent buffer overflows and other critical errors. More importantly, security can be an essential part of design. For example, it is possible to adapt hardware components that will prevent unauthorized phone calls. We should not merely trust software, and security should be based on more than one layer. If one security layer fails, there could be other security layers that will prevent further damage.” On a more skeptical note Colm Murphy says, “If you consider the tens of millions of EURO that companies are investing in developing products that stop these kinds of threats, I think it is safe to assume that we will see more mobile phone viruses as time passes. The investors will demand it!!!”

References:
1 It spreads to devices that run under Symbian OS, which is used in many models of phones manufactured by Nokia, Siemens, Sony and Ericsson.
2 Even a Bluetooth-enabled printer, according to the Symantec security response.
3 (www.symantec.com)

IDS or IPS: what is best?
Maria Papadaki and Steven Furnell, University of Plymouth

Intrusion detection systems (IDS) have become one of the most common countermeasures in the network security arsenal. But while other technologies such as firewalls and anti-virus provide proactive protection, most current IDSs are passive; detection of a suspected intrusion typically triggers a manual response from a system administrator. Too often, this comes too late.

Cohen has demonstrated the importance of quick response. In a simulation study he showed that if 10 hours elapse between detection and response, then attackers have an 80% chance of success. At 20 hours, the success rate rises to 95%, and after 30 hours the attacker will always succeed, regardless of the skill of the administrator. But if the response is instant, the probability of success against a skilled administrator is almost zero.[1]

Such findings are valuable in view of the rapid escalation that characterises many of today’s Internet-based attacks. Recent incidents such as Sasser and MyDoom have shown us that we do not have the luxury of time to react.

Such factors have led to increased interest in an alternative technology, namely the intrusion prevention system (IPS). Although these incorporate intrusion detection mechanisms, and share similarities such as being deployable in both network and host-based contexts, they also have two significant differences. Instead of passively monitoring activity on systems and networks, IPSs are positioned inline and can therefore block unauthorized activity before it takes place (see Figure 1). In a network context, conceptually they combine firewall approaches with intrusion detection capabilities; in host environments, they monitor all system and API calls and block those that would cause malicious behaviour.[2]

With reference to Figure 1, products are now available that can be configured to operate in either mode (an example being McAfee’s IntruShield). However, as later discussion will establish, this is not to suggest that the use of IDS and IPS is an either/or decision.


The IDS is dead, long live the IPS?

Although IPS solutions have been available for several years, their adoption had been limited. More recently, however, there has been a shift in the attitudes of vendors and users in relation to IDS, and in the characteristics of the products on offer.

A notable contributor to this was a market report from Gartner in June 2003. This set tongues wagging because it branded IDS technology a “market failure”, and predicted that it would be dead by 2005.[3] The report suggested that customers hold off big investments in IDS because the technologies added no practical value in enterprise security. Reaction to this report from IDS vendors and security specialists was intense.[4]

Gartner argued against IDS mainly because of their inability to prevent intrusions, and the vast number of false positive alarms they can generate. False alarms are indeed a recognized problem with IDS, and are the bane of many security administrators’ lives. A 2003 survey by OpenService, Inc (www.open.com) established that management of false positives is among the top three problems facing security practitioners; only shrinking budgets and threat risk assessments raised more concern.[5]

The tendency of IDS to generate false positives also has the undesirable side-effect that administrators tire of following up dead ends and become slack about tracking fresh alerts.

Gartner’s other main point, that IDS does not prevent intrusions, is also fair. Usually this is because the IDS is placed out of band as a monitoring device, with its response capability restricted to passive actions such as logging data and issuing alerts. Given the problem of false positives, it is understandable that IDS is not often trusted to respond more actively, such as blocking traffic, ending sessions, restricting access and the like.

The debate has forced many IDS vendors to incorporate intrusion prevention solutions in their products. Even where vendors have not adopted prevention solutions, the term “intrusion detection system” tends to be avoided. In its place people talk of “intrusion management system” or “intrusion protection system”. This may be to distance products from any doubts in potential customers’ minds. Indeed, some effects amongst the user community can also be observed. For example, for the first time, the CSI/FBI security survey reports fewer respondents using IDS technology (see Figure 2). It is also notable that the 2004 survey was the first to ask respondents specifically about the use of IPS technology. The question got a 45% response rate.[6]

So, why the sudden interest in IPS products? Is it vendors running scared, wanting to distance themselves from the fallout from the Gartner report? Is it a marketing exercise? Refocusing of products certainly has the potential to press the right buttons from a consumer perspective—after all, why would you want to buy a detection product if you can get one that actually prevents intrusions? Or have we hit upon a technology that solves the problem of attacks, without the perceived weaknesses of IPS? In short . . .

Is IPS really an alternative?

The ability to stop intrusions logically suggests a maturing of the technology. It suggests that intrusion detection technologies have become accurate enough for us to rely upon their decisions to be correct. Without the IDS-related concerns over accuracy and false positives, we can thus rely on them to issue preventative responses with confidence. Unfortunately, however, intrusion prevention systems do not have a silver bullet for this problem; they may in fact use the same detection methods as IDS.

The solutions provided by IPS products therefore attempt to sidestep the problem of false positives by only blocking those attacks that can be detected with high certainty. In effect, this means transfer of the strongest and most reliable technologies from the IDS domain into a different mode of operation. Even then, IPS cannot be regarded as a fix for the problem of false alarms. The solutions will seldom work perfectly “out of the box”; most require tuning to tailor their most effective operation.[7]

The biggest advantage of intrusion prevention is its potential to respond in real time and to nip attacks in the bud. However, as promising as it sounds, there are concerns about the IPS approach. The first is the overhead they can introduce in networks and systems by having to authorize all traffic and all system calls. This becomes more significant in busy networks and servers, where performance is crucial.[8] At the same time, however, there are parallels with firewall technologies, and devices can be designed and deployed with performance considerations in mind.

Figure 1: Offline vs. inline placement (two panels, IDS Mode and IPS Mode; labelled elements: Internet, Router, Switch, IDS, IPS)

Single point of failure

A potentially worse problem is that IPSs are a single point of failure. An error here could have significant impact upon systems and networks. For example, if an IPS crashed because it couldn’t cope with the traffic, or was the target of an attack, the disturbance to the network’s operation would be considerable. There are some moves to overcome this problem (e.g. using a back-up IPS that takes over in an emergency, reconfiguring the router to redirect traffic around the IPS, or pre-configuring the IPS to run with minimum capabilities, allowing all traffic to pass), but these solutions do not fully address the issue because systems may be left unprotected.

The problem of volume-related crashes is well known. Vendors are improving their products, but still have issues to address. So far, a good solution remains elusive.[9]

A more significant concern stems from the need to avoid false positives. Killing only the most suspect attacks means that a range of different attacks may pass because the cautious IPS does not recognize them as intrusions. In this scenario, a further line of defence is still very desirable.

So, to answer the question posed at the head of this section, IPS is not an alternative to IDS; it is not meant to be. But the technology does provide another layer of security, which is important in a defence-in-depth strategy. As such, both IDS and IPS have important roles, and it should not be the case that one is used in place of the other.

Improving our response

But it is essential that either approach provide a correct response to the intrusion. Indeed, the emergence of IPS and its attractiveness are closely linked to the need to respond.

However, blocking sessions and dropping packets is not the only appropriate response. It should be possible to limit more subtle attacks by investigating them further to reach a more informed judgement.

Indeed, an IPS configured with a simple “block or pass” strategy may not provide enough flexibility; the fact that they respond only to the most definite signatures means that false negatives can occur. As such, it would be unwise to consider IPS as the only defence against intrusions. It therefore makes sense to subject the traffic that gets through to further analysis using an IDS.

At this point, however, the question still remains about what the IDS should actually do if it finds something it believes to be intrusive. If the technology is simply used in its current form, then the need to limit responses to passive actions for fear of false positives will be largely unchanged.

An alternative strategy is to endow the IDS with a sense of its own inadequacy. In other words, account for the fact that some detection judgements are likely to be stronger than others, and allow flexible levels of response to be issued accordingly.

Our group and others have researched this. Given that today’s commercial IDS technologies are rooted in research from the 1980s, we should consider how current research may help to advance the commercial incarnations in the future. Our results suggest that incorporating two aspects is particularly desirable:

• Adaptation of responses according to the current context.

• Assessment of the appropriateness of response actions before and after initiating them.

Adaptive decision-making relates to the need for response decisions to change with the context in which an incident has occurred (i.e. a response that is appropriate to one type of incident on one occasion will not necessarily be appropriate if the same incident happened again under different circumstances).

When considered in terms of two collaborating IDS entities, a Detection Engine and a Responder, the determination of this context may include a number of considerations. These include:

• Whether the incident is part of an ongoing series of attacks (e.g. how many targets have already been affected? Which responses have already been issued?).

• The current status of the target (e.g. is it a business critical system? What is its load at the moment? Is there any information or service that needs to be protected? What software/hardware can be used for response?).

• The perpetrator of the attack (is there enough information to suggest a specific attacker? Is he/she an insider/outsider?).

• The privileges of the user account involved (e.g. what is the risk of damage to the system?).

• The probability of a false alarm (how reliable has the sensor/source that detected the incident been in the past? What is the level of confidence indicated by the Detection Engine about the occurrence of an intrusion?).

• The probability of a wrong decision (how effective has the Responder been so far? Have these responses been applied before in similar circumstances?).

Figure 2: Organisations using IDS technology (source: CSI/FBI surveys)

Having assessed the above factors, response decisions must then be adapted to the context accordingly. For example, if the incident has been detected on a business critical system, but the Detection Engine has indicated a low confidence, then the selection of a response with minimal impact upon the system would represent the most sensible course of action (i.e. minimizing the chance of critical operations being disrupted in the case of a false positive). However, if the same scenario occurred in conjunction with previous alerts (i.e. showing that the current incident is part of a series of attacks), then a more severe response is warranted.

The other required feature is the ability to assess the appropriateness of response actions. There are two ways to do this: firstly by considering the potential side effects of a response action before issuing it, and secondly by retrospectively analyzing its effectiveness in containing or combating attacks.

The problem of side effects is a particular concern when using active responses (e.g. blocking, termination and access restrictions) because they may disrupt legitimate users. As a result, the response needs to be considered before a given action is executed. Several characteristics would be relevant to consider in this context:

• The transparency of the response action. In some cases it might be preferable to issue responses that do not alert the attacker to the fact that he/she has been noticed; in others it could be preferable to respond very explicitly.

• The degree to which the action would disrupt the user against whom it is issued. This is especially relevant when a response is mistakenly issued against a legitimate user. In situations where the Detection Engine has flagged an incident, but expressed low confidence, it may be desirable to start by issuing responses that a legitimate user would be able to overcome easily.

• The degree to which the action would disrupt other users, or the operation of the system in general. Certain responses (e.g. termination of a process, restriction of network connectivity) would affect more than just the perceived attacker. As such, the Response Policy may wish to reserve such responses only for the most extreme conditions.

Each of these factors needs to be assessed independently, and incorporated into the response selection process as appropriate, as well as during the formulation of the Response Policy by the system administrator.

The second factor that would influence appropriateness is whether a suspected attack has been used before in the same context. If the Responder keeps track of its previous response decisions, then they can be used later to assess whether the selected actions were actually effective. This requires a feedback mechanism that can then be used to refine the Response Policy.

Feedback could be provided in two ways: explicitly by a system administrator, and implicitly by the Responder itself. In the former, the administrator would inspect the alert history and manually provide feedback in relation to the responses that had been selected. This would say whether or not they had been effective or appropriate to the incident.

Otherwise, the Responder itself could infer whether previous responses had been effective. For instance, it could say whether it had been required to issue repeated responses in relation to the same detected incident. If this was true, it could potentially infer that (a) the initial response actions were not effective against that type of incident, and (b) the last response action issued might form a better starting point on future occasions (i.e. upgrading and downgrading the perceived effectiveness of the responses when used in that context).
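The context-adaptive selection described in the list of considerations above, together with the feedback loop just discussed, as an added Python example (not the authors' prototype or any product's code): the response ladder, thresholds, sensor names and addresses are assumptions chosen for illustration.

```python
"""Adaptive intrusion-response selection with feedback.

Added example, not the authors' prototype or any product's code. A small
Responder picks a rung on a response ladder from the context factors the
article lists (Detection Engine confidence, the sensor's track record,
target criticality, account privileges, whether the incident is part of an
ongoing series) and then refines later choices from explicit administrator
feedback and from the implicit feedback of a repeated incident. The ladder,
thresholds, weights and sample addresses are all assumptions for illustration.
"""
from dataclasses import dataclass, field

# Response ladder, least to most disruptive (assumed ordering).
LADDER = ["log_only", "alert_admin", "rate_limit", "terminate_session", "block_source"]


@dataclass
class Incident:
    signature: str          # detection rule that fired, e.g. "ssh_bruteforce"
    source: str             # address the activity came from
    sensor: str             # sensor that raised the alert
    confidence: float       # Detection Engine confidence in [0, 1]
    target_critical: bool   # is the target a business-critical system?
    privileged: bool        # is the account involved privileged?


@dataclass
class Responder:
    # fraction of each sensor's past alerts that turned out to be real
    sensor_reliability: dict = field(default_factory=dict)
    # running score per (signature, action); negative means it failed before
    effectiveness: dict = field(default_factory=dict)
    # actions already issued per source: the "ongoing series" context
    history: dict = field(default_factory=dict)

    def alert_probability(self, inc):
        """Discount engine confidence by how reliable the sensor has been."""
        return inc.confidence * self.sensor_reliability.get(inc.sensor, 0.5)

    def feedback(self, signature, action, effective):
        """Explicit (administrator) or implicit feedback on a past response."""
        key = (signature, action)
        self.effectiveness[key] = self.effectiveness.get(key, 0) + (1 if effective else -1)

    def select(self, inc):
        """Choose an action from LADDER according to the incident's context."""
        p_real = self.alert_probability(inc)
        level = sum(p_real >= t for t in (0.4, 0.6, 0.8))  # 0..3 from certainty
        if inc.target_critical and p_real < 0.5:
            level = min(level, 1)  # low confidence on a critical host: minimal impact
        if inc.privileged:
            level += 1             # privileged account raises the damage risk
        prior = self.history.get(inc.source, [])
        if prior:
            # Same source again: the last response did not contain it, so record
            # that implicitly and escalate one rung past it.
            self.feedback(inc.signature, prior[-1], effective=False)
            level = max(level, LADDER.index(prior[-1]) + 1)
        level = min(level, len(LADDER) - 1)
        # Skip an action that feedback says failed for this signature before,
        # as long as a stronger rung remains.
        while (self.effectiveness.get((inc.signature, LADDER[level]), 0) < 0
               and level < len(LADDER) - 1):
            level += 1
        action = LADDER[level]
        self.history.setdefault(inc.source, []).append(action)
        return action


def demo():
    """Walk through the article's scenarios; returns the actions issued in order."""
    r = Responder(sensor_reliability={"sensor-dmz": 0.9, "sensor-lab": 0.3})
    # constructed incidents (documentation-range addresses)
    critical_low = Incident("ssh_bruteforce", "198.51.100.7", "sensor-dmz", 0.5, True, False)
    first = r.select(critical_low)   # low certainty on a critical host: "alert_admin"
    second = r.select(critical_low)  # part of a series now: escalates to "rate_limit"
    r.feedback("ssh_bruteforce", "rate_limit", effective=True)  # admin confirms it worked
    noisy = Incident("port_scan", "203.0.113.9", "sensor-lab", 0.9, False, False)
    third = r.select(noisy)          # unreliable sensor drags 0.9 down to 0.27: "log_only"
    root = Incident("priv_escalation", "192.0.2.5", "sensor-dmz", 0.95, False, True)
    fourth = r.select(root)          # high certainty plus privileged account: "block_source"
    fresh = Incident("ssh_bruteforce", "198.51.100.8", "sensor-dmz", 0.5, True, False)
    fifth = r.select(fresh)          # new source, but feedback now skips "alert_admin": "rate_limit"
    return first, second, third, fourth, fifth


if __name__ == "__main__":
    print(demo())
```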

We have a prototype implementation of the above approach. It forms part of PhD research work within our group.[12] It has provided a practical proof of concept for the ideas expressed here, and suggests that the long-term choice in the intrusion-handling domain may be broader than current detection and prevention technologies.

Having said this, we need to do some more work on it before it is ready for large-scale deployment.

Conclusion

The title of this article was perhaps a little misleading, in the sense that neither technology is a complete answer. Although IPS technologies provide a way to thwart high-certainty attacks, we still need the IDS to account for other cases.

This leaves us with a problem. The imperfect nature of detection means that we can easily mistake normal activity for an intrusion. At the same time manual responses could be too late to prevent incidents.

We advocate a more flexible and intelligent approach, one that offers escalating levels of response according to several contextual factors. Although we have worked on this with some effect, we need to do more to reduce the uncertainty in response decisions before we look to fully automate prevention and response activities.

About the authors

Maria Papadaki has recently completed her PhD research within the Network Research Group, focusing upon the issue of flexible, automated IDS response. This research activity was undertaken with support from the State Scholarship Foundation of Greece.

Dr Steven Furnell is head of the Network Research Group at the University of Plymouth, UK. He is author of “Cybercrime: Vandalizing the Information Society”, published by Addison Wesley.


References:

1 Cohen F.B. 1999. "Simulating Cyber Attacks, Defences, and Consequences", The Infosec Technical Baseline studies, March 1999. http://all.net/journal/ntb/simulate/simulate.html
2 Network Associates. 2003. The Path to Prevention, White Paper, Network Associates Technology, Inc, October 2003. http://www.nai.com/
3 Gartner. 2003. "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure", Gartner Press Release, 11 June 2003.
4 Taylor S. and Wexler J. 2003. "IDS vs. IPS: Is one strategy 'better?'", Network World Fusion, 16 October 2003. http://www.nwfusion.com/newsletters/frame/2003/1013wan2.html
5 OpenService, Inc. 2003. Security Event Management Survey Results Analysis: Insight into the Threats, Issues and Trends Facing Network Security Departments in 2003. White Paper. February 2003. www.open.com
6 Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. 2004. Ninth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute.
7 McAfee Security. 2003. Intrusion Prevention: Myths, Challenges, and Requirements. White Paper. Network Associates. April 2003.
8 Messmer, E. 2002. "'Intrusion prevention' raises hopes, concerns", Network World Fusion, 4 November 2002. http://www.nwfusion.com/news/2002/1104prevention.html
9 Snyder, J. 2003. "False positives remain a major problem", Network World Fusion Online Magazine, 13 October 2003. http://www.nwfusion.com/reviews/2003/1013idsalert.html
10 Papadaki M., Furnell S.M., Lines B.M., and Reynolds P.L. 2003. "Operational Characteristics of an Automated Intrusion Response System", in Communications and Multimedia Security: Advanced Techniques for Network and Data Protection, Lioy A. and Mazzochi D. (eds), Springer Verlag, October 2003: pp 65-75.
11 Ragsdale, J.D., Carver, C.A. Jr., Humphries, J.W., and Pooch, U.W. 2001. "Adaptation Techniques for Intrusion Detection and Intrusion Response Systems", 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, New York, June 5-6 2001.
12 Papadaki, M. 2004. Classifying and Responding to Network Intrusions. PhD Thesis. University of Plymouth, United Kingdom.

The big picture on big holes
Thomas Kristensen, Secunia

Broken Zones in Internet Explorer

The Security Zone model of Internet Explorer has been criticised almost continuously, and once again it has been compromised. This time it appears that a Web master has used it maliciously to install adware.

Internet Explorer has had multiple inappropriate functionalities and minor security issues for a long time. Alone, these issues don’t pose a real threat to Internet Explorer users; however, combined with other vulnerabilities that allow websites to interact with the Local Security Zone, it is possible to place and execute arbitrary code on users’ systems with no warning or user interaction.

Currently, there is only one effective solution: disable Active Scripting. However, most businesses and private individuals find this inappropriate, as too many sites rely on Active Scripting to work properly.

Many professionals believe there is a better solution: use another browser. Even US-CERT/cert.org has suggested (recommended) use of an alternative browser, a solution rarely suggested by US-CERT.

We can only hope that Microsoft issues an out-of-schedule patch to deal with these latest issues. Hopefully it will soon release a cumulative patch to remove some of the inappropriate features and minor security issues that permit someone to compromise a full system.

Spoofing IE

Yet another spoofing vulnerability was found in Internet Explorer. This allows malicious people to change the appearance of a domain in the address bar. This could be used to establish outbound SMB/CIFS connections, if this kind of traffic isn’t properly filtered at the perimeter firewalls.

Internet Explorer

Jelmer issued a detailed analysis of a very sophisticated “zero-day” exploit for Internet Explorer. Jelmer obtained the exploit from an adware site that is using this exploit to install a toolbar in Internet Explorer on vulnerable users’ systems.

Please read Secunia advisory SA11793 below for additional details.

Furthermore, Microsoft’s monthly security bulletins for June addressed vulnerabilities in DirectX and various products that implement Crystal Reports.

http://secunia.com/SA11793
http://secunia.com/SA11803
http://secunia.com/SA11802

Another vulnerability was identified in Internet Explorer. This could be exploited by a malicious website to bypass security zone restrictions and spoof the address bar. Only Mozilla suffers the same vulnerability. However, in Mozilla’s