What you will learn from this tip: How intrusion-detection systems, honeypots and darknets bridge the gap between perimeter and host security to secure the network.
Most organizations recognize the importance of information security and devote resources to an information security program with adequate technical controls. In many cases, controls are well-developed in the areas of controlling access to the network (perimeter protection) and fortifying individual systems on the network (host protection). We're now beginning to see an increased emphasis on bridging the gap between these two areas with network-based security mechanisms.
In this tip, we'll explore three technical controls you can put in place to help bridge the gap in your enterprise:
There are two basic approaches to intrusion detection:
- Signature-based intrusion-detection systems (IDSes) work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They then scan network traffic for packets that match the signatures, and then raise alerts to security administrators.
- Anomaly-based IDSes work on a different principle. They learn the profile of "normal" network activity by monitoring the network over time, and then alert administrators to any deviations from that norm. The major advantage to anomaly-based systems is their ability to identify previously unknown attacks. Unfortunately, they haven't quite entered the mainstream of information security and reached the point of maturity where they're reliable enough for use on production networks.
If you'd like to implement an IDS, you may consider two different avenues, depending upon the time and financial resources you're able to commit to the project. The first option is the open-source route. The Snort intrusion-detection system is available for free at Snort.org and is well-supported by the information security community. If you're not willing to spend the time necessary to get Snort up and running, you may purchase a commercial IDS. There are quite a few products available today from vendors like Cisco and Enterasys. You also might wish to consider the commercial appliance versions of Snort available from Sourcefire.
Honeypots and honeynets
Honeypots and honeynets are another option available to security practitioners to secure the network. These tools are, believe it or not, designed to attract malicious attackers. Honeypots are systems designed to be targets of opportunity, useful for monitoring and observing hacker activity in an attempt to learn new hacking tools and techniques. Knowledge gained from honeypot systems may be used to protect the production network.
Honeynets are networks of honeypot systems, normally running different operating systems and applications with differing configurations. There is quite a bit of research underway in the academic community on so-called self-healing honeynets. These honeynets are designed to attract and monitor malicious activity and then quickly restore themselves to their original state, ready for the next attack attempt and saving a considerable amount of administrative time. For more information on establishing a honeypot or honeynet, consult the Honeynet Project at Honeynet.org.
One of the simplest tools you can implement on your network is a darknet. All you need to do is set aside a portion of unused IP address space and designate it as the darknet. Next, configure your IDS or other network-monitoring device to detect any traffic headed to a darknet address. As there are no legitimate systems running on the darknet, you may safely assume that any traffic bearing a darknet destination address is from a malicious or misconfigured system. Darknets are especially useful for detecting systems on your network that may be infected by worms or other malicious code and are attempting to spread to random addresses on your network.
- Our Snort Technical Guide answers frequently asked questions about Snort operation.
- Learn how honeypots can strengthen reconnaissance and lower intrusion noise.
- Visit our intrusion management resource center for more news, advice and tips.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This was first published in May 2005