Are you frustrated by the operation of your intrusion-detection system (IDS)? The answer, according to Foundstone security consultant Richard Bejtlich, is network security monitoring (NSM). NSM is the collection, analysis and escalation of indications and warnings to detect and respond to intrusions.
NSM is not an IDS, although it relies on IDS-like products as part of an integrated data collection and analysis suite. NSM involves collecting the full spectrum of data types (event, session, full content and statistical) needed to identify and validate intrusions, explains Richard.
In a recent on-demand webcast
Why are vendors more interested in event-driven tools rather than those that collect other sorts of NSM data?
Vendors have the user's interests in mind, but they tend to follow the antivirus model of intrusion detection. This involves trying to say "event X happened," without giving the user enough information to independently confirm or deny the product's judgement. The NSM model tries to give more control to the analyst by providing enough background to make independent decisions.
NSM is a waste of time. I can't monitor all of my Internet points-of-presence because they have too much bandwidth, and they use asymmetric routing. I don't know where they all are anyway! What advice can you give me?
Being able to defend the enterprise involves appropriate design and knowledge of its implementation. Those who design networks without the capability to monitor them have decided performance is more important than security. Unfortunately, I believe they don't really care about performance, either. Monitoring for performance reasons is very similar to monitoring for security reasons. Too many network engineers think their work is done if packets flow and customers don't complain.
How can NSM handle encryption?
NSM is more concerned with network auditing than with real-time identification of intrusions. Although encryption denies the analyst the ability to see packet contents, it doesn't deny analysts the ability to see traffic patterns. Simply knowing who talked to whom, and when, is more information than most enterprises are collecting today.
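The two answers above describe session and statistical data as what survives encryption: who talked to whom, when, and how much. The following is an added example, not code from the interview or from any Foundstone tool; it folds constructed per-packet summaries (sample values, not real traffic) into session records and a top-talkers table even where the payload is opaque.

```python
# Added example (not from the interview): building NSM "session" records
# from constructed per-packet summaries, so who-talked-to-whom-and-when
# survives even when the payload is encrypted.
from collections import defaultdict

# Constructed sample: (timestamp, src, sport, dst, dport, proto, bytes, content_visible)
# The port-443 packets are TLS: content_visible is False, but the flow is still recorded.
PACKETS = [
    (1000, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 517, False),
    (1001, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 1400, False),
    (1002, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 90, False),
    (1005, "10.0.0.5", 51001, "203.0.113.10", 443, "tcp", 517, False),
    (1006, "203.0.113.10", 443, "10.0.0.5", 51001, "tcp", 1400, False),
    (1100, "10.0.0.7", 40000, "198.51.100.2", 80, "tcp", 300, True),
    (1101, "198.51.100.2", 80, "10.0.0.7", 40000, "tcp", 2000, True),
]

def session_key(src, sport, dst, dport, proto):
    """Normalise direction so both halves of a conversation share one key."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_sessions(packets):
    """Session data: endpoints, first/last seen, packet and byte counts."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, nbytes, visible in packets:
        key = session_key(src, sport, dst, dport, proto)
        s = sessions.setdefault(key, {"first": ts, "last": ts, "packets": 0,
                                      "bytes": 0, "content_visible": True})
        s["last"] = max(s["last"], ts)
        s["packets"] += 1
        s["bytes"] += nbytes
        # one opaque packet makes the whole session's content unreadable
        s["content_visible"] = s["content_visible"] and visible
    return sessions

def top_talkers(sessions):
    """Statistical data: bytes exchanged per (client, server, port), largest first."""
    totals = defaultdict(int)
    for (proto, h1, p1, h2, p2), s in sessions.items():
        # heuristic: the lower port is treated as the service side
        server, port, client = (h1, p1, h2) if p1 < p2 else (h2, p2, h1)
        totals[(client, server, port)] += s["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for key, s in build_sessions(PACKETS).items():
        print(key, s)
    print(top_talkers(build_sessions(PACKETS)))
```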
You advise using Unix for NSM. Why can't I use my Windows system to collect the data?
Most free NSM tools run on Unix. This is the result of programmers recognizing that Unix systems have more robust TCP/IP stacks and make packet collection easier at the interface level. Many commercial NSM tools run on Windows. This is more for customer acceptability than for performance reasons.
Why do you prefer FreeBSD to Linux?
I think FreeBSD is the best general-purpose, free Unix operating system available. Linux is only a kernel. FreeBSD is a complete operating system. While you can run complete Linux-based operating systems, you have to pick a single distribution, like Red Hat or SuSe. FreeBSD has better package management tools, although Gentoo Linux has a similar system. I prefer to run Linux on desktop systems since Linux tends to have better driver support and is more popular.
In your presentation, you suggest using Snort. What's so great about it?
Snort gives the analyst the ability to customize his event collection capabilities. Snort can be examined, modified, and tuned to meet the needs of the analyst. It is unique in this respect, although several other open source IDS projects exist. These competitors aren't mature by Snort standards.
What are your thoughts on host-based intrusion detection?
I think eventually every host will be responsible for its own defense. To this end, I am interested in projects like Niels Provos' systrace, which monitors and enforces system call policies on Unix systems. Keep in mind, there is a difference between audit, detection and prevention. Systrace can do all three.
Speaking of prevention, what are your thoughts on intrusion-prevention systems?
An intrusion-prevention system is an access control device, like a firewall. It can also be a system call control device, like systrace. In this respect, they are nothing new. The term intrusion "prevention" system was invented by marketing people who wanted to answer the concerns of their customers. Vendors tired of selling their product to customers who thought prevention was a 100% possible proposition. So, they replaced the "detection" in IDS with "prevention," and told customers, "Yes, we prevent intrusions."
Is IDS dead?
No! IDS, as implemented by many commercial vendors and deployed by many companies, is a failure. IDS, properly implemented with an NSM model, is a viable way to detect, escalate and remediate intrusions.
Listen to the on-demand webcast Implementing network security monitoring with open source tools.
About the speaker
Richard Bejtlich, CISSP, is a principal consultant at Foundstone. He performs incident response, digital forensics, security training and consulting on network security monitoring. His work appears in Hacking Exposed, Fourth Edition and Incident Response, Second Edition, both published by Osborne McGraw-Hill. He is currently working on a book called The Tao of Network Security Monitoring. You can visit his Web site at www.taosecurity.com.
This was first published in September 2003