[ISN] ITL Bulletin for February 2007

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 00:04:56 PST

Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>



Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Intrusion detection and prevention systems (IDPSs) are composed of 
software that helps organizations to monitor and analyze events 
occurring in their information systems and networks, and to identify and 
stop potentially harmful incidents. With the growing dependence of 
organizations on information systems to carry out essential activities 
and with the increasingly frequent and intense attacks on systems, IDPSs 
have become an essential component of the security infrastructure of 
nearly every organization. The Information Technology Laboratory of the 
National Institute of Standards and Technology (NIST) recently updated 
its recommendations to organizations about the use of intrusion 
detection and prevention systems.

NIST Special Publication (SP) 800-94, Guide to Intrusion Detection and 
Prevention Systems (IDPS)

NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems 
(IDPS), Recommendations of the National Institute of Standards and 
Technology, was published in February 2007. The publication explains how 
intrusion detection and prevention systems can help organizations 
strengthen the security of their information systems, and recommends 
ways that organizations can design, implement, configure, secure, 
monitor, and maintain intrusion detection and prevention systems. 
Written by Karen Scarfone and Peter Mell, the publication replaces NIST 
Special Publication 800-31, Intrusion Detection Systems.

NIST SP 800-94 explains the basic concepts of intrusion detection and 
prevention. It provides an overview of IDPS technologies, including 
typical components, general detection methodologies, and implementation 
and operation assistance. Four classes of IDPS products - network-based, 
wireless, network behavior analysis, and host-based systems - are 
presented to help users compare them and to determine the appropriate 
type or types of IDPS needed for their environments. Also included are 
descriptions of other technologies that can detect intrusions, such as 
security information and event management software and network forensic 
analysis tools. The publication focuses on helping organizations that 
are implementing enterprise-wide IDPS solutions, but most of the 
information is also applicable to standalone and small-scale IDPS 

One section of the publication provides specific information to help 
organizations in the selection of IDPS products after they have 
determined the particular type of IDPS technology needed. The guide 
discusses the identification of general requirements that the IDPS 
products should meet. Sets of criteria are provided to enable 
organizations to evaluate four aspects of IDPS technologies: security 
capabilities, performance, management, and life cycle cost. The guide 
provides a discussion of how to perform hands-on and paper evaluations 
of products, and when each evaluation technique is most appropriate.

The appendices to NIST SP 800-94 provide extensive information about 
intrusion detection and prevention systems. Included are a glossary, an 
acronym list, and lists of in-print resources and online tools and 
resources. The intrusion detection and prevention guide is available on 
NIST’s web pages at:


Functions of Intrusion Detection and Prevention Systems

Intrusion detection is the process of monitoring the events occurring in 
a computer system or network and analyzing them for signs of possible 
incidents, which are violations or imminent threats of violation of 
computer security policies, acceptable use policies, or standard 
security practices. Incidents have many causes, such as malware (e.g., 
worms, spyware), attackers gaining unauthorized access to systems from 
the Internet, and authorized users of systems who misuse their 
privileges or attempt to gain additional privileges for which they are 
not authorized. Although many incidents are malicious in nature, many 
others are not; for example, a user could enter an incorrect address of 
a system and accidentally attempt to connect to a different system 
without authorization.

An intrusion detection system (IDS) is software that automates the 
intrusion detection process. An intrusion prevention system (IPS) is 
software that has all the capabilities of an intrusion detection system 
and can also attempt to stop possible incidents. Intrusion detection 
systems (IDS) and intrusion prevention systems (IPS) have many of the 
same capabilities, so for brevity this publication refers to them 
collectively as intrusion detection and prevention systems (IDPS).

Intrusion detection and prevention systems identify possible incidents, 
log information about them, attempt to stop them, and produce reports 
for security administrators. The systems also assist organizations in 
identifying problems with security policies, documenting threats, and 
deterring individuals from violating security policies.

Four Types of IDPSs

NIST SP 800-94 discusses four types of IDPSs, which are based on the 
type of events that they monitor and the ways in which they are 

- Network-Based systems monitor network traffic for particular network 
  segments or devices and analyze the network and application protocol 
  activity to identify suspicious activity. This type of system can 
  identify many different types of events of interest, and is most 
  commonly deployed at a boundary between networks, such as in proximity 
  to border firewalls or routers, virtual private network (VPN) servers, 
  remote access servers, and wireless networks.

- Wireless systems monitor wireless network traffic and analyze it to 
  identify suspicious activity involving the wireless networking 
  protocols themselves. This type of system cannot identify suspicious 
  activity in the application or higher-layer network protocols (e.g., 
  TCP, UDP) that the wireless network traffic is transferring. It is 
  most commonly deployed within range of an organization’s wireless 
  network to monitor it, but it can also be deployed to locations where 
  unauthorized wireless networking could be occurring.

- Network Behavior Analysis (NBA) systems examine network traffic to 
  identify threats that generate unusual traffic flows, such as 
  distributed denial of service (DDoS) attacks, certain forms of 
  malware, and policy violations (e.g., a client system providing 
  network services to other systems). NBA systems are most often 
  deployed to monitor flows on an organization’s internal networks, and 
  are sometimes deployed where they can monitor flows between an 
  organization’s networks and external networks.

- Host-Based systems monitor the characteristics of a single host and 
  the events occurring within that host for suspicious activity. The 
  types of characteristics that a host-based IDPS might monitor are 
  network traffic for that host, system logs, running processes, 
  application activity, file access and modification, and system and 
  application configuration changes. Host-based IDPSs are most commonly 
  deployed on critical hosts such as publicly accessible servers and 
  servers containing sensitive information.

Components, Architecture, Security Capabilities, and Management Issues

NIST SP 800-94 explains in detail the components and architecture, 
security capabilities, and management issues related to each of the 
types of IDPSs.

The typical components of an IDPS are sensors or agents, management 
servers, database servers, and consoles. Sensors and agents monitor and 
analyze activity; sensors are used to monitor networks and agents are 
used to monitor hosts. Management servers handle information from 
sensors or agents and manage them. Database servers are repositories for 
event information recorded by the sensors or agents and by management 
servers. Consoles are programs that provide interfaces for IDPS users 
and administrators. These components can be connected to each other 
through an organization’s standard networks or through a separate 
network that is designed for security software management. A management 
network helps to protect the IDPS from attack and to ensure it has 
adequate bandwidth under adverse conditions. A virtual management 
network can be created using a virtual local area network (VLAN) to 
provide protection for IDPS communications.

Most IDPSs can provide a wide variety of security capabilities. Some 
products offer information-gathering capabilities, such as collecting 
information on hosts or networks from observed activity. IDPSs can 
perform extensive logging of data related to detected events. This data 
can be used to confirm the validity of alerts, investigate incidents, 
and correlate events between the IDPS and other logging sources. Logs of 
collected information should be stored both locally and centrally to 
support the integrity and availability of the data. IDPSs offer 
extensive, broad capabilities to detect events, but may require at least 
some tuning and customization to improve their detection accuracy, 
usability, and effectiveness. Most IDPSs offer multiple prevention 
capabilities; the specific capabilities vary by IDPS technology type. 
IDPSs usually allow administrators to specify the prevention capability 
configuration for each type of alert. This includes enabling or 
disabling prevention, as well as specifying which type of prevention 
capability should be used.

Architectural considerations include component placement, solution 
reliability, interoperability with other systems, management network 
architecture, and necessary changes to other security controls.

NIST Recommendations for Implementing IDPSs

NIST recommends that organizations carry out the following activities 
when implementing IDPSs:

-  Ensure that all IDPS components are secured appropriately.

Securing IDPS components is very important because IDPSs are often 
targeted by attackers who want to prevent the IDPSs from detecting 
attacks or want to gain access to sensitive information in the IDPSs, 
such as host configurations and known vulnerabilities. IDPSs are 
composed of several types of components, including sensors or agents, 
management servers, database servers, user and administrator consoles, 
and management networks. All components’ operating systems and 
applications should be kept fully up to date, and all software-based 
IDPS components should be hardened against threats. Specific protective 
actions of particular importance include creating separate accounts for 
each IDPS user and administrator, restricting network access to IDPS 
components, and ensuring that IDPS management communications are 
protected appropriately, such as encrypting them or transmitting them 
over a physically or logically separate network. Administrators should 
maintain the security of the IDPS components on an ongoing basis, 
including verifying that the components are functioning as desired, 
monitoring the components for security issues, performing regular 
vulnerability assessments, responding appropriately to vulnerabilities 
in the IDPS components, and testing and deploying IDPS updates. 
Administrators should also back up configuration settings periodically 
and before applying updates to ensure that existing settings are not 
inadvertently lost.

- Consider using multiple types of IDPS technologies to achieve more 
  comprehensive and accurate detection and prevention of malicious 

The four primary types of IDPS technologies­network-based, wireless, 
NBA, and host-based­each offer fundamentally different 
information-gathering, logging, detection, and prevention capabilities. 
Each technology type offers benefits over the others, such as detecting 
some events that the others cannot and detecting some events with 
significantly greater accuracy than the other technologies. In many 
environments, a robust IDPS solution cannot be achieved without using 
multiple types of IDPS technologies. For most environments, a 
combination of network-based and host-based IDPS technologies is needed 
for an effective IDPS solution. Wireless IDPS technologies may also be 
needed if the organization determines that its wireless networks need 
additional monitoring or if the organization wants to ensure that rogue 
wireless networks are not in use in the organization’s facilities. NBA 
technologies can also be deployed if organizations desire additional 
detection capabilities for denial of service attacks, worms, and other 
threats that NBAs are particularly well-suited to detecting. 
Organizations should consider the different capabilities of each 
technology type along with other cost-benefit information when selecting 
IDPS technologies.

- Consider whether or not the IDPSs should be integrated when planning 
  the use of multiple types of IDPS technologies or multiple products of 
  the same IDPS technology type.

Direct IDPS integration most often occurs when an organization uses 
multiple IDPS products from a single vendor, and has a single console 
that can be used to manage and monitor the multiple products. Some 
products can also mutually share data, which can speed the analysis 
process and help users to better prioritize threats. A more limited form 
of direct IDPS integration is having one IDPS product provide data for 
another IDPS product but preventing data sharing in the opposite 
direction. Indirect IDPS integration is usually performed with security 
information and event management (SIEM) software, which is designed to 
import information from various security-related logs and correlate 
events among them. SIEM software complements IDPS technologies in 
several ways, including correlating events logged by different 
technologies, displaying data from many event sources, and providing 
supporting information from other sources to help users verify the 
accuracy of IDPS alerts.

- Define the requirements that the products should meet before 
  evaluating IDPS products.

Evaluators need to understand the characteristics of the organization’s 
system and network environments, so that a compatible IDPS can be 
selected that can monitor the events of interest on the systems and/or 
networks. Evaluators should articulate the goals and objectives they 
wish to attain by using an IDPS, such as stopping common attacks, 
identifying misconfigured wireless network devices, and detecting misuse 
of the organization's system and network resources. Evaluators should 
also review their existing security policies, which serve as a 
specification for many of the features that the IDPS products need to 
provide. In addition, evaluators should understand whether or not the 
organization is subject to oversight or review by another organization. 
If so, they should determine if that oversight authority requires IDPSs 
or other specific system security resources. Resource constraints should 
also be taken into consideration by evaluators. Evaluators also need to 
define specialized sets of requirements for the following:

- Security capabilities, including information gathering, logging, 
  detection, and prevention.

- Performance, including maximum capacity and performance features.

- Management, including design and implementation (e.g., reliability, 
  interoperability, scalability, product security), operation and 
  maintenance (including software updates), and training, documentation, 
  and technical support.

-  Life cycle costs, both initial and maintenance costs.

- Consider using a combination of several sources of data on the 
  products' characteristics and capabilities when evaluating IDPS 

Common product data sources include test lab or real-world product 
testing, vendor-provided information, third-party product reviews, and 
previous IDPS experience from individuals within the organization and 
trusted individuals at other organizations. When using data from other 
parties, organizations should consider the fidelity of the data because 
it is often presented without an explanation of how it was generated. 
There are several major challenges in performing in-depth hands-on IDPS 
testing, such as the considerable resources needed and the lack of a 
standard test methodology and test suites, which often make it 
infeasible. However, limited IDPS testing is helpful for evaluating 
security requirements, performance, and operation and maintenance 

More Information

NIST publications assist organizations in planning and implementing a 
comprehensive approach to information security. For information about 
NIST standards and guidelines that are referenced in the intrusion and 
detection guide, as well as other security-related publications, see 
NIST's web page: http://csrc.nist.gov/publications/index.html.

Any mention of commercial products or reference to commercial organizations is
for information only; it does not imply recommendation or endorsement by NIST
nor does it imply that the products mentioned are necessarily the best available
for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

Visit the InfoSec News Security Bookstore!

This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 00:21:22 PST