Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov> ITL BULLETIN FOR FEBRUARY 2007 INTRUSION DETECTION AND PREVENTION SYSTEMS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Intrusion detection and prevention systems (IDPSs) are composed of software that helps organizations to monitor and analyze events occurring in their information systems and networks, and to identify and stop potentially harmful incidents. With the growing dependence of organizations on information systems to carry out essential activities and with the increasingly frequent and intense attacks on systems, IDPSs have become an essential component of the security infrastructure of nearly every organization. The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its recommendations to organizations about the use of intrusion detection and prevention systems. NIST Special Publication (SP) 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), Recommendations of the National Institute of Standards and Technology, was published in February 2007. The publication explains how intrusion detection and prevention systems can help organizations strengthen the security of their information systems, and recommends ways that organizations can design, implement, configure, secure, monitor, and maintain intrusion detection and prevention systems. Written by Karen Scarfone and Peter Mell, the publication replaces NIST Special Publication 800-31, Intrusion Detection Systems. NIST SP 800-94 explains the basic concepts of intrusion detection and prevention. It provides an overview of IDPS technologies, including typical components, general detection methodologies, and implementation and operation assistance. Four classes of IDPS products - network-based, wireless, network behavior analysis, and host-based systems - are presented to help users compare them and to determine the appropriate type or types of IDPS needed for their environments. Also included are descriptions of other technologies that can detect intrusions, such as security information and event management software and network forensic analysis tools. The publication focuses on helping organizations that are implementing enterprise-wide IDPS solutions, but most of the information is also applicable to standalone and small-scale IDPS deployments. One section of the publication provides specific information to help organizations in the selection of IDPS products after they have determined the particular type of IDPS technology needed. The guide discusses the identification of general requirements that the IDPS products should meet. Sets of criteria are provided to enable organizations to evaluate four aspects of IDPS technologies: security capabilities, performance, management, and life cycle cost. The guide provides a discussion of how to perform hands-on and paper evaluations of products, and when each evaluation technique is most appropriate. The appendices to NIST SP 800-94 provide extensive information about intrusion detection and prevention systems. Included are a glossary, an acronym list, and lists of in-print resources and online tools and resources. The intrusion detection and prevention guide is available on NISTÂs web pages at: http://csrc.nist.gov/publications/nistpubs/index.html. Functions of Intrusion Detection and Prevention Systems Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Although many incidents are malicious in nature, many others are not; for example, a user could enter an incorrect address of a system and accidentally attempt to connect to a different system without authorization. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have many of the same capabilities, so for brevity this publication refers to them collectively as intrusion detection and prevention systems (IDPS). Intrusion detection and prevention systems identify possible incidents, log information about them, attempt to stop them, and produce reports for security administrators. The systems also assist organizations in identifying problems with security policies, documenting threats, and deterring individuals from violating security policies. Four Types of IDPSs NIST SP 800-94 discusses four types of IDPSs, which are based on the type of events that they monitor and the ways in which they are deployed: - Network-Based systems monitor network traffic for particular network segments or devices and analyze the network and application protocol activity to identify suspicious activity. This type of system can identify many different types of events of interest, and is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks. - Wireless systems monitor wireless network traffic and analyze it to identify suspicious activity involving the wireless networking protocols themselves. This type of system cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organizationÂs wireless network to monitor it, but it can also be deployed to locations where unauthorized wireless networking could be occurring. - Network Behavior Analysis (NBA) systems examine network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organizationÂs internal networks, and are sometimes deployed where they can monitor flows between an organizationÂs networks and external networks. - Host-Based systems monitor the characteristics of a single host and the events occurring within that host for suspicious activity. The types of characteristics that a host-based IDPS might monitor are network traffic for that host, system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information. Components, Architecture, Security Capabilities, and Management Issues NIST SP 800-94 explains in detail the components and architecture, security capabilities, and management issues related to each of the types of IDPSs. The typical components of an IDPS are sensors or agents, management servers, database servers, and consoles. Sensors and agents monitor and analyze activity; sensors are used to monitor networks and agents are used to monitor hosts. Management servers handle information from sensors or agents and manage them. Database servers are repositories for event information recorded by the sensors or agents and by management servers. Consoles are programs that provide interfaces for IDPS users and administrators. These components can be connected to each other through an organizationÂs standard networks or through a separate network that is designed for security software management. A management network helps to protect the IDPS from attack and to ensure it has adequate bandwidth under adverse conditions. A virtual management network can be created using a virtual local area network (VLAN) to provide protection for IDPS communications. Most IDPSs can provide a wide variety of security capabilities. Some products offer information-gathering capabilities, such as collecting information on hosts or networks from observed activity. IDPSs can perform extensive logging of data related to detected events. This data can be used to confirm the validity of alerts, investigate incidents, and correlate events between the IDPS and other logging sources. Logs of collected information should be stored both locally and centrally to support the integrity and availability of the data. IDPSs offer extensive, broad capabilities to detect events, but may require at least some tuning and customization to improve their detection accuracy, usability, and effectiveness. Most IDPSs offer multiple prevention capabilities; the specific capabilities vary by IDPS technology type. IDPSs usually allow administrators to specify the prevention capability configuration for each type of alert. This includes enabling or disabling prevention, as well as specifying which type of prevention capability should be used. Architectural considerations include component placement, solution reliability, interoperability with other systems, management network architecture, and necessary changes to other security controls. NIST Recommendations for Implementing IDPSs NIST recommends that organizations carry out the following activities when implementing IDPSs: - Ensure that all IDPS components are secured appropriately. Securing IDPS components is very important because IDPSs are often targeted by attackers who want to prevent the IDPSs from detecting attacks or want to gain access to sensitive information in the IDPSs, such as host configurations and known vulnerabilities. IDPSs are composed of several types of components, including sensors or agents, management servers, database servers, user and administrator consoles, and management networks. All components operating systems and applications should be kept fully up to date, and all software-based IDPS components should be hardened against threats. Specific protective actions of particular importance include creating separate accounts for each IDPS user and administrator, restricting network access to IDPS components, and ensuring that IDPS management communications are protected appropriately, such as encrypting them or transmitting them over a physically or logically separate network. Administrators should maintain the security of the IDPS components on an ongoing basis, including verifying that the components are functioning as desired, monitoring the components for security issues, performing regular vulnerability assessments, responding appropriately to vulnerabilities in the IDPS components, and testing and deploying IDPS updates. Administrators should also back up configuration settings periodically and before applying updates to ensure that existing settings are not inadvertently lost. - Consider using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. The four primary types of IDPS technologiesÂnetwork-based, wireless, NBA, and host-basedÂeach offer fundamentally different information-gathering, logging, detection, and prevention capabilities. Each technology type offers benefits over the others, such as detecting some events that the others cannot and detecting some events with significantly greater accuracy than the other technologies. In many environments, a robust IDPS solution cannot be achieved without using multiple types of IDPS technologies. For most environments, a combination of network-based and host-based IDPS technologies is needed for an effective IDPS solution. Wireless IDPS technologies may also be needed if the organization determines that its wireless networks need additional monitoring or if the organization wants to ensure that rogue wireless networks are not in use in the organizationÂs facilities. NBA technologies can also be deployed if organizations desire additional detection capabilities for denial of service attacks, worms, and other threats that NBAs are particularly well-suited to detecting. Organizations should consider the different capabilities of each technology type along with other cost-benefit information when selecting IDPS technologies. - Consider whether or not the IDPSs should be integrated when planning the use of multiple types of IDPS technologies or multiple products of the same IDPS technology type. Direct IDPS integration most often occurs when an organization uses multiple IDPS products from a single vendor, and has a single console that can be used to manage and monitor the multiple products. Some products can also mutually share data, which can speed the analysis process and help users to better prioritize threats. A more limited form of direct IDPS integration is having one IDPS product provide data for another IDPS product but preventing data sharing in the opposite direction. Indirect IDPS integration is usually performed with security information and event management (SIEM) software, which is designed to import information from various security-related logs and correlate events among them. SIEM software complements IDPS technologies in several ways, including correlating events logged by different technologies, displaying data from many event sources, and providing supporting information from other sources to help users verify the accuracy of IDPS alerts. - Define the requirements that the products should meet before evaluating IDPS products. Evaluators need to understand the characteristics of the organizationÂs system and network environments, so that a compatible IDPS can be selected that can monitor the events of interest on the systems and/or networks. Evaluators should articulate the goals and objectives they wish to attain by using an IDPS, such as stopping common attacks, identifying misconfigured wireless network devices, and detecting misuse of the organization's system and network resources. Evaluators should also review their existing security policies, which serve as a specification for many of the features that the IDPS products need to provide. In addition, evaluators should understand whether or not the organization is subject to oversight or review by another organization. If so, they should determine if that oversight authority requires IDPSs or other specific system security resources. Resource constraints should also be taken into consideration by evaluators. Evaluators also need to define specialized sets of requirements for the following: - Security capabilities, including information gathering, logging, detection, and prevention. - Performance, including maximum capacity and performance features. - Management, including design and implementation (e.g., reliability, interoperability, scalability, product security), operation and maintenance (including software updates), and training, documentation, and technical support. - Life cycle costs, both initial and maintenance costs. - Consider using a combination of several sources of data on the products' characteristics and capabilities when evaluating IDPS products. Common product data sources include test lab or real-world product testing, vendor-provided information, third-party product reviews, and previous IDPS experience from individuals within the organization and trusted individuals at other organizations. When using data from other parties, organizations should consider the fidelity of the data because it is often presented without an explanation of how it was generated. There are several major challenges in performing in-depth hands-on IDPS testing, such as the considerable resources needed and the lack of a standard test methodology and test suites, which often make it infeasible. However, limited IDPS testing is helpful for evaluating security requirements, performance, and operation and maintenance capabilities. More Information NIST publications assist organizations in planning and implementing a comprehensive approach to information security. For information about NIST standards and guidelines that are referenced in the intrusion and detection guide, as well as other security-related publications, see NIST's web page: http://csrc.nist.gov/publications/index.html. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 __________________________________________ Visit the InfoSec News Security Bookstore! http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 00:21:22 PST