IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.71 Intrusion detection and intrusion response
systems
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
One of the key tasks of a firewall administrator is to analyse the accruing
logging data so as to be able to detect attacks soon after the event. In view of
the wealth of data and the multitude and complexity of the various possible
means of attack, this results in a considerable amount of work. Intrusion
detection (ID) and intrusion response (IR) systems can help in this.
The aim of an ID system must be to provide assistance to an average
administrator to the extent that he or she is able to detect an attack in a large
number of logging files without the need for in-depth knowledge of the field
of Internet security. IR systems, on the other hand, serve the purpose of
initiating countermeasures automatically as soon as an attack has been
detected.
In an ideal situation these programs will have as much information at their
disposal as a good administrator, and will therefore be able not only to detect
an attack in any logging data but also to provide indication of the severity of
the threat and what countermeasures are necessary. Currently, however, this
field is still the subject of intensive research, so significant improvements to
existing programs are possible at any time.
Intrusion detection systems can essentially be divided into two classes:
signature analysis and anomaly detection.
Signature analysis is based on the assumption that many attacks can be
detected on the basis of a certain sequence of logging data. One example is the
technique known as port scanning. In advance of an attack, the intruder first
establishes which services on the attacked computer are addressable, i.e. to
which TCP ports it is possible to set up a connection. This involves using a
program to send a connection setup packet to all TCP ports one after the other.
If a connection is established, a service is installed there and can be attacked.
The corresponding signature, i.e. distinctive feature, of this attack is simple:
connection setup packets which are successively sent to all TCP ports.
The problems with this type of intrusion detection also become immediately
apparent, however: in what order do the ports have to be addressed and at
what time intervals, if an attack is to be distinguished from normal operation?
The latest port scanning programs operate in such a way that they do not scan
port 1, port 2 through to port n, but do this in a random order. It is also
possible for the packets not to be sent directly one after the other, but at
random intervals (e.g. 1 s, 100 ms, 333 ms, 5 s ...). This makes it difficult to
determine the signature.
A subtle variant of port scanning involves sending individual packets from
different source addresses. Used in conjunction with the time-staggered
initiation of the packets described above, the probability that an attack will
remain undetected is currently very high.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000