Insight, Volume 3, Issue 1

Welcome to Volume 3, Issue 1 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.


TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave


Intrusion Prevention: The Ultimate Security?

Mandy Andress

There are very few things I own or do each day that do not involve the use of or reliance on a computer. This growing dependence on technology makes security that much more important. If a mission critical system at work is compromised, how does that affect me or my company? What happens if the account information in my bank's computer systems is hacked and all my funds are transferred (stolen)? What about air traffic control, utility, or national defense systems? If the bulk of revenue of my company comes from users accessing an online database, what happens if our web server is compromised or DDOS'ed, or our databases are corrupted?

Today's Approach: Intrusion Detection

Layers of security are implemented to prevent such compromises, but the possibility of a security breach persists. Today, we try to be proactive in monitoring our networks, not only to prevent unwarranted access when an attacker touches our perimeter defenses, trusted internal networks and systems, but to learn the nature of attackers and their intended targets and ambitions. The solution du jour is to use an intrusion detection system, whether host based or network based, or a file integrity checker such as Tripwire. But intrusion detection systems (IDSs) in the hands of staff that lack expertise in network intrusions create another problem: dealing with too many or too few alarms, false positives and false negatives, and deciding how to respond. And most IDSs today can only look for attacks they already know about. In general, both IDSs and file integrity checkers are historical security solutions, alerting you to problems after the fact. That new exploit posted on Bugtraq today? Your intrusion detection system in all likelihood has no way of detecting it unless the product vendor was able to release a signature update almost immediately after the vulnerability was reported, a highly unlikely scenario.

What happens if your IDS is triggered and sends you an alarm? The attacker is already on your network or system and the damage has been done. Do you take the system(s) offline and investigate what happened, find what damage has been done, what data were corrupted, and figure out how to fix it? Can you really afford this much downtime?

An emerging approach: intrusion prevention

Development began on a new way to deal with this issue, a more proactive approach that would allow a system to thwart attacks and continue functioning correctly in the face of intrusion attempts, a technology coined intrusion prevention. Being the new buzzword, vendors jumped on the intrusion prevention bandwagon claiming their product fit in this category, too. I have seen distributed firewall vendors market their product as intrusion prevention as well as a combination of intrusion detection/intrusion prevention. I find the term a bit deceiving since about 50% of the security market deals with intrusion prevention. Firewalls, access control, and file integrity applications are just a few of the existing products that can fall under this umbrella. Some might even argue that almost 100% of security products can be included. Isn't the act of keeping unauthorized individuals from accessing system resources and maintaining the integrity, availability, and confidentiality of information one of the main goals of security?

A few products have been developed that perform functions originally intended as intrusion prevention technology. They can still be classified as intrusion prevention solutions, but I think they belong in their own niche, whether you call them preemptive, intrusion resistant, or intrusion resilient products. Take your pick; all terms have been used. I will use the term intrusion resistant for the remainder of this article. The approach these products take is to wrap themselves around the kernel of an operating system and intercept system calls, allowing approved calls to go through, denying forbidden calls, and making judgments on undefined calls. These products do not all contain completely new technology. Some of them take old ideas, such as sandboxes and file integrity checkers, and combine them with some new approaches and other existing technologies to create new functionality.

Benefits of Intrusion Resistant solutions

The benefits of these new products over traditional IDSs are enormous: they are proactive, not completely reliant on (attack) signature databases, and easier to administer. Intrusion resistant products seek to thwart attacks before they can do much real harm to a system, eliminating the excessive amounts of downtime caused by current IDS technology in researching what was compromised on a system. With intrusion resistant solutions, you get a log entry stating what was attempted, possibly where the attack appeared to originate, and what the system did. You can follow up on the attack now or later, but you do not need to take the system offline for inspection.

Even though intrusion resistant solutions greatly improve the ease of use and administration of host security, they are still not, on their own, the ultimate security solution. As always, the best approach is a layered infrastructure with a strong policy foundation. Some Administrators may be prone to configuring an intrusion resistant solution and leaving it alone to do its job. Even though it can function without much user interaction, the rules and policies still need to be reviewed and updated on a regular basis.

There are a lot of possibilities for this type of solution. Besides securing enterprise servers, a product can be developed for home systems to help secure the systems of broadband Internet users. Personal firewalls are the current technology of choice, but I see this trend waning, or at least joining forces with intrusion resistant systems to help mitigate the risks of Trojans and other malicious activity.

Early product development

Several intrusion resistant products are currently available, some commercial and some open source. ClickNet's entercept (http://www.clicknet.com) is available for Windows NT, 2000, and Solaris systems. entercept catches calls at the OS and kernel level and takes action as defined by the Administrator, such as allow process, log event, or terminate process. This program does contain a database of attack signatures for well-known tools, Trojans, and exploits, as well as generic attack signatures for things such as buffer overflows. The generic signatures provide the capability of preventing an unknown attack, such as a new exploit that has not yet been fixed by a vendor patch.

SMART Watch by WetStone Technologies (http://www.smart-watch.com/) is another intrusion resistant solution available for Windows 98, NT, and 2000. Whereas entercept adds a proactive twist to IDSs, SMART Watch does the same for file integrity checkers. SMART Watch runs in the background, monitoring system files. When a change is detected, such as a change in Windows Registry settings, system resource files, web server files, log files, or the addition of utilities and Trojans, SMART Watch replaces the modified file with the original, trusted version and sends an alert to the appropriate Administrator explaining what is happening on the system. The combination of entercept and SMART Watch on a system would provide a very strong level of intrusion resistance.
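The restore-on-change behaviour described for SMART Watch, as an added example that is not the vendor's code: a hypothetical integrity monitor keeps a trusted copy of each monitored file in a vault directory, re-hashes the live file on every check, and puts the trusted copy back (and records an event) when the content has drifted or the file has gone missing. The `httpd.conf` sample file and its content are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical file-integrity monitor in the spirit of SMART Watch (not its code):
# snapshot a trusted copy of each monitored file, then on each check compare the
# live file's SHA-256 with the baseline and restore the trusted copy on drift.


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityMonitor:
    def __init__(self, vault_dir):
        self.vault_dir = vault_dir
        self.baseline = {}  # live path -> (expected sha256, path of trusted copy)

    def baseline_file(self, path):
        """Record the current content as trusted and stash a copy in the vault."""
        copy = os.path.join(self.vault_dir, hashlib.sha256(path.encode()).hexdigest())
        shutil.copy2(path, copy)
        self.baseline[path] = (sha256_of(path), copy)

    def check_and_restore(self):
        """Return (path, finding, action) for every monitored file, restoring as needed."""
        events = []
        for path, (expected, copy) in self.baseline.items():
            if not os.path.exists(path):
                shutil.copy2(copy, path)
                events.append((path, "missing", "restored"))
            elif sha256_of(path) != expected:
                shutil.copy2(copy, path)
                events.append((path, "modified", "restored"))
            else:
                events.append((path, "unchanged", "none"))
        return events


def demo():
    """Baseline a constructed config file, tamper with it, and run two checks."""
    root = tempfile.mkdtemp()
    vault = os.path.join(root, "vault")
    os.makedirs(vault)
    target = os.path.join(root, "httpd.conf")  # constructed sample file
    with open(target, "w") as f:
        f.write("ServerName www.example.test\n")

    mon = IntegrityMonitor(vault)
    mon.baseline_file(target)

    # Simulated unauthorized change to the monitored file.
    with open(target, "a") as f:
        f.write("# tampered\n")

    first = mon.check_and_restore()       # detects the change and restores
    with open(target) as f:
        restored = f.read()
    second = mon.check_and_restore()      # file is back to its trusted state
    shutil.rmtree(root)
    return first[0][1], restored, second[0][1]


if __name__ == "__main__":
    print(demo())
```

In practice the vault must itself be protected (read-only media, a separate host, or the same interception layer), otherwise an attacker who can alter the live file can alter the "trusted" copy too.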

A new open source product that deserves consideration is StJude for Linux (Solaris version in the works), named after the Patron Saint of Hopelessness and developed by Tim Lawless (http://sourceforge.net/projects/stjude). StJude wraps itself around the Linux kernel and intercepts system calls, comparing them to a defined rule base for execution permission. Initially, you run StJude in learning mode with its default rule base to see what actions do and do not trigger events. In learning mode, all events are recorded in /var/log/messages, but no action is taken. Once an appropriate rule set is defined and StJude is running in production mode, calls that trigger a rule terminate the event and can launch Administrator-defined applications. StJude is still in its infancy, but it promises to become a true intrusion resistant solution that in no way relies on a database of attack signatures.
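The system-call interception model described above (approved calls pass, forbidden calls are denied, undefined calls get a judgment) and the learning-then-production workflow described for StJude, as one added example that is neither StJude's nor any vendor's code: a hypothetical rule engine judges each intercepted call against an ordered rule base; in learning mode it only logs and collects the calls no rule covered, and in production mode it enforces, applies a configurable default to undefined calls, and runs an Administrator-defined hook on every denial. The `httpd` events, paths and rules are constructed sample data.

```python
from collections import namedtuple

# Hypothetical model of an intrusion resistant agent's rule engine, illustrating
# the article's description of entercept and StJude. Not any product's code.

Event = namedtuple("Event", "pid comm syscall target")
ALLOW, DENY, UNDEFINED = "allow", "deny", "undefined"


class RuleBase:
    """Ordered rules of (syscall, target prefix, disposition); first match wins.
    Calls that match no rule are UNDEFINED and left to the interceptor to judge."""

    def __init__(self, rules):
        self.rules = list(rules)

    def judge(self, ev):
        for syscall, prefix, disposition in self.rules:
            if ev.syscall == syscall and ev.target.startswith(prefix):
                return disposition
        return UNDEFINED


class Interceptor:
    def __init__(self, rulebase, mode="learning", undefined_default=DENY, on_deny=None):
        self.rulebase = rulebase
        self.mode = mode                            # "learning" or "production"
        self.undefined_default = undefined_default  # judgment for unlisted calls in production
        self.on_deny = on_deny                      # Administrator-defined action on denial
        self.log = []                               # stands in for /var/log/messages
        self.unseen = set()                         # (syscall, target) no rule covered while learning

    def handle(self, ev):
        """Return True if the intercepted call is permitted to proceed."""
        disposition = self.rulebase.judge(ev)
        entry = f"{ev.comm}[{ev.pid}] {ev.syscall} {ev.target} -> {disposition}"
        if self.mode == "learning":
            # Record everything, take no action.
            self.log.append("learning: " + entry)
            if disposition == UNDEFINED:
                self.unseen.add((ev.syscall, ev.target))
            return True
        if disposition == UNDEFINED:
            disposition = self.undefined_default
        if disposition == ALLOW:
            self.log.append("allowed: " + entry)
            return True
        self.log.append("denied: " + entry)
        if self.on_deny is not None:
            self.on_deny(ev)
        return False


def demo():
    """Learning pass with the default rules, then enforcement with a refined rule base."""
    # Constructed sample of calls attributed to a web server process.
    events = [
        Event(1234, "httpd", "open", "/var/www/html/index.html"),
        Event(1234, "httpd", "execve", "/bin/sh"),
        Event(1234, "httpd", "open", "/etc/shadow"),
    ]
    base_rules = [("open", "/var/www/", ALLOW), ("execve", "/bin/", DENY)]

    # Pass 1: learning mode. Nothing is blocked; undefined calls are collected for review.
    learner = Interceptor(RuleBase(base_rules), mode="learning")
    learning_results = [learner.handle(ev) for ev in events]

    # The Administrator reviews learner.unseen and extends the rule base.
    refined = base_rules + [("open", "/etc/", DENY)]
    hook_calls = []
    prod = Interceptor(RuleBase(refined), mode="production", on_deny=hook_calls.append)
    production_results = [prod.handle(ev) for ev in events]
    return learning_results, sorted(learner.unseen), production_results, len(hook_calls)


if __name__ == "__main__":
    print(demo())
```

The default of denying undefined calls in production is what makes the approach independent of attack signatures: a call the rule base never anticipated is refused rather than waved through, at the cost of a learning phase thorough enough to cover the system's legitimate behaviour.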

Intrusion resistance is an emerging technology with various groups looking into the issue, including the US government. The government is looking to ultimately develop intrusion resistant systems that continue "to function correctly and provide the intended user services in a timely manner, even in the face of an information attack." The main focus will be to develop a solution that will "maintain integrity in the face of intrusions and malicious faults" as well as "counter denial of service attacks and maintain high system availability." Intrusion resistant solutions are the first step toward that goal. To find more information about the government's project, visit http://www.darpa.mil/iso/ITS/BAA0015PIP.html.

With so much research and development being focused on this area, I am interested to see what new approaches and technologies are developed. I see the next step being the development of more advanced recognition engines and the ability to provide more real-time analysis and system modification performed on an as needed basis. The ultimate, though slightly unrealistic, goal, of course, is to have a system that continually fixes itself with no Administrator intervention.


© 1999 - 2006 Core Competence & Mactivity, Inc.