Internet.com ISP-Planet
Security Tools for the Budget Conscious ISP —continued

by Lisa Phifer
VP Core Competence, Inc.
[January 23, 2004]

Traffic Analysis and Intrusion Detection
It's pretty hard to spot (much less stop) an attack if you don't know what's happening in your network and on your servers. Noticing a new traffic pattern or unusual server activity requires tools that enable observation and create a baseline for comparison.

Network Traffic Analysis tools include traffic capture utilities, protocol parsers, trend analyzers, and expert analysis engines that recognize badly-formed packets and common attack signatures (e.g., WinNuke, Teardrop, Land). Most ISPs use traffic analyzers for connection troubleshooting, applying filters to examine packets involving specific sources, destinations, protocols, etc. But traffic analyzers can also be a valuable part of your security toolkit, feeding intrusion detection systems (below) and helping you to investigate possible attacks.

Network Intrusion Detection Systems (NIDS) sit on your network, continuously monitoring passing traffic. NIDS watch for and alert you to policy deviations (e.g., protocols that don't belong on your network), changes in behavior (e.g., sudden surge in off-hours traffic), and defined attacks (e.g., TCP SYN floods, port scans). NIDS can be passive or in-line, with varying levels of event correlation and root cause analysis.
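As an added illustration (not code from the article or from any NIDS product), the following script applies three of the checks described above to constructed packet summaries: a badly-formed Land-style packet whose source and destination are identical, a burst of bare SYNs from one source (the TCP SYN flood pattern), and one source touching many ports on a single host (a port scan). The packet tuples, addresses and thresholds are invented for the example.

```python
from collections import defaultdict

# Constructed packet summaries for this example (not real captures):
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (0.0, "192.0.2.4", 40000, "198.51.100.10", 80, "S"),    # normal handshake
    (0.1, "198.51.100.10", 80, "192.0.2.4", 40000, "SA"),
    (0.2, "192.0.2.4", 40000, "198.51.100.10", 80, "A"),
    (0.3, "198.51.100.10", 139, "198.51.100.10", 139, "S"),  # Land-style: src == dst
]
# A burst of 60 bare SYNs from one source within half a second (SYN flood pattern)
PACKETS += [(1.0 + i * 0.008, "192.0.2.7", 50000 + i, "198.51.100.10", 80, "S") for i in range(60)]
# One source probing 25 different ports on one host (port scan pattern)
PACKETS += [(2.0 + i * 0.05, "192.0.2.9", 41000, "198.51.100.10", p, "S") for i, p in enumerate(range(20, 45))]


def land_packets(packets):
    """Malformed packets whose source and destination address:port are identical."""
    return [p for p in packets if p[1] == p[3] and p[2] == p[4]]


def syn_flood_sources(packets, window=1.0, threshold=50):
    """(src, dst) pairs sending more than `threshold` bare SYNs inside one `window`-second bucket."""
    counts = defaultdict(int)
    for ts, src, _sp, dst, _dp, flags in packets:
        if flags == "S":                      # SYN only, no ACK: a new connection attempt
            counts[(src, dst, int(ts // window))] += 1
    return sorted({(src, dst) for (src, dst, _b), n in counts.items() if n > threshold})


def port_scanners(packets, min_ports=10):
    """Sources touching at least `min_ports` distinct destination ports on a single host."""
    ports = defaultdict(set)
    for _ts, src, _sp, dst, dp, _flags in packets:
        ports[(src, dst)].add(dp)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    print("land packets:", land_packets(PACKETS))
    print("syn flood sources:", syn_flood_sources(PACKETS))
    print("port scanners:", port_scanners(PACKETS))
```

Real sensors tune the window and thresholds to the link's baseline; the fixed values here are only for the constructed data.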

Host Intrusion Detection Systems (HIDS) run on your servers and other critical systems, continuously monitoring local program, file, and user activity. A HIDS can often alert you to unusual behavior (e.g., a surge in "su root" events), security policy violations (e.g., log reset), and defined attacks (e.g., using a remote access trojan). Some can also help you maintain system integrity by flagging (or, in some cases, preventing) unexpected changes to critical files.
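The two HIDS behaviours named above, a surge in "su root" events and unexpected changes to critical files, as an added example that is not part of the article or of any HIDS product. The syslog-style lines, host name, user names and file contents are constructed; a real agent would read the auth log and the files from disk rather than from in-memory strings.

```python
import hashlib
import re
from collections import deque

# Constructed syslog-style lines for this example (not from any real host).
AUTH_LOG = """\
Jan 23 02:10:01 web1 su: (to root) bob on /dev/pts/1
Jan 23 02:10:09 web1 su: (to root) bob on /dev/pts/1
Jan 23 02:10:15 web1 sshd[311]: Accepted publickey for alice from 192.0.2.4 port 40022 ssh2
Jan 23 02:10:20 web1 su: (to root) bob on /dev/pts/1
Jan 23 02:10:31 web1 su: (to root) bob on /dev/pts/1
Jan 23 02:10:44 web1 su: (to root) bob on /dev/pts/1
Jan 23 03:05:02 web1 su: (to root) alice on /dev/pts/2
"""
SU_ROOT = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ su: \(to root\) (\S+)")


def su_root_bursts(log, window_s=60, threshold=5):
    """Users with at least `threshold` 'su root' events inside any `window_s`-second span."""
    recent, flagged = {}, set()
    for line in log.splitlines():
        m = SU_ROOT.match(line)
        if not m:
            continue
        hh, mm, ss, user = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)   # seconds since midnight (single day assumed)
        q = recent.setdefault(user, deque())
        q.append(t)
        while t - q[0] > window_s:                      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return sorted(flagged)


def baseline(files):
    """SHA-256 of each critical file's content: the known-good state to compare against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(known, files):
    """Paths whose hash differs from the baseline, including files that vanished or appeared."""
    now = baseline(files)
    return sorted(p for p in set(known) | set(now) if known.get(p) != now.get(p))


# Constructed stand-ins for real files: {path: content}; a real HIDS would read from disk.
CRITICAL = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
```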

Incident Response and Forensics
Ok, so you've spotted an attack in progress, or an attack after the fact. What do you do about it? In principle, every network operator should have an incident response plan to guide them through this process. In practice, many don't. Taking unplanned actions might just save the day—or they might make matters worse by increasing the attack's impact or destroying evidence.

Although tools will never take the place of careful advance planning, getting familiar with forensics tools can be a useful first step. Forensics refers to a rigorous, formalized investigation of events leading up to an attack for the purpose of identifying, tracking down, and (perhaps) prosecuting the individual(s) responsible.

System Forensics tools can help you create a backup of the compromised system and conduct an investigation in a non-intrusive manner. Like a medical autopsy, a system autopsy is designed to identify the culprit and his or her actions in a fashion that preserves evidence and offers a foundation for legal action, should that be necessary.

Network Forensics tools have a similar business objective, but do their job by continuously capturing and analyzing network traffic to enable later investigation. Some tools simply capture and record all traffic onto very large storage devices so that it is available for analysis after an attack. Other tools continuously perform basic analysis, storing only summary data for detailed analysis after an attack.
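The "store only summary data" approach just described, as an added example (not code from the article or from any forensics product): packets are collapsed into per-connection flow records that are far smaller than a full capture, and an investigator later asks which flows touched a host during the window of interest. The packet records and addresses are constructed.

```python
# Constructed packet records for this example (not real traffic):
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, payload_bytes)
PACKETS = [
    (100.0, "192.0.2.4", 40000, "198.51.100.10", 80, 0),
    (100.1, "198.51.100.10", 80, "192.0.2.4", 40000, 0),
    (100.3, "192.0.2.4", 40000, "198.51.100.10", 80, 512),
    (101.0, "198.51.100.10", 80, "192.0.2.4", 40000, 4096),
    (250.0, "192.0.2.9", 41000, "198.51.100.10", 22, 64),
    (251.5, "192.0.2.9", 41000, "198.51.100.10", 22, 64),
]


def summarize_flows(packets):
    """Collapse packets into one record per (src, sport, dst, dport): first/last seen, packets, bytes."""
    flows = {}
    for ts, src, sp, dst, dp, size in packets:
        f = flows.setdefault((src, sp, dst, dp), {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["packets"] += 1
        f["bytes"] += size
    return flows


def flows_involving(flows, host, start, end):
    """Later investigation: flows that touched `host` and were active at any point between start and end."""
    return sorted(key for key, f in flows.items()
                  if host in (key[0], key[2]) and f["first"] <= end and f["last"] >= start)


if __name__ == "__main__":
    summary = summarize_flows(PACKETS)
    for key, f in summary.items():
        print(key, f)
    print("touched 198.51.100.10 between t=200 and t=300:", flows_involving(summary, "198.51.100.10", 200, 300))
```

Summaries like these answer "who talked to whom, when, and how much" after the fact, but not "what was said"; only a full capture can reconstruct payloads.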

Although the Electronic Communications Privacy Act prohibits eavesdropping on user traffic without permission, limited monitoring is allowed for the purposes of network operation. Because Network Forensics tools record traffic continuously, ISPs that use these tools should probably include user consent in service contracts.

Conclusion
We hope this article gives you a feel for many different kinds of security tools and how these differ from one another. In the next part of this article, we'll identify several commercial, open source, and ready-to-use shareware tools in each category. We'll take a closer look at a few popular free tools to help you better understand what they do and how they can help you. In the meantime, we'll leave you with a few popular security tool lists so that you can do your own digging.

Security tool lists:
  Anti-Hacker Toolkit
  CERIAS Hotlist Tools
  CERT Coordination Center Tools
  Security Focus Tools
  Security Wizards Must-Have Tools
  SourceForge Security Projects


Related articles:
  [June 6, 2003] Survey of Managed Security Service Providers: Other Services, and Our Conclusion
  [Jan. 27, 2003] Know Your Enemy
  [Dec. 24, 2001] White Paper: Intrusion Detection: Reducing Network Security Risk

Security Tools for the Budget Conscious ISP, Part I: Conclusion

Also in this series:
  [Jan. 3-, 2004] Security Tools for the Budget Conscious ISP, Part II: Vulnerability Assessment and Audit
  [Jan. 23, 2004] Security Tools for the Budget Conscious ISP, Part III: Analysis and Forensics
