Intrusion detection systems

2011-03-02

in Bombs and rockets, Geek stuff, Internet matters, Rants, Security

One side of computer security is keeping people from getting unauthorized access: choosing good passwords, patching software to protect against known exploits, etc. But when you reach a more advanced level than that, intrusion detection systems (IDS) become an important way of detecting and mitigating attacks. These systems monitor the functioning of a computer system or account and produce some sort of alert if suspicious activity is ongoing.

For example, GMail includes a rudimentary IDS. It allows users to check whether anyone is logged into their account from another location. If you check the list and see only your home IP address and your phone, everything is probably fine. If some random IP address from Berlin or Mumbai or Tokyo is on there, someone has probably compromised your account.

IDS can be much more sophisticated than this. While GMail calls upon the user to keep an eye on things manually, automated systems can flag suspicious activity and produce warnings. A classic example would be a computer in a distant country accessing your GMail via POP3 and starting to download the entire contents of your archive. That is super suspicious and – if you are someone like Sarah Palin – potentially career-ending.

The same goes, naturally, for a situation where some random army private starts accessing and downloading thousands of diplomatic cables. Say what you will about the ethics of Wikileaks, but from a computer security perspective there should have been an IDS that spotted that aberrant pattern.

Attackers always get more sophisticated and their attacks always improve. As a consequence, those who want to defend computer systems must keep raising their own game by implementing sophisticated security strategies. Deploying IDS both on personal computers and within cloud services like GMail is one way in which people can become aware of breaches in time to stop them from becoming too severe. It’s never comfortable to learn that you are dealing with an intruder, but it is much better to have that awareness than to continue blindly forward while they persist in nefarious activities.

P.S. Does anyone know of a good IDS for Macs? Given how many people are on always-on internet connections these days, and given that all operating systems have security flaws that take time to fix, operating an IDS on one’s personal computer is probably a good security trade-off. Indeed, I am planning to set up a second system unconnected to the internet, next time I buy a new desktop machine. It is axiomatic that any computer connected to the internet is vulnerable.

Report a typo or inaccuracy

{ 7 comments… read them below or add one }

Matt March 2, 2011 at 12:04 pm

That is super suspicious and – if you are someone like Sarah Palin – potentially career-ending.

It is surprising to me what hasn’t ended Sarah Palin’s career.

Indeed, I am planning to set up a second system unconnected to the internet, next time I buy a new desktop machine.

In a modern context, what good is a computer that isn’t hooked up to the internet? I’ve had continuous access to a computer since 1984, and I remember in 1991-1992 discovering BBSes (such as Vancouver’s dial-a-file and EdNet run by the school board). Computers became much more interesting when connected to other computers.

Milan March 2, 2011 at 1:36 pm

It would be an air gap system, intended for secure storage. It would not be much fun.

Ideally, it would be physically incapable of going online.

BuddyRich March 2, 2011 at 10:38 pm

Plenty of computers should not be on the ‘net. Ie. most of the computers that run the power grid.

Really if there is no net benefit for a system for being on the net, why put it on there? Many systems, while run on PC or Unix hardware are really dumb machines whose sole pupose is to run a specific app. Unless internet access is paramount to the function of that app, it is best it is not put on the net (a LAN might be another story)

I have a Linux XBMC HTPC that is on my local LAN but is not on the net. No need for it to be so, so its not.

As for OSX, you’ll want more than an IDS but the only freely available IDS utility is Snort though it is a bit complex to learn (and setup, you have to compile it from source for the latest version, though I think an older precompiled macports version is available, but it is not the latest). In effect its not just the application itself but a lot like an MAMP stack as it leverages a mysql database and a few other OSS packages to function so the install can be time consuming since there are base dmg packages to install via command line.

In addition to a good IDS, a good firewall is essential. Leopard and Snow Leopard included an application firewall but you can’t beat ipfw scripts, which is still included AND takes precedence over the appfirwall. You can edit ipfw via hand, but there are a few good frontends (I recommend WaterRoof).

Milan March 3, 2011 at 12:08 am

That sounds really complicated, and way over my head.

This is why I think having an isolated computer to store sensitive files makes sense – so I don’t need to worry as much about the ever-changing details of computer security.

If it is in a controlled space, disconnected from all networks, and has an encrypted hard drive, it seems like it would be reasonably secure. Certainly more so than my iMac, which is connected to an ADSL line via WiFi (WPA2 encrypted).

. April 14, 2011 at 9:21 pm

As a result, cyber-security analysts say advanced persistent threats are often only identified after they penetrate computer networks and begin to send stolen data to the computer responsible for managing the attack. “You have to look for the ‘phone home,’” says Roger Nebel, managing director for cyber-security at Defense Group Inc., a consulting firm in Washington, DC.

It was evidence of malicious code phoning home to a control server – a computer that supervises the actions of code inside other computers – that provided confirmation to U.S. cyber-sleuths that Chinese hackers were behind Byzantine Hades attacks, according to the April 2009 State Department cable.

. May 22, 2012 at 10:17 am
. May 24, 2014 at 12:15 pm

Bro (software)
From Wikipedia, the free encyclopedia

Originally written by Vern Paxson, Bro is an open source Unix based network monitoring framework. Often compared to a Network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more. Bro can also be used for collecting network measurements, conducting forensic investigations, traffic base lining and more. Bro has been compared to tcpdump, Snort, netflow, and Perl (or any other scripting language) all in one. It is released under the BSD license.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: