Anomaly based intrusion detection is inherently subject to false alarms. Fast and automated intrusion response based on this type of intrusion detection will cause significant usage restrictions for falsely suspected systems. To avoid these negative effects without sacrificing detection sensitivity or inadequately increasing the risk for the production network, we propose a scheme combining anomaly-based IDS with Honeynet concepts and link layer based VLANs. In addition to introducing the concept, we describe a proof-of-concept implementation and report results from lab tests confirming the benefits of this approach.

I. INTRODUCTION

Over the last few years mobile computing and wireless access have significantly changed the situation in corporate networks. While some years ago the single entry point, i.e. the router attaching the network to the public internet, could be appropriately secured by firewalls, nowadays there are multiple, often hard to control entry points to the LAN. Moreover, internet worms and viruses [3] have "learned" to spread over networks within a few minutes. If notebooks, tablet PCs, handhelds and smartphones are used in non-secured areas, e.g. in home networks or in public networks on the road, their security cannot be fully controlled by the corporate system administrator. When exposed to the internet without tight protection, these systems can be infected with worms within a couple of minutes [4] [5]. Attaching an infected device to the corporate network can cause rapid spreading of the worm inside the LAN. Therefore, the application of Intrusion Detection Systems (IDS) [1] and Intrusion Response Systems (IRS) in addition to classical firewalls has become more and more crucial.

IDSs are by definition passive systems. Their task is alarm generation rather than system protection by data filtering or by repairing the file system. Hence, human intervention is required to reinstate network integrity. IDSs either use rule based detection approaches (misuse detection) or they try to detect deviations from normal operation, also known as "anomaly detection" [6]. While the first approach only detects well known attacks based on predefined signatures, the latter is also able to detect previously unknown attack patterns based on deviations from "normal" system and network behavior. However, as "normal" behavior is not fully defined – and may change dynamically – false alarms (false positives) are generated at a certain, sometimes significant, rate. This limits the usefulness of active, automated Intrusion Response Systems trying to protect the network by e.g. shutting down suspicious processes or disabling network connections on affected systems. In case of a false positive, IRSs will cause "collateral damage" by impairing or even deactivating "innocent" hosts. For example, the peer-to-peer based voice-over-IP software Skype [see http://www.skype.com] performs regular peer lookups by scanning IP addresses. An IDS will typically rate this as viral or worm-like behavior unless there is a specific rule set for Skype. Therefore, a tightly configured IRS would deactivate this communication or even disconnect the offending system from the network.

To avoid these negative effects without sacrificing detection sensitivity, we propose to combine intrusion detection and response with mechanisms known from Honeynets [4]. In our approach, suspicious systems are not disconnected completely but automatically quarantined in a special network section – which basically is a Honeynet – by using VLAN technology. There they can be observed in a controlled environment before a final decision is made. During quarantine, the suspicious systems are allowed some limited, tightly controlled access to the production network. By defining the allowed level of access to the network, the restrictions for falsely suspected systems can be balanced against the risk generated for the network by quarantined systems. Our proposed solution thus offers a differentiated defense against rapid worm propagation inside local networks.

In section II of this paper, this concept is introduced in more detail. Section III presents a first prototype implementation which demonstrates the feasibility of the concept, while section IV provides first results from lab tests and measurements.

II. THE HONEYNET QUARANTINE

Typical production networks are not protected by sophisticated HIDS installed on every workstation attached to them – due to the effort that has to be spent and the expertise that is required – and therefore intrusions on these end systems will not be detected at first. As a consequence, autonomous malware may spread without control if a mobile, infected system is reconnected to the production
A filter logic within the monitoring system now defines how the packets are forwarded in a user-friendly, but protective manner:

- All 3 network partitions belong to a common bridge.
- Traffic originating from the suspicious system that has been classified as harmless based on predefined rules is allowed back into the production network.
- All other (potentially dangerous) traffic generated by the suspicious system is diverted to the Honeynet.
- Traffic from both production network and Honeynet destined to the suspicious system is delivered there.
- All traffic between the production network and the Honeynet is blocked.

In such a scenario, a basic service can be provided to the isolated system during the quarantine period. The potential risk for the production network emanating from the applications classified as harmless can be further minimized by using a local Intrusion Prevention System, e.g. snort_inline [15]. With this extension, Snort can modify the monitored traffic in such a way that specific attack patterns are normalized (footnote 3).

F. Quarantine investigation

The quarantine VLAN is, through the rules described above, directly connected to the Honeynet, where the Honeypots represent typical systems similar to those found in the production network. This reflects the actual threat level for the production network.

Due to their HIDS sensors, which can safely report almost any activity going beyond the usual internal system maintenance as an intrusion, the Honeypots are able to verify the intrusion of the suspicious system quickly and reliably (as it is the only possible source of an attack) and will report it to the central monitoring system. It is crucial for the effectiveness of the overall concept that the HIDS operates with low latency, i.e. rather than only performing periodic checks of MD5 checksums [8], tighter monitoring of local process activity, disk and (system) file access is necessary. These techniques provide the

Footnote 3: This makes sense especially if email is still allowed, to avoid spreading of viruses that use this as transport mechanism.

III. PROTOTYPE IMPLEMENTATION

Whereas the conceptual approach is quite straightforward, the technical details are more complicated, as first lab trials demonstrate. In order to show the feasibility of the ideas outlined above, we set up a small test scenario. There, we attached a first prototype of our monitoring system and conducted several tests that demonstrate that the basic functionality is available and also yielded measurements on the performance of the solution. We used Cisco switch equipment to provide the link layer network infrastructure, Windows XP systems for the clients and a Linux system as central monitoring and investigation system for IDS, rapid isolation and Honeynet quarantine. As illustrated by Figure 1, the production Ethernet network is in VLAN 2 (footnote 4), whereas the quarantine VLAN has been given the ID 3.

[Fig. 1: User-friendly system isolation and intrusion investigation by Honeypot exposure – topological view. Elements shown: the suspicious system in the quarantine VLAN (VLAN 3), the network monitor & investigation system (bridge) attached over a trunk, the production network (VLAN 2) attached over a trunk, and the VMware honeypot.]

The switches were configured such that trunk ports use 802.1q VLAN tagging. The monitoring system was also attached to a trunk port, where we set up two pseudo-interfaces, one belonging to VLAN 2 (eth0.2), the other to VLAN 3 (eth0.3). Under normal operation, VLAN 3 is rather inactive as the only system participating in this VLAN is the monitoring system itself.

Footnote 4: The reason to use VLAN id 2 instead of the default VLAN (untagged) is that Linux is not able to bridge between a non-VLAN interface and a VLAN pseudo-interface if it has the non-VLAN interface as physical parent.
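The five forwarding rules of the filter logic in section II, worked through as an added example (this is not the paper's or the prototype's code): a small policy function over frames entering the common bridge. The MAC-to-partition table, the "harmless" rule set and the handling of unknown stations are constructed assumptions of this example.

```python
# Added example, not code from the paper: a model of the monitoring system's
# filter logic for the three bridged partitions listed in section II.
from dataclasses import dataclass

PRODUCTION, QUARANTINE, HONEYNET = "production", "quarantine", "honeynet"

# Constructed MAC -> partition table; in the prototype the quarantined station
# is the one Snort/Spade flagged and the switch moved into VLAN 3.
MEMBERSHIP = {
    "00:11:22:33:44:01": PRODUCTION,  # mail server
    "00:11:22:33:44:02": PRODUCTION,  # workstation
    "00:11:22:33:44:10": QUARANTINE,  # suspicious system
    "00:11:22:33:44:20": HONEYNET,    # VMware honeypot
}

# Constructed "harmless" rules as (protocol, destination port, destination MAC
# or None for any host): SMTP to the mail server only, DNS to any host.
HARMLESS = {("tcp", 25, "00:11:22:33:44:01"), ("udp", 53, None)}

@dataclass(frozen=True)
class Frame:
    src: str    # source MAC
    dst: str    # destination MAC
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

def is_harmless(frame):
    return any(p == frame.proto and port == frame.dport and d in (None, frame.dst)
               for p, port, d in HARMLESS)

def decide(frame):
    """Return (action, target partition) for a frame entering the common bridge."""
    src, dst = MEMBERSHIP.get(frame.src), MEMBERSHIP.get(frame.dst)
    if src is None or dst is None:
        return ("drop", None)            # assumption: unknown stations are never forwarded
    if src == dst:
        return ("forward", dst)          # traffic inside one partition is left alone
    if src == QUARANTINE:
        if dst == HONEYNET:
            return ("forward", HONEYNET)
        if is_harmless(frame):
            return ("forward", PRODUCTION)   # classified harmless: back into production
        return ("divert", HONEYNET)          # potentially dangerous: exposed to the honeypots
    if dst == QUARANTINE:
        return ("forward", QUARANTINE)   # replies from either side reach the suspect
    return ("drop", None)                # production <-> honeynet is always blocked
```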
eth0.2 → snort → sysklogd → /hq/snortreport → honidsctl

B. Arpwatch combination with SNMP

We used the program arpwatch to detect newly activated systems within the network [20]. When arpwatch sees a new station, we call a script "mac2port" (this is done by using the "-s" switch available in the Debian version of arpwatch) that then automatically extracts the attachment point, i.e. the port to which the new system has been attached, by use of SNMP requests to all switches (footnote 6). At worst we have to issue three requests and wait for three responses for all switches in the network to obtain a valid result. We then save the information <MAC-Addr>:<Switch-IP>:<ifIndex> in a file with the IP address of the system as filename for later use by the isolation/rehabilitation function (footnote 7):

eth0.2 → arpwatch → mac2port → /hq/<ipaddr>

C. Isolation/rehabilitation control with SNMP

When Snort/Spade flags a suspicious system, our control procedure can thus look up the switch and the port of the offender and move the system into the quarantine VLAN by sending an SNMPv3 "set" request to the switch which contains vmVlan.<ifIndex> as OID and the new VLAN id "3" as value. A second message has to ensure that the corresponding MAC address is cleared from the internal

The control program will then, with similar SNMP messages as used for isolation, move the port back into VLAN 2. A third named pipe, called "guilty", will inform the control program to shut down the offending system in case of a confirmed compromise – it is used by the HIDS observing the Honeypot (see below):

grep → /hq/guilty → honidsctl → snmpset
                    ↓
              VMware reboot

D. VMware-based Honeypot and HIDS setup

Whereas a full-fledged, non-virtualized Honeynet may have its benefits, we decided to use a simple VMware Honeypot for our prototype which had the same Windows XP version installed as our production clients. Besides simplicity, VMware and User-mode Linux provide efficient ways to re-initialize Honeypots after they have been compromised, which was of more importance than forensic investigations of the inner workings of a caught virus. We thus used VMware's methods to make the working disk of the guest system non-persistent, which means that changes to the disk image made by the guest operating system will not be written to the original file but to a so-called REDO file. This not only provided us with a mechanism to clean a compromised Honeypot very easily (by simply rebooting it from the original, write-protected image file), it also made finding unauthorized file access much faster because only the REDO file had to be investigated for filesystem changes. In order to accomplish this, we had to install the Windows XP that serves as the guest system into a FAT32 filesystem because the NTFS filesystem is not very suitable for finding differences. In fact, VMware writes single sectors that have been changed by the guest to the REDO file, thus it contains not a filesystem but only small parts of it. However, with FAT32 it is possible to observe the names of newly created files within the guest system. We

Footnote 5: One could also get a two-threshold Snort system by setting up two Snort/Spade processes with differing threshold configuration: if only one of them reports an incident, the "suspicious" area is flagged.

Footnote 6: This is accomplished by issuing three SNMPv3 requests obtaining OIDs from the Bridge- and Interface-MIBs: the dot1dTpFdbPort.<MAC-Addr> OID will contain the bridge port of the system with the observed MAC address; the corresponding ifIndex of the Interface-MIB can be mapped from dot1dBasePortIfIndex.<Bridge-Port>, and by reading vmVlan.<ifIndex> from Cisco's VLAN-MEMBERSHIP-MIB we can assess whether the found port is a trunk port (which is then not the attachment point, because the station itself will never be on a trunk).

Footnote 7: This procedure will have to be refined in the future as spoofing IP and MAC addresses by an attacker may currently result in huge file system bloat.

Footnote 8: Many switching products cannot handle the same MAC address in different VLANs because they don't maintain separate MAC address tables per VLAN. This has to be considered when building such a link layer based isolation system.
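The mac2port lookup of section B (the three OID reads of footnote 6, with the trunk check) and the vmVlan "set" of section C, as an added example that is not the prototype's own code. It runs against a constructed in-memory SNMP table in place of the real switches; the switch addresses, port numbers, ifIndex values and the station's MAC are constructed, and the rule "a port without a vmVlan instance is a trunk" is an assumption of this example, not a statement from the paper. The OID prefixes are those of BRIDGE-MIB and CISCO-VLAN-MEMBERSHIP-MIB.

```python
# Added example, not the paper's code: the mac2port lookup of section B and the
# vmVlan "set" of section C, run against a constructed in-memory SNMP table
# instead of real snmpget/snmpset calls to the switches.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # BRIDGE-MIB dot1dTpFdbPort.<MAC>
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex.<port>
VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"            # CISCO-VLAN-MEMBERSHIP-MIB vmVlan.<ifIndex>
QUARANTINE_VLAN, PRODUCTION_VLAN = 3, 2
MAC = "00:11:22:33:44:10"   # constructed address of the newly seen station

def mac_index(mac):
    """dot1dTpFdbPort is indexed by the six MAC octets written in decimal."""
    return ".".join(str(int(octet, 16)) for octet in mac.split(":"))

# Constructed agent tables {switch_ip: {oid: value}}: 10.0.0.1 only sees the MAC
# on its uplink (a trunk, hence no vmVlan instance), 10.0.0.2 on an access port.
SWITCHES = {
    "10.0.0.1": {f"{DOT1D_TP_FDB_PORT}.{mac_index(MAC)}": 24,
                 f"{DOT1D_BASE_PORT_IFINDEX}.24": 10124},
    "10.0.0.2": {f"{DOT1D_TP_FDB_PORT}.{mac_index(MAC)}": 7,
                 f"{DOT1D_BASE_PORT_IFINDEX}.7": 10107,
                 f"{VM_VLAN}.10107": PRODUCTION_VLAN},
}

def snmp_get(switch_ip, oid):
    """Stand-in for snmpget; None where the agent has no such instance."""
    return SWITCHES.get(switch_ip, {}).get(oid)

def mac2port(mac):
    """Three lookups per switch (footnote 6); a port without a vmVlan instance is
    taken to be a trunk (an assumption of this example) and skipped."""
    for switch_ip in SWITCHES:
        bridge_port = snmp_get(switch_ip, f"{DOT1D_TP_FDB_PORT}.{mac_index(mac)}")
        if bridge_port is None:
            continue                             # this switch has not learned the MAC
        if_index = snmp_get(switch_ip, f"{DOT1D_BASE_PORT_IFINDEX}.{bridge_port}")
        if snmp_get(switch_ip, f"{VM_VLAN}.{if_index}") is None:
            continue                             # trunk: the station sits behind another switch
        return f"{mac}:{switch_ip}:{if_index}"   # the record the paper files under /hq/<ipaddr>
    return None

def set_vlan(record, vlan_id):
    """Move the recorded port (3 = isolate, 2 = rehabilitate). Returns the
    snmpset argument list (user/auth options omitted) and applies it to the table."""
    _mac, switch_ip, if_index = record.rsplit(":", 2)
    oid = f"{VM_VLAN}.{if_index}"
    SWITCHES[switch_ip][oid] = vlan_id
    return ["snmpset", "-v", "3", switch_ip, oid, "i", str(vlan_id)]
```

The second message the paper mentions, clearing the stale MAC entry from the switch's table, is not modelled here.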