Chapter 5. Intrusion-Detection Systems

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

Image Explain how intrusion-detection systems work.

Image Implement strategies for preventing intrusion.

Image Identify and describe several popular intrusion-detection systems.

Image Define the term honey pot.

Image Identify and describe at least one honey pot implementation.

Introduction

Chapter 4 discussed several firewall solutions that have built-in Intrusion-Detection Systems (IDS). An IDS is designed to detect signs that someone is attempting to breach a system and to alert the system administrator that suspicious activity is taking place. This chapter analyzes how an IDS works and how to implement some specific IDS solutions.

IDS has become much more widely used in the last few years. An IDS inspects all inbound and outbound port activity on a machine/firewall/system and looks for patterns that might indicate an attempted break-in. For example, if the IDS finds that a series of ICMP packets were sent to each port in sequence from the same source IP address, this probably indicates that a system is being scanned by network-scanning software such as Cerberus (scanners are discussed at length in Chapter 12). Since this is often a prelude to an attempt to breach a system’s security, it can be very important to know that someone is performing preparatory steps to infiltrate a system. The IDS may also detect an abnormally large flow of packets from the same IP address, all in a brief period of time. This may indicate a DoS attack. In either case, these are situations the network administrator should be aware of and should take steps to prevent.

Understanding IDS Concepts

A full discussion of intrusion-detection systems, the subject of entire books, is beyond the scope of this section. However, this section provides an overview of IDS to explain how these systems work. There are six basic approaches to intrusion-detection and prevention. Some of these methods are implemented in various software packages, and others are simply strategies that an organization can employ to decrease the likelihood of a successful intrusion. The following paragraphs describe and examine each.

Let’s begin our discussion of intrusion-detection systems with a look at the concepts. How do IDSs work? Well to explore this, we must first review how networks function. After a packet has travelled from its source network to the destination network (being routed by its destination IP address) it finally arrives at the network segment on which the target is located. After it gets to that final segment, the MAC address is used to find the target. All the computers on that segment can see the packet, but because the destination MAC address does not match the MAC address of their network card, they ignore the packet.

At some point, enterprising individuals realized that if they simply chose not to ignore packets not destined for their network card, they could see all the traffic on the network segment. In other words, one could look at all the packets on that network segment. Thus the packet sniffer was born. After that it was just a matter of time before the idea came about of analyzing those packets for indications of an attack, thereby giving rise to intrusion-detection systems.

Preemptive Blocking

Preemptive blocking, sometimes called banishment vigilance, seeks to prevent intrusions before they occur. This is done by noting any danger signs of impending threats and then blocking the user or IP address from which these signs originate. Examples of this technique include attempting to detect the early foot printing stages of an impending intrusion, then blocking the IP or user that is the source of the foot printing activity. If you find that a particular IP address is the source of frequent port scans and other scans of your system, then you would block that IP address at the firewall.

This sort of intrusion-detection and avoidance can be quite complicated, and there is the potential of blocking a legitimate user by mistake. The complexity arises from distinguishing legitimate traffic from that indicative of an impending attack. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack. Usually, a software system will simply alert the administrator that suspicious activity has taken place. A human administrator will then make the decision whether or not to block the person. If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users. It should also be noted that nothing prevents the offending user from moving to a different machine to continue his or her attack. This sort of approach should only be one part of an overall intrusion-detection strategy and not the entire strategy.

Infiltration

Infiltration refers to proactive efforts on the part of the administrator or security specialist to acquire information from various illicit sources about potential threats. This is usually done to supplement vendor bug reports and security warnings. In other words, it is not a software or hardware implementation, but rather a process of infiltrating hacker/cracker online groups in order to keep tabs on what sort of vulnerabilities are currently being exploited by these groups and what systems are considered attractive targets.

This form of intrusion-detection has two main drawbacks. The first is that it is quite time-consuming, and most network administrators have a very full schedule. The second is that most IT professionals are not trained in gathering intelligence or doing detective work, so there is the very real possibility that the information gathered could be inaccurate or incomplete. This strategy should only be used in cases in which an extraordinary level of security is required. Furthermore, this cannot be the only method of intrusion-detection; it must be coupled with other methods.

Anomaly Detection

Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. This is what many people think of when they talk about intrusion-detection systems. The general process is simple: the system looks for any anomalous behavior. Any activity that does not match the pattern of normal user access is noted and logged. The software compares observed activity against expected normal usage profiles. Profiles are usually developed for specific users, groups of users, or applications. Any activity that does not match the definition of normal behavior is considered an anomaly and is logged. Sometimes we refer to this as ‘trace back’ detection or process. We are able to establish from where this packet was delivered. The specific ways in which an anomaly is detected include:

Image threshold monitoring

Image resource profiling

Image user/group work profiling

Image executable profiling

Threshold Monitoring

Threshold monitoring presets acceptable behavior levels and observes whether these levels are exceeded. This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data that user downloads. Thresholds provide a definition of acceptable behavior. Unfortunately, characterizing intrusive behavior solely by the threshold limits can be somewhat challenging. It is often quite difficult to establish proper threshold values or the proper time frames at which to check those threshold values. This can result in a high rate of false positives in which the system misidentifies normal usage as a probable attack.

Resource Profiling

Resource profiling measures system-wide use of resources and develops a historic usage profile. Looking at how a user normally utilizes system resources enables the system to identify usage levels that are outside normal parameters. Such abnormal readings can be indicative of illicit activity underway. However, it may be difficult to interpret the meaning of changes in overall system usage. An increase in usage might simply indicate something benign like increased workflow rather than an attempt to breach security.

User/Group Work Profiling

In user/group work profiling, the IDS maintains individual work profiles about users and groups. These users and groups are expected to adhere to these profiles. As the user changes his activities, his expected work profile is updated to reflect those changes. Some systems attempt to monitor the interaction of short-term versus long-term profiles. The short-term profiles capture recent changing work patterns, whereas the long term profiles provide a view of usage over an extended period of time. However it can be difficult to profile an irregular or dynamic user base. Profiles that are defined too broadly enable any activity to pass review, whereas profiles that are defined too narrowly may inhibit user work.

Executable Profiling

Executable profiling seeks to measure and monitor how programs use system resources with particular attention to those whose activity cannot always be traced to a specific originating user. For example, system services usually cannot be traced to a specific user launching them. Viruses, Trojan horses, worms, trapdoors, and other such software attacks are addressed by profiling how system objects such as files and printers are normally used not only by users, but also by other system subjects on the part of users. In most conventional systems, for example, any program, including a virus, inherits all of the privileges of the user executing the software. The software is not limited by the principle of least privilege to only those privileges needed to properly execute. This openness in the architecture permits viruses to surreptitiously change and infect totally unrelated parts of the system.

Executable profiling enables the IDS to identify activity that might indicate an attack. Once a potential danger is identified, the method of notifying the administrator, such as by network message or e-mail, is specific to the individual IDS.

Understanding and Implementing IDS Systems

Many vendors supply IDS systems, and each of these systems has its own strengths and weaknesses. Deciding which system is best for a particular environment depends on many factors including the network environment, security level required, budget constraints, and the skill level of the person who will be working directly with the IDS. This section discusses the most common IDS systems.

Snort

Snort is perhaps the most well known open-source IDS available. It is a software implementation installed on a server to monitor incoming traffic. It typically works with a host-based firewall in a system in which both the firewall software and Snort run on the same machine. Snort is available for Unix, Linux, Free BSD, and Windows. The software is free to download, and documentation is available at the Web site: www.snort.org/.


FYI: What Is Open Source?

Open source is a way of licensing software. It means that the software is freely distributable and contains the source code. This means that users can make copies, give them to friends, and even get a copy of the source code. Users can even modify the source code and then release their own version (though that release must also be open source).

The idea behind open source is to encourage users to examine the source code for a product and, if possible, to improve it. The belief is that through review and improvements by so many people, a product will reach a higher level of quality faster than commercial ones. There are a number of products available via open source licenses besides Snort, including products such as Open Office (www.openoffice.org), Linux (www.linux.org), and Gimp (www.gimp.org).

More details about open source software are available at www.opensource.org/docs/definition.php.


Snort works in one of three modes: sniffer, packet logger, and network intrusion-detection.

Sniffer

In packet sniffer mode, the console (shell or command prompt) displays a continuous stream of the contents of all packets coming across that machine. This can be a very useful tool for a network administrator. Finding out what traffic is traversing a network can be the best way to determine where potential problems lie. It is also a good way to check whether transmissions are encrypted.

Packet Logger

Packet logger mode is similar to sniffer mode. The difference is that the packet contents are written to a text file log rather than displayed in the console. This can be more useful for administrators who are scanning a large number of packets for specific items. Once the data is in a text file, users can scan for specific information using a word processor’s search capability.

Network Intrusion-Detection

In network intrusion-detection mode, Snort uses a heuristic approach to detecting anomalous traffic. This means it is rules-based and it learns from experience. A set of rules initially governs a process. Over time Snort combines what it finds with the settings to optimize performance. It then logs that traffic and can alert the network administrator. This mode requires the most configuration because the user can determine the rules she wishes to implement for the scanning of packets.

Snort works primarily from the command line (Shell in Unix/Linux, command prompt in Windows). Configuring Snort is mostly a matter of knowing the correct commands to enter and understanding their output. Anyone with even moderate experience with either Linux shell commands or DOS commands can quickly master the Snort configuration commands. Perhaps Snort’s greatest advantage is its price: It is a free download. For any organization to not be using some IDS is inexcusable when a free product is available. Snort is a good tool when used in conjunction with host-based firewalls or as an IDS on each server to provide additional security.

Cisco Intrusion-Detection

The Cisco brand is widely recognized and well respected in the networking profession. As with their firewalls and their routers, Cisco has several models of intrusion-detection, each with a different focus/purpose. We will focus our attention on two of those products, the Cisco IDS 4200 Series Sensors and Cisco Catalyst 6500 Series Intrusion-Detection System (IDSM-2) Services Module. Information about all Cisco IDS solutions is available at: www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml.

Cisco IDS 4200 Series Sensors

These devices are a bit different from what many people think of as IDS. Rather than being deployed at the perimeter in conjunction with a main firewall, the product is deployed anywhere in the network. That means that it can be used with the perimeter firewall or between any two subnets on a network. It utilizes heuristic methods and anomaly detection to detect potential attacks.

The purpose of these sensors is to provide protection within the network. Most IDS are designed with the perimeter of the network in mind. Having IDS inside the network provides a much more robust defense. Recall from Chapter 1 that a layered defense is always preferred over a perimeter defense. However, many organizations simply cannot afford to place sensors on every subnetwork, and this level of protection is beyond the needs of most organizations. Figure 5.1 shows an example of the deployment of such sensors.

Figure showing Cisco sensor deployment. There are two Cisco IDS sensors in this figure - one immediately after the firewall, and another after the router before a set of servers.

FIGURE 5.1 Cisco sensor deployment.

It must be stressed that the configuration shown in Figure 5.1 is only one possible deployment. The sensors can be placed anywhere on a network.

These sensors also protect the communication between the administration software and the sensor itself. All communication with the sensor is secured either with SSH (Secure Shell, a protocol for securely logging into a remote Unix or Linux machine) or IPSec (Internet Protocol Security, a protocol used with Virtual Private Networks). Both technologies are discussed at some length in Chapter 6.

Perhaps the most interesting feature of the IDS 4200 is that when a sensor is set to monitor the firewall, it monitors for any change in the firewall policy or access control list (ACL). This is particularly important because a more talented hacker may attempt to compromise the firewall, thus making further incursions into the network much easier.


FYI: ACL

An Access Control List defines which users can access a device as well as which ports can be used for communication. Firewalls and routers use ACLs to determine who has what rights on that device. They also define what ports should be open for communication and which ones are blocked. If skilled hackers gain initial entry into a system, they will attempt to modify the ACL to allow them to re-enter with less difficulty in the future.


You can monitor the sensors through a relatively user-friendly Web interface. You can also configure them to send alerts about potential threats via many different methods, such as through an e-mail or pop up alert.

Cisco Catalyst 6500 Series Intrusion-Detection System (IDSM-2) Services Module

This product is a rack-mounted hardware module that plugs into the network and monitors packets. Figure 5.2 shows this model.

Photo of the Cisco Catalyst 6500 IDS.

FIGURE 5.2 The Cisco Catalyst 6500 IDS.

The hardware uses Red Hat Linux as its operating system. This IDS solution monitors packets and logs anomalous activity. It also can be configured to alert the system administrator that some anomaly has occurred. This device is a traditional IDS designed to be used as part of a complete Cisco security solution, but it can certainly be used in conjunction with non-Cisco products.

One of the chief benefits of using Cisco security products is their widespread use across the industry and the availability of good training. The fact that so many organizations use Cisco indicates a high level of successful field testing, which generally indicates a reliable product. Cisco also sponsors a range of certifications on its products, making it easier to determine whether someone is qualified on a particular Cisco product.

Understanding and Implementing Honey Pots

A honey pot is a single machine set up to simulate a valuable server or even an entire subnetwork. The idea is to make the honey pot so attractive that if a hacker breaches the network’s security, she or he will be attracted to the honey pot rather than to the real system. Software can closely monitor everything that happens on that system, enabling tracking and perhaps identification of the intruder.

The underlying premise of the honey pot is that any traffic to the honey pot machine is considered suspicious. Because the honey pot is not a real machine, no legitimate users should have a reason to connect to it. Therefore, anyone attempting to connect to that machine can be considered a possible intruder. The honey pot system can entice him to stay connected long enough to trace where he is connecting from. Figure 5.3 illustrates the honey pot concept.

Figure illustrating the honeypot concept. Both the honeypot and the real network are behind the firewall.

FIGURE 5.3 Honey pots.

Specter

Specter is a software honey pot solution. Complete product information is available at www.specter.com. The Specter honey pot is comprised of a dedicated PC with the Specter software running on it. The Specter software can emulate the major Internet protocols/services such as HTTP, FTP, POP3, SMTP, and others, thus appearing to be a fully functioning server. The software runs on Windows 2000 or XP, but can simulate AIX, Solaris, Unix, Linux, Mac, and Mac OS X. Figure 5.4 shows the primary configuration window for Specter.

Screenshot of the Specter configuration window.

FIGURE 5.4 The Specter configuration window.

Specter works by appearing to run a number of services common to network servers. In fact in addition to simulating multiple operating systems, it can also simulate the following services:

Image SMTP

Image FTP

Image TELNET

Image FINGER

Image POP3

Image IMAP4

Image HTTP

Image SSH

Image DNS

Image SUN-RPC

Image NETBUS

Image SUB-7

Image BO2K

Image GENERIC TRAP

Even though Specter appears to be running these servers, it is actually just monitoring all incoming traffic. Because it is not a real server for your network, no legitimate user should be connecting to it. Specter logs all traffic to the server for analysis. Users can set it up in one of five modes:

Image Open—In this mode the system behaves like a badly configured server in terms of security. The downside of this mode is that you are most likely to attract and catch the least skillful hackers.

Image Secure—This mode has the system behaving like a secure server.

Image Failing—This mode is interesting in that it causes the system to behave like a server with various hardware and software problems. This might attract some hackers because such a system is likely to be vulnerable.

Image Strange—In this mode the system behaves in unpredictable ways. This sort of behavior is likely to attract the attention of a more talented hacker and perhaps cause her to stay online longer trying to figure out what is going on. The longer the hacker stays connected, the better the chance of tracing her.

Image Aggressive—This mode causes the system to actively try and trace back the intruder and derive his identity. This mode is most useful for catching the intruder.

In all modes, Specter logs the activity, including all information it can derive from the incoming packets. It also attempts to leave traces on the attacker’s machine, which can provide clear evidence should civil or criminal action later be required.

Users can also configure a fake password file in all modes. These are particularly useful because most hackers attempt to access a password file to crack the passwords. If they are successful they can then log on as a legitimate user. The holy grail of hacking is getting the administrator’s password. There are multiple ways to configure this fake password file:

Image Easy—In this mode the passwords are easy to crack, leading a would-be intruder to believe that she has actually found legitimate passwords and usernames. Often a hacker with a legitimate logon will be less careful covering her tracks. If you know that logon is fake and the system is set up to monitor it, you can track it back to the hacker.

Image Normal—This mode has slightly more difficult passwords than the easy mode.

Image Hard—This mode has even harder passwords to crack. There is even a tougher version of this mode called mean, in which the passwords are very difficult to break so that the hacker can be traced while he is taking time to crack the passwords.

Image Fun—This mode uses famous names as usernames. In my opinion this one, and the related one named Cheswick, have dubious security value.

Image Warning—In this mode the hacker gets a warning telling him he has been detected if he is able to crack the password file. The theory behind this mode is that most hackers are simply trying to see if they can crack a system and do not have a specific objective. Letting this sort of hacker know he has been detected is often enough to scare him off.

The cost of this software system is about $900, and it requires a PC to install it on. The purpose of honey pots like Specter is not preventing intrusion. Instead, they minimize the damage once someone is in. They serve to direct the hacker’s attention away from critical systems. They also can be very helpful in tracking down hackers.

Symantec Decoy Server

Because Symantec is such a prominent vendor for both antivirus software and firewall solutions, it should come as no surprise that it also has a honey pot solution. The Symantec product, Decoy Server, simulates being a real server by simulating many server functions, such as incoming and outgoing e-mail traffic. Full details about this product are available at http://www.symantec.com/press/2003/n030623b.html

As the Decoy Server works as a honey pot, it also works as an IDS monitoring the network for signs of intrusion. If an attack is detected all traffic related to that attack is recorded for use later in whatever investigative, criminal, or civil procedures that may arise.

Decoy Server is designed to be part of a suite of enterprise security solutions that work together, including enterprise versions of Symantec’s antivirus software, firewall software, and antispyware. The product is usually purchased as part of a volume licensing agreement for a complete security package.

Preemptive Blocking

Preemptive blocking, sometimes called banishment vigilance, seeks to prevent intrusions before they occur. This is done by noting any danger signs of impending threats and then blocking the user or IP address from which these signs originate. Examples of this technique include attempting to detect the early footprinting stages of an impending intrusion, and then blocking the IP or user that is the source of the footprinting activity. If you find that a particular IP address is the source of frequent port scans and other scans of your system, then you would block that IP address at the firewall.

This sort of intrusion detection and avoidance can be quite complicated, and the potential exists of blocking a legitimate user by mistake. The complexity arises from distinguishing legitimate traffic from that indicative of an impending attack. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack. Usually, a software system will simply alert the administrator that suspicious activity has taken place. A human administrator will then make the decision whether or not to block the person. If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users. Also note that nothing prevents the offending user from moving to a different machine to continue his or her attack. The preemptive blocking approach should only be one part of an overall intrusion-detection strategy and not the entire strategy.

Intrusion Deflection

Intrusion deflection is becoming increasingly popular among security-conscious administrators. The essence of it is quite simple. An attempt is made to attract the intruder to a subsystem set up for the purpose of observing him. This is done by tricking the intruder into believing that he has succeeded in accessing system resources when, in fact, he has been directed to a specially designed environment. Being able to observe the intruder while he practices his art will yield valuable clues and can lead to his arrest.

This is often done by using what is commonly referred to as a honey pot. Essentially, you set up a fake system, possibly a server that appears to be an entire subnet. The administrator makes that system look attractive to hackers, perhaps making it appear to have sensitive data, such as personnel files, or valuable data, such as account numbers or research. The actual data stored in this system is fake. The real purpose of the system is to carefully monitor the activities of any person who accesses the system. Because no legitimate user ever accesses this system, it is a given that anyone accessing it is an intruder.

This sort of system can be difficult to set up and maintain. It also presupposes that someone is able to successfully compromise security. Intrusion deflection systems are typically only employed at sites requiring very high security. They should only be a part of the overall IDS strategy—not the entire strategy.

Intrusion Deterrence

Intrusion deterrence involves simply trying to make the system seem like a less palatable target. In short, an attempt is made to make any potential reward from a successful intrusion attempt appear more difficult than it is worth. This approach includes tactics such as attempting to reduce the apparent value of the current system’s worth through camouflage. This essentially means working to hide the most valuable aspects of the system. The other tactic in this methodology involves raising the perceived risk of a potential intruder being caught. This can be done in a variety of ways, including conspicuously displaying warnings and warning of active monitoring. The perception of the security of a system can be drastically improved, even when the actual system security has not been improved.

Because this approach costs almost nothing to implement and is relatively easy to set up, it is a good option for any system when used in conjunction with other strategies.

To implement this strategy, warn the user at every step in the process of connecting that her activities are being closely monitored, whether they are or are not. In addition, avoid advertising that the system or machine contains sensitive data by giving it an innocuous name. For example a database server that contains research material might be named “print_server 1” rather than “research_server” to make it less attractive. When using this type of naming approach, maintaining a master list and developing a naming scheme is important. For example, all real print servers might end with X and all false print server names end in Y so that staff know that “print_server1x” is a real print server and “print_server1y” is actually a sensitive server being hidden from intruders. Some way must exist for keeping track of the real purpose of the servers.

The purpose of the multiple warnings is to scare off less skilled hackers. Although such people might not have a great deal of technical prowess, their attempts to invade a system are a nuisance and can cause problems. Many of these attackers are new to hacking and appropriate warnings can scare off a significant percentage of them.

Summary

A variety of IDS are available. Some are designed to run on the perimeter with the perimeter firewall, often in a host-based configuration. Others are designed to be sensors throughout your network or are a router-type appliance. Honey pots entice hackers to explore phantom servers with the goal of keeping them long enough to identify them.

A complete IDS solution should have a perimeter IDS working in conjunction with a perimeter firewall. The most complete IDS solution includes multiple sensors for each subnet. Ideally, an administrator places some IDS on each major server and implements a honey pot solution.

Clearly, such a level of expenditure and complexity is not possible in all circumstances. This level certainly provides the greatest security, but many organizations do not require, nor can they afford, this level of security. At a minimum, an organization should have an IDS running with the perimeter firewall. Because free IDS solutions are available, there is no reason not to have one.

Test Your Skills

Multiple Choice Questions

1. IDS is an acronym for:

A. Intrusion-detection system

B. Intrusion-deterrence system

C. Intrusion-deterrence service

D. Intrusion-detection service

2. A series of ICMP packets sent to your ports in sequence might indicate what?

A. A DoS attack

B. A ping flood

C. A packet sniffer

D. A port scan

3. What is another term for preemptive blocking?

A. Intrusion deflection

B. Banishment vigilance

C. User deflection

D. Intruder blocking

4. Which of the following is not a reason to avoid choosing infiltration as part of an IDS strategy?

A. It can be time consuming.

B. It requires knowledge of the target group.

C. The group might retaliate.

D. It can be expensive.

5. Attempting to attract intruders to a system set up to monitor them is called what?

A. Intrusion deterrence

B. Intrusion deflection

C. Intrusion banishment

D. Intrusion routing

6. A system that is set up for attracting and monitoring intruders is called what?

A. Fly paper

B. Trap door

C. Honey pot

D. Hacker cage

7. Attempting to make your system appear less appealing is referred to as what?

A. Intrusion deterrence

B. Intrusion deflection

C. System camouflage

D. System deterrence

8. Which of the following is not a profiling strategy used in anomaly detection?

A. Threshold monitoring

B. Resource profiling

C. Executable profiling

D. System monitoring

9. Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded is referred to as what?

A. Threshold monitoring

B. Resource profiling

C. System monitoring

D. Executable profiling

10. Which of the following is a problem with the approach described in Question 9?

A. It is difficult to configure.

B. It misses many attacks.

C. It yields many false positives.

D. It is resource intensive.

11. A profiling technique that monitors how applications use resources is called what?

A. System monitoring

B. Resource profiling

C. Application monitoring

D. Executable profiling

12. Snort is which type of IDS?

A. Router-based

B. OS-based

C. Host-based

D. Client-based

13. Which of the following is not one of Snort’s modes?

A. Sniffer

B. Packet logger

C. Network intrusion-detection

D. Packet filtering

14. Which type of IDS is the Cisco Sensor?

A. Anomaly detection

B. Intrusion deflection

C. Intrusion deterrence

D. Anomaly deterrence

15. Why might you run Specter in strange mode?

A. It may confuse hackers and deter them from your systems.

B. It will be difficult to determine the system is a honey pot.

C. It might fascinate hackers and keep them online long enough to catch them.

D. It will deter novice hackers.

16. What is the purpose of the warning configuration for Specter’s e-mail file?

A. To track hackers back to their source IPs

B. To scare off at least novice hackers

C. To keep your normal users honest

D. To deter highly skilled hackers

Exercises

Exercise 5.1: Using Snort

Note: This is a longer exercise appropriate for groups. Refer to the chapter text for an explanation of the Snort product and features.

1. Go to the Snort.org Web site (www.snort.org).

2. Download Snort.

3. Using the vendor documentation or other resources, configure Snort as a packet sniffer. Use that resource to observe traffic on your network.

4. Compile statistics about your network’s normal traffic. These statistics include mean packets per minute, top five destination IP addresses, top 10 source IP addresses, etc.

Exercise 5.2: Using Snort as an IDS

1. Using the Snort installation from Exercise 5.1, configure Snort to do network intrusion-detection.

2. Set up rules for alerts by Snort.

Exercise 5.3: Open Source Honey Pots

Note: This exercise requires you to use an open source honey pot. One such free solution can be found at www.projecthoneypot.org, but feel free to use any solution you like. In fact, if possible, it is best to test out multiple solutions in order to compare results.

1. Install the honey pot on a lab machine.

2. Configure it according to the vendor documentation.

3. Have one student pose as a hacker attacking the honey pot.

4. The other student(s) should use the honey pot to detect that intrusion

Exercise 5.4: Infiltration

Note: In this exercise students should conduct only the preliminary steps and not the actual infiltration.

1. Identify an online group that would be a valuable target for infiltration.

2. Identify information that would assist in successfully intruding.

3. Create a fake identity that could be used for such an infiltration.

Exercise 5.5: Recommend an IDS

1. Assume you are working for a small organization that has a moderate security budget.

2. Select a particular IDS solution you would recommend for that organization.

3. Write your recommendations, including your reasons, in a memo format as if submitting them to a CIO or other decision maker.

Projects

Project 5.1: IDS Strategy

Using Web sites and vendor documentation create a document that outlines a complete IDS plan for a network. Plan your entire IDS strategy assuming a budget of $2,000.

Project 5.2: Firewall-Based IDS

Using Web resources, books, or other resources as well as your own opinions, determine whether you think a firewall-based IDS or a separate IDS is a better solution. Write a memo (as if you were submitting it to a CIO or other decision maker) explaining your position, including your reasons for coming to this conclusion.

Project 5.3: How to Improve Honey Pots

By now you should have a good understanding of how honey pots work, and you should have actually used at least one honey pot. But like all security technology, honey pots are evolving. Describe, in detail, at least two improvements you would like to see in honey pot technology. This could include features not currently available, improved detection, or more aggressive responses. The following sites describe current honey pot technology and might be of use to you.

Image www.projecthoneypot.org/

Image www.giac.org/practical/gsec/Michael_Sink_GSEC.pdf

Image www.tracking-hackers.com/papers/honeypots.html