Intrusion Detection Systems for your network: Part I

By Trevor Warren <trevor@freeos.com>
Posted: 2001-01-29 03:21:10 EST

Last week, we carried some news clips on security intrusions in the Open Source world. For those of you whose business requires you to be connected to the Internet, we hope this series will help you defend yourself against the dangers you will face when you decide to open up your business to the anarchy of the Internet.

"The Prince of darkness is a gentleman." - Shakespeare, King Lear, III, 4

We have in the past covered some topics on security, namely: how insecure a stock Linux installation can be and what measures you should take to plug those unwanted holes, and how to set up a firewall to secure your S.O.H.O. network from the anarchy of the Internet. In this series, we will lay a framework that will help you understand the need for an Intrusion Detection System (IDS) and what security measures it puts in place. This includes measures that will help you conduct a postmortem on your system in case of a breach of your security measures, whether from inside or outside.

As a system administrator of a *NIX network it is your responsibility to ensure that your *NIX machines are running in perfect condition and to see to it that valuable customers and transactions are not lost, by minimizing downtime. This responsibility becomes even more pressing in today's scenario, wherein the smooth flow of high-volume traffic is the need of the hour in most environments. It is a known fact that most big names in the business of E-Commerce hardware and software solutions expect 99.99999 % uptime (the "five nines" concept).

Fundamental concepts of protecting your digital enterprise:

In general, there are various options that you could choose from to sanitize your network. It may be a firewall on your corporate gateway with a DMZ (De-Militarized Zone) hosting your web and mail servers and databases, or, simply speaking, it could be just a simple packet filtering firewall.

These security measures are meant to prevent unlawful entry into the local network and, last but not least, to prevent unwanted access to your personal resources. Therefore, these measures only help by warding off threats to your network. However, what about breaches of the security measures that you have already put in place? Have you ever wondered how you would carry out a postmortem analysis of your compromised system, or of a network whose security has just been breached?

Of course you would say there are firewall logs and the various system logs that you have meticulously configured through /etc/syslog.conf. Yes, these logs keep tabs on and record unwanted login attempts and file accesses. Nevertheless, what if the cracker managed to get around the file permissions that you erroneously set on the logs and edited them, leaving no trace of the security breach? In such a situation, the only clue to the breach would be the probable loss of data or the failure of running services, which had been the main aim of the cracker. This is where your existing security measures take a back seat and Intrusion Detection Systems take centre stage.

We are not saying that your existing security systems are flawed or anything of the sort. However, each security system has been put in place with a different priority for its implementation, and thus, as a good security architect, you would mix and match the best of both worlds, i.e. a good firewall and an IDS to take care of the baddies. There are various Intrusion Detection Systems available out there; to name a few good ones, Tripwire and Snort.

The UNIX security software product Tripwire is an effective tool for monitoring file-system changes. As a security product, Tripwire is very portable, very useful and free. The use of an IDS along with a firewall provides an effective baseline level of security. We are not suggesting that these products alone will keep out any intruder, but they will keep out novices and provide important proof that a system has been hacked, even if by an expert.

What is Tripwire?
Tripwire gives you the ability to confidently determine system integrity. When initialized, Tripwire creates a file signature database, which it compares with subsequently generated databases, producing a file-system modification report every time you run it, so that you can determine whether your system security has been compromised.
It is recommended that a Tripwire snapshot be taken when you are confident of system integrity, for instance right after an operating system installation or upgrade is performed. A digital signature is computed for every file and directory under the watch of Tripwire. Many signature algorithms are available to choose from: eight signature functions are bundled into Tripwire, and you can add your own if you wish. Several of the provided signatures, however, are fairly simple to spoof; the 16-bit checksum and the 16- and 32-bit CRC algorithms can all be reversed with publicly available software running on a desktop computer. The Tripwire documentation recommends using these only if you are concerned with the time required to compute the signatures, for example when you run Tripwire every hour. Instead, the authors recommend using message-digest algorithms (MD4, MD5 and Snefru), which produce larger, 128-bit signatures that, they claim, are computationally infeasible to reverse.

Does Tripwire keep out intruders?
Sadly, no. But the whole essence of this system is to put in place cameras on your system that are completely invisible to an intruder who manages to bypass your existing security framework. Thus Tripwire, running stealthily on your system, just sits and waits for something to go wrong. As soon as a violation occurs it produces a detailed postmortem of the crime scene. Tripwire will help you determine the damage to your data: whether it is corrupted, the extent of the damage across the network, which system files have been replaced (for instance, Trojans placed in your system binaries) and, in general, the extent of the damage. Once you have initialized the database, each time you run Tripwire you will be verifying the file system against the consistency checks specified in a policy file, which we will discuss later.
Tripwire is not limited to tracking system file modifications; it can be configured to monitor any file or directory tree on your *NIX host, and you don't need any special privileges to run it. Any user can create their own Tripwire configuration file and produce a change report for file systems that they have read access to. In addition to file signatures, inode information can be examined by Tripwire: permissions and mode, inode number, number of links, user id, group id, file size, modification time stamp and access time stamp can all be checked.
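A minimal Tripwire-style baseline-and-compare tool, as an added example (this is not Tripwire's code and is not part of the original article): it records a content digest plus the inode attributes listed above for each regular file, then reports added, removed and changed files, with the attributes that count as a violation chosen by a policy set much as Tripwire's policy file does. The function names, the choice of SHA-256 in place of the MD5/Snefru of Tripwire's day, and the decision to ignore access time by default are assumptions of this example.

```python
import hashlib
import os
import stat

# Attributes the article says Tripwire examines, recorded for every file.
# Tripwire's era used MD5/Snefru; SHA-256 stands in here (hypothetical choice).
FIELDS = ("digest", "mode", "inode", "nlink", "uid", "gid", "size", "mtime", "atime")
# A policy, as in Tripwire's policy file, lists which attributes count as violations.
# atime is excluded by default: merely reading a file (as this scanner does) updates it.
DEFAULT_POLICY = frozenset(FIELDS) - {"atime"}


def _digest(path):
    """Signature of the file contents, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Build the baseline: {relative path: {attribute: value}} for every regular file."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat before reading, so atime is the pre-scan value
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are skipped in this minimal version
            db[os.path.relpath(full, root)] = {
                "digest": _digest(full), "mode": stat.S_IMODE(st.st_mode),
                "inode": st.st_ino, "nlink": st.st_nlink, "uid": st.st_uid,
                "gid": st.st_gid, "size": st.st_size,
                "mtime": st.st_mtime_ns, "atime": st.st_atime_ns,
            }
    return db


def compare(baseline, current, policy=DEFAULT_POLICY):
    """Change report: files added or removed since the baseline, and which
    policy-checked attributes differ for files present in both."""
    changed = {}
    for path in baseline.keys() & current.keys():
        diff = [f for f in FIELDS if f in policy and baseline[path][f] != current[path][f]]
        if diff:
            changed[path] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}
```

As with Tripwire's own database, the baseline produced by snapshot() is only trustworthy if it is stored where an intruder cannot rewrite it, for example on read-only media or on another host.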

Is it Open Source?
"Our decision to create an open source model for our Linux product, allows us to extend our award-winning, integrity assessment capabilities across the thousands of additional Linux enterprises that are playing a key role in today's eCommerce and eBusiness markets" says W. Wyatt Starnes, President, CEO and co-founder of Tripwire, Inc.
In many ways, Tripwire, Inc.'s open sourcing of its Tripwire product is a return to its roots. Given its origins in academia and the fact that the source code for Tripwire's Academic Source Release (ASR) has been widely available since 1992, Tripwire's move to open source its significantly enhanced commercial version is perhaps less dramatic than similar moves by other companies. But one especially significant aspect of the Tripwire announcement is that the company is providing source code for its flagship product, as opposed to merely open sourcing older versions of outmoded or even virtually obsolete software. This backhanded open sourcing strategy, unfortunately, has been popular among some companies hoping to earn a little positive open-source karma without exposing their precious proprietary software to the powerful currents of open-source development.

Tripwire was originally developed for the Computer Operations Audit and Security Technology (COAST) laboratory at Purdue University in Indiana. Available in C source code form, Tripwire has been available commercially since January 1999. Locations for downloading the older, pre-commercial version of Tripwire include comp.sources.unix (Usenet), /pub/spaf/COAST/Tripwire (anonymous FTP) and e-mail. The company's new moves, which it refers to as "Tripwire everywhere", are to extend the software's integrity assessment beyond the operating system to encompass as much as an entire network, including databases and network devices. While only one of a number of security tools used by *NIX administrators, Tripwire is considered by many to be a significant piece of software when it comes to intrusion detection.

Tomorrow we will take a look at installing, configuring and using Tripwire.
