
May 4, 1998
Free Help For Intrusion Detection
By Jason Levitt
In today's Internet environment, IT administrators must assume their LANs can be compromised.
Today's firewall systems are a first line of defense, but they offer little protection against the
new attacks that are constantly being devised to get past them.
CERT (Computer Emergency Response Team)
advisories periodically reveal the new attacks, but generally only after they've done their
damage. What many sites need is a customizable intrusion detection system that can help
identify intruders and their attacks. Such a system can help your site quickly respond to attacks
by revealing the exact nature of the attack and thus giving you the necessary information to
modify your defenses.
Although there are sophisticated intrusion detection capabilities in products from companies
such as CheckPoint Software Technologies Ltd. and Haystack Labs Inc., there is also a free
product being cooperatively developed that is worth looking at, especially if you're just getting
your feet wet with intrusion detection systems. The new set of public domain tools is called
CID, which stands for Cooperative Intrusion Detection (see Table 1 below). It is being developed
under the auspices of the SANS Institute and will be officially unveiled at the 7th SANS (System
Administration Networking Security) conference, May 7th through 15th, in Monterey, Calif.
Table 1. CID Software
CID Documentation: http://www.nswc.navy.mil/ISSEC/CID/cider.doc (Word 97 format)
Cooperative Security
CID won't be making the big splash that SATAN did, but, like its predecessor, it's free software
that should help some sites identify how intruders are penetrating their security perimeter, and
provide clarity as to how intrusion detection systems operate. The goal of CID is to combine the
expertise of "dozens of sites" in order to provide a highly useful tool for detecting system
intrusion.
What exactly is CID? CID is essentially the venerable tcpdump (a customizable filtering program
that captures every packet crossing an Ethernet interface, or only the packets matching a filter
expression you supply), a set of tools written in Perl to arrange and analyze the captured
output, and some shell scripts to manage the whole process.
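To make the capture-then-analyze pipeline concrete, here is an added example of the kind of post-processing CID's tools perform. It is not CID's own code: CID's analysis tools are written in Perl, while this version uses POSIX shell and awk so that it runs as one of the management scripts with no extra dependencies. The packet lines are constructed here in the shape of tcpdump's one-line TCP summary output; the `scan_summary` function name, the sample addresses and the port-count threshold are all assumptions made for the illustration. It flags any source host that sends SYNs to more than a threshold of distinct destination ports, the classic port-scan signature.

```shell
#!/bin/sh
# Added example, not CID's own code.  Detect a port scan from tcpdump's text
# output: any source host that sends SYNs (connection attempts) to more than a
# threshold of distinct destination ports on the monitored network.
# CID did this kind of post-processing in Perl; awk is used here so the whole
# thing runs from a shell script with no extra dependencies.

# Constructed sample in the shape of tcpdump's TCP summary lines:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
# 10.0.0.5 probes seven ports on 192.168.1.10 (one port twice); 10.0.0.9 is a
# normal web client; the "[S.]" line is the server's SYN-ACK and must not count.
SAMPLE_TRACE='12:00:01.000001 IP 10.0.0.5.40001 > 192.168.1.10.21: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 10.0.0.5.40002 > 192.168.1.10.22: Flags [S], seq 1, win 512, length 0
12:00:01.000003 IP 10.0.0.5.40003 > 192.168.1.10.23: Flags [S], seq 1, win 512, length 0
12:00:01.000004 IP 10.0.0.5.40004 > 192.168.1.10.25: Flags [S], seq 1, win 512, length 0
12:00:01.000005 IP 10.0.0.5.40005 > 192.168.1.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000006 IP 10.0.0.5.40006 > 192.168.1.10.110: Flags [S], seq 1, win 512, length 0
12:00:01.000007 IP 10.0.0.5.40007 > 192.168.1.10.143: Flags [S], seq 1, win 512, length 0
12:00:01.000008 IP 10.0.0.5.40008 > 192.168.1.10.143: Flags [S], seq 1, win 512, length 0
12:00:02.000001 IP 10.0.0.9.51000 > 192.168.1.10.80: Flags [S], seq 9, win 8192, length 0
12:00:02.000002 IP 192.168.1.10.80 > 10.0.0.9.51000: Flags [S.], seq 5, ack 10, win 8192, length 0
12:00:02.000003 IP 10.0.0.9.51001 > 192.168.1.10.80: Flags [S], seq 9, win 8192, length 0'

# scan_summary THRESHOLD: read tcpdump lines on stdin and print
# "<source> <distinct-ports>" for each source exceeding THRESHOLD (default 10).
scan_summary() {
    awk -v th="${1:-10}" '
        {
            # Locate the ">" separator so the parser does not care whether
            # tcpdump printed the "IP" protocol tag in front of the addresses.
            for (i = 1; i <= NF; i++) if ($i == ">") break
            if (i >= NF) next                           # not an "a > b" line
            if ($0 !~ /Flags \[S\]/) next               # pure SYN only; [S.] is a SYN-ACK
            src = $(i - 1); sub(/\.[0-9]+$/, "", src)   # drop the source port
            dst = $(i + 1); sub(/:$/, "", dst)          # drop the trailing colon
            port = dst; sub(/.*\./, "", port)           # keep only the destination port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }   # count distinct ports
        }
        END { for (s in ports) if (ports[s] > th) print s, ports[s] }
    ' | sort
}

# Stand-alone run: flag anything touching more than 5 ports.
# Live use would be something like:
#   tcpdump -n -l "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" | scan_summary 5
printf '%s\n' "$SAMPLE_TRACE" | scan_summary 5
```

Run on the constructed trace with a threshold of 5, the script reports `10.0.0.5 7` and nothing else: the web client touched only port 80, and the server's SYN-ACK is excluded by the flag check. Distinct ports are counted rather than raw packets, so a retransmitted probe does not inflate the score; a real deployment would also want a time window, since a legitimate host can touch many ports over a day.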
The price of secure computing is eternal vigilance. Though the best solution to keeping intruders
out is to have one finger dexterously poised on the big, shiny red "off" button at all times, the
next best thing is to have virtual video surveillance on all the time. That's the sort of peace of
mind that CID can offer.
Note: Other useful freeware intrusion detection tools are being developed as part of the
Abacus Project at www.psionic.com.
A long time ago, some smart person noticed an inverse security relationship like this: the easier
an operating system is to use, the easier it is to compromise. Another smart person (no doubt a
burned-out security expert) observed that the only truly secure computer system is the one locked
in a vault with the power off. Until the Internet came along and made these pithy observations
cliché, the only place you'd find anything close to a secure operating system was in the
cloistered computer rooms of the U.S. military. These days, even those heavily guarded systems
are suspect.