Intrusion Detection System White Paper of Numen NET (IDS)
I. Intrusion detection technology and Numen NET
1. Why the product for intrusion detection is required
Presently, people in China still take a one-sided approach to
the problem of network information security: many information
security enterprises understand security defense only within
the limits of the firewall. The firewall is undoubtedly a very
important link in security. A well-configured firewall can
usually provide a security screen between the internal and
external networks. However, the firewall alone is by no means
sufficient, because a packet-filtering firewall inspects only
the packet header, not the content, and a proxy firewall
decides how to handle a request simply by service type. A
firewall can do nothing in the following cases, for example:
(1) A backdoor possibly opened behind the firewall: the
firewall can only decide whether packets belonging to some
service may pass, but cannot make any further decision about
those packets. Take the most dangerous case faced by a WEB
server, a CGI attack, against which the firewall cannot defend
at all: from the firewall's point of view, the packet used for
a CGI attack and the one created by normal browsing of a page
both reach port 80 without any distinction.
(2) The intruder may already be inside the firewall: the
firewall's defense is valuable only against external attack,
and can do nothing against internal attack.
(3) Detection requirements with high real-time demands: this
is something the firewall can never accomplish.
An intrusion detection system (IDS) is a completely new concept
and technology of network security, one that provides real-time
intrusion detection and corresponding means of defense. The
most important value of real-time intrusion detection for
network security lies in its all-round protection of the
internal network, which enables overall defense against
external attack, and in the all-round improvement of the
network's warning capability against intrusion.
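As an added illustration (not code from the Numen NET product or this paper), the following Python sketch contrasts the header-only verdict of a packet-filtering firewall with content inspection of the HTTP request line by an IDS; the two CGI signatures, the allowed-port set and the sample packets are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source address
    dst_port: int   # TCP destination port
    payload: str    # application-layer data carried by the packet


# Firewall-style (packet-filter) decision: looks at the header only.
ALLOWED_PORTS = {80, 25}   # constructed policy for the example


def firewall_decision(pkt: Packet) -> str:
    """Header-only check, as the paper describes for a filtering firewall."""
    return "allow" if pkt.dst_port in ALLOWED_PORTS else "deny"


# IDS-style rules applied to the HTTP request line of port-80 traffic.
# Both signatures are constructed for illustration; they are not
# Numen NET's rule base.
CGI_RULES = {
    # '..' inside a /cgi-bin/ path: traversal out of the CGI directory
    "cgi-path-traversal": re.compile(r"^GET\s+/cgi-bin/\S*\.\./", re.M),
    # abnormally long /cgi-bin/ request line: typical overflow probe
    "cgi-oversize-request": re.compile(r"^GET\s+/cgi-bin/\S{512,}", re.M),
}


def ids_alerts(pkt: Packet) -> list:
    """Content inspection: names of the rules the payload matches."""
    if pkt.dst_port != 80:
        return []
    return [name for name, rx in CGI_RULES.items() if rx.search(pkt.payload)]


def inspect(packets):
    """Pair the firewall verdict with the IDS verdict for each packet."""
    return [(p.src, firewall_decision(p), ids_alerts(p)) for p in packets]


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", 80, "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.9", 80, "GET /cgi-bin/../../private/config HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.9", 80, "GET /cgi-bin/form?" + "A" * 600 + " HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", 23, "login: "),
]

if __name__ == "__main__":
    for src, fw, alerts in inspect(SAMPLE):
        print(f"{src:10} firewall={fw:5} ids={alerts or 'clean'}")
```

The firewall allows the three port-80 packets identically; only the content rules separate normal browsing from the two abusive requests.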
2. Comparison of the two types of intrusion detection product
The current intrusion detection products can be divided into
two types:
Host-based IDS
Network-based IDS
Host-based IDS is applied in protecting the servers of
critical applications, real-time monitoring of suspected
connections, detection of intrusion and illegal access through
system logs, and in protecting typical applications such as
Web, SMTP and POP3 servers.
Network-based IDS is based on interception (sniffing) and is
applied in real-time monitoring of the traffic on critical
network paths or at critical nodes.
A host-based security monitoring system has the following
features (+ indicates an advantage and - a disadvantage):
+ Precise judgment of an intrusion event
+ Judgment of an intrusion event at the application layer
+ Immediate response by the attacked host to the intrusion
event
- Burdened with the detail of designing and defining rules
specific to the features of each different operating system
- Occupies valuable host resources, further reducing the
host's system efficiency, especially on heavily loaded
equipment
A network-based security monitoring system has the following
features:
+ Monitors any activity on the network segment
+ Real-time monitoring of the network
+ Finer monitoring granularity
- Poorer precision
- Poor resistance to deception by the intruder
- Hard to deploy in a switched network environment
3. Description of Numen NET product
Numen NET is a product that combines the features of
network-based and host-based IDS, that is, it can protect both
sensitive network segments and sensitive nodes. Numen NET
embodies its programmers' rich development experience and the
security research group's accumulation of various security
resources. The first internal testing version was issued in
November 2000.
The reason Numen NET combines the features of host-based and
network-based IDS in its own system is that each has features
that let the user choose according to different conditions.

II. Main structure, work process and environment of Numen NET
1. Main structure of Numen NET
Numen NET includes three parts:
Numen NET Watch: a distributed intercepting (sniffing) sensor
that performs network interception and analysis; it is suited
to deployment on wide-area network links, dial-up connections,
the switch of a server group, and other critical paths.
Numen NET Host: a host security system that performs local
interception and analysis and other security mechanisms; it is
suited to deployment on servers and other sub-nodes.
Numen NET Center: the control center, which dispatches security
mechanisms, compiles overall information statistics and
distributes rules; it is the center of the entire intrusion
monitoring system (and includes a management user terminal,
Numen NET Manager).
These parts are composed of a dozen major modules and several
knowledge bases. The major modules include network
interception, rule matching, rule management, rule
distribution, node scanning, process analysis, file
characteristic scanning, log analysis and event audit, and
predefined configuration. The knowledge bases include those of
vulnerability rules, exception behavior weights, Trojan horse
characteristics, and process behavior weights.
2. Network structure
Numen NET operates in a distributed mode under the control of a
unified monitoring center, realizing the idea of "distributed
operation, centralized control". The operation mode is as
follows:
(1) Install the Numen NET Watch sensor on the interception
(mirror) port of a switch, or connect it through a shared HUB.
(2) Install the monitoring module Numen NET Host (which
includes local interception, track analysis, and Trojan horse
detection) on the servers that require monitoring, so that it
reports and transmits evidence to the management server and
provides a scheme for cross-platform intrusion monitoring.
(3) For a single node or special conditions, Numen NET Host can
work independently of Numen NET Center, while where the user's
hardware is limited, Numen NET Watch can be merged with Numen
NET Center.