I believe that the future for IDS is very good. Where firewalls began to be seen as an absolute necessity about 5 years ago, IDS will do the same in the very near future, especially as hackers make more and more news around the world. Even universities that claim they cannot have a firewall on their system due to their professors' First Amendment rights may be required to put in some type of IDS system to stop malicious traffic.
Testimonials found on IDS vendors' sites around the web mention a combination of devices (signature, host and behavior based devices at the minimum) for doing IDS. The consensus seems to be that, as different types of attacks are possible, a multi-layered approach is necessary to thoroughly protect any system. Checking both the inside and outside of an organization's private network is also mentioned everywhere I have looked. This can mean multiple devices and/or multi-interfaced devices.
Cost, for most of the organizations we service, seems to be the deciding factor in what they will do. Due to a requirement to have some sort of IDS solution in place to comply with privacy regulations by mid 2003, most want the bare minimum, rather than a useful and truly protective layer between hackers and their customers' private data. I believe this is where we should focus our energy in educating our customer base.
While it may be true that we can implement a simple system log reporting tool that sends an alert to a pager or email box when an attack causes a certain log line to be sent, is that going to stop the private data from being copied, taken, changed or destroyed? Perhaps offering a solid solution at the start and then backing off to a minimal solution would be wise. I would hate for us to be blamed for selling a weak solution when we know a stronger solution is out there. We can start weak, but must realize that our clients will be coming to us looking for a stronger solution in the near future when their data gets hacked.
The Purpose of an IDS System
The purpose of IDS is to alert you of intruders in all internal areas of a given network. These attacks can come from anywhere and need to be watched for from everywhere. Our strong recommendation is to employ IDS services at every ingress point into the critical areas of the network. These areas include: the DMZ, the UNIX host server area, and the standard user networks.
While detecting and alerting is good, dynamic blocking of harmful network activity is better. The systems looked into include Intrusion Protection as well as Detection; meaning, they do not merely write log entries and page people when they smell something bad, they also stop the malicious activities from taking place as they are happening. Intrusion Protection Systems (IPS) are very proactive, when compared with a human's reactive nature in stopping such an attack.
There are a few different ways to deploy an IPS solution. The most obvious is to set an IDS appliance in each area of the network that needs detection and use a centralized management station to configure them, receive alarms, and generate reports. Protection of the network comes with TCP resets and dynamically written access-lists that are set on firewalls and routers tied to the system. For added protection, it will also be necessary to offer a Host based IDS system that specifically identifies and stops abnormal and pernicious actions on servers. The costs of this total solution can be very high, but the benefits are priceless.
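As an added illustration of the "dynamically written access-lists" idea above (this is example code written for this memo, not Cisco's product logic or the memo's own material), the following Python models how a management station might turn sensor alerts into time-limited block entries and render them as router ACL lines. The severity scale, the 15-minute TTL, ACL number 101, the never-block networks and the sample alerts are all constructed assumptions, and the ACL text is shown only to illustrate the shape of the output.

```python
"""Added example: turning IDS alerts into time-limited block rules.

Illustration code written for this memo, not Cisco's or the memo author's;
the severity scale, TTL, ACL number, protected networks and sample alerts
are all constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: networks that must never be blocked automatically, such as
# the monitoring VPN and the management station, so that a spoofed or
# false-positive alert cannot cut the operators off.
NEVER_BLOCK = [ip_network("10.9.0.0/24"), ip_network("192.0.2.10/32")]


@dataclass
class Alert:
    src: str         # attacking address as reported by the sensor
    signature: str   # name of the matched signature (constructed)
    severity: int    # 1 (low) to 5 (high), constructed scale


@dataclass
class BlockTable:
    """Active blocks keyed by source address, each with an expiry time.

    Times are plain seconds (e.g. time.time()) so the logic can be
    exercised deterministically without a clock.
    """
    ttl_seconds: int = 900      # 15 minutes, then the block lapses
    min_severity: int = 3       # ignore noise below this level
    acl_number: int = 101
    blocks: dict = field(default_factory=dict)

    def consider(self, alert: Alert, now: float) -> bool:
        """Add or refresh a block for the alert; True if a block is now active."""
        if alert.severity < self.min_severity:
            return False
        if any(ip_address(alert.src) in net for net in NEVER_BLOCK):
            return False
        self.blocks[alert.src] = now + self.ttl_seconds
        return True

    def expire(self, now: float) -> list:
        """Remove blocks whose TTL has passed and return the freed addresses."""
        freed = sorted(s for s, exp in self.blocks.items() if exp <= now)
        for s in freed:
            del self.blocks[s]
        return freed

    def acl_lines(self) -> list:
        """Render the active blocks as extended ACL deny lines followed by a
        permit-any, the shape a management station would push to a router.
        The exact syntax is illustrative, not a product's configuration."""
        lines = [f"access-list {self.acl_number} deny ip host {s} any"
                 for s in sorted(self.blocks)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        return lines


if __name__ == "__main__":
    table = BlockTable()
    # Constructed alerts: one real attacker, one from the monitoring VPN
    # (must be ignored), one low-severity probe (below threshold).
    for a in (Alert("203.0.113.5", "port-sweep", 5),
              Alert("10.9.0.7", "port-sweep", 5),
              Alert("198.51.100.2", "icmp-echo", 1)):
        print(a.src, "blocked" if table.consider(a, now=1000) else "ignored")
    print("\n".join(table.acl_lines()))
    print("expired:", table.expire(now=1900))
```

Two design points matter for the support contract described later in this memo: the never-block list protects the monitoring VPN and management station from being shut out by a false positive, and the TTL means a block caused by a spoofed or mistaken alert lapses on its own instead of silently cutting off a legitimate customer until someone reconfigures the system by hand.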
A secondary method of deployment is to use a combination of items that lowers cost but provides a wide footprint of protection. Specifically, PIX firewalls can have IDS functionality configured and Cisco routers can have FW/IDS installed, both of which are manageable through a centralized security system. As these devices can adjust their own access-lists and spurn harmful traffic, they become protectors and not just detectors. Host based IDS systems should also be deployed on critical servers.
I have included below four different lists of equipment that offer different levels of protection. The overall costs may seem high, but when considered against the threats and potential liabilities of losing customer privacy and risking their data's security, they are very worthwhile and cost effective.
Cisco IDS Parts, Pieces and Prices
- Signature Based IDS: $12,300
  - IDS-4210 placed in the same network as the Host Servers, $8,000
  - Compaq DL320 placed inside the most secure part of the network, $2,000
  - Windows 2000 Server, $1,000
  - VMWare Workstation, $350
  - Windows XP Pro (use WinNT 4.0 Workstation), $300
  - CSPM 2.3i Lite, $2,000
- Host Based IDS: $24,300
  - CWVMS-2.3, $8,000
  - HIDS-AGNT-K9, $0
  - HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
  - HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
  - Compaq DL320 placed inside the most secure part of the network, $2,000
  - Windows 2000 Server, $1,000
  - VMWare Workstation, $350
  - Windows XP Pro (use WinNT 4.0 Workstation), $300
- Host and Limited Signature Based IDS: $29,500
  - CWVMS-2.3, $8,000
  - HIDS-AGNT-K9, $0
  - HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
  - HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
  - IOS/FW/IDS, $1,500
  - Compaq DL320 placed inside the most secure part of the network, $2,000
  - Windows 2000 Server, $1,000
  - VMWare Workstation, $350
  - Windows XP Pro (use WinNT 4.0 Workstation), $300
  - PIX-515-R-DMZ, $3,700 (some may already have this)
- Host and Intense Signature Based IDS: $41,150
  - IDS-4210 placed in the same network as the Host Servers, $8,000
  - CWVMS-2.3, $8,000
  - HIDS-AGNT-K9, $0
  - HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
  - HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
  - IOS/FW/IDS, $1,500
  - Compaq DL320 placed inside the most secure part of the network, (need 2) $2,000
  - Windows 2000 Server, (need 2) $1,000
  - VMWare Workstation, (need 2) $350
  - Windows XP Pro (use WinNT 4.0 Workstation), (need 2) $300
  - PIX-515-R-DMZ, $3,700 (some may already have this)
For those customers who want high level reporting that comes as close as possible to what the government regulators are looking for, we can suggest they use Envision (or Private I for small applications). This program was written with the help of Paul Reyman, who helped the government come up with the privacy regulations. He was hired by Network-Intelligence to teach them what reports the bureaucrats would be looking for when they show up for an audit.
Pricing for this system is as follows. Private I is a program that is licensed per device monitored:
    Cisco IDS-4210           $3,500
    Cisco 3600 IOS/FW/IDS    $1,500
    Cisco PIX-515E-R-DMZ     $1,500
    Cisco PIX-515E-UR        $2,500
    Cisco PIX-520-R          $1,500
    Cisco PIX-520-UR         $3,500
    Cisco PIX-535-UR         $4,500
Each license allows you to deploy another server or add it to an existing server.
Examples:
- Scotts Valley Bank will be monitoring a PIX-515-R for $1,500 plus the cost of a W2K Server (hardware and OS).
- An organization that wants to monitor a PIX-515-R, an IDS-4210 and a Cisco 3600 Series router will spend $1,500 + $3,500 + $1,500 = $6,500 plus the cost of a W2K server.
Envision is like Private I, but adds Windows NT/2K logging and is sold in events per second (EPS):
    EPS-500 software only                                     $ 8,500
    EPS-1000 software only                                    $14,000
    EPS-1000 on hardened W2K 1U Server                        $19,000
    EPS-2000 on hardened W2K 2U Server                        $32,000
    Additional 1K block on new EPS-X000 (up to 6000)          $11,000
    Additional 1K block over 90 days after original purchase  $15,000
Example:
- Customer CU wants an IDS that watches a PIX-520-UR, an IDS-4210, a WWW server, an email server, and a file server. He will have to purchase Envision for $14,000, plus the cost of a W2K server.
Network Intelligence will allow a trade-in upgrade on all products for up to 90 days to make sure that the product matches the need (the faster the trade-in the better).
Our discount will start at 25% on appliances and can go as high as 35% if we do about $200,000 volume in a year. Software only gets a 10% discount.
To be a reseller, we must purchase an EPS-1000 at 50% off (we can resell it after 30 days or so). We must complete some WebEx training classes (no test) and fill out the normal credit applications with references.
Client Network Requirements
- Client must use a Cisco PIX-515E-R-DMZ firewall on their Internet connection.
- Client must allow a Cisco based VPN from enveloptech into their network for monitoring.
- Unix Host must be in its own network and isolated by a Cisco router running FW/IDS IOS.
- Management system will be on a Windows 2000 Server with Administrator terminal services running and a Windows NT Workstation system hosted on it via VMWare.
- A 24/7 support contract is required for enveloptech to handle attack reports and reconfigure the system as needed to allow normal data flow to occur.
Additional IDS Options
In the world of intrusion detection, there are almost as many companies trying to detect and protect you as there are successful attackers. Some OEMs make software for detecting intrusions. Some make appliances with hardened OSs that do the same. Along with these are numerous policy managers, log servers and reporting agents that keep track of what is considered a threat (in a nice GUI format), record what happened, and alarm, page or email you when a programmed threshold is reached. For comparison with the Cisco supplied solution, I mention a few that I found below.
Lanscope's Stealthwatch, a behavior based IDS, is also a potential choice, though its expense rates equal to or greater than that of Cisco's IDS 4210 ($10,000), especially when you consider the hardware and OS purchases needed to run the system.
Snort is another very well known and well liked program among the Linux crowd. It is free software under the GNU license. Support for such a program will be difficult if not impossible to obtain, and thus we will probably avoid it.
Kiwi produces a free and/or low cost log server software package that can output data to a spreadsheet for sorting and review as well as generate emails or pages when certain alarm thresholds are reached. This would be the simplest, but potentially most labor intensive, system for collecting warnings and displaying them. (We should probably test this in house for one week to see what we get. Don has a scanner that we can put on the "outside" machine to attack ourselves and see how hard it is to sort, search and find problems.)
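To make concrete both the "simple system log reporting tool" dismissed near the top of this memo and the threshold-alarm behaviour described for Kiwi, here is an added Python example (not code from the memo, from Kiwi, or from any vendor) that reads firewall deny messages and raises one alert when a single source touches five distinct destination ports within a minute. The log lines, the %FW-4-DENY message tag, the addresses and ports, and the five-ports-in-sixty-seconds threshold are all constructed assumptions.

```python
"""Added example: a syslog threshold alerter of the kind the memo calls
simple but labor intensive. Not code from the memo, from Kiwi or from
any vendor; the log lines, the %FW-4-DENY tag, addresses, ports and the
five-ports-in-sixty-seconds threshold are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample firewall deny messages (not captured traffic): one
# source probing five services in two seconds, another touching two ports
# twenty-five minutes apart, which must not trigger an alert.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw1 %FW-4-DENY: Deny tcp src outside:203.0.113.5/4021 dst inside:10.1.1.20/22
Mar 10 02:14:01 fw1 %FW-4-DENY: Deny tcp src outside:203.0.113.5/4022 dst inside:10.1.1.20/23
Mar 10 02:14:02 fw1 %FW-4-DENY: Deny tcp src outside:203.0.113.5/4023 dst inside:10.1.1.20/25
Mar 10 02:14:02 fw1 %FW-4-DENY: Deny tcp src outside:203.0.113.5/4024 dst inside:10.1.1.20/80
Mar 10 02:14:03 fw1 %FW-4-DENY: Deny tcp src outside:203.0.113.5/4025 dst inside:10.1.1.20/443
Mar 10 02:15:30 fw1 %FW-4-DENY: Deny tcp src outside:198.51.100.9/5100 dst inside:10.1.1.30/445
Mar 10 02:40:00 fw1 %FW-4-DENY: Deny tcp src outside:198.51.100.9/5101 dst inside:10.1.1.30/139
"""

# Timestamp, host, tag, then "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>".
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ Deny (\w+) "
    r"src \S+:([\d.]+)/\d+ dst \S+:([\d.]+)/(\d+)"
)


def parse_line(line, year=2003):
    """Return a dict for a deny message, or None for anything else.
    Syslog timestamps carry no year, so one is assumed (constructed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m.group(2), "src": m.group(3),
            "dst": m.group(4), "dport": int(m.group(5))}


def scan_alerts(lines, window_seconds=60, port_threshold=5):
    """One alert per source that reaches port_threshold distinct destination
    ports inside a sliding window. Older events fall out of the window, so
    a slow trickle spread over hours never accumulates into an alert."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) == port_threshold:   # fire once, on crossing
            alerts.append({"src": ev["src"], "first": q[0][0],
                           "last": ev["ts"], "ports": sorted(ports)})
    return alerts


def format_alert(a):
    """The text that the pager or email step would send."""
    return (f"ALERT possible port scan from {a['src']}: "
            f"{len(a['ports'])} ports ({', '.join(map(str, a['ports']))}) "
            f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")


if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Running it on the constructed lines yields a single alert for 203.0.113.5; the second source never crosses the threshold because its two denies are far outside the window. Note what this tool does not do: by the time the page goes out, the probing has already happened, which is the memo's point about a log-and-alert tool versus a system that blocks as it detects.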