Network Intrusion Detection, Neighborhood Watch Style

By: Rob Reilly
Monday, October 11, 2004 12:35:29 PM EST
URL: http://www.linuxplanet.com/linuxplanet/reports/5605/1/

Sophisticated New Methods

Keeping an eye on the valuables stored away in your network is a tough job these days. Thugs and criminals are trying to jimmy your ports. Terrorists are lurking around your network neighborhood. And stealthy email spy-ware may already be in employee mailboxes, just waiting to silently ship secrets out to the cyber underworld.

Conventional programs like Tripwire and Snort do a great job of looking for sneaky file timestamp changes and malicious code signatures. Unfortunately, these don't provide complete solutions.

Global DataGuard takes up where Tripwire and Snort leave off. You can put a Global DataGuard sensor on your network and, after a week or two, a unique profile of your network and server behaviors develops. That profile then serves as the baseline for spotting unfamiliar programs, strange access requests and outbound activity that might indicate some sinister force at work. It correlates those activities over time to identify trends that would be impossible to connect using normal attack-signature review or log-reading methods.

"With Snort, if it doesn't have a signature you can't see it," said Mike Stute, co-founder and Chief Technology Officer. "ESP (Empirical Surveillance Program) is behavioral based. It looks at traffic, hosts, types of protocols, the time of day, etc. and then makes predictions. If something is wrong, it goes to find out what's different," Stute continued. "Actually, ESP has a memory."

The Global DataGuard system is really a collection of components, consisting of Linux-based client site sensors, a MySQL database, a Linux cluster, and proprietary behavioral analysis software--all with web-based reporting and management programs.

The client site sensor (a one- or two-processor 1U Intel-based machine) sits passively on a client's network and captures packet data on everything that goes by. "The best place is right before the firewall. It's a good place for a lot of different data," said Stute.

Scanning is done with Nessus. The sensor has a one-way VPN connection that sends the packet data back to GDG servers. Customers can take comfort in knowing that the heavily encrypted data flows only to the GDG servers, with no remote external access back into the sensor appliance. Each sensor is equipped with an extensive self-diagnostics suite to keep itself healthy; it can even reboot itself if needed.

As you might guess, a cluster of Linux machines is a necessity to process the sheer volume of packet data that can be collected on a 100 Mb/s or 1000 Mb/s Ethernet segment.

"Our cluster is a cluster in the sense that each component is virtual, meaning that one function is spread across multiple systems and each system can perform any job in the machine. For example, the packet analysis is a function that can be performed by one or more systems and will be farmed to the system with the most available resources. This is more like load balancing each individual component in a distributed system," Stute said.

Global DataGuard uses an internal messaging system that controls the direction of the cluster, rather than Mosix, Beowulf, or one of the other Linux cluster solutions.

Even with the processing power of multiple machines, developing a baseline profile can take a little time.

"It takes about 2 to 4 weeks for the system to be pretty well tuned," Stute said.

Over time, the Global DataGuard system adapts to the client network's behavior, continuously updating the profile database so that new threats can be recognized.
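To make the behavior-based approach described above concrete (a profile learned from a baseline period, flows scored for what is different, anomalies correlated per host over time, and the profile continuously updated with flows judged normal), here is an added example. It is not Global DataGuard's code and says nothing about how ESP actually models traffic; it is a small, self-contained Python sketch that learns a per-host profile from constructed flow records (which destination services a host uses, at what hours of day, and how many bytes it normally sends out), then scores new flows against that profile and escalates a host once several distinct kinds of deviation pile up. The flow-record format, the feature set and all addresses are assumptions made for the example.

```python
"""Behavior-based baseline and anomaly scoring (added example, not GDG's code).

Learns a per-host profile from constructed flow records, scores later flows
against it, correlates anomalies per host, and keeps learning from flows that
look normal so the baseline adapts over time.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class HostProfile:
    services: set = field(default_factory=set)  # (proto, dst_port) pairs seen
    hours: set = field(default_factory=set)     # hours of day with activity
    n: int = 0                                  # flows seen (Welford statistics)
    mean: float = 0.0                           # running mean of bytes_out
    m2: float = 0.0                             # running sum of squared deviations

    def update(self, flow):
        """Fold one flow into the profile (online mean/variance update)."""
        self.services.add((flow["proto"], flow["dport"]))
        self.hours.add(flow["ts"].hour)
        self.n += 1
        delta = flow["bytes_out"] - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (flow["bytes_out"] - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def parse_flow(line):
    """Assumed record format: '<iso-timestamp> <src> <dst> <proto> <dport> <bytes_out>'."""
    ts, src, dst, proto, dport, bytes_out = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes_out": int(bytes_out)}


def build_baseline(lines):
    """Learning phase: every flow in the baseline window shapes its host's profile."""
    profiles = defaultdict(HostProfile)
    for line in lines:
        flow = parse_flow(line)
        profiles[flow["src"]].update(flow)
    return profiles


def score_flow(profile, flow, z_threshold=3.0, min_samples=10):
    """Return the list of ways this flow departs from the host's learned behavior."""
    reasons = []
    if profile.n == 0:
        reasons.append("unknown-host")            # host never seen during baseline
    if (flow["proto"], flow["dport"]) not in profile.services:
        reasons.append("new-service")             # talking to a service it never used
    if flow["ts"].hour not in profile.hours:
        reasons.append("off-hours")               # active at a time it never was
    sd = profile.stddev()
    if profile.n >= min_samples and sd > 0 and (flow["bytes_out"] - profile.mean) / sd > z_threshold:
        reasons.append("volume-spike")            # far more outbound data than usual
    return reasons


def monitor(profiles, lines, learn=True, escalate_at=2):
    """Detection phase: accumulate distinct anomaly types per host and escalate
    once a host shows escalate_at or more; flows with no anomalies are folded
    back into the profile so the baseline keeps adapting. A production system
    would also age findings out of the correlation window."""
    findings = defaultdict(set)
    alerts = {}
    for line in lines:
        flow = parse_flow(line)
        profile = profiles[flow["src"]]
        reasons = score_flow(profile, flow)
        if reasons:
            findings[flow["src"]].update(reasons)
            if len(findings[flow["src"]]) >= escalate_at:
                alerts[flow["src"]] = sorted(findings[flow["src"]])
        elif learn:
            profile.update(flow)
    return alerts


# Constructed baseline: one host, business hours, HTTPS and DNS only.
BASELINE = [
    "2004-10-04T09:05:00 10.0.0.5 198.51.100.10 tcp 443 1200",
    "2004-10-04T09:40:00 10.0.0.5 198.51.100.20 udp 53 300",
    "2004-10-04T10:15:00 10.0.0.5 198.51.100.10 tcp 443 1800",
    "2004-10-04T11:30:00 10.0.0.5 198.51.100.11 tcp 443 2100",
    "2004-10-04T13:05:00 10.0.0.5 198.51.100.20 udp 53 280",
    "2004-10-04T14:20:00 10.0.0.5 198.51.100.10 tcp 443 1500",
    "2004-10-04T15:45:00 10.0.0.5 198.51.100.12 tcp 443 2600",
    "2004-10-04T16:10:00 10.0.0.5 198.51.100.20 udp 53 310",
    "2004-10-05T09:12:00 10.0.0.5 198.51.100.10 tcp 443 1700",
    "2004-10-05T10:48:00 10.0.0.5 198.51.100.11 tcp 443 1900",
    "2004-10-05T12:00:00 10.0.0.5 198.51.100.20 udp 53 290",
    "2004-10-05T14:33:00 10.0.0.5 198.51.100.10 tcp 443 2200",
]

# Constructed monitoring traffic: one normal flow, then a never-used service
# contacted at 3 a.m. with a large outbound transfer, plus a host never seen before.
MONITOR = [
    "2004-10-18T10:02:00 10.0.0.5 198.51.100.10 tcp 443 1600",
    "2004-10-18T03:14:00 10.0.0.5 203.0.113.7 tcp 6667 900",
    "2004-10-18T03:20:00 10.0.0.5 203.0.113.7 tcp 6667 4500000",
    "2004-10-18T11:00:00 10.0.0.9 198.51.100.10 tcp 443 1500",
]

if __name__ == "__main__":
    profiles = build_baseline(BASELINE)
    for host, reasons in monitor(profiles, MONITOR).items():
        print(f"ALERT {host}: {', '.join(reasons)}")
```

The point of the example is the contrast with signature matching: nothing in it knows what port 6667 is or what the transfer contained. The host is flagged only because it is doing something it never did during the baseline, at a time it was never active, moving far more data than usual, and because those deviations coincide. Tuning the baseline window, the sigma threshold and the escalation count is where the "2 to 4 weeks" of tuning mentioned below would go.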

If something is amiss, operators in the Global DataGuard monitoring center are alerted. Since the reporting and management software is web-based, a monitoring operator could be physically located anywhere.

Even Further Into The Future

Global DataGuard CEO Scott Paly sees new opportunities for his company's unique approach to intrusion detection.

The technology is currently available only as a contracted service through Global DataGuard.

Paly said that GDG will soon begin selling the client software and authentication components needed for an ASP to open its own monitoring service. Clients will also be able to purchase versions that allow their own security and operations staff to monitor network behavior and alerts. Using a web-based interface has greatly facilitated those markets.

By Q2-2005, Paly anticipates that customers will be setting up their own analysis engines, including clusters to do all their own in-house monitoring.

"We wanted to make it as flexible as possible," Paly said. He also emphasized that the company is "not selling anything we don't use daily."

Other future directions for the 20-person company include distilling multiple data sources into a behavior-based integrated security management dashboard and offering an on-demand feature. The on-demand feature is interesting in that it will allow GDG or ASPs to take over monitoring duties for temporary periods when a company's in-house monitoring staff may not be available.

Paly also wants to be able to add in other vendors' data, analyzing it through the behavioral engine software and enhancing the overall threat picture even further.

When asked about their participation in the Open Source Software world, Stute said that they've enhanced some of the standard network diagnostic tools like tcpdump, cpan and whois, and have routed their suggestions back into the community.

Stute couldn't say if they would ever offer a publicly released version of their analysis software, because the technology is patent pending and proprietary.

Global DataGuard offers a comprehensive threat detection and alerting package that works in ways other systems cannot. Using a sophisticated combination of behavioral analysis software and multi-machine processing to help you "connect the dots," it can help keep the criminals and terrorists out of your cyber neighborhood.

Rob Reilly is a consultant, who advises clients in the area of business and technical communication. He regularly writes Linux, presentation technology and portable computing related articles that appear in various high-end Linux and business media outlets. Visit his web site at http://home.earthlink.net/~robreilly.

Copyright Jupitermedia Corp. All Rights Reserved.