LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 07-21-2005, 09:21 AM   #1
nedianz
LQ Newbie
 
Registered: Mar 2005
Distribution: RedHat
Posts: 7

Rep: Reputation: 0
host based IDS in distributed setting


I have some confusions. Can anybody help me in my project?

1. As far as I understand, you need to have some application running on your system to be able to run a host-based IDS on it (I am particularly interested in anomaly-based IDS). And I assume that IDS needs to be configured on those applications so that it knows the normal characteristics and be able to monitor it. Can anyone correct me if this concept is wrong? If this is right then am I right in saying that in order to protect your system completely all applications running on the node should have corresponding IDS(s) monitoring them?

2. In continuation with the first question, can I have my application (a communication protocol running on distributed nodes) running on that node and an IDS monitoring that appliaction only? (say I am only interested in securing the system as far as my application is concerned so that no intruder can get into the system by attacking my application) Can I customize IDS for my application? any example IDS would be appreciated.

3. I am making some assumption during my work. One of them is that on the synchronous network (e.g. a company's LAN), among the multiple nodes participating in the execution, not all of them are compromised simultaneously. I am assuming that atleast one would remain unaffected/un-intruded atleast for some time. Is it an unrealistic assumption?

4. While designing a distributed architecture of nodes and running a communication protocol on them, I need some mechanism to ensure that nodes on all sites (by sites I mean various LANs participating on internet) are un-intruded when they start participating. Since ensuring this condition is not the focus of my study, can I safely assume that there would be some protection mechanism like IDS, firewall etc and would indicate incase it detects anything suspicious. Will this assumption be overburdening the systems by requiring too much? I guess all the security conscious administrators take security measures anyways.... don't they?

by the way I intend to use either RH or Fedora.

cheers.
 
Old 07-21-2005, 02:40 PM   #2
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Ok either I'm reading your post wrong, or your theory is a little off. If you want to run HIDS, you will install the HIDS program on each host you want to monitor traffic and set up rules based on known good traffic.
Quote:
I am making some assumption during my work. One of them is that on the synchronous network (e.g. a company's LAN), among the multiple nodes participating in the execution, not all of them are compromised simultaneously. I am assuming that atleast one would remain unaffected/un-intruded atleast for some time. Is it an unrealistic assumption?
I'm assuming your talking about if someone were to compromise a box on a LAN, would all boxes be compromised instantly or would it take a little time. Well, it depends on the intentions of the person compromising the box. They may not want to compromise all the other boxes, they may just want the one box to obtain data and get out of there. However, if they were trying to compromise all boxes, and they found a flaw in your program that is easily exploitable, then most likely, one box would be compromised, then they would run a script that would compromise the rest of the boxes on the lan, or depending on your network architecture and firewall architecture (or lack of), they may not need to compromise a box on the lan, they could just get them all in one swoop over the WAN.

If you can clear something up, you mention communication protocol and application, but you don't specify what exactly you are running, or is this a theoretical project. You will want to check a list of vulenrabilites of any software you are running, and keep up to date on patches.

To ensure boxes are not already compromised, you will basically have to just installed it from trusted media and never put it on the LAN and have never had anyone else use it. A NIDS or ethereal or tcpdump would be suggested to monitor the traffic on the LAN and this can help you possibly identify if there are any compromised boxes running.

This should get you started. Speak up with anymore questions.
 
Old 07-22-2005, 07:08 AM   #3
nedianz
LQ Newbie
 
Registered: Mar 2005
Distribution: RedHat
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for your reply. It was quite useful. Here are the "anymore questions"

Do all HIDS analyze traffic? Do some HIDS(s) not monitor other local system characteristics? I had read a couple of survey and research papers on HIDS and they were talking about training the HIDS for normal behaviour of the application and then run it in real environment once the normal behavior is been identified and stored (in some database) by the IDS. So for example they train their system with all possiblr normal runs of applications like Sendmail, lpr etc and then use them in real scenario. So I wrote the above post with that background actually and was wondering whether I can write my own code/application/program and train the system for that to detect any intrusions through my code later. Have you ever come across such HIDS? or am I talking about very rare kind of HIDS? I am not much aware of whats being used commercially but also want to support my research with the products in practice.

I got answer for question #3 that this assumption can be unrealistic as it's possible to compromise all of the boxes on a LAN simultaneously. Thanks for that.

For question #4, I got partial answer. I am sorry for writing an ambigous post without much details but I was trying to pose general questions. Let me try it here. I am trying to implement a communication ordering protocol which involves a number of sites and then a number of boxes in those sites so it involves both asynchronous(internet) and synchronous(LAN) network. All the nodes have some role to play, some active (actually taking decision) and some passive (just listening to the decisions) and the roles keep on changing depending upon the situation. I am adding some measures in this protocol to make it intrusion tolerant.

Now as you said "To ensure boxes are not already compromised, you will basically have to just installed it from trusted media and never put it on the LAN and have never had anyone else use it." I can ensure installation by trusted media but can't keep them disconnected from LAN. The questions are

1. On the nodes with active roles, How can I make sure that they are not being compromised during the execution of my application?

2. The same question for the nodes with passive roles, considering that they will eventually get active role sometime later and if intruded can affect the system by making wrong decisions.

3. As you said "You will want to check a list of vulenrabilites of any software you are running, and keep up to date on patches." How can I do that for my own application? for a java code that I am going to write to implement this protocol?

I don't know does all this make some sense now but your suggestions/questions/criticism are highly appreciated.
 
Old 07-22-2005, 09:58 AM   #4
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Quote:
1. On the nodes with active roles, How can I make sure that they are not being compromised during the execution of my application?
Write secure code. There are many books/resources available on how to write secure code. I am not much of a programmer (couple shell scripts here and there) so I'm not to familiar in that arena. You might have a good chance getting answers about writing secure code in the Programming section of this forum.
Install a Host integrity monitoring software like tripwire or osiris.
harden your system. Don't have any services running you don't need. Make sure the systems are behind a firewall, and as an additional layer, use iptables on each host. Do all this before connecting them to the LAN, have a drop all policy and open up as needed.

Quote:
2. The same question for the nodes with passive roles, considering that they will eventually get active role sometime later and if intruded can affect the system by making wrong decisions.
The same above mentioned works on the passive hosts as well. They are only passive because they aren't running an active role with your software, but they are still plugged in, turned on, and vulnerable.

Quote:
3. As you said "You will want to check a list of vulenrabilites of any software you are running, and keep up to date on patches." How can I do that for my own application? for a java code that I am going to write to implement this protocol?
Again, write secure code. Any software that isn't yours, keep up to date on the vulnerabilites and patches. Any software that is yours, test for vulnerabilites (buffer overflows are a big one).

As far as the HIDS, I don't want to steer you in the wrong direction, so this is my opinion/conclusion as I haven't done much with HIDS. If a HIDS can learn software, it can learn software, no matter what software it is. As long as it knows how the software is supposed to behave, it can match against that. Again, once your system is all setup, install tripwire or osiris, it will make sure files on your system aren't tampered with.

I hope this answers the questions you had.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to configure the virtual host based name? gz_xmg Linux - Networking 0 12-28-2004 01:12 AM
Name Based virutal host in apache Inexactitude Linux - Networking 9 04-11-2004 10:11 PM
Host-Based IDS... Linux~Powered Linux - Security 1 03-18-2004 04:58 PM
setting up an IDS box Mugatu Linux - Software 0 01-15-2004 12:31 PM
The remote host uses non-random IP IDs - How to fix this??? ForumKid Linux - Security 1 02-04-2002 01:39 PM


All times are GMT -5. The time now is 06:37 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration