LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   host based IDS in distributed setting (https://www.linuxquestions.org/questions/linux-security-4/host-based-ids-in-distributed-setting-345358/)

nedianz 07-21-2005 09:21 AM

host based IDS in distributed setting
 
I have some confusions. Can anybody help me in my project?

1. As far as I understand, you need to have some application running on your system to be able to run a host-based IDS on it (I am particularly interested in anomaly-based IDS). And I assume that the IDS needs to be configured for those applications so that it knows their normal characteristics and is able to monitor them. Can anyone correct me if this concept is wrong? If this is right, then am I right in saying that, in order to protect your system completely, all applications running on the node should have corresponding IDS(s) monitoring them?

2. In continuation of the first question, can I have my application (a communication protocol running on distributed nodes) running on that node and an IDS monitoring that application only? (Say I am only interested in securing the system as far as my application is concerned, so that no intruder can get into the system by attacking my application.) Can I customize an IDS for my application? Any example IDS would be appreciated.

3. I am making some assumptions during my work. One of them is that on a synchronous network (e.g. a company's LAN), among the multiple nodes participating in the execution, not all of them are compromised simultaneously. I am assuming that at least one would remain unaffected/un-intruded, at least for some time. Is it an unrealistic assumption?

4. While designing a distributed architecture of nodes and running a communication protocol on them, I need some mechanism to ensure that nodes on all sites (by sites I mean various LANs participating over the Internet) are un-intruded when they start participating. Since ensuring this condition is not the focus of my study, can I safely assume that there would be some protection mechanism like an IDS, firewall etc. that would give an indication in case it detects anything suspicious? Will this assumption be overburdening the systems by requiring too much? I guess all security-conscious administrators take security measures anyway... don't they?

By the way, I intend to use either RH or Fedora.

cheers.

jonlake 07-21-2005 02:40 PM

OK, either I'm reading your post wrong, or your theory is a little off. If you want to run a HIDS, you will install the HIDS program on each host you want to monitor traffic on and set up rules based on known good traffic.
Quote:

I am making some assumptions during my work. One of them is that on a synchronous network (e.g. a company's LAN), among the multiple nodes participating in the execution, not all of them are compromised simultaneously. I am assuming that at least one would remain unaffected/un-intruded, at least for some time. Is it an unrealistic assumption?
I'm assuming you're talking about whether, if someone were to compromise a box on a LAN, all boxes would be compromised instantly or it would take a little time. Well, it depends on the intentions of the person compromising the box. They may not want to compromise all the other boxes; they may just want the one box to obtain data and get out of there. However, if they were trying to compromise all boxes, and they found a flaw in your program that is easily exploitable, then most likely one box would be compromised, then they would run a script that would compromise the rest of the boxes on the LAN. Or, depending on your network architecture and firewall architecture (or lack of one), they may not need to compromise a box on the LAN; they could just get them all in one swoop over the WAN.

If you can clear something up: you mention a communication protocol and an application, but you don't specify what exactly you are running, or whether this is a theoretical project. You will want to check a list of vulnerabilities of any software you are running, and keep up to date on patches.

To ensure boxes are not already compromised, you will basically have to just install them from trusted media, never put them on the LAN, and never have had anyone else use them. A NIDS, or ethereal or tcpdump, would be suggested to monitor the traffic on the LAN, and this can help you possibly identify if there are any compromised boxes running.

This should get you started. Speak up with any more questions.

nedianz 07-22-2005 07:08 AM

Thanks for your reply. It was quite useful. Here are the "any more questions":

Do all HIDS analyze traffic? Do some HIDS(s) not monitor other local system characteristics? I had read a couple of survey and research papers on HIDS, and they were talking about training the HIDS for the normal behaviour of the application and then running it in the real environment once the normal behaviour has been identified and stored (in some database) by the IDS. So, for example, they train their system with all possible normal runs of applications like Sendmail, lpr etc. and then use them in a real scenario. So I wrote the above post with that background, actually, and was wondering whether I can write my own code/application/program and train the system for that to detect any intrusions through my code later. Have you ever come across such a HIDS? Or am I talking about a very rare kind of HIDS? I am not much aware of what's being used commercially but also want to support my research with the products in practice.

I got an answer for question #3: this assumption can be unrealistic, as it's possible to compromise all of the boxes on a LAN simultaneously. Thanks for that.

For question #4, I got a partial answer. I am sorry for writing an ambiguous post without much detail, but I was trying to pose general questions. Let me try it here. I am trying to implement a communication ordering protocol which involves a number of sites and then a number of boxes in those sites, so it involves both asynchronous (Internet) and synchronous (LAN) networks. All the nodes have some role to play, some active (actually taking decisions) and some passive (just listening to the decisions), and the roles keep on changing depending upon the situation. I am adding some measures to this protocol to make it intrusion tolerant.

Now, as you said, "To ensure boxes are not already compromised, you will basically have to just installed it from trusted media and never put it on the LAN and have never had anyone else use it." I can ensure installation from trusted media but can't keep them disconnected from the LAN. The questions are:

1. On the nodes with active roles, how can I make sure that they are not being compromised during the execution of my application?

2. The same question for the nodes with passive roles, considering that they will eventually get an active role sometime later and, if intruded, can affect the system by making wrong decisions.

3. As you said, "You will want to check a list of vulenrabilites of any software you are running, and keep up to date on patches." How can I do that for my own application? For the Java code that I am going to write to implement this protocol?

I don't know whether all this makes sense now, but your suggestions/questions/criticism are highly appreciated.
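The "train the IDS on all normal runs of Sendmail, lpr etc., then run it for real" scheme described in the post above is the system-call sequence approach from the HIDS research literature: the profile of normal behaviour is the set of short, fixed-length sequences of system calls the program makes, and a run is flagged when too many of its sequences were never seen in training. The following is an added example written for this page, not code from the thread or from any IDS product. The traces are constructed by hand; a real deployment would collect them with strace or the audit subsystem from the protected process (here a hypothetical "protocol daemon"). Window length and threshold are tunables of the method, not values from the papers.

```python
"""System-call sequence anomaly detection (the "train on normal runs" HIDS idea).

Added example, not code from this thread or from any IDS product.  A profile of
"normal" is the set of short fixed-length system-call sequences seen while the
application runs under trusted conditions; at run time any sequence absent from
the profile is a mismatch, and a run whose mismatch rate exceeds a threshold is
flagged.  All traces below are constructed for illustration; real traces would
come from strace/auditd on the protected process.
"""
from collections import deque

WINDOW = 3  # length of the syscall sequences we learn (a tunable of the method)


def windows(trace, k=WINDOW):
    """Yield every length-k sliding window over a syscall trace as a tuple."""
    buf = deque(maxlen=k)
    for call in trace:
        buf.append(call)
        if len(buf) == k:
            yield tuple(buf)


def train(normal_traces, k=WINDOW):
    """Build the normal profile: the set of all k-length sequences seen in training."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile


def score(trace, profile, k=WINDOW):
    """Return (mismatches, total_windows, unseen_sequences) for a monitored run."""
    unseen = []
    total = 0
    for w in windows(trace, k):
        total += 1
        if w not in profile:
            unseen.append(w)
    return len(unseen), total, unseen


def is_anomalous(trace, profile, k=WINDOW, threshold=0.1):
    """Flag a run whose fraction of unseen sequences exceeds the threshold."""
    mismatches, total, _ = score(trace, profile, k)
    return total > 0 and mismatches / total > threshold


# Constructed "normal" runs of a hypothetical protocol daemon (not real traces).
NORMAL_RUNS = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "write", "close",
     "accept", "read", "write", "close"],
]

# Constructed run in which a crafted message makes the daemon spawn a shell.
ATTACK_RUN = ["socket", "bind", "listen", "accept", "read",
              "execve", "dup2", "dup2", "read", "write"]

# Constructed legitimate run that the training set did not cover (three reads).
UNSEEN_NORMAL_RUN = ["socket", "bind", "listen", "accept",
                     "read", "read", "read", "write", "close"]


def demo():
    """Train on NORMAL_RUNS and score the other two traces; returns the results."""
    profile = train(NORMAL_RUNS)
    return {
        "profile_size": len(profile),
        "attack": score(ATTACK_RUN, profile)[:2],
        "attack_flagged": is_anomalous(ATTACK_RUN, profile),
        "unseen_normal": score(UNSEEN_NORMAL_RUN, profile)[:2],
        "unseen_normal_flagged": is_anomalous(UNSEEN_NORMAL_RUN, profile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attack run is flagged because the five sequences around `execve` never occur in training. The third trace shows the caveat behind "all possible normal runs": a perfectly legitimate run with three consecutive reads is also flagged at a 10% threshold, because the profile contains only what training happened to cover. Coverage of the training set and the threshold choice decide the false-positive rate of this kind of HIDS, and since the profile is per program it says nothing about other processes on the host; that is the answer to question 2 in the first post (an IDS for one application only is possible) and to the worry in question 1 (it then protects only that application).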

jonlake 07-22-2005 09:58 AM

Quote:

1. On the nodes with active roles, how can I make sure that they are not being compromised during the execution of my application?
Write secure code. There are many books/resources available on how to write secure code. I am not much of a programmer (a couple of shell scripts here and there), so I'm not too familiar with that arena. You might have a good chance of getting answers about writing secure code in the Programming section of this forum.
Install host integrity monitoring software like Tripwire or Osiris.
Harden your system. Don't have any services running that you don't need. Make sure the systems are behind a firewall, and, as an additional layer, use iptables on each host. Do all this before connecting them to the LAN; have a drop-all policy and open up as needed.

Quote:

2. The same question for the nodes with passive roles, considering that they will eventually get an active role sometime later and, if intruded, can affect the system by making wrong decisions.
The same above-mentioned measures work on the passive hosts as well. They are only passive because they aren't running an active role with your software, but they are still plugged in, turned on, and vulnerable.

Quote:

3. As you said, "You will want to check a list of vulenrabilites of any software you are running, and keep up to date on patches." How can I do that for my own application? For the Java code that I am going to write to implement this protocol?
Again, write secure code. For any software that isn't yours, keep up to date on the vulnerabilities and patches. For any software that is yours, test for vulnerabilities (buffer overflows are a big one).

As far as the HIDS goes, I don't want to steer you in the wrong direction, so this is my opinion/conclusion, as I haven't done much with HIDS. If a HIDS can learn software, it can learn software, no matter what software it is. As long as it knows how the software is supposed to behave, it can match against that. Again, once your system is all set up, install Tripwire or Osiris; it will make sure files on your system aren't tampered with.

I hope this answers the questions you had.
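The "install Tripwire or Osiris so files aren't tampered with" advice above is a host integrity check: record a trusted baseline of the file system once, then rescan and report anything that differs. The following is an added example written for this page, not code from the thread or from Tripwire or Osiris. It records a SHA-256 digest plus size and permission bits per file, round-trips the baseline through JSON, and reports added, removed and modified paths. The directory tree, the hypothetical "protocold" daemon and its config are constructed for the demonstration.

```python
"""Minimal host integrity baseline check in the Tripwire/Osiris style.

Added example, not code from this thread or from Tripwire or Osiris.  Take a
baseline of a directory tree (SHA-256 digest, size and permission bits of every
regular file), save it, and later compare a fresh scan against it to report
files that were added, removed or modified.  The tree built in demo() is
constructed for illustration; "protocold" is the poster's hypothetical protocol
daemon, not a real program.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice this file lives on read-only or remote media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines; a change in digest, size or mode counts as modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a throwaway tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        daemon = os.path.join(root, "bin", "protocold")
        conf = os.path.join(root, "etc", "protocold.conf")
        with open(daemon, "wb") as f:
            f.write(b"#!/bin/sh\necho protocold\n")
        os.chmod(daemon, 0o755)
        with open(conf, "w") as f:
            f.write("peers=10.0.0.2,10.0.0.3\n")
        os.chmod(conf, 0o644)

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(take_baseline(root), baseline_file)  # the trusted state

        # Simulated tampering: binary altered, config made world-writable
        # (content unchanged, so only the mode differs), and a file dropped in.
        with open(daemon, "wb") as f:
            f.write(b"#!/bin/sh\necho protocold\n# line added by an intruder\n")
        os.chmod(conf, 0o666)
        with open(os.path.join(root, "bin", ".backdoor"), "wb") as f:
            f.write(b"")

        return compare(load_baseline(baseline_file), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things the tool's output does not say on its own. First, the baseline is only as trustworthy as where it is kept: an intruder with root on the host can re-baseline or edit the JSON, which is why Tripwire-style tools sign the database or keep it on read-only or remote media, and why the baseline must be taken right after the trusted-media install and before the box goes on the LAN, as the post says. Second, this check detects tampering after the fact and only when it touches a file; a compromised process that never writes to disk is invisible to it, so for the "compromised during execution" question it complements the hardening, firewall and drop-all iptables policy above rather than replacing them.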

