Patrolling Networks For Insecurities
Mojo Jojo writes "There's a story on developerWorks about DARPA-funded work being done at Stanford Research Institute (aka SRI International) to develop something called Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) -- software components that are capable of providing anomaly and misuse detection for networks. EMERALD components monitor local activity, then work in conjunction with analysis engines for visualization, response, correlation, and
data logging to provide a global picture of what's occurring throughout the network. Sort of like having beat cops and police call boxes throughout your network (or something)."
An opensource IDS (Score:2)
Re:I dunno about this (Score:1)
Finger a friend for world peace (Score:2)
Today, it seems finger is the product of a smear campaign to further the evils of ICQ and that AOL chat thingie or whatever they are called these days. Today's pop chat technology is a step backwards in the dark ages.
PORTMAN (Score:1)
The Patriotic Organisation for Reliable Transmission of Mysterious Additional iNformation.
DIAMOND (Score:1)
Distributed
Incoming
Anomaly
Monitor
Observing
Network
Disturbances
Re:Such Old "News" (Score:1)
Not every IDS can be bypassed by using the hex escape characters. Those that can be should be dragged out into the street and shot. They're doing the equivalent of selling a door lock and saying "No one can possibly ever pick this lock. Unless they wiggle the doorknob."
Where's the value in an IDS if bypassing it is this trivial?
Such Old "News" (Score:5)
EMERALD is not an evil government plot, nor is it interesting new technology that will change anyone's life. It's simply another research intrusion detection system, and it's been around for years. The people working on it are smart (I met and talked to Philip Porras at a Common Intrusion Detection Format meeting), but the project itself is less far-reaching than any of the commercial systems already on the market.
EMERALD is interesting primarily as a framework for building intrusion detection systems. It's component-based and designed to allow different "event generators" to be combined for analysis. This is a goal of a large number of research projects. The reason EMERALD comes up a lot is that it has a relatively well-defined and powerful rule-based analysis engine to process events.
This framework differs from commercial systems like ISS RealSecure in that the sensors, which collect information from the network (or logs, or whatever) don't do the bulk of the analysis work. Unlike RealSecure, in which the raw network sniffing code is also responsible for knowing about almost every vulnerability the system detects, EMERALD allows the sniffer system to forward low-level "events" to an analysis engine that can detect attacks.
The two basic advantages of this approach are that you can more scalably detect simple attacks and you can detect a wider range of intrusion scenarios. The system scales better because it splits the load of event generation (sniffing) and analysis (attack detection) into two components, instead of coupling them into one component like RealSecure. The system can detect more interesting attacks because it offloads analysis into a rule-based engine (basically, an "intrusion detection programming language"), so it can flexibly do things like statefully correlate different events from different event generators.
This is all nice and good, but the fact is that EMERALD is (at least, until recently) a research project with very little real-world usage. It's a nicer architecture than RealSecure, but in terms of real-world impact, RealSecure is more important; RealSecure has a fairly mature "sniffing" engine, a large database of attack signatures, and an interface that makes it easy for network operators to violate your privacy.
Anyone (the NSA, your ISP, your mother) can buy RealSecure if they have the cash. It's been available for years and years. You can deploy a RealSecure system to do everything EMERALD can currently do. And most of the interesting new capabilities EMERALD promises IMPROVE the privacy aspects of the system. You can't get a whole lot more intrusive than the "snoop every packet" semantics RealSecure already has.
So, what's the news here?
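The decoupled design the post above describes (sensors forward low-level events, a rule-based engine keeps state and correlates across generators) as an added toy example; this is illustrative code written for this page, not EMERALD's or RealSecure's, and the event tuple format, the two constructed generators ("sniffer", "syslog") and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed low-level events, as a sniffer or a log reader might forward them
# to a separate analysis engine: (time, generator, src, kind, detail).
# The format and the values are made up for illustration.
EVENTS = [
    (100, "sniffer", "10.0.0.7", "conn", 22),
    (101, "sniffer", "10.0.0.7", "conn", 23),
    (102, "sniffer", "10.0.0.7", "conn", 25),
    (103, "sniffer", "10.0.0.7", "conn", 80),
    (104, "sniffer", "10.0.0.7", "conn", 110),
    (110, "syslog",  "10.0.0.7", "auth_fail", "root"),
    (111, "syslog",  "10.0.0.9", "auth_fail", "bob"),   # no prior scan from this host
    (300, "sniffer", "10.0.0.7", "conn", 443),          # outside the scan window
]

class Analyzer:
    """Rule-based engine that keeps state across events from any generator.

    Rule 1: >= scan_ports distinct destination ports from one source inside
            `window` seconds -> port_scan.
    Rule 2: a login failure from a source flagged by rule 1 within `window`
            seconds -> escalated alert; otherwise a plain login_failure.
    """
    def __init__(self, scan_ports=5, window=30):
        self.scan_ports = scan_ports
        self.window = window
        self.ports = defaultdict(deque)   # src -> deque of (time, port)
        self.scanners = {}                # src -> time of its port_scan alert
        self.alerts = []

    def feed(self, ev):
        t, _gen, src, kind, detail = ev
        if kind == "conn":
            q = self.ports[src]
            q.append((t, detail))
            while q and t - q[0][0] > self.window:   # expire old entries
                q.popleft()
            if len({p for _, p in q}) >= self.scan_ports and src not in self.scanners:
                self.scanners[src] = t
                self.alerts.append(("port_scan", src, t))
        elif kind == "auth_fail":
            seen = self.scanners.get(src)
            if seen is not None and t - seen <= self.window:
                self.alerts.append(("scan_then_login_failure", src, t))
            else:
                self.alerts.append(("login_failure", src, t))
        return self.alerts

def run(events):
    """Feed events to one analyzer in time order and return its alerts."""
    eng = Analyzer()
    for ev in sorted(events, key=lambda e: e[0]):
        eng.feed(ev)
    return eng.alerts
```

Neither generator knows what a port scan is; only the analyzer does, which is the point of keeping the rules out of the sniffer.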
Re:Decrypting SSL? (Score:1)
But I wonder... How many intruders connect to webservers over SSL when they're trying to hack into it? I guess it could help hide their tracks because external-to-the-web-server intruder detection tools wouldn't be able to see what they're doing. Maybe?
Re:Non-Profit Corp (Score:1)
GPG password (Score:1)
Are there living people still working on this project? Was anyone able to get the #@%@!$ password out of them, and if so what the #$%#@ is it?
Slow down (Score:1)
This has been a concept for some time and in fact I tossed around the idea of a "Distributed Protection of Services" plan a while back, in February to be exact, and here's why most won't work.
Lazy or busy Admins
Try getting your lazy or busy admin to try and delegate programs such as this over +1000 machines and then tell him he has to trust someone else sharing this information.
Updates Updates
Name a single source entity to poll information from, it definitely shouldn't be one source since last I recalled SecurityFocus and MS had issues as does collaboration between CERT, HERT, SANS, and every other acronymed advisory board on a one shot Advisory system. (everyone wants their last words in somehow)
Policing
Who would be in overall charge of this system, the admins of the network or should they trust some shared information with others, or should we just give all trust to big brother?
Providers, ISP's, Co-lo providers
Yes competition is in a rush to share information with each other. What makes anyone think there would be uniformity when half of all ISP's, Co-lo's, and misc. providers, can't even create simple access lists on their routers let alone join together on a massive project.
Salesman Mumbo Jumbo
What about those who would take a semi nice idea and create a 'for-profit' product only to become somewhat of a PKI'ish joke where everyone thinks they need this "NEW" thing whereas they could do fine with some other Managed Intrusion Detection Service?
DAMN!@ I bitched about nothing sign me up for 2!
Firestone Tires Spoof [antioffline.com]
Re:Hmmm... Sounds a little like 'Carnivore'... (Score:3)
So by your logic, they are also in the DOD, FBI, and NSA's best interest.
The tcpdump utility uses the libpcap, which was developed at Laurence Berkeley NATIONAL LABORATORY!
I suppose you will just have to balance the risk of being cracked by non-government individuals versus the risk of using US government developed network monitoring tools to protect yourself.
Nice but cumbersome, (Score:4)
1. Place multiple hosts into a single collision domain for monitoring of unicast traffic. This has serious performance ramifications.
2. Use an inline monitor in each collision domain where you want to monitor unicast frames.
This can be very expensive, and would get cumbersome to maintain if you have a dozen or more servers to watch.
3. Use Tap ports (available on some switches) to direct all unicast frames to a designated switch monitoring port.
This also has issues, as the tap ports are generally a low priority process in the switching engine, and often a simple DOS can cause the switching engine to drop packets rather than forward them to the tap port. I have also done some testing and have found that many (most) tap port services on switches are broken or selective in what traffic they forward to the tap. I can't speak for them all, but I have tested several top vendor products. I have a multi-homed (8) interface box that I have designed and abandoned in developing (no time) which runs linux. It's basically an 8 interface sniffer so that I can sniff up to 8 segments at a time. Even this sort of approach is really limited. Maybe they should look at a way to piggy-back patch panels in the comms room, and run a split back to an aggregator so they can sniff 'everything at once' without having to deploy many, many monitors. Hey, that's a cool idea.
Re:Hmmm... Sounds a little like 'Carnivore'... (Score:2)
This is silly. An IDS like this monitors the nature of the traffic into/on the network, not the content of the data.
It's the difference between the network of infrared, motion, and doorway sensors of a home alarm system and a pervasive network of microphone & cameras.
NOT Already bein' done by Captus (Score:2)
From the SRI EMERALD synopsis:-
EMERALD
Captus' IDS component only utilizes a statistical analysis, and only gathers data from the traffic stream it sees (vs. EMERALD's distributed sensors.)
That's not to say the concepts in EMERALD aren't being used elsewhere. I know ISS' IDS solution has something similar in terms of distributed sensors and central reporting. I'm not sure what methods they use for analysis, though.
hmmm (Score:1)
"URL ExchangeTM"
apparently... they have a product based on the absolute necessity that businesses have to SHARE BOOKMARKS...
didn't know there was a market for that...
I dunno about this (Score:1)
Is that really that hard to do? Detection is easy, dealing with it is the hard part. There isn't a whole lot that detection will help you with. Just sounds like a bunch of hype to me, to lure business executives.
Jr
Hmmm... Sounds a little like 'Carnivore'... (Score:4)
EMERALD (They must have *really* worked to put this acronym together) seems on the surface to be quite a bit less scary than Carnivore. It monitors your network and reports back to you, but the project *is* DARPA funded, and ultimately serves the DOD's (and therefore the FBI and NSA's) best interests. This is the line that has me really concerned:
Plus, with resolver, an additional EMERALD software component, alerts are consolidated across multiple network domains within a single reporting console.
Does this mean that there are ways built into the software to monitor one firewalled network from another? They had better release the source for all components for review, or I ain't touchin' it with a ten-foot pole. If there are backdoors in Windows, then it's just too-too easy to put a DOD or NSA back-door into something like this.
general network monitoring (Score:4)
Emerald fits into a subset of the network monitoring that is coming of age as we speak. The IETF [ietf.org] has already begun to try and standardize protocols for use in this area...check out the Intrusion Detection Working Group [ietf.org] for more info (the results produced by the IDWG would standardize the transfer from producers to consumers mentioned in the article).
-Greg
A Screenshot (Score:2)
SRI Screenshot [packphour.com]
Decrypting SSL? (Score:4)
EMERALD security components can also help users analyze communications traffic, collecting Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) and Web server data directly from the Transmission Control Protocol (TCP) traffic stream. "For Web traffic where we deal with Secure Socket Layer (SSL) and cryptography, we've created an embedded component to decrypt Apache Web server traffic, and we're extending it over to Netscape's Web server," Porras said.
Are they really saying that, for the purposes of intrusion detection, they will be decrypting SSL traffic off the wire and on the fly? More to the point, they're saying that this can be (relatively) easily done?
Or, is it that they're talking about an Apache module which will examine the traffic on the other side of the tunnel? The wording is a little confusing.
some stuff available (Score:3)
At least someone with some brains and experience will be able to look at it and give it a thumbs up or thumbs down.
Re:Beta Testing a New IDS (Score:1)
Re:Beta Testing a New IDS (Score:1)
Even though you were trolling here.
Re:Such Old "News" (Score:2)
Any IDS that you come up with, no matter what its features are, what it can look for, how many packets it can sniff in an hour, it is still just an IDS.
It can be bypassed easily, for example by using %74%65%73%74-%63%67%69 in a URL rather than test-cgi.
The majority of IDS's that I have seen (including Real Secure, not sure about EMERALD though) will not detect that whatsoever.
IDS's only represent a small percentage of security and should never be relied on. The majority of security lies in Network Structure, Firewalling, keeping up to date with patches for vulnerabilities, and the KISS rule (Keep It Simple, Stupid).
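The hex-escape problem raised in this post and in the reply "Re:Such Old 'News' (Score:1)" above comes down to matching signatures against the raw request instead of a decoded one. This is an added example, not code from any IDS product named on the page; the signature list and the sample request lines are constructed, and it shows a naive matcher beside one that canonicalizes the URI first.

```python
from urllib.parse import unquote

# Constructed signature list: URI substrings a signature-based IDS might flag.
# Illustrative only, not any product's real rule set.
SIGNATURES = ("test-cgi", "phf", "../")

def naive_match(uri: str):
    """Raw substring match: the behaviour the post above complains about."""
    return [s for s in SIGNATURES if s in uri]

def canonicalize(uri: str, max_rounds: int = 2) -> str:
    """Decode %XX escapes before matching.

    Decoding is repeated up to max_rounds times so a doubly encoded
    '%2574' (-> '%74' -> 't') is also normalised; the bound keeps a
    pathological input from looping. Case is folded so the match does
    not depend on the letter case the requester chose.
    """
    cur = uri
    for _ in range(max_rounds):
        nxt = unquote(cur, errors="replace")
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()

def normalized_match(uri: str):
    """Same signatures, applied to the canonical form of the request."""
    return [s for s in SIGNATURES if s in canonicalize(uri)]

# Constructed sample request paths, in the spirit of the post's example.
SAMPLE_URIS = [
    "/cgi-bin/test-cgi?foo",
    "/cgi-bin/%74%65%73%74-%63%67%69?foo",     # hex-escaped, as in the post
    "/cgi-bin/%2574%2565%2573%2574-%63gi",      # double-encoded prefix
    "/index.html",
]

def scan(uris):
    """Return (naive_hits, normalized_hits) over a list of request paths."""
    naive = sum(1 for u in uris if naive_match(u))
    norm = sum(1 for u in uris if normalized_match(u))
    return naive, norm

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:40} naive={naive_match(u)} normalized={normalized_match(u)}")
```

Decoding before matching is what a sensor must do if the rule engine behind it is ever going to see "test-cgi" in a request that was sent as %74%65%73%74-%63%67%69.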
Networks have insecurities just like all of us (Score:3)
Have you hugged your network today?
SRI is not Stanford Research Institute (Score:1)
Re:Already bein' done (Score:1)
Re:Beta Testing a New IDS (Score:2)
I know there are those out there who resent the presence of the A.C. posting privilege, and that some of them will do whatever they can to terrorize the people who read this site into not looking at A.C. posts.
It's a 'tragedy of the commons' situation, and just a smaller version of the breakdown of the consensus model on which the 'Net as a whole is based.
SRI's patented EMERALD technology (Score:1)
Re:NATALIE (Score:2)
Clearly (Score:3)
If we can keep it from becoming (Score:1)
EMERALD's intrusion detection architecture is based on software components that address real-time detection, analysis, and response for a broad range of external and internal threats. What's more, EMERALD components were designed to be independent, dynamically deployable, easily configurable, reusable, and broadly interoperable, Porras said
What year is it? (Score:1)
Dancin Santa
NATALIE (Score:1)
The National Association for the
Termination of Acronym Labels by Idiotic Entities.
Anybody else sick of all the acronyms?
--
caution! subliminal trolling!
really... (Score:1)
Back when we didn't have network security problems (Score:2)
What was I saying? Oh yeah, I'll just reread what I wrote (how much more convenient than talking, where you don't get that option!). I remember now. Network security is a tough nut to crack, because you have to plan ahead and anticipate new attacks. No matter how much you think you're on the ball, some wiseguy will come along and show you what-for. It's like politics that way, except the stakes are more personal, since it's your own coin collection they're trying to steal. Or was it your wheel password? I can't remember.
No, wait, it's your wheel password. You kids call it "root", these days, but I like to think that not everything old should be thrown away. Where would that leave me? It's so lonely.
Already bein' done (Score:2)
Captus Networks [captusnetworks.com]. Damn, wish I'd actually accepted now...
Re:Acronyms (Score:1)
Then you must love the new RAM I invented! Primary Access Redundant Array Linear Logic Extended Life Overclocking Gigahertz Random Access Memory
looks familiar (Score:1)
Re:Beta Testing a New IDS (Score:1)
*ATTENTION* Please, if you value your eyes, don't click on the link above. Especially if you run Opera that saves the last open windows when closed.
You sir are EVIL!
All the "network analysis" that I need...... (Score:2)
Sniffers Rule
just an IDS (Score:3)
Maybe the big thing is that they're trying to replace the intrusion detection analyst with software... which might not be such a great idea since all (unless broken
Good Cop - Bad Cop (Score:1)
Just to be a pain, this seems to be a good idea.
How do you tell a benevolent port scan from some script kiddy.
Beat cops usually wear a uniform and say hi before they strip search your car.
Re:Beta Testing a New IDS (Score:1)
Here is an amusing thought.. (Score:2)
I wonder if they are going to cause a major fuss over the fact that this software infringes on their trademark and copyright of the name, and their software also does a lot of network monitoring stuff, while it certainly isn't as advanced... this new EMERALD might have to change their name to DINTCTNDBIMABB (Damn I need to check the name database before I make a big booboo)
(grin)
Re:Decrypting SSL? (Score:1)