Part One: Management Issues
Your goal is to show management that this is part of an overall integrated informationassurance strategy that has tangible benefits to the organization. The key to doing this is to show that your proposed solution has the following characteristics:
●Bang for the buck.
●The expenditure is finite and predictable.
●The technology will not destabilize the organization.
●This is part of a larger, documented strategy.
Bang for the Buck
You need to be realistic. Intrusion detection is fairly costly. You need two fast computers ($2.5k each). If you choose commercial intrusion-detection solutions, the software license ($10k, to start), means that it costs $15k just to say intrusion detection. The network might need to be altered and there is the __ work-year salary and overhead for the intrusion-detection analyst; you could easily be talking $100k. But wait, there is more, bandwidth is increasing, so you need six sensors and a Top Layer switch just to watch the web farm, add another $100K. You need a database to search for slow speed scans and a correlation engine with a hardware RAID to hold all this data, add another $150K easily. In an environment focused on cost reduction, you are going to have to show a significant benefit to justify this expense.
The good news is that you can do exactly that. Risk is part of the business equation. In fact, there are markets that buy and sell denominated risk every day. Did you skip over the risk chapter? What is one way an intrusion-detection system helps reduce the annualized loss expectancy (ALE)? By observing the attacks against your organization, the analyst can assist the organization in fine-tuning its firewall and other defenses to be resistant to these attacks. Is that worth $100k - $350k? If not, here is another way an intrusion-detection system helps reduce loss. To conduct business, you might find that certain applications, or situations, require that some vulnerabilities need to be left on systems. A common example is that when you apply the recommended security patches to a system, it breaks some application. The intrusion detection can be focused on that particular vulnerability. In fact, this is an ideal opportunity to use that Reset kill you have been itching to try. There is a bang for the buck using intrusiondetection systems.You can show it, and you can quantify it.
Intrusion Detection Using Firewalls
One of the incredible changes on the market has been firewalls that log full binary data. OpenBSD's IPFilter and the commercial Raptor firewall can log data in BPF format. This binary logging allows you to run Snort or TCPdump filters against this information. This is incredible! I have already mentioned hogwash and UnityOne, firewall appliances with an IDS capability built in. My personal preference is to use two devices—if one fails the other continues to run.
Also, firewalls that do not have a binary logging capability can still be used in intrusion detection. As an example, Dshield (www.dshield.org), the technology that powers incidents.org, uses firewall data for its large-scale intrusion-detection capability. Firewalls certainly can be sensors. To be sure, firewalls that do not log most of the TCP header field values, such as TCP flags, only allow for very limited analysis. If you have a firewall with the fidelity of a Linux firewall (such as IPtables, for example), however, you can do a lot of the traffic-analysis techniques you have learned in this book.
If you do not have an IDS available, you can and should begin to apply what you have learned from this book by reviewing your organization's firewall logs. Needless to say, get permission first and be slow to raise alarms!
The Expenditure Is Finite
You know the old adage about a boat being a hole in the water you throw money into. I was
reading a Sunday paper column recently titled, "Ten Tips on How to Increase Your Personal Wealth." One of the tips was don't buy a boat; if you have a boat, sell it. I am not so interested in wealth that I am ready to ditch my boats, but they do keep costing money (and they are mostly sea kayaks).
Here is one more house story that will help you understand a senior manager's concerns about containing expense. One day, I realized that everything I did was done on a small fleet of laptops and a cell phone with a trillion monthly minutes. In that moment, I realized I could live anywhere I want as long as the area has cell towers and DSL or better. My wife and I settled on Hawaii, and as luck would have it, DoD called the next day and asked me to do two weeks of consulting on an IDS visualization project on Oahu, so Kathy and I flew down to the islands. Two weeks later, we bought a dream house on Kauai on the rim of a canyon overlooking the Wailua River halfway between the rainforest and the beach. A month after we moved in, the dream house became a nightmare house as it suddenly settled into the soft earth of what had formerly been a pineapple field. A parade of insurance agents came through claiming it was not covered, followed by structural engineers saying they had never seen this before. Finally, a wise local pointed me to the best contractor on the island, Luis Soltren—truly the best contractor I have ever seen—but the house was totaled. Luis, like anyone who is the best at what he does, is not cheap. It was the money pit, (never watch that movie if you are remodeling), up close and personal. Every time they pulled a piece of sheetrock or a tile, we would find more problems. Luis would shout for one of us and we would look and shudder. I did remodeling in college, have built a house, and roofed dozens, so I know a bit about the trade, and Luis was spot on—these were all must-do repairs. The bill kept getting higher and higher. When it crossed, no joke, $200k, I was sick to my stomach, and it kept going. We are finally done, and I learned a very important lesson. The phrase total cost of ownership is very popular in information technology, and I never really considered it until I was caught in a project, my house, where it wasn't possible to calculate what the final costs were going to be; they just kept going up.
Now, let's apply what we have learned from this story to intrusion detection and your organization's senior management. Keep in mind that good managers treat every dollar as if it is their own, and uncontrollable costs make them feel the way my house made me feel.
When it comes to intrusion detection, management might well be willing to pay the $100k or whatever, but management needs to be shown why the expenses you propose in your plan are probably correct and that you aren't going to have to come back for more and more money. For instance, a classic error is to plan on using older, last-generation PCs for the intrusion system. I propose the opposite. Buy the latest-generation PCs for intrusion detection, and after six months to a year, roll them out as desktop machines.
Management will appreciate this as an honest and workable approach. It gives the organization the best possible intrusion-detection capability and the hardware upgrades are essentially free
because buying new desktops is part of the computing life cycle.
Technology Used to Destabilize
The signature line of the hymn "Amazing Grace" is "I once…was blind, but now I see." This is what an intrusion-detection system does: It helps an organization go from a blind state to a seeing state. Time and time again, students who take the intrusion-detection curriculum we teach at SANS go back and start looking at their data and they realize they really need to change the way they do business. This is a good thing! However, it is a change, and people are suspicious of and resistant to change. When you propose intrusion detection, you must be sensitive to the potential for organizational change and make every effort to show that the IDS will "fit in." Some of the potential impacts to the organization are the configuration of the network, the effects on behavior of employees, and the need for additional policy support.
Network Impacts
We have discussed the challenges of deployment on switched networks. This needs to be carefully coordinated with the network operations people before the purchase order for the IDS is cut. The best thing to do is to get the spanning port working with a protocol analyzer; most
network operations groups have one or more protocol analyzers. If the spanning port is difficult for your networks operations people to configure and maintain, network taps should be considered for the listening ports on the IDS. Many people feel that good practice for an IDS sensor is to be provisioned with multiple interface cards:
●Listening ports in promiscuous mode but without IP addresses. This makes it hard for attackers to find the sensor's listening ports.
●One interface, with an IP address, is used to communicate with the sensor.
The IDS will almost certainly require a firewall modification. Commercial vendors all seem to think that writing their own proprietary protocol for communications among their IDS consoles, sensors, and databases sets them apart from their competition. And of course, they are literally correct. Do your homework and research what ports need to be opened. If the IDS can be modified to use an existing hole in the firewall, use that. Even proxy-based firewalls often have a pass-through hole; a "suck-and-spit" proxy with no protocol knowledge already running to support some application or another. It will be great when the Intrusion Detection Working Group (IDWG) finishes its work and there is a standard transport protocol based on beep
(www.beepcore.org/beepcore/docs/profile-idxp.html) for intrusion-detection systems.
IDS Behavioral Modification
Behavioral modification is another aspect of running an IDS. You already know that I have concerns about using the IDS as big brother, even though many organizations are losing a lot of money to wasteful activities. The IDS is a data collection and analysis tool, however; so even if you aren't looking for trouble, you might still find it. You need to be prepared as an organization to deal with what you find now that you are no longer blind to network traffic. Let's use an IRC server as an example scenario.
You turn the IDS on and soon realize that a bright young kid in the computer operations department has set up one of your internal systems as an IRC server. How did you find this out if you weren't monitoring for IRC? We have discussed the fact that DNS, web, and email servers draw a lot of fire. That is nothing compared to the fire IRC servers draw! What the analysts see is a ba-zillion attacks and probes directed at a system in computer operations. When you look into it further, you find out the rest of the story. Obviously, the organization wants to turn this around and get the problem cleaned up. The wise analyst and organization will have established policy before the IDS was powered on to handle these things.
The Policy
I suggest that the organization consider an initial amnesty policy. By this, I mean the first 10 or so violations of the organization's acceptable-use computer policy be dealt with quietly and in a lenient fashion. A memo can be sent out that doesn't name anyone, but lists some of the examples and warns that in the future these activities will not be tolerated. I know of organizations that have turned on their shiny new IDS and examined their traffic for the first time. Imagine their surprise when they see things they do not approve of entering and leaving their network. They are now at an important decision point. If the organization reacts in a kneejerk fashion and walks the employee straight to the door, the IDS will always be viewed with suspicion and hatred. Be especially careful with the way you deal with systems and network administrators; they are used to doing whatever they want. If you walk someone from the computer or network operations group to the door because they broke an acceptable-use policy you just started enforcing, your IDS might break down or suffer blindness caused by loose cables a lot in the future!
Management knows all about firestorms—hate and discontent and the interactions between folks with strong personalities. Managers deal with this kind of stuff every single working day. If your implementation plan shows that you are sensitive to the other players in the organization and that the IDS is not guaranteed to produce Excedrin headache number 36, they will be far more supportive of your plan.