Network Intrusion Detection, Third Edition.pdf

where my mouth is too; when their stock dips, we pick up another chunk whenever we can.

Sourcefire, led by Marty Roesch, just received two million dollars in round one venture capital. I need to be honest; I am hardly objective. When the company started and I was given an opportunity to fund the startup, I jumped at it. So read what I say with more than a bit of salt, and I will try to stick to the main issues. The facts are simple: Snort is the most widely deployed sensor on the planet, and the Snort ruleset and language are the most commonly read and written. This is without debate. However, that is free Snort, and I have watched from the sidelines as my friend Gene Kim and Tripwire have tried to make the transition from free software to commercialware, and it is not an easy task. Moreover, Marty is not the only one with the idea of commercializing Snort. My guess is that he has entered the market at the best of times. At a time when it is harder and harder to find a decent stock value, and ISS and Enterasys have plummeted, reducing their value, this is a great opportunity for the tiny Sourcefire.

The bottom line, my guess, is that by the time this book gets into your hands, Cisco and Sourcefire will be stronger, ISS holding its own, Enterasys on the ropes, and NFR no closer to an IPO than they ever were. Will Tippingpoint, the new Swiss army knife of information security, even be in the running? Probably not; it is most likely still a year or two before users will be ready for integrated firewalls/NIDs, but we will see. The fact that cannot be argued is that the significant competition and innovation are driving the bar up, and we all win because of that. One reason that I am so focused on this new generation of consoles is that they are the foundation for analysts to maintain situational awareness and one of the most important tools for building active defense in depth.

Defense in Depth

Military history teaches us to never rely on a single defensive line or technique. We have tried to teach you not to rely on your NID alone. When a filter fires, it might be necessary to determine why it fired and the network activity that preceded it. We have been trying to teach you to rely on your ability to decode a packet in addition to using your NID as a tool. This is one small example of defense in depth.

The firewall serves as an effective noise filter, stopping many attacks before they can enter your network. Within your internal net, the router or switch can be configured to watch for signs of intrusion or fraud. When a detect occurs, the switch either can block the session and seal off the host or just send a silent alarm. You can improve your model further by adding the host-based layer of defense. Here, you can detect the insider with a legitimate login (whether or not it is really his) accessing files he shouldn't. Toss in a couple more network-based intrusion-detection systems, including a few stealthy ones, and you have an architecture sufficient to counter the increasing threat. Sadly, this architecture seems to be more likely found in a Jetsons cartoon than real life. So what is possible today and in the near future to implement defense in depth? The five perimeter rules of the road are the first steps, the ones you should put into practice today if you are not already doing them. Please do not start with a lot of talk about a crunchy perimeter and a soft chewy inside; we will get there soon enough. The five rules are all covered in the book and the appendix, but this is the final chapter and needs to be the summary chapter as well as a discussion on the future of intrusion detection. The five rules of the road are as follows:

Squelch all outgoing ICMP error unreachable messages. You might choose to stop other outgoing ICMP error messages, but do not fail to stop these. Doing this will reduce your site's vulnerability to reconnaissance.

Split horizon DNS. You might call this by a different name, but the concept is simple. The DNS server(s) that can be reached from the outside should only know about a few of your hosts, including your mail server, web server, and you fill in the rest of the blanks. Otherwise, this DNS server can be used for reconnaissance against your site.

Proxy when possible. Not only are proxies available on your firewall, but they can also be put between the Internet and your Internet-facing devices.

Network Address Translation (NAT). If your site can find the backbone to give up those evil public addresses and move to private addresses, you will instantly find a tenfold benefit in your resistance to attack.

Implement auto-response. Yes, really. The anti-junk mail world has been doing it for years. The Raptor firewall with its active defense and BackOfficer Friendly haven't melted down the world. There is a place for auto-response and you need to get in the game (as they say in the movie Zorro), as safely as possible.

Defense in depth doesn't stop with the perimeter, of course. It includes configuration management, personal firewalls, anti-virus, content scanning at the perimeter, operating system patches, and an active vulnerability scanning program.

Large-Scale Intrusion Detection

One of the most fascinating trends in 2001 was the emergence of three large-scale intrusion detection efforts: Aris by SecurityFocus.com, MyNetWatchman (www.mynetwatchman.com), and Dshield (www.dshield.org). Each of these works by providing reporting software to hundreds or even thousands of clients. These clients range from Check Point firewalls and Linksys cable routers to personal firewalls. The data is sent to a central site that allows it to be examined for trends. The aggregation of this much data from all over the world is a powerful tool. Dshield, for instance, was adding about six million records per week. Although there are significant issues with normalization, within the first year of Dshield's operation, the technology was used to discover the Ramen, Lion, and Leaves worms. For instance, the CERT advisory on widespread vulnerabilities with SNMP and ASN.1 was released on February 12, 2002, and you could see the increase in scanning as the month progressed, as shown in Figure 20.1.

Figure 20.1. Dshield data plot.

These are new implementations, and the community is still trying to learn how to make the best use of the tools. A distributed intrusion detection system like Dshield is such a profoundly significant concept that a number of people I talked with found it hard to understand why it hadn't been done earlier. One of the reasons is that a subtle shift in attitude took place after the turn of the century, and people were willing to share data.
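The aggregation described in this section, reduced to its core: reports from heterogeneous clients are normalized into one record shape, counted per day and service, and watched for the kind of rise in scanning the text describes for SNMP in February 2002. This is an added illustration, not Dshield's or any vendor's software; the two reporter formats (a netfilter-style kernel log line and a four-field CSV export) and every log line below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample submissions (not real Dshield data) from two kinds of reporters:
# a netfilter/iptables-style kernel log line, and an assumed CSV export laid out as
# date,source,protocol,destination_port. One line is deliberately unparseable.
SAMPLE_LINES = [
    "2002-02-12 gw1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=1030 DPT=161",
    "2002-02-12,192.0.2.10,udp,161",
    "2002-02-12,203.0.113.5,tcp,80",
    "2002-02-19 gw1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=UDP SPT=1031 DPT=161",
    "2002-02-19,192.0.2.77,udp,161",
    "2002-02-19,198.18.0.9,udp,161",
    "2002-02-26 gw2 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.8 PROTO=UDP SPT=2000 DPT=161",
    "2002-02-26,192.0.2.90,udp,161",
    "2002-02-26,198.18.0.9,udp,161",
    "2002-02-26,198.18.0.10,udp,161",
    "garbage line from a misconfigured reporter",
]

NETFILTER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) .*SRC=(?P<src>\S+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)"
)

def normalize(line):
    """Map one reporter line to (date, src, proto, dport); None if the format is unknown."""
    m = NETFILTER_RE.match(line)
    if m:
        return m["date"], m["src"], m["proto"].lower(), int(m["dport"])
    fields = line.split(",")
    if len(fields) == 4 and fields[3].isdigit():
        date, src, proto, dport = fields
        return date, src, proto.lower(), int(dport)
    return None  # the normalization problem the text mentions: unrecognized input

def aggregate(lines):
    """Per (date, proto, dport): (number of reports, number of distinct sources), plus skipped count."""
    reports, sources, skipped = defaultdict(int), defaultdict(set), 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            skipped += 1
            continue
        date, src, proto, dport = rec
        reports[(date, proto, dport)] += 1
        sources[(date, proto, dport)].add(src)  # same source seen by two reporters counts once
    return {k: (reports[k], len(sources[k])) for k in reports}, skipped

def trend(agg, proto, dport):
    """Distinct-source counts for one service, ordered by date, so a rise stands out."""
    return [(d, agg[(d, p, port)][1]) for (d, p, port) in sorted(agg) if p == proto and port == dport]

def is_rising(series, factor=2):
    """True when the latest day has at least `factor` times the first day's distinct sources."""
    return len(series) >= 2 and series[0][1] > 0 and series[-1][1] >= factor * series[0][1]
```

Counting distinct sources rather than raw reports is what keeps one scanner seen by several reporters from looking like several scanners.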

Sharing

I asked the Incidents.org community if anyone wanted to contribute a sidebar for the second edition of the book. It is no less true today, so we will keep it in this edition. The following was submitted by Richard Bejtlich, a skilled intrusion analyst, and I decided to place it here primarily because of the fourth question below.

"I make optimum use of my network intrusion detection system (NIDS) by asking four questions:

What could cause suspicious traffic to be generated?

What events could my NIDS miss?

How does real Internet behavior differ from textbook descriptions?

Should I share events with the security community?

The first question suggests that packets can be forged, manipulated, and unwillingly solicited, in addition to being routed directly. The second question requires me to understand my NIDS' limitations, and remember it might not explain or even capture every related packet. The third question implies that traffic not matching the norms of RFCs or technical studies is not always malicious. The last question encourages intrusion detectors to share their questions and discoveries with the security community, whether through www.sans.org or forums like the
