BY BRIAN ROBINSON
As government concerns about the threat of cyberattacks on critical systems escalate, intrusion-detection technology is poised to become the next line of defense for federal agency computers.
Intrusion-detection technology works much like burglar alarm systems installed in many homes. Just as burglar alarms alert homeowners when someone has broken through a locked window or door, intrusion-detection systems alert systems administrators when hackers have gotten past a firewall, making it possible to thwart the attack and even track down the intruder. The technology resides either on a host computer or at key points on the network (see "How they work").
Deploying intrusion-detection systems in government was a stipulation of Presidential Decision Directive 63 on critical infrastructure protection, issued last May, and intrusion-detection systems were a prominent part of President Clinton's January proposal of a $1.46 billion fiscal 2000 program to counter cyberterrorism.
How they work
Intrusion-detection systems are used to detect unusual activity in a network of computer systems, to identify that activity as unfriendly or unauthorized and to enable a response to that intrusion. There are two main implementations:
1. Network-based intrusion-detection systems use monitors placed at strategic places on a network to examine data packets to see if they conform to known attack "signatures."
2. Host-based intrusion-detection systems employ intelligent agents to continuously review computer audit logs for suspicious activity, and they compare each change in the logs to a library of attack signatures or user profiles. They also poll key system files and executable files for unexpected changes.
When an intrusion is detected, the intrusion-detection system can react in a number of ways - from alerting a systems administrator and recommending various actions to automatically kicking the intruder off the network.
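The host-based approach described in the sidebar, as an added illustration that is not code from any product named in this article: audit-log lines are matched against a small signature library with per-source thresholds, and key files are polled against an integrity baseline. The log lines, signatures, file contents and thresholds are all constructed for the example.

```python
"""Host-based intrusion detection in miniature: signature matching over audit-log
lines and integrity polling of key files. Added illustration, not code from any
product named in the article; the log lines, signatures and file contents are
all constructed for the example."""
import hashlib
import re
from collections import Counter

# Constructed signatures: (name, regex applied to one log line, matches per
# extracted key before an alert is raised). The named group "key" is what the
# tally is kept by: a source address, or the path a suspicious command touched.
SIGNATURES = [
    ("ssh-brute-force",
     re.compile(r"sshd.*Failed password for .* from (?P<key>[\d.]+)"), 3),
    ("root-login-from-network",
     re.compile(r"sshd.*Accepted password for root from (?P<key>[\d.]+)"), 1),
    ("setuid-shell-created",
     re.compile(r"audit.*chmod u\+s (?P<key>\S+)"), 1),
]

def scan_log(lines):
    """Return sorted (signature, key, count) tuples for every (signature, key)
    whose match count reaches that signature's threshold."""
    thresholds = {name: threshold for name, _, threshold in SIGNATURES}
    tally = Counter()
    for line in lines:
        for name, pattern, _ in SIGNATURES:
            match = pattern.search(line)
            if match:
                tally[(name, match.group("key"))] += 1
    return sorted((name, key, count) for (name, key), count in tally.items()
                  if count >= thresholds[name])

def baseline(files):
    """files: path -> bytes. Returns the integrity baseline, path -> SHA-256 hex."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def poll_files(known, files):
    """Compare current contents against a baseline and report what differs.
    A replaced system binary or an unexpected new file is the classic host-based
    indicator that a network sensor never sees."""
    current = baseline(files)
    return {
        "changed": sorted(p for p in known if p in current and current[p] != known[p]),
        "missing": sorted(p for p in known if p not in current),
        "added": sorted(p for p in current if p not in known),
    }

# Constructed syslog-style audit lines.
SAMPLE_LOG = [
    "Mar  3 01:12:07 host1 sshd[412]: Failed password for admin from 10.1.1.9 port 51312 ssh2",
    "Mar  3 01:12:09 host1 sshd[412]: Failed password for admin from 10.1.1.9 port 51313 ssh2",
    "Mar  3 01:12:11 host1 sshd[412]: Failed password for admin from 10.1.1.9 port 51314 ssh2",
    "Mar  3 01:12:40 host1 sshd[415]: Accepted password for root from 10.1.1.9 port 51320 ssh2",
    "Mar  3 01:13:02 host1 audit[417]: uid=0 cmd=chmod u+s /tmp/.x/sh",
    "Mar  3 01:13:30 host1 sshd[420]: Failed password for bob from 10.2.2.2 port 4400 ssh2",
]

# Constructed "files": a baseline snapshot and a later poll in which the login
# binary has been replaced and a hidden file has appeared.
BASELINE_FILES = {"/bin/login": b"login-v1",
                  "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
POLLED_FILES = {"/bin/login": b"login-v1+backdoor",
                "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                "/usr/lib/.hidden": b"dropper"}

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", *alert)
    print(poll_files(baseline(BASELINE_FILES), POLLED_FILES))
```

The single failed login from 10.2.2.2 stays below the brute-force threshold and produces nothing, which is the point of thresholds: a host agent that alerts on every failed password is ignored within a week.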
For the government, the ultimate goal is to link all intrusion-detection systems into a network that will allow all intrusion-detection systems in federal agencies to be instantly updated about attacks that occur at any point on the network.
PDD 63, which many people see as the driving force behind use of intrusion detection in the government, was the result of a study launched by the White House in 1997 of the nation's critical information infrastructure. But its intent was dramatically underscored just a few months before its formal announcement when hackers, using tools and techniques readily available through the Internet, launched the now-infamous Solar Sunrise attack on Defense Department computers.
PDD 63 reflects concern about the growing number of intrusions being reported across the nation. In 1998, the Computer Emergency Response Team (CERT), part of the federally funded Software Engineering Institute, reported that it handled 3,734 incidents in the public and private sectors, compared with 2,134 in 1997 and 2,573 in 1996. Since 1988, when it began operations, CERT has handled a total of 16,096 incidents and has issued 184 advisories and 61 bulletins. These numbers reflect the number of incidents CERT has determined are significant enough to require its analysis.
DOD already has an intrusion reporting system, in which intrusions are reported from lower-echelon commands to higher commands and then to the Defense Information Systems Agency, which collects and collates the information. On the civilian side, the National Infrastructure Protection Center, located within the FBI, also is planning an intrusion-detection reporting system.
"The NIPC has developed an architectural concept to protect the most sensitive of these [federal systems] in real time, providing nearly instantaneous alerts of an ongoing penetration to both the system operator and an NIPC technical analysis center," said Terry Maynard, chief of the NIPC's analysis and warning section, in a recent presentation to the Energy Security Forum. "As mandated in the president's directive, and with the approval and resources from Congress, we plan to begin to deploy that system in fiscal 2000 and expect to protect more than 200 federal systems by fiscal 2003."
In current intrusion-detection technology, most of this intrusion reporting has to be done manually. But the ultimate objective is to put intrusion-detection systems into all government systems and tie them together in a network so that each system will eventually "talk" to the others on the network. In this way, the notification of an attack on one government site instantly would be transmitted to the rest of the government, along with the method of attack and other details that agencies could use to guard their systems from similar intrusions.
There's confidence that this will happen. CERT, located at Carnegie Mellon University's Software Engineering Institute, has been a center for network incident reporting and analysis for the past decade. According to Jed Pickel, a member of CERT's technical staff, there is no way of automatically reporting incidents now. "But absolutely we will see an automated structure in the future," he said.
It is an ambitious goal because agencies already have their hands full dealing with their own networks, observers said. Most agencies are running complex networks that are not plain-vanilla versions from one vendor, said Bill Hadesty, director of security standards and evaluation at the Internal Revenue Service. Agencies have installed a fair number of basic security devices, such as packet sniffers, but networking those across a single organization would impose significant overhead, Hadesty said.
And government agencies have had a great deal of difficulty interfacing with each other "and [difficulty with] easier issues than this," he said. "There are many disparate systems out there, and there's a lot of trusted interfaces between systems that need to be put in place, so I think this [interagency intrusion detection] is still some ways off," Hadesty said.
Getting a handle on exactly how extensively intrusion-detection systems are being used in the government is difficult, however. There is little public information available, and agencies, for obvious reasons, are stingy in releasing information security data. Most agencies refuse to comment on either current or future plans for deploying intrusion-detection systems.
One federal official, who asked not to be identified, likened the situation in government to that in Fortune 500 companies. Neither is that far along, he said, because "after all, it's a brand-new technology, for all intents and purposes."
Paul Proctor, chief technology officer with Centrax Corp., a San Diego-based security provider that opened in September, believes the overall deployment of intrusion-detection systems in the federal government ranges from bad to poor. "I would guess that for network-based intrusion-detection systems, only 5 to 15 percent of government IT sites employ it," he said. "For host-based intrusion-detection systems, the kind that helps most directly in the battle with insider intrusions, it's probably less than 2 percent."
Before joining Centrax, Proctor spent 10 years at Science Applications International Corp., where he oversaw deployment of intrusion-detection systems at several large federal installations.
While still a relatively new technology, agencies have a number of fairly robust commercial intrusion-detection products from which to choose, many of them based on technology originally developed by DOD and turned into commercial products by specialized security companies.
Commercial products include Axent Technologies Inc.'s Intruder Alert, Network Associates Inc.'s CyberCop and Centrax's eNTrax.
As the market for intrusion-detection systems grows - the Boston-based Yankee Group estimates the total market could be worth about $750 million by 2003, compared with just less than $160 million last year - deep-pocketed players such as IBM Corp. and network equipment vendor Cisco Systems Inc. are expected to take a more prominent role.
Cisco, in fact, already is making a play with NetRanger, a product that originated with the WheelGroup Corp., which Cisco acquired from BTG Inc. just over a year ago. WheelGroup commercialized technology initially developed by the Air Force.
NetRanger includes two components, called Sensor and Director. Sensor can be situated anywhere on a network. Using a real-time intrusion-detection engine, it examines the header and the content of each data packet that passes by its position on the network, as well as the relationship of those packets to adjacent and related packets. If Sensor notices a violation of the network policy, the configured rules for what traffic and packet flows are permitted, it sends an alarm to the centrally located Director console, where the human network administrator can decide what action to take.
NetRanger also can proactively work with Cisco routers on the network. The user can configure the system to automatically shun or eliminate specific connections by changing access control lists on the routers. Any unauthorized traffic from internal users or external intruders can be blocked.
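The Sensor/Director division of labour described above, as an added illustration rather than Cisco's or WheelGroup's code: a per-packet signature that checks a header field and the payload, a cross-packet rule (a port sweep) that only works by relating each SYN to the ones before it, and the shun response expressed as the kind of router access-list entry a console could push. The packets, the signature, the window and the thresholds are constructed; the ACL lines are standard Cisco IOS extended-ACL syntax.

```python
"""A network sensor in miniature: a per-packet signature over header and
payload, a stateful port-sweep rule that relates adjacent packets, and the
"shun" response as router access-list entries. Added illustration; the packets,
signature and thresholds are constructed and this is not Cisco's or
WheelGroup's code."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Packet:
    ts: float            # capture time in seconds
    src: str             # source IPv4 address
    dst: str             # destination IPv4 address
    dport: int           # destination TCP port
    flags: str           # TCP flags, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""

# Constructed single-packet signature: (name, destination port, byte pattern).
# /cgi-bin/phf was a widely probed CGI in the late 1990s; the pattern here is
# only a string match on the request line.
PACKET_SIGNATURES = [("cgi-phf-probe", 80, b"GET /cgi-bin/phf")]

SWEEP_WINDOW = 5.0    # seconds of SYN history kept per source
SWEEP_PORTS = 10      # distinct destination ports within the window

@dataclass
class Sensor:
    syn_history: dict = field(default_factory=lambda: defaultdict(list))
    alerts: list = field(default_factory=list)
    shunned: set = field(default_factory=set)

    def observe(self, pkt):
        """Run one packet through the signature and the stateful sweep rule."""
        for name, port, pattern in PACKET_SIGNATURES:
            if pkt.dport == port and pattern in pkt.payload:
                self._alert(name, pkt.src)
        if "S" in pkt.flags and "A" not in pkt.flags:      # a connection attempt
            history = self.syn_history[pkt.src]
            history.append((pkt.ts, pkt.dport))
            # Drop SYNs older than the window, then count distinct ports left.
            history[:] = [(t, p) for t, p in history if pkt.ts - t <= SWEEP_WINDOW]
            if len({p for _, p in history}) >= SWEEP_PORTS:
                self._alert("port-sweep", pkt.src)

    def _alert(self, name, src):
        if (name, src) not in self.alerts:        # report each source once
            self.alerts.append((name, src))
            self.shunned.add(src)

    def acl_entries(self, acl_number=101):
        """Cisco IOS-style extended ACL lines a Director could push to a router."""
        return [f"access-list {acl_number} deny ip host {src} any"
                for src in sorted(self.shunned)]

def run_sensor(packets):
    sensor = Sensor()
    for pkt in sorted(packets, key=lambda p: p.ts):
        sensor.observe(pkt)
    return sensor

# Constructed traffic: a 12-port SYN sweep, one CGI probe, and benign connections.
SAMPLE_TRAFFIC = (
    [Packet(0.1 * i, "192.0.2.10", "10.0.0.20", 20 + i, "S") for i in range(12)]
    + [Packet(3.0, "198.51.100.7", "10.0.0.20", 80, "PA",
              b"GET /cgi-bin/phf HTTP/1.0\r\n")]
    + [Packet(4.0, "10.0.0.5", "10.0.0.20", 80, "S"),
       Packet(4.2, "10.0.0.5", "10.0.0.20", 443, "S")]
)

if __name__ == "__main__":
    sensor = run_sensor(SAMPLE_TRAFFIC)
    print(sensor.alerts)
    print("\n".join(sensor.acl_entries()))
```

The sweep rule is the part a single-packet signature cannot express: no individual SYN is suspicious, only ten of them to different ports from one source inside five seconds. The same structure is also where automatic shunning becomes dangerous, since an attacker who spoofs a partner's address can have the sensor write that partner into the deny list.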
This integral approach to network security is becoming the norm in users' minds, according to Jim Massa, director of Cisco's global government alliance. "There are changing perceptions of what security is," he said. "People used to ask how to bolt security onto networks; now they are looking for secure networks. Security is now one of the first words they utter."
A real-time intrusion-detection product widely used in government is RealSecure, from Internet Security Systems Inc., Atlanta. This product combines network-based and host-based intrusion-detection systems.
RealSecure's network engine runs on dedicated workstations and examines network packets for various attack signatures. When it detects an attack or misuse, it passes an alarm to a network management console for action by an administrator, or it can be configured to automatically terminate a connection, reconfigure firewalls or do anything else the user might want to have happen if an attack occurs.
The RealSecure system agent sits on a host computer and analyzes the logs on that host to determine when an attack is occurring. It also can send an alarm to a central console, or it can automatically reconfigure the RealSecure engine or firewalls to prevent incursions based on the attack just analyzed.
"In the future, we will probably split the product even further and take intrusion detection down to the application level itself, such as the database," said Mark Wood, product manager for ISS' intrusion-detection products. "We will also take it into 'softer' areas of misuse. In the commercial world, for example, employees could be cutting themselves checks. You can't write a pre-defined signature to protect against that kind of event, but nevertheless you need the protection."
For what they are called on to do, current products work fairly well, but they already are bumping up against obstacles caused by the evolution of network technology, observers said.
One major problem is the rise of switched networks, in which organizations divide a network into segments joined by switches that forward each frame only toward its destination. A sensor on a shared Ethernet segment sees every frame on that segment, but on a switched network it sees only the traffic the switch forwards to its own port, plus broadcasts. Monitoring a switched network therefore means a network intrusion-detection sensor for each switched segment, and in a fully switched network, where every desktop sits on its own segment, that would mean deploying nearly as many sensors as desktop systems, which organizations are unlikely to attempt.
The arrival of virtual private networks brings another problem. VPNs allow organizations to link their local-area network with outside users by creating an encrypted path across the Internet or another public network. A sensor placed outside the tunnel endpoint sees only the encrypted packets and cannot match their contents against attack signatures, so that traffic largely will be hidden from the intrusion-detection sensors.
One pervasive problem in the future will be the increasing speeds of networks, vendors said.
"Moving from 10 megabits/sec Ethernet speeds to 100 megabits/sec Fast Ethernet and beyond quickly outpaces first-generation network sensor products that were designed several years ago," said Tom Clare, product manager for Network Associates' CyberCop. "At best, they can handle 10 to 20 megabits/sec if traffic is light. On a 100 megabits/sec wire, [first-generation sensor products] have been shown to monitor less than 6 percent of the traffic, which means 94 percent goes by unmonitored."
Vendors are working on fixes to this, including "acceleration" products in software and firmware that will allow intrusion-detection systems to suck data packets off the network faster.
NetBoost Corp. has come out with a solution that could go beyond software-based solutions, the company said. The product uses custom silicon - a programmable processor with necessary support systems - to provide a fully programmable subsystem that can run several security applications at once. It enables dynamic reprogramming of applications at almost wire speeds, which, for intrusion-detection systems, means they readily can keep up with the speeds of the networks they monitor.
"[Current intrusion-detection systems] can't even keep up with a T-3 [45 megabits/sec connection], let alone a Fast Ethernet," said Len Rand, president and chief executive officer at NetBoost. "Ten megabits/sec is the maximum speed at which they can operate. You can get higher speeds, but with all of the packet header processing, etc. that needs to be done on the extra data, this can get pushed back onto the host."
The NetBoost product will enable intrusion-detection systems to work with such things as firewalls and VPNs to allow the network administrator to manipulate the system to maintain all the necessary network policies, Rand said. Some firms already have announced their support for NetBoost's product, including ISS.
Disruptive though the current kinds of intrusions may be, top-level government officials worry that a larger threat looms: sustained and systematic attacks by organized forces. For example, early last year the Navy discovered a new kind of intrusion that involved a number of attackers operating from a highly distributed base for a long period of time.
Air Force Lt. Gen. Kenneth Minihan, director of the National Security Agency, took his concerns to the Senate Governmental Affairs Committee last June. While the unstructured threat from people with limited organization and short-term goals always poses a threat, national security is not targeted, he told the Senate committee. But NSA is concerned with the structured threat "since that threatens system survival," he said.
Larry Dietz, director of information security for Current Analysis Inc., a Sterling, Va.-based market analysis firm, sees things moving this way. "Adversaries on network intrusions will evolve from individuals to teams," he said, "and because of that, the target in the future should be seen as the enterprise as a whole rather than individual networks. I don't think people will be able to put up a defense, as such, against these types of attack, so that puts even more emphasis on intrusion-detection systems since folks will want the ability to at least detect these problems so they can minimize the harm done by them."
Attackers use long-term intrusions to get an idea of what the networks are, where they are and how they are developing, according to Mark Fabro, worldwide director of professional services for Secure Computing Corp. Intrusion-detection systems can handle the real-time burst attacks well because these systems can see the attacks and gauge whether they break the attack thresholds of the perimeter defenses. But for now, "intrusion-detection systems are not offering a great amount of resistance to long-term reconnaissance attacks," Fabro said.
Concern about long-term threats is the impetus behind the recent push to deploy intrusion-detection systems as part of a concerted Defense initiative.
The Defense Advanced Research Projects Agency already has begun to work on such a project, with hopes of involving the civilian agencies as well.
The project will link intrusion-detection systems across different organizations so that the signature of an attack registered at one site can be instantly relayed to other sites. Each system should be able to correctly interpret that event information without any knowledge of the specific scenario. The project requires the ability of a sensor from one system to feed the analysis portion of a different system, DARPA said.
DARPA is leading this effort through its Common Intrusion-Detection Framework working group, part of the agency's Information Survivability Program. The agency hopes to have a first demonstration of two or three linked systems in June.
The CIDF also was a starting point for the Internet Engineering Task Force Intrusion-Detection Exchange Format working group, which is working on a commercial standard for interoperability of intrusion-detection systems. A request for comments is expected to be out by the end of this year.
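The interoperability goal behind the CIDF and IETF work above, as an added illustration: two constructed sensors report in different native formats, an adapter for each maps the report into one hypothetical common alert record, and an analysis engine at another site correlates the records without knowing either sensor's scenario. The record layout, field names and data are invented for the example and are not CIDF or the IETF format; this is not code from either working group.

```python
"""Alert exchange across sites in miniature: two constructed sensor formats,
adapters into one hypothetical common record, and a receiving analysis engine
that correlates without knowing the originating scenario. Added illustration;
the formats and data are invented and are not CIDF or the IETF exchange format."""
import json

COMMON_FIELDS = ("time", "site", "sensor", "signature", "src", "dst")

def parse_pipe_report(line):
    """Sensor A (constructed): 'time|site|sensor|signature|src|dst'."""
    parts = line.strip().split("|")
    if len(parts) != len(COMMON_FIELDS):
        raise ValueError(f"malformed pipe report: {line!r}")
    return dict(zip(COMMON_FIELDS, parts))

def parse_kv_report(line):
    """Sensor B (constructed): space-separated key=value pairs with its own key
    names; extra keys such as a local severity are dropped, not guessed at."""
    kv = dict(token.split("=", 1) for token in line.split())
    rename = {"ts": "time", "site": "site", "id": "sensor",
              "sig": "signature", "from": "src", "to": "dst"}
    record = {rename[k]: v for k, v in kv.items() if k in rename}
    missing = [f for f in COMMON_FIELDS if f not in record]
    if missing:
        raise ValueError(f"kv report lacks {missing}: {line!r}")
    return record

def to_wire(record):
    """Serialise a common record for transmission to another site."""
    return json.dumps({f: record[f] for f in COMMON_FIELDS}, sort_keys=True)

class Analyzer:
    """Receiving side: ingests wire records from any sensor and correlates them."""
    def __init__(self):
        self.records = []

    def ingest(self, wire):
        record = json.loads(wire)
        if sorted(record) != sorted(COMMON_FIELDS):
            raise ValueError("record does not match the common schema")
        self.records.append(record)

    def sources_seen_at_multiple_sites(self):
        """src -> sorted sites, for sources reported by more than one site."""
        sites = {}
        for r in self.records:
            sites.setdefault(r["src"], set()).add(r["site"])
        return {src: sorted(s) for src, s in sites.items() if len(s) > 1}

    def signatures_by_site(self):
        """site -> sorted signature names, the "method of attack" each site reported."""
        out = {}
        for r in self.records:
            out.setdefault(r["site"], set()).add(r["signature"])
        return {site: sorted(s) for site, s in out.items()}

# Constructed reports from two sites.
SENSOR_A_REPORTS = [
    "1999-03-01T10:00:00Z|siteA|nids-1|port-sweep|192.0.2.10|10.1.0.4",
]
SENSOR_B_REPORTS = [
    "ts=1999-03-01T10:07:00Z site=siteB id=hids-7 sig=port-sweep from=192.0.2.10 to=10.2.0.8 sev=3",
    "ts=1999-03-01T10:09:00Z site=siteB id=hids-7 sig=ssh-brute-force from=203.0.113.5 to=10.2.0.8 sev=2",
]

def correlate(pipe_reports, kv_reports):
    analyzer = Analyzer()
    for line in pipe_reports:
        analyzer.ingest(to_wire(parse_pipe_report(line)))
    for line in kv_reports:
        analyzer.ingest(to_wire(parse_kv_report(line)))
    return analyzer

if __name__ == "__main__":
    a = correlate(SENSOR_A_REPORTS, SENSOR_B_REPORTS)
    print(a.sources_seen_at_multiple_sites())
    print(a.signatures_by_site())
```

The analysis engine never sees a native format: every adapter is responsible for producing the common record or refusing, so a new sensor product joins the exchange by adding one adapter, not by teaching every consumer another layout.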
What government users should guard against, industry sources stressed, is thinking of intrusion detection as a "silver bullet" for their security needs, as users tended to do in the early days of firewall deployment.
For starters, said John Negron, federal sales manager for Axent, it already is obvious that the technological problems with the current generation of intrusion-detection products will not easily be overcome. "The solutions in place now may have to be completely re-engineered," he said.
And with that goes the need for expertise within agencies to know where to put intrusion-detection systems and how to interpret their output correctly. But that expertise seems to be in short supply.
"Agency managers have been hard-pressed to find experts inside the agency organizations who really know about all of this," said Terry Weipert, director of the network desktop practice at Unisys Federal. "It's usually put onto the shoulders of the system administrators, but these people have found it difficult to apply security because of the sophistication of the tools that are used."
The bottom line, observers said, is that intrusion-detection systems will be a necessary part of agencies' future security plans. Indeed, they will be a required part. But what they will not be is an easy fix.