IDS Criteria
7/29/2019 IDS Criteria
1/31
2002 Detmar Liesen [email protected] -1-
Requirements for Enterprise-Wide Scaling Intrusion Detection Products
A Criteria Catalog for IT Executives, IDS Users and Vendors (Version: 2002-06-19 rev3)
Abstract:
This text defines criteria that are substantial for Intrusion Detection Systems to be chosen for enterprise-wide deployment. It is supposed to be used for planning and evaluation purposes and could also be used as a list of questions that you should ask your IDS vendor.
DISCLAIMER: THIS TEXT MAY BE COPIED AND DISTRIBUTED FOR EDUCATIONAL AND NON-COMMERCIAL PURPOSES ONLY. ANY ALTERATION THAT IS NOT EXPLICITLY ALLOWED BY THE AUTHOR IS STRICTLY PROHIBITED. THE AUTHOR IS BY NO MEANS RESPONSIBLE FOR ANY DAMAGE OR LOSS OF PROFIT THAT MIGHT OCCUR BY FOLLOWING THE RECOMMENDATIONS OF THIS DOCUMENT. If you have questions or suggestions please contact me via email:
Contents
1. Introduction ........ 4
2. System ........ 5
2.1. Functionality ........ 5
2.2. Level of importance ........ 5
2.3. Definition of a generic concept for enterprise-wide IDS deployment ........ 7
2.3.1. Short-term deployment ........ 8
2.3.2. Mid-term deployment ........ 8
2.3.3. Long-term deployment ........ 8
3. Criteria Definitions ........ 10
3.1. Criteria for Installation, Configuration and Management ........ 10
3.1.1. Must Criteria ........ 10
3.1.2. Shall Criteria ........ 11
3.1.3. Should Criteria ........ 12
3.2. Criteria for Detection Technology ........ 12
3.2.1. Must Criteria ........ 12
3.2.2. Shall Criteria ........ 13
3.2.3. Should Criteria ........ 13
3.3. Criteria for Response Mechanisms, Reporting and Forensic Analysis ........ 13
3.3.1. Must Criteria ........ 13
3.3.2. Shall Criteria ........ 14
3.3.3. Should Criteria ........ 16
3.4. Criteria for the Security of IDSs ........ 16
3.4.1. Must Criteria ........ 16
3.4.2. Shall Criteria ........ 18
3.4.3. Should Criteria ........ 18
IDS Literature ........ 19
Credits ........ 30
The Author ........ 31
1. Introduction
The text was developed within the scope of a pilot project for IDS deployment within the network of a worldwide operating company. The project proceeded in three basic steps:
1.) All available information about capabilities of modern Intrusion Detection Systems was gathered, which resulted in a list of features and requirements without any special order of priorities or practical aspects.
2.) Three widely used Intrusion Detection Systems were evaluated in a testing environment. The tests comprised general installation issues, ease of management and configuration, presentation of events, and help on interpreting those events. These tests were by no means a benchmark, but a test on how the systems would be manageable within a large network with limited personnel resources, e.g. if the underlying architecture fulfills certain criteria, what management features are provided etc. Security of the IDS components themselves also was an important issue.
3.) An IDS was placed outside a productive internet firewall in order to collect real-life data and to evaluate how many false positives occur and how those can be identified and reduced.
One of the results of these efforts is this criteria catalog, which is ordered by priorities.
Note: To my knowledge, no system currently exists that fulfils all the criteria - not even those criteria that are considered compulsory.
Now you could argue: what good is a must criterion that is not fulfilled by any system?
The answer is: I have tried to find out what capabilities and features are most important for enterprise-wide deployment, not what is currently provided by the systems. In my opinion, the criteria in this text do reflect the practical needs of those who will have to work with ID systems every day efficiently and effectively.
2. System
The aim of the paper is to compile relevant criteria and features and to group those criteria. You can use this catalog for vendor questionnaires and for your own evaluations. The concept is supposed to apply to most larger and medium-size companies who plan to deploy IDSs.
The criteria are structured as follows:
2.1. Functionality
- Installation, configuration, management
  o Ease of installation
  o Quality of the user interface (lucidity, intuitiveness)
  o Scalability
  o Updating capabilities, update automation
  o Customization (policies, signatures)
  o Help/support
- Detection technology
  o Methods of attack detection and breadth of attack detection
  o Performance (i.e. speed, dropping no packets)
  o Accuracy (i.e. few false positives and even fewer false negatives)
- Intrusion Response, reporting and forensic analysis
  o Countermeasures
  o Reporting and event presentation
  o Event correlation, aid at analyzing events
- Security
  o Method of authentication and communication between the various IDS components.
  o Resistance against attacks that are aimed at the IDS itself, e.g. flooding, DoS and others.
  o Stealth, i.e. providing potential hackers with as little information as possible
2.2. Level of importance
Must Criteria: Attributes or features that are compulsory.
Shall Criteria: Attributes or features that are considered important and thus are decisive for the choice of a certain IDS product (differentiators).
Should Criteria: Attributes or features that are more than nice to have, but are not necessarily decisive in order to be chosen.
Evaluation of IDS products has to take into account the purpose of the product, i.e. some products have been designed to secure large corporate networks in their entirety, some have been designed for smaller networks or as complementary devices for an existing security infrastructure. This criteria catalog describes the requirements for an enterprise-wide scaling product.
References: Footnotes in brackets, such as [Graham01], indicate where additional information can be obtained. The references can be found in the section IDS Literature.
Technical Terms:
- An event or incident is an occurrence on the network that is assumed to be relevant.
- Host Agents or Host Intrusion Detection Systems monitor system log files, file integrity and sometimes also include kernel-level protection (system- and API-call surveillance).
- Network Node IDSs (NNIDS), sometimes also called stack-based IDSs, monitor all the data packets that are sent to the host they reside on and those packets that are transmitted by that host. Thus NNIDS are also host-based IDSs.
- Network IDSs (NIDS) monitor the network segments which they are connected to in promiscuous mode, i.e. all packets on the wire are analyzed.
- Inline IDSs (IIDSs) forward packets after having analyzed the packets for intrusions. Those systems are sometimes also referred to as Gateway IDS (GIDS).
- A demilitarized zone (DMZ) is the place where your public servers and proxies should be located. Access to the servers in that zone is secured by firewalls, both from the internet and the internal LAN. Access from the internet to the DMZ servers is not as restricted as access from the internet to the internal LAN in general.
- A signature is a unique data pattern that can be used to identify an attack.
2.3. Definition of a generic concept for enterprise-wide IDS deployment
The following part suggests a general concept as a starting point for medium and big size enterprises. This concept defines short-term, mid-term and long-term deployment of IDSs.
It is assumed that a security policy identifying and prioritizing network assets and their relative business impact has already been defined.(1)
To know what you actually want to achieve with IDS, in terms of required scope of deployment and system scalability, is vital for choosing the right system. E.g. you should know if you only want to monitor public servers, internal servers or also clients. Although clients are not mentioned in the concept, there are tendencies in the market to include client surveillance in an enterprise-wide IDS concept for complete coverage.
The author assumes that every medium sized network and certainly every large network has a two- or more-staged firewall system with one or more DMZs for public servers and proxies.
(1) See Common Criteria according to ISO/IEC 15408
2.3.1. Short-term deployment
- Deployment of a network IDS (NIDS) outside the perimeter firewall as an attack detector (early warning system).
- Deployment of a NIDS inside the perimeter firewall for detecting attacks that pass the firewall (i.e. for the main purpose of any IDS: detecting intrusions).
- Deployment of HIDS agents and/or stack-based Host IDSs (NNIDSs) on DMZ servers and on servers with highest security demands, e.g. e-commerce backends.
2.3.2. Mid-term deployment
- NIDS surveillance of all other points where data leave or enter the borders of the corporate sovereign territory, i.e. where subsidiaries and parts of the corporate LAN are connected via leased lines or where dial-up services provide remote access (e.g. RAS).
- NIDS and HIDS deployment on internal servers with high security demands, e.g. Enterprise Resource Planning (ERP) systems and other important servers.
2.3.3. Long-term deployment
- HIDS/NNIDS agents on all server systems which are vital for corporate communication and access to corporate data, e.g. MS Exchange servers, domain controllers, file servers and data warehouses.
- NIDS surveillance at core switches for maximum coverage at reasonable cost.
Of course this is only a rough concept and the long-term deployment goal will be costly to achieve. But security needs continuity, thus it is important that an enterprise gets the chance to back the right horse, so that a system is scalable for future requirements and that an architecture be implemented that is not necessarily thrown overboard if the IDS company is acquired by another - a goal that seems nearly impossible to achieve right now, if we are taking into account the recent consolidation activities in the market. An IDS has to provide the flexibility needed in an ever growing and changing environment. There is no end state for deploying IDS. In a corporate security enhancement process, systems have to be adapted and modified continually to reflect network growth and changes.
It should be further taken into account that the impact of vulnerabilities due to product-specific weaknesses (e.g. software bugs) can be lessened by deployment of complementary systems that employ a different technology and/or originate from a different provider/vendor.
Therefore, combined deployment of a company-wide-scaling, easy-to-manage product with another product of lower price is strongly recommended. For the complementary solution an open source variant is recommended.
Enterprise-wide scaling products should actually provide the interfaces for integration of third party IDSs in the architecture. Some products already include such features, but due to the lack of de-facto standards for IDS data exchange (IETF/IDWG(2) is working on it), those capabilities are very basic.
In certain circumstances, a third party solution which can manage IDSs of multiple vendors may be worthy of consideration.
For a company-wide scaling product, a multi-tiered architecture is assumed that at least comprises three tiers - sensor tier, proxy tier and management tier. The system should be modular and flexible, so that the user is able to decide in which direction connections shall be initiated. This is important when considering outsourcing the IDS management to a managed security provider (MSP) without granting the provider access through firewalls.
Complementary products will not have to fulfill all of those criteria, but they can of course also be evaluated accordingly.
(2) Intrusion Detection Working Group
3. Criteria Definitions
The conceptual criteria have already been addressed above, here we list the detailed technical criteria.
3.1. Criteria for Installation, Configuration and Management
3.1.1. Must Criteria
- An intuitive graphical user interface (GUI) is required.
- Automated installation routines for all core components must be provided for all supported platforms. This means also that all additional software that is required in order to get the system up and running must be provided by the installation medium itself or be part of the standard distribution of the supported platform. It is undesirable for the administrator to gather dozens of modules from various websites, checking version dependencies, before he is able to install the system and get it running. This is undesirable from the maintenance standpoint, as well.
- Centralized reinstallation, configuration and updating must be possible. In a distributed network, an IDS administrator cannot physically access each sensor and server, and he probably does not have administrative terminal access to all servers. Thus, most management operations must be able to be executed via a central IDS management console.
- Free definition of security policies and alert filters is necessary, as well as the existence of predefined policies which can be easily customized.
  o A policy defines what is allowed and what is not (services, IP addresses etc.)
  o An alert filter is used in order to exclude certain events from being displayed. That does not mean these events are not being detected anymore, it merely means their display is quieted. Events that are being filtered on one console could be displayed on another console or be stored somewhere else.
- It must be possible to define custom signatures. For this feature the following minimum requirements should be fulfilled:
  o Definition of source and destination IP addresses or address ranges must be possible
  o Definition of TCP/UDP source and destination ports and ICMP type/code
  o Definition of any combination of IP header flags and options
  o Definition of any combination of TCP header flags and options
  o Definition of the payload data that shall be searched (hex or ASCII)
  o Definition of the starting point for the payload search (offset) and the search depth
- Alerts, header data and payload data must be automatically stored in a central event database.
- The system should support multiple management consoles for splitting or grouping tasks between multiple analysts and for redundancy.
- A hierarchical design to the architecture is necessary to provide the scalability and growth that is required in an enterprise environment.
3.1.2. Shall Criteria
- HIDS shall provide means for predefinition of the setup and configuration options, so that an unattended setup is possible (it is extremely desirable to have an installation process where the software may be installed on all servers as part of a server build or ghost image, but the software activation be licensed). Distribution and de-installation of HIDS are apt to happen more frequently than for NIDS. The IDS customer should keep flexibility on where to deploy HIDS, so the licensing shall also take this into account. Limiting licence keys to single hostnames or IP addresses is not suitable for IDS deployment in an environment that grows and changes dynamically as happens in real life.
- Automated download of signatures and software updates from the vendor's website shall be an option that is integrated into the management GUI.
- Definition of policy groups or security domains shall be possible. Distribution of signature libraries and policies shall be possible on a per-host basis, as well as on a per-group basis, so that the group signatures and policies do not have to be pushed to each sensor individually.
- Storage of event data in a database shall be tiered for optimized performance and to economize on storage volume. Therefore the system shall store full packet information for a predefined time and then remove the data from the event database and store only the following, reduced information in another database:
  o Date and time
  o Event name
  o Protocol (TCP/UDP/ICMP)
  o Source IP/destination IP
  o Source ports and destination ports or ICMP type and code
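The tiered storage criterion above, carried through as an added Python example (not code from the paper or from any product): a full-detail tier holds header and payload bytes for events inside the retention period, and an age-out pass moves older events into a reduced tier that keeps exactly the five items listed. The record layouts, the `TieredEventStore` class and the sample events are constructed for this example; a real system would back the two tiers with two database tables.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class FullEvent:
    ts: datetime
    name: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    header: bytes = b""           # raw IP/transport header as captured
    payload: bytes = b""          # raw payload as captured


@dataclass
class ReducedEvent:
    ts: datetime
    name: str
    proto: str
    src: str
    dst: str
    ports_or_icmp: str            # "sport->dport" for TCP/UDP, "type t/code c" for ICMP


def reduce_event(ev: FullEvent) -> ReducedEvent:
    """Keep only the five items the criterion lists; header and payload bytes are dropped."""
    if ev.proto == "ICMP":
        detail = f"type {ev.icmp_type}/code {ev.icmp_code}"
    else:
        detail = f"{ev.sport}->{ev.dport}"
    return ReducedEvent(ev.ts, ev.name, ev.proto, ev.src, ev.dst, detail)


class TieredEventStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self.full: List[FullEvent] = []          # tier 1: full packet information, recent events
        self.reduced: List[ReducedEvent] = []    # tier 2: reduced information, long-term

    def add(self, ev: FullEvent) -> None:
        self.full.append(ev)

    def age_out(self, now: datetime) -> int:
        """Move events older than the retention period into the reduced tier; returns how many moved."""
        expired = [ev for ev in self.full if now - ev.ts > self.retention]
        self.full = [ev for ev in self.full if now - ev.ts <= self.retention]
        self.reduced.extend(reduce_event(ev) for ev in expired)
        return len(expired)

    def full_tier_bytes(self) -> int:
        """Captured bytes still held in the full tier, the volume that tiering is meant to bound."""
        return sum(len(ev.header) + len(ev.payload) for ev in self.full)


SAMPLE_NOW = datetime(2002, 6, 19, 12, 0)


def build_sample_store(now: datetime = SAMPLE_NOW) -> TieredEventStore:
    """Constructed events: two older than the 7-day retention window, one recent."""
    store = TieredEventStore(retention=timedelta(days=7))
    store.add(FullEvent(now - timedelta(days=10), "WEB-CGI probe", "TCP", "192.0.2.7", "10.1.2.3",
                        sport=44321, dport=80, header=b"\x45" * 40, payload=b"GET /cgi-bin/ HTTP/1.0"))
    store.add(FullEvent(now - timedelta(days=8), "ICMP echo-request sweep", "ICMP", "198.51.100.9",
                        "10.1.2.4", icmp_type=8, icmp_code=0, header=b"\x45" * 28, payload=b"\x00" * 56))
    store.add(FullEvent(now - timedelta(days=1), "SMTP unusual command", "TCP", "203.0.113.5",
                        "10.1.2.25", sport=51000, dport=25, header=b"\x45" * 40,
                        payload=b"HELO x\r\nDEBUG\r\n"))
    return store
```

Calling `build_sample_store().age_out(SAMPLE_NOW)` moves the two old events, after which only the recent event's 55 captured bytes remain in the full tier while the reduced tier still answers the search criteria (time, name, protocol, addresses, ports) for the old ones.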
- The management GUI shall include tools and functions for database administration and maintenance, so that no database specialist is necessary and the IDS analyst is able to concentrate on the job instead of archiving data manually.
- The HIDS and NNIDS agents shall be available for most operating systems:
  o MS Windows 2000 Server/Advanced Server, NT4, XP, .NET Server
  o Linux (Red Hat, Debian, SuSE etc.)
  o *BSD
  o Sun Solaris
  o HP-UX
  o IBM AIX, VAX-VMS, Tru64
- Easy generation and maintenance of private and public keys or certificates for authentication purposes shall be provided.
3.1.3. Should Criteria
- Control of all components through a command line interface is desirable, even if the main interface for management is the GUI. Some frequently repeated tasks can be done more efficiently from the shell or be automated via cron jobs and scripts.
- Integration of an additional vulnerability assessment tool or tools for event correlation with Nessus reports would be great.
- It is desired that there be specialized policies or setups for port 80 (HTTP), port 25 (SMTP) and other common services. Maybe it would be reasonable to autodetect running services with each startup of the server and load the appropriate policies and signature libraries.
3.2. Criteria for Detection Technology
3.2.1. Must Criteria
- Stateful Inspection (tracking connection state) requires
  o Fragment and packet stream reassembly:
    - Fragmented IP packets are reassembled correctly, even if fragments are sent out of order or with overlapping fragment offsets
    - TCP segments that are sent out of order or with overlapping data are also correctly reassembled
  o The system has to be able to determine what packets belong to which session, so that unsolicited traffic can be detected (stateless attacks). Something equivalent must also be performed for stateless protocols, such as UDP and ICMP, i.e. the system is able to detect if such a packet fits into the context of the previous traffic. An ICMP echo-reply is detected as suspicious if no echo-request has been seen before. UDP packets that flow to a machine unidirectionally are also considered suspicious.
- Stateful Protocol Analysis(3) for the most common application protocols requires
  o traffic normalization (prevents most evasion and insertion(4) techniques)
  o protocol decodes
  o detection of protocol violations (e.g. generic buffer overflows, unusual requests etc.)
- The system must detect attacks in real time, so that automated responses are possible (even if it is not recommended in general to use such automated responses).
(3) [Frederick1]-[Frederick4]
(4) [PN98], [RFP]
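The two context checks named above for stateless protocols (an echo-reply with no preceding echo-request, and UDP flowing to a host in one direction only), written out as an added Python example that is not part of the paper and not any product's implementation. The packet record, the `StatelessContextTracker` class, its threshold of five unanswered packets and the sample trace are all constructed for this example; a real sensor would additionally expire pending echo-requests and flow counters after a timeout.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str            # "icmp" or "udp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo-request, 0 = echo-reply
    icmp_id: int = 0      # identifier that ties a reply to its request


class StatelessContextTracker:
    """Decides whether an ICMP or UDP packet fits the context of the traffic seen before it."""

    def __init__(self, udp_threshold: int = 5):
        # (requester, target, icmp id) of echo-requests that have not been answered yet
        self.pending_echo: Set[Tuple[str, str, int]] = set()
        # packets seen per UDP flow, keyed by (src, dst, sport, dport)
        self.udp_counts: Dict[Tuple[str, str, int, int], int] = defaultdict(int)
        self.udp_threshold = udp_threshold
        self.udp_alerted: Set[Tuple[str, str, int, int]] = set()

    def observe(self, p: Pkt) -> List[str]:
        alerts: List[str] = []
        if p.proto == "icmp":
            if p.icmp_type == 8:
                self.pending_echo.add((p.src, p.dst, p.icmp_id))
            elif p.icmp_type == 0:
                key = (p.dst, p.src, p.icmp_id)          # a reply reverses the direction
                if key in self.pending_echo:
                    self.pending_echo.discard(key)       # fits the context: request was seen
                else:
                    alerts.append(f"unsolicited ICMP echo-reply {p.src} -> {p.dst} id={p.icmp_id}")
        elif p.proto == "udp":
            fwd = (p.src, p.dst, p.sport, p.dport)
            rev = (p.dst, p.src, p.dport, p.sport)
            self.udp_counts[fwd] += 1
            # flag a flow once it has sent several packets without a single reply in the other direction
            if (self.udp_counts[rev] == 0 and self.udp_counts[fwd] >= self.udp_threshold
                    and fwd not in self.udp_alerted):
                self.udp_alerted.add(fwd)
                alerts.append(f"unidirectional UDP flow {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                              f"({self.udp_counts[fwd]} packets, no reply seen)")
        return alerts


# Constructed trace: an answered ping, a stray reply, an answered DNS query, a one-way UDP stream.
SAMPLE_TRACE: List[Pkt] = [
    Pkt("10.0.0.5", "10.0.0.9", "icmp", icmp_type=8, icmp_id=1),
    Pkt("10.0.0.9", "10.0.0.5", "icmp", icmp_type=0, icmp_id=1),
    Pkt("192.0.2.44", "10.0.0.5", "icmp", icmp_type=0, icmp_id=7),
    Pkt("10.0.0.5", "10.0.0.53", "udp", 5353, 53),
    Pkt("10.0.0.53", "10.0.0.5", "udp", 53, 5353),
] + [Pkt("198.51.100.8", "10.0.0.5", "udp", 4444, 1434) for _ in range(6)]


def run_sample(trace: List[Pkt] = SAMPLE_TRACE) -> List[str]:
    tracker = StatelessContextTracker(udp_threshold=5)
    alerts: List[str] = []
    for p in trace:
        alerts.extend(tracker.observe(p))
    return alerts
```

On the sample trace the answered ping and the answered DNS query stay silent, the stray echo-reply from 192.0.2.44 raises one alert immediately, and the one-way stream raises exactly one alert on its fifth packet rather than one per packet.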
3.2.2. Shall Criteria
- In order to mitigate the problem of ever growing signature databases, the product shall be capable of performing full 7-layer protocol analysis(5), or at least some sort of anomaly detection. This is most important for stack-based host IDSs (NNIDSs) because on productive servers, the IDS must have little impact on the server's performance. The more signatures are in the signature database, the greater becomes the impact on the server's performance. Even if protocol analysis requires more CPU cycles for a basic installation, on a long term the hunger for CPU and memory resources increases more quickly for signature-based IDSs.
- Import or integration of signatures of a free, open signature format shall be possible.
- Host-based systems shall provide file-integrity checks (file tampering detection), e.g. by calculating MD5 checksums for important files that shall not be altered.
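The file-integrity check just described, as an added Python example (not from the paper, not Tripwire or any HIDS product): a baseline of checksums is taken for files that must not change, and a later verification reports every file that has been modified or has gone missing. MD5 is used because that is what the criterion names; a deployment designed today should prefer SHA-256, since MD5 collisions are practical. The functions, the temporary files and their contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def file_digest(path: str) -> str:
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Checksum every protected file; in practice this is stored off-host or read-only."""
    return {p: file_digest(p) for p in paths}


def verify(baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the current state against the baseline; returns (path, status) for every deviation."""
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif file_digest(path) != expected:
            findings.append((path, "modified"))
    return findings


def run_sample() -> List[str]:
    """Constructed scenario in a temporary directory: baseline three files, then tamper with one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        hosts = os.path.join(d, "hosts")
        inetd = os.path.join(d, "inetd.conf")
        for path, content in ((passwd, b"root:x:0:0::/root:/bin/sh\n"),
                              (hosts, b"127.0.0.1 localhost\n"),
                              (inetd, b"#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")):
            with open(path, "wb") as f:
                f.write(content)
        baseline = build_baseline([passwd, hosts, inetd])
        with open(passwd, "ab") as f:                 # tampering: a second uid-0 account appended
            f.write(b"newadmin:x:0:0::/:/bin/sh\n")
        os.remove(hosts)                              # deletion of a protected file
        return [f"{os.path.basename(p)}: {status}" for p, status in verify(baseline)]
```

`run_sample()` reports the appended account as `passwd: modified` and the removed file as `hosts: missing`, while the untouched `inetd.conf` produces no finding.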
3.2.3. Should Criteria
- Host-based systems should also provide kernel level protection, i.e. detecting and stopping malicious system and API calls.
3.3. Criteria for Response Mechanisms, Reporting and Forensic Analysis
3.3.1. Must Criteria
- The following response features must be provided by any enterprise-wide scaling IDS that claims to be state-of-the-art:
  o SNMP traps, email alerts, pager messages, syslog messages
  o Real-time alerting messages on a central IDS monitor console
- In-depth backtracking in real time or batch mode from the central console. The backtracking feature has to provide:
  o DNS name resolution
  o NetBIOS name resolution
  o IP addresses
  o MAC addresses
- The system has to be capable of logging suspicious TCP sessions completely, starting with the packet that triggered an alert. Stateless connections have no information about when a session is over, so the system has to be configurable to simply log a certain number of following packets with the same transport quad information (IP src/dst; UDP src/dst ports).
(5) [Graham01]
- The system has to provide in-depth drill-down capabilities, i.e. based on a comprehensive short message the user can dig into two or more levels of more detailed information. This information must be presented in a clear manner and include:
  o Source and destination IP addresses
  o IP header data (flags and options)
  o Protocol (TCP/UDP/ICMP)
  o Numeric source and destination ports or ICMP type/code
  o Application protocol (HTTP, SMTP, TELNET, FTP) in text format
  o TCP header data (flags, options, sequence numbers)
  o Protocol decodes (as far as reasonably possible)
  o Payload (storage and display optional)
- The system's GUI has to provide interactive searching and analysis of data from event databases for forensic analysis, e.g. comparing an alert to all other alerts that were generated by that source previously. This is very important for immediate correlation and later analysis. Thus, it must be possible to define the following search and comparison criteria for information retrieval:
  o Period of time or the exact time of the event
  o Name of the event
  o Source and destination IP addresses
  o Protocol (TCP/UDP/ICMP)
  o Source and destination ports
  o Priority of the event
3.3.2. Shall Criteria
- The system shall provide the capability of stopping attacks automatically through TCP reset (NIDS) or active blocking (HIDS/NNIDS), although the author does not recommend usage of such features in general. Automatic configuration of router access lists shall also be possible. The system should also provide an interface for triggering custom defined programs, scripts or other actions on certain events.
- The system shall also provide capabilities to let the security staff interactively perform the above mentioned actions: TCP reset, blocking and ACL update. This provides the personnel more control over response mechanisms, so that automated blocking can be deactivated and misconfiguration due to bad blocking rules is minimized. Of course, this will not be real time.
- In order to give the security staff more time for a well-reflected response (which can also be to do nothing at all but watching and logging) HIDSs and Inline ID systems shall provide capabilities of slowing down suspicious connections. This could be a pre-stage before the security administrator finally decides to kill the connection or to decide that a false alert has been raised and the throttle can be released.
- All the above mentioned countermeasures shall be able to be activated or deactivated on a per-rule (signature) basis.
- The monitoring console GUI shall be designed in such a way that even during high activity periods, individual events can still be selected and analyzed. It has been found during tests that some systems refresh the screen too often during such periods so that the context menu disappeared before an item could be selected. Either the system shall provide a freeze function for that purpose or (preferably) it should simply increment a counter for events of the same type.
- Interoperability with other infrastructure components, such as routers, firewalls (for reconfiguration) and network management consoles has been demanded by many IDS customers in the past. The author's opinion on this is that, being state-of-the-art, this shall be provided by any decent enterprise-wide scaling IDS, but it has been proven that in real life this is not as important as considered in the past. An IDS should not control the firewall and a network management administrator (infrastructure department) is not a security specialist in most cases. Also, most network management systems are not really designed to provide good intrusion analysis capabilities.
- The system shall provide support for correlation of data from several IDSs (NIDS, NNIDS and HIDS). This correlation should be done dynamically to minimize the chance of stale information which defeats this functionality. This means in detail:
  o Portscans: which ports did the attacker scan and what method did he use? Which open ports did he actually hit and detect?
  o Aggregation and correlation(6) of sporadic events from different sources, for detection of extremely slow portscans and sweeps which probably used spoofed addresses
  o Comparison of the type of attack with the services that are provided by the targeted system and software versions/known vulnerabilities for being able to determine if the attack could be successful.
  o Comparing analysis of events that are detected outside a firewall and inside a firewall. That way you can determine if the source of attacks that are detected on the inside has tried other attacks that were blocked by the firewall. This helps making a profile of the hacker. If you are seeing various portscans and scripted attacks outside and only some of them have actually passed the firewall, you can consider this a script kiddy with minor skills or automated worm activity (but do not underestimate the danger!). If the attack you detected on the inside was a dangerous one and outside you can see nothing more, you can consider this originating from a hacker who knows what he has to do in order to bypass the firewall without much noise.
(6) [SHM]
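The inside/outside comparison in the last correlation item above, as an added Python example that is not part of the paper and not any console's correlation engine: alerts from the sensor outside the firewall and from the sensor inside are grouped by source address, the difference between the two sets shows what the firewall stopped, and each source gets a verdict following the reasoning in the text (noisy source with only some events passing the firewall versus a quiet source seen inside only). The function, the verdict wording and the two alert lists are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str]          # (source IP, event name)


def correlate_in_out(outside: List[Alert], inside: List[Alert]) -> Dict[str, dict]:
    """Per source, compare what the outside NIDS saw with what the inside NIDS saw."""
    out_by: Dict[str, Set[str]] = defaultdict(set)
    in_by: Dict[str, Set[str]] = defaultdict(set)
    for src, name in outside:
        out_by[src].add(name)
    for src, name in inside:
        in_by[src].add(name)

    profiles: Dict[str, dict] = {}
    for src in sorted(set(out_by) | set(in_by)):
        o, i = out_by[src], in_by[src]
        blocked = o - i          # tried outside, never seen inside: stopped by the firewall
        if i and not o:
            verdict = "quiet: seen inside only, nothing outside; treat as a skilled attacker or an internal source"
        elif i and blocked:
            verdict = "noisy: several attempts outside, only some passed; consistent with scripted or worm activity"
        elif i:
            verdict = "passed: every outside event also reached the inside; the firewall does not filter this traffic"
        else:
            verdict = "blocked: all attempts stopped at the firewall"
        profiles[src] = {
            "outside": sorted(o),
            "inside": sorted(i),
            "blocked_by_firewall": sorted(blocked),
            "verdict": verdict,
        }
    return profiles


# Constructed alert lists from the outside and the inside sensor (source IP, event name).
OUTSIDE_ALERTS: List[Alert] = [
    ("203.0.113.5", "portscan"),
    ("203.0.113.5", "WEB-CGI probe"),
    ("203.0.113.5", "FTP overflow attempt"),
    ("192.0.2.1", "portscan"),
    ("192.0.2.1", "SNMP public community"),
]
INSIDE_ALERTS: List[Alert] = [
    ("203.0.113.5", "WEB-CGI probe"),
    ("198.51.100.77", "SMTP buffer overflow"),
]
```

For the constructed lists, 203.0.113.5 is classified as noisy (three attempts outside, one passed, two blocked), 192.0.2.1 as fully blocked, and 198.51.100.77 as quiet, the case the text flags as the more dangerous one because there is no outside noise to go with the inside event.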
3.3.3. Should Criteria
- Sending alerts via SMS (short message service)
- If the HIDS/NNIDS provides no file-integrity checks itself, it should provide an interface for Tripwire or similar tools.
- The system should provide printable reports of various degrees of detail, e.g. charts and graphs of high level information for executives:
  o Number of attacks vs. type of attacks
  o Number of attacks vs. priority/severity
  o Time and date vs. number of attacks
  In addition, more detailed reports for security staff and administrators:
  o Event names
  o Detailed event descriptions
  o IP address data
  o TCP/UDP port numbers or ICMP type/code
- Generation of trending-analysis reports
3.4. Criteria for the Security of IDSs
3.4.1. Must Criteria
- Communication between the IDS components (sensors, middle tier and management) must be encrypted.
- Strong authentication (via key exchange or challenge) is required.
- The method of communication must not provide any information about type and version of the IDS in use, be it explicit (e.g. clear-text messages) or implicit (e.g. unique behaviour or patterns). Thus, it can be prevented that a hacker exploits product/version-specific vulnerabilities or draws a map of the network parts that host IDS components.
- Network IDSs must behave stealthily, i.e. transmission of data via the sniffing interface is prohibited, unless it is configured intentionally (TCP resets could be transmitted by this interface, which is not recommended by the author). In order to achieve stealth, at least one of the following setups must be possible:
  o Configuration of the NIC (network interface card) without any IP address
  o Disabling TCP/IP for the NIC
  o Unbinding the NIC completely from the IP stack
  This is only possible if the product provides its own capture drivers or if it has got an interface for the libpcap (winpcap) drivers.
Using active response mechanisms, such as dynamic firewall reconfiguration or TCP reset by the NIDS and active blocking by the HIDS/NNIDS is not recommended by the author, unless you know exactly what the possible consequences are and you decide that it is worth taking the risk for your individual deployment goals (you will have to check this for each signature that utilizes active response). However, if you are considering to use such responses, the following criteria have to be met:
  o Blocking has to work in such a way that packets are silently dropped, without letting the hacker know what happened.
  o The protecting mechanism is only allowed to block those packets that belong to the attack themselves, i.e. the packets that have been identified to be an attack or part of an attack. Such packets have to be identified via their signature. The following packets that belong to the attack but cannot be identified by a signature (because sometimes only the first packets have a distinctive signature) have to be identified by IP address, port numbers (or ICMP type/code) and sequence numbers (for TCP). Relying solely on the IP address does not suffice and could be an invitation to DoS attacks. The author was able to DoS a NNIDS-protected server by simply flooding it with spoofed packets, generated by snot, a testing tool for Snort (although the vulnerable IDS was not Snort). The IDS blocked all spoofed IP addresses for half an hour by default.
  o Legitimate traffic must not be affected in any way.
  o TCP reset packets must not only spoof the IP addresses and TCP sequence numbers, but also the MAC addresses (for some operating systems, this might not be possible). Otherwise a hacker could easily identify where the reset packet has come from, provided that he is on the same subnet (internal hacker), and focus his mind on this system. It should be considered that TCP reset packets can be easily ignored by the attacker if he uses a software package that filters such packets. Thus, the reset feature has to reset both client and server. Evaluations by the author yielded that TCP reset packets of one IDS contain the customer ID by default. If such features are provided by the system, it must be possible to switch this off. However, IDSs shall not have such features activated per default in the first place.
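The second and third blocking criteria above (drop only packets that belong to the identified attack, keyed by address, ports and TCP sequence number, and never touch legitimate traffic), carried through as an added Python example that is not part of the paper and not any product's blocking logic. A block entry is created only when a signature has fired, is keyed on the full transport quad, and follow-on packets are dropped only while their sequence number continues the identified flow; entries expire after a TTL. The sample scenario in `run_sample()` shows why this matters: a new connection from the same source address passes, a forged packet with the right quad but a wrong sequence number passes, and a flood of spoofed packets that match no signature leaves the block table unchanged, which is the failure the text describes for address-only blocking. The class, its 300-second TTL and 65535-byte window, and all addresses and packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Quad = Tuple[str, int, str, int]          # (src IP, src port, dst IP, dst port)


@dataclass
class TcpPkt:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload_len: int
    matched_sig: Optional[str] = None     # name of the signature the sensor matched, if any


class AttackFlowBlocker:
    """Drops only packets of a signature-identified TCP flow, matched by quad and sequence number."""

    def __init__(self, ttl_seconds: int = 300, seq_window: int = 65535):
        self.ttl = ttl_seconds
        self.window = seq_window
        # quad -> (next expected sequence number, expiry time)
        self.blocked: Dict[Quad, Tuple[int, float]] = {}

    def decide(self, p: TcpPkt, now: float) -> str:
        quad = (p.src, p.sport, p.dst, p.dport)
        if p.matched_sig is not None:
            # identified by signature: block this flow from here on, silently
            self.blocked[quad] = (p.seq + p.payload_len, now + self.ttl)
            return "drop"
        entry = self.blocked.get(quad)
        if entry is None:
            return "pass"                  # unknown flow, and no signature: never blocked
        next_seq, expiry = entry
        if now >= expiry:
            del self.blocked[quad]
            return "pass"
        # follow-on data of the same attack: same quad and a sequence number that continues it
        if next_seq <= p.seq < next_seq + self.window:
            self.blocked[quad] = (p.seq + p.payload_len, expiry)
            return "drop"
        return "pass"                      # right quad, wrong sequence: not this attack's data


def run_sample() -> Dict[str, object]:
    b = AttackFlowBlocker()
    attacker, server = "203.0.113.5", "10.1.2.3"
    r: Dict[str, object] = {}
    # (1) signature hit on the first packet of a connection
    r["attack_first"] = b.decide(TcpPkt(attacker, 40000, server, 80, 1000, 200, "WEB-CGI probe"), 0.0)
    # (2) continuation of that flow with no signature on it, sequence number continues
    r["attack_followon"] = b.decide(TcpPkt(attacker, 40000, server, 80, 1200, 300), 1.0)
    # (3) a new, legitimate connection from the same IP address (different source port)
    r["same_ip_legit"] = b.decide(TcpPkt(attacker, 40001, server, 80, 5000, 100), 2.0)
    # (4) a forged packet carrying the blocked quad but a sequence number outside the window
    r["quad_wrong_seq"] = b.decide(TcpPkt(attacker, 40000, server, 80, 999999999, 10), 3.0)
    # (5) a flood of spoofed packets matching no signature must not grow the block table
    for i in range(1000):
        b.decide(TcpPkt(f"198.51.100.{i % 250}", 1024 + i, server, 80, i, 0), 4.0)
    r["entries_after_flood"] = len(b.blocked)
    # (6) after the TTL the entry is dropped and traffic on that quad passes again
    r["after_ttl"] = b.decide(TcpPkt(attacker, 40000, server, 80, 1500, 10), 400.0)
    return r
```

Under address-only blocking, step (3) would have been dropped and step (5) would have produced up to 250 blocked addresses; here the table holds exactly the one flow a signature identified.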
3.4.2. Shall Criteria
- If a component fails, it shall be restarted automatically and the management application shall notify the administrator that a problem has occurred.
- If communication between the components is interrupted, an alert shall be raised.
3.4.3. Should Criteria
- It is desirable that the IDS automatically ask the administrator to renew keys and certificates after a preconfigured time interval (some months).
- It is desirable that the IDS provides help for hardening the operating system during install time.
Finally, as a rule of thumb, an IDS shall not have any potentially dangerous features activated by default.
IDS Literature
Books:
[Cox01] Windows 2000 Security Handbook
  authors: Phil Cox, Tom Sheldon
  organisation: Security Experts
  ISBN: 0-07-212433-4
  Osborne/McGraw-Hill
[Northcutt] IDS: Intrusion Detection-Systeme - Spurensuche im Internet (German edition of IDS: An Analyst's Handbook)
  authors: Stephen Northcutt, Judy Novak
  organisation: SANS GIAC
  mitp
  ISBN: 3-8266-0727-9
  date: 2001
[Stevens1] TCP/IP Illustrated, Volume 1: The Protocols
  author: W. Richard Stevens
  Addison Wesley
  ISBN: 0201633469
[Stoll] Kuckucksei (German edition of The Cuckoo's Egg)
  authors: Clifford Stoll
  Fischer
  ISBN: 3-596-13984-8
Magazines:
[NC1701] Die den Dieb einfangen (Those who catch the thief)
  organisation: Network Computing / Real-World-Lab
  edition: 17/2001
[RB01] Wenn der Virenscanner nicht mehr reicht (When the virus scanner is no longer enough)
  authors: Jörg Rensmann, Markus Bauer
  PC Professionell
  edition: 05/2001
Presentations:
[Graham00] Carnivore - Detailed analysis
  authors: Robert Graham (CTO Network ICE)
  Toorcon '00, San Diego
  link: http://www.robertgraham.com/slides/00toorcon.ppt
[Graham01] SideStep: IDS evasion vs. protocol-analysis
  authors: Robert Graham (CTO Network ICE, now ISS)
  01-march-30, CanSecWest/CORE1
  link: http://www.robertgraham.com/slides/0103cansec.ppt
[Roesch01] Snort (bh-usa-01-Marty-Roesch.ppt)
  authors: Martin Roesch
  organisation: Sourcefire.com
  date: 2001
Other publications:
[HK98] Grundlagen, Forderungen und Marktübersicht für Intrusion Detection Systeme (IDS) und Intrusion Response Systeme (IRS) (Fundamentals, requirements and market overview for Intrusion Detection Systems (IDS) and Intrusion Response Systems (IRS))
  debis IT Security Services, Rabinstraße 8, D-53111 Bonn
  authors: Dr. Josef von Helden, Dr. Stefan Karsch
  Dok-Ref: IDS-10-03
  version: 1.4
  date: 19.10.98
  link: http://www.bsi.de
[NP99] Experience with EMERALD to Date
  authors: Peter G. Neumann and Phillip A. Porras
  organisation: Computer Science Laboratory, SRI International
  1st USENIX Workshop on Intrusion Detection and Network Monitoring
  date: April 1999
  pages: 73-80
[PN98] Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection
  authors: Thomas H. Ptacek, Timothy N. Newsham
  organisation: Secure Networks, Inc.
  date: January, 1998
  link: available, among other places, at: http://www.snort.org
[NSS00] Intrusion Detection & Vulnerability Assessment Group Test (Edition 1)
  An NSS Group Report
  date: first published December 2000
  The NSS Group; Oakwood House, Wennington, Cambridgeshire PE28 2LX, England
  link: www.nss.co.uk
[NSS01] Intrusion Detection Systems Group Test (Edition 2)
  An NSS Group Report
  date: First published December 2000 (Edition 1), Revised December 2001 (Edition 2 V1.0)
  The NSS Group; Oakwood House, Wennington, Cambridgeshire PE28 2LX, England
  link: www.nss.co.uk
[LaPadula00] Cyber Security Monitoring Tools and Projects - A Compendium of Commercial and Government Tools and Government Research Projects
  authors: Leonard J. LaPadula
  MITRE, Center for Integrated Intelligence Systems, Bedford, Massachusetts
  date: August 2000
  link: www.mitre.org
-
7/29/2019 IDS Criteria
23/31
2002DetmarLiesen [email protected] -23-
[Poppi02] SnortStatisticsHOWTO
authors: SandroPoppi
link: http://www.lug-burghausen.org/projects/Snort-Statistics/Snort-
Statistics-HOWTO.pdf
[RFP] Alookatwhiskersanti-IDStactics
authors: RainForestPuppy;[email protected]
link: http://www.wiretrip.net/rfp/
[Vigilinx] SecurityMonitoringRealitiesandFutures
AWhitePaperfromVigilinx
link: http://www.vigilinx.com
[Ranum01] ExperiencesBenchmarkingIntrusionDetectionSystems
authors: MarcusJ.Ranum(CTONFRSecurity,Inc.)
NFRSecurity
date: December2001
link: http://www.nfr.com
[Cheung99] TheDesignofGrIDS:
AGraph-BasedIntrusionDetectionSystem
authors: StevenCheung,RickCrawford,MarkDilger,JeremyFrank,
JimHoagland,KarlLevitt,JeffRowe,StuartStaniford-Chen,
RaymondYip,DanZerkle
organisation: DepartementofComputerScience,UniversityofCaliforniaatDavis,CA95616
date: January26,1999
-
7/29/2019 IDS Criteria
24/31
2002DetmarLiesen [email protected] -24-
[Axelsson00] IntrusionDetectionSystems:
ASurveyandTaxonomy
authors: StefanAxelsson
organisation: DepartementofComputerEngineering ChalmersUniversityofTechnology
Gteborg,Sweden
date: 14March2000
[RLM] IntrusionDetectionwithNeuralNetworks
authors: JakeRyan,DepartementofComputerSciences,Universityof
TexasatAustin;
Meng-JangLin,DepartementofElectricalandComputer
Engineering,UniversityofTexasatAustin;RistoMiikkulainen,DepartementofComputerSciences,
UniversityofTexasatAustin;
[HHM] IntelligentAgentsforIntrusionDetection
authors: GuyG.Helmer,JohnnyS.K.Wong,VasantHonavar,Les
Miller
organisation: IowaStateUniversity,Ames,Iowa50011
[Forensics] IntrusionDetectionSystemsandAViewToItsForensic
Applications
organisation: TheUniversityofMelbourne,DepartementofComputer
Science,Parkville3052,Australia
[NBCW] AnIntrusionDetectionSystemtoMobilePhoneNetworks
authors: MirelaSechiAnnoniNotare,FederalUniversityofSanta
Catarina,Brazil
AzzedineBoukerche,UniversityofNorthTexasFernandoAugustodaSilveCruz,FederalUniversityofSanta
Catarina,Brazil
CarlosBeckerWestphall,FederalUniversityofSantaCatarina,
Brazil
-
7/29/2019 IDS Criteria
25/31
2002DetmarLiesen [email protected] -25-
[deCastro] ArtificialImmuneSystems:
TheoryandApplications
authors: LeandroNunesdeCastro
organisation: StateUniversityofCampinasUNICAMP SchoolofComputerandElectricalEngineeringFEEC
VI-BrazilianSymposiumonNeuralNetworks
[CS94] DefendingaComputerSystemusingAutonomousAgents
authors: MarkCrosbie,GeneSpafford
organisation: COASTLaboratory,Dept.ofComputerSciences,
PurdueUniversity,WestLafayetteIN47907-1398
date: 11March,1994
[MT00] BenchmarkingAnomaly-BasedDetectionSystems
authors: RoyA.Maxion,KymieM.C.Tan
organisation: Dept.ofComputerScience,
CarnegieMellonUniversity,5000ForbesAvenue
Pittsburgh,PA15213USA
1stInternationalConferenceonDependableSystems&
Networks:NewYork
June2000
[Frank] ArtificialIntelligenceandIntrusionDetection:Currentand
FutureDirection
authors: JeremyFrank
organisation: DivisionofComputerScience,
UniversityofCaliforniaatDavis, Davis,CA.95616
[Paxson] Bro:ASystemforDetectingNetworkIntrudersin
Real_Time
authors: VernPaxson
organisation: LawrenceBerkeleyNationalLaboratory,
Berkeley,CA
and
AT&TCenterforInternetResearchatICSI, Berkeley,CA
-
7/29/2019 IDS Criteria
26/31
2002DetmarLiesen [email protected] -26-
[JLA] AFaultToleranceApproachtoSurvivability
authors: SushilJajodia,PengLiu,PaulAmmann
organisation: CenterforSecureInformationSystems,
GeorgeMasonUniversity,Fairfax,VA22030-4444
[HF98] ImmunizingComputerNetworks:
GettingAlltheMachinesinYourNetworktoFightthe
HackerDisease
authors: StevenA.Hofmeyr,StephanieForrest
organisation: Dept.ofComputerScience,
UniversityofNewMexico,Albuquerque
date: November2,1998
[KB] TheHumanImmuneSystemandNetworkIntrusion
Detection
authors: JungwonKimandPeterBentley
organisation: Dept.ofComputerScience,UniversityCollgeLondon
GowerStreet,London,UK
[HF] ImmunologyasInformationProcessing
authors: StephanieForrest
StevenA.Hofmeyr
[JMKM00] MobileAgentsInIntrusionDetectionAndResponse
authors: W.Jansen,P.Mell,T.Karygiannis,D.Marks
organisation: NationalInstituteforStandardsandTechnology
Gaithersburg,MD20815
12thAnnualCanadianInformationTechnologySecurity
Symposium,
Ottawa,Canada,June2000
[Bass] IntrusionDetectionSystems&MultisensorDataFusion:
CreatingCyberspaceSituationalAwareness
authors: TimBass
-
7/29/2019 IDS Criteria
27/31
2002DetmarLiesen [email protected] -27-
[Cannady] ArtificialNeuralNetworksforMisuseDetection
authors: JamesCannady
organisation: SchoolofComputerandInformationSciences,
NovaSoutheasternUniversity,FortLauderdale,FL33314
[Axelsson99] ResearchinIntrusion-DetectionSystems:ASurvey
authors: StefanAxelsson
organisation: Dept.ofComputerEngineering,
ChalmersUniversityofTechnology
Gteborg,Sweden
date: December15,1998
revised: August19,1999
[Bschkes] AngriffserkennunginKommunikationsnetzen
authors: Diplom-InformatikerRolandBschkes
VonderFakulttfrMathematikundNaturwissenschaftender
Rheinisch-WestflischenTechnischenHochschuleAachenzur
ErlangungdesakademischenGradeseinesDoktorsder
NaturwissenschaftengenehmigteDissertation.
date: Mai2001
[Allan02] IntrusionDetectionSystems(IDS):Perspective
authors: AntAllan
organisation: GartnerResearch
date: 4January2002
[FV02] AnAnalysisofFastStringMatchingAppliedto
Content-BasedForwardingandIntrusionDetection
authors: MikeFisk,GeorgeVarghese
IEEEINFOCOM2002
-
7/29/2019 IDS Criteria
28/31
2002DetmarLiesen [email protected] -28-
[SHM] PracticalAutomatedDetectionofStealthyPortscans
authors: StuartStaniford,JamesA.Hoagland,JosephM.McAlerney
organisation: Silicondefense,5132ndStreet,Eureka,CA95501
[FV01] FastContent-BasedPacketHandlingforIntrusionDetection
authors: MikeFisk([email protected]),
GeorgeVarghese([email protected])
organisation: Computing,Communications,andNetworkingDivision,Los
AlamosNationalLaboratory
DepartmentofComputerScienceandEngineering,University
ofCaliforniaSanDiego
UCSDTechnicalReportCS2001-0670,May2001[Roesch] Snort-LightweightIntrusionDetectionforNetworks
lisapaper
authors: MartinRoesch
organisation: Snort.org
[Laing00] HowToGuide-ImplementingaNetworkBasedIntrusion
DetectionSystem
authors: BrianLaing([email protected])
organisation: InternetSecuritySystems(ISS)
date: 2000
[Yarochkin00] SnortnetADistributedIntrusionDetectionSystem
authors: FyodorYarochkin
organisation: KyrgyzRussianSlavicUniversity,Bishkek,Kyrgyzstan
date: June26,2000
[Frederick1] NetworkIntrusionDetectionSignatures,PartOne
authors: KarenKentFrederick
organisation: NFRSecurity
date: December19,2001
-
7/29/2019 IDS Criteria
29/31
2002DetmarLiesen [email protected] -29-
[Frederick2] NetworkIntrusionDetectionSignatures,PartTwo
authors: KarenKentFrederick
organisation: NFRSecurity
date: January22,2002
[Frederick3] NetworkIntrusionDetectionSignatures,Part3
authors: KarenKentFrederick
organisation: NFRSecurity
date: February19,2002
[Frederick4] NetworkIntrusionDetectionSignatures,PartFour
authors: KarenKentFrederick
organisation: NFRSecurity
date: March5,2002
[MMM] Adenial-of-serviceresistantintrusiondetectionarchitecture
authors: PeterMell,DonaldMarks,MarkMcLarnon
organisation: ComputerSecurityDivision,NationalInstituteofStandardsand
Technology
ComputerNetworks34(2000)641-658
[Overill] ReactingtoCyberintrusions:Technical,LegalandEthical
Issues
authors: RichardE.Overill
organisation: DepartmentofComputerScienceandInternationalCentrefor
SecurityAnalysis,KingsCollegeLondon
-
7/29/2019 IDS Criteria
30/31
2002DetmarLiesen [email protected] -30-
[Staniford] IntrusionCorrelationASketchoftheproblem
authors: StuartStaniford
organisation: SiliconDefense
date: November,05,2001
Credits

Many thanks to the snort community and the dragon community, where I have learned quite a bit and whose members have helped a great deal answering and discussing various questions.

The ISS Forum and focus-ids forum (securityfocus.com) are a great source of information as well.

Thanks go also to all IDS vendors/developers who provide free download of product papers and documentation, as well as evaluation software.

Special thanks to

My boss (for providing the opportunity to write a diploma thesis on IDS)
Sandro Poppi (for some really cool discussions about IDS and help on various questions)
Erek Adams (for his efforts on the snort-users mailing list)
Martin Roesch (for creating and improving snort)
Chris Green (for his mailing-list and development efforts)
Robert Graham (for sharing his knowledge with the public)
NSS (for providing free evaluation and benchmark reports)
Bob Walder of NSS (for discussing the future of NSS Group tests regarding gigabit ethernet and NIDS in switched environments)
Andrew Talisker (for one of the most complete lists of commercial and non-commercial IDSs)
All persons who reviewed this paper
o Sandro Poppi (for reading and commenting on the first, German edition)
o My father and my sister (for correcting typos)
o Maria Teigeiro (corrections and enhancements)
o Linda from Australia

There are a lot more people who could be named here because of their commitment in the communities.
The Author

tux@earth# whoami
Detmar Liesen

o worked as an industrial mechanic, assembling special machines for industry automation (measurement and calibration of thermal and magnetic circuit breakers)
o gave up the job to study electric and electronic engineering at the Rheinische Fachhochschule Koeln in Cologne, Germany
o focus on communication technologies after three semesters
o focused on IT security during the last year of studies (vulnerability assessment, firewall, IDS)
o gathering practical experience in networking and IT security at a German company with over 11,000 employees and more than 80 subsidiaries worldwide
o February 15th: begin of diploma thesis on "Conception for Deployment of Intrusion Detection Systems in a Corporate Network" for the same company
o May 15th: finish of diploma thesis
o July 15th: diploma colloquium
o future plans: working as an IDS administrator and intrusion analyst, becoming an expert for intrusion analysis and incident handling, developing and implementing enterprise-wide security concepts