Introduction
Computer systems and the internet are arguably the greatest inventions by humankind in the 21st century. Although these two entities are hardly a century old, they have revolutionalized the way in which we carry out our day to day activities and hardly any arena in our lives has escaped the influence of these systems. As our society becomes increasingly dependent on information technology for a myriad of operation, the responsibility to maintain and protect computing systems increases proportionately. This is because with increased use of computers, the cost of system failure becomes significantly higher. While big organizations recognize the need for implementing all the necessary security measures to protect their networks, small businesses and home networks are not as vigilant. One of the security tools which have been underused by small networks is Intrusion Detective Systems (IDS). This is because traditionally, effective IDS has been expensive and therefore off the reach for many small businesses or home networks. Small networks have also failed to consider themselves as valid targets for hackers.
Unauthorized entry into a system is a major issue for all networks; big or small. Joseph and Rod (2008, p.21) revealed that there was a high number of unauthorized security events in the last decade and “70 percent of organizations at least reported a security incident”. Considering the fact that not all unauthorized security events are detected, it can be safely assumed that the percentage of security incidents is even higher. This paper will set out to demonstrate that there is a viable Host based Intrusion Detection System that can be used by small businesses and home networks as an alternative to the off the shelf IDS software. This alternative is the open source system developed by Doug Burks that is currently available as “Security Onion”. The paper will pay special attention to the Sguil portion of the software and its application as an analysis interface for Snort.
Intrusion Detection System: An Overview
The best method for dealing with intruders is to prevent them from gaining access to the network. While desirable, this method does not always work and intruders may find a way to breach the security measures imposed and gain access to the system. Scarfone and Mell (2007, p.2) define intrusion detection as the process of “monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices”. An Intrusion Detection System (IDS) is software designed to automatically carry out the intrusion detection tasks. An IDS is a security solution that protects computers that have been successfully violated by an intruder and it provides the second line of defense for the security administrator.
The importance of IDS comes from the assumption that every network may at one time be compromised despite all the preventive measures taken to protect it. This assumption is in most cases right since as Sundaram (2004, p.24) bleakly notes, “the sophistication of hacker tools has been faster than the technical knowledge required to counter the hacker techniques”. Therefore, when this intrusion happens, the most effective way to deal with the situation is to monitor the system. Without an IDS in place, the network administrator will be oblivious of the fact that his network has been compromised and this may have dire consequences. Using Intrusion Detection System (IDS) the network administrator is in a position to secure the network from sophisticated attacks that would otherwise occur without their knowledge. Intrusion Detection Systems notify the system administrator of suspect activities that may be occurring within the network. Once this detection has been identified, action should be taken to ensure that the threat is removed and future intrusion is prevented.
While small businesses and home networks may deem IDS as unnecessary, research by Meghanathan et al. (2006) demonstrates that use of these tools gives the network security personnel the means to deal with intruders and identify risks. This will have the multiple function of protecting the network from opportunistic intruders who are on the look out for an easy target, preventing access to unauthorized parties and in the event that the system is compromised, early detection and expulsion of the same.
Security Onion
Security Onion is a Linux based system developed by Doug Burks that is made up of software that is used for the installation, configuration and the testing of IDS. The system consists of Snort, Fragrouter, and Sguil, all of which are highly rated IDS systems. Snort is an open-source IDS that delivers its data via the MySQL database. This particular IDS makes use of a rule-driven language that combines signature, protocol, and anomaly-based inspection methods to detect intrusions to the system (Tzeyoung, 2009). Hwang, et al. (2003) states that Snort is the most widely used IDS and it has extensive documentation. Sguil is that graphical interface to snort that functions as an analyzer for the data collected by snort. It should be noted that Sguil is not a fully fledged IDS in itself but rather, it is a graphical user interface (GUI) used for Network Security Monitoring (NSM). Sguil has many inbuilt strengths that make it invaluable for small businesses as well as home networks. These strengths are as follows:
Strengths of Sguil
Arguably the most appealing feature of Sguil for small businesses and home networks is that the software is open source which means that it will not cost the individual(s) dearly to implement it. Most commercially available IDSs with similar capabilities as Sguil are exorbitantly priced making them out of reach for networks with financial constraints. In addition to this, Sguil is developed in such a manner that it can run across different platforms with little modification. This is a major advantage since most commercially available IDS are platform specific which limits their application. Tzeyoung (2009) reveals that Sguil can run on any Linux flavor, FreeBSD, Solaris, WinXP and Win2k. Software which is platform specific obligates a person to make an additional investment on the particular OS that the software runs on before they can enjoy the benefits of the software. The small business or home network administrator can therefore download Sguil for free and begin using it without having to change their OS.
Some networks process huge amounts of data that requires to be monitored and without the use of specialized tools, security administrators “are completely lacking in their ability to analyze such large volumes of data” (Erbacher, et al., 2006, p.3). As such, security personnel may have to randomly decide on what data merits their attention since they are incapable of going through all the data available. Sguil takes care of this through its mechanism which pushes alerts to the console and therefore attracts the attention of the security administrator. In addition to this, Sguil allows the administrator to specify the events which should be given greater consideration. Through “autocat.conf”, the administrator can automatically categorize incoming alerts giving priority to certain events.
The ideal IDS should be able to identify reconnaissance activity which signals an imminent attack. In reconnaissance, the attacker makes attempts to learn about the target system or network (Hwang, et al., 2007). The events from a reconnaissance mission may include port scans, inquiries on the versions of applications installed in the system and DNS transfers to name but a few. The IDS should be able to notify the security administrator of this activity and the administrator can take action that is needed to stop the reconnaissance activity. Sguil has the capability to perform Reconnaissance probes and scans. It does this by flagging any suspect port scans and reporting the same to the administrator who will take a closer look and determine whether the scans constitute an intrusion. The information gathered from a reconnaissance can result in the adoption of more aggressive filters in future as well as highlight key vulnerabilities in the system.
Gathering information on the vulnerability of the system is one of the ways through which the network administrator can strengthen the security of his network (Joseph & Rod, 2008, p.223). Sguil allows the administrator to view and edit the code generated in relation to the detection. From the Sguil interface, the administrator can click on the item of interest and view additional code which includes the programs that carried out the event. Code viewing capabilities are useful since they help the analyst to better determine why particular alerts were generated. The reason why Sguil gives the user permission to view the code is because the software is not proprietary and therefore it is written in a freely available programming language.
Sguil contains tools that can help the analyst to confirm suspicious activity. Confirmation of suspicious activity is important since it enables the administrator to take up appropriate action to curb the threat. For example, Sguil has an automatic WHOIS check function that assists to verify the source of destination IP address of a specific alert (Boman, 2004). Being able to run WHOIS from the Sguil interface is convenient for the administrator since he/she can in a matter of seconds differentiate legitimate from illegitimate traffic.
For IDSs to help in future review of security, they should have the capacity to log abnormal activity and enable the monitoring and analysis of the same in future. Sguil provides log files for the events which taking place which makes it possible to carry out computer forensics. Computer forensics has a close relationship to cybercrime and it assists in computer crime investigation as well as cyber-attack detection and response. Forensics deals with “the collection and analysis of data from computer systems, networks, communication streams and storage media in a manner admissible in a court of law” (Kessler, 2007).
In some situations, the timeliness of the information provided can spell the difference between success and failure. This is because some attackers just require a little time in the system to identify vulnerabilities and perpetrate their attacks. In such cases, a real time alert system will be most desirable. Securix (2011) reveals that Sguil offers real time information on the number of alerts generated through Snort. Monitoring the real time feed that appears through the Sguil console will therefore enable the administrator to identify an intruder immediately and take appropriate action before the intruder can do any real damage to the system.
Sguil is a lightweight application which makes it economical in the small business environment where resource allocation is an important consideration. System resource requirement has always been an issue when installing software products. While big organizations have vast resources and can afford to dedicate entire computer systems to security, small businesses and home network may lack the same capabilities. Sguil comes in handy since it can be run on modest computer systems since it does not require vast amounts of resources. Bruneau (2009) states that the full installation for the sguil console takes up about 400MB of space. For the whole configuration to function efficiently, the author recommends a minimum of 1GB or RAM although the system can also operate with 512MB of RAM albeit with less efficiency. This system resource requirements are modest and small business and home networks can afford them with little trouble.
Sguil enables the security administrator to monitor traffic within the network and therefore enforce network policies. Tzeyoung (2009, p.9) asserts that Sguil is able to “assess the integrity of critical system and data files”. While the network administrator may take appropriate action to safeguard the network from security threats from the outside, failure to monitor internal activity can lead to damages (Kessler, 2007, p.23). This is because users may infect their machines with viruses, worms, and Trojan horses. This may in return compromise the entire system. A tool which enables the administrator to ensure that the policies established are followed can greatly reduce the risk of the network being compromised as a result of individual user actions. By monitoring and analyzing user activity on the network, the administrator is able to observe hosts which are violating the set security policies. Through Sguil, the network administrator can track down, block, isolate and take necessary action against hosts that are not in compliance with security policies of the network.
Without the user of Sguil as a network security monitor, the administrator would be forced to invest in a number of tools to monitor the network. These would include: tools to perform vulnerability assessment, tools to inspect the network for malicious activity, and tools to inspect whether the local hosts have been compromised (Zhou, Carlson, & Bishop, 2005). Even for a small business or a home network, this approach would be both time consuming and expensive. Sguil integrates a number of sources to carry out NSM therefore making it efficient. Specifically, Sguil uses four sources of data: “high level statistical data, session data, full content data, and alert data”. This makes Sguil a robust source of information which can be used to investigate alerts.
Sguil makes use of fingerprinting which is a technique used to identify the specific tool that is being used by the intruder (Pouget & Dacier, 2005). In particular, Sguil depends on the pOF tool to perform OS fingerprinting. Tools fingerprinting is based on the premise that each cluster of attack can be associated to a specific attack tool. By identifying the signatures to frequently used tools of attack, Sguil helps the administrator to extract the well-known attacks and turn attention to rare and strange attacks. Fingerprints can have extended scripts which can help determine whether an attack is automated or manual (Vallis & Al-Lawati, 2010). Such information is very important to an administrator since it can assist in determining the vulnerabilities that malware is targeting.
Sguil makes use of Snort’s signature-based detection methodology. Scarfone and (2007, p.3) defines signature-based detection as the process of “comparing signatures against observed events to identify possible incidents”. This method is hailed as being highly effective in detecting known threats. The straightforward manner in which signature-based detection operates means that the resource overhead is not high therefore increasing the efficiency of sguil. This makes it ideal for small businesses and home networks users who do not want to dedicate a lot of resources to the IDS.
Sguil is designed to enable fast analysis and categorization. Boman (2004) notes that Sguil is classified as one of the less complicated NSM tools by SANS severity rating and it contains functionalities such as: categorizing events by severity, escalating events, and moving events to a no action required category. In addition to this, Sguil requires comments to be inserted when an event is escalated therefore making the log reports understandable should they be reviewed by a different security administrator from the one who escalated the event.
Sguil enables the administrator to flag down Denial of Service attacks. A Denial of Service attack is defined as “an attack designed to render a computer or network incapable of providing normal service” (Kessler, 2009). While a DoS Attack may not result in the damage of hardware, software or data, the fact that these resources are unavailable degrades the productivity of the system. Instead of using brute-force volumes, some DoS attacks make use of application-level attacks that mimic legitimate traffic. This makes it difficult to detect the attack using detection tools. The only means for detecting these attacks is through monitoring by Network Administrators to detect anomaly. Sguil enables the security administrators to detect DOS and take appropriate action.
Limitation of Sguil
A significant limitation with Sguil is that its accuracy is not as high as that of commercially available IDS. Tzeyoung (2009) states that the accuracy of an IDS may be gauged by the manner in which it detects unwanted traffic. Sguil’s limitation comes about from the signature-based detection methodology that it employs. This methodology is highly ineffective in detecting new threats, previously unknown threats, variants to the known threats, and even threats that have been disguised by use of some evasion technique. A more robust methodology makes use of anomaly-based detection. Anomaly-based detection is defined as the process of “comparing definitions of what activity is considered normal against observed events to identify significant deviations” (Scarfone & Mell, 2007, p.4). IDSs that utilize anomaly-based detection make use of profiles that represent what is considered normal behavior within the network and in the event that an “abnormal” behavior is detected, the system issues an alert to the security administrator. An obvious benefit of anomaly-based detection is that it can be used to detect previously unknown threats since it makes use of a profile obtained from observing normal network usage. Nevertheless, an IDS that utilizes both signatures and anomaly detection would be the appropriate since it takes advantage of the strengths of both detection methodologies.
Sguil does not have rule management capabilities. This means that it is impossible for the security administrator to perform changes so as to make the IDS compliant with his security policies using Sguil. Without tuning capabilities, the IDS is bound to generate a high number of false positives. Scarfone and Mell (2007) define a false positive as a situation where an IDS wrongly identifies a benign activity as being malicious. Too many false positives overload the administrator with cumbersome amounts of data to go through and therefore diminish the effectiveness of the IDS since the administrator has to dedicate a lot of time sifting through the data (Tzeyoung, 2009). While large companies may have the resources necessary to employ a number of security administrators who can carry out this analysis, small businesses or home networks cannot afford this. The other erroneous result that an IDS is prone to is false negatives. A false negative is an instance where the IDS fails to identify malicious activity that has/is occurring. By failing to identify malicious events, the IDS allow attackers to infiltrate the system and carry out their attacks undetected. False negatives limit the capability of the security administrator to protect the system since they do not give him/her the opportunity to review the data.
Another major limitation with Sguil is that its development is still ongoing. This being the cause, the maintenance required for the IDS technology is greater that what would be expected from commercially available software. Patches and signatures are constantly being developed and the configurations must be updated to ensure that the tool remains effected in detecting malicious traffic (Securix, 2011). Sguil also has a significant number of bugs which will be a big inconvenience to the security administrator. This means that while all other computer systems require periodic maintenance, the maintenance requirements for Sguil are much higher.
Unlike most commercially available software, Sguil lacks any script writing capabilities. Scripting tools allow the administrator to take the experience obtained from performing an analysis and use the same as a basis for strengthening the defenses in the future (Hwang, et al., 2007). Without this capability, the administrator is not able to make use of his acquired knowledge to build even better security for his network.
Squil makes use of an SQL database to perform its NSM functions. The integrity of the SQL database that is used by Snort should always be guaranteed. Ideally, the database should not be connected directly to the Network Security Monitor if an attacker compromises the NSM, they will gain information to the vast data contained in the database. As it currently stands, the Security Onion sensors connect directly to the database therefore threatening to compromise its integrity.
In some instances, the intruders use encrypted connections to carry out their attacks. Tzeyoung (2009) affirms that the effectiveness of IDS is greatly diminished when attacks are carried out through encrypted connections. Unless the IDS knows how to decrypt and re-encrypt data, encrypted traffic will remain opaque to the system. While the administrator will be able to see the logins and even listen in on the unauthorized traffic, it is at times impossible to decipher the information that is captured from the attacker’s packets. The administrator will therefore be unable to analyze the data from the intruder. This inability to read the attacker’s packets may result in the attacker carrying out actions like taking over the entire system without the administrator realizing it.
As has been stated from the onset, sguil is part of Security Onion which is a popular open-source software. This being the case, sguil does not have the valued added support personnel and free technical support that is inherent in most commercial software. This is a major issue since Sguil is described by some reviewers as “a tool by analysts, for analysts” (Securix, 2011). This implies that some aspects of Sguil will tend to be overly technical and without assistance, a person may fail to make headway.
Recommended Solutions
Lack of user support can be a major issue when using any software. Small businesses and home networks are unlikely to have invested in qualified security professionals who can properly install and run the Security Onion suite and problems are therefore very likely to happen. Online forums and discussion groups present the best source of information on common problems and troubleshooting Sguil. These forums also have messaging boards on which a person can post their problem and have solutions offered by other users. While these help forums are not as fast as the user support systems established by commercial software companies, they provide the individual with valuable and free advice.
As has been noted, one of the major issues with sguil is that one has to keep checking for updates and patches to the system. This is a major inconvenience in an environment where the network administrator has many other obligations. Bruneau (2009) proposes the use of scripts which are available for free online to set rules that make the system check for updates on a daily basis. Such scripts automate the task therefore making the running of Sguil easier for the security administrator.
All IDS technologies (commercial and otherwise) are not able to provide 100% accurate detection and they are prone to errors. As such, the fact that Sguil generates false positives is not a major issue. Scarfone and Mell (2007) assert that while few to no false positives would be ideal, an IDS which produces many false positives is better than one which produces false negatives. A solution to these problem would be tuning the IDS so that the number of false positives is reduced.
Sguil may be unable to perform full analysis when subjected with high loads and the tool might drop some packets. High traffic may also lead to increased latency which refers to delays in the processing of packets by the IDS. Small businesses and home networks are likely to attract only a modest amount of network traffic. Sguil may therefore never have to face the limitations that are associated with handling high traffic loads.
Writing of signatures for IDS is a complex task and it is unlikely that a small business or home network administrator may have the capability or the time and effort resources required to carry out this task. There are also problems inherent in trying to write a signature since one might write an overly specific signature which may be unable to capture most of the attacks or an overly general signature which results in too many false positives. The fact that Sguil does not allow the administrator to write their own signatures may therefore not be relevant since the security administrator may never venture into this even if Sguil had the capabilities. It is better for the administrator to download new signatures which are periodically provided online.
IDS require extensive tuning to improve their accuracy and therefore make them more efficient in intrusion detection. The lack of a code editing feature by Sguil is therefore a major limitation for security administrator. Securix (2011) reveals that Sguil is being continuously improved and it can be expected that in the near future, Sguil will comprise of tuning and customizing capabilities which will improve its power as an IDS even further.
Discussion
Even as the use and reliance on computer systems increases, people are painfully aware of the risks that the systems are exposed to. Network infrastructure is constantly under threat and it is the role of network security personnel to ensure that the system is protected from threats and vulnerabilities. Network administrators should avoid the temptation to leave the security of the network entrusted to firewalls and the installed anti-virus software that come preloaded in the computer systems. Instead, they should make use of NSM tools such as Sguil. From the discussions presented herein, it is clear that Sguil’s viability as an NSM is absolute and it should be implemented by all security conscious administrators who cannot afford commercial IDSs.
Many small businesses and home networks argue that they do not need IDSs since they feel that they do not have information that would be of any use to an intruder. While it may be true that such networks may not have any information of value, the intruder can take over the network resources and use them to undertake attacks on other more valuable targets. An attacker can at times take over the system resources available to him to launch attacks on other systems. These attacks on other networks can result in the damages to a third party’s network (Steve & Yen, 2005). The consequences for such actions can be costly to the owner of the network since they may be held legally liable for the attack and therefore forced to compensate the third party. It is therefore imperative that network administrators invest in an IDS like Sguil to avoid such scenarios.
For all the merits attributed to IDS, Tzeyoung (2009) warns that there is real danger of IDS being used improperly within an organization. While IDS are important tools for detecting intrusions and attacks on a system, they should not be the only security tools utilized. Relying too much on IDS to catch intrusions leads to security administrators focusing on symptoms of network vulnerability instead of fixing the root causes of the security breaches. Tzeyoung (2009, p.15) authoritatively states that “IDS is only one tool in an administrator’s arsenal in properly securing a network”. Security administrators should therefore take an integrated approach in securing the network and make use of a wide variety of tools such as firewalls, honepots, vulnerabilities scanners and many others.
Conclusion
Owing to the critical nature of networks in today’s society, the security of network infrastructure is of great importance. Preventive and detective measures should therefore be employed to improve security. This paper set out to analyze Sguil, the primary NSM in Security Onion, so as to determine its strengths and limitation as a solution for small businesses or home networks. This was from the revelation that while major companies and organizations have the means to acquire the best commercially available software to protect their systems, small companies and home networks may lack the same capabilities. This paper has highlighted that Sguil embodies most of the functions of the ideal IDS which include: monitoring of the system activity, detection of intrusions in a timely manner, presentation of analysis in a readable and easy to understand format, issuing of alerts in the event of any suspicious behavior, and auditing of system vulnerabilities in log files.
While Sguil presents a potent weapon that security personnel can use to monitor a network, this paper has demonstrated that this tool is not without its limitations. These limitations include: lack of user support, need for frequent updates, and inability to handle high traffic. It has also been asserted that IDS should not be used as a sole defense mechanism but rather; it should be used together with other security tools. By employing Sguil as part of the security tools used, the network administrator will be better equipped to protect the network. The small business or home network will therefore thrive from the numerous benefits that computer network presents while avoiding the losses that result from intruder attacks.
References
Boman, M. (2004). Network Security Analysis with Sguil. Web.
Bruneau, G. (2009). Build Securely Snort with Sguil Sensor Step-by-Step Powered by Slackware Linux. Web.
Erbacher, R.F., Christiansen, K., & Sundberg, A. (2006). Visual Network Forensic Techniques and Processes. Department of Computer Science. Utah State University, Logan.
Hwang,K., Cai,M., Chen,Y., & Qin,M. (2007). “Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes”. IEEE Transactions on Dependable Computing, 4(1):41-55.
Joseph, S and Rod, A (2008). “Intrusion Detection: Methods and Systems”. Information Management and Computer Security, 11(5):222-229.
Kessler, G. (2007). Online Education in Computer and Digital Forensics. Proceedings of the 40th Hawaii International Conference on System Sciences.
Meghanathan, N., Allam, S.R. & Moore, A.L. (2009). “Tools and techniques for network forensics”. International Journal of Network Security & Its Applications (IJNSA), Vol.1,No.1.
Pouget, F. & Dacier, M. (2005). “Honeypot-based Forensics”. Institute Eurécom 2229.
Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems. National Institute of Standards and Technology.
Securix. (2011). NSM Architecture. Web.
Steve, H., David C., Yen and David C. (2005). “Awareness and Challenges of Internet Security”. Information Management and Computer Security. 8(3): 131-143.
Sundaram, A. (2004). An Introduction to Intrusion Detection, Crossroads: The ACM Student Magazine. 2(4).
Tzeyoung, M.W. (2009). Intrusion Detection Systems. IATAC.
Vallis, C. & Al-Lawati, M. (2010). “Developing Robust VoIP Router Honeypots Using Device Fingerprints”. Security Research Center Conferences.
Zhou, J., Carlson, A., & Bishop, M. (2005). Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis: Proceedings of the 21st Annual Computer Security and Applications Conference (ACSAC 2005).