i NAT'L INST. OF STAND & TECH ill Mist' NIST Special Publication 800-31 Intrusion Detection Systems NO" Rebecca Bace and Peter Mell National Institute of Standards and Technology Technology Administration U.S. Department of Commerce COMPUTER SECURITY NIST CINTINNI«ll rhe National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in thedevelopmentoftechnology neededtoimproveproductquality,tomodernizemanufacturingprocesses, . . . to ensure product reliability . . . and to facilitate rapid commercialization ... ofproducts based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Publications and Program Inquiries Desk, 301-975-3058. Office of the Director Chemical Science and Technology • National Quality Program Laboratory • International and Academic Affairs • Biotechnology • Physical and Chemical Properties^ Technology Services • Analytical Chemistry • Standards Services • Process Measurements • Technology Partnerships • Surface and Microanalysis Science • Measurement Services Physics Laboratory • Information Services • Electron and Optical Physics Advanced Technology Program • Atomic Physics • Economic Assessment • Optical Technology • Information Technology and Applications • Ionizing Radiation • Chemistry and Life Sciences • Time and Frequency' • Materials and Manufacturing Technology • Quantum Physics' • Electronics and Photonics Technology Manufacturing Engineering Laboratory Manufacturing Extension Partnership Program • Precision Engineering • Manufacturing Metrology • Regional Programs • Intelligent Systems • National Programs • Fabrication Technology • Program Development • Manufacturing Systems Integration Electronics and Electrical Engineering Building and Fire Research Laboratory Laboratory • Microelectronics • Applied Economics • Law Enforcement Standards • Structures • Electricity • Building Materials • Semiconductor Electronics • Building Environment • Radio-Frequency Technology' • Fire Safety Engineering • Electromagnetic Technology' • Fire Science • Optoelectronics' Information Technology Laboratory Materials Science and Engineering • Mathematical and Computational Sciences^ Laboratory • Advanced Network Technologies • Intelligent Processing of Materials • Computer Security • Ceramics • Information Access • Materials Reliability' • Convergent Information Systems • Polymers • Information Services and Computing • Metallurgy • Software Diagnostics and Conformance Testing • NIST Center for Neutron Research • Statistical Engineering CO 'At Boulder, 80303. ^Some elements at Boulder, CO. Intrusion Detection Systems NIST Special Publication 800-31 Rebecca Bace^ and Peter Mell^ CA 'infidel, Inc., Scotts Valley, National Institute ofStandards and Technology COMPUTER SECURITY Computer Security Division Information Technology Laboratory National Institute of Standards and Technology MD Gaithersburg, 20899-8930 November 2001 U.S. Department ofCommerce DonaldL. Evans, Secretary Technology Administration Phillip J. Bond, UnderSecretary ofCommercefor Technology National Institute ofStandards and Technology Karen H. Brown, Acting Director Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute ofStandards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, govemment, and academic organizations. National Institute of Standards and Technology Special Publication 800-31 Natl. Inst. Stand. Technol. Spec. Publ. 800-31, 48 pages (October 2001) CODEN: NSPUE2 GOVERNMENT PRINTING OFFICE U.S. WASHINGTON: 2001 For sale by the Superintenden—t ofDocuments, U.S. Gov—emment Printing Office Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 NIST Special Publication 800-31, Intrusion Detection Systems Intrusion Detection Systems L Introduction 1 2. Overview of Intrusion Detection Systems 1 2.1. What Is Intrusion Detection? 1 Why 2.2. Should I use Intrusion Detection Systems? 1 2.2.1. Preventing Problems by Increasing the Perceived Risk ofDiscovery and Punishment of Attackers 2 2.2.2. Detecting Problems that Are Not Prevented by Other Security Measures .2 2.2.3. Detecting the Preambles to Attacks (Often Experienced as Network Probes and Other Tests for Existing Vulnerabilities) 3 2.2.4. Documenting the Existing Threat 3 2.2.5. Quality Control for Security Design and Administration 3 2.2.6. Providing Useful Information about Actual Intrusions 4 2.3. Major Types of IDSs 4 2.3.1. Process Model for Intrusion Detection 4 2.3.2. How Do I Distinguish Between Different Intrusion Detection Approaches? 4 2.3.3. Architecture 4 2.3.4. Goals 5 2.3.5. Control Strategy 5 2.3.6. Timing 8 2.3.7. Information Sources 9 2.3.8. IDS Analysis 12 2.3.9. Response Options for IDSs 14 2.4. Tools that Complement IDSs 17 2.4.1. Vulnerability Analysis or Assessment Systems 17 2.4.2. File Integrity Checkers 20 2.4.3. Honey Pot and Padded Cell Systems 21 3. Advice on Selecting IDS Products 22 3.1. Technical and Policy Considerations 22 3.1.1. What Is Your System Environment? 22 3.1.2. What Are Your Security Goals and Objectives? 23 3.1.3. What Is Your Existing Security Policy? 24 3.2. Organizational Requirements and Constraints 24 3.2.1. What Are Requirements that are Levied from Outside the Organization?25 3.2.2. What Are Your Organization's Resource Constraints? 25 iii NIST Special Publication 800-31, Intrusion Detection Systems 3.3. IDS Product Features and Quality 26 3.3.1. Is the Product Sufficiently Scalable for Your Environment? 26 3.3.2. How Has the Product Been Tested? 26 3.3.3. What Is the User Level ofExpertise Targeted by the Product? 26 3.3.4. Is the Product Designed to Evolve as the Organization Grows? 26 3.3.5. What Are the Support Provisions for the Product? 27 4, Deploying IDSs 28 4.1. Deployment Strategy for IDSs 28 4.2. Deploying Network-Based IDSs 29 DMZ 4.2.1. Location: Behind Each External Firewall, in the Network 29 4.2.2. Location: Outside an External Firewall 30 4.2.3. Location: On Major Network Backbones 30 4.2.4. Location: On Critical Subnets 30 4.3. Deploying Host-Based IDSs 30 4.4. Alarm Strategies 31 5, Strengths and Limitations of IDSs 31 5.1. Strengths of Intrusion Detection Systems 31 5.2. Limitations of Intrusion Detection Systems 32 6, Advice on Dealing with IDS Output 32 6.1. Typical IDS Output 32 6.2. Handling Attacks 33 7, Computer Attacks and Vulnerabilities 33 7.1. Attack Types 33 7.2. Types of Computer Attacks Commonly Detected by IDSs 34 7.2.1. Scanning Attacks 34 7.2.2. Denial of Service Attacks 35 7.2.3. Penetration Attacks 36 7.2.4. Remote vs. Local Attacks 36 7.2.5. Determining Attacker Location from IDS Output 37 7.2.6. IDSs and Excessive Attack Reporting 37 7.3. Types of Computer Vulnerabilities 38 7.3.1. Input Validation Error: 38 7.3.2. Access Validation Error: 39 7.3.3. Exceptional Condition Handling Error: 39 7.3.4. Environmental Error: 39 7.3.5. Configuration Error: 39 7.3.6. Race Condition: 39 8, The Future of IDSs 40 iv NIST Special Publication 800-31, Intrusion Detection Systems 9. Conclusion 40 Appendix A - Frequently Asked Questions about IDSs 41 Appendix B - IDS Resources 43 V NIST Special Publication 800-31, Intrusion Detection Systems Intrusion Detection Systems Rebecca Bace\ Peter Mell'' Introduction 1. Intrusion detection systems (IDSs) are software or hardware systems that automate the process ofmonitoring the events occurring in a computer system or network, analyzing them for signs ofsecurity problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure ofmost organizations. This guidance document is intended as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, how to manage the output ofintrusion detection systems, and how to integrate intrusion detection functions with the rest ofthe organizational security infrastructure. References to other information sources are also provided for the reader who requires specialized or more detailed advice on specific intrusion detection issues. 2. Overview of Intrusion Detection Systems What 2.1. Is Intrusion Detection? Intrusion detection is the process ofmonitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network. Intrusions are caused by attackers accessing the systems from the Internet, authorized users ofthe systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given them. Intrusion Detection Systems (IDSs) are software or hardware products that automate this monitoring and analysis process. Why 2.2. Should I Use Intrusion Detection Systems? Intrusion detection allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems. Given the level and nature ofmodem network security threats, the question for security professionals should not be whether to use intrusion detection, but which intrusion detection features and capabilities to use. IDSs have gained acceptance as a necessary addition to every organization's security infrastructure. Despite the documented contributions intrusion detection technologies make to system security, in many organizations one must stilljustify the acquisition ofIDSs. There are several compelling reasons to acquire and use IDSs: 1. To prevent problem behaviors by increasing the perceived risk ofdiscovery and punishment for those who would attack or otherwise abuse the system, 2. To detect attacks and other security violations that are not prevented by other security measures. CA ^ Infidel, Inc., Scotts Valley, National Institute ofStandards and Technology I NIST Special Publication 800-31, Intrusion Detection Systems 3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other "doorknob rattling" activities), 4. To document the existing threat to an organization 5. To act as quality control for security design and administration, especially of large and complex enterprises 6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction ofcausative factors. 2.2.1. Preventing Problems by Increasing the Perceived Risk of Discovery and Punishment ofAttackers A fundamental goal ofcomputer security management is to affect the behavior ofindividual users in a way that protects information systems from security problems. Intrusion detection systems help organizations accomplish this goal by increasing the perceived risk ofdiscovery and punishment of attackers. This serves as a significant deterrent to those who would violate security policy. 2.2.2. Detecting Problems that Are Not Prevented by Other Security Measures Attackers, using widely publicized techniques, can gain unauthorized access to many, ifnot most systems, especially those connected to public networks. This often happens when known vulnerabilities in the systems are not corrected. Although vendors and administrators are encouraged to address vulnerabilities (e.g. through public services such as ICAT, http://icat.nist.gov) lest they enable attacks, there are many situations in which this is not possible: • Li many legacy systems, the operating systems cannot be patched or updated. • Even in systems in which patches can be applied, administrators sometimes have neither sufficient time nor resource to track and install all the necessary patches. This is a common problem, especially in environments that include a large number ofhosts or a wide range ofdifferent hardware or software environments. • Users can have compelling operational requirements for network services and protocols that are known to be vulnerable to attack. • Both users and administrators make errors in configuring and using systems. • In configuring system access control mechanisms to reflect an organization's procedural computer use policy, discrepancies almost always occur. These disparities allow legitimate users to perform actions that are ill advised or that overstep their authorization. In an ideal world, commercial software vendors would minimize vulnerabilities in their products, and user organizations would correct all reported vulnerabilities quickly and reliably. However, in the real world, this seldom happens thanks to our reliance on commercial software where new flaws and vulnerabilities are discovered on a daily basis. 2