Level: Introductory
Claude Bauer (claudebauer@claudebauer.com), Technology journalist, Freelance
01 Jan 2001

Programmers and software developers interested in security applications for component technology should keep tabs on work underway at SRI International (originally the Stanford Research Institute), a nonprofit research institute based in Menlo Park, California. The Defense Advanced Research Projects Agency (DARPA) has tasked SRI with developing ways to use component technology to distribute real-time security monitoring throughout enterprise networks.

According to Phillip Porras, program director of network security for SRI, the components emerging from the DARPA-funded project, aptly named Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD), can provide both anomaly detection and misuse detection for networks of all sizes. EMERALD's intrusion detection architecture is based on software components that address real-time detection, analysis, and response for a broad range of external and internal threats. What's more, EMERALD components were designed to be independent, dynamically deployable, easily configurable, reusable, and broadly interoperable, Porras said.

"We developed the methodology for EMERALD ourselves, as a way of decomposing the intrusion detection process," Porras noted. "There are really no products commercially available that use component-based design for this type of problem," he said. "Most vendors out there aren't taking this approach. They want you to buy a single product. DARPA has been leading the effort in this area."

As part of the effort, SRI is also building a component-based correlation engine that can sit anywhere in the network and subscribe to the alerts produced by the independent component-based sensors. "You can then build models for correlating that information, as well as look for relationships inside the alerts, and discover meta problems by analyzing the attributes inside the alert stream," he observed.

Where EMERALD shines
Whether the threat is information warfare on an international scale or simply script kiddies running canned attack scripts against corporate networks, programmers can deploy EMERALD components throughout a network to generate alarms, detect and respond to denial-of-service attacks and loss of availability, and analyze data collected from security violations and intrusion events. "For example, one can install our lightweight Host-IDS component on any number of Solaris machines. Each sensor operates as a local security daemon, protecting its host from internal misuse, while simultaneously allowing remote subscriber components to provide domain-layer analysis and response," Porras said.

Once in place, EMERALD components work independently with application logs and network services to monitor events at the operating system and network layers. "They can be placed strategically in your network, as opposed to sitting at the highest level of the network, where they would be swamped by all the central traffic coming in," Porras said. EMERALD security components can be embedded in applications that communicate with the outside world, enabling network administrators to draw on information from a large suite of small sensors deployed throughout the network.

EMERALD security components can also help users analyze communications traffic, collecting Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) and Web server data directly from the Transmission Control Protocol (TCP) traffic stream. "For Web traffic where we deal with Secure Sockets Layer (SSL) and cryptography, we've created an embedded component to decrypt Apache Web server traffic, and we're extending it over to Netscape's Web server," Porras said. An SSL-protected connection is opaque to a sensor that only taps the wire, so the sensor has to sit where the plaintext already exists; that is why this component is built as an extension inside the Web server process rather than as a passive network tap. EMERALD components are designed to run on UNIX-like operating systems, such as Solaris and Linux.
Why components
According to Porras, enterprise networks have traditionally relied on
a monolithic architecture for intrusion detection systems that focused on
centralized analysis of TCP packets or audit log trails. This approach
dominated until the 1990s because the intrusion detection community was
working primarily with mainframes. However, once distributed computing
environments emerged, problems with the monolithic approach began to
surface. "The monolithic approach doesn't scale very well for real-time
monitoring, because it implies that you have to somehow centrally locate
all of the data you need to run intrusion detection algorithms," Porras
said. "It's really difficult to keep up with real-time data, especially
when you're dealing with cryptography and switched networks," he said.

For Porras and his colleague Peter Neumann, EMERALD's component
approach offered the ideal alternative to the monolithic strategy because
it allows programmers to introduce lightweight, embeddable security
components into the network and collect data from a variety of sources.
Besides providing a more comprehensive approach to intrusion detection,
EMERALD components help ease the burden of upgrading and maintaining
network security features. "When new sensors come out, you can replace old
sensor [components] much more easily than replacing an entire system,"
Porras observed.
Thinking globally
While Porras and Neumann found that EMERALD's distributed component
approach excelled at monitoring local activity, they also realized that the
wealth of information generated could sometimes make it difficult to obtain
a global picture of network activity. This led them to devise a solution
where the security components work in conjunction with independent analysis
engines. "As the analysis engines produce intrusion reports and alarms,
the security components forward the reports and alarms to other components
for visualization, response, correlation, and data logging, which provides
a global picture of what's occurring throughout the network," Porras said.
"We've moved to kind of a 'subscription model' where you have 'subscribers'
[within the network] that want to hear about the alarms being generated,
and 'producers,' or sensor components, that generate the intrusion alarms,"
he said.

Porras believes the subscriber/producer paradigm may also hold promise
for other applications, such as network management and
performance/availability management. For example, companies acting as
managed service providers, or operating a remote MIS group, could gain
insight into activity that occurs at the local administrative domain level
by collecting data from distributed components. They would also be able to
view that activity across organizations and compare activity in one domain
with activity in another. This capability would help them isolate trends and common
problems. "This type of component-based design could benefit any
application where you want to distribute local sensors that collect
information and propagate it up, allowing you to gain a more global view of
what's happening layer to layer," he said.
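The producer/subscriber arrangement described in this section, and the correlation engine mentioned earlier that subscribes to sensor alerts and looks for "meta problems" in the alert stream, can be sketched in a few dozen lines. The following is an added example written for this page, not EMERALD code: the sensor names, the alert fields, the sweep rule and the sample alerts are all invented. It demonstrates the one thing a local sensor cannot see on its own, namely a single source that trips the same alert on several hosts within a time window, and shows that the same published alerts can feed an independent logging subscriber at the same time.

```python
"""Producer/subscriber alert correlation (added illustration, not SRI's code).

Sensors are producers: they publish Alert records onto a bus. Subscribers
(a log, a correlator) each receive every alert. The correlator derives a
"meta alert" that no single host sensor could raise: one source causing the
same kind of alert on several hosts inside a sliding time window.
All names, fields and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # producing component, e.g. "host-ids@web1" (assumed naming)
    host: str     # host the sensor protects
    src: str      # address the sensor attributed the event to
    kind: str     # sensor-local classification of the event
    ts: int       # event time in seconds (constructed sample values)


class AlertBus:
    """Producers publish; every subscriber callback receives every alert.
    A real deployment would put a network transport here; the pattern is
    the same."""

    def __init__(self):
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, alert):
        for callback in self._subscribers:
            callback(alert)


class AlertLog:
    """Trivial subscriber: keeps every alert for later forensics."""

    def __init__(self):
        self.records = []

    def __call__(self, alert):
        self.records.append(alert)


class SweepCorrelator:
    """Subscriber that looks across hosts: the same (source, alert kind)
    seen on at least `min_hosts` distinct hosts within `window_s` seconds
    is reported once as a sweep."""

    def __init__(self, window_s=300, min_hosts=3):
        self.window_s = window_s
        self.min_hosts = min_hosts
        self._recent = defaultdict(list)   # (src, kind) -> [(ts, host), ...]
        self._reported = set()
        self.meta_alerts = []

    def __call__(self, alert):
        key = (alert.src, alert.kind)
        # keep only entries still inside the window relative to this alert
        recent = [(t, h) for t, h in self._recent[key] if alert.ts - t <= self.window_s]
        recent.append((alert.ts, alert.host))
        self._recent[key] = recent
        hosts = sorted({h for _, h in recent})
        if len(hosts) >= self.min_hosts and key not in self._reported:
            self._reported.add(key)
            self.meta_alerts.append({
                "meta": "sweep",
                "src": alert.src,
                "kind": alert.kind,
                "hosts": tuple(hosts),
                "first_ts": min(t for t, _ in recent),
                "last_ts": alert.ts,
            })


# Constructed alert stream from three hypothetical host sensors.
SAMPLE_ALERTS = [
    Alert("host-ids@web1", "web1", "10.0.0.5", "port-probe", 1000),
    Alert("host-ids@web1", "web1", "10.0.0.9", "port-probe", 1005),
    Alert("host-ids@web2", "web2", "10.0.0.9", "port-probe", 1010),
    Alert("host-ids@web2", "web2", "10.0.0.5", "port-probe", 1030),
    Alert("host-ids@web1", "web1", "10.0.0.5", "login-failure", 1040),
    Alert("host-ids@db1",  "db1",  "10.0.0.5", "port-probe", 1055),  # third host: sweep
    Alert("host-ids@db1",  "db1",  "10.0.0.9", "port-probe", 2000),  # earlier hits expired
]


def correlate(alerts, window_s=300, min_hosts=3):
    """Wire producers to subscribers; return (meta alerts, alerts logged)."""
    bus = AlertBus()
    log = AlertLog()
    correlator = SweepCorrelator(window_s, min_hosts)
    bus.subscribe(log)
    bus.subscribe(correlator)
    for alert in alerts:
        bus.publish(alert)
    return correlator.meta_alerts, len(log.records)


if __name__ == "__main__":
    metas, logged = correlate(SAMPLE_ALERTS)
    print(f"{logged} alerts logged, {len(metas)} meta alert(s):")
    for m in metas:
        print(m)
```

Only 10.0.0.5 is reported: it hit three hosts within 55 seconds. 10.0.0.9 also reaches three hosts, but its first two alerts fall outside the 300-second window by the time the third arrives, so the correlator sees no sweep. Tuning that window and the host threshold is where a real correlator earns its keep; the sliding window also bounds memory per (source, kind) pair, which matters when the alert stream is large.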
What's available
SRI plans to gradually release selected EMERALD components to the public domain. One such component, eXpert-BSM, is currently available for download from SRI's Web site (see Resources). eXpert-BSM is a small, host-based sensor that acts as a security daemon and analyzes the audit trail produced by the Solaris Basic Security Module (BSM); it is "particularly good for detecting misuse on Solaris operating systems," Porras said. Since SRI is a nonprofit research institute, the components made available on its Web site are released without charge to the public domain. "If we don't make certain components available on the Internet, we will still make them available to [government organizations] and to the entire DoD research community," Porras remarked.

SRI is also contemplating the release of its eBayes-TCP component, which is based on a probabilistic reasoning engine that can be used to detect network phenomena that indicate failures or probes of a system. "It's good against stealth probes and unexpected or malicious [data] floods of the network," Porras said. The eBayes-TCP component can also detect losses of system services and the creation of new services and communications channels within a network. In addition, it acts as an availability monitor, detecting when systems come on line and go off line.

eXpert-Net is an EMERALD component SRI will release to academic institutions early next year. SRI will also make it available to "any government organization that wants to run it," Porras said. eXpert-Net is a signature-based component (it matches traffic against patterns of known attacks rather than modeling normal behavior) designed for intrusion detection on Hypertext Transfer Protocol (HTTP), FTP, SMTP, low-level TCP, User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic. "eXpert-Net is a small component that can be added to an FTP or Web server to generate alarms on just about any HTTP or FTP data," Porras said. eXpert-Net can also perform security monitoring on SSL-protected HTTP traffic. "This is a rather unique capability, and I'm not aware of anyone else doing it," Porras noted. "We've integrated extensions into a Web server and provided, with those extensions, the ability to pass their transactions on to an intrusion detection engine."
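The probabilistic reasoning behind eBayes-TCP is not described above in enough detail to reproduce, so the following is an added illustration of the general technique, not SRI's code: a naive Bayes classifier over per-source TCP session summaries that separates probes (many ports, mostly half-open connections, possibly slow) from floods (one port, very high connection rate) and ordinary traffic. The three hypotheses, the three discretized features and their thresholds, the prior, and the conditional probability tables are all assumed values chosen for the example; the session records are constructed. The point to take from it is the one Porras makes about stealth probes: a slow sweep has an unremarkable rate, but the combination of evidence still moves the posterior to "probe".

```python
"""Naive-Bayes probe/flood detection from TCP session summaries.

Added illustration of the probabilistic-reasoning idea behind eBayes-TCP;
it is not SRI's model. Hypotheses, features, thresholds, prior and
likelihood tables below are invented for the example.
"""
from math import prod

HYPOTHESES = ("normal", "probe", "flood")

# Prior belief about a random source before looking at its traffic (assumed).
PRIOR = {"normal": 0.97, "probe": 0.02, "flood": 0.01}

# P(feature == "high" | hypothesis); "low" is the complement. Assumed values.
LIKELIHOOD_HIGH = {
    "half_open": {"normal": 0.05, "probe": 0.80, "flood": 0.90},  # SYNs never completed
    "ports":     {"normal": 0.05, "probe": 0.90, "flood": 0.10},  # distinct destination ports
    "rate":      {"normal": 0.10, "probe": 0.30, "flood": 0.95},  # connections per second
}


def discretize(sessions):
    """Turn one source's session records into low/high evidence values.

    sessions: list of (dst_port, handshake_completed, timestamp_seconds).
    Thresholds are assumptions for the example."""
    total = len(sessions)
    half_open_frac = sum(1 for _, done, _ in sessions if not done) / total
    distinct_ports = len({port for port, _, _ in sessions})
    span = max(ts for _, _, ts in sessions) - min(ts for _, _, ts in sessions)
    rate = total / max(span, 1.0)          # avoid dividing by a zero-length span
    return {
        "half_open": "high" if half_open_frac >= 0.5 else "low",
        "ports": "high" if distinct_ports >= 8 else "low",
        "rate": "high" if rate >= 10.0 else "low",
    }


def posterior(features):
    """Bayes' rule with conditionally independent features (naive Bayes)."""
    scores = {}
    for h in HYPOTHESES:
        likelihoods = []
        for name, value in features.items():
            p_high = LIKELIHOOD_HIGH[name][h]
            likelihoods.append(p_high if value == "high" else 1.0 - p_high)
        scores[h] = PRIOR[h] * prod(likelihoods)
    total = sum(scores.values())
    return {h: s / total for h, s in scores.items()}


def classify(sessions, threshold=0.5):
    """Return (label, posterior); label is 'undecided' below the threshold."""
    post = posterior(discretize(sessions))
    best = max(post, key=post.get)
    return (best if post[best] >= threshold else "undecided"), post


# Constructed session records for three hypothetical sources.
PROBE_SESSIONS = [(port, False, 1000 + 10 * i)          # 12 ports, one SYN each,
                  for i, port in enumerate(range(21, 33))]   # spread over 110 s: slow sweep
FLOOD_SESSIONS = [(80, False, 2000 + 0.01 * i) for i in range(200)]   # 200 SYNs to :80 in 2 s
NORMAL_SESSIONS = [((80, 443)[i % 2], True, 3000 + 10 * i) for i in range(6)]  # completed, few ports


if __name__ == "__main__":
    for name, sessions in (("10.0.0.5", PROBE_SESSIONS),
                           ("10.0.0.7", FLOOD_SESSIONS),
                           ("10.0.0.8", NORMAL_SESSIONS)):
        label, post = classify(sessions)
        print(name, discretize(sessions), label,
              {h: round(p, 3) for h, p in post.items()})
```

The slow sweep (10.0.0.5) scores "rate = low", which on its own looks benign, yet the half-open and port-count evidence push the posterior for "probe" past 0.8. The flood source is classified with a lower margin (about 0.6), which is the kind of case where a real engine would keep accumulating evidence over further sessions rather than alarm immediately; the `threshold` argument is the knob for that trade-off.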
Porras predicts that in the years to come "you will see more activity
in the security space toward the componentization of monitoring and
security services, as well as toward the development of visualization
products for network security." As a security expert should, he also
cautions that in today's network environments "you're going to need
applications and operating systems that are capable of identifying when
someone is misusing them. That's what EMERALD is all about."
Resources
About the author

Claude J. Bauer is a freelance technology journalist located in Middletown, MD. His work appears in numerous technology-oriented publications and on a variety of Web sites. Contact him at claudebauer@claudebauer.com.