V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, In the ACM Workshop on Hot Topics in Networks (HotNets), Dec 1999/Nov 2005
Summary of Paper
Bro, a standalone system for network intrusion detection, is described. Bro passively monitors a network link and is characterized by high-speed monitoring, real-time notification, a clear separation between mechanism and policy, and extensibility. It is divided into an “event engine”, which converts network traffic into events, and a “policy script interpreter”, which runs event handlers on those events.
A number of attacks are discussed, as well as the use of Bro for six common protocols: Finger, FTP, Portmapper, Ident, Telnet, and Rlogin.
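The mechanism/policy split described above, as an added example for these notes (not Bro's own code): an event engine that only knows how to turn packets into protocol events, and a separately installed policy layer that decides which events deserve a notice. The Packet record, the event names, the Finger decoding and the policy values (the sensitive-user set and the length threshold) are all constructed here.

```python
"""Mechanism/policy split in the style of Bro: an event engine that turns
packets into protocol events, and a policy layer that decides what is
worth a notice. Added example for these notes, not Bro's code; the Packet
record, event names and the policy values are constructed here."""
from dataclasses import dataclass
from typing import Callable

FINGER_PORT = 79


@dataclass
class Packet:
    """Constructed stand-in for a captured TCP segment (one per 'connection')."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Event:
    name: str
    args: dict


Handler = Callable[[Event, list], None]


class EventEngine:
    """Mechanism layer: understands protocols, knows nothing about what is bad."""

    def __init__(self) -> None:
        self.handlers: dict[str, list[Handler]] = {}
        self.notices: list[str] = []

    def on(self, name: str):
        """Decorator used by the policy layer to attach a handler to an event."""
        def register(fn: Handler) -> Handler:
            self.handlers.setdefault(name, []).append(fn)
            return fn
        return register

    def process(self, pkt: Packet) -> None:
        # Every packet yields a generic connection event.
        events = [Event("new_connection",
                        {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})]
        # Protocol-specific decoding produces richer events; only Finger here.
        if pkt.dport == FINGER_PORT and pkt.payload:
            line = pkt.payload.split(b"\r\n", 1)[0]
            events.append(Event("finger_request", {
                "src": pkt.src,
                "user": line.decode("ascii", "replace"),
                "verbose": line.startswith(b"/W"),
            }))
        for ev in events:
            for handler in self.handlers.get(ev.name, []):
                handler(ev, self.notices)


def install_policy(engine: EventEngine) -> None:
    """Policy layer: site-specific rules, written against events only."""
    sensitive = {"root"}            # constructed policy value
    max_request_len = 80            # constructed threshold

    @engine.on("finger_request")
    def finger_policy(ev: Event, notices: list) -> None:
        user = ev.args["user"]
        if user in sensitive:
            notices.append(f"finger of sensitive user {user!r} from {ev.args['src']}")
        if len(user) > max_request_len:
            notices.append(f"oversized finger request ({len(user)} bytes) from {ev.args['src']}")


def analyze(packets: list[Packet]) -> list[str]:
    """Run constructed traffic through engine + policy and return the notices."""
    engine = EventEngine()
    install_policy(engine)
    for pkt in packets:
        engine.process(pkt)
    return engine.notices


SAMPLE_TRAFFIC = [  # constructed packets
    Packet("10.0.0.5", "10.0.0.1", 79, b"alice\r\n"),
    Packet("10.0.0.9", "10.0.0.1", 79, b"root\r\n"),
    Packet("10.0.0.7", "10.0.0.1", 80, b"GET / HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.1", 79, b"A" * 200 + b"\r\n"),
]

if __name__ == "__main__":
    for notice in analyze(SAMPLE_TRAFFIC):
        print(notice)
```

The point of the split is visible in `install_policy`: it never touches bytes or ports, only event arguments, so a site can change what counts as suspicious without touching the protocol decoding in `EventEngine.process`.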
M. Handley and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, USENIX 2001
Summary of Paper
The authors propose a new network element they call a “traffic normalizer”, which would filter traffic and resolve all protocol ambiguities to improve a NIDS monitor's chances of detecting an attack. End-to-end semantics in the presence of a normalizer are discussed, as well as possible attacks on the normalizer itself and the problem of “cold start”, where the current state of existing connections is not known. A full table of normalizations is supplied, and a software implementation called “norm” is mentioned as a proof of concept justifying the need for a hardware implementation. Stealth port scanning is described, and the normalizer is suggested as a possible defense.
Summary of Class Discussion
- The Internet was not designed for security but to facilitate cooperation
- Performance gains can be achieved by non-cooperation
- DNS is not secure and can be attacked in various ways
- BGP is not secure and can be attacked by guessing TCP sequence number
- ARP is not secure but can be secured by using static tables
- The balance between security and ease of management was shifted towards flexibility in TCP/IP networks
- Packet filters are a standard defense mechanism, inspecting packet headers for suspicious contents
- Stateless filters are not sufficient
- NIDSs are generally not aware of the situation at end hosts, so some attacks may still make it through (e.g. application-level attacks)
- Bro is a nicely organized study of network vulnerabilities
- A network normalizer is a better idea than a MITM-type setup, since the latter is a single point of failure and has to keep connection state
- “To erode but not brutally violate” end-to-end semantics is no big deal
- The normalizer looks through all the headers and uses predefined rules (a “systematic approach”) to find and fix vulnerabilities
- Stealth port scan made it into the paper because it was cool at the time
- Normalizers are not an all-encompassing solution, e.g. the urgent pointer problem is not solved
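The ambiguity-resolving idea from the normalizer paper and the “systematic approach” bullet above, as an added example for these notes (not the paper's “norm” implementation): TCP segments whose sequence ranges overlap but carry different bytes. A receiver may keep the old copy or the new copy, so a passive monitor cannot know which byte stream the host actually acts on. The normalization rule used here (remember the first byte seen at each sequence number, rewrite later contradictions to match it, and log them) and the byte-keyed state table are assumptions for illustration.

```python
"""Normalizing one TCP ambiguity: overlapping segments that carry
different bytes for the same sequence numbers (inconsistent
retransmissions). Added example for these notes, not the paper's 'norm'
implementation; the rule used here (keep the first-seen byte per sequence
number, rewrite later contradictions to match, and log them) is an
assumption, as is the byte-keyed state table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of data[0]
    data: bytes


def reassemble(segments: list[Segment], favor_new: bool) -> bytes:
    """Model of a receiver's reassembly policy for overlapping data.
    favor_new=False keeps the first copy of a byte; favor_new=True lets a
    later segment overwrite it. End-host stacks differ in exactly this way,
    which is the ambiguity a normalizer removes."""
    stream: dict[int, int] = {}
    for seg in segments:
        for off, b in enumerate(seg.data):
            s = seg.seq + off
            if favor_new or s not in stream:
                stream[s] = b
    return bytes(stream[s] for s in sorted(stream))


class TcpNormalizer:
    """Per-connection normalizer state: the byte first seen at each seq."""

    def __init__(self) -> None:
        self.seen: dict[int, int] = {}
        self.inconsistent: list[str] = []   # log for the NIDS / operator

    def normalize(self, seg: Segment) -> Segment:
        out = bytearray()
        for off, b in enumerate(seg.data):
            s = seg.seq + off
            if s in self.seen:
                if self.seen[s] != b:
                    self.inconsistent.append(
                        f"seq {s}: retransmitted {b:#04x} contradicts {self.seen[s]:#04x}")
                out.append(self.seen[s])    # force consistency with the first copy
            else:
                self.seen[s] = b
                out.append(b)
        return Segment(seg.seq, bytes(out))


def normalize_stream(segments: list[Segment]) -> tuple[list[Segment], list[str]]:
    """Pass every segment of one connection through a fresh normalizer."""
    norm = TcpNormalizer()
    fixed = [norm.normalize(seg) for seg in segments]
    return fixed, norm.inconsistent


# Constructed traffic: a retransmission of seq 6 with different contents.
AMBIGUOUS = [
    Segment(0, b"HELLO "),
    Segment(6, b"WORLD"),
    Segment(6, b"THERE"),
]

if __name__ == "__main__":
    print("favor old :", reassemble(AMBIGUOUS, favor_new=False))
    print("favor new :", reassemble(AMBIGUOUS, favor_new=True))
    fixed, log = normalize_stream(AMBIGUOUS)
    print("normalized:", reassemble(fixed, False), reassemble(fixed, True))
    for line in log:
        print("  ", line)
```

Before normalization the two receiver models disagree on the stream; after it, both policies yield the same bytes, and the contradicting retransmission is recorded rather than silently passed on. The cold-start limitation from the paper is visible too: the normalizer can only judge bytes for which it has already seen a first copy.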
Opinion/Critique
These papers present an interesting attempt at staging a cleaning pipeline for network traffic: first fix up all known traffic ambiguities, then control the resulting fully unambiguous traffic flow with a set of rules. Along the way a nice formal rule language is introduced, and standard tools like libpcap and BPF are incorporated. Despite various shortcomings in the face of real-life network attacks, this system seems usable in day-to-day practice (and is indeed available for Linux as a package) and can serve as one of the elements in securing a network. Of course, continuous updates to the rules and cleanup logic would be required.