Run a Business Network on Linux: Intrusion Detection
If you haven't read part 1 one of this new series you might find it has some helpful goodies. Today we're going to review the important fundamentals of network intrusion detection using Snort, then in our next segment we'll fire up Ubuntu Server Edition and make it go. I know, I said we'd use Voyage Linux, but I changed my mind.
Don't put Snort on some antique weak PC, except for very small networks, because it needs a fair bit of horsepower and lots of disk space to do its job. This is one of those endlessly-debatable subjects, and you're welcome to join the fun on the Snort users' mailing list. To keep this howto manageable, I'm going to assume that your Snort box is going to sit behind your firewall, rather than directly exposed to the Internet. So a reasonable starting point for a smallish network of around 50 users is a 1.5 Ghz CPU, two gigabytes of RAM, a nice fast SATA II hard drive, and two Ethernet interfaces.
Security geeks can never collect enough data, so they recommend putting a Snort box on each side of your firewall. The one on the outside should generate megabytes more data than the one on the inside. This can be useful information- if you have the time and tools to study it. The definitive recommendation is in the Snort FAQ:
DRAGOS RUIU: ``Just pick a spot you're likely to look at the logs for. :-)''
Ubuntu Server Edition
Get the latest release, Ubuntu 8.04 LTS Server Edition. This has a considerable number of improvements and new features over the previous release, including Likewise-Open for easy Active Directory integration (hey, some folks need this, and we shouldn't hold it against them), network UPS (uninterruptible power supply), which allows several machines to share one or more UPS devices and performs graceful shutdowns during power failures, and easier network deployments of new systems. The base installation plus the OpenSSH server uses around 500 megabytes. You can see a list of installed packages with dpkg -l | less.
After installation you have a few important chores. The first one is to run aptitude update && aptitude upgrade to bring your system up-to-date. Then create a real root password, because just like the desktop edition, Ubuntu Server only creates a single all-powerful sudo user. You need "real" root for some commands, such as editing crontabs, and to perform rescues on Ext3 filesystems. Ext3 sets aside 5% of the filesystem exclusively for the root user, so when some process goes berserk and fills up your filesystem the root user has enough wiggle room to make repairs.
If you don't want to have a root password, then sudo su - gets you a real root prompt and environment. exit closes the root session.
Snort is not a file-integrity checker like Tripwire, but a packet sniffer and analyzer. With Tripwire (and similar applications) you start with a clean, new system that you are sure has not been compromised, and then monitor it for file changes. While this sounds like a good idea, in practice it's difficult to tune correctly so that you're not bombarded with false alarms, or missing real problems. It operates on a single host; you can't monitor a network with it. Snort is a lot easier, and is both free software and free of cost. There are many commercial IDS implementations based on Snort. These come with pretty graphs and fat license fees and restrictions. You can have pretty graphs with BASE (Basic Analysis and Security Engine), and other Snort add-ons without paying fat fees.
Another nice thing about Snort is smart people write the rulesets, so all you do is keep a current set downloaded. You need to go through them and disable the ones you don't need; otherwise performance will suffer and your logfiles will be discouragingly huge. You may write your own custom rules as well.
You can stick a Snort box pretty much anywhere you want. For example, you might want a dedicated Snort monitor in front of your DMZ so you can pay it special attention. You could put one at the gateway of every subnet, which is a good way to track down problem hosts. One advantage of having Snort behind a firewall is you'll see the real IP addresses of your LAN hosts, because you catch them before they get mangled by NAT. This is good for catching mischiefs coming from the inside.
Where Does Snort Go?
There are a number of different ways to plug a Snort sensor into your network. We're going to use the cheapskate ways. The problem with switched networks is it's more work to intercept all network traffic, because the whole point of switched networks is to send targeted packets that go directly to their destinations. Unlike the olden days of hubs and collision domains, which sprayed packets about indiscriminately, and network snooping was dead easy. So you can't just plug Snort into a switch port and have it do any good. Let's say your network looks like this:
--| LAN --|switch----router/---Internet --| firewall
If you have a switch with a mirrored or sniffer port, then plug Snort into it:
--| LAN --|switch----router/---Internet --| firewall Snort --| |---|
This shows that Snort has two network interfaces, and both are connected to the switch. The network monitoring interface plugs into the mirrored port, and the other interface is your management interface. This plugs in to any switch port just like any ordinary network client. These days even lower-end smart switches have mirrored ports, and even let you select which one to use. This is a good method, with one possible drawback- on a busy network the link could get saturated, so you could lose data.
Another way breathes new life into old hubs, and removes the load from your switch:
--| LAN --|switch----router/----hub---Internet --| firewall | Snort --| | |--------------------------|
Admins of high-speed networks should investigate using Ethernet taps. You can make your own or buy them ready-made. A tap is a passive device that needs no power and acts like a splitter. Commercial taps seem ridiculously overpriced, typically well over a hundred dollars, as they're just stock Ethernet wiring and connectors in a special wiring order. Taps fit into your network like this:
--| LAN --|switch---tap---router/---Internet --| | | firewall | | Snort
Stealth Mode and Invisible Wires
Snort runs nearly invisibly on the network in stealth mode. This means you put its monitoring interface into promiscuous mode, but don't give it an IP address. This won't protect it from evil ARP (address resolution protocol) geniuses, because ARP reads MAC addresses, so you can go a step further and make a special read-only network cable. See How do I setup a receive-only ethernet cable? to learn how.