IDS mailing list archives

Re: Low cost HID based IDS system


From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Fri, 16 May 2003 23:14:22 +0200

On Fri, 16 May 2003 15:17:24 +1000
"Zach Forsyth" <Zach.Forsyth () kiandra com> wrote:

> Hi,

Hello,

> I just wanted to ask if anyone out there had some ideas in regards to
> deploying a low cost HID based IDS system.
> The problem I have is that a few of our clients are quite small and
> whilst I would love to deploy a NID out to all of them they just can't
> justify that sort of cost.
> I need to set up a managed type of IDS service that is centrally
> controlled by us and has a low cost per month to all of our clients.
>
> My plan would be to use HID type server sensors where needed and have
> them all feeding information back to a console that is centrally
> managed.

<Disclaimer: I am a Prelude developer>

I have absolutely no idea if it would suit your needs, but you could consider
using Prelude (http://www.prelude-ids.org/) in the following setup:

- At a central site, you deploy Prelude Manager + database + frontend

- At each client site, you deploy:

  + Prelude Manager configured to relay alerts to Manager on central site

  + Sensors configured to send alerts to site's Prelude Manager

This way alerts are transmitted sensor -> site manager -> central manager,
where you can process them any way you want. Connections are SSL'd and
authenticated, so the alert transmission over the Internet should be
relatively secure ;). The alert transmission system is also designed to avoid
losing alerts in case of failure
(http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img27.html).

The system would be similar to this one:

http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img21.html

(your site being Tier-1, clients being Tier-2 and possibly without
databases)

Another graphic presentation you could find useful:

http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img19.html

(client's network at the bottom-right of the image). 

Concerning the HIDS sensor(s): you may of course want to use something
that does not have a possibility of direct logging to Prelude. However, if
the HIDS product in question is capable of logging to a text file or to
syslog, you can simply use Prelude LML to parse these logs and send to
Prelude Manager in the format Prelude uses. If you were logging via
syslog, you could do with one LML daemon per network (LML has its own
syslog server). So the data flow would be: sensor -> Prelude LML (local)
-> Prelude Manager (local) -> Prelude Manager (central). 

It may be a problem that Prelude does not run on Win32, but the system can
still be deployed if the client can have one Linux/*BSD box on site to
run Prelude Manager + Prelude LML on it.

And, BTW, you could deploy Prelude NIDS sensors at clients' sites as
well... 

> The per server cost is then low enough to keep clients interested and
> the centralized console cost is split over multiple clients on a monthly
> basis.
> I can see that they would all be happy paying those sorts of costs.
>
> Although, I don't want to deploy this if it is not likely to work in a full
> production environment, and provide accurate timely results to the
> central console.

Hm, Prelude is used in production environments (at least from what we are
told ;)). And we aren't aware of any large delays being introduced by the
alert relaying system...

Just my PLN 0.02 ;)

Krzysztof

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//              -- Stanislaw Lem
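The data flow proposed in the reply above (HIDS log -> LML-style log parser -> site manager -> central manager, with alerts held rather than dropped while the upstream link is down) can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not Prelude code and not Krzysztof's: the syslog lines, host names, addresses, the two-entry ruleset, the alert field names and the `SiteManager`/`CentralManager` classes are all constructed for the example, and the spool-then-flush behaviour is a simplified stand-in for whatever the real relaying system does.

```python
"""Constructed model of a three-hop IDS alert path:
syslog text -> log-monitor pass (LML-like) -> site manager -> central manager.
Everything here is an assumption for illustration, not Prelude's own code or format."""
import re
from collections import deque

# Constructed syslog lines from a hypothetical client site (hosts/IPs are placeholders).
SAMPLE_SYSLOG = [
    "May 16 23:01:02 client-web1 sshd[4711]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "May 16 23:01:05 client-web1 sshd[4711]: Failed password for admin from 192.0.2.10 port 40002 ssh2",
    "May 16 23:02:00 client-web1 cron[512]: (root) CMD (run-parts /etc/cron.hourly)",
    "May 16 23:03:10 client-db1 sshd[9001]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2",
]

# Classic BSD syslog layout: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# A tiny stand-in for a log-monitor ruleset: (pattern on the message part, classification).
RULES = [
    (re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)"), "SSH authentication failure"),
    (re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+)"), "SSH login"),
]


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(record):
    """Return an alert dict for the first rule that matches the message, else None."""
    for rx, classification in RULES:
        m = rx.search(record["msg"])
        if m:
            return {
                "classification": classification,
                "analyzer_host": record["host"],
                "time": record["ts"],
                "source": m.group("src"),
                "target_user": m.group("user"),
            }
    return None


def lml_process(lines):
    """Log-monitor pass: parse every line, emit an alert only where a rule hits."""
    alerts = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        alert = match_rules(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


class CentralManager:
    """Upstream collector; `reachable` simulates the WAN link being up or down."""
    def __init__(self):
        self.received = []
        self.reachable = True

    def deliver(self, alert):
        if not self.reachable:
            raise ConnectionError("central manager unreachable")
        self.received.append(alert)


class SiteManager:
    """Relays alerts upstream and spools them locally, in order, while upstream is down."""
    def __init__(self, site, upstream):
        self.site = site
        self.upstream = upstream
        self.spool = deque()

    def submit(self, alert):
        self.spool.append(dict(alert, relayed_by=self.site))
        self.flush()

    def flush(self):
        """Deliver spooled alerts oldest-first; stop at the first failure and keep the rest."""
        delivered = 0
        while self.spool:
            try:
                self.upstream.deliver(self.spool[0])
            except ConnectionError:
                break
            self.spool.popleft()
            delivered += 1
        return delivered


def run_scenario():
    """Link to the central site drops mid-stream; returns (spooled while down, classifications received)."""
    central = CentralManager()
    site = SiteManager("client-A", central)
    alerts = lml_process(SAMPLE_SYSLOG)
    site.submit(alerts[0])          # link up: delivered straight away
    central.reachable = False       # simulated outage of the Internet link
    for a in alerts[1:]:
        site.submit(a)              # spooled locally, not lost
    spooled = len(site.spool)
    central.reachable = True
    site.flush()                    # backlog drains in original order
    return spooled, [a["classification"] for a in central.received]


if __name__ == "__main__":
    print(run_scenario())
```

The cron line produces no alert, which is the point of putting a ruleset between raw syslog and the managers: only rule hits cross the WAN. The spool is the property the reply calls out (no alerts lost on failure); in a real deployment it would be persisted to disk so that a site-manager restart does not empty it either.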

