Cover V06, I12
A Comparison of Firewalls and Intrusion Detection Systems

Mario A. Ibanez

The concern of network services disruption (denial of service), information theft, and information sabotage caused by computer network attacks is becoming increasingly apparent as the information era evolves. As Intrusion Detection System (IDS) technology steadily grows and improves, IDSs are becoming more sophisticated and gaining more visibility and attention within the information warfare arena. Although firewalls have been the standard solution to protect organizational networks from the Internet, system administrators and information security managers now face the dilemma of implementing an IDS to supplement or substitute a firewall. This article offers a practical comparison of both systems. The comparison between their capabilities and limitations includes protection, detection, response, audit, design considerations, and security policy implementation. It also includes the different types of IDSs and firewalls being used. The article will conclude with practical recommendations and future trends on IDS and firewalls.

IDSs have been in development for the past several years, and have been rapidly improving. An IDS attempts to identify intrusions, defined as unauthorized uses, misuses, or abuses of computer systems by either authorized or unauthorized users. Some IDSs monitor a single computer, while others monitor a particular network or many networks that form a Wide Area Network. IDSs detect intrusions by analyzing information about processes running in the computer as well as network traffic going in and out of the protected network. This type of information resides in audit trails, system tables, and network traffic summary logs. There are many systems that have been developed in the past decade and are steadily improving. Some examples are Network Security Monitor (NSM), NetRanger Network Security Management System, Distributed Intrusion Detection System (DIDS), Stalker, Graph-Based Intrusion Detection System (GrIDS), Haystack, Intrusion Detection Expert System (IDES), and Stake Out Network Surveillance.

Firewalls are systems that enforce an access control policy on a protected network. A firewall uses two principal mechanisms: one that blocks traffic and another that permits traffic, according to organizational policy (your organization does have a policy, right?). The difference between various firewalls is the granularity of traffic control and event logging. Each firewall has a rule set, commonly known as the Access Control List (ACL), that allows the administrator to decide which traffic will be allowed or denied.

Conceptually, there are two types of firewalls: network-level and application-level. Network firewalls generally make their decisions based on the source and destination addresses and ports in IP packets. A router with the ability to build ACLs is often considered a network-level firewall. ACLs use the two principal firewall mechanisms previously mentioned, denying and allowing traffic. Application-level firewalls generally are hosts running proxy servers. Traffic in and out of the protected network must pass through the proxy server, which also logs and audits the traffic passing through it. Since the proxy applications are software components running on the firewall, this is a good place to do lots of logging and access control. An application-level firewall in some cases may impact performance and thus make the firewall less transparent. Application-level firewalls also tend to provide more detailed audit reports and tend to enforce more conservative security models than do network-level firewalls.

Types of Attacks and Intrusions

There are three types of harmful activities that firewalls and an IDS can guard against: information-gathering attacks, intrusive attacks, and denial-of-service attacks. The following is a brief explanation of each.

Information-gathering attacks map out the customer's network and provide the perpetrator with information such as versions and types of systems (e.g., SunOS 4.x, SunOS 5.x, HP/UX, NT 3.51, etc.), utilities (e.g., sendmail version 4.1), and available network services (e.g., rlogin, NIS, NFS, etc.). These types of attacks also exploit vulnerable systems and collect important systems files such as password files, remote access files, and network services files.

Intrusive attacks will attempt to give the perpetrator interactive user and/or administrator access to the target machine. Generally, the results from the information gathering attacks are used to launch the intrusive attacks.

Denial-of-service attacks attempt to deny service in a variety of ways. The perpetrator may launch so-called data bombs in an attempt to bring down a computer, which could be a workstation, router, firewall, or even an IDS. Also, service can be denied by modifying or deleting router tables, crucial system files, and even complete systems.

Comparisons

Protection

Firewalls and IDSs will both protect a network according to configuration. The configuration of the system should be (and in most cases is) done by its future administrator, with the aid of a network security professional, often provided by the vendor.

Firewalls can be configured to permit or deny traffic according to source and/or destination of host address (full IP address), network address (network portion of IP address), and port. Of course, this implies full control - incoming and outgoing - of network services such as mail, Web browsing, ftp, telnet, etc.

Although some IDSs permit or deny traffic much like firewalls, most IDSs are passive devices that merely monitor the network, detect, and alarm on security violations.

Detection

While firewalls' detection capabilities are standard among the most popular firewall systems, the detection capabilities of IDSs vary considerably. Some IDSs, whether monitoring a single computer or a network, do only string-matching (also known as atomic or attack-signature) detection, while others detect both atomic (attack-signature) and composite (port-sweep) attacks.

Firewalls will detect incoming and outgoing connection requests based on host address, network address, and port. If traffic attempts to go through a denied port, a firewall will detect and block the connection request. Also, if a connection is requested from an allowed host or network, a firewall will detect and allow the connection to go through. Firewalls will not detect activity after a connection (legitimate or not) is made.
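The network-level decision described above (first matching ACL entry wins, unmatched requests fall through to an implicit deny), as an added example that is not part of the article; the rule set, addresses and connection requests are all constructed for illustration:

```python
from ipaddress import ip_address, ip_network

# Constructed rule set for a network-level firewall protecting 192.0.2.0/24 (example
# only). Rules are checked top to bottom; the first match decides, and anything
# unmatched falls through to the implicit deny at the end.
# Each rule: (action, direction, source network, destination network, destination port or None)
ACL = [
    ("deny",  "in",  "0.0.0.0/0",       "192.0.2.0/24",  23),    # no telnet to any inside host
    ("allow", "in",  "0.0.0.0/0",       "192.0.2.25/32", 25),    # mail only to the mail host
    ("allow", "in",  "0.0.0.0/0",       "192.0.2.80/32", 80),    # web only to the web server
    ("allow", "in",  "198.51.100.0/24", "192.0.2.0/24",  None),  # partner network: any port
    ("allow", "out", "192.0.2.0/24",    "0.0.0.0/0",     None),  # inside hosts may go anywhere
]

def decide(acl, direction, src, dst, dport):
    """Return the first matching rule's action for a connection request, else 'deny'."""
    s, d = ip_address(src), ip_address(dst)
    for action, rule_dir, src_net, dst_net, rule_port in acl:
        if rule_dir != direction:
            continue
        if s not in ip_network(src_net) or d not in ip_network(dst_net):
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"  # implicit deny: the request goes to the bit bucket

def filter_requests(acl, requests):
    """Decide each (direction, src, dst, dport) request; return (decision, log line) pairs."""
    results = []
    for direction, src, dst, dport in requests:
        action = decide(acl, direction, src, dst, dport)
        # A network-level firewall logs only what it saw: addresses, port and decision.
        results.append((action, f"{direction} {src} -> {dst}:{dport} {action}"))
    return results

# Constructed connection requests (example traffic, not from any real network).
REQUESTS = [
    ("in",  "203.0.113.7",  "192.0.2.25",  25),   # mail from the Internet: allowed
    ("in",  "203.0.113.7",  "192.0.2.25",  23),   # telnet to the mail host: denied by rule 1
    ("in",  "203.0.113.7",  "192.0.2.25",  110),  # POP to the mail host: no rule, implicit deny
    ("in",  "198.51.100.9", "192.0.2.50",  110),  # partner network to an inside host: allowed
    ("in",  "198.51.100.9", "192.0.2.50",  23),   # partner telnet: the earlier deny rule wins
    ("out", "192.0.2.10",   "203.0.113.7", 443),  # inside host browsing out: allowed
]

if __name__ == "__main__":
    for _, line in filter_requests(ACL, REQUESTS):
        print(line)
```

Note that nothing in the log says what happened on the allowed connections afterwards; that is exactly the gap the IDS sections below describe.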

IDSs normally exceed firewalls' detection capability; at a minimum they detect intrusion signatures. Intrusion signatures are encapsulations of the identifying characteristics of specific intrusion techniques. A less elegant but widely used description of intrusion signature detection is string matching. A more sophisticated system will also detect composite intrusive events such as port scans, ping sweeps, and "doorknob" attacks (multiple login attempts), which may indicate an unauthorized entry attempt via password guessing or a form of information-gathering attack.

Response

Firewalls cannot respond to malicious activity; they see only host addresses, network addresses, and ports, then either allow or deny connections. IDSs do respond to malicious activity, but I haven't seen an IDS that deals with network traffic control better than a firewall does.

Firewalls will respond to undesired incoming and outgoing connection requests based on host addresses, network addresses, and ports. If traffic attempts to go through a denied port, or if it is coming from a bad IP address, a firewall will respond by sending the connection request to the bit bucket.

Some IDSs will respond by creating efficient, pertinent, and accurate security-event reports that commonly include different warning levels. In addition to security-event reports, some IDSs can also kill the connection, log the session, raise visual alarms, and send remote notification via email or beeper message.

Audit Capabilities

Firewalls provide rudimentary audit logs, similar to other machines that support auditing (i.e., those running UNIX or NT). Although firewall audit logs are becoming better, the unattractive (and often undone) job of reviewing audit logs still has to be performed by the system administrator.

Audit records are the main source of information for IDSs. IDSs have a significant advantage over firewalls in auditing capability: their audit logs are of higher quality, more detailed, and human-readable. IDSs capture just about all network traffic and perform scrutinizing analyses in an attempt to detect and inform the system administrator of anomalies, misuse, or any type of intrusion as defined within the IDS.

Design

As the name implies, firewalls are designed to block or allow traffic. Firewall technology continues to improve, providing more flexible configuration schemes for setting up which services will be allowed or denied as well as who is privileged all of the time, some of the time, or none of the time. Nevertheless, a firewall is like a gate guard; once it accomplishes identification and authentication, it has nothing to do with the activity performed thereafter.

As the name implies, Intrusion Detection Systems are designed to detect intrusions. Advanced IDSs are designed to respond after detection, while more common IDSs may only detect and notify. Notification may or may not be automatic or in real time; that is, an analyst may have to check the logs produced by the IDS minutes or even hours after an intrusion has been identified.

Security Policy Implementation

The key to the effectiveness of a firewall or an IDS lies in the system's ability to implement a flexible and detailed security policy. Extensive understanding of the characteristics of the protected network's traffic and user activity should be in place before a decision is made on a system's security policy. It should be noted that this knowledge will almost always lie with the administrators and users of the network. Also, an understanding of computer security will inevitably be needed to build an appropriate security policy. In some cases, the vendor will provide the computer security expertise needed; if this is not the case, the organization deploying the system has no choice but to contract the task to network security professionals.

A firewall security policy should address and control network traffic to include source and destination ports and addresses, and specifications for protocols, services, and direction (inbound and outbound).

An IDS security policy should complement that of the firewall. It should detect and respond to inbound or outbound atomic attacks (e.g., intrusion signatures or dirty strings) and composite attacks (e.g., port sweeps and doorknob attacks).

Conclusion

The information industry is becoming increasingly aware of computer security threats and their implications. Corporations are demanding products that will protect their valuable information against any potential attack. The designs of firewalls and IDSs seem to be taking similar paths. With firewalls attempting to sound the alarm with security-event logs, and IDSs resetting or blocking unwanted traffic, great design and quality improvements on both systems can be expected in the near future. A network is best protected with the correct implementation of both a firewall and an IDS. If a corporation cannot afford the cost involved in acquiring both systems, it should look for a system that offers - at a minimum - detailed, efficient, human-readable audit logs. Easily read logs are extremely important: audit logs go unread 90 percent of the time because they are cluttered and contain superfluous data.

Table 1 summarizes the baseline characteristics that an IDS and a firewall system typically support.

The most important issue to consider when implementing a firewall or an IDS is the construction of its security policy and its periodic review. Also, training the system administrator is crucial; the consequences of inadequate training are often an unfortunate security incident.

About the Author

Mario Ibanez specializes in computer network security and communications. He has a BS in Electronic Engineering from the University of Central Florida and an MS in Computer Information Systems from St. Mary's University in San Antonio, TX. You can contact Mario at ibanezm@stic.net.