Network Anomaly Detection Takes a NAP

Monday, May 07, 2012

Marc Quibell


First, let me just say I was saddened today to hear the news that Goober (George Lindsey) died. And of all days, it happens to be on a Monday... meh.

I've been trying to read the blogs here on Infosec Island, and came across a few that talked about firewalls and AV and whether or not they are necessary anymore.

The only thing I can say is to go ahead and remove these if you think they are irrelevant, and then sit back and watch what happens.

I've also been thinking a lot about anomaly detection, or network anomaly detection systems (they insist on calling these ADS), IPS, and better ways of protecting web servers.

From what I can recall, ADS are still used for investigative purposes; a service that runs after the data has passed - taking correlated log data and running an analysis against historical data to see if anything abnormal happened. Well that's cool, except it already happened - the damage is already done in most cases.

A couple of years ago, I created an anomaly detection system for my company. All it did was watch users log in to the Terminal servers from all over the US and it reported anomalies from those logins; i.e., who logged in after midnight, from a different IP, or who logged in from another country.

Whenever someone logged in from another country, it would send me an email, because we didn't have people in any other country. It worked flawlessly, not a single false positive, and I got to see who logged in from a different country while they were on vacation! 

Long story short, I used the LADS (Login Anomaly Detection System) to help us mitigate against stolen login credentials. Again, another investigative tool, after-the-fact. But at least it helps prevent further damage. And I gained just a little more peace of mind.
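The three login checks described above (after midnight, from a different IP, from another country) can be sketched as follows. This is an added example, not the author's LADS code; the log format, the 00:00-05:00 window, the sample records and the pre-resolved country column are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

HOME_COUNTRY = "US"                     # assumption: all staff are in the US, as in the post
QUIET_HOURS = (time(0, 0), time(5, 0))  # assumption: "after midnight" means 00:00-05:00

# Constructed sample data: timestamp, user, source IP (documentation ranges), country
SAMPLE_LOG = """\
2012-05-01T08:58:10,alice,198.51.100.7,US
2012-05-01T09:03:44,bob,203.0.113.20,US
2012-05-02T09:01:02,alice,198.51.100.7,US
2012-05-03T00:47:31,bob,203.0.113.20,US
2012-05-04T09:12:00,alice,192.0.2.55,US
2012-05-05T14:30:09,bob,192.0.2.200,FR
"""

def detect(log_text, home_country=HOME_COUNTRY, quiet=QUIET_HOURS):
    """Return a list of (timestamp, user, [reasons]) for anomalous logins."""
    seen_ips = defaultdict(set)  # per-user baseline of source IPs seen so far
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the log
        ts, user, ip, country = row
        when = datetime.fromisoformat(ts)
        reasons = []
        if quiet[0] <= when.time() < quiet[1]:
            reasons.append("after-midnight")
        # A user's first login only seeds the baseline; it is not an anomaly.
        if seen_ips[user] and ip not in seen_ips[user]:
            reasons.append("new-ip")
        if country != home_country:
            reasons.append("foreign-country")
        seen_ips[user].add(ip)
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_LOG):
        # The post's system sent an email for foreign logins; this sketch prints.
        print(ts, user, ",".join(reasons))
```

The new-ip rule is the one most likely to be noisy where users connect from dynamic addresses, so it is better suited to a report than to an immediate alert.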

This brings me to the next level of Intrusion Protection - Network Anomaly Protection. How would a NAP appliance function, in your mind? My idea for NAP would be a proactive system that functions as an incoming web proxy while it watches traffic to your server farm (as opposed to any of your client web traffic).

As a NAP proxy server it will serve to intercept incoming web traffic to your servers and pass data only as long as it is deemed "normal". I realize this is a very simplified view and there are a lot of technical details left out, but think of this as a brainstorming session. I can also see this NAP functioning as a tool to use against SYN attacks.

We all know firewalls let web traffic through to your web servers, IDSs just watch the traffic, IPSs block some of the known web traffic exploits and tell us they can block some of the unknowns - but wouldn't you feel better if you had an appliance that reported to you - "Blocked unknown exploit attempt" or "Blocked unusual traffic and/or from an unusual source"?

Phil Klassen: As you proved ADS can be a very useful tool - most of the leading IPS and WAF solutions use ADS - the reason you don't see more about how ADS stopped this or blocked that is the fear of false positives - almost forgot SIEMs also use ADS - anyway as they perfect these systems I think you will see more and more about proactive ADS