Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Ease of Set Up

Both Stalker and CMDS are distributed, client-server products. Depending on your network configuration, the installation and setup can be simple or complex. The usual rule of “your mileage may vary” is a good one to keep in mind. Agent code must be installed on each CMDS target or Stalker agent. Although some autodiscovery is provided, the Server or Manager will need to be made aware of which nodes to monitor. The time it takes to configure nodes is a small constant value in most cases, but you need to multiply this value by the number of nodes you have.

As with most systems that rely on host names and IP addresses for identification, the use of dynamic host configuration protocol (DHCP) or regular changes to host identifiers will require additional administration. If you treat all monitored nodes uniformly, administration is simpler. However, if you want to analyze different statistics or attack patterns on each node, your administrative workload also will increase. Any variability in your monitoring requirements per node naturally will drive configuration changes on either agents or servers/managers.

Distributed Intrusion Detection

Neither Stalker nor CMDS tracks the activities of a given user across multiple systems unless the assumption is that a person will have the same UID across all systems in the enterprise. Because this assumption is highly unlikely—even though the login name might be the same, the UIDs across systems may not be equivalent—tracking the activities of a single user throughout the enterprise is not straightforward.

One solution would be to tag each audit record, when it is consolidated on the server, with the originating host's IP address. Unfortunately, this solution does not work for systems with multiple network adapters, because such a node has several IP addresses. Also, in sites where IP addresses are assigned dynamically with DHCP, relying on an IP address to be meaningful would be a mistake because it could be reassigned at a future time. The host's name would probably be more reliable. When consolidating activities across systems, CMDS relies on the host's name and UID paired together to uniquely identify a user.
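The following is an added illustration, not code from the book or from CMDS or Stalker, of why consolidation on the server must key on the (host name, UID) pair rather than on the UID alone. The audit records, field names, and the administrator-maintained identity table are constructed for the example; no real product's record format is implied.

```python
# Added example: consolidating per-host audit records on a central server.
# All records and field names below are constructed for illustration and are
# not the audit-trail format of CMDS, Stalker, or any other product.
from collections import defaultdict

# Constructed records as they might arrive from three monitored hosts.
# UID 1001 belongs to different people on hostA and hostB, while the login
# name "alice" carries different UIDs on hostA and hostC.
AUDIT_RECORDS = [
    {"host": "hostA", "uid": 1001, "login": "alice", "cmd": "ls /etc"},
    {"host": "hostA", "uid": 1001, "login": "alice", "cmd": "cat /etc/passwd"},
    {"host": "hostB", "uid": 1001, "login": "bob",   "cmd": "su -"},
    {"host": "hostC", "uid": 2002, "login": "alice", "cmd": "mail hr"},
]


def consolidate_by_uid(records):
    """Naive consolidation that assumes a UID names one person everywhere.
    Returns {uid: [commands]}; activity of different people is merged."""
    by_uid = defaultdict(list)
    for rec in records:
        by_uid[rec["uid"]].append(rec["cmd"])
    return dict(by_uid)


def consolidate_by_host_and_uid(records):
    """Consolidation keyed on (host name, UID), as the text describes for CMDS.
    Every local account stays distinct; nothing is merged across hosts."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["host"], rec["uid"])].append(rec["cmd"])
    return dict(by_key)


def enterprise_identity(records, host_uid_to_user):
    """Further step (an assumption of this example, not a CMDS feature): map
    each (host, UID) to an enterprise user name through a table that an
    administrator maintains, which is what following one person across
    hosts actually requires. Unmapped accounts are grouped under "unmapped"."""
    by_user = defaultdict(list)
    for rec in records:
        user = host_uid_to_user.get((rec["host"], rec["uid"]), "unmapped")
        by_user[user].append((rec["host"], rec["cmd"]))
    return dict(by_user)


# Constructed identity table an administrator would keep up to date.
IDENTITY_MAP = {
    ("hostA", 1001): "alice",
    ("hostC", 2002): "alice",
    ("hostB", 1001): "bob",
}

if __name__ == "__main__":
    print("by UID only:       ", consolidate_by_uid(AUDIT_RECORDS))
    print("by (host, UID):    ", consolidate_by_host_and_uid(AUDIT_RECORDS))
    print("by enterprise user:", enterprise_identity(AUDIT_RECORDS, IDENTITY_MAP))
```

Run as-is and compare the three views: the UID-only view wrongly attributes bob's `su -` to the same person as alice's commands, the (host, UID) view keeps them apart but also splits alice across hostA and hostC, and only the identity table reunites her activity.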

Distributed systems management framework vendors, such as Tivoli, are all too aware of this identity problem in networked environments. The favored approach is to assign a framework-specific host identifier that is persistent across changes in IP addresses or other system parameters, such as the planar ROM ID. Assigning a network user name that is independent of the system on which a user operates also would be useful. However, such an extension would require changes in core parts of the OS, such as the login process and the generation of audit records, in order to track user activities across multiple systems. One research project prototyped this approach for intrusion detection across systems (Snapp et al., 1991).

Monitoring and Privacy

Keystroke monitoring has not been a fruitful approach to intrusion detection. As with many other computer science endeavors, context-sensitive analysis of data is one of the most difficult reasoning challenges for a program. Therefore, no commercial IDSs rely on keystrokes for determining misuses or intrusions. If such a tool were to exist, how would you handle privacy issues?

Most companies own the intellectual property of employees and also legally restrict computer activities to only those approved by management. A common practice is to present this warning to all computer users as part of the normal login message. This does not mean that all managers in a company own all of the correspondence of all of the employees. Especially unclear is how to handle the conflict that arises between privacy and monitoring. For example, if your IDS does monitor keystrokes, then someone is capable of reading the e-mail of employees. Sure, the company owns the content of these messages anyway. But what if the message is from an employee to a superior complaining about harassment on the job? Is this something from which an IDS might generate alerts or message excerpts?

Unfortunately, you should be worried about privacy and IDSs even though they do not perform keystroke analysis. What if someone is filling out a medical form online and enters words such as “attack,” “weakness,” and “confidential?” Many network sniffers would look for these as part of a standard set of watch words. Ideally, you could configure the sniffer to ignore these words when the user was in the context of a medical application online, but it’s unlikely the tool supports this because it is a difficult algorithm to generalize.
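To make the watch-word problem concrete, here is an added example (not from the book and not the logic of any real sniffer) of a watch-word scan that does two things a privacy-conscious operator would want: it skips flows whose destination is on a list of known sensitive applications, and its alerts carry only the flow tuple and the matched words, never the payload text. The flow records, watch words, and the medical application's host and port are all constructed values.

```python
# Added example: watch-word matching over constructed flow records with a
# context exclusion list and redacted alerts. The record layout, the watch
# words and the excluded application address are assumptions for this example.
import re

WATCH_WORDS = ("attack", "weakness", "confidential")
# Whole-word, case-insensitive match on any watch word.
WATCH_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, WATCH_WORDS)) + r")\b", re.IGNORECASE
)

# Constructed: destinations that carry personal data and must not be searched
# (here an assumed host:port for an online medical-form application).
CONTEXT_EXCLUSIONS = {("medforms.internal", 443)}

# Constructed flow records: (src_host, dst_host, dst_port, payload_text).
FLOWS = [
    ("ws17", "medforms.internal", 443,
     "q: history of heart attack? a: yes. mark as confidential"),
    ("ws17", "mail.internal", 25,
     "Subject: confidential plans for the attack on Q3 targets"),
    ("ws22", "fileserver", 445, "quarterly numbers attached"),
]


def scan_flows(flows, exclusions=CONTEXT_EXCLUSIONS):
    """Return one alert per flow that matches a watch word and is not in an
    excluded context. Each alert holds the flow tuple and the sorted, lower-
    cased matched words; the payload itself is never copied into the alert."""
    alerts = []
    for src, dst, port, payload in flows:
        if (dst, port) in exclusions:
            continue  # sensitive application context: do not inspect at all
        words = sorted({m.group(1).lower() for m in WATCH_RE.finditer(payload)})
        if words:
            alerts.append({"src": src, "dst": dst, "port": port, "words": words})
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(FLOWS):
        print(alert)
```

The exclusion here is by destination address, which is the only context a packet sniffer can see cheaply; recognising the application from the payload itself is the hard, hard-to-generalise problem the paragraph describes.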

System monitoring tools also require caution. Audit trail reports contain the full command and its parameters in most cases. Knowing that an employee is suddenly sending several mail messages to someone in personnel could be confidential. This situation becomes a particular problem if the manager is receiving IDS usage reports (to look for misuse problems), and the employee is documenting improper behavior by that manager. In this particular case, the best advice is to document the problem on a home computer rather than risk discovery by unauthorized sniffers being used at your site.

By the way, these privacy problems are not limited to intrusion detection. In plenty of cases, developers use network sniffers to capture packets that are needed to debug a problem. Separating confidential information from test environments is the right approach for solving this dilemma. An interesting legend has gone around about how some user IDs and passwords from a reputable company found their way into one distribution of Crack when the software was tested in a production environment.

If you run a scanner and configure it to mail reports, verify your configuration so that you are not mailing the list of easily guessed passwords to everyone at your site, or even worse to your favorite newsgroup on the Internet. In some instances, someone mailed the output of a scan to a personal account outside the company, and the mail message flowed in the clear across the Internet. Remember, without encryption the Internet is like one big party line that many people share.
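As an added example of the configuration check the paragraph asks for (not code from the book, from Crack, or from any scanner), the snippet below strips the password field from a guessed-password report before it is mailed and refuses to build the message if any recipient is outside the internal mail domain. The report layout (`user:password:status` lines), the sample accounts and passwords, and the `example.com` domain are all constructed for illustration.

```python
# Added example: sanitising a password-scanner report before mailing it.
# The report format, sample entries and the domain policy are constructed
# for illustration; they are not the output format of Crack or any other tool.
import re

# Constructed report in an assumed "user:password:status" layout.
SAMPLE_REPORT = """\
Guessed passwords report (constructed sample)
jsmith:password1:guessed
mjones:Summer98:guessed
rlee:-:not guessed
"""

LINE_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<password>[^:]*):(?P<status>.+)$")


def redact_report(text):
    """Replace every guessed password with a fixed marker. The user name and
    status are kept so the recipient still knows which accounts to act on;
    lines that are not entries, and entries with no password, pass through."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("password") != "-":
            out.append(f"{m.group('user')}:[REDACTED]:{m.group('status')}")
        else:
            out.append(line)
    return "\n".join(out)


def external_recipients(recipients, internal_domain):
    """Return the recipients that are not in the internal mail domain
    (case-insensitive). An empty result means the report may be sent."""
    suffix = "@" + internal_domain.lower()
    return [r for r in recipients if not r.lower().endswith(suffix)]


def prepare_mail(text, recipients, internal_domain="example.com"):
    """Return the redacted body, or raise if any recipient is external so
    that the scan results never leave the site in the clear."""
    external = external_recipients(recipients, internal_domain)
    if external:
        raise ValueError(f"refusing to mail scan results to: {external}")
    return redact_report(text)


if __name__ == "__main__":
    print(prepare_mail(SAMPLE_REPORT, ["security@example.com"]))
```

The redacted body still tells the security contact which accounts were guessed, which is all the report needs to carry; the actual guessed passwords stay on the scanning host.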
