Interview with Judy Novak, co-author of “Network Intrusion Detection 3/e”

Introduce yourself.

I’m currently a senior security analyst for a consulting firm – Jacob and Sundstrom, but I’ll be changing jobs in about a month to become a research engineer for Sourcefire. I’ve been involved with computer security for about eight years and it’s been the most rewarding time in my career. I’ve worked with computers my entire career as a programmer, systems programmer, administrator, etc. and always enjoyed the work, but I’ve found security, particularly intrusion detection, fascinating.

I’ve been teaching and writing courseware for SysAdmin, Audit, Networking and Security (SANS) for over three years. That has kept me pretty busy and left little spare time, but I still manage to do some cycling in the more clement months. In years past when I was more active and fit, I biked in Colorado, Montana, Arizona, New Mexico, and Vermont in pursuit of finding mountains. I enjoy the challenge of a good climb and the thrill of getting to the top. It’s about the only time my mind isn’t preoccupied with 50 million other annoying thoughts since you pretty much have to concentrate all your effort on being in the correct gear, keeping hydrated, not falling over and taking in the awesome scenery.

How did you gain interest in computer security?

Actually, it was a rather fortunate accident. I’ve been doing computer-related work since graduating from Jurassic Park University years ago. I was doing UNIX system administration about eight years ago at a site that had over forty computers compromised due to lack of security awareness and protection. Computer security wasn’t really an issue back then and the site had a packet-filtering router that was more a sieve and less a barrier to traffic for their perimeter defense. The site only learned of the compromises from a more security-aware site that discovered our compromised computers attacking theirs – how embarrassing. As an aftermath to the whole horrible incident, I was asked to join a computer security team that they formed. We were pretty naive and ignorant at the time, but you can’t stay that way for long and defend your site!

Which are your favourite security tools and why?

Well, I’m going to show my roots by declaring the Naval Surface Warfare Center (NSWC) Shadow as one of the first and favorite intrusion detection systems I used. I’d installed this at the urging of Stephen Northcutt and discovered a great tool in Shadow and a great friend in Stephen. It is based on tcpdump, and using tcpdump and Shadow required that I become very familiar with TCP/IP; otherwise I would be totally clueless. To this day, even though IDS’ have made phenomenal advances, I still like using Shadow along with the more modern IDS’ to collect background traffic.

Snort is another favorite tool since it rivals a lot of commercial IDS’ and is easy to install and configure. It’s pretty easy to write simple or complex rules and I like that you see the offending packet when it alerts. If you don’t have access to the guts of the rule that triggered the alert and the dump of offending packet, you don’t know if an alert is real or a false positive. Too many commercial IDS’ don’t let you see the signatures, rules, etc. and don’t dump the packet. You are at the mercy of the IDS with no way of validating the accuracy of the alert. You can end up crying wolf if you believe the IDS all of the time or you end up simply ignoring it if you don’t.

We just finished up a red team exercise using nothing more than freeware – nmap, nessus, and the Center for Internet Security (CIS) benchmark tools. This gave us a combination of tools to map the network using nmap, expose the vulnerabilities remotely using nessus, and examine host configurations using the CIS benchmark tools.

How long did it take you to co-write “Network Intrusion Detection 3/e” and what was it like?

For my portion of the 3rd edition, it took about 6 months. But, many of the chapters were based on SANS material I’d previously written and chapters from the 2nd edition. It’s a pretty intense experience trying to create material that is useful and coherent without taking yourself too seriously. Luckily, I had Stephen’s footsteps to follow from his solo rendition of the 1st edition. His was one of the first technical books I’d read that had a lot of humor that allowed his light-hearted character to show through.

In your opinion, what are the most important things an administrator has to do in order to keep a network secure?

I don’t think I can offer any startling insight into the standard precautions of using VPN’s, stateful packet-filtering or proxy firewalls, IDS, anti-virus, applying patches, etc. Obviously, the administrator(s) have to have management support in supplying strong policies and ample manpower to maintain and watch the network.

Even given these ideal conditions, you sometimes meet the enemy and realize that it is your internal users. I’m not talking about the legendary insider threat; I’m just talking about those users who scoff at policy by trying to circumvent it. I can’t tell you how many times we’ve blocked conventional ports associated with various peer-to-peer software such as Kazaa only to find that users will modify the default ports used. Kazaa, in particular, has had some nasty residual offerings such as worms. There isn’t much you can do in instances such as this except to use IDS signatures that don’t specifically focus on port numbers, but instead examine payload for offending peer-to-peer connections.

What’s your take on the full disclosure of vulnerabilities?

If full disclosure includes releasing working source code that exploits the vulnerability, I’m not so sure I support it after what happened to David Litchfield – the release of the recent Sapphire worm that used his code. I think sensible disclosure needs to occur – alerting the vendor/maintainer in advance and giving them an opportunity to address the problem. Unfortunately, aggressive disclosure is sometimes the only motivation to encourage software giants to correct their problems.

Too, you may want to question the motivation and methods behind the disclosure. It sometimes seems that disclosure is not always done for the noblest reason – alerting of vulnerabilities and stimulating fixes. Depending on the visibility and popularity of the software related to the disclosure, there can be a lot of publicity surrounding the individual or company making the disclosure. Ironically, some of these companies sell products or services to aid you in your quest for perfect security.

Based on your experiences, do you find proprietary software or open source software to be more secure?

Truthfully, I don’t know statistically which is more secure – you would tend to say that if Microsoft is representative of proprietary software then proprietary software is less secure than its open source counterparts. But, is Microsoft considered less secure because everyone and his brother is pounding on it or it is more ubiquitous than other software? I don’t know the correct answer; I just know that I prefer the open source model.

My closest reference to the controversy is Snort, the open source IDS. Snort is in a unique position because it is a collective open source effort that has probably literally hundreds, if not thousands of eyes scrutinizing the code and improving it. I realize that not all open source garners as much attention or interest as Snort, but because of the group development model and intelligent direction provided by Marty Roesch, you have an excellent source code offering. This makes it hard for the proprietary offerings to compete with Snort because of the ready pool of free talent and resources available.

What advice would you give to people starting to learn about intrusion detection?

First learn TCP/IP well since you’ll need it to understand traffic analysis, the foundation of intrusion detection. Learning theory is great, but then you have to put the theory to practice by analyzing traffic. Assuming you have no existing IDS, I would download and install Snort and take a look at the output. There is plenty of documentation available on the Internet that gives you pointers and tips on installing and configuring Snort.

I think you also have to realize that although IDS’ have come a long way, they are still in their infancy of evolution. That said, don’t expect the best IDS to be even close to perfect. And even if you have the most capable IDS, as far as I’m concerned, it is next to worthless unless you have a savvy analyst. The analyst has to understand the traffic on the network before installing and customizing the IDS so that it will give you pertinent alerts and not just spew overwhelming volumes of garbage your way. I think this is one of the areas where management can be quite naive because they believe that running an IDS provides a totally automated solution. In reality, it is only the trained savvy analyst who knows how to customize the IDS, maintain it, and comprehend the output.

I also think that doing intrusion detection can at once be both exciting and very mundane. At first, everything is new and having insight about network traffic can be an eye-opening experience. But, it can soon become very routine just examining the output from the IDS. And, this is where you have to challenge yourself to be curious and explore or become a screen watcher. Some IDS’ have advanced features, rules languages, and optional configurations that will allow you to finely tune the rules, correlate events, and more accurately analyze traffic. So, study the IDS and learn to get the most out of it.