Introduction
Dragon is the award-winning UNIX-based Intrusion Detection System from Enterasys, a Cabletron company (previously Network Security Wizards), in the USA. Dragon is UNIX-only because the TCP/IP implementation there is considerably more stable, and better suited to promiscuous-mode capture, than Microsoft's NT offerings. After two years of research and testing, Portcullis adopted Dragon as its IDS product because it covers the requirements of both a Network Intrusion Detection System (NIDS) and a Host Intrusion Detection System (HIDS). Portcullis has been assigned the European distribution rights to the Dragon product range and will provide support, updates, installation and configuration services, together with the April 2001 launch of a Managed Intrusion Detection Service (MIDS).
Network Based IDS
The Dragon Sensor is a network monitor. It watches live
network packets and looks for signs of computer crime, network
attacks, network misuse and anomalies. When it observes an event,
the Dragon Sensor can send pager alerts/messages, email messages,
and take action to stop the event and record it for future
forensic analysis. Typically, Dragon Sensors are deployed on
standalone systems in front of firewalls or at key network choke
points.
Dedicated Analysis and Alerting Server
The Dragon Server facilitates secure management of all Dragon
Sensors and Dragon Squires. It also aggregates all alerts into
one central database so that disparate attack information can be
correlated. The Dragon Server includes a variety of reporting and
analysis tools as well as the ability to customize alerts via
email, SNMP or syslog messages.
Secure Web and Console Access
All Dragon products can be administered and analyzed securely
through command line and web GUI interfaces. This drastically
lowers overall deployment and operation costs from running an
enterprise IDS.
Performance
The Dragon Sensor is simply the fastest NIDS available today.
It has been tested in real world conditions against many of the
other NIDS products on the market today. We encourage you to test
it out on your high-speed networks.
Network Integrity
Believe it or not, many network IDS products do not
reassemble network streams that span multiple packets, arrive
out of order or are carried in fragmented packets. This lets
attackers scramble their probes and attacks and avoid detection.
Dragon Sensor is not affected by these techniques. Dragon Squire
complements it and fills in any gaps that arise from future
anti-IDS evasion techniques.
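The point above is easy to see with a small reassembler. The following is an added example, not Dragon code: a signature split across TCP segments that are delivered out of order is invisible to a matcher that looks at each packet alone, and obvious once the bytes are put back in sequence-number order. The signature names, the request and the overlap policy are assumptions made for the example; the same offset-keyed logic applies to IP fragments (fragment offset in units of 8 bytes instead of a sequence number).

```python
"""Added example (not Dragon code): why a NIDS must reassemble streams.

A signature spanning TCP segments delivered out of order is invisible to a
per-packet matcher but found once the stream is reassembled.  Signature
names and the sample request are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number relative to the stream's ISN
    payload: bytes


# Hypothetical signatures, in the spirit of a plain-text signature library.
SIGNATURES = {
    "WEB:CGI-PHF": b"GET /cgi-bin/phf",
    "WEB:DOT-DOT": b"../../",
}

# Constructed sample: one HTTP request split into three segments and
# delivered out of order (B, C, A).  No single segment contains a signature.
EVASIVE = [
    Segment(8,  b"-bin/phf"),
    Segment(16, b" HTTP/1.0\r\n"),
    Segment(0,  b"GET /cgi"),
]


def match_bytes(data: bytes) -> set:
    """Names of every signature whose pattern occurs in data."""
    return {name for name, pat in SIGNATURES.items() if pat in data}


def match_per_packet(segments) -> set:
    """Naive matcher: every segment inspected in isolation."""
    hits = set()
    for seg in segments:
        hits |= match_bytes(seg.payload)
    return hits


def reassemble(segments) -> bytes:
    """Rebuild the contiguous byte stream starting at offset 0.

    Bytes are keyed by stream offset; where two segments overlap, the copy
    that arrived first is kept (an assumed policy).  Which copy a real host
    keeps is OS-specific and is itself an evasion vector, so a production
    sensor must model the target's policy rather than pick one.  Data after
    a gap is withheld until the gap is filled by a retransmission.
    """
    byte_at = {}
    for seg in segments:                      # arrival order decides overlaps
        for i, b in enumerate(seg.payload):
            byte_at.setdefault(seg.seq + i, b)
    out = bytearray()
    off = 0
    while off in byte_at:
        out.append(byte_at[off])
        off += 1
    return bytes(out)


def match_reassembled(segments) -> set:
    """Reassemble first, then match: the split signature is found."""
    return match_bytes(reassemble(segments))


if __name__ == "__main__":
    print("per-packet :", match_per_packet(EVASIVE) or "no hits")
    print("reassembled:", match_reassembled(EVASIVE))
```

Run as a script it prints no hits for the per-packet pass and `WEB:CGI-PHF` for the reassembled pass. The overlap policy is the detail to keep in mind when evaluating any sensor: an attacker who knows the IDS and the target resolve overlapping data differently can make the two see different streams.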
Scalable Sensor/Squire Management
The Dragon Server can easily manage thirty Dragon Sensors on
heavily loaded 100Mb networks. This minimizes infrastructure
costs when deploying IDS consoles. Dragon Server has been tested
in laboratory conditions for use in monitoring 100+ Dragon
Sensors. This scalability will also allow the Dragon Server to
manage fifty Dragon Squire engines in addition to the Dragon
Sensors.
Open Signatures
Dragon Sensor and Dragon Squire signatures are contained in
ASCII text libraries. They are fully documented with copious
references to CVE and Bugtraq information. More importantly, they can be
trivially modified to detect new versions of current attacks. It
takes ten minutes for most Dragon Sensor users to learn how to
write new signatures. Dragon Squire will have a similar signature
language such that end users will not have to learn a completely
new language.
Dragon Components
Dragon's architecture is
composed of one or more Dragon Sensors controlled from a central
Dragon Enterprise Server. The Dragon Server manages each Dragon
Sensor's configuration and also provides a central
repository for all recorded Dragon Sensor events. Each sensor or
server node can be configured for remote access via SSH or
through a secure web server. Portcullis strongly encourages
deploying Dragon Enterprise Servers with an Apache web
server.
Dragon. This is the program that does the real work. It
monitors packets and records anomalous network activity such as
intrusion attempts, misuse and abuse. It runs on a Dragon Sensor. Each
Dragon installation also includes a variety of command line tools that
can be used to analyse the collected data.
Dragon Rider Client monitors Dragon's database of
recorded events, encrypts the data and sends it to a Dragon
Rider Server on the Dragon Enterprise Server. It also receives
configuration information for Dragon from the Server and restarts
Dragon when new configuration information arrives. It runs on a
Dragon Sensor.
Dragon Rider Server waits for connections from Dragon
Rider Clients that are located on the Dragon Sensors. Dragon
events are sent for centralization and aggregate analysis. Dragon
Rider Server can also immediately send new configuration
information to Dragon Rider Clients.
Dragon Rider Web Interface. A convenient set of CGI
scripts that offers an integrated environment for Dragon Sensor
management and performance analysis. Dragon Sensor
configurations can be viewed by configuration type or by
individual sensor. Dragon Sensor signature libraries can also be
edited for custom anomaly detection.
Dragon Fire Web Interface is really a sophisticated front
end for the command line tools. It provides Dragon administrators
with an environment similar to the Dragon Rider Web Interface to
conduct in-depth event analysis.
Secure Shell Server. We recommend that Dragon deployments
make use of Secure Shell daemons to ensure secured remote access
to the Dragon Sensors and Dragon Enterprise Servers. If possible,
the use of firewalls to secure remote access based on IP
addresses is also recommended. We also recommend that SSH users
employ RSA identity keys for a higher level of remote
authentication.
Secure Web Server. We recommend that all of Dragon's
web interfaces sit behind a layered security architecture, such as SSL,
to protect them from unauthorized access. Out-of-band networks,
VPNs, firewalls and SSH port forwarding are alternatives to
SSL.
Dragon (Enterprise) Server. For Dragon
implementations with more than one Dragon Sensor, a Dragon
Enterprise Server can be used to centralize the event reporting
and administration of the Sensors. A Dragon Enterprise Server
consists of the Dragon Rider Server, the Dragon Rider web
interface and the Dragon Fire web interface.
The Dragon Enterprise Server provides the following features:
- Centralized Dragon Event Reporting: Dragon Rider can be used to securely
forward all event information from one or more remote
Dragon Sensors to a centralized Dragon event database.
The Dragon Fire web interface can then be used to report
from the centralized Dragon event database.
- Centralized Dragon Sensor Management: Configuration information for each
Dragon Sensor can be maintained on a centralized Dragon
Rider Server. New configurations can then be securely
pushed to each sensor as necessary.
Dragon Squire is a host based IDS product. It uses a
signature library to monitor application and system log files for
anomalies. It also periodically computes cryptographic checksums
on key system files to detect changes. Dragon Squire is designed
to have minimal system performance impact and to have easy
management from the Dragon Server.
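The two checks described for Dragon Squire, in miniature, as an added example that is not Dragon Squire's code: a baseline of SHA-256 checksums over a directory that is later re-hashed to report changed, added and removed files, and a small log-signature library with one collation rule (repeated SSH failures from one source) layered on top. The signature names, the threshold, the log lines and the tampered files are all constructed for the example; Dragon Squire's real signature format is not shown on this page.

```python
"""Added example (not Dragon Squire code): file-integrity checksums plus
log-signature monitoring.  Signatures, thresholds, file contents and log
lines are constructed for this example.
"""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Differences between two snapshots; all-empty lists mean no change."""
    return {
        "changed": sorted(k for k in baseline
                          if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


# Hypothetical log signatures: (name, compiled pattern).
LOG_SIGNATURES = [
    ("SSH:AUTH-FAIL", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")),
    ("SSH:ROOT-LOGIN", re.compile(
        r"sshd\[\d+\]: Accepted \S+ for root from (?P<ip>\S+)")),
    ("SU:TO-ROOT", re.compile(r"su(?:\[\d+\])?: .*\bto root\b")),
]
BRUTE_FORCE_THRESHOLD = 3   # assumed: failures from one source before escalating


def scan_log(lines) -> list:
    """Return (signature, detail) pairs; detail is the matching line, or the
    source address for the collated SSH:BRUTE-FORCE event."""
    events = []
    failures = Counter()
    for line in lines:
        for name, pat in LOG_SIGNATURES:
            m = pat.search(line)
            if not m:
                continue
            events.append((name, line))
            if name == "SSH:AUTH-FAIL":
                ip = m.group("ip")
                failures[ip] += 1
                if failures[ip] == BRUTE_FORCE_THRESHOLD:
                    events.append(("SSH:BRUTE-FORCE", ip))
    return events


# Constructed sample log lines.
SAMPLE_LOG = [
    "Mar  3 10:01:12 web1 sshd[1201]: Failed password for root from 10.0.0.5 port 4422 ssh2",
    "Mar  3 10:01:15 web1 sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4423 ssh2",
    "Mar  3 10:01:19 web1 sshd[1203]: Failed password for root from 10.0.0.5 port 4424 ssh2",
    "Mar  3 10:02:01 web1 sshd[1210]: Accepted publickey for ops from 10.0.0.9 port 5001 ssh2",
    "Mar  3 10:02:30 web1 su[1222]: (to root) ops on pts/0",
]


def demo_integrity() -> dict:
    """Baseline a scratch directory, tamper with it, return the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_bytes(b"welcome\n")
        baseline = snapshot(root)
        # Constructed tampering: extra uid-0 account, new preload file, deleted motd.
        (root / "etc" / "passwd").write_bytes(
            b"root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        (root / "etc" / "ld.so.preload").write_bytes(b"/tmp/x.so\n")
        (root / "etc" / "motd").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo_integrity())
    for name, detail in scan_log(SAMPLE_LOG):
        print(name, "|", detail)
```

The baseline dictionary is the asset to protect: if it lives on the monitored host in a writable location, an intruder simply re-baselines after tampering. Keeping it on the Dragon Server, as the page describes for Squire management, is the sensible arrangement.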
Operation
Event Analysis Tools
Once event data is collected at a Dragon Sensor or at a
Dragon Server, a variety of programs may be utilised to analyse
it:
sum_db - prints out information about the dragon.db file
sum_event - sorts events by time, number and event group
sum_ip - sorts the IP addresses and CIDR blocks of all events
mkalarm - scores each unique IP address by number and type of events
mkchart - plots all events across a unique Class C CIDR block
mkicmp - analyzes ICMP traffic for backdoors and DoS attacks
mklog - prints event information by line, packet and protocol
mksession - replays suspicious collected network sessions
Alerting Programs
Several flexible programs are
available which can customize any Dragon Sensor or Dragon Server
with several alert options:
alarmtool - sends SNMP, SMTP and syslog alerts. Alerts can be
selected by alert name, by filtered IP addresses and even by
filtered UDP and TCP ports. An optional list of "pager" email
recipients can be specified for terser messaging. If desired,
specific commands with dynamic arguments may be specified for
execution upon receipt of particular events.
diskfree - monitors free disk space and sends SNMP or SMTP alerts
Web Interfaces
With the addition of an Apache web server to either a Dragon
Sensor or a Dragon Server, the following web interfaces can be
used for operation and analysis:
Dragon Fire - A dynamic HTML-based set of Perl scripts
which act as a web-based "front end" to the analysis
tools. It can create graphical views of the collected data and
heavily hyperlinks the output of one tool into queries for
other tools. A lightweight messaging/ticketing system named 'mknotes'
is also included.
[Screenshot: the Dragon Fire console]
Dragon Rider - Interface
used to manage Dragon Sensor and Dragon Squire configurations,
review each engine's performance and to manage signature
libraries.
[Screenshot: the Dragon Rider signature management screen]
Database Manipulation Tools
Even after data has been collected by Dragon, it can be
further manipulated to add value or increase its portability:
drep - filters any dragon.db file to create a new, smaller one
mktcpdump - converts dragon.db files to tcpdump binary format
RTU-SQL - automatically feeds Dragon Server events into a SQL database
Dragon Control
Command Line Support
All Dragon programs support command line operation.
This means that 100% remote administration and operation can be
achieved with tools such as Secure Shell, OpenSSH
and Network Shell. Many of Dragon's functions on the Sensor,
Server and Squire can also be scripted as cron jobs. All
configuration files are ASCII text and can be edited with
ordinary text editors.
Web Analysis & Management Support
The Dragon family of products includes three dedicated
web based tools for operation and control. The Dragon Fire tool
can be placed on any Dragon engine such as a Dragon Sensor and
analyze live events as they are collected. The same interface
could be placed on a Dragon Server and analyze events from
multiple different Dragon Sensors and Squires. For control of the
various Dragon engines, the Dragon Rider web interface provides
configuration and performance options. All web interfaces are
designed for operation with Apache web servers.
Future Features
Dragon Server
SNMP Security Trap Server
Dragon also has SNMP "analysis" servers, which can
intelligently recognise security-significant events. In layman's
terms, this is a signature language very similar to Dragon Squire's
which collates events from firewalls such as Cisco's PIX and
feeds them into the events stored on a Dragon Server.
We will release this Dragon Server module with handlers for the
Check Point and PIX firewalls.
3D/2D Event Viewer
In order to visualize the large amounts of data collected at the
Dragon Server, we have started development work on several
graphical representations of the data. The events from multiple
Dragon Sensors, Dragon Squire and SNMP traps from firewalls, can
be viewed with a variety of 2D bar charts, circle plots and heat
charts. 3D charts will be used to display IPvIP traffic as well
as all events, which have occurred in specific time intervals.
5 Dragon Squire Licenses
All Dragon Squire sales are
bundled with a Dragon Server license. 5 Dragon Squire licenses
are included with each Dragon Server purchase so that customers
can augment their security monitoring with host based analysis.

Copyright © 1993-2001 The Intrusion Detection System Group