An introduction to intrusion detection systems  
and the Dragon IDS suite  
Ensuring systems and network security  


Dragon IDS - Functional Description


Introduction

Dragon is the award-winning UNIX-based Intrusion Detection System from Enterasys, a Cabletron company (previously Network Security Wizards), in the USA. Dragon is UNIX-only simply because the UNIX TCP/IP stack is far more stable, and far better suited to promiscuous-mode capture, than Microsoft's NT offerings. Portcullis, after two years of research and testing, adopted Dragon as its IDS product because it covers all the aspects required of both a Network Intrusion Detection System (NIDS) and a Host Intrusion Detection System (HIDS). Portcullis has been assigned the European distribution rights to the Dragon product range, and will be providing support, updates, installation and configuration services together with the April 2001 launch of a Managed Intrusion Detection Service (MIDS).

 

Network Based IDS
The Dragon Sensor is a network monitor. It watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pager alerts/messages, email messages, and take action to stop the event and record it for future forensic analysis. Typically, Dragon Sensors are deployed on standalone systems in front of firewalls or at key network choke points.

Dedicated Analysis and Alerting Server
The Dragon Server facilitates secure management of all Dragon Sensors and Dragon Squires. It also aggregates all alerts into one central database so that disparate attack information can be correlated. The Dragon Server includes a variety of reporting and analysis tools as well as the ability to customize alerts via email, SNMP or syslog messages.

Secure Web and Console Access
All Dragon products can be administered and analyzed securely through command line and web GUI interfaces. This drastically lowers overall deployment and operation costs from running an enterprise IDS.

Performance
The Dragon Sensor is simply the fastest NIDS available today. It has been tested in real world conditions against many of the other NIDS products on the market today. We encourage you to test it out on your high-speed networks.

Network Integrity
Believe it or not, many network IDS products do not reassemble network streams that span multiple packets, arrive as out-of-order packets or contain fragmented packets. This allows attackers to scramble their network probes and attacks and avoid detection. Dragon Sensor is not affected by these techniques. Dragon Squire complements it and fills in any gaps that arise from future anti-IDS evasion techniques.
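The evasion this paragraph describes, shown as an added example that is not Dragon code: a signature split across TCP segments that arrive out of order is missed by per-packet inspection, but found once a simple sequence-number reassembler has put the stream back together. The signature string, the request and the sequence numbers are all constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Constructed signature: the byte pattern the sensor is meant to flag.
SIGNATURE = b"/cgi-bin/evil-probe"

Segment = Tuple[int, bytes]  # (TCP sequence number of first byte, payload)


def naive_match(segments: List[Segment]) -> bool:
    """Per-packet inspection: misses a pattern that spans two segments."""
    return any(SIGNATURE in payload for _, payload in segments)


class StreamReassembler:
    """Buffers out-of-order TCP segments and emits them in sequence order."""

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                      # next byte we expect to see
        self.pending: Dict[int, bytes] = {}      # segments waiting for a gap to close
        self.data = b""                          # contiguous stream so far

    def add(self, seq: int, payload: bytes) -> None:
        end = seq + len(payload)
        if end <= self.next_seq:                 # pure retransmission: nothing new
            return
        if seq < self.next_seq:                  # partial overlap: keep only the new tail
            payload, seq = payload[self.next_seq - seq:], self.next_seq
        self.pending.setdefault(seq, payload)
        while self.next_seq in self.pending:     # drain whatever is now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Feed segments in arrival order; return the in-order stream recovered so far."""
    r = StreamReassembler(isn)
    for seq, payload in segments:
        r.add(seq, payload)
    return r.data


def reassembled_match(segments: List[Segment], isn: int) -> bool:
    """Stream inspection: matches after the segments are put back in order."""
    return SIGNATURE in reassemble(segments, isn)


# Constructed evasion attempt: the request is split inside the signature and
# the middle piece is delivered first, before the start of the stream.
REQUEST = b"GET /cgi-bin/evil-probe HTTP/1.0\r\n\r\n"
ISN = 1000
OUT_OF_ORDER = [(ISN + 12, REQUEST[12:20]), (ISN, REQUEST[:12]), (ISN + 20, REQUEST[20:])]
```

A segment that never arrives leaves `reassemble` holding only the bytes before the gap, which is why a sensor must also time out and report stalled streams rather than wait indefinitely.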

Scalable Sensor/Squire Management
The Dragon Server can easily manage thirty Dragon Sensors on heavily loaded 100Mb networks. This minimizes infrastructure costs when deploying IDS consoles. Dragon Server has been tested in laboratory conditions for use in monitoring 100+ Dragon Sensors. This scalability will also allow the Dragon Server to manage fifty Dragon Squire engines in addition to the Dragon Sensors.

Open Signatures
Dragon Sensor and Dragon Squire signatures are contained in ASCII text libraries. They are fully documented with copious references to CVE and Bugtraq information. More importantly, they can be trivially modified to detect new versions of current attacks. It takes ten minutes for most Dragon Sensor users to learn how to write new signatures. Dragon Squire will have a similar signature language, so that end users will not have to learn a completely new language.

 

Dragon Components

 

Dragon's architecture is composed of one or more Dragon Sensors controlled from a central Dragon Enterprise Server. The Dragon Server manages each Dragon Sensor’s configuration and also provides a central repository for all recorded Dragon Sensor events. Each sensor or server node can be configured for remote access via SSH or through a secure web server. Portcullis strongly encourages Dragon Enterprise Servers to be deployed with an Apache web server.

Dragon. This is the program that does the real work. It monitors packets and records anomalous network activity such as hackers, misuse and abuse. It is run on a Dragon Sensor. Each Dragon program also includes a variety of command line tools that can be used to perform analysis of the collected data.

Dragon Rider Client monitors Dragon's database of recorded events. It encrypts the data, and sends it to a Dragon Rider Server on the Dragon Enterprise Server. It also receives configuration information for Dragon from the Server. When new configuration information is received, it will restart Dragon. It is run on a Dragon Sensor.

Dragon Rider Server waits for connections from Dragon Rider Clients that are located on the Dragon Sensors. Dragon events are sent for centralization and aggregate analysis. Dragon Rider Server can also immediately send new configuration information to Dragon Rider Clients.

Dragon Rider Web Interface. The web interface to Dragon Rider is a convenient set of CGI-BIN scripts which offers an integrated environment for Dragon Sensor management and performance analysis. Dragon Sensor configurations can be viewed by configuration type or by individual sensor. Dragon Sensor signature libraries can also be manipulated for custom anomaly detection.

Dragon Fire Web Interface is really a sophisticated front end for the command line tools. It provides Dragon administrators with an environment similar to the Dragon Rider Web Interface to conduct in-depth event analysis.

Secure Shell Server. We recommend that Dragon deployments make use of Secure Shell daemons to ensure secured remote access to the Dragon Sensors and Dragon Enterprise Servers. If possible, the use of firewalls to secure remote access based on IP addresses is also recommended. We also recommend that SSH users employ RSA identity keys for a higher level of remote authentication.

Secure Web Server. We recommend that all of Dragon's web interfaces sit behind a layered security architecture, such as SSL, to protect them from unauthorized access. Out-of-band networks, VPNs, firewalls and SSH port forwarding are alternatives to SSL.

Dragon (Enterprise) Server. For Dragon implementations with more than one Dragon Sensor, a Dragon Enterprise Server can be used to centralize the event reporting and administration of the Sensors. A Dragon Enterprise Server consists of the Dragon Rider Server, the Dragon Rider web interface and the Dragon Fire web interface.

The Dragon Enterprise Server provides the following features:

  • Centralized Dragon Event Reporting - Dragon Rider can be used to securely forward all event information from one or more remote Dragon Sensors to a centralized Dragon event database. The Dragon Fire web interface can then be used to report from the centralized Dragon event database.
  • Centralized Dragon Sensor Management - Configuration information for each Dragon Sensor can be maintained on a centralized Dragon Rider Server. New configurations can then be securely pushed to each sensor as necessary.



Dragon Squire is a host-based IDS product. It uses a signature library to monitor application and system log files for anomalies. It also periodically computes cryptographic checksums on key system files to detect changes. Dragon Squire is designed to have minimal impact on system performance and to be easy to manage from the Dragon Server.
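The checksum side of a host IDS as described above, written as an added example (not Dragon Squire's own code): a baseline of SHA-256 digests is taken over watched files, and a later pass reports each file as modified, missing or new. The watched file names and their contents are constructed in a temporary directory; a real deployment would store the baseline off-host so an intruder cannot rewrite it along with the files.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Map each existing watched file to its digest; this is the trusted snapshot."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Return {path: 'modified' | 'missing' | 'new'} for every difference."""
    findings = {}
    for path, digest in baseline.items():
        if path not in current:
            findings[path] = "missing"
        elif current[path] != digest:
            findings[path] = "modified"
    for path in current:
        if path not in baseline:
            findings[path] = "new"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: snapshot two files, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as d:
        watched = [os.path.join(d, n) for n in ("passwd", "sshd_config", "ld.so.preload")]
        passwd, sshd_config, preload = watched
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(sshd_config, "wb") as f:
            f.write(b"PermitRootLogin no\n")
        baseline = build_baseline(watched)       # ld.so.preload does not exist yet
        with open(passwd, "ab") as f:             # simulated tampering from here on
            f.write(b"eve:x:1001:1001::/home/eve:/bin/sh\n")
        os.remove(sshd_config)
        with open(preload, "wb") as f:
            f.write(b"# constructed: file appeared after the baseline\n")
        findings = compare(baseline, build_baseline(watched))
        return {os.path.basename(p): v for p, v in findings.items()}
```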

Operation

Event Analysis Tools


Once event data is collected at a Dragon Sensor or at a Dragon Server, a variety of programs may be used to analyse it:
sum_db - prints out information about the dragon.db file
sum_event - sorts events by time, number and event group
sum_ip - sorts the IP addresses and CIDR blocks of all events
mkalarm - scores each unique IP address by number and type of events
mkchart - plots all events across a single Class C CIDR block
mkicmp - analyzes ICMP traffic for backdoors and DoS attacks
mklog - prints event information by line, packet and protocol
mksession - replays suspicious collected network sessions


Alerting Programs

Several flexible programs are available which can customize any Dragon Sensor or Dragon Server with a range of alert options:
alarmtool - sends SNMP, SMTP and syslog alerts. Alerts can be selected by alert name, by filtered IP addresses and even by filtered UDP and TCP ports. An optional list of "pager" email recipients can be specified for terser messaging. If desired, specific commands with dynamic arguments may be specified for execution upon receipt of particular events.
diskfree - monitors free disk space and sends SNMP or SMTP alerts


Web Interfaces


With the addition of an Apache web server to either a Dragon Sensor or a Dragon Server, the following web interfaces can be used for operation and analysis:


Dragon Fire - A dynamic HTML-based set of Perl scripts which act as a web-based "front end" to the analysis tools. It can create graphical views of the collected data. It also heavily hyperlinks the output of one tool into queries for the other tools. A lightweight messaging/ticketing system named 'mknotes' is also included.

The screenshot below shows the Dragon Fire console:

 

Dragon Rider - Interface used to manage Dragon Sensor and Dragon Squire configurations, review each engine's performance and to manage signature libraries.

The screen image below shows the 'signature management screen' - Dragon Rider:

 

 


Database Manipulation Tools


Even after data has been collected by Dragon, it can be further manipulated to add value or increase its portability:
drep - filters any dragon.db file to create a new, smaller one
mktcpdump - converts dragon.db files to TCPDUMP binary format
RTU-SQL - automatically feeds Dragon Server events into an SQL database

 

Dragon Control

Command Line Support


All Dragon programs support command line operation. This means that 100% remote administration and operation can be achieved through tools such as Secure Shell, OpenSSH and Network Shell. Many of Dragon's functions on the Sensor, Server and Squire can also be scripted as cron jobs. All configuration files are ASCII based and can be edited with text editors.


Web Analysis & Management Support


The Dragon family of products includes three dedicated web-based tools for operation and control. The Dragon Fire tool can be placed on any Dragon engine, such as a Dragon Sensor, to analyze live events as they are collected. The same interface can be placed on a Dragon Server to analyze events from multiple Dragon Sensors and Squires. For control of the various Dragon engines, the Dragon Rider web interface provides configuration and performance options. All web interfaces are designed for operation with Apache web servers.

 

Future Features

Dragon Server

SNMP Security Trap Server
Dragon also has SNMP "analysis" servers, which can intelligently recognize security-significant events. In layman's terms, this is a signature language very similar to Dragon Squire's which can collate events from firewalls such as Cisco's PIX and feed them into the events stored on a Dragon Server. We will release this Dragon Server module with handlers for the Checkpoint and PIX firewalls.

3D/2D Event Viewer
In order to visualize the large amounts of data collected at the Dragon Server, we have started development work on several graphical representations of the data. The events from multiple Dragon Sensors, Dragon Squires and SNMP traps from firewalls can be viewed with a variety of 2D bar charts, circle plots and heat charts. 3D charts will be used to display IPvIP traffic as well as all events that have occurred in specific time intervals.

5 Dragon Squire Licenses
All Dragon Squire sales are bundled with a Dragon Server license. 5 Dragon Squire licenses are included with each Dragon Server purchase so that customers can augment their security monitoring with host-based analysis.




Copyright © 1993-2001   The Intrusion Detection System Group