
High-speed IDS

The search for the Holy Grail….

Agenda

• The Problem

• Types of IDS

• Possible Solutions

• Drawbacks

• Testing

• Assumptions

• Conclusions

The Problem

• Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.

Types of IDS

• Plain Hard Work

• Host Based

• Network Based

• Log Based

• Target Monitoring

Plain Hard Work

• Freeware

• Sniffers

• Log analysis

• Lots of time

• Very exciting work

• Log aggregation is a pain

Host Based

• Lives on Host

• Uses CPU Cycles

• Uses Disk Cycles

• Real-time Alerts

• Many Vendors

• Thresholds

Network Based

• Listens to All Traffic on Segment

• Must Live on Target Net

• Has Throughput Limitations

Log Based

• Reviews syslog

• Reviews SNMP

• Not Real-time

• Forensics Tool

Target Monitoring

• Watches the OS

• Lives on Box

• Watches Files

• Scheduled Runs

• Near Real-time
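
The slide describes target monitoring as something that lives on the box, watches files and runs on a schedule. The following is an added example of that mechanism (file-integrity monitoring), not code from the original deck: it hashes a baseline of a directory tree, re-scans it on the next scheduled run, and reports what appeared, vanished or changed. The directory layout and file contents are constructed sample data.

```python
"""Target monitoring by file integrity: hash a baseline of the files that
matter, re-scan on a schedule, and report what changed between runs.
Added example for this page; not code from the original slides."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map each regular file under root (relative POSIX path) to its digest,
    size and permission bits. Symlinks are skipped so a planted link cannot
    point the scanner at a benign file instead of the real one."""
    baseline: dict[str, dict] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """One scheduled run: files that appeared, vanished, or changed in
    content or permissions since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temporary directory (sample data, not a real
    host): take a baseline, tamper with the tree, then re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        passwd.chmod(0o644)  # pin the mode so the later change is visible
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original login\n")
        baseline = build_baseline(root)

        # Between two scheduled runs an intruder replaces a binary with one of
        # the same size (only the digest catches it), deletes a file, drops a
        # preload hook, and loosens permissions on passwd without editing it.
        (root / "bin" / "login").write_bytes(b"\x7fELF trojaned login\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/rootkit.so\n")
        passwd.chmod(0o666)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the slide's own bullets: because the check runs on a schedule it is near real-time at best, so anything that happens and is undone between runs is invisible; and because the monitor lives on the box, the baseline must be kept off-host or signed, otherwise the intruder who replaced `bin/login` can re-baseline it too.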

Possible Solutions

• New, Fast Gig Sensor

• Use Application Switch

– Separate on ‘streams’

• Distribute IDS Functions

– Close the Loop between functions

• Use Faster Sensors

– Expensive

• Give up

Drawbacks

• Each System has Drawbacks

• Some are not Fast Enough

• Some are not Real-time

• Some Intrude on OS

• Others Can Cause Application Compatibility Problems

Testing

• Looking at High-speed IDS

• Separate Test Network

• Used Sanitized ‘Tools’

• Captured Test Results

• Postulated Possible Outcome

• Ran Tests Multiple Times

• Had Vendor ‘In the Loop’ and Sometimes On-site

Assumptions

• Looking to Meet 100 Mb/s Full Duplex

• Sensor Engines Would Operate at 25 Mb/s

• Uses Noise Injection to Simulate Background Traffic

• Basic Attacks

– SYN floods

– Pre-captured attack traffic, replayed

• Switch Would Control Streams

Test Configuration

• Engines were ISS

– Solaris on Sparc

• Used Application Switch

• Cisco Cat5k

• NAI Sniffer Pro

• Shomiti Packet Blaster

• Noise Generator

• Target was NT Server

Application Switch

• TopLayer

– Listens for basic signatures

– Separates on Streams

– Beta Test Program

– Operates at 100 Mb/s

– 8 ports for IDS

– One management port

– ‘T’ Configuration
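
The slide's "separates on streams" with "8 ports for IDS" is the load-balancing idea the whole test rests on. Below is an added example of how such a split is done, not TopLayer's algorithm and not code from the deck: each packet is hashed on a canonical (direction-independent) 5-tuple so both halves of a conversation reach the same sensor, and the per-port load is then checked against a single sensor's budget. The 8 ports and 25 Mb/s per sensor are the deck's figures; the traffic mix is constructed, not captured.

```python
"""Stream separation in front of a bank of sensors: hash each packet's
bidirectional flow key so both directions of a conversation reach the
same sensor port, then check per-port load against a sensor's budget.
Added example for this page; not TopLayer's algorithm. The 8 ports and
25 Mb/s per sensor come from the slides, the traffic is constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    length: int       # bytes on the wire


def flow_key(pkt: Packet) -> tuple:
    """Canonical 5-tuple: sort the two endpoints so A->B and B->A produce the
    same key. A signature engine that tracks state needs both halves."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


def assign_port(pkt: Packet, n_ports: int = 8) -> int:
    """Sensor port 0..n_ports-1 for this packet. Hashing the canonical key
    rather than the raw header is what makes the split symmetric."""
    digest = hashlib.blake2b(repr(flow_key(pkt)).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_ports


def distribute(packets, n_ports: int = 8, window_s: float = 1.0,
               sensor_bps: int = 25_000_000) -> dict:
    """Spread a window of packets over the sensor ports and report bits and
    distinct flows per port, plus any port whose rate exceeds the budget."""
    bits: dict[int, int] = defaultdict(int)
    flows: dict[int, set] = defaultdict(set)
    for pkt in packets:
        port = assign_port(pkt, n_ports)
        bits[port] += pkt.length * 8
        flows[port].add(flow_key(pkt))
    over = sorted(p for p, b in bits.items() if b / window_s > sensor_bps)
    return {
        "bits": dict(bits),
        "flows": {p: len(f) for p, f in flows.items()},
        "over_budget": over,
    }


def demo() -> dict:
    """Constructed one-second window (not captured traffic): one heavy
    client/server stream plus 200 small background flows to one server."""
    client = ("10.0.0.5", 40000)
    server = ("10.0.0.80", 80)
    packets = []
    for _ in range(3000):
        # Full-size segments server->client, 60-byte ACKs client->server.
        packets.append(Packet(server[0], client[0], 6, server[1], client[1], 1500))
        packets.append(Packet(client[0], server[0], 6, client[1], server[1], 60))
    for i in range(200):
        src = f"192.168.0.{i}"
        for _ in range(20):
            packets.append(Packet(src, server[0], 6, 50000 + i, server[1], 500))
    result = distribute(packets)
    result["elephant_port"] = assign_port(packets[0])
    return result


if __name__ == "__main__":
    r = demo()
    print("bits per port:", r["bits"])
    print("flows per port:", r["flows"])
    print(f"over budget: {r['over_budget']} (heavy stream is on port {r['elephant_port']})")
```

The window carries about 53 Mb in total, comfortably inside the 8 × 25 Mb/s the bank could absorb in aggregate, yet exactly one port is over budget: a single stream cannot be split across sensors without breaking the stateful view, so the heavy one lands whole on whichever port its key hashes to. Adding ports does nothing for that case; only per-sensor headroom does, which is why the individual-sensor figure in the results matters as much as the ganged one.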

IDS Profile

• Top 20% of the Present Hacks

– List of hacks

• Percentage of Successful Hacks

Test Configuration Drawing

(Diagram not preserved; components shown: Attack, Sensors, Top Layer, Cisco Switch, Target, Sniffer & Control, Noise)

Test Results

• Disappointing for Individual Sensors

– 15 Mb/s (against the 25 Mb/s assumed)

– Sparc with 256 MB

– Had ISS Rep

• Promising for Ganged Sensors

– Did see streams

– Could get to 40 Mb/s

Conclusions

• Combination of IDS Types Seems to be Working

• Sees New and Exciting Things

– Lots of interesting kiddie activities

– Makes it difficult to consolidate activities

• Not Perfect

– Still misses attacks at high noise levels

• Closes the Loop

The Future

• Promises of Gigabit IDS

– Hardware based

– Allows placement closer to the edge

• Embedded in Switches

• Forget about routers….

• Look for results, not just claims

Contacts

[email protected]

Thanx