![Page 1: High-speed IDS The search for the Holy Grail….. Agenda The Problem Types of IDS’ The Problem Drawbacks Testing Assumptions Conclusions](https://reader036.vdocument.in/reader036/viewer/2022062422/56649ece5503460f94bdbab5/html5/thumbnails/1.jpg)
High-speed IDS
The search for the Holy Grail….
Agenda
• The Problem
• Types of IDS’
• The Problem
• Drawbacks
• Testing
• Assumptions
• Conclusions
The Problem
• Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.
Types of IDS’
• Plain Hard Work
• Host Based
• Network Based
• Log Based
• Target Monitoring
Plain Hard Work
• Freeware
• Sniffers
• Log analysis
• Lots of time
• Very exciting work
• Log aggregation is a pain
Host Based
• Lives on Host
• Uses CPU Cycles
• Uses Disk Cycles
• Real-time Alerts
• Many Vendors
• Thresholds
Network Based
• Listens to All Traffic on Segment
• Must Live on Target Net
• Has Throughput Limitations
Log Based
• Reviews syslog
• Reviews SNMP
• Not Real-time
• Forensics Tool
Target Monitoring
• Watches the OS
• Lives on Box
• Watches Files
• Scheduled Runs
• Near Real-time
Possible Solutions
• New, Fast Gig Sensor
• Use Application Switch
– Separate on ‘streams’
• Distribute IDS Functions
– Close the Loop between functions
• Use Faster Sensors
– Expensive
• Give up
Drawbacks
• Each System has Drawbacks
• Some are not Fast Enough
• Some are not Real-time
• Some Intrude on OS
• Others Can Cause Application Compatibility Problems
Testing
• Looking at High-speed IDS
• Separate Test Network
• Used Sanitized ‘Tools’
• Captured Test Results
• Postulated Possible Outcome
• Ran Tests Multiple Times
• Had Vendor ‘In the loop’ and Sometimes On-site
Assumptions
• Looking to Meet 100Mb/s FD
• Sensor Engines Would Operate at 25Mb/s
• Uses Noise Injection to simulate traffic
• Basic Attacks
– Syn floods
– Pre captured
• Switch would control Streams
Test Configuration
• Engines were ISS
– Solaris on Sparc
• Used Application Switch
• Cisco Cat5k
• NAI Sniffer Pro
• Shomiti Packet Blaster
• Noise Generator
• Target was NT Server
Application Switch
• TopLayer
– Listens for basic signatures
– Separates on Streams
– Beta Test Program
– Operates at 100Mb/s
– 8 ports for IDS
– One management port
– ‘T’ Configuration
IDS Profile
• Top 20% of the present hacks
– List of hacks
• Percentage of Successful hacks
Test Configuration Drawing
(diagram; labelled elements: Attack, Sensors, Top Layer, Cisco Switch, Target, Sniffer & Control, Noise)
Test Results
(chart slide; chart contents not recoverable from the transcript)
Test Results
• Disappointing for Individual Sensors
– 15 MB/s
– Sparc with 256MB
– Had ISS Rep
• Promising for Ganged Sensors
– Did see streams
– Could get to 40Mb/s
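The ‘separates on streams’ idea from the Application Switch slide and the individual-versus-ganged sensor figures above, worked through as an added example (my code, not from the talk, Top Layer or ISS). It assumes that the switch keys each stream on its 5-tuple and maps it to a sensor port with a stable hash, that one sensor engine inspects at most 25 Mb/s (the deck's assumption) and silently drops the rest, and that the switch itself tops out at 100 Mb/s across 8 IDS ports (from the slide). The traffic mix, the attack stream and the proportional-drop model are constructed for illustration.

```python
"""
Model of an application switch that 'separates on streams': each stream
(5-tuple) is hashed onto one of several IDS sensor ports, every sensor has
a fixed inspection ceiling, and load above that ceiling is dropped unseen.
Added example, not code from the slides; capacity figures are the deck's
assumptions, the traffic below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

SENSOR_CAPACITY_MBPS = 25.0   # deck assumption: one sensor engine handles ~25 Mb/s
SWITCH_CAPACITY_MBPS = 100.0  # deck: the application switch operates at 100 Mb/s
MAX_SENSOR_PORTS = 8          # deck: 8 ports for IDS on the switch


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    mbps: float   # offered load of this stream
    label: str    # 'attack' or 'noise-N' (constructed, used only in the report)


def stream_key(flow: Flow) -> str:
    """Direction-independent 5-tuple key: both halves of a TCP session must
    land on the same sensor, or no sensor can reassemble the conversation."""
    lo, hi = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def sensor_for(flow: Flow, n_sensors: int) -> int:
    """Stable hash -> sensor port index (assumed hashing scheme, not Top Layer's)."""
    if not 1 <= n_sensors <= MAX_SENSOR_PORTS:
        raise ValueError("switch has 1..8 sensor ports")
    digest = hashlib.sha256(stream_key(flow).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors


@dataclass
class SensorReport:
    offered_mbps: float
    inspected_mbps: float
    missed: List[str]   # labels of streams this sensor did not fully inspect


def distribute(flows: List[Flow], n_sensors: int) -> Dict[int, SensorReport]:
    """Assign streams to sensors and apply each sensor's ceiling.  Drops are
    modelled as proportional across the streams on an overloaded sensor; any
    stream with dropped packets counts as missed, because a signature cannot
    match packets the sensor never saw (the 'misses at high noise' effect)."""
    per_sensor: Dict[int, List[Flow]] = {i: [] for i in range(n_sensors)}
    for flow in flows:
        per_sensor[sensor_for(flow, n_sensors)].append(flow)
    reports: Dict[int, SensorReport] = {}
    for port, assigned in per_sensor.items():
        offered = sum(f.mbps for f in assigned)
        inspected = min(offered, SENSOR_CAPACITY_MBPS)
        fraction = inspected / offered if offered else 1.0
        reports[port] = SensorReport(offered, inspected,
                                     [f.label for f in assigned if fraction < 1.0])
    return reports


def total_inspected(reports: Dict[int, SensorReport]) -> float:
    return sum(r.inspected_mbps for r in reports.values())


def ganged_ceiling(n_sensors: int) -> float:
    """Best case for ganged sensors: bounded by the sensors and by the switch."""
    return min(n_sensors * SENSOR_CAPACITY_MBPS, SWITCH_CAPACITY_MBPS)


def constructed_traffic(noise_streams: int, noise_mbps_each: float) -> List[Flow]:
    """One constructed 1 Mb/s attack stream plus background 'noise' streams."""
    flows = [Flow("tcp", "10.0.0.5", 40001, "10.0.0.50", 80, 1.0, "attack")]
    for i in range(noise_streams):
        flows.append(Flow("tcp", f"10.0.1.{i % 250}", 50000 + i,
                          "10.0.0.50", 80, noise_mbps_each, f"noise-{i}"))
    return flows


if __name__ == "__main__":
    traffic = constructed_traffic(noise_streams=8, noise_mbps_each=5.0)  # 41 Mb/s offered
    offered = sum(f.mbps for f in traffic)
    for n in (1, 2, 4, 8):
        reps = distribute(traffic, n)
        lost = {lbl for r in reps.values() for lbl in r.missed}
        print(f"{n} sensor(s): inspected {total_inspected(reps):.1f} of {offered:.1f} Mb/s "
              f"(ceiling {ganged_ceiling(n):.0f}); attack fully seen: {'attack' not in lost}")
```

Two things the model makes visible that the bullets only hint at: a single 25 Mb/s sensor facing 41 Mb/s of offered load drops more than a third of every stream, including the attack, whereas ganging sensors raises the ceiling only as far as the hash spreads the streams, so a hot sensor can still be overloaded even when the aggregate is well under the switch's 100 Mb/s.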
Conclusions
• Combination of IDS’ Seems to be Working
• Sees New and Exciting Things
– Lots of interesting kiddie activities
– Makes it difficult to consolidate activities
• Not Perfect
– Still misses attacks at high noise levels
• Closes Loop
The Future
• Promises of Gigabit IDS
– Hardware based
– Allows placement closer to the edge
• Embedded in Switches
• Forget about routers….
• Look for results, not just claims
Thanx