By: Jim Hurst
One reason the computer industry is so fascinating to watch is the pace of change. Technology evolves. Insoluble problems are worked around. Very few things are static. Intrusion detection is no different. Indeed, as a maturing technology, it is evolving quickly. There are certain challenges that intrusion detection must address as corporate networks make the transition to higher speed, switched networks. This paper will review the options that have been available to date, and will present three emerging options that may foreshadow how network intrusion detection will keep pace with the challenges it faces: Cisco’s IDS blade, Top Layer’s AppSwitch, and the Hogwash packet scrubber.
Network intrusion detection systems, by definition, gather network traffic for analysis and detection. These systems intercept packets as they travel across the network between hosts. The intercepted packets are analyzed by comparison with a database of known signatures and by searching for anomalous activity that suggests inappropriate behavior.
As networks evolve, NIDS vendors must offer relevant solutions or be left behind. Two factors are currently driving improvement in network performance. First, corporate networks are abandoning hubs for switched networks. Switches were only recently a luxury purchase, but price drops have made them competitive with hubs. They preserve precious bandwidth, and offer protection against packet sniffers. Second, networks are getting faster. 100 Mbps is no longer the speed limit for enterprise networks. Gigabit Ethernet has a foothold, and looks to be the new standard, as FDDI and Fibre Channel fade. Each of these developments poses particular problems for network intrusion detection.
NIDS are at heart packet sniffers, so the move from shared media networks, where all ports on a hub receive all the signals, to switched networks, where the signal is relayed only to the port of the destination host, makes it harder for them to operate. The traditional approaches to this problem, as explained at http://www.sans.org/resources/switched.php, are three: taps, hubs, or spanning ports. Each of these has advantages and disadvantages. For this discussion, assume that the IDS needs to monitor all traffic between a router and a resource, where a switch connects them, as shown below in Figure 1.
Spanning ports are the traditional solution. A Switched Port Analyzer (SPAN) port is used to monitor network traffic on a switch. The switch is given instructions to send copies of network traffic from a port or ports to a designated SPAN port, to which the IDS is attached. The advantages are obvious: this is easy to install (it costs only a port on the switch), and is inexpensive because it has no additional hardware or management requirements. If desired, the IDS can send traffic to the source and destination of an alert (in particular, to terminate a session). There are disadvantages to spanning ports, however. Only one spanning port per switch is allowed. It is possible to span traffic from more than one port on some switches, but there is no guarantee of reliability: the spanning port is easily overloaded by copying traffic from more than one port to it. If the IDS has no other network connection besides the spanning port, any traffic generated by the IDS (in response to an alert, perhaps) causes additional problems with port overloading. Spanning ports may also be unable to mirror certain types of errors, such as oversized and undersized packets.
Taps, or Ethernet taps, are special purpose hardware devices that split the signal, sending one branch to the original destination, and the other to the IDS. Taps are designed to “fail open,” so that the connection being tapped will remain open even if the tap loses power or fails. Taps possess several advantages. They do not affect or degrade traffic flow. Changes in IDS infrastructure won’t affect the larger network. Typically in a tap, the IDS link is deployed so the IDS can receive the traffic, but cannot transmit. This makes the IDS unassailable by most attacks, since it cannot open a session with an attacker through the tap, but it also eliminates the IDS’s ability to terminate a session (without extra expense and trouble). Other disadvantages of using taps include the expense and overhead of deploying and maintaining a new class of devices in the data center, and difficulties in monitoring traffic in both directions.
Hubs operate very much like taps, with some additional limitations. The good news is that hubs are easy and cheap to deploy. But because they are shared media, they will not work if the connection is full duplex (that is, traffic moves in both directions at once). Yet full duplex is the emerging standard, so hubs are becoming much less attractive.
Matthew Tanase, in an Infocus column at SecurityFocus (http://www.securityfocus.com/infocus/1518), suggests that IDS vendors will find switched networks and higher speeds “easy” problems. The top performing solutions vendors develop will be expensive, but the organizations that demand them will be willing to pay the price, he suggests. If enterprise customers require IDS for high-speed switched networks, the vendors will provide…
Never shy to attack a networking problem, Cisco Systems has developed an intrusion detection system integrated into a blade that plugs directly into a 6000 series switch. The blade integrates with Cisco Secure Policy Manager, a policy based system run from the management console. The card plugs into the backplane of the switch, and monitors traffic directly as it passes through the switch, rather than from sensors placed on ports. This bypasses many of the resource limitations of the more traditional IDS.
This is an ingenious solution, integrating IDS at wire speed. The Catalyst 6000 IDS Module is reported by Network World (http://www.nwfusion.com/reviews/2000/1218rev2.html) to monitor and report on traffic without performance degradation at 200 Mbps, full duplex. They found monitoring to be effective for a throughput of almost 770 Mbps on traffic across eight 100 Mbps ports, but this was in a laboratory setting, and the testing team expected some degradation with real world conditions. Nonetheless, the integrated blade provided effective IDS at speeds well above those they had previously tested as of December 2000. It is a safe prediction that the product will continue to evolve, and performance will continue to improve. Other vendors are also using combinations of hardware and software to make sure that the Cisco offering will not be alone at the high end.
The Cisco approach, while clever, is essentially brute force, and will hit limits. Ferocious (and currently unachievable) clock speeds will be required to monitor 48 ports of Gigabit Ethernet, for example. Top Layer Networks (www.toplayer.com) provides an alternate approach with their family of devices that uses the divide-and-conquer approach. The AS 3500, the AppSwitch, and the IDS Balancer represent a new type of network device: the switch specifically built to facilitate high speed IDS. The devices provide IDS mirroring, and are capable of copying traffic to an array of external IDS sensors. They keep track of state within a TCP session so that both directions of a connection are routed to the same IDS.
Top Layer calls this technique flow switching. According to Top Layer, flow switching means looking at all the traffic as a bi-directional flow between end systems, and using information from previous packets to determine packet forwarding, much as stateful firewalls use such information to make drop/pass decisions. The flow switch specifically learns ephemeral ports of the connecting client, and uses this to apply traffic policies. Such dynamic port recognition is a requirement if sessions are to be coherently divided among multiple IDSs.
This is Layer 7 switching: that is, the application layer becomes an integral part of traffic control. The current generation of these switches allows only segregated traffic mirroring, but expect future versions to provide session kills and the rerouting of traffic to honeypots and forensic boxes.
Top Layer is not alone in developing higher layer switching. Arrowpoint, Alteon, and Foundry all are developing intelligent switches that integrate application layer information into routing. This process of integrating application knowledge into traffic control decisions will continue, because this is an effective way to balance available sensor throughput with increasing network capacity. The competition may not be so much between the Cisco approach and the Top Layer approach, but a race to see who can most successfully integrate the two capabilities.
Hogwash (http://hogwash.sourceforge.net) is a young open source project that represents a completely different approach: the inline packet scrubber. Hogwash is designed to merge the capabilities of the firewall with the IDS: rather than maintaining a static list of open and closed ports, Hogwash drops or passes traffic based on a signature match. It is designed to live inline, and uses the Snort engine. This technique is also known as the signature-based firewall. Again this represents the fusion of related technologies to address the emerging needs of IDS.
This approach has potential, because there is a tendency for networks to proliferate incoming connections. One fat pipe is no longer enough for the corporate enterprise. The Hogwash project, if successful, offers the ability to deploy multiple low-cost scrubbers on a multihomed system. It may well find a niche, not as a replacement to the more traditional IDS, but as a complement. Defense in depth is a good thing, and the packet scrubber approach offers promise because it provides a relatively independent layer of defense with low costs for maintenance and deployment.
This discussion has outlined three very different approaches to the technical problems posed by increasing network capacity. None of the three necessarily represent the future of IDS, but as a group they illustrate the innovation and ingenuity that will be applied to the problems of intrusion detection. These techniques, or others like them, can solve the technical aspects of high speed networks.
The real challenge facing IDS is analysis and correlation. These high speed networks will provide massive amounts of data from both host and network. How can that data best be organized and presented in ways that aid the ID analyst? This is a design problem, and like most design problems, it will be solved through occasional brilliance, much hard work, some trial and error, and perhaps some colossal mistakes. The pieces needed will include interface design, traffic analysis, integration of network and host based IDS, and the integration of the IDS console into the wider network architecture. The IDS market will be great fun to watch the next five years.
Cisco Systems. “Cisco Fills Gaps in Intrusion Detection Suite” November, 2000.
Laing, Brian. “How To Guide – Implementing A Network Based Intrusion Detection System” 2000.
Messmer, Ellen. “Intrusion Alert” December 3, 2001.
Network World Fusion. “Cisco Offers Wire Speed Intrusion Detection” December 18, 2000.
Tanase, Matthew. “The Future of IDS” December 4, 2001.