1 High-speed IDS
The search for the Holy Grail....

2 Agenda
- The Problem
- Types of IDS
- Drawbacks
- Testing
- Assumptions
- Conclusions

3 The Problem
Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.

4 Types of IDS
- Plain Hard Work
- Host Based
- Network Based
- Log Based
- Target Monitoring

5 Plain Hard Work
- Freeware sniffers
- Log analysis
- Lots of time
- Very exciting work
- Log aggregation is a pain

6 Host Based
- Lives on host
- Uses CPU cycles
- Uses disk cycles
- Real-time alerts
- Many vendors
- Thresholds

7 Network Based
- Listens to all traffic on segment
- Must live on target net
- Has throughput limitations

8 Log Based
- Reviews syslog
- Reviews SNMP
- Not real-time
- Forensics tool

9 Target Monitoring
- Watches the OS
- Lives on box
- Watches files
- Scheduled runs
- Near real-time

10 Possible Solutions
- New, fast gig sensor
- Use application switch
  – Separate on 'streams'
- Distribute IDS functions
  – Close the loop between functions
- Use faster sensors
  – Expensive
- Give up

11 Drawbacks
- Each system has drawbacks
- Some are not fast enough
- Some are not real-time
- Some intrude on the OS
- Others can cause application compatibility problems

12 Testing
- Looking at high-speed IDS
- Separate test network
- Used sanitized 'tools'
- Captured test results
- Postulated possible outcome
- Ran tests multiple times
- Had vendor 'in the loop' and sometimes on-site

13 Assumptions
- Looking to meet 100Mb/s FD
- Sensor engines would operate at 25Mb/s
- Uses noise injection to simulate traffic
- Basic attacks
  – SYN floods
  – Pre-captured
- Switch would control streams

14 Test Configuration
- Engines were ISS
  – Solaris on Sparc
- Used application switch
- Cisco Cat5k
- NAI Sniffer Pro
- Shomiti Packet Blaster noise generator
- Target was NT Server

15 Application Switch
- TopLayer
  – Listens for basic signatures
  – Separates on streams
  – Beta test program
  – Operates at 100Mb/s
  – 8 ports for IDS
  – One management port
  – 'T' configuration

16 IDS Profile
- Top 20% of the present hacks
  – List of hacks
- Percentage of successful hacks

17 Test Configuration Drawing
[Diagram; labels: Attack, Sensors, Top Layer, Cisco Switch, Target, Sniffer & Control, Noise]

18 Test Results

19
- Disappointing for individual sensors
  – 15 MB/s
  – Sparc with 256MB
  – Had ISS rep
- Promising for ganged sensors
  – Did see streams
  – Could get to 40Mb/s

20 Conclusions
- Combination of IDSs seems to be working
- Sees new and exciting things
  – Lots of interesting kiddie activities
  – Makes it difficult to consolidate activities
- Not perfect
  – Still misses attacks at high noise levels
- Closes loop
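The stream-separation idea from slide 10 and the ganged-sensor result and consolidation problem from slides 19 and 20, worked through in Python as an added example. This is not code from the presentation, TopLayer or ISS: the flow key is a symmetric 5-tuple (an assumption about how an application switch separates streams), the capacities are the slides' 100Mb/s link and 25Mb/s engines, and the sample packets are constructed rather than captured.

```python
"""Stream-aware distribution of traffic across a gang of IDS sensors."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record carrying only the header fields the distributor uses."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size_bytes: int
    syn: bool = False  # True for a pure SYN (connection attempt)


def flow_key(pkt):
    """Symmetric 5-tuple: both directions of a conversation give the same key,
    so one sensor sees request and reply of every stream assigned to it."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def sensor_for(pkt, n_sensors):
    """Map a flow to a sensor port index (assumed model of 'separate on streams')."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors


def sensors_needed(link_mbps, sensor_mbps):
    """Ceiling of link rate over per-sensor inspection rate."""
    return int(-(-link_mbps // sensor_mbps))


def distribute(packets, n_sensors):
    """Bucket packets by the sensor each flow hashes to."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[sensor_for(p, n_sensors)].append(p)
    return dict(buckets)


def flows_are_pinned(packets, n_sensors):
    """True if every packet of a flow, in either direction, lands on one sensor."""
    assigned = {}
    for p in packets:
        s = sensor_for(p, n_sensors)
        if assigned.setdefault(flow_key(p), s) != s:
            return False
    return True


def per_sensor_load_mbps(packets, n_sensors, window_seconds):
    """Offered load each sensor would have to inspect over the capture window."""
    return {
        s: sum(p.size_bytes * 8 for p in pkts) / window_seconds / 1e6
        for s, pkts in distribute(packets, n_sensors).items()
    }


def syn_count_per_target(packets):
    """What a single sensor watching the whole segment would count."""
    counts = defaultdict(int)
    for p in packets:
        if p.syn:
            counts[p.dst] += 1
    return dict(counts)


def max_syns_seen_by_one_sensor(packets, n_sensors, target):
    """A SYN flood from many source ports is many flows, so the hash spreads it
    over all sensors; the largest slice any one sensor sees is what a per-sensor
    threshold would have to trip on."""
    return max(
        (sum(1 for p in pkts if p.syn and p.dst == target)
         for pkts in distribute(packets, n_sensors).values()),
        default=0,
    )


# Constructed sample traffic (not captured data): one HTTP conversation in both
# directions plus a 40-source-port SYN flood against the same target.
TARGET = "10.0.0.5"
HTTP_CONVERSATION = [
    Packet("10.0.0.7", 40001, TARGET, 80, "tcp", 60, syn=True),
    Packet(TARGET, 80, "10.0.0.7", 40001, "tcp", 60),       # SYN/ACK
    Packet("10.0.0.7", 40001, TARGET, 80, "tcp", 300),      # request
    Packet(TARGET, 80, "10.0.0.7", 40001, "tcp", 1400),     # response
]
SYN_FLOOD = [
    Packet("192.0.2.9", 1024 + i, TARGET, 80, "tcp", 60, syn=True) for i in range(40)
]
SAMPLE_PACKETS = HTTP_CONVERSATION + SYN_FLOOD


if __name__ == "__main__":
    n = sensors_needed(100, 25)  # slide 13: 100Mb/s link, 25Mb/s engines
    print("engines needed:", n)
    print("flows pinned to one sensor:", flows_are_pinned(SAMPLE_PACKETS, n))
    print("SYNs per target, whole segment:", syn_count_per_target(SAMPLE_PACKETS))
    print("most SYNs any one of", n, "sensors sees:",
          max_syns_seen_by_one_sensor(SAMPLE_PACKETS, n, TARGET))
```

Two things fall out of running it. Hashing on the symmetric 5-tuple keeps both halves of a conversation on one engine, which is what lets a slow engine still reassemble the stream it is handed, and the ceiling math says four 25Mb/s engines cover a 100Mb/s link. The same hash also splits a many-source SYN flood across every engine, so the flood count any single engine sees is a fraction of what one sensor on the whole segment would count; that is the mechanism behind "still misses attacks at high noise levels" and why closing the loop between sensors (consolidating per-target counts) matters more than raw per-engine speed.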

21 The Future
- Promises of gigabit IDS
  – Hardware based
  – Allows placement closer to the edge
- Embedded in switches
- Forget about routers....
- Look for results, not just claims

22 Contacts
markk@conxion.net

23 Thanx
