Presentation is loading. Please wait.

Presentation is loading. Please wait.

High-speed IDS The search for the Holy Grail….. Agenda The Problem Types of IDS’ The Problem Drawbacks Testing Assumptions Conclusions.

Published byIrma Gardner Modified over 9 years ago

Similar presentations

Presentation on theme: "High-speed IDS The search for the Holy Grail….. Agenda The Problem Types of IDS’ The Problem Drawbacks Testing Assumptions Conclusions."— Presentation transcript:

1 High-speed IDS The search for the Holy Grail….

2 Agenda The Problem Types of IDS’ The Problem Drawbacks Testing Assumptions Conclusions

3 The Problem Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.

4 Types of IDS’ Plain Hard Work Host Based Network Based Log Based Target Monitoring

5 Plain Hard Work Freeware Sniffers Log analysis Lots of time Very exciting work Log aggregation is a pain

6 Host Based Lives on Host Uses CPU Cycles Uses Disk Cycles Real-time Alerts Many Vendors Thresholds

7 Network Based Listens to All Traffic on Segment Must Live on Target Net Has Throughput Limitations

8 Log Based Reviews syslog Reviews SNMP Not Real-time Forensics Tool

9 Target Monitoring Watches the OS Lives on Box Watches Files Scheduled Runs Near Real-time

10 Possible Solutions New, Fast Gig Sensor Use Application Switch –Separate on ‘streams’ Distribute IDS Functions –Close the Loop between functions Use Faster Sensors –Expensive Give up

11 Drawbacks Each System has Drawbacks Some are not Fast Enough Some are not Real-time Some Intrude on OS Others Can Cause Application Compatibility Problems

12 Testing Looking at High-speed IDS Separate Test Network Used Sanitized ‘Tools’ Captured Test Results Postulated Possible Outcome Ran Tests Multiple Times Had Vendor ‘In the loop’ and Sometimes On-site

13 Assumptions Looking to Meet 100Mb/s FD Sensor Engines Would Operate at 25Mb/s Uses Noise Injection to simulate traffic Basic Attacks –Syn floods –Pre captured Switch would control Streams

14 Test Configuration Engines were ISS –Solaris on Sparc Used Application Switch Cisco Cat5k NAI Sniffer Pro Shomiti Packet Blaster Noise Generator Target was NT Server

15 Application Switch TopLayer –Listens for basic signatures –Separates on Streams –Beta Test Program –Operates at 100Mb/s –8 ports for IDS –One management port –‘T’ Configuration

16 IDS Profile Top 20% of the present hacks –List of hacks Percentage of Successful hacks

17 Test Configuration Drawing Attack Sensors Top Layer Cisco Switch Target Sniffer & Control Noise

18 Test Results

19 Disappointing for Individual Sensors –15 MB/s –Sparc with 256MB –Had ISS Rep Promising for Ganged Sensors –Did see streams –Could get to 40Mb/s

20 Conclusions Combination of IDS’ Seems to be Working Sees New and Exciting Things –Lots of interesting kiddie activities –Makes it difficult to consolidate activites Not Perfect –Still misses attacks at high noise levels Closes Loop

21 The Future Promises of Gigabit IDS –Hardware based –Allows placement closer to the edge Embedded in Switches Forget about routers…. Look for results, not just claims

22 Contacts markk@conxion.net

23 Thanx

Download ppt "High-speed IDS The search for the Holy Grail….. Agenda The Problem Types of IDS’ The Problem Drawbacks Testing Assumptions Conclusions."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Network Intrusion Detection System Omar ISMAIL Internet Engineering Lab Graduate School of Information Science Nara Institute of Science and Technology.

Network Intrusion Detection System Omar ISMAIL Internet Engineering Lab Graduate School of Information Science Nara Institute of Science and Technology.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Intrusion Detection and Information Fusion/Decision Making By Ganesh Godavari.

Intrusion Detection and Information Fusion/Decision Making By Ganesh Godavari.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.

Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Topics in Advanced Network Security 1 Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer.

Topics in Advanced Network Security 1 Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.

Similar presentations

Ads by Google