Slide 1: High-speed IDS
The search for the Holy Grail…
Slide 2: Agenda
The Problem
Types of IDS
The Problem
Drawbacks
Testing
Assumptions
Conclusions
Slide 3: The Problem
Present network speeds and topology have made it difficult and expensive to deploy a pervasive IDS.
Slide 4: Types of IDS
Plain Hard Work
Host Based
Network Based
Log Based
Target Monitoring
Slide 5: Plain Hard Work
Freeware Sniffers
Log analysis
Lots of time
Very exciting work
Log aggregation is a pain
Slide 6: Host Based
Lives on Host
Uses CPU Cycles
Uses Disk Cycles
Real-time Alerts
Many Vendors
Thresholds
Slide 7: Network Based
Listens to All Traffic on Segment
Must Live on Target Net
Has Throughput Limitations
Slide 8: Log Based
Reviews syslog
Reviews SNMP
Not Real-time
Forensics Tool
Slide 9: Target Monitoring
Watches the OS
Lives on Box
Watches Files
Scheduled Runs
Near Real-time
Slide 10: Possible Solutions
New, Fast Gig Sensor
Use Application Switch
  – Separate on ‘streams’
Distribute IDS Functions
  – Close the Loop between functions
Use Faster Sensors
  – Expensive
Give up
Slide 11: Drawbacks
Each System has Drawbacks
Some are not Fast Enough
Some are not Real-time
Some Intrude on OS
Others Can Cause Application Compatibility Problems
Slide 12: Testing
Looking at High-speed IDS
Separate Test Network
Used Sanitized ‘Tools’
Captured Test Results
Postulated Possible Outcome
Ran Tests Multiple Times
Had Vendor ‘In the loop’ and Sometimes On-site
Slide 13: Assumptions
Looking to Meet 100Mb/s FD
Sensor Engines Would Operate at 25Mb/s
Uses Noise Injection to simulate traffic
Basic Attacks
  – Syn floods
  – Pre captured
Switch would control Streams
Slide 14: Test Configuration
Engines were ISS
  – Solaris on Sparc
Used Application Switch
Cisco Cat5k
NAI Sniffer Pro
Shomiti Packet Blaster Noise Generator
Target was NT Server
Slide 15: Application Switch
TopLayer
  – Listens for basic signatures
  – Separates on Streams
  – Beta Test Program
  – Operates at 100Mb/s
  – 8 ports for IDS
  – One management port
  – ‘T’ Configuration
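The stream separation the deck relies on for the application switch and for ganged sensors (slides 10 and 15) comes down to a direction-independent flow hash: both halves of a conversation must reach the same engine, or no single engine sees the whole stream. The Python below is an added example, not code from the presentation or from TopLayer; it assumes one engine per switch port, the deck's 8 IDS ports and 25 Mb/s per-engine rate, and a constructed packet trace.

```python
import hashlib
from collections import defaultdict

# Assumptions for this added example: one IDS engine per switch port, 8 ports as in
# the deck's TopLayer setup, and the 25 Mb/s per-engine ceiling the deck planned around.
SENSOR_PORTS = 8
SENSOR_LIMIT_MBPS = 25.0

# A packet here is (src_ip, dst_ip, proto, src_port, dst_port, length_bytes).

def stream_key(src_ip, dst_ip, proto, src_port, dst_port):
    """Direction-independent 5-tuple: both halves of one conversation yield the same key."""
    ends = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, ends[0], ends[1])

def sensor_for(pkt, n_ports=SENSOR_PORTS):
    """Choose the IDS port for a packet by hashing its stream key, so one sensor sees the whole stream."""
    digest = hashlib.sha256(repr(stream_key(*pkt[:5])).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_ports

def distribute(packets, window_s=1.0, n_ports=SENSOR_PORTS):
    """Split a trace across sensors; return per-sensor Mb/s and whether every sensor stays under the limit."""
    byte_count = defaultdict(int)
    for pkt in packets:
        byte_count[sensor_for(pkt, n_ports)] += pkt[5]
    load = {p: byte_count[p] * 8 / window_s / 1e6 for p in range(n_ports)}
    return load, all(mbps <= SENSOR_LIMIT_MBPS for mbps in load.values())

def make_trace(n_streams=200, bytes_per_dir=31_250):
    """Constructed sample trace: n_streams TCP conversations to one target with symmetric payloads.
    The defaults amount to 100 Mb of traffic in one second, the aggregate rate the deck set out to meet."""
    pkts = []
    for i in range(n_streams):
        client, sport = f"10.0.{i // 256}.{i % 256}", 40000 + i
        server = "192.0.2.10"  # constructed (documentation-range) target address
        pkts.append((client, server, 6, sport, 80, bytes_per_dir))  # request direction
        pkts.append((server, client, 6, 80, sport, bytes_per_dir))  # reply direction
    return pkts

if __name__ == "__main__":
    trace = make_trace()
    load, ok = distribute(trace)
    for port, mbps in sorted(load.items()):
        print(f"sensor {port}: {mbps:6.2f} Mb/s")
    print("all sensors within limit:", ok)
    print("a single sensor would need:", distribute(trace, n_ports=1)[0][0], "Mb/s")
```

The single-port case is the "individual sensor" result of slide 19 in miniature: the whole 100 Mb/s lands on one engine rated for 25 Mb/s, while the hashed split keeps each engine's share near the average.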
Slide 16: IDS Profile
Top 20% of the present hacks
  – List of hacks
Percentage of Successful hacks
Slide 17: Test Configuration Drawing
[Diagram; labelled elements: Attack, Sensors, Top Layer, Cisco Switch, Target, Sniffer & Control, Noise]
Slide 18: Test Results
Slide 19:
Disappointing for Individual Sensors
  – 15 MB/s
  – Sparc with 256MB
  – Had ISS Rep
Promising for Ganged Sensors
  – Did see streams
  – Could get to 40Mb/s
Slide 20: Conclusions
Combination of IDS Seems to be Working
Sees New and Exciting Things
  – Lots of interesting kiddie activities
  – Makes it difficult to consolidate activities
Not Perfect
  – Still misses attacks at high noise levels
Closes Loop
Slide 21: The Future
Promises of Gigabit IDS
  – Hardware based
  – Allows placement closer to the edge
Embedded in Switches
Forget about routers…
Look for results, not just claims
Slide 22: Contacts
markk@conxion.net
Slide 23: Thanx