Intrusion Detection Systems mailing list archives
Re: RE: Network Utilization discussion...
From: gdead () shmoo com (Bruce Potter)
Date: Thu, 09 Dec 1999 14:17:50 -0900
Tried to send this the other day, but it didn't make it due to a subscription fubar...

Wouldn't it be possible to use one of the layer 4 switches (ArrowPoint, etc.) to create a distributed pool of IDS sensors watching a high-bandwidth stream? Basically, take the port that you'd be monitoring out of the switch/router/whatever into the L4 switch. Then take and break out the traffic into reasonable parts. With some intelligent segmenting of traffic you could put very specific IDSs against certain streams while still handling large amounts of traffic. I.e., if your traffic looked like:

Protocol    Total   Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------    Flows   /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-Telnet    1159   0.0       29     62     0.0        15.7       14.3
TCP-FTP       6732   0.0       15     69     0.0         5.5        8.3
TCP-FTPD      4864   0.0       17    264     0.0         3.2        6.9
TCP-WWW     198377   0.1       17   1052     2.2         9.3        8.1
TCP-SMTP     17353   0.0       14    280     0.1         4.6        7.0
TCP-X            1   0.0        1     44     0.0         0.0       15.4
TCP-BGP          2   0.0        2     41     0.0         0.7       10.9
TCP-NNTP      1986   0.0     1483    479     1.9        81.1       14.7
TCP-Frag         1   0.0        1    223     0.0         0.0       15.9
TCP-other    56864   0.0        8    498     0.3         4.2       11.6
UDP-DNS      15549   0.0        1     60     0.0         0.8       15.4
UDP-NTP      18011   0.0        1     76     0.0         0.0       15.4
UDP-Frag         1   0.0        1     89     0.0         0.0       15.4
UDP-other   100433   0.0        1    220     0.1         0.7       15.4
ICMP         45478   0.0       19     83     0.5        20.6       15.3
Total:      466811   0.3       18    646     5.4         7.3       11.3

Granted, this is a low-traffic router, but the ratio still works. One IDS box could get all port 80 traffic and the other box would get the rest. This would scale up to 80 Mb/s-ish given the current status of IDS capability. This setup would require a little intelligence on the backend looking for scans that would span the two interception domains (i.e., some attacker going after a php and portmapper attack; the combined information carries much more weight than one of the events singly).

Just a thought.

bruce

Daily security news at http://www.shmoo.com

Ron Gula wrote:
> What's very clear (at a minimum) from this thread and others like it is: There is no Gigabit or FDDI IDS solution. ISPs who are sporting OC-12s and OC-48s cannot expect Intrusion Detection Systems to work accurately for them, especially if most of the IDS world cannot reliably capture DS-3 utilization levels.
>
> - FDDI is mostly an interface problem. Dragon has been deployed on several FDDI networks through the use of dedicated media converters. Any other packet IDS should be able to do this. Many other NIDS can read directly from FDDI networks. (Read Bob Graham's IDS FAQ.) FDDI is also 100 Mb/s and should be able to be monitored by a wide variety of NIDS unless the data rates are in excess of 50-60 Mb/s. Once the data goes above those rates it really depends on which NIDS you test, what your data is and how you configure the NIDS.
>
> - OC-3, OC-12 and OC-48 interfaces require a "bump on the wire" or a passive tap. That is, the OC link gets plugged into a box that does "passive" IDS before moving the packets, or some sort of silvered mirror tap (like a Shomiti tap) is used to pull off the light signal. Of course more sophisticated software is required to rebuild the ATM traffic. The "bump" approach tends to slow down any network traffic and is usually very cost-prohibitive. It is also usually fought by any WAN engineer because it is a single point of failure. Some high-end products use the passive tap approach and we will be incorporating this into future Dragon Appliance offerings.
>
> - We're finding that most of our high-bandwidth customers are using full-duplex Ethernet (~200 Mb/s), Gigabit Ethernet or IP over SONET.
>
> Ron Gula
> Network Security Wizards
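The split-and-correlate design sketched in Bruce's post, as an added Python illustration (not code from either poster or from any product named in the thread): an L4 policy sends web traffic to one sensor and everything else to a second, and a back-end step joins alerts from both sensors on source address so that a php probe seen by one sensor and a portmapper probe seen by the other become a single, heavier incident. The sensor names, rule table, alert format, weights and sample traffic are all invented for the example. One caveat the post does not spell out and the example handles: the split has to be flow-symmetric, so the service port is matched on either end of the packet rather than on the destination port alone; otherwise each sensor sees only half of every TCP conversation.

```python
"""Partition one monitored stream across several IDS sensors by service port,
then correlate the sensors' alerts on the back end.  Illustration only: the
rules, sensor names, alert format and sample traffic are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # 0 for ICMP
    dst: str
    dport: int


# Hypothetical L4 switch policy: (proto, service port) -> sensor name.
# Anything that matches no rule goes to the default sensor.
RULES = {("tcp", 80): "ids-web", ("tcp", 443): "ids-web"}
DEFAULT_SENSOR = "ids-other"


def assign_sensor(pkt: Packet) -> str:
    """Pick the sensor for one packet.  Both ports are checked so that the
    client->server and server->client halves of a flow land on the same
    sensor; a split keyed on dport alone would hand each sensor half a
    conversation and a stream-reassembling IDS would see nothing coherent."""
    for port in (pkt.dport, pkt.sport):
        sensor = RULES.get((pkt.proto, port))
        if sensor:
            return sensor
    return DEFAULT_SENSOR


def partition(packets):
    """Group packets per sensor, as the L4 switch would."""
    by_sensor = defaultdict(list)
    for p in packets:
        by_sensor[assign_sensor(p)].append(p)
    return dict(by_sensor)


@dataclass(frozen=True)
class Alert:
    ts: float
    sensor: str
    src: str        # attacker address as the sensor reported it
    sig: str
    weight: int = 1


def _summarise(src, cluster):
    sensors = {a.sensor for a in cluster}
    weight = sum(a.weight for a in cluster)
    cross = len(sensors) > 1
    if cross:
        weight += 2     # bonus for spanning interception domains (arbitrary)
    return {"src": src, "sensors": sorted(sensors),
            "sigs": sorted(a.sig for a in cluster),
            "weight": weight, "cross_domain": cross}


def correlate(alerts, window=60.0):
    """Back-end correlation: alerts with the same source within `window`
    seconds of the first one form an incident.  Incidents that involve more
    than one sensor are flagged and weighted up; single-sensor alerts pass
    through with their own weight."""
    by_src = defaultdict(list)
    for alert in sorted(alerts, key=lambda x: x.ts):
        by_src[alert.src].append(alert)
    incidents = []
    for src, group in by_src.items():
        cluster = [group[0]]
        for alert in group[1:]:
            if alert.ts - cluster[0].ts <= window:
                cluster.append(alert)
            else:
                incidents.append(_summarise(src, cluster))
                cluster = [alert]
        incidents.append(_summarise(src, cluster))
    return incidents


# Constructed traffic (not a real capture): one web request/response pair,
# a DNS query and a portmapper probe from the same host as the web request.
SAMPLE_PACKETS = [
    Packet(0.0, "tcp", "10.0.0.5", 40001, "192.0.2.10", 80),
    Packet(0.1, "tcp", "192.0.2.10", 80, "10.0.0.5", 40001),
    Packet(0.2, "udp", "10.0.0.7", 53000, "192.0.2.53", 53),
    Packet(5.0, "tcp", "10.0.0.5", 40002, "192.0.2.10", 111),
]

# Constructed alerts as the two sensors might report them.
SAMPLE_ALERTS = [
    Alert(0.0, "ids-web", "10.0.0.5", "WEB php remote include attempt"),
    Alert(5.0, "ids-other", "10.0.0.5", "RPC portmapper request"),
    Alert(9.0, "ids-other", "10.0.0.9", "RPC portmapper request"),
]

if __name__ == "__main__":
    for sensor, pkts in partition(SAMPLE_PACKETS).items():
        print(sensor, len(pkts), "packets")
    for incident in correlate(SAMPLE_ALERTS):
        print(incident)
```

Running it sends both directions of the HTTP flow to `ids-web` and the DNS and portmapper packets to `ids-other`; the correlator then reports 10.0.0.5 as a cross-domain incident (both sensors, weight 4) while 10.0.0.9, seen by one sensor only, stays at weight 1.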
Current thread:
- Re: RE: Network Utilization discussion... Ron Gula (Dec 07)
- <Possible follow-ups>
- Re: RE: Network Utilization discussion... Bruce Potter (Dec 09)
