
Intrusion alert

Gigabit-speed intrusion-detection systems miss attacks on faster nets.



There's a persistent problem with today's new breed of gigabit-speed intrusion-detection systems: They simply cannot plow through IP traffic fast enough to provide blanket protection on networks running at gigabit speed, according to industry experts and at least three vendors who make such products.

When an IDS reaches its maximum processing capacity it begins to drop large numbers of packets, thereby increasing the possibility of missing attacks. The newer gigabit-speed IDS products, delivered as an appliance or as software customers load onto their own boxes, fall down on the job, according to lab tests conducted by Miercom, a network consultancy and a Network World Global Test Alliance member. Although IDS equipment can achieve near-gigabit throughput, in lab tests it missed about half the attacks thrown at it.

Miercom tested Intrusion's SecureNet Gig appliance to see how it stands up to a blitz of Web exploits, buffer overflows, port scanners and the like. The test found the box could detect only 44% of the attacks when incoming traffic reached near-gigabit speed of 986.94M bit/sec.

"Was it missing 60%? Yes," acknowledges Ryan Packer, an Intrusion vice president. Like other IDS tools, SecureNet Gig recognizes suspicious activity based on attack "signatures," and the challenge is finding a way to perform rigorous signature-based analysis at high speeds.

"It's like sitting on a highway overpass trying to find autos with expired decals," Packer says. "It's much harder to do on a 10-lane highway than a country road. And gigabit speed is 10 lanes wide."

Intrusion also says there is a limit to the number of simultaneous connections its IDS can tolerate: 50,000 connections for HTTP, e-mail or file transfer traffic, a number it says should be higher.

Intrusion benchmarked this 50,000 limit by beta-testing SecureNet Gig at a large hosting facility for Web pornography sites in Colorado, chosen because of the large files, lengthy HTTP connections and a lot of attempted hacker exploits, Packer says.

In Miercom's lab tests, SecureNet Gig recognized 88% of attacks thrown its way at 789.6M bit/sec and 98% at rates up to 690.86M bit/sec. Intrusion says it will release an upgrade of its gigabit IDS designed to overcome the first version's shortcomings.

IDS equipment from other vendors hasn't fared much better in lab tests, according to Kevin Brown, a Miercom engineer.

"The higher the bandwidth, the more the IDS starts dumping packets," Brown says. He declined to provide more specifics until the lab tests are made public.

However, executives from two other Gigabit IDS vendors - Internet Security Systems (ISS) and Enterasys Networks - say their products have similar shortcomings. While most vendors don't like to highlight the limitations of gigabit IDS in their marketing materials, they're straightforward about it if you ask.

Ron Gula, vice president of the intrusion-detection unit at Enterasys, says his company's gigabit IDS product, Dragon Sensor, will not achieve optimum performance over 250M bit/sec. Enterasys added support for gigabit speed to Dragon so it could accept traffic over 100M bit/sec.

IDS works by copying IP traffic to analyze packets and packet flows in depth, so the more packets it needs to look at, the harder it is to perform that job, Gula says. When an IDS pushes the limit, it simply cannot look at all the packets. "We will do a demo for customers, and the demo will show the number of dropped packets," he says.

ISS, which sells BlackIce Sentry Gigabit, says its IDS can perform attack monitoring at speeds up to 600M bit/sec.

"High performance has been a challenge to IDS for some time," says Jason Anderson, an ISS product manager. "The challenge is the packets per second. On a gigabit link, we could easily cover up to the full pipe. But if the packets are on the small side, we tend to drop packets because it's too many packets per second - 1500-byte packets are easy, but 64-byte packets are hard."

ISS is also working on a new high-speed sensor for release next year that is aimed at overcoming these limitations.

The lower-speed IDS product from ISS, RealSecure Network Sensor, is designed to monitor 100M bit/sec segments. Some organizations, such as Johns Hopkins University, are harnessing multiple RealSecure sensors using load-balancing equipment - Top Layer Networks' AppSafe - to achieve gigabit bandwidth coverage as their nets get faster.

"If you're dropping 50% or 60% of the packets in a full-gigabit network, you have to add more probes," says Alan Wilkins, Johns Hopkins lead engineer.

"Load balancing is certainly a decent idea. It's a technique you can throw at the problem," says Marcus Ranum, CTO at NFR Security, which makes network-based intrusion-detection gear.

"Historically, we're reluctant to say you can handle more than 600M bit/sec with an IDS," Ranum says. Although Top Layer pushes its load-balancing equipment as specialized for IDS, Ranum says balancing the load of IDS can be performed with switches from ArrowPoint Communications (now Cisco), F5 Networks and other vendors. However, costs rise when multiple IDS have to be used with load-balancing gear in lieu of gigabit IDS that cannot reliably handle the traffic stress.
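The packets-per-second ceiling Anderson describes (64-byte packets are hard, 1500-byte packets are easy) and Wilkins' "add more probes" remedy can be put into numbers. The following capacity model is an added example, not code from Network World or any vendor named in the article; the sensor capacity of 600,000 packets per second is a constructed figure, not a measured one.

```python
import math

# Ethernet wire overhead per frame, in bytes (constants from the IEEE 802.3 framing rules).
PREAMBLE_SFD = 8   # preamble + start-of-frame delimiter
IFG = 12           # minimum inter-frame gap (96 bit times)
MIN_FRAME = 64     # smallest legal frame, including FCS
MAX_FRAME = 1518   # 1500-byte payload + 14-byte header + 4-byte FCS


def max_pps(link_bps, frame_bytes):
    """Highest frame rate a link can carry when every frame is `frame_bytes` long."""
    wire_bits = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return link_bps / wire_bits


def drop_fraction(offered_pps, sensor_pps):
    """Share of packets one sensor drops once the offered rate exceeds its per-second budget."""
    if offered_pps <= sensor_pps:
        return 0.0
    return 1.0 - sensor_pps / offered_pps


def expected_detection(base_rate, drop):
    """Detection rate when each missed packet means a missed attack (single-packet signatures)."""
    return base_rate * (1.0 - drop)


def sensors_needed(offered_pps, sensor_pps, headroom=0.8):
    """Sensors required behind a load balancer so each runs at no more than `headroom` of capacity."""
    return math.ceil(offered_pps / (sensor_pps * headroom))


if __name__ == "__main__":
    link = 1_000_000_000          # gigabit link
    sensor = 600_000              # constructed per-sensor capacity, packets per second
    for size in (MIN_FRAME, 512, MAX_FRAME):
        pps = max_pps(link, size)
        drop = drop_fraction(pps, sensor)
        print(f"{size:5d}-byte frames: {pps:12,.0f} pps, "
              f"drop {drop:5.1%}, detection {expected_detection(1.0, drop):5.1%}, "
              f"sensors needed {sensors_needed(pps, sensor)}")
```

The same gigabit link is harmless at 1518-byte frames (about 81,000 packets per second) but offers roughly 1.49 million packets per second at 64 bytes, which is where a per-packet-bound sensor starts discarding traffic.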

"Load balancing is a crutch," says Frank Huerta, CEO at Recourse Technologies, which competes in the gigabit IDS arena with Gigabit ManHunt.

Huerta says Gigabit ManHunt does not falter at high speeds, a claim backed by a Miercom lab test. But the product is designed differently from the signature-based offerings from ISS, Enterasys and Intrusion. ManHunt spots "anomalies" or unusual traffic, but it doesn't provide nearly the level of detail about applications under attack that its competitors' products do.

"We're not as detailed, that's a fair criticism, and we're trying to shore that up," says Fred Kost, a Recourse vice president.

[Graphic: Gigabit graphic]

Faster networks aren't the only challenge IDS vendors face. Their biggest fear may be new hacker tools with names such as "Stick," "Snot" and "Whisker" that generate bogus TCP traffic with the goal of interfering with routers and IDSs.

If you can plug tools such as these into the same hub as the IDS, you can deceive any network IDS, says Enterasys product engineer Sam Stover. These hacker tools generate so many suspicious events that they can overwhelm any IDS sensor and let hackers sneak through in the process, or they can even cause an IDS to buckle completely.

These hacker tools work over T-3 or DSL connections to overwhelm IDS, although less effectively, Stover says.

For network managers who want to test how well their IDS is performing, professional engineering tools can generate a variety of attacks that might occur during Web sessions.
