How to Keep Intrusion Detection From Sucking


I have never been a fan of fishing with plastic worms. Not because of a real worm vs. fake worm purist argument; heck, I've fished with TNT before as a kid. Now that's a real hoot! It's because I have never ever caught a single thing with them. To me, they are ineffective and a waste of time and money.

That is how I feel about Intrusion Detection/Prevention. IDS is the plastic worm of network security devices in today's more advanced botnet-orientated world. The marketing for both plastic worms and IDS is close to the same:

- Looks Lifelike :: Real World Based Signatures
- 400x Scent Dispersion :: Lower False Positives
- Recommended by Top Anglers :: *** Certified and Tested
- Money Back if Not Satisfied :: ......

I use an IDS node cluster for research and it works great for that. But what use is that data for a campus LAN? I use it to increase my knowledge and help the fight against bots worldwide. I do not see Enis the accountant or Hank the server admin pumping out C code for a fix. Although, I admit it is great to use this data to pump out shellcode from Nebula for Snort sigs. But that is IDS.

Now, if a device is a TRUE IPS and it will take action, either shunting an attack or reconfig'ing a firewall, then we have a tool that is useful in the campus LAN. The difference here is active vs. passive.

The single biggest mistake I see in IPS deployment is traffic flow engineering. Many folks get these shiny new IPS devices in and they either:

- Config them like servers, or
- Config them like switches/routers

An IPS device is config'ed differently than any other piece of gear on the network. It is not just another 1U appliance to make mid-level managers happy. An IPS needs to be placed inline to traffic flow. Now any engineer worth their salt is going to design a network to withstand a failure from inline gear. Most inline appliances have hard drives that are prone to failure. Heck, I have replaced three in my laptop already.
An inline failure stops traffic flow and increases resume flow. Not cool at all. So normally, we install two of these devices with channelized links to withstand multiple failures. That is the problem. Traffic flow thru an IPS MUST flow symmetrically thru the IPS and NOT asymmetrically. An IPS has to see both sides of a conversation to be effective. Truthfully, many folks install an IPS and never touch it again because of the high false positive rate. They hate it, think it sucks, and classify it as the plastic worm in the network. Recently, I have visited many customer sites that classified Conficker as a false positive because their asymmetric traffic flow missed the command and control connection to the bot. An IPS must be looked at from the traffic's point of view to be an effective piece of equipment. If not, you are just wasting your time and money putzing around with it.

When I install an IPS cluster I normally do the following steps:

- Break the network up into two VRF instances per IPS (assuming this is a switchblock-designed L3 network), half on one side and half on the other per IPS. This allows me to group my VLANs into a single manageable group for traffic flow engineering.
- I use a separate switch to connect my multiple IPS links into. In a channelized link, traffic flow is determined by source-destination information. That info is hashed into an XOR type of algorithm to determine which link traffic should flow down. This is determined at each switch end. The switch in the middle helps keep this algorithm the same so traffic flow is consistent and BOTH sides of the conversation flow to the correct IPS.
- Before deployment, I double check the switch algorithm with the IOS command:

  TWTVSwitch#test etherchannel load-balance interface port-channel 4 ip
  Computed RBH: 0x1
  Would select Gi2/22 of Po4

  This lets me dry run what my traffic flow will be before it ever hits the IPS to ensure I am seeing both sides of a conversation between hosts.
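The IOS test command above takes a source and destination address and reports which member link the computed hash selects, one flow at a time. The following is an added example, not code from the original post or from Cisco, that does the same dry run for a whole list of flows in a simplified model: it hashes the low address bits the way an XOR-based src-dst-ip policy does, compares that against a src-ip-only policy, and reports every conversation whose request and reply would land on different IPS links. The link names, the client/server addresses and the reduced hash (the real RBH also maps the XOR result through a bucket table) are all constructed assumptions for the illustration.

```python
"""Simplified model of EtherChannel-style link selection, used to audit that
both halves of a conversation reach the same IPS.  Added illustration only:
this is not Cisco's exact hashing (the real RBH also walks a bucket table),
and every address and link name below is a constructed example."""
import ipaddress

# Two IPS devices hanging off the channelized links (constructed names).
LINKS = ["ips-1", "ips-2"]


def _ip_int(addr):
    return int(ipaddress.ip_address(addr))


def _bits_for(links):
    # 2 links -> 1 bit, 4 links -> 2 bits, 8 links -> 3 bits (3 links rounds up to 2).
    return max(1, (len(links) - 1).bit_length())


def select_src_dst(src_ip, dst_ip, links=LINKS):
    """src-dst-ip policy: XOR of the low address bits.  XOR is commutative, so
    the reply (dst->src) hashes to the same link as the request (src->dst)."""
    mask = (1 << _bits_for(links)) - 1
    rbh = (_ip_int(src_ip) ^ _ip_int(dst_ip)) & mask
    return links[rbh % len(links)]


def select_src_only(src_ip, dst_ip, links=LINKS):
    """src-ip policy: only the sender's address is hashed, so the request and
    the reply are hashed on different addresses and may pick different links."""
    mask = (1 << _bits_for(links)) - 1
    return links[(_ip_int(src_ip) & mask) % len(links)]


def audit_symmetry(flows, policy_a, policy_b, links=LINKS):
    """Dry-run each client->server flow through switch A's policy and the
    server->client reply through switch B's policy.  Returns the flows whose
    two halves pick different links; an IPS would see only half of each."""
    broken = []
    for client, server in flows:
        fwd = policy_a(client, server, links)
        rev = policy_b(server, client, links)
        if fwd != rev:
            broken.append((client, server, fwd, rev))
    return broken


# Constructed client/server pairs standing in for VLANs on either side of the IPS pair.
FLOWS = [
    ("10.1.1.10", "192.168.5.7"),
    ("10.1.1.11", "192.168.5.4"),
    ("10.1.2.20", "172.16.0.33"),
]

if __name__ == "__main__":
    print("both switches src-dst-ip:",
          audit_symmetry(FLOWS, select_src_dst, select_src_dst))
    print("switch A src-dst-ip, switch B src-ip:",
          audit_symmetry(FLOWS, select_src_dst, select_src_only))
    print("both switches src-ip:",
          audit_symmetry(FLOWS, select_src_only, select_src_only))
```

With both switch ends on the src-dst-ip policy the audit comes back empty, because XOR of the same two addresses gives the same bucket in either direction. As soon as one end hashes on a single address the list fills up with conversations an IPS would only half see, which is exactly the condition that turns a real command-and-control connection into an apparent false positive.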
I have been doing this little design trick for quite some time now and it has decreased the false positive rate and increased IPS accuracy big time. Also, I need to give a huge shout out to the Cisco SAFE team that has published this and other great ideas in the brand new and minty fresh Safev2 documentation at

This will certainly turn any IPS from a plastic worm into a Rapala X-Rap in no time flat!

Jimmy Ray Purser

Trivia File Transfer Protocol

Dr. Seuss' editor Bennett Cerf challenged him to write a book that used no more than 50 words. Seuss took that challenge and wrote the book "Green Eggs and Ham", which uses exactly 50 words: a, am, and, anywhere, are, be, boat, box, car, could, dark, do, eat, eggs, fox, goat, good, green, ham, here, house, I, if, in, let, like, may, me, mouse, not, on, or, rain, Sam, say, see, so, thank, that, the, them, there, they, train, tree, try, will, with, would, you.
