Analysis and Countermeasures for the Limitations of IDS on Switches

Source: Internet
Author: User

I. Problems

The Intrusion Detection System (IDS) has been a popular security product in the past two years. In a network security system, an IDS detects intrusions and generates alerts. "Intrusion" here includes not only hacker attacks but also abnormal network behavior, such as leakage of confidential information from the internal network and illegal use of network resources.

Ensuring network security requires many products, including anti-virus, firewalls, server hardening, encrypted transmission, and identity authentication. Compared with these, an IDS is more intelligent: it can identify network intrusions, raise alarms, and block them in real time.

However, over the past two years vendors, media, and websites have promoted IDS only from the front and have avoided its defects. Among the many defects, switch port mirroring and VLANs bring great trouble to the deployment of a network intrusion detection system (NIDS). A large number of IDS vendors have glossed over this, which misleads users and prevents them from getting the full security value of the product.

II. Problem Analysis

Because a shared hub lets any host monitor the whole segment, which is a serious threat to network security, switches are usually used on networks (especially high-speed networks). This makes network listening by the network intrusion detection system troublesome.

1. Problem one: switch port mirroring

To understand the listening problem of an intrusion detection system in a switched environment, you need to understand the different working principles of a hub and a switch. A hub has no concept of a connection: it repeats each packet to every port except the one it arrived on. A switch, by contrast, is connection-based: when a packet arrives, the switch determines the port that leads to its destination and forwards the packet out of that port only. Therefore, in a hub environment we can connect the sensor of the network intrusion detection system to any port, but with a switch we must make sure that the sensor can "see" the required network traffic.

In this case, a special listening port must be configured on the switch. The listening port is a special port on the switch, usually configured with SPAN (Switched Port Analyzer), and is normally used to examine network usage. The SPAN port is also called the listening (spy) port or mirror port.

The switch mirrors the traffic of the specified port to the listening port, so that the network sensor can capture the data of the specified port. As shown in Figure 1, to listen to the connection between the switch and the resource host, we need to tell the switch to mirror the port of the resource host to the IDS port. Mirroring can be configured for transmitted data, received data, or both. Some switches do not support the mirror port function, and some switches cannot deliver 100% of the traffic to the mirror port; in that case, even if the IDS is configured with a detection rule for a specific attack, the attack will be missed. Moreover, a switch can only mirror one port at a time, so monitoring multiple machines is difficult or impossible.

Figure 1: Switch port mirror monitoring

In addition, port mirroring has the following defects in a switched environment:

● Switch ports are generally full duplex, so the bidirectional traffic on a 100 MB port may reach 200 MB, but the listening port can carry 100 MB at most, resulting in packet loss;

● To save switch ports, one switch port is very likely to be configured to listen to several other ports. Under normal traffic all of them can be monitored, but during an attack the traffic may increase until the total traffic of the monitored ports exceeds the capacity of the listening port, resulting in packet loss on the switch;

● When a switch is under heavy load, the listening port cannot keep up with the other ports, resulting in packet loss. If one listening port must mirror all the ports of the switch, the packet loss becomes more serious;

● Adding listening ports means that more switch ports are required. You may need to purchase additional switches or even modify the network structure (for example, a VLAN that was on one switch now has to be spread across two switches);

● Switches of different manufacturers and models implement the mirror port differently. Some switches can make any port a mirror port, while others can only use a fixed port (such as port 1). Some switches can mirror all ports to the mirror port, while others can only mirror one port at a time;

● Switches that support listening are much more expensive than those that do not. Many networks do not consider the need for network listening at design time; the switches purchased either do not support it or have poor listening performance, so the switch must be replaced when preparing to install a NIDS.
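The two capacity points above (a full-duplex 100 MB port producing up to 200 MB of mirrored copies, and several ports aggregated onto one listening port) can be checked before deployment. The following script is an added example, not from the original article; the port names and utilization figures are constructed, and the drop estimate assumes the mirror destination simply cannot emit more than its link rate.

```python
"""Estimate whether a SPAN (mirror) destination port is oversubscribed by the
ports it mirrors.  Added example; all figures below are constructed."""
from dataclasses import dataclass
from typing import Iterable, Literal

Direction = Literal["rx", "tx", "both"]


@dataclass
class SourcePort:
    name: str
    link_mbps: float          # full-duplex link rate, per direction
    rx_util: float            # fraction of link rate in use on ingress
    tx_util: float            # fraction of link rate in use on egress
    direction: Direction = "both"   # which side(s) the switch is told to mirror

    def mirrored_mbps(self) -> float:
        # A full-duplex link carries link_mbps in EACH direction, so mirroring
        # "both" on a 100 MB port can offer up to 200 MB to the listening port.
        rx = self.link_mbps * self.rx_util if self.direction in ("rx", "both") else 0.0
        tx = self.link_mbps * self.tx_util if self.direction in ("tx", "both") else 0.0
        return rx + tx


@dataclass
class SpanReport:
    offered_mbps: float
    capacity_mbps: float
    oversubscribed: bool
    estimated_drop_fraction: float   # share of mirrored traffic the IDS never sees


def span_report(sources: Iterable[SourcePort], destination_mbps: float) -> SpanReport:
    """The mirror destination is a single one-way stream toward the sensor, so it
    can emit at most destination_mbps no matter how much traffic is offered."""
    offered = sum(s.mirrored_mbps() for s in sources)
    over = offered > destination_mbps
    drop = 0.0 if not over else 1.0 - destination_mbps / offered
    return SpanReport(offered, destination_mbps, over, drop)


if __name__ == "__main__":
    # Constructed scenario: three access ports mirrored to one 100 MB SPAN port.
    quiet = [SourcePort(f"fa0/{i}", 100.0, 0.3, 0.2) for i in range(1, 4)]
    attack = [SourcePort(f"fa0/{i}", 100.0, 1.0, 1.0) for i in range(1, 4)]
    for label, ports in (("normal traffic", quiet), ("flood", attack)):
        r = span_report(ports, 100.0)
        print(f"{label}: offered {r.offered_mbps:.0f} MB, "
              f"drop {r.estimated_drop_fraction:.0%}")
```

Under the constructed normal load the three ports already offer 150 MB to a 100 MB listener, so one packet in three is lost even before any attack raises the volume.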
