The problems faced by intrusion detection systems (IDS)

Source: Internet
Author: User
Tags: resource, switches

I. Problems to be faced

Intrusion detection systems (IDS) have been the hot security product of the past two years. Their role in a network security system is to detect intrusion behaviour and raise an alarm. "Intrusion behaviour" here covers a wide range of activities: not only hacker attacks but also various network anomalies, such as leakage of confidential information from the internal network and illegal use of network resources.

To secure a network, many security products are used: anti-virus, firewalls, server hardening, encrypted transmission, identity authentication and so on. Compared with these, an IDS is more intelligent: it can judge whether network behaviour is an intrusion, raise an alarm and block it in real time.

But in the past two years vendors, media and websites have promoted the functions of IDS while avoiding its flaws. Among its many defects, mirroring data from switches and VLANs to a network intrusion detection system (NIDS) causes great trouble, and many IDS vendors avoid the topic. This inevitably misleads users, so that they cannot get the maximum security value from their investment.

II. Analysis of the problem

Because a shared hub allows network monitoring, it poses a great threat to network security, so networks today, especially high-speed networks, basically use switches. This in turn makes network monitoring by a network intrusion detection system troublesome.

1. Problem one: switch port mirroring

To understand the problem of an intrusion detection system listening in a switched environment, you need to understand how hubs and switches work differently. A hub has no concept of a connection: it repeats each packet to every port on the hub except the port the packet came in on. A switch, however, is connection-based: when a packet arrives, the switch looks up the destination port for that connection and forwards the packet out of that port only. Therefore, in a hub environment we can connect the NIDS sensor to any port, while on a switch we must make sure the sensor can "see" the desired network traffic.

You need to set up a dedicated listening port on the switch. The listening port is a special port configured on the switch; SPAN (Switched Port Analyzer) is often used to view network usage, and SPAN ports are often referred to as listening (spy) ports or mirror ports.

The switch mirrors the communication data on a specified port to the listening port so that the network sensor can capture it. As shown in Figure 1, to monitor the connection between the switch and the resource host, we must tell the switch to mirror the data on the resource host's port to the IDS port. Mirroring can cover the data transmitted, the data received, or both. Some switches do not support port mirroring at all, and some do not copy 100% of the data to the mirror port, so even if the IDS is configured with detection rules for a specific attack, the attack may still be missed. Also, a switch may mirror only one port at a time, which makes it difficult or impossible to monitor multiple machines.

 

Figure 1: Switch port Mirroring monitoring
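To make the hub/switch difference and the SPAN direction setting concrete, here is an added toy model (example code, not from the original article): a hub repeats every frame, a learning switch forwards only to the learned port, and a SPAN session copies a source port's received ("rx"), sent ("tx") or both directions to the mirror port. Port numbers, MACs and the traffic list are constructed for the example.

```python
# Added example (not from the original article): a toy model of why an IDS sensor
# sees every frame on a hub but only mirrored frames on a switch.

class Hub:
    """Shared hub: every frame is repeated to all ports except the ingress port."""
    def __init__(self, nports):
        self.nports = nports
    def forward(self, in_port, frame):
        return [p for p in range(self.nports) if p != in_port]

class Switch:
    """Learning switch with an optional SPAN session (source ports -> one mirror port)."""
    def __init__(self, nports):
        self.nports, self.mac_table = nports, {}
        self.span_sources, self.span_dest = {}, None   # port -> 'rx' | 'tx' | 'both'
    def configure_span(self, sources, dest):
        self.span_sources, self.span_dest = dict(sources), dest
    def forward(self, in_port, frame):
        src, dst = frame
        self.mac_table[src] = in_port                 # learn where src lives
        out = self.mac_table.get(dst)
        if out is None:                               # unknown unicast is flooded
            egress = [p for p in range(self.nports) if p != in_port]
        else:
            egress = [out]                            # known destination: one port only
        if self.span_dest is not None:
            # 'rx' mirrors frames received on a source port, 'tx' frames sent out of it
            mirrored = self.span_sources.get(in_port) in ("rx", "both")
            mirrored |= any(self.span_sources.get(p) in ("tx", "both") for p in egress)
            if mirrored and self.span_dest not in egress:
                egress.append(self.span_dest)
        return egress

def frames_seen(device, sensor_port, traffic):
    """Number of frames in `traffic` that reach the sensor port."""
    return sum(1 for in_port, frame in traffic if sensor_port in device.forward(in_port, frame))

# Constructed traffic: resource host "AA" on port 1, client "BB" on port 2, sensor on port 5.
TRAFFIC = [(2, ("BB", "AA")), (1, ("AA", "BB")), (2, ("BB", "AA")), (1, ("AA", "BB"))]

def demo(sensor_port=5):
    results = {"hub": frames_seen(Hub(8), sensor_port, TRAFFIC)}
    sw = Switch(8)                                    # no SPAN: only the first flooded frame
    results["switch_no_span"] = frames_seen(sw, sensor_port, TRAFFIC)
    sw = Switch(8); sw.configure_span({1: "both"}, sensor_port)
    results["switch_span_both"] = frames_seen(sw, sensor_port, TRAFFIC)
    sw = Switch(8); sw.configure_span({1: "rx"}, sensor_port)   # misses frames sent to the host
    results["switch_span_rx_only"] = frames_seen(sw, sensor_port, TRAFFIC)
    return results
```

Once the switch has learned both MAC addresses, a sensor on an unmirrored port sees nothing but the initial flooded frame, and an "rx"-only session misses the half of the conversation flowing toward the monitored host.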

In addition, port mirroring has the following drawbacks in a switched environment:

A connection to a switch is usually full-duplex, so on a 100 Mb switch the two-way traffic of one port may reach 200 Mb, while the listening port can carry at most 100 Mb; the switch then drops packets;

To save switch ports, one switch port can be configured to listen to several other ports. Under normal traffic the listening port can keep up with all of them, but during an attack network traffic may increase, so that the total traffic of the monitored ports exceeds the upper limit of the listening port and the switch drops packets;

In general, when the switch is heavily loaded, the listening port cannot keep up with the other ports and the switch drops packets. If one listening port is to monitor the data of all switch ports, the packet loss will be more serious;

Adding a listening port means more switch ports are needed, which may require buying additional switches or even modifying the network structure (for example, a VLAN originally on one switch may now have to be spread over two switches);

Switches from different manufacturers and of different models support mirror ports differently. Some can set any port as the mirror port, some only a fixed port (such as port 1); on some switches the mirror port can listen to all ports, on others only to one particular port;

A switch that supports listening is much more expensive than one that does not. Many networks were not designed with monitoring in mind, so the switches already purchased either do not support monitoring or perform it poorly and must be replaced when preparing to install a NIDS.
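The first three drawbacks above are all one sizing question: does the traffic copied from the source ports fit into the one-way line rate of the listening port? The added calculator below (example code, not from the original article) works through the page's 100 Mb full-duplex case and a normal-load versus attack-load scenario for several mirrored ports; the port names and traffic figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class SpanSource:
    name: str
    rx_mbps: float            # traffic entering the switch on this port
    tx_mbps: float            # traffic leaving the switch on this port
    direction: str = "both"   # 'rx', 'tx' or 'both', as described on the page

def mirrored_load(sources):
    """Total traffic (Mb/s) copied to the listening port for a list of SPAN sources."""
    total = 0.0
    for s in sources:
        if s.direction in ("rx", "both"):
            total += s.rx_mbps
        if s.direction in ("tx", "both"):
            total += s.tx_mbps
    return total

def span_budget(sources, dest_mbps):
    """Return (offered Mb/s, oversubscription ratio, fraction of mirrored traffic lost).
    The mirror port only transmits toward the sensor, so its budget is one direction's line rate."""
    offered = mirrored_load(sources)
    ratio = offered / dest_mbps
    lost = max(0.0, 1.0 - dest_mbps / offered) if offered > 0 else 0.0
    return offered, ratio, lost

def scenarios():
    # Constructed figures: one full-duplex 100 Mb/s host port mirrored in both directions
    saturated = [SpanSource("resource-host", 100, 100)]
    # Three lightly used ports mirrored into one listening port: fine under normal load ...
    normal = [SpanSource(f"srv{i}", 20, 10) for i in range(3)]
    # ... but a flood during an attack pushes every one of them to line rate
    attack = [SpanSource(f"srv{i}", 100, 100) for i in range(3)]
    return {
        "saturated_100M": span_budget(saturated, 100),
        "normal_100M": span_budget(normal, 100),
        "attack_100M": span_budget(attack, 100),
        "attack_1G": span_budget(attack, 1000),
    }
```

The "attack_1G" case shows the usual mitigation: a listening port at least as fast as the sum of the mirrored directions, or fewer sources per session, keeps the loss fraction at zero.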
