Using IDS Sensors in Switched Networks


Previously, networks were built around a shared bus using hubs, which repeat a frame received on one port to all other ports (Fig. 10.10). Hubs become inefficient in large networks of hundreds or thousands of computers, since the delay before a host gains access to the medium grows steeply with the number of hosts. Experience shows that a segment carrying conventional (text) traffic should hold no more than about 30 hosts on Ethernet; for multimedia traffic the figure is lower still. As the number of hosts grows, traffic intensity increases and network performance degrades, because the network spends most of its time detecting and handling collisions.

Fig. 10.10. Hub operation

Using network sensors in such an environment presents no problems: a sensor can be connected to any port of the hub and "hear" the traffic of all the other ports.

To overcome the limitations of shared media, several devices were developed, notably bridges and switches, which forward frames from port to port according to the destination address carried in each frame (Fig. 10.11).

Fig. 10.11. A switch operation

These devices simplify the lives of network administrators in large networks, but complicate them for security administrators: a network sensor connected to a switch port sees only the traffic addressed to that port. Because normal traffic is never addressed to the monitoring interface, the IDS sees only broadcasts and frames whose destination address the switch has not yet learned (and therefore floods to all ports). Where VLANs are in use, practically nothing except the broadcast traffic of the sensor's own VLAN reaches the "listening" port. The following methods of placing sensors efficiently in switched networks can be recommended:

  • Using the SPAN port on the switch

  • Connecting an additional hub

  • Using a splitter

  • Integrating the IDS with a switch

  • Using load balancing devices

  • Using host-based (system) sensors on specific hosts

Using the SPAN Port

This mechanism copies the traffic of one or more switch ports to a single dedicated port, the SPAN port (Switched Port Analyzer), which is normally used for connecting traffic analyzers (Fig. 10.12).

Fig. 10.12. The network sensor and span port

Some manufacturers use other names for this port, such as mirror port, management port, monitor port, or analyzer port. Note that traffic from the monitored ports can be copied to the SPAN port in two ways:

  • By configuring the switch directly (for example, with the port monitor command on Cisco Catalyst 2900XL/3500XL switches or the set span command on Catalyst 4000/5000/6000 switches).

  • By using third-party software, for example, NetScout Manager Plus. NetScout uses the term "roving" for this mechanism.

SPAN ports partly solve the problem of monitoring switched networks; however, several important aspects seriously affect the efficiency of IDS operation.

First, not all switches support SPAN ports (some fiber-optic switches, for example), although most current manufacturers build this capability into their products, especially into newer models.

Second, the fastest port of the switch should be designated as the SPAN port. If, say, a switch has mostly 10 Mbit/sec ports and a single 100 Mbit/sec port, the 100 Mbit/sec port must be chosen. Otherwise the switch has to copy the traffic of several 10 Mbit/sec ports simultaneously onto a SPAN port that is itself limited to 10 Mbit/sec. Since the SPAN port cannot transmit faster than 10 Mbit/sec, frames queue in the switch's internal buffers until the port is free, and once a buffer overflows, arriving frames are dropped. This degrades the performance of the networks attached to the switch and of the switch itself, and/or loses data the sensor should have analyzed (mirrored frames are not retransmitted). The problem is most acute on non-blocking switches, whose switching fabric can deliver traffic to the SPAN port faster than that port can drain it. That is why the fastest port must be selected as the SPAN port. In the case described earlier, where several sensors process network traffic in parallel, the AppSwitch AS3502 was connected to the Gigabit SPAN port of a Catalyst 6000 switch. Bear in mind also that errored frames are not copied to the SPAN port, which complicates timely detection of network problems.

Third, when VLANs are used, the SPAN port must belong to the VLAN you want to protect from attacks. Depending on the manufacturer and the switch model, this limitation may not apply: on the Catalyst 2900XL and 3500XL a SPAN port cannot monitor traffic from several VLANs, whereas on the Catalyst 4000/5000/6000 it can. VLANs also affect the types of response available. For example, sending an RST packet to terminate a connection only works within the VLAN being monitored; otherwise the RST packet never reaches the recipient and the connection is not terminated.

Finally, simple arithmetic shows that even a Gigabit SPAN port can serve only a limited number of switch ports. How is this limit determined? Start from the load on each monitored port. For Ethernet, a commonly used figure for average port utilization is 30%, and in practice it is often lower, about 10% (the precise value for a given port can be obtained with a network analyzer). At first glance, then, a Gigabit SPAN port could serve 100 ports of 100 Mbit/sec each, rather than the 10 ports of our line-rate example. However, an empirical rule holds that an IDS network sensor on Fast Ethernet copes with a load of 60-80 Mbit/sec, and on Gigabit Ethernet its efficiency drops to 40-60% of line rate, i.e., 400-600 Mbit/sec. A more realistic figure is therefore 40-60 ports (not 100) per Gigabit SPAN port. Naturally these are averaged numbers that depend on many factors (a precise formula for calculating sensor performance is given at the end of this chapter), but they indicate the general performance level of network-level intrusion detection systems. One way to solve this problem (besides using another SPAN port) is to use the load balancing devices described earlier.
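To make the arithmetic above reusable, here is an added worked example (not from the book) that encodes these rules of thumb in a small planning class. It goes slightly beyond the paragraph: it also accounts for full-duplex ports, whose mirrored traffic doubles because both directions land on the single transmit side of the SPAN port, and for the worst case where every monitored port bursts to line rate. The class name and all figures are assumptions to be replaced with values measured on your own switch.

```python
"""SPAN-port capacity planning for an IDS sensor.

Added worked example; it is not from the book. It turns the chapter's
rule-of-thumb figures into a function: per-port utilization (30% nominal,
about 10% observed), the sensor's efficiency (60-80 Mbit/sec on Fast
Ethernet, 40-60% of line rate on Gigabit), and the doubling of mirrored
traffic on full-duplex ports. All numbers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SpanPlan:
    span_mbps: int            # speed of the SPAN (mirror) destination port
    port_mbps: int            # speed of each monitored port
    utilization: float        # average utilization of a monitored port, 0..1
    full_duplex: bool         # both rx and tx of each port are mirrored
    sensor_efficiency: float  # share of SPAN line rate the sensor can analyze

    def offered_per_port_mbps(self) -> float:
        """Average traffic one monitored port adds to the mirror stream.

        On a full-duplex port both directions are copied onto the single
        transmit side of the SPAN port, so the offered load doubles.
        """
        directions = 2 if self.full_duplex else 1
        return self.port_mbps * self.utilization * directions

    def span_limit_ports(self) -> int:
        """Ports the SPAN port itself can carry at average load."""
        return int(self.span_mbps // self.offered_per_port_mbps())

    def sensor_limit_ports(self) -> int:
        """Ports the sensor can analyze without dropping packets."""
        analyzable = self.span_mbps * self.sensor_efficiency
        return int(analyzable // self.offered_per_port_mbps())

    def max_ports(self) -> int:
        """The binding constraint: whichever of the two limits is smaller."""
        return min(self.span_limit_ports(), self.sensor_limit_ports())

    def worst_case_ports(self) -> int:
        """Ports that fit even if every one of them bursts to line rate."""
        directions = 2 if self.full_duplex else 1
        return self.span_mbps // (self.port_mbps * directions)


def report(plan: SpanPlan) -> str:
    """One-line summary of a plan, for a quick comparison of scenarios."""
    return (f"SPAN {plan.span_mbps} Mbit/s, ports {plan.port_mbps} Mbit/s at "
            f"{plan.utilization:.0%}, full duplex={plan.full_duplex}, "
            f"sensor eff. {plan.sensor_efficiency:.0%}: "
            f"span limit {plan.span_limit_ports()}, sensor limit "
            f"{plan.sensor_limit_ports()}, worst case {plan.worst_case_ports()}")


if __name__ == "__main__":
    # The chapter's scenario: Gigabit SPAN port, 100 Mbit/s ports at 10% load.
    for eff in (0.4, 0.6):
        print(report(SpanPlan(1000, 100, 0.10, False, eff)))
    # Same ports running full duplex with both directions mirrored.
    print(report(SpanPlan(1000, 100, 0.10, True, 0.6)))
```

For the chapter's own numbers the SPAN port could carry 100 ports, the sensor only 40-60, and a burst of every port to line rate would fit only 10; mirroring both directions of full-duplex ports halves each of those figures.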

Hubs are much simpler in this respect. As the network load coefficient increases, the delay before a frame gains access to the shared medium also grows steeply. The critical values of the coefficient (excluding the case of a single computer connected directly to a hub) are as follows:

  • 40-50% for Ethernet

  • 60% for TokenRing

  • 70% for FDDI

Since IDS sensors can handle such loads, sensor performance in shared-media networks is not a particular problem: the Ethernet technology itself protects the IDS from overload.

Furthermore, there are several other drawbacks to using SPAN ports.

  • As a rule, a switch supports only one SPAN port, although many manufacturers allow 2, 3, or even 4.

  • The sensor behind this port remains exposed to attack: a specially crafted packet copied to the SPAN port can, under certain conditions, cause the intrusion detection system to fail.

  • Monitoring ports operating in full-duplex mode is difficult, since both communicating hosts can transmit at the same time. A full-duplex 100 Mbit/sec port can therefore carry up to 200 Mbit/sec in total, twice what a 100 Mbit/sec SPAN port can send to the sensor.

  • Since the SPAN port operates in one direction only (it transmits copies and does not accept frames from the sensor), some response types, such as terminating the connection to the attacking host, cannot be implemented through it. An additional network interface dedicated to control is then required.

  • Physical-level errors are not reproduced on the SPAN port.

  • Using the SPAN port for the IDS prevents you from connecting the network analyzers and other tools usually attached to it, and vice versa: if a network analyzer already occupies the SPAN port, the IDS sensor cannot be connected to the switch. A shortage of SPAN ports thus leads to a conflict of interest between the IT and information security departments, and it is quite rare that this conflict is resolved in favor of information security.

Using SPAN ports can also degrade switch performance (whatever the manufacturer may claim). Depending on the design of the switch and on the traffic, its ports may slow down. This is usually true of older models (for example, the Catalyst 2900XL or 3500XL); newer models (such as the Catalyst 4000/5000/6000) are free of this drawback.

When deciding whether to use the SPAN port of a given switch for an IDS sensor, I recommend that you study the manufacturer's documentation, since each vendor usually adds functionality of its own. For example, Cisco Systems has implemented Remote SPAN (RSPAN) on the Catalyst 6000, which lets you monitor ports of remote switches. More detailed information on the implementation of SPAN in Cisco equipment can be found at the following address: http://www.cisco.com/public/473/41.html.

Connecting an Additional Hub

This approach combines switches and hubs: an additional hub is installed between the switch and the host or segment to be monitored, and the IDS network sensor is connected to that hub (Fig. 10.13). It is applicable when the switch has no SPAN port, and given the low cost of 4-port hubs it is quite workable. Its limitations are obvious: you can monitor only one port of the switch. If the hub is used to monitor more than one connection, loops can form. Connecting an additional device also lowers the reliability of the whole configuration. Finally, a hub operates in half-duplex mode only, so inserting it into a link that was full-duplex reintroduces collisions on that link.

Fig. 10.13. Combined usage of a hub and switch

Using a Splitter

A splitter (also known as a tap) is a device that duplicates the traffic passing between network hosts (Fig. 10.14). The acronym TAP is usually expanded as Test Access Point.

Fig. 10.14. Splitter operation

Equipment connected to the splitter's monitor port cannot transmit through that port. By the same token, it cannot be attacked through it, since the splitter does not allow direct access to the network sensor or any other device attached to it. Furthermore, an intruder will not even notice the splitter between the switch and the monitored host, since it operates at the physical layer and has neither a data-link nor a network-layer address.

Splitters are ideal tools for intrusion detection; in fact, they are what most IDS manufacturers recommend. They offer the following advantages:

  • Operate both in switched networks and in high-speed networks (such as Gigabit Ethernet or ATM)

  • Provide the capability of processing traffic from different VLANs

  • Operate efficiently in full-duplex networks

  • Have no negative effect on the controlled network

  • Allow the information security department to have an independent copy of all network traffic

  • Do not require reconfiguring network equipment (such as switches)

Until recently there were few such products on the market. The situation has changed, and several manufacturers now promote their own lines of splitters. One is the Century family from Shomiti, which Finisar Corporation acquired in the fall of 2001 (http://www.finisar.com). These products operate in both full-duplex and half-duplex networks, including Ethernet, Fast Ethernet, and Gigabit Ethernet. The line includes the following:

  • Single-port splitters, duplicating the traffic of a single Ethernet, Fast Ethernet, or Gigabit Ethernet link to a single network sensor (Fig. 10.14). They support full-duplex operation over single-mode and multimode fiber and over twisted pair.

  • Multiple-port splitters, duplicating the traffic of several (8-12) full-duplex Ethernet, Fast Ethernet, or Gigabit Ethernet links (Fig. 10.15).

Fig. 10.15. The Shomiti Century 12-Tap

Various types of configurations using single-port and multiple-port splitters are shown in Figs. 10.16 and 10.17.

Fig. 10.16. Using splitters and a network sensor

Fig. 10.17. Using a Century 12-Tap and network sensor

Besides Finisar, other companies offer similar products. NetOptics, for example, supplies 10 different splitters, including 4 models for Gigabit Ethernet and 1 model for ATM. Rioco Direct Ltd. (http://www.rioco.co.uk/), based in England, supplies the Rioco Data Tap, a 100 Mbit/sec full-duplex splitter with 1, 4, or 12 ports. Finally, Network Critical (http://www.networkcritical.co.uk/) supplies one- and four-port splitters for Ethernet/Fast Ethernet networks.

Still, this solution is not flawless either. The most important problem is that several response types, such as closing the connection to the attacking host, cannot be implemented through the splitter. To overcome this, use a second network interface or additional equipment (Fig. 10.18). In that configuration the sensor sends RST packets to Splitter 2, which duplicates them toward Switches 3 and 1. Since Switch 3 cannot forward traffic onward through Switch 1, no loops or duplicate paths arise.

Fig. 10.18. Closing the connection using splitters

The second shortcoming (see Fig. 10.14) is that a sensor attached to one splitter output sees only one direction of the traffic (TX). This inevitably produces false positives and false negatives. Consider a typical situation: a host attempts to open a TCP connection by sending a SYN packet to a port on the recipient. If the port is closed, the recipient answers with an RST packet and the attempt is over. With a splitter feeding the sensor only the client's direction, the RST packets never reach the sensor, which sees a growing number of unanswered SYNs and reports a SYN flood attack, a false positive. Similar results occur with several other events involving the ARP protocol.
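The false positive described above, as an added example (not code from the book or from any of the tap vendors named): a constructed trace of a port scan against closed ports is replayed through a minimal half-open-connection detector, once with both directions present and once with only the client-to-server direction, which is what a sensor on a single splitter output sees. The addresses, ports and the alert threshold are assumptions.

```python
"""Why a one-direction tap feed causes SYN-flood false positives.

Added example; not from the book. A passive splitter puts each direction
of a full-duplex link on its own output, and a sensor with a single
monitoring interface sees only one of them. The trace below is
constructed: 10.0.0.5 probes ten closed ports on 10.0.0.9 and every probe
is answered with RST. A minimal half-open-connection detector is run once
over both directions and once over the client->server direction only.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable, NamedTuple


class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, R=RST


def scan_trace(n_ports: int = 10) -> list[Pkt]:
    """Constructed trace: a SYN to each closed port and an RST/ACK back for each."""
    pkts: list[Pkt] = []
    for i in range(n_ports):
        pkts.append(Pkt("10.0.0.5", "10.0.0.9", 40000 + i, 1000 + i, "S"))
        pkts.append(Pkt("10.0.0.9", "10.0.0.5", 1000 + i, 40000 + i, "RA"))
    return pkts


def one_direction(pkts: Iterable[Pkt], src: str) -> list[Pkt]:
    """What a sensor on a single tap output sees: frames from one side only."""
    return [p for p in pkts if p.src == src]


def half_open_by_dst(pkts: Iterable[Pkt]) -> dict[str, int]:
    """Count, per destination, SYNs never answered by a SYN/ACK or an RST."""
    pending: set[tuple[str, int, str, int]] = set()
    for p in pkts:
        if p.flags == "S":
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif "R" in p.flags or p.flags == "SA":
            # A reply from the server side closes the matching half-open entry.
            pending.discard((p.dst, p.dport, p.src, p.sport))
    counts: dict[str, int] = defaultdict(int)
    for _, _, dst, _ in pending:
        counts[dst] += 1
    return dict(counts)


def syn_flood_alerts(pkts: Iterable[Pkt], threshold: int = 8) -> list[str]:
    """Destinations whose half-open count reaches the (assumed) alert threshold."""
    return [dst for dst, n in half_open_by_dst(pkts).items() if n >= threshold]


if __name__ == "__main__":
    trace = scan_trace()
    print("both directions :", syn_flood_alerts(trace))       # []
    tx_only = one_direction(trace, "10.0.0.5")
    print("client side only:", syn_flood_alerts(tx_only))     # ['10.0.0.9']
```

With both directions the detector sees every SYN answered and stays quiet; with the client side alone the same ten probes look like ten half-open connections and trip the alert. The usual remedy (general practice, not stated on this page) is to give the sensor both splitter outputs, either through two monitoring interfaces or through a splitter that aggregates both directions onto one output, so that the replies are visible to the detector.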

Using Load Balancing Devices

The load balancing devices described earlier, such as IDS Balancer, can also be used in switched networks. In particular, traffic from both splitters and the SPAN ports of several switches can be fed into the input of such a device, freeing you from the "one switch = one sensor" rule. Similarly, combining the traffic of several 100 Mbit/sec SPAN ports onto one Gigabit sensor lets you use its capacity fully.

Using splitters and load balancing devices together lets security administrators build fairly complex protection schemes without purchasing additional IDS sensors. For example, Fig. 10.19 shows a scheme for protecting an Internet gateway.

Fig. 10.19. Using a load balancer to protect a set of controlled segments

The same solution resolves possible conflicts between the IT and IS departments competing for scarce Gigabit SPAN ports: connect the load balancing device to the Gigabit SPAN port and have it redirect all traffic to both the IDS sensors and the network analyzers (Fig. 10.20).

Fig. 10.20. Connecting a splitter to a load balancing device

Integrating Network Sensors into Switches

Direct integration of IDS network sensors into switches is another interesting approach. Cisco Systems adopted it, and at the end of 2000 released the Catalyst 6500 IDS Module (formerly known as the Cisco Secure IDS Blade), designed to work with the Catalyst 6500 switch (Fig. 10.21) from the same manufacturer (models 6006, 6009, 6506, and 6509).

Fig. 10.21. The Cisco Catalyst 6000 IDS Module

Besides the features common to other intrusion detection systems, the Cisco Catalyst 6500 IDS Module offers the following two advantages:

  • High performance with no degradation of switch bandwidth. According to Cisco Systems, the module processes traffic at 47,000 packets per second (at an average packet size of about 484 bytes). Testing by the Network World Global Test Alliance [Yocom1-00] showed that the Catalyst 6000 IDS Module handles 200 Mbit/sec (in full-duplex mode), twice Cisco's own figure. However, where a Gigabit port (or a set of 100 Mbit/sec ports) must be monitored, this throughput is insufficient.

  • The capability of analyzing the traffic of several VLANs.

However, as the module costs more than $15,000, not every company, especially a small one, can afford it.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152