online.securityfocus.com/infocus/1594 -> www.securityfocus.com/infocus/1594
This is largely due to the increased size of networks, and the requirement for increasingly faster and more efficient networks. On most networks, the data must now be dependable and timely. This transition from hubs to switches, however, has generated a conflict with already deployed and designed network intrusion detection systems. To combat design conflicts between network intrusion detection systems (NIDS) and switches, network taps were created. Network taps essentially allow all traffic on a network device to be monitored. Network taps are also very useful for passive network troubleshooting and analysis. Further, the tap makes the related NIDS system more secure, preventing attackers from being able to directly attack the NIDS system. This article will offer an introductory overview of taps, including: what taps are, why they should be implemented, their role in improving network security, how they should be implemented, and the economic benefits of taps.

To understand why and how to use network taps, the design conflicts between NIDS and switches must also be understood. Hubs and switches differ in how they transmit data from port to port. To demonstrate this, imagine a 4-port hub in which each port has a distinct letter associated with it (A, B, C, D). A computer connected to port A wants to send information to a computer on port C. The packet is sent, the hub receives it, and sends the packet out to all the ports on the hub (A, B, C, D).

[Figure 1]

In this situation, NIDS systems have no problem. Since all traffic is sent to every port, a NIDS can detect traffic no matter where it is being sent across the hub. Switches, however, send data in a completely different way. Instead of sending data destined for port C to every port on the device, the switch sends this data only to port C.
This increases efficiency by reducing packet collisions, and optimizes bandwidth by reducing unnecessary transmissions.

[Figure 2]

This diagram clearly demonstrates where the problem occurs. Absolutely no data is sent to the NIDS system (port D), so no event detection can take place. The only time the NIDS could detect an attack is if the attack were directed at the NIDS itself. This is obviously unacceptable, as it completely defeats the purpose of having a NIDS on the network in the first place.

Network taps allow all traffic on a network device (such as a switch) to be passively monitored. They are relatively inexpensive, reliable, and provide permanent access ports through which to monitor traffic. Taps are usually separate devices, but can also be built into a switch itself. Two common tap solutions are offered by NetOptics and Finisar. There are taps for just about any type of network in use today, including Gigabit SX, LX or ZX, ATM, DS3, T1, Fast Ethernet copper, and Gigabit TX to SX. This means that a NIDS can be deployed using a tap on basically any type of network setup imaginable. Further, taps are completely passive, which means they will not disrupt your current network configuration, and they are easily implemented within any existing network set-up.

Network taps are an ideal way to implement an IDS in a switched, high-speed environment. To understand why taps should be used in these situations, it may be helpful to look at the other options for implementing an IDS in a switched environment. The most commonly used alternative is port spanning, also known as port mirroring. This option, although used often, has inherent flaws that create problems when implementing IDS systems with it.
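As an added illustration (not part of the original article), the following Python model shows what a NIDS on port D sees under each forwarding behaviour the article compares: the hub and switch just described, and the mirror/span port and tap discussed next. The frame data, the utilisation figures and all function names are constructed for this example.

```python
# Constructed sample traffic: one conversation on a full-duplex link between
# switch ports A and C, plus a single frame addressed to the NIDS on port D.
FRAMES = [
    {"src": "A", "dst": "C", "bytes": 1500},
    {"src": "C", "dst": "A", "bytes": 64},
    {"src": "A", "dst": "C", "bytes": 1500},
    {"src": "C", "dst": "A", "bytes": 1500},
    {"src": "B", "dst": "D", "bytes": 128},
]

def hub_visible(frames, nids_port="D"):
    """A hub repeats every frame out of every port, so the NIDS sees all of it."""
    return list(frames)

def switch_visible(frames, nids_port="D"):
    """A switch forwards a frame only to its destination port: the NIDS sees
    traffic addressed to itself and nothing else."""
    return [f for f in frames if f["dst"] == nids_port]

def span_visible(frames, mirrored_port="A"):
    """Port mirroring as the article describes it: the span port gets one side
    of the full-duplex link only (modelled here as frames the mirrored port
    receives)."""
    return [f for f in frames if f["dst"] == mirrored_port]

def tap_visible(frames, tapped=("A", "C")):
    """A passive tap hands the NIDS both directions of the tapped link."""
    return [f for f in frames if {f["src"], f["dst"]} == set(tapped)]

def span_drop_fraction(link_mbps, loads, span_mbps):
    """Oversubscription of a span port that has the same bandwidth as every
    other port: `loads` are the utilisations (0..1) of each mirrored direction
    or port, all funnelled into the one span port. Returns the fraction of
    offered traffic that cannot fit and is therefore dropped."""
    offered = link_mbps * sum(loads)
    if offered <= span_mbps:
        return 0.0
    return 1.0 - span_mbps / offered

if __name__ == "__main__":
    for name, seen in (("hub", hub_visible(FRAMES)), ("switch", switch_visible(FRAMES)),
                       ("span", span_visible(FRAMES)), ("tap", tap_visible(FRAMES))):
        print(f"{name:6s} NIDS sees {len(seen)} of {len(FRAMES)} frames")
    # A 100 Mb/s link at 70 % utilisation in each direction offers 140 Mb/s
    # to a 100 Mb/s span port, so more than a quarter of it is lost.
    print("span drop fraction:", round(span_drop_fraction(100, [0.7, 0.7], 100), 3))
```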
Port spanning or mirroring forces the switch to send either all packets from across the switch, or packets from a specified port, to a specific span/monitoring port in addition to delivering them to their intended recipient. This raises a few issues, the most obvious of which is packet loss at the mirror/span port. When utilizing such a port, it is much like a port on a hub: there will be a higher rate of packet collisions, as the twenty other ports on the switch continually send packets to the mirror/span port. Furthermore, since this mirror/span port usually has the same amount of bandwidth as every other single port, the packet loss is significantly increased again. Port mirroring also presents problems in that it does not receive error packets or VLAN information, and only presents one side of a full-duplex connection. Thus, the IDS sitting on a mirror is severely limited by increased packet loss and complete blindness to half of the traffic on a link. What good is an IDS that can only see half the traffic at best, and less than that under most circumstances? The workings of port mirroring are demonstrated in figure 3.

[Figure 3]

Note that half of the session is not being sent to the mirror/span port. The tap, by contrast, gives IDSs the ability to view both sides of a full-duplex conversation, completely eliminates packet loss due to network hardware, and lets the IDS view all packets that are transmitted across the line. It accomplishes all of this in a passive mode that does not affect the network structure as a whole.

The Role of Taps in Increasing IDS Security

As mentioned in the introduction, taps can actually increase the security of an intrusion detection system installation.
The reason for this is quite simple: an IDS behind a tap does not require an address, because the tap takes any and all data off the line and passes it directly to the IDS interface, eliminating the need for addressing. This prevents directed attacks against the IDS system, and can actually make attackers believe that no IDS is present to identify and track their attacks. By preventing the detection of the IDS by attackers, the survivability of the system is significantly increased. After all, what good is an IDS if it can be attacked and disabled?

Explanation of Implementation

The installation and implementation of taps can be quite easy if you plan the set-up ahead of time and have the right hardware. Most of the time, the tap will come off an expansion port that is commonly found on many newer switches, hubs, and routers. Often this is done through a data terminal equipment (DTE) and/or data communication equipment (DCE) interface. These interfaces will be discussed in greater depth later on. This allows the tap to be completely passive to the network, reducing the chances of the network disruption that many monitoring devices may cause. These lines also allow the high speeds required to tap an entire device while keeping packet loss to an absolute minimum. The DTE/DCE interfaces are then fed directly to the fiber tapping panel, stored on a server rack, which contains the tap monitoring port. Attached to the monitoring port is the NIDS we have decided to use.

[Figure 4]

This is the most common type of set-up. Most network taps can be deployed on multiple devices across the network and then be interfaced together, and with other systems, at the server rack (as illustrated in figure 5).
[Figure 5]

The monitoring racks (tap panels) are usually designed for high-speed (gigabit and better) systems, to allow all of this traffic to be collected at this central point with the minimum possible packet loss. Because of the extremely high speeds these monitoring racks can sustain, it is often necessary to use multiple IDS systems and load balance between them, as very few IDSs are currently able to handle these speeds. If multiple IDSs are used, one may consider aggregating their data on an analysis machine for further viewing and event detection at a later date. Jeff Nathan's Gigabit Tap IDS illustration gives a good demonstration of how this type of system would be set up and operated.

Data Terminal Equip...