This project is founded by SURFnet. Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach in which the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool such as Snort. This approach has four major disadvantages:
In order to avoid these disadvantages SURFnet is setting up a different design for a D-IDS. This approach is based on the following rules:
In our approach, an ordinary workstation is used as a sensor. The workstation is turned into a sensor by booting it from a USB stick containing the SURFnet D-IDS sensor software. This USB stick contains a remastered Knoppix distribution and uses OpenVPN to start a layer-2 tunnel to the D-IDS server. The layer-2 tunnel is put in bridging mode with the network interface of the sensor. Next, a DHCP request is made from the D-IDS server through the tunnel into the client LAN. This request allows the D-IDS server to obtain an IP address on the client LAN and bind it to a virtual interface on which a honeypot listens. In effect, the D-IDS server is present on the client LAN, and attackers will think they are attacking a host on the client LAN. The honeypot used on the D-IDS server is Nepenthes, which is able to simulate certain known Windows vulnerabilities. If an attacker triggers the honeypot, this is considered a malicious attack and the honeypot attempts to retrieve the malware that the attacker tries to place on the host it believes it has compromised. All attacks are logged in a PostgreSQL database, and users can view detailed information about the attacks through a web interface.
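The tunnel set-up described above, as an added illustration that is not SURFids' own configuration: a point-to-point OpenVPN tap tunnel, bridged into the LAN on the sensor end, with the server end requesting a DHCP lease through the tunnel. The hostname tunnel.example.net, the bridge br0 (assumed to be created at boot with the sensor NIC already enslaved), the tap device tap0 and the script paths are assumptions.

```shell
# Added illustration, not SURFids' own files: an OpenVPN layer-2 (tap)
# point-to-point tunnel between a sensor and the tunnel server. The sensor
# bridges its tap into its LAN; the server runs DHCP on its tap end and so
# obtains an address on the sensor's LAN. Assumed names: tunnel.example.net,
# bridge br0 (created at boot with the sensor NIC enslaved), tap device tap0.
set -eu

# Sensor side. "dev tap" carries whole Ethernet frames, so the server's DHCP
# broadcast reaches the client LAN. "remote-cert-tls server" makes the sensor
# verify the peer really is the tunnel server before bridging its LAN into it.
gen_sensor_conf() {
    cat <<'EOF'
tls-client
dev tap0
remote tunnel.example.net 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/sensor.crt
key /etc/openvpn/sensor.key
remote-cert-tls server
script-security 2
up /etc/openvpn/sensor-bridge-up.sh
EOF
}

# Body of the sensor "up" script: OpenVPN passes the tap name as $1; adding it
# to br0 makes frames from the tunnel appear on the client LAN.
sensor_bridge_up() {
    ip link set "$1" master br0
    ip link set dev "$1" up
}

# Server side: no ifconfig/server directive, because the tap's address comes
# from the client LAN's DHCP server via the "up" script.
gen_server_conf() {
    cat <<'EOF'
tls-server
dev tap0
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
script-security 2
up /etc/openvpn/server-dhcp-up.sh
EOF
}

# Body of the server "up" script: the DHCP request made through the tunnel into
# the client LAN. The honeypot then binds to the address $1 is leased.
server_dhcp_up() { dhclient "$1"; }
```

The two gen_* functions print the config files; the *_up functions are the bodies of the scripts those configs point at and need root and real interfaces to run.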
The main problem with many current IDS solutions is the amount of work needed to deploy and maintain detection throughout your network. Keeping up to date with your detection is important. The SURFids framework was designed with a few key criteria in mind:
SURFids is a distributed intrusion detection framework. The detection tools are installed on a central server (from now on called the tunnel server). Distributed sensors connect to the tunnel server and tunnel all their layer-2 and higher traffic to it. This way we create a central spot for all the detection tools we want to implement.