This project is founded by SURFnet. Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach where the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool like Snort. This approach has four major disadvantages:

  • The sensor must be upgradeable in order to add future honeypots and new signatures.
  • The sensor may be vulnerable to the exploits used against the honeypot and passive analysis software.
  • The D-IDS will generate false positive alerts.
  • Installing and running the sensor is not plug and play.

In order to avoid these disadvantages SURFnet is setting up a different design for a D-IDS. This approach is based on the following rules:

  • The sensor should run out-of-the-box.
  • The sensor should be completely passive and therefore maintenance free.
  • The D-IDS should not generate any false positive alerts.
  • A sensor should be able to run in a standard LAN.
  • Comparison of statistics generated by sensors and groups of sensors should be possible.

In our approach, an ordinary workstation is used as a sensor. The workstation is turned into a sensor by booting it from a USB stick containing the SURFnet D-IDS sensor software. This USB stick contains a remastered Knoppix distribution and uses OpenVPN to start a layer-2 tunnel to the D-IDS server. The layer-2 tunnel is put in bridging mode with the network interface of the sensor. Next, a DHCP request is made from the D-IDS server through the tunnel into the client LAN. This request allows the D-IDS server to obtain an IP address on the client LAN and bind it to a virtual interface on which a honeypot runs. The D-IDS server is thus virtually present on the client LAN, and attackers will think they are attacking a host on the client LAN. The honeypot used on the D-IDS server is Nepenthes, which is able to simulate certain known Windows vulnerabilities. If an attacker triggers the honeypot, this is considered a malicious attack, and the honeypot attempts to retrieve the malware that the attacker tries to place on the host they believe is compromised. All attacks are logged into a PostgreSQL database, and users can view detailed information about the attacks through a web interface.
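As an added illustration of the sensor side of this design (not the SURFnet sensor image itself), the script below generates a tap-mode OpenVPN client configuration and bridges the tap interface with the LAN interface, so the sensor holds no address of its own and stays passive; interface names, the server hostname, certificate file names and the DRY_RUN switch are all assumptions, and the server-side DHCP request through the bridge is not shown.

```shell
#!/bin/sh
# Sensor-side bring-up for a layer-2 (tap) OpenVPN tunnel bridged to the LAN NIC.
# Interface names, server name and certificate paths below are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth0}"
TAP_IF="${TAP_IF:-tap0}"
BR_IF="${BR_IF:-br0}"
SERVER="${SERVER:-tunnelserver.example.net}"   # placeholder tunnel server name
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1 (lets the steps be reviewed
# on a workstation without touching its network configuration).
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# OpenVPN client config: "dev tap0" selects a layer-2 tunnel. No address is
# configured on the tunnel end; the tunnel server obtains one via DHCP later.
sensor_config() {
  cat <<EOF
client
dev $TAP_IF
proto udp
remote $SERVER 1194
ca ca.crt
cert sensor.crt
key sensor.key
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Bridge the LAN interface and the tap interface. The sensor itself gets no IP
# address on the bridge, so it remains passive on the client LAN.
bridge_up() {
  run ip link add "$BR_IF" type bridge
  run ip link set "$LAN_IF" master "$BR_IF"
  run ip link set "$TAP_IF" master "$BR_IF"
  run ip link set "$LAN_IF" up
  run ip link set "$TAP_IF" up
  run ip link set "$BR_IF" up
}

# Full sequence: create the tap device, bridge it, then start the tunnel.
start_sensor() {
  sensor_config > sensor.ovpn
  run openvpn --mktun --dev "$TAP_IF" --dev-type tap
  bridge_up
  run openvpn --config sensor.ovpn --daemon
}
```

Run `DRY_RUN=1 sh sensor.sh` and call `start_sensor` to print the steps instead of executing them.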

Global v2

The main problem with many current IDS solutions is the amount of work needed to deploy and maintain detection throughout your network. Keeping up to date with your detection is important. The SURFids framework was designed with a few key criteria in mind:

  • The system should be easily maintainable.
  • The detection tools should be easily manageable (i.e. updates, new versions, more tools).
  • It should be easy to install for the end-user.
  • Alerts generated should provide no false positives.

The SURFids is a Distributed Intrusion Detection framework. The detection tools are installed on a central server (from now on called tunnel server). Distributed sensors connect to the tunnel server and tunnel all their layer 2 and higher traffic to the tunnel server. This way we create a central spot for all the detection tools we want to implement.

global/global.txt · Last modified: 2012/07/12 11:27 (external edit)