Intrusion alert

There’s a persistent problem with today’s new breed of gigabit-speed intrusion-detection systems: They simply cannot plow through IP traffic fast enough to provide blanket protection on networks running at gigabit speed, according to industry experts and at least three vendors who make such products.

When an IDS reaches its maximum processing capacity it begins to drop large numbers of packets, thereby increasing the possibility of missing attacks. The newer gigabit-speed IDS products, delivered as an appliance or software customers load onto their own boxes, fall down on the job, according to lab tests conducted by Miercom, a network consultancy and a Network World (U.S.) Global Test Alliance member. Although IDS equipment can achieve near-gigabit throughput, in lab tests they missed half the attacks thrown at them.

Miercom tested Intrusion Inc.’s SecureNet Gig appliance to see how it stands up to a blitz of Web exploits, buffer overflows, port scanners and the like. The test found the box could detect only 44 per cent of the attacks when incoming traffic reached near-gigabit speed of 986.94Mbps.

“Was it missing 60 per cent? Yes,” acknowledges Ryan Packer, an Intrusion vice-president. Like other IDS tools, SecureNet Gig recognizes suspicious activity based on attack “signatures,” and the challenge is finding a way to perform rigorous signature-based analysis at high speeds.

“It’s like sitting on a highway overpass trying to find autos with expired decals,” Packer says. “It’s much harder to do on a 10-lane highway than a country road. And gigabit speed is 10 lanes wide.”

Intrusion also says there is a limit to the number of simultaneous connections its IDS can tolerate: 50,000 connections for HTTP, e-mail or file transfer traffic, a number it says should be higher.

Intrusion benchmarked this 50,000 limit by beta-testing SecureNet Gig at a large hosting facility for Web pornography sites in Colorado, chosen because of the large files, lengthy HTTP connections and a lot of attempted hacker exploits, Packer says.

In Miercom’s lab tests, SecureNet Gig recognized 88 per cent of attacks thrown its way at 789.6Mbps and 98 per cent at rates up to 690.86Mbps. Intrusion says it will release an upgrade of its gigabit IDS designed to overcome the first version’s shortcomings.

IDS equipment from other vendors hasn’t fared much better in lab tests, according to Kevin Brown, a Miercom engineer.

“The higher the bandwidth, the more the IDS starts dumping packets,” Brown says. He declined to provide more specifics until the lab tests are made public.

However, executives from two other gigabit IDS vendors – Internet Security Systems Inc. (ISS) and Enterasys Networks Inc. – say their products have similar shortcomings. While most vendors don’t like to highlight the limitations of gigabit IDS in their marketing materials, they’re straightforward about it if you ask.

Ron Gula, vice-president of the intrusion-detection unit at Enterasys, says his company’s gigabit IDS product, Dragon Sensor, will not achieve optimum performance over 250Mbps. Enterasys added support for gigabit speed to Dragon so it could accept traffic over 100Mbps.

An IDS works by copying IP traffic so it can analyse packets and packet flows in depth, so the more packets it needs to look at, the harder it is to perform that job, Gula says. When an IDS is pushed past its limit, it simply can’t look at the packets. “We will do a demo for customers, and the demo will show the number of dropped packets,” he says.

ISS, which sells BlackIce Sentry Gigabit, says its IDS can perform attack monitoring at speeds up to 600Mbps.

“High performance has been a challenge to IDS for some time,” says Jason Anderson, an ISS product manager. “The challenge is the packets per second. On a gigabit link, we could easily cover up to the full pipe. But if the packets are on the small side, we tend to drop packets because it’s too many packets per second – 1,500-byte packets are easy, but 64-byte packets are hard.”

ISS is also working on a new high-speed sensor for release next year that is aimed at overcoming these limitations.

The lower-speed IDS product from ISS, RealSecure Network Sensor, is designed to monitor 100Mbps segments. Some organizations, such as Johns Hopkins University, are harnessing multiple RealSecure sensors using load-balancing equipment – Top Layer Networks Inc.’s AppSafe – to achieve gigabit bandwidth coverage as their nets get faster.

“If you’re dropping 50 per cent or 60 per cent of the packets in a full-gigabit network, you have to add more probes,” says Alan Wilkins, Johns Hopkins lead engineer.

“Load balancing is certainly a decent idea. It’s a technique you can throw at the problem,” says Marcus Ranum, CTO at NFR Security, which makes network-based intrusion-detection gear.

“Historically, we’re reluctant to say you can handle more than 600Mbps with an IDS,” Ranum says. Although Top Layer pushes its load-balancing equipment as specialized for IDS, Ranum says balancing the load of IDS can be performed with switches from ArrowPoint Communications Inc. (now Cisco Systems Inc.), F5 Networks Inc. and other vendors. However, costs rise when multiple IDS have to be used with load-balancing gear in lieu of gigabit IDS that cannot reliably handle the traffic stress.
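The packets-per-second ceiling Anderson describes, and the “add more probes” arithmetic behind the load-balanced sensor deployments above, can be worked through numerically. The following is an added capacity-planning example, not code from the article or from any vendor named in it; the 600,000 frames/s sensor ceiling is a constructed figure, not a published rating.

```python
"""Capacity-planning arithmetic for a packet-inspecting IDS sensor.

Constructed example (not from the article): converts a link's bit rate
into the frame rate a sensor must sustain, and estimates how many
load-balanced sensors are needed when one sensor cannot keep up.
"""
import math

# Ethernet on-wire overhead that is not part of the frame itself:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 8 + 12
MIN_FRAME_BYTES = 64      # minimum Ethernet frame, including the 4-byte FCS
MAX_FRAME_BYTES = 1518    # 1500-byte payload + 14-byte header + 4-byte FCS


def frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Maximum frame rate a link can carry at a fixed frame size."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame


def bandwidth_covered_bps(sensor_pps: float, frame_bytes: int) -> float:
    """Link bandwidth a sensor with a given frame-rate ceiling can inspect fully."""
    return sensor_pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def drop_fraction(offered_pps: float, sensor_pps: float) -> float:
    """Share of frames an overloaded sensor never inspects (0.0 if it keeps up)."""
    if offered_pps <= sensor_pps:
        return 0.0
    return 1.0 - sensor_pps / offered_pps


def sensors_needed(offered_pps: float, sensor_pps: float) -> int:
    """Sensors to place behind a load balancer so each stays under its ceiling."""
    return math.ceil(offered_pps / sensor_pps)


if __name__ == "__main__":
    gig = 1_000_000_000
    for size in (MAX_FRAME_BYTES, MIN_FRAME_BYTES):
        print(f"1 Gbps at {size}-byte frames: {frames_per_second(gig, size):,.0f} frames/s")
    cap = 600_000  # hypothetical sensor ceiling in frames/s (constructed figure)
    small = frames_per_second(gig, MIN_FRAME_BYTES)
    print(f"dropped at 64-byte frames: {drop_fraction(small, cap):.0%}")
    print(f"sensors behind a balancer: {sensors_needed(small, cap)}")
    # A sensor that just keeps up with 1518-byte frames at 1 Gbps ...
    big_pps = frames_per_second(gig, MAX_FRAME_BYTES)
    print(f"... covers only {bandwidth_covered_bps(big_pps, MIN_FRAME_BYTES) / 1e6:.1f} Mbps of 64-byte frames")
```

The last line is the practical point: a sensor whose throughput rating was measured with large frames inspects only a small fraction of a gigabit link once the traffic mix shifts to minimum-size frames.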

“Load balancing is a crutch,” says Frank Huerta, CEO at Recourse Technologies Inc., which competes in the gigabit IDS arena with Gigabit ManHunt.

Huerta says Gigabit ManHunt does not falter at high speeds, a claim backed by a Miercom lab test. But the product is designed differently from the signature-based offerings from ISS, Enterasys and Intrusion. ManHunt spots “anomalies” or unusual traffic, but it doesn’t provide nearly the level of detail about applications under attack that its competitors’ products do.

“We’re not as detailed, that’s a fair criticism, and we’re trying to shore that up,” says Fred Kost, a Recourse vice-president.

Faster networks aren’t the only challenge IDS vendors face. Their biggest fear may be new hacker tools with names such as “Stick,” “Snot” and “Whisker” that generate bogus TCP traffic with the goal of interfering with routers and IDSs.

If you can plug tools such as these into the same hub as the IDS, you can deceive any network IDS, says Enterasys product engineer Sam Stover. These hacker tools generate so many suspicious events that they can overwhelm any IDS sensor and let hackers sneak through in the process, or they can even cause an IDS to buckle completely.

These tools also work over T-3 or DSL connections to overwhelm an IDS, although less effectively, Stover says.

For network managers who want to test how well their IDS is performing, professional engineering tools can generate a variety of attacks that might occur during Web sessions.