The Power of Virtualisation for Comprehensive Intrusion Detection

Virtualisation is not something we usually associate with intrusion detection capability (beyond, perhaps, consolidating your back-office technology and the cost-saving and green benefits that brings), but there is much to be gained from developing solutions around virtual environments. Take, for example, the traditional sensor configuration: many implementations focus on a single product. From the open-source perspective this would usually be one built around Snort, or perhaps Bro. Most analysts will know the limitations this brings, and most will realise that the resulting view of the network is severely limited.

This is where I believe virtualisation technologies can fill the gap. You will already know the benefits of a single virtual environment in place of many physical servers; however, it seems to have remained an untouched area in the network security field. An effective intrusion detection system must provide the analyst with a comprehensive view of the area they are monitoring. Restricting the sensor configuration to a single product often fails to provide an acceptable level of coverage, which is why the commercial market is moving towards multiple-sensor configurations, much like anti-virus products, incorporating heuristic analysis tools and much better sensor optimisation options. Here is where the open-source community can benefit from using a virtual environment. The commercial development sector has the resources available to integrate multiple technologies into their “off the shelf” products, whereas the open-source community often doesn’t have this luxury. However, many technologies have already been built to provide the individual functionality needed to create a comprehensive sensor solution; they just haven’t been combined into a usable whole. Virtual environments could allow the implementation needed to gain full coverage, without having to use commercial solutions. Let me explain:

Imagine a system, built on a virtual platform, allowing the analyst to deploy any number of sensor technologies able to monitor the tapped traffic already presented to your current environment. The concept is simple: the virtual platform provides a base on which to deploy sensor ‘images’ as and when they are required. You may choose to deploy a Snort, a Bro and, say, a Suricata sensor, running in tandem to provide the traditional signature-based analysis, Bro’s heuristics and Suricata’s protocol awareness. At this point the idea is a concept; I assume extensive testing would need to be done to determine what, if any, virtualisation technology is able to provide the near-real-time packet awareness that is needed for effective monitoring. However, where there is a will, there is a way, as they say! I have an idea of how this might work:

Currently my idea is one of installing a separate packet capture server, fitted with the usual DACs and high-speed SAS drives (or whatever spec you use for dumping packets). This acts as a buffer in front of the actual sensor “engine”, perhaps using tcpreplay to forward the traffic on at a rate the sensors can manage. The virtual host should be configured with multiple gigabit NICs in an EtherChannel configuration to allow maximum throughput. The guest machines (the sensors) would be configured with direct access to the EtherChannel (this is where the concept truly is just a concept, as I’m not quite sure how possible this is), and their respective operating systems configured just like any other standalone sensor. This should give us an environment allowing multi-sensor detection capability in a single host. The hard bit is going to be normalising the output…

One major issue I foresee with developing a solution like this is how to correlate the output from each sensor. There is no guarantee that the packets will be processed and the results output at the same time (in fact, it almost certainly won’t happen), so this raises an important question: how do we know that a packet one sensor fired against is the same packet the next fired on?
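One practical answer to the correlation question, as an added example that is not part of the original post: normalise each sensor’s alerts into a common record (sensor, timestamp, connection 5-tuple, signature id, message), then group records that share a 5-tuple and fall within a tolerance window, rather than expecting identical timestamps. The sample alert lines below are constructed for the example, written in the shape of Snort’s “fast” alert format and Suricata’s EVE JSON output; the field names used for the Suricata records (`timestamp`, `event_type`, `src_ip`, `dest_ip`, `proto`, `alert.signature_id`) are the ones those outputs use, but the signature ids and messages are invented. A group containing more than one sensor is a corroborated detection; a group with a single sensor is a coverage difference worth a second look.

```python
"""Correlate alerts from two sensors that monitored the same tapped traffic.

Added example (not from the original post). Sensors do not emit alerts at
the same instant, so records are matched on the connection 5-tuple with a
configurable timestamp skew. All sample alert text below is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Snort "fast" alert lines. The format carries no year, so the
# parser is given one.
SNORT_FAST = """\
01/14-10:00:01.120000  [**] [1:1000001:1] TEST web shell probe [**] [Priority: 1] {TCP} 10.0.0.5:51012 -> 192.0.2.10:80
01/14-10:00:03.400000  [**] [1:1000002:1] TEST dns tunnel pattern [**] [Priority: 2] {UDP} 10.0.0.7:40000 -> 192.0.2.53:53
01/14-10:00:20.000000  [**] [1:1000003:1] TEST only snort saw this [**] [Priority: 3] {TCP} 10.0.0.9:55555 -> 192.0.2.20:443
"""

# Constructed Suricata EVE JSON records for the same traffic, emitted about a
# second after Snort. The "flow" record is deliberately not an alert.
SURICATA_EVE = """\
{"timestamp":"2010-01-14T10:00:02.300000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51012,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"signature":"TEST http shell probe"}}
{"timestamp":"2010-01-14T10:00:04.100000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","alert":{"signature_id":2000002,"signature":"TEST dns tunnel pattern"}}
{"timestamp":"2010-01-14T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP"}
"""

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_snort_fast(text, year):
    """Yield normalised alert records from Snort fast-format lines."""
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed alert line
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield {
            "sensor": "snort",
            "ts": ts.replace(tzinfo=timezone.utc),
            "key": (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            "sid": m["sid"],
            "msg": m["msg"],
        }


def parse_suricata_eve(text):
    """Yield normalised alert records from Suricata EVE JSON (alerts only)."""
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http ... records are not detections
        yield {
            "sensor": "suricata",
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "key": (rec["proto"], rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]),
            "sid": str(rec["alert"]["signature_id"]),
            "msg": rec["alert"]["signature"],
        }


def correlate(alerts, window_seconds=5.0):
    """Group alerts sharing a 5-tuple whose timestamps lie within the window.

    Returns a list of groups (each a list of alert records). Alerts on the
    same 5-tuple that are further apart than the window start a new group.
    """
    by_key = defaultdict(list)
    for a in alerts:
        by_key[a["key"]].append(a)
    groups = []
    for items in by_key.values():
        items.sort(key=lambda a: a["ts"])
        current = [items[0]]
        for a in items[1:]:
            if (a["ts"] - current[0]["ts"]).total_seconds() <= window_seconds:
                current.append(a)
            else:
                groups.append(current)
                current = [a]
        groups.append(current)
    return groups


def summarise(groups):
    """Return (corroborated, single_sensor) group counts."""
    corroborated = sum(1 for g in groups if len({a["sensor"] for a in g}) > 1)
    return corroborated, len(groups) - corroborated


def load_sample_alerts():
    """Normalised records from both constructed sensor outputs."""
    return list(parse_snort_fast(SNORT_FAST, 2010)) + list(parse_suricata_eve(SURICATA_EVE))


def run_demo():
    groups = correlate(load_sample_alerts())
    for g in sorted(groups, key=lambda g: g[0]["ts"]):
        sensors = ",".join(sorted({a["sensor"] for a in g}))
        detail = "; ".join(f"{a['sensor']}:{a['sid']}" for a in g)
        print(f"{g[0]['key']} seen by {sensors}: {detail}")
    return summarise(groups)


if __name__ == "__main__":
    print(run_demo())  # -> (2, 1): two corroborated groups, one single-sensor
```

The window is the tuning knob: set it to the worst-case processing skew you measure between sensors in the virtual host, and widen the key (for example by hashing the first bytes of payload, if the sensors log them) when many short connections reuse the same ports.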

For now, I will leave this for you to think about. I believe it is an interesting and potentially usable solution; whether the technology is there yet remains to be seen. But I’m sure it can be done. I would appreciate your comments and suggestions. Perhaps you know a group attempting this, or know that it’s already been done! Either way, I would be interested to hear.


About Me

Hi. I'm Matt Newham, 23 years old. I'm a network security engineer, specializing in Intrusion Detection.
