Educause Security Discussion mailing list archives

Re: Network Security IDS vs NetFlow


From: Jesse Bowling <jesseb () UGA EDU>
Date: Sun, 26 Jun 2011 13:09:09 -0400

On 6/26/11 11:50 AM, Daniel Foerst wrote:
> Hey all,
>
> So we are looking into augmenting and increasing our network security.
> We already have a number of security appliances and solutions in place,
> but recently there has been a push for an Intrusion Detection System.
> Now without going into all our preventative measures, I will say that we
> have at least an IPS solution that is used in several locations on our
> network, but not an IDS.

Generally, an IDS = an IPS that's not blocking, simply generating
alerts, so your experiences with an IPS should translate almost directly.

> Now an IDS, to my understanding, is a solution that would require
> multiple network sensors that listen and chirp when many false positives
> occur until we have had enough data received and man time to tune the
> system to our needs.

Essentially correct, just keep in mind that the "man time to tune" never
goes away.  It SHOULD be considered a permanent cost, although many are
guilty of tuning only once or periodically.  There are, after all, only
so many hours in a day.


> Given these two scenarios, what are your thoughts and how would you
> suggest to proceed? I do not want to walk into a meeting (ad hoc or
> structured) without enough understanding, but specifically I would like
> to know others in education that have implemented such solutions.


As a consultant might answer before they start the billable hours
portion:  "It depends."

I think the fundamental thing to keep in mind is that flow data does NOT
generally contain user data*; only high level data is gathered such as
hosts, ports, protocols, time, size, flags set, etc.  IPS/IDS requires
full content data; i.e., a full mirror of the data, headers and payload,
user data.  The most useful IPS/IDS signatures are based on searching
the content of packets, not the headers.

> Personally I like the LanCope solution of leveraging technology we
> already have in place and only requiring one or two collectors vs the
> need to place multiple sensors all over the network. However I am

Flow collection can be turned off or on as needed and pointed at
existing collectors, generally without having to make physical changes,
such as adding additional hardware or backhauling** mirrored traffic for
an IDS/IPS.  This is a powerful advantage, to be able to "zoom in" on
any affected network with minimal configuration complexity.

More advantages can be found in that it is likely that the security and
network groups can both take advantage of flow data for troubleshooting
and incident response.  Flow data is MUCH more compact than full content
data, and is thus easier in terms of management and storage costs.

Watch out for any added complexity if you're dealing with multiple
vendors for networking equipment; i.e., you only get sFlow from Brocade,
and Netflow from Cisco (AFAIK).  The way the data is collected and
distributed is slightly different, and may make a difference if you
require super-accurate counts on things like bytes transferred.

> cognizant enough that buzz words and naming schemes tend to hold a lot
> of weight and as such an "Intrusion Detection System (IDS)" will likely
> seem to be the "needed solution" over a "monitoring/ flow collection
> solution".

An IDS/IPS is great for security folks.  When you want to be able to
tell not just "we have X hosts talking to Y web sites" but "of X hosts,
Z of them are issuing C&C requests to this malicious website", you need
to look at full content data.  Full content data can give you the full
story***.  Full content data is expensive in terms of backhauling and
storage. Full content gives you the most flexibility; for example, you
can collect full content and subject it to IDS AND convert it to a flow
format.



> If any of you wouldn't mind sharing your solutions (I fully understand
> if you can't or don't) or recommend one vendor over another, that would
> be great too!

If you have to choose one, I would choose flow data for its lighter
hardware costs and cross-function benefits (network and security get
insight into the overall picture of the network).  Many questions can be
answered using flow data, and flow data collection from switches and
routers allows you to scale to full network visibility at a smaller
cost, as flow export functionality (of some flavor) is built into any
enterprise networking equipment.

Perhaps flow data for the general case, and an IDS at a logical choke
point, such as the network border.  Most of the action (for security
folks) is happening at the border anyway.  Whatever your feelings on
open-source software, I don't know of any security folks who would
nay-say the use of Snort as your IDS.  The software is free, in heavy
use all over the world, and in addition to the (excellent) free
rulesets, there are very inexpensive (and also excellent) commercial
signature feeds for snort.  You could go a very long way using free
snort with reasonable hardware, and if you need a vendor support model,
you could get it from Sourcefire and not lose time translating the
gained skill set.

All this being said, I know for a fact there are a number of sharp
network and security folks on this list that could chime in and my
opinion is but one of many...

Cheers,

Jesse

* the open source program 'argus' can generate flow data from a full
content data, and can optionally include the first (512?) bytes of user
data.  This is a nice balance in terms of storage, but still incurs all
the other costs of doing full content data such as backhauling and
sensor hardware.

** Backhauling, or bringing a full copy of the required data from the
switch/router it's mirrored from back, to the sensor is not required if
you can put a hardware sensor at the originating switch; however the
added expense of backhauling can save headaches in terms of retrieving
data for analysis and troubleshooting/maintaining sensors.  You MIGHT
get some savings with backhauling in terms of sensor hardware (i.e., one
(beefy) sensor analyzes multiple network locations), but that all
depends on how big the network pipes we're talking about are.

*** Encryption makes full content about as useful as flow data, unless
you have the skill set and resources to pull client certificates and
decrypt the data; even this ability has limits.


> Thanks in advance for any help and guidance!
>
> -dan


-- 
Jesse Bowling
_______________________________________
Incident Response Manager          |~~|
Office of Information Security     |\/|
University of Georgia              |^^|
(706) 542-2127                     |/\|
jesseb at uga dot edu              |~~|
----------------------------------------

No matter that we may mount on stilts, we still must walk on our own
legs. And on the highest throne in the world, we still sit only on our
own bottom. -Michel de Montaigne
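The flow-versus-full-content distinction Jesse draws above, worked through as an added example that is not from the original thread. The packets are constructed sample traffic, the `/gate.php?id=` string is a hypothetical content signature in the spirit of a Snort `content:` match, and `keep_bytes` imitates the argus option of retaining the first N payload bytes per flow.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample packets (not captured traffic):
# (src, dst, sport, dport, proto, tcp_flags, payload)
PACKETS = [
    ("10.0.0.5", "203.0.113.9", 51000, 80, "tcp", {"S"}, b""),
    ("203.0.113.9", "10.0.0.5", 80, 51000, "tcp", {"S", "A"}, b""),
    ("10.0.0.5", "203.0.113.9", 51000, 80, "tcp", {"A", "P"},
     b"GET /gate.php?id=beacon HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
    ("203.0.113.9", "10.0.0.5", 80, 51000, "tcp", {"A", "P"},
     b"HTTP/1.1 200 OK\r\n\r\nok"),
    ("10.0.0.7", "203.0.113.9", 51001, 80, "tcp", {"A", "P"},
     b"GET /index.html HTTP/1.1\r\n\r\n"),
]

@dataclass
class FlowRecord:
    """NetFlow-style summary: counters and flags, no user data by default."""
    packets: int = 0
    octets: int = 0
    flags: set = field(default_factory=set)
    sample: bytes = b""   # first N payload bytes, only when keep_bytes > 0

def build_flows(packets, keep_bytes=0):
    """Aggregate packets into unidirectional 5-tuple flow records.
    keep_bytes > 0 retains the first N payload bytes per flow (argus-style)."""
    flows = defaultdict(FlowRecord)
    for src, dst, sport, dport, proto, flags, payload in packets:
        rec = flows[(src, dst, sport, dport, proto)]
        rec.packets += 1
        rec.octets += len(payload)
        rec.flags |= flags
        if keep_bytes and len(rec.sample) < keep_bytes:
            rec.sample += payload[:keep_bytes - len(rec.sample)]
    return dict(flows)

SIGNATURE = b"/gate.php?id="   # hypothetical content signature

def content_hits(packets, sig=SIGNATURE):
    """Full-content inspection: sources whose payload matched the signature."""
    return sorted({p[0] for p in packets if sig in p[6]})

def flow_hits(flows, sig=SIGNATURE):
    """Same signature over flow records: can only match on retained bytes."""
    return sorted({k[0] for k, r in flows.items() if sig in r.sample})

def talkers_to(flows, dst, dport):
    """The question flow data answers well: who talked to this host/port."""
    return sorted({k[0] for k in flows if k[1] == dst and k[3] == dport})
```

With plain flow records `talkers_to` lists both clients but `flow_hits` finds nothing; only full content (or an argus-style payload sample) separates the beaconing host from the benign one.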
