Educause Security Discussion mailing list archives
Re: Network Security IDS vs NetFlow
From: Jesse Bowling <jesseb () UGA EDU>
Date: Sun, 26 Jun 2011 13:09:09 -0400
On 6/26/11 11:50 AM, Daniel Foerst wrote:
Hey all, so we are looking into augmenting and increasing our network security. We already have a number of security appliances and solutions in place, but recently there has been a push for an Intrusion Detection System. Now without going into all our preventative measures, I will say that we have at least an IPS solution that is used in several locations on our network, but not an IDS.
Generally, an IDS = an IPS that's not blocking, simply generating alerts, so your experiences with an IPS should translate almost directly.
Now an IDS, to my understanding, is a solution that would require multiple network sensors that listen and chirp when many false positives occur until we have had enough data received and man time to tune the system to our needs.
Essentially correct, just keep in mind that the "man time to tune" never goes away. It SHOULD be considered a permanent cost, although many are guilty of tuning only once or periodically. There are, after all, only so many hours in a day.
Given these two scenarios, what are your thoughts and how would you suggest proceeding? I do not want to walk into a meeting (ad hoc or structured) without enough understanding, but specifically I would like to hear from others in education that have implemented such solutions.
As a consultant might answer before they start the billable hours portion: "It depends." I think the fundamental thing to keep in mind is that flow data does NOT generally contain user data*; only high level data is gathered such as hosts, ports, protocols, time, size, flags set, etc. IPS/IDS requires full content data; i.e., a full mirror of the data, headers and payload, user data. The most useful IPS/IDS signatures are based on searching the content of packets, not the headers.
Personally I like the LanCope solution of leveraging technology we already have in place and only requiring one or two collectors vs the need to place multiple sensors all over the network. However I am
Flow collection can be turned off or on as needed and pointed at existing collectors, generally without having to make physical changes, such as adding additional hardware or backhauling** mirrored traffic for an IDS/IPS. This is a powerful advantage, to be able to "zoom in" on any affected network with minimal configuration complexity. More advantages can be found in that it is likely that the security and network groups can both take advantage of flow data for troubleshooting and incident response. Flow data is MUCH more compact than full content data, and is thus easier in terms of management and storage costs. Watch out for any added complexity if you're dealing with multiple vendors for networking equipment; i.e., you only get sFlow from Brocade, and NetFlow from Cisco (AFAIK). The way the data is collected and distributed is slightly different, and may make a difference if you require super-accurate counts on things like bytes transferred.
cognizant enough that buzz words and naming schemes tend to hold a lot of weight and as such an "Intrusion Detection System (IDS)" will likely seem to be the "needed solution" over a "monitoring/flow collection solution".
An IDS/IPS is great for security folks. When you want to be able to tell not just "we have X hosts talking to Y web sites" but "of X hosts, Z of them are issuing C&C requests to this malicious website", you need to look at full content data. Full content data can give you the full story***. Full content data is expensive in terms of backhauling and storage. Full content gives you the most flexibility; for example, you can collect full content and subject it to IDS AND convert it to a flow format.
If any of you wouldn't mind sharing your solutions (I fully understand if you can't or don't) or recommend one vendor over another, that would be great too!
If you have to choose one, I would choose flow data for its lighter hardware costs and cross-function benefits (network and security get insight into the overall picture of the network). Many questions can be answered using flow data, and flow data collection from switches and routers allows you to scale to full network visibility at a smaller cost, as flow export functionality (of some flavor) is built into any enterprise networking equipment. Perhaps flow data for the general case, and an IDS at a logical choke point, such as the network border. Most of the action (for security folks) is happening at the border anyway. Whatever your feelings on open-source software, I don't know of any security folks who would nay-say the use of Snort as your IDS. The software is free, in heavy use all over the world, and in addition to the (excellent) free rulesets, there are very inexpensive (and also excellent) commercial signature feeds for Snort. You could go a very long way using free Snort with reasonable hardware, and if you need a vendor support model, you could get it from Sourcefire and not lose time translating the gained skill set.

All this being said, I know for a fact there are a number of sharp network and security folks on this list that could chime in and my opinion is but one of many...

Cheers,

Jesse

* The open source program 'argus' can generate flow data from full content data, and can optionally include the first (512?) bytes of user data. This is a nice balance in terms of storage, but still incurs all the other costs of doing full content data such as backhauling and sensor hardware.

** Backhauling, or bringing a full copy of the required data from the switch/router it's mirrored from back to the sensor, is not required if you can put a hardware sensor at the originating switch; however the added expense of backhauling can save headaches in terms of retrieving data for analysis and troubleshooting/maintaining sensors. You MIGHT get some savings with backhauling in terms of sensor hardware (i.e., one (beefy) sensor analyzes multiple network locations), but that all depends on how big the network pipes we're talking about are.

*** Encryption makes full content about as useful as flow data, unless you have the skill set and resources to pull client certificates and decrypt the data; even this ability has limits.

Thanks in advance for any help and guidance! -dan

--
Jesse Bowling
Incident Response Manager
Office of Information Security
University of Georgia
(706) 542-2127
jesseb at uga dot edu

No matter that we may mount on stilts, we still must walk on our own legs. And on the highest throne in the world, we still sit only on our own bottom. -Michel de Montaigne
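The flow-versus-full-content distinction drawn in this reply, shown as an added example that is not part of the thread: constructed packet records (not real traffic) are summarised into flow records the way a collector would, keeping hosts, ports, protocol, times, sizes and TCP flags but dropping payload. The `user_bytes` option mimics the argus-style "first N bytes of user data" sample from the footnote, and the two query functions show which question each kind of data can answer. All host names, addresses and payloads are assumptions.

```python
# Constructed packets standing in for a full-content capture (not real traffic).
# Fields: (time, src, sport, dst, dport, proto, tcp_flags, payload)
PACKETS = [
    (1.00, "10.0.0.5", 51000, "198.51.100.7", 80, "tcp", "S", b""),
    (1.01, "198.51.100.7", 80, "10.0.0.5", 51000, "tcp", "SA", b""),
    (1.02, "10.0.0.5", 51000, "198.51.100.7", 80, "tcp", "PA",
     b"GET /gate.php?id=42 HTTP/1.1\r\nHost: c2.example\r\n\r\n"),
    (1.10, "198.51.100.7", 80, "10.0.0.5", 51000, "tcp", "PA",
     b"HTTP/1.1 200 OK\r\n\r\n"),
    (1.20, "10.0.0.5", 51000, "198.51.100.7", 80, "tcp", "FA", b""),
    (2.00, "10.0.0.9", 52000, "198.51.100.7", 80, "tcp", "PA",
     b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]


def flow_key(pkt):
    """Bidirectional key: order the two endpoints so both directions share one flow."""
    _, src, sport, dst, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def to_flows(packets, user_bytes=0):
    """Summarise packets into flow records (hosts, ports, times, counts, flags).

    user_bytes=0 is plain flow data: payload is discarded entirely.
    user_bytes>0 keeps an argus-style sample of the first N payload bytes.
    """
    flows = {}
    for pkt in packets:
        t, src, sport, dst, dport, proto, flags, payload = pkt
        f = flows.setdefault(flow_key(pkt), {
            "proto": proto, "start": t, "end": t, "pkts": 0, "bytes": 0,
            "flags": set(), "peers": set(), "udata": b""})
        f["end"] = max(f["end"], t)
        f["pkts"] += 1
        f["bytes"] += len(payload)
        f["flags"].update(flags)            # union of TCP flag letters seen
        f["peers"].update({(src, sport), (dst, dport)})
        if len(f["udata"]) < user_bytes:    # only retained when sampling is on
            f["udata"] += payload[: user_bytes - len(f["udata"])]
    return list(flows.values())


def hosts_talking_to(flows, server, port):
    """Flow-only question: which hosts exchanged traffic with server:port?"""
    return sorted(h for f in flows if (server, port) in f["peers"]
                  for h, p in f["peers"] if (h, p) != (server, port))


def content_hits(flows, signature):
    """Content question: only flows that retained user data can ever match."""
    return [f for f in flows if signature in f["udata"]]
```

Run against the constructed packets, plain flow records answer "which hosts talked to the web server" but return no hits for a payload signature; the same records built with `user_bytes=512` do match it, at the storage cost the footnote describes.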