IDS/IPS implementation. Phase 2. Throughput metering

Usually traffic intrusion detection in the corporate network is provided without an ability to affect the productive services. This mode is named IDS (Intrusion Detection System). IDS also may be integrated with the active network equipment for an ability to block the attacker host or network (IDS shun). Another way is the sensor usage in the active protection mode called inline IPS (Intrusion Prevention System) or with an ability to terminate the TCP-sessions by the way of RST-packet sending to the source and destination host of the malicious session. Let's make some analysis of the IDS and IPS modes according to the network integration requirements.

IDS:

- works with the traffic copy, so it needs a SPAN-session, VACL capture, links mirroring or NetFlow information;
- no network traffic influence;
- topological mistake causes the information security monitoring level decreasing;
- no active protection provided.
IDS shun:

- works with the traffic copy: SPAN-session, VACL capture or links mirroring;
- topological mistake causes the information security monitoring level decreasing and shun function ability;

- blocks attacker hosts and networks after the attack is detected and may be done.

IPS with TCP RESET:

- works with the traffic copy: SPAN-session;

- may need an active network equipment additional configuration for the spoofed TCP RST packets forwarding;

- topological mistake causes the information security monitoring level decreasing and TCP RST function ability;

- active protection is effective for the TCP-based protocols only;
- may affect only TCP-based services in the productive environment.

Inline IPS:

- inline installation requires cabling and/or active network equipment configuration;

- may affect productive services going therough the IPS;

- topological mistake causes the information security monitoring level decreasing and productive services functionality;

- additional bottleneck and a point of failure;

- provides an active protection for all types of protocols going through the IPS.

Let's analyze the IDS working with the full traffic copy (SPAN-session, VACL capture or links mirroring). A traffic copy from the managed switch is forwarded to the dedicated mirrored (SPAN-port in the Cisco Systems terminology) or capture-port, where the network sensor is listening. It is possible to copy ingress or egress packets packets from particular physical or logical interfaces to the destination SPAN-port or ACL-described traffic forwarding to the VACL-capture port. So, for the effective intrusion detection the IDS or TCP RST IPS bandwidth must be at least as an aggregated peak bandwidth of the analyzed interfaces.
E.g. we have a switch with n physical or logical interfaces and the network traffic from m of them must be copied to the IDS. In spite of the point of SPAN-session termination the condition must be kept up:

m ≤ n – 1

because the destination SPAN-port can't send its' traffic copy to self. According to the purpose and the switch capabilities any of the m interfaces gives a copy of incoming, outgoing or both directions traffic. Let's define r as a peak interface throughput in the incoming direction and t is for outgoing ones. The destination SPAN-port and IDS throughput (b) for the m interfaces in+out traffic is calculated as described in the formula:

 

           (1)

If we are planning to inspect  incoming or outgoing packets only depending to the switch port and the equipment connected then we must use some additional parameters: y - interfaces quantity with outgoing traffic analyzed, x - interfaces with incoming one. These parameters meet the condition:

x ≤ m, y ≤ m

x and y values ratio are defined with the investigation tasks or software/hardware switch restrictions. So, the formula (1) for the SPAN-port throughput b calculation is transformed to the view:

 

          (2)

  

During the IDS/IPS throughput calculation it is important to take into consideration a traffic ability to grow up or slow down on the analyzed network segment in the close future. The network growth or extinction is expressed in the traffic amount change. Suppose that the network traffic is changed according to the incoming or outgoing packets rate increasing or decreasing. Let's use the traffic rate change coefficient on the interface after the measurement. We'll define it as p for incoming data and as q for the outgoing one. So, these parameters meet the conditions:

 p,q > 1             for interfaces with the increasing traffic;

p,q = 1               if no throughput changes made;

0 < p,q < 1        for the decreasing traffic;

p,q = 0               if the interface was deactivated or the duplex type was changed.

p_i and q_i parameters ratio depends on the traffic or duplex change disposition and may vary. Considering some possible load change in the close future the formula (1) takes the form:

 

                (3)

and the formula (2):

 

              (4)


For the inline IPS sensor throughput it is possible to use formulas (1) - (4) for the physical interfaces connected to the inline IPS. So, we must buy the sensor with the throughput parameter multiplier 2 or 3 in relation to the b value calculated if we want to consider the traffic explosion. 
The practice adaptation of the results described above for the enterprise ethernet network usually concluded to the desision making problems solving:

• Physical interfaces type and quantity determination (FastEthernet, GigabitEthernet or TenGigabit Ethernet and etherchannel usage practicability) for the SPAN/capture port.
• Interfaces type and quantity determination for inline cabling the IPS interfaces.
• IDS/IPS sensor model selection with appropriate throughput.

To be continued... You may enjoy the next part in the Open source vs proprietary article.