Why can t I just do that with a switch? Joseph Magee Chief Security Officer Top Layer Networks

Transcription

1 Why can t I just do that with a switch? Joseph Magee Chief Security Officer Top Layer Networks - 1 -

2 Introduction In the field you may come across the following question: Why can t I do what your IDS Balancer does with a regular switch? Depending on the depth of the conversation, this question may at first be tough to answer. This short paper describes the clear cut advantages of using a Top Layer IDS Balancer over a Conventional Switch or a Web Switch (such as a Server Load Balancer). Using a Conventional Switch to Aggregate Traffic The truth is, if you re just interested in aggregating multiple traffic streams for sake of analysis by a single device, then you can use a conventional switch (capable of VLANs and SPANS Port) to aggregate traffic. This has been tested with both a Cisco 3500 Series and an Extreme Summit24. Figure 1.1 shows a typical deployment for using a conventional switch to perform traffic aggregation. As you can see, the links coming from the different networks are connected to the switch where they are then mirrored out through the Gigabit port to the Sniffer/IDS. TX Link RX Link Gigabit Etherenet Conventional Switch Gig Capable Sniffer/IDS Network A Network A Network B Network B Network C Network C Figure

3 For this to work, one would define all of the mirror links (coming off of the Net Optics taps or from other SPANS ports) as one VLAN and then mirror that VLAN to a gigabit port. In Figure 1.2 we see that all of the mirror links are defined as vlan01, then vlan01 is mirrored to port 14. In this case, port 14 is the gigabit port on the switch. Conventional Switch vlan01 mirrored to port 14 vlan01 Gig Capable Sniffer/IDS Figure 1.2 Although this methodology takes away some of the value add with using our product to do link aggregation, there are a series of major downfalls: 1. You cannot load balance the aggregated traffic load to multiple IDS Sensors/Sniffers. 2. You re not guaranteed that you will see all traffic due to the potential packet loss of using a SPANS or mirror port. Generally sending data out of a SPANS (or mirror) port is at the bottom of the switch s queuing priority. 3. Asymmetrical network packet streams cannot be reassembled to form a conversation that the IDS can appropriately translate. 4. You can not address the need for requiring multiple copies of the incoming traffic for analysis, forensics, debugging, collection, etc

4 Trying to use a Web Switch to perform IDS Load Balancing When using a web switch or server load balancer to perform IDS balancing, you will run into some pitfalls. First, web switches typically use a VIP or Virtual IP address to be the front end for a farm of servers. When traffic is destined to the VIP address, the web switch load balances that traffic across multiple servers. VIP= Server 1 Internet Web Switch Server 2 Server 3 Figure 2.1 Now if we were to try to apply this same method of load balancing to IDS traffic, the network would look like this: VIP= Sniffer/IDS Sensor 1 Web Switch Sniffer/IDS Sensor 2 Sniffer/IDS Sensor 3 Internet Internet Figure 2.2 As you can see, the problem we have here is that the web switch balances traffic that is destined to its VIP address, it will not balance traffic that is doesn t have the VIP as the destination IP address; therefore, making this methodology ineffective for IDS Balancing

5 While these are fundamental examples of why standard web switches will not work, certain Web Switches, such as Alteon, have the capability of distributing all incoming traffic (not just traffic destined for the VIP) using a basic round robin algorithm. The problem is these web switches use a load balancing algorithm that locks in the source IP address to a specific server (or in this case IDS sensor) to maintain persistence to and from that IP address. While this may be an acceptable methodology for the short term (Figure 2.3), over time you will have an inconsistent balance of network traffic going to a given server or IDS sensor. Figure 2.4 illustrates the effects of this algorithm over time. Note the packet processing utilization inconsistencies Figure 2.3 Figure

6 Using a Top Layer IDS Balancer to Aggregate and Load Balance Traffic Using the Top Layer solution, you can aggregate and balance the incoming traffic load to multiple gigabit capable IDS Sensors/Sniffers or multiple Fast Ethernet IDS Sensors/Sniffers. Another advantage is that you can fully insure that any traffic coming in through the input links will be properly balanced to the IDS Sensors/Sniffers. As Figure 3.1 shows, you can balance the incoming traffic streams to multiple Gigabit capable IDS/Sniffers. Although not shown, you can also balance the incoming streams to the remaining Fast Ethernet ports. Gig Capable IDS/Sniffer Gig Capable IDS/Sniffer TX Link RX Link Gigabit Etherenet Top Layer IDS Balancer Network A Network A Network B Network B Network C Network C Figure 3.1 As you can see this methodology is far more superior to the conventional method. You have the ability to balance the aggregated traffic load to multiple IDS Sensors/Sniffers, provide active failover for your network IDS, and ensure that every packet that is connected to the IDS Balancer will make it to your IDS Sensors

7 What makes the IDS Balancer different from its Web Switch or Server Load Balancing competitors is its unique patented flow based load balancing algorithm. The IDS Balancer maintains state on all inbound traffic and balances the traffic according to flow. A flow is defined as a complete TCP conversation. Additionally the IDS Balancer keeps state on UDP and ICMP which are stateless in nature. This unique load balancing algorithm achieves the most efficient method of traffic distribution for IDS Sensors. Figure 3.2 As Figure 3.2 shows, 1. Multiple inputs are aggregated into the IDS Balancer and are internally condensed into one input stream. 2. The input stream enters the IDS Balancer s State Table. 3. The traffic is balanced flow by flow to each of the IDS Sensors/Sniffers. 4. This balancing algorithm evenly distributes traffic resulting in even packet processing utilization across the IDS Sensors/Sniffers - 7 -

8 Why isn t just using conventional switching with a SPANs port good enough? When deploying a network IDS you have to ask yourself, Do I want to see 100% of my network traffic? If the answer is no and your willing to settle for less than 100% visibility of your network than you probably can get away with using a conventional switch with a SPANs port enabled. To those who think that they can get away with less than 100% I ask: If you re not going to monitor 100% of your network traffic then why perform Intrusion Detection to begin with? It can be very troubling to think that the $ IDS solution that you are about to deploy will only monitor 90% of your network traffic to begin with. (Try proposing that solution to management). It s challenging enough keeping signatures and policies updated on your IDS Sensors. It s important to realize that if you do not monitor 100% of your network traffic then you will miss attacks that occur on your network. Bottom line. Using a conventional layer 2 switch with SPANs or Switchport Analyzer port enabled has many drawbacks. A layer 2 switch is optimized for fast packet handling. When you enable a SPANS port the switch performance becomes an issue on many fronts. Figure 4.1 illustrates known problems with using a conventional layer 2 switch with a SPANs port. 1. Some Layer 2 switches do not allow you to mirror an entire vlan to a single port. 2. The SPANs port is the last thing to be serviced in the queuing of the switch and therefore will drop packets if the switch is doing prioritized duties such as switching vlans. 3. The two 100Mb links coming from the NetOptics tap will overrun the SPAN port with too much bandwidth. This is known as oversubscribing. 4. You can only enable one SPANs port. Attempting to enable more than one will result in erratic behavior.** 5. The IDS Sensor will not receive all of the packets presented to the switch due to conditions The IDS Sensor may not be able to handle the amount of traffic being transmitted to it. **Tested on an Extreme Summit 24 and Cisco 3500 switches

9 In a recent SANS article Intrusion Detection Systems: An Overview of RealSecure the following comments were mentioned about SPAN port problems: The advantage of using a SPAN port is that it can be easily configured and doesn t require additional hardware. There are some limitations to this type of deployment that could cause it to be more trouble than it s worth. A typical switch will only allow for one SPAN port to be used. This means that to monitor more than one port, a range of ports must be spanned to the single SPAN port. In a network with heavy traffic, monitoring more than one port would quickly overwhelm the SPAN port and cause it to start dropping packets. There is also the inability of a SPAN port to mirror errors such as Runts and Giants, which could indicate a network attack. You can read the entire article here: Because of the problems with using a SPANs it is recommended to use a or Schomitti Century Tap. These devices give you a fully mirrored copy of the traffic without introducing any latency into the network. These types of taps are fail open, meaning if they were to fail in your network, your network service would not be interrupted. What about hubs? The use of a hub in an enterprise network is not an option. There is a preconceived notion that using a hub would be an acceptable way to monitor network traffic since all information transmitted on a hub is shared with every port, essentially negating the need for a SPANS port. While hubs are convenient for test environments and in labs, they are not acceptable to use in an enterprise network. Putting a hub inline on your network may have an adverse effect on your network performance. When operating at full duplex hubs are susceptible to packet collisions which will cause your IDS to not see 100% of the packets. When operating at half duplex you will miss packets that are transmitted in access of 50Mbs unidirectional or 100Mbs bidirectional. Why is the Top Layer Solution a better one? The Top Layer IDS Balancer enables you to have 100% Intrusion Detection coverage. Perform 100% Intrusion Detection on high speed networks. Properly aggregate and balance traffic from multiple points on your network. The ability to mirror multiple copies of your network traffic to multiple IDS/Sniffers Allows for IDS in switched environments (with the use of a Tap) Reassemble asymmetrical network streams for intrusion and network analysis. Application based IDS Balancing Active IDS Sensor redundancy Increased scalability as your network speeds increase. Increase the overall effectiveness of your Intrusion Detection