With today’s heightened threat levels, many companies are shoring up their defenses and adding an intrusion detection system (IDS) to their security stacks. By constantly monitoring network and system activities for malicious activity or policy violations, IDS applications can alert security administrators to breaches that may otherwise go undetected.
Knowing that an IDS is only is good as the information it receives, how do you physically connect the IDS to the network to ensure that it receives 100% of the traffic?
If a security solution can’t access all network traffic as it flows in and out of the network, it can’t accurately spot an issue. To be sure your IDS sees every packet from every layer, you need a strong network design and security connectivity plan from the start.
Network Connectivity Considerations
The first step in any IDS network design project is to verify the parameters of your physical network. Check the wiring – is it copper or fiber? Is the fiber single or multi-mode? Then check the speed - the difference between a 1G network and a 10G network has significant implications for both the appliance and your connectivity plan.
So how do you physically connect the IDS to the network to ensure that it receives 100% of the traffic? Best practice network design suggests using a network bypass TAP. A bypass TAP is a purpose built piece of hardware whose only job is to provide fail-proof network connectivity to security appliances. They can be inserted anywhere in a network, which allows IDS solutions to analyze and compare traffic patterns. Unlike switches or routers, a bypass TAP doesn’t actively do anything to the traffic, so it cannot impact the data sent to the IDS.
Often times, companies try to connect their IDS appliances to the SPAN/mirror ports on the network switch thinking that it will work well enough for an out-of-band solution. There are a variety of problems with this design. SPAN ports are limited and needed for a variety of network management tasks, which leads to the IDS getting unplugged for a bit when more pressing issues surface. But even when it is plugged in, there is no guarantee that it will see and send all the packets. From a network management perspective, IDS applications are low priority. When traffic loads increase (as they would if the company was under attack), the switch prioritizes mission critical business applications over the IDS solution. Timing changes (sessions and traffic are no longer synced) and/or packets are dropped. In effect, the company is as vulnerable and unprotected as it would be without an intrusion detection system.
Prior to installing an IDS, it is important to decide what kind of data you want to collect and how many points throughout your network do you want to tap? Being able to compare traffic flows from inside the firewall to the traffic outside can identify breaches in which critical data is being steadily sent to a specific IP address. Similarly, analyzing data before and after it flows through the web application servers can reveal critical issues. Identify your traffic collection points beforehand to optimize the network design and connectivity plan accordingly.
From here you can determine how the IDS solution itself should be configured as it is dependent on the amount of data being collected and where it is coming from. For instance, if you have 10 1G collection points, do you want to aggregate the data and connect them to one 10G IDS server to reduce management issues or do you prefer 10 1G servers to reduce costs?
For some projects, budgetary or equipment constraints may require you to evaluate media conversion options. Products that use copper are cheaper than their fiber counterparts. Companies that use expensive single-mode fiber may prefer to use a multi-mode fiber connection between the network TAP and the IDS to lower costs. Bypass TAPs can handle media conversion wherever needed.
Load balancing is a critical part of the network design process – if the solution can handle traffic spikes and packets are lost to the IDS, it may as well be turned off. If a network bypass TAP is in place, it will mitigate this risk – session aware traffic flows can be stored and analyzed as soon as resources become available. Otherwise, you will need a sophisticated policy control algorithm. However, these too tend to be overridden in favor of business critical applications when network resources are scarce.
Intrusion detection systems are fully dependent on your network design and connectivity plan to function properly. Increasing your project budget by a mere 5-10% to include a network bypass TAP will be well worth the investment to ensure that 100% of your network traffic is being analyzed at all times.
[Looking for more on IDS, download our white paper: Managing the Edge of Your Network: A New Necessity for Security Architects]