Abstract
Passive network intrusion detection systems detect a wide range of attacks, yet by themselves lack the capability to actively respond to what they find. Some sites thus provide their IDS with a separate control channel back to the network, typically by enabling it to dynamically insert ACLs into a gateway router for blocking IP addresses. Such setups, however, tend to remain narrowly tailored to the site’s specifics, with little opportunity for reuse elsewhere, as different networks deploy a wide array of hardware and software and differ in their network topologies. To overcome the shortcomings of such ad-hoc approaches, we present a novel network control framework that provides passive network monitoring systems with a flexible, unified interface for active response, hiding the complexity of heterogeneous network equipment behind a simple task-oriented API. Targeting operational deployment in large-scale network environments, we implement the design of our framework on top of an existing open-source IDS. We provide example backends, including an interface to OpenFlow hardware, and evaluate our approach in terms of functionality and performance.
Notes
1. Indeed, our Bro OpenFlow module remains independent of Ryu and could support other controllers as well if one extended them with a similar receiver component.
2. Currently, Bro talks to an intermediary Python script, which in turn relays commands to acld through TCP. We plan to integrate Broker into acld directly in the future.
3. As this could potentially reorder rules, users can optionally disable threading.
4. While the lack of this feature does not affect the network control framework directly, it could prevent using it in combination with further static monitoring rules.
5. We excluded the HP A5500 with bi-directional rules due to problematic behavior when inserting rules that way: the average latency was >10 s, with many rules timing out and never getting an acknowledgment from the switch.
6. The connections reporting a size of 0 were not fully established.
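The abstract describes a task-oriented API that hides heterogeneous equipment behind pluggable backends, and notes 3 and 5 touch on two practical details of such a layer: rule ordering and bi-directional rules. The following Python sketch is an added illustration of that layering; it is not the paper's or Bro's code. Its command formats are assumptions: the OpenFlow backend emits dicts shaped like the JSON accepted by Ryu's ofctl_rest application (the paper's Bro module talks to its own receiver component instead), and the ACL backend's one-line text format is made up. The sample rules are constructed.

```python
"""Model of a task-oriented network control API with pluggable backends.

Added illustration, not the paper's code.  Command formats are assumptions:
the OpenFlow backend emits dicts shaped like Ryu ofctl_rest JSON, the ACL
backend emits a made-up 'drop <addr> <timeout>' line.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Union


@dataclass(frozen=True)
class Flow:
    """One connection, identified by its 5-tuple (IPv4 only here)."""
    src: str
    dst: str
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """A backend-independent 'drop' rule produced by the high-level API."""
    rule_id: int
    entity: Union[str, Flow]   # an address or a connection
    timeout: int               # seconds; 0 means no expiry
    priority: int = 100


class OpenFlowBackend:
    """Turns rules into OpenFlow flow entries (assumed ofctl_rest shape).
    An OpenFlow match is unidirectional, so a rule that must cover both
    directions of traffic always yields two entries."""
    name = "openflow"

    def __init__(self, dpid: int):
        self.dpid = dpid

    def supports(self, rule: Rule) -> bool:
        return True   # addresses and connections both map onto matches

    def _entry(self, match: dict, rule: Rule) -> dict:
        return {"dpid": self.dpid, "priority": rule.priority,
                "hard_timeout": rule.timeout, "match": match,
                "actions": []}   # an empty action list drops the packet

    def install(self, rule: Rule) -> list:
        e = rule.entity
        if isinstance(e, Flow):
            ports = {6: ("tcp_src", "tcp_dst"), 17: ("udp_src", "udp_dst")}
            fwd = {"eth_type": 0x0800, "ip_proto": e.proto,
                   "ipv4_src": e.src, "ipv4_dst": e.dst}
            rev = {"eth_type": 0x0800, "ip_proto": e.proto,
                   "ipv4_src": e.dst, "ipv4_dst": e.src}
            if e.proto in ports:   # port fields only exist for TCP/UDP
                k_src, k_dst = ports[e.proto]
                fwd.update({k_src: e.sport, k_dst: e.dport})
                rev.update({k_src: e.dport, k_dst: e.sport})
        else:
            fwd = {"eth_type": 0x0800, "ipv4_src": e}
            rev = {"eth_type": 0x0800, "ipv4_dst": e}
        return [self._entry(fwd, rule), self._entry(rev, rule)]


class AclBackend:
    """A router ACL blocker that only understands whole addresses.
    The 'drop <addr> <timeout>' line is a hypothetical command format."""
    name = "acl"

    def supports(self, rule: Rule) -> bool:
        return isinstance(rule.entity, str)

    def install(self, rule: Rule) -> list:
        return [f"drop {rule.entity} {rule.timeout}"]


class NetControl:
    """Task-oriented front end: callers ask for an outcome (drop this host,
    drop this connection) and the first backend that supports the rule
    gets it.  All installs pass through one method, so the order of the
    log equals the order of the calls."""

    def __init__(self, backends):
        self.backends = list(backends)   # tried in the given order
        self._next_id = 1
        self.log = []                    # (rule_id, backend name, commands)

    def _add(self, entity, timeout: int, priority: int) -> int:
        rule = Rule(self._next_id, entity, timeout, priority)
        self._next_id += 1
        for backend in self.backends:
            if backend.supports(rule):
                self.log.append((rule.rule_id, backend.name,
                                 backend.install(rule)))
                return rule.rule_id
        raise LookupError(f"no backend accepts rule {rule}")

    def drop_address(self, addr: str, timeout: int = 0, priority: int = 100) -> int:
        ip_address(addr)   # reject garbage before it reaches any device
        return self._add(addr, timeout, priority)

    def drop_connection(self, flow: Flow, timeout: int = 0, priority: int = 100) -> int:
        return self._add(flow, timeout, priority)


def demo() -> list:
    """Constructed sample: one host block and one connection block."""
    nc = NetControl([AclBackend(), OpenFlowBackend(dpid=1)])
    nc.drop_address("10.0.0.5", timeout=3600)
    nc.drop_connection(Flow("10.0.0.7", "192.0.2.1", 6, 44321, 80), timeout=60)
    return nc.log


if __name__ == "__main__":
    for rule_id, backend, cmds in demo():
        print(rule_id, backend, cmds)
```

Two design points are visible here. The address block lands on the ACL backend because it comes first and can express it, while the connection block falls through to OpenFlow, which expands it into two unidirectional entries; that is the kind of translation note 5 alludes to when it speaks of inserting bi-directional rules. And because every install is serialized through `_add`, the log order is the call order, the property that note 3 says a threaded implementation can lose.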
References
ACL blocker notes. http://www-nrg.ee.lbl.gov/leres/acl2.html
Allcock, W., Bester, J., Bresnahan, J., Chervenak, A., Liming, L., Tuecke, S.: GridFTP: Protocol Extensions for the Grid. Grid Forum GFD-R-P.020 (2003)
Ballard, J.R., Rae, I., Akella, A.: Extensible and scalable network monitoring using OpenSAFE. In: INM/WREN (2010)
Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: LCN (2010)
Bro Network Monitoring System. https://www.bro.org
Broker: Bro’s Messaging Library. https://github.com/bro/broker
Campbell, S., Lee, J.: Prototyping a 100g monitoring system. In: PDP (2012)
Presentation slides–Anonymized for submission (2014)
ESnet: Science DMZ Security - Firewalls vs. Router ACLs. https://fasterdata.es.net/science-dmz/science-dmz-security/
GlobalNOC: SciPass: IDS Load Balancer & Science DMZ. http://globalnoc.iu.edu/sdn/scipass.html
Gonzalez, J., Paxson, V., Weaver, N.: Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In: ACM Conference on Computer and Communications Security (CCS), Washington, D.C. (2007)
Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Schneider, F.: Enriching network security analysis with time travel. In: Proceedings of the ACM SIGCOMM (2008). http://www.icir.org/robin/papers/sigcomm08-tm.pdf
McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: OpenFlow: enabling innovation in campus networks. CCR 38(2), 69–74 (2008)
Network Control framework and utility code. http://icir.org/johanna/netcontrol
OSCARS: On-Demand Secure Circuits and Advance Reservation System. http://www.es.net/engineering-services/oscars/
Papadogiannakis, A., Polychronakis, M., Markatos, E.P.: Improving the accuracy of network intrusion detection systems under load using selective packet discarding. In: EUROSEC (2010)
Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
Porras, P., Cheung, S., Fong, M., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), February 2015
Ryu SDN Framework. http://osrg.github.io/ryu/
Science DMZ - A Scalable Network Design Model for Optimizing Science Data Transfers. https://fasterdata.es.net/science-dmz
Security and NAT Gateway for the Munich Scientific Network (MWN). https://www.lrz.de/services/netzdienste/secomat_en/
Shirali-Shahreza, S., Ganjali, Y.: FleXam: flexible sampling extension for monitoring and security applications in openflow. In: HotSDN (2013)
Snortsam - A Firewall Blocking Agent for Snort. https://www.snortsam.net
Van Adrichem, N., Doerr, C., Kuipers, F.: OpenNetMon: network monitoring in OpenFlow software-defined networks. In: NOMS (2014)
Xing, T., Huang, D., Xu, L., Chung, C.J., Khatkar, P.: SnortFlow: a OpenFlow-based intrusion prevention system in cloud environment. In: GREE (2013)
Acknowledgments
We would like to thank Aashish Sharma, Keith Lehigh, and Paul Wefel for their feedback and help.
This work was supported by the National Science Foundation under grant numbers ACI-1348077 and CNS-1228792. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Amann, J., Sommer, R. (2015). Providing Dynamic Control to Passive Network Security Monitoring. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_7
DOI: https://doi.org/10.1007/978-3-319-26362-5_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5