What is the challenge with using BRO to implement your IDS?

To stay competitive, service providers have been expanding the range of services and applications they deliver across their networks to end customers. To do that, they look to OEMs for IP interconnectivity products that prevent intrusions into the network infrastructure and protect communication sessions from malicious and non-malicious threats.

In network interconnection, the key challenge is to detect threats at the edge of the network, where there are gigabytes of data per second to filter, tens of signaling protocols to handle, and tens of thousands of concurrent sessions to process. To address this challenge, Northforge Innovations’ software developers have been investigating several network analysis frameworks for Intrusion Detection System (IDS) development, together with a mechanism for concurrent access to shared data that does not hurt multi-core scalability.

For an IDS, fast bitrate monitoring is required to enforce bitrate rules, and BRO (an open-source, Unix-based network monitoring framework, since renamed Zeek) was chosen for this function. However, the BRO implementation of that function needs some enhancements to reduce its overhead. The current implementation must first match the packet to its flow, then raise the associated BRO event to trigger the related script handler, and that script handler then processes the packet, updates the rate counters, and checks the bitrate threshold. Doing all of this in the script layer for every packet is slow, particularly when many flows must be tracked at once. To address this, the classic approach of distributing the processing across cores can be applied.
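The following BRO/Zeek script is an added illustration, not Northforge's code or part of the BRO distribution. It shows both the per-packet path described above (a `new_packet` handler that looks up the flow, updates a counter and checks the threshold for every packet) and one common way to cut that overhead on a single core: letting the BRO core count bytes and raising a script event only every `step` bytes via the ConnThreshold framework (`ConnThreshold::set_bytes_threshold` and `ConnThreshold::bytes_threshold_crossed`, which I recall from Bro 2.5+/Zeek; treat the exact names as an assumption). The threshold, window and step values are assumed, and the notice type `High_Bitrate` is invented for the example. This is distinct from the multi-core distribution Northforge proposes; it only reduces how often the script layer runs.

```zeek
# Added example: per-flow bitrate threshold check in Bro/Zeek script.
# Not Northforge's or the Bro project's code. Assumes Bro 2.5+/Zeek with
# base/protocols/conn/thresholds loaded (it is loaded by default).
module RateCheck;

export {
    redef enum Notice::Type += { High_Bitrate };

    ## Report a flow whose rate exceeds this many bytes per second (assumed value).
    const bps_threshold: double = 10.0 * 1024 * 1024 &redef;

    ## Slow path: length of the per-flow measurement window (assumed value).
    const window: interval = 1sec &redef;

    ## Fast path: ask the core to raise one event every `step` bytes per
    ## direction instead of one event per packet (assumed value).
    const step: count = 1024 * 1024 &redef;

    ## Set to T to use the per-packet script handler described in the text.
    const per_packet = F &redef;
}

type RateState: record {
    window_start: time;
    bytes: count &default=0;
};

# Per-flow state for the slow path, expired when a flow goes quiet.
global slow_rates: table[conn_id] of RateState &read_expire=5min;

# Time of the last threshold crossing per flow and direction (fast path).
global last_cross: table[conn_id, bool] of time &read_expire=5min;

@if ( per_packet )
# Slow path: every packet raises new_packet, and the flow lookup, counter
# update and threshold check all run in the script layer.
event new_packet(c: connection, p: pkt_hdr)
    {
    local len = p?$ip ? p$ip$len : (p?$ip6 ? p$ip6$len : 0);
    local now = network_time();

    if ( c$id !in slow_rates )
        slow_rates[c$id] = RateState($window_start=now);

    # Records have reference semantics, so updating s updates the table entry.
    local s = slow_rates[c$id];
    if ( now - s$window_start >= window )
        {
        local bps = s$bytes / interval_to_double(window);
        if ( bps > bps_threshold )
            NOTICE([$note=High_Bitrate, $conn=c,
                    $msg=fmt("%.0f bytes/sec (per-packet path)", bps),
                    $identifier=cat(c$id)]);
        s$window_start = now;
        s$bytes = 0;
        }
    s$bytes += len;
    }
@else
# Fast path: the core counts bytes and raises bytes_threshold_crossed once
# per `step` bytes; the script derives the rate from the time between
# crossings and re-arms the threshold.
event new_connection(c: connection)
    {
    ConnThreshold::set_bytes_threshold(c, step, T);
    ConnThreshold::set_bytes_threshold(c, step, F);
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    local now = network_time();
    local prev = ([c$id, is_orig] in last_cross) ? last_cross[c$id, is_orig] : c$start_time;
    local elapsed = now - prev;

    if ( elapsed > 0sec )
        {
        # Exactly `step` bytes were seen in this direction since prev.
        local bps = step / interval_to_double(elapsed);
        if ( bps > bps_threshold )
            NOTICE([$note=High_Bitrate, $conn=c,
                    $msg=fmt("%.0f bytes/sec %s (threshold path)", bps,
                             is_orig ? "orig->resp" : "resp->orig"),
                    $identifier=cat(c$id, is_orig)]);
        }

    last_cross[c$id, is_orig] = now;
    ConnThreshold::set_bytes_threshold(c, threshold + step, is_orig);
    }
@endif
```

Load the script with `bro -r capture.pcap ratecheck.bro` (or `zeek`) and compare the two paths with `redef RateCheck::per_packet = T;`: the per-packet path runs the handler for every packet of every flow, while the threshold path runs it once per megabyte per direction, which is why the event-per-packet design in the text becomes the bottleneck at edge-link rates.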

Regarding attack detection, BRO comes with a variety of options, but their implementation is not optimal: the attack detection handlers lack flexibility in terms of event generation and delivery, and their design does not take advantage of the parallelism of multicore hardware to deliver better performance.

To achieve flexibility, the task of generating events about potential threats is separated from the final event delivery mechanism that triggers protection actions. Splitting these responsibilities makes it possible to use the parallelism of the multicore system, but it creates a scalability issue, because multiple processes then need to access the Shared Memory Area (SMA).

There is still ongoing academic and industry research on improving multicore scalability for high-throughput systems. Currently there are three preferred solutions, and the choice depends on the application that needs access to the data: database partitioning based on functionality, planned data access, and split and merge responsibilities.

An IDS requires fast decision making and therefore quick access to the database. Northforge knows which of the above solutions is best suited for IDS; contact Northforge to take advantage of this expertise.

by Frantz A.
