Abstract
Network intrusion prevention systems provide proactive defense against security threats by detecting and blocking attack-related traffic. This task can be highly complex, and therefore software-based network intrusion prevention systems have difficulty handling high-speed links. This paper describes the design and implementation of a high-performance network intrusion prevention system that combines software-based network intrusion prevention sensors with a network processor board. The network processor acts as a customized load-balancing splitter that cooperates with a set of modified content-based network intrusion detection sensors in processing network traffic. We show that the components of such a system, if co-designed, can achieve high performance while minimizing redundant processing and communication. We have implemented the system using low-cost, off-the-shelf technology: an IXP1200 network processor evaluation board and commodity PCs. Our evaluation shows that our enhancements can reduce the processing load of the sensors by at least 45%, resulting in a system that can handle a fully loaded Gigabit Ethernet link using at most four commodity PCs.
Copyright information
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Xinidis, K., Anagnostakis, K.G., Markatos, E.P. (2005). Design and Implementation of a High-Performance Network Intrusion Prevention System. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds) Security and Privacy in the Age of Ubiquitous Computing. SEC 2005. IFIP Advances in Information and Communication Technology, vol 181. Springer, Boston, MA. https://doi.org/10.1007/0-387-25660-1_24
DOI: https://doi.org/10.1007/0-387-25660-1_24
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-25658-0
Online ISBN: 978-0-387-25660-3
eBook Packages: Computer Science (R0)