Posted by: Robert Westervelt
IDS, intrusion detection systems
Some experts have signaled the slow demise of intrusion detection systems, but one firm is having success in the government sector with an IDS appliance that captures 100% of network traffic.
In government circles, it’s the little but powerful engine that could. New Zealand firm Endace is quietly making headway with its intrusion detection system (IDS) appliances and is slowly making a name for itself.
The firm has developed an IDS powerful enough to capture 100% of network traffic and has added analysis tools that government agencies can use, as part of layered network defenses, to alert on anomalies. The system works by deploying “probes” at various points in the network, with management and analysis taking place on a centralized system. Endace’s system is Linux-based and uses high-end Intel processors to collect 100% of network packets into a memory buffer and then write them to disk, where analysis can take place. The system supports link speeds up to 40 Gb/s and can store up to 32 TB of captured data. It is set to automatically discard the oldest traffic after a retention window of days or weeks.
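The capture-retain-analyze pipeline described above, rebuilt from stock open source tools as an added example (this is not Endace’s code, and the interface name, spool directory, retention window, byte budget and the choice of tcpdump for capture and Suricata for the analysis stage are all assumptions for illustration). It shows the two retention policies an appliance with a fixed disk has to combine: expire by age (the “days or weeks” window) and expire by size (oldest first, until the spool fits the budget), plus replaying a retained file through the IDS engine for after-the-fact detection:

```shell
#!/usr/bin/env bash
# Added example: a minimal "packet vacuum" built from stock tools. Not Endace
# code; every path, interface and limit below is an assumed value.
set -eu

CAP_DIR="${CAP_DIR:-/var/cap}"          # assumed capture spool directory
IFACE="${IFACE:-eth0}"                  # assumed tap/SPAN monitor interface
RETAIN_DAYS="${RETAIN_DAYS:-14}"        # assumed retention window in days
BUDGET_BYTES="${BUDGET_BYTES:-$((32 * 1024 * 1024 * 1024))}"  # assumed 32 GiB budget

# Full-packet capture into a time-rotated ring: a new file every hour, snaplen 0
# so no packet is truncated. tcpdump expands the strftime pattern in -w when -G
# is given, and -Z drops privileges once the interface is open.
start_capture() {
    tcpdump -i "$IFACE" -s 0 -n -G 3600 \
        -w "$CAP_DIR/cap-%Y%m%d-%H%M%S.pcap" -Z nobody
}

# Age-based expiry: remove ring files older than the retention window.
expire_by_age() {
    local dir="$1" days="$2"
    find "$dir" -maxdepth 1 -type f -name 'cap-*.pcap' -mtime +"$days" -print -delete
}

# Bytes currently held in the spool (only the ring files count).
spool_bytes() {
    local dir="$1" total=0 f
    for f in "$dir"/cap-*.pcap; do
        [ -f "$f" ] || continue
        total=$(( total + $(wc -c < "$f") ))
    done
    echo "$total"
}

# Size-based expiry: delete the oldest files first until the spool fits the
# budget. ls -tr lists oldest first; ring file names contain no whitespace.
expire_by_size() {
    local dir="$1" budget="$2" f
    for f in $(ls -tr "$dir"/cap-*.pcap 2>/dev/null || true); do
        [ "$(spool_bytes "$dir")" -le "$budget" ] && break
        rm -f -- "$f"
    done
}

# Replay a retained file through Suricata (assumed installed) so rules written
# after the fact can be run over traffic captured days earlier.
analyze_pcap() {
    local pcap="$1" logdir="$2"
    suricata -r "$pcap" -l "$logdir"
}
```

Run `expire_by_age "$CAP_DIR" "$RETAIN_DAYS"` and `expire_by_size "$CAP_DIR" "$BUDGET_BYTES"` from cron alongside the capture process; the age rule bounds how far back an investigator can look, and the size rule is what actually stops the disk from filling when traffic volume spikes.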
Network security expert Marcus Ranum, who was CEO of Network Flight Recorder, an early innovator in the IDS market in the 1990s, said early IDSes were deeply rooted in analysis, but they were a tough sell to enterprises because the systems gave too much information about the company’s network.
“Everybody wanted to buy an intrusion detection system and have it shut the hell up,” Ranum said. “We thought people were going to have this thing that sent alerts to console and would do something about it, but they didn’t.”
Network Flight Recorder was acquired by Check Point Software Technologies Ltd. in 2007. Ranum, who is currently chief security officer at Tenable Network Security, described the environment at the time as extremely frustrating for IDS.
“A lot of customers would buy intrusion detection systems, plug them in and get a swarm of information,” he said. “To an experienced network admin, much of that information meant they were completely owned, but many people saw it as way too much work.”
That’s where intrusion prevention systems (IPS) came into play, Ranum said. Rather than passively checking traffic and alerting, an IPS would detect some network anomalies, identify them as malware and at some point take action. Ranum is not a huge fan of IPS, even calling it a “slap in the face of the design goal of intrusion detection.” IPSes had sexy interfaces and were capable of stopping some worms, he said.
Endace’s IDS appliances seem like a packet vacuum. Sucking up massive amounts of traffic, as Endace purports to do, can enable network administrators to do a lot of really neat stuff with algorithms over the long term, Ranum said.
Tim Nichols, Endace’s vice president of marketing, said the firm has already distinguished itself at dozens of government agencies and looks to go beyond the network forensics market. (Think NetWitness Corp., Solera Networks Inc.) He sees a multifunction cybermonitoring market emerging in which network probes tie into a central correlation system – an airline black box that records and analyzes all network traffic. It’s a system that is especially helpful for lawful intercept by government agencies and Internet service providers, he said.
Endace banks on Snort replacement
Endace provides no – zero – reporting capabilities, but Nichols says that’s not the point. He said he doesn’t see Endace being sold to enterprises to address regulatory issues since those firms tend to go for cheaper network monitoring products to meet compliance goals, rather than using the technology for a specific purpose. That probably leaves the company firmly tied into the government arena, though it has also landed customers in the financial services market.
“If you want to do lawful intercept, surveillance stuff or IDS in very particular environments then you want to capture every packet and be alerting on every packet,” Nichols said.
Capturing packets is only part of the problem, Nichols said, adding that the company built out a managed environment to analyze and work with the packets. What makes Endace unique is its ability to get network packets written to disk at line rate, he said.
What else distinguishes Endace? The company is betting much of its future on Suricata, an open source initiative that looks to build on Snort’s open source IDS engine. Snort is somewhat blind to application layer threats, whereas Suricata aims to change that with more processing power: it supports multicore processors and accelerated network parsing.
“The objective is to create a next generation of open source IDS/IPS engine to replace Snort,” Nichols said. “This is about laying the foundation, applying the right engines on top of it and it’s about community partnership, because only the community can solve this problem.”
Endace’s appliances are currently being evaluated by NSS Labs. If all goes well, the company hopes to present the results at RSA Conference Europe in July.