North American Network Operators Group


A possible anodyne (was Re: RBL-type BGP service for known rogue networks?).

  • From: Roland Dobbins
  • Date: Fri Jul 07 06:56:53 2000

Here's what I'm implementing in order to a) dynamically disallow
hosts/nets which are causing me problems, and b) ensure that -my-
customers aren't causing problems for anyone else:

	http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/

	http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm

There are similar commercial products like the Network Flight Recorder
from www.nfr.net as well as Snort - www.snort.org - which is a freeware
product.  The things I like about the Cisco solution are its tight
integration with their routers and its scalability.

I can set up this system so that upon detection of an inbound or
outbound attack (tuning it to avoid false positives is key), it
automagically - or with the click of a mouse for purposes of manual
oversight - rewrites the ACLs on designated routers so as to disallow
the offending traffic.  It's a scalable solution, so I can deploy as
many sensor boxes as are necessary, and implement a hierarchy of
'director' machines to run them all.  I can dump all the logging into
Oracle, with the forensic benefits that implies.  This rewriting of ACLs
on the fly is called "shunning" in Cisco terminology, and it can be done
on a per-host or per-network basis, as one would expect.

In fact, Cisco routers may be used as 'sensors' themselves, at the cost
of a bit of CPU overhead.  I haven't experimented with using a router in
this way, yet, but plan on doing so in the near future.  If it doesn't
impact performance too much to do so, I could probably avoid having to
set up SPAN ports for use by the dedicated 'sensor' boxes, as well as
the host ports required for 'sensor'-to-'director' communications.

Since the core of my network is MPLS running on Catalysts with NFFC II
cards, the processing overhead for running extensive ACLs is pretty
low.  Whilst I'm nowhere near the size of a Verio or an Exodus, I should
think that a system such as this, coupled tightly with the
routing/switching infrastructure, could go a long way towards freezing
out the hax0rs and script-kiddies as we all wait to enter the IPv6
Promised Land.  

And it also avoids the pitfalls involved in tinkering with the
functionality of BGP, etc.

Is anyone else out there using an intrusion detection system in this
manner?  Any suggestions or comments would be greatly appreciated.

-- 
-----------------------------------------------------------
Roland Dobbins <[email protected]tmore.net> // 818.535.5024 voice
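To make the "shunning" workflow above concrete, here is an added example (not the poster's or Cisco's code) of a small shun controller: it takes IDS verdicts for a host or a network, refuses to shun prefixes assumed to be our own infrastructure (192.0.2.0/24), optionally holds shuns for manual approval, expires them after a TTL so a false positive is self-healing, and renders the result as an IOS-style extended ACL. The addresses, TTL and ACL name are constructed assumptions.

```python
import ipaddress

# Assumed for this example: prefixes the IDS must never be allowed to cut off.
NEVER_SHUN = [ipaddress.ip_network("192.0.2.0/24")]


class ShunTable:
    def __init__(self, ttl=900, manual_oversight=False):
        self.ttl = ttl                      # seconds a shun stays in place
        self.manual_oversight = manual_oversight
        self.active = {}                    # ip_network -> expiry time
        self.pending = []                   # awaiting a human's approval

    def _covered(self, net):
        """True if an active shun already includes this host/network."""
        return any(net.version == a.version and net.subnet_of(a) for a in self.active)

    def request(self, target, now):
        """Ask to shun a host ('198.51.100.7') or a network ('203.0.113.0/24')."""
        net = ipaddress.ip_network(target, strict=False)
        if any(net.version == p.version and net.subnet_of(p) for p in NEVER_SHUN):
            return "refused"                # protect our own gear from the IDS
        if self._covered(net):
            return "already"                # no duplicate ACL lines
        if self.manual_oversight:
            self.pending.append(net)        # the "click of a mouse" path
            return "pending"
        self.active[net] = now + self.ttl
        return "shunned"

    def approve_all(self, now):
        """Operator approves everything pending; returns how many were activated."""
        for net in self.pending:
            self.active[net] = now + self.ttl
        count, self.pending = len(self.pending), []
        return count

    def expire(self, now):
        """Drop shuns whose TTL has passed; returns how many were removed."""
        gone = [n for n, t in self.active.items() if t <= now]
        for n in gone:
            del self.active[n]
        return len(gone)

    def render_acl(self, name="SHUN-IN"):
        """Render active shuns as an IOS extended named ACL (wildcard masks)."""
        lines = [f"ip access-list extended {name}"]
        for net in sorted(self.active, key=lambda n: (n.version, int(n.network_address))):
            if net.num_addresses == 1:
                lines.append(f" deny ip host {net.network_address} any")
            else:
                lines.append(f" deny ip {net.network_address} {net.hostmask} any")
        lines.append(" permit ip any any")
        return "\n".join(lines)
```

The rendered ACL is what a director would push to the designated routers on each change; rendering the whole list each time (rather than appending) keeps the router's ACL equal to the table after expiries.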