Author: Seaman
The defining feature of intrusion detection in 2002 was a mixture of joy and worry. The joy is that intrusion detection is no longer a novelty: intrusion detection, firewalls, anti-virus and encryption are now recognized as the four major components of network security procurement and are written into the bidding documents of major projects. The worry is that intrusion detection vendors are not doing well: wage arrears are widespread, there have been large-scale layoffs, and some have closed their doors. On the surface the joy and the worry seem to contradict each other: users have accepted the technology and the market has grown, so business ought to be better. On reflection there is nothing strange about it. It is just like Mr. Ye Shengtao's story "Three or Five Bushels More": a bumper harvest brings more sellers, the price falls, and the farmers are naturally no better off. The difference is that in "Three or Five Bushels More" it is the merchants who force down the price of rice, whereas in intrusion detection it is internal strife, with vendors playing price games and sales tricks against one another. So the joy carries the worry within it.
In most people's memory, 2002 saw no large-scale malicious virus outbreak and no large-scale hacker intrusion or destruction; everything seemed too calm, and there was little worth remembering. In the second half of the year, however, Gigabit IDS suddenly became the brightest spotlight of the intrusion detection market. Amid all the publicity and product launches, the greeting exchanged between intrusion detection vendors became, for a time: "Have you gone gigabit today?"
From the day of its birth, IDS has had to keep improving its performance to keep up with rapidly growing network traffic. China's first Gigabit IDS was launched by Queon Star Corporation and passed the testing and certification of the national authoritative department. This was the embodiment of its "six years honing one sword" and a major technical breakthrough. But it is a process, and it does not yet rest on a base of large-scale deployment. Without extensive experience and without sustained technical research, there can be no "spring breeze arriving overnight, and pear blossoms opening on ten thousand trees." So among the widely advertised Gigabit IDS products, fish and dragons are surely mixed together. Let us look at the highlights and the lies.
A few highlights of Gigabit IDS
1. "Zero copy"
"Zero copy" was a major fashion among domestic intrusion detection vendors this year.
Its technical principle is as follows:
In traditional packet processing, the NIC driver runs in kernel space. When the NIC receives a packet, the packet is stored in kernel space. Because the upper-layer application runs in user space and cannot access kernel space directly, the packet must be passed up to the application through a system call, and a copy occurs at that point. This is often accompanied by a second copy, from the capture library to the detection engine. For an ordinary application handling a small amount of data this overhead is tolerable, but for an application such as an intrusion detection system, which processes massive numbers of network packets, it is hard to bear.
"Zero copy" means that the NIC driver and the application share a memory region. The NIC writes captured packets directly into the shared memory, which removes at least one copy from the process. At the same time, the system call by which the NIC driver copied data into user space is eliminated. The overhead of a system call is in fact considerable; because an intrusion detection system calls the NIC driver so frequently, the traditional method generates an enormous number of system calls, and system performance declines as a result. "Zero copy" is effective against exactly this.
Is "zero copy" the same thing as Gigabit IDS? From the principle above it is clear that "zero copy" is indeed a technique for intrusion detection under high traffic, and that it takes the form of a dedicated NIC driver. But in essence "zero copy" solves the performance problem of packet capture. For a Gigabit IDS, packet capture is one constraint, but packet analysis is another, and "zero copy" solves only the first. "Zero copy" technology alone therefore does not make a Gigabit IDS.
So if what we see in an intrusion detection product is merely a dedicated NIC driver, it should not be called a Gigabit IDS.
2. "Load balancing"
When a single machine cannot solve a problem, people usually think of stacking machines, and that is where load balancing comes from. "Load balancing" means that when traffic exceeds the processing power of a single device, the load is spread across multiple processing devices. It is generally used for important backbone devices such as routers, firewalls and application servers, and it is also a solution for IDS.
Although load balancing solves the detection problem in high-speed network environments to some extent, it is still not the best solution, because load balancing technology has several problems to face and solve:
In general, a load balancer splits traffic according to some rule (such as protocol or IP address). The balancer cannot be clever when traffic from one IP address suddenly surges, and the IDS responsible for that port is overwhelmed. If the balancer spreads the load evenly instead, the information belonging to an attack may be split apart, and the IDS that receives each part may not have the corresponding detection policy configured, so the attack is missed.
In addition, the correlation between the steps of different attack patterns is lost once the traffic is split, and such attacks cannot be identified. Finally, current load splitters are generally dedicated hardware devices whose main suppliers are foreign vendors, so the price is naturally not low. Add several 100M IDS behind them and, on the one hand, more rack space is taken up and management becomes troublesome; on the other hand, users face an additional security investment.
Splitting gigabit traffic across several 100M IDS is only a stopgap before a real Gigabit IDS arrives, and the development of gigabit firewalls proves this. So people's eyes have returned to intrusion detection technology itself. Otherwise, when 10G networks arrive, will there be a load balancer that can split 10 Gigabit across IDS?
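The two failure modes described above can be shown on constructed traffic. The following is an added example, not code from the article or from any vendor's product: it models two splitting rules (hash of the source IP, and strictly even round-robin), a two-step correlation rule that each sensor can only evaluate on the packets it receives, and a constructed packet list with a burst from one source. The IP names, the "probe"/"exploit" step labels and the sensor count are assumptions made for the demonstration.

```python
import hashlib
from collections import defaultdict

def split_by_source_ip(packets, nsensors):
    """Rule-based splitting (here: hash of the source IP). A flow stays on one sensor,
    but a single busy source drops its entire burst on that one sensor."""
    buckets = [[] for _ in range(nsensors)]
    for pkt in packets:
        h = int(hashlib.sha256(pkt["src"].encode()).hexdigest(), 16)
        buckets[h % nsensors].append(pkt)
    return buckets

def split_evenly(packets, nsensors):
    """Strictly even splitting (round robin). Load is balanced, but the packets of one
    attack are scattered over several sensors."""
    buckets = [[] for _ in range(nsensors)]
    for k, pkt in enumerate(packets):
        buckets[k % nsensors].append(pkt)
    return buckets

def sensor_alerts(packets):
    """Constructed two-step rule: alert on a source only after seeing both its probe
    and its exploit. Each sensor correlates only what it receives."""
    steps, alerts = defaultdict(set), set()
    for pkt in packets:
        steps[pkt["src"]].add(pkt["step"])
        if {"probe", "exploit"} <= steps[pkt["src"]]:
            alerts.add(pkt["src"])
    return alerts

def evaluate(splitter, packets, nsensors):
    """Return (per-sensor packet counts, union of all sensors' alerts)."""
    buckets = splitter(packets, nsensors)
    loads = [len(b) for b in buckets]
    alerts = set()
    for b in buckets:
        alerts |= sensor_alerts(b)
    return loads, alerts

def constructed_traffic():
    """Background from 200 sources, a 300-packet burst from one source, then that
    source's probe and exploit. Constructed sample data, not captured traffic."""
    pkts = [{"src": "192.0.2.%d" % i, "step": "normal"} for i in range(200)]
    pkts += [{"src": "198.51.100.9", "step": "normal"} for _ in range(300)]
    pkts += [{"src": "198.51.100.9", "step": "probe"},
             {"src": "198.51.100.9", "step": "exploit"}]
    return pkts

if __name__ == "__main__":
    for splitter in (split_by_source_ip, split_evenly):
        loads, alerts = evaluate(splitter, constructed_traffic(), 4)
        print(splitter.__name__, "loads:", loads, "alerts:", alerts)
```

With the IP-hash rule the burst source's 302 packets all land on one of the four sensors, which is the overload case; with round-robin the loads differ by at most one packet, but the probe and the exploit land on different sensors and the correlation rule never fires.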
3. "Protocol analysis"
"Protocol analysis" should be the technique adopted by most IDS. Its principle is to use existing protocol patterns: go to a fixed position in the packet rather than scanning byte by byte, determine the protocol from the value found there, and carry out the next analysis step accordingly. Its role is very similar to the automatic mail sorter of a post office. It effectively improves analysis efficiency and can avoid the false positives that simple pattern matching brings.
For Gigabit IDS, protocol analysis is not as simple as just determining which protocol a packet carries. To improve performance and accuracy it must go deeper, for example into the values of the data fields of higher-layer protocols. The "protocol analysis" of a Gigabit IDS therefore requires a more complete protocol analysis, narrowing the scope of pattern matching as far as possible.
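The following added example (not code from the article or from any product) ties together the "zero copy" section and the fixed-offset protocol analysis just described. A bytearray stands in for the memory region shared by driver and engine; the engine reads each slot through a memoryview, which aliases the buffer instead of copying it, and the classifier jumps straight to the EtherType, IP protocol and port fields to pick the rule subset for that protocol. The frame builder, the slot layout, the rule table and its patterns are all constructed for the demonstration; the EtherType and IP protocol numbers are the real ones.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
SLOT_SIZE = 2048  # one frame per fixed-size slot of the shared ring (constructed layout)

def build_frame(proto, dport, payload):
    """Build a minimal Ethernet II / IPv4 / TCP-or-UDP frame (constructed test input)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:   # 20-byte TCP header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload

class SharedRing:
    """Memory shared by the 'driver' and the 'engine'; the driver's write is the only copy."""
    def __init__(self, nslots):
        self.buf = bytearray(SLOT_SIZE * nslots)
        self.lens = [0] * nslots
        self.nslots, self.head = nslots, 0

    def driver_write(self, frame):
        i = self.head % self.nslots
        base = i * SLOT_SIZE
        self.buf[base:base + len(frame)] = frame
        self.lens[i] = len(frame)
        self.head += 1
        return i

    def view(self, i):
        """Zero-copy access: a memoryview slice aliases the shared buffer."""
        base = i * SLOT_SIZE
        return memoryview(self.buf)[base:base + self.lens[i]]

def classify(pkt):
    """Fixed-offset protocol analysis: jump to known header positions instead of scanning.
    Returns (proto_name, dst_port, payload_offset) or None for non-IPv4 frames."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    l4 = 14 + (pkt[14] & 0x0F) * 4          # IHL is the low nibble of IP byte 0
    proto = pkt[14 + 9]                      # IP header byte 9 = protocol
    dport = struct.unpack_from("!H", pkt, l4 + 2)[0]
    if proto == IPPROTO_TCP:
        return ("tcp", dport, l4 + (pkt[l4 + 12] >> 4) * 4)
    if proto == IPPROTO_UDP:
        return ("udp", dport, l4 + 8)
    return ("other", proto, l4)

# Constructed rule subsets keyed by the protocol-analysis result (illustrative patterns only).
RULES = {
    ("tcp", 80): [b"cmd.exe", b"/../../"],
    ("tcp", 21): [b"SITE EXEC"],
    ("udp", 53): [b"\x07version\x04bind"],
}
ALL_PATTERNS = [p for pats in RULES.values() for p in pats]

def inspect_zero_copy(ring, i):
    """Parse the slot in place and search only the rule subset for its protocol/port.
    Returns (alerts, patterns_checked, bytes_copied)."""
    cls = classify(ring.view(i))
    if cls is None:
        return [], 0, 0
    proto, port, off = cls
    base, end = i * SLOT_SIZE, i * SLOT_SIZE + ring.lens[i]
    pats = RULES.get((proto, port), [])
    hits = [p for p in pats if ring.buf.find(p, base + off, end) != -1]
    return hits, len(pats), 0

def inspect_copying(ring, i):
    """Traditional path: copy the frame out, then try every pattern against the whole frame."""
    base = i * SLOT_SIZE
    frame = bytes(memoryview(ring.buf)[base:base + ring.lens[i]])   # the copy
    hits = [p for p in ALL_PATTERNS if p in frame]
    return hits, len(ALL_PATTERNS), len(frame)

def view_aliases_shared_memory():
    """Prove the memoryview is not a copy: a later driver write shows through the view."""
    ring = SharedRing(1)
    i = ring.driver_write(build_frame(IPPROTO_UDP, 53, b"AAAA"))
    v = ring.view(i)
    snapshot = bytes(v)                                    # an explicit copy for comparison
    ring.buf[i * SLOT_SIZE + ring.lens[i] - 1] = ord("B")  # driver overwrites the last byte
    return v[-1] == ord("B") and snapshot[-1] == ord("A")
```

The copying path checks every pattern against every frame (it would even flag `cmd.exe` in a packet to port 22, where no HTTP rule applies); the zero-copy path parses the frame where it lies and only consults the rules that protocol analysis has selected. A real kernel/user-space zero-copy driver works at the page-mapping level rather than with Python objects, but the saving it buys is the same: no copy per packet and no system call per packet.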
4. "Matching algorithm"
After protocol analysis, existing commercial intrusion detection systems perform pattern matching. Pattern matching is a comparison of strings, and that involves a question of algorithms, so Gigabit IDS generally claim to adopt an efficient algorithm. This efficient algorithm is usually the BM (Boyer-Moore) algorithm or an improved version of it. It is a very common method in the field of string matching, widely used in the search function of text editors, and it effectively improves the efficiency of matching a single rule against a packet.
Intrusion detection without an efficient algorithm is unimaginable, but under gigabit traffic the efficiency of matching a single rule against a packet does not fully meet the requirement, especially as the number of intrusion detection rules keeps growing: the number of matches that may have to be performed on each packet grows as well, so performance cannot be fully satisfied.
Real efficiency comes from combining the "matching algorithm" with the "rule structure", so that matching efficiency becomes independent of the number of rules, or even improves as the rules increase. At present, the breakthrough in this respect is reflected in Queon Star's "Tianzhu" Gigabit Intrusion Detection System.
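The difference between a fast single-pattern algorithm run once per rule and a rule structure whose cost does not depend on the rule count can be measured directly. The following is an added example, not the article's code and not the algorithm used by any product named here: it implements Boyer-Moore-Horspool (a simplified BM) applied rule by rule, and an Aho-Corasick automaton that compiles all rules into one structure and scans the packet once. The payload and the rule strings are constructed for the demonstration; the work counters (alignments tried, automaton transitions) are the example's own instrumentation.

```python
from collections import deque

def horspool_find(pattern, text):
    """Boyer-Moore-Horspool single-pattern search.
    Returns (found, alignments_tried) so the work can be compared."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return False, 0
    # bad-character table: how far to shift when the window's last byte is c
    shift = {c: m - 1 - i for i, c in enumerate(pattern[:-1])}
    i, tried = 0, 0
    while i <= n - m:
        tried += 1
        if text[i:i + m] == pattern:
            return True, tried
        i += shift.get(text[i + m - 1], m)
    return False, tried

def match_rule_by_rule(patterns, text):
    """Run BM once per rule: total work grows linearly with the number of rules."""
    hits, work = [], 0
    for p in patterns:
        found, tried = horspool_find(p, text)
        work += tried
        if found:
            hits.append(p)
    return hits, work

class AhoCorasick:
    """All rules compiled into one automaton; a packet is scanned in a single pass."""
    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for p in patterns:                      # build the trie
            s = 0
            for c in p:
                if c not in self.goto[s]:
                    self.goto[s][c] = len(self.goto)
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                s = self.goto[s][c]
            self.out[s].append(p)
        queue = deque(self.goto[0].values())    # depth-1 states fail to the root
        while queue:                            # BFS to fill failure links
            r = queue.popleft()
            for c, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and c not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(c, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        """Returns (hits, transitions). Transitions are bounded by 2*len(text)
        whatever the number of rules."""
        s, hits, steps = 0, [], 0
        for c in text:
            while s and c not in self.goto[s]:
                s = self.fail[s]
                steps += 1
            s = self.goto[s].get(c, 0)
            steps += 1
            hits.extend(self.out[s])
        return hits, steps

def compare(patterns, text):
    """Return (rule-by-rule work, automaton work) for the same rules and packet."""
    _, bm_work = match_rule_by_rule(patterns, text)
    _, ac_work = AhoCorasick(patterns).search(text)
    return bm_work, ac_work

if __name__ == "__main__":
    # Constructed payload and rules; the 500 filler rules stand in for a growing rule set.
    payload = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
    small = [b"cmd.exe", b"/etc/passwd", b"SITE EXEC", b"xp_cmdshell"]
    big = small + [b"sig-%04d-pattern" % i for i in range(500)]
    print("4 rules:  ", compare(small, payload))
    print("504 rules:", compare(big, payload))
```

Adding 500 rules multiplies the rule-by-rule work many times over, while the automaton's work stays within twice the packet length; that is the "independent of the number of rules" property the text asks for. The automaton costs memory and build time instead, which is why the rule structure has to be designed together with the algorithm.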
5. "High-performance hardware"
The performance of software depends on the hardware platform it runs on, and domestic intrusion detection products often install their engines on fixed hardware. So, from the outside, a Gigabit IDS looks more imposing than a 100M IDS, and inside, its CPU, memory and so on have higher specifications. A multi-CPU mode, for example, assigns multiple threads to different CPUs to improve performance. "High-performance hardware" can further improve the capability of intrusion detection, but it is definitely not the main factor. So if a gigabit intrusion detection product differs from a 100M one only by a higher hardware configuration, do not treat it as a Gigabit IDS; its correct name is "an IDS that can be connected in a gigabit environment".
A few lies of Gigabit IDS
1. Gigabit detection signatures reaching 1800
I do not know when it began, but the number of signatures became a flagship indicator of intrusion detection, as if the more signatures, the stronger the product. Hence a phenomenon: in one intrusion detection product claiming 1800 signatures, we were surprised to find that the control messages between its own console and engine were counted among them, more than 60 of them, and a backdoor accounted for more than 50. It turned out that this is how the signature count was padded out to that number. I do not know what use such signatures are in a gigabit environment.
2. Monitoring multiple high-speed network segments simultaneously
At present, dual-NIC detection is only suitable for very low-bandwidth network environments. (For example, ISS states clearly in the system requirements manual of the latest version of RealSecure that two Network_Sensors are supported on one host, but only in networks with very low bandwidth; installing three network cards and three network_sensors to monitor three networks is not supported by their installation and maintenance service.) That is to say, with current hardware architectures and operating systems, when two NICs capture and analyze at the same time, the system resources consumed are far greater than when one NIC analyzes the combined traffic of two. In a high-speed (gigabit) network this is even more pronounced. Of course, if a RISC-based architecture were used and capture and protocol analysis were implemented in a dedicated hardware chip, things should improve. Regrettably, no international or domestic intrusion detection vendor has achieved this yet, because chip technology faces technical barriers and monopolies, and developing it alone is costly.
So I believe that dual-NIC detection working under normal traffic still has a long way to go. Claiming simultaneous monitoring of multiple high-speed network segments, without specifying the environment in which it applies, can only be called deceiving the user.
3. Maximum number of monitored TCP connections
The maximum number of TCP connections was originally a firewall indicator. Now it has been introduced as an indicator of intrusion detection as well, and vendors compete on its size. The latest figure: a gigabit white paper claims a maximum of 500,000 TCP connections.
The number of TCP connections supported depends mainly on differences in the program's implementation, and the configured value can easily be changed. What actually limits it is mainly the size of system memory. The calculation is:
Maximum connections × buffer size per connection = memory occupied
For example, if each connection is handled with a 4K buffer, then 10,000 TCP connections means memory usage of 4K × 10000 = 40M.
There are two ways to raise the number of connections. Increasing memory capacity is the obvious one. With the memory occupied held constant, we can instead raise the maximum number of connections by reducing the buffer size used per connection (with 600M of memory space, if we reduce the buffer to 0.5K, the maximum number of connections becomes 1200K). But if the buffer is too small it affects detection accuracy and causes missed detections, so 2K or 4K is generally reasonable. Comparing the capacity of two IDS systems by their maximum number of TCP connections is therefore also a lie.
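The trade-off described above, between connection count and per-connection buffer size, can be made concrete with a small connection table. This is an added example, not code from the article or from any IDS: the table applies the formula above to set its capacity from a memory budget, gives every tracked connection one fixed-size reassembly buffer, and drops whatever does not fit. The connection tuple, the HTTP-like stream and the signature string are constructed for the demonstration.

```python
KB = 1024

def memory_needed(max_connections, buffer_per_connection):
    """The formula from the text: maximum connections × buffer per connection = memory."""
    return max_connections * buffer_per_connection

def max_connections(memory_bytes, buffer_per_connection):
    """The same formula solved for the connection count."""
    return memory_bytes // buffer_per_connection

class ConnectionTable:
    """Per-connection reassembly buffers of one fixed size, bounded by a memory budget."""
    def __init__(self, memory_bytes, buffer_size):
        self.buffer_size = buffer_size
        self.capacity = max_connections(memory_bytes, buffer_size)
        self.streams = {}

    def add_segment(self, conn, payload):
        """Append one TCP segment's payload. Returns False if the table is full and the
        connection cannot be tracked; payload beyond the buffer is silently dropped."""
        buf = self.streams.get(conn)
        if buf is None:
            if len(self.streams) >= self.capacity:
                return False
            buf = self.streams[conn] = bytearray()
        room = self.buffer_size - len(buf)
        if room > 0:
            buf += payload[:room]
        return True

    def matches(self, conn, signature):
        """Search the reassembled (possibly truncated) stream for a signature."""
        return signature in self.streams.get(conn, b"")

def constructed_stream():
    """A request whose signature only appears about 600 bytes into the stream,
    split across two segments so that it must be reassembled to be seen."""
    conn = ("10.0.0.5", 40000, "10.0.0.8", 80)   # constructed 4-tuple
    head = b"GET /" + b"a" * 600 + b"/cmd."
    tail = b"exe?/c+dir HTTP/1.0\r\n"
    return conn, [head, tail]

def detect_with_buffer(buffer_size, memory_bytes=600 * KB * KB):
    """Feed the constructed stream into a table with the given buffer size and
    report (connections the table can hold, whether the signature was found)."""
    table = ConnectionTable(memory_bytes, buffer_size)
    conn, segments = constructed_stream()
    for seg in segments:
        table.add_segment(conn, seg)
    return table.capacity, table.matches(conn, b"cmd.exe")

if __name__ == "__main__":
    for size in (4 * KB, 2 * KB, 512):
        print("buffer %4d bytes -> capacity %7d, detected: %s" % ((size,) + detect_with_buffer(size)))
```

With 600M of memory the 0.5K buffer does yield 1200K connections, exactly as the text computes, but the signature sitting past byte 512 of the stream is never seen; the 4K buffer holds 150K connections and catches it. The bigger number on the data sheet is bought with missed detections.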
4. Detection rule upgrades
The upgrade cycle of anti-virus products is now basically once a week, and some intrusion detection vendors are basically synchronized with anti-virus upgrades. Look at their detection rules, and it turns out they are Snort rules. Everyone knows that Snort rules are free; anyone with time can download them from the Internet, so there is no need to devote specialist staff to analysis and research. Thus quantity is guaranteed, and upgrades are guaranteed too. But Snort itself is only a lightweight intrusion detection system; how can one expect it to run on a gigabit link?
5. Real-time playback of network content
Some intrusion detection vendors' main selling point is capturing all HTTP, FTP and mail information so that administrators can see the content of other people's online activity. This feature is very tempting to some users. But intrusion detection itself examines network information and reports the intrusions and violations it finds. Web browsing and e-mail are usually normal behavior, and complete playback of this information cannot avoid invading privacy and leaking secrets. At the same time, because most online information is this kind of normal behavior, recording it all consumes a great deal of resources and reduces performance; if such playback is also used on a high-speed IDS, the result is disastrous.
Therefore, on confidential networks, this kind of real-time playback of network content is not welcome.
6. Event tracking, analysis and handling
I saw a domestic vendor claim in its product literature the ability to track intrusion events, and I admired it greatly, because a major difficulty of network IDS is precisely the active tracking, analysis and verification of intrusion events. After reading the product's actual features, the so-called "tracking, analysis and handling" turned out to be a few gadgets integrated into the product: you can Ping, Telnet and Tracert the source address, and that is all.
7. Qualifications of Gigabit IDS products
There is a national process of authoritative testing and certification. After launching a gigabit intrusion detection system, many intrusion detection vendors claimed to hold national authoritative certification. In fact, some vendors blurred it together with the qualifications of their 100M products. Here these vendors treat a Gigabit IDS as an IDS that can be installed in a gigabit environment, without emphasizing the differences in technology and performance.
The development of users' network environments toward high speed is an inevitable trend, with gigabit switching equipment, gigabit firewalls and so on; traditional 100M intrusion detection products cannot adapt to existing network structures. People therefore urgently need intrusion detection systems that are faster, have better features and stronger performance, and are suited to raising the level of network security in high-speed environments, while also focusing on the problems related to key protected assets. The information analysis capability and policy control capability of high-speed intrusion detection systems are thus an important challenge.
At present several network security vendors have launched, or privately hinted at, a gigabit intrusion detection system. Some products still need continuous improvement, and some may differ to a degree from user demand in function and performance, or may only be technically close to a final product. That is not the most important thing: as long as there is long-term research and exploration, continuous technical innovation and functional improvement, then once the talk of numbers has passed, they will also have played a good role in promoting the development of high-performance network security products with national independent intellectual property rights. What we do not want is for some intrusion detection vendors, in order to sell their products, to spread exaggerated lies and deceive users, or to play price games and compete unfairly. That is fatal both for the users of intrusion detection and for the whole intrusion detection industry.
"The road ahead is long and far; I will search for it high and low." Qu Yuan's famous line is undoubtedly the best motto for intrusion detection vendors.