With the advent of worms, passive malcode, and sophisticated attackers, the "Big Firewall" model of security has failed. To build robust commercial networks in the future, security will need to move into the LAN infrastructure. The LAN vantage point requires a nearly two-order-of-magnitude cost/performance improvement over conventional network intrusion detection and response. In this talk, I introduce the rational for LAN-centric defences and the difficulties in implementing for these targets. I will then discuss our work on Shunting, a technique which enables the Bro intrusion detection to operate at Gigabit line rate with the addition of a small piece of hardware support. The small hardware enables Bro to decide, on a connection by connection basis, whether a connection requires further analysis. Additionally, VLAN-rewriting can allow a shunt, when coupled with a commodity managed Ethernet switch, to control all network traffic which passes through the switch.

Length:46 min 29 sec
Date Submitted: 03/01/07
Hits: 73
Rating: based on 0 votes