Technical Track
SURFnet is a very high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world. SURFnet handles many computer security incidents in which a SURFnet customer is involved, either as a victim or as a suspect. In order to decrease the number of computer security incidents, SURFnet is going to roll out a Distributed Intrusion Detection System (D-IDS) as a service to SURFnet-connected parties.
Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach where the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool like Snort. This approach has four major disadvantages:
- The sensor must be upgradeable in order to add future honeypots and new signatures.
- The sensor may be vulnerable to the exploits used against the honeypot and passive analysis software.
- The D-IDS will generate false positive alerts.
- Installing and running the sensor is not plug-and-play.
In order to avoid these disadvantages SURFnet is setting up a different design for a D-IDS. In this paper we describe a new approach for setting up and rolling out a D-IDS. This approach is based on the following rules:
- The sensor should run out-of-the-box.
- The sensor should be completely passive and therefore maintenance-free.
- The D-IDS should not generate any false positive alerts.
- A sensor should be able to run in a standard LAN.
- Comparison of statistics generated by sensors and groups of sensors should be possible.
Authors & presenters
Rogier Spoor (SURFnet-CERT SURFnet, NL)