Intrusion Detection Systems (IDS) are one of the most widely used appliances for detecting attacks in data centers. In inline mode, where all traffic between source and sink passes through the IDS, they play an active role in the network, which raises their performance requirements. Not only does this put the IDS in a position where its performance can (and does) become a bottleneck, but high load also causes security problems for attack detection, resulting in an excessive number of false positives.
With the rise of Software-Defined Networking (SDN) and Network Function Virtualization (NFV), new possibilities arise for the directed manipulation of network traffic, allowing application- and/or connection-oriented network behavior, e.g. routing, to be changed at run-time. Virtualization also allows the dynamic, on-demand placement and instantiation of new network functions at selected network hosts.
We present three SDN-based approaches, adaptive blacklisting, adaptive whitelisting, and selective filtering (the baseline for comparison), which select, based on various criteria, which traffic to send via the IDS and which to forward directly to the protected service host without detours. In all three approaches, traffic for applications that are not protected by signature rules installed in the IDS is also forwarded directly. Adaptive blacklisting routes incoming packets over the IDS only for a configured time window; if an attack is detected during that interval, the traffic is routed permanently via the IDS. Adaptive whitelisting instead requires a threshold of benign packets to be transmitted via the IDS, after which the traffic is routed directly to the host. Selective filtering always routes the traffic the IDS is configured for via the IDS, while all other traffic is forwarded to the service host.
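The following simulation is an added illustration of the three steering policies described above; it is not code from the paper or its evaluation testbed. It assumes a flow is identified by its source address, that the set of ports covered by IDS signature rules is a constructed constant, that the IDS is an oracle which alerts exactly on packets marked malicious in the constructed trace, and (an assumption the abstract does not state) that an alert under adaptive whitelisting resets the benign-packet count for that source. The counters show the trade-off the paper evaluates: fewer packets pass through the IDS, but attacks arriving after a source has been cleared bypass detection.

```python
"""Constructed simulation of three SDN-based IDS steering policies (added example)."""
from dataclasses import dataclass

# Assumption: only these destination ports are covered by IDS signature rules.
PROTECTED_PORTS = {80, 443}
IDS, DIRECT = "ids", "direct"


@dataclass
class Packet:
    src: str
    dst_port: int
    ts: float          # seconds since start of the trace
    malicious: bool    # ground truth; the simulated IDS alerts on exactly these


class SelectiveFiltering:
    """Baseline: protected applications always via the IDS, everything else direct."""
    def route(self, pkt):
        return IDS if pkt.dst_port in PROTECTED_PORTS else DIRECT

    def report(self, pkt, alert):
        pass  # stateless: the IDS verdict does not change future routing


class AdaptiveBlacklisting:
    """Route a new source via the IDS for `window` seconds; an alert in that
    window pins the source to the IDS permanently, otherwise it goes direct."""
    def __init__(self, window):
        self.window = window
        self.first_seen = {}      # src -> timestamp of the first packet
        self.blacklisted = set()  # sources with an alert during their window

    def route(self, pkt):
        if pkt.dst_port not in PROTECTED_PORTS:
            return DIRECT
        if pkt.src in self.blacklisted:
            return IDS
        start = self.first_seen.setdefault(pkt.src, pkt.ts)
        return IDS if pkt.ts - start < self.window else DIRECT

    def report(self, pkt, alert):
        if alert:
            self.blacklisted.add(pkt.src)


class AdaptiveWhitelisting:
    """Route a source via the IDS until `threshold` benign packets have been
    inspected; an alert resets the count (assumed behaviour, not from the paper)."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.benign = {}          # src -> benign packets seen by the IDS
        self.whitelisted = set()  # sources that passed the threshold

    def route(self, pkt):
        if pkt.dst_port not in PROTECTED_PORTS:
            return DIRECT
        return DIRECT if pkt.src in self.whitelisted else IDS

    def report(self, pkt, alert):
        if alert:
            self.benign[pkt.src] = 0
            return
        self.benign[pkt.src] = self.benign.get(pkt.src, 0) + 1
        if self.benign[pkt.src] >= self.threshold:
            self.whitelisted.add(pkt.src)


def simulate(policy, packets):
    """Run a trace through a policy. Returns (via_ids, direct, detected, missed)
    where `missed` counts malicious packets that bypassed the IDS."""
    via_ids = direct = detected = missed = 0
    for pkt in packets:
        if policy.route(pkt) == IDS:
            via_ids += 1
            alert = pkt.malicious  # oracle IDS: perfect verdict for the simulation
            detected += int(alert)
            policy.report(pkt, alert)
        else:
            direct += 1
            missed += int(pkt.malicious)
    return via_ids, direct, detected, missed


# Constructed trace, in time order. 10.0.0.3 talks to a port without IDS rules.
TRACE = [
    Packet("10.0.0.1", 80, 0.0, False),
    Packet("10.0.0.3", 22, 0.1, True),    # unprotected application: always direct
    Packet("10.0.0.2", 80, 0.2, False),
    Packet("10.0.0.2", 80, 0.4, True),    # attack inside the observation window
    Packet("10.0.0.1", 80, 0.5, False),
    Packet("10.0.0.1", 80, 1.0, False),
    Packet("10.0.0.1", 80, 3.0, True),    # late attack from an already cleared source
    Packet("10.0.0.2", 80, 5.0, False),
]


def compare(packets=TRACE):
    """Evaluate all three policies on the same trace; returns a name -> counters dict."""
    return {
        "selective": simulate(SelectiveFiltering(), packets),
        "blacklist": simulate(AdaptiveBlacklisting(window=2.0), packets),
        "whitelist": simulate(AdaptiveWhitelisting(threshold=2), packets),
    }


if __name__ == "__main__":
    for name, (via_ids, direct, detected, missed) in compare().items():
        print(f"{name:>9}: via IDS={via_ids} direct={direct} "
              f"detected={detected} missed={missed}")
```

Selective filtering inspects every packet for a protected port and therefore catches every attack the IDS has rules for, while the two adaptive policies cut the IDS load at the cost of the late attack from the cleared source; the window and threshold parameters are the knobs that move a deployment between those two ends.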
To evaluate these algorithms, we test how the approaches perform under different load scenarios in a data-center-like environment using native and virtualized network components. Under normal load, all three approaches show noticeable increases in network performance with respect to throughput and latency. Adaptive blacklisting and whitelisting suffer from the use of a native SDN switch, which reduces the attack detection rate to 20%, while using a virtualized switch keeps it at a level of about 100%. Under overload, the approaches still show an increase in network performance, and the number of false positives in stress situations is decreased. Again, the adaptive approaches profit from the use of a virtualized switch.
In summary, we show that the performance of IDS can be increased by augmenting them with SDN. Replacing the switch with a virtualized network function makes it possible to minimize the decrease in security accuracy.
These results, among other projects, are part of our research in what we call "Attack-aware Service Function Chaining".