Towards HardLANs: Scaling IDS to 1 Gbps and Beyond
Spanagel 421, 1500 - 1550, Thursday, October 26, 2006

Abstract:
With the advent of worms, passive malcode, and sophisticated attackers, the “Big Firewall” model of security has failed. To build robust commercial networks in the future, security will need to move into the LAN infrastructure.

The LAN vantage point requires a nearly two-order-of-magnitude cost/performance improvement over conventional network intrusion detection and response. In this talk, I introduce the rationale for LAN-centric defenses and the difficulties in implementing defenses at this vantage point. I will then discuss our work on Shunting, a technique which enables the Bro intrusion detection system to operate at Gigabit line rate with the addition of a small piece of hardware support. This hardware enables Bro to decide, on a connection-by-connection basis, whether a connection requires further analysis. Additionally, VLAN rewriting can allow a shunt, when coupled with a commodity managed Ethernet switch, to control all network traffic that passes through the switch.
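The following is an added illustrative model of connection-level shunting; it is not the Shunt hardware, Bro, or any code from the speaker or ICSI. It assumes a simplified design: an in-line element keeps an exact-match connection table whose default action is to divert packets to the IDS, and the IDS, after looking at the first packets of a connection, may install a forward or drop entry so the rest of that connection never reaches it. The port numbers, hosts, the "EVIL" payload signature, and the traffic are all constructed for the example; whether the fast path is dedicated hardware or VLAN rewriting on a managed switch is abstracted away.

```python
"""Illustrative model of connection-level shunting (assumed design, not the
real Shunt hardware or Bro): hardware fast path + IDS slow path."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    DIVERT = "divert"    # hand the packet to the IDS (slow path)
    FORWARD = "forward"  # hardware passes it through; the IDS never sees it
    DROP = "drop"        # hardware discards it; the IDS never sees it


# Connection key: (proto, endpoint_lo, endpoint_hi). Endpoints are sorted so
# both directions of a connection hit the same table entry.
ConnKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    def conn_key(self) -> ConnKey:
        lo, hi = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, lo, hi)


class Analyzer:
    """Stand-in for the IDS (Bro in the talk). It sees only diverted packets
    and returns, per packet, what the hardware should do with the rest of
    that connection. Policy here is constructed for the example."""
    ENCRYPTED_PORTS = {22, 443}   # assumed: nothing to inspect after the handshake
    BANNER_PACKETS = 2            # assumed: cleartext packets worth inspecting

    def __init__(self, bad_hosts: Set[str]) -> None:
        self.bad_hosts = bad_hosts
        self.seen: Counter = Counter()   # packets inspected per connection
        self.alerts: List[str] = []

    def inspect(self, pkt: Packet) -> Action:
        key = pkt.conn_key()
        self.seen[key] += 1
        if pkt.src in self.bad_hosts or b"EVIL" in pkt.payload:
            self.alerts.append(f"drop {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return Action.DROP
        if {pkt.sport, pkt.dport} & self.ENCRYPTED_PORTS and self.seen[key] >= self.BANNER_PACKETS:
            # Banner/handshake is over; offload the encrypted bulk to the fast path.
            return Action.FORWARD
        return Action.DIVERT   # keep analyzing this connection


class Shunt:
    """The in-line hardware element: exact-match connection table with a
    default of DIVERT, so every unknown connection reaches the IDS first."""

    def __init__(self, ids: Analyzer) -> None:
        self.table: Dict[ConnKey, Action] = {}
        self.ids = ids
        self.stats: Counter = Counter()

    def handle(self, pkt: Packet) -> Action:
        key = pkt.conn_key()
        action = self.table.get(key, Action.DIVERT)
        if action is Action.DIVERT:
            self.stats["to_ids"] += 1
            action = self.ids.inspect(pkt)
            if action is not Action.DIVERT:
                self.table[key] = action   # later packets stay in hardware
        else:
            self.stats["fast_path"] += 1
        self.stats[action.value] += 1
        return action


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic (not captured data): a 100-packet SSH session,
    a 10-packet HTTP exchange, and a 5-packet connection from a known-bad host."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 22)
    pkts = [Packet("tcp", *c, *s, b"SSH-2.0-client"), Packet("tcp", *s, *c, b"SSH-2.0-server")]
    for i in range(98):
        a, b = (c, s) if i % 2 == 0 else (s, c)
        pkts.append(Packet("tcp", *a, *b, b"\x17\x03\x03ciphertext"))
    h, w = ("10.0.0.5", 40001), ("10.0.0.7", 80)
    for i in range(10):
        a, b = (h, w) if i % 2 == 0 else (w, h)
        pkts.append(Packet("tcp", *a, *b, b"GET / HTTP/1.1" if i == 0 else b"data"))
    for _ in range(5):
        pkts.append(Packet("tcp", "192.0.2.66", 55555, "10.0.0.9", 445, b"EVIL"))
    return pkts


def run(pkts: List[Packet]) -> Tuple[Shunt, Analyzer]:
    ids = Analyzer(bad_hosts={"192.0.2.66"})
    shunt = Shunt(ids)
    for p in pkts:
        shunt.handle(p)
    return shunt, ids


if __name__ == "__main__":
    shunt, ids = run(constructed_traffic())
    print(dict(shunt.stats), ids.alerts)
```

Of the 115 constructed packets only 13 reach the analyzer: the two SSH banner packets, the whole HTTP exchange, and the first packet from the bad host; the other 102 are forwarded or dropped by the table without the IDS seeing them. That ratio is the point of the technique: the analyzer's per-packet cost is paid only on the connections and packets it asks to see. The model is connection-only, so a scanner opening many distinct connections would still cost one diverted packet each; a practitioner would add coarser (address-level) entries for that case, which the talk's description of per-connection decisions does not cover.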

Bio: Nicholas Weaver is a researcher at the International Computer Science Institute in Berkeley. He specializes in network security, in particular the automatic detection and analysis of worms, network intrusion detection, and hardware for high-performance networking. He received his Ph.D. in 2003 from UC Berkeley.