Tuning Intrusion Detection to Work with a Two Encryption Key Version of IPsec

Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. Host-based intrusion detection systems (HIDSs) can provide some of the functionality of NIDSs, but with limitations: HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised. We propose an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately ("Two-Zone IPsec"). We show that all of the network events currently detectable by the Snort NIDS on unencrypted network traffic are also detectable on encrypted network traffic using this approach. The NIDS detects network-level events that HIDSs have trouble detecting, and HIDSs detect application-level events that cannot be detected by the NIDS.
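As an added illustration of the Two-Zone idea (this is not the paper's design or code; the packet layout, the stand-in cipher, and the Snort-like header rules are assumptions): a sender seals the transport header and the application payload under two different keys, and a NIDS that holds only the header key can evaluate header rules while the body remains unreadable to it.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the paper's code. A toy "Two-Zone" packet: the transport
# header and the application payload are sealed under two separate keys, so a
# NIDS holding only the header key can read headers while the body stays opaque.
# Stand-in cipher: HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC with
# domain-separated labels. Real ESP would use the negotiated cipher/integrity algs.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed: wrong key or tampered zone")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

HDR = struct.Struct(">HHB")  # toy transport header: src port, dst port, TCP flags
# Header-only rules a NIDS can evaluate without the body key (constructed, Snort-like).
RULES = [("telnet to dst port 23", lambda src, dst, flags: dst == 23),
         ("TCP NULL scan (no flags set)", lambda src, dst, flags: flags == 0)]

def build_packet(hdr_key: bytes, body_key: bytes, src: int, dst: int, flags: int, payload: bytes) -> bytes:
    zone1 = seal(hdr_key, HDR.pack(src, dst, flags))   # zone 1: headers
    zone2 = seal(body_key, payload)                     # zone 2: application data
    return struct.pack(">H", len(zone1)) + zone1 + zone2

def split_zones(packet: bytes) -> tuple:
    n = struct.unpack(">H", packet[:2])[0]
    return packet[2:2 + n], packet[2 + n:]

def nids_inspect(hdr_key: bytes, packet: bytes) -> list:
    # The NIDS decrypts only zone 1 and applies header rules; zone 2 is never opened.
    src, dst, flags = HDR.unpack(unseal(hdr_key, split_zones(packet)[0]))
    return [name for name, hit in RULES if hit(src, dst, flags)]
```

Only the endpoint that holds the body key (the receiving host, where a HIDS runs) can open zone 2, which is the division of labour the abstract describes.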
