Making Network Intrusion Detection Work With IPsec

Abstract

Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. One alternative to NIDSs, host-based intrusion detection systems (HIDSs), provides some of the functionality of NIDSs but with limitations: HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised. We propose an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately, under different keys. We refer to the latter generically as TwoKey IPsec. We show that all of the network events currently detectable by the Snort NIDS on unencrypted network traffic are also detectable on encrypted network traffic using this approach. The NIDS detects network-level events that HIDSs have trouble detecting, and HIDSs detect application-level events that cannot be detected by the NIDS.

Document Details

Document Type
Technical Report
Publication Date
May 11, 2007
Accession Number
ADA468587

Entities

People

  • A. Studer
  • C. D. Mclain
  • R. P. Lippmann

Organizations

  • Massachusetts Institute of Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anomaly Detection
  • Application Protocols
  • Change Detection
  • Computer Networks
  • Denial Of Service Attack
  • Detection
  • Detectors
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Network Architecture
  • Network Protocols
  • Operating Systems
  • Routing Protocols
  • Security Protocols
  • Transport Protocols

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Military Engineering
  • Sensor Fusion and Tracking Systems

Technology Areas

  • Cyber