Work in Progress: Bro-LAN Pervasive Network Inspection and Control for LAN Traffic

Abstract

Network intrusion detection and prevention systems (NIDS and NIPS) have to date focused on protecting external access links, or, when internally deployed, links between major enclaves in an enterprise. As previously argued, major threats (worms, insiders, and attackers with a toehold) come from inside the local network, rather than outside. Recently, two approaches have arisen to address this threat: ubiquitous deployment of end system monitors and custom hardware to replace switching infrastructure. This paper presents a third way: exploiting the VLAN capabilities of modern switches to enforce that all LAN communications must traverse and meet the approval of an intrusion detection monitor that operates separately from the switches. This architecture can realize two key benefits: (1) deployment and operation in today's enterprise networks without requiring replacement of existing network infrastructure, and (2) the use of highly flexible, commodity PCs for LAN monitoring, rather than algorithms embedded in difficult-to-reprogram custom hardware