With the advent of worms, passive malcode, and sophisticated attackers, the "Big Firewall" model of security has failed. To build robust commercial networks in the future, security will need to move into the LAN infrastructure.
The LAN vantage point requires a nearly two-order-of-magnitude cost/performance improvement over conventional network intrusion detection and response. In this talk, I introduce the rational for LAN-centric defences and the difficulties in implementing for these targets. I will then discuss our work on Shunting, a technique which enables the Bro intrusion detection to operate at Gigabit line rate with the addition of a small piece of hardware support. The small hardware enables Bro to decide, on a connection by connection basis, whether a connection requires further analysis. Additionally, VLAN-rewriting can allow a shunt, when coupled with a commodity managed Ethernet switch, to control all network traffic which passes through the switch.
Nicholas Weaver received his Ph.D in 2003 from the University of California at Berkeley. His research areas include computer security, intrusion detection, and FPGA architectures.