Although current intrusion detection and prevention (IDP) products rely on specialised security software or appliances to inspect individual packets or network flows, the future of IDP is as a function within the network switch itself.

Innovative network switch vendors are driving this trend by building IDP capability directly into their switches. One advantage of this approach is that the switches already process every packet and flow across a network. They also have built-in redundancy and failover, which many separate IDP appliances lack.

Because a switch already examines every packet that passes across the network, there are clear performance benefits from integrating security within it. In most IDP deployments today, the switch mirrors selected traffic to network-based sensors, which inspect it against signatures. Port mirroring is therefore a key switch feature: it lets an IDP concentrate on the traffic most likely to carry threats, such as e-mail or Web traffic. One caveat applies: a mirror port that carries both directions of a full-duplex link onto a single egress port can be oversubscribed, and the packets it drops never reach the sensor.

Network switches also export flow accounting data (for example, NetFlow) to a security analysis system. Link aggregation of the kind standardised in IEEE 802.3ad can be used for load balancing as well: specific traffic flows are mirrored to specific sensors, so that each sensor keeps the complete context of the flows it sees. Each of these switch features is integral to the IDP process. Furthermore, enterprise-class, chassis-based switches provide redundancy features that eliminate single points of failure on a network. All these factors point to the logical progression of moving the critical IDP function on board switches.

Swings vs roundabouts
Some switches provide more detailed accounting data than others. Packet-sampling techniques, such as sampled NetFlow or sFlow, record information for only a subset of the packets passing through a switch; other switches keep statistics for every packet. Switches with only packet-sampling capabilities may miss threats whose evidence is a handful of packets, but they can still detect many worms, distributed denial-of-service events and port scans, because those show up as changes in the volume and fan-out of flows rather than in any single packet.
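The kind of detection the paragraph describes, worked through as an added example (this is not Enterasys code, and the flow-record layout, the sample traffic and the thresholds are assumptions chosen for illustration): three checks over NetFlow-style records that look only at fan-out and source counts, which is exactly the signal that survives packet sampling.

```python
"""Anomaly checks over NetFlow-style flow records.

Added example, not Enterasys code. The record layout and the thresholds are
assumptions for illustration; real exports carry more fields (timestamps,
bytes, TCP flags, input interface).
"""
from collections import defaultdict

# Flow record layout assumed here: (src_ip, dst_ip, dst_port, proto, packets)


def build_sample_flows():
    """Constructed sample data: background traffic plus three attack patterns."""
    flows = []
    # Background: five clients talking to a web server and a TLS front end.
    for i in range(1, 6):
        flows.append((f"10.0.0.{i}", "10.0.3.1", 80, "tcp", 40))
        flows.append((f"10.0.0.{i}", "10.0.3.2", 443, "tcp", 60))
    # Port scan: one source probing 15 ports on one host, one packet each.
    for port in range(20, 35):
        flows.append(("10.0.0.5", "10.0.1.1", port, "tcp", 1))
    # Worm-like fan-out: one source contacting ten hosts on TCP/445.
    for h in range(1, 11):
        flows.append(("10.0.0.9", f"10.0.2.{h}", 445, "tcp", 3))
    # Flood: 25 distinct sources all hitting the web server.
    for s in range(1, 26):
        flows.append((f"198.51.100.{s}", "10.0.3.1", 80, "tcp", 500))
    return flows


def port_scans(flows, min_ports=10):
    """(src, dst) pairs where one source touched many distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, dport, _proto, _pkts in flows:
        ports[(src, dst)].add(dport)
    return {pair for pair, seen in ports.items() if len(seen) >= min_ports}


def worm_fanout(flows, min_hosts=8):
    """(src, dst_port) pairs where one source contacted many hosts on one port."""
    hosts = defaultdict(set)
    for src, dst, dport, _proto, _pkts in flows:
        hosts[(src, dport)].add(dst)
    return {key for key, seen in hosts.items() if len(seen) >= min_hosts}


def ddos_targets(flows, min_sources=20):
    """(dst, dst_port) pairs hit by many distinct sources."""
    sources = defaultdict(set)
    for src, dst, dport, _proto, _pkts in flows:
        sources[(dst, dport)].add(src)
    return {key for key, seen in sources.items() if len(seen) >= min_sources}


def analyse(flows, sampling_rate=1):
    """Run all three checks on a full or a 1-in-N sampled export.

    With 1-in-N packet sampling a one-packet probe is exported with probability
    about 1/N, so the scan and fan-out thresholds are scaled down (never below 2)
    to keep roughly the same sensitivity on a sampled view. Flood detection keys
    on distinct sources, which sampling thins but does not hide.
    """
    scale = max(1, sampling_rate)
    return {
        "port_scans": port_scans(flows, max(2, 10 // scale)),
        "worm_fanout": worm_fanout(flows, max(2, 8 // scale)),
        "ddos_targets": ddos_targets(flows, 20),
    }


if __name__ == "__main__":
    for name, hits in analyse(build_sample_flows()).items():
        print(name, sorted(hits))
```

Each check deliberately ignores payload and per-packet detail, so it works on a sampled export; what it cannot do is tell a benign scan-like burst (a monitoring host polling many ports) from a hostile one, which is where the full per-packet statistics and signature inspection described below come in.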

Switches that keep statistics on every packet deliver maximum security visibility and generally match the monitoring capabilities of stand-alone, flow-monitoring anomaly-detection systems. Full per-packet statistics also improve forensics: an attack can be reconstructed after the fact to determine exactly what occurred, which network assets were compromised, to what extent, and by whom.

Adding sensors
In larger, high-performance networks, switches can increase the effectiveness of internal sensors by channelling traffic to a bank of sensors such that a single sensor always receives every packet of a given flow, or conversation. In this way switches provide sensor load balancing, aggregating a number of less expensive, smaller sensors into one large virtual sensor.

Technologies such as 802.3ad link aggregation can be used for this sensor aggregation. The complete context of a conversation is tracked by a single sensor and reported to the security analysis system. This capability is tied to the access control list or policy-classification facilities within the switch. Note that 802.3ad specifies only that frames of a conversation must not be misordered across the aggregated links; the distribution algorithm is left to the implementation, so the hash must be checked to be symmetric in source and destination, otherwise the two directions of a TCP session can land on different sensors and neither sees the whole conversation.
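The sensor-distribution decision, modelled in software as an added example (not Enterasys code; the packet layout, the four-sensor bank, the use of SHA-256 as the hash and the constructed sample traffic are all assumptions): a direction-dependent key splits conversations between sensors, while a key that sorts the two endpoints keeps every packet of a session, in both directions, on one sensor.

```python
"""Conversation-preserving distribution of packets to a bank of sensors.

Added example, not Enterasys code. It models the switch-side decision in
software: hash the 5-tuple so every packet of a flow, in both directions,
lands on the same sensor. Sensor count, packet layout and SHA-256 as the hash
are assumptions; real switches hash a fixed set of header fields in hardware,
and IEEE 802.3ad leaves the distribution algorithm to the implementation.
"""
import hashlib

# Packet layout assumed here: (proto, src_ip, src_port, dst_ip, dst_port)


def directional_key(pkt):
    """Naive key: depends on packet direction, so replies may hash elsewhere."""
    proto, src, sport, dst, dport = pkt
    return f"{proto}|{src}:{sport}>{dst}:{dport}"


def conversation_key(pkt):
    """Symmetric key: sort the two endpoints so A->B and B->A collapse together."""
    proto, src, sport, dst, dport = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}<>{b[0]}:{b[1]}"


def sensor_for(pkt, n_sensors, key_fn=conversation_key):
    """Pick a sensor index in [0, n_sensors) from the hash of the flow key."""
    digest = hashlib.sha256(key_fn(pkt).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def reverse(pkt):
    """The same flow seen from the other side (server reply)."""
    proto, src, sport, dst, dport = pkt
    return (proto, dst, dport, src, sport)


def sensors_seen(packets, n_sensors, key_fn=conversation_key):
    """Set of sensors that received any packet of the given list."""
    return {sensor_for(p, n_sensors, key_fn) for p in packets}


def build_sample_conversations():
    """Constructed: 50 client->server TCP sessions, each with reply packets."""
    convs = []
    for i in range(50):
        fwd = ("tcp", f"10.0.0.{i % 20 + 1}", 40000 + i, "10.0.3.1", 80)
        convs.append([fwd, reverse(fwd), fwd, reverse(fwd)])
    return convs


def split_conversations(convs, n_sensors, key_fn):
    """Count conversations whose packets were spread over more than one sensor."""
    return sum(1 for c in convs if len(sensors_seen(c, n_sensors, key_fn)) > 1)


if __name__ == "__main__":
    convs = build_sample_conversations()
    print("split with directional hash:", split_conversations(convs, 4, directional_key))
    print("split with symmetric hash:  ", split_conversations(convs, 4, conversation_key))
```

The symmetric key is what the switch's classification facility has to compute before the 802.3ad-style distribution runs; with it, the count of split conversations is zero for any sensor count, and the ACL or policy rule that selects the traffic to mirror can be applied once per conversation rather than once per direction.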

Switches with integrated IDP capabilities are available today. Over time more of these feature-rich switches will become available, until the entire IDP function resides on the switch.

Mark MacDonald is a product marketing manager at Enterasys. David Frattura is director of product management at Enterasys.