Distributed Intrusion Detection Platform Flexible, scalable and secure

Jeroen van Beek, Tjerk Nan

msra

Citations: 23 | Views: 3
Abstract
SURFnet is the national computer network for higher education and research in The Netherlands. It connects the networks of universities, colleges, research centers, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world. Like other networks, the SURFnet network is exposed to attacks. Attacks on SURFnet-connected networks originate from local internal networks, the networks of other SURFnet-connected organizations, and the Internet. SURFnet wants to gather representative data concerning malicious activities on the networks of connected parties. With the information extracted from the collected data, security advisories can be given to administrators of affected systems or networks. To acquire the desired information, a number of sensors need to be placed in customer-administered networks. Since the time and expertise needed for adequate "Intrusion Detection" might not be available at all sites, deployment and maintenance need to be easy. Local sensor maintenance should not be necessary, or should be kept to an absolute minimum. Therefore, sensor management and data storage should be centralized. This setup also enables central data analysis. The goal of this project is to design a flexible, scalable and secure platform that meets the requirements mentioned above. A proof of concept setup might be built to demonstrate functionality. This document discusses the design of a platform for Distributed Intrusion Detection and the proof of concept we have implemented.