network-security

slurpslapout, Networks and Communications

20 Nov 2013

Network Security

Dr. Subrata Goswami

Aerogram Networks

Fremont, CA


Overview

- History
- Current State
- Current Efforts

History

- For a long time network security meant cryptography to the R&D community (1950s through 1990s).
- The Internet arrived with the web browser and email, and the venerated firewall and virus scanner appeared (circa 1995).
- The first Internet worm was the Morris Worm (1988).
- Firewalls in the late 1980s (credited to Steve Bellovin).
- Trusted Information Systems (TIS) Firewall Toolkit (FWTK), 10/1/1993.
- Check Point FW-1 in 1994.
- McAfee Pro-Scan, 1990.
- IPsec and SSL standardized (circa 1998).
- Then spam filters, IDS and IPS.
- AES standardized (2001), 3DES (1999), DES (1977).
- The WiFi WEP debacle prompted 802.11i (circa 2004).
- SHA-1 broken? (2005, first collision attack.)

The Current Issues

- Viruses, spam, worms, DoS/DDoS: tamed, but they still exist.
- Software vulnerabilities (bad/sloppy code).
- Spyware/adware.
- Peer-to-peer.
- Federal and state regulations: SOX, HIPAA, GLB, CA SB 1386, ITAR.
- Phishing, social engineering.

Current Industry Efforts (Partial List)

- Network Access Control
- Content Scanning
- Traffic Profiling

Access Control - Cisco NAC

(Diagram: Cisco NAC components. Host side: AV agent and Cisco Trust Agent (CTA), with the CTA stack labelled 1. Communicate, 2. EAP TLV, 3. Auth (PEAP), 4. Encryption. Network Access Device (router): EAP over UDP or 802.1X towards the host, EAP over RADIUS towards the AAA server (Cisco ACS). AAA server: HCAP towards the vendor policy server. Remediation server for non-compliant hosts.)

1. Triggers intercept ACL on router; the default ACL determines initial network access.
2. Router triggers posture validation with CTA (EAPoUDP).
3. CTA sends posture credentials to router (EAPoUDP).
4. Router sends posture credentials to AAA (RADIUS).
5. If necessary, AAA requests posture validation from the vendor policy server (HCAP, Host Credential Authorization Protocol, HTTPS-based).
6. AAA validates posture (Healthy, Checkup, Quarantine, Remediate).
7. AAA sends Access-Accept with ACLs/URL redirect per policy to router.
8. Host granted/denied/redirected/restricted access.
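The eight-step exchange above, modelled end to end as an added example (this is not Cisco CTA/ACS code or the HCAP wire format): the host reports posture credentials, the AAA server combines its own OS-patch check with the vendor policy server's AV verdict, picks the worst posture token (Healthy, Checkup, Quarantine, Remediate), and the router installs the ACL or URL redirect from the resulting Access-Accept. The policy thresholds, the remediation host name and the ACL wording are assumptions for illustration.

```python
"""Illustrative NAC posture-validation flow (added example, not Cisco's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class PostureCredentials:
    """What the host agent reports (steps 3-4 carry this over EAPoUDP/RADIUS)."""
    os_patch_level: int            # cumulative patch revision (assumed scale)
    av_engine_present: bool
    av_signature_date: date


@dataclass
class AccessDecision:
    """Content of the AAA Access-Accept (step 7): posture token + enforcement."""
    posture: str                   # Healthy | Checkup | Quarantine | Remediate
    acl: List[str]                 # ACL lines pushed to the router
    url_redirect: str = ""         # remediation portal, if any


# Hypothetical policy: minimum patch level and how stale AV signatures may be.
POLICY = {"min_patch": 10, "max_sig_age_days": 7, "checkup_age_days": 3}
REMEDIATION_HOST = "remediate.example.invalid"            # assumed name
SEVERITY = {"Healthy": 0, "Checkup": 1, "Remediate": 2, "Quarantine": 3}


def vendor_policy_server(creds: PostureCredentials, today: date) -> str:
    """Vendor (AV) policy check, reached over HCAP in the real architecture (step 5)."""
    if not creds.av_engine_present:
        return "Quarantine"
    age_days = (today - creds.av_signature_date).days
    if age_days > POLICY["max_sig_age_days"]:
        return "Remediate"
    if age_days > POLICY["checkup_age_days"]:
        return "Checkup"
    return "Healthy"


def aaa_validate(creds: PostureCredentials, today: date) -> AccessDecision:
    """AAA server (step 6): combine OS-patch posture with the vendor verdict,
    keep the worst token, and translate it into router-side enforcement."""
    verdicts = [vendor_policy_server(creds, today)]
    if creds.os_patch_level < POLICY["min_patch"]:
        verdicts.append("Remediate")
    posture = max(verdicts, key=SEVERITY.__getitem__)
    if posture in ("Healthy", "Checkup"):
        # Checkup keeps full access; the router would re-poll posture sooner.
        return AccessDecision(posture, ["permit ip any any"])
    if posture == "Remediate":
        acl = [f"permit tcp any host {REMEDIATION_HOST} eq 443", "deny ip any any"]
        return AccessDecision(posture, acl, f"https://{REMEDIATION_HOST}/")
    return AccessDecision(posture, ["deny ip any any"])   # Quarantine


def router_enforce(decision: AccessDecision) -> Dict[str, object]:
    """Network access device (step 8): apply the ACL / redirect from the Access-Accept."""
    if decision.url_redirect:
        access = "redirected"
    elif any(line.startswith("permit") for line in decision.acl):
        access = "granted"
    else:
        access = "denied"
    return {"posture": decision.posture, "access": access,
            "acl": decision.acl, "redirect": decision.url_redirect}


def admit(os_patch_level: int, av_present: bool, av_sig_date_iso: str,
          today_iso: str = "2013-11-20") -> Dict[str, object]:
    """Run one host through the whole exchange; dates as ISO strings."""
    creds = PostureCredentials(os_patch_level, av_present,
                               date.fromisoformat(av_sig_date_iso))
    return router_enforce(aaa_validate(creds, date.fromisoformat(today_iso)))


if __name__ == "__main__":
    for host in [(12, True, "2013-11-19"), (12, True, "2013-11-01"), (12, False, "2013-11-19")]:
        print(host, "->", admit(*host))
```

The point of keeping the vendor verdict and the AAA server's own check separate is the same as on the slide: the AAA server is the only component that maps posture tokens to enforcement, so adding a new vendor check never changes what the router has to understand.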

Access Control - Cisco NAC

- Network Admission Control functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network, based on its posture (OS and AV patches).
- Proprietary architecture.
- Proprietary protocols: PEAP and HCAP.
- Partners: Symantec, McAfee, Trend Micro.

Access Control - MACsec

- Provides user data confidentiality, frame data integrity, and data origin authenticity.

(Diagram: stations A, B, C and D on a hub. A, B and C form Connectivity Association CA ABC; each member transmits on its own Secure Channel, SC A, SC B, SC C. SC: Secure Channel. CA: Connectivity Association.)

- KaY (Key Agreement Entity): CA discovery, peer authentication, key management.
- SecY (MAC Security Entity): protection.

Access Control - MACsec

MACsec frame (802.1AE):

    DST:6 | SRC:6 | SecTAG:8/16 | DATA | ICV:8-16

  SecTAG: EtherType:2 | TCI/AN:1 | SL:1 | PacketNumber:4 | SCI:8 (optional)
  SCI = SRC MAC + port; carried explicitly when the CA has more than 2 peers.

IPsec ESP, for comparison:

    SPI:4 | SN:4 | DATA:n | PAD:0-255 | PL:1 | NH:1 | ICV:n
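The two layouts above, decoded from bytes, as an added example (not from the slides or the standards text): a parser for the MACsec SecTAG that honours the TCI bits (the SCI is only on the wire when SC is set, and is implied from the source MAC when ES is set), and the fixed part of the ESP header beside it. Field widths follow IEEE 802.1AE and RFC 4303; the 16-byte ICV assumes GCM-AES, and the sample frames are constructed (no real cryptography is performed).

```python
"""MACsec SecTAG and ESP header parsing (added example, constructed inputs)."""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES ICV; 802.1AE allows 8-16 bytes (assumption: 16)


def parse_macsec(frame: bytes) -> dict:
    """Return SecTAG fields, the protected payload and the ICV of one frame."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an = frame[14]
    tci = {
        "V":   (tci_an >> 7) & 1,   # version, must be 0
        "ES":  (tci_an >> 6) & 1,   # end station: SCI implicit from SRC MAC
        "SC":  (tci_an >> 5) & 1,   # explicit SCI present in the SecTAG
        "SCB": (tci_an >> 4) & 1,   # single-copy broadcast
        "E":   (tci_an >> 3) & 1,   # payload encrypted
        "C":   (tci_an >> 2) & 1,   # payload changed (integrity only differs)
    }
    if tci["V"] != 0:
        raise ValueError("unsupported SecTAG version")
    an = tci_an & 0x03              # association number, 2 bits
    sl = frame[15]                  # short length: user data length if < 48, else 0
    (pn,) = struct.unpack("!I", frame[16:20])
    off = 20
    if tci["SC"]:
        sci = frame[off:off + 8]    # System Identifier (SRC MAC) + Port Identifier
        off += 8
    elif tci["ES"]:
        # Implicit SCI: source MAC with port id 1, or 0 for single-copy broadcast
        sci = src + (b"\x00\x00" if tci["SCB"] else b"\x00\x01")
    else:
        sci = None                  # receiver must know the SC from context
    data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(data) != sl:
        raise ValueError("SL does not match payload length")
    return {"dst": dst, "src": src, "tci": tci, "an": an, "sl": sl, "pn": pn,
            "sci": sci, "sectag_len": off - 12, "data": data, "icv": icv}


def parse_esp(pkt: bytes, icv_len: int = ICV_LEN) -> dict:
    """ESP (RFC 4303): SPI and sequence number are in the clear; padding,
    pad length and next header sit inside the (possibly encrypted) payload,
    so only the trailing ICV can be split off here."""
    spi, sn = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "sn": sn, "payload": pkt[8:-icv_len], "icv": pkt[-icv_len:]}


def build_macsec(dst, src, tci_an, sl, pn, sci, data, icv) -> bytes:
    """Lay a frame out the way a transmitting SecY does (test input only)."""
    return dst + src + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci + data + icv


# Constructed sample: SC=1, E=1, C=1, AN=2 -> TCI/AN byte 0b0010_1110 = 0x2E
SAMPLE = build_macsec(
    dst=bytes.fromhex("01005e000001"), src=bytes.fromhex("0200000000aa"),
    tci_an=0x2E, sl=0, pn=0x00001001,
    sci=bytes.fromhex("0200000000aa") + b"\x00\x01",
    data=bytes(range(48)), icv=b"\xab" * ICV_LEN)
```

A receiving SecY uses the decoded SCI to select the secure channel, the AN to select the key within it, and the packet number for replay protection; a parser that ignored the SC/ES bits would read payload bytes as an SCI on an 8-byte tag, which is why the TCI is decoded before anything after it.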

Access Control - MACsec (TX)

(Diagram: MACsec transmit path.)

Access Control - MACsec (RX)

(Diagram: MACsec receive path.)

Content Scanning

- The problem is to find a hex substring in the continuous bytes of a flow.
- Substantial theoretical research: Boyer-Moore, Aho-Corasick.
- Substantial CPU MIPS required.

String Matching Algorithms

- Knuth-Morris-Pratt.
- Boyer-Moore uses heuristics (bad character, good suffix) to skip ahead.
  - O(k(m+n)) for k patterns of length m over a text of length n.
- Commentz-Walter.
- Wu-Manber.
- Aho-Corasick builds an NFA (then a DFA) out of all the search patterns.
  - O(n), independent of the number of patterns.
  - State explosion: the DFA transition table grows with the total pattern length times the alphabet size.

COTS IP Packet Processor Architecture (IXP2400, circa 2003)

- 4 GE ports.
- Throughput:
  - 4 Gbps for all frame sizes.
  - 12 Mpps for 64-byte frames.
  - 0.4 Mpps for 1518-byte frames.
- Latency, 1518-byte frames:
  - 100% throughput: 45 usec.
  - 75% throughput: 34 usec.
  - 50% throughput: 26 usec.
  - 25% throughput: 17.4 usec.

IXP2400 Internal Architecture

(Block diagram: eight MEv2 microengines (1-8); XScale core with 32K I-cache and 32K D-cache; Rbuf and Tbuf, 64 entries of 128 B each; hash unit (64/48/128); 16 KB scratch; two QDR SRAM channels (18-bit); DDRAM (64/72-bit); PCI, 64-bit at 66 MHz; media interface SPI-3 or CSIX (32-bit) with stripe/byte-align and E/D Q blocks; gasket; CSRs: Fast_wr, UART, timers, GPIO, BootROM/slow port.)


DRAM packet buffer access speed = d (19.2 gbps).


Average packet size = b (1000 bits)


SRAM pattern access speed = s (12.8 gbps).


ME/CPU compares = c ( 0.600 gips)


Number of patterns = p (1000 )


Average pattern length = l (100 bits)


Times each pattern read /packet = f
1
(1 ,scratch memory)


Theoretical pattern matching rate


1/( b/d + f
1
lp/s + blp/32
2
c )


127Kpps


5860 pps (worst case), 28654 pps (with tree/DFA)
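The rate formula above carried through with the slide's symbols and default values, as an added example (not the presenter's spreadsheet): the three terms are the time to pull the packet from DRAM, the time to read every pattern from SRAM, and the time for brute-force 32-bit-by-32-bit compares. Reading the 127 Kpps figure as the rate with the compare term left out is this example's interpretation; it reproduces the slide's number.

```python
"""Pattern-matching rate budget with the slide's symbols (added example)."""


def matching_rate(d=19.2e9, b=1000, s=12.8e9, c=0.6e9, p=1000, l=100, f1=1,
                  compare_width=32):
    """Seconds per packet are the sum of three terms; the rate is the reciprocal.
    d: DRAM packet-buffer bandwidth (bit/s)    b: average packet size (bits)
    s: SRAM pattern bandwidth (bit/s)          c: compare rate (compares/s)
    p: number of patterns                      l: average pattern length (bits)
    f1: times each pattern is read per packet (1 if it stays in scratch)
    compare_width: bits compared per operation on both the packet and the
    pattern side, hence the 32^2 in the slide's formula."""
    t_packet = b / d                                  # read the packet from DRAM
    t_patterns = f1 * l * p / s                       # read all patterns from SRAM
    t_compare = b * l * p / (compare_width ** 2 * c)  # brute-force compares
    total = t_packet + t_patterns + t_compare
    return {
        "memory_bound_pps": 1.0 / (t_packet + t_patterns),   # compare term dropped
        "rate_pps": 1.0 / total,
        "compare_fraction": t_compare / total,               # share of time in compares
    }


def compare_speedup_needed(target_pps: float, **kwargs) -> float:
    """How much faster the compare stage must get (a DFA, hardware assist)
    for the whole pipeline to reach target_pps with the other terms unchanged."""
    r = matching_rate(**kwargs)
    t_other = 1.0 / r["memory_bound_pps"]
    t_compare_now = 1.0 / r["rate_pps"] - t_other
    t_compare_allowed = 1.0 / target_pps - t_other
    if t_compare_allowed <= 0:
        raise ValueError("target exceeds the memory-bound rate")
    return t_compare_now / t_compare_allowed


if __name__ == "__main__":
    r = matching_rate()
    print(f"memory bound {r['memory_bound_pps']:.0f} pps, "
          f"brute force {r['rate_pps']:.0f} pps, "
          f"{r['compare_fraction']:.0%} of time in compares")
    print(f"compare stage must be {compare_speedup_needed(28654):.1f}x faster "
          f"for 28654 pps")
```

With the defaults, 95% of the per-packet time goes to compares, which is why the slide's next step is a tree/DFA rather than faster memory: even an infinitely fast compare stage tops out at the 127 Kpps memory bound.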



String Matching - MIPS Issue

- 17 Gbps content search (Seaway Networks).
- Stream based vs. packet based.
- HW assists for content matching, modification, and replication.
- 4.0 Gbps (Cavium Networks).
- Multi-core architecture connected by SPI 4.2 (10 Gbps).
- Sensory Networks: origin in gene sequence search.
- Matching against one pattern? How long a pattern? What algorithm?

String Matching - MIPS Issue (Content Processors)

String Matching Uses - IDS (Snort)

(Diagram: Snort pipeline. pcap capture -> preprocessors (frag2, stream4, http_decode, portscan, SPADE) -> detection engine (rules, content) -> log/alert engine -> output engine (syslog, sql, smb). Signature based; software.)

String Matching Uses 1 (Snort)

- Snort: open source software IDS.
- Uses BM, AC, WM, setwise BM.
- Runs in user space; substantial performance issue.
- I believe the best performance has been about 80 Mbps on state-of-the-art PC platforms.
- String matching used for flagging viruses, spyware, and application vulnerabilities through signatures.
- Also supports regular expressions; performance is an issue.

String Matching Uses 2 - Compliance (Reconnex)

- Content security for compliance and IP protection.
- Detects SSNs, credit card numbers, etc.
- Uses proprietary methods to generate signatures from repositories.
- Signatures are matched as packets stream in.
- Packets are assembled into flows and stored on hard disks for audit purposes.
- PC platform: dual Pentium, 4 GB RAM, 1.5 TB HD.
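A small compliance scanner of the kind the slide describes, as an added example (Reconnex's signature generation is proprietary and this is not it): it finds US SSNs and payment card numbers in a reassembled flow, filters card candidates through the Luhn check digit to cut false positives, rejects SSN patterns the SSA never issues, and masks what it reports so the finding itself is not a leak. The sample flow and the numbers in it are constructed test values.

```python
"""SSN / card-number detection over flow bytes with false-positive filters (added example)."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer run
CARD_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
SSN_RE = re.compile(rb"(?<![0-9])([0-9]{3})-([0-9]{2})-([0-9]{4})(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit (ISO/IEC 7812), right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that are structurally never issued: area 000, 666 or
    900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan_flow(data: bytes):
    """Return sorted (offset, kind, masked_value) findings over one flow."""
    findings = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), "card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(data):
        if ssn_plausible(*(g.decode() for g in m.groups())):
            findings.append((m.start(), "ssn", "***-**-" + m.group(3).decode()))
    return sorted(findings)


# Constructed sample flow: one Luhn-valid test card, one 16-digit number that
# fails Luhn, one impossible SSN (area 000) and two structurally valid SSNs.
SAMPLE_FLOW = (b"GET /export HTTP/1.1\r\n\r\n"
               b"card=4111 1111 1111 1111&alt=1234567812345678\r\n"
               b"ssn=078-05-1120 bad=000-12-3456 id=123-45-6789\r\n")

if __name__ == "__main__":
    for offset, kind, masked in scan_flow(SAMPLE_FLOW):
        print(f"{offset:4d} {kind:4s} {masked}")
```

Because the slide's product matches as packets stream in but stores whole flows for audit, the check-digit and range filters matter twice: a bare 16-digit regex would both raise false alerts and cause innocuous flows to be retained on disk.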

Profiling

- Profiled items:
  - Top applications.
  - Top sources and destinations.
  - Top conversations.
- Protocol analysis:
  - TCP state reconstruction.
  - UDP/ICMP state reconstruction.
  - Application protocols: FTP, Telnet, HTTP, Sun RPC, MSRPC, NFS, SMB/CIFS, P2P (Kazaa, etc.).
  - Tunneled: IPIP, HTTP.

Profiling - Issues

- Number of simultaneous flows (s).
  - Memory issue: typical per-flow memory is 256 bytes.
  - Current products support ~5 million flows.
- Flow create rate (c).
  - A pathological case is a SYN attack.
- Flow demise rate (d).
  - Graceful demise (e.g. 4-way TCP FIN handshake).
  - Timeouts (e.g. SYN attack).
- Steady state:
  - c < d
  - average flow life < s/d
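The steady-state condition above run as a simulation, as an added example (not from the slides): a flow table of s entries at 256 bytes each, fed by a create rate c, with two demise paths, a graceful FIN that frees the entry at once and a timeout that frees it only after the idle period. Under a SYN flood every entry takes the timeout path, so the demise rate is capped at s/timeout; once c exceeds that, the table fills and new flows are refused. The capacity, timeout and rates are assumptions chosen to keep the run small.

```python
"""Flow table under graceful demise vs. SYN-flood timeouts (added example)."""
from collections import OrderedDict

FLOW_BYTES = 256                      # per-flow memory from the slide


class FlowTable:
    def __init__(self, capacity: int, timeout_s: float):
        self.capacity, self.timeout = capacity, timeout_s
        self.flows = OrderedDict()    # key -> (last_seen, established); oldest first
        self.dropped = 0              # creates refused because the table was full

    def expire(self, now: float) -> None:
        """Timeout demise: evict idle entries, oldest first, until one is fresh."""
        while self.flows:
            _key, (last, _est) = next(iter(self.flows.items()))
            if now - last < self.timeout:
                break
            self.flows.popitem(last=False)

    def create(self, key, now: float, established: bool = False) -> bool:
        self.expire(now)
        if key in self.flows:         # refresh an existing flow
            self.flows[key] = (now, established)
            self.flows.move_to_end(key)
            return True
        if len(self.flows) >= self.capacity:
            self.dropped += 1         # table full: this flow is not tracked
            return False
        self.flows[key] = (now, established)
        return True

    def close(self, key) -> None:
        """Graceful demise (FIN handshake): immediate removal."""
        self.flows.pop(key, None)

    def memory_bytes(self) -> int:
        return len(self.flows) * FLOW_BYTES


def steady_state_flows(create_rate: float, avg_life_s: float) -> float:
    """Little's law: entries held = c * average flow life; must stay below s,
    which is the slide's 'average flow life < s/d' with d = c at steady state."""
    return create_rate * avg_life_s


def syn_flood(table: FlowTable, rate_pps: float, duration_s: float, step_s: float = 1.0) -> int:
    """Half-open flows at rate_pps that never complete; returns final occupancy."""
    t, seq = 0.0, 0
    while t < duration_s:
        for _ in range(int(rate_pps * step_s)):
            table.create(("syn", seq), t, established=False)
            seq += 1
        t += step_s
    return len(table.flows)


if __name__ == "__main__":
    tbl = FlowTable(capacity=20_000, timeout_s=30.0)
    occupancy = syn_flood(tbl, rate_pps=1000, duration_s=40)
    print(f"occupancy {occupancy}, dropped {tbl.dropped}, "
          f"{tbl.memory_bytes() / 1e6:.1f} MB; steady state needs "
          f"{steady_state_flows(1000, 30.0):.0f} entries")
```

The same create rate with graceful demise keeps the table almost empty; the flood is pathological because it turns every demise into the slow, timeout-bounded path, which is the reason products size s in millions and shorten half-open timeouts under load.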

Profiling - Issues

- Protocol state machine.
  - Both sides: client/server, requestor/responder, initiator/responder.
- Time budget.
  - CPU/NP/CP clock cycle time, t_c (1.0 nsec).
  - Buffering memory available, M (1 GB).
  - System throughput, t_t (2 Gbps).
  - Cycles per bit available, c.
  - c = M/(t_c * t_t) = (4 sec of buffered traffic)/(1e-9 sec) = 4e9 (!). Not allowed: tolerable latency is << 150 ms. If 1.0 msec is allowed, then c is 1,000,000.

Profiling

- Cisco NetFlow (IPFIX), PSAMP
- CAIDA
- Mazu Networks
- Imperva
- Allot
- Narus

Conclusion

- Network security, information security, is a very vibrant area: many players selling many products and services (eerily similar to 1999).
- Overheard: "information security is an eternal gold mine."