BlueCurve - Northumbria University


Deep Packet Inspection in Tomorrow's Firewalls
Udu E. Ogah
Supervisory Team: Dr. Richard Binns & Dr. Graham Sexton
Introduction
• Rise in web/network attacks in recent years
• Rise in the number of people using the internet
• Marked rise in corporate businesses that have opted for an online presence
• Proliferation of intelligent viruses, worms and trojans attacking systems
• Current security techniques
– are “edge-of-the-network” (perimeter) devices
– cannot defend against distributed attacks, which arrive from many points at once rather than crossing a single, well-defined perimeter
Basic Definitions
• The OSI (Open Systems Interconnection) model defines a networking framework for implementing protocols in seven layers. For the purposes of this presentation, we will be concerned mainly with:
• The Application Layer
• The Transport Layer
• The Network Layer
These are the layers at which routers (network layer), IDSs and IPSs (inspecting transport- and application-layer data) and ALGs (Application Level Gateways, application layer) operate.
• Intrusion Detection and Prevention Systems
The OSI Network Model
Current Trends in Network Security
• Firewalls
– Stateful inspection firewalls
– Perimeter / “edge-of-the-network” firewalls
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Application Level Gateways
Problems of the Existing Network Security Models
• The internet (TCP/IP internetworking) was built upon inherently flawed foundational protocols, e.g. ARP, which lets any host on a segment answer for any address with an unauthenticated reply
• Built primarily for connectivity, so security was not a design goal
• Any client machine is innately able to do anything on a network, subject only to the availability of appropriate tools and adequate user knowledge
• Network security implementations have always been centralized and host-based
• Lack of built-in security facilities
• Plaintext, unauthenticated payloads (worms such as msblast spread over exactly this kind of traffic)
• No source authentication
• Stateless forwarding
A Generic Network Security Model: Example 1
Single-layer model
Disadvantages
• Failure of the firewall results in a security breach for the whole network
A Generic Network Security Model: Example 2
A practical model
Disadvantages
• Failure to protect against the more sophisticated DDoS attacks
A Novel Approach
• This research will ultimately attempt to shift the focus of current network security models from a host-based intrusion detection/prevention framework to a client-based implementation
How?
• Exhaustive protocol verification to determine what is normal/abnormal in application-layer protocols
• Formulate rule-sets forming the basis of device drivers which will be built into client adapters
• This has the advantage of
1. Distributing the processing workload and taking the stress off firewalls.
2. Making sure clients do only what they are permitted to do on a network, hence changing the problem stated earlier: that any client is innately able to do anything on the network.
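The protocol-verification step described above (decide what a normal application-layer request looks like, then encode that as a rule set applied to captured packets) is shown below as an added example. It is not part of the presentation or of the author's test rig, and it is written in Python rather than the C/libpcap core the rig uses. The rule set itself (permitted HTTP methods and versions, line-length limits, header-name token syntax, the Host rule), the decoder's assumptions (Ethernet II, IPv4, TCP, HTTP on port 80) and the frames it inspects are all constructed for illustration.

```python
"""Added example: an application-layer rule set for HTTP applied to the TCP
payload of a raw Ethernet frame (the bytes libpcap would hand a capture loop).
All frames are constructed inline; nothing is captured from a live interface."""
import struct

# Rule set (assumed for this example): what a "normal" HTTP/1.x request head
# looks like on the network being protected. Anything outside it is abnormal.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 1024
# RFC 7230 token characters: the only bytes permitted in a header field name.
TOKEN_CHARS = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                        b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def tcp_payload(frame):
    """Decode Ethernet II / IPv4 / TCP headers with bounds checks.
    Returns (dst_port, payload), or None if the frame is not well-formed IPv4 TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # EtherType must be IPv4
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if (version != 4 or ihl < 20 or ip[9] != 6          # protocol 6 = TCP
            or total_len > len(ip) or total_len < ihl + 20):
        return None                                     # truncated or not TCP
    tcp = ip[ihl:total_len]
    dst_port = struct.unpack_from("!H", tcp, 2)[0]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return dst_port, tcp[data_off:]


def _printable(line):
    """True if every byte is printable ASCII or a horizontal tab."""
    return all(0x20 <= b <= 0x7E or b == 0x09 for b in line)


def check_http_request(payload):
    """Apply the rule set to one request head. Returns the list of violations;
    an empty list means the request is 'normal' under the rules."""
    if b"\r\n\r\n" not in payload:
        # A real inspector would reassemble the TCP stream before deciding.
        return ["request head not terminated by CRLF CRLF"]
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    violations = []

    if len(request_line) > MAX_REQUEST_LINE:
        violations.append("request line too long")
    if not _printable(request_line):
        violations.append("non-printable bytes in request line")   # e.g. binary shellcode
    parts = request_line.split(b" ")
    version = None
    if len(parts) != 3:
        violations.append("request line is not 'METHOD target VERSION'")
    else:
        method, target, version = parts
        if method not in ALLOWED_METHODS:
            violations.append(f"method {method.decode('ascii', 'replace')!r} not permitted")
        if not target.startswith(b"/"):
            violations.append("request target must be origin-form (start with '/')")
        if version not in ALLOWED_VERSIONS:
            violations.append("unsupported HTTP version")

    names = []
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            violations.append("header line too long")
        name, sep, value = line.partition(b":")
        if not sep or not name or any(b not in TOKEN_CHARS for b in name):
            violations.append("malformed header field name")
            continue
        if not _printable(value):
            violations.append("control characters in header value")   # bare-LF injection
        names.append(name.lower())
    if version == b"HTTP/1.1" and names.count(b"host") != 1:
        violations.append("HTTP/1.1 request must carry exactly one Host header")
    return violations


def inspect_frame(frame, http_ports=(80,)):
    """Verdict for a whole frame: ('ignore', []) for non-HTTP traffic, otherwise
    ('pass', []) or ('drop', violations)."""
    decoded = tcp_payload(frame)
    if decoded is None or decoded[0] not in http_ports:
        return "ignore", []
    violations = check_http_request(decoded[1])
    return ("drop" if violations else "pass"), violations


def build_frame(payload, dst_port=80, ethertype=0x0800):
    """Constructed test frame: Ethernet II + minimal IPv4 + TCP with zero
    checksums (fields the inspector does not consult are left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + struct.pack("!H", ethertype) + ip + tcp + payload


if __name__ == "__main__":
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
                   b"DELETE /\x90\x90\xcc HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"GET / HTTP/1.1\r\nX-Inject: a\nEvil: b\r\n\r\n"):
        print(inspect_frame(build_frame(sample)))
```

The point of the design is that the rule set is an allow-list of what the protocol should look like, not a signature list of known attacks: a request that smuggles binary in its target or a bare line feed in a header is rejected without the inspector knowing which worm or exploit it belongs to. In the presentation's architecture this decision would be made in the client adapter's driver rather than at a central firewall.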
Test Rig
• PC hardware running Linux or BSD (Linux deployed with the stable 2.4 series kernel)
– Access to low-level kernel and network functions via kernel-mode device drivers
– The core is written in C, affording very fast packet capture and analysis using the libpcap (packet capture) library
– Freely available open-source code will encourage learning and development (with due regard for the Academic Alliance)
Invisible Bridging Firewall (Gentoo Linux based)
• Works at layer 2 (Data Link Layer) of the OSI model
• Has no IP address of its own and hence cannot be addressed or scanned: it is effectively invisible on the network at layer 3 (its filtering decisions can still be observed indirectly, e.g. as dropped traffic)
• The kernel has been patched (the bridge-netfilter patch needed on 2.4 kernels) so that bridged IP traffic passes through the Netfilter/iptables framework. It can hence control and regulate network packets and traffic whilst remaining invisible
• It can be inserted inline at literally any point in a network without configuration changes, since the hosts around it need not be re-addressed or re-routed
• These characteristics make it ideal as a testbench for packet analysis, injection etc.
Many thanks!