BlueCurve - Northumbria University
Deep Packet Inspection in Tomorrow's Firewalls
Udu E. Ogah
Supervisory Team: Dr. Richard Binns & Dr. Graham Sexton
Introduction
• Rise in web and network attacks in recent years
• Rise in the number of people using the internet
• Marked rise in corporate businesses that have opted for an online presence
• Proliferation of intelligent viruses, worms and trojans attacking systems
• Current security techniques
– are "edge-of-the-network"
– cannot defend against distributed attacks
Basic Definitions
• The OSI, or Open Systems Interconnection, model defines a networking framework for implementing protocols in seven layers.
For the purposes of this presentation, we will be concerned mainly with:
• The Application Layer
• The Transport Layer
• The Network Layer
These represent the layers at which routers, IPSs, IDSs and ALGs (Application Level Gateways) operate.
• Intrusion Detection and Prevention Systems
The OSI Network Model
Current Trends in Network Security
• Firewalls, etc.
– Stateful inspection firewalls
– Perimeter / "edge-of-the-network" firewalls
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Application Level Gateways
Problems of the existing Network Security Models
• The internet, or TCP/IP internetworking, was built upon inherently flawed foundational protocols, e.g. ARP
• Built primarily for connectivity, so security was not borne in mind
• Any client machine is innately able to do anything on a network, subject to the availability of appropriate tools and adequate user knowledge
• Network security implementations have always been centralized and host-based
• Lack of built-in security facilities
• Plaintext payloads (commonly exploited by worms, e.g. msblast)
• No source authentication
• Stateless forwarding
A Generic Network Security Model: Example 1
Single-layer model
Disadvantage: failure of the firewall results in a security breach for the whole network
A Generic Network Security Model: Example 2
A practical model
Disadvantage: failure to protect against the more sophisticated DDoS attacks
A Novel Approach
• This research will ultimately attempt to shift the focus of current network security models from a host-based intrusion detection/prevention framework to a client-based implementation
How?
• Exhaustive protocol verification to determine what is normal/abnormal in application layer protocols
• Formulate rule-sets forming the basis of device drivers which will be built into client adapters
This has the advantage of
1. Distributing the processing workload and taking the stress off firewalls.
2. Making sure clients do only what they are permitted to do on a network – hence changing the problem
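The protocol-verification step above, as an added example that is not code from the presentation or the BlueCurve project: a minimal deep-packet-inspection pass, written in C since that is the language the test-rig slide names, which walks a constructed Ethernet/IPv4/TCP frame down to its payload and then applies a small rule-set describing what a normal HTTP request line looks like. The rule names, the 512-byte request-line limit, the source port and the sample payloads are assumptions made for illustration, and the frames are constructed inside the code rather than captured.

```c
/* Added example, not code from the presentation or the BlueCurve project: a
 * minimal DPI pass of the kind the "How?" slide describes. It walks a constructed
 * Ethernet/IPv4/TCP frame to the payload and applies a rule-set defining a normal
 * HTTP request line; anything else is abnormal and the failing rule is named.
 * Limits, ports, rule names and sample payloads are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_NORMAL = 0, V_ABNORMAL, V_NOT_HTTP, V_MALFORMED };
enum { ETH_HLEN = 14, HTTP_PORT = 80, MAX_REQ_LINE = 512 /* assumed limit */ };

/* Locate the TCP payload; returns its length, or -1 if the frame is truncated
 * or not IPv4/TCP. Every length field is checked against the bytes we hold. */
static int tcp_payload(const uint8_t *f, size_t n, const uint8_t **pl, uint16_t *dport)
{
    if (n < ETH_HLEN + 40 || f[12] != 0x08 || f[13] != 0x00) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || ihl < 20 || tot < ihl + 20 || ETH_HLEN + tot > n)
        return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    *dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    *pl = tcp + doff;
    return (int)(tot - ihl - doff);
}

/* Rule: request line is printable ASCII and CRLF-terminated within the limit. */
static int rule_request_line(const uint8_t *p, size_t n)
{
    for (size_t i = 0, lim = n < MAX_REQ_LINE ? n : MAX_REQ_LINE; i + 1 < lim; i++) {
        if (p[i] == '\r' && p[i + 1] == '\n') return 1;
        if (p[i] < 0x20 || p[i] > 0x7e) return 0;      /* control or non-ASCII byte */
    }
    return 0;
}

/* Rule: method is on the allow-list (describe normal, not signatures of bad). */
static int rule_method(const uint8_t *p, size_t n)
{
    static const char *const ok[] = { "GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "OPTIONS " };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (n >= strlen(ok[i]) && memcmp(p, ok[i], strlen(ok[i])) == 0) return 1;
    return 0;
}

/* Rule: line is "METHOD SP URI SP HTTP/1.x", i.e. two spaces and a version. */
static int rule_shape(const uint8_t *p, size_t n)
{
    const uint8_t *cr = memchr(p, '\r', n); int spaces = 0;
    for (const uint8_t *q = p; cr && q < cr; q++) spaces += (*q == ' ');
    return cr && spaces == 2 && cr - p >= 9 && !memcmp(cr - 9, " HTTP/1.", 8) && isdigit(cr[-1]);
}

/* The rule-set, applied in order; the first rule to fail names the verdict. */
static const struct { const char *name; int (*fn)(const uint8_t *, size_t); } rules[] = {
    { "request-line-printable-crlf", rule_request_line },
    { "method-allow-listed", rule_method }, { "request-line-shape", rule_shape },
};

enum verdict inspect_frame(const uint8_t *f, size_t n, const char **why)
{
    const uint8_t *pl = NULL; uint16_t dport = 0;
    int len = tcp_payload(f, n, &pl, &dport);
    if (why) *why = NULL;
    if (len < 0) return V_MALFORMED;
    if (dport != HTTP_PORT || len == 0) return V_NOT_HTTP;  /* other ports, bare ACKs */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (!rules[i].fn(pl, (size_t)len)) { if (why) *why = rules[i].name; return V_ABNORMAL; }
    return V_NORMAL;
}

/* Wrap a payload in a constructed frame to dport (addresses and checksums left
 * zero: the inspector checks structure, not integrity), then inspect it. */
enum verdict check_payload(uint16_t dport, const void *payload, size_t plen, const char **why)
{
    uint8_t f[1514] = {0}, *ip = f + ETH_HLEN, *tcp = ip + 20;   /* one MTU-sized frame */
    if (plen > sizeof f - ETH_HLEN - 40) return V_MALFORMED;
    f[12] = 0x08;                                                /* EtherType 0x0800 */
    ip[0] = 0x45; ip[2] = (uint8_t)((40 + plen) >> 8); ip[3] = (uint8_t)(40 + plen); ip[9] = 6;
    tcp[0] = 0xc3; tcp[1] = 0x50; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x18;                              /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return inspect_frame(f, ETH_HLEN + 40 + plen, why);
}

int main(void)
{
    const char *why = NULL, *s[] = { "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                                     "GET /\x01\x02 HTTP/1.1\r\n", "BREW /pot-0 HTTP/1.1\r\n", "GET /\r\n" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        enum verdict v = check_payload(HTTP_PORT, s[i], strlen(s[i]), &why);
        printf("sample %zu: %s %s\n", i, v == V_NORMAL ? "normal" : "abnormal:", why ? why : "");
    }
    return 0;
}
```

Each rule states what normal traffic looks like rather than matching a signature of a known attack, which is the point of the verification step: a payload that breaks any rule is rejected whether or not it resembles a known worm. The check that matters most for an inspector that will sit in a device driver is in tcp_payload, where the IP total length and TCP data offset are cross-checked against the bytes actually held, because a length field that lies is exactly how a crafted packet makes a parser read past its buffer.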
Test Rig
• PC hardware based on the Linux/BSD platform (deploying the stable 2.4 series kernel)
– Access to low-level kernel and network functions via kernel-mode device drivers
– The core is written in C, affording extremely fast packet capture and analysis using the libpcap (packet capture) library.
– Freely available open source code will encourage learning and development (with due regard for the Academic Alliance).
Invisible Bridging Firewall (Gentoo Linux based)
• Works at layer 2 (the Data Link layer) of the OSI model
• Has no IP address and hence is effectively invisible on a network
• Has been kernel-patched to filter IP-based network traffic via the Netfilter/iptables framework. It can hence control and regulate network packets and traffic even whilst still invisible
• It can be deployed at literally any point on a network without any configuration changes, because it is an inline device
• These characteristics make it ideal as a test bench for packet analysis, injection, etc.
Many thanks!