Transcript atm

CS 551/651 SOFTWARE SECURITY
Design of a High-Performance
ATM Firewall
Written by Jun Xu and Mukesh Singhal
Presented by Yiting Nan
March 27, 2000
1
Index
• Motivation
• Existing approaches
• QoF logical design
• QoF physical design
2
Firewall
• Definition:
A network firewall is a device that controls communications
across the boundary between a trusted and an untrusted network.
• Purpose:
To control access by denying unauthorized communications. It
also provides a single point where security and auditing can
be imposed.
• Where to put it:
Typically operates at the IP, TCP, and/or application layer of the
protocol stack.
3
ATM and Traditional Network
• ATM
– Switched virtual connections
– Fixed-length cells
• Traditional Network
– Connectionless
– Shared medium
– Variable-length packets
– Broadcast network
4
Motivation
• Packet filtering needs to terminate an end-to-end
ATM connection in the middle in order to extract
IP packets for inspection: high SAR* overhead.
• Filtering bandwidth is below 100 Mbps, much less
than the ATM rates of OC-3c and OC-12c**.
* SAR: Segmentation and Reassembly.
** OC-3c: 155 Mbps, OC-12c: 622 Mbps
5
Packet-level filtering is indispensable
• ATM Forum: avoid packet filtering, exert discretion
at connection establishment time
– no way to check the contents after the connection is established.
• An SVC* is requested when each new service is started.
– Considerable change to the whole TCP/IP stack and existing
applications
– SVC explosion: a new SVC for each transport-layer flow
• Apply cryptographic measures end-to-end
– authentication and encryption do not automatically ensure proper
access control,
– content still needs to be inspected after the connection is set up,
– connections between untrusted parties are still needed
* SVC: Switched virtual connection
6
Existing approaches - ATLAS
A line filter that scans an ATM physical link to
perform packet-level filtering at OC-3c.
• To avoid SAR, for each packet it only checks the
first cell. Pass or fail!
• Uses a policy-cache architecture to speed up; the core
unit is the policy cache (a CAM).
If the cache hits, the packet's cells are forwarded. Otherwise
the first cell goes through a software-screening process
and the other cells are buffered in a queue.
7
Limitation and drawbacks of ATLAS
• Does not accept IP packets with IP option fields
• CAM is not scalable.
• Not friendly for management and administration.
8
Quality of Firewall (QoF)
Applies security measures of different strength to
traffic with different risk levels in order to
achieve a good tradeoff between performance and
security.
Four classes (higher QoF is applied to the more
dangerous connections):
[Figure: classes A, B, C and D ordered from safest (A) to most dangerous (D)]
9
Logical design of ATM firewall
[Figure: logical design. Call Screening classifies each new connection and hands class D connections to the Proxy service (via a VC-specific proxy option), class B connections to Traffic Monitoring and class C connections to Packet Filtering, each working from VC-specific TCP/IP rules. The Proxy, Traffic Monitoring and Packet Filtering services report unsafe packets and traffic profiles to Firewall Management; Call Screening reports invalid calls and signaling profiles; Firewall Management sends call-screening rules and management commands back to the services.]
Call-Screening Service
Call-screening rules include:
1. Source identity
2. Destination identity
3. Authentication information
4. QoF of the new connection to be established
5. Information needed for packet-level inspection
11
Packet-Filtering Service
• Filters on the first cell (or first two cells) of each packet only
• A layer-4 route cache architecture
A forwarding decision is made not only on the basis of the
destination address, but also on the source address,
port numbers, protocol, and possibly some other
fields.
• Last Cell Hostage (LCH)
All cells of a packet except the last one are forwarded
immediately; the last cell is held "hostage" until the software
inspection is finished, so a rejected packet can never be
reassembled at the receiver.
12
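To make the first-cell-only check, the layer-4 route cache and the LCH scheme concrete, here is a small Python simulation added to this transcript; it is not code from the paper or from the presentation. It assumes Classical IP over ATM (RFC 2684 LLC/SNAP encapsulation), so the LLC/SNAP, IPv4 and TCP/UDP headers fill exactly the 48-byte payload of the first cell when the IP header carries no options; the policy, addresses, traffic and the names `build_pdu`, `segment` and `FirstCellFilter` are all constructed for the example, and the AAL5 trailer, CRC and HEC are omitted.

```python
import struct

# Classical IP over ATM (RFC 2684) LLC/SNAP header announcing an IPv4 PDU.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
HDR_SIZE, PAYLOAD = 5, 48


def is_last_cell(cell: bytes) -> bool:
    """AAL5 sets the low PTI bit (header byte 3, bit 1) on the last cell of a PDU."""
    return (cell[3] >> 1) & 1 == 1


def parse_flow(buf: bytes, first_cell_only: bool = False):
    """Return (src, dst, proto, sport, dport) from an LLC/SNAP + IPv4 PDU prefix.
    With first_cell_only=True this emulates the hardware express check: it sees
    only the 48-byte first-cell payload and expects fixed offsets, so a packet
    with IP options (IHL != 20) is left to the software path (returns None)."""
    if buf[:8] != LLC_SNAP_IP or buf[8] >> 4 != 4:
        return None
    ip = buf[8:]
    ihl = (ip[0] & 0x0F) * 4
    if (first_cell_only and ihl != 20) or ip[9] not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return (src, dst, ip[9], sport, dport)


class FirstCellFilter:
    """Layer-4 route cache in front of a software screener, with LCH on a miss."""

    def __init__(self, rules):
        self.rules = rules          # constructed policy: [(pattern, verdict)], None = wildcard
        self.cache = set()          # flows already cleared by software screening
        self.stats = {"hit": 0, "miss": 0, "software": 0}

    def screen(self, flow) -> str:
        """Slow path: full rule walk (stands in for the software-screening process)."""
        for pattern, verdict in self.rules:
            if all(p is None or p == f for p, f in zip(pattern, flow)):
                return verdict
        return "drop"               # default deny

    def process(self, cells):
        """Returns (cells actually forwarded, verdict) for one AAL5 PDU."""
        flow = parse_flow(cells[0][HDR_SIZE:], first_cell_only=True)
        if flow is not None and flow in self.cache:
            self.stats["hit"] += 1
            return list(cells), "forward"   # express path: every cell leaves at line rate
        # Cache miss: Last Cell Hostage. All cells but the last are forwarded right
        # away; the last cell is held until screening finishes. Dropping it leaves
        # the receiver with an incomplete PDU that it can never reassemble.
        forwarded = [c for c in cells if not is_last_cell(c)]
        hostage = [c for c in cells if is_last_cell(c)]
        if flow is None:            # e.g. IP options: reassemble and parse in software
            self.stats["software"] += 1
            flow = parse_flow(b"".join(c[HDR_SIZE:] for c in cells))
        else:
            self.stats["miss"] += 1
        verdict = "drop" if flow is None else self.screen(flow)
        if verdict == "forward":
            self.cache.add(flow)
            forwarded += hostage
        return forwarded, verdict


def build_pdu(src, dst, proto, sport, dport, body=b"", ihl_words=5) -> bytes:
    """Constructed LLC/SNAP + IPv4 + TCP/UDP PDU (checksums zero, AAL5 trailer omitted)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    options = b"\x00" * (4 * (ihl_words - 5))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options) + 20 + len(body),
                     1, 0, 64, proto, 0, addr(src), addr(dst)) + options
    l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5002, 8192, 0, 0)
    return LLC_SNAP_IP + ip + l4 + body


def segment(pdu: bytes, vpi=0, vci=100):
    """AAL5-style segmentation: pad to 48-byte cells, flag the last cell in the PTI."""
    pdu += b"\x00" * (-len(pdu) % PAYLOAD)
    n = len(pdu) // PAYLOAD
    cells = []
    for i in range(n):
        eop = 1 if i == n - 1 else 0
        hdr = bytes([(vpi >> 4) & 0x0F, ((vpi & 0x0F) << 4) | (vci >> 12),
                     (vci >> 4) & 0xFF, ((vci & 0x0F) << 4) | (eop << 1), 0])  # HEC left 0
        cells.append(hdr + pdu[i * PAYLOAD:(i + 1) * PAYLOAD])
    return cells


def demo():
    """Constructed traffic: web flow (allowed), telnet flow (denied), web flow with IP options."""
    fw = FirstCellFilter([(("10.0.0.5", "192.168.1.10", 6, None, 80), "forward")])
    web = segment(build_pdu("10.0.0.5", "192.168.1.10", 6, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"))
    telnet = segment(build_pdu("10.0.0.5", "192.168.1.10", 6, 40002, 23, b"x" * 100))
    web_opt = segment(build_pdu("10.0.0.5", "192.168.1.10", 6, 40003, 80, b"y" * 60, ihl_words=6))
    results = [fw.process(web), fw.process(web), fw.process(telnet), fw.process(web_opt)]
    return fw, results


if __name__ == "__main__":
    fw, results = demo()
    for forwarded, verdict in results:
        print(verdict, len(forwarded), "cells forwarded")
    print(fw.stats)
```

Running `demo()` shows the three behaviours side by side: the first web packet misses the cache and its last cell waits for the screener, the second web packet is a pure cache hit, the telnet packet has its leading cells released but its last cell dropped, and the packet with IP options cannot be classified from the first cell and falls back to reassembly and the software check.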
Traffic-Monitoring Service
• Nearly as secure as the packet-filtering service for
TCP traffic and introduces no latency even when a
cache miss occurs (after-the-fact nature).
• Monitors the headers of IP packets carried in
class B connections.
• Might be used together with SSH or VPN cryptography, and
maintains state information for half-open
connections.
13
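The after-the-fact, stateful nature of the traffic-monitoring service can be illustrated with a header monitor that tracks TCP half-open connections and reports unsafe packets upward without ever holding a cell. The Python below is an added example, not code from the paper or the presentation; the `TrafficMonitor` class, its policy, the half-open limit and the header trace are all constructed for illustration.

```python
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04     # TCP flag bits


class TrafficMonitor:
    """Stateful, after-the-fact TCP header monitor for one class-B VC.
    It never delays a cell; it only tracks connection state from header
    copies and reports unsafe packets to the firewall management service."""

    def __init__(self, allowed, half_open_limit=2):
        self.allowed = allowed              # constructed policy: {(dst, dport)} permitted on this VC
        self.half_open_limit = half_open_limit
        self.half_open = {}                 # (src, dst, sport, dport) -> time of the SYN
        self.established = set()
        self.reports = []                   # (time, reason, flow): what goes to management

    def observe(self, t, src, dst, sport, dport, flags):
        """Feed one copied header; returns the number of reports so far."""
        flow, reverse = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags & SYN and not flags & ACK:                       # new connection attempt
            if (dst, dport) not in self.allowed:
                self.reports.append((t, "SYN to unauthorized service", flow))
            self.half_open[flow] = t
            pending = sum(1 for f in self.half_open if f[1] == dst)
            if pending > self.half_open_limit:                    # too many unfinished handshakes
                self.reports.append((t, "half-open connections exceed limit", dst))
        elif flags & SYN and flags & ACK:                         # server's reply
            if reverse not in self.half_open:
                self.reports.append((t, "SYN/ACK without a preceding SYN", flow))
        elif flags & (FIN | RST):                                 # teardown
            self.half_open.pop(flow, None)
            self.established.discard(flow)
            self.established.discard(reverse)
        elif flow in self.half_open:                              # final ACK of the handshake
            del self.half_open[flow]
            self.established.add(flow)
        elif flow not in self.established and reverse not in self.established:
            self.reports.append((t, "segment outside an established connection", flow))
        return len(self.reports)


def demo():
    """Constructed header trace: one clean HTTP session, a telnet attempt, a burst
    of unfinished SYNs and a stray ACK with no handshake behind it."""
    mon = TrafficMonitor(allowed={("192.168.1.10", 80)})
    trace = [
        (1.0, "10.0.0.5", "192.168.1.10", 40001, 80, SYN),
        (1.1, "192.168.1.10", "10.0.0.5", 80, 40001, SYN | ACK),
        (1.2, "10.0.0.5", "192.168.1.10", 40001, 80, ACK),
        (1.3, "10.0.0.5", "192.168.1.10", 40001, 80, ACK),       # data segment, allowed
        (2.0, "10.0.0.6", "192.168.1.10", 40002, 23, SYN),        # telnet: not in policy
        (3.0, "10.0.0.7", "192.168.1.10", 40003, 80, SYN),
        (3.1, "10.0.0.7", "192.168.1.10", 40004, 80, SYN),        # third SYN left half-open
        (4.0, "10.0.0.9", "192.168.1.10", 40009, 80, ACK),        # no handshake was seen
    ]
    for record in trace:
        mon.observe(*record)
    return mon


if __name__ == "__main__":
    for report in demo().reports:
        print(report)
```

Because the monitor only sees copies of the headers, every one of these packets has already been forwarded by the time it is reported; that is what "nearly as secure" means in practice, and why the service is cheap enough to run on a cache miss.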
Proxy Service
• Acts as an application-level gateway (a proxy
server) for a number of Internet protocols.
• Unlike the packet-filtering service, which looks
only at the packet headers, the proxy service
monitors the execution of the protocol and filters
at the application level.
• Since it needs to understand the protocol and
requires SAR, it is usually performed at the
rate of a traditional firewall.
• Another use is to "oversee" the execution of
ISAKMP.
14
Firewall Management Service
Controls and manages the other security services in the
ATM firewall and provides user-friendly
administration tools to network managers. Logs
two types of events:
1. Violations of the security policy.
2. The profile information on each connection.
15
Physical components of the ATM firewall
[Figure: an ATM Firewall Switch sits between the trusted ATM LAN and the untrusted ATM LAN; a Firewall Management Server, a Proxy Server and a Traffic Monitoring Server are attached to the switch.]
ATM Switch
[Figure: internal structure of an ATM switch. SONET links terminate on input modules (IM) and output modules (OM) on either side of the cell switch fabric (CSF); signaling cells are handed to connection admission control (CAC) and OAM cells to switch management (SM).]
ATM Firewall Switch - IM
[Figure: the enhanced input module. Signaling cells pass through a signaling-cell filter to the CAC; management cells pass through a management-cell filter; user cells go through a hardware TCP/IP express check driven by an enhanced VP/VC table with enhanced header translation, with an IP option check and a TCP/IP software check alongside it, before being passed on to the OM.]
ATM Firewall Switch (Continued)
• OM
– Involved in implementing the LCH scheme
• CAC
– Implements the call-screening service and cryptography
• SM
– Adds firewall management
• CSF
– Handles processing of the T-Monitor bit.
19
Other components
• Traffic-Monitoring Server
– An ATM-attached workstation equipped with policy
cache hardware to perform header checking at high
speed.
• Proxy Server
– A traditional proxy firewall equipped with ATM
interfaces.
20
Links related to ATM security
• ATM Firewall Performance Evaluation
http://tebbit.eng.umd.edu/people/carrozzi/project.html
• ATM Security page,
http://www.itr.unisa.edu.au/~dstowww/atm_security
• Carsten Benecke, Uwe Ellermann, "Securing 'Classical IP over ATM Networks'",
Firewall Laboratory for High-Speed Networks, Fachbereich Informatik,
Universität Hamburg
http://www.fwl.dfn.de/eng/team/cb
• Firewall Laboratory for High-Speed Networks
http://www.cert.dfn.de/eng/fwl/
21
Questions?
22
ATLAS
ATM-Line-Access-And-Security.
• An ATM firewall filtering cells at a speed of OC-3c.
• Supports Classical IP, LAN Emulation and FORE-IP
over ATM, and MPOA over ATM.
(Cisco's 7513 is not able to filter on layer 3, which is needed for MPOA, but ATLAS can.)
• Can set more than 1000 filters without any performance
degradation.
• If two ATLAS systems talk to each other across an
ATM network, the data can be encrypted as well.
23
Limitations of Firewalls
• Cannot protect against attacks that do not pass
through the firewall.
Proprietary data can also leave via modem or physical
media.
• Cannot protect very well against viruses.
24
ATM basics
• ATM cells
ATM is based on a 53-byte cell structure. Application data is placed
into ATM Protocol Data Units (PDUs) of up to 9180 bytes that are
segmented into fixed-size cells. Cells are multiplexed onto
network links and reassembled into PDUs at the endpoint of the
ATM network.
Each fixed-size cell has a 5-byte header followed by a 48-byte payload.
The header identifies the payload type, VPI (virtual path identifier),
VCI (virtual channel identifier), and a header error check. VPI and
VCI together make up the VC (virtual circuit) identifier. The VC label is
used to perform a table lookup in the switch table, and a label
swapping function is done in hardware to quickly switch the fixed
size cells.
25
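The header layout, the header error check and the label-swapping lookup described above, as an added Python example (not code from the paper or the presentation). It implements the UNI header format and the ITU-T I.432 HEC (CRC-8 with polynomial x^8 + x^2 + x + 1, remainder XORed with 0x55); the `CellSwitch` class, its port numbers and VC table entries are constructed for illustration, and the per-VC firewall state the slides' "enhanced VP/VC table" would carry is left out.

```python
HEC_POLY, HEC_COSET = 0x07, 0x55   # ITU-T I.432: CRC-8 x^8+x^2+x+1, remainder XOR 0x55


def crc8_itu(data: bytes) -> int:
    """CRC-8 (poly 0x07, init 0, no reflection) with the I.432 coset applied."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ HEC_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ HEC_COSET


def build_header(vpi: int, vci: int, pti: int = 0, clp: int = 0) -> bytes:
    """UNI cell header: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8)."""
    h = bytes([(vpi >> 4) & 0x0F,
               ((vpi & 0x0F) << 4) | ((vci >> 12) & 0x0F),
               (vci >> 4) & 0xFF,
               ((vci & 0x0F) << 4) | ((pti & 0x07) << 1) | (clp & 1)])
    return h + bytes([crc8_itu(h)])


def hec_valid(cell: bytes) -> bool:
    """True if the fifth header byte matches the CRC of the first four."""
    return crc8_itu(cell[:4]) == cell[4]


def parse_header(cell: bytes) -> dict:
    """Decode a UNI header, rejecting cells whose HEC does not match."""
    if not hec_valid(cell):
        raise ValueError("HEC mismatch")   # a real receiver would also try single-bit correction
    h = cell[:5]
    return {
        "gfc": h[0] >> 4,
        "vpi": ((h[0] & 0x0F) << 4) | (h[1] >> 4),
        "vci": ((h[1] & 0x0F) << 12) | (h[2] << 4) | (h[3] >> 4),
        "pti": (h[3] >> 1) & 0x07,
        "clp": h[3] & 1,
    }


class CellSwitch:
    """Minimal label-swapping switch: (in_port, VPI, VCI) -> (out_port, VPI', VCI')."""

    def __init__(self):
        self.vc_table = {}

    def add_vc(self, in_port, vpi, vci, out_port, out_vpi, out_vci):
        self.vc_table[(in_port, vpi, vci)] = (out_port, out_vpi, out_vci)

    def switch_cell(self, in_port, cell):
        """Return (out_port, rewritten cell) or None if no VC is set up for the label."""
        hdr = parse_header(cell)
        entry = self.vc_table.get((in_port, hdr["vpi"], hdr["vci"]))
        if entry is None:
            return None                      # unknown label: cell discarded
        out_port, out_vpi, out_vci = entry
        new_hdr = build_header(out_vpi, out_vci, hdr["pti"], hdr["clp"])
        return out_port, new_hdr + cell[5:]  # payload untouched; only the label changes


if __name__ == "__main__":
    sw = CellSwitch()
    sw.add_vc(1, 3, 100, 2, 7, 200)
    cell = build_header(3, 100, pti=1) + bytes(48)
    out = sw.switch_cell(1, cell)
    print(out[0], parse_header(out[1]))
```

The point for the firewall switch is that the VP/VC table lookup already happens per cell in hardware; the design on the earlier slides hangs the QoF class, the VC-specific rules and the T-Monitor bit off that same table entry rather than adding a separate lookup.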
ATM basics (Continued)
The ATM cell payload structure depends on the type of service being used.
The ATM Adaptation Layer (AAL) was designed to support different
services and types of traffic. The AAL maps the ATM layer services to
the upper layers of the protocol stack through the Convergence
Sublayer (CS) and SAR functions. The ATM layer is mainly
concerned with management of the cell headers during receiving and
sending of ATM cells.
ATM is efficient in its use of bandwidth because it multiplexes multiple
streams of traffic onto network links using a technique known as cell
interleaving. Cells from many different flows can be interleaved on a
physical link, avoiding the problem encountered in data networks
where small, real-time packets can get stuck in a transmission queue
behind large packets.
26