Transcript network-security

Network Security
Dr. Ken Regis
Aerogram Networks
Fremont, CA
Overview
➲
➲
➲
History
Current State
Current Efforts
History
➲
For a long time network security implied cryptography to the
R&D community (50-90).
Internet arrived with Web-browser and email – and the
venerated Firewall and Virus Scanner appeared ( circa
1995).
➲
●
●
●
●
●
➲
➲
➲
➲
➲
The first Internet virus is Morris Worm in 1988.
FW in late 80’s (accredited to Steve Bellovin).
Trusted Information Systems (TIS) Firewall Toolkit (FWTK) 10/1/1993.
Checkpoint FW-1 in 1994.
McAfee Pro-scan 1990.
IPSec and SSL standardized (circa 1998).
Then Spam Filters, IDS and IPS.
AES standardized (2001), 3DES (1999), DES (1977).
WiFi WEP debacle prompted 802.11i (circa 2004) .
SHA-1 broken ? (2005).
The Current Issues
➲
➲
➲
➲
➲
➲
Virus, Spam, Worms, DOS/DDOS although
tamed still exists.
Software vulnerabilities (bad/sloppy code).
Spyware/Adware
Peer-to-peer
Federal and Sate regulations: SOX, HIPPA,
GLB, CA SB 1386, ITAR.
Phising, Social Engineering.
Current Industry Efforts
(Partial List)
➲
➲
➲
Network Access Control
Content Scanning
Traffic Profiling
Access Control - Cisco NAC
AV
Agent
EAP
Over
RADIUS
EAP
Over
UDP/802.1x
AAA
Server HCAP
Cisco ACS
Cisco Trust Agent
1. Communicate
2. EAP TLV
3. Auth (PEAP)
4. encryption
Network
Access
Device
Vendor
Policy
Server
Remediation
1. Triggers Intercept ACL on router, default ACL determines initial network access
2. Router triggers posture validation with CTA (EAPoUDP)
3. CTA sends posture credentials to router (EAPoUDP)
4. Router sends posture credentials to AAA (RADIUS)
5. If necessary, AAA request posture validation (HCAP - Host Credential Authorization Protocol (HTTPSbased))
6. AAA validates posture (Healthy, Checkup, Quarantine, Remediate)
7. AAA sends Access-Accept with ACLs/URL redirect as per policy to router.
8. Host granted/denied/redirected/restricted access.
Access Control - Cisco NAC
➲
➲
➲
➲
Network Admission Control functionality
enables Cisco routers to enforce access
privileges when an endpoint (OS and AV
patches) attempts to connect to a network.
Proprietary architecture
Proprietary Protocols – PEAP and HCAP.
Partners Symantec, McAfee, Trendmicro
Access Control - MAC-SEC
➲
To provide user data confidentiality, frame
data integrity, and data origin authenticity.
HUB
D
A
SCA
B
SCB
C
KaY
CA Discovery
Peer Authentication
Key Mgmt
SecY
Protection
SCC
CAABC
SC: Secure Channel
CA: Connectivity Assoc
Access Control - MAC-SEC
DST:6
SRC:6 SecureTAG:8/16
DATA
ICV:8-16
Ether Type:2 TCI AN SL:1 PacketNumber:4
SCID:8
SRC MAC + Port
> 2 peers
SPI:4
SN:4
DATA:n
PAD:0-255 PL:1 NH:1 ICV:n
IPSEC ESP
Access Control - MAC-SEC (TX)
Access Control - MAC-SEC (RX)
Content Scanning
➲
➲
➲
The problem is to find a hex sub-string in
the continuous bytes of a flow.
Substantial theoretical research: BoyerMoore, Aho-Corasick,
CPU MIPS required.
String Matching Algorithm
➲
➲
Knuth-Morris-Pratt
Boyer-Moore uses huresritcs to speed up.
●
➲
➲
➲
O(k(m+n))
Commentz-Walter
Wu-Manbar
Aho-Corasick creats an NFA( then a DFA)
out all the search patterns.
●
●
O(n)
State explosion
COTS IP Packet Processor
Architecture (IXP 2400 circa 2003)
➲
4 GE ports
Throughput
➲
●
●
●
➲
4 Gbps for all frame sizes
12 mpps for 64 byte frames
0.4 mpps for 1518 byte frames
Latency :
●
●
●
●
100% throughput 45 usec for 1518 byte frames.
75% throughput 34 usec for 1518 byte frames.
50% throughput 26 usec for 1518 byte frames.
25% throughput 17.4 usec for 1518 byte frames.
IXP2400 Internal Architecture
72
Stripe/byte align
DDRAM
64b
3
XScale
Core
PCI
(64b)
66 MHz
MEv2
1
32K IC
32K DC
G
A
S
K
E
T
MEv2
2
1
Rbuf
64 @ 128B
MEv2
4
MEv2
3
4
Tbuf
64 @ 128B
2
MEv2
5
MEv2
6
S 32b
P
I
3
or
C
S
I
X 32b
Hash
64/48/128
Scratch
16KB
QDR
SRAM
1
QDR
SRAM
2
E/D Q
E/D Q
18
18
18
18
MEv2
8
MEv2
7
CSRs
-Fast_wr -UART
-Timers -GPIO
-BootROM/Slow Port
String Matching - MIPS Issue
➲
DRAM packet buffer access speed = d (19.2 gbps).
Average packet size = b (1000 bits)
SRAM pattern access speed = s (12.8 gbps).
ME/CPU compares = c ( 0.600 gips)
Number of patterns = p (1000 )
Average pattern length = l (100 bits)
Times each pattern read /packet = f1 (1 ,scratch memory)
Theoretical pattern matching rate
➲
➲
➲
➲
➲
➲
➲
1/( b/d + f1lp/s + blp/322c )
●
●
●
127Kpps
5860 pps (worst case), 28654 pps (with tree/DFA)
String Matching - MIPS Issue
(Content Processors)
➲
17 Gbps content search (Seaway Networks).
●
●
➲
4.0 Gbps (Cavium Networks)
●
➲
Multi-core architecture connected by SPI 4.2 (10 Gbps).
(Sensory Networks)
●
➲
Stream based vs. packet based.
HW assists for content matching, modification, and replication.
Origin in gene sequence search.
Matching against one pattern ? how long pattern ? What
algorithm ?
String Matching Uses – IDS
(SNORT)
frag2
stream4
pcap
http_decode
syslog
portscan
sql
SPADE
smb
Preprocessor
Signature based
Software
Detection
Engine
rules
content
Log/Alert
Engine
Ouput
Engine
String Matching Uses 1
(SNORT)
➲
➲
➲
➲
➲
Snort – Open source software IDS
Uses BM, AC, WM, Setwise BM
User space – substantial performance issue – I believe
the best performance has been about 80 mbps on
state of the art PC platforms.
String matching used for flagging viruses, spy wares,
application vulnerabilities through signatures.
Also supports Regular Expressions – performance is
an issues.
String Matching Use – Compliance
(Reconnex)
String Matching Uses 2
(Reconnex)
➲
➲
➲
➲
➲
➲
Content Security for compliance and IP protection.
Detects SSN, Credit Card Numbers etc.
Uses proprietary methods to generate signatures
from repositories.
Signatures matched in as packets are streamed in.
Packets are assembled into flows and stored in
hard disks for audit purposes.
PC platform , dual Pentium , 4 G RAM, 1.5TB HD.
Profiling
➲
Profiled Items
●
●
●
➲
Top Applications
Top Sources & Destinations
Top Conversations
Protocol Analysis
●
●
●
●
TCP state reconstruction
UDP/ICMP state reconstruction
Application protocols – FTP, Telnet, HTTP, Sun RPC,
MSRPC, NFS, SMB/CIFS, P2P – Kazza, etc.
Tunneled – IPIP, HTTP
Profiling - Issues
➲
Number of simultaneous flows (s)
●
●
➲
Memory issue – typical per flow memory is 256 bytes.
Current products support ~ 5 millions flows.
Flow create rate ( c)
●
➲
A pathological case is SYN attack.
Flow demise rate ( d)
●
●
➲
Graceful demise ( e.g. 4-way TCP FIN hand shake).
Timeouts (e.g. SYN attack).
Steady State
●
●
c<d
average flow life < s/d
Profiling - Issues
➲
Protocol state machine
both sides - client/server, requestor/responder,
initiator/responder.
●
➲
Time budget
CPU/NP/CP clock cycle time, tc (1.0 nsec).
Buffering memory available , M ( 1 GB ).
System throughput, tt( 2 Gbps).
Cycles per bit available, c.
●
●
●
●
●
c = M/(tc* tt)( 4 sec/1e9) ! - Not allowed, tolerable latency is
<< 150 ms. If 1.0 msec is allowed, then c is 1,000,000.
Profiling
➲
➲
➲
➲
➲
➲
Cisco Netflow (IPFIX), PSAMP
CAIDA
Mazu Networks
Imperva
Allot
Narus
Conclusion
➲
➲
Network Security, Information Security, is a
very vibrant area - many players selling many
products and services ( eerily similar to 1999).
Overheard – information security is a eternal
gold mine.