Hardened IDS using IXP

Didier Contis, Dr. Wenke Lee, Dr. David Schimmel
Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang
Motivation
 Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including:
• An inability to keep up with throughput significantly greater than 100 Mb/s
• An inability to deal with encrypted traffic (VPN)
• An inability to utilize knowledge of network topology and OS
• Not easily scalable as network becomes more complex and higher speed

The Vision
 Create a new generation of network hardware based IDS / Firewall sensor, integrated on the Network Card
 Take advantage of the hardware and the network sensors to create a global distributed and adaptable IDS
Conventional Software based IDS
[Figure: conventional software based IDS, running entirely on the Host. Labels: Capture of Network Traffic (e.g. receive of ethernet frames), NIC, Packet, Packet stream, Libpcap, tcpdump filters, Event Engine, Event stream, Event control, Policy Script Interpreter, Policy script, Alerts.]

Current Implementation of an IXP based IDS
[Figure: current IXP based implementation. Labels: Host, StrongARM, Libpcap, Packet stream, Event stream, Event control, Policy Script Interpreter, Policy script, Alerts.]

Current Project
 Implementation of a proof of concept:
1. Port open-source software IDS systems such as Bro or Snort on the StrongArm
2. Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, Defragmentation, Sanity checks)
3. Investigate the use of FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly)

Proposed implementation of an IXP based IDS with FPGAs
[Figure: proposed IXP based IDS with FPGAs. Labels: Lan, Network Card, NIC, Engines, tcpdump filters, Filtered pkt stream, Event Engine (ip-defrag, tcp reassembly, event generation), Event stream, Event control, Policy Script Interpreter, Policy script, Alerts, Host.]
TCP Reassembly in Hardware
A TCP reassembly unit has been implemented in VHDL and mapped to a Xilinx XCV1000. This prototype is currently being ported to the Celoxica FPGA environment.
A dynamically re-configurable FPGA implementation permits adaptive allocation of detection resources and therefore more accurate and efficient pattern-matching or behavioral analysis.
[Block diagram of the reassembly unit. Inputs: data_in, CLK, enable, TCP/IP header elements, Payload data. Blocks: Input State-Machine, Connection State-Machine, Ack/Seq Tracking Unit, Memory Gateway, and two SelectRAM buffers (Client → Server and Server → Client, 1, 2, 3, 8, 16 kB). Outputs: data_out, data_valid, exception_flags, read, server.]
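As an added illustration (not code from the poster or from the VHDL design), the following Python model mimics what the Ack/Seq Tracking Unit and the two per-direction SelectRAM buffers do: bytes are released to data_out only in sequence order, out-of-order segments are parked, and retransmissions, overlaps and a full buffer raise exception flags. The buffer size, the direction names and the flag names are assumptions made for the example.

```python
BUFFER_BYTES = 2048  # assumed: one of the 1/2/3/8/16 kB SelectRAM sizes in the diagram


class Direction:
    """Ack/Seq tracking state plus the reorder buffer for one flow direction."""

    def __init__(self):
        self.next_seq = None  # next byte the consumer expects; seeded by the first segment
        self.pending = {}     # seq -> out-of-order payload parked in the buffer
        self.flags = []       # exception_flags raised so far (names are assumptions)

    def feed(self, seq, payload):
        """Return the in-order bytes released by this segment (data_out), or b''."""
        if self.next_seq is None:
            self.next_seq = seq
        if seq + len(payload) <= self.next_seq:  # wholly old data: flag and drop
            self.flags.append("retransmit")
            return b""
        if seq < self.next_seq:                  # partial overlap: keep only the new tail
            self.flags.append("overlap")
            payload, seq = payload[self.next_seq - seq:], self.next_seq
        if seq > self.next_seq:                  # gap ahead: park it unless the buffer is full
            held = sum(len(p) for p in self.pending.values())
            if held + len(payload) > BUFFER_BYTES:
                self.flags.append("buffer_overflow")
                return b""
            self.pending[seq] = payload
            return b""
        out = bytearray(payload)
        self.next_seq += len(payload)
        while True:                              # drain parked segments that now fit in order
            k = next((k for k in self.pending if k <= self.next_seq), None)
            if k is None:
                break
            chunk = self.pending.pop(k)[self.next_seq - k:]
            out += chunk
            self.next_seq += len(chunk)
        return bytes(out)


class Reassembler:
    """Two directions, like the Client -> Server and Server -> Client SelectRAM buffers."""

    def __init__(self):
        self.dirs = {"c2s": Direction(), "s2c": Direction()}

    def feed(self, direction, seq, payload):
        return self.dirs[direction].feed(seq, payload)

    def exception_flags(self, direction):
        return list(self.dirs[direction].flags)
```

A detector reading data_out sees the reassembled stream in order, while exception_flags lets it notice evasion attempts (overlapping retransmissions) or resource exhaustion (buffer_overflow) instead of silently losing bytes.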
[Figure: IXP1200 processing blocks, with the Filtered pkt stream passed between them. Labels grouped by block:]
Functions performed at the micro-engine level
Network: header analysis, filtering
IP Packet Preprocessing:
• CRC check
• IPDefrag
• IP options check
Re-programmable Co-processors:
• TCP Stream Reassembly
• …
IDS Analysis:
• Pattern Matching
• Behavioral model
Libpcap: compatibility w/ existing IDSs
Current Status & Lessons Learned
In parallel, micro-code is being developed to offload some of the CPU intensive functions of the IDS:
• IP Defragmentation
• CRC Checksums at Layer 4
• Packet decoding
ACE + Micro-Engine C Compiler = Faster learning Cycle
BUT
 The PCI interface between the Board and the Host, as well as the current driver, appears as a bottleneck
 The ACE SDK generates too much overhead on the StrongArm
Future Steps
 Implementation of a fully distributed IDS
 Adaptation in the NIDS
• Integration of detection and response
• Agile context dependent reconfiguration of multiple IDS methods such as pattern-matching and behavioral models
 Unified framework for network policies
• Common response mechanisms for QoS, Fault Detection, NIDS Load Balancing