Hardened IDS using IXP
Didier Contis, Dr. Wenke Lee, Dr. David Schimmel
Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang
Motivation
Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including:
• An inability to keep up with throughput significantly greater than 100 Mb/s
• An inability to deal with encrypted traffic (VPN)
• An inability to utilize knowledge of network topology and OS
• Not easily scalable as the network becomes more complex and higher speed

The Vision
Create a new generation of network hardware based IDS / Firewall sensor, integrated on the Network Card.
Take advantage of the hardware and the network sensors to create a global, distributed and adaptable IDS.
Current Project
Implementation of a proof of concept:
1. Port open-source software IDS systems such as Bro or Snort on the StrongARM
2. Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, defragmentation, sanity checks)
3. Investigate the use of an FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly)

Conventional Software based IDS
[Block diagram: policy script -> Policy Script Interpreter on the Host (emits alerts) -> event control / event stream -> Event Engine (ip-defrag, tcp reassembly, event generation) -> tcpdump filters / filtered pkt stream -> Libpcap -> packet stream -> NIC (capture of network traffic, e.g. receive of ethernet frames) -> LAN.]

Current Implementation of an IXP based IDS
[Block diagram: the same pipeline partitioned across the Host, the StrongARM and the Micro-Engines of the Network Card.]

Proposed implementation of an IXP based IDS with FPGAs
[Block diagram: the same pipeline with FPGA co-processors added on the Network Card for the tasks named in item 3 above.]
TCP Reassembly in Hardware
A TCP reassembly unit has been implemented in VHDL and mapped
to a Xilinx XCV1000. This prototype is currently being ported to the
Celoxica FPGA environment
A dynamically re-configurable FPGA implementation permits adaptive allocation of detection resources and therefore more accurate and efficient pattern-matching or behavioral analysis.
Block diagram of the reassembly unit
[Inputs: data_in, CLK, enable. An Input State-Machine separates each segment into TCP/IP header elements and payload data; a Connection State-Machine and an Ack/Seq Tracking Unit drive a Memory Gateway that writes the payload into two SelectRAM buffers, one per direction (Client -> Server and Server -> Client, 1, 2, 3, 8 or 16 kB). Outputs: data_out, data_valid, read, exception_flags.]
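As an added illustration (example Python written for this page, not the poster's VHDL or any code from the project), the following model does the unit's job in software: a per-connection state machine, seq tracking per direction, a bounded buffer standing in for each SelectRAM, and exception flags raised for traffic the unit must not resolve silently. Flag names, the "c2s"/"s2c" direction labels, the 8 kB default buffer and the constructed segments are assumptions of this example; 32-bit sequence wraparound is not modelled.

```python
"""Added example: software model of the TCP reassembly unit above (not the poster's VHDL).
Per connection: a state machine, a seq tracker per direction, a bounded buffer standing
in for each SelectRAM, and exception flags.  Flag names, direction labels and buffer
sizes are assumptions of this example; 32-bit sequence wraparound is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_BUF = 8 * 1024                            # assumed default (poster: 1, 2, 3, 8 or 16 kB)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

@dataclass
class Direction:
    """One half of a connection (client->server or server->client)."""
    base: Optional[int] = None                 # seq of the first data byte (ISN + 1)
    next_seq: Optional[int] = None             # next in-order byte expected
    stream: bytearray = field(default_factory=bytearray)     # delivered, in-order bytes
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments by seq

class Reassembler:
    def __init__(self, max_buf: int = MAX_BUF):
        self.max_buf = max_buf
        self.state = "CLOSED"
        self.dirs = {"c2s": Direction(), "s2c": Direction()}
        self.flags: List[str] = []             # the unit's exception_flags, as strings

    def segment(self, direction: str, seq: int, flags: int = ACK, payload: bytes = b"") -> None:
        """Feed one segment; header fields are passed in (no IP/TCP parsing here)."""
        d = self.dirs[direction]
        if flags & RST:
            self.state = "CLOSED"
            self.flags.append(f"rst:{direction}")
            return
        if flags & SYN:
            if d.base is not None:
                self.flags.append(f"dup_syn:{direction}")
                return
            d.base = d.next_seq = seq + 1      # SYN consumes one sequence number
            self.state = "SYN_SEEN" if direction == "c2s" else "ESTABLISHED"
            return
        if payload:
            self._data(direction, seq, payload)
        if flags & FIN:
            self.state = "CLOSING"

    def _data(self, direction: str, seq: int, payload: bytes) -> None:
        d = self.dirs[direction]
        if d.base is None:
            self.flags.append(f"data_before_syn:{direction}")
            return
        if seq < d.base:
            self.flags.append(f"below_isn:{direction}@{seq}")
            return
        end = seq + len(payload)
        if seq == d.next_seq:                  # in order: deliver, then replay the queue
            d.stream += payload
            d.next_seq = end
            self._drain(direction)
        elif seq < d.next_seq:                 # overlaps bytes already delivered
            ovl_end = min(end, d.next_seq)
            old = bytes(d.stream[seq - d.base:ovl_end - d.base])
            same = old == payload[:ovl_end - seq]
            # First copy wins.  A retransmission carrying different bytes is the classic
            # insertion/evasion ambiguity, so it is flagged for the IDS, not applied.
            self.flags.append(("retransmit" if same else "overlap_mismatch") + f":{direction}@{seq}")
            if end > d.next_seq:               # tail extends past the delivered prefix
                d.stream += payload[d.next_seq - seq:]
                d.next_seq = end
                self._drain(direction)
        else:                                  # beyond a hole: queue within the buffer limit
            if sum(len(p) for p in d.pending.values()) + len(payload) > self.max_buf:
                self.flags.append(f"buffer_overflow:{direction}")
                return
            d.pending.setdefault(seq, payload)
            self.flags.append(f"gap:{direction}@{d.next_seq}")

    def _drain(self, direction: str) -> None:
        """Replay queued segments that now touch or overlap the delivered prefix."""
        d = self.dirs[direction]
        for s in sorted(d.pending):
            if s > d.next_seq:
                break
            queued = d.pending.pop(s, None)    # may already be gone via recursion
            if queued is not None:
                self._data(direction, s, queued)

def reassembly_demo() -> Reassembler:
    """Constructed handshake and request, delivered with the anomalies the flags cover."""
    r = Reassembler(max_buf=16)                # tiny buffer so the overflow path is exercised
    r.segment("c2s", 1000, SYN)
    r.segment("s2c", 5000, SYN | ACK)
    r.segment("c2s", 1001, ACK, b"GET /ind")         # in order, next_seq -> 1009
    r.segment("c2s", 1015, ACK, b"l HTTP/1.0\r\n")   # out of order: queued, gap flagged
    r.segment("c2s", 1040, ACK, b"AAAAAAAA")         # queue full: dropped, overflow flagged
    r.segment("c2s", 1009, ACK, b"ex.htm")           # fills the hole; 1015 is drained too
    r.segment("c2s", 1005, ACK, b"/evil.htm")        # conflicting retransmission: flagged, ignored
    r.segment("c2s", 1001, ACK, b"GET /ind")         # identical retransmission: flagged
    r.segment("s2c", 5001, ACK, b"HTTP/1.0 200 OK\r\n")
    return r
```

The conflicting retransmission at seq 1005 is the case that matters for an IDS: a reassembler that quietly accepts the second copy can be made to see a different stream from the one the end host sees, so the unit reports it through exception_flags rather than choosing an interpretation on its own.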
[Block diagram of the IXP1200 based IDS: Network -> header analysis and filtering on the IXP1200 (functions performed at the micro-engine level: IP packet preprocessing, i.e. CRC check, IP defrag, IP options check) -> filtered pkt stream -> re-programmable co-processors (TCP stream reassembly, …) -> Libpcap (compatibility with existing IDSs) -> IDS analysis (pattern matching, behavioral model).]
Current Status & Lessons Learned
In parallel, microcode is being developed to offload some of the CPU intensive functions of the IDS:
• IP Defragmentation
• CRC Checksums at Layer 4
• Packet decoding
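The first two offloaded functions, as an added worked example in Python (not the project's micro-engine code; it also stands in for the CRC / defragmentation / sanity-check offload listed under the proof of concept above): an IPv4 defragmenter that reassembles by (src, dst, protocol, ID), flags overlapping fragments instead of merging them, and a layer-4 check of the TCP checksum over the pseudo-header. Addresses, ports, the IP ID 0x1234, the 64-byte MTU and the HTTP payload are constructed for the example, and the first-fragment-wins overlap policy is this example's choice, not something the poster specifies.

```python
"""Added example: IPv4 defragmentation and layer-4 (TCP) checksum verification, two of the
preprocessing steps offloaded to the micro-engines.  This is not the project's micro-code;
packet contents, addresses, the IP ID and the overlap policy are assumptions of the example."""
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifies to 0 when the checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload, ident, frag_off=0, mf=False, ttl=64):
    """Minimal IPv4 header without options; frag_off is in bytes (multiple of 8)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (0x2000 if mf else 0) | frag_off // 8, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_tcp(src, dst, sport, dport, seq, ack, flags, payload):
    """TCP segment whose checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:] + payload

def fragment(pkt: bytes, mtu: int) -> list:
    """Sender-side fragmentation, used only to construct the demo traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, body = pkt[:ihl], pkt[ihl:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    step = (mtu - ihl) // 8 * 8
    return [build_ipv4(hdr[12:16], hdr[16:20], hdr[9], body[o:o + step], ident,
                       frag_off=o, mf=o + step < len(body)) for o in range(0, len(body), step)]

class Defragmenter:
    """Reassembles by (src, dst, proto, id); overlapping fragments are flagged and dropped."""
    def __init__(self):
        self.pending = {}
        self.flags = []                         # exception flags handed to the IDS

    def feed(self, pkt: bytes):
        """Return a complete datagram (unfragmented input or finished reassembly), else None."""
        ihl = (pkt[0] & 0x0F) * 4
        hdr = pkt[:ihl]
        if checksum(hdr) != 0:                  # header sanity check
            self.flags.append("bad_ip_checksum")
            return None
        total_len, ident, ff = struct.unpack("!HHH", hdr[2:8])
        mf, off = bool(ff & 0x2000), (ff & 0x1FFF) * 8
        if not mf and off == 0:
            return pkt
        key = (hdr[12:16], hdr[16:20], hdr[9], ident)
        e = self.pending.setdefault(key, {"chunks": {}, "hdr": None, "total": None})
        body = pkt[ihl:total_len]
        for o, c in e["chunks"].items():        # any byte range already covered?
            if off < o + len(c) and o < off + len(body):
                self.flags.append(f"overlapping_fragment:{ident:#x}@{off}")
                return None
        e["chunks"][off] = body
        if off == 0:
            e["hdr"] = hdr                      # first fragment's header is reused
        if not mf:
            e["total"] = off + len(body)        # last fragment fixes the total length
        if e["hdr"] is None or e["total"] is None:
            return None
        have = 0
        for o in sorted(e["chunks"]):           # all holes filled?
            if o != have:
                return None
            have += len(e["chunks"][o])
        if have != e["total"]:
            return None
        payload = b"".join(e["chunks"][o] for o in sorted(e["chunks"]))
        del self.pending[key]
        h = bytearray(e["hdr"])
        struct.pack_into("!HHHBBH", h, 2, ihl + len(payload), ident, 0, h[8], h[9], 0)
        struct.pack_into("!H", h, 10, checksum(bytes(h)))   # length, MF/offset and checksum fixed
        return bytes(h) + payload

def tcp_checksum_ok(ip_pkt: bytes) -> bool:
    """Layer-4 check: pseudo-header + TCP segment must verify to zero."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    seg = ip_pkt[ihl:struct.unpack("!H", ip_pkt[2:4])[0]]
    pseudo = ip_pkt[12:16] + ip_pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0

def preprocess_demo() -> dict:
    """Constructed traffic: a fragmented HTTP request delivered out of order with one
    overlapping fragment injected, plus a copy of the datagram with a flipped payload byte."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0\r\nHost: example\r\n\r\n" + b"A" * 100
    pkt = build_ipv4(src, dst, 6, build_tcp(src, dst, 40000, 80, 1, 0, 0x18, payload), 0x1234)
    frags = fragment(pkt, mtu=64)               # 4 fragments of 40, 40, 40 and 33 bytes
    d = Defragmenter()
    d.feed(frags[1])
    d.feed(build_ipv4(src, dst, 6, b"X" * 8, 0x1234, frag_off=48, mf=True))  # overlaps frags[1]
    out = None
    for f in (frags[3], frags[2], frags[0]):
        out = d.feed(f) or out
    corrupted = bytearray(pkt)
    corrupted[-1] ^= 0xFF                       # damage the last payload byte
    return {"fragments": len(frags), "reassembled": out == pkt, "tcp_ok": tcp_checksum_ok(out),
            "tcp_corrupt_detected": not tcp_checksum_ok(bytes(corrupted)), "flags": d.flags}
```

Dropping an overlapping fragment and raising a flag, rather than letting either copy win, is the conservative choice for a sensor that feeds an IDS: the end host's reassembly policy for overlaps is OS-specific, which is exactly the kind of topology and OS knowledge the motivation section says current NIDS cannot use.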
ACE + Micro-Engine C Compiler = Faster learning Cycle
BUT
The PCI interface between the board and the host, as well as the current driver, appears to be a bottleneck.
The ACE SDK generates too much overhead on the StrongARM.
Future Steps
Implementation of a fully distributed IDS
Adaptation in the NIDS
• Integration of detection and response
• Agile, context-dependent reconfiguration of multiple IDS methods such as pattern-matching and behavioral models
Unified framework for network policies
• Common response mechanisms for QoS, Fault Detection,
NIDS Load Balancing