Network Security

Dr. Subrata Goswami Aerogram Networks Fremont, CA

Overview

➲ History
➲ Current State
➲ Current Efforts

History

➲ For a long time network security implied cryptography to the R&D community (50-90).
➲ Internet arrived with Web-browser and email – and the venerated Firewall and Virus Scanner appeared (circa 1995).
  ● The first Internet virus is Morris Worm in 1988.
  ● FW in late 80's (accredited to Steve Bellovin).
  ● Trusted Information Systems (TIS) Firewall Toolkit (FWTK) 10/1/1993.
  ● Checkpoint FW-1 in 1994.
  ● McAfee Pro-scan 1990.
➲ IPSec and SSL standardized (circa 1998).
➲ Then Spam Filters, IDS and IPS.
➲ AES standardized (2001), 3DES (1999), DES (1977).
➲ WiFi WEP debacle prompted 802.11i (circa 2004).
➲ SHA-1 broken? (2005).

The Current Issues

➲ Virus, Spam, Worms, DOS/DDOS – although tamed, still exist.
➲ Software vulnerabilities (bad/sloppy code).
➲ Spyware/Adware, Peer-to-peer.
➲ Federal and State regulations: SOX, HIPAA, GLB, CA SB 1386, ITAR.
➲ Phishing, Social Engineering.

Current Industry Efforts (Partial List)

➲ Network Access Control
➲ Content Scanning
➲ Traffic Profiling

Access Control - Cisco NAC

Diagram (component labels recovered from the figure): AV Agent and Cisco Trust Agent (CTA) on the host; Network Access Device (router), speaking EAP over UDP / 802.1x toward the host and EAP over RADIUS toward the AAA Server (Cisco ACS); AAA Server speaking HCAP to the Vendor Policy Server; Remediation. Figure step labels: 2. Communicate, 3. EAP TLV, 4. Auth (PEAP), 5. encryption.

1. Triggers Intercept ACL on router; default ACL determines initial network access.
2. Router triggers posture validation with CTA (EAPoUDP).
3. CTA sends posture credentials to router (EAPoUDP).
4. Router sends posture credentials to AAA (RADIUS).
5. If necessary, AAA requests posture validation (HCAP - Host Credential Authorization Protocol, HTTPS-based).
6. AAA validates posture (Healthy, Checkup, Quarantine, Remediate).
7. AAA sends Access-Accept with ACLs/URL redirect as per policy to router.
8. Host granted/denied/redirected/restricted access.

Access Control - Cisco NAC

➲ Network Admission Control functionality enables Cisco routers to enforce access privileges when an endpoint (OS and AV patches) attempts to connect to a network.
➲ Proprietary architecture.
➲ Proprietary Protocols – PEAP and HCAP.
➲ Partners: Symantec, McAfee, Trend Micro.

Access Control - MAC-SEC

➲ To provide user data confidentiality, frame data integrity, and data origin authenticity.

Diagram (labels recovered from the figure): stations A, B, C, D on a HUB; A, B and C form Connectivity Association CA(ABC) with Secure Channels SC(A), SC(B), SC(C). KaY: CA Discovery, Peer Authentication, Key Mgmt. SecY: Protection. SC: Secure Channel; CA: Connectivity Assoc.

Access Control - MAC-SEC

MACsec frame (field: size in bytes)
  DST: 6 | SRC: 6 | SecureTAG: 8/16 | DATA | ICV: 8-16
  SecureTAG = Ether Type: 2 | TCI/AN: 1 | SL: 1 | PacketNumber: 4 | SCID: 8 (SRC MAC + Port; present with > 2 peers)

IPSEC ESP, for comparison (field: size in bytes)
  SPI: 4 | SN: 4 | DATA: n | PAD: 0-255 | PL: 1 | NH: 1 | ICV: n
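Added example (not code from the slides): a parser for the MACsec frame layout above, in Python. It assumes the 802.1AE field order the slide lists, a 16-byte ICV (the upper end of the slide's 8-16 range, as used with GCM-AES), and that the SCI is carried exactly when the SC bit of the TCI is set; the frames it builds are constructed test data. The SL and PN checks show what a receiver should reject rather than silently accept.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16                 # assumption: 16-byte ICV (GCM-AES); slide gives 8-16
MIN_SECTAG = 8               # EtherType(2) + TCI/AN(1) + SL(1) + PN(4)
# Bits of the TCI/AN octet (802.1AE): V ES SC SCB E C, then the 2-bit AN
TCI_SC, TCI_E, TCI_C = 0x20, 0x08, 0x04


@dataclass
class MacsecFrame:
    dst: bytes
    src: bytes
    tci: int                 # the 6 TCI flag bits
    an: int                  # association number: which SA key is in use
    sl: int                  # short length, 0 unless user data < 48 bytes
    pn: int                  # packet number, the replay-protection counter
    sci: Optional[bytes]     # None when the SC bit is clear (8-byte SecTAG)
    data: bytes
    icv: bytes


def build_macsec(dst, src, an, pn, data, icv, sci=None, encrypted=True):
    """Assemble a frame in the slide's layout (constructed test data, not real traffic)."""
    tci = TCI_SC if sci is not None else 0   # SC set when the SCI is carried
    if encrypted:
        tci |= TCI_E | TCI_C                  # E: payload encrypted, C: payload changed
    sl = len(data) if len(data) < 48 else 0
    sectag = struct.pack("!HBB", MACSEC_ETHERTYPE, tci | (an & 0x03), sl)
    sectag += struct.pack("!I", pn) + (sci or b"")
    return dst + src + sectag + data + icv


def parse_macsec(frame: bytes) -> MacsecFrame:
    """Split a frame into its fields, rejecting malformed ones instead of guessing."""
    if len(frame) < 12 + MIN_SECTAG + ICV_LEN:
        raise ValueError("frame too short for a minimal SecTAG plus ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl = struct.unpack("!HBB", frame[12:16])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: EtherType {ethertype:#06x}")
    tci, an = tci_an >> 2, tci_an & 0x03
    pn = struct.unpack("!I", frame[16:20])[0]
    if pn == 0:
        raise ValueError("PN 0 is never transmitted; treat as forged or corrupt")
    off = 20
    sci = None
    if tci_an & TCI_SC:
        sci = frame[off:off + 8]              # SCI = system MAC + port id
        off += 8
    body = frame[off:]
    if sl:
        # Short frame: user data is exactly sl bytes, the ICV follows it and
        # Ethernet padding may trail the ICV, so do not take the ICV from the end
        if len(body) < sl + ICV_LEN:
            raise ValueError("SL claims more data than the frame carries")
        data, icv = body[:sl], body[sl:sl + ICV_LEN]
    else:
        if len(body) < ICV_LEN:
            raise ValueError("truncated ICV")
        data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    return MacsecFrame(dst, src, tci, an, sl, pn, sci, data, icv)


def sectag_len(frame: bytes) -> int:
    """8 without the SCI, 16 with it: the 8/16 on the slide."""
    return 16 if frame[14] & TCI_SC else 8
```

The parser only checks structure; on a real SecY the ICV would be verified with the SA key and the PN checked against the replay window before any field is trusted.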

Access Control - MAC-SEC (TX) / (RX): transmit and receive processing figures (no text recoverable).

Content Scanning

➲ The problem is to find a hex sub-string in the continuous bytes of a flow.
➲ Substantial theoretical research: Boyer-Moore, Aho-Corasick, CPU MIPS required.

String Matching Algorithm

➲ Knuth-Morris-Pratt
➲ Boyer-Moore uses heuristics to speed up.
  ● O(k(m+n))
➲ Commentz-Walter
➲ Wu-Manber
➲ Aho-Corasick creates an NFA (then a DFA) out of all the search patterns.
  ● O(n)
  ● State explosion

COTS IP Packet Processor Architecture (IXP 2400 circa 2003)

➲ 4 GE ports
➲ Throughput
  ● 4 Gbps for all frame sizes
  ● 12 mpps for 64 byte frames
  ● 0.4 mpps for 1518 byte frames
➲ Latency:
  ● 100% throughput: 45 usec for 1518 byte frames.
  ● 75% throughput: 34 usec for 1518 byte frames.
  ● 50% throughput: 26 usec for 1518 byte frames.
  ● 25% throughput: 17.4 usec for 1518 byte frames.

IXP2400 Internal Architecture (block diagram; labels recovered from the figure): XScale Core (32K IC, 32K DC); microengines MEv2 1-8; DDRAM (72 bit, stripe/byte align); PCI 64b @ 66 MHz; QDR SRAM 1 and 2 (18/18 bit, E/D Q); Scratch 16KB; Hash 64/48/128; Rbuf 64 @ 128B and Tbuf 64 @ 128B; SPI-3 or CSIX 32b media interface; gasket; CSRs: Fast_wr, UART, Timers, GPIO, BootROM/Slow Port.

String Matching - MIPS Issue

➲ DRAM packet buffer access speed = d (19.2 gbps).
➲ Average packet size = b (1000 bits).
➲ SRAM pattern access speed = s (12.8 gbps).
➲ ME/CPU compares = c (0.600 gips).
➲ Number of patterns = p (1000).
➲ Average pattern length = l (100 bits).
➲ Times each pattern read/packet = f1 (1, scratch memory).

Theoretical pattern matching rate

  1 / ( b/d + f1·l·p/s + b·l·p/(32²·c) )

  ● 127 Kpps
  ● 5860 pps (worst case), 28654 pps (with tree/DFA)
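Added example (not from the slides): the rate formula above worked through in Python with the slide's own parameter values. Reading the slide's "322c" as 32²·c is my assumption; with it the model reproduces the slide's 5860 pps, and dropping the compare term gives the 127 Kpps the slide lists. speedup_needed() turns the 28654 pps tree/DFA figure into the factor by which the compare term would have to shrink.

```python
"""Pattern-matching budget from the slide's parameters (added example)."""

# Slide's numbers: sizes in bits, memory speeds in bits/s, c in compares/s
SLIDE = dict(b=1000, d=19.2e9, s=12.8e9, c=0.600e9, p=1000, l=100, f1=1)


def time_terms(b, d, s, c, p, l, f1, word=32):
    """Seconds spent per packet on each of the slide's three cost terms.

    word=32 is my reading of the slide's "322c" as 32^2 * c: one compare
    covers a 32-bit slice of packet against a 32-bit slice of pattern.
    """
    return {
        "packet_fetch": b / d,                       # read the packet from DRAM
        "pattern_fetch": f1 * l * p / s,             # read every pattern from SRAM
        "compares": b * l * p / (word * word * c),   # brute-force compares
    }


def matching_rate(**params):
    """Packets per second when all three terms are paid serially."""
    return 1.0 / sum(time_terms(**params).values())


def memory_bound_rate(**params):
    """Rate if compares were free: only the two memory terms remain."""
    t = time_terms(**params)
    return 1.0 / (t["packet_fetch"] + t["pattern_fetch"])


def bottleneck(**params):
    """Name of the term that dominates the per-packet time."""
    t = time_terms(**params)
    return max(t, key=t.get)


def speedup_needed(target_pps, **params):
    """Factor by which the compare term must shrink (tree/DFA, HW assist)
    to reach target_pps; impossible if the memory terms alone exceed the budget."""
    t = time_terms(**params)
    budget = 1.0 / target_pps - t["packet_fetch"] - t["pattern_fetch"]
    if budget <= 0:
        raise ValueError("target exceeds the memory-bound rate; no compare speedup suffices")
    return t["compares"] / budget
```

With the slide's values the compare term is about 163 µs of the 171 µs per packet, which is why the slide's next slides turn to content processors and tree/DFA structures rather than faster memory.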

String Matching - MIPS Issue (Content Processors)

➲ 17 Gbps content search (Seaway Networks).
➲ 4.0 Gbps (Cavium Networks).
  ● Multi-core architecture connected by SPI 4.2 (10 Gbps).
➲ (Sensory Networks)
  ● Stream based vs. packet based.
  ● HW assists for content matching, modification, and replication.
  ● Origin in gene sequence search.
➲ Matching against one pattern? How long a pattern? What algorithm?

String Matching Uses – IDS (SNORT)

Snort architecture (block diagram; labels recovered from the figure): pcap capture → Preprocessor (frag2, stream4, http_decode, portscan, SPADE) → Detection Engine (rules, content) → Log/Alert Engine → Output Engine (syslog, sql, smb). Signature based Software.

String Matching Uses 1 (SNORT)

➲ Snort – Open source software IDS.
➲ Uses BM, AC, WM, Setwise BM.
➲ User space – substantial performance issue – I believe the best performance has been about 80 mbps on state of the art PC platforms.
➲ String matching used for flagging viruses, spyware, application vulnerabilities through signatures.
➲ Also supports Regular Expressions – performance is an issue.
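Added example, not code from the slides or from Snort: a small Aho-Corasick matcher in Python for the multi-pattern problem of the String Matching Algorithm slide and the Snort slide above. All patterns are compiled into one automaton whose state count grows with the total pattern bytes (the "state explosion" bullet), and a flow is then scanned in one pass. The patterns and byte streams are constructed; StreamScanner shows why an IDS reassembles streams (as Snort's stream4 does) before matching: scanned packet by packet, a signature split across two packets is missed.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: every pattern lives in one automaton,
    so a flow is scanned once regardless of how many patterns there are."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]      # state -> {byte: next_state}   (trie edges)
        self.fail = [0]       # state -> longest proper suffix that is a trie path
        self.out = [[]]       # state -> indices of patterns ending at this state
        for idx, pat in enumerate(self.patterns):
            st = 0
            for byte in pat:
                nxt = self.goto[st].get(byte)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[st][byte] = nxt
                st = nxt
            self.out[st].append(idx)
        # Failure links in breadth-first order: each link targets a shallower
        # state whose output list is already final, so outputs merge here.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, st in self.goto[r].items():
                queue.append(st)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[st] = self.goto[f].get(byte, 0)
                self.out[st] = self.out[st] + self.out[self.fail[st]]

    @property
    def n_states(self):
        return len(self.goto)   # grows with total pattern bytes: the state explosion

    def step(self, state, byte):
        while state and byte not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(byte, 0)

    def scan(self, data, state=0, base=0):
        """Return ([(offset, pattern), ...], final_state); offsets count from base."""
        hits = []
        for i, byte in enumerate(data):
            state = self.step(state, byte)
            for idx in self.out[state]:
                pat = self.patterns[idx]
                hits.append((base + i - len(pat) + 1, pat))
        return hits, state


class StreamScanner:
    """Carries the automaton state from one packet to the next, as matching
    over a reassembled stream would, so a split signature is still found."""

    def __init__(self, ac):
        self.ac, self.state, self.offset = ac, 0, 0

    def feed(self, chunk):
        hits, self.state = self.ac.scan(chunk, self.state, self.offset)
        self.offset += len(chunk)
        return hits
```

The matcher works on bytes, so hex signatures such as bytes.fromhex("...") are used exactly like text patterns; the per-byte cost is independent of the pattern count, which is the O(n) bullet on the slide.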

String Matching Uses 2 – Compliance (Reconnex)

➲ Content Security for compliance and IP protection.
➲ Detects SSN, Credit Card Numbers etc.
➲ Uses proprietary methods to generate signatures from repositories.
➲ Signatures matched as packets are streamed in.
➲ Packets are assembled into flows and stored on hard disks for audit purposes.
➲ PC platform, dual Pentium, 4 G RAM, 1.5TB HD.
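Added example, not Reconnex's method (which the slide says is proprietary): a simple detector in Python for the two data types the slide names, SSNs and credit card numbers, using format rules plus a Luhn check to cut false positives, scanning a flow chunk by chunk the way the slide describes packets being streamed in. The sample buffers are constructed; the card number is the widely published Visa test number and the SSN is a placeholder, not real data.

```python
import re

# SSN format: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Card candidate: 13-19 digits, optionally one space or hyphen between digits
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(buf: bytes):
    """Return (kind, start, end, value) for each SSN / card number in buf."""
    hits = []
    for m in SSN_RE.finditer(buf):
        hits.append(("ssn", m.start(), m.end(), m.group().decode()))
    for m in CARD_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.start(), m.end(), digits))
    return sorted(hits, key=lambda h: h[1])


class FlowScanner:
    """Scan a flow chunk by chunk. An overlap of the previous chunk's tail is
    kept so a number split across packets is seen whole, and matches that end
    inside the tail zone are deferred until the next chunk shows how they go on."""

    OVERLAP = 24   # longer than any formatted number searched for (19 digits + separators)

    def __init__(self):
        self.tail = b""
        self.consumed = 0       # bytes of the flow fed so far
        self.reported = set()   # (kind, flow offset) already emitted

    def feed(self, chunk: bytes, final: bool = False):
        buf = self.tail + chunk
        base = self.consumed - len(self.tail)      # flow offset of buf[0]
        safe_end = len(buf) if final else len(buf) - self.OVERLAP
        out = []
        for kind, start, end, value in find_pii(buf):
            if end > safe_end:
                continue       # may continue into the next chunk; re-examined then
            key = (kind, base + start)
            if key not in self.reported:
                self.reported.add(key)
                out.append((kind, base + start, value))
        self.consumed += len(chunk)
        self.tail = buf[-self.OVERLAP:]
        return out
```

Format plus checksum is only a first filter: a production system would add context (field names, issuer prefixes, document fingerprints from the repository the slide mentions) before raising an incident.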

Profiling

➲ Profiled Items
  ● Top Applications
  ● Top Sources & Destinations
  ● Top Conversations
➲ Protocol Analysis
  ● TCP state reconstruction
  ● UDP/ICMP state reconstruction
  ● Application protocols – FTP, Telnet, HTTP, Sun RPC, MSRPC, NFS, SMB/CIFS, P2P – Kazaa, etc. Tunneled – IPIP, HTTP

Profiling - Issues

➲ Number of simultaneous flows (s)
  ● Memory issue – typical per flow memory is 256 bytes.
  ● Current products support ~5 million flows.
➲ Flow create rate (c)
  ● A pathological case is SYN attack.
➲ Flow demise rate (d)
  ● Graceful demise (e.g. 4-way TCP FIN handshake).
  ● Timeouts (e.g. SYN attack).
➲ Steady State
  ● c
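
Added example (not from the slides): a small TCP flow table in Python that models the quantities above, flow creation, graceful demise on the FIN exchange, and timeout demise of half-open flows, with the slide's 256 bytes per flow. The half-open timeout, the table cap used in the test and the packets are my constructions; the close logic treats the second FIN as the end of the 4-way handshake, which is a simplification.

```python
from dataclasses import dataclass

PER_FLOW_BYTES = 256        # slide: typical per-flow memory
MAX_FLOWS = 5_000_000       # slide: ~5 million flows in current products
HALF_OPEN_TIMEOUT = 3.0     # assumption: seconds an unanswered SYN may linger


@dataclass
class Flow:
    created: float
    last_seen: float
    state: str = "syn_sent"   # syn_sent -> established -> fin_wait -> (removed)


class FlowTable:
    """Direction-independent TCP flow table with the two demise paths on the
    slide: graceful (both sides sent FIN) and timeout (half-open SYN)."""

    def __init__(self, max_flows=MAX_FLOWS, half_open_timeout=HALF_OPEN_TIMEOUT):
        self.flows = {}
        self.max_flows = max_flows
        self.timeout = half_open_timeout
        self.created = self.closed = self.timed_out = self.dropped = 0

    @staticmethod
    def key(src, sport, dst, dport):
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)   # same key for both directions

    def packet(self, t, src, sport, dst, dport, flags):
        """flags: TCP flag letters, e.g. 'S', 'SA', 'FA', 'R'."""
        k = self.key(src, sport, dst, dport)
        f = self.flows.get(k)
        if f is None:
            if "S" not in flags:
                return              # no SYN seen: mid-stream pickup is not modelled
            if len(self.flows) >= self.max_flows:
                self.dropped += 1   # table full: the SYN-flood failure mode
                return
            self.flows[k] = Flow(t, t)
            self.created += 1
            return
        f.last_seen = t
        if "R" in flags:
            del self.flows[k]
            self.closed += 1
        elif "S" in flags and "A" in flags and f.state == "syn_sent":
            f.state = "established"
        elif "F" in flags and f.state == "established":
            f.state = "fin_wait"                 # first FIN of the 4-way close
        elif "F" in flags and f.state == "fin_wait":
            del self.flows[k]                    # second FIN: graceful demise
            self.closed += 1

    def expire(self, now):
        """Timeout demise: drop half-open flows that never completed the handshake."""
        stale = [k for k, f in self.flows.items()
                 if f.state == "syn_sent" and now - f.last_seen > self.timeout]
        for k in stale:
            del self.flows[k]
        self.timed_out += len(stale)
        return len(stale)

    def memory_bytes(self):
        return len(self.flows) * PER_FLOW_BYTES
```

The cap and the expiry sweep are what keep a SYN flood from turning the memory issue on the slide into a profiler outage: half-open entries cost the same 256 bytes as real conversations until a timeout reclaims them.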

Profiling - Issues

➲ Protocol state machine
  ● both sides - client/server, requestor/responder, initiator/responder.
➲ Time budget
  ● CPU/NP/CP clock cycle time, tc (1.0 nsec).
  ● Buffering memory available, M (1 GB).
  ● System throughput, tt (2 Gbps).
  ● Cycles per bit available, c.
    c = M/(tc·tt) (4 sec/1e9)! – Not allowed, tolerable latency is << 150 ms. If 1.0 msec is allowed, then c is 1,000,000.

Profiling

➲ Cisco Netflow (IPFIX), PSAMP
➲ CAIDA
➲ Mazu Networks
➲ Imperva
➲ Allot
➲ Narus

Conclusion

➲ Network Security, Information Security, is a very vibrant area – many players selling many products and services (eerily similar to 1999).
➲ Overheard – information security is an eternal gold mine.
