Hardened IDS using IXP

Didier Contis, Dr. Wenke Lee, Dr. David Schimmel, Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang

Motivation

Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including:
• An inability to keep up with throughput significantly greater than 100 Mb/s
• An inability to deal with encrypted traffic (VPN)
• An inability to utilize knowledge of network topology and OS
• Not easily scalable as the network becomes more complex and higher speed

The Vision

• Create a new generation of network hardware based IDS / Firewall sensor, integrated on the Network Card
• Take advantage of the hardware and the network sensors to create a global distributed and adaptable IDS

Conventional Software based IDS

[Figure: pipeline of a conventional software based IDS] NIC; Packet Capture of Network Traffic (e.g. receive of ethernet frames); Packet stream; Libpcap with tcpdump filters; Filtered pkt stream; Event Engine (ip-defrag, tcp reassembly, event generation); Event stream; Policy Script Interpreter driven by the Policy script, with Event control back to the Event Engine; Alerts.

Current Implementation of an IXP based IDS

[Figure: the same pipeline split between the Network Card and the Host] Micro-Engines: tcpdump filters; StrongARM: Libpcap, Event Engine, Event control; Host: Policy script, Policy Script Interpreter, Alerts.

Current Project

1. Port open-source software IDS systems such as Bro or Snort on the StrongArm
2. Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, Defragmentation, Sanity checks)
3. Investigate the use of an FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly)

Proposed implementation of an IXP based IDS with FPGAs

[Figure: proposed pipeline] Network: header analysis, filtering; IXP1200, functions performed at the micro-engine level: IP Packet Preprocessing (CRC check, IPDefrag, IP options check); Re-programmable Co-processors: TCP Stream Reassembly, …; IDS Analysis: Pattern Matching, Behavioral model; Filtered pkt stream; Libpcap: compatibility w/ existing IDSs; Host: Policy Script Interpreter, Alerts.

Implementation of a proof of concept: TCP Reassembly in Hardware

A TCP reassembly unit has been implemented in VHDL and mapped to a Xilinx XCV1000. This prototype is currently being ported to the Celoxica FPGA environment. A dynamically re-configurable FPGA implementation permits adaptive allocation of detection resources and therefore more accurate and efficient pattern-matching or behavioral analysis.

[Figure: block diagram of the reassembly unit] Inputs: data_in, CLK, enable; outputs: data_out, data_valid, exception_flags, read server. Blocks: Input State-Machine (TCP/IP header elements, Payload data), Connection State-Machine, Ack/Seq Tracking Unit, Memory Gateway, SelectRAM Client and Server buffers (1, 2, 3, 8, 16 kB).

Current Status & Lessons Learned

In parallel, some micro-code is being developed to offload some of the CPU intensive functions of the IDS:
• IP Defragmentation
• CRC Checksums at Layer 4
• Packet decoding

ACE + Micro-Engine C Compiler = Faster learning cycle, BUT:
• The PCI interface between the Board and the Host, as well as the current driver, appears as a bottleneck
• The ACE SDK generates too much overhead on the StrongArm

Future Steps

• Implementation of a fully distributed IDS
• Adaptation in the NIDS: integration of detection and response; agile context dependent reconfiguration of multiple IDS methods such as pattern-matching and behavioral models
• Unified framework for network policies: common response mechanisms for QoS, Fault Detection, NIDS Load Balancing
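The poster describes the reassembly unit only as a block diagram (Ack/Seq Tracking Unit, per-direction SelectRAM buffers, data_out and exception_flags). The following is an added software behavioural model of that unit, written for this page and not taken from the project's VHDL; the class and function names, the exception labels and the sample session are all constructed. It shows why the IDS needs reassembly before pattern matching (a signature split across out-of-order segments is invisible per segment), and it raises flags for the cases a hardware unit must handle explicitly: retransmissions, overlapping data that disagrees with bytes already released, a segment arriving with no SYN seen, and a full buffer.

```python
"""Behavioural model of a per-direction TCP reassembly unit (constructed
example). One Direction stands in for one of the client/server buffers;
feed() plays the role of the Ack/Seq Tracking Unit and returns the in-order
bytes the hardware would present on data_out. Sequence numbers are treated
as unbounded integers; 32-bit wraparound is not modelled (assumption)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    seq: int              # sequence number of the first payload byte
    payload: bytes
    syn: bool = False


@dataclass
class Direction:
    buffer_size: int = 2048                    # models the 1/2/3/8/16 kB buffer
    next_seq: Optional[int] = None             # next byte the stream waits for
    pending: dict = field(default_factory=dict)            # seq -> out-of-order payload
    stream: bytearray = field(default_factory=bytearray)   # bytes already released
    exceptions: list = field(default_factory=list)         # models exception_flags


def _accept(d: Direction, seq: int, payload: bytes) -> bytes:
    """Release a payload whose seq <= next_seq, trimming any overlap."""
    end = seq + len(payload)
    if end <= d.next_seq:
        d.exceptions.append(("retransmit", seq))   # nothing new in it
        return b""
    overlap = d.next_seq - seq
    if overlap:
        # Compare the overlapping bytes with what was already handed to the
        # analyser. Disagreeing data is the classic reassembly ambiguity and is
        # flagged for the policy layer instead of being silently replaced.
        old = bytes(d.stream[-overlap:]) if overlap <= len(d.stream) else None
        if old != payload[:overlap]:
            d.exceptions.append(("inconsistent_overlap", seq))
        payload = payload[overlap:]
    d.stream += payload
    d.next_seq = end
    return payload


def feed(d: Direction, seg: Segment) -> bytes:
    """Process one segment; return the in-order bytes released (data_out)."""
    if seg.syn:
        d.next_seq = seg.seq + 1       # SYN consumes one sequence number
        d.pending.clear()
        return b""
    if d.next_seq is None:
        d.exceptions.append(("no_syn", seg.seq))   # picked up mid-stream
        d.next_seq = seg.seq
    if seg.seq > d.next_seq:           # gap before it: hold, if room remains
        held = sum(len(p) for p in d.pending.values())
        if held + len(seg.payload) > d.buffer_size:
            d.exceptions.append(("buffer_full", seg.seq))
            return b""
        d.pending[seg.seq] = seg.payload
        return b""
    released = bytearray(_accept(d, seg.seq, seg.payload))
    # Drain every held segment that has become contiguous with the stream.
    while True:
        ready = [s for s in d.pending if s <= d.next_seq]
        if not ready:
            break
        s = min(ready)
        released += _accept(d, s, d.pending.pop(s))
    return bytes(released)


def reassemble(segments, buffer_size=2048):
    """Run one direction of a session; return (stream, exception flags)."""
    d = Direction(buffer_size=buffer_size)
    out = bytearray()
    for seg in segments:
        out += feed(d, seg)
    return bytes(out), d.exceptions


def match(stream: bytes, pattern: bytes) -> bool:
    """Stand-in for the pattern-matching stage fed by the reassembly unit."""
    return pattern in stream


def any_segment_matches(segments, pattern: bytes) -> bool:
    """What a per-packet matcher without reassembly would see."""
    return any(pattern in s.payload for s in segments)


# Constructed session: the watched pattern is split over two segments that
# arrive out of order, followed by a pure retransmission of the first one.
ISN = 1000
SESSION = [
    Segment(ISN, b"", syn=True),
    Segment(ISN + 1 + 6, b"PATTERN\r\n"),   # arrives before its predecessor
    Segment(ISN + 1, b"ALERT-"),            # fills the gap, releases both
    Segment(ISN + 1, b"ALERT-"),            # retransmission, flagged and dropped
]

if __name__ == "__main__":
    stream, flags = reassemble(SESSION)
    print(stream, flags)
    print("per-segment:", any_segment_matches(SESSION, b"ALERT-PATTERN"),
          "reassembled:", match(stream, b"ALERT-PATTERN"))
```

The buffer limit is the design point the poster's 1 to 16 kB SelectRAM sizes raise: a stream whose out-of-order data exceeds the buffer cannot be reassembled in hardware, so the unit should flag the condition rather than degrade silently, and the policy layer can decide whether to fall back to host-side handling.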