Slide 1: Title
Secure Access Node: An FPGA-based Security Architecture for Access Networks
The Sixth International Conference on Internet Monitoring and Protection (ICIMP 2011)
USSAF: User safety, privacy, and protection over Internet
St. Maarten, The Netherlands Antilles, March 20 – 25, 2011
J. Rohrbeck, V. Altmann, P. Danielis, S. Pfeiffer, D. Timmermann
Institute of Applied Microelectronics and Computer Engineering, University of Rostock, Germany
M. Ninnemann, M. Rönnau
Nokia Siemens Networks, Broadband Access Division, Greifswald, Germany

Slide 2: Motivation
• Protection of Internet users is absolutely necessary!
• Customers attack customers, networks, and services; they do that with or without awareness.
• Internet security today: networks with too few security measures; a high level of security requires specialized knowledge.
• Customers have to protect their private networks, but they may not have the knowledge to do so.
5/25/2017

Slide 3: Internet Security of Users
• How to protect users' networks?
  • Set filters, e.g., against spoofing
  • Use blacklists, e.g., domain blocking
  • Deep Packet Inspection (DPI), e.g., against unauthorized access
• It is hard to configure security measures in the right way!
• Customers are overstrained with this task, so customers are not protected!

Slide 4: How to Increase Network Security?
(Figure: Customers Area, Access Area, Core Area; the Secure Access Node sits in the access area)
• Integrates a further stage of security into the access area
• Provides basic protection for subscribers
• Eliminates misconfigured firewalls
• Fortifies the access node
• Creates a new service for ISPs
• Result: the Secure Access Node (SecAN)

Slide 5: Requirements to the SecAN
1. Protection of customers, access and core network
2. Control of up to 32,000 connections
3. Minimum traffic rate of 1 Gbit/s
4. Uninterruptible traffic control
5. Easy to upgrade

Slide 6: SecAN - Architecture
(Block diagram: upstream and downstream traffic enters the Packet Classification Engine, which hands a Flow ID to the Packet Processing Engine; the Rule Set Engine holds the Rule Set in DDR SDRAM; a Configurator loads Configuration Data held in SRAM.)

Slide 7: SecAN - Architecture
• Packet Classification Engine (PCE): receives and buffers Ethernet frames; extracts the frame parameters used for frame classification and accelerated frame processing: MACs, VLANs, ethertype, protocol, IPs, ports.
• Rule Set Engine (RSE): searches for and delivers the specific rule set.
• Packet Processing Engine (PPE): applies the rules from the RSE.
  • Firewall: applies the rules delivered by the RSE
  • Web filter: blocks blacklisted domains
  • DPI: high-speed pattern matching

Slide 8: Packet Classification & Rule Set Engine
(Figure: the PCE assigns one distinct Flow ID (32k); the RSE maps Flow ID to Rule ID in SRAM and fetches the Rule Set from DDR SDRAM; Configuration Data arrives via the Configurator.)

Slide 9: Packet Processing Engine - Firewall
• High-speed modular filter chain
• Easy to maintain, easy to extend
• Filter modules by OSI layer:
  • Layer 2: MACs, VLANs, Ethertype
  • Layer 3: IPs, IP anti-spoof
  • Layer 4: protocols, ports
  • MAT and header modification
• Actions: accept, drop, modify
• Log data generation

Slide 10: Packet Processing Engine - Web Filter
• Filtering URL vs. domain:
  • URL: nearly unlimited length
  • Domain: max. 255 byte
• 4096 blacklisted domains
• Each blacklisted domain is stored as its CRC64 hash, CRC64(Domain), in a hash tree in DDR SDRAM

Slide 11: Packet Processing Engine - DPI
• Snort database for attack patterns
• Real-time pattern matching
• 192,480 pattern/cycle
• Input data matching by Bloom filter
• Index compression: k hash functions h1, h2, ..., hk map a character string (signature) to an integer (index)

Slide 12: Packet Processing Engine - DPI, Memory
• m-bit vector/array, 1 bit per index (indices 0 ... m-1)
• SDRAM: slow, external; SRAM: quick, external; BRAM: quick, internal

Slide 13: Packet Processing Engine - DPI, Initialization
• All m bits of the vector are set to 0

Slide 14: Packet Processing Engine - DPI, Programming & Searching
• Programming: for each signature, the k indices h1(signature) ... hk(signature) are set to 1
• Searching: the same k hash functions are applied to the input data and the addressed bits are read

Slide 15: Packet Processing Engine - DPI, Analysis
• MATCH: all indices point to a '1'
• MISMATCH: at least one index is '0'

Slide 16: Implementation of the SecAN
(Photo of the prototype board: Firewall, Configuration, Web Filter, DPI)

Slide 17: Summary
• ISP-provided security solutions
• Low-latency web data control (hardware-software co-design)
• Successfully prototyped
• Flexibility by reconfiguration
• Modular, expandable
• System performance: speed 4.57 Gbit/s

Module      | Slices                  | BRAM
PCE & RSE   | 4,106 (9%)              | 15 (10%)
Firewall    | ca. 560 per module (1.2%) | 0 (0%)
Web filter  | 897 (2%)                | 13 (9%)
DPI module  | 17,150 (38%)            | 134 (90%)

Slide 18: Thank you for your attention! Questions?
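The PCE / RSE / firewall path of slides 7 to 9, as an added software model that is not the authors' FPGA design: the PCE parses an (optionally 802.1Q-tagged) Ethernet frame into the parameters the slides list, a flow table bounded at 32,000 entries maps a subscriber line to a Flow ID, the RSE maps Flow ID to Rule ID to rule set, and the PPE runs the L2/L3/L4 filter chain with the actions accept, drop and modify plus log generation. The flow key (VLAN, source MAC), the rule-set format, the VLAN rewrite used as the "modify" action and the sample frames are assumptions for illustration.

```python
"""Added example: software model of the SecAN PCE -> RSE -> PPE firewall path.
The FPGA design is the authors'; flow key, rule format and frames are assumed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
MAX_FLOWS = 32_000  # slide 5, requirement 2: control of up to 32,000 connections


@dataclass(frozen=True)
class FrameParams:
    """What the PCE extracts: MACs, VLAN, ethertype, protocol, IPs, ports."""
    dst_mac: bytes
    src_mac: bytes
    vlan: Optional[int]
    ethertype: int
    proto: Optional[int] = None
    src_ip: Optional[IPv4Address] = None
    dst_ip: Optional[IPv4Address] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def classify(frame: bytes) -> FrameParams:
    """PCE: parse Ethernet (optional 802.1Q tag), IPv4 and TCP/UDP headers."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    p = FrameParams(dst_mac, src_mac, vlan, ethertype)
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return p
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src_ip, dst_ip = IPv4Address(frame[off + 12:off + 16]), IPv4Address(frame[off + 16:off + 20])
    ports = (None, None)
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= off + ihl + 4:
        ports = struct.unpack_from("!HH", frame, off + ihl)
    return FrameParams(dst_mac, src_mac, vlan, ethertype, proto, src_ip, dst_ip, *ports)


@dataclass
class RuleSet:
    """One subscriber's rule set (assumed format; the slides only name the filter stages)."""
    allowed_src: IPv4Network            # L3 IP anti-spoof: upstream source must lie in here
    blocked_dst_ports: frozenset        # L4 port filter
    rewrite_vlan: Optional[int] = None  # 'modify' action: header modification of the VLAN tag


class SecANModel:
    def __init__(self):
        self.flow_table = {}  # PCE: (VLAN, source MAC) -> Flow ID, at most 32k entries
        self.rule_map = {}    # RSE: Flow ID -> Rule ID (the SRAM mapping on slide 8)
        self.rules = {}       # RSE: Rule ID -> RuleSet (the rule set in DDR SDRAM)
        self.log = []         # PPE: log data generation

    def provision(self, vlan: int, mac: bytes, rule_id: int, ruleset: RuleSet) -> int:
        """Configurator: bind a subscriber line to a rule set and return its Flow ID."""
        if (vlan, mac) not in self.flow_table and len(self.flow_table) >= MAX_FLOWS:
            raise RuntimeError("flow table full")
        fid = self.flow_table.setdefault((vlan, mac), len(self.flow_table))
        self.rule_map[fid], self.rules[rule_id] = rule_id, ruleset
        return fid

    def process_upstream(self, frame: bytes):
        p = classify(frame)
        fid = self.flow_table.get((p.vlan, p.src_mac))
        if fid is None:                                  # unknown line: default deny
            return self._drop("unknown flow", p)
        r = self.rules[self.rule_map[fid]]
        if p.ethertype != ETHERTYPE_IPV4 or p.src_ip is None:  # L2: only IPv4 modelled here
            return self._drop("ethertype not permitted", p)
        if p.src_ip not in r.allowed_src:                # L3: IP anti-spoof
            return self._drop("spoofed source", p)
        if p.dst_port in r.blocked_dst_ports:            # L4: port filter
            return self._drop("blocked port", p)
        if r.rewrite_vlan is not None and p.vlan is not None:  # modify: rewrite the VLAN ID
            tci = (struct.unpack_from("!H", frame, 14)[0] & 0xF000) | r.rewrite_vlan
            return "modify", frame[:14] + struct.pack("!H", tci) + frame[16:]
        return "accept", frame

    def _drop(self, reason: str, p: FrameParams):
        self.log.append((reason, p.vlan, p.src_ip, p.dst_port))
        return "drop", None


def build_frame(vlan: int, src_mac: bytes, src_ip: str, dst_ip: str, dport: int) -> bytes:
    """Constructed sample upstream frame: 802.1Q + IPv4 + TCP ports, no payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, PROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + struct.pack("!HH", 40000, dport)


def demo() -> dict:
    secan, mac = SecANModel(), bytes.fromhex("0200c0a80102")
    secan.provision(100, mac, 7, RuleSet(IPv4Network("203.0.113.0/24"), frozenset({25}), rewrite_vlan=2000))
    act, out = secan.process_upstream(build_frame(100, mac, "203.0.113.10", "198.51.100.5", 443))
    return {"legit": act, "legit_vlan": classify(out).vlan,
            "spoof": secan.process_upstream(build_frame(100, mac, "10.0.0.1", "198.51.100.5", 443))[0],
            "smtp": secan.process_upstream(build_frame(100, mac, "203.0.113.10", "198.51.100.5", 25))[0],
            "unknown": secan.process_upstream(build_frame(101, mac, "203.0.113.10", "198.51.100.5", 80))[0],
            "log": secan.log}
```

The anti-spoof check is the one a subscriber cannot configure away: it is keyed on the line the frame arrived on, not on anything the customer's host claims. The model only whitelists IPv4; a real access node would also have to admit ARP, DHCP and PPPoE discovery, each through its own L2 filter module, or the line never comes up.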
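The web filter of slide 10, as an added example that is not the authors' implementation: a blacklist of at most 4096 domains is stored as CRC64 hashes, the Host header of an HTTP request is normalized to a domain of at most 255 bytes, and a sorted-array lookup stands in for the hardware hash tree. The CRC-64/ECMA-182 polynomial, the label-by-label parent-domain match and the sample requests are assumptions; the slides only say CRC64(Domain).

```python
"""Added example: CRC64-keyed domain blacklist in the style of the SecAN web filter.
Not the authors' code; polynomial, normalization and request samples are assumed."""
import bisect
from typing import Iterable, Optional, Union

MAX_DOMAINS = 4096     # slide 10: 4096 blacklisted domains
MAX_DOMAIN_LEN = 255   # slide 10: domain max. 255 byte (the DNS name length limit)
CRC64_POLY = 0x42F0E1EBA9EA3693  # CRC-64/ECMA-182 (assumption: the slides do not name the variant)
MASK64 = 0xFFFFFFFFFFFFFFFF


def _crc64_table(poly: int):
    table = []
    for i in range(256):
        crc = i << 56
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & (1 << 63) else (crc << 1)
        table.append(crc & MASK64)
    return table


_TABLE = _crc64_table(CRC64_POLY)


def crc64(data: bytes) -> int:
    """MSB-first table-driven CRC64, init 0, no final XOR."""
    crc = 0
    for b in data:
        crc = _TABLE[((crc >> 56) ^ b) & 0xFF] ^ ((crc << 8) & MASK64)
    return crc


def normalize(host: Union[str, bytes]) -> bytes:
    """Lower-case, strip port and trailing dot, enforce the 255-byte domain limit."""
    if isinstance(host, str):
        host = host.encode("idna")
    host = host.strip().split(b":")[0].lower().rstrip(b".")
    if not host or len(host) > MAX_DOMAIN_LEN:
        raise ValueError("invalid host")
    return host


class DomainBlacklist:
    """Sorted array of CRC64 values; bisect stands in for the FPGA's hash tree."""

    def __init__(self, domains: Iterable[str]):
        domains = list(domains)
        if len(domains) > MAX_DOMAINS:
            raise ValueError("more than %d domains" % MAX_DOMAINS)
        self._hashes = sorted({crc64(normalize(d)) for d in domains})

    def __contains__(self, domain: Union[str, bytes]) -> bool:
        # Walk the labels right to left so a listed example.com also covers ads.example.com
        # (an extension of the slide's exact-domain match). The bare TLD is never checked.
        labels = normalize(domain).split(b".")
        for i in range(len(labels) - 1):
            h = crc64(b".".join(labels[i:]))
            j = bisect.bisect_left(self._hashes, h)
            if j < len(self._hashes) and self._hashes[j] == h:
                return True
        return False


def host_from_http_request(raw: bytes) -> Optional[bytes]:
    """Pull the Host header out of a plaintext HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip()
    return None


def filter_request(blacklist: DomainBlacklist, raw: bytes) -> str:
    """Return 'block' or 'pass'. Requests without a Host header pass (policy choice)."""
    host = host_from_http_request(raw)
    if host is None:
        return "pass"
    try:
        return "block" if host in blacklist else "pass"
    except ValueError:   # malformed or over-long host: nothing to look up
        return "pass"
```

Two practitioner caveats the slides leave implicit: CRC64 is not collision resistant, so with n entries roughly n/2^64 of all other domains are blocked by accident (negligible at n = 4096, but a hash-only store cannot tell you which ones), and the Host header is only visible on plaintext HTTP; for TLS the same lookup would have to key on the SNI.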
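The Bloom-filter DPI of slides 11 to 15, as an added example that is not the authors' FPGA design: an m-bit vector is initialized to zero, each signature is programmed by setting the bits at k hash indices, and a window of input data matches only if all k bits read '1'. The example goes one step beyond the slides in two ways a practitioner needs: it keeps one filter per signature length and slides windows of each length over the payload, and it verifies every Bloom hit against the exact signature set, because a Bloom filter has no false negatives but does have false positives. The hash construction (blake2b with a per-function salt), the filter sizes and the Snort-style sample signatures are assumptions.

```python
"""Added example: Bloom-filter pattern matching as on the SecAN DPI slides.
Not the authors' code; hash functions, sizes and signatures are assumed."""
import hashlib
import math
from collections import defaultdict
from typing import Iterable, List, Tuple


class BloomFilter:
    """m-bit vector programmed with k indices per signature (slides 11 to 15)."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)  # initialization: every bit is 0

    def _indices(self, data: bytes):
        # h1 .. hk: k hashes derived from blake2b with a per-function salt, reduced mod m
        # (assumption: the slides do not say which hash functions the FPGA implements)
        for i in range(self.k):
            d = hashlib.blake2b(data, digest_size=8, salt=i.to_bytes(16, "little")).digest()
            yield int.from_bytes(d, "big") % self.m

    def add(self, signature: bytes) -> None:
        for idx in self._indices(signature):  # programming: set the bit at every index
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, data: bytes) -> bool:
        # MATCH: all indices point to a '1'; MISMATCH: at least one index is '0'
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1 for idx in self._indices(data))


def false_positive_rate(m_bits: int, k: int, n_signatures: int) -> float:
    """Textbook estimate (1 - e^(-kn/m))^k for a filter holding n signatures."""
    return (1 - math.exp(-k * n_signatures / m_bits)) ** k


class DpiEngine:
    """One Bloom filter per signature length, each scanned over every window of that length."""

    def __init__(self, signatures: Iterable[bytes], m_bits: int = 8192, k: int = 4):
        self.exact = defaultdict(set)  # length -> exact signatures, used to verify Bloom hits
        self.filters = {}              # length -> BloomFilter
        for sig in signatures:
            self.exact[len(sig)].add(sig)
            self.filters.setdefault(len(sig), BloomFilter(m_bits, k)).add(sig)
        self.bloom_hits = self.verified = 0

    def scan(self, payload: bytes) -> List[Tuple[int, bytes]]:
        """Return (offset, signature) for every verified match, sorted by offset."""
        matches = []
        for length, bf in self.filters.items():
            for off in range(len(payload) - length + 1):
                window = payload[off:off + length]
                if window in bf:                       # cheap test against the bit vector
                    self.bloom_hits += 1
                    if window in self.exact[length]:   # exact compare removes false positives
                        self.verified += 1
                        matches.append((off, window))
        return sorted(matches)


def demo() -> List[Tuple[int, bytes]]:
    # Constructed Snort-style content strings and a constructed request payload
    engine = DpiEngine([b"/bin/sh", b"cmd.exe", b"UNION SELECT", b"../../"])
    return engine.scan(b"GET /../../etc/passwd?q=1 UNION SELECT 1 HTTP/1.1")
```

The slide's resource table explains why the verification step matters for the hardware design: the DPI module consumes 90% of the BRAM, and BRAM is what bounds m. A smaller m raises the false-positive rate given by false_positive_rate(), so a cheap bit-vector hit must be followed by an exact check before a frame is dropped. Matching on raw bytes also means an encoded payload (for example `UNION%20SELECT`) slips past unless the traffic is normalized first, which is what Snort's preprocessors do in software.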