Secure Access Node: An FPGA-based Security
Architecture for Access Networks
The Sixth International Conference on Internet
Monitoring and Protection (ICIMP 2011)
USSAF: User safety, privacy, and protection over Internet
St. Maarten, The Netherlands Antilles, March 20 – 25, 2011
J. Rohrbeck, V. Altmann, P. Danielis,
S. Pfeiffer, D. Timmermann,
University of Rostock, Germany
Institute of Applied Microelectronics
and Computer Engineering
University
of Rostock
M. Ninnemann, M. Rönnau
Nokia Siemens Networks
Broadband Access Division
Greifswald, Germany
Motivation
Protection of Internet users is absolutely necessary!
• Customers attack customers, networks, and services
• They do that with or without awareness
Internet security today
• Networks with too few security measures
• A high level of security requires specialized knowledge
Customers have to protect their private networks
• They may not have the knowledge to do so
5/25/2017
2
Internet Security of Users
How to protect users' networks?
• Set filters, e.g., against spoofing
• Use blacklists, e.g., domain blocking
• Deep Packet Inspection (DPI), e.g., against unauthorized access
Hard to configure security measures in the right way!
Customers are overstrained with this task!
Customers are not protected!
How to Increase Network Security?
[Figure: the network split into Customers Area, Access Area and Core Area; the Secure Access Node is placed in the access area]
Secure Access Node
• Integrates a further stage of security into the access area
• Provides basic protection for subscribers
• Eliminates misconfigured firewalls
• Fortifies the access node
• Creates a new service for ISPs
Requirements to the SecAN
1. Protection of customers, access and core network
2. Control of up to 32,000 connections
3. Minimum traffic rate of 1 Gbit/s
4. Uninterruptible traffic control
5. Easy to upgrade
SecAN - Architecture
[Figure: block diagram. Upstream and downstream traffic enters the Packet Classification Engine, which hands a Flow ID to the Rule Set Engine; the Packet Processing Engine applies the delivered rule set and forwards the traffic upstream or downstream. A Configurator writes configuration data into SRAM and the rule sets into DDR SDRAM.]
SecAN - Architecture
Packet Classification Engine (PCE)
• Receives & buffers Ethernet frames
• Extraction of frame parameters
  • For frame classification & accelerated frame processing
  • MACs, VLANs, ethertype, protocol, IPs, ports
Rule Set Engine (RSE)
• Search & deliver the specific rule set
Packet Processing Engine (PPE)
• Firewall: applies rules from the RSE
• Webfilter: blocks blacklisted domains
• DPI: high speed pattern matching
Packet Classification & Rule Set Engine
[Figure: the PCE assigns each upstream/downstream connection a distinct Flow ID (32k). The RSE maps the Flow ID to a Rule ID (mapping table in SRAM) and fetches the matching rule set from DDR SDRAM. The Configurator loads the configuration data into SRAM and the rule sets into DDR SDRAM.]
Packet Processing Engine – Firewall
• High speed modular filter chain
• Easy to maintain
• Easy to extend
• Actions: accept, drop, modify
• Log data generation
[Figure: the firewall module (1) inside the PPE, between the PCE and the RSE. Its filter chain is ordered by OSI layer: Layer 2 (MACs, VLANs, Ethertype), Layer 3 (IPs, IP anti-spoof), Layer 4 (protocols, ports), followed by header modification (MAT). Configuration data are supplied from SRAM and DDR SDRAM via the Configurator.]
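The two preceding slides describe the PCE's parameter extraction (MACs, VLANs, ethertype, protocol, IPs, ports, a 32k flow ID) and the firewall's modular filter chain ordered by OSI layer with accept/drop verdicts and log generation. The following software model is an added example written for this page; it is not the SecAN's own code (the real design is an FPGA pipeline). The frame layout, the subscriber prefix 10.0.0.0/24, the VLAN and port sets, and the CRC32-based flow slot are all constructed assumptions for the demonstration.

```python
import ipaddress
import socket
import struct
import zlib
from dataclasses import dataclass
from typing import Callable, Optional

# Frame parameters the PCE extracts: MACs, VLAN, ethertype, protocol, IPs, ports.
@dataclass
class FrameParams:
    dst_mac: str
    src_mac: str
    vlan: Optional[int]
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def extract_params(frame: bytes) -> FrameParams:
    """Parse Ethernet II (optionally 802.1Q tagged) / IPv4 / TCP or UDP headers."""
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == 0x8100:                       # 802.1Q tag: TCI, then the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    p = FrameParams(dst_mac, src_mac, vlan, ethertype)
    if ethertype == 0x0800 and len(frame) >= offset + 20:   # IPv4 header present
        ihl = (frame[offset] & 0x0F) * 4
        p.protocol = frame[offset + 9]
        p.src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
        p.dst_ip = socket.inet_ntoa(frame[offset + 16:offset + 20])
        l4 = offset + ihl
        if p.protocol in (6, 17) and len(frame) >= l4 + 4:  # TCP/UDP: ports are the first 4 bytes
            p.src_port, p.dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return p

def flow_id(p: FrameParams) -> int:
    """Map the 5-tuple to one of 32k flow slots (a hash here; the PCE keeps a distinct-ID table)."""
    key = f"{p.src_ip}|{p.dst_ip}|{p.protocol}|{p.src_port}|{p.dst_port}".encode()
    return zlib.crc32(key) % 32768

# ---- modular filter chain: each filter returns ACCEPT, DROP, or None (= ask the next filter) ----
ACCEPT, DROP = "accept", "drop"
Filter = Callable[[FrameParams, str], Optional[str]]

def l2_vlan_filter(allowed_vlans: set) -> Filter:            # OSI layer 2
    return lambda p, direction: None if p.vlan in allowed_vlans else DROP

def l3_anti_spoof(subscriber_net: str) -> Filter:             # OSI layer 3
    net = ipaddress.ip_network(subscriber_net)
    def f(p, direction):
        # a subscriber may only send upstream from its own assigned prefix
        if direction == "upstream" and p.src_ip and ipaddress.ip_address(p.src_ip) not in net:
            return DROP
        return None
    return f

def l4_port_filter(blocked_dst_ports: set) -> Filter:        # OSI layer 4
    return lambda p, direction: DROP if p.dst_port in blocked_dst_ports else None

def run_chain(chain, frame: bytes, direction: str, log: list) -> str:
    """Run the filters in order; the first verdict wins and is logged together with the flow ID."""
    p = extract_params(frame)
    for name, flt in chain:
        verdict = flt(p, direction)
        if verdict is not None:
            log.append({"filter": name, "verdict": verdict, "flow": flow_id(p)})
            return verdict
    log.append({"filter": "default", "verdict": ACCEPT, "flow": flow_id(p)})
    return ACCEPT

def build_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Constructed test frame (VLAN-tagged IPv4/TCP SYN); not captured traffic."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!HHH", 0x8100, vlan, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

# Assumed per-subscriber rule set: VLAN 100 only, prefix 10.0.0.0/24, no telnet/SMB upstream.
SUBSCRIBER_CHAIN = [
    ("L2 VLAN", l2_vlan_filter({100})),
    ("L3 anti-spoof", l3_anti_spoof("10.0.0.0/24")),
    ("L4 ports", l4_port_filter({23, 445})),
]

if __name__ == "__main__":
    log = []
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:ff", 100,
                        "10.0.0.5", "198.51.100.10", 40000, 80)
    print(run_chain(SUBSCRIBER_CHAIN, frame, "upstream", log), log[-1])
```

Each filter is a self-contained function that only knows the extracted parameters, which is what makes the chain easy to maintain and extend: adding a layer means appending one entry, and the order of the list is the order of the hardware pipeline. The anti-spoof check deliberately applies only to the upstream direction, since the subscriber prefix says nothing about legitimate downstream sources.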
Packet Processing Engine – Web Filter
• Filtering URL vs. domain
  • URL: nearly unlimited length (not used)
  • Domain: max. 255 byte (used)
• 4096 blacklisted domains
• Blacklisted CRC64 hash tree: CRC64(Domain) = hash value; the hash tree of blacklisted domains is stored in DDR SDRAM
[Figure: the web filter module (2) inside the PPE; configuration data in SRAM, the CRC64 hash tree in DDR SDRAM, both loaded by the Configurator.]
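The slide's point is that a domain is a bounded key (at most 255 bytes) while a URL is not, so the filter hashes the domain with CRC64 and looks the hash up in a blacklist of up to 4096 entries. The following added example models that lookup in software; it is not the SecAN's code. The CRC-64/ECMA-182 polynomial is an assumption (the slides only say "CRC64"), the sorted table searched by bisection stands in for the hardware hash tree, and matching parent domains of the host is an added design choice, not something the slides specify.

```python
import bisect
from urllib.parse import urlsplit

CRC64_POLY = 0x42F0E1EBA9EA3693   # CRC-64/ECMA-182 polynomial (assumption; variant not named on the slide)
MASK64 = (1 << 64) - 1
MAX_DOMAIN_LEN = 255              # DNS name limit quoted on the slide
MAX_DOMAINS = 4096                # blacklist capacity quoted on the slide

def crc64(data: bytes) -> int:
    """Bitwise CRC-64 (non-reflected, init 0, no final XOR); hardware would use a table or LFSR."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ CRC64_POLY) & MASK64 if crc & (1 << 63) else (crc << 1) & MASK64
    return crc

def domain_of(url: str):
    """Reduce an arbitrarily long URL to its bounded host name (lower-cased, no trailing dot)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    return host if len(host) <= MAX_DOMAIN_LEN else None   # over-long names are not valid domains

class DomainBlacklist:
    """Sorted table of CRC64 values searched by bisection (stands in for the hash tree in DDR SDRAM)."""
    def __init__(self, domains):
        hashes = {crc64(d.rstrip(".").lower().encode()) for d in domains}
        if len(hashes) > MAX_DOMAINS:
            raise ValueError(f"blacklist exceeds {MAX_DOMAINS} entries")
        self._hashes = sorted(hashes)

    def contains_hash(self, h: int) -> bool:
        i = bisect.bisect_left(self._hashes, h)
        return i < len(self._hashes) and self._hashes[i] == h

    def is_blocked(self, url: str) -> bool:
        """Block if the host or any parent domain (down to two labels) is blacklisted.
        Parent-domain matching is an assumption of this example, not stated on the slide."""
        host = domain_of(url)
        if host is None:
            return False
        labels = host.split(".")
        for i in range(max(1, len(labels) - 1)):
            if self.contains_hash(crc64(".".join(labels[i:]).encode())):
                return True
        return False

# Constructed blacklist entries (reserved example names, not real blocked sites)
BLACKLIST = DomainBlacklist(["bad.example", "Malware.test"])

if __name__ == "__main__":
    for url in ("http://bad.example/a/very/long/path?with=query", "https://cdn.malware.test/x", "http://good.example/"):
        print(url, "->", "blocked" if BLACKLIST.is_blocked(url) else "allowed")
```

Because only the 64-bit hash of each domain is stored, the blacklist occupies a fixed 4096 × 8 bytes regardless of domain length, and a lookup never touches the URL beyond the host part. The price is that two different domains could in principle share a CRC64 value; with 4096 entries that is unlikely, but an operator who sees an unexpected block should check for a hash collision before assuming the domain was listed.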
Packet Processing Engine – DPI
• Snort database for attack patterns
• Real time pattern matching
• 192,480 patterns/cycle
• Input data matching by Bloom filter
Index compression: a character string (signature) is mapped to an integer (index) by k hash functions h1, h2, ..., hk.
[Figure: the DPI module (3) inside the PPE; configuration data in SRAM, rule sets in DDR SDRAM, both loaded by the Configurator.]
Packet Processing Engine – DPI
Memory: an m-bit vector/array (bits 0 ... m-1), 1 bit per index
• SDRAM: slow, external
• SRAM: quick, external
• BRAM: quick, internal
Index compression: the k hash functions h1, h2, ..., hk map the signature to indices into the bit vector.
Packet Processing Engine – DPI
Initialization: all m bits of the vector/array (bits 0 ... m-1) are set to 0.
Packet Processing Engine – DPI
Programming & searching: the k hash functions h1, h2, ..., hk compute k indices for signature E1. Programming sets the bit at each of these indices to 1; searching computes the indices for the input string and reads the bits found there.
Packet Processing Engine – DPI
Analysis:
MATCH: all indices point to a '1'
MISMATCH: at least one index is '0'
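The five DPI slides above describe one mechanism: an m-bit vector initialised to 0, k hash functions that compress a signature into k indices, programming by setting those bits, and searching by checking whether every index points to a '1'. The example below is added here to show that mechanism end to end, including what the MATCH/MISMATCH analysis cannot tell you; it is not the SecAN's DPI code. The SHA-256-derived hash functions, the one-filter-per-signature-length layout, the signature strings and the sample payload are all constructed assumptions.

```python
import hashlib
import math

class BloomFilter:
    """m-bit vector programmed by k hash functions; 1 bit per index, so it fits in on-chip BRAM."""
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)      # initialisation: every bit is 0

    def indices(self, signature: bytes):
        # h1..hk: derived here from SHA-256 with the function number as salt (assumption;
        # the hardware uses its own cheap hash functions)
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + signature).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def program(self, signature: bytes) -> None:
        for idx in self.indices(signature):           # set the bit at each computed index
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def search(self, candidate: bytes) -> bool:
        # MATCH: all indices point to a '1'; MISMATCH: at least one index is '0'
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1 for idx in self.indices(candidate))

    def false_positive_rate(self, n_programmed: int) -> float:
        """Expected fraction of never-programmed strings that still MATCH: (1 - e^(-kn/m))^k."""
        return (1 - math.exp(-self.k * n_programmed / self.m)) ** self.k

class DpiScanner:
    """One Bloom filter per signature length; a sliding window over the payload queries each filter."""
    def __init__(self, signatures, m_bits: int = 1 << 16, k: int = 4):
        self.exact = set(signatures)
        self.filters = {}
        for sig in self.exact:
            if len(sig) not in self.filters:
                self.filters[len(sig)] = BloomFilter(m_bits, k)
            self.filters[len(sig)].program(sig)

    def scan(self, payload: bytes):
        """Return (offset, window, confirmed) for every window a Bloom filter flags.
        confirmed=False marks a Bloom false positive that the exact comparison rejected."""
        hits = []
        for length, bf in sorted(self.filters.items()):
            for off in range(len(payload) - length + 1):
                window = payload[off:off + length]
                if bf.search(window):
                    hits.append((off, window, window in self.exact))
        return hits

    def confirmed_matches(self, payload: bytes):
        return [(off, w) for off, w, ok in self.scan(payload) if ok]

# Constructed signatures and payload for the demonstration (not Snort rules, not captured traffic)
SIGNATURES = [b"/bin/sh", b"cmd.exe", b"../../"]
SAMPLE_REQUEST = b"GET /index.html?x=/bin/sh HTTP/1.1\r\nHost: example.test\r\n"

if __name__ == "__main__":
    scanner = DpiScanner(SIGNATURES)
    print(scanner.confirmed_matches(SAMPLE_REQUEST))
    print("expected false-positive rate per window:", scanner.filters[7].false_positive_rate(2))
```

The bit vector is what makes the hardware fast: a search costs k bit reads from BRAM, independent of how many signatures are programmed, which is how a large Snort pattern set can be checked per cycle. The caveat a practitioner needs is that MATCH means "possibly present", never "present": a window whose k indices happen to land on bits set by other signatures also reports MATCH. The scanner therefore treats a Bloom MATCH as a candidate and confirms it by exact comparison, and `false_positive_rate` shows how the candidate rate grows as more signatures are programmed into a fixed m. MISMATCH, by contrast, is definitive, so the filter never misses a programmed signature.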
Implementation of the SecAN
[Figure: the SecAN prototype with the Firewall, Web Filter, DPI and Configuration blocks marked.]
Summary
• ISP provided security solutions
• Low latency web data control (hardware-software co-design)
• Successfully prototyped
• Flexibility by reconfiguration
• Modular, hence expandable
• System performance
  • Speed: 4.57 Gbit/s
  • FPGA resource usage:
    Module        Slices                  BRAM
    PCE & RSE     4,106 (9%)              15 (10%)
    Firewall      ca. 560/module (1.2%)   0 (0%)
    Web filter    897 (2%)                13 (9%)
    DPI module    17,150 (38%)            134 (90%)
Thank you for your attention!
Questions?