IBM Presentation - Telecom SudParis
Slide 1: Access Control in ATM Networks
IBM Zurich, March 1st
Olivier Paul, ENST Bretagne, RSM Department

Slide 2: Agenda
• Introduction
• Access Control Parameters
• Access Control Architectures
• Access Control Management
• Conclusion

Slide 3: Introduction
• Access Control: security service providing protection against unauthorised use by an entity or group of entities (ISO).
Figure: a client and a server separated by a network firewall. Example rule:
access-list 101 permit tcp any gt 1023 192.165.203.5 0.0.0.0 eq 80
• Source and destination addresses
• Application or service identifiers
• Protocol
• Action

Slide 4: Introduction
• ATM (Asynchronous Transfer Mode):
– Specified to transport various kinds of flows.
– Allows applications to request Quality of Service.
– High speed (Mb/s -> Gb/s).
– Connection oriented.
– Data transported through small packets (cells).
– Usage:
• Directly: some native ATM applications (ANS, VoD).
• Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS): most common use.

Slide 5: Introduction
Figure: firewall pipeline: reassembly, classification, buffer, bus/switch, fragmentation; the operations act on the buffer.
• Classification and copy (bus) operations are generally considered as the bottleneck in the firewall architecture.
• The impact on the QoS depends on the buffer characteristics.

Slide 6: The flow classification problem
n rules carrying on d fields, for example:
If Cond1 and Cond2 and Cond3 then action1
If Cond4 and Cond5 then action2
If Cond6 then action1
Figure: classifier over d fields (destination address, source address, destination ports, source ports, flags, protocol).
Theoretical bounds, Lakshman & al. [ACM SIGCOMM '98]:
• Temporal complexity O(log n), spatial complexity O(n^d).
• Temporal complexity O(n), spatial complexity O(log^(d-1) n).

Slide 7: Introduction
Figure: the same firewall pipeline as slide 5.
• Classification and copy (bus) operations are generally considered as the bottleneck in the firewall architecture.
• The impact on the QoS depends on the buffer characteristics.
• In the case of ATM networks, three issues arise: throughput, Quality of Service and Access Control Parameters.

Slide 8: Agenda (Access Control Parameters)

Slide 9: Access Control parameters
Existing parameters, already well known:
• ATM parameters: addresses.
• TCP/IP parameters.
New ATM Access Control Parameters, derived from:
• Information generated by the ATM model.
• New attacks.
• Analogies with parameters used in existing protocols.
• Analysis of ATM applications & services -> Application Access Control profiles.
Result: Access Control Parameters classification.

Slide 10: Access Control parameters
Existing parameters, already well known:
• ATM parameters: addresses.
• TCP/IP parameters.
Information generated by the signalling protocol:
• New addressing information.
• Service descriptors.
• Quality of Service descriptors.
• Other parameters.
Information generated by ATM cell headers:
• Type of flow.
• Connection identifiers.

Slide 11: Agenda (Access Control Architectures)

Slide 12: Access Control Architectures
Goal: provide an Access Control service
– For ATM native applications, by using our new access control parameters.
– For IP over ATM applications, by using well known TCP/IP Access Control Parameters.
Two main problems to solve:
– Classification process efficiency -> fast packet classification algorithm.
– QoS insurance -> non blocking Access Control process; classification algorithm with bounded complexities.
Two architectures: the agents based access control architecture (distributed access control process) and the centralised Access Control Architecture.

Slide 13: Agents based access control architecture: improving access control performance
Figure: internal network and external network separated by several Policy Controllers working in parallel.
• Concurrent access control processes.
Schuba [Ph.D. Thesis, Purdue University, 97].

Slide 14: Agents based access control architecture: improving access control performance
Figure: Internal Networks 1, 2 and 3, each behind its own Policy Controller (Policy 1, 2 and 3), connected to the external network.
• Controllers specialisation through policy segmentation.

Slide 15: Agent based access control architecture
• Are performance improvements sufficient to solve the QoS problem?
• If we can prove that:
– The classification process is always fast enough. (Sometimes.)
– The delay introduced by the classification process is small and bounded. (No.)
• Then: yes.
• Do existing access control devices comply with these conditions? Respect of the QoS has to be insured through other means.
• Basic idea: using a non blocking access control process. The Access Control decision is taken independently from the flows transported over the network.

Slide 16: Agent based access control architecture
If we don't block the flows, where can we find the useful access control information? In the network devices' protocol stacks.
Figure: an ATM Switch connected to the external network (Line 2), to ATM End System 1 (Line 1) and to ATM End System 2 (Line 3); an external program (E.P.) runs on the switch and on each end system.
• Network devices keep information about ongoing communications in their protocol stack.
• Most of the useful access control information can be found there.
• This information can be accessed through external programs.

Slide 17: Agent based access control architecture
• The basic idea is to extend such a program (later referred to as agent) with access control capabilities.
• Periodically the agent polls the information located in the protocol stacks.
• It then compares this information with a description of allowed communications.
• If the communication is not allowed then the agent interacts with the protocol stack to stop the communication.
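The poll, compare, stop cycle of slide 17, as an added example in Python (not code from the presentation or from the ENST Bretagne project). The connection table, the end system names and the allowed-communication set are constructed stand-ins for what an agent would read from a switch's protocol stack; the example also measures the exposure window that a non blocking process accepts, which is the reason slide 18 says security is not guaranteed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One entry of a device's connection table (constructed stand-in for the
    information an agent reads from the protocol stack)."""
    vpi: int
    vci: int
    calling: str    # calling party (source end system)
    called: str     # called party (destination end system)
    service: str    # service descriptor carried by the signalling
    t_start: float  # time at which the connection was established


# Constructed description of allowed communications: (calling, called, service).
ALLOWED = {
    ("EndSystem1", "EndSystem2", "vod"),
    ("EndSystem2", "EndSystem1", "ans"),
}

# Constructed timeline of connections appearing in the switch's protocol stack.
CONNECTIONS = [
    Connection(0, 100, "EndSystem1", "EndSystem2", "vod", 0.0),
    Connection(0, 101, "External", "EndSystem2", "telnet", 0.4),   # not allowed
    Connection(0, 102, "EndSystem2", "EndSystem1", "ans", 0.9),
]


def snapshot_at(t, connections=CONNECTIONS):
    """Stand-in for polling the protocol stack: connections established by time t."""
    return [c for c in connections if c.t_start <= t]


class AccessControlAgent:
    def __init__(self, allowed, poll_interval):
        self.allowed = allowed
        self.poll_interval = poll_interval
        self.released = {}   # (vpi, vci) -> seconds the connection was up before release

    def is_allowed(self, conn):
        return (conn.calling, conn.called, conn.service) in self.allowed

    def poll(self, t, snapshot):
        """Compare the polled connection table with the policy and release the
        connections that are not allowed. Returns the (vpi, vci) released now."""
        released_now = []
        for conn in snapshot:
            key = (conn.vpi, conn.vci)
            if self.is_allowed(conn) or key in self.released:
                continue
            # The connection was up from t_start until this poll: that window is
            # the exposure a non blocking access control process accepts.
            self.released[key] = t - conn.t_start
            released_now.append(key)
        return released_now

    def run(self, t_end, snapshot_fn=snapshot_at):
        """Poll periodically from t = 0 to t_end and return the release log."""
        n_polls = int(t_end / self.poll_interval) + 1
        for i in range(n_polls):
            t = i * self.poll_interval
            self.poll(t, snapshot_fn(t))
        return dict(self.released)


def max_exposure(released):
    """Worst-case time an unauthorised connection stayed up before release."""
    return max(released.values(), default=0.0)
```

The exposure of any unauthorised connection is bounded by the poll interval, so the interval is the security parameter of this architecture: shortening it lowers the exposure but raises the load the agent puts on the device's protocol stack.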
Figure: the same topology as slide 16, with an Agent on the ATM Switch and on each ATM End System.

Slide 18: Conclusions: Agent Based Architecture
• New architecture:
– Distributed.
– Asynchronous.
• Traditional classification algorithm.
• Performance improvement is difficult to evaluate.
• Security is not guaranteed.
• How to manage access control agents?

Slide 19: Agenda
• Introduction
• Access Control Parameters
• Access Control Architectures
– Agents based Access Control Architecture
– Centralised Access Control Architecture
• Access Control Management
• Conclusion

Slide 20: Classification Algorithms: existing determinist classification algorithms
• Algorithms for static policies:
– Fast.
– Take advantage of access control policies redundancies.
– Bounded temporal & spatial complexities.
– Generation & update of the classification structure are slow.
– Implementable.
• Algorithms for dynamic policies:
– Comparatively slow.
– Unbounded temporal & spatial complexities.
– Bounded complexities for generation & update of the classification structure.

Slide 21: Classification Algorithm
• New flow classification algorithm:
– Temporal complexity: O(d), independent from the number of rules.
– Spatial complexity: O((2n+1)^d), unusable when d = 4 and n = 50.
– d: number of fields to analyse, n: number of rules in the classification policy.
• However! In practice we succeed in implementing large policies by taking advantage of:
– The redundancy in the classification structure.

Slide 22: Implementation
• IFT Traffic Analysis Cards (designed by France Telecom R&D).
Figure: IFT card: physical connector, classification against the policy, buffer, switching operations, physical connector.
• Characteristics:
– Mono-directional.
– Physical connector: OC12 (622 Mb/s).
– Unspecified classification algorithm.
– Action (1st cell from an AAL5 frame, classification policy): AAL5 switching.
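A worked classifier for slides 6 and 21, added here as an example in Python; it is not the presentation's algorithm nor the IFT firmware. It reads the O(d) time / O((2n+1)^d) space figures of slide 21 as a cross-product scheme, which is an assumption: each field is cut into the elementary intervals delimited by the rule bounds (at most 2n+1 of them), every elementary interval is tagged with the bitmap of rules covering it, and a table over the cross product of the fields gives the first matching rule. The "redundancy" of slide 21 is exploited by merging intervals that carry the same bitmap into one equivalence class before building the table. The policy, field values and packets are constructed; the first-match semantics is the one stated on slide 6.

```python
import bisect
from itertools import product
from math import prod

# Constructed policy: each rule is d inclusive ranges followed by an action;
# the first matching rule wins. Fields: src, dst, proto, dport.
RULES = [
    ((10, 19), (100, 100), (6, 6),   (80, 80),   "permit"),
    ((0, 255), (100, 100), (6, 6),   (0, 65535), "deny"),
    ((10, 19), (0, 255),   (17, 17), (53, 53),   "permit"),
    ((0, 255), (0, 255),   (0, 255), (0, 65535), "deny"),
]


def first_match(rules, packet):
    """Reference linear search: O(n * d) per packet."""
    for *ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, packet)):
            return action
    return None


class CrossProductClassifier:
    """Per-field elementary intervals (at most 2n+1 per field) combined through a
    cross-product table, so a lookup costs one interval search per field."""

    def __init__(self, rules):
        self.rules = rules
        self.d = len(rules[0]) - 1
        self.starts = []          # per field: sorted lower bounds of elementary intervals
        self.interval_class = []  # per field: interval index -> equivalence class id
        self.class_bitmap = []    # per field: class id -> bitmap of matching rules
        for f in range(self.d):
            bounds = set()
            for rule in rules:
                lo, hi = rule[f]
                bounds.update((lo, hi + 1))   # each rule opens and closes one interval
            starts = sorted(bounds)
            bitmaps = []
            for s in starts:
                bm = 0
                for r, rule in enumerate(rules):
                    if rule[f][0] <= s <= rule[f][1]:
                        bm |= 1 << r
                bitmaps.append(bm)
            # Redundancy: intervals matched by the same rule set form one class.
            class_of = {}
            ids = [class_of.setdefault(bm, len(class_of)) for bm in bitmaps]
            self.starts.append(starts)
            self.interval_class.append(ids)
            self.class_bitmap.append(list(class_of))
        # Cross product over classes: tuple of class ids -> action of the first matching rule.
        self.table = {}
        for combo in product(*[range(len(c)) for c in self.class_bitmap]):
            bm = -1
            for f, c in enumerate(combo):
                bm &= self.class_bitmap[f][c]
            if bm:
                first_rule = (bm & -bm).bit_length() - 1   # lowest set bit = first rule
                self.table[combo] = rules[first_rule][-1]

    def classify(self, packet):
        combo = []
        for f, value in enumerate(packet):
            i = bisect.bisect_right(self.starts[f], value) - 1
            if i < 0:             # below every rule's range on this field
                return None
            combo.append(self.interval_class[f][i])
        return self.table.get(tuple(combo))

    def sizes(self):
        """(cross product over intervals, cross product over classes, entries stored)."""
        return (prod(len(s) for s in self.starts),
                prod(len(c) for c in self.class_bitmap),
                len(self.table))


def agrees(rules, packets):
    """Cross-check the table classifier against the linear reference."""
    cpc = CrossProductClassifier(rules)
    return all(cpc.classify(p) == first_match(rules, p) for p in packets)
```

The per-field search is a binary search here; the O(d) of slide 21 assumes direct-indexed per-field tables, which trade memory for the log factor. With the constructed policy the table over elementary intervals would have 576 entries, the class merge brings that to 144, and only 36 combinations actually match a rule; with n = 50 and d = 4 the uncompressed cross product reaches 101^4 entries, which is the "unusable" case of slide 21.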
Slide 23: Content of the first ATM cell
Figure: a 53-byte ATM cell. After the ATM and AAL5 headers, the first cell may carry, depending on the encapsulation: SNAP/LLC + IP header + TCP/UDP/ICMP header; IP header + TCP/UDP/ICMP header; SNAP/LLC + IP header with options + TCP/UDP/ICMP header; SNAP/LLC + IPv6 header + TCP/UDP/ICMP header.

Slide 24: Centralised Architecture
• IFT Traffic Analysis Cards (designed by France Telecom R&D).
• Characteristics:
– Mono-directional.
– Physical connector: OC12 (622 Mb/s).
– Unspecified classification algorithm.
– Action (1st cell from an AAL5 frame, classification policy): AAL5 switching.
• Goals:
– Design an architecture allowing IFTs to be used to provide the relevant access control service.
– Test our new classification algorithm to check whether the performance bottleneck and QoS insurance problems can be solved.

Slide 25: Architecture
• Located between a private network and a public network.
• Made of three modules:
– Manager (on a SUN station running Solaris).
– Signalling Filter (a demon on a PC, with the IFT driver and the ATM controller).
– Cell-Level Filter (the IFT).
• Integrates with an existing ATM switch.
Figure: Internal Network, ATM Switch with IFT, External Network; the SUN/Solaris Manager and the PC running the Signalling Filter demon, IFT driver, ATM IFT and ATM controller.

Slide 26: Tests
• Memory requirements: practical examples, analysis of 9 fields, using a 15 ns analysis cycle.
Type of policy:              [Che94]     [Cha95]      French ISP
Number of rules:             40          750          7900
Classification capabilities: 1.31 Mc/s   1.31 Mc/s    1.31 Mc/s
Memory required:             17 Kbytes   1.2 Mbytes   3.4 Mbytes
• Throughput and QoS:
– Min. classification capacity: 1.31 Mc/s * 53 bytes (size of ATM cells) * 8 = 555 Mb/s.
– Max. throughput to classify: 622 Mb/s (physical connector) * 26/27 (physical layer overhead) = 599 Mb/s.
– Min. classification capabilities < max. throughput to classify.
– Buffer (8192 bytes): max. delay = 120 µs.

Slide 27: Conclusions: Centralised Architecture
• Old architecture.
• IPv6 problem.
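Two feasibility checks for the IFT-based architecture, added as an example in Python (not the project's code): the first-cell header budget behind the "IPv6 problem" of slides 23 and 27, and the throughput and delay figures of slide 26. The header sizes are the standard ones (LLC/SNAP 8 bytes, IPv4 20 bytes minimum, IPv6 40 bytes, TCP 20 bytes minimum, UDP and ICMP 8 bytes); the reading that the classifier needs the transport header inside the 48-byte payload of the first cell is an assumption. The rates reproduce the slide's arithmetic; the buffer delay computes to 118 µs, which the slide rounds to 120 µs.

```python
CELL_BYTES = 53          # size of an ATM cell
CELL_PAYLOAD_BYTES = 48  # payload of the cell available to the AAL5 frame

# Standard header sizes in bytes, used for the first-cell budget.
LLC_SNAP = 8
IPV4_MIN = 20
IPV6 = 40
TCP_MIN = 20
UDP = 8
ICMP = 8


def first_cell_budget(encap, ip_header, l4_header, payload=CELL_PAYLOAD_BYTES):
    """Bytes left in the first cell after the headers a classifier reads;
    negative when the transport header does not fit in cell 1."""
    return payload - (encap + ip_header + l4_header)


def first_cell_fits(encap, ip_header, l4_header):
    return first_cell_budget(encap, ip_header, l4_header) >= 0


def classification_capacity_mbps(cells_per_s):
    """Minimum line rate the card can classify, cells/s -> Mb/s."""
    return cells_per_s * CELL_BYTES * 8 / 1e6


def throughput_to_classify_mbps(connector_mbps, payload_fraction):
    """Cell throughput left after the physical layer overhead."""
    return connector_mbps * payload_fraction


def max_buffer_delay_us(buffer_bytes, cells_per_s):
    """Worst-case queueing delay: a full buffer drained at the classification rate."""
    return buffer_bytes / CELL_BYTES / cells_per_s * 1e6


def ift_check(cells_per_s=1.31e6, connector_mbps=622, payload_fraction=26 / 27,
              buffer_bytes=8192):
    """Summarise the slide 26 figures for one card configuration."""
    capacity = classification_capacity_mbps(cells_per_s)
    line = throughput_to_classify_mbps(connector_mbps, payload_fraction)
    return {
        "capacity_mbps": round(capacity),
        "line_mbps": round(line),
        "keeps_up_at_line_rate": capacity >= line,
        "max_delay_us": round(max_buffer_delay_us(buffer_bytes, cells_per_s)),
    }
```

With LLC/SNAP encapsulation, IPv4 without options and TCP use exactly the 48 bytes, while IPv6 or an IPv4 header with options pushes the transport header into the second cell. The delay figure is a bound on queueing delay only: since the classification capacity is below the usable line rate, a stream sustained at line rate fills the buffer, so the bound holds for bursts, not for overload.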
• New classification algorithm:
– Determinist.
– Delay introduced by the access control process can be bounded.
– Minimal throughput can be bounded.
– Resistant to DoS attacks.
• Algorithm is currently only able to deal with static policies.

Slide 28: Agenda
• Introduction
• Access Control Parameters
• Access Control Architectures
• Access Control Management
– Distribution criteria.
– A Distributed Access Control Management Architecture.
• Conclusion

Slide 29: Access Control Management
• Problem 1: manage a set of devices with proprietary access control configuration interfaces (heterogeneity problem).
• Answer: a generic and ergonomic way to define the access control policy.
• Problem 2: manage distributed access control architectures (a large number of access control devices have to be configured remotely).
• Answer: automatic configuration architectures.
• Constraints:
– Efficiency insurance: configure each device with the smallest subset of access control rules allowing the policy to be enforced.
– Security insurance: make sure that the whole access control architecture will provide the access control service defined by the security officer.
• Criteria have to be defined to build these sets.

Slide 30: Criteria
• Criterion 1: device access control capabilities.
– A rule cannot be attributed to a device if this device is not able to implement the rule.
• Criterion 2: network topology.
Figure: a grid of access control devices (A.C.) between Source and Destination; example rule:
IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT
– A rule r should not be attributed to a device if this device is not located between the source and the destination described by r.

Slide 31: Criteria
• Criterion 3 (new): type of rule (permit/deny).
Figure: the same grid of access control devices; example rule:
IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY
– A "deny" rule r has to be attributed to a single device.
This device is the closest to the source or the destination described by r.

Slide 32: Centralised A.C. Management Architectures
Figure: the Security Officer defines the Access Control Policy at a Console, which uses a Network Model to configure Device 1, Device 2 and Device 3.
• Filtering Postures, J. Guttman, IEEE S&P 97.
• Firmato toolkit, Bartal & al., IEEE S&P 99.
• Policy based management, S. Hinrichs, ACSAC 99.
• An Asynchronous Distributed Access Control Architecture For IP Over ATM Networks, Paul & al., ACSAC 99.
• Managing Security In Dynamic Networks, Konstantinou & al., LISA 99.

Slide 33: Acyclic Network Model
Figure: Source and Destination connected through four access control devices (A.C.) in an acyclic topology; example rules:
IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT
IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY

Slide 34: Acyclic Network Model
Figure: the same topology.
• Distribution enforces the three criteria.
• Topology changes force the Security Officer to reconfigure access control devices.

Slide 35: Acyclic Model
Figure: the same topology with one link failed (X).
• The delay between topology changes and access control devices reconfiguration can introduce security holes.

Slide 36: Acyclic Model
Figure: the same topology with two links failed (X).
• The delay between topology changes and access control devices reconfiguration can introduce security holes.

Slide 37: Distributed A.C. Management Architecture
Figure: the Security Officer defines the Access Control Policy at a Console; Device 1, Device 2 and Device 3 are configured through the distributed architecture.
• Management of network security applications, Hyland & Sandhu, NISSC 98.
• Integrated management of network and host based security mechanisms, Falk & al., ACISP 98.

Slide 38: Our proposal
• Management agents located on access control devices.
• The agents generate efficient configurations using our three criteria.
• The agents interact with the other elements.
Figure: Devices 1, 2 and 5, running Routing Agents and Access Control Management (A.C.M.) Agents, together with the A.C. Manager.
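The three distribution criteria of slides 30 and 31, applied by a management agent as on slide 38, as an added example in Python; it is not the presentation's or the ns simulation's code. The topology, the host attachment points, the device capabilities (the fields each device can filter on) and the rules are constructed, and the device names are assumptions. Criterion 3 says "closest to the source or the destination", so the choice is a parameter here; the example also reports rules that no candidate device can enforce, which is the security insurance constraint of slide 29, and re-running it with a changed link list is what an agent does after a topology change (slides 34 to 39).

```python
from collections import deque

# Constructed acyclic topology of access control devices (names are assumptions).
LINKS = [("D1", "D2"), ("D2", "D3"), ("D2", "D4")]
HOST_DEVICE = {"S": "D1", "T": "D3", "U": "D4"}   # where each end system attaches
CAPABILITIES = {                                  # fields each device can filter on
    "D1": {"src", "dst", "dport"},
    "D2": {"src", "dst"},
    "D3": {"src", "dst", "dport"},
    "D4": {"src", "dst"},
}
# Constructed policy: rules name the end systems and the fields they test.
RULES = [
    {"id": "r1", "src": "S", "dst": "T", "fields": {"src", "dst"},          "action": "permit"},
    {"id": "r2", "src": "S", "dst": "T", "fields": {"src", "dst", "dport"}, "action": "deny"},
    {"id": "r3", "src": "U", "dst": "T", "fields": {"src", "dst"},          "action": "deny"},
    {"id": "r4", "src": "S", "dst": "U", "fields": {"src", "dst"},          "action": "permit"},
]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def device_path(adj, start, goal):
    """Unique device path in an acyclic network (BFS with parent pointers)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if goal not in parent:
        return []
    path = []
    while goal is not None:
        path.append(goal)
        goal = parent[goal]
    return path[::-1]


def distribute(rules, links, host_device, capabilities, criteria=(1, 2, 3), deny_near="source"):
    """Assign each rule to devices according to the selected criteria.
    Returns (device -> rule ids, rule ids that no device can enforce)."""
    adj = adjacency(links)
    assignment = {dev: [] for dev in capabilities}
    unenforceable = []
    for rule in rules:
        path = device_path(adj, host_device[rule["src"]], host_device[rule["dst"]])
        candidates = list(capabilities)                     # no criteria: every device
        if 1 in criteria:                                   # criterion 1: capabilities
            candidates = [d for d in candidates if rule["fields"] <= capabilities[d]]
        if 2 in criteria:                                   # criterion 2: on the path
            candidates = [d for d in path if d in candidates]
        if 3 in criteria and rule["action"] == "deny":      # criterion 3: one device
            on_path = [d for d in path if d in candidates]
            if on_path:
                candidates = [on_path[0] if deny_near == "source" else on_path[-1]]
            else:
                candidates = []
        if not candidates:
            unenforceable.append(rule["id"])
        for d in candidates:
            assignment[d].append(rule["id"])
    return assignment, unenforceable


def total_rules(assignment):
    """Number of rule instances installed across all devices."""
    return sum(len(v) for v in assignment.values())
```

On the constructed network the total goes from 16 rule instances with no criteria, to 14 with criterion 1, to 11 with criteria 1 and 2, to 8 with all three, the same direction as the simulation results of slide 40. A rule left in the unenforceable list is a gap the security officer has to learn about, which is why that list is returned rather than silently dropped.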
Figure (continued): Devices 3 and 4, running Routing Agents and A.C.M. Agents.

Slide 39: Our Proposal
• Key features:
– Continuous interaction between the agent and its environment.
• Local Access Control Policy automatic adaptation.
– Topology changes can be used when a new access control posture has been computed and implemented.
• Security holes can be avoided.
Figure: the Access Control Management Agent reads the Routing Table maintained by the Routing Agent and configures the Access Control Mechanisms.

Slide 40: Simulation Results
Figure: two plots. Left: total number of rules in the network against the criteria used (no criteria, criterion 1, criterion 2, criteria 2 & 3, all criteria, hand configuration), y axis 0 to 80000. Right: number of rules before and after optimisation against the number of nodes in the network (1, 4, 13, 40, 121), logarithmic y axis from 1 to 1000000.
• The usage of the three criteria leads to a number of rules equivalent to the one generated through a manual configuration.
• The number of rules without optimisation grows in a polynomial way with the number of access control devices, whereas the number of rules after optimisation grows linearly.

Slide 41: Conclusions: Distributed Access Control Management Architecture
• Generates more efficient configurations through the use of an additional distribution criterion.
• Reduces the interactions between the security officer and the access control management architecture.
• The security officer learns "a posteriori" what happened in the network.
• The whole access control policy has to be sent to the agents.
• Prevents temporary security holes.

Slide 42: Agenda (Conclusion)

Slide 43: Conclusion
• ATM Access Control parameters analysis:
– Application Protection Profiles.
– Access Control Parameters have been classified.
• Two IP over ATM Access Control Architectures:
– Able to take new ATM access control parameters into account.
– New access control architecture / old classification algorithm.
– Traditional access control architecture / new classification algorithm.
– Implementation through IFT cards.
• Distributed Automatic Access Control Management Architecture:
– New distribution criterion.
– Distributed access control management architecture allowing security holes to be avoided.
– Implementation using the ns simulator.

Slide 44: Future work
• New application level access control parameters.
• Improvements to our classification algorithm.
• New version of IFTs:
– Higher throughput (1 Gb/s).
– Wider analysis capability.
– New classification functions.
• Adaptation to other security services.
• Application in new areas (Intrusion Detection, Application level Access Control).
• Taking mobility into account.
• Taking access control service integrity into account.

Slide 45: Questions?