Network Security - PowerPoint PPT Presentation


Presentation Transcript

Dr. Subrata Goswami

Aerogram Networks

Fremont, CA

Network Security


Overview

  • History

  • Current State

  • Current Efforts


History

  • For a long time network security implied cryptography to the R&D community (50-90).

  • Internet arrived with Web-browser and email – and the venerated Firewall and Virus Scanner appeared (circa 1995).

    • The first Internet virus was the Morris Worm (1988).

    • Firewalls in the late 80s (credited to Steve Bellovin).

    • Trusted Information Systems (TIS) Firewall Toolkit (FWTK) 10/1/1993.

    • Checkpoint FW-1 in 1994.

    • McAfee Pro-scan 1990.

  • IPSec and SSL standardized (circa 1998).

  • Then Spam Filters, IDS and IPS.

  • AES standardized (2001), 3DES (1999), DES (1977).

  • WiFi WEP debacle prompted 802.11i (circa 2004).

  • SHA-1 broken? (2005).


The Current Issues

  • Viruses, spam, worms, DoS/DDoS: although tamed, they still exist.

  • Software vulnerabilities (bad/sloppy code).

  • Spyware/Adware

  • Peer-to-peer

  • Federal and State regulations: SOX, HIPAA, GLB, CA SB 1386, ITAR.

  • Phishing, Social Engineering.


Current Industry Efforts (Partial List)

  • Network Access Control

  • Content Scanning

  • Traffic Profiling


Access Control - Cisco NAC

Diagram (recovered labels): host running the Cisco Trust Agent (CTA) and an AV agent; Network Access Device (router); AAA server (Cisco ACS); vendor policy server; remediation. Protocols shown: EAP over UDP/802.1x between host and router, EAP over RADIUS between router and AAA server, HCAP between AAA server and vendor policy server. CTA callouts: communicates via EAP TLV, authentication with PEAP, encryption.

1. Triggers Intercept ACL on router, default ACL determines initial network access

2. Router triggers posture validation with CTA (EAPoUDP)

3. CTA sends posture credentials to router (EAPoUDP)

4. Router sends posture credentials to AAA (RADIUS)

5. If necessary, AAA requests posture validation (HCAP - Host Credential Authorization Protocol, HTTPS-based)

6. AAA validates posture (Healthy, Checkup, Quarantine, Remediate)

7. AAA sends Access-Accept with ACLs/URL redirect as per policy to router.

8. Host granted/denied/redirected/restricted access.


Access Control - Cisco NAC

  • Network Admission Control functionality enables Cisco routers to enforce access privileges when an endpoint (OS and AV patches) attempts to connect to a network.

  • Proprietary architecture

  • Proprietary Protocols – PEAP and HCAP.

  • Partners: Symantec, McAfee, Trend Micro.


Access Control - MAC-SEC

  • To provide user data confidentiality, frame data integrity, and data origin authenticity.

Diagram (recovered labels): stations A, B, C and D attached to a HUB. KaY (Key Agreement Entity): CA discovery, peer authentication, key management. SecY (MAC Security Entity): protection over secure channels SCA, SCB, SCC within connectivity association CAABC. SC: Secure Channel; CA: Connectivity Assoc.


Access Control - MAC-SEC

MAC-SEC frame layout (field:bytes), reconstructed from the slide figure:

  • DST:6 | SRC:6 | SecureTAG:8/16 | DATA | ICV:8-16

    • SecureTAG = Ether Type:2, TCI, AN, SL:1, PacketNumber:4, SCID:8

    • SCID = SRC MAC + Port; present when > 2 peers

IPSEC ESP, for comparison:

  • SPI:4 | SN:4 | DATA:n | PAD:0-255 | PL:1 | NH:1 | ICV:n


Content Scanning

  • The problem is to find a hex sub-string in the continuous byte stream of a flow.

  • Substantial theoretical research: Boyer-Moore, Aho-Corasick, and others.

  • CPU MIPS required.


String Matching Algorithm

  • Knuth-Morris-Pratt

  • Boyer-Moore uses heuristics to speed up.

    • O(k(m+n))

  • Commentz-Walter

  • Wu-Manber

  • Aho-Corasick creates an NFA (then a DFA) out of all the search patterns.

    • O(n)

    • State explosion
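The multi-pattern scan the two slides above describe (Aho-Corasick over the continuous bytes of a flow), as an added example that is not code from the deck: it builds the automaton for several hex signatures and carries its state across packet boundaries, so a signature split between two packets is still reported. The signature names and bytes are constructed sample values.

```python
from collections import deque

class AhoCorasick:
    """Multi-pattern byte matcher whose state survives chunk boundaries, so a
    signature split across two packets of a flow is still found."""
    def __init__(self, patterns):          # patterns: {name: bytes}
        self.goto = [{}]   # goto[state][byte] -> next state; 0 is the trie root
        self.fail = [0]    # failure link per state
        self.out = [[]]    # (name, length) of patterns recognised at a state
        for name, pat in patterns.items():
            s = 0
            for byte in pat:
                if byte not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][byte] = len(self.goto) - 1
                s = self.goto[s][byte]
            self.out[s].append((name, len(pat)))
        # Breadth-first pass sets failure links; depth-1 states fall back to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit suffix matches
        self.state, self.offset = 0, 0

    def feed(self, chunk):
        """Scan one chunk; return (name, start offset within the flow) per hit."""
        hits = []
        for byte in chunk:
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            for name, length in self.out[self.state]:
                hits.append((name, self.offset - length + 1))
            self.offset += 1
        return hits

def scan_flow(patterns, chunks):
    """Run every chunk of one flow through a single automaton; collect all hits."""
    ac = AhoCorasick(patterns)
    return [hit for chunk in chunks for hit in ac.feed(chunk)]

# Constructed sample: two hypothetical hex signatures, and a flow delivered as
# two packets with "deadbeef" split across the packet boundary.
SIGS = {"sig_a": bytes.fromhex("deadbeef"), "sig_b": bytes.fromhex("beef00")}
PACKETS = [bytes.fromhex("00deadbe"), bytes.fromhex("ef0011")]
```

A packet-based scanner that reset its state per packet would miss `sig_a` in `PACKETS`; the flow-based scan reports it at offset 1 and the overlapping `sig_b` at offset 3.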


COTS IP Packet Processor Architecture (IXP 2400 circa 2003)

  • 4 GE ports

  • Throughput

    • 4 Gbps for all frame sizes

    • 12 mpps for 64 byte frames

    • 0.4 mpps for 1518 byte frames

  • Latency:

    • 100% throughput 45 usec for 1518 byte frames.

    • 75% throughput 34 usec for 1518 byte frames.

    • 50% throughput 26 usec for 1518 byte frames.

    • 25% throughput 17.4 usec for 1518 byte frames.


IXP2400 Internal Architecture

Diagram (recovered labels): eight MEv2 microengines (1-8); XScale core with 32K IC and 32K DC; DDRAM; two QDR SRAM channels; 16KB scratch; hash unit (64/48/128); CSRs (Fast_wr, UART, Timers, GPIO, BootROM/Slow Port); PCI (64b, 66 MHz); SPI-3 or CSIX media interface with Rbuf and Tbuf (64 @ 128B each), stripe/byte align, E/D Q and gasket.


String Matching - MIPS Issue

  • DRAM packet buffer access speed = d (19.2 Gbps).

  • Average packet size = b (1000 bits)

  • SRAM pattern access speed = s (12.8 Gbps).

  • ME/CPU compares = c (0.600 Gips)

  • Number of patterns = p (1000)

  • Average pattern length = l (100 bits)

  • Times each pattern read/packet = f1 (1, scratch memory)

  • Theoretical pattern matching rate

    • 1/( b/d + f1·l·p/s + b·l·p/(32²·c) )

      • 127Kpps

      • 5860 pps (worst case), 28654 pps (with tree/DFA)
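The rate budget above, carried through with the slide's symbols as an added example (not code from the deck). The compare term divides by 32² (the slide's "322c"), which reproduces the 127Kpps figure when only the memory terms are counted and the 5860 pps worst case when the 32-bit compares are included; the helper names are this example's own.

```python
# Symbols follow the slide: b packet bits, d DRAM bps, s SRAM bps,
# c compares/s, p patterns, l pattern bits, f1 reads of each pattern per packet.
SLIDE = dict(b=1000, d=19.2e9, s=12.8e9, c=0.600e9, p=1000, l=100, f1=1)

def per_packet_terms(b, d, s, c, p, l, f1):
    """Seconds spent per packet in each stage of a naive multi-pattern scan."""
    return {
        "dram":    b / d,                      # read the packet from DRAM
        "sram":    f1 * l * p / s,             # fetch every pattern from SRAM
        "compare": b * l * p / (32 ** 2 * c),  # 32-bit-wide compares, all patterns
    }

def matching_rate_pps(params, skip=()):
    """Packets per second; `skip` drops terms to see what each bottleneck costs."""
    terms = per_packet_terms(**params)
    return 1.0 / sum(v for k, v in terms.items() if k not in skip)

def dominant_term(params):
    """Name of the stage that consumes most of the per-packet time."""
    terms = per_packet_terms(**params)
    return max(terms, key=terms.get)

if __name__ == "__main__":
    print(round(matching_rate_pps(SLIDE, skip=("compare",))))  # ~127 Kpps (memory only)
    print(round(matching_rate_pps(SLIDE)))                     # ~5860 pps (worst case)
    print(dominant_term(SLIDE))                               # compare
```

Dropping the compare term is the memory-bound ceiling; with it included the general-purpose compare loop, not memory bandwidth, is what limits the rate, which is the argument the content-processor slide that follows makes.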


String Matching - MIPS Issue (Content Processors)

  • 17 Gbps content search (Seaway Networks).

    • Stream based vs. packet based.

    • HW assists for content matching, modification, and replication.

  • 4.0 Gbps (Cavium Networks)

    • Multi-core architecture connected by SPI 4.2 (10 Gbps).

  • (Sensory Networks)

    • Origin in gene sequence search.

  • Matching against one pattern? How long a pattern? What algorithm?


String Matching Uses – IDS (SNORT)

Diagram (recovered labels): pcap capture feeds the preprocessor stage (frag2, stream4, http_decode, portscan, SPADE), then the detection engine (signature-based software; rules with content matching), then the log/alert engine and the output engine (syslog, sql, smb).


String Matching Uses 1 (SNORT)

  • Snort – Open source software IDS

  • Uses BM (Boyer-Moore), AC (Aho-Corasick), WM (Wu-Manber), Setwise BM

  • User space – substantial performance issue – I believe the best performance has been about 80 Mbps on state-of-the-art PC platforms.

  • String matching used for flagging viruses, spyware and application vulnerabilities through signatures.

  • Also supports regular expressions – performance is an issue.



String Matching Uses 2 (Reconnex)

  • Content Security for compliance and IP protection.

  • Detects SSN, Credit Card Numbers etc.

  • Uses proprietary methods to generate signatures from repositories.

  • Signatures are matched as packets are streamed in.

  • Packets are assembled into flows and stored on hard disks for audit purposes.

  • PC platform, dual Pentium, 4 GB RAM, 1.5 TB HD.


Profiling

  • Profiled Items

    • Top Applications

    • Top Sources & Destinations

    • Top Conversations

  • Protocol Analysis

    • TCP state reconstruction

    • UDP/ICMP state reconstruction

    • Application protocols – FTP, Telnet, HTTP, Sun RPC, MSRPC, NFS, SMB/CIFS, P2P – Kazaa, etc.

    • Tunneled – IPIP, HTTP


Profiling - Issues

  • Number of simultaneous flows (s)

    • Memory issue – typical per-flow memory is 256 bytes.

    • Current products support ~5 million flows.

  • Flow create rate (c)

    • A pathological case is a SYN attack.

  • Flow demise rate (d)

    • Graceful demise (e.g. 4-way TCP FIN handshake).

    • Timeouts (e.g. SYN attack).

  • Steady State

    • c < d

    • average flow life < s/d


Profiling - Issues

  • Protocol state machine

    • both sides - client/server, requestor/responder, initiator/responder.

  • Time budget

    • CPU/NP/CP clock cycle time, tc (1.0 nsec).

    • Buffering memory available, M (1 GB).

    • System throughput, tt (2 Gbps).

    • Cycles per bit available, c.

      • c = M/(tc·tt) (4 sec of buffering / 1.0 nsec per cycle)! Not allowed: tolerable latency is << 150 ms. If 1.0 msec is allowed, then c is 1,000,000.


Profiling

  • Cisco Netflow (IPFIX), PSAMP

  • CAIDA

  • Mazu Networks

  • Imperva

  • Allot

  • Narus


Conclusion

  • Network Security, Information Security, is a very vibrant area – many players selling many products and services (eerily similar to 1999).

  • Overheard – information security is an eternal gold mine.