Hardened IDS using IXP
Didier Contis, Dr. Wenke Lee, Dr. David Schimmel
Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang
Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including:
• An inability to keep up with throughput significantly greater than 100 Mb/s
• An inability to deal with encrypted traffic (VPN)
• An inability to utilize knowledge of network topology and OS
• Not easily scalable as the network becomes more complex and higher speed
Motivation
Create a new generation of hardware-based network IDS / firewall sensor, integrated on the network card
Take advantage of the hardware and the network sensors to create a global, distributed and adaptable IDS
The Vision
Implementation of a proof of concept:
1. Port open-source software IDS systems such as Bro or Snort on the StrongArm
2. Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, Defragmentation, Sanity checks)
3. Investigate the use of FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly)
Current Project
[Figure: Conventional software-based IDS. The packet stream flows from the Network to the NIC; Libpcap on the Host applies the tcpdump filters and passes a filtered packet stream to the Event Engine; the Event Engine sends an event stream to the Policy Script Interpreter, which takes the policy script, returns event control to the Event Engine, and produces the alerts.]
[Figure: Current implementation of an IXP based IDS. Same flow as the conventional design (filtered packet stream, event stream, event control, policy script, alerts), with the lower layers moved onto the IXP (StrongARM and micro-engines) and the Policy Script Interpreter left on the Host. Component roles: Network: header analysis, filtering; Libpcap: compatibility with existing IDSs; Event Engine: ip-defrag, tcp reassembly, event generation.]
[Figure: Proposed implementation of an IXP based IDS with FPGAs. LAN → Network Card → Host. On the Network Card, functions performed at the micro-engine level (IXP1200): capture of network traffic (e.g. receiving Ethernet frames) and IP packet preprocessing (CRC check, IP defrag, IP options check); re-programmable co-processors: TCP stream reassembly, …. Packets then reach IDS analysis (pattern matching, behavioral model) on the Host, which produces the alerts.]
[Figure: Block diagram of the reassembly unit. Blocks: Input State-Machine, Connection State-Machine, Ack/Seq Tracking Unit, Buffer, Memory Gateway, and two SelectRAMs (Client→Server and Server→Client, 1, 2, 3, 8, 16 kB). Signals: enable, data_in, CLK, payload data, TCP/IP header elements, exception_flags, read, server, data_valid, data_out.]
A TCP reassembly unit has been implemented in VHDL and mapped to a Xilinx XCV1000. This prototype is currently being ported to the Celoxica FPGA environment.
A dynamically re-configurable FPGA implementation permits adaptive allocation of detection resources and therefore more accurate and efficient pattern matching or behavioral analysis.
TCP Reassembly in Hardware
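As an added illustration (not the poster's VHDL or any project code), a C software model of one direction of the reassembly unit: it tracks the next expected sequence number, parks out-of-order segments in a bounded hold buffer in the role of the SelectRAMs, drains them once the gap is filled, and raises exception flags on overlap or overflow, as the unit's exception_flags output does. Slot count, buffer sizes and flag bit values are assumptions.

```c
/* Software model of the reassembly unit's per-direction state (added example,
 * not the poster's VHDL): next expected sequence number, a bounded hold buffer
 * for out-of-order segments, exception flags like the unit's exception_flags. */
#include <stdint.h>
#include <string.h>

#define HOLD_SLOTS   4    /* assumed: out-of-order segments parked per direction */
#define MAX_SEG      64   /* assumed: payload bytes per modelled segment */
#define OUT_BYTES    512  /* assumed: in-order stream buffer, cf. the SelectRAMs */
#define EXC_OVERFLOW 0x1  /* assumed bit: no room to park or deliver, segment dropped */
#define EXC_OVERLAP  0x2  /* assumed bit: data below next_seq, retransmission/overlap */

struct seg { uint32_t seq; uint16_t len; uint8_t data[MAX_SEG]; };
struct dir_state {
    uint32_t next_seq;                      /* next byte expected in stream order */
    struct seg hold[HOLD_SLOTS]; int held;  /* parked out-of-order segments */
    uint8_t out[OUT_BYTES]; size_t out_len; /* in-order stream handed to IDS analysis */
    uint8_t exception_flags;
};

static int deliver(struct dir_state *d, const uint8_t *p, uint16_t len) {
    if (d->out_len + len > OUT_BYTES) { d->exception_flags |= EXC_OVERFLOW; return 0; }
    memcpy(d->out + d->out_len, p, len);
    d->out_len += len; d->next_seq += len;
    return 1;
}

/* Feed one segment; returns bytes delivered in order (0 if parked or dropped). */
size_t reassemble(struct dir_state *d, uint32_t seq, const uint8_t *p, uint16_t len) {
    size_t before = d->out_len;
    if (len > MAX_SEG) { d->exception_flags |= EXC_OVERFLOW; return 0; }
    if ((int32_t)(seq - d->next_seq) < 0) { d->exception_flags |= EXC_OVERLAP; return 0; }
    if (seq != d->next_seq) {                 /* gap ahead: park until it is filled */
        if (d->held == HOLD_SLOTS) { d->exception_flags |= EXC_OVERFLOW; return 0; }
        struct seg *h = &d->hold[d->held++];
        h->seq = seq; h->len = len; memcpy(h->data, p, len);
        return 0;
    }
    if (!deliver(d, p, len)) return 0;
    for (int i = 0; i < d->held; ) {          /* drain parked segments now contiguous */
        struct seg *h = &d->hold[i];
        if (h->seq == d->next_seq) {
            if (!deliver(d, h->data, h->len)) break;
            *h = d->hold[--d->held]; i = 0;   /* next_seq moved: rescan from the start */
        } else if ((int32_t)(h->seq - d->next_seq) < 0) {
            d->exception_flags |= EXC_OVERLAP; *h = d->hold[--d->held];
        } else i++;
    }
    return d->out_len - before;
}
```

A reordered pair ("WORLD" at seq 1005 before "HELLO" at seq 1000) yields the in-order stream only when the gap closes, and a fifth parked segment sets the overflow flag.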
In parallel, microcode is being developed to off-load some of the CPU-intensive functions of the IDS:
• IP defragmentation
• Checksums at Layer 4
• Packet decoding
ACE + Micro-Engine C Compiler = faster learning cycle
BUT
• The PCI interface between the board and the host, as well as the current driver, appears to be a bottleneck
• The ACE SDK generates too much overhead on the StrongArm
Current Status & Lessons Learned
Implementation of a fully distributed IDS
Adaptation in the NIDS:
• Integration of detection and response
• Agile, context-dependent reconfiguration of multiple IDS methods such as pattern matching and behavioral models
Unified framework for network policies:
• Common response mechanisms for QoS, fault detection, NIDS load balancing
Future Steps