raid2005 cardguard: towards software-based signature detection for intrusion prevention on the...
![Page 1: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649de35503460f94ada6c9/html5/thumbnails/1.jpg)
RAID2005
CardGuard: Towards software-based signature detection for intrusion prevention on the network card
Herbert Bos and Kaiming Huang, presented by Willem de Bruijn
IDS is insufficient
● intrusion prevention is preferable over detection: active guarding nullifies evasion & insertion attempts
● but prevention is problematic at traditional firewalls: performance issues; lack of knowledge; internal nodes expected safe; rigid, leading to circumvention
Move IPS to the edge
CardGuard implements
● a software-based solution on the network card
● full payload scanning, at line-rate*
● to create a (crude) cost-effective local IPS
Outline: Introduction, Architecture, Implementation, Results
distributed firewalling
● signature detection is easier at the network edge
● but it can overwhelm the CPU: 69 Mbps max on a 1.8 GHz P4
● a solution is to offload to the NIC: unobtrusive & difficult to subvert
Network Processors
Programmable NICs that combine cheap software with fast hardware; they contain
● stream processors
● asynchronous memory
● hardware assist (e.g., CAM)
Efficient Pattern Matching
● snort ruleset: >28.000 pattern-based rules; requires parallel processing
● Aho-Corasick pattern-matching algorithm: single-pass, complexity independent of #patterns
Aho-Corasick Example
a deterministic finite automaton (DFA) for the Slammer worm identifies 5 different patterns
IXP1200
● PCI daughterboard or stand-alone box
● two 1 Gbps ports
● 6 stream µEngines
● 4 HW threads/engine
● 1 StrongARM CPU @ 200 MHz
IXP 2XXX
software mapping
[diagram: mapping of the software components Rx, Tx, Cp, ToE and two AC stages onto the card; label "RegEx ="]
Flow handling
● TCP reconstruction light: basic flow accounting; datastream sanitisation
● Out-of-order handling: put on hold, or two-pass scan
[diagram: component pipelines Cp/Rx/AC/ToE and Tx/Cp/AC/ToE]
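An added illustration of the two preceding ideas (the Aho-Corasick slide and this flow-handling slide), written here and not taken from the talk or from CardGuard: the automaton is built in the fully pre-computed "in-memory DFA" form, so matching is one table lookup per byte however many patterns are loaded, and the scanner carries the DFA state across the in-order segments of a flow, which is what "TCP reconstruction light" has to preserve for a signature that straddles a packet boundary. The patterns and segments are constructed for the example and are not the Slammer signatures of the talk.

```python
from collections import deque

# Constructed sample signatures (not the talk's Slammer patterns); any byte strings work.
PATTERNS = [b"GET /", b"/cgi-bin/", b"../..", b"UNION SELECT"]

def build_dfa(patterns):
    """Aho-Corasick with every transition pre-computed (the in-memory DFA form):
    goto[state][byte] -> next state, out[state] -> patterns ending there."""
    goto, out = [{}], [set()]
    for p in patterns:                          # 1. trie of all patterns
        s = 0
        for b in p:
            if b not in goto[s]:
                goto.append({}); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(p)
    fail, q = [0] * len(goto), deque()          # 2. failure links, breadth-first
    for b in range(256):
        if b in goto[0]:
            q.append(goto[0][b])
        else:
            goto[0][b] = 0                      # root absorbs non-matching bytes
    while q:
        s = q.popleft()
        out[s] |= out[fail[s]]                  # a suffix match is a match too
        for b in range(256):
            if b in goto[s]:
                fail[goto[s][b]] = goto[fail[s]][b]
                q.append(goto[s][b])
            else:
                goto[s][b] = goto[fail[s]][b]   # complete the table row
    return goto, out

def scan_flow(dfa, segments):
    """Scan the in-order segments of one TCP flow, carrying the DFA state across
    packet boundaries ('TCP reconstruction light'), so a signature split over two
    packets is still found. Returns [(segment, offset, pattern)]; a negative
    offset means the match started in an earlier segment."""
    goto, out = dfa
    state, found = 0, []
    for n, seg in enumerate(segments):
        for i, b in enumerate(seg):
            state = goto[state][b]              # one lookup per byte, regardless of #patterns
            found += [(n, i + 1 - len(p), p) for p in out[state]]
    return found

# Constructed two-segment flow: "/cgi-bin/" straddles the packet boundary.
SEGMENTS = [b"GET /cgi-b", b"in/test HTTP/1.0\r\n"]
```

Scanning each segment from state 0 instead would miss the straddling signature; an out-of-order segment has to be held back (or rescanned) precisely because this carried state is only valid for the next in-order byte.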
efficient memory use

| memory | size | latency |
|---|---|---|
| Registers | 512 B | 1 cycle; shared |
| Istore | 1 KB | 1 cycle |
| Scratch | 16 KB | 12..14 cycles |
| SRAM | 8 MB | 16..20 cycles |
| SDRAM | 256 MB | 30..40 cycles |

inline DFA vs in-memory DFA
memory access is the bottleneck
[chart: cost of 10 state transitions in #cycles (y-axis 0..900) for the inline DFA (Reg) versus the in-memory DFA (SDRAM)]
benchmarks
[chart: cycles (y-axis 0..60000) against packet size (x-axis 64..1500 bytes)]
processing costs scale linearly with data rate, not packet rate
Full TCP scan sustainable at 100 Mbit
conclusions
● intrusion prevention is feasible at the network edge
● NP-based solutions are cheap and unobtrusive
caveat: CardGuard is only a crude prototype; it lacks a sophisticated management plane