![Page 1: Network Security Dr. Ken Regis Aerogram Networks Fremont, CA](https://reader035.vdocuments.site/reader035/viewer/2022081513/5697bfda1a28abf838cb0422/html5/thumbnails/1.jpg)
Network Security
Dr. Ken Regis
Aerogram Networks
Fremont, CA
Overview
➲ History
➲ Current State
➲ Current Efforts
History
➲ For a long time (roughly the 1950s through the 1990s) "network security" meant cryptography to the R&D community.
➲ The Internet arrived with the web browser and email, and the venerated firewall and virus scanner appeared (circa 1995).
● The first Internet worm was the Morris worm in 1988.
● Firewalls appeared in the late 1980s (credited to Steve Bellovin).
● Trusted Information Systems (TIS) Firewall Toolkit (FWTK), released 10/1/1993.
● Check Point FireWall-1 in 1994.
● McAfee Pro-scan in 1990.
➲ IPsec and SSL/TLS standardized (circa 1998).
➲ Then spam filters, IDS and IPS.
➲ AES standardized (2001), 3DES (1999), DES (1977).
➲ The WiFi WEP debacle prompted 802.11i (circa 2004).
➲ SHA-1 broken? (2005: Wang, Yin and Yu published a collision attack with about 2^69 work, well below the 2^80 birthday bound.)
The Current Issues
➲ Viruses, spam, worms, DoS/DDoS: tamed, but still with us.
➲ Software vulnerabilities (bad/sloppy code).
➲ Spyware/adware.
➲ Peer-to-peer.
➲ Federal and state regulations: SOX, HIPAA, GLB, CA SB 1386, ITAR.
➲ Phishing, social engineering.
Current Industry Efforts
(Partial List)
➲ Network Access Control
➲ Content Scanning
➲ Traffic Profiling
Access Control - Cisco NAC

[Figure: NAC posture-validation architecture. Endpoint (AV agent + Cisco Trust Agent) <-> Network Access Device (router) over EAP over UDP / 802.1X; Network Access Device <-> AAA server (Cisco ACS) over EAP over RADIUS; AAA server <-> vendor policy server over HCAP; a remediation server is reached by URL redirect. CTA/ACS layering: 1. communicate, 2. EAP TLV, 3. authentication (PEAP), 4. encryption.]

1. Endpoint traffic triggers the intercept ACL on the router; the default ACL determines initial network access.
2. The router triggers posture validation with the CTA (EAPoUDP).
3. The CTA sends posture credentials to the router (EAPoUDP).
4. The router forwards the posture credentials to AAA (RADIUS).
5. If necessary, AAA requests posture validation from the vendor policy server (HCAP, Host Credentials Authorization Protocol, HTTPS based).
6. AAA validates posture (Healthy, Checkup, Quarantine, Remediate).
7. AAA sends an Access-Accept carrying ACLs / a URL redirect, as per policy, to the router.
8. The host is granted, denied, redirected or restricted access; a quarantined host is redirected to remediation.
Access Control - Cisco NAC
➲ Network Admission Control functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network, based on the endpoint's posture (OS and AV patch levels).
➲ Proprietary architecture.
➲ Vendor-defined protocols: PEAP (an Internet draft, never published as an IETF standard) and HCAP (Cisco-specific).
➲ Partners: Symantec, McAfee, Trend Micro.
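The decision the AAA server makes in steps 5-8 above, as an added illustration that is not Cisco code: posture credentials forwarded by the agent are compared against a policy, the worst finding picks the token, and the token selects the ACL and URL redirect returned in the Access-Accept. The attribute names, thresholds, ACL names and remediation URLs are invented for the example; the real CTA attribute vocabulary, HCAP messages and RADIUS encoding are not modelled.

```python
"""Toy model of NAC posture validation, steps 5-8 of the flow above.

Added illustration, not Cisco code. Posture attribute names, policy
thresholds, ACL names and remediation URLs are invented for the example;
the real CTA attribute vocabulary, HCAP messages and RADIUS encoding are
not modelled. Only the decision logic is shown.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Posture tokens named on the slide (Cisco's full token set is larger).
HEALTHY, CHECKUP, QUARANTINE, REMEDIATE = "Healthy", "Checkup", "Quarantine", "Remediate"

# Constructed policy: minimum acceptable endpoint state.
POLICY = {
    "av_engine_min": (5, 1),   # (major, minor) of the AV engine
    "av_dat_min": 4700,        # signature (DAT) file revision
    "av_dat_grace": 50,        # revisions behind that only warrant a Checkup
    "os_patch_min": 3,         # required OS patch level
}

# Constructed mapping from token to what the Access-Accept carries.
ENFORCEMENT = {
    HEALTHY:    ("permit-all", ""),
    CHECKUP:    ("permit-all", "https://remediation.example/update-av"),
    QUARANTINE: ("quarantine-only", "https://remediation.example/quarantine"),
    REMEDIATE:  ("remediation-only", "https://remediation.example/install-agent"),
}

@dataclass
class Posture:
    """Credentials the Cisco Trust Agent forwards (constructed fields)."""
    av_present: bool
    av_engine: Tuple[int, int]
    av_dat: int
    os_patch: int

@dataclass
class AccessDecision:
    token: str
    acl: str                       # ACL name the router will apply
    redirect_url: str              # empty when no redirect is needed
    reasons: List[str] = field(default_factory=list)

def validate_posture(p: Posture, policy=POLICY) -> Tuple[str, List[str]]:
    """Step 6: map posture credentials to a token; the worst finding wins."""
    reasons = []
    if not p.av_present:
        return REMEDIATE, ["no AV agent: must install before any access"]
    if p.os_patch < policy["os_patch_min"]:
        reasons.append("OS patch level %d < %d" % (p.os_patch, policy["os_patch_min"]))
    if p.av_engine < policy["av_engine_min"]:
        reasons.append("AV engine %s < %s" % (p.av_engine, policy["av_engine_min"]))
    behind = policy["av_dat_min"] - p.av_dat
    if behind > policy["av_dat_grace"]:
        reasons.append("AV DAT %d revisions behind" % behind)
    if reasons:
        return QUARANTINE, reasons
    if behind > 0:
        return CHECKUP, ["AV DAT %d revisions behind (within grace)" % behind]
    return HEALTHY, []

def decide(p: Posture, policy=POLICY) -> AccessDecision:
    """Steps 7-8: the Access-Accept contents the router enforces."""
    token, reasons = validate_posture(p, policy)
    acl, url = ENFORCEMENT[token]
    return AccessDecision(token, acl, url, reasons)

if __name__ == "__main__":
    for host in (Posture(True, (5, 2), 4700, 3),    # fully compliant
                 Posture(True, (5, 2), 4680, 3),    # slightly stale DAT
                 Posture(True, (5, 0), 4700, 2),    # old engine and old OS
                 Posture(False, (0, 0), 0, 0)):     # no agent at all
        d = decide(host)
        print(d.token, d.acl, d.redirect_url or "-", "; ".join(d.reasons))
```

The point of the grace band is that a slightly stale signature file yields Checkup (full access plus a nudge) while anything worse yields Quarantine; a host with no agent gets only the remediation ACL, since there are no credentials to evaluate.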
Access Control - MAC-SEC
➲ To provide user data confidentiality, frame data integrity, and data origin authenticity.
[Figure: stations A, B, C and D on a shared hub. A, B and C form the connectivity association CA(ABC); each member transmits on its own secure channel (SC_A, SC_B, SC_C). D is outside the CA. SC: Secure Channel; CA: Connectivity Association.]
➲ SecY (MAC Security Entity): protection, i.e. integrity and confidentiality of frames on the secure channel.
➲ KaY (Key Agreement Entity): CA discovery, peer authentication, key management.
Access Control - MAC-SEC
MACsec frame (802.1AE), field lengths in octets:

| DST MAC | SRC MAC | SecTAG | Secure data | ICV |
|---|---|---|---|---|
| 6 | 6 | 8 or 16 | n | 8-16 |

SecTAG fields:

| EtherType (0x88E5) | TCI + AN | SL | Packet Number | SCI |
|---|---|---|---|---|
| 2 | 1 | 1 | 4 | 8 (optional) |

SCI = source MAC + port identifier; it is carried (SC bit set in the TCI) when the CA has more than two peers.

IPsec ESP, for comparison:

| SPI | Sequence Number | Data | Padding | Pad Length | Next Header | ICV |
|---|---|---|---|---|---|---|
| 4 | 4 | n | 0-255 | 1 | 1 | n |
Access Control - MAC-SEC (TX)
Access Control - MAC-SEC (RX)
Content Scanning
➲ The problem is to find a hex sub-string in the continuous bytes of a flow, not merely inside one packet: a signature may straddle a packet boundary, so matching state has to be carried from one packet to the next.
➲ Substantial theoretical research: Boyer-Moore, Aho-Corasick.
➲ CPU MIPS required.
String Matching Algorithm
➲ Knuth-Morris-Pratt.
➲ Boyer-Moore uses heuristics (bad-character and good-suffix shifts) to skip ahead.
● O(k(m+n)) for k patterns of length m in a text of length n, searched one pattern at a time.
➲ Commentz-Walter.
➲ Wu-Manber.
➲ Aho-Corasick creates an NFA (then a DFA) out of all the search patterns.
● O(n) matching time, independent of the number of patterns.
● State explosion: the DFA grows with the pattern set (and much faster with regular expressions), so memory rather than CPU becomes the limit.
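Aho-Corasick as it is used for flow scanning, added here as an example (not code from the slides, Snort or any vendor): the trie with failure links is built once from all patterns, and a per-flow scanner keeps the automaton state across packet payloads, so a signature that straddles a packet boundary is still found. The failure links are followed at scan time rather than expanded into a full DFA table, which is the memory side of the state-explosion trade-off. The signatures and the two-packet flow are constructed.

```python
"""Aho-Corasick multi-pattern search over a byte stream, keeping the
automaton state across packet boundaries.

Added example, not code from the slides, Snort or any vendor. The
signatures and the two-packet sample flow are constructed.
"""
from collections import deque

class AhoCorasick:
    """Trie plus failure links (the NFA). Failure links are resolved during
    the scan instead of being expanded into a full DFA table: slower per
    byte, but the memory does not explode with the pattern set."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]      # state -> {byte value: next state}
        self.fail = [0]       # state -> longest proper suffix that is also a prefix
        self.out = [[]]       # state -> ids of patterns that end in this state
        for pid, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                nxt = self.goto[s].get(b)
                if nxt is None:
                    nxt = self._new_state()
                    self.goto[s][b] = nxt
                s = nxt
            self.out[s].append(pid)
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:                              # breadth-first failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def _new_state(self):
        self.goto.append({}); self.fail.append(0); self.out.append([])
        return len(self.goto) - 1

    def step(self, state, b):
        while state and b not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(b, 0)

class FlowScanner:
    """One instance per flow: state and byte offset survive between packets."""

    def __init__(self, ac):
        self.ac, self.state, self.offset = ac, 0, 0

    def feed(self, payload):
        """(pattern id, start offset in the flow) for each match ending in this payload."""
        hits = []
        for b in payload:
            self.state = self.ac.step(self.state, b)
            self.offset += 1
            for pid in self.ac.out[self.state]:
                hits.append((pid, self.offset - len(self.ac.patterns[pid])))
        return hits

def scan_flow(patterns, packets):
    """Stream mode: one scanner for the whole flow."""
    scanner, hits = FlowScanner(AhoCorasick(patterns)), []
    for p in packets:
        hits.extend(scanner.feed(p))
    return sorted(hits)

def scan_per_packet(patterns, packets):
    """Packet mode: state reset on every packet (offsets are packet-relative)."""
    ac, hits = AhoCorasick(patterns), []
    for p in packets:
        hits.extend(FlowScanner(ac).feed(p))
    return sorted(hits)

# Constructed signatures; the second one is split across the packet boundary.
SIGS = [bytes.fromhex("90909090"), b"cmd.exe", b"/bin/sh"]
PACKETS = [b"GET /index.html HTTP/1.0\r\nUser-Agent: cmd.e",
           b"xe\r\n\r\n\x90\x90\x90\x90"]

if __name__ == "__main__":
    print("stream:", scan_flow(SIGS, PACKETS))            # cmd.exe at 38, NOP sled at 49
    print("per packet:", scan_per_packet(SIGS, PACKETS))  # the split cmd.exe is missed
```

Each byte costs one goto lookup plus a bounded walk down the failure chain, which is the O(n) claim above; the per-packet variant is what an IDS without stream reassembly effectively does, and an attacker who fragments a payload at the right byte evades it.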
COTS IP Packet Processor
Architecture (IXP 2400 circa 2003)
➲ 4 GE ports
➲ Throughput
● 4 Gbps for all frame sizes
● 12 Mpps for 64-byte frames
● 0.4 Mpps for 1518-byte frames
➲ Latency (1518-byte frames):
● 100% throughput: 45 usec
● 75% throughput: 34 usec
● 50% throughput: 26 usec
● 25% throughput: 17.4 usec
IXP2400 Internal Architecture
[Figure: IXP2400 block diagram. Eight MEv2 microengines (1-8) in two clusters of four; XScale core with 32 KB instruction cache and 32 KB data cache; RBUF and TBUF (64 entries of 128 B each); hash unit (48/64/128-bit); 16 KB scratchpad; two QDR SRAM channels (18-bit); DDR DRAM (72-bit); 64-bit/66 MHz PCI; SPI-3 or CSIX media interface with stripe/byte-align logic and enqueue/dequeue; a gasket between the media interface and the buffers; 32-bit internal buses; CSRs (fast_wr, UART, timers, GPIO, boot ROM/slow port).]
String Matching - MIPS Issue
➲ DRAM packet buffer access speed = d (19.2 Gbps)
➲ Average packet size = b (1000 bits)
➲ SRAM pattern access speed = s (12.8 Gbps)
➲ ME/CPU compares = c (0.600 Gips, 32-bit word compares)
➲ Number of patterns = p (1000)
➲ Average pattern length = l (100 bits)
➲ Times each pattern is read per packet = f1 (1, patterns held in scratch memory)
➲ Theoretical pattern matching rate for naive matching
● 1 / ( b/d + f1·l·p/s + b·l·p/(32²·c) ): time to fetch the packet, time to fetch every pattern, and the word-by-word compares of every pattern at every packet offset.
● Memory-bound rate (first two terms, 0.05 usec + 7.8 usec): 127 Kpps.
● Adding the compare term (163 usec): 5860 pps worst case; 28654 pps with a tree/DFA instead of comparing every pattern.
String Matching - MIPS Issue (Content Processors)
➲ 17 Gbps content search (Seaway Networks).
● Stream based vs. packet based.
● HW assists for content matching, modification, and replication.
➲ 4.0 Gbps (Cavium Networks).
● Multi-core architecture connected by SPI 4.2 (10 Gbps).
➲ (Sensory Networks)
● Origin in gene sequence search.
➲ Such throughput figures are not comparable without the test conditions: matching against one pattern or thousands? How long a pattern? Which algorithm?
String Matching Uses – IDS
(SNORT)
[Figure: Snort pipeline. pcap capture -> preprocessors (frag2, stream4, http_decode, portscan, SPADE) -> detection engine (rules; content, i.e. signature-based, matching in software) -> log/alert engine -> output engine (syslog, sql, smb).]
String Matching Uses 1
(SNORT)
➲ Snort: open source software IDS.
➲ Uses Boyer-Moore (BM), Aho-Corasick (AC), Wu-Manber (WM) and set-wise BM for multi-pattern content matching.
➲ Runs in user space, a substantial performance issue; I believe the best performance has been about 80 Mbps on state of the art PC platforms.
➲ String matching is used for flagging viruses, spyware and application vulnerabilities through signatures.
➲ Also supports regular expressions; performance is an issue.
String Matching Use – Compliance
(Reconnex)
String Matching Uses 2
(Reconnex)
➲ Content security for compliance and IP protection.
➲ Detects SSNs, credit card numbers, etc.
➲ Uses proprietary methods to generate signatures from repositories.
➲ Signatures are matched as packets stream in.
➲ Packets are assembled into flows and stored on hard disks for audit purposes.
➲ PC platform: dual Pentium, 4 GB RAM, 1.5 TB HD.
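The SSN and credit-card detection mentioned above, as an added example (Reconnex's own method is proprietary and not shown here): a digit-run regex alone flags order numbers and phone numbers, so each candidate is checked structurally, with the Luhn mod-10 checksum for card numbers and the SSA's never-issued ranges for SSNs, and only the last four digits are reported for the audit log. The sample text is constructed; 4111 1111 1111 1111 is a well-known test number that passes Luhn.

```python
"""Detect credit-card PANs and US SSNs in reassembled flow data, using
structural checks to suppress false positives from arbitrary digit runs.

Added example, not Reconnex's (proprietary) method. The sample text is
constructed; 4111 1111 1111 1111 is a well-known Luhn-valid test PAN.
"""
import re

# 13-19 digits, optional single space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check that every issued PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def mask(digits):
    """Keep only the last four digits for logging."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text):
    """(masked PAN, offset) for every Luhn-valid candidate."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append((mask(digits), m.start()))
    return found

def find_ssns(text):
    """(masked SSN, offset) for every structurally valid candidate."""
    return [(mask(m.group(0).replace("-", "")), m.start())
            for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]

# Constructed flow content: one real-looking card, one 16-digit ticket number,
# one plausible SSN, two impossible SSNs and a phone number.
SAMPLE = ("order 7781: card 4111-1111-1111-1111 exp 12/09; "
          "ticket 4111111111111112 (fails Luhn); "
          "employee 123-45-6789; bogus 000-12-3456 and 666-12-3456; "
          "phone 4085551212")

def scan(text=SAMPLE):
    return {"pans": find_pans(text), "ssns": find_ssns(text)}

if __name__ == "__main__":
    print(scan())
```

Because the scan runs on reassembled flows rather than single packets, a number split across two segments is still caught; the trade-off is the flow storage the slide mentions.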
Profiling
➲ Profiled items
● Top applications
● Top sources & destinations
● Top conversations
➲ Protocol analysis
● TCP state reconstruction
● UDP/ICMP state reconstruction
● Application protocols: FTP, Telnet, HTTP, Sun RPC, MSRPC, NFS, SMB/CIFS, P2P (Kazaa, etc.)
● Tunneled: IP-in-IP, HTTP
Profiling - Issues
➲ Number of simultaneous flows (s)
● Memory issue: typical per-flow state is 256 bytes.
● Current products support ~5 million flows (about 1.3 GB of flow state).
➲ Flow create rate (c)
● A pathological case is a SYN attack.
➲ Flow demise rate (d)
● Graceful demise (e.g. the 4-way TCP FIN handshake).
● Timeouts (e.g. half-open flows left behind by a SYN attack).
➲ Steady state
● The table stops growing only if c <= d; in steady state c = d.
● Little's law: s = c × (average flow life), so the average flow life must stay below s_max/c (= s_max/d in steady state) or the table overflows. A SYN flood raises c and, through timeouts, the lifetime of the half-open entries at the same time.
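The steady-state argument above, as an added event model (not any product's code): legitimate flows arrive at rate c and retire after their average life, so the table settles at c × life as Little's law predicts; a SYN flood adds half-open entries that only leave by timeout, and once the table is full new flows go untracked. The 256-byte per-flow size and 5 M-flow capacity come from the slide; the rates, lifetimes and the small demo capacity are chosen for illustration.

```python
"""Event model of a flow table: occupancy under normal load (Little's law)
and under a SYN flood where half-open entries leave only by timeout.

Added example, not any product's code. Per-flow size and the 5 M-flow
capacity come from the slide; rates, lifetimes and the demo capacity are
chosen for illustration.
"""
import heapq

FLOW_BYTES = 256          # per-flow state, as on the slide
CAPACITY = 5_000_000      # flows a current product can hold

def little_law_occupancy(create_rate, mean_life):
    """s = c * (average flow life): entries resident in steady state."""
    return create_rate * mean_life

def max_affordable_life(capacity, create_rate):
    """Longest average flow life the table sustains at a given create rate."""
    return capacity / create_rate

def simulate(create_rate, mean_life, duration, capacity=CAPACITY,
             syn_rate=0.0, half_open_timeout=30.0):
    """Legitimate flows arrive evenly at create_rate and end gracefully after
    mean_life (FIN handshake). A SYN flood adds syn_rate half-open flows per
    second that are reclaimed only by half_open_timeout. Arrivals that find
    the table full are dropped (left untracked). Returns peak occupancy,
    drops, and the memory the peak represents."""
    expiries = []                                  # min-heap of entry expiry times
    peak = dropped = 0
    t_legit = 0.0 if create_rate > 0 else None
    t_syn = 0.0 if syn_rate > 0 else None
    while True:
        pending = [t for t in (t_legit, t_syn) if t is not None]
        if not pending:
            break
        now = min(pending)
        if now >= duration:
            break
        while expiries and expiries[0] <= now:     # graceful demise or timeout
            heapq.heappop(expiries)
        if now == t_legit:
            life, t_legit = mean_life, t_legit + 1.0 / create_rate
        else:
            life, t_syn = half_open_timeout, t_syn + 1.0 / syn_rate
        if len(expiries) >= capacity:
            dropped += 1                           # table full: flow goes untracked
        else:
            heapq.heappush(expiries, now + life)
            peak = max(peak, len(expiries))
    return {"peak": peak, "dropped": dropped, "peak_bytes": peak * FLOW_BYTES}

def demo():
    """Normal load settles at c*life = 200; a 1000 SYN/s flood with a 1 s
    half-open timeout alone needs 1000 entries and overflows a 1000-entry table."""
    normal = simulate(create_rate=100, mean_life=2.0, duration=10, capacity=1000)
    flood = simulate(create_rate=100, mean_life=2.0, duration=10, capacity=1000,
                     syn_rate=1000, half_open_timeout=1.0)
    return normal, flood

if __name__ == "__main__":
    print(demo())
    print("5M flows =", CAPACITY * FLOW_BYTES / 1e9, "GB of state")
```

The lever a profiler has against the flood is the half-open timeout: halving it halves the flood's share of the table, which is why those timeouts are tuned far shorter than the timeouts for established flows.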
Profiling - Issues
➲ Protocol state machine
● Both sides must be tracked: client/server, requestor/responder, initiator/responder.
➲ Time budget
● CPU/NP/CP clock cycle time, tc (1.0 nsec).
● Buffering memory available, M (1 GB = 8 Gbit).
● System throughput, tt (2 Gbps).
● Cycles available while a packet sits in the buffer, c = (latency budget)/tc.
● The buffer alone would allow a latency of M/tt = 4 sec, i.e. c = M/(tc·tt) = 4e9 cycles. Not allowed: tolerable latency is << 150 ms. If 1.0 msec is allowed, then c is 1,000,000.
Profiling
➲ Cisco NetFlow (IPFIX), PSAMP
➲ CAIDA
➲ Mazu Networks
➲ Imperva
➲ Allot
➲ Narus
Conclusion
➲ Network security, information security, is a very vibrant area: many players selling many products and services (eerily similar to 1999).
➲ Overheard: information security is an eternal gold mine.