ENST Bretagne: Access Control in ATM Networks. Olivier Paul, IBM Zurich, March 1st. ENST Bretagne, RSM Department.


Page 1: Title slide

Access Control in ATM Networks

Olivier Paul, ENST Bretagne, RSM Department

IBM Zurich, March 1st

Page 2: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

• Access Control Management

• Conclusion

Page 3: Introduction

• Access Control:

– Security service providing protection against unauthorised use by an entity or group of entities (ISO).

[Figure: a client on one network reaching a server through a firewall; the firewall carries the rule below.]

access-list 101 permit tcp any gt 1023 192.165.203.5 0.0.0.0 eq 80

Parameters carried by such a rule:

• Source and destination addresses

• Protocol

• Application or service identifiers

• Action

Page 4: Introduction

• ATM (Asynchronous Transfer Mode):

– Specified to transport various kinds of flows.

– Allows applications to request Quality of Service.

– High speed (Mb/s to Gb/s).

– Connection oriented.

– Data transported in small packets (cells).

– Usage:

• Directly: some native ATM applications (ANS, VoD).

• Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS), the most common use.

Page 5: Introduction

[Figure: classical firewall architecture. Operations on a packet: reassembly, classification, fragmentation, with a buffer in front of the classifier; the blocks are connected by a bus or switch.]

• The impact on the QoS depends on the buffer characteristics.

• Classification and copy (bus) operations are generally considered the bottleneck of the firewall architecture.

Page 6: The flow classification problem

[Figure: a classifier examining d header fields of a packet: protocol, source address, destination address, source ports, destination ports, flags.]

If Cond1 and Cond2 and Cond3 then action1

If Cond4 and Cond5 then action2

If Cond6 then action1

n rules over d fields.

Theoretical bounds (Lakshman & al. [ACM SIGCOMM '98]):

• Temporal complexity: O(log n), spatial complexity: O(n^d).

• Temporal complexity: O(n), spatial complexity: O(log^(d-1) n).

Page 7: Introduction

• In the case of ATM networks:

[Figure: the same firewall architecture (reassembly, classification, fragmentation, buffer, bus/switch), annotated with the three concerns: throughput, Quality of Service, and access control parameters.]

• The impact on the QoS depends on the buffer characteristics.

• Classification and copy (bus) operations are generally considered the bottleneck of the firewall architecture.

Page 8: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

• Access Control Management

• Conclusion

Page 9: Access Control parameters

[Figure: methodology. Inputs: ATM parameters and TCP/IP parameters (already well known: addresses), information generated by the ATM model, existing parameters, new attacks, and analogies with parameters used in existing protocols. These lead to new ATM access control parameters and to an access control parameters classification; the analysis of ATM applications and services leads to application access control profiles.]

Page 10: Access Control parameters

[Figure: classification of the parameters. Information generated by the signalling protocol: service descriptors, Quality of Service descriptors, new addressing information, other parameters. Information generated by ATM cell headers: connection identifiers, type of flow. Existing parameters: ATM parameters and TCP/IP parameters (already well known: addresses).]

Page 11: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

• Access Control Management

• Conclusion

Page 12: Access Control Architectures

Two main problems to solve:

– Classification process efficiency.

– QoS assurance.

[Figure: each problem maps to an architecture. Agents based access control architecture: distributed access control process, non-blocking access control process. Centralised access control architecture: fast packet classification algorithm, classification algorithm with bounded complexities.]

Goal: provide an access control service

– For ATM native applications, by using our new access control parameters.

– For IP over ATM applications, by using well known TCP/IP access control parameters.

Page 13: Agents based access control architecture: improving access control performance

[Figure: three controllers, each holding a copy of the policy, placed between the internal network and the external network.]

Concurrent access control processes.

Schuba [Ph.D. Thesis, Purdue University, 97]

Page 14: Agents based access control architecture: improving access control performance

[Figure: three controllers between the external network and internal networks 1, 2 and 3, each configured with its own policy (Policy 1, Policy 2, Policy 3).]

Controllers specialisation through policy segmentation.

Page 15: Agent based access control architecture: are performance improvements sufficient to solve the QoS problem?

• If we can prove that

– The classification process is always fast enough.

– The delay introduced by the classification process is small and bounded.

• Then: yes.

• Do existing access control devices comply with these conditions? Sometimes / No.

Respect of the QoS has to be ensured through other means.

Basic idea: use a non-blocking access control process.

The access control decision is taken independently from the flows transported over the network.

Page 16: Agent based access control architecture

If we don't block the flows, where can we find the useful access control information?

> In the network devices' protocol stacks.

• Network devices keep information about ongoing communications in their protocol stack.

[Figure: ATM end system 1 and ATM end system 2 connected through two ATM switches (lines 1, 2 and 3) to an external network; an external program (E.P.) runs on each device.]

• This information can be accessed through external programs.

• Most of the useful access control information can be found there.

Page 17: Agent based access control architecture

• The basic idea is to extend such a program (later referred to as agent) with access control capabilities.

[Figure: the same topology (ATM end systems 1 and 2, two ATM switches, lines 1, 2 and 3, external network) with an agent running on each device.]

• Periodically the agent polls the information located in the protocol stacks.

• It then compares this information with a description of allowed communications.

• If the communication is not allowed then the agent interacts with the protocol stack to stop the communication.
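Added example (not part of the deck and not the author's implementation): a simulation of the agent loop described on pages 16 and 17. The agent stays off the data path; it polls a constructed snapshot of a device's connection table, checks each connection against a description of allowed communications and asks the stack to tear down what is not allowed. The connection record, the policy format and the teardown hook are assumptions made for this example.

```python
"""Added example (not the deck's own code) of the agent loop on pages 16-17:
the agent never sits on the data path; it periodically reads the ongoing
connections a device's protocol stack keeps, compares each one with a
description of allowed communications, and asks the stack to stop those
that are not allowed.  The connection record, the policy format and the
teardown hook are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    """One ongoing connection as read from the stack (constructed format)."""
    vpi: int
    vci: int
    src: str       # calling party, given as an IP address (IP over ATM case)
    dst: str       # called party
    service: str   # service descriptor, e.g. "http" or "vod"


@dataclass(frozen=True)
class Allowed:
    """One entry of the description of allowed communications."""
    src_net: str
    dst_net: str
    service: str   # "*" matches any service


@dataclass
class Agent:
    allowed: list
    torn_down: list = field(default_factory=list)
    polled: int = 0

    def permits(self, conn):
        for a in self.allowed:
            if (ip_address(conn.src) in ip_network(a.src_net)
                    and ip_address(conn.dst) in ip_network(a.dst_net)
                    and a.service in ("*", conn.service)):
                return True
        return False   # default deny: not described as allowed means stopped

    def teardown(self, conn):
        """Assumed hook: a real agent would ask the signalling stack to
        release the virtual connection identified by (VPI, VCI)."""
        self.torn_down.append((conn.vpi, conn.vci))

    def poll(self, stack_table):
        """One polling cycle.  Anything not allowed has already been carried
        until this cycle: that window is the 'security is not guaranteed'
        point of page 18, the price of not blocking flows."""
        self.polled += 1
        for conn in stack_table:
            if not self.permits(conn):
                self.teardown(conn)
        return list(self.torn_down)


# Constructed snapshot of a switch's connection table.
SAMPLE_TABLE = [
    Connection(0, 32, "192.168.1.10", "10.0.0.5", "http"),
    Connection(0, 33, "192.168.1.11", "10.0.0.7", "vod"),    # service not allowed
    Connection(1, 40, "172.16.5.5", "10.0.0.5", "http"),     # source outside the internal net
]
SAMPLE_POLICY = [Allowed("192.168.1.0/24", "10.0.0.0/8", "http")]


def run_cycle(table=SAMPLE_TABLE, policy=SAMPLE_POLICY):
    """Run one polling cycle and return the (VPI, VCI) pairs torn down."""
    return Agent(allowed=policy).poll(table)


if __name__ == "__main__":
    print(run_cycle())   # [(0, 33), (1, 40)]
```

The returned list is what a security officer would want logged per cycle: every torn-down connection was carried for up to one polling interval before the agent saw it, which is the asynchronous architecture's trade-off between QoS (no cell is delayed) and the guarantee that no unauthorised cell is ever forwarded.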

Page 18: Conclusions: Agent Based Architecture

• New architecture

– Distributed.

– Asynchronous.

• Traditional classification algorithm.

• Performance improvement is difficult to evaluate.

• Security is not guaranteed.

• How to manage access control agents?

Page 19: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

– Agents based Access Control Architecture.

– Centralised Access Control Architecture.

• Access Control Management

• Conclusion

Page 20: Classification Algorithms

Existing deterministic classification algorithms:

• Algorithms for static policies

– Fast.

– Take advantage of redundancies in access control policies.

– Unbounded temporal & spatial complexities.

– Generation & update of the classification structure are slow.

• Algorithms for dynamic policies

– Comparatively slow.

– Bounded temporal & spatial complexities.

– Bounded complexities for generation & update of the classification structure.

– Implementable.

Page 21: Classification Algorithm

• New flow classification algorithm:

– Temporal complexity: O(d). Independent from the number of rules.

– Spatial complexity: O((2n+1)^d). Unusable when d = 4 and n = 50.

– d: number of fields to analyse, n: number of rules in the classification policy.

However!

• In practice we succeed in implementing large policies by taking advantage of:

– The redundancy in the classification structure.
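Added example (not the deck's own code; the deck does not publish its algorithm) for the classification problem of pages 6 and 21. It implements the interval / bit-vector scheme of Lakshman & Stiliadis (SIGCOMM '98): each field's rule ranges cut the field into at most 2n+1 elementary intervals, each interval stores an n-bit vector of the rules matching it, and a lookup does one interval search per field (O(d) searches) followed by a bitwise AND. The only links to the deck's figures are the per-field 2n+1 structure and the (2n+1)^d size of a fully expanded cross-product table, which the example also computes to show why that table is unusable at d = 4, n = 50. The policy is the access-list of page 3 followed by a deny-all; the packets are constructed.

```python
"""Added example (not the deck's own code) for the flow classification
problem of pages 6 and 21: n rules over d fields, bit-vector scheme of
Lakshman & Stiliadis (SIGCOMM '98).  Fields: proto, src, sport, dst, dport."""
from bisect import bisect_right
from ipaddress import ip_address

ANY32 = (0, 2**32 - 1)          # "any" address
ANY16 = (0, 65535)              # any port
FIELD_MAX = [255, 2**32 - 1, 65535, 2**32 - 1, 65535]


class Rule:
    """Range [lo, hi] on each field plus an action; lower index = higher priority."""
    def __init__(self, ranges, action):
        self.ranges, self.action = ranges, action


class BitVectorClassifier:
    def __init__(self, rules, field_max=FIELD_MAX):
        self.rules, self.d = rules, len(field_max)
        self.starts, self.vectors = [], []
        for f in range(self.d):
            # Cut the field axis at every lo and hi+1: at most 2n+1 intervals.
            cuts = {0, field_max[f] + 1}
            for r in rules:
                lo, hi = r.ranges[f]
                cuts.update((lo, hi + 1))
            starts = sorted(cuts)[:-1]
            vecs = []
            for s in starts:
                bits = 0
                for i, r in enumerate(rules):
                    lo, hi = r.ranges[f]
                    if lo <= s <= hi:      # an elementary interval is either
                        bits |= 1 << i     # wholly inside [lo, hi] or outside
                vecs.append(bits)
            self.starts.append(starts)
            self.vectors.append(vecs)

    def interval_counts(self):
        """Per-field number of elementary intervals (each <= 2n+1)."""
        return [len(s) for s in self.starts]

    def classify(self, packet):
        """d interval searches and one AND per field; the lowest set bit is
        the highest-priority matching rule.  Returns None if nothing matches."""
        acc = (1 << len(self.rules)) - 1
        for f in range(self.d):
            idx = bisect_right(self.starts[f], packet[f]) - 1
            acc &= self.vectors[f][idx]
            if acc == 0:
                return None
        return self.rules[(acc & -acc).bit_length() - 1].action


def cross_product_entries(n, d):
    """Entries of a fully expanded cross-product table, (2n+1)^d: the
    O((2n+1)^d) space of page 21, unusable at d = 4, n = 50."""
    return (2 * n + 1) ** d


def build_demo():
    """Policy of page 3: permit tcp any gt 1023 to 192.165.203.5 eq 80,
    followed by an implicit deny-all (the only two rules, so n = 2)."""
    server = int(ip_address("192.165.203.5"))
    rules = [
        Rule([(6, 6), ANY32, (1024, 65535), (server, server), (80, 80)], "permit"),
        Rule([(0, 255), ANY32, ANY16, ANY32, ANY16], "deny"),
    ]
    return BitVectorClassifier(rules)


def demo_results():
    clf = build_demo()
    client, server = int(ip_address("10.1.1.1")), int(ip_address("192.165.203.5"))
    return (
        clf.classify((6, client, 40000, server, 80)),   # tcp, high source port: permit
        clf.classify((6, client, 80, server, 80)),      # source port <= 1023: deny
        clf.classify((17, client, 40000, server, 80)),  # udp: deny
        clf.interval_counts(),                          # [3, 1, 2, 3, 3], all <= 2n+1 = 5
        cross_product_entries(50, 4),                   # 101**4 entries
    )


if __name__ == "__main__":
    print(demo_results())
```

The per-field tables are what stays small and independent of d; what grows as (2n+1)^d is only the table that pre-computes the AND for every combination of intervals, which is the structure whose redundancy the deck says it exploits in practice.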

Page 22: Implementation

• IFT Traffic Analysis Cards (designed by France Telecom R&D)

• Characteristics:

– Mono-directional.

– Physical connector: OC12 (622 Mb/s).

– Unspecified classification algorithm.

– Action (1st cell from an AAL5 frame, classification policy): AAL5 switching.

[Figure: IFT card: physical connector, buffer, classification block driven by the policy, switching operations, physical connector.]

Page 23: Content of the first ATM cell

[Figure: the 53-byte first cell of an AAL5 frame for several encapsulations, from the bare TCP/UDP/ICMP and IP headers down to ATM header, AAL5, SNAP/LLC, IP header and TCP/UDP/ICMP header; the last row shows an IP header with options, or an IPv6 header, after which the transport header no longer fits in the first cell.]

Page 24: Centralised Architecture

• Goals:

– Design an architecture allowing IFTs to be used to provide the relevant access control service.

– Test our new classification algorithm to check whether the performance bottleneck and QoS assurance problems can be solved.

• IFT Traffic Analysis Cards (designed by France Telecom R&D)

• Characteristics:

– Mono-directional.

– Physical connector: OC12 (622 Mb/s).

– Unspecified classification algorithm.

– Action (1st cell from an AAL5 frame, classification policy): AAL5 switching.

[Figure: IFT card: physical connector, buffer, classification block driven by the policy, switching operations, physical connector.]

Page 25: Architecture

• Located between a private network and a public network.

• Made of three modules:

– Manager.

– Signalling Filter.

– Cell-Level Filter.

• Integrates with an existing ATM switch.

[Figure: the controller is made of a SUN station (manager, signalling filter), a Solaris PC (IFT driver, daemon, two IFT cards) and an ATM switch, placed between the internal network and the external network.]

Page 26: Tests

• Throughput and QoS.

– Physical connector max. throughput: 622 Mb/s; physical layer overhead: 26/27.

– Max. throughput to classify: 622 * 26/27 = 599 Mb/s.

– Min. classification capability (1.31 Mc/s, cells of 53 bytes): 1.31 * 53 * 8 = 555 Mb/s (< 599 Mb/s).

– Buffer (8192 bytes): max. delay = 120 µs.

• Memory requirements: practical examples, analysis of 9 fields, using a 15 ns analysis cycle.

Type of policy      Number of rules   Classification capabilities   Memory required

[Che94], [Cha95]    40                1.31 Mc/s                     17 Kbytes

                    750               1.31 Mc/s                     1.2 Mbytes

French ISP          7900              1.31 Mc/s                     3.4 Mbytes

Page 27: Conclusions: Centralised Architecture

• Old architecture.

• New classification algorithm

– Deterministic.

– Delay introduced by the access control process can be bounded.

– Minimal throughput can be bounded.

– Resistant to DoS attacks.

• IPv6 problem.

• Algorithm is currently only able to deal with static policies.

Page 28: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

• Access Control Management

– Distribution Criteria.

– A Distributed Access Control Management Architecture.

• Conclusion

Page 29: Access Control Management

• Security assurance

– Make sure that the whole access control architecture will provide the access control service defined by the security officer.

• Efficiency assurance

– Configure each device with the smallest subset of access control rules allowing the policy to be enforced.

• Criteria have to be defined to build these sets.

Constraints

• Problem 1: Manage a set of devices with proprietary access control configuration interfaces (heterogeneity problem).

• Answer: Generic and ergonomic way to define the access control policy.

• Problem 2: Manage distributed access control architectures (a large number of access control devices have to be configured remotely).

• Answer: Automatic configuration architectures.

Page 30: Criteria

• Criterion 1: Device Access Control Capabilities.

– A rule cannot be attributed to a device if this device is not able to implement the rule.

• Criterion 2: Network Topology.

– A rule r should not be attributed to a device if this device is not located between the source and the destination described by r.

[Figure: a source and a destination connected through a network of access control devices (A.C.); the rule IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT is only attributed to the devices located between them.]

Page 31: Criteria

• Criterion 3 (new): Type of rule (permit/deny)

– A "deny" rule r has to be attributed to a single device. This device is the closest to the source or the destination described by r.

[Figure: the same source, destination and access control devices; the rule IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY is attributed to one device only.]
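Added example (not the deck's own code) applying the three distribution criteria of pages 30 and 31 to a constructed acyclic network, as on pages 33 and 34, so that the path between a rule's source and destination is unique. The graph, the device capabilities and the rules are constructed; the deck leaves the choice between the source side and the destination side open for criterion 3, and this example takes the capable device closest to the source.

```python
"""Added example (not the deck's own code) of the three distribution
criteria of pages 30-31 on an acyclic network (pages 33-34).  Graph,
device capabilities and rules are constructed for the example."""
from collections import deque


def unique_path(adj, src, dst):
    """BFS in an acyclic graph: the only path from src to dst, as a node list."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def distribute(rules, adj, capabilities):
    """Return {device: [rule ids]}.
    Criterion 2 (topology): only devices on the src -> dst path.
    Criterion 1 (capabilities): only devices able to implement every field
    of the rule.
    Criterion 3 (rule type): a deny rule goes to exactly one device, here
    the capable device closest to the source (assumption: the deck allows
    either end).  Permit rules go to every capable device on the path,
    since each enforcement point crossed by the flow must let it through."""
    assignment = {dev: [] for dev in capabilities}
    for rule in rules:
        path = unique_path(adj, rule["src"], rule["dst"])
        on_path = [n for n in path if n in capabilities]                         # C2
        capable = [n for n in on_path if set(rule["fields"]) <= capabilities[n]]  # C1
        if not capable:
            continue   # no device can enforce it: to be reported to the security officer
        if rule["action"] == "deny":                                              # C3
            assignment[capable[0]].append(rule["id"])   # path order = closest to source
        else:
            for dev in capable:
                assignment[dev].append(rule["id"])
    return assignment


def rule_count(assignment):
    """Total number of rules configured in the network."""
    return sum(len(v) for v in assignment.values())


# Constructed topology: S - D1 - D2 - D3 - T, with a branch D2 - D4 - H.
ADJ = {
    "S": ["D1"], "D1": ["S", "D2"], "D2": ["D1", "D3", "D4"],
    "D3": ["D2", "T"], "T": ["D3"], "D4": ["D2", "H"], "H": ["D4"],
}
# Fields each access control device is able to filter on (constructed).
CAPABILITIES = {
    "D1": {"src", "dst"}, "D2": {"src", "dst", "proto", "port"},
    "D3": {"src", "dst", "proto", "port"}, "D4": {"src", "dst"},
}
RULES = [
    {"id": "r1", "src": "S", "dst": "T", "action": "permit", "fields": ["src", "dst"]},
    {"id": "r2", "src": "S", "dst": "T", "action": "deny", "fields": ["src", "dst", "port"]},
    {"id": "r3", "src": "H", "dst": "T", "action": "deny", "fields": ["src", "dst"]},
]


def demo():
    return distribute(RULES, ADJ, CAPABILITIES)


if __name__ == "__main__":
    result = demo()
    print(result, rule_count(result), "rules vs",
          len(RULES) * len(CAPABILITIES), "when every device gets every rule")
```

With the constructed input, r1 lands on D1, D2 and D3, r2 only on D2 (D1 cannot filter on ports) and r3 only on D4, giving 5 configured rules instead of the 12 obtained by pushing every rule to every device; that reduction is the effect the simulation charts of page 40 measure at larger scale.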

Page 32: Centralised A.C. Management Architectures

[Figure: a security officer at a console holds the access control policy and a network model, and configures devices 1, 2 and 3 from it.]

• Filtering Postures, J. Guttman, IEEE S&P 97.

• Firmato toolkit, Bartal & al., IEEE S&P 99.

• Policy based management, S. Hinrichs, ACSAC 99.

• An Asynchronous Distributed Access Control Architecture For IP Over ATM Networks, Paul & al., ACSAC 99.

• Managing Security In Dynamic networks, Konstantinou & al., LISA 99.

Page 33: Acyclic Network model

[Figure: a source and a destination connected through four access control devices (A.C.) in an acyclic topology, with two rules to distribute: IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT, and IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY.]

Page 34: Acyclic Network Model

Distribution enforces the three criteria.

Topology changes force the security officer to reconfigure access control devices.

[Figure: the same source, destination and four access control devices.]

Page 35: Acyclic Model

The delay between topology changes and access control devices reconfiguration can introduce security holes.

[Figure: the same topology with one link marked X (failed), so that the path between the source and the destination changes.]

Page 36: Acyclic Model

[Figure: the same topology with two links marked X (failed); the path between the source and the destination changes again.]

The delay between topology changes and access control devices reconfiguration can introduce security holes.

Page 37: Distributed A.C. Management Architecture

[Figure: a security officer at a console holds the access control policy; devices 1, 2 and 3 are managed from it, without a network model at the console.]

• Management of network security application, Hyland & Sandhu, NISSC 98.

• Integrated management of network and host based security mechanisms, Falk & al., ACISP 98.

Page 38: Our proposal

• Management agents located on access control devices.

• The agents interact with the other elements.

• The agents generate efficient configurations using our three criteria.

[Figure: devices 1 to 4 each run a routing agent; access control management (A.C.M.) agents run beside them on the access control devices; device 5 hosts the A.C. manager.]

Page 39: Our Proposal

• Key features:

– Continuous interaction between the agent and its environment.

• Local access control policy automatic adaptation.

[Figure: on a device, the access control management agent sits between the routing agent (with its routing table) and the access control mechanisms.]

– Topology changes can be used when a new access control posture has been computed and implemented.

• Security holes can be avoided.

Page 40: Simulation Results

The usage of the three criteria leads to a number of rules equivalent to the one generated through a manual configuration.

[Chart: total number of rules in the network per criterion used (y axis from 0 to 80000), for no criteria, criterion 1, criterion 2, criteria 2 & 3 and all criteria (automatic distribution results), compared with hand configuration.]

The number of rules without optimisation grows polynomially with the number of access control devices, whereas the number of rules after optimisation grows linearly.

[Chart: number of rules versus number of nodes in the network (4, 13, 40, 121 nodes; log scale from 1 to 1,000,000): number of rules before optimisation, and after optimisation with C1, C2 and C3.]

Page 41: Conclusions: Distributed Access Control Management Architecture

• The security officer learns "a posteriori" what happened in the network.

• The whole access control policy has to be sent to the agents.

• Generates more efficient configurations through the use of an additional distribution criterion.

• Reduces the interactions between the security officer and the access control management architecture.

• Prevents temporary security holes.

Page 42: Agenda

• Introduction

• Access Control Parameters

• Access Control Architectures

• Access Control Management

• Conclusion

Page 43: Conclusion

• ATM access control parameters analysis

– Application protection profiles.

– Access control parameters have been classified.

• Two IP over ATM access control architectures

– Able to take new ATM access control parameters into account.

– New access control architecture / old classification algorithm.

– Traditional access control architecture / new classification algorithm.

– Implementation through IFT cards.

• Distributed automatic access control management architecture

– New distribution criterion.

– Distributed access control management architecture allowing security holes to be avoided.

– Implementation using the ns simulator.

Page 44: Future work

• New application level access control parameters.

• Improvements to our classification algorithm.

• New version of IFTs.

– Higher throughput (1 Gb/s).

– Wider analysis capability.

– New classification functions.

• Application in new areas (intrusion detection, application level access control).

• Adaptation to other security services.

• Taking mobility into account.

• Taking access control service integrity into account.

Page 45: Questions?