Deep Packet Inspection in Tomorrows Firewalls

About This Presentation

Title:

Description:

Number of Views:508

Avg rating:3.0/5.0

Slides: 15

Provided by: COR119

Category:

more less

Transcript and Presenter's Notes

Title: Deep Packet Inspection in Tomorrows Firewalls

1
Deep Packet Inspection in Tomorrows Firewalls

Supervisory Team Dr. Richard Binns
Dr. Graham Sexton
2
Introduction

Security was not a major concern when
communication protocols e.g. TCP/IP was
developed.
Lack of built-in security facilities
Plaintext payload (commonly exploited by worms
e.g. msblast)
No source authentication
Stateless forwarding
Current security techniques
edge-of-the-network
Cant fight against the distributed attacks
Firewalls
Restrict the network activities of the internal
users
Failed to protect against the more sophisticated
DDoS

3
Introduction

Rise in Web/Network attacks in recent years
Rise in the number of people using the internet
Marked rise in corporate businesses who have
opted for an online presence
Proliferation in the number of intelligent
viruses/worms and trojans attacking systems
Current security techniques
edge-of-the-network
Cant fight against the distributed attacks

4
Basic Definitions

The OSI, or Open System Interconnection, model
defines a networking framework for implementing
protocols in seven layers.
For the purposes of this presentation, we will be
concerned mainly with
The Application Layer
The Transport Layer
The Network Layer
These represent the layers at which Routers,
IPSs, IDSs, and ALGs(Application Level Gateways)
operate.
Intrusion Detection and Prevention Systems

5
The OSI Network Model
6
The OSI Network Model
7
Current Trends in Network Security

8
Problems of the existing Network Security Models

The internet or TCP/IP internetworking was built
upon inherently flawed foundational protocols
e.g. ARP
Built primarily for connectivity and so didnt
bear security in mind
Any client machine is innately able to do
anything on a network subject to the availability
of appropriate tools and adequate user knowledge.
Network security implementations have always been
centralized, host-based.
Lack of built-in security facilities
Plaintext payload (commonly exploited by worms
e.g. msblast)
No source authentication
Stateless forwarding

Single layer model

A practical model

11
A Novel Approach

This research will ultimately attempt at shifting
the focus of current network security models from
a host-based Intrusion detection/prevention
framework to a client-based implementation

12
How ?

Exhaustive protocol verification to determine
what is normal/abnormal in application layer
protocols
Formulate rule-sets forming the basis of device
drivers which will be built into client adapters
This has the advantage of
1. Distributing the processing workload and
taking the stress off Firewalls.
2. Making sure clients do only what they
are
permitted to do on a network hence
changing the problem

13
Test Rig

PC hardware based on the Linux/BSD Platform
(deploying the stable 2.4 series kernel)
Access to Low level kernel and network functions
via kernel mode device drivers
The core is written in C, affording extremely
fast packet capture and analysis using libpcap
(packet capture) libraries.
Freely available open source code will encourage
learning and development.(with due regard for the
Academic Alliance ?)

14
Invisible Bridging Firewall (Gentoo Linux based)

Works at layer 2 (Datalink Layer) of the OSI
model
Has no IP address and hence is effectively
invisible on a network!
Has been kernel patched to filter IP-based
network traffic via the Netfilter/Iptables
framework. It can hence control and regulate
network packets and traffic even whilst still
invisible
It can be literally deployed in any point on a
network without any configuration changes. Hence
its an inline device.
These characteristics make it ideal as a
testbench for packet analysis, injection etc.