CardGuard: - PowerPoint PPT Presentation

About This Presentation
Title:

CardGuard:

Description:

intrusion prevention is preferable over detection. active guarding ... distributed firewalling. signature detection is easier. at the network edge. can overwhelm CPU ... – PowerPoint PPT presentation

Number of Views:27
Avg rating:3.0/5.0
Slides: 18
Provided by: csVu
Category:

less

Transcript and Presenter's Notes

Title: CardGuard:


1
CardGuard Towards software-based signature
detection for intrusion prevention on the network
card Herbert Bos and Kaiming Huang presented by
Willem de Bruijn
2
IDS is insufficient
  • intrusion prevention is preferable over detection
  • active guarding
  • nullifies evasion insertion attemps
  • but, prevention problematic at traditional
    firewalls
  • performance issues
  • lack of knowledge
  • internal nodes expected safe
  • rigid, leading to circumvention

3
Move IPS to the edge
CardGuard implements
full payload scanning ,at line-rate
using a software based solution on the network
card
to create a (crude) cost-effective local IPS
4
IntroductionArchitectureImplementationResults
5
distributed firewalling
  • signature detection is easier
  • at the network edge
  • can overwhelm CPU
  • 69Mbps max on 1.8 Ghz P4
  • a solution is to offload to the NIC
  • unobtrusive difficult to subverge

6
Network Processors
  • Programmable NICs that combine
  • cheap software with fast hardware
  • they contain
  • stream processors
  • asynchronous memory
  • hardware assist (e.g., CAM)

7
Efficient Pattern Matching
  • snort ruleset
  • gt28.000 pattern-based rules
  • requires parallel processing

Aho Corasick pattern-matching algorithm single-pa
ss complexity independent of patterns
8
Aho Corasick Example
  • a deterministic finite automaton (DFA)
  • for the Slammer worm
  • identifies 5 different patterns

9
IntroductionArchitectureImplementationResults
10
IXP1200
  • PCI daughterboard
  • or stand-alone box
  • two 1Gbps ports
  • 6 stream µEngines
  • 4 HW threads/engine
  • 1 StrongARM CPU _at_ 200Mhz
  • IXP 2XXX

11
software mapping

12
Flow handling
  • TCP reconstruction light
  • basic flow-accounting
  • datastream sanitisation
  • Out-of-order handling
  • put on hold, or
  • two-pass scan

13
efficient memory use
memory access is the bottleneck
Registers, 512B, 1 cycle shared
Istore, 1KB, 1 cycle
Scratch, 16KB, 12..14 cycles
SRAM 8 MB , 16..20 cycles
SDRAM 256 MB , 30...40 cycles
14
IntroductionArchitectureImplementationResults
15
(No Transcript)
16
benchmarks
processing costs scale linearly with datarate,
not packetrate
Full TCP scan sustainable at 100Mbit
17
conclusions
  • intrusion prevention is feasible at the network
    edge
  • NP-based solutions are cheap and unobtrusive
  • caveat
  • CardGuard is only a crude prototype
  • lacks a sophisticated management plane
Write a Comment
User Comments (0)
About PowerShow.com