Title: CardGuard:
1 CardGuard: Towards software-based signature detection for intrusion prevention on the network card
Herbert Bos and Kaiming Huang, presented by Willem de Bruijn
2 IDS is insufficient
- intrusion prevention is preferable over detection
  - active guarding
  - nullifies evasion and insertion attempts
- but prevention is problematic at traditional firewalls
  - performance issues
  - lack of knowledge: internal nodes are expected to be safe
  - rigid, leading to circumvention
3 Move IPS to the edge
CardGuard implements full payload scanning, at line rate, using a software-based solution on the network card, to create a (crude) cost-effective local IPS.
4 Introduction | Architecture | Implementation | Results
5 distributed firewalling
- signature detection is easier at the network edge
- can overwhelm the CPU
  - 69 Mbps max on a 1.8 GHz P4
- a solution is to offload to the NIC
  - unobtrusive, difficult to subvert
6 Network Processors
- programmable NICs that combine cheap software with fast hardware
- they contain
  - stream processors
  - asynchronous memory
  - hardware assist (e.g., CAM)
7 Efficient Pattern Matching
- Snort ruleset
  - >28,000 pattern-based rules
  - requires parallel processing
- Aho-Corasick pattern-matching algorithm
  - single pass, complexity independent of the number of patterns
8 Aho-Corasick Example
- a deterministic finite automaton (DFA)
- for the Slammer worm
- identifies 5 different patterns
9 Introduction | Architecture | Implementation | Results
10 IXP1200
- PCI daughterboard or stand-alone box
- two 1 Gbps ports
- 6 stream µEngines, 4 HW threads per engine
- 1 StrongARM CPU at 200 MHz
- IXP 2XXX (successor family)
11 software mapping
12 Flow handling
- lightweight TCP reconstruction
  - basic flow accounting
  - datastream sanitisation
- out-of-order handling
  - put on hold, or
  - two-pass scan
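To make slides 7, 8 and 12 concrete, here is an added example (not CardGuard's own code, and not using real Snort signatures): a byte-level Aho-Corasick automaton whose scan state is carried from one in-order TCP payload segment to the next, so the stream is scanned in a single pass and a signature split across a segment boundary is still detected. The three signature strings are constructed placeholders; the example assumes segments have already been put in order, as the "put on hold" option on slide 12 does.

```python
class AhoCorasick:
    """Aho-Corasick DFA over bytes: one transition per input byte, so scan cost
    depends on payload length, not on how many patterns are loaded."""
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # goto[state][byte] -> next state (trie edges)
        self.fail = [0]    # fail[state] -> longest proper suffix that is a trie prefix
        self.out = [[]]    # out[state] -> indices of patterns ending in this state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(idx)
        # Breadth-first pass (the list grows while iterated): failure links, merged outputs.
        queue = list(self.goto[0].values())       # depth-1 states fail to root
        for r in queue:
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data, state=0):
        """Scan one payload segment; return (matches, state). Feed the returned
        state into the next segment so a signature straddling a boundary still hits."""
        matches = []
        for pos, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                matches.append((self.patterns[idx], pos))  # pos: end offset in segment
        return matches, state

SIGNATURES = [b"/bin/sh", b"cmd.exe", b"%u9090"]  # constructed placeholders, not Snort rules

def scan_flow(segments, patterns=SIGNATURES):
    """Scan an already-ordered list of TCP payload segments as one byte stream."""
    ac = AhoCorasick(patterns)
    state, hits = 0, []
    for seg in segments:
        found, state = ac.scan(seg, state)
        hits += [p for p, _ in found]
    return hits
```

Each byte costs one automaton step regardless of how many signatures are loaded, which is why the slide's cost scales with data rate rather than rule count.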
13 efficient memory use
memory access is the bottleneck
- Registers: 512 B, 1 cycle (shared)
- Istore: 1 KB, 1 cycle
- Scratch: 16 KB, 12..14 cycles
- SRAM: 8 MB, 16..20 cycles
- SDRAM: 256 MB, 30..40 cycles
14 Introduction | Architecture | Implementation | Results
16 benchmarks
- processing costs scale linearly with data rate, not packet rate
- full TCP scan sustainable at 100 Mbit/s
17 conclusions
- intrusion prevention is feasible at the network edge
- NP-based solutions are cheap and unobtrusive
- caveat
  - CardGuard is only a crude prototype
  - lacks a sophisticated management plane