Network Security

1
Network Security

• Dr. Subrata Goswami
• Aerogram Networks
• Fremont, CA

2
Overview

• History
• Current State
• Current Efforts

3
History

• For a long time network security implied
  cryptography to the RD community (50-90).
• Internet arrived with Web-browser and email and
  the venerated Firewall and Virus Scanner appeared
  ( circa 1995).
• The first Internet virus is Morris Worm in 1988.
• FW in late 80s (accredited to Steve Bellovin).
• Trusted Information Systems (TIS) Firewall
  Toolkit (FWTK) 10/1/1993.
• Checkpoint FW-1 in 1994.
• McAfee Pro-scan 1990.
• IPSec and SSL standardized (circa 1998).
• Then Spam Filters, IDS and IPS.
• AES standardized (2001), 3DES (1999), DES (1977).
• WiFi WEP debacle prompted 802.11i (circa 2004) .
• SHA-1 broken ? (2005).

4
The Current Issues

• Virus, Spam, Worms, DOS/DDOS although tamed still
  exists.
• Software vulnerabilities (bad/sloppy code).
• Spyware/Adware
• Peer-to-peer
• Federal and Sate regulations SOX, HIPPA, GLB, CA
  SB 1386, ITAR.
• Phising, Social Engineering.

5
Current Industry Efforts(Partial List)

• Network Access Control
• Content Scanning
• Traffic Profiling

6
Access Control - Cisco NAC
EAP Over RADIUS
AAA Server
Vendor Policy Server
EAP Over UDP/802.1x
AV Agent
HCAP
Cisco ACS

• Cisco Trust Agent
• Communicate
• EAP TLV
• Auth (PEAP)
• encryption

Network Access Device
Remediation
1. Triggers Intercept ACL on router, default ACL
determines initial network access 2. Router
triggers posture validation with CTA (EAPoUDP) 3.
CTA sends posture credentials to router
(EAPoUDP) 4. Router sends posture credentials to
AAA (RADIUS) 5. If necessary, AAA request posture
validation (HCAP - Host Credential Authorization
Protocol (HTTPSbased)) 6. AAA validates posture
(Healthy, Checkup, Quarantine, Remediate) 7. AAA
sends Access-Accept with ACLs/URL redirect as per
policy to router. 8. Host granted/denied/redirecte
d/restricted access.
7
Access Control - Cisco NAC

• Network Admission Control functionality enables
  Cisco routers to enforce access privileges when
  an endpoint (OS and AV patches) attempts to
  connect to a network.
• Proprietary architecture
• Proprietary Protocols PEAP and HCAP.
• Partners Symantec, McAfee, Trendmicro

8
Access Control - MAC-SEC

• To provide user data confidentiality, frame data
  integrity, and data origin authenticity.

HUB
CA Discovery Peer Authentication Key Mgmt
KaY
A
B
C
D
SecY
Protection
SCA
SCB
SCC
CAABC
SC Secure Channel CA Connectivity Assoc
9
Access Control - MAC-SEC
DST6
SRC6
SecureTAG8/16
DATA
ICV8-16
Ether Type2
TCI
AN
SL1
PacketNumber4
SCID8
SRC MAC Port gt 2 peers
SPI4
DATAn
SN4
PAD0-255
PL1
NH1
ICVn
IPSEC ESP
10
Access Control - MAC-SEC (TX)
11
Access Control - MAC-SEC (RX)
12
Content Scanning

• The problem is to find a hex sub-string in the
  continuous bytes of a flow.
• Substantial theoretical research Boyer-Moore,
  Aho-Corasick,
• CPU MIPS required.

13
String Matching Algorithm

• Knuth-Morris-Pratt
• Boyer-Moore uses huresritcs to speed up.
• O(k(mn))
• Commentz-Walter
• Wu-Manbar
• Aho-Corasick creats an NFA( then a DFA) out all
  the search patterns.
• O(n)
• State explosion

14
COTS IP Packet Processor Architecture (IXP 2400
circa 2003)

• 4 GE ports
• Throughput
• 4 Gbps for all frame sizes
• 12 mpps for 64 byte frames
• 0.4 mpps for 1518 byte frames
• Latency
• 100 throughput 45 usec for 1518 byte frames.
• 75 throughput 34 usec for 1518 byte frames.
• 50 throughput 26 usec for 1518 byte frames.
• 25 throughput 17.4 usec for 1518 byte frames.

15
IXP2400 Internal Architecture
1
3
4
2
16
String Matching - MIPS Issue

• DRAM packet buffer access speed d (19.2 gbps).
• Average packet size b (1000 bits)
• SRAM pattern access speed s (12.8 gbps).
• ME/CPU compares c ( 0.600 gips)
• Number of patterns p (1000 )
• Average pattern length l (100 bits)
• Times each pattern read /packet f1 (1 ,scratch
  memory)
• Theoretical pattern matching rate
• 1/( b/d f1lp/s blp/322c )
• 127Kpps
• 5860 pps (worst case), 28654 pps (with tree/DFA)

17
String Matching - MIPS Issue(Content Processors)

• 17 Gbps content search (Seaway Networks).
• Stream based vs. packet based.
• HW assists for content matching, modification,
  and replication.
• 4.0 Gbps (Cavium Networks)
• Multi-core architecture connected by SPI 4.2 (10
  Gbps).
• (Sensory Networks)
• Origin in gene sequence search.
• Matching against one pattern ? how long pattern ?
  What algorithm ?

18
String Matching Uses IDS(SNORT)
frag2
stream4
syslog
http_decode
sql
portscan
smb
SPADE
Preprocessor
Detection Engine
Log/Alert Engine
Ouput Engine
pcap
rules
Signature based Software
content
19
String Matching Uses 1(SNORT)

• Snort Open source software IDS
• Uses BM, AC, WM, Setwise BM
• User space substantial performance issue I
  believe the best performance has been about 80
  mbps on state of the art PC platforms.
• String matching used for flagging viruses, spy
  wares, application vulnerabilities through
  signatures.
• Also supports Regular Expressions performance
  is an issues.

20
String Matching Use Compliance(Reconnex)
21
String Matching Uses 2(Reconnex)

• Content Security for compliance and IP
  protection.
• Detects SSN, Credit Card Numbers etc.
• Uses proprietary methods to generate signatures
  from repositories.
• Signatures matched in as packets are streamed in.
• Packets are assembled into flows and stored in
  hard disks for audit purposes.
• PC platform , dual Pentium , 4 G RAM, 1.5TB HD.

22
Profiling

• Profiled Items
• Top Applications
• Top Sources Destinations
• Top Conversations
• Protocol Analysis
• TCP state reconstruction
• UDP/ICMP state reconstruction
• Application protocols FTP, Telnet, HTTP, Sun
  RPC, MSRPC, NFS, SMB/CIFS, P2P Kazza, etc.
• Tunneled IPIP, HTTP

23
Profiling - Issues

• Number of simultaneous flows (s)
• Memory issue typical per flow memory is 256
  bytes.
• Current products support 5 millions flows.
• Flow create rate ( c)
• A pathological case is SYN attack.
• Flow demise rate ( d)
• Graceful demise ( e.g. 4-way TCP FIN hand
  shake).
• Timeouts (e.g. SYN attack).
• Steady State
• c lt d
• average flow life lt s/d

24
Profiling - Issues

• Protocol state machine
• both sides - client/server, requestor/responder,
  initiator/responder.
• Time budget
• CPU/NP/CP clock cycle time, tc (1.0 nsec).
• Buffering memory available , M ( 1 GB ).
• System throughput, tt( 2 Gbps).
• Cycles per bit available, c.
• c M/(tc tt)( 4 sec/1e9) ! - Not allowed,
  tolerable latency is ltlt 150 ms. If 1.0 msec is
  allowed, then c is 1,000,000.

25
Profiling

• Cisco Netflow (IPFIX), PSAMP
• CAIDA
• Mazu Networks
• Imperva
• Allot
• Narus

26
Conclusion

• Network Security, Information Security, is a very
  vibrant area - many players selling many products
  and services ( eerily similar to 1999).
• Overheard information security is a eternal
  gold mine.