CardGuard: - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CardGuard: Towards software-based signature detection for intrusion prevention on the network card
Herbert Bos and Kaiming Huang
presented by Willem de Bruijn
September 7th, 2005, Seattle, WA, USA
2
ID (intrusion detection) is insufficient
  • intrusion prevention is preferable over detection
    • active guarding
    • nullifies evasion/insertion attempts
  • but prevention is problematic at traditional firewalls
    • performance issues
    • lack of knowledge: internal nodes are expected to be safe
    • rigid, leading to circumvention

3
Move IPS to the edge
CardGuard implements full payload scanning, at line rate, using a software-based solution on the network card, to create a (crude) cost-effective local IPS
4
Introduction / Architecture / Implementation / Results
5
distributed firewalling
  • signature detection is easier at the network edge
    • hosts, switches
  • can overwhelm the CPU
    • 69 Mbps max on a 1.8 GHz P4
  • a solution is to offload to the NIC
    • unobtrusive, difficult to subvert

6
Network Processors
  • programmable NICs that combine cheap software with fast hardware
  • they contain
    • stream processors
    • asynchronous memory
    • hardware assist (e.g., CAM)

7
Efficient Pattern Matching
  • snort ruleset
    • >28,000 pattern-based rules
    • requires parallel processing
  • Aho-Corasick pattern-matching algorithm
    • single pass; complexity independent of the number of patterns
8
Aho-Corasick Example
  • a deterministic finite automaton (DFA) for the Slammer worm
  • identifies 5 different patterns

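The automaton this slide sketches, as an added example rather than the authors' code: an Aho-Corasick DFA built from five constructed sample byte strings (stand-ins, not the real Slammer patterns), scanned as a stream so that a signature split across two packet payloads is still recognised, which is what the flow handling of slide 11 needs.

```python
from collections import deque

# Constructed sample signatures standing in for the five Slammer patterns the
# slide's DFA recognises; these are example byte strings, not real worm bytes.
SIGNATURES = [b"he", b"she", b"his", b"hers", b"ushers"]


def build_dfa(patterns):
    """Aho-Corasick trie plus failure links, compiled into a full 256-way goto
    table so every input byte costs one table lookup regardless of rule count."""
    goto, out = [{}], [set()]          # per node: byte -> next node, accepted pattern ids
    for pid, pat in enumerate(patterns):
        node = 0
        for b in pat:
            if b not in goto[node]:
                goto[node][b] = len(goto)
                goto.append({})
                out.append(set())
            node = goto[node][b]
        out[node].add(pid)
    fail, queue = [0] * len(goto), deque()
    for b in range(256):               # root: trie edges go down, every other byte loops back
        if b in goto[0]:
            queue.append(goto[0][b])
        else:
            goto[0][b] = 0
    while queue:                       # breadth-first, so goto[fail[node]] is already complete
        node = queue.popleft()
        out[node] |= out[fail[node]]   # a pattern that is a suffix of this node also matches here
        for b in range(256):
            if b in goto[node]:        # trie edge: the child fails to where the fail state goes on b
                child = goto[node][b]
                fail[child] = goto[fail[node]][b]
                queue.append(child)
            else:                      # no trie edge: borrow the fail state's transition outright
                goto[node][b] = goto[fail[node]][b]
    return [[g[b] for b in range(256)] for g in goto], out


def scan_stream(chunks, patterns=SIGNATURES):
    """Scan a reassembled TCP stream delivered as several packet payloads.
    The DFA state is carried across chunks, so a signature split over two
    segments is still found; returns (pattern id, end offset) hits in order."""
    table, out = build_dfa(patterns)
    state, offset, hits = 0, 0, []
    for chunk in chunks:
        for b in chunk:
            state = table[state][b]
            hits += [(pid, offset) for pid in sorted(out[state])]
            offset += 1
    return hits
```

Feeding the payloads `b"ush"` and `b"ers"` separately reports the same four hits as the unsplit stream, because the scanner never resets between segments.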
9
Introduction / Architecture / Implementation / Results
10
Intel IXP1200 Network Processor
  • PCI daughterboard or stand-alone box
  • two 1 Gbps ports
  • 6 stream µEngines
    • 4 HW threads/engine
  • 1 StrongARM CPU @ 200 MHz
  • old hardware
    • latest is the IXP2800: 16 µEngines @ 1.4 GHz

11
Flow handling
  • TCP reconstruction light
    • basic flow accounting
    • datastream sanitisation
  • out-of-order handling
    • put on hold, or
    • two-pass scan

12
software mapping

13
efficient memory use
Registers, 1 KB, 1 cycle, shared
Istore, 1 KB, 1 cycle
Scratch, 16 KB, 12..14 cycles
SRAM, 8 MB, 16..20 cycles
SDRAM, 256 MB, 30..40 cycles
14
Introduction / Architecture / Implementation / Results
15
(No Transcript)
16
benchmarks
processing costs scale linearly with data rate, not packet rate
full TCP scan sustainable at 100 Mbit/s
17
conclusions
  • intrusion prevention is feasible at the network edge
  • NP-based solutions are cheap and unobtrusive
  • caveat
    • CardGuard is only a crude prototype
    • lacks a sophisticated management plane