8/14/2019 Hardware Based Network IPS
1/26
Computer Networks and Internet Engineering C-DAC,2009 Computer Networks and Internet Engineering
Hardware based Network IPS
Computer Networks and Internet Engineering (CNIE) Division
C-DAC, Electronics City and C-DAC Mumbai
Background
Objective: To carry out research in intrusion prevention and content analysis in order to design and develop a high-performance hardware based network intrusion prevention system.
Duration: 18 months (from Feb. 2008)
Expected Outcome: Hardware based Network Intrusion Prevention System
Target Specifications
Functional:
- Signature Protections
- Server crack protection
- Reconnaissance Detection
- Stateful Inspection
- Traffic Anomaly Detection
- Flow Detection
- Access control
- In-line Operation mode
- Alerting
- Management
- Comprehensive Threat Protection
Performance:
- Maximum Throughput (1 Gbps)
- Latencies (< 250 microseconds)
- 10,00,000 (one million) Sessions
IPS Components (block diagram)
- Packet path: Packet Collector, Packet Decoder
- Traffic Analyzer: Scan Detection, Flow Detection, Flood Detection, Flow Collector, Traffic Profiler
- Detection engines: Packet & Context Based Detection and State Based Detection, with Rule Engine, Dynamic Loader (one per engine), Connection Management, Application Decoder and Signature Detection blocks
- IPS Management: Data Management, User I/f, IDMEF communication
- Data items labelled in the diagram: Packets (IP Queue), Decoded Packets, Flows, Events
Specifications and Corresponding Components (diagram)
- Components: Flow Based Detection, IPS Management, Packet & Context Based Detection, State Based Detection
- Specifications: Signature Protection, Server Crack Protection, Access Control, Reconnaissance Detection, Traffic Anomaly Detection, Flow Detection, Stateful Inspection, Alerting, Management
Current Status (diagram)
- Components shown: Flow Based Detection, IPS Management, Packet & Context Based Detection, State Based Detection
- Status labels on the diagram: "Implemented, tested, interacted with user" (two components); "Implemented, tested for HTTP"; "Implemented, tested"
Additional Functionalities
Certain specifications listed below, which are not part of the target specifications, were also considered during development:
1. Encrypted Traffic (SSL based attacks)
2. Compressed HTTP Traffic
3. Bandwidth analysis for security
Packet and Context based Signature Detection
- Packet and Context based signature detection engine completed
- Incorporated SNORT signatures (Jan 09 set)
- Carried out signature validation (by crafting attacks and confirming the criticality of signatures)
- Currently 296 IPS signatures (web & active-x (50%), smtp, ftp, rpc, scan)
- More SNORT IPS signatures to be validated and added
- System functional, testing on-going
State Based Design (diagram)
Connections C1, C2, ..., Cn, each identified by Conn (C): Src IP, Src Port, Dst IP, Dst Port, Protocol. Each connection moves through states S0, S1, S2, S3 according to application specific signatures (transitions labelled S, S,A and A in the figure).
Modules of State Based Detection
- Connection Management: maintaining the connection table
- Application State Analysis (HTTP, SMTP and DNS)
- Expansion of IPS Signatures with state knowledge
- Application protocol parsing (keyword extraction): implementation done for HTTP
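The slides describe the state based engine as a connection table keyed by the 5-tuple, an HTTP parser that extracts keywords, and signatures expanded with state knowledge. The following is an added illustration written for this page, not C-DAC's code: the state names S0..S3, the signature id, the traffic and the addresses are all constructed here. It shows the point of the design: the same byte pattern is evaluated only on the URI of a parsed client request in state S1, and is ignored when it appears in a server response or in non-HTTP data on the same port, which a stateless packet matcher would flag.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Connection key exactly as the slide lists it: src IP, src port, dst IP, dst port, protocol.
ConnKey = Tuple[str, int, str, int, str]

# Hypothetical names for the S0..S3 states drawn on the slide.
S0_NEW, S1_REQUEST, S2_RESPONSE, S3_CLOSED = "S0", "S1", "S2", "S3"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})")
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)

@dataclass
class Connection:
    state: str = S0_NEW
    keywords: Dict[str, bytes] = field(default_factory=dict)   # extracted HTTP keywords

@dataclass
class StateSignature:
    sid: int
    pattern: "re.Pattern[bytes]"
    keyword: str          # extracted keyword the pattern is applied to
    required_state: str   # connection state in which the rule is live
    direction: str        # "c2s" (client to server) or "s2c"
    msg: str

class StateBasedDetector:
    """Connection table, HTTP keyword extraction, and state-gated signature matching."""

    def __init__(self, signatures: List[StateSignature]):
        self.table: Dict[ConnKey, Connection] = {}
        self.signatures = signatures

    def _lookup(self, src, sport, dst, dport, proto):
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in self.table:
            return fwd, self.table[fwd], "c2s"
        if rev in self.table:
            return rev, self.table[rev], "s2c"
        # First packet of a new connection defines the client side.
        return fwd, self.table.setdefault(fwd, Connection()), "c2s"

    @staticmethod
    def _parse_http(conn: Connection, direction: str, payload: bytes) -> bool:
        """Application protocol parsing for HTTP; True when state or keywords changed."""
        if direction == "c2s":
            m = REQUEST_LINE.match(payload)
            if not m:
                return False
            conn.keywords.update(method=m.group(1), uri=m.group(2))
            h = HOST_HEADER.search(payload)
            if h:
                conn.keywords["host"] = h.group(1).strip()
            conn.state = S1_REQUEST
            return True
        m = STATUS_LINE.match(payload)
        if not m or conn.state != S1_REQUEST:   # a response only counts after a request
            return False
        conn.keywords["status"] = m.group(1)
        conn.state = S2_RESPONSE
        return True

    def process(self, src, sport, dst, dport, proto, payload: bytes, fin: bool = False):
        key, conn, direction = self._lookup(src, sport, dst, dport, proto)
        alerts: List[Tuple[int, ConnKey, str]] = []
        if self._parse_http(conn, direction, payload):
            for sig in self.signatures:
                if sig.direction != direction or sig.required_state != conn.state:
                    continue
                value = conn.keywords.get(sig.keyword)
                if value is not None and sig.pattern.search(value):
                    alerts.append((sig.sid, key, sig.msg))
        if fin:                       # S3: connection finished, drop it from the table
            conn.state = S3_CLOSED
            self.table.pop(key, None)
        return alerts

# Constructed signature (the sid is a placeholder, not a SNORT id): it fires only on the URI
# of a parsed client request, never on the same bytes in a server response or non-HTTP data.
SIGNATURES = [StateSignature(1000001, re.compile(rb"\.\./"), "uri", S1_REQUEST, "c2s",
                             "directory traversal pattern in HTTP request URI")]

def run_demo():
    det = StateBasedDetector(SIGNATURES)
    client = ("10.0.0.5", 40001, "10.0.0.80", 80, "tcp")   # constructed addresses
    server = ("10.0.0.80", 80, "10.0.0.5", 40001, "tcp")
    req = det.process(*client, b"GET /images/../../config.ini HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
    resp = det.process(*server, b"HTTP/1.1 404 Not Found\r\nContent-Length: 18\r\n\r\nno such ../ path\r\n")
    other = det.process("10.0.0.6", 40002, "10.0.0.80", 80, "tcp", b"../../ not an http request")
    det.process(*server, b"", fin=True)        # server closes; table keeps only the second flow
    return req, resp, other, len(det.table)

if __name__ == "__main__":
    print(run_demo())
```

Only a packet that actually advanced the parser (new request line or status line) triggers signature evaluation, so a rule does not re-fire on every continuation segment of the same request; the fin handling stands in for the S3 cleanup that keeps the connection table bounded under the stress tests mentioned later in the deck.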
Flow Analyzer (diagram slides)
Flow Analyser
Learning Phase
- Configurable (hours/days/weeks)
- Key parameters such as flow aggregation, single packet counts, average flow duration, average bytes per packet
Detection Phase
- Scan detection, flood detection, traffic anomalies
Flow Analyser
Capabilities
- TCP, UDP and ICMP scan detection
- Vertical, horizontal, sequential and random scans
- TCP scans: TCP connect() scan; TCP SYN (half-open) scan; stealthy scans such as inverse TCP flag scanning (FIN, NULL and Xmas tree scan); ACK flag probe scanning and Window scan; scanning using non-standard packet size (--data-length option in nmap)
- Flooding (TCP, UDP and ICMP)
Limitations
- Accuracy of slow scan detection is lower
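The two slides above describe a learning phase that profiles flow aggregation, single-packet counts, average flow duration and bytes per packet over a configurable period, and a detection phase that flags scans and floods against that profile. The block below is an added worked example written for this page, not the C-DAC flow analyser: the 60 second window, the "mean plus three standard deviations with a floor" thresholding rule, the flow records and all addresses are constructed assumptions. It learns from three windows of normal traffic, then detects a vertical scan (one source, one destination, many ports), a horizontal scan (one source, one port, many destinations) and a single-packet flood, and also shows the stated limitation: a slow scan that spreads its probes across many windows stays under the per-window fan-out threshold.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 60.0   # aggregation window in seconds (assumed)

@dataclass(frozen=True)
class Flow:
    start: float   # seconds (constructed clock)
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int
    duration: float

@dataclass
class Stat:
    mean: float
    stdev: float
    def threshold(self, k: float = 3.0, floor: float = 5) -> float:
        # Assumed rule: k standard deviations above the learned mean, never below `floor`.
        return max(self.mean + k * self.stdev, floor)

@dataclass
class Baseline:
    ports_per_pair: Stat       # distinct dst ports one source touches on one destination per window
    hosts_per_port: Stat       # distinct destinations one source touches on one dst port per window
    single_pkt_per_dst: Stat   # single-packet flows arriving at one destination per window
    avg_duration: float
    avg_bytes_per_packet: float

def _by_window(flows: List[Flow]) -> Dict[int, List[Flow]]:
    buckets: Dict[int, List[Flow]] = defaultdict(list)
    for f in flows:
        buckets[int(f.start // WINDOW)].append(f)
    return buckets

def _features(flows: List[Flow]):
    ports, hosts, single = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
        hosts[(f.src, f.dport)].add(f.dst)
        if f.packets == 1:
            single[f.dst] += 1
    return ports, hosts, single

def _stat(values) -> Stat:
    values = list(values) or [0]
    return Stat(statistics.fmean(values), statistics.pstdev(values))

def learn(flows: List[Flow]) -> Baseline:
    """Learning phase: profile each window of normal traffic and summarise the key parameters."""
    p, h, s = [], [], []
    for win in _by_window(flows).values():
        ports, hosts, single = _features(win)
        p += [len(v) for v in ports.values()]
        h += [len(v) for v in hosts.values()]
        s += list(single.values())
    return Baseline(_stat(p), _stat(h), _stat(s),
                    statistics.fmean(f.duration for f in flows),
                    sum(f.nbytes for f in flows) / sum(f.packets for f in flows))

def detect(flows: List[Flow], base: Baseline) -> List[Tuple[str, str, object, int]]:
    """Detection phase: per window, flag fan-out (scans) and single-packet bursts (floods)."""
    findings = []
    for _, win in sorted(_by_window(flows).items()):
        ports, hosts, single = _features(win)
        for (src, dst), pset in ports.items():
            if len(pset) > base.ports_per_pair.threshold():
                findings.append(("vertical_scan", src, dst, len(pset)))
        for (src, dport), hset in hosts.items():
            if len(hset) > base.hosts_per_port.threshold():
                findings.append(("horizontal_scan", src, dport, len(hset)))
        for dst, n in single.items():
            if n > base.single_pkt_per_dst.threshold(floor=50):
                findings.append(("flood", dst, None, n))
    return findings

def run_demo():
    S, S2, DNS, A, B = "10.0.0.80", "10.0.0.81", "10.0.0.53", "10.0.1.10", "10.0.1.11"  # constructed
    learning: List[Flow] = []
    for w in range(3):                          # three windows of normal traffic
        t = w * WINDOW
        learning += [Flow(t + 1, A, S, 80, "tcp", 5, 2100, 1.2), Flow(t + 2, A, S, 443, "tcp", 9, 6400, 2.5),
                     Flow(t + 3, B, S, 80, "tcp", 6, 2600, 1.4), Flow(t + 4, A, S2, 22, "tcp", 40, 9000, 30.0),
                     Flow(t + 5, A, DNS, 53, "udp", 1, 70, 0.0), Flow(t + 6, B, DNS, 53, "udp", 1, 64, 0.0)]
    base = learn(learning)
    live = list(learning)   # normal background traffic must produce no findings
    # vertical scan: one source, one destination, 40 ports, one packet each (one window)
    live += [Flow(1000 + i * 0.1, "10.0.0.99", S, p, "tcp", 1, 44, 0.0) for i, p in enumerate(range(1, 41))]
    # horizontal scan: one source, one port, 30 destinations (one window)
    live += [Flow(1100 + i * 0.1, "10.0.0.98", f"10.0.2.{i}", 445, "tcp", 1, 44, 0.0) for i in range(1, 31)]
    # flood: 200 single-packet flows from many sources to one destination (one window)
    live += [Flow(1200 + i * 0.01, f"192.0.2.{i % 254 + 1}", S, 80, "tcp", 1, 40, 0.0) for i in range(200)]
    # slow scan: four ports per window over ten windows never exceeds the fan-out threshold (the limitation)
    live += [Flow(1800 + w * WINDOW + p, "10.0.0.97", S, 1000 + 4 * w + p, "tcp", 1, 44, 0.0)
             for w in range(10) for p in range(4)]
    return base, detect(live, base)

if __name__ == "__main__":
    for finding in run_demo()[1]:
        print(finding)
```

The slow scanner (10.0.0.97) is missed because every feature is computed per window; carrying per-source state across windows, as the moving-average model on the next slide suggests, is what closes that gap, at the cost of more memory per tracked source.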
Flow Analyzer
- IPFIX based implementation can reduce latencies: 50 seconds (under testing)
- Continuous learning model using moving average (under testing)
- Deployed in different networks
Comprehensive Threat Protection
- Vulnerability profile creation
- Validation of intrusive events with respect to the vulnerability profile and generation of true IDS alerts
Hardware Approach
- Packet capture and decoding will be done in the NetFPGA board
- Host will carry out detection and prevention
Net-FPGA block diagram (Packet Collector and Packet Decoder are mapped onto the board)
Blocks shown: Multi giga-bit Rocket IO transceiver core (Serializer, Deserializer, Tx FIFO, Rx buffer, Control Logic); Block array for user defined logic; Switch routing matrix; Block Select RAM; Distributed RAM; Digital Clock Manager; Input/Output blocks with Double Data Rate registers; 18 x 18 bit multiplier block.
IPS Management
- Data management
- Communication interface, alerts and user interface
Work in progress:
- Signature update mechanism
- Enhancement of visualization and query optimization
Other Challenges
Handling SSL based encrypted traffic
- Issue: signatures cannot be matched against encrypted traffic
- Studied the approaches followed by Radware and McAfee
- We are exploring a proxy based approach for our IPS
Other Challenges
Handling compressed HTTP traffic
- Issue: signatures cannot be matched against compressed traffic
- Solution: identify compressed HTTP payloads and decompress them to carry out signature detection
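The solution stated above has two steps, identify the compressed payload and inflate it before the signature engine sees it. The block below is an added example for this page, not the project's decoder: it reads Content-Encoding from an HTTP response, inflates gzip or deflate (zlib-wrapped or raw) bodies under an output cap, and then runs a constructed content signature over the result. The signature, its id, the 64 KiB cap and the sample responses are all assumptions made here. It also covers the cases a decoder in an in-line device has to decide about: a body that claims compression but is not compressed, a stream cut short, and a body that keeps inflating past the cap.

```python
import gzip
import re
import zlib
from typing import List, Tuple

# Output cap for one HTTP body (assumed value); it keeps a decompression bomb from stalling the engine.
MAX_INFLATE = 1 << 16

CONTENT_ENCODING = re.compile(rb"\r\nContent-Encoding:[ \t]*([^\r\n]+)", re.IGNORECASE)

# Constructed content signature (sid, pattern, message); not one of the SNORT rules on the slides.
SIGNATURES = [
    (9000001, re.compile(rb"<script[^>]*>\s*eval\(unescape\("), "obfuscated script in HTTP body"),
]

def _inflate(body: bytes, wbits: int) -> Tuple[bytes, str]:
    d = zlib.decompressobj(wbits)
    out = d.decompress(body, MAX_INFLATE)
    if len(out) >= MAX_INFLATE and not d.eof:
        return out, "oversized"      # cap reached with the stream unfinished: bomb suspect
    if not d.eof:
        return out, "truncated"      # stream cut short: scan what inflated, but say so
    return out, "ok"

def decode_body(headers: bytes, body: bytes) -> Tuple[bytes, str]:
    """Return the body the signature engine should scan, plus how it was obtained."""
    m = CONTENT_ENCODING.search(headers)
    if not m:
        return body, "identity"
    enc = m.group(1).strip().lower()
    try:
        if enc == b"gzip":
            return _inflate(body, 16 + zlib.MAX_WBITS)
        if enc == b"deflate":
            try:
                return _inflate(body, zlib.MAX_WBITS)    # zlib-wrapped, as the RFC specifies
            except zlib.error:
                return _inflate(body, -zlib.MAX_WBITS)   # raw deflate, as some servers send
    except zlib.error:
        return body, "undecodable"   # header claims compression but the bytes are not: alert-worthy
    return body, "unsupported"

def inspect_response(raw: bytes) -> Tuple[str, List[int]]:
    """Split one HTTP response, decode its body, and return (decode status, matching sids)."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    text, status = decode_body(headers, body)
    return status, [sid for sid, pat, _ in SIGNATURES if pat.search(text)]

def _response(body: bytes, encoding: bytes = b"") -> bytes:
    """Build a constructed HTTP/1.1 response around `body`."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if encoding:
        head += b"Content-Encoding: " + encoding + b"\r\n"
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body

PAGE = b"<html><body><script>eval(unescape('%61%62'))</script></body></html>"  # constructed page

def run_demo():
    gz = gzip.compress(PAGE)
    return {
        "plain": inspect_response(_response(PAGE)),
        "gzip": inspect_response(_response(gz, b"gzip")),
        "gzip_unlabelled": inspect_response(_response(gz)),   # compressed bytes scanned raw: no match
        "deflate": inspect_response(_response(zlib.compress(PAGE), b"deflate")),
        "corrupt": inspect_response(_response(b"not really gzip", b"gzip")),
        "truncated": inspect_response(_response(gz[:len(gz) // 2], b"gzip")),
        "bomb": inspect_response(_response(gzip.compress(b"A" * (MAX_INFLATE * 4)), b"gzip")),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The "gzip_unlabelled" case is the problem the slide names: the same page that matches once inflated produces no match while compressed. The "undecodable" and "oversized" statuses are worth surfacing as their own events, since a mismatch between the declared encoding and the bytes is itself a sign that something is trying to slip past the inspection path.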
Test Cases
Packet & Context based Signature Detection
- 296 nemesis scripts used to generate attacks for the 296 signatures
State-based Signature Detection
- 15 traffic dumps of attacks against which HTTP based state detection is verified
- Tested with a traffic dump of compressed HTTP traffic
- Stress testing carried out on connection management
Test Cases
Flow based detection
- Test runs done using nmap, PortBunny and Angry IP Scanner for testing the various scan detections
- Test runs done using hping for testing flood detection
- Test cases for response time carried out (currently achieved 2 mts)
Testing Methodology
- Follow NSS guidelines for IPS evaluation
- Gigabit LAN testbed for performance evaluation
- Functionality testing along with user agencies based on intermediate milestones
- Third party testing
Acknowledgements
Project Review and Steering Group Members
Department of Information Technology, Ministry of Communications and Information Technology, Government of India, Delhi
Thank You