© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID. Behringer – Challenges in IDS
Slide 1: Security and Complexity in Networks
Michael Behringer <[email protected]>
Distinguished Engineer
ReSIST Summer School, 27 Sep 2007
Slide 2: RFC 1925: The Twelve Networking Truths
• “With sufficient thrust, pigs fly just fine.”
  “However, this is not necessarily a good idea.”
Slide 3: The Resilience-Complexity Trade-Off
[Figure: resilience plotted against complexity, with the annotation “where is this point?”]
Slide 4: General Networking Recommendations
• Keep it simple
• Single resilience generally sufficient
  Often too complex!
• Layering
  Do a job in *one* layer, and do it well
Example: Failover
[Figure: failover example topology: Customers – PoP/Aggregation – Network Core – Internet, and back to Customers]
Slide 5: IP over DWDM – Simplicity
• Increased performance
  4x increase in throughput for existing 10G DWDM systems
• Lower CapEx
  50% optics reduction
• Lower OpEx
  Fewer shelves (space, cooling, power, management), fewer interconnects
• Enhanced resiliency
  Fewer devices, fewer active components, fewer interconnects
[Figure: Before: Router + Transponder + ROADM. After: Transponder integrated into Router (DWDM I/F), so Router + ROADM]
Slide 6: 2010 – The SP Nightmare – IP Works
[Figure: Left: separate networks TV, PSTN, Internet and Mobile from Providers A, B, C and D, each reaching the Subscriber over its own access. Right: one Broadband Subscriber access carrying IPTV, VoIP, MP3, Internet, Gaming and VoD]
Dedicated access for each service vs. One access for all
Trust within service vs. Trust no one / everyone
Reliability per service vs. Overall reliability
Slide 7: Complexity in Security
Slide 8: Security: The Threats Have Evolved
[Chart: target and scope of damage (Individual Computer → Individual Networks → Multiple Networks → Regional Networks → Global Infrastructure Impact) over time (1980s, 1990s, Today, Future)]
1st Gen: Boot viruses
2nd Gen: Macro viruses, DoS, limited hacking
3rd Gen: Network DoS, blended threat (worm + virus + trojan), turbo worms, widespread system hacking
Next Gen: Infrastructure hacking, flash threats, massive worm driven DDoS, damaging payload viruses and worms
TIME FROM KNOWLEDGE OF VULNERABILITY TO RELEASE OF EXPLOIT IS SHRINKING: weeks → days → minutes → seconds
Slide 9: Example Intrusion Protection: The Problem Space
• Signature management
• Many different IDS approaches
• False positives
• Day-0 recognition
• Scale of alerts
• Complexity of decision
• Network scale
• Visibility (encryption, location, …)
• …
Problem dimensions: Manageability / Performance / Intelligence
Slide 10: The Goal
• Manageability
• Intelligence
• Performance
→ Automation
→ Correctness
→ Completeness
Slide 11: IDS: Approaches
• Signature based (define “bad”)
  Needs to know attack up front; hard to manage
• Behaviour based
  Complex to manage; up front config
  (+ quite precise, − complex, − slow)
• Honeypots
  Good for worms and scanning, not much else
• Statistical Analysis
  Only detects big changes
  (+ performant, − not precise enough)
Slide 12: Two Generic Approaches
1. Full packet / session inspection
   Precision!!!
   But: Mostly signature based, see next section
   But: Performance required, see later
2. Header inspection: Flow based, honeypot
   Statistics based → heuristics are simple
   Can catch day-zero, quite efficient
   But: Not precise enough!!!
Probably both required!
Slide 13: Manageability
Slide 14: Manageability Challenges: Overview
• Different device types
  Router, firewall, IDS, HIDS, DDoS protection, honeypot, …
  → Different IDS capabilities
  → Different management
  → Different signatures
  → Different event types
• Scaling issues:
  Updating N devices
  Receiving lots of events
  Correlation
[Figure: Internet – Firewall – IDS/IPS, Anti-DoS – Routers – IDS/IPS – Host IDS, plus Honeypots; labelled flows: config / signature updates, events]
Slide 15: Number of Events, Network Wide
Model   Performance (NetFlows/sec)   Performance (Events/sec)*
Cisco   300,000                      10,000
Cisco   150,000                      5,000
Cisco   75,000                       3,000
Cisco   30,000                       1,000
Cisco   15,000                       500
Cisco   7,500                        50
(Model names: marketing stuff, irrelevant here)
1000s of events per second
10,000s of flows per second
Slide 16: Intelligence
Slide 17: Process for Accurate Threat Mitigation: Rating Alarms for Threat Context
EVENT SEVERITY (How urgent is the threat?)
+ SIGNATURE FIDELITY (How prone to false positive?)
+ ATTACK RELEVANCY (Is attack relevant to host being attacked?)
+ ASSET VALUE OF TARGET (How critical is this destination host?)
= RISK RATING, drives mitigation policy
Decision Support Balances Attack Urgency with Business Risk
Your job to define. Network wide.
Slide 18: Process for Accurate Threat Mitigation: Integrated Event Correlation
[Chart: risk rating (LOW / MEDIUM / HIGH) against time (0–10); Events A, B, C and D plotted individually by risk rating; A + B + C + D = WORM! → drop Event D, worm stopped!]
• Links lower risk events into a high risk meta-event, triggering prevention actions
• Models attack behavior by correlating:
  Event type
  Time span
On-Box Correlation Allows Adaptation to New Threats in Real-Time without User Intervention
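Worked illustration of the two slides above (a risk rating built from the four factors, then time-span correlation of individually low-rated events into a WORM meta-event that drops the last one), as an added example rather than code from the slides; the weighting formula, the thresholds, the event-type vocabulary and the sample events are assumptions for illustration, not Cisco's IPS algorithm.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Event:
    t: float          # seconds since start of capture
    kind: str         # event type as named by the sensor (assumed vocabulary)
    severity: int     # 0..100: how urgent is the threat?
    fidelity: int     # 0..100: how unlikely is a false positive for this signature?
    relevancy: int    # 0..100: is the attack relevant to the attacked host?
    asset_value: int  # 0..100: how critical is the destination host?

def risk_rating(e: Event) -> int:
    # Assumed weighting: product of the four factors rescaled to 0..100, so an
    # irrelevant attack or a worthless target pulls the rating towards zero.
    return round(e.severity * e.fidelity * e.relevancy * e.asset_value / 100 ** 3)

def policy(rr: int) -> str:
    # Mitigation policy driven by the rating; thresholds are the operator's choice.
    return "DROP" if rr >= 90 else "ALERT" if rr >= 60 else "LOG"

WORM_PATTERN = ("scan", "exploit", "download", "propagate")  # assumed worm model
WINDOW = 10.0                                                 # correlation time span (s)

def in_order(kinds, pattern):
    # True if pattern occurs as an ordered subsequence of kinds.
    it = iter(kinds)
    return all(any(k == p for k in it) for p in pattern)

class Correlator:
    # On-box correlation: a sliding window of recent events; a matching sequence
    # becomes a high-risk meta-event even though each member alone only rated LOG.
    def __init__(self):
        self.window = deque()
    def observe(self, e: Event):
        self.window.append(e)
        while e.t - self.window[0].t > WINDOW:  # expire events outside the span
            self.window.popleft()
        rr = risk_rating(e)
        if in_order([x.kind for x in self.window], WORM_PATTERN):
            self.window.clear()                  # meta-event consumed
            return "WORM", max(rr, 95), "DROP"
        return e.kind, rr, policy(rr)

# Constructed sample: events A..D of the slide, each modest on its own.
SAMPLE = [Event(1, "scan", 30, 90, 100, 80), Event(3, "exploit", 60, 70, 100, 80),
          Event(5, "download", 50, 80, 100, 80), Event(7, "propagate", 70, 60, 100, 80)]

def run(events=SAMPLE):
    c = Correlator()
    return [c.observe(e) for e in events]
```

Each of A, B and C only rates LOG on its own; only when D completes the sequence inside the window does the correlator escalate to WORM and DROP, and the same D arriving 20 seconds later is just another LOG.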
Slide 19: Example for Increasing Complexity: Obfuscation
IDS looking for “..\” to detect attacks like:
  ...\WINNT\SYSTEM32\CMD.EXE
IDS needs to look for “\”:
• \ or /
• %5c (%5C is the hex code for \)
• %255c (%25 is the hex code for %)
• %%35%35c (%35 is the hex code for 5)
• %%35%35%63 (%63 is the hex code for c)
• %c0%af (using Unicode)
• …
Double decode!
IDS must parse! → Complex!
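The double-decode problem above, worked as an added detection example (not code from the original slides): each request path is percent-decoded one pass at a time, the separator spellings from the slide are folded onto “/”, and the detector reports how many passes it took before “../” surfaced. The sample request paths are constructed from the slide's spellings (with “%%35c” for the nested-digit case); the overlong UTF-8 sequence %c0%af is handled both while still encoded and after a pass has turned it into the raw bytes C0 AF.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode_once(s: str) -> str:
    # One decoding pass: every %XX becomes the character XX; a lone '%' is left
    # alone, which is exactly what lets "%%35c" turn into "%5c" on the next pass.
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), s)

def canonical(s: str) -> str:
    # Fold the separator spellings from the slide onto '/': backslash, and the
    # overlong UTF-8 form %c0%af (bytes C0 AF, which decode to '/'), whether it
    # is still percent-encoded or has already been decoded to raw bytes.
    s = re.sub(r"%c0%af", "/", s, flags=re.I)
    return s.replace("\xc0\xaf", "/").replace("\\", "/")

def detect_traversal(raw: str, max_passes: int = 3):
    """Return (hit, normalised_path, passes): passes = decode passes needed before
    '../' surfaced, or None if it never did within max_passes."""
    s = raw
    for n in range(max_passes + 1):
        if "../" in canonical(s):
            return True, canonical(s), n
        nxt = percent_decode_once(s)
        if nxt == s:        # nothing left to decode; stop early
            break
        s = nxt
    return False, canonical(s), None

# Constructed request paths: the slide's spellings of "..\" plus benign controls.
SAMPLES = {
    "..\\WINNT\\SYSTEM32\\CMD.EXE": True,     # plain backslash
    "..%5cWINNT": True,                      # %5c
    "..%255cWINNT": True,                    # %25 -> %, needs a second pass
    "..%%35cWINNT": True,                    # %35 -> 5, then %5c -> backslash
    "..%c0%afWINNT": True,                   # overlong UTF-8 slash
    "..%25c0%25afWINNT": True,               # overlong form hidden behind %25
    "%2e%2e/WINNT": True,                    # dots encoded instead of the slash
    "/images/%20logo.png": False,            # benign: a space, no traversal
    "/api/v1/users%3Fid%3D7": False,         # benign: encoded query characters
}

def scan(samples=SAMPLES):
    return {path: detect_traversal(path) for path in samples}
```

The pass count is the complexity the slide warns about: with max_passes=1 the %255c spelling is missed entirely, so a sensor has to choose, and document, how deep it decodes.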
Slide 20: Performance
Slide 21: Performance: Goal
• Inspect:
  Each packet header
  Each packet payload
  At full line rate
• Checks:
  against 1000s signatures
  do virtual reassembly
  be stateful (track connections)
  application awareness
BUT:
[Chart: development of network speed versus development of complexity]
… so: “just build faster chips!”
Slide 22: Silicon Industry Challenge
[Chart, log scale 1–10000 over 1993–2005: Moore’s law x2/18m; DRAM access rate x1.1/18m; Silicon speed x1.5/18m]
Slide 23: Silicon Industry Challenge
[Same chart, log scale 1–10000 over 1993–2005, with a fourth curve: Moore’s law x2/18m; DRAM access rate x1.1/18m; Silicon speed x1.5/18m; Router capacity x2.9/18m]
Slide 24: Silicon Density – Touching the Limits
[Image: Intel Pentium 4 wafer]
Slide 25: Silicon Density and Moore’s Law
[Diagram: basic CMOS inverter]
“Feature size”: this dimension is what Moore’s Law is all about!
Gate oxide layer: for a 90nm process, this is approx 1.2nm = 5 atoms!
Slide 26: ASIC Feature Size Evolution
Feature size (drawn) (µm) | Usable gates (M) | Power (nW/MHz/gate) | Core voltage | Metal layers | DRAM density (Mbit/mm2) | Gate delay (ps) | Qual. year
0.25                      | 10               | 50                  | 2.5/1.8V     | 5/Al         | -                       | ?               | 1999
0.18 (0.15)               | 24               | 20                  | 1.8V         | 6/Cu         | 0.81                    | 23              | 2000
0.13 (0.10)               | 40               | 9                   | 1.2V/1.5V    | 7/Cu         | 1.5                     | 20/15           | 2002
0.09 (0.07)               | 72               | 6                   | 1.0V/1.2V    | 8/Cu         | 2.9                     | 11/7            | 2004
0.065                     | 120              | 4.5/5.0             | 1.0V/1.2V    | 9/Cu         | ?                       | 6/8             | 2005
Source: IBM SA-12E, SA-27E, Cu-11, Cu-08, Cu-65
Slide 27: Biggest Scaling Issue: Power!
Device                                                  Power
Pentium IV (3.2GHz, 0.09um)                             103W
Pentium “Extreme Edition 840” (3.2GHz, HyperThreading)  180W
Pentium III (1.33GHz, 0.13um)                           34W
Pentium II (400MHz)                                     28W
Pentium                                                 10W
‘486                                                    < 5W
Source: Intel datasheets
The constraints of ‘standard’ cooling and packaging of networking systems are very significant…
Slide 28: Power is Becoming an Issue
“Indeed, the goal is to purchase CPU generations that offer the best performance per unit of power, not absolute performance. Estimates of the power required for over 450,000 servers range upwards of 20 megawatts, which could cost on the order of US$2 million per month in electricity charges.” (source: http://en.wikipedia.org/wiki/Google_platform)
Slide 29: CRS-1 System Mechanical: Line Card Chassis Overview—Full Rack Unit
• Slots (midplane design):
  Front: 16 PLIM slots; 2 RP slots + 2 Fan Controllers
  Back: 16 LC slots; 8 Fabric cards
• Dimensions: 23.6” W x 41*” D x 84” H (60 W x 104.2 D x 213.36 H (cm))
• Power: ~12 KW (AC or DC)
• Weight: ~707 kg
• Heat Dis.: 33000 BTUs (AC)
*For standalone chassis, depth = 35” (no fabric chassis cable management)
Slide 30: But: Efficiency is Still Increasing!!
Resources for a 1 Terabit Router (chart, log scale 1–10000):
Router   Floor space (sq.ft)   Heat dissipation (KW)
7513     500.4                 1668
12012    134                   268
12016    44.2                  52
HFR      24                    12
Hardware design is still improving!!
Slide 31: Scaling Performance
• Not just “faster, faster, faster”
• Need new approaches for h/w and s/w
• Distribute processing:
  Host – switch – edge router – core router
  Each device what it knows best
• But: Challenge in Management!
Slide 32: The Way Forward
Slide 33: So, Host Based Security is “the” Solution, right?
• Performance distributed
• Encryption not an issue
• Stateful
• Application awareness
Sounds ideal, doesn’t it?!?
BUT: Can you trust the host?
- may be subverted
- User might switch host security off / bypass it
- Service Provider Case: no control over host!
Slide 34: Ways Forward
• Distribute processing
  Host, router, access switch, honeypot, …
• More “intelligence”
  Innovative, simple approaches
• Evolve management
  Distributed, “intelligent”
• Combine approaches
  Signature based, flow based, behaviour based, …
… more research needed!
Slide 35: Resilience and Security
• Too much resilience is counter-productive
  Increased complexity actually lowers effective resilience
• Lesson learned: Focus on a single method
  Do that one well
• Do not forget operations
  Operators must understand their network
→ Keep it simple
Slide 36: Summary
• Today:
  Need expert to operate network security!
  Significant effort (opex) required
• Work needed to:
  Make network wide security manageable
  Increase intelligence → low false positive, negative
• Tomorrow:
  Self-updating
  Self-correlating
  Self-defending
• Keep it simple, also for resilience