A Full Bandwidth ATM Firewall Olivier Paul, Maryline Laurent, Sylvain Gombault ENST de Bretagne in collaboration with France Telecom R&D DRET.

Presentation transcript:

Introduction
- ATM (Asynchronous Transfer Mode):
  - Specified to transport various kinds of flows.
  - Allows applications to request Quality of Service.
  - Connection oriented.
  - Data transported in small packets (cells).
  - High speed (155 Mb/s to 2.4 Gb/s).
  - Usage:
    - Directly: some native ATM applications (ANS, VoD).
    - Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS), the most common use.

Which problems?
[Diagram: Firewall placed between the Public Network and the Private Network]
- Protect the private network from the outside.
- Control the actions of private network users.
- Protect the public network from customers.

Access Control Process
[Diagram: Firewall pipeline: Reassembly, Classification, Buffer, Fragmentation]
- Inputs of the classification: the classification policy and the content of the packet.
- Output: an ACTION.

Access Control Process
- The classification process usually requires a lot of processing power.
  - Poor performance.

Access Control Process
- The classification process is not aware of QoS requirements.
  - QoS may not be respected.

Access Control Process
- The whole architecture has to be able to deal with high throughputs.
  - The PC architecture is currently not well suited for this task.

CARAT - Goals
- Security level similar to a stateless packet filter.
- Improved access control on ATM signalling.
- High speed.
  - Worst-case throughput = 620 Mb/s.
- QoS preservation.
  - Delay has to be small and bounded.
- Easy to manage.

Architecture
- Located between the public and private networks.
- Made of three modules:
  - Manager.
  - Signalling Filter.
  - Cell-Level Filter.
- Integrates with an existing switch.
  - Signalling flows are directed to the signalling filter.
  - User flows are directed to the cell-level filter.

Access Control Policy Description
Example: authorize the workstation with the address to use external WWW servers:
1: IF (IP SRC ADDRESS = ) AND (IP DST ADDRESS > ) AND (TCP SRC PORT > 1023) AND (TCP DST PORT = 80) THEN PERMIT.
2: IF (IP SRC ADDRESS > ) AND (IP DST ADDRESS = ) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) AND (TCP FLAG = SYN) THEN DENY.
3: IF (IP SRC ADDRESS > ) AND (IP DST ADDRESS = ) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) THEN PERMIT.
- ATM-level access control policy.
- TCP/IP-level access control policy.

Splitting the Access Control Policy
[Diagram: the Security Officer's A.C. Policy is handed to the Manager, which splits it into the Sig. A.C. Policy for the Signalling Filter and the TCP/IP static policy for the Cell-Level Filter]

The Signalling Filter
- GOAL: improve the access control parameters available on signalling.
  - Addressing information.
  - QoS descriptors.
  - Service descriptors.
- Based on a SUN ATM signalling protocol stack.
- Modifications to the protocol stack.
- Filter (UNI 3.1 IE filtering capability).

Cell-level filter
- IFT (Internet Fast Translator) NICs:
  - Designed and manufactured by France Telecom R&D.
  - Mono-directional.
  - Made of two parts:
    - OC-12 (620 Mb/s) physical connector.
    - Filtering Process.
  - On-the-fly configuration modification.
- IFT driver.
- RPC daemon.
  - Remote configuration.
[Diagram: Solaris PC hosting the IFT driver and the RPC daemon, with IFT cards each made of an OC-12 physical connector and a Filtering Process]

Filtering Process
- Cell Extraction Process
  - Extracts the 1st cell of the AAL5 frames.
  - Propagates the A.C. decision to the relevant ATM cells.
[Diagram: AAL5 frames → 1st Cell Extraction Process → 1st cell → Analysis Automaton, driven by the Trie Memory (Static Part, Dynamic Part) → Interface to IFT driver]

What's inside the 1st cell?
[Diagram: the protocol stack TCP/UDP/ICMP over IP over SNAP/LLC over AAL5 over ATM mapped onto the 53-byte 1st cell; a second layout with an IP header with options, or IPv6, shows the TCP/UDP/ICMP header pushed beyond the first cell]

1st ATM Cell
[Figure: layout of the 1st ATM cell]

Protocols used over ATM
[Diagram: TCP/UDP/ICMP over IP, carried over AAL5 either with NULL encapsulation or with SNAP/LLC, and via SNAP/LLC with LANE or MPOA; native ATM applications and services sit directly on ATM]
- Where can we find the useful information in ATM cells?
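As an added illustration (not code from the CARAT prototype), the following Python reads the fields the cell-level filter needs from a single 53-byte cell and applies the three-rule WWW policy from the policy description slide. The LLC/SNAP layout, the constructed addresses 192.0.2.10 (workstation) and 198.51.100.5 (web server), the reading of "IP ADDRESS > ..." as "any address other than the workstation" and of "TCP FLAG = SYN" as "SYN without ACK" are assumptions, since the slide elides the real addresses.

```python
import struct
import ipaddress
# Added example, not CARAT code: read the 1st cell of an AAL5 frame carrying
# LLC/SNAP-encapsulated IPv4/TCP and apply the slide's three-rule policy to it.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa03" "000000" "0800")   # 8-byte LLC/SNAP header for IPv4

def parse_first_cell(cell):
    """Fields a cell-level filter can read from one 53-byte cell (5 header + 48 payload)."""
    if len(cell) != 53:
        raise ValueError("an ATM cell is exactly 53 bytes")
    hdr = int.from_bytes(cell[:4], "big")              # GFC(4) VPI(8) VCI(16) PT(3) CLP(1)
    f = {"vpi": (hdr >> 20) & 0xFF, "vci": (hdr >> 4) & 0xFFFF, "complete": False}
    payload = cell[5:]                                 # byte 4 is the HEC
    if payload[:8] != LLC_SNAP_IPV4:
        return f                                       # NULL encaps, LANE, MPOA, native ATM...
    ip = payload[8:]
    ihl = (ip[0] & 0x0F) * 4
    f.update(src=str(ipaddress.IPv4Address(ip[12:16])), dst=str(ipaddress.IPv4Address(ip[16:20])))
    # 8 + 20 + 20 = 48: the TCP header fits in cell 1 only if IPv4 carries no options.
    if ip[0] >> 4 != 4 or ihl != 20 or ip[9] != 6:
        return f                                       # options, IPv6 or non-TCP: incomplete
    sport, dport = struct.unpack("!HH", ip[20:24])
    flags = ip[33]                                     # TCP flags byte: SYN=0x02, ACK=0x10
    f.update(complete=True, sport=sport, dport=dport, syn=(flags & 0x12) == 0x02)
    return f

# Constructed addresses: 192.0.2.10 is the inside workstation; "IP ADDRESS > ..."
# on the slide is read here as "any address other than the workstation".
WS = "192.0.2.10"
POLICY = [  # evaluated in order, first match wins, like the numbered rules on the slide
    (lambda f: f["src"] == WS and f["dst"] != WS and f["sport"] > 1023 and f["dport"] == 80, "PERMIT"),
    (lambda f: f["src"] != WS and f["dst"] == WS and f["sport"] == 80 and f["dport"] > 1023 and f["syn"], "DENY"),
    (lambda f: f["src"] != WS and f["dst"] == WS and f["sport"] == 80 and f["dport"] > 1023, "PERMIT"),
]

def classify(cell):
    f = parse_first_cell(cell)
    if not f["complete"]:
        return "UNCLASSIFIABLE"   # the IP options / IPv6 problem named in the conclusion
    for match, action in POLICY:
        if match(f):
            return action
    return "DENY"                 # nothing matched: default deny

def make_cell(vpi, vci, src, dst, sport, dport, flags, ihl=5):
    atm = ((vpi << 20) | (vci << 4)).to_bytes(4, "big") + b"\x00"   # constructed sample, HEC left zero
    ip = struct.pack("!BBHHHBBH", 0x40 | ihl, 0, 40, 0, 0, 64, 6, 0)
    ip += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes(4 * (ihl - 5))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return atm + (LLC_SNAP_IPV4 + ip + tcp)[:48].ljust(48, b"\x00")
```

With `ihl=6` the constructed cell carries one IP option word, the TCP header no longer fits in the 48-byte payload, and `classify` reports the cell as unclassifiable from its first cell alone.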

Linking ATM Connections to TCP/IP Access Control Policy
Connection Establishment
[Diagram: Security Officer → A.C. Policy → Manager; the Manager holds the Sig. A.C. Policy for the Signalling Filter and the TCP/IP static policy for the Cell-Level Filter; on a new connection the Signalling Filter reports (encaps, vpi, vci) to the Manager, which adds (encaps, vpi, vci) to the Dynamic Part of the A.C. Policy in the Cell-Level Filter]

Linking ATM Connections to TCP/IP Access Control Policy
Connection Shutdown
[Diagram: Signalling Filter → Manager: connection shutdown (vpi, vci); Manager → Cell-Level Filter: clearing (vpi, vci)]

Filtering Process
- Cell Extraction Process
  - Extracts the 1st cell of the AAL5 frames.
  - Propagates the A.C. decision to the relevant ATM cells.
- Analysis Automaton
  - Driven by the Trie Memory content.
- Trie Memory: 2 parts:
  - Dynamic, small: VPI/VCI, Encaps.
  - Static, big: all other fields.
  - Memory size: 4 Mbytes.
- Interface to IFT driver.
[Diagram: AAL5 frames → 1st Cell Extraction Process → 1st cell → Analysis Automaton (driven by the Trie Memory: Static Part, Dynamic Part) → A.C. decision → Interface to IFT driver]

Classification Algorithm
- Classification algorithm = content of the Trie Memory.
Existing deterministic classification algorithms:
- Algorithms for static policies
  - Fast.
  - Take advantage of redundancies in access control policies.
  - Unbounded temporal and spatial complexities.
  - Generation and update of the classification structure are slow.
- Algorithms for dynamic policies
  - Comparatively slow.
  - Bounded temporal and spatial complexities.
  - Bounded complexities for generation and update of the classification structure.
- Has to run on the Trie Memory.

Trie Memory Configuration
- Static part
  - The complexities of the classification algorithm correspond to the height and size of the classification structure stored in the trie memory.
- We have developed algorithms that are able to build a classification structure with:
  - Temporal complexity: O(d). Good: independent of the number of rules.
  - Max. spatial complexity: O((2n+1)^d). Unusable for d = 4 and n = 50.
  - d: number of fields to analyse, n: number of rules in the policy.
- HOWEVER! In practice we succeed in implementing large policies by taking advantage of:
  - The redundancy in the expression of A.C. policies.
  - The ability of the Trie Memory to use this redundancy to minimise the memory needed to store the policy.
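An added example, not the CARAT algorithm or its trie-memory format, showing the structure behind the complexities on this slide: one trie level per field, each level cut into at most 2n+1 elementary intervals, a lookup of exactly d steps, up to (2n+1)^d internal nodes when nothing is shared, and the reduction obtained when identical subtrees (the policy's redundancy) are stored once. The three rules and the field domains are constructed.

```python
import bisect
# Added example, not the CARAT algorithm itself: a d-level classification trie.
# Level k maps field k onto its elementary intervals, so a lookup is exactly d
# steps, while an unshared structure can reach (2n+1)^d nodes for n rules.
DENY = "DENY"

def elementary_intervals(rules, k, dom_max):
    """Cut field k at every rule boundary: n rules give <= 2n cuts, so <= 2n+1 intervals."""
    cuts = {0, dom_max + 1}
    for ranges, _ in rules:
        lo, hi = ranges[k]
        cuts.update((lo, hi + 1))
    cuts = sorted(cuts)
    return [(cuts[i], cuts[i + 1] - 1) for i in range(len(cuts) - 1)]

def build_trie(rules, domains, share=True):
    """rules: [(ranges, action)] in priority order; domains: max value of each field.
    Returns (root, internal node count). share=True stores identical subtrees once."""
    nodes = {}

    def node(depth, idx):
        if depth == len(domains):                       # leaf: first matching rule wins
            return rules[idx[0]][1] if idx else DENY
        key = (depth, idx) if share else (depth, idx, len(nodes))
        if key not in nodes:                            # identical subtree = policy redundancy
            rng = lambda i: rules[i][0][depth]          # rule i's range on this field
            children = []
            for lo, hi in elementary_intervals(rules, depth, domains[depth]):
                keep = tuple(i for i in idx if rng(i)[0] <= lo and hi <= rng(i)[1])
                children.append((lo, hi, node(depth + 1, keep)))
            nodes[key] = (depth, children)
        return nodes[key]

    return node(0, tuple(range(len(rules)))), len(nodes)

def lookup(root, values):
    """Walk one level per field: d interval searches, independent of n."""
    cur = root
    while not isinstance(cur, str):
        depth, children = cur
        i = bisect.bisect_right([lo for lo, _, _ in children], values[depth]) - 1
        cur = children[i][2]
    return cur

# Constructed policy in the spirit of the slide: fields are (inside host id, TCP
# src port, TCP dst port); host 10 is the workstation allowed to browse the WWW.
DOMAINS = (255, 65535, 65535)
RULES = [(((10, 10), (1024, 65535), (80, 80)), "PERMIT"),
         (((0, 255), (0, 65535), (0, 1023)), "DENY"),
         (((0, 255), (80, 80), (1024, 65535)), "PERMIT")]
```

For these three rules the unshared trie has 16 internal nodes (1 + 3 + 3 × 4) while the shared one has 6, yet both answer every lookup in three steps.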

Trie Memory Configuration
- Practical examples: analysis of 9 fields, using a 15 ns analysis cycle.
- Standing the load?
  - Min. classification capability × cell size: 1.31 Mcells/s × 53 × 8 bits = 555 Mb/s.
  - Max. throughput to classify: OC-12 physical throughput minus physical layer overhead = 620 × 26/27 = 599 Mb/s.
  - 555 Mb/s < 599 Mb/s, so cells arriving faster than they are classified are buffered: buffering (8192 bytes) gives a max. delay of 120 µs.

Conclusion
- Security
  - Similar to a stateless packet filter.
- Good performance
  - High speed (577 Mb/s) and small delay (< 120 µs).
  - Throughput and delay don't depend on the policy or on packet sizes.
- Improved ATM signalling access control.
  - Almost all the information provided by signalling IEs can be used.
- Easy to manage
  - Single access control policy definition language.
- However, some problems remain to be solved:
  - IP options and IPv6.

Future
- Possible evolutions for our prototype
  - Tests in real networks.
  - Translators for popular router filtering languages.
  - Classification algorithm improvements.
- Possible evolutions for the IFTs
  - IP version (without ATM support).
  - New physical connector (1 Gb/s).
  - In-depth analysis (255 bytes).
  - New tools to improve classification algorithms.
- QUESTION: Can we still take advantage of rule redundancy with application-level policies?