Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009.

WISDOM WP3: New security algorithm design
Objectives
– Identify critical security application components which can be efficiently implemented in the optical domain
– Characterise constraints on algorithmic components and develop novel techniques for simplified pattern matching
– Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and the low-level optical implementation
Tasks – Deliverables
– WP3.1: Security Applications Partitioning (M12)
– WP3.2: Identification of Simplified Security Algorithm Components (M24)
– WP3.3: Definition of a Security Application Programming Interface: SAPI (M30)

WP3.1 Security Applications Partitioning
Identify efficient operations in the optical domain by considering:
– basic firewall functionality: prevents communication for specific servers and services
– basic IDS/IPS functionality: signature-based and anomaly-based detection
– packet structure and decoding: header (fixed length), payload (variable length)
– optical hardware: optical data format, optical bit filtering, optical pattern matching, buffer (delays)

WP3.1 Security Applications Partitioning
Critical security operations in the optical domain
Basic firewall functionality: inspect packet headers
– Less than 10% of rules, more than 90% of alerts
Look at a specific packet header field
– Block or filter traffic for specific protocols, ports, etc: optical filtering, optical pattern matching, optical routing
– Block or filter traffic for specific IP addresses: optically possible but not efficient
Combined inspection of several header fields
– Specific IP protocols and ports
– From specific IP addresses to specific ports
– Optically possible, but a combination of optical and electronic processing is more efficient

WP3.1 Security Applications Partitioning
Firewall rule example (rule: inspected header field)
– Deny all incoming traffic with IP matching internal IP: source IP address
– Deny incoming from black-listed IP addresses: source IP address
– Deny all incoming ICMP traffic: IP protocol
– Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing): destination port
– Deny incoming/outgoing TCP 6666/6667 (IRC): destination port
– Allow incoming TCP 80, 443 (http, https) to internal web server: destination port, destination IP address
– Deny incoming TCP 25 to SMTP server from external IP addresses: destination port, destination/source IP address
– Allow UDP 53 to internal DNS server: destination port, destination IP address
Typical port assignments for some other services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
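The rule table above only ever looks at fixed-position header fields, which is what makes it a candidate for optical implementation. The following Python model, added here as an illustration and not taken from the WISDOM project or the slides, evaluates that rule list in slide order with first match wins over constructed sample headers. The internal network, server addresses, blacklist entry, the direction flag and the default verdict for unmatched headers are assumptions chosen for the example.

```python
"""Header-only firewall rule evaluation, modelled on the rule table above.

Added example (not from the WISDOM project or the slides). The internal
network, server addresses, blacklist, rule order and the default verdict
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers

# Assumed site layout (constructed documentation-range addresses).
INTERNAL_NET = ip_network("192.0.2.0/24")
WEB_SERVER = ip_address("192.0.2.10")
SMTP_SERVER = ip_address("192.0.2.25")
DNS_SERVER = ip_address("192.0.2.53")
BLACKLIST = {ip_address("198.51.100.7")}


@dataclass(frozen=True)
class Header:
    """The fixed-length header fields the rules inspect."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inbound: bool = True      # direction relative to the internal network


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str                        # "deny" or "allow"
    match: Callable[[Header], bool]     # predicate over header fields only


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


# Rules in the order of the slide; the first matching rule decides.
RULES = [
    Rule("spoofed internal source", "deny",
         lambda h: h.inbound and is_internal(h.src)),
    Rule("blacklisted source", "deny",
         lambda h: h.inbound and ip_address(h.src) in BLACKLIST),
    Rule("incoming ICMP", "deny",
         lambda h: h.inbound and h.proto == ICMP),
    Rule("RPC / Windows sharing", "deny",
         lambda h: h.inbound and h.proto in (TCP, UDP) and h.dport in (135, 445)),
    Rule("IRC either direction", "deny",
         lambda h: h.proto == TCP and h.dport in (6666, 6667)),
    Rule("web to internal web server", "allow",
         lambda h: h.inbound and h.proto == TCP and h.dport in (80, 443)
         and ip_address(h.dst) == WEB_SERVER),
    Rule("external SMTP to mail server", "deny",
         lambda h: h.inbound and h.proto == TCP and h.dport == 25
         and ip_address(h.dst) == SMTP_SERVER and not is_internal(h.src)),
    Rule("DNS to internal DNS server", "allow",
         lambda h: h.proto == UDP and h.dport == 53
         and ip_address(h.dst) == DNS_SERVER),
]

DEFAULT_VERDICT = "deny"   # assumed posture for headers matching no rule


def evaluate(header: Header, rules=RULES) -> tuple:
    """Return (verdict, rule name) for the first rule whose predicate holds."""
    for rule in rules:
        if rule.match(header):
            return rule.verdict, rule.name
    return DEFAULT_VERDICT, "default"


# Constructed sample traffic (all addresses are documentation ranges).
SAMPLE = [
    Header("203.0.113.5", "192.0.2.10", TCP, 443),                 # web, allowed
    Header("192.0.2.77", "192.0.2.10", TCP, 80),                   # internal src arriving from outside
    Header("198.51.100.7", "192.0.2.53", UDP, 53),                 # blacklisted source
    Header("203.0.113.5", "192.0.2.53", UDP, 53),                  # DNS, allowed
    Header("203.0.113.5", "192.0.2.25", TCP, 25),                  # external SMTP, denied per slide
    Header("192.0.2.33", "203.0.113.9", TCP, 6667, inbound=False), # outgoing IRC
    Header("203.0.113.5", "192.0.2.10", ICMP),                     # incoming ICMP
]

if __name__ == "__main__":
    for h in SAMPLE:
        verdict, why = evaluate(h)
        print(f"{h.src:>14} -> {h.dst:<12} proto={h.proto:<2} dport={h.dport}: {verdict} ({why})")
```

Every predicate reads only `src`, `dst`, `proto`, `dport` and the direction, never the payload; the two rules that combine a port with an address are the ones the previous slide flags as better split between optical and electronic processing.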

WP3.2 Identification of Simplified Security Algorithm Components
Optical pre-processing for more ‘traditional’ IDS
– Restrictions in the optical domain (buffering, level of integration, etc)
– Scalability of security pattern matching algorithms; optimum balance between optical and electronic processing (WP6)
– Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques in the electronic domain
D3.2 Identification of Simplified Security Algorithm Components

WP3.2 Identification of Simplified Security Algorithm Components
Identify feasible and efficient all-optical operations
– Inspection of specific fields in packet headers (protocol number, port number, etc)
– Pattern matching
– Routing
Keep all options for conventional (electronic) IDS
– Design high-speed optical pre-processing that makes electronic processing more efficient
Demonstration of key security functions
– Example applications with efficient and reliable operation of a hybrid system consisting of both all-optical and electronic components

WP3.2 Identification of Simplified Security Algorithm Components
Combine optical and electronic signature-based detection
Optical traffic splitters
– optical header processing
– split high-speed network traffic
– group packets, e.g., according to port number
Multiple “specialized” (electronic) processors
– fewer packets to inspect per processor
– more efficient payload inspection by performing the same operations on the same type of packets

WP3.2 Identification of Simplified Security Algorithm Components
Approach for a Hybrid Optical – Electrical Platform
All-optical inspection of packet headers only
A few well-chosen useful rules implemented optically
– Restrictions in memory and level of integration imply that only a small number of selected rules can be implemented in the optical domain
– Reconfigurable optical systems
– Analysis and statistics of network security threats
Seamless coupling of optics with electronics
– Electronic processing enhanced by optical pre-processing
– Security applications (including payload inspection) in the electronic domain with more conventional NIDS tools
– Take advantage of “conventional” NIDS/NIPS methods that are continuously being developed

WP3.2 Identification of Simplified Security Algorithm Components
Use network traffic monitoring and classification (appmon)

WP3.2 Identification of Simplified Security Algorithm Components
Select rules using statistics on suspect packets
– NoAH honeypot statistics: protocols, ports

WP3.2 Identification of Simplified Security Algorithm Components
Network traffic monitoring
– Deployment of a network of sensors for a global view
Protocols
– ICMP often used in attacks
– TCP most popular, UDP also heavily used
Ports (HEAnet)
– Some high-level applications use TCP/IP with pre-assigned port numbers
– Others use dynamically assigned port numbers, different for different connections
– Some attacks work on specific ports

WP3.2 Identification of Simplified Security Algorithm Components
Benefits from optical splitting for electronic processing
– Similar approaches have already proved successful in intensive NIDS applications
Early filtering and forwarding
– Packets of the same type are grouped by the splitter and forwarded to specialized electronic processors
– Performance benefits (50-90%) with the use of digital network processors
Clustering of packets with the same destination port number improves the performance of conventional IDS
– 40% increase in packet processing throughput
– 60% improvement in packet loss rate

WP3.2 Identification of Simplified Security Algorithm Components
Available hybrid integrated optical circuits:
– XOR, AND logic gates
– buffer memory (limited)
– routing switch
– Bit pattern matching circuit
– Target pattern generator
– Pseudo-random bit sequence generator
– Header sampler (proposal)
– CRC (proposal)

WP3.2 Identification of Simplified Security Algorithm Components
Input: flux of packets, consisting of RZ pulses (T)
Output: packets dropped or allowed to proceed
Box: Header sampler, Bit pattern matching, Routing switch, Buffer memory, MZI1, CRC

WP3.2 Identification of Simplified Security Algorithm Components
Same components, simple pipelined configuration
– 8-bit pattern matching at the left boxes
– 16-bit pattern matching at the right boxes
– Possible packet collisions, bottleneck

WP3.2 Identification of Simplified Security Algorithm Components
“router”: round-robin, CRC

WP3.2 Identification of Simplified Security Algorithm Components
Simulator of optical device operation
– Basic building blocks are logic gates
– Useful for circuit design, testing the efficiency of proposed configurations, analysis of more complex algorithms, hybrid optical-electronic detection, load balancing, parallel/distributed configurations, anomaly-based detection, etc.
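The slides above describe the optical building blocks (XOR/AND gates, header sampler, target pattern generator, bit pattern matching circuit, routing switch), the pipelined 8-bit then 16-bit matcher with its collision risk, and the port-based splitter feeding specialized electronic processors. The Python model below is an added illustration written for this page; it is not the WSIM simulator or any WISDOM hardware. It builds a bit-serial comparator from nothing but XOR, AND and NOT, then reuses it both as the two-box pipeline and as the splitter. The packet encoding (an 8-bit protocol field, a 16-bit destination port, then payload bytes, MSB first), the per-stage counters and the port groups are assumptions chosen for the example.

```python
"""Gate-level simulation of bit-serial optical header matching and splitting.

Added example written for this page, not the WSIM simulator or the WISDOM
hardware. Packet layout (8-bit protocol, 16-bit destination port, payload,
MSB first), the two-box pipeline and the splitter port groups are assumptions.
"""
from typing import Dict, List, Tuple


# The only primitives the optical circuit is assumed to provide.
def XOR(a: int, b: int) -> int:
    return a ^ b


def AND(a: int, b: int) -> int:
    return a & b


def NOT(a: int) -> int:
    return 1 - a


PROTO_WIDTH, PORT_WIDTH = 8, 16
TCP, UDP = 6, 17


def to_bits(value: int, width: int) -> List[int]:
    """MSB-first bit-serial form: 1 = RZ pulse present, 0 = no pulse."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_packet(proto: int, dport: int, payload: bytes = b"") -> List[int]:
    """Constructed packet layout: protocol field, destination port, payload bits."""
    bits = to_bits(proto, PROTO_WIDTH) + to_bits(dport, PORT_WIDTH)
    for byte in payload:
        bits += to_bits(byte, 8)
    return bits


def header_sampler(packet: List[int], offset: int, width: int) -> List[int]:
    """Tap `width` bits starting `offset` bit periods after the packet start."""
    return packet[offset:offset + width]


def bit_pattern_match(sampled: List[int], target: List[int]) -> int:
    """Bit-serial comparator: XOR each sampled bit with the synchronous target
    bit, invert (1 on equality) and AND-accumulate, so the flag stays 1 only
    if every bit matched. A truncated field (length mismatch) never matches."""
    if len(sampled) != len(target):
        return 0
    flag = 1
    for s, t in zip(sampled, target):
        flag = AND(flag, NOT(XOR(s, t)))
    return flag


def match_field(packet: List[int], offset: int, width: int, value: int) -> int:
    """Header sampler + target pattern generator + matcher for one field."""
    return bit_pattern_match(header_sampler(packet, offset, width), to_bits(value, width))


def pipeline(packets: List[List[int]], proto: int, dport: int) -> Tuple[List[str], Dict[str, int]]:
    """Two boxes in series: the 8-bit protocol match gates the 16-bit port match.
    The routing switch drops a packet only when both stages match; the stage
    counters show how much traffic reaches the wider second matcher."""
    stats = {"stage1": 0, "stage2": 0, "dropped": 0, "forwarded": 0}
    verdicts = []
    for pkt in packets:
        stats["stage1"] += 1
        if match_field(pkt, 0, PROTO_WIDTH, proto):
            stats["stage2"] += 1
            if match_field(pkt, PROTO_WIDTH, PORT_WIDTH, dport):
                stats["dropped"] += 1
                verdicts.append("drop")
                continue
        stats["forwarded"] += 1
        verdicts.append("forward")
    return verdicts, stats


def optical_splitter(packets: List[List[int]], groups: Dict[str, int]) -> Dict[str, List[int]]:
    """One port matcher per specialized processor, all fed by the same sampled
    field; packets matching no group go to a catch-all processor. Returns the
    packet indices queued for each processor."""
    queues: Dict[str, List[int]] = {name: [] for name in groups}
    queues["other"] = []
    for idx, pkt in enumerate(packets):
        for name, port in groups.items():
            if match_field(pkt, PROTO_WIDTH, PORT_WIDTH, port):
                queues[name].append(idx)
                break
        else:
            queues["other"].append(idx)
    return queues


# Constructed sample traffic.
SAMPLE_PACKETS = [
    encode_packet(TCP, 445, b"\x01"),   # 0: TCP/445, dropped by the pipeline
    encode_packet(UDP, 445),            # 1: UDP/445, rejected at the protocol stage
    encode_packet(TCP, 80, b"GET"),     # 2: TCP/80, forwarded; web processor
    encode_packet(TCP, 445),            # 3: TCP/445, dropped
    encode_packet(UDP, 53),             # 4: UDP/53, forwarded; DNS processor
]
SPLIT_GROUPS = {"web": 80, "dns": 53, "smtp": 25}

if __name__ == "__main__":
    print(pipeline(SAMPLE_PACKETS, TCP, 445))
    print(optical_splitter(SAMPLE_PACKETS, SPLIT_GROUPS))
```

The `stage2` counter is the quantity the pipeline slide is worried about: every packet passing the 8-bit box in one bit period arrives at the 16-bit box, so with no buffer memory in the model, two consecutive matches at the first stage are exactly the collision case.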

WP3.3 Definition of a Security Application Programming Interface (SAPI)
Software platform – “mini” operating system
– bridges the gap between optical execution of key components and programming of security applications
– high-level programming, abstracting all low-level details
– operates independently of system modifications, allows for integration of additional software and hardware components of increasing complexity
Hardware – software interface
– fast optical processing, reconfigurable at much slower rates
– user interventions rare, at the conventional speed of electronics
Front-end for SAPI and WSIM
– hardware and simulator run under the same environment
D3.3 Definition of SAPI (M30)

WP3.3 Definition of a Security Application Programming Interface (SAPI)
Device configuration
– hardware control
Set security application rules
– predefined filters
– custom filters
System monitoring
– visualization of the outcome of security operations
Easy-to-use GUI at the front-end
– user-friendly control panel
– the same for actual operation and simulation
Testbed and more complex systems
– designed to support any hybrid optical-electronic architecture

WP3: SAPI Interface with hardware and simulator (details coming up)

WP3: SAPI WSIM tool

WP3: SAPI WSIM tool …more to follow…

WP3: New security algorithm design
Basic firewall functionality in the optical domain (D3.1)
– Feasible, useful, and efficient inspection of packet header fields
Optical pre-processing for electronic NIDS/NIPS (D3.2)
– Actual security threats taken into account through network monitoring and attack statistics
– All-optical header inspection and packet classification combined with electronic processing of the payload
– Proposal for hybrid systems with an optimum balance between optical and electrical processing: optical enhances electrical, and the benefits of conventional electronic NIDS/NIPS are preserved
SAPI (D3.3)
– High-level programming of security applications running over optical and electronic hardware
Functional optical device simulator
– Complex algorithm design
– Development that may be of more general interest

WP3 concluded: What next?
Prepare SAPI for the (upcoming) demonstrator/hardware
Quantify benefits from optical pre-processing
– Extensive processing of actual traces with the simulator
– Test different scenarios, DoS attacks, etc
Constant improvement of simulation tools
– Include physical models of optical devices in simulations
Perhaps not essential to this project, but overall very important…
– Details on high-performance commercial NIDS (Endace, Crossbeam, etc.): simple parallelization, dumb load balancers, or more?
– Convince about the advantages of all-optical pre-processing
– Future ‘Green’ aspects of the project (e.g., low power consumption)
– Think again about payload inspection (partially in the optical domain): what is feasible in terms of optical components and devices?