APNOMS 2003 Security Gateway System Team Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links Byoung-Koo Kim,

APNOMS 2003

Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links

Byoung-Koo Kim, Ik-Kyun Kim, Jong-kook Lee, Ki-Young Kim and Jong-Soo Jang
Security Gateway System Team, Electronics and Telecommunications Research Institute
161 Gajeong-Dong, Yuseong-Gu, Daejeon, KOREA
E-mail: {kbg63228, ikkim21, ljk63466, kykim,

Security Gateway System Team, ETRI, APNOMS 2003

Introduction: Overview of the NSCS Environment

- CPCS: Cyber Patrol Control System
- SGS: Security Gateway System

Architecture of NSCS

SGS (inline mode operation):
- PSAB (Packet Sensing and Analyzing Block)
- IDAB (Intrusion Detection and Analyzing Block)
- CPAB (Cyber Patrol Agent Block)
- COPS/IAP Client (Interface Block)

CPCS:
- COPS/IAP Server (Interface Block)
- PMB (Policy Management Block)
- AMB (Alert Management Block)
- SMB (System Management Block)
- HAB (High-Analyzer Block)

Viewer

Detailed SGS Architecture

Application tasks:
- Local Alert Manager, Local Policy Manager, Response Manager, System Manager
- COPS/IAP Client, Local GUI, SNMP Agent
- Database Manager with filesystem/database
- Socket I/F and IOCTL I/F to the kernel module

IDAB (kernel module):
- Data structure for rules, Rule Manager
- Preprocessor: IP defragmentation, TCP reassembly, application decode, portscan detection
- Payload pattern matching

PSAB (FPGA logic, attached over the PCI bus):
- Flow statistics, sensing, blocking, forwarding
- Rule Mirror Table
- Preprocessor filter
- Fixed field pattern matching

Detection Rule Configuration

Rule groups: IP group, ICMP group, UDP group, TCP group.

Each rule consists of detection-related fields and alert-related fields:
- Fixed Field Pattern (detection-related; held in the H/W Logic Rule Mirror Table): Source IP Address, Destination IP Address, Source Port, Destination Port, TTL, IP ID, Fragbits, TCP Flags, Seq, Ack, etc.
- Payload Pattern (detection-related; held in the Kernel Logic Rule Table): Data size, Content, Offset, Depth, Uricontent, etc.
- Alert-related fields: Alert Message / Attack name, Signature ID, etc.

One Fixed Field Pattern is linked to N Payload Patterns (1:N matching).

H/W Rule Table

Protocol: TCP, UDP, ICMP, IP
Fields: SRC IP, DST IP, TTL, IP ID, Fragbits, TCP Flags, SRC Port, DST Port, Seq, Ack, ICMP type, ICMP code, ICMP ID, ICMP Seq
Each entry carries a Matching ID.

Detection Algorithm – H/W

- PP : Preprocessor
- FF : Fixed Field

The Packet Monitor receives each packet and runs it through two checks:
- PP Filter Check: is kernel preprocessing necessary? YES: PP Flag = 1; NO: PP Flag = 0.
- FF Pattern Search: FF pattern matching? YES: FF Flag = 1; NO: FF Flag = 0.
- If PP Flag = 1 or FF Flag = 1, the packet is sent over the PCI bus to the kernel logic.

Detection Algorithm – Kernel

Packets arriving from the FPGA logic over the PCI bus with PP Flag = 1 or FF Flag = 1:
- Packet Decode
- Preprocess (PP Flag = 1): preprocessor detection? YES: Alert Send
- Payload Pattern Search (FF Flag = 1): payload pattern matching? YES: Alert Send; NO: done
- Alert Send: alerts go to the CPAB over the socket interface
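The two-stage flow of the H/W and Kernel slides, written out as an added C example that is not the paper's code: stage 1 stands in for the FPGA fixed-field search that tags a packet with a Matching ID (FF Flag = 1), stage 2 for the kernel payload search over the payload rules linked 1:N to that ID (content/offset/depth, Signature ID). The field subset, the `ANY` wildcard, the rules and the packets are constructed sample data.

```c
/* Added example, not the paper's code: two-stage detection as on the slides.
 * Stage 1 = H/W fixed-field search (Matching ID), stage 2 = kernel payload
 * search over the 1:N payload rules of that ID. All data below is constructed. */
#include <stdint.h>
#include <string.h>

#define ANY 0xFFFFFFFFu   /* wildcard for a fixed field (assumption) */

struct ff_rule { uint32_t proto, dst_port, tcp_flags; int match_id; };
struct pp_rule { int match_id; const char *content; size_t offset, depth; int sig_id; };
struct pkt { uint32_t proto, dst_port, tcp_flags; const uint8_t *payload; size_t len; };

/* Stage 1 (H/W logic): first fixed-field rule that matches gives the Matching ID; 0 = FF Flag 0. */
int ff_search(const struct ff_rule *r, size_t n, const struct pkt *p) {
    for (size_t i = 0; i < n; i++)
        if ((r[i].proto == ANY || r[i].proto == p->proto) &&
            (r[i].dst_port == ANY || r[i].dst_port == p->dst_port) &&
            (r[i].tcp_flags == ANY || (p->tcp_flags & r[i].tcp_flags) == r[i].tcp_flags))
            return r[i].match_id;
    return 0;
}

/* Stage 2 (kernel logic): for every payload rule linked to match_id, search for
 * content inside [offset, offset+depth) of the payload; returns the Signature ID or 0. */
int pp_search(const struct pp_rule *r, size_t n, int match_id, const struct pkt *p) {
    for (size_t i = 0; i < n; i++) {
        if (r[i].match_id != match_id || r[i].offset >= p->len) continue;
        size_t clen = strlen(r[i].content);
        size_t end = r[i].offset + r[i].depth;
        if (end > p->len) end = p->len;       /* depth window clipped to the packet */
        for (size_t j = r[i].offset; j + clen <= end; j++)
            if (memcmp(p->payload + j, r[i].content, clen) == 0)
                return r[i].sig_id;
    }
    return 0;
}

/* Constructed ruleset: one TCP/80 fixed-field rule linked to two payload rules (1:N),
 * one UDP/53 fixed-field rule with no payload rule. Returns the Signature ID, 0 = pass. */
int detect_buf(uint32_t proto, uint32_t dst_port, uint32_t tcp_flags, const char *payload) {
    static const struct ff_rule ff[] = { {6, 80, 0x18, 1}, {17, 53, ANY, 2} };
    static const struct pp_rule pp[] = { {1, "/sample-a", 0, 64, 1001}, {1, "sample-b", 4, 8, 1002} };
    struct pkt p = { proto, dst_port, tcp_flags, (const uint8_t *)payload, strlen(payload) };
    int id = ff_search(ff, 2, &p);
    return id ? pp_search(pp, 2, id, &p) : 0;
}
```

The third case in the test shows the point of offset/depth: the same content outside its window does not alert, which is what keeps the kernel search cheap on a high-speed link.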

SGS Prototype for NSCS

FPGA Logic (H/W) functions:
- Wire-speed forwarding
- 5-tuple based flow classification
- Statistics / blocking / sensing / fixed field pattern matching

Kernel logic functions:
- Linux kernel based kernel module programming
- Payload pattern matching / alert generation

Conclusion & Future Work

Conclusion:
- Presented the architecture of NSCS
- Designed the SGS of NSCS: the architecture of SGS, the ruleset configuration of SGS, and the FPGA logic and kernel logic of SGS
- Developed the prototype of SGS

Future Work:
- Improve the detection mechanism on high-speed links
- Guarantee the secure transmission of messages among the prototype systems
- Resolve the problems derived from the verification of the implemented system
