ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS Update and plans for the next six months Heraklion, 4th June 2007.


WISDOM WP3: New security algorithm design

Objectives
- Identify critical security application components which can be efficiently implemented in the optical domain.
- Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
- Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.

Tasks - Deliverables
- WP 3.1: Security Applications Partitioning (M12)
- WP 3.2: Identification of simplified Security Algorithm Components (M24)
- WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

WP3.1 Security Applications Partitioning
- Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
- Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)
- WP2 outcome crucial to WP3
  - restrictions from optical hardware
- D3.1 report M12

WP3.1 Security Applications Partitioning
Identify efficient operations in optical domain by considering
- basic firewall functionality
  - prevent communication for specific servers and services
- basic IDS/IPS functionality
  - signature, anomaly based detection
- packet structure and decoding
  - TCP/IP, UDP, ICMP, etc.
- optical hardware
  - optical data format, optical bit filtering, optical pattern matching, buffer (delays)

WP3.1 Security Applications Partitioning
Optical hardware
- Return-to-zero data format
  - NRZ to RZ, DPSK to RZ conversion possible
- Baseline data rate at 40 Gb/s
  - 25 ps bit period
  - 100 Gb/s and up will be considered later
- Synchronous operation
  - Optoelectronic clock recovery
- Delays (variable?)
  - Short term storage of packets in recirculating buffer memory
  - Delays proportional to packet size and to bit rate
  - 40 bits (5 bytes) at 40 Gb/s translates to 20 cm buffer and 1 ns propagation delay

WP3.1 Security Applications Partitioning
Optical hardware
- Optical processing units
  - Pattern recognition system
    - For n bits compared with N-bit target, latency Nn bit periods
    - Target length set electronically
    - Sequence length should be equal to recirculating loop (note readily variable)
  - Optical switch
    - Gate packets according to packet inspection
    - Sub-nanosecond switching times
    - Reconfigurable in nanoseconds

WP3.1 Security Applications Partitioning
Packet structure and decoding
- Header (fixed length), Payload (variable length)
- Optical processing for headers only
- Optical filtering to extract specific fields from headers
- Complication: need to check options length.

WP3.1 Security Applications Partitioning
Basic firewall functionality in the optical domain
- Look at port numbers
  - Block traffic for specific ports
  - Optical filtering, optical pattern matching
- Look at IP addresses
  - Block traffic for specific IP addresses
  - Optical filtering, optical/electronic pattern matching
- Look at IP protocol
  - Block traffic for certain protocols
- Headers only
  - Less than 10% of rules, more than 90% of alerts
  - What happens to payload in the meantime? (sampling, randomized, heuristic…)

WP3.1 Security Applications Partitioning
Firewall rule example, with the header field inspected for each rule
- Deny all incoming traffic with IP matching internal IP. Inspection: source IP address
- Deny incoming from black-listed IP addresses. Inspection: source IP address
- Deny all incoming ICMP traffic. Inspection: IP protocol
- Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing). Inspection: destination port
- Deny incoming/outgoing TCP 6666/6667. Inspection: destination port
- Allow incoming TCP 80, 443 (http, https) to internal web server. Inspection: destination port (destination IP address)
- Deny incoming TCP 25 to SMTP server from external IP addresses. Inspection: destination port (destination)/source IP address
- Allow UDP 53 to internal DNS server. Inspection: destination port (destination IP address)

Typical port assignments for some other services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
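
The header-only checks from the rule list above, including the options-length complication noted on the packet-structure slide, as an added Python example that is not part of the original slides. The addresses, the first-match ordering, the default deny and the handling of every packet as incoming are assumptions of this example.

```python
import ipaddress
import struct

# Constructed addresses (documentation ranges), not taken from the slides.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
BLACKLIST = {ipaddress.ip_address("203.0.113.66")}
WEB_SERVER = ipaddress.ip_address("192.0.2.80")
DNS_SERVER = ipaddress.ip_address("192.0.2.53")
ICMP, TCP, UDP = 1, 6, 17


def header_fields(pkt: bytes):
    """Return (proto, src, dst, dport) using header bytes only, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    dport = None  # ports follow the options, first fragment only
    if proto in (TCP, UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    return proto, src, dst, dport


def decide(pkt: bytes) -> str:
    """First-match pass over the slide's rules for incoming packets."""
    fields = header_fields(pkt)
    if fields is None:
        return "deny"  # malformed or non-IPv4 header
    proto, src, dst, dport = fields
    if src in INTERNAL or src in BLACKLIST or proto == ICMP:
        return "deny"
    if dport in (135, 445) or (proto == TCP and dport in (6666, 6667, 25)):
        return "deny"
    if proto == TCP and dport in (80, 443) and dst == WEB_SERVER:
        return "allow"
    if proto == UDP and dport == 53 and dst == DNS_SERVER:
        return "allow"
    return "deny"  # default deny is an assumption of this example


def sample_packet(proto, src, dst, dport, options=b""):
    """Build a constructed IPv4 packet; options must be a multiple of 4 bytes."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 0, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + options + struct.pack("!HH", 40000, dport)
```

A filter that read the destination port at a fixed offset of 22 bytes would see option bytes instead of the port whenever the IP header carries options, which is why `header_fields` derives the offset from the IHL field.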

WP3.1 Security Applications Partitioning
Filtering out traffic

WP3.1 Security Applications Partitioning
Matching IP address

WP3.1 Security Applications Partitioning
Proposed optical DoS attack detection
- DoS attacks
  - SYN bit optical counter?

WP3.1 Security Applications Partitioning
Basic Firewall, NIDS/NIPS functionality
- Simple pattern matching
  - optical for packet header, electronic for payload
- Stateful inspection
  - no obvious implementation in the optical
- Anomaly detection
  - optical (e.g. simple DoS attacks) and electronic

WP3.2 Identification of Simplified Security Algorithms Components
- Optical pre-processing for more complex pattern recognition
- Restrictions in optical domain (buffering, level of integration, etc.)
- Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)
- Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques.
- D3.2 Identification of simplified Security Algorithms Components (M24)

WP 3.3 Definition of a Security Application Programming Interface (SAPI)
- SAPI will bridge the gap between optical execution of key components and programming of security applications
- High-level programming, abstract all low-level details
- Monitoring Application Programming Interface (MAPI)
- D3.3 Definition of SAPI (M27)

Next six months
- D3.2 Identification of simplified Security Algorithms Components
  - Tree-like structures
  - Hash functions
  - Bloom filters
  - Heuristics
- Parallel use of optical devices
  - up to a dozen “on a chip”
- Parallel/Distributed Architectures

Modeling and simulation
- Physical models of optical hardware
  - from WP4 but useful for WP3
- Functional models of optical devices and simulators
  - Optical bit matching
  - Conventional electronics