Hardened IDS using IXP Didier Contis, Dr. Wenke Lee, Dr. David Schimmel Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang  Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including: An inability to keep up with throughput significantly greater than 100 Mb/s An inability to deal with encrypted traffic (VPN) An inability to utilize knowledge of network topology and OS Not easily scalable as network becomes more complex and higher speedMotivation  Create a new generation of network hardware based IDS / Firewall sensor, integrated on the Network Card  Take advantage of the hardware and the network sensors to create a global distributed and adaptable IDS The Vision  Implementation of a proof of concept: 1.Port open-source software IDS systems such as Bro or Snort on the StrongArm 2.Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, Defragmentation, Sanity checks) 3.Investigate the use of FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly) Current Project Packet stream Filtered pkt stream Event stream Alerts Policy script Event control tcpdump filters Host NIC Event Engine Network Libpcap Policy Script Interpreter Conventional Software based IDS Filtered pkt stream Event stream Alerts Policy script Event control tcpdump filters StrongARM  Engines Event Engine: ip-defrag, tcp reassembly, event generation Network: header analysis, filtering Libpcap: compatibility w/ existing IDSs Policy Script Interpreter Host Current Implementation of an IXP based IDS Lan Host IDS Analysis: Pattern Matching Behavioral model Re-programmable Co-processors: TCP Stream Reassembly … Network Card Capture of Network Traffic (e.g. receive of ethernet frames) IP Packet Preprocessing: CRC check IPDefrag IP options check Functions performed at the micro-engine level IXP1200 Packet Alerts Proposed implementation of an IXP based IDS with FPGAs Ack/Seq Tracking Unit Buffer Connection – State-Machine Input State-Machine enabledata_in CLK Payload data TCP/IP header elements exception_flags Memory Gateway read server data_valid data_out SelectRAM Client  Server 1,2,3,8,16 kB SelectRAM Server  Client 1,2,3,8,16 kB Block diagram of the reassembly unit  A TCP reassembly unit has been implemented in VHDL and mapped to a Xilinx XCV1000. This prototype is currently being ported to the Celoxica FPGA environment A dynamically re-configurable FPGA implementation permits adaptive allocation of detection resources and therefore a more accurate and efficient pattern-matching or behavorial analysis. TCP Reassembly in Hardware  In parallel, some micro-code are being developed to off- load some of the cpu intensive functions of the IDS: IP Defragmentation CRC Checksums at Layer 4 Packet decoding  ACE + Micro-Engine C Compiler = Faster learning Cycle BUT  The PCI interface between the Board and the Host, as well as the current drive appears as a bottleneck  The ACE SDK generates too much overhead on the StrongArm Current Status & Lessons Learned  Implementation of a fully distributed IDS  Adaptation in the NIDS Integration of detection and response Agile context dependent reconfiguration multiple of IDS methods such as pattern-matching and behavioral models.  Unified framework for network policies Common response mechanisms for QoS, Fault Detection, NIDS Load Balancing Future Steps