
Workpackage 3: New security algorithm design. ICS-FORTH, Paris, 30th June 2008.


Slide 1: Workpackage 3, New security algorithm design. ICS-FORTH, Paris, 30th June 2008

Slide 2: WISDOM WP3: New security algorithm design

Objectives
- Identify critical security application components which can be efficiently implemented in the optical domain.
- Characterise constraints on algorithmic components and develop novel analytical techniques for simplified pattern matching.
- Design a Security Application Programming Interface (SAPI), which will be the interface between high-level security applications and the low-level optical implementation.

Tasks - Deliverables
- WP 3.1: Security Applications Partitioning (M12)
- WP 3.2: Identification of simplified Security Algorithm Components (M24)
- WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

Slide 3: WP3.1 Security Applications Partitioning

Critical security operations in the optical domain
- Basic firewall functionality: inspect packet headers. Less than 10% of the rules, more than 90% of the alerts.
- Look at a specific packet header field: block or filter traffic for specific protocols, ports, etc. Optical filtering, optical pattern matching, optical routing.
- Block or filter traffic for specific IP addresses: optically possible but not efficient.
- Combined inspection of two header fields (e.g. from specific IP addresses to specific ports): optically possible, but a combination of optical and electronic processing is more efficient.

Slide 4: WP3.1 Security Applications Partitioning, firewall rule example

Rule | Inspection
Deny all incoming traffic with IP matching internal IP | source IP address
Deny incoming from black-listed IP addresses | source IP address
Deny all incoming ICMP traffic | IP protocol
Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) | destination port
Deny incoming/outgoing TCP 6666/6667 | destination port
Allow incoming TCP 80, 443 (http, https) to internal web server | destination port, destination IP address
Deny incoming TCP 25 to SMTP server from external IP addresses | destination port, destination and source IP address
Allow UDP 53 to internal DNS server | destination port, destination IP address

Typical port assignments for some services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP TCP 143.

Slide 5: WP3.1 Security Applications Partitioning

Security operation | Inspection | Application example
Match network packet targeting a specific service | Destination port number | Filtering out e-mail traffic
Match network packet originating from a specific service | Source port number | Filtering out a Web server's response
Match network packet targeting specific computer(s) | Destination IP address | Preventing contact with a computer
Match network packet originating from specific computer(s) | Source IP address | Preventing access from a computer
Match network packet with specific properties | IP protocol header field | Filtering out ICMP traffic
Match network packet targeting a specific service and originating from specific computers | Destination port number and source IP address | SPAM filter
Denial of Service attack detection | SYN flag | Preventing TCP SYN flood attacks
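The header-field rules of slides 4 and 5 can be tried out in software. The following Python is an added example written for this page, not code from the WISDOM project or the presentation: it extracts exactly the fields the slides name from a raw IPv4 packet, runs slide 4's rule list (incoming direction, first match wins) over them, and adds a per-source counter for slide 5's SYN-flag check. The addresses, the black-list entry, the default-deny fall-through and the SYN threshold are assumptions made for the example; the test packets are constructed, not captured traffic.

```python
import struct
from ipaddress import ip_address, ip_network

# Hypothetical addressing for this worked example (not from the slides; RFC 5737 documentation ranges).
INTERNAL_NET = ip_network("192.0.2.0/24")      # the protected internal network
WEB_SERVER = ip_address("192.0.2.80")
SMTP_SERVER = ip_address("192.0.2.25")
DNS_SERVER = ip_address("192.0.2.53")
BLACKLIST = {ip_address("198.51.100.7")}      # constructed black-list entry

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def parse_header(raw):
    """Pull out only the header fields the slides inspect: protocol, addresses, ports, TCP SYN/ACK flags."""
    ihl = (raw[0] & 0x0F) * 4                    # IPv4 header length in bytes
    fields = {
        "proto": raw[9],
        "src": ip_address(raw[12:16]),
        "dst": ip_address(raw[16:20]),
        "sport": None, "dport": None, "syn": False, "ack": False,
    }
    if fields["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        fields["sport"], fields["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    if fields["proto"] == IPPROTO_TCP:
        tcp_flags = raw[ihl + 13]
        fields["syn"] = bool(tcp_flags & 0x02)
        fields["ack"] = bool(tcp_flags & 0x10)
    return fields

# Slide 4's rule list for the incoming direction, first match wins.  Each entry: (name, verdict, predicate).
RULES = [
    ("anti-spoofing: internal source address arriving from outside", "deny",
     lambda f: f["src"] in INTERNAL_NET),
    ("black-listed source address", "deny",
     lambda f: f["src"] in BLACKLIST),
    ("ICMP", "deny",
     lambda f: f["proto"] == IPPROTO_ICMP),
    ("TCP/UDP 135,445 (RPC, Windows sharing)", "deny",
     lambda f: f["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and f["dport"] in (135, 445)),
    ("TCP 6666,6667", "deny",
     lambda f: f["proto"] == IPPROTO_TCP and f["dport"] in (6666, 6667)),
    ("http/https to the internal web server", "allow",          # two fields: port and destination IP
     lambda f: f["proto"] == IPPROTO_TCP and f["dport"] in (80, 443) and f["dst"] == WEB_SERVER),
    ("external SMTP to the mail server", "deny",                # three fields: port, destination and source IP
     lambda f: f["proto"] == IPPROTO_TCP and f["dport"] == 25 and f["dst"] == SMTP_SERVER
               and f["src"] not in INTERNAL_NET),
    ("DNS to the internal resolver", "allow",
     lambda f: f["proto"] == IPPROTO_UDP and f["dport"] == 53 and f["dst"] == DNS_SERVER),
]

def evaluate(raw):
    """Return (verdict, rule name); unmatched packets fall through to a default deny (an assumption)."""
    f = parse_header(raw)
    for name, verdict, pred in RULES:
        if pred(f):
            return verdict, name
    return "deny", "default"

class SynCounter:
    """Slide 5's SYN-flag inspection: count bare SYNs (SYN without ACK) per source address."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = {}

    def observe(self, raw):
        f = parse_header(raw)
        if f["proto"] == IPPROTO_TCP and f["syn"] and not f["ack"]:
            self.counts[f["src"]] = self.counts.get(f["src"], 0) + 1
            return self.counts[f["src"]] > self.threshold   # True once the source exceeds the threshold
        return False

def make_packet(proto, src, dst, sport=0, dport=0, tcp_flags=0):
    """Constructed test packet: a 20-byte IPv4 header followed by a minimal TCP, UDP or ICMP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 0, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHI", 8, 0, 0, 0)                   # ICMP echo request
    return ip + l4

if __name__ == "__main__":
    for pkt in (make_packet(IPPROTO_TCP, "203.0.113.5", "192.0.2.80", 40000, 80, 0x02),
                make_packet(IPPROTO_ICMP, "203.0.113.5", "192.0.2.1"),
                make_packet(IPPROTO_UDP, "203.0.113.5", "192.0.2.10", 1025, 445)):
        print(evaluate(pkt))
```

The rule predicates make the slide's point visible: the first five rules look at one field each (source address, protocol, destination port), while the last three combine a port with a destination address, and the SMTP rule adds the source address as well, which is the kind of combined inspection slide 3 leaves to the electronic side.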

Slide 6: WP3.2 Identification of Simplified Security Algorithm Components

- Optical pre-processing for more complex pattern recognition
- Restrictions in the optical domain (buffering, level of integration, etc.)
- Scalability of security pattern matching algorithms; optimum balance between optical and electronic processing (WP6)
- Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques in the electronic domain.
- D3.2 Identification of simplified Security Algorithm Components (M24)

Slide 7: WP3.2 Identification of Simplified Security Algorithm Components

Identify feasible and efficient all-optical operations
- Extraction of specific fields in packet headers (protocol number, port number, etc.)
- Pattern matching
- Routing

Keep all options for conventional (electronic) IDS
- Design high-speed optical pre-processing that makes electronic processing more efficient

Demonstration of key security functions
- Example applications with efficient and reliable operation of a hybrid system consisting of both all-optical and electronic components

Slide 8: WP3.2 Identification of Simplified Security Algorithm Components

Combine optical and electronic signature-based detection
- Optical traffic splitter: optical header processing groups packets, e.g. according to port number
- Multiple "specialized" (electronic) processors: fewer packets to inspect per processor; more efficient payload inspection by performing the same operations on the same type of packets
- Many issues to consider, such as load balancing, parallel/distributed configurations, anomaly-based detection, etc.
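As an added illustration of the splitter idea on this slide (example code written for this page, not from the WISDOM project), the Python below models the header-only split by destination port, fans packets out round-robin over the electronic processors of each class, and counts how many payload signatures a single monolithic IDS would run on the same stream versus the class-specialised processors. The port-to-class table, the signature-set sizes, the per-class processor counts and the port stream are all constructed for the example.

```python
from collections import Counter
from itertools import cycle

# Constructed port-to-class table: the splitter's header-only decision (the slide names port number as the key).
PORT_CLASSES = {80: "web", 443: "web", 25: "smtp", 53: "dns", 135: "rpc", 445: "rpc"}
# Constructed sizes of the payload-signature sets each specialised processor has to run (illustrative numbers).
SIGNATURES = {"web": 120, "smtp": 40, "dns": 15, "rpc": 30, "other": 60}

class OpticalSplitter:
    """Functional model of the splitter: classify on destination port only, then round-robin
    over the electronic processors of that class (the per-class fan-out is an assumption)."""
    def __init__(self, processors_per_class):
        self.rr = {cls: cycle(range(n)) for cls, n in processors_per_class.items()}
        self.load = Counter()                      # packets delivered to each processor

    def dispatch(self, dport):
        cls = PORT_CLASSES.get(dport, "other")     # unknown ports go to a generic processor
        processor = f"{cls}-{next(self.rr[cls])}"
        self.load[processor] += 1
        return cls, processor

def compare_inspection_cost(dports, processors_per_class):
    """Count signature evaluations for one monolithic IDS that runs every signature on every
    packet, versus class-specialised processors that run only their own set."""
    splitter = OpticalSplitter(processors_per_class)
    all_signatures = sum(SIGNATURES.values())
    monolithic = specialised = 0
    for dport in dports:
        cls, _ = splitter.dispatch(dport)
        monolithic += all_signatures
        specialised += SIGNATURES[cls]
    return monolithic, specialised, dict(splitter.load)

if __name__ == "__main__":
    # Constructed stream of destination ports (no real traffic).
    stream = [80, 443, 25, 53, 445, 8080, 80, 80]
    fanout = {"web": 2, "smtp": 1, "dns": 1, "rpc": 1, "other": 1}
    print(compare_inspection_cost(stream, fanout))
```

The returned load counter is where the slide's open issues show up: a burst of one port class loads only that class's processors, which is the load-balancing question the slide lists, and anything the header does not classify still ends up on the generic processor.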

Slide 9: WP3.2 Identification of Simplified Security Algorithm Components

"Pragmatic" approach
- All-optical inspection of packet headers only: a few well-chosen rules implemented optically. Restrictions in memory and level of integration imply that only a small number of selected rules can be implemented in the optical domain.
- Reconfigurable optical systems
- Seamless coupling of optics with electronics
- Security applications (including payload inspection) in the electronic domain with more conventional NIDS tools; several NIDS/NIPS approaches and methods, as described in previous project deliverables

Slide 10: WP3.2 Identification of Simplified Security Algorithm Components

Select rules through network traffic monitoring: Monitoring Application Programming Interface (MAPI)

Slide 11: WP3.2 Identification of Simplified Security Algorithm Components

Network traffic monitoring and classification

Slide 12: WP3.2 Identification of Simplified Security Algorithm Components

Statistics on suspect packets: NoAH honeypot statistics, by protocol and by port

Slide 13: NoAH honeypot statistics (Country and Trend columns: graphics not preserved in the transcript)

Packet count | Source IP
1820 | 62.1.223.32
1857 | 195.113.147.61
1915 | 62.1.180.164
2022 | 200.243.156.5
2030 | 60.222.231.188
2087 | 221.130.198.244
2250 | 58.255.150.159
2286 | 218.57.24.97
2500 | 62.1.60.51
2718 | 62.1.19.19
2864 | 62.1.131.43
3081 | 62.1.51.100
3168 | 62.1.179.230
3333 | 61.134.43.254
4224 | 62.1.249.141
4536 | 58.20.15.126
4567 | 62.1.178.45
4585 | 139.91.100.101
4618 | 84.244.147.70
5420 | 72.51.18.124

Packet count | Destination port
1388 | 5900
1410 | 23657
1536 | 25
1568 | 620
1917 | 704
1984 | 637
2297 | 2967
3298 | 21
3668 | 23
4138 | 1433
4153 | 1027
4303 | 22
4669 | 443
4889 | 1026
6284 | 80
9092 | 137
13022 | 1434
15014 | 135
16289 | 139
57843 | 445

Slide 14: WP3.2 Identification of Simplified Security Algorithm Components

Network traffic monitoring
- Deployment of a network of sensors for a global view
- Protocols: ICMP often used in attacks; TCP most popular, UDP also heavily used
- Ports (HEAnet): some high-level applications use TCP/IP with pre-assigned port numbers; others use dynamically assigned port numbers, different for different connections; some attacks work on specific ports

Slide 15: WP3.2 Identification of Simplified Security Algorithm Components

Benefits from optical splitting for electronic processing
- Similar approaches have already proved successful in intensive NIDS applications
- Early filtering and forwarding: packets of the same type are grouped by the splitter and forwarded to specialized electronic processors
- Performance benefits (about 20%) with the use of digital network processors
- Clustering of packets with the same destination port number improves the performance of a conventional IDS: 40% increase in packet processing throughput, 60% improvement in packet loss rate

Slide 16: WP3.2 Identification of Simplified Security Algorithm Components

Available hybrid integrated optical circuits:
- XOR, AND logic gates
- buffer memory (limited)
- routing switch
- bit pattern matching circuit
- target pattern generator
- pseudo-random bit sequence generator
- header sampler (proposal)
- CRC (proposal)

Slide 17: WP3.2 Identification of Simplified Security Algorithm Components (block diagram)

Input: flux of packets, consisting of RZ pulses with period T
Output: packets dropped or allowed to proceed
Blocks: header sampler, bit pattern matching, routing switch, buffer memory, MZI1, CRC
Latency approx. 150 T

Slide 18: WP3.2 Identification of Simplified Security Algorithm Components

Same components, simplistic pipelined configuration
- Latency approx. 150 T (8-bit pattern matching): left box
- Latency approx. 450 T (16-bit pattern matching): center and right boxes
- Packet collisions, bottleneck

Slide 19: WP3.2 Identification of Simplified Security Algorithm Components

"Router": round-robin, CRC (block diagram)

Slide 20: WP3.2 Identification of Simplified Security Algorithm Components

Functional models of optical devices and simulator
1) Simple: the basic building blocks are logic gates. Useful for design and for testing the efficiency of proposed configurations, more complex algorithms, hybrid optical/electronic detection, etc.
2) Include physical models for actual optical components. Useful in device development. Much more demanding...
Build the simulator starting with (1) and expand to (2) when necessary.
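A first cut at the option (1) simulator, for the components of slides 16 to 18, as an added Python example written for this page (not the project's simulator): XOR, AND and NOT are the only primitives, a header sampler taps the slots of one field, the bit pattern matcher compares it bit-serially against a target pattern, a routing switch drops on the first hit, and the proposed CRC block is an 8-bit XOR shift register clocked once per slot. The field offsets assume a 20-byte IPv4 header without options, the rules and the test packet are constructed, and the slot at which the decision becomes available is a logical count, not the 150 T / 450 T device latencies of slides 17 and 18.

```python
# Functional gate model (slide 20, option 1): a bit is 0 or 1 and one bit arrives per time slot T.
def XOR(a, b):
    return a ^ b

def AND(a, b):
    return a & b

def NOT(a):
    return 1 - a

def bit_stream(packet):
    """Serialise a packet MSB-first: element i is the bit arriving in slot i."""
    return [(byte >> (7 - k)) & 1 for byte in packet for k in range(8)]

def int_to_bits(value, width):
    """Target pattern generator: the constant a rule compares against, as a bit list."""
    return [(value >> (width - 1 - k)) & 1 for k in range(width)]

class HeaderSampler:
    """Tap only the slots of one header field, given its bit offset and width in the stream."""
    def __init__(self, bit_offset, width):
        self.offset, self.width = bit_offset, width

    def sample(self, stream):
        return stream[self.offset:self.offset + self.width]

class BitPatternMatcher:
    """Bit-serial comparator: XOR flags a mismatch in each slot, AND accumulates 'still matching'."""
    def __init__(self, target_bits):
        self.target = target_bits

    def match(self, field_bits):
        still_matching = 1
        for t, b in zip(self.target, field_bits):
            still_matching = AND(still_matching, NOT(XOR(t, b)))
        return still_matching

def crc8_serial(stream, poly=0x07):
    """Bit-serial CRC-8 (polynomial x^8+x^2+x+1, zero initial value): an 8-bit shift register
    with one XOR feedback per slot, the usual way a CRC block is built from XOR gates."""
    crc = 0
    for bit in stream:
        feedback = XOR((crc >> 7) & 1, bit)
        crc = (crc << 1) & 0xFF
        if feedback:
            crc ^= poly
    return crc

# Field positions assumed for a 20-byte IPv4 header without options, followed by TCP/UDP.
PROTOCOL = HeaderSampler(9 * 8, 8)
DST_PORT = HeaderSampler((20 + 2) * 8, 16)

# Constructed deny rules in "optical" form: name, sampler, matcher (three of slide 4's header rules).
OPTICAL_RULES = [
    ("ICMP", PROTOCOL, BitPatternMatcher(int_to_bits(1, 8))),
    ("port 445", DST_PORT, BitPatternMatcher(int_to_bits(445, 16))),
    ("port 135", DST_PORT, BitPatternMatcher(int_to_bits(135, 16))),
]

def optical_switch(packet):
    """Routing switch: drop on the first matching rule.  The third value is the slot at which the
    decision is logically available (end of the sampled field), not the device latency of 150 T."""
    stream = bit_stream(packet)
    for name, sampler, matcher in OPTICAL_RULES:
        if matcher.match(sampler.sample(stream)):
            return "drop", name, sampler.offset + sampler.width
    return "forward", None, len(stream)

def sample_packet(proto, dport):
    """Constructed 24-byte header: IPv4 (protocol at byte 9, addresses at bytes 12-19) plus source/destination port."""
    ipv4 = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0, 203, 0, 113, 5, 192, 0, 2, 80])
    return ipv4 + (40000).to_bytes(2, "big") + dport.to_bytes(2, "big")

if __name__ == "__main__":
    for pkt in (sample_packet(6, 445), sample_packet(1, 0), sample_packet(6, 80)):
        print(optical_switch(pkt), hex(crc8_serial(bit_stream(pkt))))
```

Two things the gate-level model already shows: a protocol rule decides 80 slots into the packet while a port rule has to wait for slot 192, so the buffer memory of slide 17 must hold at least that much of the packet before the switch can act; and the CRC register needs only one XOR per slot, which is why it is the kind of block slide 16 proposes for the optical side.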

Slide 21: WP 3.3 Definition of a Security Application Programming Interface (SAPI)

SAPI will bridge the gap between optical execution of key components and programming of security applications
- High-level programming: abstract all low-level details; operate independently of system modifications; allow for the integration of additional software and hardware components of increasing complexity
- Hardware-software interface: fast optical processing, reconfigurable at much slower rates; user interventions rare, at the conventional speed of electronics
- D3.3 Definition of SAPI (M27)

