Presentation is loading. Please wait.

Presentation is loading. Please wait.

Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler.

Published byBethanie Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler."— Presentation transcript:

1 Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler dvs1@arl.wustl.edu http://www.arl.wustl.edu/arl/projects/fpx/

2 Department of Computer Science and Engineering Applied Research Laboratory Outline Problem Statement and Motivation Overview of Content Scanning System Description of Architecture Initial Target Hardware Platform Conclusion

3 Department of Computer Science and Engineering Applied Research Laboratory Problem Statement Scan TCP data flows at backbone data rates –Intrusion Detection Systems –Virus detection and elimination –Content based routing –Extensible networking solutions Support enhanced flow manipulation –Blocking –Unblocking –Termination –Modification

4 Department of Computer Science and Engineering Applied Research Laboratory Motivation Internet has become both dangerous and costly Viruses spread to machines world wide –Consume computing resources –Reduce network throughput Email accounts flooded with spam –Consume disk space –Inconvenience users Current prevention techniques inadequate –Users fail to apply security patches –Anti-virus software doesn’t prevent all attacks

5 Department of Computer Science and Engineering Applied Research Laboratory Dept B University X Location A C B Dept A B C Carrier NAP Los Angeles NAP St. Louis NAP Dept A Carrier NAP Small Town U.S.A. NAP Widespread Virus Migration

6 Department of Computer Science and Engineering Applied Research Laboratory Dept B University X Location A C B Dept A B C Carrier NAP Los Angeles NAP St. Louis NAP Dept A Carrier NAP Small Town U.S.A. NAP Virus Containment

7 Department of Computer Science and Engineering Applied Research Laboratory Solution A hardware based, TCP/IP content scanner Reconstruct TCP byte streams from data packets Scan TCP stream data for digital signatures Provide enhanced flow management features –Quarantine or eliminate viruses Operate at Internet backbone data rates –Multi gigabit/second data rates

8 Department of Computer Science and Engineering Applied Research Laboratory Types of Monitoring Systems In-Band Monitor –Able to block or alter transmitted data Out-of-Band Monitor –Always a passive solution –Limited to detection systems

9 Department of Computer Science and Engineering Applied Research Laboratory Content Scanning System

10 Department of Computer Science and Engineering Applied Research Laboratory Environment High data rates –OC-48 (2.5Gb/s) ~200 ns to process 64 byte packet –OC-192 (10Gb/s) ~51 ns to process 64 byte packet Backbones support millions of active flows Large amounts of per-flow state information

11 Department of Computer Science and Engineering Applied Research Laboratory Competing Solutions Firewall –Filter based on header fields (address & port) Anti-virus software –Only protects one system Snort –Software based detection system IDS Systems –Traffic rates < 1Gbps TCP-Splitter –Limited to monitoring

12 Department of Computer Science and Engineering Applied Research Laboratory Input Buffer Buffers packets during downstream processing delays Ensures data loss occurs in whole packet increments

13 Department of Computer Science and Engineering Applied Research Laboratory TCP Protocol Processing Engine

14 Department of Computer Science and Engineering Applied Research Laboratory Handling Improper Flow Termination TCP protocol supports idle flows Cannot differentiate between idle flow and abnormal termination How to handle idle flows? –Timer based termination –Least recently used age out policy –Random age out policy

15 Department of Computer Science and Engineering Applied Research Laboratory Simple interface Supports multiple hashing algorithms 512 MByte SDRAM module 64 bytes of state per flow –32 bytes used by TCP Processing Engine –32 bytes available for Content Scanner 8 million active flows supported State Store Manager Features

16 Department of Computer Science and Engineering Applied Research Laboratory State Store Manager

17 Department of Computer Science and Engineering Applied Research Laboratory Per-Flow State Store Record

18 Department of Computer Science and Engineering Applied Research Laboratory Hash Implementation Tradeoffs Unlimited hash entry chaining –Pro: Best option for fully monitoring all flows –Con:Excessive time required to perform lookup No hash entry chaining –Pro:Easy to implement Fast –Con:Potential for incomplete monitoring of flows Limited hash entry chaining –Pro:Bounded time to perform lookup –Con:Potential for incomplete monitoring of flows Excessive time required to perform lookup

19 Department of Computer Science and Engineering Applied Research Laboratory Single Content Scanning Module RE[1] n Output Buffer Logic Controller RE[2]RE[3] RE[n-1] … 32 Alert Packet Generator 1 n 32 8 RE[n] Regular Expression Buffer 32

20 Department of Computer Science and Engineering Applied Research Laboratory RE[N] RE[N-1] RE[2] RE[1] … RE[3] n 8 32 Four Parallel Scanners Dispatcher Flow Control RE[N] RE[N-1] RE[2] RE[1] … RE[3] n 8 32 RE[N] RE[N-1] RE[2] RE[1] … RE[3] n 8 32 RE[N] RE[N-1] RE[2] RE[1] … RE[3] n 8 32

21 Department of Computer Science and Engineering Applied Research Laboratory Enhanced Flow Management

22 Department of Computer Science and Engineering Applied Research Laboratory Target Hardware Platform Field Programmable Port Extender (FPX) Oscillators Static Ram NID (XCV600E) RAD (XCV2000E) PROM

23 Department of Computer Science and Engineering Applied Research Laboratory FPX Based Network Appliance

24 Department of Computer Science and Engineering Applied Research Laboratory Conclusion Architecture for TCP/IP content scanning system Hardware based solution –OC-48 line rates (target clock rate 75–80 MHz) Scalable design –Should support OC-192 rates using latest technology Regular expression based content matching Large capacity state store –8 million active flows –64 bytes of per flow storage (32 bytes for scanning engine) Enhanced flow manipulation features –Flow blocking, unblocking, termination and modification

25 Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler dvs1@arl.wustl.edu http://www.arl.wustl.edu/arl/projects/fpx/

Download ppt "Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler."

Similar presentations

Computer-System Structures Er.Harsimran Singh www.ProgrammingPlaza.com.

Computer-System Structures Er.Harsimran Singh
Business Solutions Network Security Solutions Gateway Security

Business Solutions Network Security Solutions Gateway Security
Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
1 An Open Source Hardware Module for High-Speed Network Monitoring on NetFPGA NetFPGA European Developers Workshop 2010 Gianni Antichi, Stefano Giordano.

1 An Open Source Hardware Module for High-Speed Network Monitoring on NetFPGA NetFPGA European Developers Workshop 2010 Gianni Antichi, Stefano Giordano.
OS2-1 Chapter 2 Computer System Structures. OS2-2 Outlines Computer System Operation I/O Structure Storage Structure Storage Hierarchy Hardware Protection.

OS2-1 Chapter 2 Computer System Structures. OS2-2 Outlines Computer System Operation I/O Structure Storage Structure Storage Hierarchy Hardware Protection.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Belnet Antispam Pro A practical example Belnet – Aris Adamantiadis BNC – 24 November 2011.

Belnet Antispam Pro A practical example Belnet – Aris Adamantiadis BNC – 24 November 2011.

Similar presentations

Ads by Google