Published by Justin Black. Modified over 9 years ago
1
ICS-FORTH WISDOM
Workpackage 3: New security algorithm design
FORTH-ICS
Update and plans for the next six months
Heraklion, 4th June 2007
2
WISDOM WP3: New security algorithm design
Objectives
- Identify critical security application components which can be efficiently implemented in the optical domain.
- Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
- Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.
Tasks - Deliverables
- WP 3.1: Security Applications Partitioning (M12)
- WP 3.2: Identification of simplified Security Algorithm Components (M24)
- WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)
3
WP3.1 Security Applications Partitioning
- Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
- Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)
- WP2 outcome crucial to WP3
  - restrictions from optical hardware
- D3.1 report M12
4
WP3.1 Security Applications Partitioning
Identify efficient operations in optical domain by considering
- basic firewall functionality
  - prevent communication for specific servers and services
- basic IDS/IPS functionality
  - signature, anomaly based detection
- packet structure and decoding
  - TCP/IP, UDP, ICMP, etc
- optical hardware
  - optical data format, optical bit filtering, optical pattern matching, buffer (delays)
5
WP3.1 Security Applications Partitioning
Optical hardware
- Return-to-zero data format
  - NRZ to RZ, DPSK to RZ conversion possible
- Baseline data rate at 40 Gb/s
  - 25 ps bit period
  - 100 Gb/s and up will be considered later
- Synchronous operation
  - Optoelectronic clock recovery
- Delays (variable?)
  - Short term storage of packets in recirculating buffer memory
  - Delays proportional to packet size and to bit rate
  - 40 bits (5 bytes) at 40 Gb/s translates to 20 cm buffer and 1 ns propagation delay
6
WP3.1 Security Applications Partitioning
Optical hardware
Optical processing units
- Pattern recognition system
  - For n bits compared with N-bit target latency Nn bit periods
  - Target length set electronically
  - Sequence length should be equal to recirculating loop (note readily variable)
- Optical switch
  - Gate packets according to packet inspection
  - Sub-nanoseconds switching times
  - Reconfigurable in nanoseconds
7
WP3.1 Security Applications Partitioning
Packet structure and decoding
- Header (fixed length), Payload (variable length)
- Optical processing for headers only
- Optical filtering to extract specific fields from headers
- Complication: need to check options length.
8
WP3.1 Security Applications Partitioning
Basic firewall functionality in the optical domain
- Look at port numbers
  - Block traffic for specific ports
  - Optical filtering, optical pattern matching
- Look at IP addresses
  - Block traffic for specific IP addresses
  - Optical filtering, optical/electronic pattern matching
- Look at IP protocol
  - Block traffic for certain protocols
- Headers only
  - Less than 10% of rules, more than 90% of alerts
  - What happens to payload in the meantime? (sampling, randomized, heuristic…)
9
WP3.1 Security Applications Partitioning
Firewall rule example | Inspection
Deny all incoming traffic with IP matching internal IP | source IP address
Deny incoming from black-listed IP addresses | source IP address
Deny all incoming ICMP traffic | IP protocol
Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) | destination port
Deny incoming/outgoing TCP 6666/6667 | destination port
Allow incoming TCP 80, 443 (http, https) to internal web server | destination port (destination IP address)
Deny incoming TCP 25 to SMTP server from external IP addresses | destination port (destination)/source IP address
Allow UDP 53 to internal DNS server | destination port (destination IP address)
Typical port assignments for some other services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
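The header-only inspection described on the preceding slides, written as an added software sketch (not part of the original presentation): it reads only header fields, locates the destination port through the IP header length so that options do not shift it, and applies a subset of the rule table above. The addresses, the default-deny fallthrough and the helper names are assumptions of this example.

```python
import ipaddress
import struct

TCP, UDP, ICMP = 6, 17, 1
# Constructed addresses (assumptions of this example, not from the slides).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BLACKLIST = {ipaddress.ip_address("203.0.113.7")}
WEB_SERVER = ipaddress.ip_address("10.0.0.80")

def header_fields(pkt: bytes):
    """Return (protocol, source, destination, destination port) from headers only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # 20 bytes, or more when options are present
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("invalid header length")
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    dport = None
    # Ports sit right after the IP header, and only in the first fragment.
    if proto in (TCP, UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    return proto, src, dst, dport

def decide_incoming(pkt: bytes) -> str:
    """Apply a subset of the slide's incoming rules, in order."""
    proto, src, dst, dport = header_fields(pkt)
    if src in INTERNAL_NET or src in BLACKLIST:
        return "deny"
    if proto == ICMP:
        return "deny"
    if proto in (TCP, UDP) and dport in (135, 445):
        return "deny"
    if proto == TCP and dport in (6666, 6667):
        return "deny"
    if proto == TCP and dport in (80, 443) and dst == WEB_SERVER:
        return "allow"
    return "deny"                        # default deny is an assumption of this example

def build(src, dst, proto, dport, options=b""):
    """Construct a minimal sample packet (checksums and lengths left at zero)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 0, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + options + struct.pack("!HH", 40000, dport)
```

A filter that read the port at a fixed offset of 22 bytes would see option bytes instead of the port in any packet carrying IP options, which is the "options length" complication noted above.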
10
WP3.1 Security Applications Partitioning
Filtering out e-mail traffic
11
WP3.1 Security Applications Partitioning
Matching IP address
12
WP3.1 Security Applications Partitioning
Proposed optical DoS attack detection
- DoS attacks
  - SYN bit optical counter?
13
WP3.1 Security Applications Partitioning
Basic Firewall, NIDS/NIPS functionality
- Simple pattern matching
  - optical for packet header, electronic for payload
- Stateful inspection
  - no obvious implementation in the optical
- Anomaly detection
  - optical (e.g. simple DoS attacks) and electronic
14
WP3.2 Identification of Simplified Security Algorithms Components
- Optical pre-processing for more complex pattern recognition
- Restrictions in optical domain (buffering, level of integration, etc)
- Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)
- Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques.
- D3.2 Identification of simplified Security Algorithms Components (M24)
15
WP 3.3 Definition of a Security Application Programming Interface (SAPI)
- SAPI will bridge the gap between optical execution of key components and programming of security applications
- High-level programming, abstract all low-level details
- Monitoring Application Programming Interface (MAPI)
- D3.3 Definition of SAPI (M27)
16
Next six months
D3.2 Identification of simplified Security Algorithms Components
- Tree-like structures
- Hash functions
- Bloom filters
- Heuristics
- Parallel use of optical devices
  - up to a dozen “on a chip”
- Parallel/Distributed Architectures
17
Modeling and simulation
- Physical models of optical hardware
  - from WP4 but useful for WP3
- Functional models of optical devices and simulators
  - Optical bit matching
  - Conventional electronics