A hybrid hardware/software approach to cyber security is presented that can help solve problems with rising data rates. Standard software tools have challenges processing high data rates. Offloading processing to specialized network adapters can help filter traffic and detect threats while reducing CPU load. This allows capturing more data without loss even at high speeds like 10Gbps.
1. A Hybrid Approach to Cyber Security
Presented by Steve Patton
Where innovative thinking
meets engineering excellence
2. What this session is about / what will I learn?
Standard building blocks of Cyber Security
Systems
Some of the problems system builders face
as data rates rise
How a hybrid hardware/software approach
can solve these problems
…alternative title: “using a combination of hardware and software to build cyber security systems”
2 www.telesoft-technologies.com
Copyright 2012 by Telesoft Technologies. All rights reserved
3. High Level Cyber Security Design Objectives
Capture and analyse flows
Filtering through Gb’s of packet data
Identify threat signatures
100% visibility – no data loss
Build to a cost
End Game = detect
& prevent intrusions
4. What tools do we have?
Off the shelf software applications
– DPI (primarily in software)
• Flow tracking
• N-tuple
• Traffic analysis
• Pattern & signature matching
Open source / freeware
– ACARM-ng, AIDE, Bro NIDS, OSSEC HIDS, Prelude Hybrid IDS, Samhain, Snort, Suricata
Off the shelf servers with GbE ports
5. DPI?
Deep Packet Inspection (DPI) is the act of any IP network equipment which is not an endpoint of a communication using non-header content (typically the actual payload) for some purpose.
In IP this generally means content above the TCP/UDP layer
Used for identification and filtering
6. Flow Tracking
First basic filtering operation; not really DPI, since it looks only at headers
Based on a 5-tuple flow identifier built from packet header parameters
Common concept in network security equipment, e.g. firewalls
End goal: determine which packets belong to a communication (“flow”) between two computers
7. N-tuple
An n-tuple is a collection of packet header attributes. The common one is the 5-tuple:
– Source IP address
– Source port (typically: any)
– Destination IP address
– Destination port (e.g. 80 or 443)
– Transport protocol, taken from the IP protocol field (typically TCP or UDP)
How are they used?
– Filtering
– Define access requirements
– Identify suspect flows
8. N-tuple in practice
9. Where 5-tuple is not enough
Identify specific protocols
Identify malware and badly behaving applications
Identify signatures
Use enhanced filtering to inspect deeper into the data
10. Pattern & Signature Matching
Second basic filtering operation
Search for strings or numeric values at certain positions in the payload
– usually several patterns for each protocol, all of which must match
11. (figure-only slide)
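The positional matching described on slide 10, as an added example in Python (not code from the Telesoft deck or any product it describes). It mimics an IDS content rule with an offset and a depth; the rule table and the sample payloads are constructed for illustration, and the TLS and HTTP byte layouts are the standard ones.

```python
# Added example, not from the deck: positional pattern matching over packet
# payloads in the style of an IDS content rule with offset and depth. The
# rules and sample payloads are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pattern:
    content: bytes
    offset: int = 0               # start searching this far into the payload
    depth: Optional[int] = None   # length of the search window; None = to the end


def matches(pat: Pattern, payload: bytes) -> bool:
    """True if pat.content occurs within payload[offset : offset + depth]."""
    end = None if pat.depth is None else pat.offset + pat.depth
    window = payload[pat.offset:end]
    return len(window) >= len(pat.content) and pat.content in window


# Several patterns per protocol; a rule fires only when all of its patterns match.
RULES = {
    "http-get":  [Pattern(b"GET ", 0, 4)],
    "http-post": [Pattern(b"POST ", 0, 5)],
    "ssh":       [Pattern(b"SSH-", 0, 4)],
    # TLS record header: type 0x16 (handshake), major version 0x03; at record
    # offset 5 sits the handshake type, 0x01 for ClientHello.
    "tls-client-hello": [Pattern(b"\x16\x03", 0, 2), Pattern(b"\x01", 5, 1)],
    # A threat signature with no position constraint: scan the whole payload.
    "sqlmap-user-agent": [Pattern(b"User-Agent: sqlmap")],
}


def classify(payload: bytes) -> set:
    """Names of every rule whose patterns all match this payload."""
    return {name for name, pats in RULES.items()
            if all(matches(p, payload) for p in pats)}


if __name__ == "__main__":
    print(classify(b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n\r\n"))
```

Anchored patterns (a fixed offset and a short depth) cost a handful of byte compares per packet; unanchored ones such as the User-Agent search scan the whole payload and are what dominates CPU at 10 Gb/s, which is the work a filtering adapter offloads. Matching a single packet also misses a pattern split across two TCP segments; a real sensor reassembles the stream first.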
12. Traffic Analysis
Third basic DPI operation
Why do we do this?
– Pattern matching is impossible on encrypted payloads
Instead, analyse traffic patterns visible from headers and timing:
– Packet sizes
– Packet size sequences
– Data rates
– Packet rates
– Number of concurrent flows
– Flow arrival rate
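Flow tracking by direction-independent 5-tuple (slides 6 and 7) and the header-only features of slide 12, as one added Python example that is not part of the original deck. The packet trace is constructed here; the flow key, feature names and the `Packet` record are this example's own choices, not a Telesoft interface.

```python
# Added example, not code from the Telesoft deck: track 5-tuple flows over a
# constructed packet trace and derive the traffic-analysis features listed on
# slide 12, none of which needs the payload.
from dataclasses import dataclass, field
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float      # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    size: int      # bytes on the wire


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple, so both halves of a conversation share one key."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto,) + lo + hi


@dataclass
class Flow:
    first_ts: float
    last_ts: float
    sizes: list = field(default_factory=list)   # packet size sequence, in arrival order

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

    def features(self) -> dict:
        """Header-only features that still work on encrypted traffic."""
        n, total = len(self.sizes), sum(self.sizes)
        # A single-packet flow has zero duration; fall back to a 1 s divisor.
        d = self.duration if self.duration > 0 else 1.0
        return {
            "packets": n,
            "bytes": total,
            "mean_size": total / n,
            "size_sequence": self.sizes[:5],
            "duration": self.duration,
            "packet_rate": n / d,          # packets per second
            "data_rate": 8 * total / d,    # bits per second
        }


def track_flows(packets) -> dict:
    """Group packets into flows keyed by the canonical 5-tuple."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        k = flow_key(p)
        if k not in flows:
            flows[k] = Flow(p.ts, p.ts)
        flows[k].last_ts = p.ts
        flows[k].sizes.append(p.size)
    return flows


def concurrent_flows(flows, t: float) -> int:
    """Flows that had started and not yet seen their last packet at time t."""
    return sum(1 for f in flows.values() if f.first_ts <= t <= f.last_ts)


def flow_arrival_rate(flows, t0: float, t1: float) -> float:
    """New flows per second in the window [t0, t1)."""
    new = sum(1 for f in flows.values() if t0 <= f.first_ts < t1)
    return new / (t1 - t0)


# Constructed trace: one HTTPS conversation, one DNS lookup and a lone SSH SYN.
SAMPLE = [
    Packet(0.000, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 74),
    Packet(0.020, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 74),
    Packet(0.021, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 66),
    Packet(0.022, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 583),
    Packet(0.045, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1514),
    Packet(0.046, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1514),
    Packet(0.100, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 200),
    Packet(0.010, "10.0.0.5", 40000, "10.0.0.1", 53, "udp", 80),
    Packet(0.012, "10.0.0.1", 53, "10.0.0.5", 40000, "udp", 160),
    Packet(0.500, "10.0.0.6", 52000, "10.0.0.9", 22, "tcp", 74),
]

if __name__ == "__main__":
    for key, flow in track_flows(SAMPLE).items():
        print(key, flow.features())
```

The size sequence is the feature that survives encryption best: a TLS flow that opens with a short ClientHello-sized segment followed by two full-size segments from the server looks the same whether or not the payload is readable. In a production sensor the flow table must also be expired (idle timeout, FIN/RST) or it grows without bound under a SYN flood.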
13. Let’s build a 1GbE IDS
Build using standard server hardware
– Add in commodity 1GbE adapters where necessary
Use custom or off the shelf software applications
– IDS/IPS (Snort?)
– DPI software
14. Challenges
Rising data rates
– Enterprise:
• 1 Gb/s common
• 10 Gb/s becoming more common
– Datacentre:
• 40 Gb/s, multiple 100 Gb/s
Ever growing protocol diversity
Both consume CPU resources, which drives up cost
15. Let’s build a 10GbE IDS
Same basic components as the 1Gb IDS
But:
– The server needs to process 10 times the data throughput
– Add in a 10GbE interface card
16. Data loss is the enemy
What causes data loss?
– Dropped packets – the CPU can’t keep up
• We can buffer in the server, but the buffer can overrun
• Otherwise we need more powerful CPUs/servers
– Delay between deciding that we want to monitor something and actually monitoring it (latency)
– Larger delays – deciding half way through a session that we want to monitor it, when seconds have already passed
17. More CPU, more memory, more speed
40 Gb/s is typically 15 x the cost of 2 Gb/s
[Chart: cores, memory and cost plotted against line rate of 2, 4, 10, 20 and 40 Gb/s]
18. What can we do to offload processing?
Categorise flows by hashing the 5-tuple and route each flow to one of several lower-cost servers for processing
– Every packet of a flow carries the same
• Source IP address
• Source port (typically: any)
• Destination IP address
• Destination port (e.g. 80 or 443)
• Transport protocol (typically TCP)
– so a hash of those fields sends the whole flow to the same server
An intelligent line adapter allows flows to be split and routed with virtually zero host CPU overhead
19. How could an intelligent xGbE adapter help?
Using 5-tuple filtering to route flows to distributed, low cost IDS servers
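The hash-based flow splitting of slides 18 and 19, as an added Python example (not Telesoft’s adapter logic). It shows the two properties a practitioner wants from the hash: it must be symmetric, so both directions of a connection land on the same IDS server, and it should be keyed with a per-deployment secret so an attacker cannot craft 5-tuples that all collide onto one server. The workload and the secret are constructed here.

```python
# Added example, not from the deck: spread flows across N IDS servers with a
# keyed, direction-symmetric hash of the 5-tuple.
import hashlib
import ipaddress
import struct
from collections import Counter


def flow_hash(src: str, sport: int, dst: str, dport: int, proto: int, key: bytes) -> int:
    """64-bit keyed hash of the canonical (endpoint-order-independent) 5-tuple."""
    a = (ipaddress.ip_address(src).packed, sport)
    b = (ipaddress.ip_address(dst).packed, dport)
    lo, hi = (a, b) if a <= b else (b, a)        # canonicalise endpoint order
    material = lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], proto)
    digest = hashlib.blake2b(material, digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big")


def choose_server(pkt: tuple, n_servers: int, key: bytes) -> int:
    """Index of the server that must receive every packet of this flow.

    pkt is (src, sport, dst, dport, proto) with proto as the IP protocol number.
    """
    return flow_hash(*pkt, key) % n_servers


def reverse(pkt: tuple) -> tuple:
    """The same flow as seen from the other direction."""
    src, sport, dst, dport, proto = pkt
    return (dst, dport, src, sport, proto)


def distribute(pkts, n_servers: int, key: bytes) -> Counter:
    """Per-server flow counts for a batch of packets (one packet per flow here)."""
    return Counter(choose_server(p, n_servers, key) for p in pkts)


# Constructed inputs: a per-deployment secret, one client hello and 1000
# distinct client flows to the same HTTPS server.
SECRET = b"per-deployment-secret"
CLIENT_HELLO = ("10.0.0.5", 51000, "192.0.2.10", 443, 6)
WORKLOAD = [("10.0.%d.%d" % (i // 256, i % 256), 40000 + i, "192.0.2.10", 443, 6)
            for i in range(1000)]

if __name__ == "__main__":
    print("forward ->", choose_server(CLIENT_HELLO, 4, SECRET),
          "reverse ->", choose_server(reverse(CLIENT_HELLO), 4, SECRET))
    print(sorted(distribute(WORKLOAD, 4, SECRET).items()))
```

Two caveats the adapter designer has to handle: IP fragments after the first carry no transport header, so they must either be reassembled or hashed on the address pair alone, and changing `n_servers` re-homes almost every live flow, so the mapping is normally changed only between capture sessions.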
20. If multiple systems are not an option
Use a powerful server/compute platform
OR
Offload as much processing as possible onto a hardware accelerated network adapter
21. Accelerated Network Adapters
Specialised packet interface and processing cards
– Assist with layer 2, 3 & 4 filtering and classification
– Load balancing flows to multiple processing engines
– Pre-filtering on other layers (e.g. L7 content)
– Keyword and signature matching
22. Basic NIC Card
23. Accelerated Card – With Filtering
24. Missing packets due to start delay
25. Sometimes the session control is separate
26. How can we guard against this?
Store everything on the host server or on a separate storage device
– More complex = more cost
Implement packet buffers in the line cards
– Needs to be in the order of 300 ms to cover detection latency
– May need to be as long as 2 to 3 s where the session control signalling is carried separately from the data
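The line-card packet buffer of slide 26, and the start-delay and separate-session-control problems of slides 24 and 25 it guards against, as an added Python example that is not from the deck. A time-bounded buffer keeps the last `horizon` seconds of packets; when a decision arrives late (here a message on a separate control flow), the packets of the data flow that arrived before the decision can still be recovered. The trace, flow keys and the "CAPTURE" control message are constructed for the example.

```python
# Added example, not from the deck: a time-bounded packet buffer that lets a
# late decision recover the packets that arrived before it was made.
from collections import deque


class PacketBuffer:
    """Keeps every packet seen in the last `horizon` seconds, oldest first."""

    def __init__(self, horizon: float):
        self.horizon = horizon
        self._buf = deque()          # (ts, flow_key, payload) in arrival order
        self.buffered_bytes = 0

    def push(self, ts: float, key, payload: bytes) -> None:
        self._buf.append((ts, key, payload))
        self.buffered_bytes += len(payload)
        self._expire(ts)

    def _expire(self, now: float) -> None:
        # Drop from the front until the oldest packet is within the horizon.
        while self._buf and now - self._buf[0][0] > self.horizon:
            _, _, payload = self._buf.popleft()
            self.buffered_bytes -= len(payload)

    def recover(self, key) -> list:
        """All still-buffered packets of one flow, in arrival order."""
        return [p for _, k, p in self._buf if k == key]


# Constructed trace: a data flow starting at t=0.30 s and a separate control
# flow whose message at t=2.50 s tells the monitor the data flow matters.
DATA = ("tcp", "10.0.0.5", 51000, "198.51.100.7", 8080)
CTRL = ("tcp", "10.0.0.5", 5060, "198.51.100.7", 5060)
OTHER = ("udp", "10.0.0.8", 4000, "10.0.0.1", 53)
TRACE = [
    (0.30, DATA, b"data-1"),
    (0.35, OTHER, b"dns"),
    (0.60, DATA, b"data-2"),
    (1.20, DATA, b"data-3"),
    (2.30, DATA, b"data-4"),
    (2.50, CTRL, b"CAPTURE 198.51.100.7:8080"),
]


def replay(horizon: float) -> list:
    """Feed the trace through a buffer of the given horizon. When the control
    message arrives, return whatever of the data flow is still buffered."""
    buf = PacketBuffer(horizon)
    for ts, key, payload in TRACE:
        buf.push(ts, key, payload)
        if key == CTRL and payload.startswith(b"CAPTURE"):
            return buf.recover(DATA)
    return []


if __name__ == "__main__":
    for horizon in (0.3, 1.5, 3.0):
        print(horizon, replay(horizon))
```

A 300 ms horizon keeps only the most recent packet of the data flow; 3 s keeps the whole session, matching the two figures on the slide. The cost is memory on the card: at 10 Gb/s a 300 ms buffer holds about 375 MB and a 3 s buffer about 3.75 GB, which is why the buffer lives on the adapter rather than in host RAM that the IDS also needs.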
27. Integrated, filtering interface/adapter card
AKA
– Hardware Accelerator Cards
– Accelerating Capture Cards
– Load balancing NIC
– Network Analysis Adapter
28. Summary
By sharing the filtering and processing load for a cyber security application between the host CPU and the line card we can:
– Build physically smaller systems
– Save on power
– Save on component cost
– Save on space
– Eliminate packet loss
Small but powerful!
29. For more information
Talk to Telesoft today
Visit www.telesoft-technologies.com
Thank you
The definition of insanity is people
trying to do the same thing and
expecting different results
Einstein
30. Headquarters: Telesoft Technologies Ltd, Observatory House, Blandford, Dorset DT11 9LQ, UK. T. +44 (0)1258 480 880, F. +44 (0)1258 486 598, E. sales@telesoft-technologies.com
Americas: Telesoft Technologies Inc, Suite 601, 4340 Georgetown Square, Atlanta GA 30338, USA. T. +1 770 454 6001, F. +1 770 452 0130, E. salesusa@telesoft-technologies.com
India: Telesoft Technologies Ltd (Branch Office), Building FC-24, Sector-16A, Noida 201301, Uttar Pradesh, India. T. +91 120 466 0300, F. +91 120 466 0301, E. salesindia@telesoft-technologies.com
www.telesoft-technologies.com Copyright 2010 by Telesoft Technologies. All rights reserved.