Post on 30-Jan-2016
RAID2005
CardGuard:
Towards software-based signature detection for intrusion prevention on the network card
Herbert Bos and Kaiming Huang, presented by Willem de Bruijn
IDS is insufficient
intrusion prevention is preferable over detection:
active guarding nullifies evasion & insertion attempts
but prevention is problematic at traditional firewalls:
performance issues
lack of knowledge: internal nodes are expected to be safe
rigid, leading to circumvention
Move IPS to the edge
CardGuard implements
full payload scanning, at line-rate*
using a software-based solution on the network card
to create a (crude) cost-effective local IPS
Outline: Introduction, Architecture, Implementation, Results
distributed firewalling
signature detection is easier at the network edge
but it can overwhelm the host CPU: 69 Mbps max on a 1.8 GHz P4
a solution is to offload to the NIC: unobtrusive & difficult to subvert
Network Processors
Programmable NICs that combine cheap software with fast hardware
they contain
● stream processors
● asynchronous memory
● hardware assist (e.g., CAM)
Efficient Pattern Matching
snort ruleset: > 28,000 pattern-based rules, requires parallel processing
Aho-Corasick pattern-matching algorithm:
single-pass over the input, one state transition per byte
scan cost per byte independent of #patterns
Aho Corasick Example
a deterministic finite automaton (DFA) for the Slammer worm identifies 5 different patterns
(figure: the DFA itself is not reproduced here)
IXP1200
PCI daughterboard or stand-alone box
two 1 Gbps ports
6 stream µEngines, 4 HW threads/engine
1 StrongARM CPU @ 200 MHz
IXP 2XXX (successor family)
software mapping
(figure: mapping of the pipeline stages onto the hardware; stages named: Rx, Cp, ToE, AC (two instances), RegEx, Tx)
Flow handling
TCP reconstruction light: basic flow-accounting, datastream sanitisation
Out-of-order handling: put on hold, or two-pass scan
(figure: pipeline stages Rx, Cp, ToE, AC, Tx; not reproduced)
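The two mechanisms the slides name, a single-pass Aho-Corasick DFA (one table lookup per payload byte, independent of the number of patterns) and "put on hold" handling of out-of-order TCP segments, as one added illustration in Python. This is not code from the CardGuard paper or its IXP1200 microengine implementation; the patterns, sequence numbers and segment payloads are constructed sample data, the DFA is stored as a dense 256-entry table per state (the "in-memory DFA" layout), and the flow handler is deliberately "reconstruction light": sequence-number accounting only, no window, RST or timeout handling.

```python
"""Aho-Corasick DFA with per-flow state, plus hold-back of out-of-order segments.

Added example, not code from the CardGuard paper. All patterns, sequence
numbers and payloads below are constructed sample data.
"""
from collections import deque


def build_dfa(patterns):
    """Return (trans, output): trans[state][byte] -> next state (dense, 256 wide),
    output[state] -> indices of patterns ending at state. State 0 is the root."""
    trans, output = [[-1] * 256], [[]]
    for idx, pat in enumerate(patterns):          # phase 1: trie
        s = 0
        for b in pat:
            if trans[s][b] == -1:
                trans.append([-1] * 256)
                output.append([])
                trans[s][b] = len(trans) - 1
            s = trans[s][b]
        output[s].append(idx)
    fail = [0] * len(trans)                       # phase 2: failure links, BFS
    queue = deque()
    for b in range(256):
        if trans[0][b] == -1:
            trans[0][b] = 0                       # root loops on unmatched bytes
        else:
            queue.append(trans[0][b])
    while queue:
        r = queue.popleft()
        for b in range(256):
            s = trans[r][b]
            if s == -1:
                trans[r][b] = trans[fail[r]][b]   # precompute: no failure chasing at scan time
            else:
                fail[s] = trans[fail[r]][b]
                output[s].extend(output[fail[s]]) # patterns that are suffixes also match
                queue.append(s)
    return trans, output


def scan(trans, output, data, state=0):
    """Scan bytes from `state`; return (matches, final_state).
    matches = [(offset_after_match, pattern_index)]. Feeding final_state back
    in for the next packet of the same flow finds patterns split across packets."""
    matches = []
    for i, b in enumerate(data):
        state = trans[state][b]                   # exactly one lookup per byte
        for idx in output[state]:
            matches.append((i + 1, idx))
    return matches, state


class FlowScanner:
    """One TCP direction: scan in-order bytes, hold segments that arrive early."""

    def __init__(self, trans, output, isn):
        self.trans, self.output = trans, output
        self.next_seq, self.state = isn, 0        # next expected seq, DFA state there
        self.held = {}                            # seq -> payload, waiting for a gap to close

    def segment(self, seq, payload):
        """Feed one segment; return pattern indices matched by newly scanned bytes."""
        if seq > self.next_seq:                   # gap in front: put on hold
            self.held[seq] = payload
            return []
        hits = self._consume(seq, payload)
        while self.held:                          # drain held segments now contiguous
            low = min(self.held)
            if low > self.next_seq:
                break
            hits += self._consume(low, self.held.pop(low))
        return hits

    def _consume(self, seq, payload):
        if seq + len(payload) <= self.next_seq:   # pure retransmission: already scanned
            return []
        if seq < self.next_seq:                   # overlap: scan only the unseen tail
            payload = payload[self.next_seq - seq:]
        m, self.state = scan(self.trans, self.output, payload, self.state)
        self.next_seq += len(payload)
        return [idx for _, idx in m]


PATTERNS = [b"/bin/sh", b"cmd.exe", b"\x90\x90\x90\x90"]   # constructed signatures


def demo():
    """Constructed flow: segment 2 arrives before segment 1, and "/bin/sh" is
    split across the two. Returns the per-segment hit lists."""
    trans, output = build_dfa(PATTERNS)
    flow = FlowScanner(trans, output, isn=1000)
    seg1 = b"GET /index.html?x=/bin"             # 22 bytes, seq 1000
    seg2 = b"/sh HTTP/1.0\r\n"                    # 14 bytes, seq 1022
    seg3 = b"\x90\x90\x90\x90cmd.exe"             # seq 1036
    return [flow.segment(1022, seg2),             # held: gap at 1000
            flow.segment(1000, seg1),             # closes gap, seg2 drained, "/bin/sh" found
            flow.segment(1036, seg3)]             # NOP sled then cmd.exe


if __name__ == "__main__":
    print(demo())
```

The first call returns nothing because the segment is held; the second returns the hit for pattern 0 even though no single segment contains "/bin/sh", which is the point of carrying the DFA state per flow rather than restarting at each packet. The dense 256-entry table is what makes a transition a single memory access; on the IXP that access, not the instruction count, is the cost the later slides measure.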
efficient memory use
memory      size     latency
Registers   512 B    1 cycle (shared)
Istore      1 KB     1 cycle
Scratch     16 KB    12..14 cycles
SRAM        8 MB     16..20 cycles
SDRAM       256 MB   30..40 cycles
inline DFA (transitions held in registers / instruction store)
in-memory DFA (transition table in SDRAM)
memory access is the bottleneck
(figure: cost of 10 state-transitions in #cycles, scale 0..900; inline DFA in registers vs in-memory DFA in SDRAM)
benchmarks
(figure: cycles per packet, scale 0..60000, against packet size 64..1500 bytes)
processing costs scale linearly with data rate, not packet rate
Full TCP scan sustainable at 100 Mbit
conclusions
intrusion prevention is feasible at the network edge
NP-based solutions are cheap and unobtrusive
caveat: CardGuard is only a crude prototype
it lacks a sophisticated management plane