ICS-FORTH WISDOM Workpackage 3: New security algorithm design. FORTH-ICS. Update and plans for the next six months. Heraklion, 4th June 2007

Page 1

ICS-FORTH

WISDOM

Workpackage 3: New security algorithm design

FORTH-ICS

Update and plans for the next six months

Heraklion, 4th June 2007

Page 2

WISDOM WP3: New security algorithm design

Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and the low-level optical implementation.

Tasks - Deliverables
• WP 3.1: Security Applications Partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithm Components (M24)
• WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

Page 3

WP3.1 Security Applications Partitioning

• Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
• Partitioning of security-related applications (Firewalls, DoS attack detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)

WP2 outcome crucial to WP3: restrictions from optical hardware

D3.1 report M12

Page 4

WP3.1 Security Applications Partitioning

Identify efficient operations in the optical domain by considering
• basic firewall functionality: prevent communication for specific servers and services
• basic IDS/IPS functionality: signature and anomaly based detection
• packet structure and decoding: TCP/IP, UDP, ICMP, etc.
• optical hardware: optical data format, optical bit filtering, optical pattern matching, buffer (delays)

Page 5

WP3.1 Security Applications Partitioning: Optical hardware

• Return-to-zero data format: NRZ to RZ and DPSK to RZ conversion possible
• Baseline data rate at 40 Gb/s (25 ps bit period); 100 Gb/s and up will be considered later
• Synchronous operation: optoelectronic clock recovery
• Delays (variable?): short-term storage of packets in recirculating buffer memory. Delays are proportional to packet size and to bit rate: 40 bits (5 bytes) at 40 Gb/s translates to a 20 cm buffer and 1 ns propagation delay

Page 6

WP3.1 Security Applications Partitioning: Optical hardware

• Optical processing units
  - Pattern recognition system: for n bits compared with an N-bit target, latency is N·n bit periods. Target length set electronically. Sequence length should be equal to the recirculating loop (not readily variable)
  - Optical switch: gate packets according to packet inspection. Sub-nanosecond switching times, reconfigurable in nanoseconds

Page 7

WP3.1 Security Applications Partitioning: Packet structure and decoding

IP header: 4-bit version, IHL, TOS, 16-bit total length, 16-bit identification, flags, 13-bit fragment offset, TTL, protocol, 16-bit header checksum, 32-bit source IP address, 32-bit destination IP address, options (if any)

TCP header: 16-bit source port, 16-bit destination port, 32-bit sequence number, 32-bit acknowledgment number, Offset, Reserved, Flags, 16-bit window, 16-bit checksum, urgent pointer, Options (if any)

Application data

• Header (fixed length), Payload (variable length)
• Optical processing for headers only
• Optical filtering to extract specific fields from headers
• Complication: need to check options length.

Page 8

WP3.1 Security Applications Partitioning

Basic firewall functionality in the optical domain
• Look at port numbers: block traffic for specific ports. Optical filtering, optical pattern matching
• Look at IP addresses: block traffic for specific IP addresses. Optical filtering, optical/electronic pattern matching
• Look at IP protocol: block traffic for certain protocols

Headers only: less than 10% of rules, more than 90% of alerts. What happens to the payload in the meantime? (sampling, randomized, heuristic…)

Page 9

WP3.1 Security Applications Partitioning

Firewall rule example (field inspected)
• Deny all incoming traffic with IP matching internal IP (source IP address)
• Deny incoming from black-listed IP addresses (source IP address)
• Deny all incoming ICMP traffic (IP protocol)
• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) (destination port)
• Deny incoming/outgoing TCP 6666/6667 (destination port)
• Allow incoming TCP 80, 443 (http, https) to internal web server (destination port, destination IP address)
• Deny incoming TCP 25 to SMTP server from external IP addresses (destination port, destination/source IP address)
• Allow UDP 53 to internal DNS server (destination port, destination IP address)

Typical port assignments for some other services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
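The header-only, fixed-position matching that the slides assign to the optical stage, evaluated over the rule list above and including the options-length (IHL) complication from the packet structure slide, as an added Python example that is not code from the WISDOM project. The internal server addresses, the black-list entry and the packet samples are constructed for the example.

```python
import struct
from ipaddress import ip_address

INTERNAL_WEB = "192.0.2.10"   # assumed address of the internal web server
INTERNAL_DNS = "192.0.2.53"   # assumed address of the internal DNS server
BLACKLIST = {"203.0.113.7"}   # assumed black-listed source address

def header_fields(pkt: bytes) -> dict:
    """Tap the header fields at fixed bit positions, as an optical filter would.
    The port offset depends on IHL, which is the options-length complication."""
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    f = {"proto": pkt[9], "src": str(ip_address(pkt[12:16])),
         "dst": str(ip_address(pkt[16:20])), "ihl": ihl}
    if f["proto"] in (6, 17):                       # TCP/UDP: ports follow IHL
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f

def verdict(pkt: bytes) -> str:
    """First-match evaluation of the slide's example rules (incoming traffic)."""
    f = header_fields(pkt)
    if f["src"] in BLACKLIST:
        return "deny: black-listed source"
    if f["proto"] == 1:
        return "deny: ICMP"
    if f["proto"] in (6, 17) and f["dport"] in (135, 445):
        return "deny: RPC/Windows sharing"
    if f["proto"] == 6 and f["dport"] in (6666, 6667):
        return "deny: IRC"
    if f["proto"] == 6 and f["dport"] in (80, 443) and f["dst"] == INTERNAL_WEB:
        return "allow: web"
    if f["proto"] == 17 and f["dport"] == 53 and f["dst"] == INTERNAL_DNS:
        return "allow: DNS"
    return "no rule matched"

def build_ipv4(src, dst, proto, payload, options=b""):
    """Construct a minimal IPv4 packet for the samples (checksum left zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, ip_address(src).packed,
                      ip_address(dst).packed)
    return hdr + options + payload

def tcp_segment(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header, SYN by default; no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
# Constructed samples: the same TCP/80 request without and with 4 bytes of options.
PLAIN = build_ipv4("198.51.100.2", INTERNAL_WEB, 6, tcp_segment(40000, 80))
WITH_OPTS = build_ipv4("198.51.100.2", INTERNAL_WEB, 6, tcp_segment(40000, 80),
                       options=b"\x01\x01\x01\x01")   # four NOP options
```

A filter that always reads the ports at byte 20 would see the option bytes instead of the ports in the second sample, which is why the IHL field has to be decoded before the port tap is positioned.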

Page 10

WP3.1 Security Applications Partitioning

Filtering out e-mail traffic

Page 11

WP3.1 Security Applications Partitioning

Matching IP address

Page 12

WP3.1 Security Applications Partitioning

Proposed optical DoS attack detection

DoS attacks: SYN bit optical counter?
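What a SYN-bit counter of the kind proposed above would feed to the electronic side, as an added Python example (not from the WISDOM project): the counter only sees the SYN and ACK bits tapped from the TCP flags byte, and the electronic stage buckets them per time window and raises an alert when bare SYNs run far ahead of SYN+ACK replies. The window, thresholds and the traffic trace are constructed assumptions.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10   # TCP flag bits at fixed positions in the flags byte

def classify(flags: int) -> str:
    """Bucket a TCP flags byte as a bit counter on the header would:
    bare SYN (connection attempt), SYN+ACK (reply), or anything else."""
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    return "other"

def syn_flood_alerts(events, window=1.0, threshold=100):
    """events: iterable of (time_seconds, flags_byte) as tapped per packet.
    Count SYN and SYN+ACK per fixed window; alert when bare SYNs exceed the
    threshold or outnumber replies 10:1 (half-open handshakes piling up).
    Returns [(window_start, syn_count, synack_count)] for alerting windows."""
    per_window = {}
    for t, flags in events:
        start = int(t // window) * window
        per_window.setdefault(start, Counter())[classify(flags)] += 1
    alerts = []
    for start in sorted(per_window):
        c = per_window[start]
        if c["syn"] > threshold or c["syn"] > 10 * max(c["synack"], 1):
            alerts.append((start, c["syn"], c["synack"]))
    return alerts

def constructed_trace():
    """Constructed sample: 50 complete handshakes spread over 0..2 s, then
    300 bare SYNs in 2.0..2.5 s that receive no SYN+ACK at all."""
    events = []
    for i in range(50):
        t = i * 0.04
        events += [(t, SYN), (t + 0.001, SYN | ACK), (t + 0.002, ACK)]
    events += [(2.0 + i * 0.5 / 300, SYN) for i in range(300)]
    return events
```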

Page 13

WP3.1 Security Applications Partitioning

Basic Firewall, NIDS/NIPS functionality
• Simple pattern matching: optical for the packet header, electronic for the payload
• Stateful inspection: no obvious implementation in the optical domain
• Anomaly detection: optical (e.g. simple DoS attacks) and electronic

Page 14

WP3.2 Identification of Simplified Security Algorithms Components

• Optical pre-processing for more complex pattern recognition
• Restrictions in the optical domain (buffering, level of integration, etc.)
• Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)

Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques.

D3.2 Identification of simplified Security Algorithms Components (M24)

Page 15

WP 3.3 Definition of a Security Application Programming Interface (SAPI)

• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details

Monitoring Application Programming Interface (MAPI)

D3.3 Definition of SAPI (M27)

Page 16

Next six months

D3.2 Identification of simplified Security Algorithms Components
• Tree-like structures
• Hash functions
• Bloom filters
• Heuristics
• Parallel use of optical devices: up to a dozen "on a chip"
• Parallel/Distributed Architectures

Page 17

Modeling and simulation

• Physical models of optical hardware: from WP4 but useful for WP3
• Functional models of optical devices and simulators

(figure: Optical bit matching vs. Conventional electronics)