ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS Update and plans for the...
ICS-FORTH
WISDOM
Workpackage 3: New security algorithm design
FORTH-ICS
Update and plans for the next six months
Heraklion, 4th June 2007
WISDOM WP3: New security algorithm design
Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.
Tasks - Deliverables
• WP 3.1: Security Applications Partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithm Components (M24)
• WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)
WP3.1 Security Applications Partitioning
• Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
• Partitioning of security-related applications (firewalls, DoS attack detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)
WP2 outcome crucial to WP3: restrictions from optical hardware
D3.1 report (M12)
WP3.1 Security Applications Partitioning
Identify efficient operations in the optical domain by considering
• basic firewall functionality: prevent communication for specific servers and services
• basic IDS/IPS functionality: signature- and anomaly-based detection
• packet structure and decoding: TCP/IP, UDP, ICMP, etc.
• optical hardware: optical data format, optical bit filtering, optical pattern matching, buffer (delays)
WP3.1 Security Applications Partitioning: Optical hardware
• Return-to-zero data format: NRZ to RZ and DPSK to RZ conversion possible
• Baseline data rate at 40 Gb/s (25 ps bit period); 100 Gb/s and up will be considered later
• Synchronous operation: optoelectronic clock recovery
• Delays (variable?): short-term storage of packets in a recirculating buffer memory; delays proportional to packet size and to bit rate; 40 bits (5 bytes) at 40 Gb/s translates to a 20 cm buffer and 1 ns propagation delay
WP3.1 Security Applications Partitioning: Optical hardware
• Optical processing units
  - Pattern recognition system: for n bits compared with an N-bit target, latency Nn bit periods; target length set electronically; sequence length should be equal to the recirculating loop (not readily variable)
  - Optical switch: gate packets according to packet inspection; sub-nanosecond switching times; reconfigurable in nanoseconds
WP3.1 Security Applications Partitioning: Packet structure and decoding
Figure: IPv4 header layout (version, IHL, TOS, 16-bit total length, 16-bit identification, flags, 13-bit fragment offset, TTL, protocol, 16-bit header checksum, 32-bit source IP address, 32-bit destination IP address, options if any) followed by TCP header layout (16-bit source port, 16-bit destination port, 32-bit sequence number, 32-bit acknowledgment number, offset, reserved, flags, 16-bit window, 16-bit checksum, urgent pointer, options if any, application data)
Header (fixed length), payload (variable length)
• Optical processing for headers only
• Optical filtering to extract specific fields from headers
• Complication: need to check options length.
WP3.1 Security Applications Partitioning
Basic firewall functionality in the optical domain
• Look at port numbers: block traffic for specific ports (optical filtering, optical pattern matching)
• Look at IP addresses: block traffic for specific IP addresses (optical filtering, optical/electronic pattern matching)
• Look at IP protocol: block traffic for certain protocols
Headers only: less than 10% of rules, more than 90% of alerts
What happens to payload in the meantime? (sampling, randomized, heuristic…)
WP3.1 Security Applications Partitioning: Firewall rule example
Rule, followed by the header field inspected:
• Deny all incoming traffic with IP matching internal IP: source IP address
• Deny incoming from black-listed IP addresses: source IP address
• Deny all incoming ICMP traffic: IP protocol
• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing): destination port
• Deny incoming/outgoing TCP 6666/6667: destination port
• Allow incoming TCP 80, 443 (http, https) to internal web server: destination port, destination IP address
• Deny incoming TCP 25 to SMTP server from external IP addresses: destination port, destination/source IP address
• Allow UDP 53 to internal DNS server: destination port, destination IP address
Typical port assignments for some other services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
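The two preceding slides (header decoding and the firewall rule list) can be tied together in software. The following Python script is an added example, not code from the slides or from the WISDOM project: it extracts from a raw IPv4 packet exactly the header fields the rule list inspects, handling the options-length complication through the IHL nibble and the TCP data offset, and then evaluates the rule list on those fields. It goes slightly beyond the slide in also decoding UDP and ICMP headers. The internal network, the web/SMTP/DNS server addresses, the black-list entry, the default decision and the sample packets are constructed, assumed values; the traffic direction is passed in as a flag.

```python
import ipaddress
import struct

# Assumed network layout for the example (constructed values, not from the slides)
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
SMTP_SERVER = ipaddress.ip_address("192.0.2.25")
DNS_SERVER = ipaddress.ip_address("192.0.2.53")
BLACKLIST = {ipaddress.ip_address("198.51.100.7")}
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def parse_headers(pkt: bytes) -> dict:
    """Extract the fields the rule list inspects from a raw IPv4 packet.

    The options complication from the slide is handled here: IHL gives the real
    IPv4 header length and the TCP data offset gives the real TCP header length.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    f = {"proto": proto, "src": ipaddress.ip_address(src),
         "dst": ipaddress.ip_address(dst), "sport": None, "dport": None, "syn": False}
    l4 = pkt[ihl:]                        # transport header starts after the IP options
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(l4) < 8:
            raise ValueError("truncated transport header")
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:
        if len(l4) < 20 or (l4[12] >> 4) * 4 < 20:
            raise ValueError("bad TCP header length")
        f["syn"] = bool(l4[13] & 0x02)   # SYN bit of the TCP flags byte
    return f


def decide(f: dict, incoming: bool) -> str:
    """Apply the slide's rule list to the extracted fields; first match wins."""
    internal_src = f["src"] in INTERNAL_NET
    tcp, udp = f["proto"] == PROTO_TCP, f["proto"] == PROTO_UDP
    if incoming and internal_src:
        return "deny: internal source address on incoming traffic"
    if incoming and f["src"] in BLACKLIST:
        return "deny: black-listed source"
    if incoming and f["proto"] == PROTO_ICMP:
        return "deny: incoming ICMP"
    if incoming and (tcp or udp) and f["dport"] in (135, 445):
        return "deny: RPC / Windows sharing"
    if tcp and f["dport"] in (6666, 6667):
        return "deny: TCP 6666/6667"
    if incoming and tcp and f["dport"] in (80, 443) and f["dst"] == WEB_SERVER:
        return "allow: http/https to web server"
    if incoming and tcp and f["dport"] == 25 and f["dst"] == SMTP_SERVER and not internal_src:
        return "deny: SMTP from external address"
    if udp and f["dport"] == 53 and f["dst"] == DNS_SERVER:
        return "allow: DNS to internal server"
    return "allow: default"               # assumed default; the slide does not state one


def check(pkt: bytes, incoming: bool = True) -> str:
    return decide(parse_headers(pkt), incoming)


def build_packet(src, dst, proto, sport=0, dport=0, syn=False, ip_options=b""):
    """Constructed sample packet; checksums stay zero since only the fields matter here."""
    assert len(ip_options) % 4 == 0
    if proto == PROTO_TCP:
        flags = 0x02 if syn else 0x10
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)   # ICMP echo request
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(l4),
                     0, 0x4000, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + ip_options + l4


if __name__ == "__main__":
    web = build_packet("203.0.113.5", "192.0.2.10", PROTO_TCP, 40000, 80, syn=True,
                       ip_options=b"\x01\x01\x01\x01")     # four NOP options
    print(check(web))                                        # allow: http/https to web server
    print(check(build_packet("203.0.113.5", "192.0.2.10", PROTO_ICMP)))  # deny: incoming ICMP
```

The packet with IP options is the case the slide flags: a fixed 20-byte offset would read the ports out of the options bytes, which is why the extractor uses IHL before touching the transport header.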
WP3.1 Security Applications Partitioning: Filtering out e-mail traffic
WP3.1 Security Applications Partitioning: Matching IP address
WP3.1 Security Applications Partitioning: Proposed optical DoS attack detection
DoS attacks: SYN bit optical counter?
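The "SYN bit optical counter" idea above can be made concrete in software. The following Python example is added here and is not code from the slides or the WISDOM project: it counts connection-opening SYN segments per fixed time window and flags windows whose count exceeds a threshold, the kind of simple anomaly detector the partitioning slides assign to the optical domain. It goes a step further with a second counter-only indicator, the share of SYNs not answered by a SYN/ACK in the trace. The trace is constructed (nanosecond timestamps and the TCP flags byte only, the two things a bit filter would extract); window size and threshold are assumed tuning values.

```python
from collections import Counter

SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits of the 13th header byte


def syn_rate_alerts(packets, window_ns, threshold):
    """Return sorted (window_start_ns, syn_count) for windows whose number of
    pure SYN segments (SYN set, ACK clear) exceeds threshold.

    packets: iterable of (timestamp_ns, tcp_flags_byte)
    """
    counts = Counter()
    for ts, flags in packets:
        if flags & SYN and not flags & ACK:       # SYN/ACK replies are not counted
            counts[(ts // window_ns) * window_ns] += 1
    return sorted((w, c) for w, c in counts.items() if c > threshold)


def half_open_ratio(packets):
    """Share of SYNs with no matching SYN/ACK in the trace; floods leave most
    handshakes incomplete, so this rises with the attack even at low rates."""
    syns = sum(1 for _, fl in packets if fl & SYN and not fl & ACK)
    synacks = sum(1 for _, fl in packets if fl & SYN and fl & ACK)
    return 0.0 if syns == 0 else max(0.0, (syns - synacks) / syns)


def sample_trace():
    """Constructed trace: 3 ms of normal handshakes, then a 1 ms SYN burst."""
    pkts = []
    for i in range(30):                      # one complete handshake every 100 us
        t = i * 100_000
        pkts += [(t, SYN), (t + 10, SYN | ACK), (t + 20, ACK), (t + 30, ACK | PSH)]
    for i in range(200):                     # 200 SYNs between 3 ms and 4 ms, unanswered
        pkts.append((3_000_000 + i * 5_000, SYN))
    return pkts


if __name__ == "__main__":
    trace = sample_trace()
    print(syn_rate_alerts(trace, window_ns=1_000_000, threshold=50))  # [(3000000, 200)]
    print(round(half_open_ratio(trace), 2))                            # 0.87
```

Both functions need only two flag bits and a clock, which is what makes the counter a candidate for the optical part; deciding what to do with the flagged window stays with the electronic part.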
WP3.1 Security Applications Partitioning
Basic firewall, NIDS/NIPS functionality
• Simple pattern matching: optical for packet header, electronic for payload
• Stateful inspection: no obvious implementation in the optical domain
• Anomaly detection: optical (e.g. simple DoS attacks) and electronic
WP3.2 Identification of Simplified Security Algorithm Components
• Optical pre-processing for more complex pattern recognition
• Restrictions in the optical domain (buffering, level of integration, etc.)
• Scalability of security pattern matching algorithms; optimum balance between optical and electronic processing (WP6)
Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques.
D3.2 Identification of simplified Security Algorithm Components (M24)
WP 3.3 Definition of a Security Application Programming Interface (SAPI)
• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details
Monitoring Application Programming Interface (MAPI)
D3.3 Definition of SAPI (M27)
Next six months
D3.2 Identification of simplified Security Algorithm Components
• Tree-like structures
• Hash functions
• Bloom filters
• Heuristics
• Parallel use of optical devices: up to a dozen “on a chip”
• Parallel/Distributed Architectures
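Of the candidate components listed above, the Bloom filter is the one whose lookup reduces to a fixed number of bit tests, which is what makes it attractive for bit-serial hardware. The following Python example is added here and is not code from the slides or the WISDOM project: it builds a Bloom filter over a constructed list of black-listed source addresses (the black-list rule from the firewall slide), checks membership, and measures the false-positive rate over addresses that are not listed, since a hit from a Bloom filter has to be confirmed by a second stage while a miss is definite. The list size, probe range and 0.1% target rate are assumed parameters.

```python
import hashlib
import ipaddress
import math


class BloomFilter:
    """Standard Bloom filter: k bit positions per key, set on insert, tested on lookup."""

    def __init__(self, expected_items: int, fp_rate: float):
        # classic sizing: m bits and k hashes for the target false-positive rate
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key: bytes):
        # Kirsch-Mitzenmacher double hashing: k indices from two halves of one digest
        d = hashlib.sha256(key).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key: bytes) -> bool:
        # all k bits must be set; any clear bit is a definite miss
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


def build_blacklist(addresses, fp_rate=0.001):
    bf = BloomFilter(len(addresses), fp_rate)
    for a in addresses:
        bf.add(ipaddress.ip_address(a).packed)   # the 4 raw bytes of the source IP
    return bf


def is_blacklisted(bf, address) -> bool:
    return ipaddress.ip_address(address).packed in bf


def measured_fp_rate(bf, probe_network, listed) -> float:
    """Share of non-listed addresses in probe_network that the filter reports as hits."""
    listed = {ipaddress.ip_address(a) for a in listed}
    probes = [a for a in ipaddress.ip_network(probe_network) if a not in listed]
    hits = sum(1 for a in probes if a.packed in bf)
    return hits / len(probes)


# Constructed black-list: 100 addresses spread over a documentation range
BLACKLIST = [str(ipaddress.ip_address("198.51.100.0") + 7 * i) for i in range(100)]

if __name__ == "__main__":
    bf = build_blacklist(BLACKLIST)
    print(bf.m, "bits,", bf.k, "hashes")
    print(is_blacklisted(bf, BLACKLIST[3]), is_blacklisted(bf, "203.0.113.1"))
    print("measured false-positive rate:", measured_fp_rate(bf, "198.51.100.0/22", BLACKLIST))
```

In a partitioned design the k bit tests are the part a filter could perform per packet; the measured false-positive rate is the budget for how much traffic the electronic stage must re-check, and it grows as more entries are added to a filter of fixed size.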
Modeling and simulation
• Physical models of optical hardware: from WP4 but useful for WP3
• Functional models of optical devices and simulators
Figure: optical bit matching vs. conventional electronics