This presentation details hardware-based design approaches to building cyber security systems.
Slide 1: A Hybrid Approach to Cyber Security
Presented by Steve Patton, Telesoft Technologies
"Where innovative thinking meets engineering excellence"
Slide 2: What this session is about / what will I learn?
– Standard building blocks of cyber security systems
– Some of the problems system builders face as data rates rise
– How a hybrid hardware/software approach can solve these problems
– Alternative title: "Using a combination of hardware and software to build cyber security systems"
www.telesoft-technologies.com Copyright 2012 by Telesoft Technologies. All rights reserved
Slide 3: High Level Cyber Security Design Objectives
– Capture and analyse flows
– Filter through gigabytes of packet data
– Identify threat signatures
– 100% visibility: no data loss
– Build to a cost
– End game: detect and prevent intrusions
Slide 4: What tools do we have?
– Off-the-shelf software applications: DPI (primarily in software)
  • Flow tracking
  • N-tuple
  • Traffic analysis
  • Pattern and signature matching
– Open source / freeware: ACARM-ng, AIDE, Bro NIDS, OSSEC HIDS, Prelude Hybrid IDS, Samhain, Snort, Suricata
– Off-the-shelf servers with GbE ports
Slide 5: DPI?
– Deep Packet Inspection (DPI) is the act of any IP network equipment that is not an endpoint of a communication using non-header content (typically the actual payload) for some purpose.
– In IP this generally means content above the TCP/UDP layer
– Used for identification and filtering
Slide 6: Flow Tracking
– First basic filtering operation; not really DPI, since it looks only at header fields, never at payload
– Based on the 5-tuple flow identifier taken from the packet headers
– Common concept in network security equipment, e.g. firewalls
– End goal: determine which packets belong to a communication ("flow") between two endpoints
Slide 7: N-tuple
– A collection of attributes. Commonly five:
  • Source IP address
  • Source port (typically: any)
  • Destination IP address
  • Destination port (e.g. 80 or 443)
  • Transport protocol (typically TCP, sometimes UDP)
– How are they used?
  • Filtering
  • Defining access requirements
  • Identifying suspect flows
Slide 8: N-tuple in practice (diagram only)
Slide 9: Where 5-tuple is not enough
– Identify specific protocols
– Identify malware and badly behaving applications
– Identify signatures
– Use enhanced filtering to inspect deeper into the data, i.e. into the payload rather than just the headers
Slide 10: Pattern and Signature Matching
– Second basic filtering operation
– Search for strings or numbers at certain positions in the payload; usually several patterns are needed for each protocol
Slide 11: (diagram only)
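As an added example (not code from the slides or from Telesoft), here is a small positional signature matcher of the kind slide 10 describes: each signature is a list of byte patterns, each constrained to start at an offset and to be found within a depth, and all of them must match in order. The offset/depth semantics are modelled on Snort's content modifiers of the same names, but this is an illustrative re-implementation, not Snort's engine, and the three signatures and the payloads are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One byte pattern to find in the payload. 'offset' is where the search
    starts (counted from the payload start); 'depth' caps how many bytes after
    'offset' are searched (None = to the end of the payload)."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None


@dataclass
class Signature:
    name: str
    contents: List[Content]       # all must match; each search starts after the previous hit
    dport: Optional[int] = None   # restrict to one destination port, None = any port


def find_content(payload: bytes, c: Content, start: int = 0) -> int:
    """Return the index just past the match, or -1 if the pattern is absent
    from the window [max(start, offset), offset + depth)."""
    begin = max(start, c.offset)
    end = len(payload) if c.depth is None else min(len(payload), c.offset + c.depth)
    idx = payload.find(c.pattern, begin, end)
    return -1 if idx < 0 else idx + len(c.pattern)


def matches(sig: Signature, payload: bytes, dport: int) -> bool:
    """A signature fires only if the port filter passes and every content matches in order."""
    if sig.dport is not None and sig.dport != dport:
        return False
    pos = 0
    for c in sig.contents:
        pos = find_content(payload, c, pos)
        if pos < 0:
            return False
    return True


# Constructed demo signatures (assumptions for this example, not a real ruleset):
SIGNATURES = [
    # HTTP request line: method at the very start, version token later on the line
    Signature("http.request",
              [Content(b"GET ", offset=0, depth=4), Content(b" HTTP/1.")], dport=80),
    # TLS handshake record (type 0x16, version 3.x) whose first message is a ClientHello (0x01)
    Signature("tls.client_hello",
              [Content(b"\x16\x03", offset=0, depth=2), Content(b"\x01", offset=5, depth=1)], dport=443),
    # Directory traversal attempt inside an HTTP request URI
    Signature("http.uri_traversal",
              [Content(b"GET ", offset=0, depth=4), Content(b"/../")], dport=80),
]


def classify(payload: bytes, dport: int, sigs=SIGNATURES) -> List[str]:
    """Names of every signature that matches this payload on this destination port."""
    return [s.name for s in sigs if matches(s, payload, dport)]


if __name__ == "__main__":
    print(classify(b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n", 80))
```

The depth window is what keeps the matcher cheap on a line card: a pattern anchored at offset 0 with depth 4 costs a four-byte compare per packet rather than a scan of the whole payload, which is why protocol identification signatures are written against fixed header positions wherever the protocol allows it.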
Slide 12: Traffic Analysis
– Third basic DPI operation
– Why do we do this? Payload pattern matching is impossible for encrypted traffic, because the bytes we would search are ciphertext
– Instead, analyse traffic patterns that survive encryption:
  • Packet sizes
  • Packet size sequences
  • Data rates
  • Packet rates
  • Number of concurrent flows
  • Flow arrival rate
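As an added example (not from the slides or from Telesoft), here is the feature extraction slide 12 lists, computed over already-decoded packet records (timestamp, flow id, size), followed by one detection that uses only those features: a regular, fixed-size poll is the classic profile of a command-and-control beacon, and it is visible without decrypting anything. The two flows in RECORDS and the thresholds in looks_like_beacon are constructed for the demo and are not tuned values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_s, flow_id, packet_size_bytes). "beacon" polls
# every 30 s with a fixed-size message; "browse" is bursty and mixed-size like
# an interactive HTTPS session.
RECORDS = (
    [(30.0 * i, "beacon", 180) for i in range(8)]
    + [(5.0, "browse", 517), (5.1, "browse", 1460), (5.3, "browse", 1460),
       (5.35, "browse", 66), (6.0, "browse", 1200), (9.5, "browse", 300)]
)


def _cv(values):
    """Coefficient of variation (stddev / mean); 0 when there is nothing to vary."""
    m = mean(values)
    return pstdev(values) / m if len(values) > 1 and m > 0 else 0.0


def flow_features(records):
    """Per-flow features that need no payload: sizes, rates and timing only."""
    flows = defaultdict(list)
    for ts, fid, size in records:
        flows[fid].append((ts, size))
    feats = {}
    for fid, pkts in flows.items():
        pkts.sort()
        times = [t for t, _ in pkts]
        sizes = [s for _, s in pkts]
        duration = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]   # inter-arrival times
        feats[fid] = {
            "packets": len(pkts),
            "bytes": sum(sizes),
            "duration": duration,
            "pkt_rate": len(pkts) / duration if duration > 0 else 0.0,
            "byte_rate": sum(sizes) / duration if duration > 0 else 0.0,
            "size_seq": sizes[:8],                 # packet size sequence (first 8)
            "gap_cv": _cv(gaps) if gaps else 0.0,  # timing regularity
            "size_cv": _cv(sizes),                 # size regularity
        }
    return feats


def concurrent_flows(records, at, idle=60.0):
    """Number of flows that sent a packet within `idle` seconds before `at`."""
    return len({fid for ts, fid, _ in records if at - idle < ts <= at})


def new_flows_per_window(records, window=60.0):
    """Flow arrival rate: count of first-seen flows per `window`-second bucket."""
    first = {}
    for ts, fid, _ in records:
        if fid not in first or ts < first[fid]:
            first[fid] = ts
    counts = defaultdict(int)
    for ts in first.values():
        counts[int(ts // window)] += 1
    return dict(counts)


def looks_like_beacon(f, min_packets=6, max_gap_cv=0.1, max_size_cv=0.1):
    """Many packets, near-constant spacing, near-constant size: a polling client.
    Threshold values are demo assumptions, not tuned ones."""
    return (f["packets"] >= min_packets
            and f["gap_cv"] <= max_gap_cv
            and f["size_cv"] <= max_size_cv)


if __name__ == "__main__":
    for fid, f in flow_features(RECORDS).items():
        print(fid, "beacon" if looks_like_beacon(f) else "normal", f["size_seq"])
```

Two practical caveats: jitter added deliberately by malware defeats a pure gap_cv test, so production detectors usually bin inter-arrival times and look for a dominant bin instead; and the concurrent-flow and arrival-rate numbers are only meaningful against a baseline for that host or segment, which is why these features are normally kept per source rather than globally.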
Slide 13: Let's build a 1GbE IDS
– Build using standard server hardware; add commodity 1GbE adapters where necessary
– Use custom or off-the-shelf software applications: IDS/IPS (Snort?), DPI software
Slide 14: Challenges
– Rising data rates
  • Enterprise: 1Gb common, 10Gb becoming more common
  • Datacentre: 40Gb, multiple 100Gb
– Ever-growing protocol diversity
– Both consume CPU resources
– Drives up cost
Slide 15: Let's build a 10GbE IDS
– Same basic components as the 1Gb IDS, but:
  • The server needs to process 10 times the data throughput
  • Add a 10GbE interface card
Slide 16: Data loss is the enemy
– What causes data loss?
  • Dropped packets: the CPU can't keep up. We can buffer in the server, but the buffer can overrun, so we need more powerful CPUs/servers
  • Latency: the delay between detecting that we want to monitor something and actually monitoring it, during which packets have already gone by
  • Larger delays: detecting half way through a session that we want to monitor it, when seconds of that session have already passed
Slide 17: More CPU, more memory, more speed
– 40Gb/s typically costs 15x as much as 2Gb/s
– [Chart: cores, memory and cost plotted against data rate at 2, 4, 10, 20 and 40 Gb/s]
Slide 18: What can we do to offload processing?
– Categorise flows (hash) and route them to multiple lower-cost servers for processing. Every packet of a flow shares the same 5-tuple (source IP address, source port, destination IP address, destination port, transport protocol), so hashing the tuple sends the whole flow to the same server.
– An intelligent line adapter allows flows to be split and routed with virtually zero host CPU overhead
Slide 19: How could an intelligent xGbE adapter help?
– Using 5-tuple filtering to route flows to distributed, low-cost IDS servers (diagram)
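As an added example covering slides 6 and 7 (extracting the 5-tuple from packet headers) and slides 18 and 19 (hashing flows to a pool of servers), here is the host-side version of what the line adapter does in hardware. This is not code from the slides or from Telesoft; the frames it parses are constructed by build_frame, and the server count and addresses are arbitrary. Two details matter in practice and are handled here: the key is made direction-independent so both halves of a TCP conversation reach the same IDS server, and non-first IP fragments (which carry no port numbers) are refused rather than silently hashed to the wrong place.

```python
import hashlib
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = b"\x08\x00"


def build_frame(src_ip, dst_ip, src_port, dst_port, proto=6, payload=b"", frag_offset=0):
    """Constructed test input: a minimal Ethernet II / IPv4 / TCP-or-UDP frame.
    Checksums are left at zero; it exists only to exercise the parser below."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4          # dst MAC, src MAC, EtherType
    if proto == 6:                                # TCP: 20-byte header, data offset 5, PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:                                         # UDP: 8-byte header
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(l4) + len(payload), 0, frag_offset & 0x1FFF,
                     64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4 + payload


def five_tuple(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) or None when the frame
    has no usable tuple: non-IPv4 EtherType, protocol other than TCP/UDP,
    truncated frame, or a non-first IP fragment (no L4 header present)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or frag_offset != 0 or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (str(ipaddress.IPv4Address(frame[26:30])), sport,
            str(ipaddress.IPv4Address(frame[30:34])), dport, proto)


def flow_key(t):
    """Direction-independent flow identifier: client->server and server->client
    packets of one conversation get the same key, so both halves land together."""
    src_ip, sport, dst_ip, dport, proto = t
    a, b = (src_ip, sport), (dst_ip, dport)
    return (min(a, b), max(a, b), proto)


def pick_server(key, n_servers):
    """Map a flow key to one of n_servers. A fixed hash (not Python's salted
    hash()) keeps the mapping stable across restarts and across machines."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_servers


def distribute(frames, n_servers):
    """Route frames to servers by flow. Returns ({server_index: [5-tuples]}, unroutable_count)."""
    routed = defaultdict(list)
    unroutable = 0
    for frame in frames:
        t = five_tuple(frame)
        if t is None:
            unroutable += 1
            continue
        routed[pick_server(flow_key(t), n_servers)].append(t)
    return dict(routed), unroutable


if __name__ == "__main__":
    req = build_frame("10.0.0.5", "192.0.2.10", 51000, 443)
    rep = build_frame("192.0.2.10", "10.0.0.5", 443, 51000)
    print(distribute([req, rep], 4))
```

Unroutable frames are worth counting rather than dropping silently: a spike in non-first fragments or non-IP traffic is itself a signal, and a hardware load balancer that only hashes on the 5-tuple will either drop those frames or pin them all to one server, which is the kind of blind spot an attacker looks for.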
Slide 20: If multiple systems are not an option
– Use a powerful server/compute platform, OR
– Offload as much processing as possible onto a hardware-accelerated network adapter
Slide 21: Accelerated Network Adapters
– Specialised packet interface and processing cards that:
  • Assist with layer 2, 3 and 4 filtering and classification
  • Load-balance flows to multiple processing engines
  • Pre-filter on other layers (e.g. L7 content)
  • Perform keyword and signature matching
Slide 22: Basic NIC Card (diagram only)
Slide 23: Accelerated Card – With Filtering (diagram only)
Slide 24: Missing packets due to start delay (diagram only)
Slide 25: Sometimes the session control is separate (diagram only)
Slide 26: How can we guard against this?
– Store everything on the host server or on a separate storage device: more complex = more cost
– Implement packet buffers in the line cards
  • Needs to be of the order of 300ms to cover the detection latency
  • May need to be as long as 2 to 3s when the control signalling that identifies the session travels separately from the data
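As an added example (not from the slides or from Telesoft) of the start-delay problem on slides 16, 24 and 25 and the buffering answer on slide 26, here is a time-bounded lookback buffer in software: every packet is kept for a fixed horizon, and when the analysis decides late that a flow matters, the packets that already passed are replayed from the buffer and the flow is captured live from then on. The flow, the 50 ms packet train and the trigger times are constructed for the demo; the horizon values are the slide's own 300 ms and a few-second case.

```python
from collections import deque

# Constructed traffic: one flow sending a packet every 50 ms for half a second (11 packets).
FLOW = "10.0.0.5:51000->192.0.2.10:443"
PACKETS = [(ms, FLOW, f"pkt@{ms}ms") for ms in range(0, 501, 50)]


class LookbackBuffer:
    """Bounded history of recent packets, standing in for a line card's on-board
    memory. Packets older than horizon_ms are discarded; a late decision to
    monitor a flow can still recover whatever is inside the horizon."""

    def __init__(self, horizon_ms):
        self.horizon_ms = horizon_ms
        self.recent = deque()      # (ts_ms, flow, packet) in arrival order
        self.captures = {}         # flow -> list of captured (ts_ms, packet)

    def _expire(self, now_ms):
        while self.recent and self.recent[0][0] < now_ms - self.horizon_ms:
            self.recent.popleft()

    def push(self, ts_ms, flow, packet):
        self._expire(ts_ms)
        self.recent.append((ts_ms, flow, packet))
        if flow in self.captures:                  # already selected: capture live
            self.captures[flow].append((ts_ms, packet))

    def start_capture(self, flow, now_ms):
        """Select a flow for capture; returns the packets recovered from the buffer."""
        self._expire(now_ms)
        replayed = [(ts, p) for ts, f, p in self.recent if f == flow]
        self.captures[flow] = list(replayed)
        return replayed


def simulate(horizon_ms, trigger_ms, packets=PACKETS, flow=FLOW):
    """Feed the packet train; at trigger_ms the IDS decides the flow must be captured.
    Returns (packets replayed from buffer, packets captured in total, packets lost)."""
    buf = LookbackBuffer(horizon_ms)
    before = [p for p in packets if p[0] <= trigger_ms]
    after = [p for p in packets if p[0] > trigger_ms]
    for ts, f, p in before:
        buf.push(ts, f, p)
    replayed = buf.start_capture(flow, trigger_ms)
    for ts, f, p in after:
        buf.push(ts, f, p)
    captured = len(buf.captures[flow])
    return len(replayed), captured, len(packets) - captured


if __name__ == "__main__":
    # 300 ms buffer, decision 350 ms in: the first packet (the SYN) is already gone.
    print("300ms/350ms", simulate(300, 350))
    # Buffer longer than the decision latency: nothing lost.
    print("400ms/350ms", simulate(400, 350))
    # Decision arrives 2 s later via separate control signalling: everything lost.
    print("300ms/2000ms", simulate(300, 2000))
```

The first case is the one to remember: a buffer sized exactly to the nominal latency still loses the opening packet once the decision runs a little late, and for TCP that is the SYN the session reassembler needs. Sizing is also why this lives on the card rather than the host: at 10 Gb/s a 300 ms horizon is about 375 MB of packet data and a 3 s horizon about 3.75 GB, per direction, that must be written and expired at line rate.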
Slide 27: Integrated, filtering interface/adapter card, also known as:
– Hardware accelerator cards
– Accelerating capture cards
– Load-balancing NIC
– Network analysis adapter
Slide 28: Summary
– By sharing the filtering and processing load for a cyber security application between the host CPU and the line card we can:
  • Build physically smaller systems
  • Save on power
  • Save on component cost
  • Save on space
  • Eliminate packet loss
– Small but powerful!
Slide 29: For more information
– Talk to Telesoft today
– Visit www.telesoft-technologies.com
– Thank you
Closing quote, attributed on the slide to Einstein: "The definition of insanity is people trying to do the same thing and expecting different results"
Slide 30: Contact
Headquarters: Telesoft Technologies Ltd, Observatory House, Blandford, Dorset DT11 9LQ, UK. T. +44 (0)1258 480 880, F. +44 (0)1258 486 598, E. sales@telesoft-technologies.com
Americas: Telesoft Technologies Inc, Suite 601, 4340 Georgetown Square, Atlanta GA 30338, USA. T. +1 770 454 6001, F. +1 770 452 0130, E. salesusa@telesoft-technologies.com
India: Telesoft Technologies Ltd (Branch Office), Building FC-24, Sector-16A, Noida 201301, Uttar Pradesh, INDIA. T. +91 120 466 0300, F. +91 120 466 0301, E. salesindia@telesoft-technologies.com
www.telesoft-technologies.com Copyright 2010 by Telesoft Technologies. All rights reserved.