Prevention with Respect to QoS Requirements
Andreas Hess, Mathias Bohge, Günter Schäfer
Telecommunication Networks Group, Technische Universität Berlin
Einsteinufer 25, 10587 Berlin, Germany
Email: [hess, bohge, schaefer]@tkn.tu-berlin.de
Abstract
An Intrusion Prevention System (IPS) analyzes each packet for malicious content before forwarding it and drops packets that originate from an intruder. To do so, the IPS has to be physically integrated into the network and needs to process the actual packets that run through it, instead of processing copies of the packets at some place outside the network. Therefore, independent of the way they are built, all IPSs share the same problem: a decrease in the performance of the network they try to protect. The main objective in improving IPS performance is thus to develop an architecture that minimizes the overall delay and maximizes the network's throughput while ensuring a sufficient level of security.
Keywords
network security, intrusion prevention, programmable routers, load distribution
1. Distributed and Demand-driven Intrusion Prevention
In order to relieve end-users and administrators of the strain of continuously having to deal with today's massive number of security challenges, we propose to install modular intrusion prevention systems (IPSs) on top of programmable routers as an additional line of defense. Our long-term goal is the efficient protection of the end-systems that are part of an administrative domain (AD), as for example shown in Figure 2. Each router in the AD can be either passive or programmable. The only constraint to bear in mind when setting up the AD is that there has to be at least one programmable router on the path between the Internet and each subnet.
Assume, for example, that subnet N7 of Figure 2 consists of three hosts, each of which requests the installation of the same five protection services (s1, s2, ..., s5). Then 4^(5·3) = 2^30 (= 1,073,741,824) possibilities exist to fulfil the requirement of filtering all traffic between the Internet and all subnets, since each of the 15 requested service instances can be placed on one of four candidate routers on the path. On a per-router basis, we differentiate between three types of traffic: traffic that is forwarded by the router without being analyzed, traffic that must be analyzed by at least one security service running on the router, and traffic that is filtered/blocked by the router without being analyzed.
Consequently, the question arises how to configure each router of the AD in order to satisfy the security requirements of all end-systems while simultaneously not decreasing the network performance.
0-7803-9088-1/05/$20.00 (C) 2005 IEEE
Figure 1: The FIDRAN architecture (components shown: network, traffic selector, security policy, packet queues, control module, management module, active node, op-modules Op-1 to Op-n, forward path and drop path)
2. The FIDRAN Architecture
This section briefly describes the flexible intrusion detection and response framework for active networks (FIDRAN); for a detailed discussion we refer to [2] and [1]. The framework consists of core components that are required to run and of add-on components, the security services, which are dynamically integrated into the system when needed (cf. Figure 1). The core functionality comprises the traffic selector, the security policy, the control/management module and the default queuing discipline. Security services are implemented as operational modules (op-modules) featuring IPS-specific networking services. The system is designed so that dynamic reconfiguration at runtime, i.e. insertion and deletion of security services, is possible.
The complete network traffic is redirected to the traffic selector, which, according to the rules specified in the security policy, assigns the traffic to one of the categories forward, process or drop. Traffic assigned to the category forward is directly forwarded and is not analyzed by any installed op-module (see Figure 1). Another task of the security policy is to inform the traffic selector about how to queue which network traffic of category process. Moreover, it specifies which traffic must be analyzed by which security services and how to react in case of a detected attack.
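The interplay between security policy and traffic selector described above, as an added example that is not FIDRAN code: an ordered rule set classifies constructed packets into forward, process or drop; process traffic is run through its op-modules in order and the configured reaction is applied on an alert. The packet fields, the rule format, the default-deny behaviour for unmatched traffic and the two toy detectors are assumptions made for this illustration. Because forward traffic bypasses every op-module, the example also includes a shadowing check: a broad forward rule placed above a process rule silently turns the process rule into dead configuration and opens an unanalyzed path through the IPS.

```python
"""Traffic selector driven by a security policy (illustration of Section 2).

Added example, not FIDRAN code. Packet fields, the rule format, the default-deny
behaviour and the two toy op-modules are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                        # "forward", "process" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any destination port
    queue: str = "default"             # queuing discipline for category "process"
    services: tuple = ()               # op-modules to run, in this order
    on_alert: str = "drop"             # reaction when a service raises an alert

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


# Toy op-modules standing in for security services: None = clean, str = alert.
def detect_nop_sled(p: Packet) -> Optional[str]:
    return "nop sled" if b"\x90" * 16 in p.payload else None


def detect_sqli(p: Packet) -> Optional[str]:
    return "sql injection" if b"' or 1=1" in p.payload.lower() else None


SERVICES = {"s1": detect_nop_sled, "s2": detect_sqli}


def select(policy, p: Packet) -> Rule:
    """First matching rule wins; no match means drop (default deny, an assumption)."""
    for rule in policy:
        if rule.matches(p):
            return rule
    return Rule("drop")


def handle(policy, p: Packet):
    """Classify p and, for category process, run its op-modules in order.
    Returns ("forward", None), ("drop", reason) or ("process", queue)."""
    rule = select(policy, p)
    if rule.action == "forward":
        return ("forward", None)
    if rule.action == "drop":
        return ("drop", "policy")
    for name in rule.services:
        alert = SERVICES[name](p)
        if alert is not None:
            return (rule.on_alert, f"{name}: {alert}")
    return ("process", rule.queue)


def shadowed_rules(policy):
    """Indices of rules that can never fire because an earlier rule with a different
    action covers everything they match. A broad 'forward' above a 'process' rule is
    the classic way to create an unanalyzed path through the IPS."""
    return [i for i, r in enumerate(policy)
            if any(e.covers(r) and e.action != r.action for e in policy[:i])]


# Constructed policy: analyze web traffic to the server subnet, forward the remaining
# traffic of the trusted network, block telnet, default deny.
POLICY = (
    Rule("process", dst="10.7.0.0/24", proto="tcp", dport=80,
         queue="web", services=("s1", "s2")),
    Rule("forward", src="10.2.0.0/16"),
    Rule("drop", dport=23),
)
# Same policy after someone adds "forward everything to 10.7.0.0/16" at the top:
# the process rule is now unreachable and web attacks pass unanalyzed.
POLICY_MISORDERED = (Rule("forward", dst="10.7.0.0/16"),) + POLICY
```

Run `shadowed_rules` on every policy change; a non-empty result for a process or drop rule means the selector will never hand that traffic to the op-modules.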
We evaluated the performance of the prototype by conducting several sets of experiments, varying the load (constant bit rate, UDP) and the number of integrated services on the FIDRAN host. To facilitate the comparison of the results, all services were of the same type, delaying a packet either 10 µs or 100 µs. Subsequently, we determined an approximation function (equation (1), where λ represents the load in MBit/s and n the number of services) for the values measured with the service that delays a packet for 100 µs, which we used for a simulative study of three different security service deployment strategies.

$$
f(\lambda, n) =
\begin{cases}
-0.095680671 + 0.10422221\,n + 0.033666753\,\lambda, & 0 \le \lambda \le 5 \\
-0.64071440 + 0.15794931\,n + 0.095781562\,\lambda, & \lambda > 5
\end{cases}
\qquad (1)
$$
Figure 2: Example deployment strategies in an administrative domain with gateway router R1, routers R2 to R7 and subnets N2, N4, N6 and N7: (a) S1: late, (b) S2: early, (c) S3: adaptive
Figure 3: Subnet N7: comparison of throughput (late, early, adaptive). Throughput [MBit/s], 7 to 15, over time [s], 20 to 140, for (a) S1: late, (b) S2: early, (c) S3: adaptive
3. Security Service Deployment Strategies and Simulation
Figures 2(a) and 2(b) show two opposing deployment strategies. The late-deployment strategy places the requested security services as close as possible to the requesting subnet/end-system. In contrast, the early-deployment strategy uses the first available router on the path from the Internet to the requesting subnet/end-system. Finally, Figure 2(c) depicts a strategy that is adapted to the situation, i.e. the services for subnet N7 are split among the programmable routers R5 and R7.
We simulated the three strategies using the OMNeT++ simulation environment. As traffic source, we implemented two traffic generators, a constant bit-rate generator and a Poisson generator, which were connected in parallel to the gateway router R1. We implemented the routers' core functionalities (receiving a packet, table lookup, forwarding, dropping) and added some programmable-node features, namely classifying incoming packets and processing the relevant ones. Instead of actually processing a packet, the programmable router in our simulation just delays the packet before forwarding it. It computes the matching delay using the linearly approximated delay function (1). A non-programmable router delays a packet 11 µs.
Figure 4: Router waiting queues (late, early, adaptive). Queue length, 0 to 100 packets, over time [s], 20 to 140, for (a) S1: queue R7, (b) S2: queue R1, (c) S3: queue R5, (d) S3: queue R7
For the simulation, we made the following assumptions: about 80% of the complete Internet traffic (15 MBit/s) is destined to subnet N7. The remaining traffic was uniformly distributed among networks N2, N4 and N6, and each router is capable of buffering 80 packets. Additionally, all subnets request the same set of security services (three services, each of which delays a packet 100 µs). The simulation results, focusing on subnet N7, in terms of throughput and router status are given in Figures 3 and 4. Figure 3 consists of three curves, one for each strategy, depicting the throughput for subnet N7. Accordingly, Figure 4 depicts for each strategy the buffer states of the programmable routers.
As a result, it can be seen that already for small ADs the decision on IPS deployment can have a remarkable influence on the network performance. Consequently, it does make sense to split an IPS among several routers in order to minimize the impact on performance.
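The three strategies compared with the paper's own delay fit, as an added example that is not the authors' OMNeT++ code. It also carries out, for the smaller case of N7's three services, the enumeration of placements that Section 1 counts as 4^(5·3) for five services and three hosts. Everything beyond the page is an assumption and marked as such in the code: the path to N7 is taken to be R1, R5, R7 (the routers the page names for N7), only N7's 12 MBit/s is assumed to cross R5 and R7 while all 15 MBit/s cross R1, packets are 1500 bytes, one instance per distinct service is installed where several subnets request it, a programmable router without installed services behaves like a passive one, and a router is modelled as handling one packet at a time, so that 1000/f packets per second is its capacity and sustained excess arrivals are dropped once the 80-packet buffer is full. Equation (1) gives no unit; its n-coefficient (about 0.10 per service at low load) matches the 100 µs services that were measured, so f is read here as milliseconds.

```python
"""Deployment-strategy comparison for subnet N7 using the delay fit of equation (1).

Added example, not the paper's simulation code. Assumptions are marked inline.
"""
from dataclasses import dataclass
from itertools import product

PASSIVE_DELAY_MS = 0.011   # non-programmable router: 11 us per packet (from the page)
PACKET_BITS = 1500 * 8     # assumption: 1500-byte packets; the page gives MBit/s only
N7_LOAD_MBIT = 12.0        # 80% of the 15 MBit/s Internet traffic is destined to N7


def f(lam, n):
    """Equation (1): per-packet delay of a FIDRAN host at load lam [MBit/s] with n services.
    Unit is read as milliseconds (inference from the 100 us services, see lead-in)."""
    if lam <= 5:
        return -0.095680671 + 0.10422221 * n + 0.033666753 * lam
    return -0.64071440 + 0.15794931 * n + 0.095781562 * lam


@dataclass(frozen=True)
class Router:
    name: str
    programmable: bool
    load_mbit: float   # total traffic through the router, all subnets included


# Internet -> N7 path. R1 (gateway), R5 and R7 are the routers the page names for N7;
# that there are no further hops and that only N7's traffic crosses R5 and R7 is assumed.
PATH_N7 = (
    Router("R1", True, 15.0),
    Router("R5", True, 12.0),
    Router("R7", True, 12.0),
)


def router_delay_ms(router, n_services):
    """Programmable router with installed services: f(lambda, n). Without services it is
    treated like a passive router (assumption). The fit is only valid inside the measured
    range and turns negative for small loads, so the passive delay also serves as floor."""
    if router.programmable and n_services > 0:
        return max(f(router.load_mbit, n_services), PASSIVE_DELAY_MS)
    return PASSIVE_DELAY_MS


def evaluate(placement):
    """placement maps router name -> number of services installed there.
    Model (assumption): a router handles one packet at a time, so 1000/f packets per
    second is its capacity; with a finite buffer sustained excess arrivals are dropped.
    Returns (N7 throughput [MBit/s], bottleneck utilisation, path delay [ms])."""
    delay_ms, util_max, passed = 0.0, 0.0, 1.0
    for r in PATH_N7:
        d = router_delay_ms(r, placement.get(r.name, 0))
        arrival_pps = r.load_mbit * 1e6 / PACKET_BITS
        util = arrival_pps * d / 1000.0          # arrival rate divided by capacity
        delay_ms += d
        util_max = max(util_max, util)
        passed *= min(1.0, 1.0 / util)           # fraction surviving this hop
    return N7_LOAD_MBIT * passed, util_max, delay_ms


STRATEGIES = {
    "S1 late":     {"R7": 3},             # Figure 2(a)
    "S2 early":    {"R1": 3},             # Figure 2(b); one instance per service (assumed)
    "S3 adaptive": {"R5": 1, "R7": 2},    # Figure 2(c): split between R5 and R7
}


def best_placement(n_services=3):
    """Brute force over all assignments of n services to the programmable routers of the
    path (3^3 = 27 here; the page's 4^(5*3) is the same count for four routers, five
    services and three hosts). Rank: throughput, then bottleneck utilisation, then delay."""
    routers = [r.name for r in PATH_N7 if r.programmable]
    best_key, best = None, None
    for assignment in product(routers, repeat=n_services):
        placement = {}
        for name in assignment:
            placement[name] = placement.get(name, 0) + 1
        thr, util, delay = evaluate(placement)
        key = (-thr, util, delay)
        if best_key is None or key < best_key:
            best_key, best = key, placement
    return best


if __name__ == "__main__":
    for label, placement in STRATEGIES.items():
        thr, util, delay = evaluate(placement)
        print(f"{label:12s} N7 throughput {thr:5.2f} MBit/s, "
              f"bottleneck load {util:.2f}, path delay {delay:.3f} ms")
    print("best placement:", best_placement())
```

Under these assumptions the early strategy saturates R1 (utilisation above 1, N7 throughput drops to roughly 7.6 MBit/s, the order of the low end of Figure 3), the late strategy keeps R7 just below saturation, and the split leaves headroom on both routers. The ranking criterion matters: summing f along the path favours concentrating the services, because every programmable router that runs services pays the fixed part of equation (1), whereas the throughput and queue behaviour of Figures 3 and 4 depend on keeping the most loaded router below capacity, which favours the split.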
4. Future Work
In future work, we plan to study the influence of more complex deployment strategies on the network performance for bigger administrative domains. Moreover, we aim at developing a service deployment algorithm that automatically distributes the requested services in an intelligent manner, as our long-term goal is to extend our work towards a self-organizing network that is able to autonomously recognize and satisfy the security requirements posed by the end-systems of an administrative domain, while at the same time aiming to satisfy given QoS objectives.
References
[1] A. Hess, M. Jung, and G. Schäfer. FIDRAN: A flexible intrusion detection and response framework for active networks. In 8th IEEE Symposium on Computers and Communications (ISCC 2003), Kemer, Antalya, Turkey, July 2003.
[2] A. Hess and G. Schäfer. ISP-Operated Protection of Home Networks with FIDRAN. In First IEEE Consumer Communications and Networking Conference (CCNC 2004), January 2004.