
Telecommunication

2024-07-17 Source: 小奈知识网
In Poster Session of 9th IFIP/IEEE International Symposium on Integrated Network Management (IM 2005), Nice, France, May 2005.

Towards Distributed Network Intrusion Prevention with Respect to QoS Requirements

Andreas Hess, Mathias Bohge, Günter Schäfer
Telecommunication Networks Group, Technische Universität Berlin

Einsteinufer 25, 10587 Berlin, Germany

Email: [hess,bohge,schaefer]@tkn.tu-berlin.de

Abstract

An Intrusion Prevention System (IPS) analyzes each packet for malicious content before forwarding it and drops packets that originate from an intruder. To do so, the IPS has to be physically integrated into the network and needs to process the actual packets that run through it, instead of processing copies of the packets at some place outside the network. Therefore, independent of the way they are built, all IPSs share the same problem: a decrease in performance of the network they try to protect. Hence, the main objective in improving IPS performance is to develop an architecture that minimizes the overall delay and maximizes the network's throughput while ensuring a sufficient level of security.

Keywords

network security, intrusion prevention, programmable routers, load distribution

1. Distributed and Demand-driven Intrusion Prevention

In order to relieve the strain on end-users and administrators of continuously having to deal with today's massive amount of security challenges, we propose to install modular intrusion prevention systems (IPSs) on top of programmable routers as an additional line of defense. Our long-term goal is the efficient protection of the end-systems that are part of an administrative domain (AD), as for example shown in Figure 2. Each router in the AD can either be of passive or programmable nature. The only constraint to bear in mind when setting up the AD is that there has to be at least one programmable router on the path between the Internet and each subnet.

Assuming, for example, that subnet N7 of Figure 2 consists of three hosts, each of which requests the installation of the same five protection services (s1, s2, ..., s5), then 4^(5·3) (= 1,073,741,824) possibilities exist to fulfill the requirement of filtering all traffic between the Internet and all subnets. On a per-router basis, we differentiate between three types of traffic: traffic that is forwarded by the router without being analyzed, traffic that must be analyzed by at least one security service that is running on the router, and traffic that is filtered/blocked by the router without being analyzed.

Consequently, the question arises how to configure each router of the AD in order to satisfy the security requirements of all end-systems while simultaneously not decreasing the network performance.

0-7803-9088-1/05/$20.00 (C) 2005 IEEE

Figure 1: The FIDRAN architecture (active node with management module, security policy, traffic selector, control module, packet queue, op-modules Op-1 ... Op-n, and the forward and drop paths to the network)

2. The FIDRAN Architecture

This section briefly describes the flexible intrusion detection and response framework for active networks (FIDRAN); for a detailed discussion we refer to [2] and [1]. The framework consists of core components that are required to run and of add-on components, the security services, which are dynamically integrated into the system when needed (cf. Figure 1). The core functionality comprises the traffic selector, the security policy, the control/management module and the default queuing discipline. Security services are implemented as operational modules (op-modules) featuring IPS-specific networking services. The system is designed in a manner such that a dynamic reconfiguration at runtime, i.e. insertion and deletion of security services, is possible.

The complete network traffic is redirected to the traffic selector, which, according to the rules specified in the security policy, assigns the traffic to one of the categories forward, process or drop. Traffic that is assigned to the category forward is directly forwarded and not analyzed by any installed op-module (see Figure 1). Another task of the security policy is to inform the traffic selector about how to queue which network traffic of category process. Moreover, it specifies which traffic must be analyzed by which security services and how to react in case of a detected attack.

We evaluated the performance of the prototype by conducting several sets of experiments, varying the load (constant bit rate, UDP) and the number of integrated services on the FIDRAN host. In order to facilitate the task of comparing the results, all services were of the same type, delaying a packet either 10 µs or 100 µs. Subsequently, we determined an approximation function (see Equation 1, where λ represents the load in MBit/s and n the number of services) for the measured values of the service that delays a packet for 100 µs, which we used for a simulative study of three different security service deployment strategies.

$$
f(\lambda, n) =
\begin{cases}
-0.095680671 + 0.10422221\, n + 0.033666753\, \lambda & 0 \le \lambda \le 5 \\
-0.64071440 + 0.15794931\, n + 0.095781562\, \lambda & \lambda > 5
\end{cases}
\tag{1}
$$


Figure 2: Example deployment strategies: (a) S1: late, (b) S2: early, (c) S3: adaptive (topology with the Internet, routers R1 ... R7 and subnets N2, N4, N6, N7)

Figure 3: Subnet N7: Comparison of throughput (late, early, adaptive); panels (a) S1: late, (b) S2: early, (c) S3: adaptive; curves Throughput N7: S1, S2, S3; axes Throughput [MBit/s] (7 to 15) vs. Time [s] (20 to 140)

3. Security Service Deployment Strategies and Simulation

Figures 2(a) and 2(b) show two opposing deployment strategies. The late-deployment strategy places the requested security services as close as possible to the requesting subnet/end-system. In contrast, the early-deployment strategy uses the first available router on the path from the Internet to the requesting subnet/end-system. Finally, Figure 2(c) depicts a strategy that is adapted to the situation, i.e. the services for subnet N7 are split among the programmable routers R5 and R7.

We simulated the three strategies using the omnet++ simulation environment. As traffic source, we implemented two traffic generators, a constant bit-rate generator and a Poisson generator, which were connected in parallel to the gateway router R1. We implemented the routers' core functionalities (receiving a packet, table lookup, forwarding, dropping) and added some programmable-node features, namely classifying incoming packets and processing the relevant ones. Instead of actually processing a packet, the programmable router in our simulation just delays the packet before forwarding it. It computes the matching delay using the linear approximated delay function. A non-programmable router delays a packet by 11 µs.


Figure 4: Router waiting queues (late, early, adaptive); panels (a) S1: R7, (b) S2: R1, (c) S3: R5, (d) S2: R7, with legends Queue R7: S1, Queue R1: S2, Queue R5: S3, Queue R7: S3; axes Queue-Length (0 to 100) vs. Time [s] (20 to 140)

For the simulation, we made the following assumptions: about 80% of the complete Internet traffic (15 MBit/s) is destined to subnet N7. The remaining traffic was uniformly distributed among networks N2, N4 and N6, and each router is capable of buffering 80 packets. Additionally, all subnets request the same set of security services (three services, each of which delays a packet by 100 µs). The simulation results, focusing on subnet N7, in terms of throughput and router status are given in Figures 3 and 4. The first row of Figure 3 consists of three curves, one for each strategy, depicting the throughput for subnet N7. Accordingly, Figure 4 depicts for each strategy the buffer states of the programmable routers.

As a result, it can be seen that already for small ADs the decision on the IPS deployment can have a remarkable influence on the network performance. Consequently, it does make sense to split the IPS among several routers in order to minimize the impact on the performance.
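The following is an added example, not code from the paper: it implements the delay approximation of Equation 1 and the placement count of Section 1, and uses them to compare the per-router bottleneck of the three strategies under the Section 3 assumptions (15 MBit/s, 80% to N7, three services per subnet). The N7 path R1, R3, R5, R7 and the 2/1 split of N7's services between R5 and R7 under the adaptive strategy are assumptions; the paper does not state the unit of f, so only relative values are compared.

```python
def service_delay(lam: float, n: int) -> float:
    """Equation 1 of the paper: approximated per-packet delay of a FIDRAN router
    running n services (each delaying a packet 100 us) at load lam in MBit/s.
    Note the two pieces do not meet at lam = 5 (for n = 3: 0.3853 vs 0.3120)."""
    if lam < 0 or n < 0:
        raise ValueError("load and service count must be non-negative")
    if lam <= 5:
        return -0.095680671 + 0.10422221 * n + 0.033666753 * lam
    return -0.64071440 + 0.15794931 * n + 0.095781562 * lam


def placement_count(programmable_on_path: int, hosts: int, services: int) -> int:
    """Ways to place every (host, service) request on one of the programmable
    routers on the path; Section 1's example is 4 routers, 3 hosts, 5 services."""
    return programmable_on_path ** (hosts * services)


# Section 3 assumptions: 15 MBit/s enter at gateway R1, 80% of it is for N7.
TOTAL_LOAD = 15.0
N7_LOAD = 0.8 * TOTAL_LOAD  # 12 MBit/s

# Strategy -> {router: (load it analyzes in MBit/s, services installed there)}.
# Early (S2): all subnets' services sit on R1, so R1 analyzes the full 15 MBit/s.
# Late (S1): N7's services sit on its last-hop router R7 (only N7 traffic).
# Adaptive (S3): N7's services are split between R5 and R7 (2/1 is an assumption).
STRATEGIES = {
    "S1 late": {"R7": (N7_LOAD, 3)},
    "S2 early": {"R1": (TOTAL_LOAD, 3)},
    "S3 adaptive": {"R5": (N7_LOAD, 2), "R7": (N7_LOAD, 1)},
}


def bottleneck(deployment: dict) -> tuple:
    """Router with the largest service delay on N7's path; routers that only
    forward (category 'forward') add no service delay in this model."""
    router, (lam, n) = max(deployment.items(),
                           key=lambda kv: service_delay(*kv[1]))
    return router, service_delay(lam, n)


def compare() -> dict:
    """Bottleneck router and its delay for every strategy."""
    return {name: bottleneck(dep) for name, dep in STRATEGIES.items()}


if __name__ == "__main__":
    print("placements for 3 hosts x 5 services:", placement_count(4, 3, 5))
    for name, (router, d) in compare().items():
        print(f"{name:12s} bottleneck {router}: f = {d:.4f}")
```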

4. Future Work

In future work, we plan to study the influence of more complex deployment strategies on the network performance for bigger administrative domains. Moreover, we aim at developing a service deployment algorithm that allows the requested services to be distributed automatically in an intelligent manner, as our long-term goal is to extend our work towards a self-organizing network that is able to autonomously recognize and satisfy the security requirements posed by the end-systems of an administrative domain, while at the same time aiming to satisfy given QoS objectives.

References

[1] A. Hess, M. Jung, and G. Schaefer. FIDRAN: A flexible intrusion detection and response framework for active networks. In 8th IEEE Symposium on Computers and Communications (ISCC'2003), Kemer, Antalya, Turkey, July 2003.

[2] A. Hess and G. Schäfer. ISP-Operated Protection of Home Networks with FIDRAN. In First IEEE Consumer Communications and Networking Conference (CCNC'2004), January 2004.
