Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links (PowerPoint presentation transcript)

Source: https://www.apnoms.org
1
Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links
  • Byoung-Koo Kim, Ik-Kyun Kim, Jong-kook Lee, Ki-Young Kim and Jong-Soo Jang
  • Security Gateway System Team
  • Electronics and Telecommunications Research Institute
  • 161 Gajeong-Dong, Yuseong-Gu, Daejeon, 305-350, KOREA
    Tel: 82-42-860-4888, Fax: 82-42-860-5611
    E-mail: {kbg63228, ikkim21, ljk63466, kykim, jsjang}@etri.re.kr

2
Introduction
  • Overview of NSCS Environment
    (Diagram of the NSCS environment: three CPCS nodes and five SGS nodes; only the node labels survived extraction.)
  • CPCS: Cyber Patrol Control System
  • SGS: Security Gateway System

3
Architecture of NSCS
(Diagram only; no text survived extraction.)
4
Detailed SGS Architecture
(Block diagram; the component labels are grouped here by the layer in which they appear in the figure.)
  • Application Task: Local GUI, Response Manager, SNMP Agent, Database Manager, Local Alert Manager, COPS / IAP Client, Local Policy Manager, Filesystem / Database, System Manager
  • Kernel interfaces: IOCTL I/F, Socket I/F
  • IDAB Kernel Module: Rule Manager, Payload Pattern Matching, Preprocessor (IP defragmentation, TCP reassembly, Application decode, Portscan detection)
  • PCI Bus
  • PSAB FPGA Logic: Preprocessor Filter, Fixed Field Pattern Matching, Flow Statistics, Sensing, Blocking, Forwarding
5
Detection Rule Configuration
(Rule layout; the figure repeats the same field set for each of the TCP, UDP, ICMP and IP groups.)
  • Rule groups: TCP Group, UDP Group, ICMP Group, IP Group
  • Detection related Fields
    • Fixed Field Pattern: Source IP Address, Destination IP Address, Source Port, Destination Port, TTL, IP ID, Fragbits, TCP Flags, Seq, Ack, Etc.
    • Payload Pattern: Data size, Content, Offset, Depth, Uricontent, Etc.
  • Alert related Fields: Attack name / Alert Message, Signature ID, Etc.
  • The fixed-field part is held in the H/W Logic Rule Mirror Table and the payload and alert part in the Kernel Logic Rule Table; the figure labels the relation between them as 1:N matching.
6
H/W Rule Table
(Table; the column headers are the protocols and the rows are the fixed fields. Which cells apply to which protocol did not survive extraction.)
  • Protocol: TCP, UDP, ICMP, IP
  • Fields: SRC IP, DST IP, TTL, IP ID, Fragbits, TCP Flags, SRC Port, DST Port, Seq, Ack, ICMP type, ICMP code, ICMP ID, ICMP Seq, Matching ID
7
Detection Algorithm (H/W)
(Flowchart of the FPGA logic, reconstructed from its surviving labels.)
  • Packet Monitor receives the packet.
  • PP Filter Check: Kernel preprocessing necessary? YES: PP Flag = 1; NO: PP Flag = 0.
  • FF Pattern Search: FF Pattern Matching? YES: FF Flag = 1; NO: FF Flag = 0.
  • PP Flag = 1 or FF Flag = 1? YES: Packet Send to the Kernel Logic over the PCI Bus; NO: no packet send.
  • PP: Preprocessor
  • FF: Fixed Field

8
Detection Algorithm (Kernel)
(Flowchart of the kernel logic, reconstructed from its surviving labels.)
  • Packet arrives from the FPGA Logic over the PCI Bus; Packet Decode.
  • PP Flag = 1? YES: Pre-process; Preprocessor Detection? YES: Alert Send.
  • FF Flag = 1? YES: Payload Pattern Search; Payload Pattern Matching? YES: Alert Send.
  • Alert Send goes out through the Socket Interface to CPAB.
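The two flowcharts above describe a split pipeline: the FPGA sets a PP flag and an FF flag (with a Matching ID from the H/W rule table), only flagged packets cross the PCI bus, and the kernel runs the slower Content/Offset/Depth payload search on the rules that share that Matching ID. The following user-space model is an added example, not the ETRI project's code; the rule tables, packets, the `ANY` wildcard and the SYN-only preprocessor criterion are all constructed for illustration, and the preprocessor path is represented only by its flag.

```c
/* Added example (not the ETRI SGS code): user-space model of the two-stage
 * detection pipeline on slides 5-8. Stage 1 stands in for the FPGA fixed-field
 * search (FF flag + Matching ID); stage 2 for the kernel payload search keyed
 * 1:N by that ID. Rule contents and packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANY 0xFFFFFFFFu              /* wildcard for a fixed-field value */

typedef struct {
    uint8_t  proto;                  /* IP protocol: 6 TCP, 17 UDP, 1 ICMP */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags, ttl;
    const uint8_t *payload;
    size_t   payload_len;
} packet_t;

/* Row of the H/W rule mirror table (slide 6): fixed fields plus Matching ID. */
typedef struct {
    uint32_t proto, src_ip, dst_ip, src_port, dst_port, tcp_flags; /* ANY = wildcard */
    uint32_t match_id;
} hw_rule_t;

/* Row of the kernel logic rule table (slide 5): payload pattern plus alert fields. */
typedef struct {
    uint32_t    match_id;            /* links to one H/W row; several rows may share it */
    const char *content;
    size_t      offset, depth;       /* depth 0 = search to end of payload */
    const char *alert_message;
    uint32_t    signature_id;
} kernel_rule_t;

typedef struct {
    int      pp_flag, ff_flag, sent_to_kernel;   /* PP = preprocessor, FF = fixed field */
    uint32_t match_id, signature_id;             /* signature_id 0 = no payload match */
    const char *alert_message;
} sgs_result_t;

/* Constructed rule tables (hypothetical signatures, not from the paper). */
static const hw_rule_t hw_rules[] = {
    { 6,  ANY, ANY, ANY, 80, ANY, 1 },           /* any TCP to port 80 */
    { 17, ANY, ANY, ANY, 53, ANY, 2 },           /* any UDP to port 53 */
};
static const kernel_rule_t kernel_rules[] = {
    { 1, "/cgi-bin/", 0,  0, "WEB cgi-bin access", 1001 },
    { 1, "GET /",     0,  5, "WEB GET request",    1002 },
    { 2, "version",   12, 0, "DNS version query",  2001 },
};

static int field_ok(uint32_t rule, uint32_t pkt) { return rule == ANY || rule == pkt; }

/* Stage 1 (FPGA logic, slide 7): fixed-field search -> FF flag and Matching ID. */
static int ff_pattern_search(const packet_t *p, uint32_t *match_id)
{
    for (size_t i = 0; i < sizeof hw_rules / sizeof hw_rules[0]; i++) {
        const hw_rule_t *r = &hw_rules[i];
        if (field_ok(r->proto, p->proto) && field_ok(r->src_ip, p->src_ip) &&
            field_ok(r->dst_ip, p->dst_ip) && field_ok(r->src_port, p->src_port) &&
            field_ok(r->dst_port, p->dst_port) && field_ok(r->tcp_flags, p->tcp_flags)) {
            *match_id = r->match_id;
            return 1;
        }
    }
    return 0;
}

/* Preprocessor filter (slide 7). Constructed criterion: a bare TCP SYN goes to
 * the kernel preprocessor, which is where portscan detection would run. */
static int pp_filter_check(const packet_t *p) { return p->proto == 6 && p->tcp_flags == 0x02; }

/* Content/Offset/Depth semantics: search payload[offset, offset+depth). */
static int content_match(const packet_t *p, const kernel_rule_t *r)
{
    size_t clen = strlen(r->content), end = p->payload_len;
    if (r->offset >= p->payload_len) return 0;
    if (r->depth && r->offset + r->depth < end) end = r->offset + r->depth;
    for (size_t i = r->offset; i + clen <= end; i++)
        if (memcmp(p->payload + i, r->content, clen) == 0) return 1;
    return 0;
}

/* Stage 2 (kernel logic, slide 8): 1:N payload search over rows sharing match_id. */
static const kernel_rule_t *payload_pattern_search(const packet_t *p, uint32_t match_id)
{
    for (size_t i = 0; i < sizeof kernel_rules / sizeof kernel_rules[0]; i++)
        if (kernel_rules[i].match_id == match_id && content_match(p, &kernel_rules[i]))
            return &kernel_rules[i];
    return NULL;
}

/* Whole pipeline: only packets with PP flag or FF flag set cross the PCI bus. */
sgs_result_t sgs_detect(const packet_t *p)
{
    sgs_result_t res = {0};
    res.pp_flag = pp_filter_check(p);
    res.ff_flag = ff_pattern_search(p, &res.match_id);
    res.sent_to_kernel = res.pp_flag || res.ff_flag;
    if (res.ff_flag) {
        const kernel_rule_t *hit = payload_pattern_search(p, res.match_id);
        if (hit) { res.signature_id = hit->signature_id; res.alert_message = hit->alert_message; }
    }
    return res;
}

/* Constructed sample packet: an HTTP request to port 80 referencing /cgi-bin/. */
packet_t sample_http_probe(void)
{
    static const char body[] = "GET /cgi-bin/test.cgi HTTP/1.0\r\n";
    packet_t p = { 6, 0x0A000001u, 0x0A000002u, 40000, 80, 0x18, 64,
                   (const uint8_t *)body, sizeof body - 1 };
    return p;
}

int main(void)
{
    packet_t p = sample_http_probe();
    sgs_result_t r = sgs_detect(&p);
    printf("pp=%d ff=%d match_id=%u sid=%u alert=%s\n", r.pp_flag, r.ff_flag,
           r.match_id, r.signature_id, r.alert_message ? r.alert_message : "-");
    return 0;
}
```

The point of the split is visible in `sgs_detect`: a packet that matches no fixed-field row and needs no preprocessing never reaches the payload search, so the byte-by-byte work is spent only on traffic the fast-path table has already narrowed down. When tuning such a table, the fixed-field rows should be as specific as the payload rules allow, since every wildcard row (like the port-80 row here) turns the whole matching flow into PCI-bus traffic and kernel work.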
9
SGS Prototype for NSCS
  • FPGA Logic (H/W) Functions
    • Wire-Speed Forwarding
    • 5-Tuple based Flow Classification
    • Statistics / Blocking / Sensing / Fixed Field Pattern Matching
  • Kernel Logic Functions
    • Linux kernel-2.4.2 based Kernel Module Programming
    • Payload Pattern Matching / Alert Generation

10
Conclusion and Future Work
  • Present the architecture of NSCS
  • Design the SGS of NSCS
  • Design the architecture of SGS
  • Design the ruleset configuration of SGS
  • Design the FPGA logic and kernel logic of SGS
  • Develop the prototype of SGS
  • Future Work
    • Improve the detection mechanism on high-speed links
    • Guarantee the secure transmission of messages among the prototype systems
    • Resolve the problems found during verification of the implemented system
