CS 551/651 SOFTWARE SECURITY
Design of a High-Performance ATM Firewall
Written by Jun Xu and Mukesh Singhal
Presented by Yiting Nan, March 27, 2000

Index
• Motivation
• Existing approaches
• QoF logical design
• QoF physical design
Firewall
• Definition: A network firewall is a device that controls communications across the boundary between a trusted and an untrusted network.
• Purpose: To control access by denying unauthorized communications. It also provides a single point where security and auditing can be imposed.
• Where to put it: Typically operates at the IP, TCP, and/or application layer of the OSI reference model.

ATM and Traditional Network
• ATM
  • Switched virtual connections
  • Fixed-length cells
• Traditional network
  • Connectionless
  • Shared medium
  • Variable-length packets
  • Broadcast network

Motivation
• Packet filtering needs to terminate an end-to-end ATM connection in the middle in order to extract IP packets for inspection, which incurs high SAR* overhead.
• Filtering bandwidth is below 100 Mbps, much less than the ATM rates of OC-3c and OC-12c**.
*SAR: Segmentation and Reassembly. **OC-3c: 155 Mbps, OC-12c: 622 Mbps.

Packet-level filtering is indispensable
• ATM Forum position: avoid packet filtering and exert discretion at connection establishment time. Problems:
  • No way to check the contents after the connection is established.
  • An SVC* is requested each time a new service starts.
  • Considerable change to the whole TCP/IP stack and to existing applications.
  • SVC explosion: a new SVC for each transport-layer flow.
• Apply cryptographic measures end-to-end. Problems:
  • Authentication and encryption do not automatically ensure proper access control.
  • Contents still need to be inspected after the connection is established.
  • Connections between untrusted parties are still needed.
*SVC: Switched virtual connection
Existing approaches - ATLAS
A line filter that scans an ATM physical link to perform packet-level filtering at OC-3c.
• To avoid SAR, for each packet it checks only the first cell: pass or fail!
• Uses a policy cache architecture to speed up. The core unit is the policy cache (a CAM). On a cache hit, the packet's cells are forwarded; otherwise the first cell goes through a software-screening process while the other cells are buffered in a queue.

Limitations and drawbacks of ATLAS
• Does not accept IP packets with IP option fields.
• CAM is not scalable.
• Not friendly to management and administration.

Quality of Firewall (QoF)
Applies security measures of different strength to traffic with different risk levels in order to achieve a good tradeoff between performance and security.
Four classes, A, B, C and D, ordered from safest to most dangerous; a higher QoF is applied to the more dangerous connections.
Logical design of ATM firewall
[Figure: logical design of the ATM firewall. Call Screening, driven by call-screening rules from Firewall Management, selects per-connection handling (VC-specific proxy option or VC-specific TCP/IP rules); class B connections go to Traffic Monitoring, class C to Packet Filtering and class D to Proxy. Each service reports unsafe packets and a traffic profile to Firewall Management, which receives management commands and records invalid calls in a signaling profile.]

Call-Screening Service
Call-screening rules include:
1. Source identity
2. Destination identity
3. Authentication information
4. QoF of the new connection to be established
5. Information needed for packet-level inspection

Packet-Filtering Service
• Filters only the first cell (or first two cells) of each packet.
• A layer-4 route cache architecture: the forwarding decision is made not only on the basis of the destination address, but also on the source address, port numbers, protocol, and possibly some other fields.
• Last Cell Hostage (LCH): all cells of a packet except the last one are held "hostage" until the software inspection is finished.
Traffic-Monitoring Service
• Nearly as secure as the packet-filtering service for TCP traffic, and introduces no latency even when a cache miss occurs (because of its after-the-fact nature).
• Monitors the headers of IP packets carried in class B connections.
• Might be used together with SSH or VPN cryptography, and maintains state information for half-open connections.

Proxy Service
• Acts as an application-level gateway (a proxy server) for a number of Internet protocols.
• Unlike the packet-filtering service, which looks only at the packet header, the proxy service monitors the execution of the protocol and filters at the application level.
• Since it needs to understand the protocol and requires SAR, it is commonly performed at the rate of a traditional firewall.
• Another use is to "oversee" the execution of ISAKMP.

Firewall Management Service
Controls and manages the other security services in the ATM firewall and provides user-friendly administration tools to network managers.
Logs two types of events:
1. Violations of the security policy.
2. The profile information on each connection.
Physical components of the ATM firewall
[Figure: an ATM Firewall Switch sits between the trusted ATM LAN and the untrusted ATM LAN; a Firewall Management Server, a Traffic Monitoring Server and a Proxy Server are attached to it.]

ATM Switch
[Figure: internal structure of an ATM switch. SONET links feed input modules (IM) that pass cells through the cell switching fabric (CSF) to output modules (OM); OAM cells are handled by the switch management module (SM) and signaling cells by connection admission control (CAC).]

ATM Firewall Switch - IM
[Figure: the input module (IM) of the firewall switch. Incoming cells pass a signaling-cells filter and a management-cells filter; signaling cells go to CAC. User cells are looked up in an enhanced VP/VC table with enhanced header translation and take either the TCP/IP express check or the TCP/IP software check (including the IP option check) before reaching the OM.]

ATM Firewall Switch (continued)
• OM: involved in implementing the LCH scheme.
• CAC: implements the call-screening service and cryptography.
• SM: adds firewall management.
• CSF: handles processing of the T-Monitor bit.

Other components
• Traffic-Monitoring Server: an ATM-attached workstation equipped with policy cache hardware to perform header checking at high speed.
• Proxy Server: a traditional proxy firewall equipped with ATM interfaces.
Links related to ATM security
• ATM Firewall Performance Evaluation, http://tebbit.eng.umd.edu/people/carrozzi/project.html
• ATM Security page, http://www.itr.unisa.edu.au/~dstowww/atm_security
• Carsten Benecke and Uwe Ellermann, "Securing 'Classical IP over ATM Networks'", Firewall Laboratory for High-Speed Networks, Fachbereich Informatik, Universität Hamburg, http://www.fwl.dfn.de/eng/team/cb
• Firewall Laboratory for High-Speed Networks, http://www.cert.dfn.de/eng/fwl/

ATLAS: ATM-Line-Access-And-Security
• An ATM firewall filtering cells at the speed of OC-3c.
• Supports Classical IP, LAN Emulation and FORE-IP over ATM, and MPOA over ATM. Cisco's 7513 is not able to filter on layer 3 (needed for MPOA), but ATLAS is.
• Can set more than 1000 filters without any performance degradation.
• If two ATLAS systems talk to each other across an ATM network, the data can be encrypted as well.

Limitations of Firewall
• Cannot protect against attacks that do not pass through the firewall; proprietary data can also be transmitted via modem or other media.
• Cannot protect very well against viruses.
ATM basics
• ATM cells: ATM is based on a 53-byte cell structure. Application data is placed into ATM Protocol Data Units (PDUs) of up to 9180 bytes that are segmented into fixed-size cells. Cells are multiplexed onto network links and reassembled into PDUs at the endpoint of the ATM network. Each fixed-size cell has a 5-byte header followed by a 48-byte payload. The header identifies the payload type, VPI (virtual path identifier) and VCI (virtual channel identifier), and carries a header error check. Together the VPI and VCI make up the VC (virtual circuit) identifier. The VC label is used to perform a table lookup in a switch table, and a label-swapping function is done in hardware to quickly switch the fixed-size cells.

ATM basics (continued)
The structure of the ATM cell payload depends on the type of service being used. The ATM Adaptation Layer (AAL) was designed to support different services and types of traffic. The AAL maps the ATM layer services to the upper layers of the protocol stack through the Convergence Sublayer (CS) and SAR functions. The ATM layer is mainly concerned with management of the cell headers while receiving and sending ATM cells. ATM is efficient in its use of bandwidth because it multiplexes multiple streams of traffic onto network links using a technique known as cell interleaving. Cells from many different flows can be interleaved on a physical link, avoiding the problem encountered in data networks where small real-time packets can get stuck in a transmission queue behind large packets.
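As an added example (not code from the paper), the cell structure described in the ATM basics slides in working form: a UNI cell header packer and parser with the header error check, and the VP/VC table lookup that performs the label swap in a switch. The HEC algorithm is the standard CRC-8 with coset 0x55 from ITU-T I.432; the VC table entries and port numbers are constructed.

```python
def hec(header4):
    """Header error control: CRC-8 with generator x^8 + x^2 + x + 1 over the first four
    header octets, XORed with 0x55 (ITU-T I.432)."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def pack_header(vpi, vci, pt=0, clp=0, gfc=0):
    """Build a 5-byte UNI cell header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    h4 = word.to_bytes(4, "big")
    return h4 + bytes([hec(h4)])

def parse_header(cell):
    """Split a cell header into its fields; a bad HEC means the VC label cannot be trusted."""
    h4 = bytes(cell[:4])
    if hec(h4) != cell[4]:
        raise ValueError("HEC mismatch: header corrupted")
    word = int.from_bytes(h4, "big")
    return {"gfc": word >> 28, "vpi": (word >> 20) & 0xFF, "vci": (word >> 4) & 0xFFFF,
            "pt": (word >> 1) & 0x7, "clp": word & 1}

def switch_cell(vc_table, in_port, cell):
    """Label swapping: look up (in_port, VPI, VCI) in the VP/VC table, rewrite the label for the
    outgoing link and recompute the HEC; the 48-byte payload is never touched. Unknown VC: drop."""
    h = parse_header(cell)
    entry = vc_table.get((in_port, h["vpi"], h["vci"]))
    if entry is None:
        return None
    out_port, out_vpi, out_vci = entry
    new_header = pack_header(out_vpi, out_vci, h["pt"], h["clp"], h["gfc"])
    return out_port, new_header + bytes(cell[5:])
```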