Network Wide Policy Enforcement. Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta)

Transcription

1 Network Wide Policy Enforcement Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta) 1

2 Enforcing Policy in Future Networks MF vision includes enforcement of rich policies in the network E.g., intentional data receipt Only if (or if not) from these addresses Only if a well formed request Only if it s not malicious How can we scale rich policy enforcement? Use modern intrusion detection/prevention policies as examples to drive the research 2

3 Scaling intrusion detection & prevention Traffic increase More packets to process User applications changing More functions/modules Attacks evolving Larger set of rules to apply 3

4 Traditional approaches for scaling NIDS/NIPS 1. Build clusters 2. Better algorithms. Single vantage point solutions designed for perimeter deployments (gateway between internal/external network) 4

5 Single vantage view is restrictive Capacity of each installation = 50 units N1: N2: 50 Overloaded! Offload to N3? 15 N4:50 15 N3:50 Many NIDS/NIPS infrastructures are multi node deployments e.g., ISPs, large enterprises, datacenters 5

6 Alternative: Network wide scaling N1: N2: Offload to N3 15 N4:50 15 N3:50 Treat NIDS/NIPS infrastructure as one system Leverage on path opportunities for distributing work Complements single vantage scaling 6

7 Key requirements Scan 3. Network wide objectives 1. Resource Constraints 2. Placement Affinity HTTP Flood Systematic designs for network wide NIDS/NIPS deployment 7

8 Outline Motivation for network wide approach NIDS deployment NIPS deployment Discussion and summary 8

9 System model Provide functionality equivalent to a single NIDS on all traffic Minimize the maximum load (CPU/Memory) across the network Scan Telnet HTTP Scan Telnet HTTP Scan Telnet HTTP Scan Telnet HTTP Scan Telnet HTTP 9

10 Identifying candidate nodes for offloading Partition traffic spatially; Identify a set of nodes for each partition Any node in that set can provide the NIDS function Coordination Unit N1 N2 Partition1: {N1,N5,N3} N5 Coordination Units Partition2: {N2,N5,N4} N4 N3 Partitions 10

11 Identifying candidate nodes for offloading Partition traffic spatially; Identify a set of nodes for each partition Any node in that set can provide the NIDS function Coordination Unit H1 N1 Scan N2 H2 Partitions N4 N5 N3 Coordination Units H4 Scan Partition 1: {N1} Scan Partition 2: {N2} Scan Partition 3: {N3} Scan Partition 4: {N4} H3 11

12 System model Provide functionality equivalent to a single NIDS on all traffic Minimize the maximum load (CPU/Memory) across the network [0,0.25] [0,1] Scan [0,0.25] [0,1] Scan [0.25,0.75] [0.25,0.75] [0.75,1] [0,1] [0.75,1] [0,1] Scan Scan Control fraction of traffic each node processes per module/coordination unit 12

13 NIDS optimization framework Inputs: Network information 1. Coordination units 2. Traffic specification 3. Routing information Resource footprints Mem/CPU profile for Each NIDS module Node capacities Memory/CPU Objective: Provide equivalent coverage Minimize maximum load Network wide optimization using linear programming Fraction of traffic each node processes per NIDS module Non overlapping hash ranges per coordination unit 13

14 Prototype implementation in Bro HTTP Telnet Filtered event stream HTTP Telnet Hash Check Hash Check Hash Check Hash Check Policy Engine Event Engine Hash Check Hash Scan Easy to Check implement, Some but inefficient! modules still need checks here Hash Check Hash Basic Check Hash check: Compute hash(header) If hash in range assigned for module Process the packet Else Ignore packet Traffic Raw packet stream Early drop; More efficient! 14

15 Evaluation: CPU scaling Emulated Abilene topology: 100,000 sessions; gravity model matrix Result shows maximum processing footprint across 11 network nodes Number of NIDS modules enabled Reduces maximum processing footprint by 50%! 15

16 Outline Motivation for network wide approach NIDS deployment NIPS deployment Discussion and summary 16

17 System model Payload signature, ACL, Firewall N1 Set of rules Drop traffic that matches the rules Any node on path can apply the rule N2 N4 N5 N3 Hardware Accelerated e.g., TCAM N3 Rule capacity constraints (in addition to CPU, memory) 17

18 NIPS optimization framework Inputs: Network information Traffic, Routing NIPS rules Rule match rates Resource footprints Mem/CPU profile TCAM per rule Node capacities Mem/Processing capacity TCAM capacity Objective: Reduce footprint of unwanted traffic = (match * volume) Network Wide optimization NP hard! Enable introduces binary variables Becomes an Integer linear Program What rules to enable on each node (TCAM constraint) Fraction of traffic to apply enabled rules on (Mem/CPU constraint) 18

19 Performance of our approx. algorithm Different PoP level topologies from Rocketfuel TCAM capacity per node as fraction of total #rules Achieves more than 92% of LP upperbound (and hence OPT) 19

20 Other issues Providing redundant coverage for NIDS Making NIPS robust to adversarial evasion Network dynamics Time to recompute optimal solutions Conservative traffic inputs Correctness under routing changes Provisioning/upgrades 20

21 Conclusions Exploit spatial opportunities for load balancing Complements ongoing work in better single vantage point solutions Key issues: Resource constraints, placement affinity, network wide goals Best addressed using network wide coordinated approach NIDS deployment Formulation as a linear program Network wide NIDS prototype in Bro NIPS deployment Formulation as a Integer Linear program Rounding based approximation algorithm 21