Deep Packet Inspection of Next Generation Network Devices

Similar documents
Making Network Functions Software-Defined

A Software-Defined Framework for Improved Performance and Security of Network Functions

Deep Packet Inspection as a Service

Switch and Router Design. Packet Processing Examples. Packet Processing Examples. Packet Processing Rate 12/14/2011

Encoding Short Ranges in TCAM Without Expansion: Efficient Algorithm and Applications

Towards A Fast Packet Inspection over Compressed HTTP Traffic

Space-Time Tradeoffs in Software-Based Deep Packet Inspection

Design and Implementation of a Data Plane for the OpenBox Framework

VNF Chain Allocation and Management at Data Center Scale

Design of Deterministic Finite Automata using Pattern Matching Strategy

BUILDING A NEXT-GENERATION FIREWALL

Container Network Functions: Bringing NFV to the Network Edge

Towards a Fast Regular Expression Matching Method over Compressed Traffic

소프트웨어기반고성능침입탐지시스템설계및구현

Hash-Based String Matching Algorithm For Network Intrusion Prevention systems (NIPS)

Snort Virtual Network Function with DPI Service

Software-Defined Networking (SDN) Overview

CellSDN: Software-Defined Cellular Core networks

Thomas Lin, Naif Tarafdar, Byungchul Park, Paul Chow, and Alberto Leon-Garcia

G-NET: Effective GPU Sharing In NFV Systems

Ruler: High-Speed Packet Matching and Rewriting on Network Processors

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Lecture 14 SDN and NFV. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

15-744: Computer Networking. Middleboxes and NFV

Dynamic Pipelining: Making IP- Lookup Truly Scalable

IP Forwarding. CSU CS557, Spring 2018 Instructor: Lorenzo De Carli

New Cisco 2800 And 3800 Series Integrated Services Router Wan Optimization Bundles

IJSRD - International Journal for Scientific Research & Development Vol. 3, Issue 12, 2016 ISSN (online):

Configurable String Matching Hardware for Speeding up Intrusion Detection

Lecture 11: Packet forwarding

FPGA Implementation of Token-Based Clam AV Regex Virus Signatures with Early Detection

Building Security Services on top of SDN

Design and Implementation of Virtual TAP for Software-Defined Networks

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Professor Yashar Ganjali Department of Computer Science University of Toronto.

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

Shift-based Pattern Matching for Compressed Web Traffic

SDN (Software-Defined Networking) Enabling Network Innovation from Edge

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Hardware Acceleration in Computer Networks. Jan Kořenek Conference IT4Innovations, Ostrava

Dynamic Analytics Extended to all layers Utilizing P4

Introducing Avaya SDN Fx with FatPipe Networks Next Generation SD-WAN

Stochastic Pre-Classification for SDN Data Plane Matching

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley

HEX Switch: Hardware-assisted security extensions of OpenFlow

40Gbps+ Full Line Rate, Programmable Network Accelerators for Low Latency Applications SAAHPC 19 th July 2011

Network function virtualization

Software Defined Networking

P51: High Performance Networking

Network Function Virtualization. CSU CS557, Spring 2018 Instructor: Lorenzo De Carli

NOISE ELIMINATION USING A BIT CAMS

Pulse Secure Application Delivery

Implementation of Boundary Cutting Algorithm Using Packet Classification

HIGH-PERFORMANCE PACKET PROCESSING ENGINES USING SET-ASSOCIATIVE MEMORY ARCHITECTURES

Accelerating String Matching Algorithms on Multicore Processors Cheng-Hung Lin

How DPI enables effective deployment of CloudNFV. David Le Goff / Director, Strategic & Product Marketing March 2014

Curriculum Vita: Anat Bremler-Barr

Rule-Based Forwarding

A Routing Infrastructure for XIA

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

Enabling Efficient and Scalable Zero-Trust Security

DPX19000 Next Generation Cloud-Ready Service Core Platform

NetDefend Firewall UTM Services

A Unified Threat Defense: The Need for Security Convergence

NaaS Network-as-a-Service in the Cloud

ETSI FUTURE Network SDN and NFV for Carriers MP Odini HP CMS CT Office April 2013

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Fast Deep Packet Inspection with a Dual Finite Automata

Packet Inspection on Programmable Hardware

Improving Signature Matching using Binary Decision Diagrams

Reliably Scalable Name Prefix Lookup! Haowei Yuan and Patrick Crowley! Washington University in St. Louis!! ANCS 2015! 5/8/2015!

Large-scale Multi-flow Regular Expression Matching on FPGA*

Scalable Name-Based Packet Forwarding: From Millions to Billions. Tian Song, Beijing Institute of Technology

SCALING SOFTWARE DEFINED NETWORKS. Chengyu Fan (edited by Lorenzo De Carli)

Lecture 10.1 A real SDN implementation: the Google B4 case. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Accelerating SDN and NFV Deployments. Malathi Malla Spirent Communications

Architecture for Building Hybrid Kernel-User Space Virtual Network Functions

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)

Two Level State Machine Architecture for Content Inspection Engines

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

Forwarding Architecture

Extensible Network Security Services on Software Programmable Router OS. David Yau, Prem Gopalan, Seung Chul Han, Feng Liang

Enabling Agile Service Chaining with Service Based Routing

Problem Statement. Algorithm MinDPQ (contd.) Algorithm MinDPQ. Summary of Algorithm MinDPQ. Algorithm MinDPQ: Experimental Results.

Seven Criteria for a Sound Investment in WAN Optimization

Data Center Virtualization: VirtualWire

PUSHING THE LIMITS, A PERSPECTIVE ON ROUTER ARCHITECTURE CHALLENGES

Efficient Signature Matching with Multiple Alphabet Compression Tables

Network Functions Virtualisation. Kazuaki OBANA Media Innovation Laboratory, NTT Network Innovation Laboratories

Network Processors. Nevin Heintze Agere Systems

VM-SERIES FOR VMWARE VM VM

Data Sheet. DPtech Anti-DDoS Series. Overview. Series

PacketShader: A GPU-Accelerated Software Router

Decompression-free inspection: DPI for shared dictionary compression over HTTP

Network Wide Policy Enforcement. Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta)

Accelerating String Matching Using Multi-threaded Algorithm

Multi-pattern Signature Matching for Hardware Network Intrusion Detection Systems

Router Architectures

Network Virtualisation Vision and Strategy_ (based on lesson learned) Telefónica Global CTO

Transcription:

Deep Packet Inspection of Next Generation Network Devices Prof. Anat Bremler-Barr IDC Herzliya, Israel www.deepness-lab.org This work was supported by European Research Council (ERC) Starting Grant no. 259085

Deepness - DPI Engineering for Enhanced Performance of Network Elements and Security Systems http://www.deepness-lab.org/ - detailed publication list Deepness Lab was founded in November 2010 by Prof. Anat Bremler-Barr and Prof. David Hay Group: more than 20 master, PhD and post doc students More than 40 papers and several patents Currently 1 PhD & 2 Masters AT&T Post-doc Princeton Post-doc Princeton Chief Scientist Post-doc Berkeley CTO and Co-Founder 2

Deep Packet Inspection (DPI) Classify packets according to: Packet payload (data) Against known set of patterns: strings or regular expressions Internet IP packet Evil Firewall Evil -> Common task in Network function (Middleboxes) 3

DPI-Based Network Functions Intrusion Detection System Network Analytic Traffic Shaper Network Anti-Virus Copyright Enforcement Lawful Interception L7 Firewall L7 Load Balancer Leakage Prevention System 4

DPI Engine Complicated Challenge DPI engine is considered a system bottleneck in many of todays NFs (30%-80%) [Laboratory simulations over real deployments of Snort and ClamAV] A well-studied problem in Computer Science but with no sufficient solutions to current demands. Hundreds of academic papers over recent years scalability throughput latency power resiliency updates compression 5

Major Challenges Scalability: Rate - greater than 10 or even 100 Gbps Memory - handling thousands of patterns Handling non clear-text traffic Compressed traffic Security of the DPI itself: resilient to Distributed Denial of Service (DDoS) attack Opportunities: DPI in Software Defined Networks(SDN) and Network Function Virtualization(NFV) 6

Challenge #1: Scalability Anat Bremler-Barr, Yaron Koral, David Hay, "CompactDFA: Scalable Pattern Matching using Longest Prefix Match Solutions", in IEEE/ACM Transactions on Networking, 2013 7

Regular expression classical solutions: Deterministic vs. Non-Deterministic Finite Automaton NFA * 0 a b c a 1 RegEx: (1).*a + bc (2).*bcd + (3).*cde a: 1-10 b c 2 3/1 DFA d 4 c 5 d 6/2 0 d 7 8 e 9/3 1 b 2 c 3/1 a b: 2-10 d d b 4 c 5 d 6/2 d 7/2 c e d e 8 9 10/3 time NFA c: 1,3,5-10 DFA Text: d a b c d memory In practical cases single DFA infeasible!

Feasible Solutions to Regular expressions Common approach (e.g. Snort) implement two-phase approach: 1. String matching over all strings that appeared in the combined set of regular expressions 2. Running a single regular expression DFA <\x21doctype\s+[^>]*system[^>]*>.*\x2eparseerror <\x21doctype SYSTEM \x2eparseerror Multi Regex Matching Multi + String Single Regex Matching Matching 9

The challenge in string-matching 1 Current Sym A Next State 0000 (s 0 ) Common algorithm Aho-Corasick 2 3 4 5 6 7 0001(s 1 ) B C D E F A 0110(s 6 ) 1100(s 12 ) 0001(s 1 ) Common implementation full table DFA : States Alphabet Cannot be fully in fast SRAM: Snort: 73MB 8 0001(s 1 ) B 0010(s 2 ) ClamAV: 1.5GB 9 0001(s 1 ) C 10 0001(s 1 ) D 11 0001(s 1 ) E 12 0001(s 1 ) F 13 0010(s 2 ) A 14 0010(s 2 ) B 0100(s 4 ) 15 0010(s 2 ) C 0011(s 3 ) 16 0010(s 2 ) D 84 1101(s 13 ) F 0000 (s 0 ) 10

Current Sym Next State 1 A 0000 (s 0 ) 2 B 0110(s 6 ) 3 C 1100(s 12 ) 4 D 5 E 0001(s 1 ) 6 F 7 0001(s 1 ) A 8 0001(s 1 ) B 0010(s 2 ) 9 0001(s 1 ) C 10 0001(s 1 ) D 11 0001(s 1 ) E 12 0001(s 1 ) F 13 0010(s 2 ) A 14 0010(s 2 ) B 0100(s 4 ) 15 16 0010(s 2 ) 0010(s 2 ) C D 0011(s 3 ) DFA CompactDFA Snort: 73MB 0.6MB ClamAV: 1.5GB 26MB 84 1101(s 13 ) F 0000 (s 0 ) Observation : degree of freedom of encoding states name

CompactDFA Reducing the problem of pattern matching to IP lookup Longest prefix match Using TCAM to represent a huge DFA in a compact manner TCAM Fully associative ternary memory Common in today routers

Challenge #2: Compressed Traffic A. Bremler-Barr, Y. Koral " Accelerating Multi-patterns Matching on Compressed HTTP Traffic ", in IEEE/ACM Transaction on Networking 2011 Yehuda Afek, Anat Bremler-Barr, Yaron Koral, "Efficient Processing of Multi- Connection Compressed Web Traffic", in Computer Communication 2012 Michela Becchi, Anat Bremler-Barr, David Hay, Omer Kochba, Yaron Koral, "Accelerating Regular Expression Matching Over Compressed HTTP". In IEEE INFOCOM, April 2015 13

Motivation: Compressed HTTP 76% of all the sites compress traffic. Goal: reduce Bandwidth! Data compression is done by adding references (pointers) to repeated data: GZIP (+Huffman) Current security tools do not deal with compressed traffic due to the high challenges in time and space 14

Compressed Traffic : Time Challenge Need to decompress prior to pattern matching HTTP compression is an adaptive compression The same string will be encoded differently depending on its location in the text General belief: Decompression + pattern matching >> pattern matching 15

Our solution: Accelerating DPI Compression is done by compressing repeated sequences of bytes, so store information about the pattern matching results No need to fully perform again pattern matching on repeated sequences which were already scanned x 2-3 time reduction Decompression + pattern matching << pattern matching We also dealt with regular expression [Infocom 2015] We also dealt with SDCH [Infocom 2012] 16

Compressed Traffic : Space Challenge Thousands of concurrent sessions Compressed traffic: 32KB/session

Our solution: Space Reduction Observation: The 32KB needed for decompression are not used most of the time Key idea: therefore the 32KB can be kept in compressed form most of the time Some light version on the compressed form of the traffic x5 space reduction Overall: improve space by 80% and Time by 40% 18

The Other Side of the Coin: Acceleration by Identifying Repetitions in Uncompressed Traffic There are repetitions in uncompressed HTTP traffic Entire files (e.g., images) Parts of the files (e.g., HTML tags, javascripts) We keep scanning again and again the same thing (and get the same scanning results..) 1. Identify frequently repeated data 2. Perform DPI on the data once and remember the results 3. When encountering a repetition, recover the state without re-scanning Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, and David Hay: Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection. Infocom, 2015 19

Challenge #3: Securing the DPI Yehuda Afek, Anat Bremler-Barr, Yotam Harchol, David Hay, Yaron Koral, "Making DPI Engines Resilient to Algorithmic Complexity Attacks". In IEEE/ACM Transactions on Networking, Volume 24, Issue 6, 2016 20

Complexity DoS Attack Over NIDS Regular operation 2 Steps attack: Attacker normal malicious heavy 1. Kill IPS/FW Internet 2. Launch original attack (e.g., steal credit cards)

Complexity DDoS Attack Over IDS Easy to craft very hard to process packets 2 Steps attack: Attacker 1. Kill IPS/FW normal malicious heavy Internet 2. Sneak into the network

Attack on Security Elements Combined Attack: DDoS on Security Element exposed the network theft of customers information

Deep Packet Inspection: the environment High Capacity Slow Memory (D)RAM Locality-based Low Capacity Fast Memory Cache Memory In reality, in security network function,most memory accesses are done to the cache. BUT One can attack the implementation by reducing its locality, getting it out of cache - and making it much slower! 24

Attack on Snort Heavy packets rate We present a multi-core (multi- VMs) system architecture, which is robust against complexity DDoS attacks

Solution Outline Alg for Regular traffic NIC Q Core #1 Q Core #2 Alg for Heavy traffic Q Core #8 Processor Chip Q Q Dedicated Core #9 Dedicated Core #10 B B B

System Throughput Over Time

DPI in SDN & NFV Anat Bremler-Barr, Yotam Harchol, David Hay, Yaron Koral, "Deep Packet Inspection as a Service". in ACM CoNEXT, 2014 Anat Bremler-Barr, Yotam Harchol, David Hay, "OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions", in SIGCOMM, 2016 28

Network Function Service Chains Each packet is scanned multiple times causing waste of computation resources Each NF implements its own DPI engine (higher NF costs, reduced features) 29

Our Solution: DPI as a Service Contribution: The idea of having a centralized DPI service instead of multiple instances of it at each Network Function Benefits: Innovation Lower entry barriers Reduced costs Cheaper NF HW/SW Improved performance - Scan each packet once Beneficial - time requirement is sub linear with #patterns Rich DPI functionality Invest once for all NF 30

Solution Outline Architecture aspects of DPI as a service DPI Instance One or multiple DPI instances DPI controller Received the patterns sets from all the NFs Divide the patterns to different sets of DPI instances Mechanism for passing results from the DPI to the NFs: Network Service Header (NSH)

Service chain of NFs in NFV SDN Controller Traffic Steering AV1 VM VM TS S1 S2 S4 IDS1 VM S3 AV2 VM VM IDS2 L7 FW1 VM

DPI as a Service SDN Controller Traffic Steering Modified Service Chain: DPI AV1 IDS1 L7 FW1 TS AV1 TS DPI S1 S2 S4 S3 AV2 IDS2 IDS1 L7 FW1

Observation Most network functions do very similar processing steps (DPI, Header Classifier ) But there is no re-use OpenBox [sigcomm 2016] framework is based on this observation 34

OpenBox www.openboxproject.org github.com/openboxproject OpenBox: A new software-defined framework for network functions Decouples network function control from their data plane OpenBox Instances (OBI): Data plane entities (e.g. DPI, packet classification) OpenBox Controller : Logically centralized control plane NFs are written as OpenBox applications on top of OpenBox Controller using north bound programming API Benefits: Easier, unified control Better performance Scalability Flexible deployment Inter-tenant isolation Innovation OBI OBI OpenBox Controller OBI

DPI: Conclusion Evolving area SDN & NFV change the field of Network Function and among other the DPI area Thank You!!! 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback