Access Control in ATM Networks
Olivier Paul, ENST Bretagne, RSM Department
Talk given at IBM Zurich, March 1st
IBM Zurich / ENST Bretagne

Slide 2: Agenda
– Introduction
– Access Control Parameters
– Access Control Architectures
– Access Control Management
– Conclusion
Slide 3: Introduction
Access control: security service providing protection against unauthorised use of a resource by an entity or group of entities (ISO definition).
[Figure: a client on the network, a firewall and a server; the firewall applies a rule such as]
  access-list 101 permit tcp any gt 1023 126.96.36.199 0.0.0.0 eq 80
Such a rule is built from source and destination addresses, the protocol, application or service identifiers (ports) and an action.
Slide 4: Introduction
ATM (Asynchronous Transfer Mode):
– Specified to transport various kinds of flows.
– Allows applications to request a Quality of Service.
– High speed (Mb/s to Gb/s).
– Connection oriented.
– Data transported in small fixed-size packets (cells).
– Usage: directly, by some native ATM applications (ANS, VoD); indirectly, as IP over ATM (IPOA, LANE, MPOA, MPLS), which is the most common use.
Slide 5: Introduction
[Figure: firewall data path: reassembly, classification, buffer, bus/switch, fragmentation]
The impact on the QoS depends on the buffer characteristics. Classification and copy (bus) operations are generally considered the bottleneck of the firewall architecture.
Slide 6: The flow classification problem
A classifier applies n rules bearing on d fields (protocol, source and destination addresses, source and destination ports, flags) to each packet:
  if Cond1 and Cond2 and Cond3 then action1
  if Cond4 and Cond5 then action2
  if Cond6 then action1
Theoretical bounds (Lakshman et al., ACM SIGCOMM 98): either O(log n) time with O(n^d) space, or O(log^(d-1) n) time with O(n) space.
Slide 7: Introduction
In the case of ATM networks, three issues arise with this architecture: throughput, Quality of Service and the access control parameters themselves.
[Figure: same firewall data path as slide 5, with the same bottleneck remarks]
Slide 8: Agenda (next section: Access Control Parameters)
Slide 9: Access control parameters
[Figure: classification of the parameters]
– TCP/IP parameters: already well known (addresses, ...), the existing parameters.
– ATM parameters: information generated by the ATM model.
Starting from the existing parameters, from new attacks and from analogies with parameters used in existing protocols, we derive new ATM access control parameters and a classification of access control parameters. An analysis of ATM applications and services then yields application access control profiles.
Slide 10: Access control parameters
– TCP/IP parameters: addresses and the other already well-known parameters.
– ATM parameters generated by the signalling protocol: service descriptors, Quality of Service descriptors, new addressing information, other parameters.
– ATM parameters generated by the ATM cell headers: connection identifiers (VPI/VCI), type of flow.
Slide 11: Agenda (next section: Access Control Architectures)
Slide 12: Access Control Architectures
Goal: provide an access control service
– for native ATM applications, using our new access control parameters;
– for IP over ATM applications, using the well-known TCP/IP access control parameters.
Two main problems to solve: efficiency of the classification process, and QoS insurance.
Two answers:
– An agent-based access control architecture: distributed, non-blocking access control process.
– A centralised access control architecture: fast packet classification algorithm with bounded complexities.
Slide 13: Agent-based access control architecture, improving access control performance
[Figure: internal and external network separated by two controllers, each holding the policy]
Concurrent access control processes (Schuba, Ph.D. thesis, Purdue University, 1997).
Slide 14: Agent-based access control architecture, improving access control performance
[Figure: internal networks 1, 2 and 3 each behind its own controller, with policies 1, 2 and 3]
Controller specialisation through policy segmentation.
Slide 15: Agent-based access control architecture
Are performance improvements sufficient to solve the QoS problem? Yes, if we can prove that the classification process is always fast enough and that the delay it introduces is small and bounded. Do existing access control devices comply with these conditions? Sometimes not; respect of the QoS then has to be ensured through other means.
Basic idea: use a non-blocking access control process, in which the access control decision is taken independently of the flows transported over the network.
Slide 16: Agent-based access control architecture
If we do not block the flows, where can we find the useful access control information? In the protocol stacks of the network devices: they keep information about ongoing communications, and this information can be accessed through external programs (E.P.). Most of the useful access control information can be found there.
[Figure: ATM end system 1, two ATM switches, ATM end system 2 and an external network joined by lines 1 to 3; an external program reads a switch's protocol stack]
Slide 17: Agent-based access control architecture
The basic idea is to extend such a program (later referred to as an agent) with access control capabilities. Periodically the agent polls the information located in the protocol stacks and compares it with a description of the allowed communications. If a communication is not allowed, the agent interacts with the protocol stack to stop it.
[Figure: same topology as slide 16, with the agent attached to the ATM switch]
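The polling loop described on slides 16 and 17, as an added example written for this page (it is not the authors' code). The slides do not describe the real stack interface, so the connection-record format, the policy format and all records below are assumptions made for the illustration; addresses are written as IPv4 prefixes for readability. The simulation also shows the cost of the asynchronous design: a disallowed connection carries traffic until the next poll.

```python
"""Added example (mine, not from the deck): a non-blocking access-control agent
that periodically polls a switch's connection table and releases the
connections the policy does not allow. Record and policy formats are assumed.
"""
import ipaddress


def matches(pattern, address):
    """pattern is 'any' or a CIDR prefix; address is a plain address string."""
    return pattern == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(pattern)


def allowed(policy, conn):
    """policy: list of (calling_prefix, called_prefix).
    A connection is allowed if some entry matches both ends."""
    _vpi, _vci, calling, called = conn
    return any(matches(a, calling) and matches(b, called) for a, b in policy)


def poll(policy, table):
    """One polling round: (vpi, vci) of every connection the agent must release."""
    return [(vpi, vci) for vpi, vci, calling, called in table
            if not allowed(policy, (vpi, vci, calling, called))]


def simulate(policy, setups, poll_period, horizon):
    """setups: [(t_ms, conn)] connection establishments in time order.
    The agent polls at t = 0, poll_period, 2*poll_period, ... up to horizon.
    Returns ({conn: (t_up, t_released)} for released connections, worst exposure).
    The exposure is bounded by poll_period but never zero: this is the window
    the non-blocking design leaves open."""
    table, up, released, i = [], {}, {}, 0
    for t in range(0, horizon + 1, poll_period):
        while i < len(setups) and setups[i][0] <= t:   # connections set up since last poll
            t_up, conn = setups[i]
            up[conn] = t_up
            table.append(conn)
            i += 1
        for vpi, vci in poll(policy, table):            # release what the policy forbids
            conn = next(c for c in table if c[:2] == (vpi, vci))
            released[conn] = (up[conn], t)
            table.remove(conn)
    worst = max((t_rel - t_up for t_up, t_rel in released.values()), default=0)
    return released, worst


# Constructed policy and connection records: (vpi, vci, calling, called).
POLICY = [("10.0.0.0/8", "any"), ("any", "192.0.2.0/24")]   # internal out, or towards the DMZ
C1 = (0, 100, "10.1.1.1", "198.51.100.7")      # internal host calling out: allowed
C2 = (0, 101, "203.0.113.9", "10.1.1.1")       # outside calling an internal host: not allowed
C3 = (0, 102, "203.0.113.9", "192.0.2.5")      # outside calling the DMZ: allowed
C4 = (1, 33, "198.51.100.7", "10.2.2.2")       # not allowed
SETUPS = [(0, C1), (250, C2), (900, C3), (1700, C4)]


def demo():
    """Poll every second for three seconds of constructed activity."""
    return simulate(POLICY, SETUPS, poll_period=1000, horizon=3000)


if __name__ == "__main__":
    print(demo())
```

With a one-second polling period, C2 (set up at 250 ms) lives until the poll at 1000 ms, so the worst exposure in this run is 750 ms; shortening the period shrinks the window but raises the polling load on the switch.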
Slide 18: Conclusions on the agent-based architecture
– A new architecture: distributed and asynchronous, built on a traditional classification algorithm.
– Open issues: the performance improvement is difficult to evaluate; security is not guaranteed (a communication that is not allowed exists until the agent's next poll); how to manage the access control agents.
Slide 19: Agenda (Access Control Architectures: agent-based architecture done, centralised architecture next)
Slide 20: Classification algorithms
Existing deterministic classification algorithms:
– Algorithms for static policies: fast; take advantage of redundancy in access control policies; but temporal and spatial complexities are unbounded, and generation and update of the classification structure are slow.
– Algorithms for dynamic policies: comparatively slow; bounded temporal and spatial complexities; bounded complexities for generation and update of the classification structure; implementable.
Slide 21: Classification algorithm
New flow classification algorithm, with d the number of fields to analyse and n the number of rules in the classification policy:
– Temporal complexity: O(d), independent of the number of rules.
– Spatial complexity: O((2n+1)^d), unusable as such for d = 4 and n = 50 (about 10^8 entries).
In practice, however, we succeed in implementing large policies by taking advantage of the redundancy in the classification structure.
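The classification problem of slide 6 and the time/space trade-off of slide 21, as an added example written for this page (not the authors' code). The slides do not describe how the O(d) / O((2n+1)^d) algorithm is built; the block uses the standard cross-product construction that has exactly these bounds, which is my assumption about the approach: every rule boundary splits each field into elementary intervals (at most 2n+1 per field), and a d-dimensional table indexed by interval numbers is filled once. The rules mirror the ACL of slide 3 and all packets are constructed.

```python
"""Added example (mine, not from the deck): first-match classification of
d-field packets by a linear scan (O(n) time) and by a precomputed
cross-product table (one lookup per field, at most (2n+1)^d entries).
"""
from bisect import bisect_right
from itertools import product
import ipaddress


def ip(s):
    return int(ipaddress.IPv4Address(s))


ANY32, ANY8, ANY16 = (0, 2**32 - 1), (0, 255), (0, 65535)
FIELD_MAX = (2**32 - 1, 2**32 - 1, 255, 65535, 65535)   # src, dst, proto, sport, dport

# Constructed policy: a rule is (ranges, action) with one inclusive (lo, hi) per
# field; the first matching rule wins and the default is deny.
HOST = ip("192.0.2.10")
RULES = [
    ((ANY32, (HOST, HOST), (6, 6), (1024, 65535), (80, 80)), "permit"),              # web server
    (((ip("10.0.0.0"), ip("10.255.255.255")), ANY32, ANY8, ANY16, ANY16), "permit"),  # internal out
]


def linear_classify(rules, pkt, default="deny"):
    """Scan the n rules in order; pkt is a tuple of d field values."""
    for ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, pkt)):
            return action
    return default


class CrossProductClassifier:
    """Precomputed d-dimensional decision table."""

    def __init__(self, rules, field_max, default="deny"):
        self.cuts = []
        for f, fmax in enumerate(field_max):
            # Each rule contributes at most two cut points per field: lo and hi+1,
            # hence at most 2n+1 elementary intervals per field.
            pts = {0, fmax + 1}
            for ranges, _ in rules:
                lo, hi = ranges[f]
                pts.update((lo, hi + 1))
            self.cuts.append(sorted(pts))
        # All packets inside one cell of the grid match the same rules, so the
        # cell's lower corner is classified once with the slow algorithm.
        self.table = {}
        for idx in product(*(range(len(c) - 1) for c in self.cuts)):
            corner = tuple(self.cuts[f][i] for f, i in enumerate(idx))
            self.table[idx] = linear_classify(rules, corner, default)

    @property
    def size(self):
        return len(self.table)

    def classify(self, pkt):
        """d interval lookups. Binary search is used here; a direct-indexed table
        per field would make each lookup O(1), the O(d) bound quoted on slide 21."""
        idx = []
        for f, v in enumerate(pkt):
            i = bisect_right(self.cuts[f], v) - 1
            if i < 0 or i >= len(self.cuts[f]) - 1:
                raise ValueError(f"field {f}: value {v} outside its domain")
            idx.append(i)
        return self.table[tuple(idx)]


def worst_case_size(n, d):
    """Upper bound on the table size for n rules over d fields."""
    return (2 * n + 1) ** d


def demo():
    cpc = CrossProductClassifier(RULES, FIELD_MAX)
    pkts = [(ip("203.0.113.5"), HOST, 6, 40000, 80),   # client to web server: permit
            (ip("203.0.113.5"), HOST, 6, 40000, 22),   # ssh from outside: deny
            (ip("203.0.113.5"), HOST, 6, 500, 80),     # source port not > 1023: deny
            (ip("10.1.2.3"), HOST, 17, 53, 53)]        # internal host going out: permit
    return [(linear_classify(RULES, p), cpc.classify(p)) for p in pkts], cpc.size


if __name__ == "__main__":
    print(demo(), worst_case_size(50, 4))
```

For these two rules over five fields the grid has 162 cells, far below the bound of 5^5 = 3125, because most fields are cut by only one rule; this is the redundancy slide 21 exploits. For n = 50 and d = 4 the bound is 101^4, over 10^8 entries.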
Slide 22: Implementation
IFT traffic analysis cards (designed by France Telecom R&D). Characteristics:
– Mono-directional.
– Physical connector: OC-12 (622 Mb/s).
– Unspecified classification algorithm.
– Action = f(first cell of an AAL5 frame, classification policy): AAL5 switching.
[Figure: IFT card between two physical connectors: classification, buffer, switching operations, policy]
Slide 23: Content of the first ATM cell
[Figure: protocol layering of the first 53-byte cell of an AAL5 frame: ATM header, then SNAP/LLC, then the IP header, then the TCP/UDP/ICMP header; the AAL5 trailer sits at the end of the frame. With a plain IPv4 header the transport header still fits in the first cell; an IP header with options or an IPv6 header pushes it past the first cell.]
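What a cell-level filter that decides on the first cell of an AAL5 frame (slides 22 and 23) can actually read, as an added example written for this page (not the authors' code). It assumes RFC 2684 LLC/SNAP encapsulation of routed IP (8 bytes before the IP header) and parses a constructed 48-byte cell payload; all packets are constructed. With a 20-byte IPv4 header and TCP the five-tuple and the TCP flags fit exactly; IPv4 options push the flags out first, then the ports, and an IPv6 header uses up the whole payload, which is the IPv6 problem noted on slide 27.

```python
"""Added example (mine, not from the deck): classification fields readable
from the 48-byte payload of the first cell of an AAL5 frame (LLC/SNAP + IP).
"""
import socket
import struct

CELL_PAYLOAD = 48
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"     # LLC + OUI, followed by a 2-byte EtherType
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
ICMP, TCP, UDP = 1, 6, 17


def first_cell_fields(payload):
    """Return (fields, missing): fields readable from the first cell and the
    names of those the cell does not contain."""
    if len(payload) != CELL_PAYLOAD:
        raise ValueError("one 48-byte cell payload expected")
    fields, missing = {}, []
    if payload[:6] != LLC_SNAP:
        return fields, ["llc_snap"]
    fields["ethertype"] = struct.unpack("!H", payload[6:8])[0]
    if fields["ethertype"] == ETH_IPV4:
        ihl = (payload[8] & 0x0F) * 4                 # options lengthen the header
        fields["proto"] = payload[8 + 9]
        fields["src"] = socket.inet_ntoa(payload[8 + 12:8 + 16])
        fields["dst"] = socket.inet_ntoa(payload[8 + 16:8 + 20])
        l4 = 8 + ihl
    elif fields["ethertype"] == ETH_IPV6:
        fields["proto"] = payload[8 + 6]              # Next Header
        fields["src"] = socket.inet_ntop(socket.AF_INET6, payload[8 + 8:8 + 24])
        fields["dst"] = socket.inet_ntop(socket.AF_INET6, payload[8 + 24:8 + 40])
        l4 = 8 + 40                                   # = 48: nothing of layer 4 is left
    else:
        return fields, ["ip"]
    proto = fields["proto"]
    if proto in (TCP, UDP):
        if l4 + 4 <= CELL_PAYLOAD:
            fields["sport"], fields["dport"] = struct.unpack("!HH", payload[l4:l4 + 4])
        else:
            missing.append("ports")
        if proto == TCP:
            if l4 + 14 <= CELL_PAYLOAD:               # flags byte is TCP offset 13
                fields["tcp_flags"] = payload[l4 + 13] & 0x3F
            else:
                missing.append("tcp_flags")
    elif proto == ICMP:
        if l4 + 2 <= CELL_PAYLOAD:
            fields["icmp_type"], fields["icmp_code"] = payload[l4], payload[l4 + 1]
        else:
            missing.append("icmp_type")
    return fields, missing


# Constructed headers (checksums left at zero; the filter does not verify them).
def ipv4_header(proto, src, dst, options=b""):
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options


def ipv6_header(proto, src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 20, proto, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def tcp_header(sport, dport, flags=0x02):            # 0x02 = SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def first_cell(ethertype, ip_hdr, l4_hdr):
    """Payload of the first cell: LLC/SNAP + headers cut at 48 bytes (padded if shorter)."""
    frame = LLC_SNAP + struct.pack("!H", ethertype) + ip_hdr + l4_hdr
    return frame[:CELL_PAYLOAD].ljust(CELL_PAYLOAD, b"\x00")


def demo():
    tcp = tcp_header(40000, 80)
    cells = {
        "ipv4": first_cell(ETH_IPV4, ipv4_header(TCP, "203.0.113.5", "192.0.2.10"), tcp),
        "ipv4_options": first_cell(ETH_IPV4, ipv4_header(TCP, "203.0.113.5", "192.0.2.10", b"\x01" * 8), tcp),
        "ipv6": first_cell(ETH_IPV6, ipv6_header(TCP, "2001:db8::5", "2001:db8::10"), tcp),
    }
    return {name: first_cell_fields(c) for name, c in cells.items()}


if __name__ == "__main__":
    for name, (fields, missing) in demo().items():
        print(name, fields, "missing:", missing)
```

A policy that tests TCP flags (slide 6 lists them) already fails on IPv4 packets carrying 8 bytes of options, and port-based rules cannot be enforced on the first cell of any IPv6 packet; a filter limited to the first cell must therefore decide what to do with frames whose fields are "missing" (drop, or reassemble further cells at a QoS cost).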
Slide 24: Centralised architecture
Goals:
– Design an architecture allowing IFTs to be used to provide the relevant access control service.
– Test our new classification algorithm to check whether the performance bottleneck and QoS insurance problems can be solved.
(IFT card characteristics: see slide 22.)
Slide 25: Architecture
– Located between a private network and a public network.
– Made of three modules: manager, signalling filter, cell-level filter.
– Integrates with an existing ATM switch.
Slide 26: Tests, throughput and QoS
– Maximum throughput to classify = physical connector maximum throughput less physical layer overhead: 622 × 26/27 = 599 Mb/s.
– Minimum classification capacity = minimum classification rate × size of an ATM cell: 1.31 M cells/s × 53 × 8 = 555 Mb/s.
– Since 555 Mb/s < 599 Mb/s, cells can arrive faster than they are classified; with an 8192-byte buffer the maximum added delay is about 120 µs.
– Memory requirements: practical examples, analysis of 9 fields, using a 15 ns analysis cycle.
Slide 27: Conclusions on the centralised architecture
Old architecture, new classification algorithm:
– Deterministic.
– The delay introduced by the access control process can be bounded.
– The minimum throughput can be bounded.
– Resistant to DoS attacks.
Limitations: the IPv6 problem (the transport header is not in the first cell); the algorithm is currently only able to deal with static policies.
Slide 28: Agenda (next section: Access Control Management: distribution criteria; a distributed access control management architecture)
Slide 29: Access control management
Goals:
– Security insurance: make sure that the whole access control architecture provides the access control service defined by the security officer.
– Efficiency insurance: configure each device with the smallest subset of access control rules allowing the policy to be enforced. Criteria have to be defined to build these sets.
Constraints:
– Problem 1: manage a set of devices with proprietary access control configuration interfaces (heterogeneity problem). Answer: a generic and ergonomic way to define the access control policy.
– Problem 2: manage distributed access control architectures (a large number of access control devices have to be configured remotely). Answer: automatic configuration architectures.
Slide 30: Criteria
Criterion 1: device access control capabilities. A rule cannot be attributed to a device that is not able to implement the rule.
Criterion 2: network topology. A rule r should not be attributed to a device that is not located between the source and the destination described by r.
[Figure: source, access control device, destination; rule: IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT]
Slide 31: Criteria
Criterion 3 (new): type of rule (permit/deny). A deny rule r has to be attributed to a single device: the one closest to the source or the destination described by r.
[Figure: source, access control device, destination; rule: IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY]
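The three distribution criteria of slides 30 and 31 applied to a small topology, as an added example written for this page (not the authors' code or their ns simulation). The slides do not state how the criteria combine, so the following are my assumptions: each device is default-deny, so a permit rule goes to every capable device on a path between its source and destination; a deny rule goes to exactly one capable device that every such path crosses, the one nearest the source or the destination; if no single device is on every path (a cyclic topology) the deny rule falls back to all on-path capable devices. Topology, device capabilities and rules are constructed; the rule count against the naive "whole policy on every device" configuration is the quantity slide 40 compares.

```python
"""Added example (mine, not from the deck): distributing a policy over several
filtering devices with the capability, topology and rule-type criteria.
"""
from collections import deque


def all_simple_paths(adj, src, dst):
    """Simple paths src -> dst by DFS (small topologies only)."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in sorted(adj[node]):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def hops(adj, start):
    """BFS hop count from start to every reachable node."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def distribute(adj, devices, rules):
    """devices: {name: set of fields the device can filter on}.
    rules: dicts with src, dst, fields (the fields the rule tests) and action.
    Returns {device: [rules assigned to it]}."""
    config = {dev: [] for dev in devices}
    for rule in rules:
        paths = all_simple_paths(adj, rule["src"], rule["dst"])
        on_path = {n for p in paths for n in p} & set(devices)            # criterion 2
        capable = {d for d in on_path if rule["fields"] <= devices[d]}   # criterion 1
        if rule["action"] == "permit":
            targets = capable
        else:                                                             # criterion 3
            cut = [d for d in capable if all(d in p for p in paths)]
            if cut:
                ds, dd = hops(adj, rule["src"]), hops(adj, rule["dst"])
                targets = {min(cut, key=lambda d: (min(ds[d], dd[d]), ds[d], d))}
            else:
                targets = capable   # no single device sees every path: deny everywhere
        for d in sorted(targets):
            config[d].append(rule)
    return config


def naive(devices, rules):
    """No distribution criteria: the whole policy on every device."""
    return {d: list(rules) for d in devices}


def rule_count(config):
    return sum(len(rs) for rs in config.values())


# Constructed topology: three sites, each behind its own filter, joined by a core switch.
ADJ = {"Net1": {"D1"}, "D1": {"Net1", "Core"},
       "Net2": {"D2"}, "D2": {"Net2", "Core"},
       "Net3": {"D3"}, "D3": {"Net3", "Core"},
       "Core": {"D1", "D2", "D3"}}
DEVICES = {"D1": {"src", "dst", "proto", "dport"},
           "D2": {"src", "dst", "proto", "dport"},
           "D3": {"src", "dst"}}                     # D3 cannot filter on ports
RULES = [
    {"id": "R1", "src": "Net1", "dst": "Net2", "fields": {"src", "dst"}, "action": "deny"},
    {"id": "R2", "src": "Net3", "dst": "Net2", "fields": {"src", "dst", "proto", "dport"}, "action": "permit"},
    {"id": "R3", "src": "Net2", "dst": "Net3", "fields": {"src", "dst"}, "action": "permit"},
]


def demo():
    cfg = distribute(ADJ, DEVICES, RULES)
    return ({d: [r["id"] for r in rs] for d, rs in cfg.items()},
            rule_count(cfg), rule_count(naive(DEVICES, RULES)))


if __name__ == "__main__":
    print(demo())
```

R1 lands only on D1 (one hop from its source), R2 skips D3 because D3 cannot test ports, and R3 goes to both devices on its path: 4 rule instances instead of the 9 of the naive configuration. When the routing agent reports a topology change, the same function is re-run on the new graph, which is what the agents of slide 38 automate.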
Slide 32: Centralised access control management architectures
[Figure: the security officer, at a console holding the access control policy and a network model, configures devices 1, 2 and 3]
Related work:
– Filtering Postures, J. Guttman, IEEE S&P 97.
– Firmato toolkit, Bartal et al., IEEE S&P 99.
– Policy based management, S. Hinrichs, ACSAC 99.
– An Asynchronous Distributed Access Control Architecture for IP over ATM Networks, Paul et al., ACSAC 99.
– Managing Security in Dynamic Networks, Konstantinou et al., LISA 99.
Slide 33: Acyclic network model
[Figure: source and destination linked through one access control device, with the rules IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN PERMIT and IF SRC_ADDRESS = Source AND DST_ADDRESS = Destination THEN DENY]
Slide 34: Acyclic network model
– Distribution enforces the three criteria.
– Topology changes force the security officer to reconfigure the access control devices.
[Figure: source, access control device, destination]
Slides 35 and 36: Acyclic model
The delay between a topology change and the reconfiguration of the access control devices can introduce security holes.
[Figure, two steps: links between source, access control device and destination are marked X as the topology changes]
Slide 37: Distributed access control management architecture
[Figure: the security officer, at a console holding the access control policy, and devices 1, 2 and 3]
Related work:
– Management of network security applications, Hyland & Sandhu, NISSC 98.
– Integrated management of network and host based security mechanisms, Falk et al., ACISP 98.
Slide 38: Our proposal
– Management agents (A.C.M. agents) located on the access control devices.
– The agents interact with the other elements (routing agents, access control manager).
– The agents generate efficient configurations using our three criteria.
[Figure: devices 1 to 5, each with a routing agent; an access control management agent on device 5; an access control manager]
Slide 39: Our proposal
Key features:
– Continuous interaction between the agent and its environment (routing agent, routing table, access control mechanisms): the local access control policy adapts automatically.
– Topology changes are put into use only once a new access control posture has been computed and implemented, so security holes can be avoided.
Slide 40: Simulation results
– Using the three criteria leads to a number of rules equivalent to that obtained by manual configuration.
– Without optimisation the number of rules grows polynomially with the number of access control devices, whereas after optimisation it grows linearly.
Slide 41: Conclusions on the distributed access control management architecture
Advantages:
– Generates more efficient configurations through the use of an additional distribution criterion.
– Reduces the interactions between the security officer and the access control management architecture.
– Prevents temporary security holes.
Drawbacks:
– The security officer learns a posteriori what happened in the network.
– The whole access control policy has to be sent to the agents.
Slide 42: Agenda (next section: Conclusion)
Slide 43: Conclusion
ATM access control parameters analysis:
– Application protection profiles.
– Access control parameters have been classified.
Two IP over ATM access control architectures, both able to take the new ATM access control parameters into account:
– New access control architecture with an old classification algorithm.
– Traditional access control architecture with a new classification algorithm, implemented on IFT cards.
Distributed automatic access control management architecture:
– New distribution criterion.
– Distributed access control management architecture allowing security holes to be avoided.
– Implementation using the ns simulator.
Slide 44: Future work
– New application-level access control parameters.
– Improvements to our classification algorithm.
– New version of the IFTs: higher throughput (1 Gb/s), wider analysis capability, new classification functions.
– Application in new areas (intrusion detection, application-level access control).
– Adaptation to other security services.
– Taking mobility into account.
– Taking the integrity of the access control service into account.