A Full Bandwidth ATM Firewall
Olivier Paul, Maryline Laurent, Sylvain Gombault
ENST de Bretagne, in collaboration with France Telecom R&D and DRET

Introduction
- ATM (Asynchronous Transfer Mode):
  - Specified to transport various kinds of flows.
  - Allows applications to request Quality of Service.
  - Connection oriented.
  - Data transported in small packets (cells).
  - High speed (155 Mb/s to 2.4 Gb/s).
  - Usage:
    - Directly: some native ATM applications (ANS, VoD).
    - Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS), the most common use.

Which problems?
[Figure: a firewall placed between the public network and the private network.]
- Protect the private network from the outside.
- Control the actions of private network users.
- Protect the public network from customers.

Access Control Process
[Figure: firewall pipeline: reassembly, classification, buffer, fragmentation. The classification step takes the access control policy and the content of the packet as inputs and produces an ACTION.]

Access Control Process
- The classification process usually requires a lot of processing power.
  - Poor performance.

Access Control Process
- The classification process is not aware of QoS requirements.
  - QoS may not be respected.

Access Control Process
- The whole architecture has to be able to deal with high throughputs.
  - The PC architecture is currently not well suited for this task.

CARAT - Goals
- Security level similar to a stateless packet filter.
- Improving access control on ATM signalling.
- High speed.
  - Worst-case throughput = 620 Mb/s.
- QoS preservation.
  - Delay has to be small and bounded.
- Easy to manage.

Architecture
- Located between the public and private networks.
- Made of three modules:
  - Manager.
  - Signalling Filter.
  - Cell-Level Filter.
- Integrates with an existing switch.
  - Signalling flows are directed to the signalling filter.
  - User flows are directed to the cell-level filter.

Access Control Policy Description
- ATM-level access control policy.
- TCP/IP-level access control policy.
Example: authorize the workstation with the 220.127.116.11 address to use external WWW servers:
1: IF (IP SRC ADDRESS = 18.104.22.168) AND (IP DST ADDRESS > 0.0.0.0) AND (TCP SRC PORT > 1023) AND (TCP DST PORT = 80) THEN PERMIT.
2: IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 22.214.171.124) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) AND (TCP FLAG = SYN) THEN DENY.
3: IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 126.96.36.199) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) THEN PERMIT.

Splitting the Access Control Policy
[Figure: the security officer defines a single A.C. policy; the manager splits it into a signalling A.C. policy for the signalling filter and a TCP/IP static policy for the cell-level filter.]

The Signalling Filter
- GOAL: improve the signalling access control parameters.
  - Addressing information.
  - QoS descriptors.
  - Service descriptors.
- Based on a SUN ATM signalling protocol stack.
- Modifications to the protocol stack.
- Filter (UNI 3.1 IE filtering capability).

Cell-level Filter
- IFT (Internet Fast Translator) NICs:
  - Designed and manufactured by France Telecom R&D.
  - Mono-directional.
  - Made of two parts:
    - OC-12 (620 Mb/s) physical connector.
    - Filtering process.
  - On-the-fly configuration modification.
- IFT driver.
- RPC daemon.
  - Remote configuration.
[Figure: a Solaris PC hosting the IFT driver and the RPC daemon; each IFT card consists of an OC-12 physical connector and a filtering process.]

Filtering Process
- Cell extraction process:
  - Extracts the first cell of each AAL5 frame.
  - Propagates the A.C. decision to the relevant ATM cells.
[Figure: AAL5 frames enter the first-cell extraction process; the first cell is passed to the analysis automaton, which is driven by the trie memory (static part and dynamic part); an interface to the IFT driver completes the filtering process.]

What's inside the 1st cell?
[Figure: the protocol stack carried in one 53-byte cell: ATM header, AAL5, SNAP/LLC, IP header, TCP/UDP/ICMP header. With an IPv4 header carrying options, or an IPv6 header, the stack no longer fits in the 53-byte first cell.]

Protocols used over ATM
[Figure: TCP/UDP/ICMP over IP over SNAP/LLC or NULL encapsulation over AAL5; LANE and MPOA also run over SNAP/LLC and AAL5; native ATM applications and services sit directly on ATM.]
- Where can we find the useful information in ATM cells?

Linking ATM Connections to the TCP/IP Access Control Policy: Connection Establishment
[Figure: on a new connection, the signalling filter reports (encaps, vpi, vci) to the manager, which installs (encaps, vpi, vci) in the dynamic part of the A.C. policy held by the cell-level filter; the signalling A.C. policy and the TCP/IP static policy are still derived from the security officer's A.C. policy.]

Linking ATM Connections to the TCP/IP Access Control Policy: Connection Shutdown
[Figure: on connection shutdown, the signalling filter reports (vpi, vci) to the manager, which clears (vpi, vci) from the cell-level filter.]

Filtering Process
- Cell extraction process:
  - Extracts the first cell of each AAL5 frame.
  - Propagates the A.C. decision to the relevant ATM cells.
- Analysis automaton:
  - Driven by the trie memory content.
- Trie memory, in two parts:
  - Dynamic, small: VPI/VCI, encapsulation.
  - Static, big: all other fields.
  - Memory size: 4 MB.
- Interface to the IFT driver.

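The extraction and propagation steps of the filtering process above, together with the dynamic VPI/VCI part fed by connection establishment and shutdown, as an added Python example that is not CARAT's code or the IFT firmware: it segments constructed AAL5 frames into 53-byte cells, parses only each frame's first cell (LLC/SNAP, IPv4 and TCP headers fit in its 48-byte payload), propagates the decision to the rest of the frame, and fails closed when IP options push the TCP flags out of the first cell (the IP options / IPv6 problem the slides leave open). The policy rules, addresses, VPI/VCI values, the DROP/DENY/PERMIT action names and the use of zlib.crc32 in place of the AAL5 CRC convention are assumptions.

```python
"""Added example, not CARAT's code: first-cell extraction over an AAL5 cell
stream with per-connection decision propagation. Policy, addresses, VPI/VCI
values, action names and the zlib.crc32 stand-in for the AAL5 CRC are assumed."""
import socket
import struct
import zlib
PAYLOAD_LEN = 48
LLC_SNAP_IPV4 = bytes.fromhex("aaaa03000000" "0800")   # RFC 2684 routed IPv4

def atm_header(vpi, vci, pti):
    """UNI cell header: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1), then HEC (left 0 here)."""
    return struct.pack(">IB", (vpi << 20) | (vci << 4) | (pti << 1), 0)

def parse_atm_header(cell):
    word = struct.unpack(">I", cell[:4])[0]
    return (word >> 20) & 0xFF, (word >> 4) & 0xFFFF, (word >> 1) & 0x7

def aal5_cells(vpi, vci, sdu):
    """Pad the CPCS-SDU, append the 8-byte trailer (UU, CPI, length, CRC-32) and
    cut it into 48-byte cell payloads; the last cell carries PTI bit 0 = 1
    (AAL-indicate), which is what tells the filter where the next frame starts."""
    pad = (-(len(sdu) + 8)) % PAYLOAD_LEN
    body = sdu + b"\x00" * pad + struct.pack(">BBH", 0, 0, len(sdu))
    pdu = body + struct.pack(">I", zlib.crc32(body))
    chunks = [pdu[i:i + PAYLOAD_LEN] for i in range(0, len(pdu), PAYLOAD_LEN)]
    return [atm_header(vpi, vci, int(i == len(chunks) - 1)) + c for i, c in enumerate(chunks)]

def ipv4_tcp(src, dst, sport, dport, flags, payload=b"", options=b""):
    # Constructed LLC/SNAP + IPv4 + TCP frame; checksums are left at zero.
    ihl = 5 + len(options) // 4
    ip = struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20 + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return LLC_SNAP_IPV4 + ip + tcp + payload

def parse_first_cell(payload):
    """Classification fields from a first cell's 48-byte payload. complete is False
    when the headers do not fit: IPv6, or IPv4 options pushing the TCP flags out."""
    if payload[:8] != LLC_SNAP_IPV4 or payload[8] >> 4 != 4:
        return {}, False
    ip = payload[8:]
    ihl = (ip[0] & 0xF) * 4
    fields = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    l4 = ip[ihl:]
    if fields["proto"] != 6:
        return fields, True
    if len(l4) < 14:
        return fields, False
    fields["sport"], fields["dport"] = struct.unpack(">HH", l4[:4])
    fields["syn"] = (l4[13] & 0x12) == 0x02          # SYN set, ACK clear
    return fields, True

POLICY = [   # constructed static part; first match wins, otherwise DENY
    ({"src": "192.0.2.10", "proto": 6, "dport": 80}, "PERMIT"),
    ({"dst": "192.0.2.10", "proto": 6, "sport": 80, "syn": True}, "DENY"),
    ({"dst": "192.0.2.10", "proto": 6, "sport": 80}, "PERMIT"),
]

def first_match(policy, fields):
    for match, action in policy:
        if all(fields.get(k) == v for k, v in match.items()):
            return action
    return "DENY"

class CellLevelFilter:
    def __init__(self, policy):
        self.policy = policy
        self.dynamic = {}    # (vpi, vci) -> encapsulation: installed/cleared via signalling
        self.in_frame = {}   # (vpi, vci) -> decision propagated until the frame's last cell
    def connection_established(self, vpi, vci, encaps="LLC/SNAP"):
        self.dynamic[(vpi, vci)] = encaps
    def connection_cleared(self, vpi, vci):
        self.dynamic.pop((vpi, vci), None)
        self.in_frame.pop((vpi, vci), None)
    def process_cell(self, cell):
        vpi, vci, pti = parse_atm_header(cell)
        key = (vpi, vci)
        if key not in self.dynamic:
            return "DROP"                        # no connection admitted by signalling
        if key not in self.in_frame:             # first cell of a new AAL5 frame
            fields, complete = parse_first_cell(cell[5:])
            self.in_frame[key] = first_match(self.policy, fields) if complete else "DENY"
        decision = self.in_frame[key]
        if pti & 1:                              # last cell: the next one starts a new frame
            del self.in_frame[key]
        return decision

def run_demo():
    """Per-cell decisions for constructed frames on VPI/VCI 0/100 (admitted) and 0/200 (not)."""
    fw = CellLevelFilter(POLICY)
    fw.connection_established(0, 100)
    host, web = "192.0.2.10", "198.51.100.7"
    frames = {
        "request": ((0, 100), ipv4_tcp(host, web, 40001, 80, 0x02, b"GET / HTTP/1.0\r\n\r\n")),
        "reply": ((0, 100), ipv4_tcp(web, host, 80, 40001, 0x12)),        # SYN+ACK: rule 3
        "probe": ((0, 100), ipv4_tcp(web, host, 80, 40002, 0x02)),        # bare SYN from 80: rule 2
        "ip_options": ((0, 100), ipv4_tcp(host, web, 40003, 80, 0x02, options=b"\x01" * 8)),
        "unknown_vc": ((0, 200), ipv4_tcp(host, web, 40004, 80, 0x02)),
    }
    return {name: [fw.process_cell(c) for c in aal5_cells(*vc, sdu)] for name, (vc, sdu) in frames.items()}
```

Each constructed frame spans two cells, and only the first is parsed: the second cell of every frame inherits the first cell's decision, the frame with eight bytes of IP options is denied because its TCP flags sit in the second cell, and cells on a VPI/VCI that signalling never admitted are dropped without being parsed at all.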
Classification Algorithm
- Classification algorithm = content of the trie memory.
Existing deterministic classification algorithms:
- Algorithms for static policies:
  - Fast.
  - Take advantage of redundancies in access control policies.
  - Unbounded temporal and spatial complexities.
  - Generation and update of the classification structure are slow.
- Algorithms for dynamic policies:
  - Comparatively slow.
  - Bounded temporal and spatial complexities.
  - Bounded complexities for generation and update of the classification structure.
  - Has to run on the trie memory.

Trie Memory Configuration
- Static part:
  - The complexities of the classification algorithm correspond to the height and size of the classification structure stored in the trie memory.
- We have developed algorithms that build a classification structure with:
  - Temporal complexity: O(d). Good: independent of the number of rules.
  - Max. spatial complexity: O((2n+1)^d). Unusable for d = 4 and n = 50.
  - d: number of fields to analyse; n: number of rules in the policy.
- HOWEVER! In practice we succeed in implementing large policies by taking advantage of:
  - The redundancy in the expression of A.C. policies.
  - The ability of the trie memory to use this redundancy to minimise the memory needed to store the policy.

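The three-rule policy from the Access Control Policy Description slide classified with the kind of structure this slide describes, as an added Python example that is not CARAT's code: a first-match scan serves as the reference, each field is cut into its elementary intervals (at most 2n+1 per field, because each rule contributes at most two cut points, which is where the (2n+1)^d bound on the full table comes from), and a trie with one level per field gives a lookup of exactly d steps. Identical subtrees are stored once so that redundancy in the policy shrinks the structure. The sample addresses, the tcp_syn field encoding and the subtree-sharing technique (hash-consing) are assumptions about how a trie memory might exploit redundancy, not a description of the IFT's actual layout.

```python
"""Added example, not CARAT's code: the slides' three-rule TCP/IP policy
classified by a linear first-match scan (reference) and by a field-per-level
trie with O(d) lookup, at most (2n+1)^d table entries, and shared subtrees.
Addresses, the tcp_syn field encoding and the sharing technique are assumed."""
from bisect import bisect_right
import socket
import struct

FIELDS = ("ip_src", "ip_dst", "tcp_sport", "tcp_dport", "tcp_syn")  # d = 5; tcp_syn: 1 = bare SYN
MAXV = {"ip_src": 2**32 - 1, "ip_dst": 2**32 - 1, "tcp_sport": 65535, "tcp_dport": 65535, "tcp_syn": 1}
DEFAULT = "DENY"

def ip2int(dotted):
    return struct.unpack(">I", socket.inet_aton(dotted))[0]

def rule(action, **ranges):
    """A rule is an inclusive (lo, hi) range per field; omitted fields match everything."""
    return ({f: ranges.get(f, (0, MAXV[f])) for f in FIELDS}, action)

HOST = ip2int("192.0.2.10")   # constructed stand-in for the slides' workstation address
POLICY = [                    # first match wins, mirroring the slides' rules 1-3
    rule("PERMIT", ip_src=(HOST, HOST), tcp_sport=(1024, 65535), tcp_dport=(80, 80)),
    rule("DENY", ip_dst=(HOST, HOST), tcp_sport=(80, 80), tcp_dport=(1024, 65535), tcp_syn=(1, 1)),
    rule("PERMIT", ip_dst=(HOST, HOST), tcp_sport=(80, 80), tcp_dport=(1024, 65535)),
]

def classify_linear(policy, pkt):
    """Reference classifier: cost grows with the number of rules n."""
    for ranges, action in policy:
        if all(lo <= pkt[f] <= hi for f, (lo, hi) in ranges.items()):
            return action
    return DEFAULT

def build_intervals(policy):
    """Cut each field into elementary intervals. A rule adds at most two cut
    points (lo and hi+1), so a field has at most 2n+1 intervals and the full
    cross product over d fields has at most (2n+1)^d entries."""
    bounds = {}
    for f in FIELDS:
        cuts = {0}
        for ranges, _ in policy:
            lo, hi = ranges[f]
            cuts.add(lo)
            if hi < MAXV[f]:
                cuts.add(hi + 1)
        bounds[f] = sorted(cuts)
    return bounds

def build_trie(policy):
    """Level k indexes field k's intervals; leaves hold actions. Identical
    subtrees are stored once (hash-consing), which is where redundancy in the
    policy turns into memory savings. Returns (root, bounds, size stats)."""
    bounds = build_intervals(policy)
    shared = {}
    def make(level, partial):
        f = FIELDS[level]
        children = []
        for rep in bounds[f]:   # an interval's lower bound stands for all its values
            pkt = dict(partial, **{f: rep})
            children.append(classify_linear(policy, pkt) if level == len(FIELDS) - 1
                            else make(level + 1, pkt))
        node = tuple(children)
        return shared.setdefault(node, node)
    root = make(0, {})
    full = 1
    for f in FIELDS:
        full *= len(bounds[f])
    return root, bounds, {"distinct_nodes": len(shared), "full_table_entries": full}

def classify_trie(root, bounds, pkt):
    """Always d steps, independent of n: one interval lookup per field."""
    node = root
    for f in FIELDS:
        node = node[bisect_right(bounds[f], pkt[f]) - 1]
    return node

def packet(src, dst, sport, dport, syn):
    return {"ip_src": ip2int(src), "ip_dst": ip2int(dst), "tcp_sport": sport,
            "tcp_dport": dport, "tcp_syn": int(syn)}

SAMPLES = [   # constructed packets
    packet("192.0.2.10", "198.51.100.7", 40000, 80, True),   # outbound request: rule 1
    packet("198.51.100.7", "192.0.2.10", 80, 40000, True),   # bare SYN from port 80: rule 2
    packet("198.51.100.7", "192.0.2.10", 80, 40000, False),  # reply traffic: rule 3
    packet("192.0.2.10", "198.51.100.7", 40000, 443, True),  # not WWW: default
    packet("203.0.113.9", "198.51.100.7", 40000, 80, True),  # other workstation: default
]

def classify_all(policy, samples):
    root, bounds, _ = build_trie(policy)
    return [classify_trie(root, bounds, p) for p in samples]

def check_equivalence(policy, samples):
    return classify_all(policy, samples) == [classify_linear(policy, p) for p in samples]

if __name__ == "__main__":
    print(build_trie(POLICY)[2], classify_all(POLICY, SAMPLES))
```

For this policy the full cross product has 3 × 3 × 4 × 4 × 2 = 288 entries, while the shared trie needs only 13 distinct nodes, because most prefixes (any source that is not the workstation, any port outside 80 and 1024+) lead to the same all-DENY subtree; the lookup walks five levels whatever the rule count.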
Trie Memory Configuration
- Practical examples: analysis of 9 fields, using a 15 ns analysis cycle.
- Standing the load?
  - Min. classification capacity: 1.31 M cells/s × 53 bytes (cell size) × 8 = 555 Mb/s.
  - Max. throughput to classify: OC-12 physical throughput minus the physical-layer overhead = 620 × 26/27 = 599 Mb/s.
  - 555 Mb/s < 599 Mb/s, hence buffering (8192 bytes); max. delay = 120 µs.

Conclusion
- Security:
  - Similar to a stateless packet filter.
- Good performance:
  - High speed (577 Mb/s) and small delay (< 120 µs).
  - Throughput and delay do not depend on the policy or on packet sizes.
- Improved ATM signalling access control:
  - Almost all the information provided by signalling IEs can be used.
- Easy to manage:
  - Single access control policy definition language.
- However, some problems remain to be solved:
  - The IP options problem and IPv6.

Future
- Possible evolutions for our prototype:
  - Tests in real networks.
  - Translators for popular router filtering languages.
  - Classification algorithm improvements.
- Possible evolutions for the IFTs:
  - IP version (without ATM support).
  - New physical connector (1 Gb/s).
  - In-depth analysis (255 bytes).
  - New tools to improve classification algorithms.
- QUESTION: Can we still take advantage of rule redundancy with application-level policies?