State-of-the-art
A comparison with the state-of-the-art clearly outlines the advantages of the approach. An important challenge that has to be met is protection against DDoS attacks. The distributed component of these attacks is the core problem with which the mechanisms of defense are confronted. Attacking agents are typically diffused through the inter-connected networks. This dispersion is frequently combined with techniques of source-address spoofing. The association of these two factors then makes extremely difficult the localization and the traceback to the attacking computers.
The created traffic constitute a second important component of DDoS. The similarity between the legitimate and illegitimate traffic entails many difficulties for the detection and the classification of flows. However, the flooding generated and the protocols used by the attacks reveal certain information that may allow detection, but that is not always sufficient. For example, the distinction between a flash event and a DOS (Denial of Service) attack requires a thorough characterization of the traffic types.
The significant number of non-protected equipment connected to the Internet provides a very fertile ground to the recruitment of new agents and the automation of the attacks. This new threat, which takes in particular the form of worms, expressed its effectiveness at several occasions.
Many academic and industrial solutions were proposed to solve the problem of the attacks by DDoS. They tackle the question in two manners mainly. A first type of defense consists in traceback the sources of the attack. For that, the routers present on the network are put at contribution and they provide the necessary information for the reconstitution of the path used by flows. Information is forwarded within the packets (packet marking) or with dedicated messages. The IETF has chosen the latter model and proposes a mechanism that is called iTrace. However, so far, these approaches are not very effective. From a router manufacturer’s point of view, the introduction of new functions in the fast path of routers is in contradiction to a general “simplify to scale” objective for core routers. Therefore, it cannot be expected that the mechanisms will be generally available soon.
The second type of defense is based on traffic filtering. Malicious packets are identified and removed, based on a particular signature in the packet (voluntary malformations and falsifications placed by the attacker). However, slow deployment of ingress filtering [RFC2827] has demonstrated that network operators show little intent in implementing security measures that mainly benefit customers of other operators.
The mechanisms of filtering and traceback allow us to fight against DDoS. But they do not provide the infrastructure necessary for an effective management of the problem. To this end, architectures were proposed that allow a dynamic coordination of the actions to be taken, and thus to remove these restrictions. They introduce a cooperation between equipment. This cooperation can either use a central entity which distributes the necessary rules to the equipment (policy-based network paradigm), or be based on an inter-router peer-to-peer communication model. However, all existing architectures do not offer a complete defense against the problem and do not answer the three principal phases of defense, i.e. the detection of, the tracing of, and the answer to an intrusion.
The approach pursued in this project is to develop a comprehensive approach for protection against a wide range of attacks and other malfunctions, by combining co-operating high-speed edge devices that (i) allow all the information needed to detect attacks or malfunctioning to be collected, (ii) are capable of performing all necessary countermeasures, and (iii) are coordinated in a coherent way using policy-based mechanisms, to ensure flexibility for a wide range of scenarios and applications.
Objectives
The vision of the project is to develop a novel and comprehensive security solution that solves the upcoming challenge of providing secure broadband services, by combining key know-how of a number of areas, in particular:
- flexible implementation techniques for high-speed packet processing,
- algorithms for intrusion detection, and
- policy-based techniques for automated configuration and decision-handling.
The general goal of the project is the development and deployment of innovative network components that enable service providers to offer to their customers secure broadband services in an effective and cost-efficient way. In order to achieve this, the project pursues the following individual objectives:
- Design and implement an innovative architecture for provider-controlled distributed high-speed edge devices, intended to become a new generation of distributed high-speed firewalls with policy-based control, and suitable for providing a comprehensive security solution meeting the needs of customers and service providers.
- Develop and deploy enhanced techniques capable of detecting a wide range of security violations, in particular focused on DDOS (Distributed Denial of Service) attacks, but also suitable for detecting and identifying all types of malfunctioning, such as activities that cause unintended service interruptions. Achieve enhanced detection capabilities by designing and implementing flexible and effective solutions for distributed monitoring of application traffic.
- Establish techniques for intelligent response to security violations, in particular providing an effective protection against DDOS attacks.
- Ensure fair, coherent, and efficient enforcement of security policies by management and control of the distributed firewall components using policy-based techniques.
- Develop applications for the new technology, deploy them in meaningful testbeds, and work on adoption of the new technologies, by disseminating know-how and training of target people.
To realize these objectives, the project will develop and demonstrate an architecture with the following unique combination of features:
- Cooperating edge devices complement the traditional firewall approach by protecting not only the networks attached to a provider network against certain attacks, but that also protect key properties of the provider network, the previously unsecured interior network, against attacks.
- The architecture ensures high performance in combination with functional flexibility by supporting high-performance algorithms for classification, filtering, sampling and measurements, and high-performance implementations using network processors and programmable hardware.
- Distributed measurement technology allows to exploit a large overview on network activities for detection purposes.
- Policy-based schemes perform management and control of the distributed solution, and can exploit the flexibility of the high-speed components within the data plane.
- The project is committed to develop a Linux-based software solution that will be made available as open-source, thereby supporting wide adoption of the approach.
Potential impact
The current firewalls are software or hardware entities applying various forms of ACLs to network traffic exiting or entering a controlled network. They are located between the network and the servers. Therefore, they tend to be a bottleneck due to amount of traffic they handle. Also, these firewalls have no control over the traffic that is internal to the network. State based protocols that use random ports for data transfer after the control messages are exchanged also cause firewalls to be very complex and require extensive state keeping. As e-commerce transactions become cost-effective and prevalent, there is a need to open parts of the enterprise network to customers and/or suppliers. This dictates an additional layer of complexity. End-to-End encryption of traffic is affected due to the firewalls having to proxy the secure connections. This is also the case in the context of SOHO and SME. Dealing with security only at the edge of the network does not prevent massive attacks (such as “Distributed Denial of Service”).
Just to give an idea of the primary issue of the problem studied by DIADEM FIREWALL, since 2000, the cost of security attacks in the world have been approximately evaluated to 1.600 billion of Dollars according to InformationWeek Research and PriceWaterHouseCoopers. Moreover, and 50% of all the companies have been attacked in 1998, this ratio has climbed to 74% in 2002. With the generalization of broadband networks, we may expect even more. And new attacks should come soon with the advent and the generalization of broadband access networks. We think that the security solutions have to take into account new generation networks characteristics: generalized broadband, QoS support, mobility issue, etc. Moreover, security must be treated accordingly to QoS management and at a lower degree with heterogeneity of access networks (fixed or mobile).
Another problem consists in the rapid emergence of new services and protocols (standard or proprietary) particularly in the multimedia domain. All the providers and operators upgrade the associated protocols and services. But currently, security solutions are rather static and processed manually. The limits of this approach can be overseen today when introducing multimedia application that dynamically open communication channels and introduce real-time constraints. We may consider for simplicity at least two types of media: discrete media (a still frame, a text) and continuous streams (audio, video). The latter entail time constraints, which are more or less restricting depending on the type of application used. In order to take these new applications and associated protocols into account, the firewall architecture must be rethought, as well as the architecture of all the functionalities. In particular, with 3G Internet, mobility and always evolving data rates, it is necessary to combine the security mechanisms with the mechanisms for high data rate processing and mobility (for instance secure MPLS pipes based on Ipv6). The challenge of the DIADEM FIREWALL project is not only to react on demand to the frequent changes at the edge of the network but also inside the network by separating concerns between transfert/control/services planes (NGN architecture) and introducing more programmability within the control plane. The project includes the requirements for DIADEM FIREWALL and the various elements that constitute the framework and the future security network solution for the high data bit rate. Using this approach, the security policies can be defined in a flexible but secure way to be corporate wide as well as tailored to specific partitions of the network. Business relationships can be translated into dynamic rules installed possibly as an overlay, without change in the baseline security rules of other nodes.
On the other hand, it is not enough to protect servers against attacks coming from inside by managing the whole chain between clients and servers, but we need also to preserve each network inside a domain against interconnected networks. In this project we propose high data rates solutions and we will provide solutions for interconnection based on available routers. With the DIADEM FIREWALL solution, the DDOS attack will not be able to propagate between different network domains, and it is an important point for the operators. The project permits a new approach for the exchanges between the different actors (operators, clients, providers, etc.). The interface development between the different equipments in the network will be the first step for the operator interactions. We will deploy the solution into a real-scale experimentation between two operators.
Partners
Seven European partners participate in DIADEM FIREWALL:
