Tackling Sophisticated Cyberattacks Head On



How open hardware architecture and platform scalability are bringing 100G+ detection and prevention into the IoT era.

Meeting New Challenges for Detection and Prevention
As network protection demands increasingly sophisticated and diversified capabilities, intrusion detection systems (IDS) and intrusion prevention systems (IPS) have become indispensable components of an effective network security architecture. An IDS monitors the network passively, gathering and analyzing network-wide information so that operators can adjust security rules accordingly, while an IPS sits inline in the traffic path and blocks intrusions by executing security rules in real time after in-depth analysis of the traffic.

The 4U space supports four dual Intel® Xeon® Processor E5-2600 v3/v4 boards or Intel® Xeon® Scalable Processor compute nodes to provide industry-leading processing performance and density.

To raise detection rates and keep false positives low, both IDS and IPS combine several detection technologies: feature (signature) matching, protocol analysis, and anomaly detection.

  • Feature matching, the matching of traffic against a library of known attack signatures, is by far the most commonly used technique because of its accuracy and speed. Its effectiveness is bounded by the accuracy and completeness of the feature library and by the equipment's matching throughput.
  • Protocol analysis models how a protocol is supposed to operate (usually from the relevant Request for Comments, or RFC, standards) and looks for access behavior that violates that model, which is how it detects overflow and denial of service (DoS) attacks. Used well, it achieves a high detection rate with a near-zero false-positive rate.
  • Anomaly detection learns the normal traffic profile of a specific network environment and raises an alarm when traffic statistics exceed the threshold set for a given traffic metric.

Each technology has its weaknesses. Feature matching requires regular updates of the feature library, or attacks not yet in the library are missed. Because implementations of the same protocol vary widely and complete details of proprietary protocols are unavailable, protocol analysis is usually practical only for common protocols such as HTTP, FTP, and SMTP. Anomaly detection produces false positives when threshold values are set improperly. As web-based networks and advanced persistent threats (APTs) continue to multiply, IDS/IPS deployments that rely on these traditional technologies alone will be inadequate.
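As an added example (not NSFOCUS or ADLINK code), the following Python script runs all three techniques over a handful of constructed HTTP packets: a signature check against a one-entry feature library, a request-line check against the shape RFC 7230 prescribes, and a per-source packet-rate threshold against a learned baseline. The signature, the 2048-byte URI limit, the baseline mean, the 3x multiplier, and the sample traffic are all illustrative assumptions.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample traffic, not captured data: (flow, dst_port, payload).
# One SQL-injection probe, one over-long URI, one malformed request line, and a
# burst of 60 ordinary requests from a single source.
SAMPLE_PACKETS = [
    ("10.0.0.5->203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5->203.0.113.9", 80, b"GET /cgi-bin/login?user=admin' OR '1'='1 HTTP/1.1\r\n\r\n"),
    ("10.0.0.7->203.0.113.9", 80, b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"),
    ("10.0.0.8->203.0.113.9", 80, b"FOO / HTTP/9.9\r\n\r\n"),
] + [("10.0.0.9->203.0.113.9", 80, b"GET / HTTP/1.1\r\n\r\n")] * 60

# 1) Feature (signature) matching: byte patterns from a feature library.
#    Illustrative single-entry library; a real one holds tens of thousands of rules.
SIGNATURES = {
    "sql-injection-tautology": re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.I),
}

def signature_match(payload: bytes) -> list[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# 2) Protocol analysis: is the HTTP request line shaped the way RFC 7230 says
#    (method SP request-target SP HTTP-version)? The URI limit is an assumption;
#    over-long request targets are a classic overflow probe.
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
MAX_URI = 2048

def protocol_check(payload: bytes) -> list[str]:
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        return ["http-malformed-request-line"]
    method, target, version = parts
    findings = []
    if method not in HTTP_METHODS:
        findings.append("http-unknown-method")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        findings.append("http-bad-version")
    if len(target) > MAX_URI:
        findings.append("http-uri-too-long")
    return findings

# 3) Anomaly detection: packets per source compared with a learned baseline.
@dataclass
class RateBaseline:
    mean: float              # learned "normal" packets per source per window
    multiplier: float = 3.0  # alarm when a source exceeds mean * multiplier

    def anomalies(self, packets) -> dict[str, int]:
        counts = Counter(flow.split("->")[0] for flow, _, _ in packets)
        return {src: n for src, n in counts.items() if n > self.mean * self.multiplier}

def analyze(packets, baseline: RateBaseline) -> dict:
    """Run all three techniques; return alerts keyed by flow plus rate anomalies."""
    alerts: dict[str, list[str]] = {}
    for flow, port, payload in packets:
        hits = signature_match(payload)
        if port == 80:
            hits += protocol_check(payload)
        if hits:
            alerts.setdefault(flow, []).extend(hits)
    return {"alerts": alerts, "rate_anomalies": baseline.anomalies(packets)}

if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE_PACKETS, RateBaseline(mean=5)))
```

The injection probe is caught twice, once by the signature and once by protocol analysis (its unencoded spaces make the request line malformed), which is the layering the text argues for. Lowering the multiplier to 0.2 with the same baseline flags the two ordinary packets from 10.0.0.5 as an anomaly, the improperly set threshold failure mode described above.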

Figure 1: TCP port traffic rankings released by CNCERT

Challenges of Protecting Web-based Networks
HTTP is by far the most common source of network traffic. According to the TCP port traffic ranking statistics of the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), traffic on port 80 far exceeds that of any other port. Under such circumstances, growing numbers of viruses, Trojans, and botnets naturally launch their attacks over HTTP, and because they are now financially motivated, new-generation web threats and cyberattacks are increasingly covert.

Enterprises depend on the Internet for routine operations, which leaves them exposed to attacks hidden inside legitimate-looking web traffic.

A built-in web reputation mechanism lets an IDS warn in time, or an IPS block the request, when a user visits a webpage on which a Trojan has been planted, preventing threats from infiltrating the corporate intranet, leaking sensitive data, or causing other information security incidents.

Application of Deep Packet Inspection Technology
Unlike a traditional firewall, an IPS can perform deep packet inspection (DPI) of packet contents. If an attacker exploits a vulnerability anywhere in Layers 2 through 7, an IPS can detect the attack and remove it from the data flow. By contrast, a traditional firewall examines only a packet's 5-tuple (source IP address, source port, destination IP address, destination port, and transport-layer protocol); it never looks at the application-layer contents or individual bytes and therefore overlooks many attacks. Because an IPS inspects every byte of traffic, it can identify most mainstream application protocols through its protocol recognition framework, and with fine-grained handling of the identified protocol data it can detect attempts to exploit vulnerabilities in those applications and proactively block web attacks.

Application identification using DPI generally requires equipment with large-scale parallel computing capability to filter and inspect millions of packets per second (a single 10GbE port carries up to 14.88 million 64-byte packets per second), together with the ability to perform IP defragmentation, TCP stream reassembly, and flow state tracking, since a signature split across fragments or segments is only visible once the stream has been reassembled.
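To show why per-packet matching is not enough, here is an added Python example (not NSFOCUS or ADLINK code) of the TCP stream reassembly and flow tracking the paragraph calls for. The segments are constructed, the "/bin/sh" signature is illustrative, and the tracker assumes it sees the SYN so that it knows the initial sequence number; it keys flows by 5-tuple, holds out-of-order segments until the gap is filled, and discards retransmitted bytes.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

SIGNATURE = re.compile(rb"/bin/sh")  # illustrative command-injection signature

# Constructed TCP segments, not captured traffic:
# (src, sport, dst, dport, flags, seq, payload).
# The attacker splits "/bin/sh" across two segments, sends them out of order,
# and retransmits the first one.
SEGMENTS = [
    ("10.0.0.5", 40000, "203.0.113.9", 80, "S", 999, b""),
    ("10.0.0.5", 40000, "203.0.113.9", 80, "", 1022, b"n/sh HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", 40000, "203.0.113.9", 80, "", 1000, b"GET /cgi-bin/x?cmd=/bi"),
    ("10.0.0.5", 40000, "203.0.113.9", 80, "", 1000, b"GET /cgi-bin/x?cmd=/bi"),
]

@dataclass
class Stream:
    next_seq: int                                # next in-order byte expected
    pending: dict = field(default_factory=dict)  # seq -> payload held until contiguous
    data: bytes = b""                            # reassembled, in-order byte stream

    def add(self, seq: int, payload: bytes) -> None:
        if seq < self.next_seq:                  # retransmit/overlap: drop bytes already seen
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if not payload:
            return
        self.pending[seq] = payload
        while self.next_seq in self.pending:     # drain everything that is now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)

class FlowTracker:
    """Tracks one direction of each TCP connection by its 5-tuple."""

    def __init__(self) -> None:
        self.streams: dict[tuple, Stream] = {}

    def feed(self, seg) -> None:
        src, sport, dst, dport, flags, seq, payload = seg
        key = (src, sport, dst, dport, "tcp")
        if "S" in flags:                         # SYN consumes one sequence number
            self.streams[key] = Stream(next_seq=seq + 1)
            return
        st = self.streams.get(key)
        if st is None:                           # mid-stream pickup: ISN unknown, skip
            return
        st.add(seq, payload)

def per_packet_scan(segments) -> list[tuple]:
    """Naive matching on each segment alone: misses a signature split across segments."""
    return [(s[0], s[5]) for s in segments if SIGNATURE.search(s[6])]

def stream_scan(segments) -> dict:
    """Reassemble first, then match over the full byte stream of each flow."""
    tracker = FlowTracker()
    for seg in segments:
        tracker.feed(seg)
    return {key: st.data for key, st in tracker.streams.items() if SIGNATURE.search(st.data)}

if __name__ == "__main__":
    print("per-packet hits:", per_packet_scan(SEGMENTS))
    print("stream hits:", stream_scan(SEGMENTS))
```

Per-packet matching returns nothing because neither segment contains the whole string; the tracker only releases the out-of-order segment once the gap before it is filled, ignores the retransmitted bytes, and then the signature is visible in the reassembled request. IP defragmentation works the same way one layer down, reassembling fragments by offset before the TCP layer sees them.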

User-based Behavioral Analysis
With mobile networks now an important part of enterprise infrastructure, intranet intrusions arriving via wireless networks are growing. Open Wi-Fi hotspots for visitors, which give unauthenticated devices a path into the corporate network, have become common, and employees working off-site access the company network from their homes, airports, and customer premises. These wireless networks often lack effective management, so attackers can easily bypass the company's perimeter firewalls and use the wireless network as a stepping stone into the intranet.

As the second security gateway behind the firewall, IDS/IPS adds user identity and access control to address the broken access control (BAC) problems caused by roaming, unauthenticated devices and employees. Statistical analysis of employees' network access activity establishes a normal access pattern per user in terms of identity, geographical location, time of activity, accessed content, and access frequency. The system can then accurately detect behavior that deviates from the normal pattern and raise an alarm (IDS) or block the activity (IPS).
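The following added Python example (not NSFOCUS code) builds that per-user baseline from the five dimensions the text lists and scores a day of new events against it. The access history, the day's events, and the 3x burst factor are constructed, illustrative assumptions.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed access history, not real logs: (user, location, "YYYY-MM-DD HH:MM", resource).
# alice: office hours at HQ, two internal apps, six events a day for a week.
# bob:   one wiki visit a day from the Beijing office.
HISTORY = [
    ("alice", "Shanghai-HQ", "2017-03-%02d 09:%02d" % (d, m), r)
    for d in range(1, 8) for m in (5, 20, 35) for r in ("/crm", "/wiki")
] + [("bob", "Beijing-Office", "2017-03-%02d 14:00" % d, "/wiki") for d in range(1, 8)]

@dataclass
class Profile:
    locations: Counter
    hours: Counter
    resources: Counter
    events_per_day: float

def build_profiles(history) -> dict[str, Profile]:
    """Learn each user's normal pattern along the dimensions the text lists."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev[0]].append(ev)
    profiles = {}
    for user, evs in by_user.items():
        days = {ev[2][:10] for ev in evs}
        profiles[user] = Profile(
            locations=Counter(ev[1] for ev in evs),
            hours=Counter(int(ev[2][11:13]) for ev in evs),
            resources=Counter(ev[3] for ev in evs),
            events_per_day=len(evs) / len(days),
        )
    return profiles

def score_event(p: Profile, location: str, timestamp: str, resource: str) -> list[str]:
    """Reasons this single access deviates from the user's learned pattern."""
    reasons = []
    if p.locations[location] == 0:
        reasons.append("new-location")
    if p.hours[int(timestamp[11:13])] == 0:
        reasons.append("unusual-hour")
    if p.resources[resource] == 0:
        reasons.append("new-resource")
    return reasons

def score_day(profiles: dict[str, Profile], events, burst_factor: float = 3.0) -> dict:
    """Score one day of events: per-event deviations plus per-user frequency bursts.
    burst_factor is an illustrative threshold; set too low, it produces false positives."""
    alerts: dict[tuple, list[str]] = {}
    for user, location, timestamp, resource in events:
        p = profiles.get(user)
        if p is None:
            alerts[(user, timestamp)] = ["unknown-user"]
            continue
        reasons = score_event(p, location, timestamp, resource)
        if reasons:
            alerts[(user, timestamp)] = reasons
    for user, n in Counter(ev[0] for ev in events).items():
        p = profiles.get(user)
        if p is not None and n > p.events_per_day * burst_factor:
            alerts[(user, "frequency")] = ["burst:%d" % n]
    return alerts

# Constructed events for the day under analysis.
TODAY = [
    ("alice", "Shanghai-HQ", "2017-03-08 09:10", "/crm"),       # normal
    ("alice", "Airport-WiFi", "2017-03-08 02:40", "/finance"),  # odd place, hour and content
    ("mallory", "Guest-WiFi", "2017-03-08 10:00", "/crm"),      # no profile at all
] + [("bob", "Beijing-Office", "2017-03-08 14:%02d" % m, "/wiki") for m in range(0, 50, 10)]

if __name__ == "__main__":
    for key, reasons in score_day(build_profiles(HISTORY), TODAY).items():
        print(key, reasons)
```

An IDS would raise these as alarms; an IPS would block the session, which is why the "unknown-user" case (a device roaming in from guest Wi-Fi with no identity behind it) is reported separately from a known user acting out of pattern.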

Advanced Persistent Threats
Stealing core data is usually the goal of an APT. Web attacks and intrusions against corporate users are often planned over a long period and highly concealed. An APT is like a special forces team equipped with comprehensive, sophisticated weapons that can paralyze the defenses provided by a corporate web environment's traditional firewalls and antivirus programs.

IDS/IPS improve the odds of dealing with APTs successfully. By visualizing network traffic, an IDS raises an alarm on traffic anomalies to minimize the losses an APT can cause. Working with a local threat analysis system, and combining APT sample matching, behavior analysis, and virtual execution (sandboxing), an IPS can discover advanced malicious code hidden in the traffic and dynamically adjust its protection policy to block malicious traffic in real time.

How Hardware Platform Characteristics Support Advanced IDS and IPS
New IDS and IPS solutions are coming online, including from NSFOCUS, that enable customers to monitor for, detect, and prevent attacks (Figure 2).

  • In addition to an advanced attack rule feature library for detecting known security threats, NSFOCUS' NIDS has a continually updated reputation feature library that reduces the harm done by unknown malware, and an intranet security function that prevents persistent intranet infiltration, minimizing sensitive data leaks and abnormal outbound connections from servers.
  • NSFOCUS' NIPS is equipped with an attack feature library and a real-time reputation library. To respond to advanced threats, an integrated sandbox detection capability offers three-dimensional protection against both known and unknown threats. Flow-based virus detection technology captures currently circulating viruses to maximize antivirus coverage. An integrated mobile app pushes security notifications and monitors security status in real time, cutting maintenance and operation workloads.

Figure 2: NSFOCUS NIPS features.

High Throughput Capacity and I/O Density
To meet the demands of core networks, cloud computing centers, large enterprises, and Internet data centers (IDCs), NSFOCUS required computing platforms with 100GbE interfaces for its IDS/IPS products, with each piece of equipment supporting at least 800 Gb/s of aggregate traffic and at least 64x 10GbE ports. The network ports must also keep upstream and downstream traffic on consistent ports and support receive-side scaling (RSS).

Parallel Computing and Computing Density
Parallel processing capability to support deep packet inspection and the other detection methods also had to be part of the feature set. In particular, the network packet processing platform needed wire-speed transmit and receive capability, the highest possible computing density per rack unit, and zero packet loss at the 64-byte minimum packet size, the worst case for packets-per-second throughput.

Load Balancing, Same Source and Same Host
In NSFOCUS' NIDS/NIPS, all data traffic enters through a switch board, which balances the load across the individual processor boards. When a processor board fault is detected, the switch board redirects that board's traffic. To ensure that the same session is always processed on the same CPU node, the switch board must support "same source, same host" distribution, so that both directions of a session are automatically merged onto the same processor board.
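As an added Python example (not ADLINK PacketManager or NSFOCUS code), the following shows the "same source, same host" rule as a direction-independent hash of the 5-tuple, compared with a naive hash of the raw tuple, plus a failover that redirects a faulted board's sessions. It assumes four compute nodes, a CRC32 hash (real switch ASICs use their own), rendezvous hashing for node selection so that only the failed board's sessions move, and constructed sessions.

```python
import zlib

NODES = ["node0", "node1", "node2", "node3"]  # assumption: four compute nodes

def canonical_key(src, sport, dst, dport, proto):
    """Order the two endpoints so that A->B and B->A produce the same key."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a, b, proto)

def naive_hash(src, sport, dst, dport, proto) -> int:
    """Direction-dependent hash of the raw 5-tuple: the wrong way to do it."""
    return zlib.crc32(repr((src, sport, dst, dport, proto)).encode())

def symmetric_hash(src, sport, dst, dport, proto) -> int:
    """'Same source, same host' hash: identical for both directions of a session."""
    return zlib.crc32(repr(canonical_key(src, sport, dst, dport, proto)).encode())

def pick_node(pkt, healthy=None, hash_fn=symmetric_hash) -> str:
    """Rendezvous (highest-score) hashing over the healthy nodes: removing a
    failed node moves only that node's sessions and leaves the rest in place."""
    healthy = NODES if healthy is None else healthy
    if not healthy:
        raise RuntimeError("no healthy compute nodes")
    flow_hash = hash_fn(*pkt)
    return max(healthy, key=lambda node: zlib.crc32(node.encode(), flow_hash))

# Constructed sessions, not captured traffic: 200 clients talking to one server.
FLOWS = [("10.0.0.%d" % (i + 1), 40000 + i, "203.0.113.9", 443, "tcp") for i in range(200)]

def symmetry_rate(hash_fn) -> float:
    """Fraction of sessions whose two directions land on the same node."""
    same = 0
    for src, sport, dst, dport, proto in FLOWS:
        fwd = pick_node((src, sport, dst, dport, proto), hash_fn=hash_fn)
        rev = pick_node((dst, dport, src, sport, proto), hash_fn=hash_fn)
        same += fwd == rev
    return same / len(FLOWS)

def failover(failed: str) -> dict:
    """Redirect traffic when one processor board faults; report which sessions moved."""
    healthy = [n for n in NODES if n != failed]
    before = {f: pick_node(f) for f in FLOWS}
    after = {f: pick_node(f, healthy) for f in FLOWS}
    moved = [f for f in FLOWS if before[f] != after[f]]
    return {"before": before, "after": after, "moved": moved}

if __name__ == "__main__":
    print("symmetric hash keeps both directions together:", symmetry_rate(symmetric_hash))
    print("naive 5-tuple hash does so only by chance:", symmetry_rate(naive_hash))
    r = failover("node1")
    print("sessions moved after node1 failed:", len(r["moved"]), "of", len(FLOWS))
```

With the naive hash, a request and its reply are processed on different nodes in roughly three of four sessions, so neither node sees the whole conversation and stream-level detection breaks. Plain modulo distribution would also reshuffle most sessions when a board drops out; the rendezvous choice keeps the surviving boards' session state intact.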

Carrier-grade High Availability
Because a NIPS platform must sit inline in the traffic path, a modular, carrier-grade computing platform provides uninterrupted service through hot-swap capability for faulty components (compute, switch, PSU, fan, and storage).

Support for Standardized API Management
A standardized management API for the hardware platform, covering traffic and hardware management of all components in the chassis, port and VLAN management, commonly used L2/L3 switch protocol stacks, and remote reboot, reduces the low-level development burden.

Figure 3: CSA-7400, next-gen high-performance telecommunications COTS

COTS DPI and Network Security Platform
As a next-generation high-performance telecommunications COTS DPI and network security platform, the CSA-7400, built on ADLINK's Open Compute Carrier-grade Edge Reference Architecture (OCCERA), provides high-speed interconnection of compute nodes through dual-redundant switch nodes and offers front-panel I/O of up to 800 Gb/s. The CSA-7400 supports hot swapping of the major chassis components so that service is not interrupted, making it suitable for next-generation high-performance IDS/IPS. Its main features are summarized as follows:

  • Up to four compute nodes with dual Intel® Xeon® Processor E5-2600 v3/v4 or Intel® Xeon® Scalable Processors, with support for single-sled upgrades or hybrid deployment.
  • Dual-redundant switch design with 4x 50 Gb/s of bandwidth per compute node for the internal interconnection of the four compute nodes, and 4x 100GbE or 36x 10GbE upstream panel I/O.
  • Switch support for accelerated processing of NVGRE/VXLAN tunneling protocols to meet Layer 2 networking needs in cloud computing.
  • ADLINK PacketManager software providing commonly used Layer 2 and Layer 3 switch protocol stacks, a flow-based policy control API, load balancing, and same source, same host functions to accelerate application development.
  • Smart system management based on IPMI specifications for remote system diagnosis, redirection, shutdown, and startup.

Table 1 lists the requirements for the NSFOCUS next-generation NIDS/NIPS computing platforms, with the corresponding features of the CSA-7400 from ADLINK shown in the right column.

Table 1: The CSA-7400’s high bandwidth, high density, high performance, and high reliability features meet the overall high computing capability requirements of today’s network security products (click to enlarge).

According to NSFOCUS, with our expertise in attack prevention developed over the years, this in-depth collaboration with ADLINK enables both parties to build IDS/IPS products meeting the demands of high-end application scenarios such as core networks for operations, cloud computing, large enterprises, and data centers. The interconnected redundant module design and hot swap support for both computing nodes and switches of the OCCERA-based CSA-7400 platform from ADLINK offer users uninterrupted delivery service.

NSFOCUS' NIPS products are equipped with advanced technologies such as the NSFOCUS global threat intelligence system and NSFOCUS unknown threat detection, and deliver better protection on the CSA-7400. Going forward, NSFOCUS will continue its close collaboration with ADLINK on IDS/IPS products to bring the full capabilities of NSFOCUS' NIDS/NIPS products on the CSA-7400 platform to the network security market.

Other Applications for Network Security and Telecommunications
ADLINK also integrates the latest virtual machine (VM) technology for information and communications into the hardware platform, providing the features needed to develop security application products. Beyond IDS/IPS computing platforms, the CSA-7400 can be used for next-generation firewalls, telecommunications DPI and network virtualization, and mobile edge computing (MEC).

Conclusion
The CSA-7400 is a next-generation, high-performance, carrier-grade COTS network security platform built on ADLINK's Open Compute Carrier-grade Edge Reference Architecture (OCCERA), integrating network interfaces, switches, and overall computing capacity. The open hardware architecture and platform scalability of the CSA-7400 support NSFOCUS' next-generation 100G+ IDS/IPS solutions, allowing NSFOCUS to launch its high-performance NIDS/NIPS products for the network security market. The CSA-7400's flexibility and configurability enable cross-business product deployment and easy integration into other high-end network security markets, such as next-generation firewalls, telecommunications, and mobile edge computing. In addition to the hardware features, the API library provided by ADLINK lets security solution providers focus on their core competence, ease business migration, increase product efficiency, and shorten product launch and delivery cycles.


Qizhi Zhang is System Architect for the Network & Communication Business Center at ADLINK Technology, where he is responsible for product definition, architectural design, and technical consulting for the company's Network & Communication platforms. Dr. Zhang received his Ph.D. in Automation from Shanghai Jiao Tong University. With more than 10 years' experience in the telecom industry, he has solid expertise in system management, high-availability systems, and network security devices.
