Introduction
Network Intrusion Detection and Prevention Systems (NIDPS), either standalone or integrated into firewalls, are important elements of network security. Their role is to monitor internet traffic for malicious content and, on detection, generate an alert message and/or block the offending traffic. In signature-based systems, Deep Packet Inspection (DPI) is used to examine the data streams of each connection for the presence of attack patterns listed in a database of rules known as the rule set. Signatures are typically in the form of fixed strings or regular expressions, or a combination of both. However, in order to correctly analyze network traffic, the NIDPS must first reassemble any IP fragments or TCP segments before performing DPI on the reconstructed data stream.
Performing TCP/IP tracking and reassembly in software at high traffic speeds places a very heavy workload on the processor, due to the amount of memory copying and the potentially huge number of flows that need to be tracked. TCP Offload Engine (TOE) technology is available to reduce the load on server CPUs by shifting TCP layer processing to the Network Interface Card (NIC). Several commercial hardware IP cores are available as building blocks for ASIC and FPGA designs, e.g. from Intilop Corp. (2013) and PLDA (2012). However, these solutions are aimed at end host systems and are not suitable for performing connection tracking and reassembly in DPI solutions on intermediate hosts.
Most existing research proposals on TCP/IP reassembly for NIDPS are either fully software based (Novak & Sturges, 2007) or fully hardware based (Necker et al., 2002; Schuehler & Lockwood, 2004). In this article we describe a hybrid architecture which splits the processing between a slow path and a fast path, as shown in Figure 1. The fast path handles the most frequent tasks that can take advantage of the parallelism of hardware logic, while the slow path handles the less frequent but more involved tasks that are more suitable for software implementation. The outlined architecture is based on the Xilinx Zynq-7100 System on Chip (SoC) with built-in hard dual-core ARM processor, but is equally applicable to any suitable FPGA or ASIC device with an internal or external CPU and sufficient internal memory.
Figure 1. Hybrid software-hardware processing
Background
IP fragmentation occurs in a network node if the size of a packet exceeds the Maximum Transmission Unit (MTU) of the outgoing interface. IP fragmentation at intermediate nodes is usually avoided by using the technique of Path MTU Discovery (PMTUD), which determines the minimum MTU along the entire path from source to destination node. As the UDP protocol does not perform payload fragmentation, the most common occurrence of IP fragmentation is in the case of UDP traffic on source nodes. The TCP protocol, however, does perform fragmentation, known as TCP segmentation, if the data size is greater than the Maximum Segment Size (MSS). The MSS value is negotiated during connection establishment and is usually chosen so that fragmentation is avoided at the IP layer.
TCP/IP reassembly is a complex task due to the possibility of out-of-order, overlapping and duplicate fragments or segments. An added complication for an intermediate node, such as an NIDPS, is that there are subtle differences in how various operating systems (OS) perform reassembly due to different interpretations of the standards. In order to avoid the possibility of evasion or insertion attacks (Ptacek & Newsham, 1998), an NIDPS must either perform target-based reassembly (Novak & Sturges, 2007) or traffic normalization/scrubbing (Malan et al., 2000).
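The following is an added example, not code from the article or from the Zynq-based design it describes. It is a minimal TCP stream reassembler that accepts segments out of order, tolerates exact duplicates, and resolves overlapping segments whose payloads disagree according to a configurable policy. The two policies ("first": bytes already received win; "last": the later segment overwrites) are an assumed simplification of the many per-operating-system reassembly behaviours the cited work catalogues; the sequence numbers are assumed to be relative to the connection's initial sequence number, so 32-bit wraparound is not handled. Running the constructed arrival sequence under both policies reconstructs two different data streams from the same packets, which is exactly the ambiguity an NIDPS must remove through target-based reassembly or normalization, and the reassembler records every disagreeing overlap so it can be surfaced as an anomaly.

```python
"""Added example (not from the article): policy-aware TCP stream reassembly.

Sequence numbers are relative to the ISN (assumption: caller has already
subtracted the ISN; 32-bit wraparound is not modelled here).
"""


class StreamReassembler:
    """Reassemble one direction of a TCP connection from individual segments.

    policy:
      "first" - bytes that arrived earlier are kept on an overlap
      "last"  - bytes from the later segment overwrite the earlier ones
    Both are illustrative; real end hosts apply more nuanced rules.
    """

    def __init__(self, policy="first"):
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy = policy
        self.data = bytearray()   # reconstructed stream, indexed by relative seq
        self.filled = set()       # relative offsets that currently hold data
        self.conflicts = []       # (offset, existing_byte, incoming_byte) per disagreement

    def add(self, seq, payload):
        """Insert one segment; out-of-order, duplicate and overlapping data allowed."""
        end = seq + len(payload)
        if end > len(self.data):
            self.data.extend(b"\x00" * (end - len(self.data)))
        for i, b in enumerate(payload):
            off = seq + i
            if off in self.filled:
                if self.data[off] != b:
                    # Overlap whose payload disagrees with what was already received:
                    # the case a normalizer would scrub and a target-based NIDPS
                    # must resolve the same way the destination host does.
                    self.conflicts.append((off, self.data[off], b))
                    if self.policy == "last":
                        self.data[off] = b
                # an exact duplicate byte needs no action
            else:
                self.data[off] = b
                self.filled.add(off)

    def contiguous(self):
        """Return the in-order prefix of the stream up to the first missing byte."""
        n = 0
        while n in self.filled:
            n += 1
        return bytes(self.data[:n])


def demo():
    """Feed a constructed arrival sequence through both policies.

    Returns {policy: (reconstructed_prefix, number_of_conflicting_bytes)}.
    """
    # Constructed arrival order (not captured traffic): one out-of-order
    # segment, one exact duplicate, and one overlapping retransmission
    # whose payload differs from the original.
    arrivals = [
        (0, b"GET /"),
        (10, b" HTTP/1.0"),   # arrives before the segment that precedes it
        (5, b"index"),
        (5, b"index"),        # exact duplicate (retransmission), no conflict
        (5, b"login"),        # overlapping retransmission with different bytes
    ]
    results = {}
    for policy in ("first", "last"):
        r = StreamReassembler(policy)
        for seq, payload in arrivals:
            r.add(seq, payload)
        results[policy] = (r.contiguous(), len(r.conflicts))
    return results


if __name__ == "__main__":
    for policy, (stream, n_conflicts) in demo().items():
        print(f"{policy:5s}: {stream!r} ({n_conflicts} conflicting bytes)")
```

Under the "first" policy the stream reads `GET /index HTTP/1.0`, under "last" it reads `GET /login HTTP/1.0`, and in both cases five conflicting bytes are recorded. A DPI engine that matches signatures against only one of these reconstructions while the destination host applies the other policy will miss or misclassify the content; either tracking the target's policy per flow or rejecting conflicting overlaps outright removes the discrepancy.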