Network Associates, Inc.* Case Study
Develop Rich Security Applications – Quickly – with Highly Versatile Building Blocks

Summary
As networks have evolved from private systems to highly available public places, security has become an urgent issue. Every day, billions of data files and interconnected systems are threatened and, in some cases, destroyed. While hackers work relentlessly to wreak havoc in the interconnected world, developers are working overtime to fortify system defenses. Ever-changing network conditions, as well as rapidly evolving security threats and sources, only compound the problem.
In theory, network security is simple: develop systems that can intelligently differentiate between "good" and "bad" traffic, allow only the "good" traffic to proceed while disposing of any "bad" traffic, and then learn from the analysis, all without any disruption in the flow of "good" traffic. To meet all of these criteria, ideal solutions must have extremely high performance qualities including high-speed processing, scalability and flexibility. In their fast-paced race against the enemy, developers need highly versatile, sophisticated building blocks and tools that can provide this high level of performance, now.
One particularly crippling type of attack, Distributed Denial of Service (DDoS) flooding, has proven extremely difficult to thwart because of its highly amorphous nature. Network Associates Laboratories, the research and development arm of Network Associates, Inc. – at the behest of one of the US Government’s research agencies – is in the process of developing a highly versatile security "filter" for network traffic, capable of preventing DDoS flooding attacks with no interruption in normal network traffic. Using existing development tools and building blocks from Teja Technologies (an Intel® Capital Fund Company based in San Jose, California), Network Associates Laboratories raced from design concept to functional models – all in a matter of weeks.
At this time, the Network Associates Laboratories security filter – called NetBouncer* – is still experimental and undergoing rigorous evaluation and testing. This case study explains how building blocks from Intel and Teja provided the advanced, highly versatile platform that is enabling Network Associates Laboratories to develop a real-world defense against DDoS flooding in record time.
Background: How to decide if network traffic is from a trusted source?
Network attacks have been increasing in frequency and sophistication for years. As businesses aim to provide high-performance, readily available networks, they make the enterprise more vulnerable to attack. While firewalls, anti-virus software, filters, and other existing security solutions are effective against some threats, most of these solutions were not designed to handle the highly amorphous attacks being used against networks today. Recognizing the increasing security struggle, a research arm of the US Government awarded Network Associates Laboratories a contract to research new solutions for fault-tolerant networks, and to focus especially on the highly crippling Denial of Service (DoS) flood attacks.
As network flooding (DDoS) attacks move "up stack," they look more and more like legitimate packets. Because hackers are increasingly using real (compromised) hosts instead of spoofed addresses, with protocols emulating typical web traffic, it’s getting more difficult to distinguish between legitimate and illegitimate users. The current state-of-the-art involves network engineers turning on "rate limiting" within routers – at the cost of tossing both the good traffic out with the bad.
Even so, Network Associates Laboratories floated the hypothesis that it is possible for devices to distinguish between good and bad packet sources and then drop the illegitimate traffic. The solution, according to Network Associates Laboratories, would be a client-legitimacy-based DDoS defense system that uses ingress filtering; they proposed a solution that would assess the legitimacy of clients sending packets to a web server. To prevent the DDoS style of attack, Network Associates Laboratories determined that this solution – code named NetBouncer* – must be located upstream, in the path of incoming packets, appearing as a link-level device requiring no firewall configuration. In addition, the device must be capable of sustained wire-speed processing while performing a series of tests to determine the "legitimacy" of source IP addresses.
Network Associates Laboratories began developing NetBouncer in July 2001. Now nine months through its two-year research and development cycle, the NetBouncer device is proving effective in real-world tests. Final performance results and a possible production version are expected in July 2003. The following analysis explains the NetBouncer development challenges and the platform solutions that are enabling Network Associates Laboratories to make NetBouncer a viable DDoS security option.
The Challenge: Keep traffic flowing during intensive legitimacy testing
Although it sounds simple in theory, there are numerous challenges to making NetBouncer a real-world application. Like a router, NetBouncer must function at line speeds, even when processing hundreds of thousands of tests per second. Yet unlike routers, NetBouncer must be completely programmable to handle very frequent updates. The routing tables must reside in large-volume, multi-tiered memory to be able to handle an enormous number of entries, including both full source IP addresses as well as subnet prefixes. And while NetBouncer is being designed, tested and optimized, Network Associates developers must be able to easily modify and adjust system code to fully explore all possible solutions; the combination of Teja software with the programmability of a network processor (NPU) – such as the Intel® IXP1200 Network Processor – is key to Network Associates Laboratories being able to perform their rapid turn-around "research -> test -> learn" loop.
These performance issues hinge on the development environment, as well as the packet-processing and memory components of the NetBouncer solution. Making the distinction between legitimate and illegitimate traffic – especially if, on a packet-by-packet basis, each packet is "legal" – requires a level of critical thinking. So Network Associates Laboratories developers are working to develop algorithms that enable smart, efficient address lookup. In addition, system designers have to optimize the packet processing function for asymmetric routing, adaptive rate limiting, high-speed packet filtering, and ongoing programmability.
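The two mechanisms the paragraphs above describe, a source table that holds both full host addresses and subnet prefixes with a longest-prefix lookup, and adaptive rate limiting applied to sources already judged legitimate, are illustrated below in an added Python example. This is not NetBouncer's code and not Network Associates Laboratories' or Teja's algorithm; the class names, the verdict set (FORWARD, DROP, TEST), the token-bucket limiter, the table contents and the packet stream are all constructed for illustration.

```python
"""Constructed illustration of a client-legitimacy ingress filter.

A table keyed by /32 hosts and subnet prefixes (longest match wins), plus a
per-source token-bucket rate limiter. Not NetBouncer's implementation;
all addresses, limits and packet timings below are made up for the demo."""
import ipaddress
from collections import defaultdict


class LegitimacyTable:
    """Source table holding full /32 hosts and subnet prefixes.

    Entries are stored per prefix length; lookup tries the longest prefix
    first, so a /32 entry overrides the subnet that contains it."""

    def __init__(self):
        self._by_len = defaultdict(dict)  # prefix_len -> {network_int: entry}

    def add(self, cidr, legitimate, rate_pps=None):
        net = ipaddress.ip_network(cidr, strict=False)
        self._by_len[net.prefixlen][int(net.network_address)] = {
            "legitimate": legitimate,
            "rate_pps": rate_pps,  # None: fall back to the filter's default limit
        }

    def lookup(self, src_ip):
        addr = int(ipaddress.ip_address(src_ip))
        for plen in sorted(self._by_len, reverse=True):  # longest prefix first
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            entry = self._by_len[plen].get(addr & mask)
            if entry is not None:
                return entry
        return None  # unknown source: legitimacy not yet established


class TokenBucket:
    """Per-source rate limiter; `now` is passed in so behaviour is deterministic."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IngressFilter:
    """Per-packet verdict: FORWARD, DROP, or TEST (hypothetical: hold the
    source until it passes a legitimacy test; the test itself is not modelled)."""

    def __init__(self, table, default_rate_pps=100, burst=10):
        self.table = table
        self.default_rate_pps = default_rate_pps
        self.burst = burst
        self._buckets = {}
        self.stats = defaultdict(int)

    def decide(self, src_ip, now):
        entry = self.table.lookup(src_ip)
        if entry is None:
            verdict = "TEST"  # unknown source is not forwarded until tested
        elif not entry["legitimate"]:
            verdict = "DROP"  # source previously judged illegitimate
        else:
            rate = entry["rate_pps"] or self.default_rate_pps
            bucket = self._buckets.setdefault(src_ip, TokenBucket(rate, self.burst))
            verdict = "FORWARD" if bucket.allow(now) else "DROP"
        self.stats[verdict] += 1
        return verdict


def build_demo_filter():
    """Constructed table: a trusted /24, one bad host inside it, one trusted /32."""
    table = LegitimacyTable()
    table.add("192.0.2.0/24", legitimate=True)
    table.add("192.0.2.99/32", legitimate=False)              # overrides the /24
    table.add("198.51.100.7/32", legitimate=True, rate_pps=2)  # tight per-host limit
    return IngressFilter(table, default_rate_pps=100, burst=10)


def run_demo():
    """Constructed packet stream of (src_ip, arrival_time_seconds) tuples."""
    f = build_demo_filter()
    packets = [("192.0.2.10", 0.0), ("192.0.2.99", 0.0), ("203.0.113.5", 0.0)]
    # 15 packets in one instant from the rate-limited host: burst of 10 pass, 5 drop
    packets += [("198.51.100.7", 1.0)] * 15
    verdicts = [f.decide(ip, t) for ip, t in packets]
    return verdicts, dict(f.stats)


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The per-prefix-length dictionaries stand in for whatever multi-tiered memory layout a real device would use; the point the example makes is that a host-level entry must be consulted before its enclosing subnet, and that a source already marked legitimate can still be throttled rather than trusted without limit.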
At the start of the project, Network Associates Laboratories was also facing some difficult situational challenges. The team had to start the whole programming scheme from scratch: nothing like it had ever been built before. There were no viable ASIC or NPU solutions to map to. To complicate matters, the Network Associates Laboratories development team had never designed solutions based on an NPU. Yet it was soon obvious that the NetBouncer solution would only be viable using NPUs. It seemed that getting NetBouncer from the drawing board to the real world would be quite a trick.
The Solution: Ready-to-use building blocks and development tools are fast and versatile
After evaluating several available NPUs, Network Associates Laboratories chose the fully programmable Intel® IXP1200 Network Processor as the platform for its NetBouncer security filter. One of the most programmable NPUs on the market today, the Intel IXP1200 Network Processor is easily integrated into networking and communications solutions because of a vast network of pre-tested and pre-integrated companion applications. For the NetBouncer solution, the Intel IXP1200 Network Processor is supported by an advanced application development environment (ADE) and an IPv4 forwarding application from Teja. Sporting six programmable 32-bit RISC microengines and an Intel® StrongARM® processor core, as well as the robust ADE from Teja, the Intel IXP1200 Network Processor offered the most versatile development platform for the NetBouncer solution.
Even though the Network Associates Laboratories development team had no experience working with the Intel IXP1200 Network Processor, they were able to take NetBouncer from a Linux*-based proof-of-concept template to a working prototype in a few short weeks. Two members of the Network Associates Laboratories team attended a 2-day training course at Teja’s facility, and then spent 3 days in the lab to brainstorm the application with some of Teja’s design experts. Following this brief one-week training period, the Network Associates Laboratories team was able to produce a functional prototype of NetBouncer within a few weeks.
The Teja NP* application provides the IPv4 forwarding plane packet processing logic that executes on the Intel IXP1200 Network Processor, as well as the invaluable programming interface that makes it possible to experiment with logic configurations on the fly. In addition to the receive, transmit and queuing features of the Teja forwarding application, Network Associates Laboratories relies heavily on the advanced GUI that allows the NetBouncer designers to customize the table management code and to create new application logic without regard to the individual microprocessing engines on the Intel IXP1200 Network Processor. This unique interface allows developers to build application logic using state machines and literally "drag-and-drop" it onto the microengines. With the push of a button, Teja NP software will then generate all the necessary code for the Intel IXP1200 Network Processor.
To further simplify the NetBouncer development process, Teja NP includes functions that allow designers to rapidly converge on the assignment of logic to hardware that yields the highest system-level performance. During this optimization process, modular application components can be moved between microengines, and between the microengines and the StrongARM core. This allows the NetBouncer team to fine-tune and adjust the solution during continuous performance testing, helping them avoid many of the complexities associated with synchronization, timing and pipelining.
The programming versatility, processing configuration, speed, and memory characteristics of the Intel IXP1200 Network Processor provide the optimum processing platform for the NetBouncer solution. The Intel IXP1200 Network Processor’s ability to swap from one thread to the next with no performance penalty enables each microengine to do useful work, even while other threads are waiting for memory transactions to complete. And, with a four-tiered memory structure on the Intel IXP1200 Network Processor, even traditional memory bottlenecks aren’t much of an issue. Using the built-in memory optimization code and the drag-and-drop feature of the Teja NP development platform to map logical memory to physical memory, the Network Associates Laboratories team is able to experiment with memory optimization on the fly.
With the Intel IXP1200 Network Processor in the NetBouncer prototype machines, initial performance results are very encouraging: recent tests show the IXP1200 maintaining speeds up to 1 Gbps and handling approximately 480,000 address lookups per second. (See pipelining chart below for a visual explanation of how the Intel IXP1200 Network Processor microengines and StrongARM processor have been optimized in the NetBouncer solution.)
Conclusion
As security issues continue to plague the networking and communications industry, the development of new solutions will be essential. Researchers and developers everywhere – such as those at Network Associates Laboratories – need advanced building blocks and development tools that offer versatility and scalability to meet the ever-changing demands of the security industry.
Both the versatility of the Intel IXP1200 Network Processors and the robust GUI of the Teja NP development software made it possible for Network Associates Laboratories to develop the prototype NetBouncer security filter – a new and highly complex security application – very quickly. As the Network Associates Laboratories team continues to fine-tune this solution for real-world application, the versatility of the Intel-Teja platform will continue to be invaluable.