Luth: Composing and Parallelizing Midpoint Inspection Devices

The race for innovation drives Internet evolution: Internet software developers have to build ever more complex systems under constant time-to-market pressure. As a result, end-host software has bugs and vulnerabilities and cannot be trusted. That is why network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls and other network devices monitor such software to prevent unexpected behaviours. However, their functionality is limited by design, because they can only handle a configuration of predefined, monolithic protocol layerings. In this paper we present Luth, a midpoint inspection device that relies on the composition and parallelization of predefined midpoint inspectors (MIs). We present the main functionalities offered by its configuration language and interpreter. Finally, we benchmark a prototype implemented in OCaml. This prototype runs in the user space of a GNU/Linux operating system by means of the libnetfilter_queue library. We show how it efficiently inspects and filters DNS hidden channels encapsulated in 20 GRE tunnels.
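As an added illustration (not Luth's code and not the paper's configuration language), the following Python sketch shows what composing per-layer midpoint inspectors means for the GRE-encapsulated DNS case: each MI strips one encapsulation layer and may drop the packet, and compose() chains them in layering order. The port and protocol checks, the DNS size thresholds and the packet builder are assumptions made for this example.

```python
import struct

def gre_mi(pkt):
    """GRE (RFC 2784/2890): flags/version, protocol type, optional C/K/S words."""
    flags, proto = struct.unpack("!HH", pkt[:4]) if len(pkt) >= 4 else (0, 0)
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return ("pass", pkt[off:]) if proto == 0x0800 and len(pkt) >= off else ("drop", b"")

def ipv4_mi(pkt):
    """Accept only IPv4 carrying UDP (protocol 17) and strip the IP header."""
    ok = len(pkt) >= 20 and pkt[0] >> 4 == 4 and pkt[9] == 17
    return ("pass", pkt[(pkt[0] & 0x0F) * 4:]) if ok else ("drop", b"")

def udp_mi(pkt):
    """Accept only port-53 traffic and strip the 8-byte UDP header."""
    ok = len(pkt) >= 8 and 53 in struct.unpack("!HH", pkt[:4])
    return ("pass", pkt[8:]) if ok else ("drop", b"")

def dns_mi(pkt, max_label=40, max_name=120):
    """Parse the first question name and drop oversized names, the usual sign of
    data smuggled into labels. The thresholds are assumptions, not the paper's."""
    off, labels = 12, []                      # skip the 12-byte DNS header
    while off < len(pkt) and pkt[off] != 0:
        n = pkt[off]
        if n >= 0xC0 or n > max_label or off + 1 + n > len(pkt):  # pointer, too long, truncated
            return "drop", b""
        labels.append(pkt[off + 1:off + 1 + n])
        off += 1 + n
    name = b".".join(labels)
    return ("pass", name) if off < len(pkt) and len(name) <= max_name else ("drop", b"")

def compose(*mis):
    """Chain MIs: each consumes one encapsulation layer; the first drop ends the chain."""
    def run(pkt):
        for mi in mis:
            verdict, pkt = mi(pkt)
            if verdict == "drop":
                return "drop"
        return "pass"
    return run

inspect_gre_dns = compose(gre_mi, ipv4_mi, udp_mi, dns_mi)

def build_gre_dns_query(name):
    """Constructed test packet: GRE -> IPv4 -> UDP/53 -> DNS query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return struct.pack("!HH", 0, 0x0800) + ip + udp
```

Running the 20-tunnel setup from the abstract would amount to applying inspect_gre_dns to each tunnel's packets independently, which is what makes the per-tunnel chains trivially parallelizable.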
