NGI Security Research
CAIDA is collaborating with the Pacific Institute for Computer Security ( PICS) at SDSC to enhance the OC12mon passive traffic monitor to facilitate ubiquitous network monitoring at aggregation points (e.g. DMZ's and up-stream ISP's), by developing dynamic filtering and data collection, security policy compliance monitoring, and security policy enforcement components.
Principal Investigator: kc claffy
Funding source: N66001-98-2-8922 Period of performance: September 15, 1997 - October 15, 2001.
Filtering is required to reduce data, isolate suspicious traffic, minimize contention for the peripheral bus, and permit persistent monitoring of heavily-loaded links. This will be accomplished with two-level filtering: in hardware on the network adaptor FPGA and in the host kernel. Modifications of the FPGA firmware to enable classes of filters will be developed. In-kernel filtering will be optimized with a zero-copy design built around the BSD Packet Filter (BPF) machine.
Once the basic filtering and data collection mechanisms are in place, security-relevant capabilities can be expanded. We will build on previous work to perform further data reduction through dynamic filtering. In this approach, traffic matching specified flow filters (e.g. attack precursors) triggers realtime modification of traffic collection filters to enable detailed flow data collection. This detailed flow data collection could not be accomplished with conventional static filters.
We will extend the OC12mon capabilities by developing security policy compliance and enforcement modules. The compliance module takes a network security policy, formulated by a set of protocol filter rules, and passively audits traffic on the link for compliance. Statistics and alerts may be generated for non-compliant traffic. The compliance monitor could be used to signal an enforcement module to actively respond to the non-compliant traffic. In previous work, we developed an enforcement module for broadcast media. We will explore new mechanisms, applicable to non-broadcast media, to enable policy enforcement. These could include NNI protocol attacks, switch re-configuration, and packet insertion.
While the focus of this task is on security applications of the OC12mon, the expanded capabilities are by no means limited to security. This task will permit more general filtering and detailed data collection with the OC12mon. Such capabilities would be quite useful in other areas such as network management and trouble-shooting where one may wish to detect and extract specific or abberant protocol traffic in realtime.
- Security Management in Next Generation Networks, a presentation by Glenn Sager, PICS, July 1998
- Security Fun with OCxmon and cflowd, a presentation by Glenn Sager, PICS, at the Internet2 Working Group meeting, November 1998