SafeCard [dBSvR+06]
is a network intrusion prevention system
for edge hosts that combines full packet payload scanning, application-layer
protocol filtering (which requires traversing the entire protocol stack)
and flow-based behavioral detection.
Network intruders are increasingly capable of circumventing
traditional Intrusion Detection Systems (IDS). Evasion and insertion
techniques blind the IDS by spoofing the datastream,
while polymorphism cloaks malicious code to slip past
the filter engine [PN98,HPK01].
Besides hiding the attack, however, attackers employ another weapon to
thwart network defense systems: raw speed [SSW02]. Less
sophisticated attacks traveling over Gigabit links may be as
difficult to stop as more complex attacks spreading more slowly. This
leads to an interesting dilemma. On the one hand, systems that handle
evasion and polymorphism are either too slow for in-line deployment
(and are often host-based) or not sufficiently accurate (e.g. [JNS05]).
On the other hand, fast in-line solutions are
not able to detect and stop sophisticated attacks
(e.g., [S. 04]). In this project we have built a network card that
can be deployed in the datastream as an Intrusion Prevention System
(IPS) at the edge of the network and that handles many forms of attack
at Gigabit rates.
SafeCard provides a single IPS solution
that considers many levels of abstraction in communication: packets,
streams, higher-level protocol units, and aggregates (e.g., flow
statistics).
We selected state-of-the-art methods for the most challenging
abstractions (streams and application data units)
and demonstrate for the first time
the feasibility of a full IPS on a network card containing advanced
detection methods for all levels of abstraction in digital
communication. To support in-depth analysis in higher-level protocol
layers and achieve performance at Gigabit rates without swamping the
host processor, we offload all tasks to a smart NIC.
Additionally, physically removing
safety measures from the user's machine has the advantage that they
cannot be tampered with, which from a security viewpoint may be preferred
by administrators.
As in the case of NIC-FIX [BH05], SafeCard uses a slightly outdated and therefore cheap processor.
Figure 7.10: SafeCard application pipeline
![SafeCard application pipeline](img10.png)
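To make the levels of abstraction in the pipeline concrete, here is an added illustration in Python (my own code, not SafeCard's, which runs on the NIC itself): the same constructed segments are inspected per packet, after stream reassembly, and as per-flow aggregates, showing why a signature split across two segments is only caught at stream level and how a conflicting overlap (the insertion problem) is reported instead of silently resolved. The signature, flow ids and payloads are constructed for the example.

```python
from collections import defaultdict

# Constructed signature and segments for the demonstration; not real indicators.
SIGNATURE = b"GET /cgi-bin/evil"

# Constructed TCP-like segments: (flow_id, sequence offset, payload).
# Flow A carries the signature split across two segments; flow B is benign.
SEGMENTS = [
    ("A", 0, b"GET /cgi-"),
    ("A", 9, b"bin/evil HTTP/1.0\r\n"),
    ("B", 0, b"GET /index.html HTTP/1.0\r\n"),
]

def packet_level_scan(segments):
    """Level 1: match each packet payload on its own. A signature that
    straddles a segment boundary is missed: the evasion a per-packet
    filter falls to."""
    return sorted({fid for fid, _, p in segments if SIGNATURE in p})

def reassemble(segments):
    """Level 2: rebuild each stream in sequence order. Overlapping segments
    whose bytes disagree are flagged, because the IDS cannot know which
    copy the end host will accept (insertion); the flow is reported rather
    than guessed. Reassembly stops at the first hole in the data."""
    buffers = defaultdict(dict)   # flow -> {offset: byte value}
    conflicts = set()
    for fid, seq, payload in segments:
        buf = buffers[fid]
        for i, b in enumerate(payload):
            if buf.get(seq + i, b) != b:
                conflicts.add(fid)
            buf.setdefault(seq + i, b)   # keep the first copy seen
    streams = {}
    for fid, buf in buffers.items():
        data, off = bytearray(), 0
        while off in buf:
            data.append(buf[off])
            off += 1
        streams[fid] = bytes(data)
    return streams, sorted(conflicts)

def stream_level_scan(segments):
    """Alert on flows whose reassembled stream holds the signature, plus
    flows with conflicting overlaps."""
    streams, conflicts = reassemble(segments)
    hits = {fid for fid, data in streams.items() if SIGNATURE in data}
    return sorted(hits | set(conflicts))

def flow_stats(segments):
    """Level 3: per-flow aggregates on which behavioral detection operates."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for fid, _, p in segments:
        stats[fid]["packets"] += 1
        stats[fid]["bytes"] += len(p)
    return dict(stats)
```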
willem
2010-02-03