DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

A Fast Adaptative Secure Technology for high-speed NetworkResearch Staff : Sylvain GombaultKeywords : Traffic filtering, Packet classification, Reconfigurable components, String matchingApplications : Intrusion detection sensor and Firewall for high speed networkPartners & Funding : IRISA, partially funded by Région Bretagne in the framework of PRIR FastnetIntroductionThe development of high-speedcommunication networks led to a growinginterest for the deployment of securitymechanisms related to the specificity of theseenvironments. The Fastnet project (FastAdaptative Secure Technology for high-speedNETwork) tackles the problematic of high-ratenetwork traffic analysis: the proposedapproach is to combine software security ruleanalysis and hardware architectures based onreconfigurable components. Network intrusiondetection probe (NIDS) Snort [2] has beenchosen as a use case, and the considerednetwork link is Ethernet 10 Gb/s, up to 40Gb/s.Fastnet is a PRIR (PRojet d’Intérêt Régional)project funded by the Britany Region (2005-2008). In this project, TELECOM Bretagne isassociated with the R2D2 project (IRISA).RealizationWe carried out a state of the art on thesoftware algorithms used or which could beused in Snort. Based on this work, a firstselection of hardware filtering and stringmatching techniques adapted to the needs ofsnort was proposed [3].We have designed a new hardwareimplementation of a string matching enginebased on a multi-character variant of the wellknownAho-Corasick algorithm [4]. Theproposed architecture model optimally exploitsthe current FPGA reconfigurable components.It combines in an efficient way, the use of thelogic and memory resources of the FPGA. It issuited for searches on very large set of strings(tens of thousand of strings) and the proposeddesign has been validated through theimplementation of a search engine suited tothe processing of a subset of the Snort rules.An Altera Stratix FPGA component is targeted.By using traffic parallelization and circuitretiming techniques, we then show that 40Gbit/s traffic content scanning can besustained [4].fig. 1 : Preprocessor Polsec in Snort ArchitectureWe have also proposed a new functionality toSnort : a preprocessor dealing with « networkpolicy monitoring ». To ensure the security ofits information system, an orgnisation definesa security policy which applies to all itsequipments. This policy is then translated insecurity mechanisms on each equipment. Onetranslation of this policy applies to networktraffic : it describes allowed and prohibitedtraffic in network policy rules. With these rules,we can describe both internal andinbound/outbound trafic. The role of IDS is tocheck that no policy violation occurs. As snortrules cannot be used to write network policyrules, thanks to its flexibility, we havedevelopped a snort software preprocessorbased on policy rules which monitors thenetwork trafic [5].ConclusionAs a future work, we plan to process byhardware all the parameters of a Snort rule.This means that we have to combine packetclassification to select packets into whichlooking for string matching. Packetclassification is also useful to monitor networkpolicy and we will see how to implement oursnort preprocessor in hardware.References[1] Alfred V. Aho and Margaret J.Corasick.1975, Efficient string matching: An aidto bibliographic search, Communications of the52 Pracom’s Annual Report 2008
ACM, vol. 18, issue 6, pages 333–340, June1975[2] “Snort - The Open Source NetworkIntrusion Detection System,” inhttp://www.snort.org/[3] Georges Adouko, François Charot, SylvainGombault, Tony Ramard and ChristopheWolinski. “Panorama des algorithmes efficaceset architectures matérielles pour le filtrageréseau haut débit et la détection d'intrusions ».MAJECSTIC 2006, Lorient, France, 22--24November 2006.[4] Georges Adouko and François Charot, andChristophe Wolinski. « Exploitation optimaledes circuits reconfigurables FPGA pour la miseen oeuvre d'un moteur de recherche demotifs ». SYMPA 2008, Fribourg, Allemagne,Février 2008.[5] Clément Cresteaux, Thomas Gautier,Mamadou Sanoussy Diallo, Pierre Tasson.« Projet Snort : Ajout d’un préprocesseur ».Rapport de projet Master 2 Université deRennes 1, Février 2007.Consistency and interoperability in security policiesResearch Staff : Frédéric Cuppens, Nora Cuppens-Boulahia – PhD. Student: Céline ComaKeywords : security policy, secured interoperability, OrBAC, Ontology, Sphere of authorityApplications : Web service securityPartners & Funding : partially funding from the French RNRT project Politess and by a grant fromthe Institut TELECOMIntroductionCurrent information systems are more andmore distributed and require more interactionswith external services to achieve businesscontinuity. In this context, we have to securethe access to and usage of exchangedinformation and, insure that each partyinvolved in some interoperability session mustat least maintain its security level. Toguarantee good interoperability exchanges,organizations need to share information withother participant about the services theyprovide. In addition, to be compliant withsecurity requirements during interoperability,security policies have to be dynamic. Onepurpose of our recent works is to provide thisdynamic behavior by taking care about contextof access parameters. The context-awaresecurity requirements may be met by using acontextual access control model to define thesecurity policy of each party involved in theinteraction, and OrBAC (Organization basedAccess Control) is an adequate model for thispurpose. Elaborating an ontology basedsecurity model provides a mean to ensuresharing of understandable knowledge, inparticular knowledge needed to derive theauthorized accesses and usages during theinteroperability sessions. We thus suggestcontext ontology to be combined with anontological representation of the OrBAC modeland show how it can be used to ease thesecurity rules definition and derivation duringinteroperability sessions.RealizationWe suggest a formal approach called O2O(Organization to Organization) to deal withaccess control in an interoperability context. Itis based on the concept of Virtual PrivateOrganization (VPO) that enables anyorganization undertaking an interoperationwith other organizations to keep control overthe resources accessed during theinteroperability phases. Thus, using O2O, eachorganization can define and enforce its owninteroperability security policy. Thisinteroperability security policy defines howsubjects from some organization can accessand use resources owned by otherorganizations in the VPO. In the O2Oapproach, VPO policies are expressed by useof the OrBAC model. Its built-in confinementprinciple ensures a secure interoperation andits structure based on organizations, roles,activities, views and contexts makesspecifications of fine grained access controleasier. In OrBAC due to the confinementprinciple, the scope of every security rule isPracom’s report 2006 53
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15:
- le GIS ITS (Intelligent Transport
Page 16 and 17:
Twente aux Pays Bas, Université de
Page 18 and 19:
Liste des doctorants présents en 2
Page 20 and 21:
Annexe 2 : liste des publicationsAr
Page 22 and 23:
COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25:
PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27:
Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 64 and 65: execution in a distributed manner.
Page 66 and 67: Intrusion DetectionDetection and co
Page 68 and 69: eported alerts have to be managed b
Page 70 and 71: inside the corresponding detection
Page 72 and 73: function has a limitation that it d
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

Create successful ePaper yourself

Delete template?

Save as template?