AIRCC PUBLISHING CORPORATION
Deployment of Intrusion Prevention System on Multi-Core Processor Based Security Hardware
Swetha K V1 and Ravi Dara2
1Department of Computer Science & Engineering, CMR Institute of Technology, Bangalore, India
2Nevis Networks(I) Pvt.Ltd., Pune, India
After tightening up network perimeter for dealing with external threats, organizations have woken up to the threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design and implement LAN security strategies in order to secure assets on LAN by filtering traffic and thereby protecting them from malicious access and insider attacks. Banking Financial Services and Insurance (BFSI) industry is one such segment that faces increased risks and security challenges. The typical architecture of this segment includes several thousands of users connecting from various branches over Wide Area Network (WAN) links crossing national and international boundaries with varying network speed to access data center resources. The objective of this work is to deploy LAN security solution to protect the data center located at headquarters from the end user machines. A LAN security solution should ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it. Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly detection, validation of asset ownership etc. LANenforcer (LE) is a device deployed in front of the data center such that the traffic from end-user machines necessarily passes through it so that it can enforce security. The goal of this system is to enhance the security features of a LANenforcer security system with Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. IPS is plugged into the packet path based on the configuration in such a way that the entire traffic passes through the IPS on LE.
LAN security, LANenforcer, IPS, Security hardware, Multi-core processor
LAN security solutions are important for the complete protection of enterprise networks and the users on the network. The security solutions include firewalls, anti-virus programs, Intrusion Detection/Prevention Systems (IDPS), traffic anomaly detection mechanisms that identify attacks as it occurs. Firewalls, anti-virus, and IDS helps prevent confidential data from getting out and also prevent intruders getting in. A firewall filters traffic from the Internet into the organization as well as traffic from within the organization to the outside. IDS can evaluate traffic that passes through these open ports but cannot stop it. Network -based IPS is generally systems that sit in line, and block suspicious traffic after detecting an attack. IPS protects networks from unauthorized network connections, malicious network activities and intruders. In IPS mode, device is not working with copy of the packets, but instead, it is working with the original packets. IPS has become an essential next-level of defence for environments that want transparency to users while protecting data and network resources. IPS may be implemented in hardware or in software on a PC. The various IPS software’s use different detection methods,
signature detection, anomaly detection, and some proprietary methods to prevent the occurrences of attacks. IPS is an evolution of IDS technology. Its proactive capabilities will help to keep networks safer from more sophisticated attacks. IPS focuses on what an attack does — its behavior, which does not change. IPS use a set of rules to represent the type of behavior: acceptable or harmful. The real time traffic is then compared to the set of rules and the action is taken, whether to be permitted or blocked.
The challenges associated with financial organizations possess increased economical risk at every step of transactions. The challenges include data access control and security, availability of network connectivity and so on. Security threats and attacks can end up in disrupting the entire network including ATMs. To have a control on access by unknown machines and monitor for detection of malicious behavior within the traffic and thereby block the detected traffic, it is necessary to adopt LAN security strategies.
1.1. Problem Statement
Most of the segments in the current world face many risks and security challenges. Banking Financial Services and Insurance (BFSI) industry is one among them. The typical infrastructure of BFSI industry includes the large number of users with connections from various branches over WAN links. The Number of branches varies depending upon the organization and network speed varies depending upon the infrastructure. Critical servers are located at the Headquarters. LEs are deployed in front of data centers such that the traffic from end-user machines necessarily passes through it so that it can enforce security. Critical servers need to be protected from end-users and machines. LE with LAN security solutions such as user authentication, validation of asset ownership, MAC address verification, NAC, firewall, traffic anomaly keeps networks safer from network- based attacks. These are deployed in n:m redundancy model, where n is the number of active LEs and m is the number of standby LEs to ensure complete availability of the network even if connectivity to active LE fails. In this work, IPS feature is proposed to enhance the security features of a LE security system which can prevent from suspicious threats. IPS is plugged into the packet path based on configuration in such a way that the entire traffic passes through the IPS on LE. LS is a monitoring and configuring tool for LE where GUI resides. LE and LS do secure communication. IPS configuration is integrated into LS for admin to control LE.
2. The Multi-Core Processor
The multi-core processor used is Cavium Network’s Octeon processor. It provides high performance, high bandwidth and, low power consumption. It contains hardware acceleration for specific applications like encryptions and pattern matching. The processor can be used for control plane as well as data-plane networking applications. The Octeon processors are used in a wide variety of OEM equipment. Some examples include routers, switches, unified threat management (UTM) appliances, content-aware switches, application-aware gateways, triple-play broadband gateways, WLAN access and aggregation devices, 3G, WiMAX and LTE base station and core network equipment, storage networking equipment, storage systems, servers, and intelligent network adapters. The Octeon family of multi-core processors supports up to 32 MIPS cores. Multiple hardware acceleration units are integrated into the Octeon processor. These hardware acceleration units offload the cores, reducing software overhead and complexity. The processor consists of control plane and data plane.
3. Selection Of An Open Source Intrusion Prevention System
Intrusion Prevention Systems such as Snort, Suricata and Metaflows were studied and compared to choose a good quality and economically feasible solution . Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Suricata is a high performance Network IDS, IPS, and Network Security Monitoring engine. Metaflows is a product that can be installed on low- cost hardware and transmit the network data to the cloud system for analysis. It includes Bot Hunter, Snort, Flow, Net Flow like network traffic monitoring plug-ins; log management tools. Meta Flows sensors process 800 Mbps of sustained network throughput when using an eight-core Intel i7 CPU that costs around $1,000. On the server side, a threat prediction algorithm is used to prioritize events. The table below summarizes the comparison between Snort, Suricata and Metaflows.
Table 1. Comparison between snort, suricata , and metaflows
Based on the study, Suricata is chosen as the IPS for deployment. Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).
3.1. Packet Pipeline
Suricata has multiple run modes, each of which initializes the threads, queues, and plumbing necessary for operation. These modes are usually tied to the choice of the capture device and whether the mode is IDS or IPS. Example of capture devices: pcap, pcap file, nfqueue, ipfw, or a proprietary capture device. Only one run mode is chosen at startup. Each thread in the packet pipeline is an instance of a module,.
These threads are initialized by the runmode defined in ‘runmodes.c’. The run mode also initializes the queues and packet handlers used for moving packets between modules and queues. A thread is marked runnable after the all the steps from the run mode initialization are complete.
Real time traffic from NIC or network packets stored on PCAP file is passed as input to Suricata. Then the traffic is decoded, which converts the input in to a Suricata support data structure where it is passed to a link type decoder. Then the streams are reassembled prior to being distributed between the signature-detection modules. The detection module takes care of multiple complex tasks: loading all signatures, initializing detection plugins, creating detection groups for packet routing, and finally running packets through all applicable rules. The user can configure the number of threads, number of CPUs required in the configuration file.
Suricata is compatible with most operating systems (e.g. Linux, Mac, FreeBSD, UNIX and Windows). The industry considers Suricata a strong competitor to Snort and thus they are often compared with each other.
Fig 1. Packet Pipeline
3.2. Suricata.yaml file
Suricata uses the Yaml  format for configuration. The Suricata.yaml file is included in the source code. At the top of the YAML-file you will find % YAML 1.1. Suricata reads the file and identifies the file as YAML.
3.3. Suricata rules
Signatures play a very important role in Suricata. Mostly used existing rule sets are Emerging Threats, Emerging Threats Pro and source fire’s VRT. A rule/signature consists of the following: The action, header and rule-options. Example of a signature:
alert udp any any -> any 53 (msg:”ET DOS DNS BIND 9 Dynamic Update DoS attempt”; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:”|00 00 06|”; offset:8; content:”|c0 0c 00 ff|”; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701;classtype:attempteddos; sid:2009701; rev:2;)
Col 1: action-type (alert/drop/reject/pass)
Col 2: protocol (tcp (for tcp-traffic), udp, icmp and ip. ip stands for ‘all’ or ‘any’, http, ftp, tls (this includes ssl), smb and dns)
Col 3: source ip
Col 4: source port
Col 5: direction operator (source -> destination, source <> destination (both directions))
Col 6: destination ip
Col 7: destination port
Col 8 till end: signature
4. Testing And Optimization
This chapter focuses on the experiments done on LE with Suricata enabled and optimizations are done on Suricata configuration based on the results of experiments. Suricata is configured as a bridging IPS where interfaces eth0 and eth1 are bridged.
Fig.2. Experimental setup with bridge configuration
For basic testing purposes, a machine host1 is connected to LAN to which eth0 interface of LE is connected. Eth1 is connected to LAN to which another machine host2 is connected. Packets sent from host1 to host2 enter LE via eth0 interface and are forwarded to bridge, then Suricata and finally pass through eth1.
4.1. Testing using Tcpreplay and Tomahawk
Tcpreplay is a tool used to replay the traffic previously captured back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tomahawk is also a tool for testing the performance and in-line blocking capabilities of IPS devices. They split traffic between two interfaces and emulate client and server sides of the connection. The tool divides packet trace into two parts as those given by the client and those given by server. The First time it sees an IP address, it is classified as client if the address is found in the ip source field of packet and classified as server if the address is found in the IP destination field of the packet. Testing with these tools did not give substantial results because of the packet misbehaviour.
These tools could not do anything with the packets if it detects a source IP in the packet which is already classified as server. A DARPA Intrusion set of 400 MB and some other downloaded pcap files were replayed. But it produced warning that many packets had outgoing interface conflicts.
4.2. Testing Using Ixia
Ixia traffic generator provides a complete platform of testing the network setup to ensure sustained and reliable performance. Ixia test ports can be independently configured to define traffic, filtering, and capture capabilities. Experiments were carried out using IxExplorer and IxLoad by sending packets through DUT with Suricata enabled. Four ports of Ixia Chasis were connected to the DUT, two ports being configured as clients and two ports as servers. Using IxLoad, two client networks were configured each with 200 clients and two server networks were configured each with one server. HTTP and FTP packets were transferred using IxLoad setup. The graphs obtained as experimental results are shown below.
Fig.3. Graph showing throughput in MB obtained for FTP traffic through LE without Suricata
Fig.4. Graph showing throughput in MB obtained for HTTP traffic through LE without Suricata
Fig.5. Graph showing throughput in MB obtained for HTTP traffic through LE with Suricata
Fig.6. Graph showing throughput in MB obtained for FTP traffic through LE with Suricata
Fig.7.CPU Utilization for FTP traffic
Fig.8.CPU Utilization for HTTP traffic
4.3. Optimization of Suricata Configuration
Suricata IPS configurations are stored in a YAML file format.
Following options have been modified in the default yaml file for optimizing the performance.
Default number of packets allowed to be processed simultaneously by Suricata is 1,024. Increasing this limit to 5000 showed a slight improvement in performance.
There are different run-modes available in Suricata. Workers mode is chosen since it gave better throughput than default auto-fp mode. In workers mode, all the treatment for a packet is made on a single thread.
Fig.9.Graph showing throughput in default run-mode(autofp) versus workers mode of Suricata.
Netlink buffer size:
The default netlink buffer size in yaml is 18432. Increasing this value will increase the number of packets to be queued in nfqueue thereby reducing the packet loss. But when the value is changed to 20000 config was not getting reflected. Thus, the variable ―queue_maxlen‖ in the source code is explicitly set to 30,000.
Before this modification, there was significant packet loss.
Fig.9. nfqueue statistics before increasing queue length
(default: it is commented) This option loads the signature after it starts capturing packets. Because of this suricata can capture the packets while signature building is in progress. This is used in DP suricata script to start/stop suricata without waiting for signature building.
– receive-cpu-set: cpu: [ ―all‖ ] (default: cpu )
– decode-cpu-set: cpu: [ ―all‖ ] (default cpu[ 0, 1])
On dividing the cpu load among all the cores, performance is slightly increased.
In workers mode, number of threads depend on number of nfqueues used. If there are 16 queues used, there will be 16 worker threads in total.
stream: reassembly: memcap: 4gb #(default 128 mb )
The stream reassembly engine uses a set of pools in which preallocated segments are stored. There are various pools each with different packet sizes. Prealloc value for segments with different packet sizes are also modified for tuning the performance. (under segments: prealloc: in yaml file). This setting could be varied as per the verbose output.
By default, Suricata provides different rule files. For the deployment purpose, all the files containing rules are merged to all.rules (a single file).
5.1. Selection of an open-source Intrusion Prevention System
Based on the literature survey done on various open-source Intrusion Prevention Systems such as Snort, Suricata and Metaflows, Suricata IPS is chosen for the deployment.
Cross-compilation is the act of compiling code for one system on a different system. The system on which compiler runs is the host and the system on which the new compiled program runs is the target. When host and target are of same machine types, the compiler is native. When host and target are of different machine types, the compiler is said to be cross-compiler. Since compilation is a resource-intensive process, it is difficult to do all resource-intensive tasks on embedded hardware designed for low-power consumption. Suricata programs are developed on X86 hardware. The processor on which Suricata IPS is deployed is MIPS based platform. Hence, Suricata is cross-compiled using MIPS tool chain on X86 machine that generated code for MIPS platform. Cross-compilation of Suricata involves crosscompilation of each library it requires and the cross-compilation of Suricata source code. Suricata requires following libraries: libpcap, libcapng, pcre, yaml, libnfnetlink, libnetfilter_queue, libmnl, libnet, libmagic, zlib, libnetfilter_log. All these libraries are downloaded and cross-compiled and finally the Suricata source too. The compiled binaries are then copied to proper the locations of processor where Suricata is being executed.
5.3. Plugging IPS into the packet path
Suricata IPS is a userspace software. In order to make the network packets to pass through Suricata userspace from kernel space before it reaches the destination, IP tables rules have to be configured accordingly.
The simplest rule to send all traffic to Suricata is as follows:
iptables -I FORWARD -j NFQUEUE –queue-num 0
In this case, all forwarded traffic goes to Suricata through NFQUEUE. NFQUEUE is iptables and ip6tables, target that delegates the choice on packets to a user space package. Once a packet reaches associate degree NFQUEUE target it’s en-queued to the queue as per the amount given
by the –queue-num choice. The packet queue is enforced as a in chains list with component being the packet and data (a UNIX kernel skb). The protocol used between kernel and userspace is nfnetlink.
This can be a message primarily based protocol that doesn’t involve any shared memory. Once a packet is en-queued, the kernel sends a nfnetlink formatted message containing packet knowledge and connected data to a socket and userspace reads this message. In userspace, the package should use libnetfilter_queue to attach to queue zero (the default one) and acquire the messages from kernel. It then should issue a finding of fact on the packet. To issue a finding of fact, userspace format a nfnetlink message containing the index of the packet and send it to the communication socket. As an example, the higher than rule can arouse a choice to a listening userpsace program for all packets aiming to the box.
–queue-balance is an NFQUEUE option which to load balance packets queued by the same iptables rules to multiple queues. The usage is fairly simple. For example, to load balance FORWARD traffic to queue 0 to 15, the following rule can be used.
iptables -A INPUT -j NFQUEUE –queue-balance 0:15
The following command is used to view nfqueue statistics:
0 15015 0 2 65535 0 0 0 1
Col 1: queue num
Col 2: id attached to queue
Col 3: number of packets waiting to be processed by the application
Col 4: if packet payload is also passed, value is 2; if only meta-data is passed, value is 1
Col 5: how many bytes of packet payload should be copied to userspace at most.
Col 6: Packets dropped by kernel
Col 7: packets dropped within netlink subsystem
Col 8: ID of the most recent packet queued by userspace
Col 9: Always 1
5.4. Iptables rule setup to use IPS within the deployment context
Packets are being bridged here. So iptables are called in link layer forwarding context. The packets will go through ebtables NAT and then bridge forwarding action. Bridge forwarding action will call ebtables-forward-chain – filter table followed by iptables-forward-chain – filter table. The iptables forward chain has default DROP policy. Only all the accepted packets from forward chain are sent to Suricata to prevent unnecessary load. A new chain called IPS chain is thus introduced. The ACCEPT rules in FORWARD chain are replaced by a GOTO IPS chain target action. Also another rule with -J ACCEPT at the bottom is added in IPS chain. If IPS is enabled, NFQUEUE rule is added to IPS chain. If IPS is disabled, NfQUEUE rule is flushed and all the packets which hit allow action in FORWARD chain enter IPS chain and hit –j ACEEPT rule by which the packet is simply accepted.
Fig 5.4.1: Packet flow through different chains of iptables
5.5. Deployment of IPS in data-plane part
On data-plane, all the libraries are copied and the Suricata binary is copied during build process. Iptables configuration are copied to a script and executed during init time. Along with this, ftpserver is started during init on data-plane. A script on control-plane passes the tar of Suricata configuration files using ftpput utility and invokes the script on data-plane to start Suricata binary. The script on data-plane copy the configuration files required for starting Suricata to proper locations, enable iptables rules with NFQUEUE option and start Suricata.
6. Conclusion And Future Work
Banking and Financial Organizations need security solutions to protect their data servers. Les deployed with LAN security solutions such as user authentication, validation of asset ownership, MAC address verification, NAC, firewall, traffic anomaly keep networks safer from network based attacks. These solutions equip the BFSI networks for the access control, transparency, visibility and the defense against malicious attacks which are the basic requirements of modern enterprise networks.
IPS feature deployed enhance the security features of a LE security system and prevent from suspicious threats.
The multi-core processor used here supports hardware acceleration. In this work, the IPS used has a software- based pattern matching engine. Future work could be porting the software based pattern matching engine to hardware-based pattern matching engine. Using hardware acceleration for pattern matching will increase the performance and give better results.
 Suricata Features, http://suricata-ids.org/features/all-features/
 A performance analysis of snort and suricata network intrusion detection and prevention engines. IDCS 2011, the Fifth International Conference on Digital Society, Gosier, Guadeloupe, France. 187–192.
 Deployment of Intrusion Prevention System based on Software Defined Networking, 2013 15th IEEE International Conference on Communication Technology (ICCT)
 Metaflows and its features, http://www.metaflows.com/features/ids/
 Free and open source intrusion detection systems: A study, 2015 International Conference on Machine Learning and Cybernetics
 Fundamentals of Iptables, http://www.thegeekstuff.com/2011/01/IPTABLES-FUNDAMENTALS/
 Iptables, https://help.ubuntu.com/community/IptablesHowTo
 About Nfqueue, http://netfilter.org/projects/libnetfilter_queue/
 Packet path through Kernel, http://www.cs.wustl.edu/~jain/cse567-11/ftp/pkt_recp/index.html
 Tcpreplay, http://tcpreplay.synfin.net/wiki/tcpreplay
 Usage of nfqueue, https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
 Setting up Suricata in inline mode, https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
 Ubuntu Installation steps for Suricata, https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
 Tuning Suricata Inline IPS performance- discussion, https://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-December/001141.html
 Patrick-patch for zero copy, http://home.regit.org/2011/08/patrick-mchardy-memory mappednetlink-and-nfnetlink_queue/
 Suricata as a bridging IPS (Setup),http://taosecurity.blogspot.in/2014/01/suricata-20beta2-as-ipson-ubuntu-1204.html
 Emerging-Threats Ruleset Download, https://rules.emergingthreats.net/open/suricata/rules/
 Suricata Threading, https://kaurikim.wordpress.com/2015/02/16/suricata-threading/