Joint Traffic Routing and Distribution of Security Services in High Speed Networks
Andreas Hess, Telecommunication Networks Group, Technical University Berlin, Germany
Sudipta Sengupta, Microsoft Research, Redmond, WA, USA
Vijay P. Kumar, VPK Technologies, Holmdel, NJ, USA

Abstract

The continued explosion of new virus/worm and other security attacks in the Internet and the tremendous propagation speed of self-propagating attacks have led to network security being considered as a design criterion rather than an afterthought. Attack prevention, detection, and mitigation mechanisms can be broadly classified as network based or host based. Network based security mechanisms have been shown to be much more effective than host based mechanisms, primarily because of the former's ability to identify attack traffic that is further upstream from the victim and closer to the attack source. In the context of network based mechanisms, we consider a flexible overlay network of security systems running on top of programmable (active) routers. In such an architecture, security services can be dynamically distributed across the network, which provides flexibility for load-balancing of services across nodes and addition of new services over time. Such network based mechanisms inevitably decrease network performance, as all packets are analyzed for malicious content before being forwarded. In this paper, we consider traffic routing, placement of active router nodes, and distribution of security services across such nodes so as to optimize certain objectives, including (i) minimizing the total number of nodes with deployed active routers, and (ii) minimizing the maximum utilization of any router node in the network. Based on an emulation in the DETER testbed, we show the benefit of the presented approach.

I. INTRODUCTION

Recent developments show that communication networks cannot be secured by sporadic and uncoordinated security devices like firewalls at users' and corporate sites.
Moreover, it cannot be expected that all users and administrators will be able to keep their system(s) secure, and thus we think that the protection of end systems should be done in the network. For this purpose, we propose a flexible overlay network of intrusion prevention systems (IPS) running on top of an active networking environment. Active networks consist of programmable nodes (active nodes) on which, for example, IPS services can be dynamically deployed for the purpose of creating overlay networks.

In this paper, we remove the respective assumptions of two previous approaches (either the routes are given or the placement of security nodes is given) and provide a framework for joint optimization of both design choices. On the one hand, [3] shows how to intelligently distribute security services to efficiently protect end-systems against attacks coming from the Internet. Here, the authors assumed pre-defined routes and a tree-based topology. On the other hand, [5] developed a heuristic for the placement of content-filtering nodes in a network and, given the placement of such nodes, designed a fully polynomial time approximation scheme (FPTAS) that maximizes the traffic carried by the network subject to the constraint that all traffic passes through a content filtering node at least once.

We envisage that the contribution of this paper can be applied in a network planning setting where estimated traffic patterns can be used to deploy security services at selected nodes and provision paths for load-balanced routing in the network. We develop two mixed integer linear programming (MILP) formulations that assign the routes and simultaneously place programmable router nodes and distribute security services across these nodes so as to (i) minimize the number of nodes where programmable routers are deployed, or (ii) minimize the maximum utilization of any router node in the network. Any other linear objective function can also be accommodated.
In the first approach, the MILP calculates the optimal single-path route for each source-destination pair in the network. In the second approach, the set of available routes for each source-destination pair is predefined and multipath routing is allowed.

II. JOINT TRAFFIC ROUTING AND DISTRIBUTION OF SECURITY SERVICES

In this section, we present our concept for distributed intrusion prevention in high-speed networks. It is based on two pillars: the FIDRAN architecture, which enables the dynamic integration of security services on a programmable router, and the optimal placement of security services in the network.

A. The FIDRAN Architecture

This section briefly describes the FIDRAN architecture; for a detailed discussion we refer to [4]. The framework consists of core components, which run permanently, and of add-on components (the security services), which are dynamically integrated into the system as needed (cf. Fig. 1). The core functionality comprises the traffic selector, the security policy, the control/management module and the default queuing discipline. Security services are implemented as loadable modules featuring IPS-specific networking services. The capabilities provided by the underlying programmable networking infrastructure allow the FIDRAN system to be distributed on programmable routers. The dynamic creation of an IPS overlay network is thereby enabled. Secure communication between programmable nodes is also provided.

[Fig. 1. The FIDRAN architecture. Labelled components: security policy, traffic selector, management module, control module, queues, and service process chains, with drop and forward outputs towards the network.]

All network traffic is redirected to the traffic selector, which, according to the rules specified in the security policy, assigns the traffic to one of the categories forward, process or drop. Traffic that is assigned to the category forward is directly forwarded and not analyzed by any installed security service (see Fig. 1). It is either not necessary to check this traffic (e.g. encrypted traffic, IPSec), or another programmable node on the route to the end-system is in charge of doing so. Traffic in the category process is queued and analyzed by specific security services. The detailed procedure for queuing and analysis, as well as the reaction in case of a detected attack, is also specified in the security policy. Finally, traffic belonging to the category drop is blocked altogether by the traffic selector.

The management and the control modules are responsible for the configuration of the FIDRAN system. The management module is the interface between the overlay network of programmable routers and the FIDRAN system. Hence, it is able to trigger the download of a security service from a service repository. The control module coordinates the downloaded security services.

Most attacks are based on a vulnerability that is specific to an operating system, protocol or application, so a modularization of the protection services is possible. In order to realize a demand-driven intrusion prevention system, the required security services for a specific set of destinations are concatenated and stored in a service process chain.
A process chain is a linked list of security services with a unique identifier that is composed of IP address(es), port(s), and protocol. A security service can be part of one or more process chains. In addition, each security service keeps track of the number of alarms it raised and the packets it dropped. Once the chains are set up, the control module takes a packet from one of the waiting queues, inspects it, and forwards it to the appropriate process chain. The security services contain the intrusion prevention intelligence that actually provides protection against attacks. According to the statistics recorded by them, they are reordered at regular intervals in order to optimize the internal packet processing.

B. Modeling Packet Processing Times

The processing time for a packet can be modeled as a sum of three components: the basic delay $T_{base}$, representing the routing delay in a standard network router; the delay $T_{active}$, representing the overhead necessary to decide whether a packet must be processed on the programmable router (applies only if the router is programmable); and the sum of the processing times $T_s$ for each service $s$ that is applied to a packet. Accordingly, the total processing time for a packet that receives services in the set $A \subseteq S$ at a node is given by

$$T_{base} + T_{active} + \sum_{s \in A} T_s$$

For further details on the individual components we refer to [3].

C. Distribution of Services with Single Path Routing

We first consider the single path routing version of the problem, where a demand is routed along a single path from source to destination under the constraint that it is analyzed by all security services. Multi-path routing, considered in the next section, allows the demand to be split across multiple paths from source to destination.
Given a network with link capacities, traffic demands, and packet processing times as above, we consider the problem of routing, placement of programmable routers, and distribution of security services, so as to minimize the total number of nodes with deployed programmable routers. Towards the end of this section, we also consider a second objective function.

Let routing variable $z_e^k$ have value 1 if the routing of demand $k$ uses link $e$, and value 0 otherwise. Let variable $w_i^k$ have value 1 if node $i$ is on the routed path for demand $k$, and value 0 otherwise. Let service distribution variable $y_{is}^k$ be the fraction of demand $k$ that is provided service type $s$ at node $i$. Let variable $x_i$ have value 1 if node $i$ is a programmable router node, and value 0 otherwise. Then, our problem can be expressed as the following polynomial size mixed integer linear program (MILP):

$$\text{minimize} \quad \sum_{i \in N} x_i$$

subject to

$$\sum_{e \in E^+(i)} z_e^k - \sum_{e \in E^-(i)} z_e^k = \begin{cases} +1 & \text{if } i = s(k) \\ -1 & \text{if } i = d(k) \\ 0 & \text{otherwise} \end{cases} \qquad \forall i \in N,\ k \in D \tag{1}$$

$$\sum_{e \in E^-(i)} z_e^k \le 1 \qquad \forall i \in N,\ k \in D \tag{2}$$

$$\sum_{e \in E^+(i)} z_e^k \le 1 \qquad \forall i \in N,\ k \in D \tag{3}$$

$$w_i^k = \begin{cases} 1 & \text{if } i = s(k) \text{ or } d(k) \\ \sum_{e \in E^-(i)} z_e^k & \text{otherwise} \end{cases} \qquad \forall i \in N,\ k \in D \tag{4}$$

$$y_{is}^k \le w_i^k \qquad \forall i \in N,\ k \in D,\ s \in S \tag{5}$$

$$y_{is}^k \le x_i \qquad \forall i \in N,\ k \in D,\ s \in S \tag{6}$$

$$\sum_{i \in N} y_{is}^k = 1 \qquad \forall k \in D,\ s \in S \tag{7}$$

$$\sum_{k \in D} t(k)\, w_i^k\, T_{base} \le 1 \qquad \forall i \in N \tag{8}$$

$$\sum_{k \in D} t(k)\, w_i^k\, (T_{base} + T_{active}) + \sum_{k \in D} t(k) \sum_{s \in S} T_s\, y_{is}^k \le 1 + C(1 - x_i) \qquad \forall i \in N \tag{9}$$

$$\sum_{k \in D} z_e^k \le u_e \qquad \forall e \in E \tag{10}$$

$$z_e^k,\ w_i^k,\ x_i \in \{0, 1\} \qquad \forall e \in E,\ i \in N,\ k \in D \tag{11}$$

$$y_{is}^k \ge 0 \qquad \forall i \in N,\ k \in D,\ s \in S \tag{12}$$

Constraints (1)-(4) involve the routing of the demands. Constraints (1) correspond to the routing of one unit of flow from node i to node j along a single path. Constraints (2) and (3) guarantee that the paths are loop-free by enforcing that the total in-degree or out-degree of used links at any node is at most 1. Constraints (4) say that a node $i$ (other than source or destination) is on the path for routing demand $k$ if it has an incident link that is used.

Constraints (5)-(7) involve the deployment of programmable routers at nodes and the distribution of services among such nodes. Constraints (5) model the fact that the routed demand $k$ can receive some security service at node $i$ only if node $i$ is on the path. Constraints (6) model the additional requirement that such a node should have a programmable router deployed. Constraints (7) state that for each demand and for each type of service, the fraction of traffic processed over all nodes on the routed path should be 1.

Constraints (8)-(9) model stability conditions for packet processing times. The total traffic entering node $i$ is $f_i = \sum_{k \in D} t(k)\, w_i^k$. Thus, the average time between consecutive packet arrivals is $1/f_i$. The stability condition for a node $i$ without a programmable router is $T_{base} \le 1/f_i$, or $f_i T_{base} \le 1$. This is constraint (8). This constraint becomes redundant if $x_i = 1$ (i.e., node $i$ has a programmable router) due to the presence of constraint (9).
The average processing time of a packet at a programmable router node $i$ is

$$T_{base} + T_{active} + \sum_{k \in D} \frac{t(k)\, w_i^k}{f_i} \sum_{s \in S} T_s\, y_{is}^k$$

Now observe that the bilinear product term $w_i^k y_{is}^k$ is 0 when $w_i^k = 0$, i.e., when node $i$ is not on the path for demand $k$. In that case, $y_{is}^k$ is also 0. Otherwise, when $w_i^k = 1$, the product term equals $y_{is}^k$. Thus, in both cases, we have $w_i^k y_{is}^k = y_{is}^k$. Hence, the average processing time becomes

$$T_{base} + T_{active} + \frac{1}{f_i} \sum_{k \in D} t(k) \sum_{s \in S} T_s\, y_{is}^k$$

This must be at most $1/f_i$, whence

$$f_i\, (T_{base} + T_{active}) + \sum_{k \in D} t(k) \sum_{s \in S} T_s\, y_{is}^k \le 1$$

This corresponds to constraint (9). We have added a term $C(1 - x_i)$ on the right-hand side of (9), where $C = \sum_{k \in D} t(k)\,\bigl(T_{base} + T_{active} + \sum_{s \in S} T_s\bigr)$, so that this constraint is correct when node $i$ has a programmable router ($x_i = 1$), and is redundant otherwise ($x_i = 0$). Finally, constraints (10) are the link capacity constraints.

It is well known that the performance of a router rapidly degrades as packet processing times approach inter-packet arrival times. Motivated by this, we might want to minimize the maximum ratio of average packet processing time to the average packet inter-arrival time at each node. The value of this ratio at a node $i$ is the left-hand side of constraint (8) if node $i$ is not a programmable router, or of constraint (9) if node $i$ is a programmable router. If we denote the maximum value of this ratio over all nodes by $v$, we want to minimize $v$ subject to constraints (1)-(7) and (10)-(12), with constraints (8)-(9) replaced by

$$\sum_{k \in D} t(k)\, w_i^k\, T_{base} \le v \qquad \forall i \in N \tag{13}$$

$$\sum_{k \in D} t(k)\, w_i^k\, (T_{base} + T_{active}) + \sum_{k \in D} t(k) \sum_{s \in S} T_s\, y_{is}^k \le v + C(1 - x_i) \qquad \forall i \in N \tag{14}$$

The mixed integer linear programs outlined in this section and the next can be solved using a standard MILP solver like CPLEX.

D. Distribution of Services with Multi-Path Routing

In this section, we modify the MILP formulation for single path routing to allow routing of the demand to be split across multiple paths from source to destination.
Let $P_k$ denote the set of available paths from source $s(k)$ to destination $d(k)$ for routing demand $k$. For example, we could choose the K-shortest hop paths from $s(k)$ to $d(k)$ as the set $P_k$. The routing variables now become $z^k(P)$, which denotes the amount of traffic on path $P$ for routing demand $k$. Also, let service distribution variable $y_{is}^k(P)$ be the amount (and not fraction) from $z^k(P)$ that is provided service type $s$ at node $i$. The variable $y_{is}^k(P)$ is defined only if node $i$ appears on path $P$. We will simplify notation and use $P$ to denote either the set of nodes or the set of links on path $P$ (the specific use will be clear from the context). Then, the multi-path routing version of our problem can be expressed as the following polynomial size mixed integer linear program (MILP):

$$\text{minimize} \quad \sum_{i \in N} x_i$$

subject to

$$\sum_{P \in P_k} z^k(P) = t(k) \qquad \forall k \in D \tag{15}$$

$$y_{is}^k(P) \le t(k)\, x_i \qquad \forall i \in N,\ P \in P_k,\ k \in D,\ s \in S \tag{16}$$

$$\sum_{i \in P} y_{is}^k(P) = z^k(P) \qquad \forall P \in P_k,\ k \in D,\ s \in S \tag{17}$$

$$\sum_{k \in D} \sum_{P \in P_k :\, P \ni i} z^k(P)\, T_{base} \le 1 \qquad \forall i \in N \tag{18}$$

$$\sum_{k \in D} \sum_{P \in P_k :\, P \ni i} z^k(P)\, (T_{base} + T_{active}) + \sum_{k \in D} \sum_{P \in P_k :\, P \ni i} \sum_{s \in S} T_s\, y_{is}^k(P) \le 1 + C(1 - x_i) \qquad \forall i \in N \tag{19}$$

$$\sum_{k \in D} \sum_{P \in P_k :\, P \ni e} z^k(P) \le u_e \qquad \forall e \in E \tag{20}$$

$$x_i \in \{0, 1\} \qquad \forall i \in N \tag{21}$$

$$z^k(P),\ y_{is}^k(P) \ge 0 \qquad \forall i \in N,\ P \in P_k,\ k \in D,\ s \in S \tag{22}$$

In a manner analogous to that in the previous section, we can minimize the maximum ratio of average packet processing time to the average packet inter-arrival time at each node. The value of this ratio at a node $i$ is the left-hand side of constraint (18) if node $i$ is not a programmable router, or of constraint (19) if node $i$ is a programmable router. If we denote the maximum value of this ratio over all nodes by $v$, we want to minimize $v$ subject to constraints (15)-(17) and (20)-(22), with constraints (18)-(19) replaced by

$$\sum_{k \in D} \sum_{P \in P_k :\, P \ni i} z^k(P)\, T_{base} \le v \qquad \forall i \in N \tag{23}$$

$$\sum_{k \in D} \sum_{P \in P_k :\, P \ni i} z^k(P)\, (T_{base} + T_{active}) + \sum_{k \in D} \sum_{P \in P_k :\, P \ni i} \sum_{s \in S} T_s\, y_{is}^k(P) \le v + C(1 - x_i) \qquad \forall i \in N \tag{24}$$

III. EMULATION

The performance of FIDRAN was assessed on the Cyber Defense Technology Experimental Research testbed (DETER) [2], [7], which is a shared infrastructure designed for medium-scale repeatable experiments in computer security. The testbed provides a pool of over 300 computers of varying hardware which can be used to emulate networks. As scenario we chose the Abilene network depicted in Figure 2, which is a research IP backbone connecting multiple universities across the US. For this network, real-world traffic flows and link capacities are available on the project's web site [1]. Reference [3] describes in detail the implemented FIDRAN prototype, which includes a set of security services and which was used throughout the experiments.

[Fig. 2. The Abilene network. The figure shows routers r1 to r11 and the subnets CHIN, LOSA, NYCM, SNVA, STTL and WASH.]
Measurements of local-area and wide-area network traffic have shown that packet-switched data traffic is self-similar. Glen Kramer implemented a tool [6] to synthetically generate self-similar network traffic traces by the superposition of a large number of 0/1 renewal processes whose ON and OFF periods follow heavy-tailed distributions. Finally, to avoid effects of congestion and flow control mechanisms, all experiments were restricted to UDP traffic. To account for the hardware resources provided by the DETER testbed, the network was emulated on a scale of 1:100, which means that traffic rates were divided by 100 and accordingly the delays were multiplied by 100.

A. The Abilene Network

In the network, each subnet sends data to all other subnets, resulting in an overall number of 30 traffic flows. The propagation delay for each link was specified by dividing the distance from start node to end node by the speed of light. Table I represents the traffic matrix; the column index specifies the source and the row index the destination. To generate the traffic, each subnet is supplied with a UDP sender for each destination, which generates self-similar traffic as described above. Each experiment lasted 1800 s and contained the sending of over 7,500,000 packets.

TABLE I. THE ABILENE TRAFFIC MATRIX [Mbps] (rows and columns: CHIN, LOSA, NYCM, SNVA, STTL, WASH; diagonal entries: X)

Each traffic flow must be analyzed by three security services, whereby the service processing times $T_s$ were scaled as mentioned. We study the performance of the solutions obtained for both presented MILPs (single-path routing and multipath routing) with the objective of minimizing the maximum router utilization, and compare them to the solutions of the MILPs presented in [3] extended to generalized topologies.
[Fig. 3. Results for the Abilene network: (a) flow-specific drop rates [packets/s] and (b) flow-specific end-to-end delays [s], each plotted per flow ID for the strategies No, Dijkstra, SP and MP.]

IV. RESULTS

Our objective is to balance the router load while providing security service to all packets and not degrading the delay or drop performance of the network; thus appropriate metrics must be used. The performance of the placement strategies is evaluated in terms of mean packet drop rates and end-to-end delays.

Figure 3(a) depicts, for all deployment strategies, the flow-specific packet drop rates as well as flow-specific end-to-end delays. The flow-ids are assigned according to the traffic matrix; for example, the flow from CHIN to LOSA has the flow-id 1 and ID 15 identifies the flow from NYCM to WASH. The flow-specific average end-to-end delays are depicted in Figure 3(b).

The impact of doing intrusion prevention is evident in both figures. Initially, almost no drops occur when no FIDRAN system is running on a router. Then, independent of the strategy chosen, the deployment of security services in the network causes packet loss. When comparing the strategies Dijkstra, MP and SP with each other, it can be seen that both optimal deployment strategies clearly reduce the packet drop rates. For example, considering the flow of the highest volume, from WASH to NYCM (flow-id 28), the mean drop rate is 51 packets/sec for the Dijkstra strategy, 28 packets/sec for the SP strategy and, finally, 14 packets/sec for the MP strategy.

The high average end-to-end delays for the Dijkstra strategy are depicted in Figure 3(b) and are correlated to the drop rates (Figure 3(a)). Nearly all packets (the red boxes in Figure 3(a) represent the number of packets that are dropped when no router is running a security service) are dropped by FIDRAN systems whose waiting queues are filled, so that no further packets are accepted. Furthermore, packets in the waiting queue have to wait to be served.
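The gap between routing on default paths and joint optimization can be reproduced on a toy instance. The following is an added example, not code from the paper or from FIDRAN: it evaluates the left-hand sides of constraints (8) and (9) and searches exhaustively under both objectives. The topology, rates and processing times are constructed; each service is placed whole at one node (integral $y$), and link capacities (10) are assumed non-binding.

```python
from itertools import product

# Constructed sample data (not from the paper). Times are in microseconds and
# rates in packets/s, so rate * time is the utilisation ratio in ppm (1e6 = 1.0).
T_BASE, T_ACTIVE = 5, 1
T_S = {"s1": 10, "s2": 10, "s3": 10}          # three services, as in the emulation
DEMANDS = {"k1": 10_000, "k2": 10_000}        # t(k)
CANDIDATE_PATHS = {                           # P_k; first entry = default route
    "k1": [("a", "b", "d"), ("a", "c", "d")],
    "k2": [("e", "b", "g"), ("e", "c", "g")],
}


def node_ratios(paths, placement):
    """Per-node left-hand side of constraint (8) or (9), in ppm.

    paths:     {demand: tuple of nodes}      (the w_i^k variables)
    placement: {(demand, service): node}     (integral y_is^k)
    """
    for (k, s), node in placement.items():
        if node not in paths[k]:              # constraint (5): y <= w
            raise ValueError(f"{s} for {k} placed off-path at {node}")
    programmable = set(placement.values())    # x_i = 1 where a service runs, (6)
    ratios = {}
    for i in {n for p in paths.values() for n in p}:
        f_i = sum(DEMANDS[k] for k, p in paths.items() if i in p)
        if i in programmable:                 # constraint (9)
            service = sum(DEMANDS[k] * T_S[s]
                          for (k, s), n in placement.items() if n == i)
            ratios[i] = f_i * (T_BASE + T_ACTIVE) + service
        else:                                 # constraint (8)
            ratios[i] = f_i * T_BASE
    return ratios, programmable


def optimise(path_options, objective):
    """Exhaustive search over routes and placements; returns the best
    (score, v, programmable_node_count, paths, placement) or None."""
    keys = [(k, s) for k in DEMANDS for s in T_S]   # one node per key: (7)
    best = None
    for combo in product(*(path_options[k] for k in DEMANDS)):
        paths = dict(zip(DEMANDS, combo))
        for nodes in product(*(paths[k] for k, _ in keys)):
            placement = dict(zip(keys, nodes))
            ratios, prog = node_ratios(paths, placement)
            v = max(ratios.values())
            if v > 1_000_000:                 # unstable node: (8)/(9) violated
                continue
            score = objective(v, len(prog))
            if best is None or score < best[0]:
                best = (score, v, len(prog), paths, placement)
    return best


def min_max_util(v, n):       # objective (ii); node count only breaks ties
    return (v, n)


def min_nodes(v, n):          # objective (i); utilisation only breaks ties
    return (n, v)


if __name__ == "__main__":
    fixed = {k: p[:1] for k, p in CANDIDATE_PATHS.items()}   # default routes only
    for label, options, obj in [
        ("fixed routes, min max utilisation", fixed, min_max_util),
        ("joint routing, min max utilisation", CANDIDATE_PATHS, min_max_util),
        ("joint routing, min programmable nodes", CANDIDATE_PATHS, min_nodes),
    ]:
        _, v, n, paths, _ = optimise(options, obj)
        print(f"{label}: v = {v / 1e6:.2f}, nodes = {n}, paths = {paths}")
```

With the default routes both demands cross node b, so one service has to double up somewhere; letting the search pick routes moves one demand to c and lowers the maximum utilization, while the node-count objective instead concentrates all services on the shared node.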
V. DISCUSSION

Providing security to communication networks requires that packets be inspected for malicious contents and, consequently, impacts normal network operation. In this paper we presented an optimization framework for joint traffic routing and service placement, which can be used to study that impact while fulfilling a predefined objective. Here, we presented objective functions that minimize the number of security-enabled routers or the maximum router load.

Using a scenario based on a real network, the Abilene network, we showed that the routing and deployment strategies obtained as solutions to the formulated problems balance the network load and significantly reduce the overall dropping rate. For the scenario under consideration, we also showed that the joint optimization of single path routing and service placement is a big improvement over optimal service placement on routes calculated with the Dijkstra algorithm, since the latter does not take the additional router load due to security processing into account.

Good solutions were obtained for both presented strategies. The single-path strategy tends to generate long paths to relieve heavily loaded routers. In contrast, the multi-path strategy splits a huge flow into smaller ones and reroutes these over different paths. Both solutions balance the load well.

REFERENCES

[1] The Abilene Network.
[2] T. Benzel, R. Braden, D. Kim, C. Neuman, A. Joseph, K. Sklower, R. Ostrenga, and S. Schwab. Experience with DETER: a testbed for security research. In Testbeds and Research Infrastructures for the Development of Networks and Communities TRIDENTCOM, March
[3] A. Hess, H. F. Geerdes, and R. Wessäly. Intelligent distribution of intrusion prevention services on programmable routers. In Proc. of 25th IEEE INFOCOM, Barcelona, Spain, May
[4] A. Hess, M. Jung, and G. Schäfer. FIDRAN: A flexible Intrusion Detection and Response Framework for Active Networks. In 8th IEEE Symposium on Computers and Communications (ISCC 2003), Kemer, Antalya, Turkey, July
[5] M. Kodialam, T. V. Lakshman, and Sudipta Sengupta. Configuring networks with content filtering nodes with applications to network security. In IEEE INFOCOM,
[6] Glen Kramer. Synthetic traffic generation. kramer/research.html.
[7] Cyber Defense Technology Experimental Research. The DETER testbed: Overview. Oct
Chapter 4. VoIP Metric based Traffic Engineering to Support the Service Quality over the Internet (Inter-domain IP network)
Chapter 4 VoIP Metric based Traffic Engineering to Support the Service Quality over the Internet (Inter-domain IP network) 4.1 Introduction Traffic Engineering can be defined as a task of mapping traffic
packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.
Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System
Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
2004 Networks UK Publishers. Reprinted with permission.
Riikka Susitaival and Samuli Aalto. Adaptive load balancing with OSPF. In Proceedings of the Second International Working Conference on Performance Modelling and Evaluation of Heterogeneous Networks (HET
A REPORT ON ANALYSIS OF OSPF ROUTING PROTOCOL NORTH CAROLINA STATE UNIVERSITY
A REPORT ON ANALYSIS OF OSPF ROUTING PROTOCOL Using OPNET 14.5 Modeler NORTH CAROLINA STATE UNIVERSITY SUBMITTED BY: SHOBHANK SHARMA [email protected] Page 1 ANALYSIS OF OSPF ROUTING PROTOCOL A. Introduction
Routing in packet-switching networks
Routing in packet-switching networks Circuit switching vs. Packet switching Most of WANs based on circuit or packet switching Circuit switching designed for voice Resources dedicated to a particular call
TRUFFLE Broadband Bonding Network Appliance BBNA6401. A Frequently Asked Question on. Link Bonding vs. Load Balancing
TRUFFLE Broadband Bonding Network Appliance BBNA6401 A Frequently Asked Question on Link Bonding vs. Load Balancing LBRvsBBNAFeb15_08b 1 Question: What's the difference between a Truffle Broadband Bonding
TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing
TRUFFLE Broadband Bonding Network Appliance A Frequently Asked Question on Link Bonding vs. Load Balancing 5703 Oberlin Dr Suite 208 San Diego, CA 92121 P:888.842.1231 F: 858.452.1035 [email protected]
A Study of Network Security Systems
A Study of Network Security Systems Ramy K. Khalil, Fayez W. Zaki, Mohamed M. Ashour, Mohamed A. Mohamed Department of Communication and Electronics Mansoura University El Gomhorya Street, Mansora,Dakahlya
Distributed Explicit Partial Rerouting (DEPR) Scheme for Load Balancing in MPLS Networks
Distributed Eplicit Partial Rerouting (DEPR) Scheme for Load Balancing in MPLS Networks Sherif Ibrahim Mohamed [email protected] Khaled M. F. Elsayed, senior member IEEE [email protected] Department
A Fuzzy Logic-Based Information Security Management for Software-Defined Networks
A Fuzzy Logic-Based Information Security Management for Software-Defined Networks Sergei Dotcenko *, Andrei Vladyko *, Ivan Letenko * * The Bonch-Bruevich Saint-Petersburg State University of Telecommunications,
CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING
CHAPTER 6 CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING 6.1 INTRODUCTION The technical challenges in WMNs are load balancing, optimal routing, fairness, network auto-configuration and mobility
How To Provide Qos Based Routing In The Internet
CHAPTER 2 QoS ROUTING AND ITS ROLE IN QOS PARADIGM 22 QoS ROUTING AND ITS ROLE IN QOS PARADIGM 2.1 INTRODUCTION As the main emphasis of the present research work is on achieving QoS in routing, hence this
Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks
Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks Hoang Lan Nguyen and Uyen Trang Nguyen Department of Computer Science and Engineering, York University 47 Keele Street, Toronto,
Path Selection Methods for Localized Quality of Service Routing
Path Selection Methods for Localized Quality of Service Routing Xin Yuan and Arif Saifee Department of Computer Science, Florida State University, Tallahassee, FL Abstract Localized Quality of Service
PRASAD ATHUKURI Sreekavitha engineering info technology,kammam
Multiprotocol Label Switching Layer 3 Virtual Private Networks with Open ShortestPath First protocol PRASAD ATHUKURI Sreekavitha engineering info technology,kammam Abstract This paper aims at implementing
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare ([email protected]) Suvesh Pratapa ([email protected]) Modified by
Testing Network Security Using OPNET
Testing Network Security Using OPNET Agustin Zaballos, Guiomar Corral, Isard Serra, Jaume Abella Enginyeria i Arquitectura La Salle, Universitat Ramon Llull, Spain Paseo Bonanova, 8, 08022 Barcelona Tlf:
CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
137 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 CONCLUSION In this thesis, efficient schemes have been designed and analyzed to control congestion and distribute the load in the routing process of
Dynamic Congestion-Based Load Balanced Routing in Optical Burst-Switched Networks
Dynamic Congestion-Based Load Balanced Routing in Optical Burst-Switched Networks Guru P.V. Thodime, Vinod M. Vokkarane, and Jason P. Jue The University of Texas at Dallas, Richardson, TX 75083-0688 vgt015000,
CHAPTER 6. VOICE COMMUNICATION OVER HYBRID MANETs
CHAPTER 6 VOICE COMMUNICATION OVER HYBRID MANETs Multimedia real-time session services such as voice and videoconferencing with Quality of Service support is challenging task on Mobile Ad hoc Network (MANETs).
(MPLS) MultiProtocol Labling Switching. Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004.
(MPLS) MultiProtocol Labling Switching Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004 Final Copy Researcher: Paul Chan Student ID: 9914759 Last Revised:
Performance Analysis of AQM Schemes in Wired and Wireless Networks based on TCP flow
International Journal of Soft Computing and Engineering (IJSCE) Performance Analysis of AQM Schemes in Wired and Wireless Networks based on TCP flow Abdullah Al Masud, Hossain Md. Shamim, Amina Akhter
A Comparison Study of Qos Using Different Routing Algorithms In Mobile Ad Hoc Networks
A Comparison Study of Qos Using Different Routing Algorithms In Mobile Ad Hoc Networks T.Chandrasekhar 1, J.S.Chakravarthi 2, K.Sravya 3 Professor, Dept. of Electronics and Communication Engg., GIET Engg.
COMPARATIVE ANALYSIS OF ON -DEMAND MOBILE AD-HOC NETWORK
www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 2 Issue 5 May, 2013 Page No. 1680-1684 COMPARATIVE ANALYSIS OF ON -DEMAND MOBILE AD-HOC NETWORK ABSTRACT: Mr.Upendra
A Passive Method for Estimating End-to-End TCP Packet Loss
A Passive Method for Estimating End-to-End TCP Packet Loss Peter Benko and Andras Veres Traffic Analysis and Network Performance Laboratory, Ericsson Research, Budapest, Hungary {Peter.Benko, Andras.Veres}@eth.ericsson.se
PART III. OPS-based wide area networks
PART III OPS-based wide area networks Chapter 7 Introduction to the OPS-based wide area network 7.1 State-of-the-art In this thesis, we consider the general switch architecture with full connectivity
Communications and Computer Networks
SFWR 4C03: Computer Networks and Computer Security January 5-8 2004 Lecturer: Kartik Krishnan Lectures 1-3 Communications and Computer Networks The fundamental purpose of a communication system is the
Simulation of Heuristic Usage for Load Balancing In Routing Efficiency
Simulation of Heuristic Usage for Load Balancing In Routing Efficiency Nor Musliza Mustafa Fakulti Sains dan Teknologi Maklumat, Kolej Universiti Islam Antarabangsa Selangor [email protected] Abstract.
Quality of Service using Traffic Engineering over MPLS: An Analysis. Praveen Bhaniramka, Wei Sun, Raj Jain
Praveen Bhaniramka, Wei Sun, Raj Jain Department of Computer and Information Science The Ohio State University 201 Neil Ave, DL39 Columbus, OH 43210 USA Telephone Number: +1 614-292-3989 FAX number: +1
UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004
[CRT14] UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004 Date: Wednesday 27 th May 2015 Time: 14:00 16:00
Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks
Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. [email protected]
Scaling 10Gb/s Clustering at Wire-Speed
Scaling 10Gb/s Clustering at Wire-Speed InfiniBand offers cost-effective wire-speed scaling with deterministic performance Mellanox Technologies Inc. 2900 Stender Way, Santa Clara, CA 95054 Tel: 408-970-3400
ENHANCED PROVISIONING ALGORITHM FOR VIRTUAL PRIVATE NETWORK IN HOSE MODEL WITH QUALITY OF SERVICE SUPPORT USING WAXMAN MODEL
R. RAVI: ENHANCED PROVISIONING ALGORITHM FOR VIRTUAL PRIVATE NETWORK IN HOSE MODEL WITH QUALITY OF SERVICE SUPPORT USING WAXMAN MODEL ENHANCED PROVISIONING ALGORITHM FOR VIRTUAL PRIVATE NETWORK IN HOSE
Computer Networking Networks
Computer Networking Networks 9.1 Local area network A local area network (LAN) is a network that connects computers and devices in a limited geographical area such as a home, school, office
Path Optimization in Computer Networks
Path Optimization in Computer Networks Roman Ciloci Abstract. The main idea behind path optimization is to find a path that will take the shortest amount of time to transmit data from a host A to a host
LMPS: Localized Multi-Path Selection for QoS Routing in VoIP Networks Khaled M. F. Elsayed
LMPS: Localized Multi-Path Selection for QoS Routing in VoIP Networks Khaled M F Elsayed khaled@ieeeorg Hassan Fadel Amin M Nassar anassar@engcuedueg hassanfadel@egticomeg Department of Electronics and
ENSC 427: Communication Networks. Analysis of Voice over IP performance on Wi-Fi networks
ENSC 427: Communication Networks Spring 2010 OPNET Final Project Analysis of Voice over IP performance on Wi-Fi networks Group 14 members: Farzad Abasi, Ehsan Arman http://www.sfu.ca/~faa6
Load Balancing by MPLS in Differentiated Services Networks
Load Balancing by MPLS in Differentiated Services Networks Riikka Susitaival, Jorma Virtamo, and Samuli Aalto Networking Laboratory, Helsinki University of Technology P.O.Box 3000, FIN-02015 HUT, Finland
Network Traffic Monitoring on DETER
Network Traffic Monitoring on DETER Efrain Plascencia Graduate Mentors: Saurabh Amin, Blaine Nelson, Dr. Suzanna Schmeelk Faculty Mentor: Professor S. Shankar Sastry July 30th, 2010 Research Experience
A Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr. D.V.S.S. Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT: In
Robust Router Congestion Control Using Acceptance and Departure Rate Measures
Robust Router Congestion Control Using Acceptance and Departure Rate Measures Ganesh Gopalakrishnan a, Sneha Kasera b, Catherine Loader c, and Xin Wang b a Microsoft Corporation,
Performance Evaluation of AODV, OLSR Routing Protocol in VOIP Over Ad Hoc
(International Journal of Computer Science & Management Studies) Vol. 17, Issue 01 Performance Evaluation of AODV, OLSR Routing Protocol in VOIP Over Ad Hoc Dr. Khalid Hamid Bilal Khartoum, Sudan
A New Fault Tolerant Routing Algorithm For GMPLS/MPLS Networks
A New Fault Tolerant Routing Algorithm For GMPLS/MPLS Networks Mohammad HossienYaghmae Computer Department, Faculty of Engineering, Ferdowsi University of Mashhad, Mashhad, Iran
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland
A Routing Metric for Load-Balancing in Wireless Mesh Networks
A Routing Metric for Load-Balancing in Wireless Mesh Networks Liang Ma and Mieso K. Denko Department of Computing and Information Science University of Guelph, Guelph, Ontario, Canada, N1G 2W1 email: {lma02;mdenko}@uoguelph.ca
Securing Ad Hoc Wireless Networks Against Data Injection Attacks Using Firewalls
Securing Ad Hoc Wireless Networks Against Data Injection Attacks Using Firewalls Jun Cheol Park and Sneha Kumar Kasera School of Computing, University of Utah Email: {jcpark, kasera}@cs.utah.edu Abstract
Multihoming and Multi-path Routing. CS 7260 Nick Feamster January 29. 2007
Multihoming and Multi-path Routing CS 7260 Nick Feamster January 29. 2007 Today's Topic IP-Based Multihoming What is it? What problem is it solving? (Why multihome?) How is it implemented today (in IP)?
Configuring the BIG-IP and Check Point VPN-1 /FireWall-1
Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Introducing the BIG-IP and Check Point VPN-1/FireWall-1 LB, HALB, VPN, and ELA configurations Configuring the BIG-IP and Check Point FireWall-1
Investigation and Comparison of MPLS QoS Solution and Differentiated Services QoS Solutions
Investigation and Comparison of MPLS QoS Solution and Differentiated Services QoS Solutions Steve Gennaoui, Jianhua Yin, Samuel Swinton, and * Vasil Hnatyshin Department of Computer Science Rowan University
Network Level Multihoming and BGP Challenges
Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.
SHIN, WANG AND GU: A FIRST STEP TOWARDS NETWORK SECURITY VIRTUALIZATION: FROM CONCEPT TO PROTOTYPE 1
SHIN, WANG AND GU: A FIRST STEP TOWARDS NETWORK SECURITY VIRTUALIZATION: FROM CONCEPT TO PROTOTYPE 1 A First Step Towards Network Security Virtualization: From Concept To Prototype Seungwon Shin, Haopei
EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science
EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science Examination Computer Networks (2IC15) on Monday, June 22nd 2009, 9.00h-12.00h. First read the entire examination. There
Supporting Differentiated QoS in MPLS Networks
Supporting Differentiated QoS in MPLS Networks Roberto A. Dias 1, Eduardo Camponogara 2, and Jean-Marie Farines 2 1 Federal Technology Center of Santa Catarina, Florianópolis, 88020-300, Brazil 2 Federal
Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity
Prevention, Detection and Mitigation of DDoS Attacks Randall Lewis MS Cybersecurity DDoS or Distributed Denial-of-Service Attacks happen when an attacker sends a number of packets to a target machine.
An Adaptive Load Balancing to Provide Quality of Service
An Adaptive Load Balancing to Provide Quality of Service 1 Zahra Vali, 2 Massoud Reza Hashemi, 3 Neda Moghim *1, Isfahan University of Technology, Isfahan, Iran 2, Isfahan University of Technology, Isfahan,
DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR
Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude, Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune, India
Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise
SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET
SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET MR. ARVIND P. PANDE 1, PROF. UTTAM A. PATIL 2, PROF. B.S PATIL 3 Dept. Of Electronics Textile and Engineering
Cisco Application Networking for Citrix Presentation Server
Cisco Application Networking for Citrix Presentation Server Faster Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address
The Interaction of Forward Error Correction and Active Queue Management
The Interaction of Forward Error Correction and Active Queue Management Tigist Alemu, Yvan Calas, and Alain Jean-Marie LIRMM UMR 5506 CNRS and University of Montpellier II 161, Rue Ada, 34392 Montpellier
ACL Based Dynamic Network Reachability in Cross Domain
South Asian Journal of Engineering and Technology Vol.2, No.15 (2016) 68-72 ISSN No: 2454-9614 ACL Based Dynamic Network Reachability in Cross Domain P. Nandhini a, K. Sankar a* a) Department Of Computer
Improving End-to-End Delay through Load Balancing with Multipath Routing in Ad Hoc Wireless Networks using Directional Antenna
Improving End-to-End Delay through Load Balancing with Multipath Routing in Ad Hoc Wireless Networks using Directional Antenna Siuli Roy 1, Dola Saha 1, Somprakash Bandyopadhyay 1, Tetsuro Ueda 2, Shinsuke
Influence of Load Balancing on Quality of Real Time Data Transmission*
SERBIAN JOURNAL OF ELECTRICAL ENGINEERING Vol. 6, No. 3, December 2009, 515-524 UDK: 004.738.2 Influence of Load Balancing on Quality of Real Time Data Transmission* Nataša Maksić 1,a, Petar Knežević 2,
ENSC 427: Communication Networks
Spring 2012 ENSC 427: Communication Networks Creating a Secure Network through Firewalls and Virtual Private Networks http://www.sfu.ca/~msa102 Team #2 Maxim Soleimani-Nouri Andy Cheng Saman Mehdizadeh
Answers to Sample Questions on Network Layer
Answers to Sample Questions on Network Layer ) IP Packets on a certain network can carry a maximum of only 500 bytes in the data portion. An application using TCP/IP on a node on this network generates
The Quality of Internet Service: AT&T's Global IP Network Performance Measurements
The Quality of Internet Service: AT&T's Global IP Network Performance Measurements In today's economy, corporations need to make the most of opportunities made possible by the Internet, while managing
Architecture of distributed network processors: specifics of application in information security systems
Architecture of distributed network processors: specifics of application in information security systems V. Zaborovsky, Polytechnical University, Saint-Petersburg, Russia 1. Introduction Modern
SIP Service Providers and The Spam Problem
SIP Service Providers and The Spam Problem Y. Rebahi, D. Sisalem Fraunhofer Institut Fokus Kaiserin-Augusta-Allee 1 10589 Berlin, Germany {rebahi, sisalem}@fokus.fraunhofer.de Abstract The Session Initiation
MAXIMIZING RESTORABLE THROUGHPUT IN MPLS NETWORKS
MAXIMIZING RESTORABLE THROUGHPUT IN MPLS NETWORKS 1 M.LAKSHMI, 2 N.LAKSHMI 1 Assistant Professor, Dept. of Computer Science, MCC College, Pattukottai. 2 Research Scholar, Dept. of Computer Science, MCC College, Pattukottai.
Firewall Policy Anomalies- Detection and Resolution
Firewall Policy Anomalies- Detection and Resolution Jitha C K #1, Sreekesh Namboodiri *2 #1 MTech student(cse),mes College of Engineering,Kuttippuram,India #2 Assistant Professor(CSE),MES College of Engineering,Kuttippuram,India
Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking
Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking Burjiz Soorty School of Computing and Mathematical Sciences Auckland University of Technology Auckland, New Zealand
Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
Dynamic Security Traversal in OpenFlow Networks with QoS Guarantee
International Journal of Science and Engineering Vol.4 No.2(2014):251-256 251 Dynamic Security Traversal in OpenFlow Networks with QoS Guarantee Yu-Jia Chen, Feng-Yi Lin and Li-Chun Wang Department of
QoSIP: A QoS Aware IP Routing Protocol for Multimedia Data
QoSIP: A QoS Aware IP Routing Protocol for Multimedia Data Md. Golam Shagadul Amin Talukder and Al-Mukaddim Khan Pathan* Department of Computer Science and Engineering, Metropolitan University, Sylhet,
Internet Security Firewalls
Overview Internet Security Firewalls Ozalp Babaoglu. Exo-structures: Firewalls, Virtual Private Networks. Cryptography-based technologies: IPSec, Secure Socket Layer. ALMA MATER STUDIORUM UNIVERSITA
Assignment #3 Routing and Network Analysis. CIS3210 Computer Networks. University of Guelph
Assignment #3 Routing and Network Analysis CIS3210 Computer Networks University of Guelph Part I Written (50%): 1. Given the network graph diagram above where the nodes represent routers and the weights
Extending the Internet of Things to IPv6 with Software Defined Networking
Extending the Internet of Things to IPv6 with Software Defined Networking Abstract [WHITE PAPER] Pedro Martinez-Julia, Antonio F. Skarmeta {pedromj,skarmeta}@um.es The flexibility and general programmability
QoS issues in Voice over IP
COMP9333 Advance Computer Networks Mini Conference QoS issues in Voice over IP Student ID: 3058224 Student ID: 3043237 Student ID: 3036281 Student ID: 3025715 QoS issues in Voice over IP Abstract: This
An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
Router Scheduling Configuration Based on the Maximization of Benefit and Carried Best Effort Traffic
Telecommunication Systems 24:2-4, 275-292, 2003 © 2003 Kluwer Academic Publishers. Manufactured in The Netherlands. Router Scheduling Configuration Based on the Maximization of Benefit and Carried Best Effort
Performance Comparison of Mixed Protocols Based on EIGRP, IS-IS and OSPF for Real-time Applications
Middle-East Journal of Scientific Research 12 (11): 1502-1508, 2012 ISSN 1990-9233 IDOSI Publications, 2012 DOI: 10.5829/idosi.mejsr.2012.12.11.144 Performance Comparison of Mixed Protocols Based on EIGRP,
Energy Efficient Load Balancing among Heterogeneous Nodes of Wireless Sensor Network
Energy Efficient Load Balancing among Heterogeneous Nodes of Wireless Sensor Network Chandrakant N Bangalore, India Abstract Energy efficient load balancing in a Wireless Sensor
Advanced Computer Networks IN2097. 1 Dec 2015
Chair for Network Architectures and Services Technische Universität München Advanced Computer Networks IN2097 1 Dec 2015 Prof. Dr.-Ing. Georg Carle Chair for Network Architectures and Services Department
Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803. DDoS and IP Traceback. Overview
DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service
CSE3214 Computer Network Protocols and Applications. Chapter 1 Examples and Homework Problems
CSE3214 Computer Network Protocols and Applications Chapter 1 Examples and Homework Problems Example 1 (review question 18) (1) How long does it take a packet of length 1000 bytes to propagate over a link
ANALYSIS OF LONG DISTANCE 3-WAY CONFERENCE CALLING WITH VOIP
ENSC 427: Communication Networks ANALYSIS OF LONG DISTANCE 3-WAY CONFERENCE CALLING WITH VOIP Spring 2010 Final Project Group #6: Gurpal Singh Sandhu Sasan Naderi Claret Ramos
A Fast Path Recovery Mechanism for MPLS Networks
A Fast Path Recovery Mechanism for MPLS Networks Jenhui Chen, Chung-Ching Chiou, and Shih-Lin Wu Department of Computer Science and Information Engineering Chang Gung University, Taoyuan, Taiwan, R.O.C.
Intrusion Detection: Game Theory, Stochastic Processes and Data Mining
Intrusion Detection: Game Theory, Stochastic Processes and Data Mining Joseph Spring 7COM1028 Secure Systems Programming 1 Discussion Points Introduction Firewalls Intrusion Detection Schemes Models Stochastic
Aspen Solutions. Branch Office IP Telephony: Improving the Reliability of Voice over Virtual Private Networks. Introduction TECHNICAL NOTE
Aspen Solutions Branch Office IP Telephony: Improving the Reliability of Voice over Virtual Private Networks TECHNICAL NOTE Introduction IP PBX and IP phones are increasingly being deployed by small and
Computer Networks - CS132/EECS148 - Spring 2013
Computer Networks - CS132/EECS148 - Spring 2013 Instructor: Karim El Defrawy Assignment 2 Deadline: April 25th 9:30pm (hard and soft copies required)
Optimization of AODV routing protocol in mobile ad-hoc network by introducing features of the protocol LBAR
Optimization of AODV routing protocol in mobile ad-hoc network by introducing features of the protocol LBAR GUIDOUM AMINA University of SIDI BEL ABBES Department of Electronics Communication Networks,
Multiple Layer Traffic Engineering in NTT Network Service
Multi-layer traffic engineering in photonic-gmpls-router networks Naoaki Yamanaka, Masaru Katayama, Kohei Shiomoto, Eiji Oki and Nobuaki Matsuura * NTT Network Innovation Laboratories * NTT Network Service
Business Cases for Brocade Software-Defined Networking Use Cases
Business Cases for Brocade Software-Defined Networking Use Cases Executive Summary Service providers (SP) revenue growth rates have failed to keep pace with their increased traffic growth and related expenses,
