Content-based Alternatives to Conventional Network Monitoring Systems

Extended Abstract

George Louthan ([email protected]), Brady Deetz ([email protected]), Matthew Walker ([email protected]), John Hale ([email protected])
University of Tulsa, 800 S. Tucker Drive, Tulsa, OK, USA

Categories and Subject Descriptors: C.2.3 [Computer-communication Networks]: Network Operations—network monitoring, network management

General Terms: Security, Measurement, Management

Keywords: Network management, Network monitoring, Network protocol identification, Network protocols

1. INTRODUCTION

Network monitoring and management rely extensively upon network protocol identification as one of the most basic acts of analysis of network traffic. However, the conventional method of identifying network protocols by standard or well-known port numbers is no longer sufficient for modern networks, given the propensity of users and programs to change ports dynamically or to use nonstandard ports. This calls into question the ability of the standard collection of tools to gather reliable network intelligence, so there is a clear need for content-based tools capable of reliably classifying network traffic and services in spite of these realities. In this presentation, we introduce a set of existing tools suitable for augmenting—and, in some cases, replacing—those in current use by network administrators and, through two manufactured case studies, suggest ways of incorporating them into network intelligence and design methodologies; we conclude that the set of standard tools at the disposal of network administrators should be considered incomplete, and we suggest a selection of relatively straightforward research and development opportunities toward refilling that toolbox.
CSIIRW ’09 April 13-15, Oak Ridge, Tennessee, USA. Copyright 2009 ACM 978-1-60558-518-5.
2. BACKGROUND
In the TCP/IP suite of network protocols, the Internet Protocol serves as the basic system of host-to-host communication. TCP and UDP, protocols that run on top of the Internet Protocol, use port numbers to multiplex it into process-to-process channels. The Internet Assigned Numbers Authority (IANA) provides well-known port numbers for common protocols, and traditionally applications have bound to these and other standard ports; knowledge of those ports forms the basis for classification of network services and traffic in conventional network analysis.

However, users and programs attempt to evade detection by network monitors or administrators, often to malicious ends, by exploiting the dependence of these methods on port numbers for protocol classification, undermining an administrator’s attempts to gain accurate knowledge about the network. Furthermore, when dealing with the increasing number of protocols that do not have standard ports, such as BitTorrent, or the peer-to-peer Internet telephony software Skype, which uses unpredictable port numbers and is capable of remarkably robust NAT and firewall traversal [1], port-based methodologies are wholly inappropriate. Technically savvy users running unauthorized services may also configure them to use alternate ports, either to evade detection or for lack of privileges, creating the opportunity for purely port-based systems to fail utterly to provide useful classification—or worse, to miscategorize the traffic.

The natural solution to this problem is to base classification not upon port number but upon the content of traffic, a far more robust and adaptive methodology. Unfortunately, the collection of content-based tools for gathering network intelligence is much smaller and less mature than the set of conventional tools, but such tools do exist, and they are quite useful; the selection we present should prove a valuable addition to the administrator’s toolbox. We intentionally omit discussing perhaps the two most well-known and mature content-aware systems, Snort (the intrusion detection system) and Nessus (the vulnerability scanner), in order to emphasize less well-known tools capable of serving as alternatives to their naïve (but more popular) counterparts.
3. NETWORK DESIGN
In dealing with the initial design of a network, a small number of conventional tools and appliances can benefit from augmentation or replacement by their content-sensitive counterparts. Traditionally these include firewalls and content monitoring, filtering, or shaping systems, often on the gateway at the border of the network; content-based additions to these systems are summarized in Fig. 1.

On the topic of firewalling and quality of service (henceforth QoS), we describe a quite mature system called L7-filter, which gives Netfilter, the Linux kernel’s firewalling component, the ability to identify packets by content rather than port [2]. We provide some recommendations as to deployment details, including inline firewalling and QoS marking, as well as direction for off-line firewall integration using Netfilter’s conntrack tools, which provide hooks that afford an off-line system some control over, and notion of, the firewall’s state [4].

Additionally, an administrator is tasked with enforcing network policy regarding an array of issues such as Internet use and ensuring particular business goals. To achieve these goals, an administrator may turn to content-aware systems capable of examining outbound traffic and dynamically making intelligent decisions regarding that traffic’s future. Toward that end, we introduce tools and methods for limiting the use of file-sharing protocols and some novel uses of the same tools to control the flow of sensitive information.

Figure 1: Network design alternatives
  Firewall: L7-filter
  Content filtering: ipp2p
  Off-line analysis: conntrack-tools and others

4. NETWORK INTELLIGENCE

There are several common problems that network administrators face daily when administrating their networks. We discuss three in our presentation: determining the current network topology, understanding and pinpointing the services running in the network, and understanding traffic flow in the network, from an aggregate overview down to the individual host. A summary of these solutions is presented in Fig. 2.

No matter how good the original network map, there comes a time when it must be replaced. A wide variety of tools are currently used to support this endeavor. Staples in the industry include cheops-ng, which itself provides some content-based intelligence, though its primary goal is to provide a highly nuanced topological view of a network [3]. On the other hand, this information has little use if we know nothing about the machines themselves. Determining what services are running on particular hosts is a classic security and administration problem. Traditionally, tools such as nmap have been used for this purpose, but when deployed in the typical fashion they only determine which network ports are open. We present a tool chain including a signature-based service detection tool called amap, and we discuss some of the lesser-known content-aware features of nmap itself.

Awareness of topology and host-based services is highly valuable, but more information is needed to build the intelligence necessary to sensibly develop QoS rules for the network. Rather than guessing at the particular needs of the network or using port-based analysis tools, a more nuanced means of viewing network traffic in the aggregate will prove useful. We present a method for using L7-filter, introduced earlier, to monitor and classify network traffic, as well as a method for reporting its rich protocol statistics off-line. Many tools exist that can be adapted to this purpose; many widely used pieces of network hardware can dissect TCP half-streams and present information on those flows. When these tools are combined with a meta-monitoring tool like argus, the canny administrator can begin to answer questions like “Is ARP life better than it was in January?” and “Did those QoS rules I put in place to limit Internet radio actually work?”
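To make the port-based versus content-based argument of Section 2 concrete, and to show the kind of off-line per-protocol reporting described above, here is an added example (not code from the paper or from L7-filter): a Python classifier with a few L7-filter-style regex signatures that reassembles the start of each client-to-server TCP stream and tallies bytes per protocol beside a plain port-based classifier. The signatures, port table and flows are constructed for the example; the flows include a nonstandard port, a service on the HTTPS port, out-of-order segments and a flow whose first segment was never captured.

```python
import re
from collections import defaultdict

# L7-filter-style regex signatures (constructed for this example, not the project's own patterns).
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-[12]\.[0-9]+-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "https", 6881: "bittorrent"}  # what port-based tools rely on

def classify_by_port(dport):
    return WELL_KNOWN_PORTS.get(dport, "unknown")

def classify_by_content(stream, max_bytes=512):
    head = stream[:max_bytes]  # only the first bytes of the stream are inspected
    return next((name for name, pat in SIGNATURES if pat.search(head)), "unknown")

def reassemble(segments, isn, limit=512):
    """Contiguous client-to-server prefix from isn; a hole stops reassembly, duplicates are dropped."""
    buf, expected = bytearray(), isn
    for seq, data in sorted(segments):
        if seq > expected:               # gap: nothing after it can be trusted
            break
        if seq + len(data) > expected:   # skip retransmissions already covered
            buf += data[expected - seq:]
            expected = seq + len(data)
    return bytes(buf[:limit])

def protocol_report(flows):
    """Byte totals per protocol under both classifiers, as an off-line report would show them."""
    by_port, by_content = defaultdict(int), defaultdict(int)
    for f in flows:
        by_port[classify_by_port(f["dport"])] += f["bytes"]
        by_content[classify_by_content(reassemble(f["segments"], f["isn"]))] += f["bytes"]
    return dict(by_port), dict(by_content)

# Constructed flows: payloads and byte counts are invented for this example.
SAMPLE_FLOWS = [
    {"dport": 80, "isn": 5000, "bytes": 12000,    # plain HTTP on its standard port
     "segments": [(5000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")]},
    {"dport": 8080, "isn": 6000, "bytes": 30000,  # HTTP on a nonstandard port
     "segments": [(6000, b"POST /upload HTTP/1.0\r\nContent-Length: 29000\r\n\r\n")]},
    {"dport": 443, "isn": 7000, "bytes": 5000,    # SSH on the HTTPS port
     "segments": [(7000, b"SSH-2.0-OpenSSH_7.9\r\n")]},
    {"dport": 80, "isn": 1000, "bytes": 200000,   # BitTorrent on 80, segments out of order
     "segments": [(1008, b"ent protocol" + bytes(8) + b"constructed-infohash"),
                  (1000, b"\x13BitTorr"), (1000, b"\x13BitTorr")]},
    {"dport": 80, "isn": 9000, "bytes": 4000,     # first segment never captured
     "segments": [(9020, b"Host: example.test\r\n\r\n")]},
]
```

The port-based totals credit all 216000 bytes on port 80 to HTTP and label the SSH session as HTTPS, whereas the content-based totals attribute 200000 of those bytes to BitTorrent and 5000 to SSH; the flow whose first segment was missed stays unknown, which is the cost of content classification needing the start of the stream.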
5. A CALL TO ARMS

The tools introduced above are quite valuable; however, when compared to the polish of many conventional tools, their functionality appears quite incomplete. Nevertheless, with increased knowledge and usage of the content-aware approach, these tools will gain a high level of maturity and quickly find their way into the standard repertoire of network analysis and intelligence. To that end, we provide a selection of research and development directions for those who are interested in building the maturity of content-based network analysis software.

A simple way that any administrator can give back to the body of work in content-based network analysis is by deploying tools like nmap, amap, and L7-filter. If such an administrator discovers an application that amap or nmap fails to identify correctly, the signature that the system reports can be submitted to the developers; furthermore, if an L7-filter signature needs to be written, submitting it back to the L7-filter team will improve the software for everyone. Wireshark, a popular protocol analyzer and packet sniffer, contains powerful protocol dissection capabilities but identifies protocols strictly by port number, while L7-filter is capable of fulfilling only the content-based protocol identification role. A graphical interface, report-generating script, or even Wireshark integration would create an immensely valuable tool with minimal effort. Alternatively, Intel manufactures a card called the IXP2855, which contains a set of network interfaces and FPGAs (field-programmable gate arrays). Equipped with the proper firmware, it is capable of quickly performing many content-based tasks at wire speed. Suites of free and open-source content-aware tools appropriate to firewalls already exist, most notably in the firewall system Untangle, which provides content filtering and content-based protocol identification for QoS and traffic filtering.

These, however, are new directions largely concerned with development; there are also many opportunities for true research in the field of content-based network analysis. Our work, for example, includes working with TCP stream reassembly to determine what speed and accuracy tradeoffs are truly involved. Additionally, work has been done to adapt Backus-Naur Form to describe network protocols with context-free grammars. It remains to be seen whether this could be leveraged, with approaches from the field of compilers, toward useful results in network protocol analysis. Truly exciting opportunities exist in the fields of languages, artificial intelligence, and even high-performance computing toward interdisciplinary efforts to improve our ability to understand computer network traffic and services.

Figure 2: Network intelligence alternatives
  Network mapping: cheops-ng and others
  Service detection: nmap, amap
  Aggregate traffic analysis: L7-filter, argus
6. CONCLUSION
This presentation strives to answer the question of how to focus our efforts to meet the challenges of the future of cyber security. We present a case for the inadequacy of the conventional, port-based method of identifying network services and suggest that future efforts move away from this naïve approach.
We further present a very basic survey of tools and appliances typically involved in the design of a new network and introduce a set of existing tools to augment the traffic monitoring, filtering, and shaping systems on such a network with more intelligent content-sensitive capabilities. We do the same for the tools essential to network analysis and intelligence gathering. Finally, we call the computer security community to action in an effort to drive development of—and contribution to—content-aware systems across the industry. Our bedrock position is this: classifying network traffic using port numbers is simplistic and unsustainable when compared to the promises of a more adaptive approach.
7. REFERENCES
[1] S. Baset and H. Schulzrinne. An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol. arXiv preprint cs.NI/0412017, 2004.
[2] J. Levandoski, E. Sommer, and M. Strait. Application Layer Packet Classifier for Linux. 2008. http://l7-filter.sourceforge.net/.
[3] S. O'Donnell. Network management: open source solutions to proprietary problems. In ACM SIGUCCS User Services Conference, volume 28, pages 208–217. Association for Computing Machinery, 2000.
[4] H. Welte. The netfilter framework in Linux 2.4. In Proceedings of Linux Kongress, 2000.