
[Design View / Design Solution]

What's In Your Network?



Stephen Cole, David Lapp  |   ED Online ID #15035  |   March 15, 2007


Our business, campus, and home networks today are full of important traffic being moved from node to node as efficiently as possible. Unfortunately, a significant share of that traffic is not what anyone would consider important. Spam alone consumes a large amount of network bandwidth, and it is only one of many types of traffic creating havoc in our networks.

The "cost" of spam, worms, and viruses isn't just the network bandwidth they consume, but also the valuable business time spent dealing with them at the end node. Bandwidth consumption becomes an issue at the "choke points" that still exist in modern networks, such as access links. With the explosion of MP3 players and of video offered for download, peer-to-peer (P2P) traffic has also become a major portion of the data moved within networks today. A few megabits per second of P2P traffic may not be the majority of the traffic on a Fast Ethernet or Gigabit Ethernet LAN, but it certainly is on the DSL, T1, or other access link between that LAN and the outside world.

In our digital age, networks are also hit by numerous mischievous and malicious types of traffic, from computer viruses and malware to phishing e-mails and denial-of-service attacks. As Figure 1 shows, the financial impact of virus attacks is enormous. This has driven multi-billion-dollar spending on security appliances, application-acceleration appliances, and other network appliances that clean up network traffic and ultimately let users make more efficient use of their bandwidth.

What all of these appliances have in common is the need to look further up the OSI (Open Systems Interconnection) stack, beyond the layer 3 (IP) headers and into the application protocol layer. Meanwhile, the throughput these appliances must sustain is rising even faster than the volume of malicious traffic in the networks. Can the general-purpose CPUs that deliver these services today continue to provide the performance needed to keep malicious traffic from entering and propagating throughout networks?

Whether this higher-layer processing is called "application aware" or "content aware," the fact is that all of these security risks and new low-priority traffic types use the same layer 3, layer 4, and even some of the same layer 7 protocols as the high-priority traffic. Whether it's P2P traffic using a well-known port (e.g., port 80) so that it can masquerade as Web traffic and pass through firewalls unhindered, or spam arriving over the same SMTP (Simple Mail Transfer Protocol) connection as your much-needed business and personal e-mail, this traffic can't be differentiated without looking well into the application layer.
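The port-80 masquerade described above is easy to demonstrate. The following is an added example, not code from the original article: it classifies a connection on TCP port 80 by the first bytes the client sends rather than by the port number, recognising an HTTP request line, a BitTorrent peer-wire handshake (a 0x13 length byte followed by the string "BitTorrent protocol"), or a TLS handshake record (content type 0x16, major version 3). The sample payloads are constructed for the demonstration.

```python
# Added example (not from the original article): classify the first bytes of a
# TCP port-80 connection by content instead of trusting the port number.
# The sample payloads in SAMPLES are constructed for this demonstration.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_port80_payload(first_bytes: bytes) -> str:
    """Return an application label for the first client->server bytes of a flow.

    Port 80 says nothing reliable about the application. The byte patterns below
    are the protocols' own handshakes, which is what a content-aware appliance
    keys on.
    """
    if first_bytes.startswith(HTTP_METHODS):
        # A real request line ends in an HTTP version token; a method word alone
        # is not enough (it could be a non-HTTP protocol or an evasion attempt).
        line_end = first_bytes.find(b"\r\n")
        line = first_bytes if line_end < 0 else first_bytes[:line_end]
        if line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http"
        return "http-malformed"
    # BitTorrent peer-wire handshake: pstrlen = 19, pstr = "BitTorrent protocol".
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record header: content type 0x16 (handshake), major version 3.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


# Constructed sample flows: (description, first client bytes on port 80).
SAMPLES = [
    ("real web request", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("P2P on port 80", b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
    ("TLS on port 80", b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03"),
    ("garbage", b"\x00\x01\x02hello"),
]


def classify_samples() -> dict:
    """Classify every constructed sample; returns {description: label}."""
    return {name: classify_port80_payload(data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:18s} -> {label}")
```

A firewall that admits port 80 wholesale would pass all four samples; only the first is Web traffic. In a real appliance the same check runs on the first segment of every flow before the stream is handed to the signature engine.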

Many solutions on the market today address this problem, such as regular-expression engines built on deterministic finite automaton (DFA) or nondeterministic finite automaton (NFA) algorithms, used together with table lookups that establish connection-level details. Alternatively, specialized processing can assess each pattern match along with whatever else has been learned about the connection. However, all of this runs on general-purpose CPUs, which aren't optimal for these types of operations.

The most difficult traffic to detect comes from well-designed attacks that target protocol stacks and their weaknesses. These can cause significant damage to networks and to the data stored on their nodes. Examples include a virus that attaches itself to an executable file in an e-mail and wreaks havoc on your computer, or a worm that uses your own system resources to multiply and spread to other clients. It can even be a Trojan horse: it looks like a useful software tool, but when executed it creates a backdoor into your computer, allowing access for malicious activity. Detecting any of these application-level attacks at a network node starts with monitoring each connection to that system as it is created, to determine whether further processing is needed.

This monitoring requires tracking the protocol state of all connections and carrying some of that state forward for each connection selected for deeper application-level processing. Each such connection must then be processed packet by packet, looking deeper into the payload for signatures that indicate particular traffic types, alerting the software to be wary of that connection, or looking for a combination of signatures that identifies a particular attack so that it can be stopped before it spreads to other network resources. Many of today's appliances do this in software on general-purpose CPUs, but those CPUs don't have the performance to process all of the traffic flowing through the node. To do this at the rate required to secure today's network bandwidths, much of the pattern-matching packet processing needs hardware acceleration. The CPU is then free to play its part effectively.
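The two previous paragraphs describe a DFA-based signature engine and the per-connection state it must carry from packet to packet. The following is an added example, not code from the original article, that shows both in software: a set of byte signatures is compiled into a single Aho-Corasick automaton flattened to a byte-indexed DFA (one table lookup per input byte, which is what hardware pattern matchers implement), and a flow tracker keeps the DFA state of every connection so a signature that straddles two packets is still found. The flows, packets, and signatures are constructed here (the first signature is the opening bytes of the well-known EICAR anti-virus test string); TCP segments are assumed to arrive in order, so no reassembly is modelled.

```python
# Added example (not from the original article): a multi-pattern DFA whose
# matcher state is carried per connection. Signatures, flows and packets are
# constructed for the demonstration; in-order TCP delivery is assumed.
from collections import deque


class SignatureDFA:
    """Aho-Corasick automaton compiled to a dense byte-indexed transition table.

    Matching is one lookup per input byte with no backtracking, regardless of
    how many signatures are loaded; this is the structure the regex engines in
    the text use, and the part hardware accelerators take over from the CPU.
    """

    def __init__(self, signatures):
        self.sigs = list(signatures)
        goto = [{}]      # trie edges: state -> {byte: next state}
        out = [set()]    # indexes of signatures that end at each state
        for idx, sig in enumerate(self.sigs):
            s = 0
            for b in sig:
                if b not in goto[s]:
                    goto.append({})
                    out.append(set())
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            out[s].add(idx)
        # Breadth-first failure links, flattened into a full 256-way table.
        fail = [0] * len(goto)
        self.table = [[0] * 256 for _ in goto]
        queue = deque()
        for b in range(256):
            nxt = goto[0].get(b, 0)
            self.table[0][b] = nxt
            if nxt:
                queue.append(nxt)
        while queue:
            s = queue.popleft()
            out[s] |= out[fail[s]]          # inherit matches of the suffix state
            for b in range(256):
                if b in goto[s]:
                    nxt = goto[s][b]
                    fail[nxt] = self.table[fail[s]][b]
                    self.table[s][b] = nxt
                    queue.append(nxt)
                else:
                    self.table[s][b] = self.table[fail[s]][b]
        self.out = out

    def feed(self, state, data):
        """Advance from `state` over `data`; return (new_state, matched indexes)."""
        hits = set()
        for b in data:
            state = self.table[state][b]
            if self.out[state]:
                hits |= self.out[state]
        return state, hits


class FlowTracker:
    """Per-connection state: the DFA state after the last payload byte seen."""

    def __init__(self, dfa):
        self.dfa = dfa
        self.flows = {}    # (src, sport, dst, dport) -> DFA state
        self.alerts = []   # (flow, matched signature)

    def packet(self, flow, payload):
        state = self.flows.get(flow, 0)
        state, hits = self.dfa.feed(state, payload)
        self.flows[flow] = state
        for idx in sorted(hits):
            self.alerts.append((flow, self.dfa.sigs[idx]))
        return hits


# Constructed signatures: start of the EICAR test string, BitTorrent handshake.
SIGNATURES = [b"X5O!P%@AP", b"\x13BitTorrent protocol"]

# Constructed traffic: two interleaved flows, each signature split across packets.
FLOW_A = ("10.0.0.5", 51234, "192.0.2.10", 25)      # SMTP session
FLOW_B = ("10.0.0.7", 40001, "198.51.100.3", 80)    # P2P on port 80
PACKETS = [
    (FLOW_A, b"DATA\r\nContent-Type: application/octet-stream\r\n\r\nX5O!P%"),
    (FLOW_B, b"\x13BitTorrent pro"),
    (FLOW_A, b"@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\r\n.\r\n"),
    (FLOW_B, b"tocol" + bytes(8)),
]


def detect_stateful(packets, signatures=SIGNATURES):
    """Carry DFA state per flow across packets; returns the alert list."""
    tracker = FlowTracker(SignatureDFA(signatures))
    for flow, payload in packets:
        tracker.packet(flow, payload)
    return tracker.alerts


def detect_stateless(packets, signatures=SIGNATURES):
    """Scan each packet from state 0, forgetting the flow: misses split signatures."""
    dfa = SignatureDFA(signatures)
    alerts = []
    for flow, payload in packets:
        _, hits = dfa.feed(0, payload)
        alerts.extend((flow, dfa.sigs[i]) for i in sorted(hits))
    return alerts


if __name__ == "__main__":
    print("stateful :", detect_stateful(PACKETS))
    print("stateless:", detect_stateless(PACKETS))
```

The stateful pass reports both signatures even though the interleaved flows share one matcher, because the flow table keeps each connection's DFA state separately; the stateless pass, which restarts at state 0 for every packet, reports nothing. The table-driven matcher is the part that scales badly on a general-purpose CPU as line rates rise, and the part an accelerator offloads, while the flow table and alert handling stay in software.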






