[unisog] Security and packet shaping

Steve Bernard sbernard at gmu.edu
Thu Mar 14 18:01:20 GMT 2002


I have implemented and been managing our PacketShapers for a couple of years
now. In that time I have used the devices to curtail network abuses on
several occasions with mixed results. Over time the accuracy of the shaping
engine has gotten better as have the protocol signatures. I have had the
best results when doing things like minimizing bandwidth saturation DoS
attacks, by limiting connections and/or bandwidth, and preventing
straightforward URL based attacks like CodeRed, although some still slip
by. On the other hand, I have had packets which should be caught by deny
rules slip by and haven't thoroughly tested the fragment reassembly
capabilities. Also, the lack of regular expressions makes it impossible to
create powerful URL matching rules. If you have used the devices in large,
rather open, environments then you have no doubt seen the large amounts of
traffic that sometimes fall into the 'default' class despite having matching
rules higher up the tree. Once the flows are fully recognized the percentage
of traffic that gets by the established classes is very minimal, typically
P2P, but I see a lot that is simply classified as "TCP" or "ICMP". It is
necessary for several packets of a given flow to pass through the device
before it can accurately classify the flow. Therefore, distributed, gradual,
or perhaps fragmented attacks may not be recognized properly, if at all. The
rules also don't let you stipulate granular controls on packets, such as
flags, options, etc. It does read and write TOS/COS bits but those aren't
really security related.

The reporting tools are not geared towards being a security device although
it can augment other tools. I have found it useful when doing security
assessments. You can just drop it inline and quickly get a pretty good idea
of how much of what is going where from who. It also decodes many more
protocols and applications than any of the sniffers that I've used.

I suppose I would say that if the device were 100% accurate and provided more
granular packet controls then it would be a more useful network security
tool, but it isn't, so I wouldn't bet all my chips on it.

I'll let you know if I think of anything else,


-----Original Message-----
From: MVick at mail.uttyl.edu [mailto:MVick at mail.uttyl.edu]
Sent: Thursday, March 14, 2002 9:34 AM
To: unisog at sans.org
Subject: [unisog] Security and packet shaping

A colleague and I have the privilege of presenting a short program on the
possible applications of packet shaping and specifically the Packeteer
PacketShaper product in the area of network security.  While we realize
there are better ways to implement network security, we are looking for any
comments, suggestions, experiences, URLs and even reasonable theories that
we can include in this presentation.

If you send comments and then request a copy of the presentation, we will
email you a copy shortly after we make the presentation.

Michael Vick
mvick at mail.uttyl.edu
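Steve's observation that a flow has to contribute several packets before the shaper can classify it, so that the early part of every flow (and all of a short flow) lands in the generic "TCP" class, can be illustrated with a toy flow classifier. The following is an added example written for this archive page; it is not Packeteer's code and not from either poster. The packet threshold, the byte-prefix signatures, the 5-tuple flow keys and the packet traces are all constructed assumptions made only to show the effect, together with a simple defensive check that flags a trace whose default-class share is unusually high.

```python
"""Toy model of a flow-based traffic classifier that needs several packets of
a flow before it trusts an application signature.  Added example; not
Packeteer code.  The threshold, signatures and traces are constructed.
"""
from collections import Counter, defaultdict

# Packets a flow must contribute before its signature is applied (assumed
# value; the real device's threshold is not stated in the thread).
PACKETS_BEFORE_CLASSIFY = 4

# Constructed signatures: payload prefix -> application class.
SIGNATURES = {
    b"GET ": "HTTP",
    b"HTTP/": "HTTP",
    b"SSH-": "SSH",
}

DEFAULT_CLASS = "TCP"   # where unrecognized or not-yet-classified bytes go


def classify_trace(packets, threshold=PACKETS_BEFORE_CLASSIFY):
    """Return a Counter of bytes per class for a trace.

    packets: iterable of (flow_key, payload) in wire order; flow_key is any
    hashable connection identifier, payload is bytes.
    A packet is charged to the flow's application class only once the flow
    has been seen `threshold` times AND a signature matched; everything else
    is charged to DEFAULT_CLASS, mirroring the "TCP" bucket in the post.
    """
    seen = defaultdict(int)   # packets seen so far per flow
    hint = {}                 # flow -> class suggested by a matched signature
    bytes_by_class = Counter()
    for flow, payload in packets:
        seen[flow] += 1
        if flow not in hint:
            for sig, cls in SIGNATURES.items():
                if payload.startswith(sig):
                    hint[flow] = cls
                    break
        if seen[flow] >= threshold and flow in hint:
            cls = hint[flow]
        else:
            cls = DEFAULT_CLASS
        bytes_by_class[cls] += len(payload)
    return bytes_by_class


def default_share(bytes_by_class, default_class=DEFAULT_CLASS):
    """Fraction of all bytes that ended up in the default class."""
    total = sum(bytes_by_class.values())
    return bytes_by_class[default_class] / total if total else 0.0


def flag_unclassified(bytes_by_class, max_share=0.25):
    """Defensive check: True when the default-class share exceeds max_share
    (assumed limit), i.e. the shaper is seeing traffic it cannot name."""
    return default_share(bytes_by_class) > max_share


def long_http_flow(n_packets=20):
    """Constructed trace: one ordinary HTTP download, 20 packets."""
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)   # constructed 5-tuple
    return [(flow, b"GET /index.html HTTP/1.0\r\n" if i == 0 else b"x" * 100)
            for i in range(n_packets)]


def many_short_flows(n_flows=50, packets_per_flow=2):
    """Constructed trace: many two-packet flows from many sources.  Each flow
    carries a matching signature but never reaches the packet threshold."""
    trace = []
    for i in range(n_flows):
        flow = ("10.0.0.%d" % (i % 250 + 1), 50000 + i, "192.0.2.10", 80)
        for j in range(packets_per_flow):
            trace.append((flow, b"GET /x HTTP/1.0\r\n" if j == 0 else b"y" * 100))
    return trace


if __name__ == "__main__":
    for name, trace in [("one long HTTP flow", long_http_flow()),
                        ("50 two-packet flows", many_short_flows())]:
        counts = classify_trace(trace)
        print("%-20s %s  default share %.2f  flagged=%s" % (
            name, dict(counts), default_share(counts), flag_unclassified(counts)))
```

With the threshold at four packets, the single long flow puts only its first three packets into "TCP" and the rest into "HTTP", while the fifty short flows never get named at all, even though every one of them carries a recognizable request line. Lowering the threshold to one names everything but also hands the classifier a decision on the first packet, which is the accuracy trade-off behind Steve's remark; watching the default-class share over time is one practical way to notice when that blind spot is being filled.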
