Security at the edge challenges TCP/IP, WLAN infrastructure
By Ahmed Shihab, Technical Director Alcahest Ltd., Hampshire, England, U.K., EE Times
March 10, 2003 (11:58 a.m. EST)
Complex security systems such as Internet Protocol Security (IPSec) require a good understanding of general security principles and can be complicated to administer. The average telecom system user has not traditionally known, nor cared, about the security of their traffic over public networks such as the Internet. Their primary concern is that data or voice transmissions are transferred from one terminus to another without getting lost or corrupted in the process; most users have come to accept that a small percentage of transmissions will never reach their destination.
Recent demonstrations have shown how easy it is to track packets on a typically insecure wired network and extract from them such information as user names, passwords and any other unencrypted data such as email content. The latest wireless systems becoming common at the network edge make such data capture even simpler, as the hacker does not need to gain access to the physical network and can capture such data from a safe distance.
The simple answer is to use suitable precautions to secure valuable data against such relatively simple attacks. Such a protection layer can be applied to the network strata from the individual NIC, enterprise router and the edge-of-enterprise.
While it is important that an intelligent network security policy is meticulously designed and executed, it is just as crucial to focus on the most logical places to protect any network: at its interfaces to the outside world. Edge-of-network interfaces can be the telecom link to the outside world, such as fast ADSL, modem access, leased lines, direct connections and the wireless systems that form part of the internal network for the reasons outlined above.
Recently there has been a quiet revolution occurring in the world of network security: the gradual acceptance of a flexible network protocol called Internet Protocol Security, or IPSec. Other security protocols exist and have been in common use for some time. Examples of these include SSL and PPTP, amongst others, but these protocols have all lacked the flexibility, speed and adaptability of IPSec.
To satisfy the growing demand for ever-higher IPSec speeds, a new market for security processors has emerged. This market is divided into three tiers:
- Software only: The entire protocol stack and all security work are done on the host processor. This approach is typically implemented in systems where the secure links only need a few hundred kbit/second to a few Mbit/second.
- Accelerated software: The complex cryptographic calculations are offloaded onto an external application-specific standard product (ASSP), usually connected to the host processor via a PCI bus; this approach is characterized by high bus bandwidth requirements.
- Configurable soft security processor: A new approach to IPSec implementation that embeds the software and hardware components into a single programmable logic device (typically a field-programmable gate array, or FPGA), thus achieving high integration levels and dramatically reducing the load on the host CPU and its bus.
The ASSPs used in the accelerated software approach will typically contain the encryption and authentication components in hardware to implement most of the complex calculations, offloading them from the host CPU. Such devices may enable a fast host processor to handle data rates up to a peak of hundreds of Mbit/sec or even 1 Gbit/sec. The nature of these devices forces the system architect and equipment manufacturer to conform to their system requirements, usually making them the system's performance bottleneck by overloading the CPU peripheral bus.
Until recently, there has been little alternative to using these external co-processor devices unless the manufacturer wanted to develop all the acceleration technology from scratch.
However, advances in programmable logic technology have made possible intellectual property-based FPGA implementations that overcome the performance bottlenecks of co-processor systems, while reducing time-to-market and enabling a clear path to future enhancements and upgrades. For example, we've developed a number of implementations using system-on-programmable-chip methodologies that allowed us to build a variety of custom systems that may include a powerful embedded processor, a number of acceleration cores, and a custom bus structure, instead of forcing us to bend our systems to the needs of a single component. Given the time-to-market issues and the range of different system configurations at the network edge, just as important are the automated tools that can assemble such FPGA-based designs with a high degree of automation, given only the parameters of the system.
Although this system approach simplifies the design process, it is suitable mainly for those with an existing software solution who wish to accelerate it, or those who need moderate data rates up to approximately 400 Mbit/second. This design methodology alleviates the bus overload problem by designing a customised bus structure to suit each design. It also enables the software and hardware components of an IPSec implementation to be encapsulated within a single programmable device, but it does not write the application software nor handle the performance-critical components such as the security association store and lookup.
Being implemented in a programmable device can fulfill one of the key promises of IPSec: that of flexibility. IPSec can be thought of as a cryptographic and protocol toolkit that can easily be expanded with new ciphers to replace or enhance the security of the data stream. In FPGAs, this ability can be easily realised by changing the FPGA's configuration image without changing the existing system hardware. By contrast, a system based around an ASSP would require a complete system redesign, or at least the physical replacement of that ASSP with a custom device.
For higher-performance systems at 1 Gbit/sec and above, soft IPSec processors implemented in programmable logic offer full IPSec functionality at very high performance. The resultant processor can handle all the processing functions of IPSec, as well as being able to cache or handle the complete Security Association (SA) store. This represents a significant performance advantage over software implementations.
An SA entry holds all the information necessary to process, for example, a packet received from an external network entity. In a conventional software-only implementation, and in some ASSP-assisted implementations, the SA lookup can take a significant number of machine cycles to fetch the information from main system memory. Using an SA cache means that once an association has been used, it remains in on-chip memory, so that subsequent uses of the same SA incur a much shorter access penalty than the first.
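To make the SA cache argument concrete, the following is an added example (not code from the article or from Alcahest): a Python model of an SA store kept in main memory, fronted by a small on-chip LRU cache. The lookup key (SPI, destination address, security protocol) follows the IPSec SA selection rules; the cycle costs, the SA fields and the packet sequence are constructed figures chosen only to show the first-use penalty and the cheaper repeat hits. A packet with no matching SA is dropped rather than processed, which is the behaviour an IPSec receiver must have.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed cost model: cycles charged per lookup (assumed figures, not measurements).
MAIN_MEMORY_CYCLES = 200   # SA fetched from the main SA store in system memory
ON_CHIP_CYCLES = 4         # SA found in the on-chip cache


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # Security Parameter Index carried in the packet header
    dst: str        # destination address of the protected traffic
    proto: str      # "ESP" or "AH"
    cipher: str     # illustrative algorithm name; not used for real crypto here
    key: bytes      # illustrative key material (constructed)


class SAStore:
    """Full SA database ('main memory') fronted by a fixed-size on-chip LRU cache."""

    def __init__(self, cache_capacity: int):
        self._db = {}                       # (spi, dst, proto) -> SecurityAssociation
        self._cache = OrderedDict()         # same key -> SA; insertion order tracks recency
        self._capacity = cache_capacity
        self.hits = 0
        self.misses = 0
        self.dropped = 0

    def add(self, sa: SecurityAssociation) -> None:
        self._db[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: str):
        """Return (sa_or_None, cycles_spent). None means no SA exists: drop the packet."""
        key = (spi, dst, proto)
        if key in self._cache:
            self._cache.move_to_end(key)    # mark as most recently used
            self.hits += 1
            return self._cache[key], ON_CHIP_CYCLES
        self.misses += 1                    # every path below touches main memory
        sa = self._db.get(key)
        if sa is None:
            self.dropped += 1               # unknown SA: packet must not be processed
            return None, MAIN_MEMORY_CYCLES
        self._cache[key] = sa               # first use: bring the SA on chip
        if len(self._cache) > self._capacity:
            self._cache.popitem(last=False) # evict the least recently used entry
        return sa, MAIN_MEMORY_CYCLES


def process_stream(store: SAStore, packets):
    """Run a sequence of (spi, dst, proto) lookups and summarise hits, misses and cost."""
    cycles = 0
    for spi, dst, proto in packets:
        _, cost = store.lookup(spi, dst, proto)
        cycles += cost
    return {"hits": store.hits, "misses": store.misses,
            "dropped": store.dropped, "cycles": cycles}


def build_demo():
    """Constructed SA database (three SAs, cache of two) and a constructed packet sequence."""
    store = SAStore(cache_capacity=2)
    for spi in (0x1001, 0x1002, 0x1003):
        store.add(SecurityAssociation(spi, "10.0.0.1", "ESP", "aes-cbc", b"\x00" * 16))
    a = (0x1001, "10.0.0.1", "ESP")
    b = (0x1002, "10.0.0.1", "ESP")
    c = (0x1003, "10.0.0.1", "ESP")
    unknown = (0x9999, "10.0.0.1", "ESP")   # no SA negotiated for this SPI
    # a repeats often, so it stays cached; c's arrival evicts b; unknown is dropped
    packets = [a, a, b, a, c, a, unknown]
    return store, packets


if __name__ == "__main__":
    store, packets = build_demo()
    print(process_stream(store, packets))
```

Running the demo, the first use of each SA and the unknown-SPI packet cost the full main-memory fetch, while the three repeat uses of the same SA are served from the cache; the unknown packet is counted as dropped and never reaches the cipher stage.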
It is important to note that these soft security processors can be easily customised around the needs of a particular implementation, as well as used in their default functional state.