Native IP Threat Engine Framework
Design
Feature purpose: applying IP threat detection policies based on the direction of a flow.
The design discussed here assumes that a flow direction is already detected when presenting the flow to the FSM policy engine. A new IP threat detection plugin is required to handle the outbound and inbound flows.
Overview
The following steps are involved:
Collect the internet IP address for a new IP flow.
Query FSM policies for the action to take.
Internet IP Address for a new IP Flow
The IP threat detection plugin gets the packet from the dpi_dispatcher plugin. The global/internet IP address and the MAC address of the device (TX for outbound, RX for inbound) are retrieved from the packet.
Query Policies
The IP threat detection plugin presents the IP and the device's MAC to the FSM policy engine, which returns an action to take. The corresponding action is cached in dns_cache.
The flow is then marked for either blocking or allowing.
Feature Scope
The following features are supported:
A library to cache the FSM policy lookup results.
The ability for FSM to block a new flow based on the IP and MAC addresses.
Implementation
A new FSM dpi_plugin called "ipthreat_dpi" needs to be configured.
The plugin handles traffic for the dpi_plugin→targets tag values. It uses the fsm_policy_tags library to hold the values of the tags.
The plugin gets the policy name from the "other_config" key "policy_table" in the plugin's configuration, as shown below. This name is used to look up the FSM policy engine for the action to take for a given IP+MAC combination.
The plugin also gets the "provider_plugin" value from "other_config" in the Flow_Service_Manager_Config table.
Whether a given FSM policy lookup is inbound or outbound is determined by the network_metadata library and is passed along with the lookup to the FSM policy engine.
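The cache-then-lookup path described above (a per-direction policy table consulted only when the cached verdict for an IP+MAC is missing), as an added C illustration that is not OpenSync's own code or API. All names are hypothetical, the blocklist entries are constructed, and the cache is keyed on the (internet IP, device MAC, direction) triple.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration of the decision path described above, not OpenSync's own
 * code or API: the (internet IP, device MAC, direction) key is checked against a
 * local cache first; only on a miss is the direction-specific policy table
 * consulted and the verdict cached. All names here are hypothetical. */
enum direction { DIR_OUTBOUND, DIR_INBOUND };
enum action { ACTION_ALLOW, ACTION_BLOCK };
struct flow_key {
    uint8_t mac[6];      /* LAN device MAC (TX for outbound, RX for inbound) */
    uint32_t ip;         /* global/internet IPv4 address, host byte order */
    enum direction dir;  /* supplied by flow-direction detection */
};
struct cache_entry { struct flow_key key; enum action action; int valid; };

#define CACHE_SIZE 64
static struct cache_entry cache[CACHE_SIZE];
static int policy_lookups; /* how often the (simulated) policy engine was asked */

/* Stand-in for the FSM policy engine: constructed per-direction blocklists in the
 * role of the "inbound_ipthreat_dpi" / "outbound_ipthreat_dpi" policy tables. */
static enum action policy_engine_lookup(const struct flow_key *k)
{
    static const uint32_t outbound_block[] = { 0xC6376566 }; /* 198.55.101.102 */
    static const uint32_t inbound_block[]  = { 0xCB007101 }; /* 203.0.113.1 */
    const uint32_t *tbl = k->dir == DIR_INBOUND ? inbound_block : outbound_block;
    size_t n = (k->dir == DIR_INBOUND ? sizeof inbound_block : sizeof outbound_block) / sizeof tbl[0];
    policy_lookups++;
    for (size_t i = 0; i < n; i++)
        if (tbl[i] == k->ip) return ACTION_BLOCK;
    return ACTION_ALLOW;
}

static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->ip == b->ip && a->dir == b->dir && memcmp(a->mac, b->mac, 6) == 0;
}

/* Verdict for a new flow: cache hit if seen before, else policy lookup and cache fill. */
enum action ipthreat_verdict(const struct flow_key *k)
{
    int free_slot = -1;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!cache[i].valid) { if (free_slot < 0) free_slot = i; continue; }
        if (key_eq(&cache[i].key, k)) return cache[i].action;
    }
    enum action a = policy_engine_lookup(k);
    if (free_slot >= 0) cache[free_slot] = (struct cache_entry){ *k, a, 1 };
    return a;
}

int ipthreat_policy_lookups(void) { return policy_lookups; }
```

The same IP is blocked on the outbound table but allowed on the inbound one, which is the point of keeping direction in the key.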
An example of an IP threat detection plugin entry is shown below:
$ ovsh -j s Flow_Service_Manager_Config -w handler==ipthreat_dpi
[
  {
    "if_name": "",
    "_version": [
      "uuid",
      "5efeaee7-92a7-4ed5-8c0e-46682f1d423b"
    ],
    "other_config": [
      "map",
      [
        [
          "dpi_dispatcher",
          "core_dpi_dispatch"
        ],
        [
          "dso_init",
          "ipthreat_dpi_plugin_init"
        ],
        [
          "mqtt_v",
          "IP/Threats/opensync/XXXXD000A9/XXXX50b53a011e24d1ba29bb"
        ],
        [
          "inbound_policy_table",
          "inbound_ipthreat_dpi"
        ],
        [
          "outbound_policy_table",
          "outbound_ipthreat_dpi"
        ],
        [
          "provider_plugin",
          "opensync"
        ],
        [
          "targeted_devices",
          "${targeted_devices}"
        ],
        [
          "excluded_devices",
          "${excluded_devices}"
        ],
        [
          "wc_hero_stats_interval_secs",
          "1800"
        ],
        [
          "wc_hero_stats_topic",
          "IP-WC/Stats/Hero/opensync/XXXX50b53a011e24d1ba29bb/XXXXD000A9"
        ]
      ]
    ],
    "type": "dpi_plugin",
    "plugin": "",
    "_uuid": [
      "uuid",
      "16d91d59-c864-482a-9408-43d83c7d381e"
    ],
    "pkt_capt_filter": "",
    "handler": "ipthreat_dpi"
  }
]
Event Reporting
A blocked event is reported in a format similar to that of DNS query reports, with the following updates:
An ipFlowInfo block is added to provide flow information
The reportType is set to "ipThreat"
Here is a report example:
{
  "dnsQueries": [
    {
      "action": "blocked",
      "deviceMac": "11:22:4C:20:9F:85",
      "dnsAddress": "198.55.101.102",
      "ipFlowInfo": {
        "destinationPort": 80,
        "ipProtocol": "tcp",
        "sourcePort": 50026
      },
      "policy": "dev_iptd_policy",
      "policyIndex": 9,
      "reportType": "ipThreat",
      "ruleName": "dev_iptd_policy_rule_0"
    }
  ],
  "locationId": "XXXX9f5acbb22513f0ae5e17",
  "nodeId": "XXXX8002B3",
  "reportedAt": "2020-12-21T23:00:16.771Z",
  "version": "1.0.0"
}
Test Instructions
Please use the FUT scripts updated at https://github.com/plume-design/opensync/tree/609f9eda64b5e50ff437b48ad3a0e71d49cf716f/src/lib/ipthreat_dpi/tests/futs. These can be used to add or remove the ipthreat_dpi plugin.
The IP threat detection plugin needs a provider plugin backend. Please use this script to create a temporary wc_null plugin: https://github.com/plume-design/opensync/blob/osync_2.4.0/src/lib/wc_null_plugin/tests/fut/create_wc_null_plugin.sh
Published Content
https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf
https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf