Intrusion prevention with active networks: A performance comparison between user and kernel-space implementation
E-Science und Grid Ad-hoc Netze Medienintegration, 18. DFN-Arbeitstagung über Kommunikationsnetze
Regular Research Papers
Gesellschaft für Informatik e.V.
Recent experience with attacks on the Internet, and especially the tremendous increase in the propagation speed of self-distributing attacks, clearly shows that the exploitation of vulnerabilities in Internet-connected hosts cannot be countered adequately by an approach that only defends against attacks by fixing security holes once patches become available. To overcome this situation, various researchers are working on network-based intrusion prevention. One specific approach in this respect aims at deploying programmable networking technology (sometimes also called active networking technology), which allows task-specific services to be deployed dynamically on so-called active routers for intrusion prevention purposes. However, since an intrusion prevention system (IPS) necessarily has a certain impact on network performance, because each packet is analyzed for malicious content before being forwarded, the important criterion of processing efficiency has to be taken into account in the design and implementation of such a system, while at the same time further requirements such as robustness and security must also be considered. One particular design question arising in this context is whether specific intrusion prevention modules should be executed in user- or in kernel-space. In order to discuss this question thoroughly, we realized two prototypes: a user- and a kernel-space implementation. In this paper we discuss both architectures and present performance results in terms of throughput, delay and loss rate.