
Learn How VortiQa Application Identification (AIS) Can Detect Encrypted Web Application Traffic Using Heuristic Logic and SSL Proxy FTF-NET-F0017

Nageswara Rao A. V. K.

APR. 2014


External Use

Agenda

• AIS Market Trends
• VortiQa AIS: Overview
• VortiQa AIS: Detecting SSL based traffic (HTTPS)
• VortiQa AIS: Traffic Characterization
• VortiQa AIS: Signature Distribution
• VortiQa AIS: Supported Applications
• NSSG Overview
• VortiQa Value Proposition

VortiQa AIS Software Products and Services Overview

Trends and Alignment

802.11ac
• 1Gbps+ WIFI bandwidth per AP moves the policy enforcement to the network edge.
• EWLAN APs need to be application aware for effective policy enforcement.

BYOD
• Enterprises are allowing employees to connect private handhelds to the business network.
• Security posture of BYOD is a big concern.

Application Firewalls
• HTTP/S based Apps traffic has been growing unabated.
• Conventional Stateful inspection firewalls are getting upgraded to Application aware next generation Firewalls.

VortiQa Solution: Application Identification Software (AIS)

Highlights:
• VortiQa AIS is built on top of the base networking modules
• Runs in user space without drastically affecting performance and with no buffer copy overhead
• Configurable detection schema for full deep packet inspection or partial inspection for higher performance
• Application detection over encrypted traffic: SSL and heuristic approach
• In-house signature development and distribution infrastructure
• Detection of nearly 1800 application features: social networking, P2P, business apps, games, streaming etc.

VortiQa AIS – Overview

• Advanced application detection techniques
  − Port-agnostic application detection with universal signatures
  − Detection of proprietary encrypted apps, traffic characterization support (heuristic approach)
  − Detection of HTTPS based apps
  − Nested detection for select apps e.g. photos and games
  − Encoded and obfuscated URL support
• Built-in content search algorithms
  − Built-in software pattern matching engines (software DFA engine, PCRE, Boyer Moore)
  − Interface to Freescale hardware PME engine
• Lower false positives
  − Context based signature verification
  − Stateful application engines (HTTP, SMTP, FTP, … TCP, UDP, IP)
  − Superior rule formats with application specific keywords
  − Rules classified to granular levels by application category

VortiQa AIS – Overview (continued)

• Periodic signature updates
  − Bi-weekly
  − Urgency basis
• Notification methods
  − ANSI C callback
  − In-packet identification
• Simplified registration API for various policy enforcement software packages, such as NextGen Firewalls or QoS
• Comprehensive signature distribution infrastructure
• Signature development APIs
• Event logging

Application encyclopedia is available at www.freescale.com/VortiQa

VortiQa AIS: Detecting SSL based traffic (HTTPS)

• VortiQa SSL proxy is a packet/stream SSL Proxy based implementation
• Implemented over proxy transport (VortiQa Transport Layer)
• Not a socket based implementation
• Suitable for run to Completion model
• Suitable for DP architecture
• Scalable to multicore/multi-thread architecture
• Supports TLS v1 and SSL v3
• Hardware security engine (Sec 4) support**

** In planning

[Figure: Thread 1 stack, with layers AIS, HTTPS, SSL Proxy, Proxy Transport, Packet processing Engine, Flow/Session Manager, Eth, PME]


VortiQa AIS: Traffic Characterization

Machine Learning/Signatures generation for Heuristic Approach

[Figure: Collect pcaps → Decision Tree]

• 'Heuristic' refers to experience-based techniques for problem solving, learning and discovery
• Machine learning is about learning to make predictions from examples of desired behavior or past observations
• Collect pcap samples from real networks that have different devices connected
• Feed these pcaps to a decision tree algorithm (C4.5) to generate a balanced tree (XML)
• The generated decision tree is used to classify evasive, proprietary protocols
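The training step above, as an added example (not VortiQa code): the gain-ratio split criterion that C4.5 uses, reduced to choosing one binary threshold on continuous per-flow attributes. The attribute names, class labels and training flows are constructed for illustration; pruning and missing-value handling are left out.

```python
import math
from collections import Counter

def entropy(labels):
    """Shannon entropy, in bits, of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def best_split(samples, attr):
    """Best binary split on one continuous attribute: (threshold, gain_ratio).

    Candidate thresholds are midpoints between consecutive distinct values,
    so both sides of every candidate split are non-empty."""
    base = entropy([s["app"] for s in samples])
    values = sorted({s[attr] for s in samples})
    best = (None, 0.0)
    for lo, hi in zip(values, values[1:]):
        thr = (lo + hi) / 2
        left = [s["app"] for s in samples if s[attr] <= thr]
        right = [s["app"] for s in samples if s[attr] > thr]
        p = len(left) / len(samples)
        gain = base - p * entropy(left) - (1 - p) * entropy(right)
        split_info = -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
        ratio = gain / split_info
        if ratio > best[1]:
            best = (thr, ratio)
    return best

def pick_root(samples, attrs):
    """Attribute and threshold with the highest gain ratio (the tree's root test)."""
    scored = {a: best_split(samples, a) for a in attrs}
    root = max(scored, key=lambda a: scored[a][1])
    return root, scored[root][0]

# Constructed labelled flows, standing in for statistics extracted from pcaps.
FLOWS = [
    {"avg_size": 180, "num_packets": 40, "app": "voip"},
    {"avg_size": 200, "num_packets": 900, "app": "voip"},
    {"avg_size": 210, "num_packets": 35, "app": "voip"},
    {"avg_size": 950, "num_packets": 50, "app": "p2p"},
    {"avg_size": 1100, "num_packets": 800, "app": "p2p"},
    {"avg_size": 1300, "num_packets": 45, "app": "p2p"},
]

if __name__ == "__main__":
    print(pick_root(FLOWS, ["avg_size", "num_packets"]))
```

On this data the packet count separates the classes poorly, so average packet size becomes the root test.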

VortiQa AIS: Traffic Characterization (continued)

• VortiQa AIS solution offers a hybrid approach, which is a combination of pattern-based and heuristic-based solutions
• Decision making is based on six attributes to avoid false positives and false negatives
  − Average packet size
  − Min packet size
  − Max packet size
  − Standard mean deviation
  − Number of packets
  − Number of bytes
• Base signatures are used to improve performance by avoiding statistics collection on unwanted traffic
• Proprietary techniques, such as matching “Base application ID” verification, are used to avoid false positives / false negatives
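The hybrid decision path described above, as an added example (not VortiQa code): compute the six attributes for a flow, skip flows that no base signature matched, walk an XML decision tree, and accept the leaf only if its base application ID agrees. The XML layout, application names, base IDs, the `min_packets` cut-off and the use of population standard deviation for "standard mean deviation" are all assumptions.

```python
import statistics
import xml.etree.ElementTree as ET

# Hypothetical tree layout (the slides only say the tree is XML): <node> tests
# attr <= thr, first child is the true branch, second the false branch;
# <leaf> names the app and the base application ID it is valid for.
TREE = ET.fromstring("""
<node attr="avg_size" thr="580">
  <node attr="std_dev" thr="40">
    <leaf app="voip-x" base="udp"/>
    <leaf app="unknown" base=""/>
  </node>
  <leaf app="p2p-y" base="tcp"/>
</node>""")

def flow_stats(pkt_lens):
    """The six per-flow attributes listed on the slide."""
    return {
        "avg_size": statistics.fmean(pkt_lens),
        "min_size": min(pkt_lens),
        "max_size": max(pkt_lens),
        "std_dev": statistics.pstdev(pkt_lens),  # assumption: population std dev
        "num_packets": len(pkt_lens),
        "num_bytes": sum(pkt_lens),
    }

def classify(pkt_lens, base_app, min_packets=8):
    """Return an application name, or None when the heuristic must not decide."""
    # Base-signature gate: no statistics for flows that matched no base
    # signature or are too short to characterize.
    if base_app is None or len(pkt_lens) < min_packets:
        return None
    stats = flow_stats(pkt_lens)
    node = TREE
    while node.tag == "node":
        on_true, on_false = list(node)
        node = on_true if stats[node.get("attr")] <= float(node.get("thr")) else on_false
    # Base application ID verification: the leaf must agree with the base match.
    if node.get("app") == "unknown" or node.get("base") != base_app:
        return None
    return node.get("app")

# Constructed packet-length sequences (bytes per packet).
VOIP = [172, 180, 176, 184, 172, 180, 176, 184]
BULK = [1460] * 6 + [60, 1460]
JITTER = [60, 400, 80, 500, 60, 300, 90, 450]

if __name__ == "__main__":
    print(classify(VOIP, "udp"), classify(BULK, "tcp"), classify(VOIP, "tcp"))
```

The last call returns no verdict: the statistics look like the VoIP leaf, but the base ID disagrees, which is the false-positive guard the slide refers to.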


VortiQa AIS Signature Distribution

• Master Signature Server (MSS) is installed in Freescale data center
• Serving Signature Server (SSS) is expected to be installed by our OEM customer in their respective data centers
• Freescale delivers SSS software to OEMs
• Signature development team uploads new signature releases to MSS periodically
• MSS informs SSSes to download new updates
• VortiQa AIS enabled end customer devices are expected to point to their respective SSS to download the latest updates

VortiQa AIS: Supported Applications

Sl.No. Application Category: Applications

1. Social Networking: Facebook, Orkut, LinkedIn, Hi5, WordPress, Friendster, Tagged, MpSpace, Badoo, Haboo, Bebo.
2. P2P Applications: Ares, DirectConnect P2P, eDonkey protocol, GnuTella 2, Apple Juice P2P, Mute P2P, Mute P2P, P2P, ExoSee, /iMesh p2p network, Manolito, NeoNet, Zepp Network, WinMX Peer Network Protocol (WPNP), OpenNap, ANts P2P, XOC link.
3. IMs: Google Talk, IRC IM, Jabber, MSN IM, AOL IM, Rediff Bol IM, Yahoo IM
4. DDLs (Direct Download Link): One click hosting sites or Direct Download Links like 4shared.com, badongo.com, badongo.net, .com, megashare.com, megashares.com, .com
4. Tunnel Protocol and Applications: GRE, IPsec, GTP, HamachiVPN, IP in IP, SSL, ISAKMP, L2TP, NetMotion, OpenVPN, PPTP, SoftEthernet, SSH, Teredo, UltraSurf, VoipSwitch VoIP Tunnel, VPN-X, VTun, YourFreedom, SocksICMP Tunnel
5. Streaming Protocol and Applications: Youtube, AVI, Flash, MMS, MPEG, Octoshape, PPLive, PPStream, Real Media, RTSP, Sopcast, veohtv
6. Standard Protocols: AFP, BGP, DHCP, DNS, EGP, FTP, HTTP, HTTP App ACTIVESYNC, ICMP, PING, IGMP, IMAP, IPP, MAPI, MulticastDNS, NETBIOS, NFS, NTP, OSPF, pcAnywhere, PPP, POP3, RADIUS, RDP, RDS, SMB/CIFS, SMTP, SNMP, SSDP, STUN, Syslog, TDS, TeamViewer, Telnet, TFTP, UltraBac, Usenet, VNC, WINS
7. Mobile Apps: Apple iTunes, Apple Facetime

Application encyclopedia is available at www.freescale.com/VortiQa

Digital Networking Software and Services

• World-Class Technology
  − Freescale Silicon - Used in Leading Products
  − Freescale Enablement – Innovative Investment
    . Device Drivers – Optimized and Portable
    . Linux – Commercial-grade, Available
    . Solutions References – Near-market Ready
    . CodeWarrior – Commercial Tools
• World-Class Ecosystem
• Complemented by Commercial Capability
  − Freescale Networking Software and Services
    . Commercial Software – VortiQa Applications
    . Commercial Services – Linux Support and Services

Save development costs and accelerate time to market by using Freescale’s cutting-edge, optimized and commercially supported VortiQa software

• Time to Market Advantage: VortiQa software accelerates time to market by providing cutting-edge software infrastructure and application solutions
• Reduce Development Costs: VortiQa software builds a strategic cost advantage for customers by leveraging optimized and highly portable multicore application software across their product line
• Reliable Engineering Support: Customers can rely on Freescale for engineering support during their product development, certification and field deployment cycles

Introducing The QorIQ LS2 Family

Breakthrough, software-defined approach to advance the world’s new virtualized networks

New, high-performance architecture built with ease-of-use in mind
Groundbreaking, flexible architecture that abstracts hardware complexity and enables customers to focus their resources on innovation at the application level

Optimized for software-defined networking applications
Balanced integration of CPU performance with network I/O and C-programmable datapath acceleration that is right-sized (power/performance/cost) to deliver advanced SoC technology for the SDN era

Extending the industry’s broadest portfolio of 64-bit multicore SoCs
Built on the ARM® Cortex®-A57 architecture with integrated L2 switch enabling interconnect and peripherals to provide a complete system-on-chip solution

QorIQ LS2 Family Key Features

Unprecedented performance and ease of use for smarter, more capable networks

High performance cores with leading interconnect and memory bandwidth
• 8x ARM Cortex-A57 cores, 2.0GHz, 4MB L2 cache, w Neon SIMD
• 1MB L3 platform cache w/ECC
• 2x 64b DDR4 up to 2.4GT/s

A high performance datapath designed with software developers in mind
• New datapath hardware and abstracted acceleration that is called via standard Linux objects
• 40 Gbps Packet processing performance with 20Gbps acceleration (crypto, Pattern Match/RegEx, Data Compression)
• Management complex provides all init/setup/teardown tasks

Leading network I/O integration
• 8x1/10GbE + 8x1G, MACSec on up to 4x 1/10GbE
• Integrated L2 switching capability for cost savings
• 4 PCIe Gen3 controllers, 1 with SR-IOV support
• 2 x SATA 3.0, 2 x USB 3.0 with PHY

[Figure labels: SDN/NFV Switching, Data Center, Wireless Access]

See the LS2 Family First in the Tech Lab!

4 new demos built on QorIQ LS2 processors:

Performance Analysis Made Easy

Leave the Packet Processing To Us

Combining Ease of Use with Performance

Tools for Every Step of Your Design


www.Freescale.com

© 2014 Freescale Semiconductor, Inc. | External Use