Deep Packet Inspection as a Service
Authors: Anat Bremler-Barr, Yotam Harchol, David Hay and Yaron Koral
Conference: ACM 10th International Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2014
Presenter: Kuan-Chieh Feng
Date: 2015/10/07
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
Outline
- Introduction
- Architecture
- DPI Service Instance Implementation
- Experiment Results
- Conclusion
National Cheng Kung University CSIE Computer & Internet Architecture Lab
Introduction - DPI-Based Middleboxes
- Intrusion Detection System
- Network Anti-Virus
- L7 Firewall
- L7 Load Balancer
- Leakage Prevention System
- Network Analytics
- Traffic Shaper
- Lawful Interception
- Copyright Enforcement
Introduction
- Each middlebox (MB) implements its own DPI engine, which raises the cost of every MB.
- Each packet is scanned multiple times, once per MB in its path, wasting computation resources.
Introduction
- The DPI engine is the most time-consuming task of a middlebox and may take most of its processing time.
- The DPI engine is considered a system bottleneck in many of today's MBs, accounting for 30%-80% of processing time [laboratory simulations over real deployments of Snort and ClamAV].
Introduction
- The idea: a single, centralized DPI service instead of a separate DPI instance inside each middlebox.
Introduction
- SDN (Software-Defined Networking): SDN makes it possible to perform traffic steering; this paper uses that flexibility to route traffic to a DPI service only when needed.
- NFV (Network Functions Virtualization): the main objective of NFV is to reduce the operational costs of these appliances, and it provides easier management and maintenance. DPI is a significant example of an appliance or function that may be virtualized.
Introduction - Aho-Corasick Algorithm (AC algorithm)
- The AC algorithm is the de-facto standard for contemporary network intrusion detection systems (NIDS).
- It matches all patterns of a set simultaneously, in a single pass over the input, by constructing a DFA that represents the pattern set.
Introduction
Pattern set: {EDAE, BE, CDBA, CBD}
[Figure: Aho-Corasick DFA built for this pattern set; transitions are labelled with the symbols A, B, C, D, E]
Architecture
[Figure: DPI-as-a-Service architecture. Switches S1-S4 are programmed by an SDN controller (traffic steering). Middleboxes L7 FW1, IDS1, IDS2, AV1, AV2 and TS share two DPI service instances, DPI1 and DPI2. Messages exchanged with the DPI controller: Register, Rules, Add Patterns, Update Policy Chain.]
Architecture – DPI Controller
- The DPI controller is a centralized entity that manages the DPI process across the network.
- Two kinds of procedures take place between the DPI controller and the middleboxes: registration, and pattern-set management.
- The DPI controller is also responsible for initializing DPI service instances and for deploying the different DPI service instances across the network.
Architecture – Passing the Pattern-Matching Result
Options for returning the result from the DPI service to the middlebox:
- Network Service Header (NSH) carried with the packet
- Separate result packet
- Delay the packet until the result packet arrives
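As an added example (not code from the paper or these slides), the following Python packs a list of DPI matches into an NSH (RFC 8300, MD Type 2) variable-length context header and parses it on the middlebox side with the bounds checks a receiver needs before trusting an in-band result. The NSH field layout follows RFC 8300; the metadata class, the context-header type and the (pattern id, end offset) encoding of a match are assumptions made for this example.

```python
import struct

# RFC 8300 values.
NSH_MD_TYPE_2 = 0x2       # variable-length context headers
NEXT_PROTO_IPV4 = 0x1     # Next Protocol value for IPv4

# Assumed for this example: the slides do not define how results are encoded.
DPI_MD_CLASS = 0x0FFF     # hypothetical 16-bit metadata class for DPI results
DPI_MD_TYPE = 0x01        # hypothetical 8-bit type: list of pattern matches


def build_nsh(spi, si, matches, ttl=63):
    """Return NSH base header + service path header + one context header
    listing DPI matches as (pattern_id, end_offset) pairs (example format)."""
    body = b"".join(struct.pack("!HH", pid, off) for pid, off in matches)
    if len(body) > 0x7F:
        raise ValueError("too many matches for one context header")
    # Context header: Metadata Class(16) | Type(8) | U(1)+Length(7), then metadata
    ctx = struct.pack("!HBB", DPI_MD_CLASS, DPI_MD_TYPE, len(body)) + body
    ctx += b"\x00" * (-len(ctx) % 4)           # pad to a 4-byte boundary
    total_words = (8 + len(ctx)) // 4          # base + service path + context
    # Base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)
    base = ((ttl & 0x3F) << 22) | (total_words << 16) | (NSH_MD_TYPE_2 << 8) | NEXT_PROTO_IPV4
    service_path = ((spi & 0xFFFFFF) << 8) | (si & 0xFF)
    return struct.pack("!II", base, service_path) + ctx


def parse_nsh(buf):
    """Return (spi, si, matches, inner_packet); raise ValueError on malformed input.

    Every length field is checked against the bytes actually present, so a
    truncated or forged header cannot make the middlebox read past the packet."""
    if len(buf) < 8:
        raise ValueError("truncated NSH base/service path header")
    base, sp = struct.unpack("!II", buf[:8])
    version = base >> 30
    hdr_len = ((base >> 16) & 0x3F) * 4
    md_type = (base >> 8) & 0xF
    if version != 0 or md_type != NSH_MD_TYPE_2:
        raise ValueError("unsupported NSH version or MD type")
    if hdr_len < 8 or len(buf) < hdr_len:
        raise ValueError("NSH length field exceeds packet")
    spi, si = sp >> 8, sp & 0xFF
    matches = []
    pos = 8
    while pos < hdr_len:
        if hdr_len - pos < 4:
            raise ValueError("truncated context header")
        md_class, md_t, ulen = struct.unpack("!HBB", buf[pos:pos + 4])
        mlen = ulen & 0x7F                      # top bit is the unassigned U bit
        pos += 4
        if pos + mlen > hdr_len:
            raise ValueError("context header length exceeds NSH length")
        meta = buf[pos:pos + mlen]
        if md_class == DPI_MD_CLASS and md_t == DPI_MD_TYPE:
            if mlen % 4:
                raise ValueError("malformed DPI result metadata")
            for i in range(0, mlen, 4):
                matches.append(struct.unpack("!HH", meta[i:i + 4]))
        pos += mlen + (-mlen % 4)               # skip the metadata and its padding
    return spi, si, matches, buf[hdr_len:]


def is_malformed(buf):
    """True if parse_nsh rejects buf (helper for checking the error paths)."""
    try:
        parse_nsh(buf)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: DPI service found pattern 17 ending at offset 3 and
    # pattern 5 ending at offset 9 in an (abbreviated) inner packet.
    pkt = build_nsh(42, 255, [(17, 3), (5, 9)]) + b"inner packet"
    print(parse_nsh(pkt))
    print("truncated copy rejected:", is_malformed(pkt[:16]))
```

The middlebox never uses the NSH Length or the context-header Length as an offset without first comparing it to the bytes it holds; the forged-length checks are the part of this example that matters more than the packing itself.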
Architecture – Deployment
- A common deployment choice is to group similar policy chains together and to deploy one DPI service instance per group.
- For example, the pattern sets that correspond to HTTP traffic may be allocated to one DPI service instance, while the patterns that correspond to FTP traffic are allocated to another DPI service instance.
DPI Service Instance Implementation
[Figure: one automaton built over Pattern Set 1 and Pattern Set 2 together; each state is marked as belonging to pattern set 1, pattern set 2, or both sets]
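As an added example (not code from the paper or these slides), the following Python builds the Aho-Corasick DFA described in the Introduction over the slide's pattern set {EDAE, BE, CDBA, CBD} and extends it the way the figure above suggests: the automaton is built over the union of several middleboxes' pattern sets, each accepting state remembers which middleboxes registered the pattern, and one scan of the packet yields a separate result list per middlebox. The middlebox names and the second pattern set (AV1: BE, DBA, chosen so that BE is shared by both sets) are constructed for this example.

```python
from collections import deque

# Constructed input: IDS1 uses the pattern set from the slide; AV1 is an
# assumption added here so that one pattern ("BE") belongs to both sets.
PATTERN_SETS = {
    "IDS1": ["EDAE", "BE", "CDBA", "CBD"],
    "AV1": ["BE", "DBA"],
}


class DpiAutomaton:
    """Aho-Corasick DFA over the union of several middleboxes' pattern sets.

    Each accepting state lists the patterns that end there; a match is
    reported with the set of middleboxes that registered that pattern."""

    def __init__(self, pattern_sets):
        self.goto = [{}]          # state -> {symbol: next state}
        self.out = [set()]        # state -> patterns that end in this state
        self.owners = {}          # pattern -> set of middlebox names
        self.alphabet = set()
        for mb, patterns in pattern_sets.items():
            for p in patterns:
                self.owners.setdefault(p, set()).add(mb)
                self._add(p)
        self._build()

    def _add(self, pattern):
        # Insert one pattern into the trie.
        s = 0
        for c in pattern:
            self.alphabet.add(c)
            if c not in self.goto[s]:
                self.goto.append({})
                self.out.append(set())
                self.goto[s][c] = len(self.goto) - 1
            s = self.goto[s][c]
        self.out[s].add(pattern)

    def _build(self):
        # Breadth-first pass: compute failure links, merge the outputs of the
        # failure target into each state, and fill in every missing transition
        # so the result is a complete DFA (one table lookup per input byte).
        fail = [0] * len(self.goto)
        queue = deque()
        for c in self.alphabet:
            s = self.goto[0].get(c)
            if s is None:
                self.goto[0][c] = 0
            else:
                queue.append(s)
        while queue:
            s = queue.popleft()
            for c in self.alphabet:
                t = self.goto[s].get(c)
                if t is None:
                    self.goto[s][c] = self.goto[fail[s]][c]
                else:
                    fail[t] = self.goto[fail[s]][c]
                    self.out[t] |= self.out[fail[t]]
                    queue.append(t)

    def state_count(self):
        return len(self.goto)

    def scan(self, data):
        """Scan data once; return [(end_offset, pattern, owners)] for every match."""
        s = 0
        matches = []
        for i, c in enumerate(data):
            s = self.goto[s].get(c, 0)   # a symbol outside the alphabet resets to root
            for p in sorted(self.out[s]):
                matches.append((i, p, frozenset(self.owners[p])))
        return matches

    def results_for(self, data, middlebox):
        """The result list one middlebox receives: only the patterns it registered."""
        return [(i, p) for i, p, owners in self.scan(data) if middlebox in owners]


if __name__ == "__main__":
    ac = DpiAutomaton(PATTERN_SETS)
    print("DFA states:", ac.state_count())
    for mb in PATTERN_SETS:
        print(mb, ac.results_for("CDBABE", mb))   # constructed sample payload
```

The single scan of "CDBABE" ends with CDBA (IDS1 only), DBA (AV1 only) and BE (both) reported; that one pass replaces the separate Snort-style and ClamAV-style scans the slides count as wasted work.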
[Slide: example signature fragments. Regular-expression fragment shown: ]*SYSTEM[^>]*>.*\x2EparseError ; fixed strings shown: <\x21DOCTYPE SYSTEM \x2EparseError]
Experimental Environment
- POX SDN controller (OpenFlow 1.0)
- Static steering mechanism
- DPI service and middleboxes run on separate machines
- Toy middlebox applications: Snort, ClamAV
- Functionality tested in virtual environments (Mininet, VMware)
[Figure: virtual environment with Toy Snort1, Toy Snort2 and Toy ClamAV middleboxes, a DPI service instance, and a DPI controller with static steering running over the POX SDN controller]
Experiment Results - Performance
Setups compared, each engine on a separate machine:
- Policy chain with two DPIs: IDS1 -> AV1
- Combined DPI instances (DPI as a Service): DPI1 -> DPI2, serving IDS1 and AV1
Per-engine figures:
Engine   Patterns   Space      Throughput   Latency
Snort    4356       71.18 MB   807.7 Mbps   9.69 us/packet
ClamAV   31827      1.87 GB    668.4 Mbps   11.91 us/packet
Overall latency: 21.5 us/packet; overall throughput: 668.4 Mbps
Experiment Results – Road Traffic
- Separate IDSs: static load balancing
- DPI as a Service: dynamic load balancing
[Figure: two separate policy chains (IDS1, AV1) versus combined DPI instances (DPI as a Service), where IDS1 is served by DPI1 and AV1 by DPI2]
Conclusion
- DPI is a common service used by today's middleboxes.
- Thanks to its scalability it may be easily exported as a stand-alone network service.
- DPI as a Service provides: innovation (lower entry barriers), network scalability, and lower costs (cheaper middlebox hardware).