Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform

Slides:

Advertisements

Similar presentations

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Advertisements

IDPS (Intrusion Detection & Prevention System )

CS/CoE 535 : Snort Lite - Fall Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

Efficient VM Introspection in KVM and Performance Comparison with Xen

1 Ally: OS-Transparent Packet Inspection Using Sequestered Cores Jen-Cheng Huang 1, Matteo Monchiero 2, Yoshio Turner 3, Hsien-Hsin Lee 1 1 Georgia Tech.

Accelerating the Path to the Guest

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Efficient Multi-Match Packet Classification with TCAM Fang Yu

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Host Intrusion Prevention Systems & Beyond

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

Kamalapurkar Shounak Rajarshi Salil Joshi Rohan Bhavsar Sagar Pai Sandesh Low Latency Publisher-Subscriber Network for Stock Market Application Team WhiteWalkers.

Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

FEATURES & FUNCTIONALITY. Page 2 Agenda Main topics Packet Filter Firewall Application Control Other features.

MIDeA :A Multi-Parallel Instrusion Detection Architecture Author: Giorgos Vasiliadis, Michalis Polychronakis,Sotiris Ioannidis Publisher: CCS’11, October.

Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.

© 2010 IBM Corporation Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking Alex Landau, David Hadas, Muli Ben-Yehuda IBM Research –

COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Para-Snort : A Multi-thread Snort on Multi-Core IA Platform Tsinghua University PDCS 2009 November 3, 2009 Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue.

TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES Lesson №18 Telecommunication software design for analyzing and control packets on the networks by using.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Module 7: Advanced Application and Web Filtering.

Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.

Hardened IDS using IXP Didier Contis, Dr. Wenke Lee, Dr. David Schimmel Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang  Current.

CS/CoE 535 : Snort Lite - Fall Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

Exploiting Task-level Concurrency in a Programmable Network Interface June 11, 2003 Hyong-youb Kim, Vijay S. Pai, and Scott Rixner Rice Computer Architecture.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

Emerging applications in cloud High performance computing E-Commerce Media hosting Web hosting Content delivery... –from Amazon AWS survey 1 Emulated network.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Final Project: Advanced Security Blade IPS and DLP blades.

Considerations for Benchmarking Virtual Networks Samuel Kommu, Jacob Rapp, Ben Basler,

New Approach to OVS Datapath Performance

NFV Compute Acceleration APIs and Evaluation

IDS Intrusion Detection Systems

Snort – IDS / IPS.

DPDK API and Virtual Infrastructure

Need for high performance Data Plane

Virtualization overview

NSH_SFC Performance Report FD.io NSH_SFC and CSIT Team

Virtualization & Security real solutions

James Logan CS526 Dr. Chow April 29, 2009

Present By:- Company Name: Global Market Forecastes Tel: / Web:

NETWORK SECURITY LAB Lab 9. IDS and IPS.

Virtio Inline Accelerator

Yan Chen Department of Electrical Engineering and Computer Science

Virtio Keith Wiles July 11, 2016.

Open vSwitch HW offload over DPDK

Cloud computing mechanisms

2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix.

Enabling TSO in OvS-DPDK

Encrypting OVN tunnels with IPsec

IP Control Gateway (IPCG)

NetCloud Hong Kong 2017/12/11 NetCloud Hong Kong 2017/12/11 PA-Flow:

Firewall Installation

Hosted Security.

Intrusion Detection Systems

Flow Processing for Fast Path & Inline Acceleration

Platform Performance Acceleration

Interrupt Message Store

Presentation transcript:

Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform Cheng-Chien SU Fang-Chen KUO LIONIC Corp.

What is Deep Packets Inspection? Application Identification Content Inspection Device Identification Packets flow pass through the network Malicious Websites Viruses Hack’s Intrusion . . . . . . . . . Router / Setup-Box Gateway

Deep Packet Inspection Problem (Snort2.9.11) Packet 1 Gbps (Line rate) reduced 96% throughput 0.038 Gbps Note: Intel Atom C3958 Platform

Agenda DPI Workflow How to improvement DPI throughput in Intel Platform DPDK Hyperscan Content Merging Multiple vDPI Function on OVS-DPDK Platform Throughput Comparison

DPI Workflow (1/2) Flow Management Pre-Filter Post-Checker Flow Action Multiple Pattern Matching for Payload Packet In Packet Out Network Interface Controller

Network Interface Controller DPI Workflow (2/2) Flow Management Pre-Filter Post-Checker Flow Action L3&L4 header matching More exactly pattern matching Packet In Packet Out Network Interface Controller

Network Interface Controller DPI - Example Flow Management Pre-Filter Post-Checker Flow Action alert tcp any any -> 192.168.0.0/16 any (msg:”VIRUS”; content:”virus”; dsize:300<>400; sid:10000;) alert tcp any any -> 192.168.1.0/24 any (msg:”SKYPE”; content:”skype”; pcre:”/^skype=[0-9a-z]{10}/”; sid:20000;) alert UDP 192.168.0.0/16 any -> any 53 (msg:”DNS Query”; content:”google”; pcre:”/\x01\x00.*google0x03.com/”; sid:30000;) Packet In Packet Out Network Interface Controller

How to improvement DPI throughput in Intel Platform Flow Management Pre-Filter via Hyperscan Pre-Filter Post-Checker Flow Action Packet In via DPDK Packet In Packet Out via DPDK Packet Out Network Interface Controller

Content Merging (1/2) Pre-filter support regular expression Increase the complexity of pattern to reduce the number of post check Compatible with snort format

Content Merging (2/2) alert tcp $EXTERNAL_NET any -> $HOME_NET any (content:"|12 01|"; content:"|01 00 00 00|"; within:5; distance:2;) Pattern: “\x01\x00\x00\x00” Regular Expression: “\x12\x01.{2,3}\x01\x00\x00\x00”

Lionic DPI SDK (1/2) Lionic DPI-SDK provide antivirus, intrusion prevention system, application identification, device identification and web content filtering. Lionic DPI-SDK is compatible with snort rule format. Lionic DPI-SDK supports DPDK and Hyperscan.

Lionic DPI SDK (2/2) Lionic DPI SDK Signature Database IPS Signature Virus Signature Anti-Virus IPS Signature Intrusion Prevention System Device Signature Device Identification Application Signature Application Identification Web Content Cloud Database Web Content Filtering Signature Database Applications Services Hardware DPI – LA3000 Pattern Matching Processor (Silicon IP) Software DPI Pattern Matching Library DPI Engine Lionic DPI SDK

Multiple vDPI Function on OVS-DPDK Platform DPDK vHost Acceleration NIC VM vDPI Function with Hyperscan VirtIO DPDK IPS App Ident Antivirus ovs-vswitchd ofproto

Test Platform Specification Hardware – NEXCOM vDNA 1160 Intel Atom C3958 SoC 16 cores @ 2GHz Memory: 32GB NIC: Intel i350 AM4 1GbE*4, Marvell PHY 1GbE*2 OS: Debian 9.4 OvS version: 2.9.0 DPDK version: 18.02.1 Hyperscan version: 4.7.0 Snort Version: 2.9.11 All the VMs are created by KVM and emulated by QEMU Run IXIA IxLoad (version 3.30.58.17) on the provided environment

Test Environment NIC NIC HTTP Traffic Guest VM vDPI Function with Hyperscan VirtIO DPDK HTTP Traffic OvS-DPDK NIC NIC

Throughput Comparison vDPI Function Throughput (Mbps) Impact No inter-VM 872.29 0% Snort (NFQ, Aho-Corasick) 38.71 96% Snort (NFQ, Hyperscan) 95.84 89% Snort (DPDK, Hyperscan) 269.39 69% Lionic-IPS (DPDK, Hyperscan) 795.02 9% Lionic-App_Ident (DPDK, Hyperscan) 864.77 1% Note: IPS rules are 9791, App_Ident rules are1858

Snort Resource Snort access packets via DAQ module Patch for DAQ-2.0.6 available at: http://seclists.org/snort/2016/q2/385 Follows the instruction on the page to build Snort with patched DAQ module Snort 2.9.x does not support using Hyperscan as MPSE Patch for Snort 2.9.8.2 are available at: https://01.org/zh/downloads/hyperscan-integration-snort-2.9.8.2-and- 2.9.9.0?langredirect=1 Some modification based on the patch to support Snort 2.9.11.1

THANK YOU! arthur.su@lionic.com kuo.kuo@lionic.com