Joint Techs 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA 95030 Voice: (408) 399-2284 Fax (408) 356-9446 Demonstration of 10 Gbps IDS/IPS.

Presentation transcript:

Demonstration of 10 Gbps IDS/IPS: The Meta Traffic Processor*
Livio Ricciulli (408)

*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award # ) and the Air Force Rome Laboratories.

Brief History

►Active Networks (DARPA Program)
 Change the behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc.)
  →Discrete: update the network through separate management operations
  →Integrated: packets cause the network to update itself
 Broad scope did not result in industry adoption
  →Lack of a “killer application”
  →Lack of tight industry interaction
  →Tried to change too much too soon
►Metanetworks’ bottom-up approach
 Achieve programmability while reusing the current infrastructure
 Augment networks with new, non-invasive technology
 Application-driven rather than design-driven
 Work closely with users/operators
 Revisit the hardware computational model

1-10 Gbps IDS/IPS Hardware

►Open architecture to leverage open source software
 More robust, more flexible, promotes composability
 Directly support Snort signatures
 Abstract the hardware as a network interface from the OS perspective
►Retain a high degree of programmability
 New threat models (around the corner)
 Extend to applications beyond IDS/IPS
►Line-speed/low latency to allow integration in production networks
 Unanchored payload string search
 Support analysis across packets
 Gracefully handle state exhaustion
►Hardware support for adaptive information management
 Detailed reporting when reporting bandwidth is available
 Dynamically switch to more compact representations when necessary
 Support the insertion of application-specific analysis code in the fast path

If You Cannot Measure It, You Cannot Manage It

►Knowing what is in your network is very important
 Catch misuse, both incoming and outgoing
 The FBI says that effective network monitoring (not even IDS) is among the top 3 most important things to do
 Who is using the bandwidth, and how
►Decentralization
 Cannot find out what the traffic is unless you do content inspection
 Many p2p applications randomly change ports (VOIP)
 Key exchanges need to be monitored
 Would like to know what applications are doing
►High speed, high complexity
 1G and 10G make content inspection a challenge
 Hardware/software co-design is a must

Flynn’s Computer Taxonomy

(Diagram: the SISD, SIMD, MISD and MIMD organizations. In each, memory holds the instructions “get packet, compare to rules, alert” and the packet data; in the parallel organizations the processors P0, P1 .. Pn feed a reduction network that produces the alert.)

MISD Programmable Hardware

(Diagram: the data stream, with its Data Valid and Receive Clock signals, enters the FPGA, where rules R1, R2 .. Rn run in parallel and feed a reduction network whose outputs are Match and Block; a memory attached to the FPGA holds state for stateful analysis, and a host interface reports to the host.)

(Diagram: Layer-1 blocking. In each direction the PHY’s RxData and RxEnable lines pass through an AND gate that is gated by the monitoring system’s Block Direction 1 and Block Direction 2 signals.)

Cost-effective & Powerful

(Diagram: PHY → FPGA (Layer-1 logic, RAM) → PHY, with the IPS/IDS host alongside. Static policies reach the FPGA through synthesis + firmware update; dynamic policies through compilation + runtime update. Packets/State: Read Only. Block + Fail Close. Latency < 0.5 μs; 1-8M concurrent flows; Mb-10Gb. A web-based signature management service is reached over the Internet.)

(Diagram: a host CPU running Snort IDS/IPS, with up to 6 cards/box.)

Content Inspection Performance Comparison

Static analysis of a large number of IDS signatures

(Diagram: the strings MATCHTHIS and CATCHTHISONE compiled into chains of AND gates fed by per-byte comparators; the comparators for the bytes the two strings have in common appear once and are shared between the two signatures.)

►Transform Snort rules or BPF expressions into a low-level declarative language
►Extract fine-grain parallelism across thousands of signatures
 Define independent FSMs, each implementing a signature
 Share comparison logic across multiple FSMs
►Synthesizer further optimizes
 Merge multiple FSMs sharing intermediate states
 Eliminate redundant rules
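As an added example (not Metanetworks’ compiler or hardware), the following Python models the compile step described above: each fixed-string signature becomes a chain FSM, FSMs with a common prefix are merged so they share intermediate states, byte comparators are shared across all rules, and the result is run as an unanchored search over a constructed byte stream. The signature names and the sample stream are constructed for the example.

```python
from collections import defaultdict

# Constructed sample rule set (not from the slides' rule database): fixed-string
# payload patterns; the first two mirror the MATCHTHIS/CATCHTHISONE figure.
SIGNATURES = {
    "sig_match": b"MATCHTHIS",
    "sig_catch": b"CATCHTHISONE",
    "sig_me":    b"MATCHME",
}

def naive_cost(signatures):
    """Independent FSMs, nothing shared: one comparator and one AND stage per byte."""
    return sum(len(p) for p in signatures.values())

def compile_shared(signatures):
    """Compile all signatures into one prefix trie.

    Each trie node is an FSM state; signatures with a common prefix share the
    states for that prefix (the 'merge FSMs sharing intermediate states' step).
    Byte comparators are shared too: the hardware needs one 'input == X'
    comparator per distinct byte value, however many rules use it.
    """
    trie = {0: {}}                 # state -> {byte: next_state}
    accept = defaultdict(list)     # state -> names of signatures ending there
    comparators = set()            # distinct byte values compared anywhere
    for name, pattern in signatures.items():
        state = 0
        for byte in pattern:
            comparators.add(byte)
            state = trie[state].setdefault(byte, len(trie))  # reuse or allocate
            trie.setdefault(state, {})
        accept[state].append(name)
    return trie, accept, comparators

def scan(stream, trie, accept):
    """Unanchored search over a byte stream, one byte per clock.

    A new FSM instance starts at every offset and all live instances advance
    together, which is what the parallel hardware does for free. Returns
    (signature, end_offset) pairs sorted by end offset.
    """
    live, hits = set(), []
    for i, byte in enumerate(stream):
        live.add(0)                                   # a match may start here
        live = {trie[s][byte] for s in live if byte in trie[s]}
        for s in live:
            hits.extend((name, i + 1) for name in accept.get(s, ()))
    return sorted(hits, key=lambda h: h[1])

def resource_report(signatures=SIGNATURES):
    """Compare the unshared design with the shared one."""
    trie, _, comparators = compile_shared(signatures)
    return {"naive_stages": naive_cost(signatures),
            "shared_states": len(trie) - 1,
            "comparators": len(comparators)}

if __name__ == "__main__":
    t, acc, _ = compile_shared(SIGNATURES)
    print(resource_report())
    print(scan(b"xxCATCHTHISONE..MATCHTHIS MATCHME", t, acc))
```

With the three constructed rules the unshared design needs 28 stages, while the shared trie needs 23 states and only 10 distinct byte comparators.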

Some Rule Compression Results

(Diagram: three deployment topologies, each with a CPU running IDS/IPS behind the card.)

Inline (in the path from the router/switch)
 →Use it for IPS or just to eliminate a TAP
 →Chain multiple cards
Passive (from a mirror port)
 →Traditional passive monitoring
 →Up to 6 cards per host
Multiple mirrors (to other passive devices)
 →Extend passive capacity
 →Can hang multiple passive devices off 1 TAP or Mirror

Layer-1 “T” Junction

(Table: Capture (C) and Block (B) bits for the rules ICMP and ICMP Echo, and the traffic that is captured and the traffic that leaves the junction; for an Echo packet the more specific ICMP Echo rule decides.)

Rule        C  B   Capture                        Output
ICMP        1  0
ICMP Echo   1  0   All ICMP                       All ICMP
ICMP        1  0
ICMP Echo   1  1   All ICMP                       All ICMP that is not an Echo
ICMP        1  0
ICMP Echo   0  1   All ICMP that is not an Echo   All ICMP that is not an Echo
ICMP        1  0
ICMP Echo   0  0   All ICMP that is not an Echo   All ICMP

Native IDS Acceleration

►Wire-speed capture of interesting flows
 Capture flows with specific bad signatures
 Pass flows known to be good
  →ISO image transfers, data files
►Open source IDS/monitoring tools
 Snort, Bro

(Diagram: all traffic enters the card; bad traffic goes to the CPU, optionally all traffic.)

Native IDS/IPS

►Wire-speed filtration of a subset of known bad packets
 Worms, viruses, rootkits
►Open source IDS/monitoring tools
 Snort, Bro to inspect bad traffic
►Dynamically add signatures
 “Lock down” while patching
►Filter DDoS streams before the bottleneck

(Diagram: all traffic enters the card; good traffic continues to the firewall or switch, bad traffic goes to the CPU.)

Transparent IDS Acceleration

►Wire-speed capture and filtration of good flows
 Capture flows known to be good for archiving
  →ISO image transfers, data files, etc.
►Other IDS/monitoring appliances only receive a fraction of the traffic

(Diagram: all traffic enters the card; good traffic optionally goes to the CPU, unknown traffic goes on to the other IDS.)

Redundant IDS

►Wire-speed capture of suspected flows
 Capture flows with specific bad signatures
 Pass and filter flows known to be good
  →ISO image transfers, data files
►Open source IDS/monitoring tools
 Snort, Bro

(Diagram: all traffic enters the card; bad traffic goes to the CPU, all traffic or unknown traffic goes to the other IDS, and the two results are correlated.)


(Diagram: stateful analysis. Packets are temporarily stored in a linked list; when a stateful match occurs, the packets are captured from the linked list.)

Each packet can be Captured and/or Blocked


10Gbps Information Bandwidth Management

►Host bandwidth is much smaller than fast-path bandwidth
 Flooding cannot be used to compromise the blocking capability
  →FP (false-positive) rate in blocking when state is exhausted
 Flooding can be exploited to reduce the efficacy of monitoring
►Need to find the needle in a haystack while coping with a flood of packets
 Hardware stateful analysis (implemented)
 Intelligent monitoring
 Application-level programmability (implemented)

Intelligent Monitoring (work in progress)

(Diagram: for each rule n, is its number of triggers > T? If so, switch off lower-priority rules and report only the number of triggers, NOT the entire packet. T = maximum number of alerts tolerable.)
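As an added example (not Metanetworks’ firmware), the following Python models the threshold test above for one reporting interval: up to T triggers are reported in full, and once the count exceeds T the lower-priority rules fall back to reporting trigger counts only, so a flood of low-value alerts cannot consume the host link that the high-priority alerts need. The rule table, priorities and trigger sequence are constructed for the example.

```python
from collections import Counter

# Constructed rule table (not the slides' rule set): name -> priority,
# where 0 is the most important rule.
RULES = {"shellcode": 0, "worm_probe": 1, "p2p_port_hop": 2, "icmp_echo": 3}

class AdaptiveReporter:
    """Model of the slide's n > T test for one reporting interval.

    T is the number of full alert records the host link can absorb. Up to T,
    every trigger is reported with its packet. Beyond T, rules with priority
    greater than keep_priority switch to count-only mode: the hardware still
    evaluates them but reports the number of triggers, not the packets.
    """

    def __init__(self, rules, t, keep_priority=1):
        self.rules, self.t, self.keep = rules, t, keep_priority
        self.full_reports = []           # (rule, packet) records sent to the host
        self.trigger_counts = Counter()  # count-only summaries per rule
        self.n = 0                       # triggers seen so far in this interval
        self.degraded = False

    def trigger(self, rule, packet):
        self.n += 1
        if self.n > self.t:
            self.degraded = True         # flood: shed lower-priority detail
        if self.degraded and self.rules[rule] > self.keep:
            self.trigger_counts[rule] += 1
        else:
            self.full_reports.append((rule, packet))

    def end_interval(self):
        """Emit (full records, count-only summary, degraded flag) and reset."""
        result = (list(self.full_reports), dict(self.trigger_counts), self.degraded)
        self.full_reports.clear()
        self.trigger_counts.clear()
        self.n, self.degraded = 0, False
        return result

def simulate(events, t):
    """Run a constructed list of (rule, packet) triggers through one interval."""
    reporter = AdaptiveReporter(RULES, t)
    for rule, packet in events:
        reporter.trigger(rule, packet)
    return reporter.end_interval()

# Constructed trigger sequence: one real alert, an ICMP echo flood, then two
# high-priority alerts that must still arrive in full.
FLOOD = ([("shellcode", "pkt-1")]
         + [("icmp_echo", f"pkt-{i}") for i in range(2, 8)]
         + [("worm_probe", "pkt-8"), ("shellcode", "pkt-9")])

if __name__ == "__main__":
    full, counts, degraded = simulate(FLOOD, t=3)
    print(len(full), "full records;", counts, "count-only;", degraded)
```

With T = 3 the flood leaves five full records (all high-priority alerts among them) and a single counter for the echo triggers; with a large T every trigger is reported in full.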

User-level Programmability

►User-level programmability
 Define an API to let users write ad-hoc wire-speed code
 Add user modules to the synthesis flow and share the reduction network
 Architecture provides determinism
  →It either fits or it does not fit in the FPGA
  →It either meets timing or does not meet timing
  →Load/store network processing is much harder to predict

(Diagram: inside the FPGA, Layer-1, the Packet Processor, Common Functions, the Reduction Network and the PCI Interface/Host Interface surround a User Defined block; the user module sees a Memory Interface (Address, Data, RW) and Payload, Offset and Valid inputs, and drives Block and Capture outputs. Applications run on a standard OS on the host.)

Roadmap

(Timeline Q4-03, Q1-04, Q2-04, Q3-04, Q4-04, Q1-05, Q2-05, Q3-05, Q4-05, Q1-06, Q3-06, Q4-06, Q1-07: G PCI Card, Signature Services, Compiler, 1G Appliance, 10G PCI Card, API, Multiple FPGA 10G, Multiple FPGA 1G.)

IDS/IPS Demonstration

►Background traffic saturates the line
►Stateful HTTP traffic added to the background traffic
►Show that we can capture based on content
 9.6 billion comparisons per second (600 rules x 16 Mpps)
►Show that we can filter based on content

(Diagram: HTTP clients and an HTTP server, with a Spirent SMB-6000 generating the load; all traffic, captured traffic and filtered traffic are shown, with CRC.)

Summary

►Extremely low latency design enables a wide variety of deployment options
►Leverage open source software
►1G and 10G available today
►Processing paradigm lends itself to ad-hoc application-level programmability

Livio Ricciulli (408)