1 Using Snort/Sguil on 10 Gigabit Networks Livio Ricciulli Chief Security Scientist (408) 835-5005 *Supported by the Division.

1 Using Snort/Sguil on 10 Gigabit Networks. Livio Ricciulli, Chief Security Scientist, (408). *Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards # , ) and the Air Force Rome Laboratories.

2 1-10 Gbps Programmable Network Security
Open architecture to leverage open source software
–More robust, more flexible, promotes composability
–Hardware acceleration of important network applications
–Abstract the hardware as a network interface from the OS perspective
Retain a high degree of programmability
–Extend to applications beyond IDS/IPS
–New threat models (around the corner)
Line speed / low latency to allow integration in production networks
–Unanchored payload string search
–Support analysis across packets
–Gracefully handle state exhaustion
Hardware support for adaptive information management
–Detailed reporting when reporting bandwidth is available
–Dynamically switch to more compact representations when necessary
–Support the insertion of application-specific analysis code in the fast path

3 Available Today
P10 PCI Card (10 GbE interface)
–High speed PCI card in 1U chassis
–Wire-speed stateful deep packet inspection; 20G-in/20G-out
–650 static rule capacity; 65 dynamic rules (currently being increased)
–8 million concurrent flows
P1 PCI Card (GbE interface)
–High speed PCI card in 1U chassis
–Wire-speed stateful deep packet inspection; 2G-in/2G-out
–1000 static rule capacity; up to 200 dynamic (currently being increased)
–2 million concurrent flows
P1/P10 Appliance
–1U host embeds a P1 or P10 PCI card
–Software and drivers pre-installed and pre-configured

4 Architecture

5 Product Architecture (diagram): a management path doing synthesis plus firmware update for static policies and runtime update for dynamic policies; a data path of PHY, FPGA (Layer-1) with RAM, PHY; latency ~1.3 μs; 100 Mb to 10 Gb; 2-8M concurrent flows; blocks labelled State, Read Only Block, and Packets or Stats toward the host.

6

7 Firewall and IDS/IPS

8 Firewall IDS/IPS
High Performance (> 330K cps; 20 Gbps)
Unique level of programmability
–What is IN and what is OUT?
–Two organizations sharing each other’s services
–Insider attacks
–Can define stateful policies asymmetrically or symmetrically
–Hardcode part of the policies in hardware
–Keep software-like flexibility
–Can code specific policies directly into the fast path
Layer-1
–Invisible µs latency
–True line rate (20 Gbps)
–Drops in and out with NO L2/L3 reconfiguration

9 Power Failure
No power
–Stateful in-line: no packet loss; no loss of connection state
–Traditional rerouting: L2/L3 convergence time; loss of state
(Diagram: CPU and reporting path, with the hardware bypass carrying traffic.)

10 OS Upgrade
Soft reboot, OS reconfiguration, change OS
–Forwarding + policies are unaffected; no loss of connection state
–Once the upgrade is over the OS reattaches to the forwarding path
(Diagram: CPU and reporting path, with the hardware bypass carrying traffic.)

11 Policy update
Fast-path reconfiguration (new policies are added/deleted)
–Loading new static policies: open for < 1s; loss of connection state
–Loading dynamic policies: no loss of state
(Diagram: CPU and reporting path, with the hardware bypass carrying traffic.)

12 Configuration + Reporting
Compile policies off-line
–Makefile (open Unix CLI environment)
–Add user code in the fast path
Add Permit and Deny on the fly
–Immediate action
Run any pcap application on the interface
–Use Snort’s output plugins: syslog, …, packet archive
MIB-II Host/Interface Monitoring
–Disk, daemons, SNMP traps

13 Testing
Need a LOT of equipment to assess
–Separate test equipment behavior from P10 behavior
–DoS scenarios with stateless generation are easy
Connections/second up to 330k
Measured stateful throughput up to 9.5 Gbps
–Not enough gear to fill up the pipe with stateful traffic yet
–Stateless traffic up to 20 Gbps
(Table: Connections per Second vs. Percentage Retries; the values did not survive in the transcript.)

14 200Mbs

15 Stateful Content Inspection Performance Comparison

16 Current API

17 User-level programmability
–Define an API to let the user write ad-hoc wire-speed code
–Add user modules to the synthesis flow and share the reduction network
–Architecture provides determinism
–It either fits or it does not fit in the FPGA
–It either meets timing or does not meet timing
–Load/store network processing is much harder to predict
(Diagram: inside the FPGA, a Memory Interface, Packet Processor, Host Interface/PCI Interface, Block Capture, Common Functions and Reduction Network surround a User Defined module that receives Payload, Offset and Valid signals and addresses memory via Address/Data/RW; Layer-1 Applications sit beside a Standard OS on the host.)

18 Hello World!

19 Count Destination Ports with FPGA

```verilog
// Count destination ports with the FPGA: one counter per TCP/UDP destination port,
// kept in a dual-port memory. Port 1 is read/written by the packet clock (clk);
// port 2 is read by the host over the configuration clock (cnfclk).
// Register widths below are assumed; the slide shows only the process body.
reg [7:0]  proto;
reg [15:0] dstp;
reg [31:0] newval;
reg        write;

memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
           .c2(cnfclk), .a2(address[15:0]), .do2(valout));

always @(posedge clk) begin
  if (offset == 1) begin
    proto <= data[7:0];                              // Get protocol number
  end else if (offset == 2 && (proto == 6 || proto == 17)) begin
    dstp <= data[31:16];                             // Get destination port if TCP or UDP
  end else if (offset == 4 && dstp != 0) begin       // 1 cycle later the counter is read
    newval <= oldvalout + 1;                         // increment counter
    write  <= 1;                                     // write counter
  end else begin
    write  <= 0;
  end
end
```

20 Reuse existing Open Source

21 IPv6 Security Hardware
IPv6 options provide a covert channel
–Ex. Joe 6 pack (j6p-1.0.tar.gz, http://people.suug.ch/~tgr/misc/j6p-1.0.tar.gz) uses the IPv6 Destination option for transport
Want to see what IPv6 options are used for (for example source routing)
–Extend hardware payload match semantics to the IPv6 header
Tunneling
–Want to inspect the headers of multiple tunnels

22 Additions to IPv6 API
8-bit “parse” value indicating which section of the packet is being clocked in
–Unknown
–IPV4 = 0x4
–Payload = 0xFE
–TCP = 0x6
–ICMPV4 = 0x1
–UDP = 0x11
–IPV6 = 41
–Routing = 43
–Fragment = 44
–Destination = 60
–Authentication = 51
–Security Payload = 50
–ICMPv6 = 58
–Hop by Hop = 0
Counters
–Tunnel “tcnt” counter
–Length offset within the section pointed to by “parse”
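The parse/tcnt/length semantics of slides 21 and 22, as an added Python walker over an IPv6 header chain (this is illustrative code, not the P10 firmware or its API): each section is labelled with the slide's section code, the tunnel counter is bumped when a second IP header appears, and option headers and tunnels are reported, which is what slide 21 wants to see. The section codes come from the slide; the function names, the Payload section after TCP/UDP and the sample packet are constructed assumptions.

```python
import struct

# Section codes from the slide: IANA protocol numbers plus the deck's 0xFE payload marker.
HOP_BY_HOP, ICMPV4, IPV4, TCP, UDP = 0, 1, 4, 6, 17
IPV6, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DESTINATION = 41, 43, 44, 50, 51, 58, 60
PAYLOAD = 0xFE

def walk_ipv6(pkt):
    """Return [(parse, offset, length, tcnt), ...], one tuple per section in wire order."""
    out, off, nh, depth, tcnt = [], 0, IPV6, 0, 0
    while off < len(pkt):
        try:
            if nh in (IPV6, IPV4):                    # a second IP header means a tunnel
                tcnt, depth = tcnt + (1 if depth else 0), depth + 1
                ln, nxt = (40, pkt[off + 6]) if nh == IPV6 else ((pkt[off] & 0xF) * 4, pkt[off + 9])
            elif nh in (HOP_BY_HOP, DESTINATION, ROUTING):
                ln, nxt = (pkt[off + 1] + 1) * 8, pkt[off]   # 8-octet units, first unit not counted
            elif nh == FRAGMENT:
                ln, nxt = 8, pkt[off]
            elif nh == AH:
                ln, nxt = (pkt[off + 1] + 2) * 4, pkt[off]   # 4-octet units, first two not counted
            elif nh == TCP:
                ln, nxt = (pkt[off + 12] >> 4) * 4, PAYLOAD
            elif nh == UDP:
                ln, nxt = 8, PAYLOAD
            else:                                     # ESP, ICMP, payload or unknown: opaque from here
                out.append((nh, off, len(pkt) - off, tcnt))
                break
        except IndexError:                            # truncated header: the slide's Unknown case
            break
        if ln == 0 or off + ln > len(pkt):
            break
        out.append((nh, off, ln, tcnt))
        off, nh = off + ln, nxt
    return out

def review(sections):
    """What slide 21 wants to see: which option headers appear, and how deep the tunnels go."""
    notes = ["option-header-%d" % s[0] for s in sections if s[0] in (HOP_BY_HOP, DESTINATION, ROUTING)]
    depth = max((s[3] for s in sections), default=0)
    return notes + (["tunnels=%d" % depth] if depth else [])

def ipv6_hdr(nxt, payload_len):
    # Constructed header: version 6, hop limit 64, all-zero addresses.
    return struct.pack("!IHBB", 0x60000000, payload_len, nxt, 64) + bytes(32)

# Constructed sample: IPv6 -> Destination options -> IPv6 (tunnel) -> UDP -> 4-byte payload.
UDP_SEG = struct.pack("!HHHH", 1234, 53, 12, 0) + b"ping"
INNER = ipv6_hdr(UDP, len(UDP_SEG)) + UDP_SEG
DSTOPT = bytes([IPV6, 0, 1, 4, 0, 0, 0, 0])       # next=41, ext len=0 (8 bytes), one PadN option
SAMPLE = ipv6_hdr(DESTINATION, len(DSTOPT) + len(INNER)) + DSTOPT + INNER
```

Running `review(walk_ipv6(SAMPLE))` reports the destination-option header and a tunnel depth of 1, the two things the deck says the hardware should expose.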

23 Open Source Alert Aggregation (Sguil)

24 Architecture (diagram): sensors running Snort, Barnyard, Sancp, TCPFlow and P0F feed Sguild, which keeps alerts in a MySQL database; the Sguil client talks to Sguild and reaches the Snort database, DShield database, Whois database and DNS over the Internet.

25 Sguil Aggregation and Analysis (screenshots): real-time Snort events; who is knocking on whom? why did we trigger?

26 Analysis support (annotated packet capture): recognize the attack; blow the stack; glue code; overwrite password; did the overflow make it?

27 You are not alone; one Sguil click reaches the Snort database and the DShield database.

28 Summary
Extremely low latency design enables a wide variety of deployment options
Leverage open source software
1G and 10G available today
Processing paradigm lends itself to ad-hoc application-level programmability
Livio Ricciulli (408)

29 Thank You