Securing and Monitoring 10GbE WAN Links Steven Carter Center for Computational Sciences Oak Ridge National Laboratory.


Disclaimer
Oak Ridge National Laboratory does not endorse any particular product. This presentation merely details our experience and chosen course of action (i.e. I am not a patsy for Force10).

Requirements
- Wire rate intrusion detection (i.e. 20Gb/s)
- Little or no latency
- Low administrative/development overhead
- Flexible (used for IDS and protocol monitoring)
- Scalable (we have 5+ 10G links that we would like to monitor)
- Affordable

Approaches
Divide and conquer: use a piece of network equipment (e.g. a Juniper router) to divide the stream of packets by some attribute (e.g. destination port) into smaller, more easily handled streams for processing.

Approaches (cont.)
Host intensive: send the full (or possibly filtered) stream to the host CPU for inspection.
NIC intensive: the NIC does the packet inspection.

The Contenders
- Intel, Neterion, Chelsio 10G NICs
- Endace DAG 6.2SE
- Force10 P-Series (formerly MetaNetworks)

Initial Pros/Cons
Standard 10G NICs
- Inexpensive
- A single host is unable to keep up with a full-rate, full-duplex connection
Endace DAG 6.2SE
- Offload allows a single host to inspect more traffic (~13Gb/s), but you need a beefy host
- Timestamps
- Only available with 1310nm optics
- Expensive

Initial Pros/Cons (cont.)
Force10 P-Series
- Less expensive
- Complete offload
- Scalable
- Can block packets if used in-line
- Supports too few Snort rules (700 shared between 2 channels)
- Long compile time
- PCI bus (1Gb/s between the card and the host)

Initial Test Setup (diagram): test hosts and switches carrying saturating traffic (~10Gb/s) plus simulated nefarious traffic, delivered to the P-Series and DAG hosts via an optical tap and a port mirror.

DAG Results
- Circular buffer started overflowing at ~5Gb/s (could likely be tuned better)
- Not a generic network interface (either use the provided dag* utilities or a special version of libpcap)
- Only one tool can be used at a time

P-Series Results
- Able to handle full rate (~10Gb/s)
- Presented as a generic interface (i.e. can run Bro, Snort, and tcpdump simultaneously)
- Supports too few Snort rules (700 shared between 2 channels)... you have to choose well
- Long compile time (long test cycles)

Our Decision
- The DAG 6.2SE is way too expensive for what you get. We could not afford to use it on 5+ links.
- The Force10 P-Series had the best strategy and would scale best to fit our needs.
- Although the card doubled in price, the next generation is slated to have stateful firewall features, more real estate, and a PCI-X (should be PCIe) interface. This makes for a very cost-effective, flexible firewall, IPS, and protocol analysis solution.

Working Around the Rule Limitation
- Send known low-rate traffic (ICMP, DNS, HTTP, etc.) to the host CPU to be compared against the full complement of Snort rules.
- Send the first few packets of every connection to the host CPU to be compared against the full complement of Snort rules (either via the state register or through the API).
- Use the rules on the card for high-rate traffic.
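To make the three-way split on this slide concrete, here is an added example (mine, not ORNL's or Force10's code) of the steering policy as a flow classifier: known low-rate protocols and the opening packets of every connection go to the host's full Snort rule set, the rest of each high-rate flow stays on the card. The Packet type, the port set and the "first 3 packets" threshold are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added illustration of the slide's traffic split; not ORNL's or Force10's code.
# The port set and the "first few packets" threshold are assumptions.
ICMP, TCP, UDP = 1, 6, 17
LOW_RATE_PORTS = {53, 80}          # DNS and HTTP, named on the slide
FIRST_PACKETS_TO_HOST = 3          # "first few packets" of each connection (assumed 3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


class Steering:
    """Decide whether a packet goes to the host CPU for the full Snort rule
    set ("host") or stays on the card with its reduced rule set ("card")."""

    def __init__(self, first_n=FIRST_PACKETS_TO_HOST):
        self.first_n = first_n
        self.flows = defaultdict(int)  # 5-tuple -> packets seen so far

    def classify(self, pkt):
        # 1. Known low-rate protocols are cheap enough to inspect in full.
        if pkt.proto == ICMP or {pkt.sport, pkt.dport} & LOW_RATE_PORTS:
            return "host"
        # 2. Every other connection shows its opening packets to the host,
        #    where the handshake and protocol headers are most revealing.
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        self.flows[key] += 1
        if self.flows[key] <= self.first_n:
            return "host"
        # 3. The bulk of a high-rate flow is left to the card's rules.
        return "card"


def steer_sample():
    """Constructed sample: one ICMP echo, one DNS query, and a five-packet
    bulk TCP transfer on an arbitrary high port (all addresses made up)."""
    s = Steering()
    bulk = [Packet("192.0.2.10", "198.51.100.7", TCP, 40000, 50001) for _ in range(5)]
    sample = [Packet("192.0.2.10", "198.51.100.7", ICMP),
              Packet("192.0.2.10", "198.51.100.53", UDP, 5353, 53)] + bulk
    return [s.classify(p) for p in sample]


if __name__ == "__main__":
    print(steer_sample())  # host, host, then host x3 and card x2 for the bulk flow
```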

Final Setup
- 3U dual 2.8 GHz Opteron
- 8 GB RAM
- 3TB of internal RAID 5 storage
- 2 P-Series cards (room for a third)

Final Testing (diagram): a border router and test host carrying saturating traffic (~9Gb/s) plus "real" Internet traffic, delivered through a switch to the P-Series host.

Conclusion
The Force10 P-Series takes a good approach to the problem. It allows us to secure and monitor several 10G links for a reasonable price. The next generation is even more promising, allowing the merging of IPS with firewalling capabilities.

Questions?