Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Gbps programmable IDS/IPS Livio Ricciulli (408) The Meta Traffic Processor* *Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award # ) and the Air Force Rome Laboratories. Rome Laboratories

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►Founded in 1999 by Livio Ricciulli  Out of SRI International →Leading 7 years of Government-funded research →Industry patents worth $$$$  Award-winning DARPA research (SRI, Columbia)  Spun off Reactive Network Solutions › $5M+ VC investments › Leading flooding detection and mitigation product › Several “early” patent-pending applications › Major player in evolving DDoS market consolidation  Currently dedicated to bringing advanced network processing technology to market MetaNetworks

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►Active Networks (DARPA Program)  Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc..) →Discrete. Update network through separate management operations →Integrated. Packets cause network to update itself  Broad scope did not result in industry adoption →Lack of “killer application” →Lack of tight industry interaction →Tried to change too much too soon ►Metanetworks’ bottom-up approach  Achieve programmability while reusing current infrastructure  Augment networks with new, non-invasive technology  Application-driven rather than design-driven  Work closely with users/operators  Revisit hardware computational model Brief History

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►Open architecture to leverage open source software  More robust, more flexible, promotes composability  Directly support Snort signatures  Abstract hardware as a network interface from OS prospective ►Retain high-degree of programmability  New threat models (around the corner)  Extend to application beyond IDS/IPS ►Line-speed/low latency to allow integration in production networks  Unanchored payload string search  Support analysis across packets  Gracefully handle state exhaustion ►Hardware support for adaptive information management  Detailed reporting when reporting bandwidth is available  Dynamically switch to more compact representations when necessary  Support the insertion of application-specific analysis code in the fast path 1-10 Gbps IDS/IPS Hardware

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►Knowing what is in your network is very important  Catch misuses both incoming and outgoing  FBI says that effective network monitoring (not even IDS) is in top 3 most important things to do  Who or what is using the bandwidth ►Decentralization  Cannot find out what the traffic is unless you do content inspection  Many p2p applications randomly changing ports (VOIP)  Key exchanges need to be monitored  Would like to know what applications are doing ►High Speed High Complexity  1G and 10G make content inspection a challenge  Hardware/Software co-design is a must  Packet loss is a BIG problem If you Cannot Measure it, You Cannot Manage it

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) MemoryProcessor Memory Instructions Get packet Compare to rules Alert Data Flynn’s Computer Taxonomy Processor Memory Instructions Get packet Compare to rules Alert Data P0.. P1Pn Reduction Network Data Alert Instructions P0.. P1Pn Reduction Network Alert Data Instructions SISD MIMD MISD SIMD

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) R1.. R2 Rn Reduction Network Block Data Stream FPGA Data Valid Receive Clock Match Memory Host Interface Stateful Analysis MISD Programmable Hardware

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Block Direction 1 Block Direction 2 Monitoring System AND PHY RxData RxEnable PHY RxEnable RxData AND

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) PHY FPGA L-1 RAM IPS/ IDS Synthesis + firmware update Dynamic Policies PHY Static Policies Compilation + runtime update Packets State Read Only Block + Fail Close Latency < 0.5 μs < 1500 < Mb-10Gb 1-8M Concurrent Flows Cost-effective & Powerful Interne t Web-based signature management service

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) CPU Snort IDS/IPS Up to 6 cards/box

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Content Inspection Performance Comparison

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) MA TC HT S HI & & & & & 1 | CA 1 & & & & & & SO NE MATCHTHIS CATCHTHISONE Static analysis of large number of IDS signatures ►Transform Snort rules or BPF expressions into a low-level declarative language ►Extract fine-grain parallelism across thousands of signatures  Define independent FSMs each implementing a signature  Share comparison logic across multiple FSMs ►Synthesizer further optimizes  Merge multiple FSMs sharing intermediate states  Eliminate redundant rules

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Some Rule Compression Results

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) CPU IDS/IPS CPU IDS/IPS Router/Switch Multiple Mirrors Inline Passive CPU IDS/IPS Mirror Port Passive Inline To other passive devices To other passive device →Use it for IPS or just to eliminate a TAP →Chain multiple cards →Traditional passive monitoring →Up to 6 cards per host →Extend passive capacity →Can hang multiple passive devices off 1 TAP or Mirror

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Layer-1 “T” Junction CB ICMP10 ICMP Echo10 ICMP10 ICMP Echo11 ICMP10 ICMP Echo01 ICMP10 ICMP Echo00 CaptureOutput All ICMP All ICMP that is not an Echo ALL ICMP that is not an Echo All ICMP that is not an Echo All ICMP

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408)

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Packet temporarily stored in a linked list Stateful matches Packets captured from linked list

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Each packet can be Captured and/or Blocked

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408)

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►User-level programmability  Define API to let user write ad- hoc wire-speed code  Add user modules to synthesis flow and share reduction network  Architecture provides determinism →It either fits or it does not fit in the FPGA →It either meets timing or does not meet timing →Load/store network processing much harder to predict User-level programmability Memory Interface Packet Processor Host Interface User Defined Address Data RW Payload Offset Valid Payload Block Capture Common Functions Reduction Network Block Capture PCI Interface Layer-1 Applications Standard OS User Defined Offset Valid Capture Payload Block FPGA

Metanetworks 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) ►Extremely low latency design enables a wide variety of deployment options ►Leverage Open Source software ►1G and 10G available today ►Processing paradigm lends itself to ad-hoc application level programmability Livio Ricciulli (408) Summary