Slide 1: Deep Packet Inspection as a Service
Anat Bremler-Barr, IDC Herzliya
Joint work with Yotam Harchol, David Hay and Yaron Koral, The Hebrew University
Appeared at CoNEXT 2014. www.deepness-lab.org
This work was supported by the European Research Council (ERC) Starting Grant no. 259085 and the "Neptune" consortium.

Slide 2: Middlebox: Current Status
Many Middleboxes (MB); in some cases even more than switches and routers.
Two revolutions:
– Software Defined Networks (SDN): controlling the routing; easier to realize service chains
– Network Function Virtualization (NFV): from HW to SW; rethinking MB architecture
Examples of MBs: DDoS protection, Firewall, IDS, Load balancer, Ad insertion.

Slide 3: NFV: Hardware MB to Software MB
Hardware Middlebox:
– Not flexible
– Expensive
– Hard to manage (many vendors)
– Not multi-tenant
– Difficult to add new features
– Constraining innovation: higher entry barrier
Software Middlebox:
– Performance penalty: commodity servers, VMs, no hardware accelerators
We suggest a new MB architecture that improves performance and innovation using NFV and SDN.

Slide 4: Our approach: MB common modules as a service
Break the MB architecture into common modules, e.g. many MBs use Deep Packet Inspection (DPI).
Provide modules as a service:
– A single module provides a service to many different kinds of MBs
– In a service-chain scenario, packets use the service only once rather than repeatedly in each MB
DPI as an example.

Slide 5: DPI-Based Middleboxes
Intrusion Detection System, Network Anti-Virus, L7 Firewall, L7 Load Balancer, Leakage Prevention System, Network Analytics, Traffic Shaper, Lawful Interception, Copyright Enforcement.
A MB processes the packet header or the payload; the latter uses a DPI engine.

Slide 6: DPI Engine: a Complicated Challenge
Pattern set size varies between 10^2 and 10^5 patterns.
The DPI engine is considered a system bottleneck in many of today's MBs (30%-80%) [laboratory simulations over real deployments of Snort and ClamAV].
Hundreds of academic papers over recent years on: scalability, throughput, latency, power, resiliency, updates, compression.

Slide 7: Middlebox Service Chains
Each packet is scanned multiple times, wasting computation resources.
Each MB implements its own DPI engine (higher MB costs, reduced features).

Slide 8: Our Solution: DPI as a Service
Contribution: the idea of a centralized DPI service instead of multiple instances of it at each Middlebox.
Benefits:
– Innovation: lower entry barriers
– Reduced costs: cheaper MB HW/SW
– Improved performance: scan each packet once
– Rich DPI functionality: invest once for all MBs
– Enhanced data plane: potential to enhance switches

Slide 9: Agenda
Architecture aspects of DPI as a service:
– DPI controller
– Passing results from the DPI to the MBs
Scalable algorithm that combines DPI patterns from different MBs
Experimental results
Vision and future work

Slide 10: Architecture

Slide 11: Service chain of MBs in NFV
(Figure: L7 FW1, IDS1, IDS2, AV1, AV2 and TS running as VMs behind switches S1-S4; traffic steering by the SDN Controller.)

Slide 12: DPI as a Service
(Figure: the service chain of slide 11 with a DPI instance added. Modified service chain: DPI, AV1, TS, IDS1, L7 FW1. Traffic steering by the SDN Controller.)

Slide 13: DPI2 Architecture Overview
(Figure: the same topology with DPI1 and a DPI Controller next to the SDN Controller's traffic steering.)
New elements: DPI controller, multiple DPI instances.

Slide 14: Details: DPI instance
– A MB sends its pattern set to the DPI controller
– A DPI instance receives an aggregated pattern set from the DPI controller
– The DPI instance scans incoming packets against the aggregated pattern set
– Each pattern and each MB has a unique ID
– Each packet may contain several pattern matches; all pattern-match results are attached to the packet
Result example (from the slide):
MB: 1; ID: 139; Offset: 90
MB: 2; ID: 14; Offset: 109
MB: 3; ID: 723; Offset: 201
MB: 4; ID: 221; Offset: 507
…

Slide 15: DPI2 Architecture Overview (SDN)
(Figure: control messages between the MBs, the DPI controller and the SDN controller: hello, Register Patterns, Add Patterns, Update Service Chain.)

Slide 16: Passing Results
Use a dedicated new header in the packet; a common need for many network services.
Network Service Header (NSH): IETF draft (Cisco's vPath).
Results header size, for security apps: mostly 0B (95% of normal traffic); upon a match, 99% use less than 200B.
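To make the "results header" concrete, here is an added example (not the authors' code, and not the NSH format) of a minimal encoding for the (MB, pattern ID, offset) results that slide 14 attaches to a packet. The layout (a 2-byte count followed by 8-byte entries) and the sample results are constructed; a packet with no matches carries no header at all, which is the 0B common case the slide reports. The decoder rejects truncated or oversized headers, and a consumer MB reads only its own entries.

```python
"""Added example: a compact results header for DPI-as-a-service (layout is an assumption)."""
import struct

ENTRY = struct.Struct(">HHI")   # mb_id (16 bit), pattern_id (16 bit), byte offset (32 bit)
COUNT = struct.Struct(">H")     # number of entries that follow

# Constructed sample, same values as the slide's example result list.
SLIDE_RESULTS = [(1, 139, 90), (2, 14, 109), (3, 723, 201), (4, 221, 507)]


def encode_results(results):
    """Serialize (mb_id, pattern_id, offset) tuples; no matches means no header (0 bytes)."""
    if not results:
        return b""
    if len(results) > 0xFFFF:
        raise ValueError("too many results for a 16-bit count")
    return COUNT.pack(len(results)) + b"".join(ENTRY.pack(*r) for r in results)


def decode_results(blob):
    """Parse a header back into tuples, refusing input whose length disagrees with its count."""
    if not blob:
        return []
    if len(blob) < COUNT.size:
        raise ValueError("truncated count field")
    (n,) = COUNT.unpack_from(blob, 0)
    expected = COUNT.size + n * ENTRY.size
    if len(blob) != expected:
        raise ValueError(f"header length {len(blob)} does not match {n} entries")
    return [ENTRY.unpack_from(blob, COUNT.size + i * ENTRY.size) for i in range(n)]


def header_size(results):
    """Bytes added to the packet for a given result list."""
    return len(encode_results(results))


def results_for(results, mb_id):
    """What a downstream MB consumes from the header: only the matches tagged with its own ID."""
    return [r for r in results if r[0] == mb_id]


if __name__ == "__main__":
    blob = encode_results(SLIDE_RESULTS)
    print(header_size([]), header_size(SLIDE_RESULTS), decode_results(blob) == SLIDE_RESULTS)
```

With this layout, 24 matches fit in 194 bytes, so the slide's "under 200B for 99% of matching packets" corresponds to a small number of entries per packet.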

Slide 17: Question: Are the DPI algorithms scalable?

Slide 18: Are DPI Algorithms Scalable?
Yes: each input byte requires a single lookup regardless of the number of patterns!
But: a lookup can be one memory access or one cache access, so increasing the number of patterns may result in a moderate performance reduction.
The DPI service has a small penalty compared to its advantages.

Slide 19: String Matching: Aho-Corasick Algorithm
Build a Deterministic Finite Automaton (basic full-table variant).
Example pattern set: {E, BE, BD, BCD, CDBCAB, BCAA}
The head of the tree is in the cache (fast memory). More patterns means fewer levels of the tree are in the cache.
(Figure: the automaton for this pattern set, states s0 to s14, with the states visited for the input BCDBCAB and the cache-resident upper levels highlighted.)

Slide 20: Pattern Set Aggregation
(Figure: MB 0 with Pattern Set 0 and MB 1 with Pattern Set 1; the aggregated automaton marks each state as belonging to pattern set 0, pattern set 1, or both sets.)
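The following added example (not the authors' implementation) ties slides 14, 19 and 20 together: an Aho-Corasick DPI instance that aggregates the pattern sets registered by several MBs into one automaton, assigns each pattern a unique ID, and returns the per-packet result list of (MB ID, pattern ID, offset) that slide 14 describes. The pattern set is the one from slide 19; its split across two MBs, the MB numbers and the choice of reporting the start offset of each match are assumptions. A pattern registered by two MBs is stored once and reported to both, which is the "both sets" case of slide 20.

```python
"""Added example: one Aho-Corasick automaton serving the pattern sets of several middleboxes."""
from collections import deque


class DpiInstance:
    def __init__(self):
        self.goto = [{}]      # state -> {input byte: next state}
        self.fail = [0]       # state -> failure link
        self.out = [[]]       # state -> [(mb_id, pattern_id, pattern_len)] for every pattern ending here
        self.next_pattern_id = 1
        self.built = False

    def register_patterns(self, mb_id, patterns):
        """Aggregate one MB's pattern set into the shared trie; returns {pattern: assigned ID}."""
        ids = {}
        for p in patterns:
            p = p if isinstance(p, bytes) else p.encode()
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            pid = self.next_pattern_id
            self.next_pattern_id += 1
            self.out[s].append((mb_id, pid, len(p)))   # same state may serve several MBs
            ids[p] = pid
        self.built = False   # failure links must be recomputed after any update
        return ids

    def build(self):
        """Compute failure links breadth-first and merge outputs along them."""
        q = deque(self.goto[0].values())   # depth-1 states fail to the root
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        self.built = True

    def scan(self, payload):
        """One lookup per input byte; returns [(mb_id, pattern_id, offset of match start)]."""
        if not self.built:
            self.build()
        results, s = [], 0
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for mb_id, pid, plen in self.out[s]:
                results.append((mb_id, pid, i - plen + 1))
        return results


def demo():
    """Slide 19's pattern set, split (by assumption) between MB 1 and MB 2, scanned on BCDBCAB."""
    dpi = DpiInstance()
    ids1 = dpi.register_patterns(1, ["E", "BE", "BD"])
    ids2 = dpi.register_patterns(2, ["BCD", "CDBCAB", "BCAA"])
    return dpi.scan(b"BCDBCAB"), ids1, ids2


def demo_shared():
    """Constructed case for slide 20: BCD registered by both MBs is reported to each of them."""
    dpi = DpiInstance()
    dpi.register_patterns(1, ["BCD"])
    dpi.register_patterns(2, ["BCD", "CD"])
    return dpi.scan(b"BCD")


if __name__ == "__main__":
    print(demo()[0])        # [(2, 4, 0), (2, 5, 1)]
    print(demo_shared())    # [(1, 1, 0), (2, 2, 0), (2, 3, 1)]
```

The scan loop is the point of slide 18: it performs one transition per input byte whatever the number of registered patterns, so the only cost of aggregation is a larger automaton that fits less well in cache.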

Slide 21: Regular Expression Matching
Are regular expression algorithms scalable? Yes.
Solutions like DFA/NFA are not scalable with repetition operators (e.g. *):
– May cause memory blowup or a huge performance penalty
– Not commonly implemented in MBs today
The current common MB approach (e.g. Snort) is scalable. Implement a two-phase approach:
1. String matching over all strings that appear in the combined set of regular expressions
2. Running a single regular expression DFA
(Figure: multi-regex matching = multi-string matching + single-regex matching. Example regex ending in ]*SYSTEM[^>]*>.*\x2EparseError, whose extracted strings are <\x21DOCTYPE, SYSTEM and \x2EparseError.)
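The two-phase scheme, as an added example (not the authors' or Snort's code). Each rule carries its full regular expression plus the literal strings extracted from it; phase 1 checks the literals (a production engine would use the aggregated Aho-Corasick automaton of slide 19, here a plain substring search stands in for it), and phase 2 runs the single regex only for rules whose literals all occurred. The first rule is a constructed reconstruction modeled on the slide's DOCTYPE/SYSTEM/parseError example, the second rule and the sample payloads are constructed; the function also returns how many regex evaluations happened, which is the cost the prefilter saves.

```python
"""Added example: string-prefilter plus single-regex confirmation, the two-phase approach of slide 21."""
import re

# Constructed rules: (rule id, regular expression, literal strings that must occur for a match).
RULES = [
    (1, rb"<\x21DOCTYPE[^>]*SYSTEM[^>]*>.*\x2EparseError",
        [b"<!DOCTYPE", b"SYSTEM", b".parseError"]),
    (2, rb"Host:\s*[a-z0-9.-]*\.example\.test",
        [b"Host:", b".example.test"]),
]


def compile_rules(rules):
    return [(rid, re.compile(rx), literals) for rid, rx, literals in rules]


def prefilter(payload, compiled):
    """Phase 1: a rule is a candidate only if every literal string extracted from it occurs."""
    return [(rid, rx) for rid, rx, literals in compiled
            if all(payload.find(lit) >= 0 for lit in literals)]


def match(payload, compiled):
    """Phase 2: run the full regex of each candidate. Returns (matched rule ids, regex evaluations)."""
    candidates = prefilter(payload, compiled)
    matched = [rid for rid, rx in candidates if rx.search(payload)]
    return matched, len(candidates)


if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for payload in (b"GET / HTTP/1.1",                              # no literals: 0 regex runs
                    b"x.parseError <!DOCTYPE a SYSTEM b>",          # literals present, regex fails
                    b'<!DOCTYPE foo SYSTEM "x"> a.parseError'):     # full match of rule 1
        print(payload, match(payload, compiled))
```

The second payload shows why phase 2 is still needed: all three literals occur, but not in the order the regex requires, so the prefilter alone would raise a false alarm.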

Slide 22: Other Middlebox Architectures
MB consolidation: [CoMB, NSDI 2012], [xOMB, ANCS 2012], [Crossbeam, 2012], [Kekely et al., Infocom 2014]
– One box to rule them all (MBs)
– Unified management and resource sharing
– Our DPI as a service can also be combined inside an MB consolidation solution
Outsourced MB (out-of-network): [Gibb et al., HotSDN 2012], [Sherry et al., SIGCOMM 2012]
– Latency is no more an issue
– DDoS mitigation: Prolexic (now part of Akamai)
– Our DPI as a service can also be combined with outsourced MBs
(Figure: a hypervisor hosting TS, L7 FW1, IDS1, AV1 and DPI.)

Slide 23: Experiments

Slide 24: Experiment: Proof of Concept
POX SDN Controller (OpenFlow 1.0); static steering mechanism; separate machines for DPI and middlebox; toy middlebox applications: Snort, ClamAV.
(Figure: virtual environment with Toy Snort1, Toy Snort2, Toy ClamAV, a DPI Service Instance, and a DPI Controller with static steering running over the POX SDN Controller.)

Slide 25: Virtual DPI Performance
(Figure: throughput [Mbps] versus number of patterns.)
Running DPI as a virtual service has minor implications on performance.

Slide 26: DPI on Combined Pattern Set
(Figure: throughput [Mbps] versus total number of patterns.)
The throughput of the combined AC DFA is comparable to the original AC DFA; the number of patterns has a moderate effect on the throughput.

Slide 27: Performance Results
Service chain with two DPIs: IDS1 with DPI1 and AV1 with DPI2, each using separate machines.
DPI as a Service: IDS1 and AV1 sharing combined DPI instances.
Latency, traditional: 21.5us/p
Latency, DPI as a service: 13.8us/p

Slide 28: Superior Performance
(Figure: two separate IDSs, IDS1 with DPI1 and IDS2 with DPI2, compared with combined DPI instances serving IDS1 and IDS2 (DPI as a Service).)

Slide 29: Dynamic Load Balancing
Separate IDSs: static load balancing. DPI as a Service: dynamic load balancing.
(Figure: two separate IDSs, IDS1 with DPI1 and IDS2 with DPI2, compared with combined DPI instances (DPI as a Service).)

Slide 30: Vision and Future Work

Slide 31: MB Data Plane
Data-plane tasks: each MB application performs more or less the same set of MB modules (in a pipeline), at wire speed.
Module: software (VM) or hardware (accelerator).
Currently:
– In many cases companies use home-made modules, which limits innovation
– Common modules repeat in many MBs in the service chain, which reduces throughput
Modules: Packet Classification, Application Classification, Session Reconstruction, Decrypt/Decompress, Traffic Normalizer, DPI, Traffic Measurement.

Slide 32: Thin MB with MB Services
MB modules will be implemented as services in the network; traffic travels between the services.
Example: DDoS protection built from IP anti-spoofing, Packet Classification, DPI and Traffic Measurement services.

Slide 33: The Control Tasks
– Configure the flow between MB modules
– Configure each of the MB modules
– Dynamic changes due to measurements
– Scale up and scale out of modules (orchestration)
(Figure: the DDoS-protection example with IP anti-spoofing, Packet Classification, DPI and Traffic Measurement, and control messages such as "Filter ICMP", "X is an attacker", "Filter X".)
Service chain optimization: use the same service only once in a service chain, which improves performance.

Slide 34: Innovation Enabler
Lower entry barriers:
– If the modules are services, one can tailor a MB using off-the-shelf modules
– Cheaper MB HW/SW
Richer functionality:
– Companies will specialize in specific MB modules
A simple MB could be implemented from off-the-shelf services and switches:
– Enhance the switch: use the DPI service to tag packets and drive policies in switches
– Enhance the MB: SDN switches can perform the packet classification module

Slide 35: Related Industry Solution: Qosmos
Application-aware classification: the company (Qosmos) offers an NFV service that classifies traffic (Skype/IM/VoIP/FTP/Video/Social Networks, …).

Slide 36: Anat Bremler-Barr, David Hay, Yotam Harchol, Yaron Koral

Slide 37: Thank You!
