Using Snort/Sguil on 10 Gigabit Networks, Livio Ricciulli, Chief Security Scientist. Presentation transcript.


Slide 1: Using Snort/Sguil on 10 Gigabit Networks
Livio Ricciulli, Chief Security Scientist, lricciulli@force10networks.com, (408) 835-5005
*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories.

Slide 2: 1-10 Gbps Programmable Network Security
Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Hardware acceleration of important network applications
– Abstract the hardware as a network interface from the OS perspective
Retain a high degree of programmability
– Extend to applications beyond IDS/IPS
– New threat models (around the corner)
Line speed / low latency to allow integration in production networks
– Unanchored payload string search
– Support analysis across packets
– Gracefully handle state exhaustion
Hardware support for adaptive information management
– Detailed reporting when reporting bandwidth is available
– Dynamically switch to more compact representations when necessary
– Support the insertion of application-specific analysis code in the fast path

Slide 3: Available Today
P10 PCI Card (10 GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 20G-in/20G-out
– 650 static rule capacity; 65 dynamic rules (currently being increased)
– 8 million concurrent flows
P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G-in/2G-out
– 1000 static rule capacity; up to 200 dynamic (currently being increased)
– 2 million concurrent flows
P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured

Slide 4: Architecture

Slide 5: Product Architecture (diagram)
Diagram labels: Management; Synthesis + firmware update (Static); Runtime update (Dynamic); Latency ~1.3 μs; 100Mb-10Gb; 2-8M Concurrent Flows; PHY, FPGA (L-1), RAM, PHY; Packets or Stats; State; Read Only Block.

Slide 7: Firewall and IDS/IPS

Slide 8: Firewall IDS/IPS
High Performance (> 330K cps; 20 Gbps)
Unique level of programmability
– What is IN and what is OUT?
– Two organizations sharing each other's services
– Insider attacks
– Can define stateful policies asymmetrically or symmetrically
– Hardcode part of the policies in hardware
– Keep software-like flexibility
– Can code specific policies directly into the fast path
Layer-1
– Invisible: 1.5 µs latency
– True line rate (20 Gbps)
– Drops in and out with NO L2/3 reconfiguration

Slide 9: Power Failure
No power
– Stateful in-line → No packet loss; no loss of connection state
– Traditional rerouting → L2/L3 convergence time; loss of state
(Diagram: CPU and Reporting path, with Bypass)

Slide 10: OS Upgrade
Soft reboot, OS reconfiguration, change OS
– Forwarding + policies are unaffected; no loss of connection state
– Once the upgrade is over the OS reattaches to the forwarding path
(Diagram: CPU and Reporting path, with Bypass)

Slide 11: Policy update
Fast-path reconfiguration (new policies are added/deleted)
– Loading new static policies → open for < 1 s; loss of connection state
– Loading dynamic policies → No loss of state
(Diagram: CPU and Reporting path, with Bypass)

Slide 12: Configuration + Reporting
Compile policies off-line
– Makefile (open Unix CLI environment)
– Add user code in the fast path
Add Permit and Deny on the fly
– Immediate action
Run any pcap application on the interface
– Use Snort's output plugins → syslog, email, packet archive
MIB-II Host/Interface Monitoring
– Disk, daemons, SNMP traps

Slide 13: Testing
Need a LOT of equipment to assess
– Separate test equipment behavior from P10 behavior
– DOS scenarios with stateless generation are easy
Connections/second up to 330k
Measured stateful throughput up to 9.5 Gbps
– Not enough gear to fill up the pipe with stateful traffic yet
– Stateless traffic up to 20 Gbps

Connections per Second   Percentage Retries
100,000                  0.0059
150,000                  0.0053
175,000                  0.0060
200,000                  0.0061

Slide 14: Snort @ 200 Mbps (figure)

Slide 15: Stateful Content Inspection Performance Comparison (figure)

Slide 16: Current API

Slide 17: User-level programmability
– Define an API to let the user write ad-hoc wire-speed code
– Add user modules to the synthesis flow and share the reduction network
– Architecture provides determinism
– It either fits or it does not fit in the FPGA
– It either meets timing or does not meet timing
– Load/store network processing is much harder to predict
(Diagram labels: Memory Interface; Packet Processor; Host Interface; User Defined; Address, Data, RW; Payload, Offset, Valid; Payload Block Capture; Common Functions; Reduction Network; Block Capture; PCI Interface; Layer-1 Applications; Standard OS; FPGA)

Slide 18: Hello World!

Slide 19: Count Destination Ports with FPGA

    // Module wrapper, port list and register declarations added so the slide's
    // snippet is complete; the signal widths are assumptions, not taken from the slide.
    module count_dst_ports(input clk, input cnfclk, input [31:0] data, input [7:0] offset,
                           input [15:0] address, output [31:0] valout);
      reg  [7:0]  proto;      // IP protocol number of the current packet
      reg  [15:0] dstp;       // destination port, also the counter memory address
      reg  [31:0] newval;     // incremented counter value written back
      reg         write;      // write strobe for the counter memory
      wire [31:0] oldvalout;  // counter value read back for dstp

      // Dual-port counter memory provided by the platform (as on the slide): port 1 is
      // read/written from the packet path, port 2 is read by the host at cnfclk.
      memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
                 .c2(cnfclk), .a2(address[15:0]), .do2(valout));

      always @(posedge clk) begin
        if (offset == 1) begin
          proto <= data[7:0];                                  // Get protocol number
        end else if (offset == 2 && (proto == 6 || proto == 17)) begin
          dstp <= data[31:16];                                 // Get destination port if TCP or UDP
        end else if (offset == 4 && dstp != 0) begin           // 1 cycle later the counter is read
          newval <= oldvalout + 1;                             // increment counter
          write  <= 1;                                         // write counter
        end else begin
          write <= 0;
        end
      end
    endmodule

Slide 20: Reuse existing Open Source

Slide 21: IPv6 Security Hardware
IPv6 options provide a covert channel
– Ex. Joe 6 pack (http://people.suug.ch/~tgr/misc/j6p-1.0.tar.gz) uses the IPv6 Destination option for transport
Want to see what IPv6 options are used for (for example source routing)
– Extend hardware payload match semantics to the IPv6 header
Tunneling
– Want to inspect headers of multiple tunnels

Slide 22: Additions to IPv6 API
8-bit "parse" value indicating which section of the packet is being clocked in
– Unknown
– IPv4 = 0x4
– Payload = 0xFE
– TCP = 0x6
– ICMPv4 = 0x1
– UDP = 0x11
– IPv6 = 41
– Routing = 43
– Fragment = 44
– Destination = 60
– Authentication = 51
– Security Payload = 50
– ICMPv6 = 58
– Hop by Hop = 0
Counters
– Tunnel "tcnt" counter
– Length offset within the section pointed to by "parse"
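Added example, not from the slides or the Force10 hardware: a software walk of an IPv6 header chain that emits the same per-section codes as the slide's "parse" value, a tunnel count like "tcnt", and each section's offset and length. The Destination Options check ties back to the covert-channel point on slide 21; the packets are constructed inline and the function names are this example's own.

```python
import struct

# Section codes from the slide's 8-bit "parse" value: IANA next-header numbers plus platform markers for unknown (0x00) and payload (0xFE).
UNKNOWN, PAYLOAD = 0x00, 0xFE
HOPBYHOP, ICMPV4, IPV4, TCP, UDP, IPV6, ROUTING, FRAGMENT, ESP, AUTH, ICMPV6, DESTINATION = (
    0, 1, 4, 6, 17, 41, 43, 44, 50, 51, 58, 60)
CHAIN = {HOPBYHOP, ROUTING, FRAGMENT, AUTH, DESTINATION}  # sizeable, chainable extension headers

def walk_ipv6(pkt):
    """Return (sections, tcnt): sections lists (parse_code, offset, length) in packet order;
    tcnt counts encapsulated IP headers, like the slide's tunnel counter "tcnt"."""
    sections, tcnt, off, nh = [], 0, 0, IPV6
    while True:
        rest = len(pkt) - off
        if nh == IPV6 and rest >= 40 and pkt[off] >> 4 == 6:
            tcnt += bool(sections)  # any IPv6 header after the first one is a tunnel
            sections.append((IPV6, off, 40)); nh, off = pkt[off + 6], off + 40
        elif nh == IPV4 and rest >= 20 and pkt[off] >> 4 == 4:
            ihl = (pkt[off] & 0xF) * 4  # IPv4-in-IPv6 (next header 4) is also a tunnel
            if ihl < 20 or ihl > rest: break
            tcnt += 1; sections.append((IPV4, off, ihl)); nh, off = pkt[off + 9], off + ihl
        elif nh in CHAIN and rest >= 8:
            # RFC 8200/4302 sizing: Fragment is a fixed 8 bytes, AH counts 32-bit words (+2),
            # Hop-by-Hop/Routing/Destination count 8-byte units (+1)
            ln = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AUTH else (pkt[off + 1] + 1) * 8
            if ln > rest: break  # header claims more bytes than the packet has
            sections.append((nh, off, ln)); nh, off = pkt[off], off + ln
        elif nh in (TCP, UDP) and rest >= (20 if nh == TCP else 8):
            ln = min(rest, (pkt[off + 12] >> 4) * 4 if nh == TCP else 8)
            sections += [(nh, off, ln), (PAYLOAD, off + ln, rest - ln)]; return sections, tcnt
        elif nh in (ICMPV4, ICMPV6, ESP):  # ESP hides its next header; ICMP bodies vary by type
            sections.append((nh, off, rest)); return sections, tcnt
        else:
            break  # truncated or unrecognised: report the remainder as unknown
    sections.append((UNKNOWN, off, len(pkt) - off)); return sections, tcnt

def uses_destination_options(pkt):
    """Flag the Destination Options header the slide names as a covert-channel carrier."""
    return any(code == DESTINATION for code, _, _ in walk_ipv6(pkt)[0])

def ipv6_hdr(next_header, payload_len):
    """Constructed IPv6 header: version 6, hop limit 64, documentation-prefix addresses."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       bytes.fromhex("20010db8" + "00" * 12), bytes.fromhex("20010db8" + "00" * 11 + "01"))

# Constructed samples: a TCP SYN behind a Destination Options header (PadN filler) and a UDP datagram inside an IPv6-in-IPv6 tunnel.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT_DST_OPT = ipv6_hdr(DESTINATION, 32) + bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + TCP_SYN + b"data"
PKT_TUNNEL = ipv6_hdr(IPV6, 52) + ipv6_hdr(UDP, 12) + struct.pack("!HHHH", 53, 53, 12, 0) + b"data"
```

Running walk_ipv6 over a pcap read with any pcap library gives the same section/offset view the slide describes for the hardware, and lets a detection rule key on the Destination or Routing sections rather than on payload bytes.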

Slide 23: Open Source Alert Aggregation (Sguil)

Slide 24: Architecture (diagram)
Components: MySQL Alerts Database; Snort; Barnyard; Sancp; Sguild; TCPFlow; P0F; Sensors; Sguil Client; Internet; DShield Database; Snort Database; Whois Database; DNS.

Slide 25: Sguil Aggregation and Analysis (screenshot)
Callouts: "Who is knocking on who?"; "Real time Snort Events"; "Why did we trigger?"

Slide 26: Analysis support (screenshot)
Callouts: "Did the overflow make it?"; "Recognize the attack"; "Blow the stack"; "Glue Code"; "Overwrite Password"

Slide 27: You are not Alone; One Sguil click.. (screenshot)
Callouts: Snort Database; DShield Database

Slide 28: Summary
– Extremely low latency design enables a wide variety of deployment options
– Leverage Open Source software
– 1G and 10G available today
– Processing paradigm lends itself to ad-hoc application level programmability
Livio Ricciulli, livio@force10networks.com, (408) 835-500

Slide 29: Thank You

