Published by Loraine Cobb. Modified over 9 years ago.
Securing and Monitoring 10GbE WAN Links
Steven Carter, Center for Computational Sciences, Oak Ridge National Laboratory
Disclaimer
Oak Ridge National Laboratory does not endorse any particular product. This presentation merely details our experience and chosen course of action (i.e. I am not a patsy for Force10).
Requirements
- Wire rate intrusion detection (i.e. 20Gb/s)
- Little or no latency
- Low administrative/development overhead
- Flexible (used for IDS and protocol monitoring)
- Scalable (we have 5+ 10G links that we would like to monitor)
- Affordable
Approaches
- Divide and Conquer: Use a piece of network equipment (e.g. Juniper Router) to divide the stream of packets by some attribute (e.g. destination port) into smaller, more easily handled streams for processing.
Approaches (Cont.)
- Host intensive: Send the full (or possibly filtered) stream to the host CPU for inspection.
- NIC intensive: The NIC does the packet inspection.
The Contenders
- Intel, Neterion, Chelsio 10G NICs
- Endace DAG 6.2SE
- Force10 P-Series (formerly MetaNetworks)
Initial Pros/Cons
Standard 10G NICs
- Inexpensive
- Single host unable to keep up with a full rate, full duplex connection
Endace DAG 6.2SE
- Offload allows a single host to inspect more traffic (~13Gb/s), but you need a beefy host
- Timestamps
- Only available with 1310nm optics
- Expensive
Initial Pros/Cons (cont.)
Force10 P-Series
- Less expensive
- Complete offload
- Scalable
- Can block packets if used in-line
- Supports too few Snort rules (700 shared between 2 channels)
- Long compile time
- PCI bus (1Gb/s between the card and the host)
Initial Test Setup
[Diagram: hosts feeding a switch; traffic copied via optical tap and port mirror to the P-Series and DAG capture hosts. Inputs: simulated nefarious traffic and saturating traffic (~10Gb/s).]
DAG Results
- Circular buffer started overflowing at ~5Gb/s (could likely be tuned better)
- Not a generic network interface (either use the provided dag* utilities or a special version of libpcap)
- Only one tool can be used at a time
P-Series Results
- Able to handle full rate (~10Gb/s)
- Presented as a generic interface (i.e. can run Bro, Snort, and tcpdump simultaneously)
- Supports too few Snort rules (700 shared between 2 channels)... you have to choose well
- Long compile time (long test cycles)
Our Decision
- The DAG 6.2SE is way too expensive for what you get. We could not afford to use it on 5+ links.
- The Force10 P-Series had the best strategy and would scale best to fit our needs.
- Although the card doubled in price, the next generation is slated to have stateful firewall features, more real estate, and a PCI-X (should be PCIe) interface. This makes for a very cost-effective, flexible firewall, IPS, and protocol analysis solution.
Working Around the Rule Limitation
- Send known low-rate traffic (ICMP, DNS, HTTP, etc.) to the host CPU to be compared against the full complement of Snort rules.
- Send the first few packets of every connection to the host CPU to be compared against the full complement of Snort rules (either via the state register or through the API).
- Use the rules on the card for high-rate traffic.
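The triage described on this slide, as an added example that is not from the presentation or from Force10: a small flow-state policy that sends known low-rate protocols and the first few packets of each connection to the host's full Snort rule set, and leaves the remainder of high-rate flows to the card's limited rules. The port set, the per-connection packet limit and the sample packets are constructed values.

```python
# Added example (not from the presentation): triage packets between the
# host CPU, which holds the full Snort rule set, and the card's limited
# on-board rules, following the three-part workaround on this slide.
# The port set, per-flow limit and sample packets are constructed values.
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
ICMP, TCP, UDP = 1, 6, 17
LOW_RATE_PORTS = {53, 80}   # DNS and HTTP, the deck's "known low-rate" examples
FIRST_N_PACKETS = 4         # packets per connection sent to the host (assumed)


class OffloadPolicy:
    """Decide, per packet, whether it goes to the host CPU or stays on the card."""

    def __init__(self, first_n=FIRST_N_PACKETS, low_rate_ports=LOW_RATE_PORTS):
        self.first_n = first_n
        self.low_rate_ports = set(low_rate_ports)
        self.flow_counts = defaultdict(int)   # flow key -> packets seen so far

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so both halves of a connection share state.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, *ends)

    def classify(self, pkt):
        # 1. Known low-rate traffic (ICMP, DNS, HTTP, ...) always goes to the host.
        if pkt.proto == ICMP or {pkt.sport, pkt.dport} & self.low_rate_ports:
            return "host"
        # 2. The first few packets of every connection go to the host too.
        key = self.flow_key(pkt)
        self.flow_counts[key] += 1
        if self.flow_counts[key] <= self.first_n:
            return "host"
        # 3. The rest of a high-rate flow is left to the card's rules.
        return "card"


def classify_stream(packets, policy=None):
    """Return (host_count, card_count) for a sequence of packets."""
    policy = policy or OffloadPolicy()
    verdicts = [policy.classify(p) for p in packets]
    return verdicts.count("host"), verdicts.count("card")


if __name__ == "__main__":
    # Constructed sample: one DNS query, one ping, then a ten-packet bulk transfer.
    bulk = [Packet(TCP, "10.0.0.1", 40000, "10.0.0.2", 2049)] * 10
    sample = [Packet(UDP, "10.0.0.1", 5353, "10.0.0.9", 53),
              Packet(ICMP, "10.0.0.1", 0, "10.0.0.2", 0)] + bulk
    print(classify_stream(sample))   # (6, 6)
```

In a real deployment the first two decisions would be expressed as a capture filter and a state-register lookup on the card; the flow table here only shows the decision logic and the per-connection state it needs.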
Final Setup
- 3U, dual 2.8GHz Opteron
- 8 GB RAM
- 3TB of internal RAID 5 storage
- 2 P-Series cards (room for a third)
Final Testing
[Diagram: border router feeding a switch and the P-Series host. Inputs: saturating traffic (~9Gb/s) and "real" Internet traffic.]
Conclusion
- The Force10 P-Series takes a good approach to the problem. It allows us to secure and monitor several 10G links for a reasonable price.
- The next generation is even more promising, allowing the merging of IPS with firewalling capabilities.
Questions?