Joint Techs 2005
Metanetworks Inc., 647 N. Santa Cruz Suite E, Los Gatos, CA 95030. Voice: (408) 399-2284, Fax: (408) 356-9446

Demonstration of 10 Gbps IDS/IPS
The Meta Traffic Processor*
Livio [email protected]
(408) 399-2284

*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award #0339343) and the Air Force Rome Laboratories.

Brief History
► Active Networks (DARPA Program)
  Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc.)
  → Discrete: update the network through separate management operations
  → Integrated: packets cause the network to update itself
  Broad scope did not result in industry adoption
  → Lack of “killer application”
  → Lack of tight industry interaction
  → Tried to change too much too soon
► Metanetworks’ bottom-up approach
  Achieve programmability while reusing current infrastructure
  Augment networks with new, non-invasive technology
  Application-driven rather than design-driven
  Work closely with users/operators
  Revisit the hardware computational model

1-10 Gbps IDS/IPS Hardware
► Open architecture to leverage open source software
  More robust, more flexible, promotes composability
  Directly support Snort signatures
  Abstract the hardware as a network interface from the OS perspective
► Retain a high degree of programmability
  New threat models (around the corner)
  Extend to applications beyond IDS/IPS
► Line speed / low latency to allow integration in production networks
  Unanchored payload string search
  Support analysis across packets
  Gracefully handle state exhaustion
► Hardware support for adaptive information management
  Detailed reporting when reporting bandwidth is available
  Dynamically switch to more compact representations when necessary
  Support the insertion of application-specific analysis code in the fast path

If You Cannot Measure It, You Cannot Manage It
► Knowing what is in your network is very important
  Catch misuses, both incoming and outgoing
  The FBI says that effective network monitoring (not even IDS) is among the top 3 most important things to do
  Who is using the bandwidth, and how
► Decentralization
  Cannot find out what the traffic is unless you do content inspection
  Many p2p applications randomly change ports (VoIP)
  Key exchanges need to be monitored
  Would like to know what applications are doing
► High speed, high complexity
  1G and 10G make content inspection a challenge
  Hardware/software co-design is a must

Flynn’s Computer Taxonomy
(Figure: the four Flynn classes drawn for the IDS workload, each with the instruction stream Get packet / Compare to rules / Alert and a Data input. SISD: one processor with one memory. MIMD: several processors, each with its own memory and its own instruction stream. SIMD: processors P0, P1 ... Pn execute the same instructions on different data, their alerts collected by a Reduction Network. MISD: processors P0, P1 ... Pn execute different instructions on the same data, their alerts again collected by a Reduction Network.)

MISD Programmable Hardware
(Figure: an FPGA receives the Data Stream, Data Valid and Receive Clock signals from the line. Rule units R1, R2 ... Rn all examine the same stream in parallel; a Reduction Network combines their results into Block and match decisions, backed by a Match Memory, a Stateful Analysis unit and a Host Interface.)

(Figure: layer-1 blocking. For each direction, the PHY’s RxData and RxEnable signals pass through an AND gate driven by the Monitoring System’s Block Direction 1 and Block Direction 2 signals, so received data is gated by the block decision.)

Cost-effective & Powerful
(Figure: system diagram. Packets enter through a PHY into the FPGA, which holds the layer-1 (L-1) logic and the IPS/IDS engine with RAM for its state; a second PHY carries the output. Static policies are compiled and loaded by runtime update; dynamic policies go through synthesis and a firmware update. State is read-only from the host. Blocking is Block + Fail Close. Figures stated on the slide: latency < 0.5 μs, 100Mb-10Gb, 1-8M concurrent flows, plus “< 1500” and “< 100” with no units given. A web-based signature management service is reached over the Internet.)

Up to 6 cards/box
(Figure: host chassis. Each card carries a PHY, an FPGA, two SRAM banks and a PCI interface; the cards attach over PCI to the host CPUs, which run Snort IDS/IPS.)

Content Inspection Performance Comparison
(Chart: Percentage of Alert Loss. x-axis: offered load in Mbps, 0 to 3000; y-axis: % of alert loss, 0% to 100%. Six series: darpa no MTP, web1 no MTP, web2 no MTP, darpa with MTP, web1 with MTP, web2 with MTP.)

Static analysis of a large number of IDS signatures
(Figure: a comparator network matching the strings MATCH THIS and CATCH THIS ONE; byte comparators feed AND gates (&) per signature and an OR (|) across signatures, with the comparison logic shared between the two strings.)
► Transform Snort rules or BPF expressions into a low-level declarative language
► Extract fine-grain parallelism across thousands of signatures
  Define independent FSMs, each implementing a signature
  Share comparison logic across multiple FSMs
► Synthesizer further optimizes
  Merge multiple FSMs sharing intermediate states
  Eliminate redundant rules

Some Rule Compression Results
(Chart: component counts versus number of Snort rules. x-axis: Snort Rules, 0 to 1500; y-axis: Component Counts, 0 to 8000. Series: Comp, Edges, Comp saved.)

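The signature-compilation steps above (independent FSMs, shared comparison logic, merged FSMs) and the component counts on the compression chart, as an added worked example in Python. This is illustration code written for this page, not Metanetworks' compiler or synthesizer; the three content strings, the sample stream and all function names are constructed for it. It generalises the two-string figure to any set of literal content signatures:

```python
from collections import defaultdict

# Constructed sample content signatures (not real Snort rules).
SIGNATURES = {
    "match-this": b"MATCH THIS",
    "catch-this": b"CATCH THIS ONE",
    "catch-some": b"CATCH SOMEONE",
}

# Constructed sample byte stream to scan.
SAMPLE_STREAM = b"xx MATCH THIS yy CATCH SOMEONE zz CATCH THIS ONE"


def build_fsms(signatures):
    """Step 1: one independent FSM per signature.  State i means 'the first
    i bytes matched'; each edge (state, byte, next_state) needs a comparator
    against the current byte of the stream."""
    return {name: [(i, b, i + 1) for i, b in enumerate(pat)]
            for name, pat in signatures.items()}


def count_comparators(fsms, shared):
    """Step 2: comparison logic.  Unshared: one comparator per edge.
    Shared: one comparator per distinct byte value, its output fanned out
    to every edge that compares against that value."""
    edges = [e for es in fsms.values() for e in es]
    if not shared:
        return len(edges)
    return len({b for (_, b, _) in edges})


def merge_fsms(signatures):
    """Step 3: merge FSMs that share intermediate states.  Signatures with a
    common prefix share the states for that prefix, so the merged machine
    is a trie.  Returns (transitions {(state, byte): next_state},
    accepting {state: [signature names]}, number of states)."""
    trans, accept, nstates = {}, defaultdict(list), 1   # state 0 = start
    for name, pat in signatures.items():
        s = 0
        for b in pat:
            if (s, b) not in trans:
                trans[(s, b)] = nstates
                nstates += 1
            s = trans[(s, b)]
        accept[s].append(name)
    return trans, dict(accept), nstates


def compression_summary(signatures):
    """Component counts before and after optimisation, in the spirit of
    the rule compression chart: edges of the independent FSMs, distinct
    comparators after sharing, edges and states of the merged machine."""
    fsms = build_fsms(signatures)
    trans, _, nstates = merge_fsms(signatures)
    independent = count_comparators(fsms, shared=False)
    return {
        "edges_independent": independent,
        "comparators_shared": count_comparators(fsms, shared=True),
        "edges_merged": len(trans),
        "states_merged": nstates,
        "edges_saved_by_merge": independent - len(trans),
    }


def scan(signatures, data):
    """Run the merged machine over a byte stream one byte per cycle, with
    every partial match advancing in parallel (the MISD view: many rules,
    one data word).  The search is unanchored: a fresh attempt starts at
    every byte.  Returns {name: [offset of the last matched byte]}."""
    trans, accept, _ = merge_fsms(signatures)
    hits = defaultdict(list)
    active = set()                       # states of partial matches in flight
    for off, b in enumerate(data):
        nxt = set()
        for s in active | {0}:           # state 0: a new attempt at this byte
            t = trans.get((s, b))
            if t is not None:
                nxt.add(t)
                for name in accept.get(t, ()):
                    hits[name].append(off)
        active = nxt
    return dict(hits)
```

With the three constructed strings, sharing cuts 37 per-edge comparators to 11 distinct byte comparators, and merging the common "CATCH " prefix removes 6 edges; `scan` then reports each signature at the offset of its last byte, which is the number a capture engine needs to know how far back to reach into the buffered stream.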
Layer-1 “T” Junction
(Figure: three deployments of a card between a Router/Switch and a CPU running IDS/IPS: Inline, Passive on a Mirror Port, and Multiple Mirrors, with links to other passive devices.)
→ Use it for IPS or just to eliminate a TAP
→ Chain multiple cards
→ Traditional passive monitoring
→ Up to 6 cards per host
→ Extend passive capacity
→ Can hang multiple passive devices off 1 TAP or Mirror

Capture (C) and Block (B) bits per rule, and the resulting captured and output traffic:

  Rule        C  B    Capture                        Output
  ICMP        1  0    All ICMP                       All ICMP
  ICMP Echo   1  0
  ICMP        1  0    All ICMP                       All ICMP that is not an Echo
  ICMP Echo   1  1
  ICMP        1  0    All ICMP that is not an Echo   All ICMP that is not an Echo
  ICMP Echo   0  1
  ICMP        1  0    All ICMP that is not an Echo   All ICMP
  ICMP Echo   0  0

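The four rows of the table, as an added Python example that is not Metanetworks' code. The packet tuples and the two rule functions are constructed for it; the example assumes that when both the general ICMP rule and the more specific ICMP Echo rule match a packet, the more specific rule's C and B bits decide, which is the reading under which all four rows come out as the slide states:

```python
# Constructed sample packets: (protocol, icmp_type); icmp_type is None
# for non-ICMP traffic.  Types 8 and 0 are ICMP echo request / echo reply.
SAMPLE_PACKETS = [
    ("icmp", 8),    # echo request
    ("icmp", 0),    # echo reply
    ("icmp", 3),    # destination unreachable
    ("icmp", 11),   # time exceeded
    ("tcp", None),  # not ICMP at all
]


def is_icmp(pkt):
    return pkt[0] == "icmp"


def is_icmp_echo(pkt):
    return pkt[0] == "icmp" and pkt[1] in (8, 0)


def decide(rules, pkt):
    """Return (capture, block) for one packet.  rules is a list of
    (matcher, capture_bit, block_bit) ordered from general to specific;
    the last matching rule wins (this example's assumption).  A packet
    that matches nothing is neither captured nor blocked."""
    capture, block = False, False
    for matcher, c, b in rules:
        if matcher(pkt):
            capture, block = c, b
    return capture, block


def apply_rules(rules, packets):
    """Split traffic into what reaches the host (captured) and what leaves
    the output port (not blocked).  The two decisions are independent: a
    packet can be captured and blocked, captured and forwarded, and so on."""
    captured = [p for p in packets if decide(rules, p)[0]]
    output = [p for p in packets if not decide(rules, p)[1]]
    return captured, output


def table_row(echo_capture, echo_block):
    """One row of the slide's table: the ICMP rule fixed at C=1, B=0 and
    the ICMP Echo rule set to the given bits.  Returns (captured, output)."""
    rules = [(is_icmp, True, False), (is_icmp_echo, echo_capture, echo_block)]
    return apply_rules(rules, SAMPLE_PACKETS)
```

The row with Echo set to C=0, B=1 is the one worth checking by hand: echo packets are dropped from both the capture and the output even though the general ICMP rule would have captured them, which only works if the specific rule overrides rather than ORs with the general one.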
Native IDS Acceleration
► Wire-speed capture of interesting flows
  Capture flows with specific bad signatures
  Pass flows known to be good
  → ISO image transfers, data files
► Open source IDS/monitoring tools
  Snort, Bro
(Figure: all traffic enters the card; bad traffic goes to the CPU, optionally all traffic.)

Native IDS/IPS
► Wire-speed filtration of a subset of known bad packets
  Worms, viruses, rootkits
► Open source IDS/monitoring tools
  Snort, Bro to inspect bad traffic
► Dynamically add signatures
  “Lock down” while patching
► Filter DDoS streams before the bottleneck
(Figure: all traffic enters the card; good traffic continues to the firewall or switch, bad traffic goes to the CPU.)

Transparent IDS Acceleration
► Wire-speed capture and filtration of good flows
  Capture flows known to be good for archiving
  → ISO image transfers, data files, etc.
► Other IDS/monitoring appliances only receive a fraction of the traffic
(Figure: all traffic enters the card; good traffic is filtered off, unknown traffic goes to other IDS and optionally to the CPU.)

Redundant IDS
► Wire-speed capture of suspected flows
  Capture flows with specific bad signatures
  Pass and filter flows known to be good
  → ISO image transfers, data files
► Open source IDS/monitoring tools
  Snort, Bro
(Figure: all traffic enters the card; bad traffic goes to the CPU, all traffic or unknown traffic goes to other IDS, and the two are correlated.)

(Figure: stateful capture. A packet is temporarily stored in a linked list; when a stateful match completes, the packets are captured from the linked list.)
Each packet can be Captured and/or Blocked

10Gbps Information Bandwidth Management
► Host bandwidth is << the fast-path bandwidth
  Flooding cannot be used to compromise the blocking capability
  → Blocking has a false-positive (FP) rate when state is exhausted
  Flooding can be exploited to reduce the efficacy of monitoring
► Need to find a needle in a haystack, but also need to cope with a flood of packets
  Hardware stateful analysis (implemented)
  Intelligent monitoring
  Application-level programmability (implemented)

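Stateful, cross-packet matching with bounded state, as an added Python example that is not Metanetworks' code: it models the linked-list capture of the earlier slide together with the state-exhaustion point above. The two-stage signature, the flow keys and the per-flow packet limit are constructed; the fail-close fallback (stateless blocking when no flow state can be allocated, accepting false-positive blocks) is this example's assumption about what the slide's FP rate under state exhaustion refers to:

```python
from collections import deque


class StatefulCapture:
    """Cross-packet matching with bounded flow state.  signature is a list
    of per-packet predicates that must match in order within one flow.
    Each tracked flow keeps its recent packets in a list; when the last
    stage matches, the whole list is captured for the host."""

    def __init__(self, max_flows, signature, keep=8):
        self.max_flows = max_flows         # flow-table capacity (constructed)
        self.signature = list(signature)
        self.keep = keep                   # packets retained per flow (constructed)
        self.flows = {}                    # flow_key -> [stage, deque of packets]
        self.captured = []                 # packet lists handed to the host
        self.stateless = 0                 # packets handled with no flow state

    def process(self, flow_key, payload):
        """Return 'pass', 'block' or 'capture' for this packet."""
        state = self.flows.get(flow_key)
        if state is None:
            if len(self.flows) >= self.max_flows:
                # State exhausted: no room to track this flow.  Fall back to
                # a stateless, fail-close check (any single stage matching
                # blocks).  Assumption of this example: over-blocking under
                # a flood is preferred to a flood switching blocking off.
                self.stateless += 1
                return "block" if any(p(payload) for p in self.signature) else "pass"
            state = self.flows[flow_key] = [0, deque(maxlen=self.keep)]
        stage, buf = state
        buf.append(payload)                # packet temporarily stored in the list
        if self.signature[stage](payload):
            state[0] += 1
            if state[0] == len(self.signature):
                self.captured.append(list(buf))   # stateful match: capture the list
                del self.flows[flow_key]          # release the flow's state
                return "capture"
        return "pass"


# Constructed two-stage signature: a STAGE1 packet followed later by a
# STAGE2 packet in the same flow.
TWO_STAGE = [lambda p: b"STAGE1" in p, lambda p: b"STAGE2" in p]


def run_stateful_demo():
    """Two flows fill the table; a third arrives while state is exhausted."""
    eng = StatefulCapture(max_flows=2, signature=TWO_STAGE)
    results = [
        eng.process("flowA", b"STAGE1 hello"),
        eng.process("flowB", b"nothing"),
        eng.process("flowA", b"filler"),
        eng.process("flowC", b"STAGE2 alone"),   # no state left: stateless block
        eng.process("flowC", b"plain"),           # no state left, no match: pass
        eng.process("flowA", b"STAGE2 done"),     # completes the match
    ]
    return results, eng.captured, eng.stateless
```

The point of the fallback is the asymmetry the slide draws: a flood that fills the flow table can cost monitoring fidelity (flow C is never tracked, so a genuine two-stage sequence on it would go uncaptured), but it cannot turn blocking off, because the stateless path still blocks on any matching stage, at the price of false positives.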
Intelligent Monitoring (work in progress)
(Figure: rules 1, 2, 3, 4, 5 ... n feed a trigger counter that is checked against T.)
> T? Switch off lower priority rules and report the number of triggers only, NOT the entire packet
T = maximum amount of alerts tolerable

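One way to realise the threshold check above, as an added Python example that is not Metanetworks' work-in-progress design: a per-window budget T of full-packet alerts, a hard cap once the budget is spent, and a re-plan at each window boundary that switches the lowest-priority rules to count-only reporting. The rule names, priorities and the sample trigger sequence are constructed for the example:

```python
class IntelligentMonitor:
    """Adaptive alert reporting.  T is the maximum number of full-packet
    alerts tolerable per reporting window; priorities maps rule -> priority
    with 1 the most important.  Every rule must appear in priorities."""

    def __init__(self, T, priorities):
        self.T = T
        self.priorities = dict(priorities)
        self.count_only = set()          # rules switched to trigger-count reporting
        self._start_window()

    def _start_window(self):
        self.counts = {r: 0 for r in self.priorities}   # triggers per rule
        self.full_reports = []                           # (rule, packet) sent in full

    def trigger(self, rule, packet):
        """One rule hit on the fast path.  Returns 'full' if the packet was
        delivered to the host, 'counted' if only the trigger was counted."""
        self.counts[rule] += 1
        # Count-only rules never deliver packets, and once T full reports
        # have gone out in this window nothing else does either: a flood
        # can raise the counters but cannot exceed the host-link budget.
        if rule in self.count_only or len(self.full_reports) >= self.T:
            return "counted"
        self.full_reports.append((rule, packet))
        return "full"

    def end_window(self):
        """Close the window: return its report, then re-plan the next one.
        Starting from every rule in full mode, switch the lowest-priority
        rules to count-only until the triggers seen this window would fit
        under T.  A rule whose triggers subside is switched back on."""
        report = {
            "full": list(self.full_reports),
            "counts": dict(self.counts),
            "count_only": sorted(self.count_only),   # mode in force this window
        }
        expected = sum(self.counts.values())
        self.count_only = set()
        for r in sorted(self.priorities, key=lambda r: self.priorities[r], reverse=True):
            if expected <= self.T:
                break
            if self.counts[r]:
                self.count_only.add(r)
                expected -= self.counts[r]
        self._start_window()
        return report


# Constructed sample: one window of fast-path triggers during a scan flood,
# with the higher-priority worm and p2p hits arriving after the flood began.
SAMPLE_WINDOW = [("scan", "pkt-scan-%d" % i) for i in range(10)] + [
    ("worm", "pkt-worm-0"), ("p2p", "pkt-p2p-0"), ("worm", "pkt-worm-1"),
    ("p2p", "pkt-p2p-1"), ("worm", "pkt-worm-2"),
]


def run_monitor_demo(T=5):
    """Replay the same flood in two consecutive windows and return both
    window reports: the first is starved by the scan flood, the second
    delivers the worm and p2p packets in full with the scan rule counted."""
    mon = IntelligentMonitor(T, {"worm": 1, "p2p": 2, "scan": 3})
    reports = []
    for _ in range(2):
        for rule, pkt in SAMPLE_WINDOW:
            mon.trigger(rule, pkt)
        reports.append(mon.end_window())
    return reports
```

The first window shows the failure mode the slide is guarding against: the five full-packet slots are consumed by the scan rule before the worm hits arrive, so the host sees only counters for them. The re-plan demotes the scan rule, and in the second window the same traffic yields full packets for every worm and p2p trigger while the scan rule reports only its count of 10.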
User-level programmability
► User-level programmability
  Define an API to let the user write ad-hoc wire-speed code
  Add user modules to the synthesis flow and share the reduction network
  Architecture provides determinism
  → It either fits or it does not fit in the FPGA
  → It either meets timing or does not meet timing
  → Load/store network processing is much harder to predict
(Figure: FPGA block diagram. Common functions: Layer-1, Memory Interface, Packet Processor, Host Interface and PCI Interface up to the Standard OS and Applications. User Defined modules receive Payload, Offset and Valid signals plus Address/Data/RW memory access, and return Block and Capture decisions into the shared Reduction Network.)

Roadmap
(Timeline from Q4-03 to Q1-07 with the milestones 1G PCI Card, Signature Services, Compiler, 1G Appliance, 10G PCI Card, API, Multiple FPGA 1G and Multiple FPGA 10G. Quarters shown: Q4-03 Q1-04 Q2-04 Q3-04 Q4-04 Q1-05 Q2-05 Q3-05 Q4-05 Q1-06 Q3-06 Q4-06 Q1-07.)

IDS/IPS Demonstration
► Background traffic saturates the line
► Stateful HTTP traffic is added to the background traffic
► Show that the card can capture based on content
  9.6 billion comparisons per second (600 rules x 16 Mpps)
► Show that the card can filter based on content
(Figure: test setup. A Spirent SMB-6000 (labels: Load, CRC) generates the background load; HTTP clients and an HTTP server exchange traffic through the card, which splits all traffic into captured traffic and filtered traffic.)

Summary
► Extremely low latency design enables a wide variety of deployment options
► Leverage open source software
► 1G and 10G available today
► Processing paradigm lends itself to ad-hoc application-level programmability
Livio [email protected]
(408) 399-2284
www.metanetworks.org