Using Snort/Sguil on 10 Gigabit Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • Using Snort/Sguil on 10 Gigabit Networks
  • Livio Ricciulli
  • Chief Security Scientist
  • lricciulli@force10networks.com
  • (408) 835-5005

Supported by the Division of Design, Manufacturing and Industrial Innovation of the
National Science Foundation (Awards 0339343, 0521902) and the Air Force Rome Laboratories.
2
1-10 Gbps Programmable Network Security
  • Open architecture to leverage open source
    software
  • More robust, more flexible, promotes
    composability
  • Hardware acceleration of important network
    applications
  • Abstract hardware as a network interface from the OS
    perspective
  • Retain a high degree of programmability
  • Extend to applications beyond IDS/IPS
  • New threat models (around the corner)
  • Line-speed/low latency to allow integration in
    production networks
  • Unanchored payload string search
  • Support analysis across packets
  • Gracefully handle state exhaustion
  • Hardware support for adaptive information
    management
  • Detailed reporting when reporting bandwidth is
    available
  • Dynamically switch to more compact
    representations when necessary
  • Support the insertion of application-specific
    analysis code in the fast path

3
Available Today
  • P10 PCI Card (10 GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection
    20G-in/20G-out
  • 650 static rule capacity, 65 dynamic rules
    (currently being increased)
  • 8 million concurrent flows
  • P1 PCI Card (GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection
    2G-in/2G-out
  • 1000 static rule capacity, up to 200 dynamic
    (currently being increased)
  • 2 million concurrent flows
  • P1/P10 Appliance
  • 1U host embeds a P1 or P10 PCI card
  • Software and drivers pre-installed and
    pre-configured

4
  • Architecture

5
Product Architecture
(Diagram labels: 100Mb-10Gb PHY; RAM; State: 2-8M Concurrent Flows; L-1; RAM; Latency 1.3 µs;
Read Only FPGA; Packets or Stats; PHY; Dynamic / Static Management; Runtime update;
Synthesis firmware update)
7
  • Firewall and IDS/IPS

8
Firewall IDS/IPS
  • High Performance (> 330K cps, 20 Gbps)
  • Unique level of programmability
  • What is IN and what is OUT?
  • Two organizations sharing each others services
  • Insider attacks
  • Can define stateful policies asymmetrically or
    symmetrically
  • Hardcode part of the policies in hardware
  • Keep software-like flexibility
  • Can code specific policies directly into
    fast-path
  • Layer-1
  • Invisible -- 1.5 µs latency
  • True-line rate (20 Gbps)
  • Drops in and out with NO L2/3 reconfiguration

9
Power Failure
(Diagram: the Reporting / Bypass / CPU path with and without power)
  • No power
  • Stateful in-line → no packet loss, no loss of
    connection state
  • Traditional rerouting → L2/L3 convergence time,
    loss of state

10
OS Upgrade
(Diagram: the Reporting / Bypass / CPU path before and during the upgrade)
  • Soft reboot, OS reconfiguration, change OS
  • Forwarding policies are unaffected, no loss of
    connection state
  • Once the upgrade is over the OS reattaches to the
    forwarding path

11
Policy update
(Diagram: the Reporting / Bypass / CPU path before and during the update)
  • Fast-path reconfiguration (new policies are
    added/deleted)
  • Loading new static policies → open for < 1 s, loss
    of connection state
  • Loading dynamic policies → no loss of state

12
Configuration / Reporting
  • Compile policies off-line
  • Makefile (open Unix CLI environment)
  • Add user code in Fast-path
  • Add Permit and Deny on the fly
  • Immediate action
  • Run any pcap application on interface
  • Use Snort's output plugins → syslog, email,
    packet archive
  • MIB-II Host/Interface Monitoring
  • Disk, Daemons, SNMP traps

13
Testing
  • Need a LOT of equipment to assess
  • Separate test equipment behavior from P10
    behavior
  • DOS scenarios with stateless generation easy
  • Connections/second up to 330k
  • Measured stateful throughput up to 9.5 Gbps
  • Not enough gear to fill up the pipe with stateful
    traffic yet
  • Stateless traffic up to 20 Gbps

14
Snort @ 200 Mb/s
15
Stateful Content Inspection Performance Comparison
16
  • Current API

17
User-level programmability
  • User-level programmability
  • Define API to let user write ad-hoc wire-speed
    code
  • Add user modules to synthesis flow and share
    reduction network
  • Architecture provides determinism
  • It either fits or it does not fit in the FPGA
  • It either meets timing or does not meet timing
  • Load/store network processing much harder to
    predict

(Block diagram labels: Reduction Network; Capture Blocks and User Defined blocks with
Address, Capture, Data, RW, Valid, Offset and Payload signals; Common Functions;
Memory Interface; Packet Processor; Host Interface; Layer-1; PCI Interface;
Applications; Standard OS)
18
  • Hello World!

19
Count Destination Ports with FPGA

  // Dual-port memory indexed by destination port: port 1 is updated from the
  // packet path on clk, port 2 is read by the host on the configuration clock.
  // The slide shows no register declarations; the widths below are assumed.
  reg [7:0]  proto;
  reg [15:0] dstp;
  reg [31:0] newval;
  reg        write;

  memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
             .c2(cnfclk), .a2(address[15:0]), .do2(valout));

  always @(posedge clk) begin
    if (offset == 1) begin
      proto <= data[7:0];                              // Get protocol number
    end else if (offset == 2 && (proto == 6 || proto == 17)) begin
      dstp <= data[31:16];                             // Get destination port if TCP or UDP
    end else if (offset == 4 && dstp != 0) begin
      // 1 cycle later counter is read
      newval <= oldvalout + 1;                         // increment counter
      write <= 1;                                      // write counter
    end else begin
      write <= 0;
    end
  end
20
Reuse existing Open Source
21
IPv6 Security Hardware
  • IPv6 options provide a covert channel
  • Ex. Joe 6 pack (http://people.suug.ch/tgr/misc/j6p-1.0.tar.gz)
    uses the IPv6 Destination option for transport
  • Want to see what IPv6 options are used for (for
    example source routing)
  • Extend hardware payload match semantics to the IPv6
    header
  • Tunneling
  • Want to inspect headers of multiple tunnels

22
Additions to IPv6 API
  • 8-bit parse value indicating which section of
    the packet is being clocked in
      • Unknown
      • IPv4 0x4
      • Payload 0xFE
      • TCP 0x6
      • ICMPv4 0x1
      • UDP 0x11
      • IPv6 41
      • Routing 43
      • Fragment 44
      • Destination 60
      • Authentication 51
      • Security Payload 50
      • ICMPv6 58
      • Hop by Hop 0
  • Counters
      • Tunnel (tcnt) counter
  • Length: offset within the section pointed to by parse
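A software reference model of the parse value and tunnel counter listed above, added here as an illustration and not the P10 firmware or any Force10 code; it assumes 0xFF for the Unknown entry (the slide gives it no value), standard extension-header length encodings, and a constructed 6in4 packet as input:

```python
import struct
# Parse values from slide 22 ("Unknown" has no value on the slide; 0xFF is assumed here)
IPV4, PAYLOAD, TCP, ICMPV4, UDP = 0x4, 0xFE, 0x6, 0x1, 0x11
IPV6, ROUTING, FRAGMENT, DESTINATION = 41, 43, 44, 60
AUTH, ESP, ICMPV6, HOPBYHOP, UNKNOWN = 51, 50, 58, 0, 0xFF
EXT_HDRS = {HOPBYHOP, ROUTING, FRAGMENT, DESTINATION, AUTH}
KNOWN = EXT_HDRS | {IPV4, IPV6, TCP, UDP, ICMPV4, ICMPV6, ESP}

def section_length(code, hdr):
    """Bytes in the section starting at hdr[0]; None means the rest of the packet is opaque."""
    if code == IPV4:      return (hdr[0] & 0xF) * 4
    if code == IPV6:      return 40
    if code == FRAGMENT:  return 8
    if code == AUTH:      return (hdr[1] + 2) * 4   # AH Payload Len: 32-bit words minus 2
    if code in EXT_HDRS:  return (hdr[1] + 1) * 8   # Hop-by-Hop/Routing/Destination: 8-octet units
    if code == TCP:       return (hdr[12] >> 4) * 4
    if code == UDP:       return 8
    return None                                     # ICMP, ESP, payload, unknown

def next_code(code, hdr):
    """Next Header / Protocol field of a section, mapped to the parse value that follows it."""
    if code in (TCP, UDP):
        return PAYLOAD
    nxt = hdr[{IPV4: 9, IPV6: 6}.get(code, 0)]     # extension headers carry Next Header in byte 0
    return nxt if nxt in KNOWN else UNKNOWN

def parse_sections(pkt):
    """Return ([(parse, start, length)], tcnt): the section sequence and the tunnel count."""
    code = {4: IPV4, 6: IPV6}.get(pkt[0] >> 4, UNKNOWN)
    sections, tcnt, off = [], 0, 0
    while off < len(pkt):
        length = section_length(code, pkt[off:])
        if length is None or off + length > len(pkt):
            sections.append((code, off, len(pkt) - off))   # opaque or truncated: consume the rest
            break
        sections.append((code, off, length))
        code = next_code(code, pkt[off:])
        tcnt += code in (IPV4, IPV6)                        # an inner IP header means a tunnel
        off += length
    return sections, tcnt

def build_sample():
    """Constructed 6in4 packet: IPv4 -> IPv6 -> Hop-by-Hop -> Destination opts -> UDP -> 4 data bytes."""
    udp = struct.pack("!HHHH", 1234, 53, 12, 0) + b"\xde\xad\xbe\xef"
    dst_opt = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])           # Next=UDP, ext len 0, one PadN option
    hbh = bytes([DESTINATION, 0, 1, 4, 0, 0, 0, 0])       # Next=Destination options
    inner = hbh + dst_opt + udp
    ip6 = struct.pack("!IHBB", 0x60000000, len(inner), HOPBYHOP, 64) + bytes(32)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(inner), 0, 0, 64,
                      IPV6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip4 + ip6 + inner
```

The offset of any byte within its section (the "Length" value above) is its index minus the section's start in the returned list.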

23
  • Open Source Alert Aggregation (Sguil)

24
Architecture
(Diagram labels: Sguil Client; Sensors running Snort, Barnyard, Sancp, P0F and TCPFlow;
Sguild; MySQL Alerts Database; Internet lookups to DNS, Whois Database, DShield Database
and Snort Database)
25
Sguil Aggregation and Analysis
(Screenshot annotations: Real time Snort Events; Who is knocking on who?; Why did we trigger?)
26
Analysis support
(Screenshot annotations: Blow the stack; Glue Code; Overwrite Password; Recognize the attack;
Did the overflow make it?)
27
You are not alone: one Sguil click..
(Screenshot: Snort Database and DShield Database lookups)
28
Summary
  • Extremely low latency design enables a wide
    variety of deployment options
  • Leverage Open Source software
  • 1G and 10G available today
  • Processing paradigm lends itself to ad-hoc
    application level programmability
  • Livio Ricciulli
  • livio@force10networks.com
  • (408) 835-500

29
Thank You