The Meta Traffic Processor*
Demonstration of 10 Gbps IDS/IPS
Livio Ricciulli, [email protected], (408) 399-2284
Joint Techs 2005
Metanetworks Inc., 647 N. Santa Cruz Suite E, Los Gatos, CA 95030. Voice: (408) 399-2284, Fax: (408) 356-9446
*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award #0339343) and the Air Force Rome Laboratories.

Brief History
► Active Networks (DARPA Program)
  Change the behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc.)
  → Discrete: update the network through separate management operations
  → Integrated: packets cause the network to update itself
  Broad scope did not result in industry adoption
  → Lack of a "killer application"
  → Lack of tight industry interaction
  → Tried to change too much too soon
► Metanetworks' bottom-up approach
  Achieve programmability while reusing the current infrastructure
  Augment networks with new, non-invasive technology
  Application-driven rather than design-driven
  Work closely with users/operators
  Revisit the hardware computational model
1-10 Gbps IDS/IPS Hardware
► Open architecture to leverage open source software
  More robust, more flexible, promotes composability
  Directly support Snort signatures
  Abstract the hardware as a network interface from the OS perspective
► Retain a high degree of programmability
  New threat models (around the corner)
  Extend to applications beyond IDS/IPS
► Line speed / low latency to allow integration in production networks
  Unanchored payload string search
  Support analysis across packets
  Gracefully handle state exhaustion
► Hardware support for adaptive information management
  Detailed reporting when reporting bandwidth is available
  Dynamically switch to more compact representations when necessary
  Support the insertion of application-specific analysis code in the fast path

If You Cannot Measure It, You Cannot Manage It
► Knowing what is in your network is very important
  Catch misuses, both incoming and outgoing
  FBI says that effective network monitoring (not even IDS) is among the top 3 most important things to do
  Who is using the bandwidth, and how
► Decentralization
  Cannot find out what the traffic is unless you do content inspection
  Many p2p applications randomly change ports (VOIP)
  Key exchanges need to be monitored
  Would like to know what applications are doing
► High Speed, High Complexity
  1G and 10G make content inspection a challenge
  Hardware/software co-design is a must

Flynn's Computer Taxonomy
[Figure: the four Flynn classes (SISD, SIMD, MIMD, MISD) drawn as processors P0..Pn with instruction, data and memory paths, annotated with the packet-inspection steps: get packet, compare to rules, reduction network, alert]
MISD Programmable Hardware Block
[Figure: FPGA block; a data stream (receive clock, data valid) feeds rules R1, R2, ..., Rn in parallel; a reduction network and stateful analysis combine their results into match memory and a host interface]

Monitoring System
[Figure: two PHYs; the RxData/RxEnable signals of each direction are gated (AND) by Block Direction 1 and Block Direction 2 before forwarding]

100Mb-10Gb Cost-effective & Powerful
[Figure: PHY + RAM + FPGA board with Layer-1 read-only block state; a web-based signature management service over the Internet feeds the IPS/IDS: static policies via synthesis + firmware update, dynamic policies via compilation + runtime update]

Up to 6 cards/box
[Figure: chassis with PCI cards, each carrying PHY, FPGA and SRAM, running Snort IDS/IPS]

Content Inspection Performance Comparison
[Figure: percentage of alert loss (-20% to 100%) versus offered load in Mbps (0 to 3000) for the darpa, web1 and web2 traces, each with and without MTP]
Static analysis of a large number of IDS signatures
► Transform Snort rules or BPF expressions into a low-level declarative language
► Extract fine-grain parallelism across thousands of signatures
  Define independent FSMs, each implementing a signature
  Share comparison logic across multiple FSMs
► Synthesizer further optimizes
  Merge multiple FSMs sharing intermediate states
  Eliminate redundant rules
[Figure: FSMs for the strings MATCHTHIS and CATCHTHISONE built from byte comparators (CA, MA, TC, HT, HI, S, SO, NE) joined by AND gates, sharing the comparators for the common substring]

Some Rule Compression Results
[Figure: component counts (0 to 8000) versus number of Snort rules (0 to 1500); series: Comp, Edges, Comp saved]

[Figure: three deployment diagrams: Inline IDS/IPS behind a router/switch, Passive IDS/IPS on a mirror port, and Multiple Mirrors feeding other passive devices]
Inline IDS/IPS
  → Use it for IPS or just to eliminate a TAP
  → Chain multiple cards
Passive IDS/IPS
  → Traditional passive monitoring
  → Up to 6 cards per host
Multiple Mirrors
  → Extend passive capacity
  → Can hang multiple passive devices off 1 TAP or Mirror

Layer-1 "T" Junction
Each row pair is one configuration of the ICMP and ICMP Echo rules; C = capture, B = block.

| Rule      | C | B | Capture                      | Output                       |
|-----------|---|---|------------------------------|------------------------------|
| ICMP      | 1 | 0 | All ICMP                     | All ICMP                     |
| ICMP Echo | 1 | 0 |                              |                              |
| ICMP      | 1 | 0 | All ICMP                     | All ICMP that is not an Echo |
| ICMP Echo | 1 | 1 |                              |                              |
| ICMP      | 1 | 0 | All ICMP that is not an Echo | All ICMP that is not an Echo |
| ICMP Echo | 0 | 1 |                              |                              |
| ICMP      | 1 | 0 | All ICMP that is not an Echo | All ICMP                     |
| ICMP Echo | 0 | 0 |                              |                              |
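As an added illustration (not Metanetworks' compiler, whose FSM representation the deck does not show), the Python below compiles a few constructed Snort-style content strings into per-signature chain FSMs and then applies the optimisations named on the static-analysis slide: one comparator per distinct byte shared across all FSMs, merging of FSMs that share intermediate states along a common prefix, and elimination of duplicate rules, followed by an unanchored scan in which every byte may start a match. The signatures, the trie representation and the offset convention are this example's assumptions.

```python
from collections import defaultdict

# Constructed sample rules; sid4 duplicates sid1 to show redundancy elimination.
SIGNATURES = {"sid1": b"MATCHTHIS", "sid2": b"CATCHTHISONE",
              "sid3": b"CATCHTHAT", "sid4": b"MATCHTHIS"}

def compile_signatures(sigs):
    """Return (trie nodes, accepting states, component statistics)."""
    # Eliminate redundant rules: identical content compiles to a single FSM.
    unique = {}
    for sid, content in sigs.items():
        unique.setdefault(content, sid)
    # Independent chain FSMs need one state and one byte comparator per byte.
    independent = sum(len(c) for c in unique)
    # Every FSM watches the same data stream (MISD), so one comparator per
    # distinct byte value can feed all the FSMs that test for that byte.
    shared = len({b for c in unique for b in c})
    # Merge FSMs sharing intermediate states: a common prefix becomes one path.
    nodes = [{}]                # node id -> {byte: child id}; 0 is the root
    accept = defaultdict(list)  # node id -> rule ids that match there
    for content, sid in unique.items():
        node = 0
        for b in content:
            if b not in nodes[node]:
                nodes[node][b] = len(nodes)
                nodes.append({})
            node = nodes[node][b]
        accept[node].append(sid)
    stats = {"rules": len(sigs), "unique_rules": len(unique),
             "comparators": independent, "shared_comparators": shared,
             "comp_saved": independent - shared,
             "states_before_merge": independent,
             "states_after_merge": len(nodes) - 1}
    return nodes, accept, stats

def scan(nodes, accept, payload):
    """Unanchored payload search: a new FSM instance starts at the root on
    every byte and all live instances advance in lockstep."""
    hits, active = [], set()
    for offset, b in enumerate(payload):
        active.add(0)
        nxt = set()
        for node in active:
            child = nodes[node].get(b)
            if child is not None:
                nxt.add(child)
                hits.extend((sid, offset + 1) for sid in accept.get(child, ()))
        active = nxt
    return hits  # (rule id, offset just past the match)
```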
Native IDS Acceleration
► Wire-speed capture of interesting flows
  Capture flows with specific bad signatures
  Pass flows known to be good
  → ISO image transfers, data files
► Open source IDS/monitoring tools
  Snort, Bro
[Figure: all traffic enters the card; bad traffic (and, optionally, all traffic) goes to the CPU]

Native IDS/IPS
► Wire-speed filtration of a subset of known bad packets
  Worms, viruses, rootkits
► Open source IDS/monitoring tools
  Snort, Bro to inspect bad traffic
► Dynamically add signatures
  "Lock down" while patching
► Filter DDoS streams before the bottleneck
[Figure: all traffic enters the card; good traffic continues to the firewall or switch, bad traffic goes to the CPU]

Transparent IDS Acceleration
► Wire-speed capture and filtration of good flows
  Capture flows known to be good for archiving
  → ISO image transfers, data files, etc.
► Other IDS/monitoring appliances only receive a fraction of the traffic
[Figure: all traffic enters the card; unknown traffic goes to the other IDS, good traffic (optionally) to the CPU]

Redundant IDS
► Wire-speed capture of suspected flows
  Capture flows with specific bad signatures
  Pass and filter flows known to be good
  → ISO image transfers, data files
► Open source IDS/monitoring tools
  Snort, Bro
[Figure: all traffic enters the card; all or unknown traffic goes to the other IDS, bad traffic goes to the CPU, and the two outputs are correlated]

[Figure: stateful matching: packets are temporarily stored in a linked list; on a stateful match, the packets are captured from the linked list]
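The capture/block semantics of the Layer-1 "T" junction table, as an added example rather than Metanetworks' own logic: each rule carries a C (capture) and B (block) bit and, consistent with the four table cases, the most specific matching rule decides a packet's fate, while unmatched traffic passes untouched. The sample packets, the use of ICMP types 8 and 0 for "Echo", and the rule representation are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample traffic: (name, protocol, ICMP type or None).
SAMPLE = [("echo-request", "ICMP", 8), ("echo-reply", "ICMP", 0),
          ("dest-unreachable", "ICMP", 3), ("tcp-syn", "TCP", None)]
ECHO_TYPES = frozenset({8, 0})  # echo request and echo reply (assumed)

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    icmp_types: Optional[frozenset]  # None matches every type of the protocol
    capture: int                     # C bit from the table
    block: int                       # B bit from the table

    def matches(self, pkt):
        _, proto, icmp_type = pkt
        if proto != self.proto:
            return False
        return self.icmp_types is None or icmp_type in self.icmp_types

    def specificity(self):
        # A rule that constrains the ICMP type is more specific than one that
        # matches the whole protocol; the most specific match decides.
        return 0 if self.icmp_types is None else 1

def junction(rules, packets):
    """Return (captured, output): what the capture path and the wire see."""
    captured, output = [], []
    for pkt in packets:
        hits = [r for r in rules if r.matches(pkt)]
        if hits:
            rule = max(hits, key=Rule.specificity)
            if rule.capture:
                captured.append(pkt)
            if rule.block:
                continue  # blocked: never reaches the output port
        output.append(pkt)  # unmatched traffic always passes through
    return captured, output

def table_case(echo_c, echo_b):
    """One row pair of the slide's table: ICMP C=1 B=0 plus ICMP Echo C/B."""
    rules = [Rule("ICMP", "ICMP", None, 1, 0),
             Rule("ICMP Echo", "ICMP", ECHO_TYPES, echo_c, echo_b)]
    captured, output = junction(rules, SAMPLE)
    return [p[0] for p in captured], [p[0] for p in output]
```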
Each packet can be Captured and/or Blocked

10Gbps Information Bandwidth Management
► Host bandwidth is << fast-path bandwidth
  Flooding cannot be used to compromise blocking capability
  → FP rate in blocking when state is exhausted
  Flooding can be exploited to reduce the efficacy of monitoring
► Need to find the needle in a haystack, but must cope with a flood of packets
  Hardware stateful analysis (implemented)
  Intelligent monitoring
  Application-level programmability (implemented)

Intelligent Monitoring (work in progress)
[Figure: rules 1, 2, 3, 4, 5, ..., n in priority order; the trigger count is checked against T (> T?); past the threshold, switch off lower-priority rules and report the number of triggers only, NOT the entire packet]
T = maximum amount of alerts tolerable

User-level Programmability
► Define an API to let the user write ad hoc wire-speed code
► Add user modules to the synthesis flow and share the reduction network
► Architecture provides determinism
  → It either fits or it does not fit in the FPGA
  → It either meets timing or it does not meet timing
  → Load/store network processing is much harder to predict
[Figure: FPGA with common functions (host interface, memory interface, packet processor, Layer-1, PCI interface), a reduction network, capture blocks and user-defined blocks (address/data RW, payload/valid/offset); applications run on a standard OS over the host interface]
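An added example (not the Metanetworks firmware) of the intelligent-monitoring idea from the slide above: T caps the full alerts forwarded to the host per reporting window, and once the budget is spent, lower-priority rules fall back to reporting trigger counts instead of whole packets, so a flood cannot starve the high-priority alerts. The rule priorities, the window mechanics and the "keep" depth are assumptions of this example.

```python
from collections import Counter

# Constructed rule priorities (1 = most important) and one window of triggers:
# a port-scan rule floods while a worm rule and a p2p rule fire once each.
PRIORITIES = {"sid_worm": 1, "sid_p2p": 2, "sid_scan": 3}
EVENTS = ([("sid_scan", f"scan-pkt{i}") for i in range(4)]
          + [("sid_worm", "worm-pkt")]
          + [("sid_scan", f"scan-pkt{i}") for i in range(4, 8)]
          + [("sid_p2p", "p2p-pkt")])

class IntelligentMonitor:
    def __init__(self, priorities, T, keep=1):
        self.priorities = priorities  # rule id -> priority, 1 = most important
        self.T = T                    # maximum full alerts tolerable per window
        self.keep = keep              # priorities <= keep always report in full
        self.full_sent = 0
        self.degraded = False
        self.counts = Counter()

    def trigger(self, rule, packet):
        """Return a full alert (rule + packet), or None if only counted."""
        if self.full_sent >= self.T:
            self.degraded = True      # budget spent: compact mode until reset
        if self.degraded and self.priorities[rule] > self.keep:
            self.counts[rule] += 1    # lower-priority rule: count, no packet
            return None
        self.full_sent += 1
        return {"rule": rule, "packet": packet}

    def end_window(self):
        """Emit the compact summary for the window and reset the budget."""
        summary = {"full_alerts": self.full_sent, "degraded": self.degraded,
                   "trigger_counts": dict(self.counts)}
        self.full_sent, self.degraded, self.counts = 0, False, Counter()
        return summary

def run_window(monitor, events):
    """Feed one window of (rule, packet) triggers; return (alerts, summary)."""
    alerts = [a for a in (monitor.trigger(r, p) for r, p in events) if a]
    return alerts, monitor.end_window()
```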
Roadmap
[Figure: timeline from Q4-03 to Q1-07 with milestones: 1G PCI Card, Compiler, API, Signature Services, 1G Appliance, 10G PCI Card, Multiple FPGA 1G, Multiple FPGA 10G]

IDS/IPS Demonstration
► Background traffic saturates the line
► Stateful HTTP traffic added to the background traffic
► Show that we can capture based on content
  9.6 billion comparisons per second (600 rules x 16 Mpps)
► Show that we can filter based on content
[Figure: HTTP clients and a Spirent SMB-6000 load generator send all traffic through the card; filtered traffic reaches the HTTP server, captured traffic goes to a box labelled CRC]

Summary
► Extremely low latency design enables a wide variety of deployment options
► Leverage open source software
► 1G and 10G available today
► Processing paradigm lends itself to ad hoc application-level programmability

Livio Ricciulli, [email protected], (408) 399-2284, www.metanetworks.org