1 / 8

Scaling Out CERN's IDS with Network Automation

Addressing the growing traffic entering CERN through enhanced IDS automation for security and analysis. Leveraging event-driven, modular automation for scalable and efficient network monitoring. Improved vendor support and deployment readiness for a robust solution.

fullerj
Download Presentation

Scaling Out CERN's IDS with Network Automation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scaling-out CERN’sIDSwithNetwork Automation Openlab Lightning Talk 2019 Andrea Lacava Author: • Openlab Collaborator: ExtremeNetworks • https://www.extremenetworks.com/ • Supervisors: Stefan Stancu, Edoardo Martelli August 2019 andrea.lacava@cern.ch | thecave003@gmail.com

  2. The problem: Keep CERN traffic safe The volume of traffic entering and leaving CERN is growing continuously More than 100 Gbit/s incoming and outgoing traffic More than 1 Million simultaneous connections • Traffic needs to beinspected and analyzed in order to ensuresecurity • Wealready have an IDS (Intrusion DetectionSystem) • Thanks to the openlab projectwithExtreme Networks Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  3. Current setup – Limited scalability EFO-Bro integration (plugin) Configure Monitor SLX 9540 Load balance Aggregate mirrored traffic IDS(Servers running Bro) Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  4. aka "IFTTT for Ops" Event-driven automation engine Open source & Python friendly Enables If This Then That paradigm for (Dev)Ops Modular: users can develop their own Packs. • Pack: A set of Rules triggered by Events that runs Actions } if an IDS server needs maintenance then take it out from the network load balancer Actions implemented in CERN IDS Pack if a known traffic type saturates the IDS server then track only connection initiation and termination Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  5. The solution Multiplevendorsupport for the IDS Stackstorm pack Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  6. New setup – scalable EFO-Bro integration (plugin) Configure Monitor QFX10002-72Q Aggregate mirrored traffic SLX 9540 Load balance IDS(Servers running Bro) Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  7. My contribution • Redesign of the existingCERN IDS Pack • Added abstraction layer for multiple vendor support Made good pasta for more than 15 Openlab Students "Scalable and delicious" (cit.) • Refactoring of the existing Actions code for the SLX platform • More than 1000 lines of code reviewed and adapted • Implementation of the same Actions for the QFX platform • Alsoreported a deploymentrelated bug in the StackStorm pack engine • Fullyfunctional prototype using the QFX platform • Production deploymentforeseen for Q4 2019 Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

  8. Questions? andrea.lacava@cern.ch | thecave003@gmail.com thecave3.github.io/ | www.andrealacava.com Scaling-out CERN’s IDS withNetwork Automation | Andrea Lacava

More Related