Using Snort/Sguil on 10 Gigabit Networks Livio Ricciulli Chief Security Scientist lricciulli@force10networks.com (408) 835-5005. Rome Laboratories.
*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories.
1-10 Gbps Programmable Network Security
• Open architecture to leverage open source software
• More robust, more flexible, promotes composability
• Hardware acceleration of important network applications
• Abstract hardware as a network interface from the OS perspective
• Retain a high degree of programmability
• Extend to applications beyond IDS/IPS
• New threat models (around the corner)
• Line-speed/low latency to allow integration in production networks
• Unanchored payload string search
• Support analysis across packets
• Gracefully handle state exhaustion
• Hardware support for adaptive information management
• Detailed reporting when reporting bandwidth is available
• Dynamically switch to more compact representations when necessary
• Support the insertion of application-specific analysis code in the fast path
Available Today
• P10 PCI Card (10 GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection; 20G-in/20G-out
  • 650 static rule capacity; 65 dynamic rules (currently being increased)
  • 8 million concurrent flows
• P1 PCI Card (GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection; 2G-in/2G-out
  • 1000 static rule capacity; up to 200 dynamic (currently being increased)
  • 2 million concurrent flows
• P1/P10 Appliance
  • 1U host embeds a P1 or P10 PCI card
  • Software and drivers pre-installed and pre-configured
Product Architecture
[Block diagram. Labels: 100Mb-10Gb PHY (two), FPGA, RAM, State, 2-8M Concurrent Flows, L-1, Latency ~ 1.3 μs, Read Only, Packets or Stats, Management (Dynamic, Static), Runtime update, Synthesis + firmware update]
Firewall IDS/IPS
• High Performance (> 330K cps; 20 Gbps)
• Unique level of programmability
• What is IN and what is OUT?
• Two organizations sharing each other’s services
• Insider attacks
• Can define stateful policies asymmetrically or symmetrically
• Hardcode part of the policies in hardware
• Keep software-like flexibility
• Can code specific policies directly into fast-path
• Layer-1
• Invisible -- 1.5 µs latency
• True line rate (20 Gbps)
• Drops in and out with NO L2/3 reconfiguration
Power Failure
[Diagram labels: Reporting, Bypass, CPU]
• No power
• Stateful in-line: no packet loss; no loss of connection state
• Traditional rerouting: L2/L3 convergence time; loss of state
OS Upgrade
[Diagram labels: Reporting, Bypass, CPU]
• Soft reboot, OS reconfiguration, change OS
• Forwarding + policies are unaffected; no loss of connection state
• Once upgrade is over, OS reattaches to forwarding path
Policy update
[Diagram labels: Reporting, Bypass, CPU]
• Fast-path reconfiguration (new policies are added/deleted)
• Loading new static policies: open for < 1s; loss of connection state
• Loading dynamic policies: no loss of state
Configuration + Reporting
• Compile policies off-line
• Makefile (open Unix CLI environment)
• Add user code in fast-path
• Add Permit and Deny on the fly
• Immediate action
• Run any pcap application on interface
• Use Snort’s output plugins: syslog, email, packet archive
• MIB-II Host/Interface Monitoring
• Disk, Daemons, SNMP traps
Testing
• Need a LOT of equipment to assess
• Separate test equipment behavior from P10 behavior
• DoS scenarios with stateless generation easy
• Connections/second up to 330k
• Measured stateful throughput up to 9.5 Gbps
• Not enough gear to fill up the pipe with stateful traffic yet
• Stateless traffic up to 20 Gbps
User-level programmability
• Define API to let user write ad-hoc wire-speed code
• Add user modules to synthesis flow and share reduction network
• Architecture provides determinism
• It either fits or it does not fit in the FPGA
• It either meets timing or does not meet timing
• Load/store network processing much harder to predict
[Diagram labels: FPGA, Block, Reduction Network, Capture, User Defined, Address, Data, RW, Valid, Offset, Payload, Common Functions, Memory Interface, Packet Processor, Host Interface, Layer-1, PCI Interface, Applications, Standard OS]
Count Destination Ports with FPGA

    memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
               .c2(cnfclk), .a2(address[15:0]), .do2(valout));

    always @(posedge clk) begin
        if (offset == 1) begin
            proto <= data[7:0];          // Get protocol number
        end else if (offset == 2 && (proto == 06 || proto == 17)) begin
            dstp <= data[31:16];         // Get destination port if TCP or UDP
        end else if (offset == 4 && dstp != 0) begin
            // 1 cycle later counter is read
            newval <= oldvalout + 1;     // Increment counter
            write <= 1;                  // Write counter
        end else begin
            write <= 0;
        end
    end
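A host-side reference model of the destination-port counter above, for cross-checking hardware counters against captured traffic. This is an added example, not code from the presentation or the product; it assumes raw IPv4 packets with no link-layer header, and `count_dst_port`, `get_count` and `make_pkt` are names made up here. It additionally honours the IPv4 header length (options) and skips non-first fragments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t port_count[65536];   /* one counter per destination port */

/* Count one raw IPv4 packet; returns the port counted, or -1 if skipped. */
int count_dst_port(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                               /* truncated or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;    /* header length incl. options */
    if (ihl < 20 || len < ihl + 4)
        return -1;                               /* bad IHL or ports missing */
    if (pkt[9] != 6 && pkt[9] != 17)
        return -1;                               /* TCP and UDP only, as on the slide */
    if (((pkt[6] << 8) | pkt[7]) & 0x1fff)
        return -1;                               /* non-first fragment: no L4 header */
    uint16_t dstp = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    if (dstp == 0)
        return -1;                               /* slide code also requires dstp != 0 */
    port_count[dstp]++;
    return dstp;
}

uint32_t get_count(uint16_t port) { return port_count[port]; }

/* Constructed sample input: IPv4 header of ihl_words*4 bytes plus 4 port bytes. */
size_t make_pkt(uint8_t *buf, uint8_t ihl_words, uint8_t proto,
                uint16_t frag_off, uint16_t dstp)
{
    size_t ihl = (size_t)ihl_words * 4;
    memset(buf, 0, ihl + 4);
    buf[0] = (uint8_t)(0x40 | ihl_words);
    buf[6] = (uint8_t)(frag_off >> 8);
    buf[7] = (uint8_t)(frag_off & 0xff);
    buf[9] = proto;
    buf[ihl + 2] = (uint8_t)(dstp >> 8);
    buf[ihl + 3] = (uint8_t)(dstp & 0xff);
    return ihl + 4;
}

int main(void)
{
    uint8_t b[64];
    int port = count_dst_port(b, make_pkt(b, 6, 17, 0, 53)); /* UDP/53 after options */
    printf("counted port %d, total %u\n", port, (unsigned)get_count(53));
    return 0;
}
```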
Architecture
[Diagram. Labels: Sguil Client, Sguild, Sensors, Snort, Barnyard, Sancp, TCPFlow, P0F, MySQL Alerts Database, Internet, DNS, Whois Database, DShield Database, Snort Database]
Sguil Aggregation and Analysis
[Screenshot callouts: Real time Snort Events; Who is knocking on who?; Why did we trigger?]
Analysis support
[Screenshot callouts: Blow the stack; Glue Code; Overwrite Password; Recognize the attack; Did the overflow make it?]
You are not Alone; One Sguil click..
[Screenshot labels: Snort Database; DShield Database]
Summary
• Extremely low latency design enables a wide variety of deployment options
• Leverage Open Source software
• 1G and 10G available today
• Processing paradigm lends itself to ad-hoc application level programmability
Livio Ricciulli livio@force10networks.com (408) 835-500