Using Snort/Sguil on 10 Gigabit Networks Livio Ricciulli Chief Security Scientist



  1. Using Snort/Sguil on 10 Gigabit Networks Livio Ricciulli Chief Security Scientist lricciulli@force10networks.com (408) 835-5005 Rome Laboratories *Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories.

  2. 1-10 Gbps Programmable Network Security
  • Open architecture to leverage open source software
  • More robust, more flexible, promotes composability
  • Hardware acceleration of important network applications
  • Abstract the hardware as a network interface from the OS perspective
  • Retain a high degree of programmability
  • Extend to applications beyond IDS/IPS
  • New threat models (around the corner)
  • Line-speed/low latency to allow integration in production networks
  • Unanchored payload string search
  • Support analysis across packets
  • Gracefully handle state exhaustion
  • Hardware support for adaptive information management
  • Detailed reporting when reporting bandwidth is available
  • Dynamically switch to more compact representations when necessary
  • Support the insertion of application-specific analysis code in the fast path

  3. Available Today
  • P10 PCI Card (10 GbE interface)
    • High speed PCI card in 1U chassis
    • Wire-speed stateful deep packet inspection; 20G-in/20G-out
    • 650 static rule capacity, 65 dynamic rules (currently being increased)
    • 8 million concurrent flows
  • P1 PCI Card (GbE interface)
    • High speed PCI card in 1U chassis
    • Wire-speed stateful deep packet inspection; 2G-in/2G-out
    • 1000 static rule capacity, up to 200 dynamic (currently being increased)
    • 2 million concurrent flows
  • P1/P10 Appliance
    • 1U host embeds a P1 or P10 PCI card
    • Software and drivers pre-installed and pre-configured

  4. Architecture

  5. Product Architecture (block diagram; labels recovered from the figure): 100Mb-10Gb PHY; FPGA; PHY; RAM State: 2-8M Concurrent Flows; L-1 RAM Latency ~ 1.3 μs; Read Only; Packets or Stats; Dynamic Management: Runtime update; Static: Synthesis + firmware update

  6. Firewall and IDS/IPS

  7. Firewall IDS/IPS
  • High performance (> 330K cps; 20 Gbps)
  • Unique level of programmability
  • What is IN and what is OUT?
  • Two organizations sharing each other's services
  • Insider attacks
  • Can define stateful policies asymmetrically or symmetrically
  • Hardcode part of the policies in hardware
  • Keep software-like flexibility
  • Can code specific policies directly into the fast path
  • Layer-1
  • Invisible: 1.5 µs latency
  • True line rate (20 Gbps)
  • Drops in and out with NO L2/3 reconfiguration

  8. Power Failure
  (Diagram labels: Reporting, Bypass, CPU; "No power")
  • Stateful in-line → no packet loss; no loss of connection state
  • Traditional rerouting → L2/L3 convergence time; loss of state

  9. OS Upgrade
  (Diagram labels: Reporting, Bypass, CPU)
  • Soft reboot, OS reconfiguration, change OS
  • Forwarding + policies are unaffected; no loss of connection state
  • Once the upgrade is over, the OS reattaches to the forwarding path

  10. Policy update
  (Diagram labels: Reporting, Bypass, CPU)
  • Fast-path reconfiguration (new policies are added/deleted)
  • Loading new static policies → open for < 1 s; loss of connection state
  • Loading dynamic policies → no loss of state

  11. Configuration + Reporting
  • Compile policies off-line
  • Makefile (open Unix CLI environment)
  • Add user code in the fast path
  • Add Permit and Deny on the fly
  • Immediate action
  • Run any pcap application on the interface
  • Use Snort's output plugins → syslog, email, packet archive
  • MIB-II host/interface monitoring
  • Disk, daemons, SNMP traps

  12. Testing
  • Need a LOT of equipment to assess
  • Separate test equipment behavior from P10 behavior
  • DoS scenarios with stateless generation are easy
  • Connections/second up to 330k
  • Measured stateful throughput up to 9.5 Gbps
  • Not enough gear to fill up the pipe with stateful traffic yet
  • Stateless traffic up to 20 Gbps

  13. Snort @ 200Mbs

  14. Stateful Content Inspection Performance Comparison

  15. Current API

  16. User-level programmability
  • User-level programmability
  • Define an API to let the user write ad-hoc wire-speed code
  • Add user modules to the synthesis flow and share the reduction network
  • Architecture provides determinism
  • It either fits or it does not fit in the FPGA
  • It either meets timing or does not meet timing
  • Load/store network processing is much harder to predict
  (Block diagram labels: FPGA; Block, Block, User Defined, User Defined; Reduction Network; Capture; Address, Capture Data, RW, Valid, Offset, Valid Payload Offset, Payload; Common Functions; Memory Interface; Packet Processor; Host Interface; Layer-1; PCI Interface; Applications; Standard OS)

  17. Hello World!

  18. Count Destination Ports with FPGA

```verilog
// Slide 18: count packets per destination port in FPGA memory.
// The module wrapper and signal declarations are assumed (they are not on the
// slide); `memory` is the dual-port RAM instantiated exactly as on the slide.
module count_dst_ports(input wire clk, cnfclk, input wire [31:0] data,
                       input wire [15:0] offset, address, output wire [31:0] valout);
    reg  [7:0]  proto;      // IP protocol number of the current packet
    reg  [15:0] dstp;       // destination port (index into the counter table)
    reg  [31:0] newval;     // incremented counter written back
    reg         write;      // write enable for port 1
    wire [31:0] oldvalout;  // current counter value read from port 1

    // Port 1: per-packet read/increment on clk; port 2: host readout on cnfclk.
    memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
               .c2(cnfclk), .a2(address[15:0]), .do2(valout));

    always @(posedge clk) begin
        if (offset == 1) begin
            proto <= data[7:0];                       // get protocol number
        end else if (offset == 2 && (proto == 6 || proto == 17)) begin
            dstp <= data[31:16];                      // get destination port if TCP or UDP
        end else if (offset == 4 && dstp != 0) begin  // 1 cycle later the counter is read
            newval <= oldvalout + 1;                  // increment counter
            write  <= 1;                              // write counter
        end else begin
            write <= 0;
        end
    end
endmodule
```
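The same "hello world" as a pcap-style software analogue, added here as an example that is not from the presentation or from Force10's code: it parses raw IPv4 packets, takes the destination port only when the protocol is TCP (6) or UDP (17), skips port 0 as the slide's `dstp != 0` check does, and keeps the per-port counter table in a dictionary instead of FPGA memory. The packet builder and all sample packets are constructed here for the demonstration, and the function names are mine.

```python
import struct
from collections import Counter

TCP, UDP = 6, 17  # IP protocol numbers checked by the slide's FPGA code


def ipv4_packet(proto, dst_port, src_port=40000, payload=b""):
    """Build a minimal IPv4 packet whose L4 header starts with src/dst port
    (constructed sample data; TCP and UDP both carry the ports in the first 4 bytes)."""
    ihl = 5
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4_hdr = struct.pack("!HH", src_port, dst_port) + b"\x00" * 4
    return ip_hdr + l4_hdr + payload


def dst_port(pkt):
    """Return the TCP/UDP destination port of an IPv4 packet, or None.
    Mirrors the slide's logic: read the protocol byte, then the port only for TCP/UDP."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length in bytes (options included)
    if ihl < 20 or pkt[9] not in (TCP, UDP) or len(pkt) < ihl + 4:
        return None
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def count_dst_ports(packets):
    """Per-destination-port packet counts, the software version of the FPGA counter table.
    Port 0 is skipped, as in the slide's `dstp != 0` condition."""
    table = Counter()
    for pkt in packets:
        port = dst_port(pkt)
        if port:
            table[port] += 1
    return table


def top_ports(table, n=3):
    """Compact summary: (port, count) pairs, most frequent first."""
    return table.most_common(n)


if __name__ == "__main__":
    # Constructed traffic: two HTTP packets, one DNS, one ICMP (ignored),
    # one TCP packet to port 0 (ignored) and one truncated packet (ignored).
    sample = [ipv4_packet(TCP, 80), ipv4_packet(UDP, 53), ipv4_packet(TCP, 80),
              ipv4_packet(1, 80), ipv4_packet(TCP, 0), b"\x45" + b"\x00" * 5]
    print(top_ports(count_dst_ports(sample)))
```

The `top_ports` summary is the software counterpart of the slide-2 point about switching to a more compact representation when reporting bandwidth is scarce: the full table stays on the sensor and only the heaviest entries are shipped.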

  19. Reuse existing Open Source

  20. Open Source Alert Aggregation (Sguil)

  21. Architecture (diagram labels): Sensors running Snort, Sancp, P0F, TCPFlow and Barnyard → Sguild → MySQL Alerts Database → Sguil Client; external lookups over the Internet: DNS, Whois Database, DShield Database, Snort Database

  22. Sguil Aggregation and Analysis
  • Real time Snort events
  • Who is knocking on whom?
  • Why did we trigger?
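A small illustration of the two questions on this slide, added here as an example that is neither from the presentation nor from the Sguil project: it parses Snort alerts written in Snort's `alert_fast` output format, answers "who is knocking on whom" by counting source/destination pairs, and answers "why did we trigger" by grouping alerts per signature id with their message and priority. The alert lines are constructed (documentation addresses, made-up signature ids), and the regular expression and function names are mine.

```python
import re
from collections import Counter, defaultdict

# Snort "alert_fast" line layout: timestamp, [**] [gid:sid:rev] msg [**],
# optional classification and priority, {proto} src[:port] -> dst[:port].
# The regex and group names are mine; the format is Snort's.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real Snort output; sids 2000001-2000003 are made up).
SAMPLE_ALERTS = """\
07/12-14:03:21.101010  [**] [1:2000001:1] CONSTRUCTED web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
07/12-14:03:22.202020  [**] [1:2000001:1] CONSTRUCTED web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51235 -> 192.0.2.10:80
07/12-14:03:25.303030  [**] [1:2000002:3] CONSTRUCTED overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51240 -> 192.0.2.11:445
07/12-14:04:01.404040  [**] [1:2000003:2] CONSTRUCTED ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
this line is not an alert and is skipped
"""


def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are dropped."""
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if m:
            yield m.groupdict()


def who_is_knocking(alerts):
    """Counts of (src, dst) pairs: the 'who is knocking on whom' view."""
    return Counter((a["src"], a["dst"]) for a in alerts)


def why_did_we_trigger(alerts):
    """Per signature id: the rule message, its priority and how often it fired."""
    per_sid = defaultdict(lambda: {"msg": None, "priority": None, "count": 0})
    for a in alerts:
        entry = per_sid[a["sid"]]
        entry["msg"] = a["msg"]
        entry["priority"] = a["prio"]
        entry["count"] += 1
    return dict(per_sid)


if __name__ == "__main__":
    alerts = list(parse_alerts(SAMPLE_ALERTS))
    for (src, dst), n in who_is_knocking(alerts).most_common():
        print(f"{src} -> {dst}: {n} alert(s)")
    for sid, info in why_did_we_trigger(alerts).items():
        print(f"sid {sid}: {info['msg']} (priority {info['priority']}, x{info['count']})")
```

Grouping by source/destination pair and by signature is what lets an analyst tell a single noisy scanner from many distinct attackers, and a rule that fires constantly (a tuning problem) from a rare high-priority hit that deserves the packet-level look shown on the next slides.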

  23. Analysis support
  (Screenshot callouts: Blow the stack; Glue code; Overwrite password; Recognize the attack; Did the overflow make it?)

  24. You are not alone; one Sguil click..
  (Screenshot labels: Snort Database, DShield Database)

  25. Summary
  • Extremely low latency design enables a wide variety of deployment options
  • Leverage Open Source software
  • 1G and 10G available today
  • Processing paradigm lends itself to ad-hoc application level programmability
  Livio Ricciulli livio@force10networks.com (408) 835-500

  26. Thank You
