Embed Size (px)
Citation preview
1
Using Snort/Sguil on 10 Gigabit NetworksLivio RicciulliChief Security [email protected](408) 835-5005
*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories.
Rome Laboratories
2
Open architecture to leverage open source software– More robust, more flexible, promotes composability– Hardware acceleration of important network applications– Abstract hardware as a network interface from OS prospective
Retain high-degree of programmability – Extend to application beyond IDS/IPS– New threat models (around the corner)
Line-speed/low latency to allow integration in production networks– Unanchored payload string search – Support analysis across packets– Gracefully handle state exhaustion
Hardware support for adaptive information management– Detailed reporting when reporting bandwidth is available– Dynamically switch to more compact representations when necessary– Support the insertion of application-specific analysis code in the fast path
1-10 Gbps Programmable Network Security
3
Available Today
P10 PCI Card (10 GbE interface)– High speed PCI card in 1U
chassis– Wire-speed stateful deep packet
inspection; 20G-in/20G-out– 650 static rule capacity 65
dynamic rules; (currently being increased);
– 8 million concurrent flows P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G-in/2G-out
– 1000 static rule capacity; up to 200 dynamic; (currently being increased);
– 2 million concurrent flows P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured
4
Architecture
5
Product Architecture
Management
Synthesis + firmware update
DynamicStatic
Runtime update
Latency ~ 1.3 μs
100Mb-10Gb2-8M
Concurrent Flow
s
PHY
FPGA
L-1
RAM
RAM
PHY Packetsor Stats
State
Read Only
Block+
6
7
Firewall and IDS/IPS
8
Firewall IDS/IPS
High Performance (> 330K cps; 20 Gbps) Unique level of programmability
– What is IN and what is OUT?– Two organizations sharing each other’s services– Insider attacks
– Can define stateful policies asymmetrically or symmetrically
– Hardcode part of the policies in hardware– Keep software-like flexibility– Can code specific policies directly into fast-path
Layer-1– Invisible -- 1.5 µs latency– True-line rate (20 Gbps)– Drops in and out with NO L2/3 reconfiguration
9
Power Failure
No power– Stateful In-line No packet loss; No
loss of connection state– Traditional rerouting L2/L3
convergence time; loss of state
CPU
Reporting
CPU
ReportingB
ypassB
ypass
10
OS Upgrade
Soft reboot, OS reconfiguration, change OS– Forwarding + policies are unaffected; no loss of connection
state– Once upgrade is over OS reattaches to forwarding path
CPU
Reporting
CPU
ReportingB
ypassB
ypass
11
Policy update
Fast-path reconfiguration (new policies are added/deleted)– Loading new static policies open for < 1s; loss of
connection state– Loading dynamic policies No loss of state
CPU
Reporting
CPU
ReportingB
ypassB
ypass
12
Configuration + Reporting
Compile policies off-line– Makefile (open Unix CLI environment)– Add user code in Fast-path
Add Permit and Deny on the fly– Immediate action
Run any pcap application on interface– Use Snort’s output plugins syslog, email, packet archive
MIB-II Host/Interface Monitoring– Disk, Daemons, SNMP traps
13
Testing
Need a LOT of equipment to assess– Separate test equipment behavior from P10 behavior– DOS scenarios with stateless generation easy
Connections/second up to 330k
Measured stateful throughput up to 9.5 Gbps– Not enough gear to fill up the pipe with stateful traffic yet– Stateless traffic up to 20 Gbps
Connections per Second
Percentage Retries
100,000 0.0059
150,000 0.0053
175,000 0.0060
200,000 0.0061
14
Snort @ 200Mbs
15
Stateful Content Inspection Performance Comparison
Percentage of Alert Loss
-20.00%0.00%
20.00%40.00%60.00%
80.00%100.00%
0 500 1000 1500 2000 2500 3000
Mbps
% o
f a
lert
los
s
darpa no MTP web1 no MTP web2 no MTP
darpa with MTP web1 with MTP web2 with MTP
16
Current API
17
User-level programmability– Define API to let user write ad-
hoc wire-speed code– Add user modules to synthesis
flow and share reduction network
– Architecture provides
determinism
– It either fits or it does not fit in the FPGA
– It either meets timing or does not meet timing
– Load/store network processing much harder to predict
User-level programmability
MemoryInterface
PacketProcessor
HostInterface
UserDefined
AddressData
RW
Payload
Offset
Valid
Payload
Block
Capture
Common Functions
Reduction Network
Block
Capture
PCI Interface
Layer-1
Applications
Standard OS
UserDefined
Offset
Valid
Capture
Payload
Payload
Block
FPGA
18
Hello World!
19
memory mem(.c1(clk),.a1(dstp[15:0]),.di1(newval),.do1(oldvalout),.w(write),.c2(cnfclk),.a2(address[15:0]),.do2(valout));
always@(posedge clk)begin
if(offset==1) beginproto<=data[7:0]; //Get protocol number
end elseif(offset==2 && (proto==06 || proto==17)) begin
dstp<=data[31:16]; //Get destination port if TCP or UDPend else if(offset==4 && dstp!=0) begin //1 cycle later counter is read
newval<=oldvalout+1; //increment counterwrite<=1; //write counter
end else begin
write<=0; end
end
Count Destination Ports with FPGA
20
Reuse existing Open Source
23
Open Source Alert Aggregation (Sguil)
24
Architecture
Mysql Alerts Database
Snort
Snort Barnyard
Sancp
Sguild
TCPFlow
P0F
Sensors
Sguil Client
Internet
DShield Database
SnortDatabase
Whois Database
DNS
25
Sguil Aggregation and Analysis
Who is knocking on who?
Real time Snort Events
Why did we trigger?
26
Analysis support
Did the overflow make it?
Recognize the attack
Blow the stack
Glue Code
Overwrite Password
27
You are not Alone; One Sguil click..
Snort Database
DShield Database
28
Extremely low latency design enables a wide variety of deployment options
Leverage Open Source software 1G and 10G available today Processing paradigm lends itself to ad-hoc application level
programmability
Livio Ricciulli
(408) 835-500
Summary
29
Thank You
