Metanetworks 2005. Metanetworks Inc., 647 N. Santa Cruz Suite E, Los Gatos, CA 95030. Voice: (408) 399-2284, Fax: (408) 356-9446

The Meta Traffic Processor*
1-10 Gbps programmable IDS/IPS
Livio [email protected]
(408) 399-2284
*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award #0339343) and the Air Force Rome Laboratories.
MetaNetworks
► Founded in 1999 by Livio Ricciulli out of SRI International
  → Leading 7 years of Government-funded research
  → Industry patents worth $$$$
► Award-winning DARPA research (SRI, Columbia)
► Spun off Reactive Network Solutions
  › $5M+ VC investments
  › Leading flooding detection and mitigation product
  › Several "early" patent-pending applications
  › Major player in evolving DDoS market consolidation
► Currently dedicated to bringing advanced network processing technology to market
Brief History
► Active Networks (DARPA Program)
  Change the behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc.)
  → Discrete: update the network through separate management operations
  → Integrated: packets cause the network to update itself
  Broad scope did not result in industry adoption
  → Lack of "killer application"
  → Lack of tight industry interaction
  → Tried to change too much too soon
► Metanetworks' bottom-up approach
  Achieve programmability while reusing current infrastructure
  Augment networks with new, non-invasive technology
  Application-driven rather than design-driven
  Work closely with users/operators
  Revisit the hardware computational model
1-10 Gbps IDS/IPS Hardware
► Open architecture to leverage open source software
  More robust, more flexible, promotes composability
  Directly support Snort signatures
  Abstract the hardware as a network interface from the OS perspective
► Retain a high degree of programmability
  New threat models (around the corner)
  Extend to applications beyond IDS/IPS
► Line-speed/low latency to allow integration in production networks
  Unanchored payload string search
  Support analysis across packets
  Gracefully handle state exhaustion
► Hardware support for adaptive information management
  Detailed reporting when reporting bandwidth is available
  Dynamically switch to more compact representations when necessary
  Support the insertion of application-specific analysis code in the fast path
If you Cannot Measure it, You Cannot Manage it
► Knowing what is in your network is very important
  Catch misuses both incoming and outgoing
  The FBI says that effective network monitoring (not even IDS) is in the top 3 most important things to do
  Who or what is using the bandwidth
► Decentralization
  Cannot find out what the traffic is unless you do content inspection
  Many p2p applications randomly change ports (VoIP)
  Key exchanges need to be monitored
  Would like to know what applications are doing
► High Speed, High Complexity
  1G and 10G make content inspection a challenge
  Hardware/Software co-design is a must
  Packet loss is a BIG problem
Flynn's Computer Taxonomy
[Figure: the four Flynn classes (SISD, SIMD, MISD, MIMD) drawn as packet-inspection pipelines: processors and memories, the instruction sequence "get packet, compare to rules, alert" applied to the data stream, and, for the parallel classes, processors P0, P1 ... Pn whose alerts are combined by a reduction network.]
MISD Programmable Hardware
[Figure: an FPGA receives the data stream (data valid, receive clock) and broadcasts it to rule engines R1, R2 ... Rn; their outputs feed a reduction network that drives the Block signal and the match memory. Stateful analysis and a host interface complete the design.]
[Figure: Layer-1 block diagram. Each direction's PHY supplies RxData and RxEnable; an AND gate under control of the monitoring system gates each direction, labelled "Block Direction 1" and "Block Direction 2".]
Cost-effective & Powerful
[Figure: the card sits in line between two PHYs as a Layer-1 read-only tap; the FPGA with its RAM runs the IDS/IPS engine. Static policies are compiled into the design (synthesis + firmware update); dynamic policies are applied by runtime update. Packets and state flow to the host. Labels: Read Only; Block + Fail Close; Latency < 0.5 μs; 100Mb-10Gb; 1-8M concurrent flows; unlabelled values "< 1500" and "< 100"; a web-based signature management service reached over the Internet.]
Up to 6 cards/box
[Figure: a host with two CPUs running Snort IDS/IPS and up to six PCI cards; each card carries a PHY, an FPGA and two SRAM banks.]
Content Inspection Performance Comparison
[Chart: percentage of alert loss (y-axis, 0% to 100%) against offered load in Mbps (x-axis, 0 to 3000) for three traces (darpa, web1, web2), each run without the MTP and with the MTP.]
Static analysis of large number of IDS signatures
[Figure: per-signature state machines for example strings such as "MATCH THIS" and "CATCH THIS ONE", built from character comparators shared between the machines and joined by AND/OR logic.]
► Transform Snort rules or BPF expressions into a low-level declarative language
► Extract fine-grain parallelism across thousands of signatures
  Define independent FSMs, each implementing a signature
  Share comparison logic across multiple FSMs
► Synthesizer further optimizes
  Merge multiple FSMs sharing intermediate states
  Eliminate redundant rules
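The FSM sharing described above, as an added Python example that is not the Metanetworks synthesizer's code: constructed signature strings are first costed as independent FSMs (one state and one comparator per byte), then merged into a single automaton so that common prefixes share states and each distinct byte value needs only one comparator; the merged automaton (an Aho-Corasick construction, which is an assumption about how the merging works) then performs an unanchored search over a constructed payload.

```python
from collections import deque

def independent_fsms(sigs):
    """Cost of one FSM per signature, each with its own comparator per state."""
    n = sum(len(s) for s in sigs)
    return {"states": n, "edges": n, "comparators": n}

def build_merged(sigs):
    """Merge the per-signature FSMs into one automaton: shared prefixes become
    shared states and failure links make the search unanchored."""
    trans, out = [{}], [set()]            # state -> {byte: next}, state -> hits
    for s in sigs:
        node = 0
        for ch in s:
            if ch not in trans[node]:
                trans[node][ch] = len(trans)
                trans.append({})
                out.append(set())
            node = trans[node][ch]
        out[node].add(s)
    fail = [0] * len(trans)
    queue = deque(trans[0].values())      # depth-1 states fail to the root
    while queue:
        cur = queue.popleft()
        for ch, nxt in trans[cur].items():
            f = fail[cur]
            while f and ch not in trans[f]:
                f = fail[f]
            fail[nxt] = trans[f].get(ch, 0)
            out[nxt] |= out[fail[nxt]]    # a signature that is a suffix of another
            queue.append(nxt)
    return trans, fail, out

def merged_cost(sigs):
    """States and edges of the merged automaton; one shared comparator per
    distinct byte value feeds every state that tests that byte."""
    trans, _, _ = build_merged(sigs)
    return {"states": len(trans) - 1,
            "edges": sum(len(t) for t in trans),
            "comparators": len(set("".join(sigs)))}

def scan(automaton, payload):
    """Unanchored search: return (offset, signature) for every hit."""
    trans, fail, out = automaton
    node, hits = 0, []
    for i, ch in enumerate(payload):
        while node and ch not in trans[node]:
            node = fail[node]
        node = trans[node].get(ch, 0)
        hits.extend((i - len(s) + 1, s) for s in sorted(out[node]))
    return hits
```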
Some Rule Compression Results
[Chart: component counts (y-axis, 0 to 8000) against number of Snort rules (x-axis, 0 to 1500); series: Comp, Edges, Comp saved.]
[Figure: deployment options. Inline: a CPU with IDS/IPS card placed in the path through the router/switch. Passive: a card on a mirror port, chained to other passive devices. Multiple Mirrors: several passive devices hung off one TAP or mirror port.]
Inline
  → Use it for IPS or just to eliminate a TAP
  → Chain multiple cards
Passive
  → Traditional passive monitoring
  → Up to 6 cards per host
Multiple Mirrors
  → Extend passive capacity
  → Can hang multiple passive devices off 1 TAP or Mirror
Layer-1 "T" Junction (C = capture flag, B = block flag; the more specific ICMP Echo rule overrides the ICMP rule)

Case  ICMP (C,B)  ICMP Echo (C,B)  Capture                        Output
1     1,0         1,0              All ICMP                       All ICMP
2     1,0         1,1              All ICMP                       All ICMP that is not an Echo
3     1,0         0,1              All ICMP that is not an Echo   All ICMP that is not an Echo
4     1,0         0,0              All ICMP that is not an Echo   All ICMP
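The junction semantics in the table above, as an added Python example (not Metanetworks' firmware): packets, rule predicates and the most-specific-rule-wins ordering are constructed assumptions, and `table_row` reproduces the four cases by varying only the ICMP Echo flags.

```python
# A rule is (name, predicate, capture, block).  Assumption: rules are ordered
# most specific first and the first matching rule decides, so "ICMP Echo"
# overrides "ICMP" for echo packets as the table implies.
def is_icmp(pkt):
    return pkt["proto"] == "icmp"

def is_icmp_echo(pkt):
    return is_icmp(pkt) and pkt.get("type") == "echo"

def verdict(rules, pkt):
    """Return (capture, block) for one packet."""
    for _, pred, cap, blk in rules:
        if pred(pkt):
            return cap, blk
    return False, False            # unmatched traffic passes through untouched

def junction(rules, packets):
    """Split a stream into what reaches the capture path and what leaves the
    output port of the read-only Layer-1 tap."""
    captured = [p["id"] for p in packets if verdict(rules, p)[0]]
    output = [p["id"] for p in packets if not verdict(rules, p)[1]]
    return captured, output

# Constructed traffic: an ICMP echo, a non-echo ICMP packet and a TCP packet.
PACKETS = [
    {"id": "echo", "proto": "icmp", "type": "echo"},
    {"id": "unreach", "proto": "icmp", "type": "unreachable"},
    {"id": "tcp", "proto": "tcp"},
]

def table_row(echo_capture, echo_block):
    """One row of the table: ICMP is always (C=1, B=0); the Echo row varies."""
    rules = [("ICMP Echo", is_icmp_echo, echo_capture, echo_block),
             ("ICMP", is_icmp, True, False)]
    return junction(rules, PACKETS)
```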
[Figure: stateful capture. Packets are temporarily stored in a linked list while stateful matches are evaluated; when a stateful match completes, the packets are captured from the linked list.]
Each packet can be Captured and/or Blocked
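The linked-list scheme above, as an added Python example that is not Metanetworks' code: a constructed two-packet stateful signature holds a flow's packets until it completes, captures the whole held list on a match, and (an assumption, since the page does not say) releases the held packets uncaptured when the match cannot advance or when the constructed flow budget is exceeded, which stands in for graceful handling of state exhaustion.

```python
from collections import OrderedDict, deque

# Constructed two-packet stateful signature: a flow whose first packet is a SYN
# and whose next packet carries the payload marker.  Tags are constructed
# packet labels, not a real wire format.
SIGNATURE = ("SYN", "PAYLOAD:EVIL")
MAX_FLOWS = 2   # constructed state budget, to show state exhaustion handling

class StatefulCapture:
    def __init__(self):
        self.flows = OrderedDict()   # flow id -> (fsm state, held packets)
        self.captured = []           # packets handed to the capture path
        self.released = []           # held packets released without capture
        self.evicted = []            # (flow, held count) dropped for lack of state

    def packet(self, flow, tag):
        state, pending = self.flows.pop(flow, (0, deque()))
        pending.append((flow, tag))               # hold until a verdict exists
        if tag != SIGNATURE[state]:               # FSM cannot advance (assumption):
            self.released.extend(pending)         # release the hold, restart flow
            return "released"
        state += 1
        if state == len(SIGNATURE):               # stateful match completed:
            self.captured.extend(pending)         # capture the whole held list
            return "captured"
        self.flows[flow] = (state, pending)       # re-insert as most recent
        if len(self.flows) > MAX_FLOWS:           # state exhaustion: evict the
            old, (_, held) = self.flows.popitem(last=False)   # least recent flow
            self.evicted.append((old, len(held)))
            self.released.extend(held)            # its packets are not captured
        return "pending"
```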
User-level programmability
► User-level programmability
  Define an API to let the user write ad-hoc wire-speed code
  Add user modules to the synthesis flow and share the reduction network
► Architecture provides determinism
  → It either fits or it does not fit in the FPGA
  → It either meets timing or it does not meet timing
  → Load/store network processing is much harder to predict
[Figure: FPGA block layout. Common functions: memory interface (address, data, R/W), packet processor (payload, offset, valid), host interface and PCI interface serving Layer-1, applications and a standard OS. User-defined modules receive payload, offset and valid and assert Block and Capture into the shared reduction network.]
Summary
► Extremely low latency design enables a wide variety of deployment options
► Leverage Open Source software
► 1G and 10G available today
► Processing paradigm lends itself to ad-hoc application-level programmability
Livio [email protected]
(408) 399-2284
www.metanetworks.org