8/11/2019 Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose (236664465)
http://slidepdf.com/reader/full/scaling-up-your-network-monitoring-from-the-garden-hose-to-the-fire-hose-236664465 1/75
Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose
Vincent Stoffer, Cyber Security Engineer
EDUCAUSE Security Professionals Conference
May 7th, 2014
University of California
Agenda
- Intro / overview
- The problem
- Monitoring pipeline
- Device roundup and review
- Output & analysis
- Discussion / Questions
SPC 2014
Overview: Lawrence Berkeley National Laboratory
- Located in Berkeley, CA
- "Bringing science solutions to the world"
- Unclassified DoE research facility operated by University of California
- Functions much like a research university
Computing overview
- ~5000 users, ~10,000 hosts
- Distributed computing resources
- Many guests and visitors
- Open network to enable collaboration and research
The (scaling) problem
Orders of magnitude changes in network speeds/bandwidth create big issues for network monitoring.
What's driving these changes?
Berkeley Lab forcing factors
- Explosion of data (both scientific and commercial)
- Science DMZ
- Network redesign
(Figures on the next three slides courtesy Greg Bell, ESnet)
General forcing factors
- Same data explosion everywhere
  - Big data in all its forms
  - Mobile, internet of things
- Research networks
- Outgrowing capacity and older hardware
All of that means transitions
- 10M to 100M
- <1G to 1G
- 1G to 10G
- 10G to 40G/100G
These transitions mean changing more than network equipment.
Monitoring pipeline
- Input
  - Tapping
  - Aggregation & load-balancing
  - Filtering
- Output
  - Analysis tools
  - Packet capture
  - Filtering
Tapping
- Where and how to tap?
- Need visibility at border
  - Inside and outside
- Key protected network segments
  - Proxies, load balancers, VPN, DNS, "Crown Jewels"
Passive tap vs. span port
- Preference for passive taps
  - no loss
  - no traffic interruption
  - no reliance on network gear
- But...
  - many taps needed ($)
  - aggregation, filtering, dedupe
Span ports work well too!
- Filter at the source
- Aggregation of links
- Multiple outputs
- Media conversion
- Cost effective
The right answer depends on your environment.
Aggregation/load balancing
- Commercial appliance vendors
  - High performance
  - Custom ASICs
  - Flexible
  - High cost per port
The new hope... delivered!
- Commodity network vendors
- SDN/OpenFlow or tap aggregation code (distribution, telemetry, DANZ, etc.)
- Lower cost per port
- Massively scalable
For < 1G
- Where we started (early 1990s)
  - Single taps
  - Span ports
  - Single analysis machine
  - Maybe some simple filtering
It’s really this easy...
Portland ISSA 2014
For < 1G cont'd
- Solved problem
- Modern hardware very capable
- For load-balancing/aggregation purchase commodity or roll your own (PBR, LAGs)
Scaling beyond 1G
For 1-10G
- Mostly a solved problem
- Load-balancing/aggregation: appliance or network vendor
- Analysis needs a cluster or purposed boxes
- Separation of duties
- More careful tuning/filtering
1-10G Berkeley Lab approach
- Aggregate 1G/10G links (cVue)
- Some filtering
- Output 10G to single servers
- Output 10G to clusters: previously hardware load-balancers 10G-1G, now mostly cluster in a box
1-10G Berkeley Lab approach cont'd
- Purposed analysis machines
  - wireless, SMTP, VPN, etc.
- Internal cluster
  - Collect important internal nets
- Time Machine
Everything running smooth
- Average traffic 1-3 Gbps
- Peaks to 6-7 Gbps
- There will always be some amount of packet loss; try to minimize it
- Then...
Recent LBLnet redesign
- 100G
- Science DMZ
- Redundant border routers
- New distribution layer routers
- All dual connected
New monitoring diagram
Moving from duplication to aggregation
- Dozens of taps for internal nets
- Multiple inputs (1, 10, 100G)
- Many outputs, unfiltered/filtered in different ways
- Output groups needed
Device wish list
- Filtering at ingress & egress
- Port speed agnostic
- Aggregation, symmetric load-balancing with 5-tuple (minimum)
- No oversubscription limits
- API for dynamic filtering/shunting
Device wish list cont'd
- Filtering for arbitrary IP headers / TCP flags
- Every port can be input/output
- Create port groups
- Send output to load-balanced groups and single ports
- IPv6 support
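Why the wish list asks for symmetric 5-tuple load-balancing, as an added example that is not code from the deck or from any vendor named on it: an analysis worker (a Bro node, an IDS instance) only sees a whole connection if both directions of that connection hash to the same output port. The Python below compares a directional hash with one that orders the two endpoints before hashing. The sample flows, the worker count and the SHA-256-based hash are constructed assumptions, not how any named device computes its distribution.

```python
"""Symmetric 5-tuple hashing for load-balanced monitoring outputs (added example)."""
import hashlib
import ipaddress
from collections import Counter
from typing import Callable, Iterable, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int  # 6 = TCP, 17 = UDP


def naive_worker(flow: Flow, n_workers: int) -> int:
    """Directional hash: src/dst are used as-is, so the reply half of a
    connection can land on a different worker than the request half."""
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


def symmetric_worker(flow: Flow, n_workers: int) -> int:
    """Symmetric hash: sort the (address, port) endpoints first so that
    A->B and B->A build the same key. Packed addresses make this work for
    IPv4 and IPv6 alike."""
    a = (ipaddress.ip_address(flow.src).packed, flow.sport)
    b = (ipaddress.ip_address(flow.dst).packed, flow.dport)
    lo, hi = sorted([a, b])
    key = (lo[0] + lo[1].to_bytes(2, "big")
           + hi[0] + hi[1].to_bytes(2, "big")
           + bytes([flow.proto]))
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


def reverse(flow: Flow) -> Flow:
    """The same connection seen from the other direction."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)


def count_split_connections(flows: Iterable[Flow], n_workers: int,
                            hasher: Callable[[Flow, int], int]) -> int:
    """Connections whose two directions would go to different workers."""
    return sum(1 for f in flows
               if hasher(f, n_workers) != hasher(reverse(f), n_workers))


def distribution(flows: Iterable[Flow], n_workers: int,
                 hasher: Callable[[Flow, int], int]) -> Counter:
    """How many (one-direction) flows each worker receives."""
    return Counter(hasher(f, n_workers) for f in flows)


# Constructed sample: 1000 client connections from one /24 to a web server.
SAMPLE = [Flow(f"10.0.1.{i % 250 + 1}", "192.0.2.10", 40000 + i, 443, 6)
          for i in range(1000)]

if __name__ == "__main__":
    for name, h in (("naive", naive_worker), ("symmetric", symmetric_worker)):
        print(name, "split connections:", count_split_connections(SAMPLE, 8, h),
              "per-worker:", sorted(distribution(SAMPLE, 8, h).items()))
```

The directional hash splits most connections across workers, which is exactly what breaks stream reassembly and stateful detection; the symmetric variant splits none and still spreads load evenly. Devices that hash on fewer fields (IP pair only) are also symmetric, but one busy host pair then pins a whole worker, which is why the slide says "5 tuple (minimum)".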
Monitoring device options
- Commercial / Appliance
- Commodity network (proprietary / hybrid)
- Commodity network + SDN
- Roll your own
Commercial / Appliance
- Commercial load-balancer / aggregation switch / network packet broker / splitter / distribution / visibility device / whatchamacallit
Appliance vendor roundup
- Gigamon
- cPacket
- VSS
- Endace
- IXIA/Anue/Netoptics
- Apcon
- Others?
cPacket
- Full featured 10G offering
- Using for many years at Berkeley Lab
- 100G PoC at NERSC
- Very flexible, high performance
- High cost
cPacket cont'd
- CLI and GUI
- Excellent filtering
- SPIFEE (distributed DPI)
- Our reference index
Endace
- EndaceAccess
- 100G appliance evaluated at the Lab
- 100G in -> 12x10G out
- Nice form factor
- 1 device for each direction
Endace cont'd
- Does MAC rewriting and load balancing
- GUI only for basic config
- Limited filtering
- Ultimately our requirements changed (no 10G in)
Network vendors
- Arista
- Brocade
- Cisco
Arista
- 7150 models
- "TapAgg" mode separately licensed
- 100G?
- OpenFlow/SDN support
Arista @ Berkeley Lab
- Just bought a 24 port 7150
- More focus on the feature set
- Covers most of the wish list
- Functional GUI
- Bash shell, python
- API
Arista @ Berkeley Lab cont'd
- IPv6 filtering not yet implemented
- Flexible I/O and filtering
- 100G solutions still emerging
  - 2 devices needed
  - 100G optics just becoming available
Brocade
- "Telemetry" native feature
- 100G ready (LR-4)
- Certainly a feature of a switch, not an appliance
- OpenFlow/SDN support, also hybrid mode
Brocade @ Berkeley Lab
- 100G eval at the Lab
- It mostly does what we want
- Configuration is network centric
- No GUI
- 3 VLAN tags
- Filtering limitations
- Single box
Cisco
- OpenFlow support is ??? (OpFlex: An open source approach), but
- Newly emerging feature set with Nexus switches + OpenFlow (Monitor Manager)
- Cost could be competitive
SDN / OpenFlow
- Not tested yet
- Hoping to try on Arista / Brocade
- IU's FlowScale
- Newer apps
- Advantages over native feature sets?
For >10G
- Not a solved problem!
- 40G or 100G?
  - 40G gear more available
  - 100G still ~$20k per transceiver (LR-4)
- Advanced clustering for tools
- New tools and techniques
Output
- Filtering
- Analysis tools
  - Bro
  - Snort / Suricata
- Packet capture
  - Time Machine
  - Moloch
Filtering
- Elephant flows
  - Control traffic
  - Exclusions (IP pairs, netblocks, ports/protocols)
- Research networks / affiliates
- Resnet?
Filtering cont'd
- Dynamic
  - via Bro, IDS
  - near real time
  - via API (Arista) or scripting
  - holy grail
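The dynamic filtering loop these two slides describe (the IDS notices an elephant flow, a script pushes an exclusion to the packet broker so the analysis cluster stops receiving that flow), as an added example in Python that is not code from the deck, from Bro, or from any vendor. `FakeBroker` is a stand-in for a device API such as the Arista one named on the slide; the byte threshold, the protected ports and the traffic are constructed assumptions, and the exclusion is rendered as a BPF expression because that is the form most capture tools accept.

```python
"""Dynamic shunting of elephant flows (added example, not the deck's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ELEPHANT_BYTES = 50 * 1024 * 1024   # assumption: shunt after 50 MB on one connection
NEVER_SHUNT_PORTS = {22, 53, 443}   # assumption: control/interesting traffic stays visible


@dataclass
class FlowStats:
    nbytes: int = 0
    shunted: bool = False


def flow_key(src: str, dst: str, sport: int, dport: int, proto: int) -> Tuple:
    # Order the endpoints so both directions of a connection share one entry.
    lo, hi = sorted([(src, sport), (dst, dport)])
    return (lo, hi, proto)


class FakeBroker:
    """Stand-in for a packet broker / tap-aggregation switch API."""
    def __init__(self) -> None:
        self.rules: List[str] = []

    def add_exclusion(self, rule: str) -> None:
        self.rules.append(rule)


def bpf_exclusion(key: Tuple) -> str:
    """Render one connection (both directions) as a BPF 'not (...)' clause."""
    (ip1, p1), (ip2, p2), proto = key
    name = {6: "tcp", 17: "udp"}.get(proto, f"ip proto {proto}")
    fwd = f"src host {ip1} and src port {p1} and dst host {ip2} and dst port {p2}"
    rev = f"src host {ip2} and src port {p2} and dst host {ip1} and dst port {p1}"
    return f"not ({name} and (({fwd}) or ({rev})))"


class Shunter:
    """Per-connection byte accounting; installs an exclusion once a
    connection crosses the threshold, unless it touches a protected port."""
    def __init__(self, broker: FakeBroker, threshold: int = ELEPHANT_BYTES,
                 protected_ports=NEVER_SHUNT_PORTS) -> None:
        self.broker = broker
        self.threshold = threshold
        self.protected = protected_ports
        self.flows: Dict[Tuple, FlowStats] = {}

    def observe(self, src, dst, sport, dport, proto, nbytes: int) -> bool:
        """Account nbytes to the flow; True only when a shunt is installed now."""
        key = flow_key(src, dst, sport, dport, proto)
        st = self.flows.setdefault(key, FlowStats())
        st.nbytes += nbytes
        if st.shunted or st.nbytes < self.threshold:
            return False
        if sport in self.protected or dport in self.protected:
            return False  # keep control traffic and interesting ports visible
        st.shunted = True
        self.broker.add_exclusion(bpf_exclusion(key))
        return True


def combined_filter(broker: FakeBroker) -> str:
    """Join all exclusions into one BPF expression for an output port."""
    return " and ".join(f"({r})" for r in broker.rules) if broker.rules else ""


def demo() -> List[str]:
    """Constructed traffic: a 64 MB bulk transfer to port 2811 and a 64 MB
    session on port 22; only the former should be shunted."""
    broker = FakeBroker()
    s = Shunter(broker, threshold=10 * 1024 * 1024)
    for _ in range(64):
        s.observe("198.51.100.5", "203.0.113.9", 50001, 2811, 6, 1024 * 1024)
    for _ in range(64):
        s.observe("198.51.100.5", "203.0.113.9", 50002, 22, 6, 1024 * 1024)
    return broker.rules


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Two details carry over to a real deployment: accounting is bidirectional (the reverse direction of a shunted connection is also excluded, matching the symmetric-hashing requirement earlier in the deck), and the exclusion is installed once per connection rather than re-sent on every packet, which keeps the broker's rule table and API call rate bounded.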
What is Bro? www.bro.org
Not your typical IDS/IPS
- A monitoring platform
  - A standalone network monitor
  - A programmable framework
  - An ecosystem
Bro platform (diagram)
- Input: Network Traffic, via Tap
- Bro Platform: Packet Processing, Programming Language, Standard Library
- Apps: Intrusion Detection, Vuln Mgmt, File Analysis, Log Recording, Custom Logic
Bro cluster
- Clustering a fundamental part of Bro
- Manager, workers, proxies
- Hardware or "cluster in a box"
  - (PF_RING/DNA, Myri10G)
Snort / Suricata
- Capable of handling multi-gigabit bandwidth loads
- Network cards really matter
- Tune ruleset for your needs
- Separate and filter
Network cards - Intel
- pf_ring (LibDNA, zero copy)
  - direct memory access to network hardware
  - high throughput
  - supports multiple tools
Network cards - Myricom
- Sniffer10G
  - Support for Linux, FreeBSD
  - Myricom 10G cards only
  - Supports only one tool (multiple should be coming)
  - Company/IP in some flux
Time Machine
- Creates pcap files with indexes
- Killer feature: "connection cutoff"
- Cutoffs defined per port
- Assumption: interesting stuff in the first N bits
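Time Machine's connection cutoff, reimplemented as an added Python example (not Time Machine's own code) so the effect of per-port cutoffs on a bulk transfer can be seen on constructed traffic. Once a connection has passed its cutoff, its later packets are no longer written, which is what makes full-packet recording affordable on a network dominated by large transfers. The cutoff values and the two packet streams are assumptions.

```python
"""Per-port connection cutoff for packet recording (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

DEFAULT_CUTOFF = 20 * 1024            # assumption: 20 KB per connection
PORT_CUTOFF = {                       # assumption: per-service cutoffs
    22: 4 * 1024,                     # SSH: after the handshake it is ciphertext
    80: 64 * 1024,
    443: 32 * 1024,
}


def conn_key(src: str, dst: str, sport: int, dport: int, proto: int) -> Tuple:
    # Both directions of a connection share one byte counter.
    lo, hi = sorted([(src, sport), (dst, dport)])
    return (lo, hi, proto)


def cutoff_for(sport: int, dport: int, policy=PORT_CUTOFF,
               default: int = DEFAULT_CUTOFF) -> int:
    """Cutoff for this packet: the service port's value if either port is in
    the policy, else the default."""
    for p in (dport, sport):
        if p in policy:
            return policy[p]
    return default


class CutoffRecorder:
    """Keeps packets of a connection until its byte count crosses the cutoff;
    the packet that crosses it is still kept, later ones are dropped."""
    def __init__(self, policy=PORT_CUTOFF, default: int = DEFAULT_CUTOFF) -> None:
        self.policy = policy
        self.default = default
        self.seen: Dict[Tuple, int] = defaultdict(int)  # bytes seen per connection
        self.kept_bytes = 0
        self.dropped_bytes = 0
        self.stored: List[Tuple[Tuple, int]] = []      # stands in for pcap writes

    def packet(self, src, dst, sport, dport, proto, length: int) -> bool:
        """Return True if the packet was written to the capture."""
        key = conn_key(src, dst, sport, dport, proto)
        limit = cutoff_for(sport, dport, self.policy, self.default)
        before = self.seen[key]
        self.seen[key] += length
        if before >= limit:
            self.dropped_bytes += length
            return False
        self.kept_bytes += length
        self.stored.append((key, length))
        return True


def reduction(rec: CutoffRecorder) -> float:
    """Fraction of traffic bytes the cutoff kept off disk."""
    total = rec.kept_bytes + rec.dropped_bytes
    return rec.dropped_bytes / total if total else 0.0


def demo() -> CutoffRecorder:
    """Constructed traffic: a short HTTPS exchange (10 x 1500 B) and a long
    SSH/SCP transfer (1000 x 1500 B, alternating directions)."""
    rec = CutoffRecorder()
    for _ in range(10):
        rec.packet("10.0.0.7", "192.0.2.20", 51000, 443, 6, 1500)
    for i in range(1000):
        if i % 2 == 0:
            rec.packet("10.0.0.7", "192.0.2.30", 51001, 22, 6, 1500)
        else:
            rec.packet("192.0.2.30", "10.0.0.7", 22, 51001, 6, 1500)
    return rec


if __name__ == "__main__":
    r = demo()
    print(f"kept {r.kept_bytes} B, dropped {r.dropped_bytes} B, "
          f"reduction {reduction(r):.1%}")
```

The HTTPS session stays entirely below its 32 KB cutoff and is recorded in full; the SCP transfer is cut after 4 KB, so roughly 99% of its bytes never reach disk. The cost of the trade-off is visible too: anything an attacker places deep inside a long connection is outside the recorded window, which is why the cutoff is tuned per port rather than set globally.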
Moloch
- Index and search PCAPs
- Elasticsearch based
- Can be used for full packet capture
- Also can be a poor man's SIEM
- IPv4 only right now
- Active development
Thank you!
Questions / Discussion
References
- Arista - http://www.aristanetworks.com/en/products/eos/danz
- cPacket - http://cpacket.com/products/cvu/
- Brocade - http://www.brocade.com/solutions-technology/service-provider/network-visibility/index.page
- Endace - http://www.emulex.com/products/network-visibility-products-and-services/10040g-network-visibility-headends/features/
- Cisco - http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/extensible-network-controller-xnc/solution-overview-c22-729753.html
- Bro - http://bro.org/
- TM - http://www.bro.org/community/time-machine.html
- Moloch - https://github.com/aol/moloch
- pf_ring - http://www.ntop.org/products/pf_ring/
- Myricom - https://www.myricom.com/software/sniffer10g.html