joint techs 2005 metanetworks inc. 647 n. santa cruz suite e, los gatos, ca 95030 voice: (408)...

Joint Techs 2005Metanetworks Inc.647 N. Santa Cruz Suite E, Los Gatos, CA 95030Voice: (408) 399-2284 Fax (408) 356-9446

Demonstration of 10 Gbps IDS/IPS

Livio [email protected]

(408) 399-2284

The Meta Traffic Processor*

*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award #0339343) and the Air Force Rome Laboratories.

Rome Laboratories


► Active Networks (DARPA Program)Change behavior of network components (routers) dynamically (add

new protocols, flow control algorithms, monitoring, etc..)→Discrete. Update network through separate management operations→Integrated. Packets cause network to update itself

Broad scope did not result in industry adoption→Lack of “killer application”→Lack of tight industry interaction→Tried to change too much too soon

► Metanetworks’ bottom-up approachAchieve programmability while reusing current infrastructureAugment networks with new, non-invasive technology Application-driven rather than design-drivenWork closely with users/operators Revisit hardware computational model

Brief History


► Open architecture to leverage open source software More robust, more flexible, promotes composability Directly support Snort signatures Abstract hardware as a network interface from OS prospective

► Retain high-degree of programmability New threat models (around the corner) Extend to application beyond IDS/IPS

► Line-speed/low latency to allow integration in production networks Unanchored payload string search Support analysis across packets Gracefully handle state exhaustion

► Hardware support for adaptive information management Detailed reporting when reporting bandwidth is available Dynamically switch to more compact representations when necessary Support the insertion of application-specific analysis code in the fast path

1-10 Gbps IDS/IPS Hardware


► Knowing what is in your network is very importantCatch misuses both incoming and outgoingFBI says that effective network monitoring (not even IDS) is in top 3

most important things to doWho and how is using the bandwidth

► DecentralizationCannot find out what the traffic is unless you do content inspectionMany p2p applications randomly changing ports (VOIP)Key exchanges need to be monitoredWould like to know what applications are doing

► High Speed High Complexity1G and 10G make content inspection a challengeHardware/Software co-design is a must

If you Cannot Measure it, You Cannot Manage it


Memory ProcessorProcessor

ProcessorProcessor

MemoryMemoryMemory

InstructionsGet packet

Compareto rules

Alert

Data

Flynn’s Computer Taxonomy

ProcessorMemory

InstructionsGet packet

Compareto rules

Alert

Data

P0 . . . . P1 Pn

Reduction Network

Data

Alert

Instructions

P0 . . . . P1 Pn

Reduction Network

Alert

Data

Instructions

SISD

MIMDMISD

SIMD


R1 . . . . R2 Rn

Reduction Network

Block

Data Stream

FPGA

Data ValidReceive Clock

MatchMemory

Host Interface

StatefulAnalysis

MISD Programmable Hardware


Block Direction 1

Block Direction 2

Monitoring System

AND

PHY

RxDataRxEnable

PHYRxEnableRxData

AND


PHY

FPGA

L-1

RAM

RAM

IPS/IDS

Synthesis + firmware update

DynamicPolicies

PHY

Static Policies Compilation +

runtime update

Packets

State

Read Only

Block+

Fail Close

Latency < 0.5 μs

< 1500< 100

100Mb-10Gb

1-8M C

oncurrent Flows

Cost-effective & Powerful

Internet

Internet

Web-based signature management service


FPGAPHY

SRAM

SRAM

PCI FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

CPU CPU

FPGAPHY

SRAM

SRAM

PCI SnortIDS/IPS

FPGAPHY

SRAM

SRAM

PCI

Up to 6 cards/box


Content Inspection Performance Comparison

Percenatge of Alert Loss

-20.00%

0.00%

20.00%

40.00%

60.00%

80.00%

100.00%

0 1000 2000 3000

Mbps

% o

f ale

rt lo

ss

darpa no MTP w eb1 no MTP

w eb2 no MTP darpa w ith MTP

w eb1 w ith MTP w eb2 w ith MTP


MA

TC

HT

S

HI

&

&

&

&

&

1

|

CA

1

&

&

&

&

&

&

SO

NE

MA

TC

HT

HIS

CA

TC

HT

HIS

ON

EStatic analysis of large number of IDS signatures

►Transform Snort rules or BPF expressions into a low-level declarative language

►Extract fine-grain parallelism across thousands of signaturesDefine independent FSMs each

implementing a signatureShare comparison logic across

multiple FSMs ►Synthesizer further optimizes

Merge multiple FSMs sharing intermediate states

Eliminate redundant rules


Some Rule Compression Results

010002000300040005000600070008000

0 500 1000 1500

Snort Rules

Com

pon

ent

Cou

nts

Comp

Edges

Compsaved


CPU

IDS/IPS

CPU

IDS/IPS

Router/Switch

Multiple Mirrors

Inline

Passive

CPU

IDS/IPS

Mirror PortPassive Inline

To other passivedevices

To other passivedevice

→Use it for IPS or just to eliminate a TAP

→Chain multiple cards

→Traditional passive monitoring→Up to 6 cards per host

→Extend passive capacity→Can hang multiple passive

devices off 1 TAP or Mirror


Layer-1 “T” Junction

C B

ICMP 1 0

ICMP Echo 1 0

ICMP 1 0

ICMP Echo 1 1

ICMP 1 0

ICMP Echo 0 1

ICMP 1 0

ICMP Echo 0 0

Capture Output

All ICMP All ICMP

All ICMP All ICMP that is not an Echo

All ICMP that is not an Echo

ALL ICMP that is not an Echo

All ICMP that is not an Echo

All ICMP


Native IDS Acceleration

► Wire-speed capture of interesting flowsCapture flows with specific bad signaturesPass flows known to be good

→ISO image transfers, data files

► Open source IDS/monitoring toolsSnort, Bro

All traffic

Bad traffic

All traffic(optional)

To CPU


Native IDS/IPS► Wire-speed filtration of a subset of known bad packets

Worms, Viruses, Rootkits► Open source IDS/monitoring tools

Snort, Bro to inspect bad traffic► Dynamically add signatures

“Lock Down” while patching► Filter DDoS streams before bottleneck

All traffic

Good trafficFirewall or Switch

Bad trafficTo CPU


Transparent IDS Acceleration

► Wire-speed capture and filtration of good flowsCapture flows known to be good for archiving

→ISO image transfers, data files, etc…

► Other IDS/monitoring appliances only receive a fraction of the traffic

All traffic

Good traffic

UnknownOther IDS

(optional)To CPU


Redundant IDS► Wire-speed capture of suspected flows

Capture flows with specific bad signatures Pass and filter flows known to be good

→ ISO image transfers, data files► Open source IDS/monitoring tools

Snort, BroAll traffic

Bad traffic

All traffic or unknownOther IDS

Correlate


Packet temporarily stored in a linked list

Stateful matches

Packets captured from linked list


Each packet can be Captured and/or Blocked


►Host bandwidth is << of fast-pathFlooding cannot be used to compromise blocking

capability→FP rate in blocking when state is exhausted

Flooding can be exploited to reduce efficacy of monitoring

►Need to find needle in a haystack but needs to cope with flood of packetsHardware stateful analysis (implemented)Intelligent MonitoringApplication-level programmability (implemented)

10Gbps Information bandwidth management


Rule

1

2

3

4

5...n

> T? Switch off lower priority rules and report number of triggers only NOT entire packet

Intelligent Monitoring (work in progress)

T = maximum amount of alerts tolerable


► User-level programmabilityDefine API to let user write ad-

hoc wire-speed codeAdd user modules to synthesis

flow and share reduction network

Architecture provides determinism

→It either fits or it does not fit in the FPGA

→It either meets timing or does not meet timing

→Load/store network processing much harder to predict

User-level programmability

MemoryInterface

PacketProcessor

HostInterface

UserDefined

AddressData

RW

Payload

Offset

Valid

Payload

Block

Capture

Common Functions

Reduction Network

Block

Capture

PCI Interface

Layer-1

Applications

Standard OS

UserDefined

Offset

Valid

Capture

Payload

Payload

Block

FPGA


1G PCI Card

Signature Services

Compiler

1G Appliance

10G PCI Card

API

Multiple FPGA 10G

Multiple FPGA 1G

Roadmap

Q4-03 Q1-04 Q2-04 Q3-04 Q4-04 Q1-05 Q2-05 Q3-05 Q4-05 Q1-06 Q3-06 Q4-06 Q1-07


IDS/IPS Demonstration► Background traffic saturates line

► Stateful HTTP traffic added to background traffic

► Show that can capture based on content9.6 Billion comparisons per second (600 rules x 16 Mpps)

► Show that can filter based on content

All traffic

Captured Traffic

Filtered traffic

HTTPClients

HTTPServer

Load

CRC

Spirent SMB-6000


► Extremely low latency design enables a wide variety of deployment options

► Leverage Open Source software► 1G and 10G available today► Processing paradigm lends itself to ad-hoc application level

programmability

Livio [email protected]

(408) 399-2284www.metanetworks.org

Summary

joint techs 2005 metanetworks inc. 647 n. santa cruz suite e, los gatos, ca 95030 voice: (408)...

Documents