The Meta Traffic Processor*
Demonstration of 10 Gbps IDS/IPS
Livio Ricciulli
[email protected]
(408) 399-2284
Rome Laboratories
*Supported by the Division of Design Manufacturing and Industrial
Innovation of the National Science Foundation (Award #0339343) and the
Air Force Rome Laboratories.
Joint Techs 2005
Metanetworks Inc.
647 N. Santa Cruz Suite E, Los Gatos, CA 95030
Voice: (408) 399-2284 Fax (408) 356-9446
Brief History
► Active Networks (DARPA Program)
 Change behavior of network components (routers) dynamically (add
new protocols, flow control algorithms, monitoring, etc.)
→Discrete. Update network through separate management operations
→Integrated. Packets cause network to update itself
 Broad scope did not result in industry adoption
→Lack of “killer application”
→Lack of tight industry interaction
→Tried to change too much too soon
► Metanetworks’ bottom-up approach
 Achieve programmability while reusing current infrastructure
 Augment networks with new, non-invasive technology
 Application-driven rather than design-driven
 Work closely with users/operators
 Revisit hardware computational model
1-10 Gbps IDS/IPS Hardware
► Open architecture to leverage open source software
 More robust, more flexible, promotes composability
 Directly support Snort signatures
 Abstract the hardware as a network interface from the OS perspective
► Retain high degree of programmability
 New threat models (around the corner)
 Extend to applications beyond IDS/IPS
► Line-speed/low latency to allow integration in production networks
 Unanchored payload string search
 Support analysis across packets
 Gracefully handle state exhaustion
► Hardware support for adaptive information management
 Detailed reporting when reporting bandwidth is available
 Dynamically switch to more compact representations when necessary
 Support the insertion of application-specific analysis code in the fast path
If you Cannot Measure it, You Cannot Manage it
► Knowing what is in your network is very important
 Catch misuses both incoming and outgoing
 FBI says that effective network monitoring (not even IDS) is in top 3
most important things to do
 Who is using the bandwidth, and how
► Decentralization
 Cannot find out what the traffic is unless you do content inspection
 Many p2p applications (and VoIP) change ports randomly
 Key exchanges need to be monitored
 Would like to know what applications are doing
► High Speed High Complexity
 1G and 10G make content inspection a challenge
 Hardware/Software co-design is a must
Flynn’s Computer Taxonomy
(diagram: the four classes SISD, SIMD, MIMD and MISD, each drawn with the IDS loop “Get packet → Compare to rules → Alert”. SISD: one processor and one memory. SIMD: one instruction stream driving processors P0 ... Pn over separate data. MIMD: processors P1 ... Pn, each with its own instructions and data. MISD: a single data stream fed to processors P0 ... Pn that each hold their own instructions, with a Reduction Network combining their results into the alert.)
MISD Programmable Hardware
(block diagram: inside the FPGA the incoming Data Stream, qualified by Receive Clock and Data Valid, is presented in parallel to rule blocks R1, R2 ... Rn; a Reduction Network combines their results, a Stateful Analysis stage and Match Memory hold state, and the Host Interface and the Block output leave the chip.)
Monitoring System
(diagram: for each direction the PHY’s RxData and RxEnable pass through an AND gate driven by that direction’s block signal (Block Direction 1, Block Direction 2), so asserting Block masks the packet’s enable and the packet is not forwarded.)
100Mb-10Gb
Cost-effective & Powerful
(diagram: an FPGA sits at Layer 1 (L-1) between two PHYs, with RAM for State, Read Only RAM, and Block and State outputs; the figures “< 100” and “< 1500” are shown alongside. A Web-based signature management service reached over the Internet feeds the IPS/IDS: Static Policies arrive via Synthesis + firmware update, Dynamic Policies via Compilation + runtime update.)
Up to 6 cards/box
(diagram: each card is an FPGA with SRAM banks, two PHYs and a PCI interface; up to six cards in one box feed Snort IDS/IPS on the host.)
Content Inspection Performance Comparison
(chart: percentage of alert loss (0% to 100%) against offered load in Mbps (0 to 3000); six series: darpa, web1 and web2 traces, each without MTP and with MTP.)
Static analysis of large number of IDS signatures
►Transform Snort rules or BPF expressions into a low-level declarative language
►Extract fine-grain parallelism across thousands of signatures
 Define independent FSMs each implementing a signature
 Share comparison logic across multiple FSMs
►Synthesizer further optimizes
 Merge multiple FSMs sharing intermediate states
 Eliminate redundant rules
(diagram: the signatures MATCHTHIS and CATCHTHISONE are decomposed into two-character comparators (MA, CA, TC, HT, HI, S, SO, NE) chained with AND gates; the comparators for the substring TCHTHIS common to both are shared between the two FSMs.)
Some Rule Compression Results
(chart: component counts (0 to 8000) against number of Snort Rules (0 to 1500) for three series: Comp, Edges, and Comp saved.)
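The two slides above describe the compilation step in words only. The following is an added illustration written for this page, not Metanetworks’ synthesizer: it extracts the content strings from a few constructed Snort rules (made-up sids, including one with a |hex| run), merges their FSMs into a single trie with Aho-Corasick failure links (so FSMs sharing intermediate states are merged and the stream is scanned once, unanchored), and reports the comparator counts in the spirit of the “Comp” versus “Comp saved” chart: one comparator per signature byte for independent FSMs, one per trie edge after merging, and one per distinct byte value when the comparison logic itself is shared. The “MATCH” and “CATCH” rules are assumptions added to show prefix sharing.

```python
"""Added example (not Metanetworks' code): compile Snort content strings into
one merged byte-at-a-time FSM and count the comparison logic saved.
The rules and sids below are constructed for this illustration."""
import re
from collections import deque

# Constructed rules: the two strings from the slide plus two sharing prefixes.
RULES = [
    'alert tcp any any -> any 80 (msg:"m1"; content:"MATCHTHIS"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"m2"; content:"CATCHTHISONE"; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"m3"; content:"|4D 41|TCH"; sid:1000003;)',
    'alert tcp any any -> any 80 (msg:"m4"; content:"CATCH"; sid:1000004;)',
]
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'sid:(\d+)')

def parse_content(raw):
    """Decode a Snort content value: |..| hex runs and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '|':
            j = raw.index('|', i + 1)
            out += bytes.fromhex(raw[i + 1:j])
            i = j + 1
        elif raw[i] == '\\':
            out.append(ord(raw[i + 1])); i += 2
        else:
            out.append(ord(raw[i])); i += 1
    return bytes(out)

def parse_rules(rules):
    """Return [(sid, pattern bytes)] for every rule carrying a content option."""
    sigs = []
    for r in rules:
        c, s = CONTENT_RE.search(r), SID_RE.search(r)
        if c and s:
            sigs.append((int(s.group(1)), parse_content(c.group(1))))
    return sigs

class MergedFSM:
    """All signatures in one trie (FSMs sharing prefix states are merged) with
    Aho-Corasick failure links, so a single pass over the stream finds every
    signature at any offset (unanchored search)."""
    def __init__(self, sigs):
        self.next, self.out, self.fail = [{}], [set()], [0]
        for sid, pat in sigs:
            s = 0
            for b in pat:
                if b not in self.next[s]:
                    self.next[s][b] = len(self.next)
                    self.next.append({}); self.out.append(set()); self.fail.append(0)
                s = self.next[s][b]
            self.out[s].add(sid)
        q = deque(self.next[0].values())        # depth-1 states fail to the root
        while q:
            s = q.popleft()
            for b, t in self.next[s].items():
                f = self.fail[s]
                while f and b not in self.next[f]:
                    f = self.fail[f]
                self.fail[t] = self.next[f].get(b, 0)
                self.out[t] |= self.out[self.fail[t]]   # a suffix may be a signature too
                q.append(t)

    def scan(self, stream):
        """Feed the stream byte by byte; return [(end offset, sid)] for each hit."""
        hits, s = [], 0
        for i, b in enumerate(stream):
            while s and b not in self.next[s]:
                s = self.fail[s]
            s = self.next[s].get(b, 0)
            hits.extend((i, sid) for sid in sorted(self.out[s]))
        return hits

def comparator_counts(sigs, fsm):
    """Independent FSMs: one byte comparator per signature byte.  Merged trie:
    one per edge.  Shared comparison logic: one per distinct byte value."""
    independent = sum(len(p) for _, p in sigs)
    edges = len(fsm.next) - 1
    distinct = len({b for edges_of in fsm.next for b in edges_of})
    return independent, edges, distinct

if __name__ == "__main__":
    sigs = parse_rules(RULES)
    fsm = MergedFSM(sigs)
    print(comparator_counts(sigs, fsm))                  # (31, 21, 10)
    print(fsm.scan(b"xxCATCHTHISONExxMATCHTHISx"))
```

The scan of `b"MATCATCH"` is the case worth checking: after the partial match “MATC” the failure link falls back to the “C” state and the CATCH rule still fires at offset 7, which is what “unanchored payload string search” has to guarantee.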
Deployment options (diagram)
Inline IDS/IPS (Router/Switch → MTP → network)
→Use it for IPS or just to eliminate a TAP
→Chain multiple cards
Passive IDS/IPS (Mirror Port → MTP)
→Traditional passive monitoring
→Up to 6 cards per host
Passive Inline IDS/IPS (Multiple Mirrors; MTP → To other passive devices)
→Extend passive capacity
→Can hang multiple passive devices off 1 TAP or Mirror
Layer-1 “T” Junction
Each rule carries a Capture (C) bit and a Block (B) bit. An ICMP Echo also matches the ICMP rule; the table shows that the more specific rule (ICMP Echo) decides what happens to such a packet:

Rule   C B   Rule        C B   Capture port                   Output port
ICMP   1 0   ICMP Echo   1 0   All ICMP                       All ICMP
ICMP   1 0   ICMP Echo   1 1   All ICMP                       All ICMP that is not an Echo
ICMP   1 0   ICMP Echo   0 1   All ICMP that is not an Echo   All ICMP that is not an Echo
ICMP   1 0   ICMP Echo   0 0   All ICMP that is not an Echo   All ICMP
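As an added software model of the table above (written for this page, not Metanetworks’ firmware), the following evaluates a rule set with Capture and Block bits against constructed ICMP and TCP packet records, letting the most specific matching rule decide, and returns what each of the two ports sees. The packet records, the `specificity` field and the rule helper are assumptions made for the illustration; the four policies reproduce the four table rows.

```python
"""Added example (not Metanetworks' code): Layer-1 "T" junction policy with
Capture (C) and Block (B) bits per rule; most specific matching rule wins.
Packets below are constructed for this illustration."""
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[dict], bool]
    specificity: int   # assumption: higher wins when several rules match
    capture: bool      # C bit: copy the packet to the capture port
    block: bool        # B bit: drop the packet from the output port

def junction(rules, pkt):
    """Return (captured, forwarded) for one packet under the rule set."""
    hits = [r for r in rules if r.match(pkt)]
    if not hits:
        return False, True            # unmatched traffic passes untouched
    winner = max(hits, key=lambda r: r.specificity)
    return winner.capture, not winner.block

def run(rules, pkts):
    """Apply the junction to a packet list; return both port contents by id."""
    capture_port, output_port = [], []
    for p in pkts:
        captured, forwarded = junction(rules, p)
        if captured:
            capture_port.append(p["id"])
        if forwarded:
            output_port.append(p["id"])
    return capture_port, output_port

def policy(icmp_c, icmp_b, echo_c, echo_b):
    """One row of the table: C/B bits for the ICMP rule and the ICMP Echo rule."""
    return [
        Rule("ICMP", lambda p: p["proto"] == "icmp", 1, icmp_c, icmp_b),
        Rule("ICMP Echo", lambda p: p["proto"] == "icmp" and p["type"] == 8,
             2, echo_c, echo_b),
    ]

# Constructed traffic: two echo requests, one destination-unreachable, one TCP segment.
PACKETS = [
    {"id": "echo1", "proto": "icmp", "type": 8},
    {"id": "unreach", "proto": "icmp", "type": 3},
    {"id": "echo2", "proto": "icmp", "type": 8},
    {"id": "tcp1", "proto": "tcp", "type": None},
]

if __name__ == "__main__":
    for bits in [(1, 0, 1, 0), (1, 0, 1, 1), (1, 0, 0, 1), (1, 0, 0, 0)]:
        print(bits, run(policy(*map(bool, bits)), PACKETS))
```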
Native IDS Acceleration
► Wire-speed capture of interesting flows
 Capture flows with specific bad signatures
 Pass flows known to be good
→ISO image transfers, data files
► Open source IDS/monitoring tools
 Snort, Bro
(diagram: All traffic → MTP → All traffic out (optional); Bad traffic → To CPU)
Native IDS/IPS
► Wire-speed filtration of a subset of known bad packets
 Worms, Viruses, Rootkits
► Open source IDS/monitoring tools
 Snort, Bro to inspect bad traffic
► Dynamically add signatures
 “Lock Down” while patching
► Filter DDoS streams before bottleneck
(diagram: All traffic → MTP → Good traffic → Firewall or Switch; Bad traffic → To CPU)
Transparent IDS Acceleration
► Wire-speed capture and filtration of good flows
 Capture flows known to be good for archiving
→ISO image transfers, data files, etc…
► Other IDS/monitoring appliances only receive a fraction of the
traffic
(diagram: All traffic → MTP → Unknown → Other IDS; Good traffic (optional) → To CPU)
Redundant IDS
► Wire-speed capture of suspected flows
 Capture flows with specific bad signatures
 Pass and filter flows known to be good
→ ISO image transfers, data files
► Open source IDS/monitoring tools
 Snort, Bro
(diagram: All traffic → MTP → All traffic or unknown → Other IDS; Bad traffic → Correlate with the other IDS’s output)
Stateful capture (diagram): each packet is temporarily stored in a linked list; when a stateful match completes, the packets are captured from the linked list, so the packets that preceded the completing match are not lost.
Each packet can be Captured and/or Blocked
10Gbps Information bandwidth management
►Host bandwidth is << fast-path bandwidth
 Flooding cannot be used to compromise blocking capability
→The cost is a false-positive (FP) rate in blocking when state is exhausted
 Flooding can be exploited to reduce efficacy of monitoring
►Need to find needle in a haystack but must cope with a flood of packets
 Hardware stateful analysis (implemented)
 Intelligent Monitoring
 Application-level programmability (implemented)
Intelligent Monitoring (work in progress)
(diagram: rules 1, 2, 3, 4, 5 ... n in priority order, with a threshold test “> T?” on the alert stream)
→When alerts exceed T, switch off lower priority rules and report the number of triggers only, NOT the entire packet
T = maximum amount of alerts tolerable
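The slide gives the idea but not a mechanism. The following is an added illustration for this page, not Metanetworks’ hardware: an alert budget of T whole-packet alerts per reporting interval; when the budget is exhausted, the lowest-priority rule still reporting packets is switched to count-only mode and its already queued packets are folded into its count, which frees budget for higher-priority rules. The eviction order, the `AlertBudget` interface, the priorities and the trigger sequence are all assumptions made for this example.

```python
"""Added example (not Metanetworks' code): an alert budget that degrades
reporting from whole packets to trigger counts, lowest-priority rules first.
Priorities and the trigger sequence are constructed for this illustration."""
from collections import Counter

class AlertBudget:
    def __init__(self, priorities, T):
        self.prio = dict(priorities)   # rule id -> priority, higher = more important
        self.T = T                     # maximum whole-packet alerts per interval
        self.reset()

    def reset(self):
        """Start a new reporting interval; demotions are cleared too."""
        self.full = []                 # (rule, packet) alerts reported in full
        self.counts = Counter()        # rule -> triggers reported as a number only
        self.demoted = set()           # rules switched to count-only mode

    def trigger(self, rule, packet):
        """Record one rule hit; return 'full' or 'count' for how it was reported."""
        while rule not in self.demoted and len(self.full) >= self.T:
            # Budget exhausted: switch off the lowest-priority rule that is
            # still reporting whole packets (possibly this one) and keep only
            # its trigger count.  Each pass demotes one more rule, so it ends.
            active = {r for r, _ in self.full} | {rule}
            victim = min(active, key=lambda r: self.prio[r])
            self.demoted.add(victim)
            kept = [(r, p) for r, p in self.full if r != victim]
            self.counts[victim] += len(self.full) - len(kept)
            self.full = kept
        if rule in self.demoted:
            self.counts[rule] += 1
            return "count"
        self.full.append((rule, packet))
        return "full"

    def report(self):
        """What the host receives for the interval: full alerts, per-rule
        counts, and which rules were switched to count-only mode."""
        return list(self.full), dict(self.counts), sorted(self.demoted)

def replay(priorities, T, events):
    """Run a trigger sequence through one interval; return the modes and report."""
    budget = AlertBudget(priorities, T)
    modes = [budget.trigger(rule, pkt) for rule, pkt in events]
    return modes, budget.report()

# Constructed flood: rule 4 (lowest priority) fires often; rules 1 and 2 are
# the ones the operator actually wants whole packets for.
PRIORITIES = {1: 5, 2: 4, 3: 3, 4: 2}
EVENTS = [(4, "p1"), (4, "p2"), (3, "p3"), (4, "p4"),
          (1, "p5"), (1, "p6"), (2, "p7"), (4, "p8")]

if __name__ == "__main__":
    modes, (full, counts, demoted) = replay(PRIORITIES, 3, EVENTS)
    print(modes)     # ['full', 'full', 'full', 'count', 'full', 'full', 'full', 'count']
    print(full, counts, demoted)
```

With T = 3 the flood from rule 4 never costs the host more than three whole packets, and the rule 1 and rule 2 hits that arrive later are still delivered in full; the host learns how often rules 3 and 4 fired without receiving their packets.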
User-level programmability
 Define API to let user write ad hoc wire-speed code
 Add user modules to synthesis flow and share reduction network
 Architecture provides determinism
→It either fits or it does not fit in the FPGA
→It either meets timing or does not meet timing
→Load/store network processing much harder to predict
(diagram: the FPGA holds Common Functions (Host Interface, Memory Interface, Packet Processor, Layer-1, PCI Interface) alongside User Defined modules; each user module sees Payload, Payload Valid and Offset plus an Address/Data/RW memory port, and contributes its Block and Capture decisions to the shared Reduction Network; Applications run on a Standard OS on the host.)
Roadmap
(timeline from Q4-03 to Q1-07 with milestones: 1G PCI Card, API, Compiler, Signature Services, 1G Appliance, 10G PCI Card, Multiple FPGA 1G, Multiple FPGA 10G)
IDS/IPS Demonstration
► Background traffic saturates line
► Stateful HTTP traffic added to background traffic
► Show that it can capture based on content
 9.6 billion comparisons per second (600 rules x 16 Mpps)
► Show that it can filter based on content
(diagram: HTTP Clients and a Spirent SMB-6000 load generator → All traffic → MTP → Filtered traffic → HTTP Server; Captured Traffic, with CRC, to the host)
Summary
► Extremely low latency design enables a wide variety of
deployment options
► Leverage Open Source software
► 1G and 10G available today
► Processing paradigm lends itself to ad-hoc application level
programmability
Livio Ricciulli
[email protected]
(408) 399-2284
www.metanetworks.org