metanetworks 2005 metanetworks inc. 647 n. santa cruz suite e, los gatos, ca 95030 voice: (408)...

Metanetworks 2005Metanetworks Inc.647 N. Santa Cruz Suite E, Los Gatos, CA 95030Voice: (408) 399-2284 Fax (408) 356-9446

1-10 Gbps programmable IDS/IPS

Livio [email protected]

(408) 399-2284

The Meta Traffic Processor*

*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Award #0339343) and the Air Force Rome Laboratories.

Rome Laboratories


►Founded in 1999 by Livio RicciulliOut of SRI International

→Leading 7 years of Government-funded research→Industry patents worth $$$$

Award-winning DARPA research (SRI, Columbia)Spun off Reactive Network Solutions

› $5M+ VC investments› Leading flooding detection and mitigation product› Several “early” patent-pending applications› Major player in evolving DDoS market consolidation

Currently dedicated to bringing advanced network processing technology to market

MetaNetworks


► Active Networks (DARPA Program)Change behavior of network components (routers) dynamically (add

new protocols, flow control algorithms, monitoring, etc..)→Discrete. Update network through separate management operations→Integrated. Packets cause network to update itself

Broad scope did not result in industry adoption→Lack of “killer application”→Lack of tight industry interaction→Tried to change too much too soon

► Metanetworks’ bottom-up approachAchieve programmability while reusing current infrastructureAugment networks with new, non-invasive technology Application-driven rather than design-drivenWork closely with users/operators Revisit hardware computational model

Brief History


► Open architecture to leverage open source software More robust, more flexible, promotes composability Directly support Snort signatures Abstract hardware as a network interface from OS prospective

► Retain high-degree of programmability New threat models (around the corner) Extend to application beyond IDS/IPS

► Line-speed/low latency to allow integration in production networks Unanchored payload string search Support analysis across packets Gracefully handle state exhaustion

► Hardware support for adaptive information management Detailed reporting when reporting bandwidth is available Dynamically switch to more compact representations when necessary Support the insertion of application-specific analysis code in the fast path

1-10 Gbps IDS/IPS Hardware


► Knowing what is in your network is very important Catch misuses both incoming and outgoing FBI says that effective network monitoring (not even IDS) is in top 3 most

important things to do Who or what is using the bandwidth

► Decentralization Cannot find out what the traffic is unless you do content inspection Many p2p applications randomly changing ports (VOIP) Key exchanges need to be monitored Would like to know what applications are doing

► High Speed High Complexity 1G and 10G make content inspection a challenge Hardware/Software co-design is a must Packet loss is a BIG problem

If you Cannot Measure it, You Cannot Manage it


Memory ProcessorProcessor

ProcessorProcessor

MemoryMemoryMemory

InstructionsGet packet

Compareto rules

Alert

Data

Flynn’s Computer Taxonomy

ProcessorMemory

InstructionsGet packet

Compareto rules

Alert

Data

P0 . . . . P1 Pn

Reduction Network

Data

Alert

Instructions

P0 . . . . P1 Pn

Reduction Network

Alert

Data

Instructions

SISD

MIMDMISD

SIMD


R1 . . . . R2 Rn

Reduction Network

Block

Data Stream

FPGA

Data ValidReceive Clock

MatchMemory

Host Interface

StatefulAnalysis

MISD Programmable Hardware


Block Direction 1

Block Direction 2

Monitoring System

AND

PHY

RxDataRxEnable

PHYRxEnableRxData

AND


PHY

FPGA

L-1

RAM

RAM

IPS/IDS

Synthesis + firmware update

DynamicPolicies

PHY

Static Policies Compilation +

runtime update

Packets

State

Read Only

Block+

Fail Close

Latency < 0.5 μs

< 1500< 100

100Mb-10Gb

1-8M C

oncurrent Flows

Cost-effective & Powerful

Internet

Internet

Web-based signature management service


FPGAPHY

SRAM

SRAM

PCI FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

FPGAPHY

SRAM

SRAM

PCI

CPU CPU

FPGAPHY

SRAM

SRAM

PCI SnortIDS/IPS

FPGAPHY

SRAM

SRAM

PCI

Up to 6 cards/box


Content Inspection Performance Comparison

Percenatge of Alert Loss

-20.00%

0.00%

20.00%

40.00%

60.00%

80.00%

100.00%

0 1000 2000 3000

Mbps

% o

f ale

rt lo

ss

darpa no MTP w eb1 no MTP

w eb2 no MTP darpa w ith MTP

w eb1 w ith MTP w eb2 w ith MTP


MA

TC

HT

S

HI

&

&

&

&

&

1

|

CA

1

&

&

&

&

&

&

SO

NE

MA

TC

HT

HIS

CA

TC

HT

HIS

ON

EStatic analysis of large number of IDS signatures

►Transform Snort rules or BPF expressions into a low-level declarative language

►Extract fine-grain parallelism across thousands of signaturesDefine independent FSMs each

implementing a signatureShare comparison logic across

multiple FSMs ►Synthesizer further optimizes

Merge multiple FSMs sharing intermediate states

Eliminate redundant rules


Some Rule Compression Results

010002000300040005000600070008000

0 500 1000 1500

Snort Rules

Com

pon

ent

Cou

nts

Comp

Edges

Compsaved


CPU

IDS/IPS

CPU

IDS/IPS

Router/Switch

Multiple Mirrors

Inline

Passive

CPU

IDS/IPS

Mirror PortPassive Inline

To other passivedevices

To other passivedevice

→Use it for IPS or just to eliminate a TAP

→Chain multiple cards

→Traditional passive monitoring→Up to 6 cards per host

→Extend passive capacity→Can hang multiple passive

devices off 1 TAP or Mirror


Layer-1 “T” JunctionC B

ICMP 1 0

ICMP Echo 1 0

ICMP 1 0

ICMP Echo 1 1

ICMP 1 0

ICMP Echo 0 1

ICMP 1 0

ICMP Echo 0 0

Capture Output

All ICMP All ICMP

All ICMP All ICMP that is not an Echo

All ICMP that is not an Echo

ALL ICMP that is not an Echo

All ICMP that is not an Echo

All ICMP


Packet temporarily stored in a linked list

Stateful matches

Packets captured from linked list


Each packet can be Captured and/or Blocked


► User-level programmabilityDefine API to let user write ad-

hoc wire-speed codeAdd user modules to synthesis

flow and share reduction network

Architecture provides determinism

→It either fits or it does not fit in the FPGA

→It either meets timing or does not meet timing

→Load/store network processing much harder to predict

User-level programmability

MemoryInterface

PacketProcessor

HostInterface

UserDefined

AddressData

RW

Payload

Offset

Valid

Payload

Block

Capture

Common Functions

Reduction Network

Block

Capture

PCI Interface

Layer-1

Applications

Standard OS

UserDefined

Offset

Valid

Capture

Payload

Payload

Block

FPGA


► Extremely low latency design enables a wide variety of deployment options

► Leverage Open Source software► 1G and 10G available today► Processing paradigm lends itself to ad-hoc application level

programmability

Livio [email protected]

(408) 399-2284www.metanetworks.org

Summary

metanetworks 2005 metanetworks inc. 647 n. santa cruz suite e, los gatos, ca 95030 voice: (408)...

Documents

market metanetworks

santa cruz suite e

los gatos

update network

network interface

packets cause network

effective network monitoring

gbps idsips hardware