A Hybrid Approach to Cyber Security
Presented by Steve Patton
Where innovative thinking
meets engineering excellence
What this session is about / what will I learn?

• Standard building blocks of Cyber Security Systems
• Some of the problems system builders face as data rates rise
• How a hybrid hardware/software approach can solve these problems
• …alternative title: “using a combination of hardware and software to build cyber security systems”

 2   www.telesoft-technologies.com
     Copyright 2012 by Telesoft Technologies. All rights reserved
High Level Cyber Security Design Objectives

• Capture and analyse flows
• Filtering through Gb’s of packet data
• Identify threat signatures
• 100% visibility – no data loss
• Build to a cost
• End Game = detect & prevent intrusions

What tools do we have?

• Off the Shelf Software Applications
  – DPI (primarily in software)
    • Flow tracking
    • N-tuple
    • Traffic Analysis
    • Pattern & Signature Matching
• Open source / Freeware
  – ACARM-ng, AIDE, Bro NIDS, OSSEC HIDS, Prelude Hybrid IDS, Samhain, Snort, Suricata
• Off the shelf servers with GbE ports

DPI?

• Deep Packet Inspection (DPI) is the act of any IP network equipment which is not an endpoint of a communication using non-header content (typically the actual payload) for some purpose.
• In IP this generally means content above the TCP/UDP layer
• Used for identification and filtering

Flow Tracking

• First basic filtering operation, not really DPI
• Based on 5-tuple flow identifier using packet header parameters
• Common concept in network security equipment e.g. Firewalls
• End goal: Determine which packets belong to a communication (“flow”) between two computers

N-tuple

• Is a collection of attributes. Commonly (5):
  – Source IP address
  – Source port (typically: any)
  – Destination IP address
  – Destination port (80 or 443)
  – Destination protocol (typically TCP)
• How are they used?
  – Filtering
  – Define access requirements
  – Identify suspect flows

N-tuple in practice




Where 5-tuple is not enough

• Identify specific protocols
• Identify malware, badly behaving applications
• Identify signatures

• Use enhanced filtering to inspect deeper into the data

Pattern & Signature Matching

• Second basic filtering operation
• Search for strings, numbers at certain positions
  – usually several patterns for each protocol

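
The slide describes signature matching as searching for strings and numbers at fixed positions, with several patterns per protocol. The Python below is an added example written for this page, not code from the presentation or from Telesoft: each signature is a byte pattern anchored at a byte offset, optionally paired with a numeric field check (the TLS entry verifies that the record length field is consistent with the bytes actually present, so a pattern hit on a malformed record is rejected). The signature table, the inspection depth and the sample payloads are constructed for illustration and are not a vendor rule set.

```python
import re
from collections import Counter


def tls_length_consistent(payload):
    """Numeric field check: the 2-byte record length at offset 3 must fit the data seen."""
    return len(payload) >= 5 and int.from_bytes(payload[3:5], "big") <= len(payload) - 5


# Constructed signature table: (protocol, byte offset the pattern is anchored at,
# compiled byte pattern, optional numeric check). Several patterns per protocol,
# as the slide says. Illustrative choices for this example, not a vendor rule set.
SIGNATURES = [
    ("HTTP", 0, re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"), None),
    ("HTTP", 0, re.compile(rb"HTTP/1\.[01] [1-5]\d\d "), None),
    # TLS record: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte length, then 0x01 (ClientHello)
    ("TLS", 0, re.compile(rb"\x16\x03[\x00-\x03]..\x01", re.DOTALL), tls_length_consistent),
    ("SSH", 0, re.compile(rb"SSH-2\.0-"), None),
    ("SMTP", 0, re.compile(rb"220 [^\r\n]*\r\n"), None),
]

INSPECT_DEPTH = 64  # only the head of each payload is pattern-matched (assumed depth)


def classify(payload):
    """Return the first protocol whose pattern matches at its anchored offset and
    whose numeric check (if any) passes on the full payload; None if nothing matches."""
    head = payload[:INSPECT_DEPTH]
    for proto, offset, pattern, check in SIGNATURES:
        # Pattern.match(head, offset) anchors the match at exactly that byte position.
        if pattern.match(head, offset) and (check is None or check(payload)):
            return proto
    return None


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26" + b"\x00" * 38,  # well-formed 42-byte handshake record
    b"\x16\x03\x01\x01\x00\x01\x00\x00\xfc",  # claims a 256-byte record but is truncated: rejected
    b"SSH-2.0-OpenSSH_8.9\r\n",
    b"220 mail.example.test ESMTP\r\n",
    b"\x00" * 10,  # matches nothing
]


def classify_batch(payloads):
    """Count classifications over a batch; None collects the unmatched payloads."""
    return dict(Counter(classify(p) for p in payloads))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample[:16])
    print(classify_batch(SAMPLES))
```

The anchored match is what keeps this cheap: nothing is scanned past the offset where the pattern is expected, and only the first few dozen bytes are examined at all, which is the property that lets the same idea run on a line card rather than on the host CPU.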
Traffic Analysis

• Third basic DPI operation
• Why do we do this?
  – Pattern matching impossible for encrypted traffic
• Instead, analyse traffic patterns:
  – Packet sizes
  – Packet size sequences
  – Data rates
  – Packet rates
  – Number of concurrent flows
  – Flow arrival rate

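
The six traffic-pattern features listed on this slide need only packet sizes and timestamps, which is why they still work when the payload is encrypted. The Python below is an added example written for this page, not code from the presentation or from Telesoft: it computes each listed feature from a small constructed packet trace, and adds one detection heuristic built from those features (a flow whose packets are all the same size and evenly spaced, a shape that periodic beaconing tends to have). The trace, the flow ids A/B/C, the idle timeout and the jitter threshold are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records: (timestamp in seconds, flow id, size in bytes).
# Synthetic data for this example, not a capture. Flow A looks like a web fetch,
# flow B sends identical small packets at a fixed interval, flow C is sparse.
PACKETS = [
    (0.00, "A", 517), (0.01, "A", 1514), (0.02, "A", 1514), (0.03, "A", 66),
    (0.05, "B", 90), (0.06, "B", 90), (0.07, "B", 90), (0.08, "B", 90),
    (0.50, "A", 1514), (0.51, "A", 66),
    (1.00, "C", 200), (1.20, "C", 200),
]


def group_by_flow(packets):
    """Flow id -> [(timestamp, size), ...] in arrival order."""
    by_flow = defaultdict(list)
    for ts, fid, size in packets:
        by_flow[fid].append((ts, size))
    return by_flow


def flow_features(packets):
    """Per-flow features from headers and timing only: no payload is needed."""
    feats = {}
    for fid, pkts in group_by_flow(packets).items():
        sizes = [s for _, s in pkts]
        span = max(pkts[-1][0] - pkts[0][0], 1e-3)  # guard single-packet flows
        feats[fid] = {
            "packets": len(pkts),
            "bytes": sum(sizes),
            "mean_size": mean(sizes),
            "size_sequence": sizes[:4],      # opening "shape" of the flow
            "packet_rate": len(pkts) / span,  # packets per second
            "data_rate_bps": 8 * sum(sizes) / span,
        }
    return feats


def concurrent_flows(packets, t, idle_timeout=1.0):
    """Number of flows with at least one packet in (t - idle_timeout, t]."""
    return len({fid for ts, fid, _ in packets if t - idle_timeout < ts <= t})


def flow_arrival_rate(packets):
    """New flows per second over the observed span (floored at one second)."""
    first_seen = {}
    for ts, fid, _ in packets:
        first_seen.setdefault(fid, ts)
    starts = sorted(first_seen.values())
    return len(starts) / max(starts[-1] - starts[0], 1.0)


def periodic_flows(packets, min_packets=4, jitter=0.1):
    """Flows whose packets are all one size and evenly spaced. Worth a second look:
    heartbeat or beaconing traffic often has exactly this shape even when encrypted."""
    flagged = []
    for fid, pkts in group_by_flow(packets).items():
        if len(pkts) < min_packets or len({s for _, s in pkts}) != 1:
            continue
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        if pstdev(gaps) <= jitter * mean(gaps):
            flagged.append(fid)
    return flagged


if __name__ == "__main__":
    for fid, f in flow_features(PACKETS).items():
        print(fid, f)
    print("concurrent at t=0.1:", concurrent_flows(PACKETS, 0.1))
    print("flow arrival rate:", flow_arrival_rate(PACKETS))
    print("periodic flows:", periodic_flows(PACKETS))
```

On the constructed trace only flow B is flagged: A has a varied size sequence (the request, full-size data segments, a small ACK) and C has too few packets to judge. The thresholds are deliberately parameters; on real traffic they are tuned against known-good baselines rather than fixed.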
Let’s build a 1GbE IDS

• Build using standard server hardware
  – Add in commodity 1GbE adapters where necessary
• Use custom or off the shelf software applications
  – IDS/IPS (Snort?)
  – DPI software

Challenges

• Rising data rates
  – Enterprise:
    • 1Gb common
    • 10Gb becoming more common
  – Datacentre
    • 40Gb, multiple 100Gb
• Ever growing protocol diversity

• Both consume CPU resources
• Drives up cost

Let’s build a 10GbE IDS

• Same basic components as the 1Gb IDS
• But:
  – Server needs to process 10 times the data throughput
  – Add in a 10GbE interface card

Data loss is the enemy

• What causes data loss?
  – Dropped packets – CPU can’t keep up
    • We can buffer in the server – but can overrun
    • Need more powerful CPUs/Servers
  – Delay between detecting that we want to monitor something, and actually monitoring it! (latency)
  – Larger delays – detecting half way through a session that we want to monitor something – but seconds have passed

More CPU, more memory, more speed

• 40Gb/s typically 15 x the cost of 2Gb/s

[Chart: Cores, Memory and Cost (y-axis 0 to 35) plotted against line rate 2, 4, 10, 20 and 40 Gb/s]

What can we do to offload processing?

• Categorise flows (hash) and forward route to multiple lower cost servers for processing
  – Each flow belongs to the same set of
    • Source IP address
    • Source port (typically: any)
    • Destination IP address
    • Destination port (80 or 443)
    • Destination protocol (typically TCP)
• Intelligent line adapter allows flows to be split and routed with virtually zero CPU overhead

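
The Flow Tracking and N-tuple slides and the hashing step described here come down to one operation: reduce each packet to its 5-tuple, group packets into flows, and hash the flow to pick a server. The Python below is an added example written for this page, not code from the presentation or from Telesoft. It parses a constructed IPv4 header into a 5-tuple, builds a direction-independent flow key so that both halves of a conversation land on the same IDS server (a hash over the raw, unordered tuple would send request and reply to different servers, and neither could reassemble the session), and picks a server by hashing that key. The packet builder, the addresses and ports, and the use of SHA-256 are assumptions made for illustration; a line card would use a cheap symmetric hardware hash.

```python
import hashlib
import struct
from ipaddress import IPv4Address

PROTO_TCP = 6
PROTO_UDP = 17


def build_packet(src, dst, sport, dport, proto=PROTO_TCP):
    """Constructed test packet: 20-byte IPv4 header followed by the L4 port pair.
    Synthetic bytes for this example, not a capture."""
    ver_ihl = (4 << 4) | 5  # IPv4, header length 5 x 32-bit words (no options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 40, 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HH", sport, dport)


def five_tuple(pkt):
    """Header-only parse: (src_ip, src_port, dst_ip, dst_port, proto)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes, honours IP options
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    if proto not in (PROTO_TCP, PROTO_UDP) or len(pkt) < ihl + 4:
        return (src, 0, dst, 0, proto)  # no port pair for ICMP and the like
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, sport, dst, dport, proto)


def flow_key(t):
    """Canonical, direction-independent key: the lower (address, port) pair goes
    first, so request and reply packets produce the same key."""
    src, sport, dst, dport, proto = t
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


def pick_server(key, n_servers):
    """Hash the flow key to one of n_servers (SHA-256 purely for illustration)."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_servers


class FlowTable:
    """Groups packets by flow key and records per-flow packet sizes."""

    def __init__(self):
        self.flows = {}

    def add(self, pkt):
        key = flow_key(five_tuple(pkt))
        self.flows.setdefault(key, []).append(len(pkt))
        return key


def distribute(packets, n_servers):
    """Route packets to servers. Returns ({server: set of flow keys}, distinct flows)."""
    table = FlowTable()
    routes = {}
    for pkt in packets:
        key = table.add(pkt)
        routes.setdefault(pick_server(key, n_servers), set()).add(key)
    return routes, len(table.flows)


def demo(n_servers=4):
    """Constructed traffic: one HTTPS conversation seen in both directions plus one HTTP flow.
    Returns (distinct flows, whether request and reply share a key and no flow is split)."""
    pkts = [
        build_packet("192.168.1.10", "203.0.113.5", 51234, 443),
        build_packet("203.0.113.5", "192.168.1.10", 443, 51234),  # reply direction
        build_packet("192.168.1.11", "203.0.113.5", 40000, 80),
    ]
    routes, n_flows = distribute(pkts, n_servers)
    request_key = flow_key(five_tuple(pkts[0]))
    reply_key = flow_key(five_tuple(pkts[1]))
    one_server_each = sum(len(keys) for keys in routes.values()) == n_flows
    return n_flows, request_key == reply_key and one_server_each


if __name__ == "__main__":
    print(demo())
```

demo() reports two flows, not three, because the reply packet folds into the request's flow; that fold is exactly what the canonical ordering in flow_key buys, and it is the property to check on any hardware load-balancing adapter before trusting it to feed a set of IDS servers.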
How could an intelligent xGbE adapter help?

[Diagram: Using 5-tuple filtering to route flows to distributed, low cost IDS Servers]

If multiple systems are not an option

• Use a powerful server/compute platform

OR

• Offload as much processing as possible onto a Hardware Accelerated Network Adapter

Accelerated Network Adapters

• Specialised packet interface and processing cards
  – Assist with layer 2, 3 & 4 filtering and classification
  – Load balancing flows to multiple processing engines
  – Pre-filtering on other layers (i.e. L7 content)
  – Keyword and signature matching

Basic NIC Card




Accelerated Card – With Filtering




Missing packets due to start delay




Sometimes the session control is separate




How can we guard against this?

• Store everything on the host server or separate? storage device
  – More complex = more cost
• Implement packet buffers in line cards
  – Needs to be in the order of 300ms to combat latency
  – May need to be as long as 2 to 3s for separate control signalling

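
The two buffer figures on this slide (about 300 ms to cover detection latency, 2 to 3 s when session control is signalled separately, as in the two preceding slides) translate into a time-bounded packet buffer on the line card. The Python below is an added example written for this page, not code from the presentation or from Telesoft: buffer_bytes gives the memory a window needs at a given line rate, and ReplayBuffer keeps a sliding window of recent packets so that when the decision to monitor a flow arrives late, the buffered start of that session is replayed to the analysis engine instead of being lost. The scenario, the flows F and G, and all timings are constructed for illustration; timestamps are integer milliseconds so the counts are exact.

```python
from collections import deque


def buffer_bytes(line_rate_gbps, window_s):
    """Bytes a line card must hold to keep window_s of traffic at full line rate."""
    return round(line_rate_gbps * 1e9 / 8 * window_s)


class ReplayBuffer:
    """Keeps the last window_ms of every packet. When a flow is selected for
    monitoring, whatever is still buffered for it is replayed to the engine."""

    def __init__(self, window_ms):
        self.window_ms = window_ms
        self.packets = deque()  # (ts_ms, flow_id, payload), oldest first
        self.monitored = set()
        self.delivered = []  # what the analysis engine actually receives

    def ingest(self, ts_ms, flow_id, payload):
        self.packets.append((ts_ms, flow_id, payload))
        while self.packets and self.packets[0][0] < ts_ms - self.window_ms:
            self.packets.popleft()  # age out anything older than the window
        if flow_id in self.monitored:
            self.delivered.append((ts_ms, flow_id, payload))

    def start_monitoring(self, flow_id):
        """Monitoring decision for flow_id: replay its buffered history once.
        Returns the number of packets recovered from the buffer."""
        if flow_id in self.monitored:
            return 0
        self.monitored.add(flow_id)
        replayed = [p for p in self.packets if p[1] == flow_id]
        self.delivered.extend(replayed)
        return len(replayed)


def scenario(window_ms, decision_delay_ms, flow_ms=1000, interval_ms=10):
    """Constructed scenario: flow F sends one packet every interval_ms for flow_ms;
    background flow G runs throughout so the buffer keeps ageing; the decision to
    monitor F arrives decision_delay_ms after F's first packet.
    Returns (packets F sent, packets of F the engine received)."""
    buf = ReplayBuffer(window_ms)
    sent = 0
    for ts in range(0, max(flow_ms, decision_delay_ms) + interval_ms, interval_ms):
        if ts >= decision_delay_ms:
            buf.start_monitoring("F")  # no-op after the first call
        if ts < flow_ms:
            buf.ingest(ts, "F", b"F-data")
            sent += 1
        buf.ingest(ts, "G", b"background")
    received = sum(1 for _, fid, _ in buf.delivered if fid == "F")
    return sent, received


if __name__ == "__main__":
    print("10 Gb/s, 300 ms window:", buffer_bytes(10, 0.3), "bytes")
    print("40 Gb/s, 3 s window:   ", buffer_bytes(40, 3), "bytes")
    print("300 ms window, decision at 200 ms:", scenario(300, 200))
    print("300 ms window, decision at 2.5 s: ", scenario(300, 2500))
    print("3 s window, decision at 2.5 s:    ", scenario(3000, 2500))
```

With a 300 ms window a decision taken 200 ms into the session recovers every packet, but the same window loses the whole session when the control signalling arrives 2.5 s later; only the 3 s window covers that case. buffer_bytes shows the price: 300 ms at 10 Gb/s is 375 MB, 3 s at 40 Gb/s is 15 GB, which is why the longer window is the expensive one.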
Integrated, filtering interface/adapter card

• AKA
  – Hardware Accelerator Cards
  – Accelerating Capture Cards
  – Load balancing NIC
  – Network Analysis Adapter

Summary

• By sharing the filtering and processing load for a Cyber Security application between the host CPU and the line card we can:
  – Build physically smaller systems
  – Save on power
  – Save on component cost
  – Save on space
  – Eliminate packet loss

Small but powerful!

For more information

Talk to Telesoft today
Visit www.telesoft-technologies.com

Thank you

“The definition of insanity is people trying to do the same thing and expecting different results”
Einstein

Headquarters:
Telesoft Technologies Ltd
Observatory House
Blandford Dorset
DT11 9LQ UK
T. +44 (0)1258 480 880
F. +44 (0)1258 486 598
E. sales@telesoft-technologies.com

Americas:
Telesoft Technologies Inc
Suite 601
4340 Georgetown Square
Atlanta GA 30338 USA
T. +1 770 454 6001
F. +1 770 452 0130
E. salesusa@telesoft-technologies.com

India:
Telesoft Technologies Ltd (Branch Office)
Building FC-24
Sector-16A, Noida 201301
Uttar Pradesh, INDIA
T. +91 120 466 0300
F. +91 120 466 0301
E. salesindia@telesoft-technologies.com

www.telesoft-technologies.com    Copyright 2010 by Telesoft Technologies. All rights reserved.
