If you're thinking of setting up some of your assets in the cloud, you need to think about how you can do that without compromising your network security monitoring standards and how you can still meet compliance regulations. Even if you already run a network Intrusion Detection (and/or Prevention) System or host-based IDS in your organization, securing the cloud is a different matter. Read this article to learn how the MSS secures assets in the cloud.
10 Gbps Snort multiprocessing with PF_RING
PF_RING is software that load balances network traffic arriving on an Ethernet interface by hashing each packet's IP/transport headers into one of N buckets, so that all packets of a given flow land in the same bucket. This allows it to spawn N instances of Snort, each processing a single bucket, and achieve higher throughput through multiprocessing. In order to take full advantage of this, you need a multicore processor (like an i7 with 8 hardware threads) or a dual or quad processor board that increases parallelism even further across multiple chips.
In a related article we measured the performance of PF_RING with Snort inline at 1 Gbps on an i7 950. The results were impressive.
In this article we report on our experiment running Snort on a dual processor board with a total of 24 hyperthreads (using the Intel X5670). Besides measuring Snort processing throughput varying the number of rules, we also (1) changed the compiler used to compile Snort (GCC vs. ICC) and (2) compared PF_RING in NAPI mode (running 24 Snort processes in parallel) and PF_RING Direct NIC Access technology (DNA) (running 16 Snort processes in parallel).
PF_RING NAPI performs the hashing of the packets in software and has a traditional architecture where the packets are copied to user space by the driver. Snort is parallelized using 24 processes that are allowed to float on the 24 hardware threads while the interrupts are parallelized on 16 of the 24 hardware threads.
PF_RING DNA performs the hashing of the packets in hardware (using the Receive Side Scaling (RSS) function of the Intel 82599 10G controller) and relies on 16 hardware queues. The DNA driver allows 16 instances of Snort to read packets directly from the hardware queues, virtually eliminating kernel-level processing overhead. The limitations of DNA are that (1) it supports a maximum of 16x parallelism per 10G interface, (2) it only allows one process to attach to each hardware queue and (3) it costs a bit of money or requires Silicom cards (well worth it). (2) is significant because it does not allow multiple processes to receive the same data. So, for example, if you run "tcpdump -i dna0", you could not also run "snort -i dna0 -c config.snort -A console" at the same time; the second invocation would return an error.
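The property the hashing step has to guarantee, whether PF_RING does it in software (NAPI) or the NIC does it (DNA/RSS), is that both directions of a session land in the same bucket; otherwise the Snort process that owns one direction never sees the replies and stream reassembly silently breaks. The following is an added, constructed illustration of that requirement, not PF_RING's own code: symmetric_bucket() canonicalises the two endpoints before hashing, naive_bucket() hashes the 5-tuple in wire order and shows the failure, and the flows, addresses and the FNV-1a hash are our own choices.

```python
"""Flow-consistent packet bucketing for multi-process Snort (constructed example)."""
import random
import socket
import struct
from collections import Counter


def fnv1a32(data: bytes) -> int:
    """FNV-1a 32-bit hash; any decent non-cryptographic hash would do here."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def naive_bucket(pkt, n):
    """Hash the 5-tuple as seen on the wire: A->B and B->A hash differently."""
    src, dst, proto, sport, dport = pkt
    key = struct.pack("!4sH4sHB", socket.inet_aton(src), sport, socket.inet_aton(dst), dport, proto)
    return fnv1a32(key) % n


def symmetric_bucket(pkt, n):
    """Sort the two (ip, port) endpoints first so both directions share one key."""
    src, dst, proto, sport, dport = pkt
    a = (socket.inet_aton(src), sport)
    b = (socket.inet_aton(dst), dport)
    lo, hi = (a, b) if a <= b else (b, a)
    key = struct.pack("!4sH4sHB", lo[0], lo[1], hi[0], hi[1], proto)
    return fnv1a32(key) % n


def reverse(pkt):
    """The same flow as seen from the other side."""
    src, dst, proto, sport, dport = pkt
    return (dst, src, proto, dport, sport)


def make_flows(count, seed=1):
    """Constructed sample flows: random clients in 10.0.0.0/16 to random servers in 203.0.113.0/24."""
    rng = random.Random(seed)
    flows = []
    for _ in range(count):
        client = "10.0.%d.%d" % (rng.randrange(256), rng.randrange(1, 255))
        server = "203.0.113.%d" % rng.randrange(1, 255)
        flows.append((client, server, 6, rng.randrange(1024, 65536), rng.choice([80, 443, 6881, 22])))
    return flows


def split_flows(flows, n, bucket_fn):
    """Number of flows whose two directions land in different buckets (should be 0)."""
    return sum(1 for f in flows if bucket_fn(f, n) != bucket_fn(reverse(f), n))


def load_distribution(flows, n, bucket_fn):
    """Packets per bucket, counting one packet per direction per flow."""
    counts = Counter()
    for f in flows:
        counts[bucket_fn(f, n)] += 1
        counts[bucket_fn(reverse(f), n)] += 1
    return counts


if __name__ == "__main__":
    flows = make_flows(100)
    for name, fn in (("naive", naive_bucket), ("symmetric", symmetric_bucket)):
        dist = sorted(load_distribution(flows, 16, fn).items())
        print("%-9s split flows: %3d  load per bucket: %s" % (name, split_flows(flows, 16, fn), dist))
```

With 16 buckets (the DNA limit per 10G interface) the symmetric hash never splits a flow, while the naive one splits most of them; the load distribution printed for each shows that symmetry costs nothing in balance.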
GCC is the standard open source compiler that ships with CentOS 6 and virtually every other Linux and Unix system. It is the foundation of open source software and without it we would (computationally) still be in the stone age.
ICC is Intel's proprietary compiler; it goes much further in extracting instruction- and data-level parallelism from modern multicore processors such as the i7 and Xeons.
All results are excellent and show that you can build a 5-7 Gbps IDS using standard off-the-shelf machines and PF_RING. The system we used to perform these experiments is below:
The graph shows the sustained Snort performance of 4 different configurations using a varying number of Emerging Threats Pro rules. As expected, the number of rules has a dramatic effect on performance for all configurations (the more rules, the lower the performance). In all cases, memory access contention is likely to be the main limiting factor.
Given our experience, we think that our setup is fairly representative of an academic institution, but we have to admit that measuring Snort performance in absolute terms is hard. No two networks are the same and rule configurations vary even more widely; nevertheless, the relative performance variations are important and of general interest. You can draw your own conclusions from the graph above; here are some observations we find interesting:
At the high end (6900 rules) ICC makes a big difference, increasing throughput by ~1 Gbps (25%).
GCC is just as good at maintaining throughput around 5 Gbps
PF_RING DNA is always better than PF_RING NAPI.
We describe below how to reproduce these numbers on Linux CentOS 6. If you do not want to go through these steps, we also provide this functionality through our security system (MSS) pre-packaged and ready to go. It would help us if you tried it and let us know what you think. If you want to go at it on your own, read the full article on our main website.
Block Torrents
Metaflows' CEO and Chief Research Scientist, Livio Ricciulli, has developed a plugin for the Metaflows Security System that can block torrents and much more. Even while the sensor runs in passive mode (off a tap or SPAN port rather than inline), the "Isolate Plugin" uses TCP session disruption and packet spoofing to block torrents, or any other kind of traffic, by simply selecting a Snort rule in the Metaflows Rule Interface.
The Isolate plugin is turned on by modifying the sensor configuration in the Metaflows Security System and ticking the "Isolate" check box. If the plugin is left off, it simulates the actions it would have taken and alerts customers to the items it would have blocked.
The Isolate Plugin is an active response system that disrupts TCP (and sometimes UDP) sessions to block unwanted traffic such as torrents or other potentially disruptive applications. It works by injecting spoofed TCP reset packets, as well as other session-hijacking packets, into the network. This gives IDS operators a way to block unwanted traffic without modifying firewall rules. One caveat applies to any reset-based blocker: a spoofed reset is only honoured if it carries the sequence number the receiving host currently expects, so the sensor must see the session's traffic and inject quickly; a session whose packets the sensor missed, or one that races ahead of the injected reset, can survive, which is why this complements rather than replaces a firewall.
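To make the mechanism concrete, here is an added, constructed example of reset injection that is not the Isolate plugin's code: from one observed segment it builds a spoofed IPv4/TCP reset for each endpoint, choosing the sequence number that endpoint will accept (RFC 5961 hosts reset only when SEQ equals RCV.NXT exactly; an in-window but inexact SEQ just draws a challenge ACK). Addresses, ports and sequence numbers are made up, parse() exists only to check what was built, and send_raw() is an assumed helper that needs a raw socket (root) and is never called automatically. Use it only on networks you are authorised to monitor.

```python
"""Spoofed TCP RST injection against an observed segment (constructed example)."""
import socket
import struct

TCP_RST = 0x04
IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset, flags, window, csum, urgent


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags):
    """20-byte TCP header; the checksum covers the IPv4 pseudo-header (RFC 793)."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src, dst, payload):
    """20-byte IPv4 header (no options), TTL 64, DF set, valid header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, 64, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def craft_resets(src, dst, sport, dport, seq, ack, payload_len):
    """Observed segment: src:sport -> dst:dport with SEQ=seq, ACK=ack and payload_len data bytes
    (count SYN or FIN as one extra byte). Returns (rst_to_dst, rst_to_src):
      rst_to_dst is spoofed as src with SEQ = seq + payload_len, dst's RCV.NXT once the segment is in;
      rst_to_src is spoofed as dst with SEQ = ack, the next byte src expects from dst.
    """
    rst_to_dst = build_ipv4(src, dst, build_tcp(src, dst, sport, dport, seq + payload_len, 0, TCP_RST))
    rst_to_src = build_ipv4(dst, src, build_tcp(dst, src, dport, sport, ack, 0, TCP_RST))
    return rst_to_dst, rst_to_src


def parse(packet: bytes) -> dict:
    """Decode an IPv4/TCP packet and verify both checksums (used to check what we built)."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(seg))
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, seg[:20])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_ok": inet_checksum(packet[:ihl]) == 0, "tcp_ok": inet_checksum(pseudo + seg) == 0}


def send_raw(packet: bytes) -> None:
    """Assumed helper: inject a prebuilt IPv4 packet (needs CAP_NET_RAW/root; Linux IP_HDRINCL)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (socket.inet_ntoa(packet[16:20]), 0))


if __name__ == "__main__":
    # Constructed observation: a peer on port 6881 sent 100 bytes with SEQ 1000 / ACK 5000.
    to_peer, to_client = craft_resets("10.0.0.5", "203.0.113.7", 51234, 6881, 1000, 5000, 100)
    for name, pkt in (("reset to peer", to_peer), ("reset to client", to_client)):
        print(name, parse(pkt))
```

The two packets are what a sensor would hand to send_raw() the moment the offending rule fires; the point to notice is that each side gets a different sequence number, which is exactly why a sensor that only sees one direction of a session makes a poor blocker.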
Infosec News We’re Reading
>>>>> SSL Hacked!

Law.com has a very interesting article about the ramifications for enterprise security after the high profile breaches of certificate authorities like DigiNotar and others this year. Link to full article on law.com
>>>>> Japan to boost cyber-security after defense contractor hacked
“ ‘The government will unite and take possible measures against cyber attacks,’ Chief Cabinet Secretary Osamu Fujimura told a news conference on Tuesday, adding that the upcoming meeting is expected to discuss ways to reinforce anti-cyber attack measures.” Link to full article from Kuwait News Agency.
The giants of cloud security
To say that cloud computing has taken the business world by storm would be a massive understatement. To say that traditional security systems are in a place to deal with the new challenges posed by cloud computing would be an even greater understatement.
Cloud computing has disrupted the status quo for giants like Cisco and Juniper and others who sell physical network appliances. There are worlds upon worlds of wispy new network space to be secured but there is still no clear leader in cloud security.
What will the future of cloud security look like? Will it pan out much like the market for large enterprise network security: a few big players with many small and medium guys fighting over the rest?
Large network security companies have become very successful at selling products that work very well in the real world. Will their enormous success in the “real world” enable them to successfully navigate this new virtual territory? They certainly have enough money and human resources to try.
Or will the battle for the clouds be won by smaller companies that are already providing cloud security? I guess we’ll see. But if the ground starts to shake you’ll know what it is.
The “prevention” vs “detection” debate continues
A new e-book from SC Magazine continues the debate within the network security field about which is better: intrusion detection or intrusion prevention (you can download that here).
The author's point is that, given the very public successes of recent attacks, companies may be spending too much time and money on prevention and not enough on detecting attacks. Companies should not stop working to keep attackers out, but the rapid detection of successful intrusions should be a top priority.


Intrusion prevention systems (IPS), for the most part, involve very expensive network appliances that sit inline at the network perimeter to prevent attacks from getting in. We call that "hard IPS". A typical IPS costs at least $10,000, plus maintenance fees.

by admin