high performance network security monitoring at the
play

High-Performance Network Security Monitoring at the Lawrence - PowerPoint PPT Presentation

Feb 23, 2024 •310 likes •841 views

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for Monitoring External and Internal Activity Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute

  1. High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for Monitoring External and Internal Activity Robin Sommer Lawrence Berkeley National Laboratory & International Computer Science Institute rsommer@lbl.gov http://www.icir.org Fall 2007 Internet2 Member Meeting

  2. Lawrence Berkeley National Lab • Main site located on a 200-acre area in the Berkeley hills • Close proximity to UC Berkeley Fall 2007 Internet2 Member Meeting 2

  3. Lawrence Berkeley National Lab • Managed by UC for the Department of Energy • Open, unclassified research • Research is freely shared • Collaboration around the world • Diversity of research • Nanotechnology, Energy, Physics, Biology, Chemistry, Environmental, Computing • Diverse user community • Scientific facilities used by researchers around the world • Many users are transient and not employees • Many staff have dual appointment with UC Berkeley • Very liberal, default-allow security policy • Characteristic for many research environment • Requires comprehensive approach to monitoring Fall 2007 Internet2 Member Meeting

  4. Network Security Monitoring at the Lab Outline of this Talk • Monitoring external activity with the Bro NIDS • Overview of Bro’s design & architecture, and LBNL’s installation • Recent Bro Developments • The Bro Cluster • Dynamic Protocol Detection • Monitoring internal activity • Inter- & intra-subnet monitoring • Host-based monitoring • Outlook Fall 2007 Internet2 Member Meeting 4

  5. The Bro NIDS Fall 2007 Internet2 Member Meeting 5

  6. System Philosophy • Bro is being developed at LBNL & ICSI since 1996 • LBNL has been using Bro operationally for >10 years • It is one of the main components of the lab’s network security infrastructure • Bro provides a real-time network analysis framework • Primary a network intrusion detection system (NIDS) • However it is also used for pure traffic analysis • Focus is on • Application-level semantic analysis (rather than analyzing individual packets) • Tracking information over time • Strong separation of mechanism and policy • The core of the system is policy-neutral (no notion of “good” or “bad”) • User provides local site policy Fall 2007 Internet2 Member Meeting 6

  7. System Philosophy (2) • Operators program their policy • Not really meaningful to talk about what Bro detects “by default” • Analysis model is not signature matching • Bro is fundamentally different from, e.g., Snort (though it can do signatures as well) • Analysis model is not anomaly detection • Though it does support such approaches (and others) in principle • System thoroughly logs all activity • It does not just alert • Logs are invaluable for forensics Fall 2007 Internet2 Member Meeting 7

  8. Target Environments • Bro is specifically well-suited for scientific environments • Extremely useful in networks with liberal (“default allow”) policies • High-performance on commodity hardware • Supports intrusion prevention schemes • Open-source (BSD license) • It does however require some effort to use effectively • Pretty complex, script-based system • Requires understanding of the network • No GUI, just ASCII logs • Only partially documented • Lacking resources to fully polish the system • Development is primarily driven by research • However, our focus is operational use; we invest much time into “practical” issues • Want to bridge gap between research and operational deployment Fall 2007 Internet2 Member Meeting 8

  9. Bro Deployment • Bro is typically deployed at a site’s upstream link • Monitors all external packets coming in or going out • Deployment similar to other NIDS Internal Tap Internet Network Bro Fall 2007 Internet2 Member Meeting 9

  10. LBNL’s Bro Setup • Uses Bro to monitor its 10 Gbps Internet uplink • Several Bro boxes for different tasks, both before & after the firewall • Automatically blocks attackers (about 4000 addresses per day!) External Internal Firewall (ESNet) (LBLNet) Dynamic acld Blocking Fall 2007 Internet2 Member Meeting 10

  11. Architecture Packet Stream Network Fall 2007 Internet2 Member Meeting 11

  12. Architecture Event Stream Event Engine (Core) Packet Stream Network Fall 2007 Internet2 Member Meeting 11

  13. Architecture Real-time Notification Policy Script Interpreter Event Stream Event Engine (Core) Packet Stream Network Fall 2007 Internet2 Member Meeting 11

  14. Event-Engine • Event-engine is written in C++ • Performs policy-neutral analysis • Turns low-level activity into high-level events • Examples: connection_established, http_request • Events are annotated with context (e.g., IP addresses, URL) • Contains analyzers for >30 protocols, including • ARP , IP , ICMP , TCP , UDP • DCE-RPC, DNS, FTP , Finger, Gnutella, HTTP , IRC, Ident, NCP , NFS, NTP , NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP , SSH, SSL, SunRPC, Telnet • Analyzers generate ~300 types of events Fall 2007 Internet2 Member Meeting 12

  15. Policy Scripts • Scripts process event stream, incorporating ... • ... context from past events • ... site’s local security policy • Scripts take actions • Generating alerts via syslog or mail • Executing program as a form of response • Recording activity to disk Fall 2007 Internet2 Member Meeting 13

  16. Example Log: Connection Summaries • One-line summaries for all TCP connections • Most basic, yet also one of the most useful analyzers > bro -r trace tcp Time Duration Source Destination 1144876596.658302 1.206521 192.150.186.169 62.26.220.2 \ http 53052 80 tcp 874 1841 SF X Serv SrcPort DstPort Proto SrcBytes DstBytes State Dir LBNL has connection logs for every connection attempt since June 94! Fall 2007 Internet2 Member Meeting 14

  17. Example Log: HTTP Session 1144876588.30 %2 start 192.150.186.169:53041 > 195.71.11.67:80 1144876588.30 %2 GET /index.html (200 "OK" [57634] www.spiegel.de) 1144876588.30 %2 > HOST: www.spiegel.de 1144876588.30 %2 > USER-AGENT: Mozilla/5.0 (Macintosh; PPC Mac OS ... 1144876588.30 %2 > ACCEPT: text/xml,application/xml,application/xhtml ... 1144876588.30 %2 > ACCEPT-LANGUAGE: en-us,en;q=0.7,de;q=0.3 [...] 1144876588.77 %2 < SERVER: Apache/1.3.26 (Unix) mod_fastcgi/2.2.12 1144876588.77 %2 < CACHE-CONTROL: max-age=120 1144876588.77 %2 < EXPIRES: Wed, 12 Apr 2006 21:18:28 GMT [...] 1144876588.77 %2 <= 1500 bytes: "<!-- Vignette StoryServer 5.0 Wed Apr..." 1144876588.78 %2 <= 1500 bytes: "r "http://spiegel.ivwbox.de" r..." 1144876588.78 %2 <= 1500 bytes: "icon.ico" type="image/ico">^M^J ..." 1144876588.94 %2 <= 1500 bytes: "erver 5.0 Mon Mar 27 15:56:55 ..." [...] Fall 2007 Internet2 Member Meeting 15

  18. Script Example: Tracking SSH Hosts global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder’s address local service = c$id$resp_p; # Responder’s port if ( service != 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; } Fall 2007 Internet2 Member Meeting 16

  19. Expressing Policy • Scripts are written in custom, domain-specific language • Bro ships with 20K+ lines of script code • Default scripts detect attacks & log activity extensively • Language is • Procedural • Event-based • Strongly typed • Rich in types • Usual script-language types, such as tables and sets • Domain-specific types, such as addresses, ports, subnets • Supporting state management (expiration, timers, etc.) • Supporting communication with other Bro instances Fall 2007 Internet2 Member Meeting 17

  20. Communication Architecture Bro A Policy Script Event Engine Network Fall 2007 Internet2 Member Meeting 18

  21. Communication Architecture Bro A Bro B Policy Script Policy Script Event Engine Event Engine Network Network Fall 2007 Internet2 Member Meeting 18

  22. Communication Architecture Bro A Bro B Policy Script Policy Script Event Engine Event Engine Network Network Fall 2007 Internet2 Member Meeting 18

  23. Communication Architecture Bro A Bro B Policy Script Policy Script Event Engine Event Engine Network Network Fall 2007 Internet2 Member Meeting 18

  24. Recent Developments (1) The Bro Cluster Fall 2007 Internet2 Member Meeting 19

  25. Motivation • NIDSs have reached their limits on commodity hardware • Keep needing to do more analysis on more data at higher speeds • Analysis gets richer over time, as attacks get more sophisticated • However, single CPU performance is not growing anymore the way it used to • Single NIDS instance (Snort, Bro) cannot cope with >=1Gbps links • Key to overcome current limits is parallel analysis • Volume is high but composed of many independent tasks • Need to exploit parallelism to cope with load Fall 2007 Internet2 Member Meeting 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Distributed QoS Monitoring High Performance Network Assurance Carter Bullard FloCon 2005

Distributed QoS Monitoring High Performance Network Assurance Carter Bullard FloCon 2005

Distributed QoS Monitoring High Performance Network Assurance Carter Bullard FloCon 2005 Pittsburgh, PA Service ITU Quality Network Service Service Service Operabliity Support Security Service Service Service Performance

583 views • 19 slides
High Precision Based Network Performance Monitoring in critical infrastructures Presented by Rik

High Precision Based Network Performance Monitoring in critical infrastructures Presented by Rik

High Precision Based Network Performance Monitoring in critical infrastructures Presented by Rik Boelee 26-9-2019 Agenda High Precision Based Network Performance Monitoring Why is it needed Benefits customer cases 26-9-2019

476 views • 22 slides
High Performance Network Monitoring Challenges for Grids Les Cottrell , Presented at the

High Performance Network Monitoring Challenges for Grids Les Cottrell , Presented at the

High Performance Network Monitoring Challenges for Grids Les Cottrell , Presented at the Internation Symposium on Grid Computing 2006, Taiwan www.slac.stanford.edu/grp/scs/net/talk05/iscg-06.ppt Partially funded by DOE/MICS for Internet

653 views • 30 slides
Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Infrastructure Architecture for a Cloud IaaS Provider Software Defined Networking and Network Virtualization Network Monitoring Security Enforcement Inter-Domain Routing for Virtualized Networks Security Monitoring and Enforcement for the

795 views • 42 slides
Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network National Center for High-Performance Computing 1 ABSTRACT TWAREN (TaiWan Advanced Research and Education Network) is a hybrid network composed of

532 views • 16 slides
They did not know what hit them Network Security Monitoring at Mozilla I bought you those

They did not know what hit them Network Security Monitoring at Mozilla I bought you those

They did not know what hit them Network Security Monitoring at Mozilla I bought you those servers to run NSM on them &lt;- Boss, 2012 New servers &lt;- always cool Mozilla Confidential 2 The big idea NSM = Network Security Monitoring

1.1k views • 82 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory &amp; International Computer Science Institute rsommer@lbl.gov http://www.icir.org DOE Network Security Monitoring Technical Summit at

922 views • 49 slides
Student Performance Monitoring October 15, 2018 Student Performance Monitoring Strategic Plan

Student Performance Monitoring October 15, 2018 Student Performance Monitoring Strategic Plan

Student Performance Monitoring October 15, 2018 Student Performance Monitoring Strategic Plan Goals &amp; Strategies: Goal 1: Engage all students in learning that leads to academic growth, achievement, and readiness for high school, college,

259 views • 24 slides
Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott Miserendino Michael Gora Chief Data Scientist System Architect Cyber Security Start-Up Started in 2013 Born out of a large defense

342 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT April, 2008 20th Annual FIRST Conference on Computer Security Incident Handling Summary 1. INTECO and INTECO-CERT 2. Spam Monitoring Network 1.

675 views • 33 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?) Seungwon Shin Guofei Gu SUCCESS Lab SUCCESS Lab Texas A&amp;M University Texas A&amp;M

314 views • 6 slides
Internet of things: Next evolution of the Internet Cisco blog quotes: The number of devices

Internet of things: Next evolution of the Internet Cisco blog quotes: The number of devices

6PANview : A Network Monitoring System for the Internet of Things 23-August-2011 Lohith Y S, Brinda M C, Anand SVR, Malati Hegde Department of ECE Indian Institute of Science Bangalore Funded by DIT, Government of India Internet of

520 views • 20 slides
Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September

Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September

R O E N M A N I A N D U C A T I O N E T W O R K Ro Net Edu Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September 9, 2014 Agenda Why ? What ? How ? Tools ? Facts !

423 views • 20 slides
SMARTxAC SMARTxAC Collaboration agreement started on July 2003 h UPC (Technical University of

SMARTxAC SMARTxAC Collaboration agreement started on July 2003 h UPC (Technical University of

SMARTxAC: Traffic Monitoring and Analysis System for high-speed links Pere Barlet Josep Sol-Pareta Jordi Domingo-Pascual Advanced Broadband Communications Center (CCABA) {pbarlet, pareta, jordid}@ac.upc.es Technical University

561 views • 23 slides
Broadband microfoundations: the need for traffic data the need for traffic data Steven Bauer

Broadband microfoundations: the need for traffic data the need for traffic data Steven Bauer

Broadband microfoundations: the need for traffic data the need for traffic data Steven Bauer Advanced Network Architecture Group CSAIL, MIT The problem Major of stakeholders have little visibility into what is happening with traffic on a

471 views • 20 slides
Urban Green House Gas emissions monitoring in Davos, Switzerland T. Lauvaux, K.J. Davis, S.

Urban Green House Gas emissions monitoring in Davos, Switzerland T. Lauvaux, K.J. Davis, S.

Urban Green House Gas emissions monitoring in Davos, Switzerland T. Lauvaux, K.J. Davis, S. Richardson, N.M. Miles, G. Jacobson, E. Crosson, C. Sweeney, P. DeCola, A. Bals, A. Deng, G.-P. Calonder, M. Ruesch, M. Lehning Photograph by Fabrice

477 views • 14 slides
Advancing ATM Research &amp; Development in the Asia Pacific - Spotlight on ATMRI Thursday 01

Advancing ATM Research &amp; Development in the Asia Pacific - Spotlight on ATMRI Thursday 01

Regional Focus Advancing ATM Research &amp; Development in the Asia Pacific - Spotlight on ATMRI Thursday 01 October 2020 09:00 11:00 CET Moderator Mr. Hai Eng Chiang Director Asia Pacific Affairs CANSO Regional Focus Advancing ATM

1.07k views • 75 slides
TransactionManagementOverview Chapter16

TransactionManagementOverview Chapter16

TransactionManagementOverview Chapter16 DatabaseManagementSystems3ed,R.RamakrishnanandJ.Gehrke 1 Transactions

419 views • 5 slides
Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian

Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian

Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian Cristal + , Osman S. Unsal + , Mateo Valero +* , Tim Harris # + Barcelona Supercomputing Center * Computer Architecture Department, UPC, Barcelona, Spain

450 views • 16 slides

More recommend