managing bro deployments at scale using devops
play

Managing Bro Deployments at Scale Using DevOps Technologies Ed - PowerPoint PPT Presentation

Nov 07, 2022 •242 likes •510 views

Managing Bro Deployments at Scale Using DevOps Technologies Ed Sealing Daniel Lohin 2015 Berkley Labs 100G Bro Cluster 56 Node Bro Cluster Paper: http://go.lbl.gov/100g 10/22/2018 Come on, this cant be THAT hard CONCEPT: -

  1. Managing Bro Deployments at Scale Using DevOps Technologies Ed Sealing Daniel Lohin

  2. 2015 Berkley Labs 100G Bro Cluster 56 Node Bro Cluster Paper: http://go.lbl.gov/100g 10/22/2018

  3. “Come on, this can’t be THAT hard…” CONCEPT: - Build Once, deploy anywhere - Multi-Tenancy with resource segregation - Shared Rules across mass cluster Query / / V Vis isula laiz ize - Shared Resources across different tools IDS Ap App Event Storage / Processing Inc ncident nt Managem emen ent IPS A App Ful ull-PCA CAP App Kibana na App Layer Google Stenographer Networking Layer SR - IOV MULT LTUS Orchestration Layer Virtualization Layer Hardware Layer Bare Metal Bare Metal Bare Metal Bare Metal Horizontal Scalability 10/22/2018

  4. Our journey to enlightenment Dec 2016- Summer 2017- Summer 2018- Can we put Bro Can we Can we in a container automate automate a and get decent deployment? scalable performance? deployment? 10/22/2018

  5. Why Containers and not VMs? • Lightweight, stand-alone software that includes system tools, system libraries executable package. • Packaged software for development, shipment as well as deployment • Containers share the machine’s OS kernel • Containers are isolated using namespaces • PID • Networking • Mount Points • UID/GID • Limit processors and memory • And more! 10/22/2018

  6. DevOps Principals Self-Service Configuration Incremental Automated Provisioning Testing DevOps Automated Continuous Release Build Management Continuous Continuous Delivery Integration 10/22/2018 6

  7. Phase 1: Containerized Sensors perform? • Chose two open-source network sensors (Bro & Suricata) and build DockerFiles for them • https://github.com/sealingtech/EDCOP-BRO • https://github.com/sealingtech/EDCOP-SURICATA • What is the performance impact of running inside of a container? • https://www.bro.org/bro4pros2017/Sealing_Multi_Bro4Pros2017.pdf • This image can be deployed again and again on different systems • A lot of time was spent solving - How do we best get traffic to it? 10/22/2018

  8. Networking options we tried Option Description Downside? Host Networking Give a container access to all Network isolation is gone. networking on the physical host Container has complete control over all host networking. MacVLAN/MacVTAP Build to a physical interface and Performance overhead then connect a virtual interface to that bridge OpenVswitch Build an openvswitch bridge and Performance overhead and more then create an interface with ovs- complication docker SR-IOV Create a virtual NIC (called a Virtual Hardware dependent on this Function) inside of the network feature card 10/22/2018

  9. Lessons learned • Hardware still matters… We still need to worry about IRQs, CPU pinning, NUMA nodes and all those other complicated things • Containers are great for when you need to build an application on a single host, but what happens when you need to scale out to multiple hosts? • We still didn’t have integration with a larger architecture figured out (i.e. Bro feeding a Logging solution)… we needed more…. • Github or it didn’t happen! https://github.com/sealingtech/bro- docker 10/22/2018

  10. Multi-stage containers Build Container Final image Step 1. Install all build tools (GCC, Make, Step 1. Install packages only need to run Bro bro-pkg, etc) Step 2. Copy final output of Bro from the Step 2. Build Bro build container Step 3. Build all Bro Packages Step 3. Throw away the build container Step 4. Start up the final image • Bro can be built to get better performance • Some Bro-packages require build tools • Allows for containers to be smaller and prevents you from having to clean up! https://github.com/dlohin/EDCOP-BRO/blob/master/container/Dockerfile 10/22/2018

  11. Phase 1 Progress Self-Service Configuration Incremental Automated Testing Provisioning DevOps Automated Continuous Release Build Management Continuous Continuous Delivery Integration 10/22/2018 11

  12. Phase 2: Automate an infrastructure around Bro • Question: Now that we have a portable container, can we automatically deploy infrastructure around it? • Answer: Yes! Our original proof-of-concept utilized Rancher to deploy Kubernetes and Bro. Rancher Pros and Cons Pros: Cons: - Automatic infrastructure setup - Limited customization - Simple, easy to use - Cluster management was a pain - Variety of orchestrations supported - Rely entirely on Rancher - Could connect multiple nodes now! - Required use of host networking 10/22/2018

  13. Proof of concept design 10/22/2018 13

  14. Lessons learned • We were getting closer, but Rancher was designed to be flexible not customizable. • The overlay network that Rancher used was a little interesting • Rancher was used to deploy Kubernetes, I call this rancher- caption.. It is two container management solutions on top of one another • NOTE: Rancher has changed a lot with 2.0, so I can’t say if it has gotten better. They have moved to a more native Kubernetes platform 10/22/2018

  15. Phase 2 Progress Self-Service Configuration Incremental Automated Provisioning Testing DevOps Automated Continuous Release Build Management Continuous Continuous Delivery Integration 10/22/2018 15

  16. Phase 3: Build a scalable, customizable architecture • We have containerized Bro and other sensors as well as the architecture around it • Requirements • Need to be able to scale out, add more computers and applications can scale out accordingly • Traffic needs to be load balanced to allow sensors to scale • Services need to be customizable by end users • Ability to utilize DevOps best practices 10/22/2018

  17. What it looks like… 10/22/2018

  18. Problem 1: Multi-NIC containers Node 1 Node 2 Node 3 Logstash Kafka Event Network (Calico) • By default, Kubernetes assumes you will have one BRO Pod BRO Pod BRO Pod network interface per pod • Multus (an Intel project) allows multiple ETHs per pod Data Collection Network (SR-IOV) on different networks vlan 100 vlan 100 vlan 100 10/22/2018

  19. Traffic Acquisition 10/22/2018 Sealing Technologies, Inc. Private/Proprietary

  20. Jenkins Auto-Build of Bro using HELM 10/22/2018

  21. Deployment Options 10/22/2018

  22. Compute resource management 10/22/2018

  23. Phase 3 Progress Self-Service Configuration Automated Incremental Testing Provisioning Tools are integrated together EDCOP uses industry EDCOP uses automated build Tools are version controlled, through code to work Tools are delivered to users Changes are frequent, but standard containerization processes using Docker, Helm tracked and can be updated together in the development smaller. Dev, test and pre- through the use of central and Infrastructure as Code and Jenkins for managing the EDCOP marketplace gives or rolled back rapidly. process, not tacked on. prod are identical. Versions repositories, these (IaC) concepts to automate Configuration Management full lifecycle of software to DCO a way to deploy and Automated Sensors immediately begin can be rapidly rolled back in repositories can be shared the deployment of software Continuous Release and Information Assurance is allow us to build and deploy manage tools sending data to the data with other members of the situations where there are Build and integrate with the Management rapidly with each change of built into the development layer, dashboards and DCO community errors networking, storage and software. process analytics can be applied compute Continuous Continuous Delivery Integration 10/22/2018 23

  24. Various iterations of testing 10/22/2018

  25. Lessons learned • The Kubernetes community is moving incredibly quickly, every week there is some new cool way to do things… you can get caught chasing technology • Designing an infrastructure around Kubernetes is a change in thinking. You learn to treat applications as temporary • Stateless apps are a lot easier to handle then stateful apps • Bro works great inside of Kubernetes you just need to plan 10/22/2018

  26. Show me the Github!! • Website: https://edcop.io • EDCOP Deployment Platform: https://github.com/sealingtech/EDCOP • BRO: https://github.com/sealingtech/EDCOP-BRO • All the other components are in seperare repos, just look for EDCOP-<tool name> here: https://github.com/sealingtech/ • Contact us: • ed.sealing@sealingtech.com • daniel.lohin@sealingtech.com 10/22/2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Managing Custom Plugin Deployments at Scale WPCampus 2019 Matt Fields (he/him) @0x6d617474

Managing Custom Plugin Deployments at Scale WPCampus 2019 Matt Fields (he/him) @0x6d617474

Managing Custom Plugin Deployments at Scale WPCampus 2019 Matt Fields (he/him) @0x6d617474 mafields@ncsu.edu About Myself - Systems Programmer at NC State University - Engineering - Started as a student web developer in 2009 - Full time

481 views • 23 slides
THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK

THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK

THE DEVOPS OPPORTUNITY: BALANCING SECURITY AND VELOCITY INSIGHTS FROM RED HAT/CYBERARK DEPLOYMENTS AT SCALE Joe Garcia, CISSP - Principal Engineer, DevOps Security joe.garcia@cyberark.com @Joe_Garcia David Federlein Joe Garcia Likes Coffee

565 views • 7 slides
Information-Centric IoT Platforms for City-Scale Deployments Jiachen Chen WINLAB, Rutgers

Information-Centric IoT Platforms for City-Scale Deployments Jiachen Chen WINLAB, Rutgers

Information-Centric IoT Platforms for City-Scale Deployments Jiachen Chen WINLAB, Rutgers University, NJ, USA Email: jiachen@winlab.Rutgers.edu Information-Centric IoT Platforms for City-Scale Deployments 1 Dec. 2, 2016 Internet-of- Things

224 views • 9 slides
Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master Thesis Advisor: Ralph Holz Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M unchen June

594 views • 17 slides
Making the Enterprise Agile Applying DevOps and Agile Principles at Scale

Making the Enterprise Agile Applying DevOps and Agile Principles at Scale

Making the Enterprise Agile Applying DevOps and Agile Principles at Scale Gary Gruver September 3, 2014 - FW no longer a bottleneck for the business - Development costs reduced from $100M/yr. to $55M/yr. - ~140%

545 views • 25 slides
But what if I Youre not need to scale to a Netflix! million... E1M7: Monitoring E1M6:

But what if I Youre not need to scale to a Netflix! million... E1M7: Monitoring E1M6:

But what if I Youre not need to scale to a Netflix! million... E1M7: Monitoring E1M6: DevOps E1M5: Training E1M4: Production Workload E1M3: CI/CD E1M2: Managing Environments E1M1: Independent Delivery Legacy Legacy DB Exporter

695 views • 30 slides
Leading the Transformation Applying Agile and DevOps Principles at Scale Gary Gruver FW no

Leading the Transformation Applying Agile and DevOps Principles at Scale Gary Gruver FW no

Leading the Transformation Applying Agile and DevOps Principles at Scale Gary Gruver FW no longer a bottleneck for the business Development costs reduced from $100M/yr. to $55M/yr. 140% increase in the number of products

822 views • 37 slides
DEVOPS AT SCALE VICTOR GAJENDRAN VICE PRESIDENT, TECHOPS PLATFORM JAN 2016 @VICTORGAJENDRAN 1

DEVOPS AT SCALE VICTOR GAJENDRAN VICE PRESIDENT, TECHOPS PLATFORM JAN 2016 @VICTORGAJENDRAN 1

DEVOPS AT SCALE VICTOR GAJENDRAN VICE PRESIDENT, TECHOPS PLATFORM JAN 2016 @VICTORGAJENDRAN 1 LESSONS LEARNED BY DOING DEVOPS AT SCALE VICTOR GAJENDRAN VICE PRESIDENT, TECHOPS PLATFORM JAN 2016 @VICTORGAJENDRAN 2 AGENDA Set the stage

875 views • 63 slides
DevOps &amp; AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights

DevOps &amp; AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights

DevOps &amp; AWS Chris Econn Head of DevOps CorpInfo | AWS Premier Partner DevOps Bill of Rights How to use CI/CD to safeguard personal liberties within your organization LA AWS Users Meetup Group

614 views • 30 slides
Highly available cross-region deployments with Kubernetes Bastian Hofmann @BastianHofmann

Highly available cross-region deployments with Kubernetes Bastian Hofmann @BastianHofmann

Highly available cross-region deployments with Kubernetes Bastian Hofmann @BastianHofmann Container orchestration platform Deploy, run and scale your services in isolated containers No vendor lock in Standardized APIs Runs on Your laptop

2.39k views • 139 slides
Dev &quot;Programming&quot; Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev &quot;Programming&quot; Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev &quot;Programming&quot; Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org DevOps Cafe Disclosure: DevOps (to me) Disclosure: DevOps (to me) DevOps is not a specific methodology or prescriptive steps only achievable

1.94k views • 154 slides
DevOps Arthur Clune University of York Its not the 90s any more Infrastructure practices

DevOps Arthur Clune University of York Its not the 90s any more Infrastructure practices

DevOps Arthur Clune University of York Its not the 90s any more Infrastructure practices havent changed enough . How fast can you click? The CLI doesnt scale -- Greg Ferro 2500:1 Server:admin ratio for cloud providers

567 views • 32 slides
We Inflicted DevOps on Our Business- Now What? Presented

We Inflicted DevOps on Our Business- Now What? Presented

AT24 Collaborative Agile &amp; DevOps Sessions Thursday, November 7th, 2019 3:30 PM We Inflicted DevOps on Our Business- Now What?

112 views • 8 slides
Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments

Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments

Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments Tests Co-location Complexity Scale Business Trends Accountability Oregon Health Sciences University publishes death rates

545 views • 13 slides
The New Era of Integrated Software Delivery with DevOps Plan and Measure DevOps Sujatha (Suj)

The New Era of Integrated Software Delivery with DevOps Plan and Measure DevOps Sujatha (Suj)

The New Era of Integrated Software Delivery with DevOps Plan and Measure DevOps Sujatha (Suj) Perepa Monitor Continuous Develop innovation, and Optimize and Test feedback and Software IT Architect improvements Release and Deploy IBM

309 views • 19 slides
Managing very large-scale tes0ng procedures with R VJ

Managing very large-scale tes0ng procedures with R VJ

Managing very large-scale tes0ng procedures with R VJ Carey DSC 2014, Bressanone Task: gene0cs of gene expression 10 6 features x 10 9 variants

114 views • 10 slides
DevOps: Where is My PodPod Hello! I am smalltown MaiCoin Site Reliability Engineer Taipei

DevOps: Where is My PodPod Hello! I am smalltown MaiCoin Site Reliability Engineer Taipei

DevOps: Where is My PodPod Hello! I am smalltown MaiCoin Site Reliability Engineer Taipei HashiCorp UG Organizer AWS UG Taiwan Staff Pets vs Cattle GUI Driven API Driven Ticket Based Self Service Hand Crafted

689 views • 47 slides
Action recognition in videos Cordelia Schmid Action recognition - goal Short actions, i.e.

Action recognition in videos Cordelia Schmid Action recognition - goal Short actions, i.e.

Action recognition in videos Cordelia Schmid Action recognition - goal Short actions, i.e. drinking, sit down Drinking Sitting down Coffee &amp; Cigarettes dataset Hollywood dataset Action recognition - goal Activities/events, i.e.

274 views • 13 slides
Learning Scheduling Algorithms for Data Processing Clusters Hongzi Mao, Malte Schwarzkopf,

Learning Scheduling Algorithms for Data Processing Clusters Hongzi Mao, Malte Schwarzkopf,

Learning Scheduling Algorithms for Data Processing Clusters Hongzi Mao, Malte Schwarzkopf, Shaileshh Bojja Venkatakrishnan, Zili Meng, Mohammad Alizadeh Mot Motivation on Scheduling is a fundamental task in computer systems Cluster

601 views • 34 slides
Fail Better: Radical Ideas from the Practice of Cloud Computing Tom Limoncelli Stack Overflow

Fail Better: Radical Ideas from the Practice of Cloud Computing Tom Limoncelli Stack Overflow

Fail Better: Radical Ideas from the Practice of Cloud Computing Tom Limoncelli Stack Overflow ACM Highlights Learning Center tools for professional development: http: / / learning.acm.org 4,500+ trusted technical books and videos by O

1.52k views • 100 slides
WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget

WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget

WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget Institut Eurcom January 24th 2006 TF-CSIRT 2006 Observations There is a lack of valid and available data The understanding of Internet

778 views • 49 slides
Frontier and Squid for same data access by many jobs Dave Dykstra dwd@fnal.gov OSG Users'

Frontier and Squid for same data access by many jobs Dave Dykstra dwd@fnal.gov OSG Users'

Frontier and Squid for same data access by many jobs Dave Dykstra dwd@fnal.gov OSG Users' meeting 27 July 2007 The problem Some applications need to get the same data to many jobs on a compute cluster Inefficient or impractical to initially

609 views • 11 slides
High performance, power-efficient DSPs based on the TI C64x Sridhar Rajagopal, Joseph R.

High performance, power-efficient DSPs based on the TI C64x Sridhar Rajagopal, Joseph R.

High performance, power-efficient DSPs based on the TI C64x Sridhar Rajagopal, Joseph R. Cavallaro, Scott Rixner Rice University {sridhar,cavallar,rixner}@rice.edu RICE UNIVERSITY Recent (2003) Research Results Stream-based programmable

500 views • 38 slides
Scale-out your Tier-Based Systems in 3 steps Using Spring Nati Shalom CTO GigaSpaces Agenda

Scale-out your Tier-Based Systems in 3 steps Using Spring Nati Shalom CTO GigaSpaces Agenda

Scale-out your Tier-Based Systems in 3 steps Using Spring Nati Shalom CTO GigaSpaces Agenda Drivers for scalability Tier based approach and its inherent bottlenecks A three-steps approach for achieving scalability

746 views • 25 slides

More recommend