The Bro Cluster The Bro Cluster

Similar documents
The Bro Network Intrusion Detection System

Seeking Visibility Into Network Activity for Security Analysis

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

Exploiting Multi-Core Processors For Parallelizing Network Intrusion Prevention

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

Network Security Today: Finding Complex Attacks at 100Gb/s

icast / TRUST Collaboration Year 2 - Kickoff Meeting

Operational Experiences With High-Volume Network Intrusion Detection

Bro: Actively defending so that you can do other stuff

Distributed Cooperative Security Monitoring

The Need for Collaboration between ISPs and P2P

The Need for Collaboration between ISPs and P2P

Securing CS-MARS C H A P T E R

Understanding Cisco Cybersecurity Fundamentals

Implementing Cisco Cybersecurity Operations

A First Look at Modern Enterprise Traffic

Network-Based Application Recognition

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Fundamentals of Computer Networking AE6382

Network Address Translation (NAT)

Security, Internet Access, and Communication Ports

CSE 565 Computer Security Fall 2018

A Graphical User Interface Framework for Detecting Intrusions using Bro IDS

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

Detecting Network Intruders in Real Time

A Bro Primer. Presenter: Adam Pumphrey, Bricata

Malicious Activity and Risky Behavior in Residential Networks

NIP6000 Next-Generation Intrusion Prevention System

UTM. (Unified Threat Manager) Support for signatures from Snort VRT and Emerging Threat.

Venusense UTM Introduction

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Cisco Intrusion Prevention Solutions

Fundamentals of Network Security v1.1 Scope and Sequence

Corrigendum 3. Tender Number: 10/ dated

Network Security Platform Overview

Global Information Assurance Certification Paper

Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Cisco ASA 5500 Series IPS Solution

Intrusion Detection and Prevention Release Notes

TCP, UDP Ports, and ICMP Message Types1

Cisco Security Monitoring, Analysis and Response System 4.2

Load Balancing Technology White Paper

McAfee Network Security Platform

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

10 Defense Mechanisms

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Firepower Threat Defense Cluster for the Firepower 4100/9300

Identity Firewall. About the Identity Firewall

McAfee Network Security Platform 9.2

Enabling Science Through Cyber Security At 100G

Honeypot Hacker Tracking and Computer Forensics

McAfee Network Security Platform

Cisco Virtual Networking Solution for OpenStack

Information About NAT

Getting Started with Network Analysis Policies

Suricata Performance with a S like Security

Network Review TEJ4M. SBrace

Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0

CyberP3i Course Module Series

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to Networking

Application Layer: OSI and TCP/IP Models

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Citrix NetScaler 10.5 Essentials for ACE Migration (CNS-208)

ngenius 5100 Packet Flow Switch

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Platform Settings for Firepower Threat Defense

Citrix NetScaler Traffic Management

GS-2610G L2+ Managed GbE Switch

McAfee Network Security Platform 9.1

ASA/PIX Security Appliance

FGS-2616X L2+ Managed GbE Fiber Switches

Foundations of Python

An Alert has Fired. Now What?

ngenius 5010 Packet Flow Switch

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP)

Darknet Traffic Monitoring using Honeypot

Citrix NetScaler 10.5 Essentials and Networking (CNS-205)

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

ASA Access Control. Section 3

Event-Based Software-Defined Networking: Build a Secure Science DMZ

Cisco ISR G2 Management Overview

Network Security Platform 8.1

Snort: The World s Most Widely Deployed IPS Technology

Connection Logging. Introduction to Connection Logging

CounterACT 7.0 Single CounterACT Appliance

Broker. Matthias Vallentin UC Berkeley International Computer Science Institute (ICSI) BroCon '16

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

WLCG SOC Working Group

DDoS Protection in Backbone Networks

Systrome Next Gen Firewalls

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

PSGS-2610F L2+ Managed GbE PoE Switch

Security, Internet Access, and Communication Ports

SOURCEFIRE 3D SYSTEM RELEASE NOTES

McAfee Network Security Platform Administration Course

Transcription:

The Bro Cluster The Bro Cluster Intrusion Detection at 10 Gig and A High-Performance beyond using the NIDS Bro Architecture IDS for the Lawrence Berkeley National Lab Robin International Computer Science Institute, & Internet2 2010 Spring Lawrence Member Berkeley Meeting National Lab

Agenda Cyber Security at the Lawrence Berkeley National Lab The Bro Network Intrusion Detection System Design of the Bro NIDS Philosophy Architecture Addressing the 10G Challenge with the Bro Cluster Architecture Prototypes Upcoming production setup Summary & Outlook

The Lawrence Berkeley National Laboratory (LBNL) LBNL Campus

Threat Landscape at LBNL LBNL conducts open, unclassified research Research is freely shared Collaborations around the world Wide range of research areas and very diverse user community Nanotech, Energy, Physics, Biology, Chemistry, Environmental, Computing Scientific facilities used by researchers around the world About 3,800 employees, and 10,000 computer systems Many users are transient and not employees Very liberal, default-allow security policy Characteristic challenge for many research environments What do you look for if everything is assumed to be ok?

Comprehensive Approach to Network Security Monitoring external activity In-depth inspection of all border traffic with the Bro NIDS Monitoring internal activity Border taps do not see everything (internal traffic, encrypted communication) Technology installed by the Cyber Security team throughout the Lab: Analyzing NetFlow collected from internal routers Monitoring unused subnets Monitoring ARP traffic Central, mandatory syslog ing for all Unix hosts (1.2GB/day) Instrumented SSH daemons Tool box for isolating hosts (external connectivity, null routing)

Monitoring the Lab s Border with the Bro NIDS Bro NIDS is deployed at the LBNL upstream router Sees every packet coming in or going out of the Lab Can actively block attackers (and does so for about 4000 addresses a day!) Internet 10 GE Tap Bro LBNL Network

The Bro Network Intrusion Detection System Bro has been continually under development at ICSI & LBNL by Vern Paxson since 1996 Open-source platform for in-depth monitoring on commodity hardware Used for production IDS operations throughout this timeframe Focus is on: Application-level semantic analysis (rather than analyzing individual packets) Tracking information over time Strong separation of mechanism and policy The core of the system is policy-neutral (no notion of good or bad ) Activity-based analysis model Operators program local policy using domain-specific language Bro logs all activity comprehensively

The Bro Network Intrusion Detection System (2) Bro s analysis model differs fundamentally from other NIDS Doesn t (primarily) rely on Snort-style signatures nor on anomaly detection Bro is specifically well-suited for scientific environments Extremely useful in networks with liberal ( default allow ) policies High-performance on commodity hardware Supports intrusion prevention schemes Open-source (BSD license) Developed at LBNL & the International Computer Science Institute It does however require some effort to use effectively Pretty complex, script-based system Requires understanding of the network No GUI, just ASCII logs,only partially documented Lacking resources to fully polish the system

The Bro Network Intrusion Detection System (3) Development is primarily driven by research However, our focus is on operational use; we invest much time into practical issues Goal is to bridge gap between research and operational deployment Bro has been in use operationally at LBNL for more than 10 years now

Architecture Policy Scripts Real-time notification Event Control Event Stream Packet Filter Filtered Packet Stream

Event-Engine Event-engine is written in C++ Performs policy-neutral analysis Turns low-level activity into high-level events Examples: connection_established, http_request Events are annotated with context (e.g., IP addresses, URL) Contains analyzers for >30 protocols, including ARP, IP, ICMP, TCP, UDP DCE-RPC, DNS, FTP, Finger, Gnutella, HTTP, IRC, Ident, NCP, NFS, NTP, NetBIOS, POP3, Portmapper, RPC, Rsh, Rlogin, SMB, SMTP, SSH, SSL, SunRPC, Telnet Analyzers generate ~300 events...

Policy Scripts Scripts process event stream, incorporating...... context from past events... site s local security policy Scripts take actions Recording activity to disk Generating alerts via syslog or mail Executing program as a form of response

Script Example: Tracking SSH Hosts global ssh_hosts: set[addr]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder s address local service = c$id$resp_p; # Responder s port if ( service!= 22/tcp ) return; # Not SSH. if ( responder in ssh_hosts ) return; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; }

Expressing Policy Scripts are written in custom, domain-specific language Bro ships with 20K+ lines of script code Default scripts detect attacks & log activity extensively Language is Procedural Event-based Strongly typed Rich in types Usual script-language types, such as tables and sets Domain-specific types, such as addresses, ports, subnets Supporting state management (expiration, timers, etc.) Supporting communication with other Bro instances

Facing the 10G Challenge with Bro... NIDSs have reached their limits on commodity hardware Keep needing to do more analysis on more data at higher speeds Single PC just cannot cope with >=1GE packet streams Even before LBNL upgraded to 10G, it had a set of individual Bro boxes Key to overcoming current limits is parallel analysis Volume is high but composed of many independent tasks Need to exploit parallelism to cope with load To address this challenge, we built the Bro Cluster Allows us to continue operating the Bro NIDS on commodity hardware

Bro Cluster Approach Load-balancing approach: use many boxes instead of one Most NIDS provide support for multi-system setups However instances tend to work independent Central manager collects alerts of independent NIDS instances Aggregates results instead of correlating analysis The Bro cluster works transparently like a single NIDS Gives same results as single NIDS would if it could analyze all traffic No loss in detection accuracy Scalable to large number of nodes Single system for user interface (log aggregation, configuration changes)

Architecture Internet 10 GigE Tap LAN Manager Frontend Backend Backend Backend Proxy Proxy

Initial Prototype Cluster Setups Lawrence Berkeley National Laboratory 10 Gbps upstream link; 2 parallel clusters each consisting of 1 frontend, 10 backends University of California, Berkeley 2x1Gbps upstream links; 2 frontends, 6 backends (for only parts of the traffic) IEEE Supercomputing 2006 Conference s 1 Gbps backbone network 10 Gbps High Speed Bandwidth Challenge network Goal: Replace current operational security monitoring at LBNL We also plan to build a high-performance 10G research cluster at UCB

Cluster Components Backends Running Bro as their analysis engine Using essentially the same configuration as before, just on a slice of traffic Bro provides extensive communication facilities for sharing of low-level state Frontend Just mark an analysis variable as synchronized and its value will be propagated Distributes traffic across backends by rewriting MAC addresses Switch dispatches forwarded packets across the backends Initial prototype implementations Software based on open-source Click modular router platform (up to 2Gbps) Customized appliance implementing rewriting in hardware

cflow: A High-Performance Load-balancing Solution 10GE in/out Web & CLI Filtering capabilities

Cluster Manager Interactive interface for installation, configuration, tuning, logging,...

Summary LBNL faces rather unique security challenges Lab takes comprehensive approach to network security Picking components which work best for their particular scope Bro NIDS has been central part of the Lab s security for many years Highly flexible, activity-based system (rather than signatures) Open-source, actively maintained, and runs on commodity hardware Bro Cluster provides the Lab with head-room for the years to come Future Plans for Bro Developing a highly concurrent analysis model to exploit multi-core potential In-depth application analysis 100 Gig

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback