Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose (236664465)

8/11/2019 Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose (236664465)

http://slidepdf.com/reader/full/scaling-up-your-network-monitoring-from-the-garden-hose-to-the-fire-hose-236664465 1/75

Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose

Vincent StofferCyber Security Engineer

EDUCAUSE Security

Professionals Conference

May 7th, 2014

UNIVERSITY OF

CALIFORNIA



!

Intro / overview!

The problem! Monitoring pipeline!

Device roundup and review!

Output & analysis! Discussion / Questions

Agenda

SPC 2014



Lawrence Berkeley National Laboratory

!

Located in Berkeley, CA!

"Bringing science solutions to the world"! Unclassified DoE research facility

operated by University of California! Function much like a research university

Overview

SPC 2014



SPC 2014



!

~5000 users ~10,000 hosts!

Distributed computing resources!

Many guests and visitors!

Open network to enable

collaboration and research

Computing overview

SPC 2014



Orders of magnitude changes in

network speeds/bandwidth createbig issues for network monitoring

What’s driving these changes?

The (scaling) problem

SPC 2014



!

Explosion of data (both scientific

and commercial)!

Science DMZ!

Network redesign

Berkeley Lab forcing factors

SPC 2014


http://slidepdf.com/reader/full/scaling-up-your-network-monitoring-from-the-garden-hose-to-the-fire-hose-236664465 9/75SPC 2014Courtesy Greg Bell, ESnet


http://slidepdf.com/reader/full/scaling-up-your-network-monitoring-from-the-garden-hose-to-the-fire-hose-236664465 10/75SPC 2014Courtesy Greg Bell, ESnet



Courtesy Greg Bell, ESnet



!

Same data explosion everywhereo

Big data in all its formso

Mobile, internet of things!

Research networks!

Outgrowing capacity and olderhardware

General forcing factors

SPC 2014



!

10M to 100M!

<1G to 1G!

1G to 10G!

10G to 40G/100G

These transitions mean changingmore than network equipment!

All of that means transitions

SPC 2014



! Inputo

Tappingo Aggregation & Load-balancingo Filtering

!

Outputo Analysis toolso Packet captureo Filtering

Monitoring Pipeline

SPC 2014



Where and how to tap?!

Need visibility at bordero

Inside and Outside

!

Key protected network segmentso

Proxies, Load balancers, VPN,DNS, “Crown Jewels”

Tapping

SPC 2014



!

Preference for passive tapso

no losso

no traffic interruptiono

no reliance on network gear!

But" o

many taps needed ($)o

aggregation, filtering, dedupe

Passive tap vs. span port

SPC 2014



!

Filter at the source!

Aggregation of links!

Multiple outputs!

Media conversion!

Cost effectiveThe right answer depends on your

environment

Span ports work well too!

SPC 2014



!

Commercialappliance vendorso

High performance

o

Custom ASICso Flexibleo

High cost per port

Aggregation/load balancing

SPC 2014



!

Commodity network vendors!

SDN/Openflow or tapaggregation code (distribution,telemetry, DANZ, etc.)

!

Lower cost per port!

Massively scalable

The new hope...delivered!

SPC 2014



For < 1G

!

Where we started

(early 1990s)o

Single tapso

Span portso

Single analysis machineo

Maybe some simple filtering

SPC 2014



It’s really this easy...

Portland ISSA 2014



For < 1G cont’d

!

Solved problem

!

Modern hardware very capable!

For load-balancing/aggregationpurchase commodity or roll yourown (PBR, LAGs)

SPC 2014


http://slidepdf.com/reader/full/scaling-up-your-network-monitoring-from-the-garden-hose-to-the-fire-hose-236664465 23/75SPC 2014

Scaling beyond 1G



For 1-10G

!

Mostly a solved problem

!

Load-balancing/aggregation:appliance or network vendor

! Analysis needs a cluster orpurposed boxes

!

Separation of duties

! More careful tuning/filtering SPC 2014



1-10G Berkeley Lab approach

!

Aggregate 1G/10G links (cVue)

!

Some filtering!

Output 10G to single servers

!

Output 10G to clusters:previously hardware load-balancers 10G-1G, now mostly

cluster in a box SPC 2014



1-10G Berkeley Lab approachcont’d

!

Purposed analysis machines

o

wireless, SMTP, VPN, etc.!

Internal cluster

o

Collect important internal nets!

Time Machine

SPC 2014



SPC 2014



Everything running smooth

!

Average traffic 1-3 Gbps

!

Peaks to 6-7 Gbps!

There will always be someamount of packet loss, try tominimize

!

Then...

SPC 2014



Recent LBLnet redesign

!

100G

!

Science DMZ!

Redundant border routers

!

New distribution layer routers

!

All dual connected

SPC 2014



New monitoring diagram

SPC 2014



!

Dozens of taps for internal nets

!

Multiple inputs (1,10,100G)!

Many outputs, unfiltered/filteredin different ways

!

Output groups needed

Moving from duplication toaggregation

SPC 2014



!

Filtering at ingress & egress

!

Port speed agnostic!

Aggregation, symmetric load-balancing with 5 tuple (minimum)

!

No oversubscription limits!

API for dynamic filtering/shunting

Device wish list

SPC 2014



!

Filtering for arbitrary IP headers /

TCP flags!

Every port can be input/output!

Create port groups!

Send output to load-balancedgroups and single ports

!

IPv6 support

Device wish list cont’d

SPC 2014



!

Commercial / Appliance

!

Commodity network (proprietary /hybrid)

!

Commodity network + SDN!

Roll your own

Monitoring device options

SPC 2014



!

Commercial load-balancer /

aggregation switch / networkpacket broker / splitter /distribution / visibility device /

whatchamacallit

Commercial / Appliance

SPC 2014



!

Gigamon

!

cPacket!

VSS!

Endace

!

IXIA/Anue/Netoptics!

Apcon!

Others?

Appliance vendor roundup

SPC 2014



!

Full featured 10G offering

!

Using for many years at BerkeleyLab

!

100G PoC at NERSC

!

Very flexible, high performance!

High cost

cPacket

SPC 2014



!

CLI and GUI

!

Excellent filtering!

SPIFEE (distributed DPI)!

Our reference index

cPacket cont’d

SPC 2014



!

EndaceAccess

!

100G appliance evaluated at theLab

!

100G in -> 12x10G out

!

Nice form factor!

1 device for each direction

Endace

SPC 2014



!

Does MAC rewriting and load

balancing!

GUI only for basic config!

Limited filtering

!

Ultimately our requirementschanged (no 10G in)

Endace cont’d

SPC 2014



SPC 2014



!

Arista

!

Brocade!

Cisco

Network vendors

SPC 2014



!

7150 models

!

“TapAgg” mode separatelylicensed

!

100G?

!

Openflow/SDN support

Arista

SPC 2014



SPC 2014



!

Just bought a 24 port 7150

!

More focus on the feature set!

Covers most of the wish list!

Functional GUI

!

Bash shell, python!

API

Arista @ Berkeley Lab

SPC 2014



!

IPv6 filtering not yet implemented

!

Flexible I/O and filtering!

100G solutions still emergingo

2 devices neededo

100G optics just becomingavailable

Arista @ Berkeley Lab cont’d

SPC 2014



!

“Telemetry” native feature

!

100G ready (LR-4)!

Certainly a feature of a switch,not an appliance

!

Openflow/SDN support alsohybrid mode

Brocade

SPC 2014



!

100G eval at the Lab

!

It mostly does what we want!

Configuration is network centric!

No GUI

!

3 VLAN tags!

Filtering limitations!

Single box

Brocade @ Berkeley Lab

SPC 2014



!

Openflow support is ??? (OpFlex:

An open source approach), but!

Newly emerging feature set withNexus switches + Openflow

(Monitor manager)!

Cost could be competitive

Cisco

SPC 2014



!

Not tested yet

!

Hoping to try on Arista / Brocade!

IU’s Flowscale!

Newer apps

!

Advantages over native featuresets?

SDN / Openflow

SPC 2014



For >10G

!

Not a solved problem!

!

40G or 100G?o

40G gear more available

o

100G still ~$20k pertransceiver (LR-4)

!

Advanced clustering for tools

! New tools and techniques SPC 2014



SPC 2014



!

Filtering

!

Analysis toolso

Broo

Snort / Suricata

!

Packet captureo

Time Machineo

Moloch

Output

SPC 2014



!

Elephant flows

o

Control traffico

Exclusions (IP pairs, netblocks,ports/protocols)

!

Research networks / affiliates

!

Resnet?

Filtering

SPC 2014



!

Dynamic

o

via Bro, IDSo

near real time

o

via API (Arista) or scripting

o

holy grail

Filtering cont’d

SPC 2014



Not your typical IDS/IPS

!

A monitoring platformo

A standalone network monitoro

A programmable framework

o

An ecosystem

What is Bro? www.bro.org

SPC 2014

! %& (



!"# %&'(#")



Bro platform

IntrusionDetection

Programming Language

Packet Processing

VulnMgmt

File Analysis

LogRecording

CustomLogic

Standard Library

Network Traffic

Apps

BroPlatform

Tap

SPC 2014



!

Clustering a fundamental part of

Bro!

Manager, workers, proxies!

Hardware or “cluster in a box”

o

(PFring/DNA, Myri10G)

Bro cluster

SPC 2014



SPC 2014



!

Capable of handling multi-gigabitbandwidth loads

!

Network cards really matter

!

Tune ruleset for your needs!

Separate and filter

Snort / Suricata

SPC 2014



!

pf_ring (LibDNA, zero copy)

o

direct memory access tonetwork hardware

o

high throughput

o

supports multiple tools

Network cards - Intel

SPC 2014



!

Sniffer10G

o

Support for Linux, FreeBSDo

Myricom 10G cards only

o

Supports only one tool(multiple should be coming)

o

Company/IP in some flux

Network cards - Myricon

SPC 2014



!

Creates pcap files with indexes

!

Killer feature: "connection cutoff"!

Cutoffs defined per port!

Assumption: interesting stuff in

the first N bits

Time Machine

SPC 2014



!

Index and search PCAPs

!

Elasticsearch based!

Can be used for full packet!

Also can be a poor man’s SEIM

!

IPv4 only right now!

Active development

Moloch

SPC 2014



Thank you!

[email protected] or

[email protected]

Questions / Discussion

SPC 2014



Arista - http://www.aristanetworks.com/en/products/eos/danzcPacket - http://cpacket.com/products/cvu/Brocade - http://www.brocade.com/solutions-technology/service-

provider/network-visibility/index.pageEndace - http://www.emulex.com/products/network-visibility-products-

and-services/10040g-network-visibility-headends/features/Cisco - http://www.cisco.com/c/en/us/products/collateral/cloud-systems-

management/extensible-network-controller-xnc/solution-overview-c22-729753.html

Bro - http://bro.org/TM - http://www.bro.org/community/time-machine.htmlMoloch - https://github.com/aol/molochpf_ring - http://www.ntop.org/products/pf_ring/Myricom - https://www myricom com/software/sniffer10g html

References

Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose (236664465)

Documents

Transcript of Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose (236664465)