Extensible and Scalable Network Monitoring Using OpenSAFE
Jeffrey R. Ballard, Ian Rae, Aditya Akella
Outline
1. Background: Network monitoring; How monitoring is done today
2. OpenSAFE and ALARMS: OpenSAFE; ALARMS; Rule Aggregation; Distribution
3. Implementation: Mapping to OpenFlow; Switch Example
4. Conclusion
Related Work
Motivation
We want to monitor the network. Specifically, we want to allow administrators to easily:
• collect network usage statistics
• detect intrusions
• provide forensic evidence
Challenges
Middleboxes are commonly used; however, they present challenges:
1. Speed
2. Cost
3. Flexibility: setup means rewiring, any change means rewiring, and adding a new middlebox means rewiring
... making them ill-suited for network monitoring.
Example: College of Engineering Campus
Connections to the College: 2 x 10 Gbps links to the backbone and 22 x 1 Gbps links to the buildings.
[Diagram: Backbone connected to Router 1 and Router 2 (red links = 10 Gbps), routers connected to Buildings 1 through 7 (white links = 1 Gbps, with x2 and x5 link bundles).]
How do people actually do it?
Mirror (or tap) an interesting network interface to another switch port, then listen to that port with something like Snort.
Advantage over a middlebox: monitoring has no impact on the production traffic and routes.
Disadvantages: the mirrored traffic can overwhelm the monitoring host, and it is still hard to add new detectors.
What it looks like today
[Diagram: Network A, Firewall, a single Monitoring Device attached to the mirror port, Network B.]
What we want to do
[Diagram: Network A, Firewall, a Programmable Network Layer feeding Monitoring Device 1, Monitoring Device 2, ..., Monitoring Device n, Network B.]
OpenSAFE
OpenSAFE uses a programmable network fabric to:
• Selectively match network flows
• Arbitrarily direct network flows to other switch ports at line rate
• Direct exceptions to a software component
• Enable the use of commodity network hardware
Why not implement it in software?
We could use something like Click to dynamically manage detectors.
Major problem: software is not fast enough!
Solution: Hardware!
Easiest: Custom ASICs
1. Expensive
2. Non-standard
3. Potentially hard to configure
But we have something that can do this...
Programmable Network Fabric
While OpenSAFE would be compatible with any programmable network fabric, we implemented OpenSAFE in OpenFlow since it is available today. The key elements are:
1. speed
2. heterogeneity
3. flexibility
4. cost
Example OpenSAFE Layout
[Diagram: Network A, Firewall, an OpenFlow switch managed by an OpenFlow Controller, with Snort, dSniff and a Decryption box attached to the switch, Network B.]
ALARMS
ALARMS: A Language for Arbitrary Route Management for Security
Basic building blocks are paths of:
• Inputs: copy of traffic from a mirror switch port
• Selects: restricts the set of traffic for this rule
• Filters: pass the traffic through an application
• Sinks: where to finally direct the traffic
Combining these gives us a rich set of configurations.
Simple Example
We will use the following example over the next few slides:
[Diagram: Mirror (Port 80, TCP) -> Counter -> TCP Dump]
Take all TCP port 80 traffic, send it to a counter, and then send it to a machine running tcpdump.
Paths
[Diagram: Input with Select -> Filters -> Sinks]
A path is: a source switch port with selection criteria... which goes into zero or more filters... then out to one or more sinks.
OpenSAFE Schematic
[Diagram: OpenFlow Controller above an OpenFlow Switch; Input enters the switch, Filter 1 ... Filter m hang off the switch, and Sink 1 ... Sink n leave it.]
Policy naming
In OpenSAFE all switch ports are named. Logically, ALARMS articulates paths of named switch ports.
Revisiting our example
[Diagram: Mirror (Port 80, TCP) -> Counter -> TCP Dump] ... becomes ...
mirror[http] -> counter -> tcpdump;
Let's get some more paths
[Diagram: Mirror (Port 80) -> Counter -> TCP Dump]
mirror[http] -> counter -> tcpdump;
[Diagram: Mirror (Port 443) -> Decryption -> Counter -> TCP Dump]
mirror[https] -> decrypt -> counter -> tcpdump;
Waypoints
As more rules are added, they often share the same tail of the path, which makes rule management difficult.
Solution: Waypoints. Waypoints are virtual destinations for paths: a path can end at a waypoint, and another path can start from it.
Waypoint example
[Diagram: Mirror (Port 443) -> Decryption -> Web; Mirror (Port 80) -> Web; Web -> Counter -> TCP Dump]
mirror[https] -> decrypt -> web;
mirror[http] -> web;
web -> counter -> tcpdump;
Multiple Destinations
In ALARMS, multiple destinations are easy:
[Diagram: Mirror (Port 80) -> TCP Dump 1 and TCP Dump 2]
mirror[http] -> { ALL, tcpdump1, tcpdump2 };
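As an added illustration of the waypoint and multiple-destination syntax above (not OpenSAFE's own code, and assuming the simplified grammar that the slides show: `name -> name -> ...;`, inputs written as `mirror[select]`, and a `{ ALL, sink, ... }` set as the last hop), the following Python parses a policy and splices waypoint paths together so that every resulting path runs from a mirror input to concrete sinks, which is what the controller ultimately needs to install.

```python
import re
from collections import defaultdict

# Constructed sample policy in the ALARMS syntax shown on the slides (waypoint 'web' + an ALL set).
POLICY = """
mirror[https] -> decrypt -> web;
mirror[http] -> web;
web -> counter -> tcpdump;
mirror[dns] -> { ALL, tcpdump1, tcpdump2 };
"""
def parse_policy(text):
    """Each path is a list of hops: a port/waypoint name, or ('ALL', [sinks])."""
    paths = []
    for stmt in text.split(';'):
        if not stmt.strip():
            continue
        hops = []
        for tok in (t.strip() for t in stmt.split('->')):
            m = re.fullmatch(r'\{\s*(\w+)\s*,\s*(.*?)\s*\}', tok)
            hops.append((m.group(1), [s.strip() for s in m.group(2).split(',')]) if m else tok)
        paths.append(hops)
    return paths
def is_input(hop):
    return isinstance(hop, str) and hop.startswith('mirror[')
def expand_waypoints(paths):
    """Splice paths ending at a waypoint with every path that starts there,
    so each result runs from a mirror input to concrete sinks."""
    continuations = defaultdict(list)
    for hops in paths:
        if not is_input(hops[0]):               # e.g. web -> counter -> tcpdump
            continuations[hops[0]].append(hops[1:])
    resolved = []
    def walk(prefix, depth=0):
        last = prefix[-1]
        if isinstance(last, str) and last in continuations:
            if depth > len(paths):              # a -> b; b -> a; would loop forever
                raise ValueError('waypoint cycle through %s' % last)
            for cont in continuations[last]:
                walk(prefix[:-1] + cont, depth + 1)  # drop the waypoint, splice rest
        else:
            resolved.append(prefix)
    for hops in paths:
        if is_input(hops[0]):
            walk(hops)
    return resolved
def render(path):
    return ' -> '.join(h if isinstance(h, str) else '{ %s, %s }' % (h[0], ', '.join(h[1]))
                       for h in path) + ';'
```

Running `render` over `expand_waypoints(parse_policy(POLICY))` yields the three fully resolved paths, with both inputs that end at `web` now carrying the shared `counter -> tcpdump` tail.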