Hardware acceleration enhancing network security
Petr Kaštovský, kastovsky@invea-tech.com
High-Speed Networking Technology Partner
Threats
- The number of attacks grows together with the damage caused (Source: McAfee Threats Report: Fourth Quarter 2011)
- According to the Czech National Security Authority, the Internet has become critical infrastructure
- A drawbridge that cannot be raised
6.4.2012 Hardware acceleration enhancing network security 2/14
Traffic growth
- Ethernet standards: 1 GE (1998), 10 GE (2002), 100 GE (2010)
- We are either looking for a needle in a (petabyte) haystack or trying to take a drink from a fire hydrant.
Challenges, requirements
Network monitoring has to cope with:
- deployment in the core network (visibility)
- high bandwidth and line utilization
- new link-layer technologies (10G, 40G, 100G Ethernet)
- a growing number of end users and devices (targets)
While it is necessary to:
- adapt to the evolving network environment (IPv4, IPv6, ...)
- detect all known and zero-day threats
- maintain reasonable CAPEX & OPEX
Security tools
Commodity hardware
  + cheap and flexible
  - limited I/O performance
Dedicated equipment
  + high I/O performance
  - expensive, limited flexibility
Hardware acceleration for commodity hardware
  + high I/O performance
  + reasonable price
  + flexible
Embedded tools
- Real-world example (billing is not security!)
Pre-processing
- Reduce the working data set as soon as possible
  - less data to take care of
  - fewer privacy issues
- Different kinds of pre-processing
  [Chart: Processed packets [%] versus Packet length [B], 64 B to 1464 B, comparing IPFIX export against a plain NIC]
  - Filtration of specific service or user data/packets (VoIP analysis, botnet detection)
  - Traffic feature extraction (packet header fields, alarms, scores)
Divide & conquer
- Network traffic is composed of different flows (parallel)
- Multicore CPUs, dedicated memory controllers (NUMA)
- Intelligent data distribution is the key
  - a common feature, typically flow-aware, configurable

  # of cores | Arrival period | Free CPU time | 3 GHz CPU instructions
  -----------+----------------+---------------+-----------------------
  1          | 67 ns          | 30 ns         | 90
  8          | 536 ns         | 500 ns        | 1500
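Added example, not from the INVEA-TECH slides: the arithmetic behind the core-count table above (10 GE, 64 B frames, 3 GHz core) and a flow-aware distribution of packets to cores. It assumes a 37 ns fixed per-frame cost and a symmetric SHA-256 5-tuple hash; both are illustrative choices, not the card's own algorithm.

```python
import hashlib

WIRE_OVERHEAD_BYTES = 20   # 8 B preamble/SFD + 12 B inter-frame gap per frame


def arrival_period_ns(link_gbps, frame_bytes, cores=1):
    """Time between two frames reaching one core when the accelerator spreads
    frames evenly over `cores` queues."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return wire_bits / link_gbps * cores        # bits / (Gbit/s) == ns


def instruction_budget(link_gbps, frame_bytes, cores, fixed_cost_ns, clock_ghz=3.0):
    """Instructions one core may spend per frame: the arrival period minus an
    assumed fixed per-frame cost (DMA, descriptor handling), times the clock.
    Zero means the core cannot keep up at line rate."""
    free_ns = arrival_period_ns(link_gbps, frame_bytes, cores) - fixed_cost_ns
    return max(0, int(free_ns * clock_ghz))


def flow_core(src_ip, dst_ip, src_port, dst_port, proto, cores):
    """Flow-aware distribution: hash a direction-independent 5-tuple so both
    halves of a connection land on the same core (hash choice is an assumption)."""
    left, right = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    key = f"{left[0]}:{left[1]}|{right[0]}:{right[1]}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % cores


def distribute(packets, cores):
    """Return how many packets (5-tuples) each core receives."""
    load = [0] * cores
    for pkt in packets:
        load[flow_core(*pkt, cores)] += 1
    return load


if __name__ == "__main__":
    # 10 GE worst case: minimum-size 64 B frames; 37 ns fixed cost (assumed)
    # reproduces the slide's 30 ns / 500 ns of free CPU time.
    for n in (1, 8):
        print(n, "core(s):", round(arrival_period_ns(10, 64, n)), "ns period,",
              instruction_budget(10, 64, n, 37), "instructions per frame")
    # Constructed sample: both directions of one TCP connection plus one UDP flow.
    sample = [("10.0.0.1", "10.0.0.2", 40000, 80, 6),
              ("10.0.0.2", "10.0.0.1", 80, 40000, 6),
              ("10.0.0.3", "10.0.0.4", 5060, 5060, 17)]
    print(distribute(sample, 8))
```

At 100 GE the same 64 B frame arrives every 6.7 ns, so a single 3 GHz core has no budget at all, which is the point of the flow-aware spreading.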
Synchronization
- Worldwide resources are used for attacks
- Hard to correlate data without synchronization
- Different solutions for synchronization: GPS, CDMA, PTP
- COMBO card + GPS synchronization: approx. 2 us deviation from global time
Platform example
Hardware accelerator (CPU, NP, ASIC, GPGPU, FPGA)
- PCI-Express card
- Multiple queues
- Intelligent data distribution
Commodity server CPU
- NUMA architecture
- Core-level parallelism
- On-chip PCI-Express interface (Intel SB)
Optimized software
- Network stack bypass
- Zero-copy data access
Performance
Hardware acceleration
- Lifesaver in the data deluge
- High-precision security analysis (no drops)
- Support for different scenarios/use cases
  - Detection of events and NetFlow collection
  - Filtering of service and trace recording
- Suitable for the most demanding applications
  - National-level security
  - Evidence collection according to warrants
- Great flexibility and savings
  - Reuse of software components, time-critical part in hardware
40G and beyond
- 40G and 100G Ethernet standard ratified June 2010
- Initial adoption in core network elements
- New model of hardware acceleration card
  - Computational resources (FPGA)
  - Supported interfaces (4x10G, 40G, 100G)
  - PCI-Express up to 16x gen 2
  - Seamless application upgrade
- Hardware-accelerated filtration
  - Even more important for high-bandwidth links
  - Data reduction with guaranteed performance and precise timestamps
Contacts
High-Speed Networking Technology Partner
Petr Kaštovský, kastovsky@invea-tech.com
INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno
www.invea-tech.com