Saturday, July 14, 2012

Security Garlic: A Preview of Coming Attractions

Upon discovering the wonders of PF_RING with DNA, OpenvSwitch L4-hashed port-mirroring, Intel® VT-d / SR-IOV, KVM with VirtIO, and Security Onion, I just knew that these incredibly powerful tools belonged together.


So I'd say this is a very early Alpha-stage implementation of what I'm looking to accomplish and document, but I have high hopes for success. The goal is to use the PF_RING DNA drivers (and possibly vPF_RING) to perform transport-layer 5-tuple hashing and load-balancing in hardware, and then hand off the resulting pieces to a team of virtualized network inspection engines for deeper analysis. On the right hardware (modern higher-end Intel NICs), DNA and SR-IOV allow us to perform all this work using Zero-Copy Direct Memory Access, eliminating the need to burn CPU cycles simply to handle interrupts from the NIC. That means more horsepower to inspect all those packets.

UPDATE: I've discovered that OpenvSwitch's L4-hashing mechanism for load-balancing currently only works when LACP is enabled on a bonded link. LACP breaks the technique I'm employing here because it requires that all of the composite members of the port-channel be connected to the same endpoint device. I may have to write some patches for OpenvSwitch to get this working the way I'd like... in the meantime this is still doable with PF_RING.

UPDATE 2: I may have spoken too soon. Perhaps this has already been addressed: http://openvswitch.org/pipermail/dev/2011-May/008934.html


Here's how it works, elegantly illustrated by Luca Deri:


On platforms not supported by PF_RING, we can use OpenvSwitch to perform the hashing, load-balancing, and port-mirroring functions in software. Then, we can use KVM's para-virtualized VirtIO drivers for disk and network connectivity to minimize the overhead induced by all this extra packet-wrangling that we're now doing in software.
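To make the 5-tuple hashing and load-balancing idea concrete, here is an added example (my own illustration, not code from PF_RING, OpenvSwitch, or Security Onion) that maps each packet to one of six sensors, as in the setup below. It assumes a simple symmetric hash (blake2b over the sorted endpoints) as a stand-in for the NIC's RSS hash, and uses constructed sample traffic; the point it shows is that both directions of a session must land on the same sensor or the IDS cannot reassemble it.

```python
import hashlib
import ipaddress
import struct
from collections import defaultdict


def canonical_five_tuple(src_ip, src_port, dst_ip, dst_port, proto):
    """Order the two endpoints so a flow and its reply share one key.

    A sensor needs both directions of a session to reassemble it, so the
    hash input must be direction-independent.
    """
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return lo[0], lo[1], hi[0], hi[1], proto


def sensor_for_flow(src_ip, src_port, dst_ip, dst_port, proto, n_sensors):
    """Map a 5-tuple to a sensor index in [0, n_sensors).

    blake2b stands in for the NIC's RSS hash here (an assumption for the
    example); hardware Toeplitz RSS is only symmetric with a symmetric key.
    """
    ip_lo, port_lo, ip_hi, port_hi, p = canonical_five_tuple(
        src_ip, src_port, dst_ip, dst_port, proto)
    # 16-byte addresses cover both IPv4 and IPv6 without branching.
    data = (ip_lo.to_bytes(16, "big") + struct.pack("!H", port_lo)
            + ip_hi.to_bytes(16, "big") + struct.pack("!H", port_hi)
            + struct.pack("!B", p))
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_sensors


def distribute(packets, n_sensors):
    """Group packets by the sensor that would receive them."""
    buckets = defaultdict(list)
    for pkt in packets:
        buckets[sensor_for_flow(*pkt, n_sensors)].append(pkt)
    return dict(buckets)


# Constructed sample traffic: HTTP, DNS and SSH, each seen in both directions.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51234, "192.0.2.10", 80, 6),
    ("192.0.2.10", 80, "10.0.0.5", 51234, 6),
    ("10.0.0.5", 40001, "192.0.2.53", 53, 17),
    ("192.0.2.53", 53, "10.0.0.5", 40001, 17),
    ("10.0.0.7", 55555, "192.0.2.22", 22, 6),
    ("192.0.2.22", 22, "10.0.0.7", 55555, 6),
]

if __name__ == "__main__":
    for sensor, pkts in sorted(distribute(SAMPLE_PACKETS, 6).items()):
        print(f"sensor {sensor}: {pkts}")
```

Running it shows each request/response pair landing in the same bucket; a non-symmetric hash would split sessions across sensors and silently blind stream-based detection.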


I'm calling the project Security Garlic, in keeping with Doug Burks's metaphor of wrapping a giant pile of industrial-strength open-source security tools into a single, easy-to-install distribution. The analogy reminds me of the dichotomy of Onion Routing vs. Garlic Routing. Both involve using layers of security, but just like real onions and garlic, the latter method combines and compartmentalizes things a bit more. In that regard, I believe that this approach can offer greater flexibility and scalability than running software like Security Onion on bare-metal.


Here's a screenshot of six SO Sensors and one SO Server, all running inside KVM on an Ubuntu 12.04 LTS machine powered by a six-core Xeon® E5-1650 processor and an Intel® I350 NIC:

I'll post more as this experiment progresses, but so far the results are quite promising...
