StreamSleuth 100 GbE Network Packet Processing Appliance
TRANSCRIPT
Visit YouTube for a recorded version of this presentation by Craig Lund:
https://www.youtube.com/watch?v=lStqPHuYye4
Extended Version: https://www.youtube.com/watch?v=JBMezP15JO8
Introducing StreamSleuth™
Revision 17
FPGA-Accelerated 100 GbE Packet Processing without the hassle of FPGA programming
Special Handling Required
Danger: 100 GbE
Monitoring is Hard at 100 GbE
• Just monitoring your network is challenging at 100 GbE.
• You need to filter down to a reasonable level of “important” traffic.
• The filters built into commodity switching and firewall hardware are not sophisticated enough.
• An implementation of the BPF/PCAP filter language running in hardware at 100 GbE line rate is ideal.
Software Defense is too Slow
• Software is too slow for attack mitigation at 100 GbE.
• Commodity switching hardware may someday grow new features to help your defense keep up, but not anytime soon.
• Reconfigurable hardware (FPGA) gets us there now. It is already used to block denial of service attacks crafted to get past commodity switches and firewalls.
What is it?
• A new FPGA platform that closely ties 100 GbE line-rate hardware acceleration into a high-end Xeon server.
• The FPGA is preconfigured to implement filtering, load balancing, and routing — the most challenging part is done!
• 1U appliance complete with web user interface, SNMP, RMON, etc.
To sleuth (pronounced slo͞oTH) means “to carry out a search or investigation in the manner of a detective.”
How does it work?
• Routing and filtering are expressed in the BPF/pcap filter language and take effect instantly in a terabit router inside the FPGA (not a separate ASIC). Filters/routes are defined via the web GUI or API.
• User-defined filters accept, drop, or reject each packet, like iptables but with full BPF at 100 GbE.
• Load balance the filter outputs into a collection of ports or into multiple server cores.
• Packets can be routed to/from a CPU via an extreme bandwidth, low latency, standard DPDK interface into a loop heat pipe (LHP) cooled, E5 class server inside the same box (PCIe Gen3 x16). Users can supply software C or Python—the “active” side of active monitor or firewall.
Designed for: Network engineers focused on network security or visibility
• Security Operations Centers inside sophisticated data centers that need tools to stop zero-day attacks
• Network Operations Centers inside those same data centers looking for more flexible 100 GbE visibility
• VARs & OEMs
• Government lawful intercept
Users can use StreamSleuth to create their own:
• Packet Broker with exceptional filtering capability
• Active Monitor
• Supplemental Firewall
• Packet Generator for network testing
• Network Sensor that provides flow data
Two 100 GbE Ports (two others not used): Attach to a passive 100 GbE tap or deploy the box in-line as a supplemental firewall
Twenty 10 GbE Ports: Wrap one back to your switch for an active monitor. Dedicate one to PTP if you need accurate timestamps
1 GbE monitor port: For configuration, command & control (two others for user applications)
Example of the User Interface
Use Mode #1: Network Sensor/Monitor
Diagram (labels only): ISP, 100G link, Firewall, Switch, Datacenter; 100G tap into StreamSleuth; 10G monitor ports to Security Appliances; Alerts to SOC.
Unique benefits: More sophisticated filtering capability than packet brokers based on switch ASICs; embedded server for flow tracking.
Use Mode #2: Active Monitor
There’s an Intel Xeon E5-class server inside StreamSleuth that allows the network broker to become an active monitor (injecting packets).
Diagram (labels only): ISP, 100G link, Firewall, Switch; 100G tap into StreamSleuth (Filter, Hash, Route), PCIe x16 to the Xeon E5 server inside; connect to the datacenter switch to inject packets back into the network; 10G monitor ports if needed.
Use Mode #3: Supplemental Firewall
Diagram (labels only): ISP, 100G link, Firewall, Switch; 100G tap into StreamSleuth; 10G monitor ports if needed to any existing network monitoring or security infrastructure.
Dual, Redundant Power Supplies
BittWare XUPP3R PCIe board featuring Xilinx UltraScale+ FPGA • Pre-programmed for StreamSleuth • Attached by a riser to server MB
Liquid cooled, C612 single socket motherboard, will accept any E5 v4 (Broadwell) – up to 12 cores
20 SFP+ cages on an expansion board attached to the FPGA
8 slots for hot-swappable SATA/SAS flash drives
Block diagram of the appliance (labels only):
• Two 100 GbE QSFP28 cages (two others not used): 100G Port 1 and 100G Port 2, each with RMON stats and Time Stamp
• Twenty 10 GbE SFP+ cages (10G Port 5 through 10G Port 24): Monitor Ports, with Slicing and RMON stats
• BittWare FPGA Board: PCAP Filter Blocks (adds routing tags to packets), Load Balancing (hash tags), Egress Router (based on tags), Programming/Control Port
• CPU Ports: DMAs to Host over Four DPDK Queue Pairs (over PCIe Gen3 x16), with Slicing and RMON stats
• E5 v4 Server, Intel Xeon CPU (optional additional user applications), 1G Mgmt. Port
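The tag pipeline described under “How does it work?” and in the block diagram above, modelled in software as an added example (constructed here, not StreamSleuth or BittWare code): filter blocks attach an accept/drop/reject tag, a load balancer attaches a flow-hash tag, and the egress router forwards on those tags. Compiled BPF filters are stood in for by Python predicates over the parsed 5-tuple, the count of four host queues is taken from the deck’s “Four DPDK Queue Pairs”, and the symmetric CRC32 hash and the rule set are assumptions of this example.

```python
# Software model of the tag pipeline: filter blocks tag packets with an action,
# the load balancer adds a hash tag, and the egress router forwards on the tags.
# Constructed example; compiled BPF is stood in for by Python predicates.
import struct
import zlib
from typing import Callable, List, Optional, Tuple

FilterRule = Tuple[str, Callable[[dict], bool], str]  # (name, predicate, action)
N_QUEUES = 4  # assumption from the deck: four DPDK queue pairs to the host

def parse_5tuple(frame: bytes) -> Optional[dict]:
    """Parse Ethernet/IPv4/L4 headers into a 5-tuple; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if len(l4) >= 4 else (0, 0)
    return {"proto": frame[23], "src": frame[26:30], "dst": frame[30:34],
            "sport": sport, "dport": dport}

def flow_hash(pkt: dict) -> int:
    """Symmetric 5-tuple hash so both directions of a flow hit the same queue."""
    a = pkt["src"] + pkt["sport"].to_bytes(2, "big")
    b = pkt["dst"] + pkt["dport"].to_bytes(2, "big")
    lo, hi = sorted((a, b))
    return zlib.crc32(lo + hi + bytes([pkt["proto"]])) % N_QUEUES

def route_frame(frame: bytes, rules: List[FilterRule]) -> Tuple[str, Optional[int]]:
    """First matching rule wins (iptables-style). Returns (action, host queue)."""
    pkt = parse_5tuple(frame)
    if pkt is None:
        return ("drop", None)  # model choice: non-IPv4 is dropped
    for _name, pred, action in rules:
        if pred(pkt):
            return (action, flow_hash(pkt) if action == "accept" else None)
    return ("drop", None)  # default policy: drop

def build_frame(src, dst, proto, sport, dport) -> bytes:
    """Construct a minimal Ethernet/IPv4/L4 frame as sample input."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

# Constructed rule set: reject syslog to UDP/514, accept web flows to the host.
RULES: List[FilterRule] = [
    ("syslog", lambda p: p["proto"] == 17 and p["dport"] == 514, "reject"),
    ("web", lambda p: p["proto"] == 6 and (p["sport"] in (80, 443) or p["dport"] in (80, 443)), "accept"),
]
```

Because the hash is symmetric, a flow’s request and reply frames land on the same DPDK queue, which is what per-flow state in the embedded server needs.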
For More Information
• PCAP Filter Syntax at http://www.tcpdump.org/manpages/pcap-filter.7.txt
• The DPDK website is www.dpdk.org
• YouTube hosts many DPDK introductory presentations
• Contact BittWare sales www.bittware.net