OpenSAFE: Hardware-Based Network Monitoring Using Software Control

Administrators of today’s networks are highly interested in monitoring traffic for purposes of collecting statistics, detecting intrusions, and providing forensic evidence. Unfortunately, network size and complexity can make this a daunting task. Aside from the problems in analyzing the network traffic itself for this information—an extremely difficult task on its own—a more fundamental problem exists: how to direct the traffic for network analysis and measurement in a flexible, high-performance manner. Current solutions fail to fully address the challenges of directing traffic for both on- and off-path monitoring. In this paper, we propose OpenSAFE, a system for enabling the arbitrary direction of traffic for security monitoring applications at line rates. Flexible policies are specified in ALARMS, a flow specification language that greatly simplifies management of network monitoring appliances. Finally, we demonstrate our OpenSAFE implementation using both live network traffic and replayed traces. Analysis shows that our OpenSAFE implementation handles higher traffic volumes than our existing monitoring infrastructure.
