Page 39 - Publication6
P. 39
ports. You can then configure these switches to make So now we�re receiving millions of packets per second
copies of every packet, and shoot those copies to the spread across many server cores into large buffers awaiting
spanning ports. analysis. So what�s next� Now you need a deep packet
inspection tool. Several options exist, rules based
applications like Snort or Suricata are common, but a
script-based solution called Bro Network Security is
gaining traction.
Bro provides multi-level deep packet inspection to glean
useful data from individual packets, and associated data
flows. When Bro is configured, and launched on the
capture server or VM, you can pass it the number of huge
in memory buffers used for capture, and the flow-hashing
algorithm utilized by SCP. Bro will then handle all the deep
packet inspection, and, if properly configured, it will
provide real time network visibility and situational
awareness to what is taking place inside your network.
This is not to say it will be a catch all, and alert you to every
malicious or deceitful transaction on your network, but it
will provide a greater level of visibility to what is happening
than anything you�re likely doing today. For a more
persistent and in-depth analysis Bro can then feed its
output, and logs, into an analytics engine such as Splunk.
Splunk can then provide another alerting layer by looking
The key here is SCP, which is a high performance packet at trends over time.
capture driver for Flareon adapters, furthermore if you are
Summarizing The Project
using a 10GbE server adapter that supports the Precision
To have a comprehensive enterprise wide security solution
Time Protocol (PTP), SCP will timestamp every packet
to detect data leakage or highlight internal threats you'll
with an accuracy of 50 nanoseconds from the time of
need to build a capture layer into your infrastructure that
intercept. Finally, SCP is designed to support application
aligns with both your physical and virtual server
clustering so multiple receive rings can be setup and bound
deployments. This layer needs to be performance tuned
to many cores on your server, then receive flow-hashing to
with the appropriate level of deep packet inspection that
enable new packets to be steered by flow consistently to the
aligns with the security needs of your businesses. To do this
same cores. This flow steering ensures that the analysis sees
requires new capture server hardware, adjustments to your
all the packets for every network flow. SCP can also
existing network switches, or the installation of fiber taps
aggregate multiple physical ports into the capture process
for capture.
so a single server could capture traffic from multiple
spanning ports or optical taps.
Next you�ll need a software layer to do packet inspection.
Then you�ll need a keen understanding of how to translate
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3
