High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab: Strategies for Monitoring External and Internal Activity
Time: 10/09/07, 08:45AM-10:00AM
The LBNL campus has implemented a variety of systems to monitor and
detect intrusions. This presentation will illustrate how these
individual components add up to provide extensive, high-performance
monitoring of both external and internal network traffic.
The presentation will focus on the Bro NIDS, a powerful open-source
network intrusion detection system and traffic analysis framework.
Bro is LBNL's primary tool for monitoring the lab's 10G upstream
link for security breaches. It is credited with countless attack
detections and preventions, many of which would likely have gone
undetected by more popular intrusion detection systems. We will
start by giving an overview of Bro's philosophy and architecture,
focusing on its ability to analyze high-volume network streams on a
rich semantic level. We will then present a set of recent
advancements of the system, such as the "Bro Cluster" and "dynamic
protocol detection". The Bro Cluster is an adaptation of Bro to a
cluster of commodity PCs that enables Bro to scale easily and
incrementally as traffic volumes increase beyond what a single host
can monitor. Dynamic protocol detection refers to Bro's ability to
identify the protocol of a given stream regardless of port number,
and then perform protocol-specific analysis.
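The port-independent detection just described, as an added illustration that is not Bro's own code or signature set: a small Python classifier matches the first client-to-server bytes of a stream against constructed payload signatures, ignores the port entirely, and then dispatches to a protocol-specific analyzer that extracts fields an analyst would want (request line and Host header, SSH client banner, IRC nick). The signatures, the sample streams and the WELL_KNOWN port table are all constructed for this example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Well-known ports per protocol, used only to report a mismatch afterwards
# (detection itself never consults the port). Constructed table.
WELL_KNOWN: Dict[str, set] = {
    "http": {80, 8080},
    "ssh": {22},
    "smtp": {25, 587},
    "irc": {6667},
}

# Constructed payload signatures matched against the first client-to-server
# bytes of a stream. Illustrative only; not Bro's signature set.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
    ("irc",  re.compile(rb"^(NICK|USER|PASS) ")),
]


def detect_protocol(payload: bytes) -> Optional[str]:
    """Identify the application protocol from payload content alone."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return None


def analyze_http(payload: bytes) -> Dict[str, str]:
    lines = payload.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    host = ""
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return {"method": method.decode(), "uri": uri.decode("ascii", "replace"), "host": host}


def analyze_ssh(payload: bytes) -> Dict[str, str]:
    banner = payload.split(b"\r\n", 1)[0]
    return {"client_version": banner.decode("ascii", "replace")}


def analyze_smtp(payload: bytes) -> Dict[str, str]:
    first = payload.split(b"\r\n", 1)[0]
    cmd, arg = first.split(b" ", 1)
    return {"command": cmd.decode(), "helo_name": arg.decode("ascii", "replace")}


def analyze_irc(payload: bytes) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in payload.split(b"\r\n"):
        if line.startswith(b"NICK "):
            fields["nick"] = line[5:].decode("ascii", "replace")
        elif line.startswith(b"USER "):
            fields["user"] = line[5:].split(b" ", 1)[0].decode("ascii", "replace")
    return fields


ANALYZERS: Dict[str, Callable[[bytes], Dict[str, str]]] = {
    "http": analyze_http, "ssh": analyze_ssh, "smtp": analyze_smtp, "irc": analyze_irc,
}


def analyze_stream(dport: int, payload: bytes) -> Dict[str, object]:
    """Detect the protocol by content, then run that protocol's analyzer."""
    proto = detect_protocol(payload)
    result: Dict[str, object] = {"dport": dport, "proto": proto, "fields": {}, "port_mismatch": False}
    if proto is None:
        return result
    result["fields"] = ANALYZERS[proto](payload)
    result["port_mismatch"] = dport not in WELL_KNOWN[proto]
    return result


# Constructed sample streams (first client-to-server bytes only).
SAMPLES = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    (80,   b"NICK bot4711\r\nUSER bot4711 0 * :bot\r\n"),    # IRC hiding on the HTTP port
    (443,  b"SSH-2.0-OpenSSH_4.7\r\n"),                       # SSH on the HTTPS port
    (8000, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88"),         # no signature matches
]

if __name__ == "__main__":
    for dport, payload in SAMPLES:
        print(analyze_stream(dport, payload))
```

The second and third samples are the cases a port-keyed IDS misses: an IRC session on port 80 and an SSH session on port 443 are both classified from their content and handed to the right analyzer, with the port mismatch reported as a separate fact. A production implementation also needs the analyzer to be able to reject a stream its parser cannot make sense of, so that a signature false positive does not lock in a wrong interpretation for the rest of the connection.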
Supplementing the Bro setup, the LBNL campus has also implemented
systems to detect intrusions that are only visible by instrumenting
the internal infrastructure, such as illegitimate activity over
encrypted SSH connections. These systems leverage a variety of
technologies including NetFlow, Syslog, DHCP and others. We will
conclude the presentation with an overview of this setup, which has
proven to be a powerful and effective countermeasure to attacks
opaque to traditional packet monitors.
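A sketch of the kind of correlation the paragraph above refers to, added here as an example and not LBNL's setup: a packet monitor cannot see who logged in over SSH or how, but the host's sshd syslog line can, and a DHCP lease table plus NetFlow-style flow records add context. The script parses OpenSSH "Accepted" lines, joins each login to its flow record by source address and port, and flags logins whose internal source has no DHCP lease, that use root or password authentication, or whose session moved an unusually large volume. All data, the subnet, and the byte threshold are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed internal subnet (assumption, not LBNL's addressing).
INTERNAL = ip_network("10.1.0.0/16")

# Constructed DHCP lease table: address -> (MAC, hostname). An internal source
# without a lease is either statically configured or not a known client.
DHCP_LEASES: Dict[str, tuple] = {
    "10.1.4.20": ("00:11:22:33:44:55", "alice-laptop"),
    "10.1.4.21": ("00:11:22:33:44:66", "bob-laptop"),
}

# Constructed sshd syslog lines in OpenSSH's "Accepted" format.
SYSLOG = """\
Oct  9 08:51:02 host7 sshd[2211]: Accepted publickey for alice from 10.1.4.20 port 50122 ssh2
Oct  9 08:52:17 host7 sshd[2254]: Accepted password for root from 10.1.9.77 port 41001 ssh2
Oct  9 08:53:40 host7 sshd[2290]: Accepted publickey for bob from 10.1.4.21 port 50400 ssh2
"""

# Constructed NetFlow-like records for the same sessions.
FLOWS: List[Dict[str, object]] = [
    {"src": "10.1.4.20", "sport": 50122, "dst": "10.1.4.7", "dport": 22, "bytes": 18_000, "duration": 600},
    {"src": "10.1.9.77", "sport": 41001, "dst": "10.1.4.7", "dport": 22, "bytes": 95_000_000, "duration": 3400},
    {"src": "10.1.4.21", "sport": 50400, "dst": "10.1.4.7", "dport": 22, "bytes": 12_000, "duration": 120},
]

ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"
)

BYTES_THRESHOLD = 50_000_000  # assumed policy value for "large session"


def parse_logins(syslog_text: str) -> List[Dict[str, object]]:
    """Extract (method, user, src, sport) from each successful sshd login line."""
    logins = []
    for line in syslog_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            logins.append({"method": m["method"], "user": m["user"],
                           "src": m["src"], "sport": int(m["sport"])})
    return logins


def correlate(logins, flows, leases) -> List[Dict[str, object]]:
    """Join logins to flows and leases; return the logins that deserve a look."""
    by_key = {(f["src"], f["sport"], f["dport"]): f for f in flows}
    findings = []
    for login in logins:
        reasons = []
        if ip_address(login["src"]) in INTERNAL and login["src"] not in leases:
            reasons.append("internal source has no DHCP lease")
        if login["user"] == "root":
            reasons.append("root login")
        if login["method"] == "password":
            reasons.append("password authentication")
        flow = by_key.get((login["src"], login["sport"], 22))
        if flow and flow["bytes"] > BYTES_THRESHOLD:
            reasons.append(f"session moved {flow['bytes']} bytes")
        if reasons:
            findings.append({"user": login["user"], "src": login["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_logins(SYSLOG), FLOWS, DHCP_LEASES):
        print(finding)
```

Only the second login is reported, for all four reasons at once. None of those facts is visible to a packet monitor watching the encrypted stream: the user, the authentication method and the lease status come from the host and the DHCP server, and only the volume could be inferred from the wire.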
Speaker: Robin Sommer, Lawrence Berkeley National Laboratory
Secondary tracks: System and Network Security for Advanced Networks