Intrusion Detection at 10 Gig and Beyond...
Time: 04/28/10 03:00PM-04:00PM
The open-source Bro network intrusion detection system has been a cornerstone of cyber-security operations at the Lawrence Berkeley National Lab for years. Running on commodity hardware, the system is credited with countless attack detections and preventions. In this presentation we will present the "Bro Cluster", a load-balancing solution enabling the Lab and other sites to adapt their Bro-based monitoring to the challenges of in-depth, highly-stateful traffic inspection at 10G line-rate.
We will begin the presentation with a brief overview of the Bro system to provide some context for the remainder of the talk. We will then introduce the cluster's basic architecture: a front-end system distributing traffic across a set of backend analysis systems running Bro and communicating via a set of state-correlation proxies, augmented with a manager system that provides the cluster's central administrative interface for installation, configuration, alerting, and maintenance. LBNL is now running a production version of the cluster, and we will discuss its software and hardware components, including a 10G line-rate front-end component developed in cooperation with a Silicon Valley partner. We will conclude the talk with an outline of our future plans, both for further extending the basic cluster setup and for current work on porting the Bro system to multi-core platforms by restructuring its internals into a highly concurrent architecture.
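The front-end's job is to split traffic across backend workers without breaking stateful analysis: every packet of a connection, in both directions, must reach the same worker. The following is an added illustration, not code from the talk or from the Bro project; it assumes a front-end that assigns packets by a symmetric hash of the connection's endpoints, and contrasts it with naive per-packet round-robin using constructed sample packets.

```python
import hashlib
from collections import defaultdict

# Constructed sample traffic: two TCP connections, each with packets in both directions.
# Tuples are (src_ip, src_port, dst_ip, dst_port).
PACKETS = [
    ("10.0.0.5", 51000, "192.0.2.10", 80),
    ("192.0.2.10", 80, "10.0.0.5", 51000),
    ("10.0.0.5", 51000, "192.0.2.10", 80),
    ("10.0.0.7", 40000, "192.0.2.20", 443),
    ("192.0.2.20", 443, "10.0.0.7", 40000),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key: order the two endpoints so A->B and B->A agree."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def flow_worker(src, sport, dst, dport, n_workers):
    """Pick a worker by hashing the symmetric flow key.
    sha1 is used only as a stable hash (Python's hash() is randomized per process)."""
    key = repr(flow_key(src, sport, dst, dport)).encode()
    return int(hashlib.sha1(key).hexdigest(), 16) % n_workers

def flow_assign(packets, n_workers):
    """Flow-aware distribution: both directions of a connection land on one worker."""
    return [flow_worker(*p, n_workers) for p in packets]

def round_robin_assign(packets, n_workers):
    """Naive per-packet distribution: ignores flows, so a connection is scattered."""
    return [i % n_workers for i, _ in enumerate(packets)]

def workers_per_flow(packets, assignment):
    """Count distinct workers that saw each connection; stateful analysis needs exactly 1."""
    seen = defaultdict(set)
    for pkt, worker in zip(packets, assignment):
        seen[flow_key(*pkt)].add(worker)
    return {k: len(v) for k, v in seen.items()}

if __name__ == "__main__":
    print("flow hash :", workers_per_flow(PACKETS, flow_assign(PACKETS, 4)))
    print("round robin:", workers_per_flow(PACKETS, round_robin_assign(PACKETS, 4)))
```

With flow hashing every connection maps to a single worker; with round-robin the first connection is spread over three workers, so a worker doing TCP reassembly never sees the whole exchange.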
Speaker: Jim Mellander, Lawrence Berkeley National Laboratory
Secondary tracks: System and Network Security for Advanced Networks