IDS/IPS Acceleration


Modern intrusion prevention/detection systems such as Snort, Suricata and Bro are CPU bound: they need every available CPU cycle in order to operate at line rate. For this reason it is important to save CPU cycles while capturing/transmitting packets, and also to distribute the load across all the available CPU cores in order to maximize performance. This is usually called packet steering: the ability to distribute packet traffic across CPU cores based on specific policies.

PF_RING supports all of these features:

  • DNA and PF_RING-aware drivers allow applications to attach not just to the whole device (as Linux and all other OSs do) but to a single physical RX queue. For instance you can attach your IDS instance to eth1@5 to receive packets only from queue 5 of eth1 (queue numbers start from zero, so this is the sixth queue). This means that you can bind your IDS instances to individual cores and queues (i.e. you bind RX queue 0 to core 0, RX queue 1 to core 1, and so on). The result is that each core is (mostly) independent from all the other cores and thus scalability is maximized.
  • Using Intel 10 Gbit (82599 and X540) NICs you can, by means of the PF_RING-aware ixgbe driver, filter packets on the NIC, in hardware, without any assistance from the CPU. So you can decide to activate your IDS/IPS only on selected traffic flows, or to drop unwanted traffic as it enters the NIC rather than in the IDS, as usually happens.

PF_RING has been used with IDS/IPS for a long time. For instance Suricata has been sitting on top of PF_RING since its first release. Many users deploy their IDS on top of PF_RING, also exploiting the PF_RING clustering facilities that allow packets to be balanced across all available instances.

Snort


As Snort is probably the most popular IDS/IPS around, we have decided to support this large user community by creating a PF_RING DAQ (Data AcQuisition library) module, which you can find in PF_RING's SVN. Thanks to this module you can run Snort in IPS (inline) or IDS mode at maximum speed, in particular on top of PF_RING DNA.

Besides this major speed boost, one great advantage is that Snort is now a first-class citizen that drives the network. This means that whenever a packet is processed, Snort gives the PF_RING DAQ a verdict. Besides simple pass/drop, it can return whitelist/blacklist, meaning that Snort has decided that the whole flow the packet belongs to is good (whitelist) or bad (blacklist). Using this feedback, the PF_RING DAQ module creates (positive/negative) filtering rules inside PF_RING (and, if you have network adapters with hardware packet filtering, in the NIC as well) that prevent future packets belonging to that flow from reaching Snort at all. As you can imagine this improves overall performance even further. Not to mention that when Snort detects a serious security issue, or even worse a DoS, the traffic can be blocked right in the NIC without putting further pressure on the server where Snort is running.
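To make the verdict feedback loop concrete, here is an added example (illustrative code written for this page, not PF_RING or Snort source) that models the flow filter a DAQ module keeps in front of the IDS: every packet is first checked against a flow table, only unfiltered packets are handed to the IDS callback, and a whitelist/blacklist verdict installs a rule so the rest of that flow is forwarded or dropped without inspection. The four verdict names follow the Snort DAQ API; the flow table, the hash function, the `demo_ids` policy and the constructed traffic are assumptions made for the demonstration.

```c
/* Added example, not PF_RING or Snort source: a model of the verdict-driven flow
 * filter the PF_RING DAQ module keeps in front of Snort. The four verdict names
 * follow the Snort DAQ API; the flow table, hash and demo policy are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum verdict { VERDICT_PASS, VERDICT_BLOCK, VERDICT_WHITELIST, VERDICT_BLACKLIST };
enum rule_action { RULE_NONE = 0, RULE_BYPASS, RULE_DROP }; /* flow-table entry */
enum outcome { OUT_FORWARD, OUT_DROP };                     /* per-packet result */

struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

#define FLOW_TABLE_SIZE 64
static struct { bool used; struct flow_key key; enum rule_action action; } flow_table[FLOW_TABLE_SIZE];

/* How much traffic reaches the IDS versus being handled by the filter. */
static unsigned ids_inspected, filter_bypassed, filter_dropped;

/* Order the endpoints so both directions of a connection hit the same rule. */
static struct flow_key canonical(struct flow_key k) {
    if (k.src_ip > k.dst_ip || (k.src_ip == k.dst_ip && k.src_port > k.dst_port)) {
        uint32_t ip = k.src_ip; k.src_ip = k.dst_ip; k.dst_ip = ip;
        uint16_t p = k.src_port; k.src_port = k.dst_port; k.dst_port = p;
    }
    return k;
}

static bool key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->src_port == b->src_port &&
           a->dst_port == b->dst_port && a->proto == b->proto;
}

static unsigned key_hash(const struct flow_key *k) { /* assumed: simple mixing hash */
    uint32_t h = k->src_ip ^ (k->dst_ip * 0x9E3779B1u) ^ ((uint32_t)k->src_port << 16) ^ k->dst_port ^ k->proto;
    h ^= h >> 15; h *= 0x85EBCA6Bu; h ^= h >> 13;
    return h % FLOW_TABLE_SIZE;
}

/* Open addressing with linear probing; sized for the demo, not for production. */
static enum rule_action flow_lookup(const struct flow_key *k) {
    for (unsigned i = 0, s = key_hash(k); i < FLOW_TABLE_SIZE; i++, s = (s + 1) % FLOW_TABLE_SIZE) {
        if (!flow_table[s].used) return RULE_NONE;
        if (key_eq(&flow_table[s].key, k)) return flow_table[s].action;
    }
    return RULE_NONE;
}

static bool flow_install(const struct flow_key *k, enum rule_action a) {
    for (unsigned i = 0, s = key_hash(k); i < FLOW_TABLE_SIZE; i++, s = (s + 1) % FLOW_TABLE_SIZE) {
        if (flow_table[s].used && !key_eq(&flow_table[s].key, k)) continue;
        flow_table[s].used = true; flow_table[s].key = *k; flow_table[s].action = a;
        return true;
    }
    return false; /* table full: this flow keeps being inspected packet by packet */
}

typedef enum verdict (*ids_fn)(const struct flow_key *k);

/* Per-packet path: consult the flow filter first, hand only unfiltered packets to the
 * IDS, and turn flow-level verdicts into rules so the rest of that flow never reaches
 * the IDS. A real DAQ module would also push such rules down to a filtering NIC. */
static enum outcome process_packet(struct flow_key k, ids_fn ids) {
    struct flow_key c = canonical(k);
    switch (flow_lookup(&c)) {
    case RULE_BYPASS: filter_bypassed++; return OUT_FORWARD;
    case RULE_DROP:   filter_dropped++;  return OUT_DROP;
    case RULE_NONE:   break;
    }
    ids_inspected++;
    switch (ids(&c)) {
    case VERDICT_PASS:      return OUT_FORWARD;                        /* this packet only */
    case VERDICT_BLOCK:     return OUT_DROP;                           /* this packet only */
    case VERDICT_WHITELIST: flow_install(&c, RULE_BYPASS); return OUT_FORWARD;
    case VERDICT_BLACKLIST: flow_install(&c, RULE_DROP);   return OUT_DROP;
    }
    return OUT_FORWARD;
}

/* Stand-in for Snort's rule engine (constructed policy): flows to TCP/22 are blacklisted,
 * flows to TCP/443 are whitelisted after their first packet, everything else is passed. */
static enum verdict demo_ids(const struct flow_key *k) {
    uint16_t svc = k->src_port < k->dst_port ? k->src_port : k->dst_port;
    if (svc == 22)  return VERDICT_BLACKLIST;
    if (svc == 443) return VERDICT_WHITELIST;
    return VERDICT_PASS;
}

/* Constructed traffic: three flows, four packets each, alternating direction.
 * Returns how many of the 12 packets the IDS had to inspect. */
static unsigned run_demo(void) {
    struct flow_key flows[3] = { { 0x0A000001, 0x0A000002, 40000, 22,  6 },
                                 { 0x0A000001, 0x0A000003, 40001, 443, 6 },
                                 { 0x0A000001, 0x0A000004, 40002, 80,  6 } };
    for (unsigned i = 0; i < FLOW_TABLE_SIZE; i++) flow_table[i].used = false;
    ids_inspected = filter_bypassed = filter_dropped = 0;
    for (int f = 0; f < 3; f++)
        for (int p = 0; p < 4; p++) {
            struct flow_key k = flows[f];
            if (p & 1) k = (struct flow_key){ k.dst_ip, k.src_ip, k.dst_port, k.src_port, k.proto };
            process_packet(k, demo_ids);
        }
    printf("inspected=%u bypassed=%u dropped=%u\n", ids_inspected, filter_bypassed, filter_dropped);
    return ids_inspected; /* 6: 1 + 1 + 4 */
}

int main(void) { return run_demo() == 6 ? 0 : 1; }
```

Of the 12 constructed packets only 6 reach the IDS: the blacklisted and whitelisted flows cost one inspection each and are then handled entirely by the filter, while the plain pass verdict has no memory and every packet of that flow is inspected. Two practical points follow from this model: a whitelist verdict means the remainder of that flow is never seen by the IDS again, so it should only be returned for flows the ruleset is genuinely done with (for instance once a TLS session is past its handshake), and the filter must match both directions of the connection, which is why the key is canonicalized before lookup.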

Snort users can also benefit from DNA speed. The native PF_RING DNA DAQ library is 20% to 50% faster than the standard PF_RING DAQ that ships with PF_RING, and it can operate in both IPS and IDS mode.

You can get PF_RING DNA DAQ from the ntop shop for a small fee that allows us to maintain and develop the code. Universities and research institutions can contact us to get it at no cost.