[f-nsp] slightly OT question

[Wilbur Smith]

David,

Any specific Brocade/Foundry hardware you are thinking of using? Most of
our hardware won’t perform the deep packet inspection part (with the
exception of the ADX), but it can help provide data for a 3rd party
device/solution.

His is a very non-inclusive list from what Ive worked with:

- All of our devices can export sFLow data. While this won’t provide info
on what is inside of the datagram, the header info it does provide can
allow IDS systems to pinpoint infected hosts. You may need to convert the
sFlow data to Pcap format. Some open source tools exist for this, but can
do this on the fly in IronView and Brocade Network Advisor. I’ve used this
in parallel with Snort’s open source solution with good results.

- Many of our older switches allow you to “disable mac-learning”. This is
also called transparent vlan flooding on our newer boxes; it allows a L2
switch to replicate packets without impacting the CPU; a bit like a mirror
or span port but more scalable. This can be used as a L2 tap to push data
into an IDS sensor.

- The newer method of doing this is called Telemetry. In later version of
code on the MLX, you can create a PBR ACL to target specific traffic types
or hosts. Then you enable the “telemetry” function on the MLX, instead of
redirecting the traffic though, the router will make a second copy of any
data matching the ACL and forward it to a destination you choose. This
function is leveraging the same hardware that replicates multicast traffic
on the MLX (except we tweaked the code to work for this edge case), so it
isn’t limited by CPU. This is used by some service providers and it scales
up to our 100G ports.

The best real-world example of this was for SCinet at the SC13 (Super
Computing show) show in Denver last month. We used the above telemetry
solution over a 100G link to push a copy of the traffic to a Metaflow IDS
box. The Metaflow appliance then analyzed the traffic on the fly looking
for malicious activity. This system actually found some malicious traffic.

Turns out the university students that were participating in a competition
had brought their own personal laptops and connected then to Scinet. The
metaflow box identified that most of the laptops had a few separate
viruses and trojans running on their laptops. As for disabling their
access to the network, we didn’t set that up. Normally, you would have the
IDS appliance send an SNMP Set to disable the network port, append a null
route ACL to black-hole the traffic, or use a NAC system to deny a DJCP
address. 

I’m not an expert on the security end, so I’m sure others are doing more
than what I described. I believe we also have some features built into the
ServerIron hardware to block malicious traffic, but I haven’t had a chance
to work on that. 

Hope this gives you some ideas to play with.

Wilbur


On 12/10/13, 1:02 PM, "David Miller" <dmiller at metheus.org> wrote:

>Apologies for a somewhat OT question.
>
>
>Is anyone using any brocade equipment as a firewall/load balancer that
>does adaptive packet filtering?
>
>The two capabilities I’m most interested in are the ability to detect and
>block an attack, and the ability to check incoming packets for viral
>signatures.  It seems to me that last one must be quite a hit on
>performance.
>
>If anyone is using any non-brocade gear for those specific functions, I’d
>be interested in hearing about those too.
>
>Lastly, any input on real-world functionality of such a device would be
>welcome.
>
>TIA,
>
>— David
>_______________________________________________
>foundry-nsp mailing list
>foundry-nsp at puck.nether.net
>http://puck.nether.net/mailman/listinfo/foundry-nsp