Learn how 100 GbE networks are a different animal than previous speeds, and how StreamSleuth uses the power of FPGAs to solve this issue--without requiring user FPGA programming!
Sign up to learn more at BittWare.net
1. Visit YouTube for a recorded version of this presentation by Craig Lund:
https://www.youtube.com/watch?v=lStqPHuYye4
Extended Version:
https://www.youtube.com/watch?v=JBMezP15JO8
4. 4
Monitoring is Hard at 100 GbE
• Just monitoring your network is challenging at 100 GbE.
• You need to filter down to a reasonable level of “important” traffic.
• The filters built into commodity switching and firewall hardware are not sophisticated enough.
• An implementation of the BPF/PCAP filter language running in hardware at 100 GbE line rate is ideal.
5. 5
Software Defense is too Slow
• Software is too slow for attack mitigation at 100 GbE.
• Commodity switching hardware may someday grow new features
to help your defense keep up, but not anytime soon.
• Reconfigurable hardware (FPGA) gets us there now. It is already
used to block denial of service attacks crafted to get past
commodity switches and firewalls.
6. 6
What is it?
• A new FPGA platform that closely ties 100 GbE line-rate hardware
acceleration into a high-end Xeon server.
• The FPGA is preconfigured to implement filtering, load balancing, and
routing — the most challenging part is done!
• 1U appliance complete with web user interface, SNMP, RMON, etc.
To sleuth (pronounced slo͞oTH) means “to carry out a search or investigation in the manner of a detective.”
7. 7
How does it work?
• Routing and filtering is via BPF/pcap filter language, which takes effect instantly in a terabit
router inside the FPGA (not a separate ASIC). Filters/routes defined via web GUI or API.
• User-defined filters accept, drop, or reject each packet,
like iptables but with full BPF at 100GbE.
• Load balance the filter outputs into a collection of ports or into multiple server cores.
• Packets can be routed to/from a CPU via an extreme-bandwidth, low-latency, standard DPDK interface (PCIe Gen3 x16) into a loop heat pipe (LHP) cooled, E5-class server inside the same box. Users can supply software in C or Python, the “active” side of an active monitor or firewall.
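A software model of the filter-then-load-balance order described on this slide, as an added example that is not BittWare code. The rule list, the `Packet` tuple and the SHA-256 flow hash are assumptions made for illustration; the slides do not say which hash the FPGA uses.

```python
import hashlib
from collections import namedtuple

# Constructed packet model: only the 5-tuple fields the example needs.
Packet = namedtuple("Packet", "proto src sport dst dport")

N_QUEUES = 4  # the slides mention four DPDK queue pairs to the host CPU

# Hypothetical rule list, first match wins. Each lambda stands in for the
# compiled form of the pcap-filter expression written beside it.
RULES = [
    ("tcp dst port 23",      "reject", lambda p: p.proto == "tcp" and p.dport == 23),
    ("udp and src port 123", "drop",   lambda p: p.proto == "udp" and p.sport == 123),
    ("tcp or udp",           "accept", lambda p: p.proto in ("tcp", "udp")),
]

def verdict(pkt):
    """Return the action of the first matching rule; unmatched traffic is dropped."""
    for _expr, action, match in RULES:
        if match(pkt):
            return action
    return "drop"

def queue_for(pkt, n_queues=N_QUEUES):
    """Symmetric flow hash: both directions of a flow map to the same queue."""
    # Sorting the two endpoints makes the key independent of direction.
    a, b = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = f"{pkt.proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_queues

def process(pkt):
    """Filter first, then load balance only what the filter accepted."""
    action = verdict(pkt)
    return action, (queue_for(pkt) if action == "accept" else None)

if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    fwd = Packet("tcp", "192.0.2.10", 51514, "198.51.100.7", 443)
    rev = Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 51514)
    telnet = Packet("tcp", "192.0.2.10", 40000, "198.51.100.7", 23)
    for p in (fwd, rev, telnet):
        print(p, process(p))
```

Keeping both directions of a flow on one queue lets a per-core flow tracker see the whole conversation without sharing state between cores.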
8. 8
Designed for: Network engineers focused on network security or visibility
• Security Operations Centers inside sophisticated data centers that need tools to stop zero-day attacks
• Network Operations Centers inside those same data centers looking for more flexible 100 GbE visibility
• VARs & OEMs
• Government lawful intercept
9. 9
Users can use StreamSleuth to create their own:
• Packet Broker with exceptional filtering capability
• Active Monitor
• Supplemental Firewall
• Packet Generator for network testing
• Network Sensor that provides flow data
10. 10
• Two 100 GbE Ports (two others not used): Attach to a passive 100 GbE tap or deploy the box in-line as a supplemental firewall
• Twenty 10 GbE Ports: Wrap one back to your switch for an active monitor. Dedicate one to PTP if you need accurate timestamps
• 1 GbE monitor port: For configuration, command & control (two others for user applications)
12. 12
Use Mode #1
Network Sensor/Monitor
Unique benefits:
• More sophisticated filtering capability than packet brokers based on switch ASICs
• Embedded server for flow tracking
[Diagram labels: ISP, 100G, 100G tap, Firewall, Switch, Datacenter, 10G monitor ports, Alerts to SOC, Security Appliances]
13. 13
Use Mode #2
Active Monitor
There’s an Intel Xeon E5-class server inside StreamSleuth that allows the network broker to become an active monitor (injecting packets).
[Diagram labels: ISP, 100G, 100G tap, Firewall, Switch, Filter, Hash, Route, PCIe x16, Xeon E5 server inside StreamSleuth, Inject packets back into network, Connect to datacenter switch to inject packet back, 10G monitor ports if needed]
14. 14
Use Mode #3
Supplemental Firewall
[Diagram labels: ISP, 100G, 100G tap, Firewall, Switch, 10G monitor ports if needed, Any existing network monitoring or security infrastructure]
15. 15
• Dual, Redundant Power Supplies
• BittWare XUPP3R PCIe board featuring Xilinx UltraScale+ FPGA: pre-programmed for StreamSleuth, attached by a riser to server MB
• Liquid cooled, C612 single socket motherboard, will accept any E5 v4 (Broadwell) – up to 12 cores
• 20 SFP+ cages on an expansion board attached to the FPGA
• 8 slots for hot-swappable SATA/SAS flash drives
16.
[Block diagram of the BittWare FPGA Board and the E5 v4 Server. Labels:]
• Two 100 GbE QSFP28 cages (two others not used): 100G Port 1, 100G Port 2, RMON stats, Time Stamp
• Twenty 10 GbE SFP+ cages: 10G Port 5, 10G Port 24
• PCAP Filter Blocks (adds routing tags to packets)
• Load Balancing (hash tags)
• Egress Router (based on tags)
• Monitor Ports: Slicing, RMON stats
• CPU Ports: Slicing, RMON stats, DMAs to Host
• Four DPDK Queue Pairs (over PCIe Gen3 x16)
• E5 v4 Server: Intel Xeon CPU (optional additional user applications)
• 1G Mgmt. Port, Programming/Control Port
17. 17
For More Information
• PCAP Filter Syntax at http://www.tcpdump.org/manpages/pcap-filter.7.txt
• The DPDK website is www.dpdk.org
• YouTube hosts many DPDK introductory presentations
• Contact BittWare sales www.bittware.net