Enhancing Network Security with Software-Defined Snort and OpenFlow

SOFTWARE DEFINED SNORT WITH BARNYARD and PULLEDPORK for NIDPS.

Hello!

Arun Samuel

Solution Advisor – Cyber Risk Advisory – Deloitte USI
External Researcher – UMD
Associate – NCDRC
Lead - National Information Security Council
 
Brief Defn:

SDN and OpenFlow
Mininet and Controller
Snort and dependencies
Defender’s Mechanisms
Vendor & OEM Controls
End Goals & Future Scope
 
Architecture View

The Flow

SDN and OpenFlow:
A management switch is used to decouple the control and data planes and to program the network traffic / data transmission. OpenFlow manages flow control in SDN and specifies how the controller and the switches communicate.

Mininet:
Mininet is a network emulator which creates a network of virtual hosts, interfaces and links. Mininet hosts run standard Linux network software. A simple ping from h1 to h2 travels over the virtual interfaces during transmission. We will be creating a network environment with OVS.

Floodlight / RYU:
Floodlight is an SDN controller. It is Apache-licensed open source and works with both the northbound interface (NBI) and the southbound interface (SBI). Module applications run alongside the controller.
 
Snort:

Intrusion detection engine; Snort runs as a single-threaded application.

Barnyard:

Barnyard2 is an open-source interpreter for Snort’s output plugin. It reads the files that Snort generates from its front end. Limited database support. Three modes of transmission: batch, continual, and continual with bookmarking. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing the binary data into various formats to a separate process, so that Snort does not miss network traffic.
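
To make the Barnyard slide concrete, here is an added example (written for this page; it is not code from the slides or from the Barnyard2 project) of what the separate parsing process does: it reads Snort's binary unified2 spool, decodes complete records, and returns the byte offset where a partially written record begins, which is exactly what the "continual with bookmarking" mode persists (Barnyard2 keeps this offset in its waldo file). The record layouts follow the Snort 2 unified2 definitions (an 8-byte type/length header, a 52-byte IPv4 event, a 28-byte packet header); the spool contents, sensor ids, addresses and timestamps are constructed for the demo.

```python
"""Minimal unified2 spool reader with bookmark (added example, not Barnyard2 code)."""
import struct
import ipaddress

# Record types from the Snort 2 unified2 definitions (only these two are decoded).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct(">II")            # record type, payload length (big-endian)
IDS_EVENT = struct.Struct(">9I2I2H4B")   # Unified2IDSEvent, 52 bytes
PACKET_HDR = struct.Struct(">7I")        # Unified2Packet header, 28 bytes

def _decode_event(payload):
    f = IDS_EVENT.unpack_from(payload)
    return {
        "kind": "event",
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "signature_id": f[4], "generator_id": f[5], "signature_revision": f[6],
        "classification_id": f[7], "priority_id": f[8],
        "ip_source": str(ipaddress.IPv4Address(f[9])),
        "ip_destination": str(ipaddress.IPv4Address(f[10])),
        "sport_itype": f[11], "dport_icode": f[12],
        "protocol": f[13], "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }

def _decode_packet(payload):
    f = PACKET_HDR.unpack_from(payload)
    return {
        "kind": "packet",
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "packet_second": f[3], "packet_microsecond": f[4],
        "linktype": f[5], "packet_length": f[6],
        "packet_data": payload[PACKET_HDR.size:PACKET_HDR.size + f[6]],
    }

def read_unified2(buf, bookmark=0):
    """Decode every complete record from `bookmark` onwards.

    Returns (records, new_bookmark). A truncated trailing record (Snort may
    still be writing it) is not consumed: new_bookmark points at its start so
    the next pass resumes there without re-emitting or losing events.
    """
    records = []
    pos = bookmark
    while pos + HEADER.size <= len(buf):
        rtype, rlen = HEADER.unpack_from(buf, pos)
        end = pos + HEADER.size + rlen
        if end > len(buf):
            break                            # partial record: leave for next pass
        payload = buf[pos + HEADER.size:end]
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            records.append(_decode_event(payload))
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            records.append(_decode_packet(payload))
        else:                                # unknown type: skip by length, stay in sync
            records.append({"kind": "skipped", "type": rtype, "length": rlen})
        pos = end
    return records, pos

def build_event(sid, src, dst, sport, dport, proto=6, event_id=1):
    """Constructed IDS event record for the demo (not captured data)."""
    payload = IDS_EVENT.pack(
        0, event_id, 1700000000, 0, sid, 1, 1, 0, 2,
        int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
        sport, dport, proto, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload

def build_packet(event_id, data):
    """Constructed packet record tied to `event_id` (linktype 1 = Ethernet)."""
    payload = PACKET_HDR.pack(0, event_id, 1700000000, 1700000000, 0, 1, len(data)) + data
    return HEADER.pack(UNIFIED2_PACKET, len(payload)) + payload

# Constructed spool: one event, its packet, then the first bytes of a record
# that Snort has not finished writing yet.
SPOOL = (build_event(1000001, "10.0.0.1", "10.0.0.2", 40000, 80)
         + build_packet(1, b"\x00" * 14 + b"GET / HTTP/1.0\r\n")
         + HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10)

if __name__ == "__main__":
    recs, waldo = read_unified2(SPOOL)
    for r in recs:
        print(r["kind"], r.get("signature_id", ""), r.get("ip_source", ""))
    print("bookmark:", waldo, "of", len(SPOOL))
```

Batch mode corresponds to calling `read_unified2` once over a finished file; continual mode polls the growing file from offset 0 of each new spool file; continual with bookmarking feeds the returned offset back in on the next poll, which is why the reader must refuse to consume a record whose declared length runs past the end of what has been written so far.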
 
PulledPork:

As we need to update the Snort rules frequently, based on the public repository or on a zero day that may arise, we can use PulledPork scripts to implement and update those rules on the client and server side. It pulls the rules and applies them so that they take effect, and it detects the installed Snort version from the binary. In short, it is a rule manager for Snort.
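
What "rule manager" means in practice, shown as an added example for this page (PulledPork itself is a Perl script; this is not its code): merge a freshly pulled rule set into the current one by revision, apply local enable/disable lists (PulledPork reads these from enablesid.conf and disablesid.conf), write out the rules file Snort loads, and generate the sid-msg.map that Barnyard2 uses to name events. The rule text, sids and the choice that disable lists are applied last are constructed for the example.

```python
"""Rule-set merge, local policy and sid-msg.map generation (added example, not PulledPork code)."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def parse_rules(text):
    """Return {sid: rule dict} for every rule line, commented-out ones included."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        sid = SID_RE.search(line)
        if not line or not sid:
            continue                       # blank, plain comment, or not a rule
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        rev = REV_RE.search(body)
        msg = MSG_RE.search(body)
        rules[int(sid.group(1))] = {
            "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg.group(1) if msg else "",
            "enabled": enabled,
            "body": body,
        }
    return rules

def merge(current, pulled):
    """A pulled rule replaces the current one only if its rev is newer; the
    local enabled/disabled state survives the update (example policy)."""
    merged = dict(current)
    for sid, new in pulled.items():
        old = merged.get(sid)
        if old is None:
            merged[sid] = dict(new)
        elif new["rev"] > old["rev"]:
            merged[sid] = dict(new, enabled=old["enabled"])
    return merged

def apply_policy(rules, enable_sids=(), disable_sids=()):
    """Local lists in the spirit of enablesid.conf / disablesid.conf; here
    disables are applied last, so they win on conflict."""
    for sid in enable_sids:
        if sid in rules:
            rules[sid]["enabled"] = True
    for sid in disable_sids:
        if sid in rules:
            rules[sid]["enabled"] = False
    return rules

def render_rules(rules):
    """The rules file Snort will load; disabled rules are kept but commented out."""
    lines = []
    for sid in sorted(rules):
        r = rules[sid]
        lines.append(r["body"] if r["enabled"] else "# " + r["body"])
    return "\n".join(lines) + "\n"

def sid_msg_map(rules):
    """sid-msg.map ('sid || msg') covering every sid, so Barnyard2 can name
    any event that arrives, including ones from rules later re-enabled."""
    return "\n".join(f"{sid} || {rules[sid]['msg']}" for sid in sorted(rules)) + "\n"

# Constructed inputs: a pulled rule set and the rules currently installed.
PULLED = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; sid:1000001; rev:2;)
# alert icmp any any -> $HOME_NET any (msg:"EXAMPLE icmp echo"; itype:8; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh attempt"; flow:to_server; sid:1000003; rev:1;)
"""
CURRENT = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
"""

def demo():
    rules = merge(parse_rules(CURRENT), parse_rules(PULLED))
    apply_policy(rules, enable_sids=[1000002], disable_sids=[1000003])
    return rules, render_rules(rules), sid_msg_map(rules)

if __name__ == "__main__":
    _, rules_file, smap = demo()
    print(rules_file)
    print(smap)
```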
 
Open vSwitch:

The main purpose of Open vSwitch is to provide a switching stack for hardware virtualization environments, while supporting multiple protocols and standards used in computer networks. Open vSwitch can operate both as a software-based network switch running within virtual machine (VM) hypervisors, and as the control stack for dedicated switching hardware.
 
Defender’s Mechanism:

Customization – Control Plane
Customization – Data Plane
 
Customization – Control Plane (Switch way)

Mininet with a Controller
Types of Control
How the learning-switch algorithm works at each hop
 
Customization – Control Plane (Firewall way)

Same as Switch
Source MAC Address – Rule addition
Requirements to fulfil
Cache Decisions at Layer 2
Turn your switch to firewall
OSGi Interface & Life of a Packet
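
The two control-plane slides (Switch way and Firewall way) describe one mechanism: the controller learns source MAC to port at each hop, forwards or floods, installs the decision into the switch's flow table so later frames never reach the controller ("cache decisions at Layer 2"), and turns the switch into a firewall by adding higher-priority rules keyed on source MAC. The following is an added example written for this page, not Floodlight, Ryu or Mininet code: a plain Python model of the packet-in / flow-mod exchange that runs without a controller. The `Switch` and `Controller` classes, the priorities and the MAC addresses are constructed; the strings produced by `to_ovs_ofctl` use the real ovs-ofctl add-flow syntax so the cached decisions can be compared with what one would see in an OVS flow dump.

```python
"""Learning switch plus source-MAC firewall, as a controller simulation (added example)."""
from collections import defaultdict

FLOOD = "flood"
DROP = "drop"
PRIO_FIREWALL = 200    # firewall rules outrank learned forwarding entries
PRIO_LEARNED = 100

class Switch:
    """Minimal data plane: the flow table is consulted before the controller."""
    def __init__(self, dpid):
        self.dpid = dpid
        self.flows = []            # dicts: match fields, priority, action
        self.controller_hits = 0   # how often a frame had to go to the controller

    def lookup(self, src, dst):
        best = None
        for f in self.flows:
            m = f["match"]          # an absent field is a wildcard
            if m.get("dl_src", src) == src and m.get("dl_dst", dst) == dst:
                if best is None or f["priority"] > best["priority"]:
                    best = f
        return best

    def install(self, match, priority, action):
        self.flows.append({"match": match, "priority": priority, "action": action})

class Controller:
    """Learning switch with a source-MAC block list (models packet-in / flow-mod)."""
    def __init__(self):
        self.mac_to_port = defaultdict(dict)   # dpid -> {mac: port}
        self.blocked = set()
        self.switches = {}

    def connect(self, sw):
        self.switches[sw.dpid] = sw
        for mac in self.blocked:               # push existing policy to a new switch
            sw.install({"dl_src": mac}, PRIO_FIREWALL, DROP)

    def block_source_mac(self, mac):
        """Firewall way: a rule keyed on source MAC, installed proactively everywhere."""
        self.blocked.add(mac)
        for sw in self.switches.values():
            sw.install({"dl_src": mac}, PRIO_FIREWALL, DROP)

    def packet_in(self, sw, in_port, src, dst):
        """Switch way: learn, then forward or flood; cache the forwarding decision."""
        sw.controller_hits += 1
        if src in self.blocked:
            sw.install({"dl_src": src}, PRIO_FIREWALL, DROP)
            return DROP
        self.mac_to_port[sw.dpid][src] = in_port
        out = self.mac_to_port[sw.dpid].get(dst)
        if out is None:
            return FLOOD                       # unknown destination: nothing to cache yet
        sw.install({"dl_src": src, "dl_dst": dst}, PRIO_LEARNED, out)
        return out

def send(ctrl, sw, in_port, src, dst):
    """One frame through the data plane; the controller is asked only on a table miss."""
    hit = sw.lookup(src, dst)
    if hit is not None:
        return hit["action"]
    return ctrl.packet_in(sw, in_port, src, dst)

def to_ovs_ofctl(flow):
    """Render a cached decision in ovs-ofctl add-flow syntax."""
    fields = ",".join(f"{k}={v}" for k, v in flow["match"].items())
    act = flow["action"] if flow["action"] in (DROP, FLOOD) else f"output:{flow['action']}"
    return f"priority={flow['priority']},{fields},actions={act}"

def demo():
    # Constructed hosts on one switch: h1 on port 1, h2 on port 2, h3 on port 3.
    H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    ctrl, s1 = Controller(), Switch(1)
    ctrl.connect(s1)
    first = send(ctrl, s1, 1, H1, H2)      # h1 -> h2: destination unknown, flooded
    reply = send(ctrl, s1, 2, H2, H1)      # h2 -> h1: h1 known, flow installed
    second = send(ctrl, s1, 1, H1, H2)     # h2 now known, flow installed
    third = send(ctrl, s1, 1, H1, H2)      # served from the switch table, no packet-in
    ctrl.block_source_mac(H3)
    blocked = send(ctrl, s1, 3, H3, H1)    # dropped in the data plane, no packet-in
    return {"first": first, "reply": reply, "second": second, "third": third,
            "blocked": blocked, "controller_hits": s1.controller_hits,
            "rules": [to_ovs_ofctl(f) for f in s1.flows]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the trace is where the controller stops being involved: after the first exchange in each direction, every frame between h1 and h2 is switched by the cached entries, and a blocked source never causes a packet-in at all because its drop rule sits at a higher priority than any learned entry.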
 
Customization – Data Plane

Not as flexible as software
Speed, and runs in parallel with existing protocols
Custom software
Custom hardware
Intel DPDK & Optimization Matters
 
Vendors and OEMs:

Volumetric
Protocol
Application
Custom Insertions
 
End Goals and Future Scope:

Without Manual Intervention
DDoS Defensive Integrations
Unified Security Products for Infrastructure
 
Thanks!

Q & A
You can find me at:
arunthelegion
arun-samuel-94351956

Explore the implementation of Snort, Barnyard, and PulledPork within a Software-Defined Network framework using OpenFlow technology. Learn how these tools enhance network security through intrusion detection engines, rule management, and network traffic control mechanisms. Dive into the architecture, mechanisms, and future scope of this innovative network security approach.

  • Network Security
  • Software-Defined Networking
  • Snort
  • OpenFlow
  • Barnyard

Uploaded on Sep 23, 2024


