[Discussion] Features - Designing for Scalability

Martin Holste mcholste at gmail.com
Tue Dec 9 00:57:34 UTC 2008


Essentially, yes, but I think that "protocol" might sound a bit more
daunting than the task really would be.  I think "method" may be a more
appropriate term.  A simple web server that responds to HTTP POSTs would be
good enough.  My implementation uses the XMLRPC::Lite Perl module, which
works perfectly to serialize and deserialize native Perl structures, making
the actual transport completely transparent from hub to spoke.
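
To make that concrete, here is a minimal sketch of both ends (hostname,
port, and method name are all invented for illustration):

  # --- spoke: runs on each sensor, exposing the agent over HTTP ---
  use XMLRPC::Transport::HTTP;

  my $daemon = XMLRPC::Transport::HTTP::Daemon
      ->new(LocalPort => 8080)
      ->dispatch_to('Sensor');
  $daemon->handle;

  package Sensor;
  sub get_alerts {
      my ($class, $args) = @_;
      # Stub; the real agent would query the local alert database here.
      return { sensor => 'sensor1', minutes => $args->{minutes}, alerts => [] };
  }

  # --- hub: a separate client script; XMLRPC::Lite does the
  # serialization, so we get native Perl structures back ---
  use XMLRPC::Lite;

  my $alerts = XMLRPC::Lite
      ->proxy('http://sensor1.example.com:8080/')
      ->call('get_alerts', { minutes => 15 })
      ->result;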

On Wed, Dec 3, 2008 at 4:40 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> So you're thinking the tool should have its own management protocol to
> a central hub built in. To allow sensors to be relatively autonomous,
> pulling config and reporting data through a single protocol?
>
> Matt
>
> Martin Holste wrote:
> > John,
> >
> > I think you've hit on some key points here.  I manage about a dozen
> > sensors, and there is a definite line that is crossed somewhere around a
> > half-dozen servers where managing the configuration and health of the
> > boxes requires some power tools.  I prefer Nagios for general system
> > health monitoring, so that has never been an issue.  Conversely, it has
> > been an incredible challenge to manage rules and granular Snort
> > performance on many boxes with multiple Snort instances.  I've taken the
> > route you have with many home-grown scripts, etc., but something new
> > always comes out in Snort that makes management difficult.
> > Specifically, SO rules throw a huge wrench in the works when dealing
> > with mixed architectures.
> >
> > My strategy thus far has been to have my sensors completely
> > self-contained and manage them centrally using a home-grown system written in
> > Perl to make generic queries and issue commands.  The databases which
> > Snort writes to are on the box (performance really isn't impacted at all
> > by doing this).  The Perl agent receives queries like "get all alerts in
> > last X minutes," or "add this rule to the running configuration," or
> > "calculate stats for Mbps and alerts per second for last 1000 ticks."
> > The key is that since all the data is on the sensor, it scales very
> > well.  The central Perl client can then parallelize queries so all
> > sensors search at the same time, much faster than if all the alerts
> > were located in one central database.  Since everything goes through the
> > central management client, it can easily log all the actions (and even
> > queries) which are run for audit/change management purposes.
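> >
> > As a rough sketch of that fan-out (hostnames, port, and method name are
> > invented; Parallel::ForkManager is just one way to do it):
> >
> >     use strict;
> >     use warnings;
> >     use Parallel::ForkManager;
> >     use XMLRPC::Lite;
> >
> >     my @sensors = qw(sensor1 sensor2 sensor3);  # hypothetical hosts
> >     my %alerts;
> >
> >     my $pm = Parallel::ForkManager->new(scalar @sensors);
> >
> >     # Harvest each child's result as it exits.
> >     $pm->run_on_finish(sub {
> >         my ($pid, $exit, $sensor, $sig, $core, $data) = @_;
> >         $alerts{$sensor} = $data if $data;
> >     });
> >
> >     for my $sensor (@sensors) {
> >         $pm->start($sensor) and next;  # parent continues, child queries
> >         my $result = XMLRPC::Lite
> >             ->proxy("http://$sensor:8080/")
> >             ->call('get_alerts', { minutes => 15 })
> >             ->result;
> >         $pm->finish(0, $result);       # ship the result to the parent
> >     }
> >     $pm->wait_all_children;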
> >
> > For encryption, I run everything through OpenVPN.  This works really
> > well, especially for debugging, since it is much easier to tcpdump a
> > tunnel interface than get a hook into a TLS socket.
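> >
> > For example, with the tunnel up as (say) tun0 and the agent on port
> > 8080, watching hub-to-spoke traffic is just:
> >
> >     tcpdump -ni tun0 port 8080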
> >
> > I'm working on a 2.0 version of this architecture which will be entirely
> > asynchronous, so that the sensors can alert the central management hub
> > on predetermined criteria.
> >
> > For truly large deployments, I think you're right that a parent-child
> > setup might be necessary.  An exploration of peer-to-peer techniques
> > might be interesting, but I think that for simplicity, a tree
> > hierarchy would make the most sense.  That is, a "hub" may have X number
> > of servers assigned to it, and a hub higher up the tree would be able to
> > ask hubs to delegate queries down the hierarchy.  It would be
> > interesting to see if there would be performance gains versus attempting
> > parallelized queries over thousands of sensors from just one hub.  My
> > thinking is that some of the sensors could also function as hubs.
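> >
> > A toy sketch of the delegation idea (data layout invented; the real
> > thing would make RPC calls rather than local function calls):
> >
> >     use strict;
> >     use warnings;
> >
> >     # A hub answers for its own sensors, then recurses into child hubs.
> >     sub query_tree {
> >         my ($hub, $request) = @_;
> >         my @results = map { query_sensor($_, $request) }
> >                           @{ $hub->{sensors} };
> >         push @results, query_tree($_, $request) for @{ $hub->{children} };
> >         return @results;
> >     }
> >
> >     # Stub standing in for the per-sensor RPC query.
> >     sub query_sensor {
> >         my ($sensor, $request) = @_;
> >         return "$sensor: results for '$request'";
> >     }
> >
> >     my $tree = {
> >         sensors  => ['dmz1'],
> >         children => [ { sensors => ['lab1', 'lab2'], children => [] } ],
> >     };
> >     print "$_\n" for query_tree($tree, 'alerts in last 15 minutes');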
> >
> > I think that we need to remember that the vast majority of users do not
> > deploy more than a few sensors, so we need to guard against spending too
> > much devel time on features that will only serve a small percentage of
> > the community.  That said, audit, change management, archiving, and
> > other management features are things that benefit everyone.  As long as
> > we keep it all modular, users can mix and match to get the features they
> > require.
> >
> > --Martin
> >
> > On Tue, Nov 18, 2008 at 12:47 PM, John Pritchard
> > <john.r.pritchard at gmail.com> wrote:
> >
> >     Team,
> >
> >     My apologies if I've missed this being covered previously, or if the
> >     Bro framework already takes some of these things into consideration.
> >
> >     I'd like to suggest that we take very large deployments into
> >     consideration when designing our solution. The kinds of problems you
> >     encounter when managing an infrastructure with a handful or even a
> >     dozen different IDS sensors are very different from those of
> >     efficiently and consistently managing infrastructures with larger
> >     footprints (e.g. 100+ sensors).
> >
> >     A couple of suggestions to help our design address these potential
> >     deployment and management scenarios:
> >
> >     1) Centralized sensor and policy management platform (or framework)
> >     --> Such a solution may be restricted to a single centralized server
> >     or multiple servers.
> >     --> Might be a parent -> child relationship among configuration
> >     servers to segregate business units, or simply replication among
> >     servers for disaster recovery / business continuity purposes
> >     --> efficient, repeatable, and auditable methodology for making
> >     changes to both individual sensors and pre-defined groups of
> >     sensors (e.g. dmz sensors, dns sensors, development lab sensors,
> >     etc.); a bare-bones sketch of this follows below
> >     --> My experience to date has been performing these kinds of tasks
> >     with home-grown scripts, ssh, scp, audit logs, etc. However, it
> >     would be nice to find something a little more mature for this
> >     project.
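> >
> >     Here is that group-push sketch (group names, hosts, and the
> >     audit-log path are all invented):
> >
> >         use strict;
> >         use warnings;
> >         use POSIX qw(strftime);
> >
> >         my %groups = (
> >             dmz => [ 'dmz-sensor1', 'dmz-sensor2' ],  # hypothetical
> >             dns => [ 'dns-sensor1' ],
> >         );
> >
> >         # Append who/what/when to a local audit trail.
> >         sub audit_log {
> >             my ($sensor, $change) = @_;
> >             open my $fh, '>>', '/var/log/sensor-audit.log' or die $!;
> >             print {$fh} strftime('%F %T', localtime),
> >                 " $sensor: $change\n";
> >             close $fh;
> >         }
> >
> >         # Run the same command on every sensor in a group, logging
> >         # each step for change management.
> >         sub push_change {
> >             my ($group, $change) = @_;
> >             for my $sensor (@{ $groups{$group} }) {
> >                 system('ssh', $sensor, $change) == 0
> >                     or warn "$sensor failed\n";
> >                 audit_log($sensor, $change);
> >             }
> >         }
> >
> >         push_change('dmz', 'snort -T -c /etc/snort/snort.conf');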
> >
> >     I have not used it, but there is a project called "Puppet" that looks
> >     like it might be a good candidate for trying to develop a framework
> >     along these lines:
> >     http://reductivelabs.com/trac/puppet/wiki/PuppetIntroduction
> >
> >
> >     2) Centralized sensor and policy monitoring platform (or framework)
> >     --> This is similar to the "management framework" concept, but the
> >     focus is more on device health monitoring... and possibly policy
> >     integrity monitoring...
> >     --> For this piece, I'm thinking of something that provides functions
> >     such as watching memory utilization, cpu utilization, hard-drive
> >     space, and network interface stats... plus other "bits" such as
> >     modification dates and checksums for critical configuration files
> >     (e.g. detection policies, tuning policies, variable definitions,
> >     etc.); see the sketch below
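> >
> >     A minimal sketch of the checksum piece (file list invented;
> >     Digest::SHA ships with recent Perls):
> >
> >         use strict;
> >         use warnings;
> >         use Digest::SHA;
> >
> >         # Hypothetical critical files to watch for changes.
> >         my @critical = ('/etc/snort/snort.conf',
> >                         '/etc/snort/rules/local.rules');
> >
> >         for my $file (@critical) {
> >             my $sha   = Digest::SHA->new(256)->addfile($file)->hexdigest;
> >             my $mtime = (stat $file)[9];
> >             # Emit "file mtime sha256" for the monitoring system.
> >             print "$file $mtime $sha\n";
> >         }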
> >
> >     There are a number of open-source enterprise monitoring utilities out
> >     there. Here's one I've been playing with recently:
> >     http://www.zabbix.com/
> >
> >
> >     3) Distributed Data Repositories
> >     I know we briefly touched on the database stuff when talking about
> >     schema design. I just wanted to add a plug for a couple of things
> >     here:
> >     --> encrypted communication channels (sensor -> DB or sensor ->
> >     sensor)
> >     --> ability to simultaneously log to 2 or more data repositories
> >     (sketched below)
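> >
> >     A sketch of the dual logging with plain DBI (DSNs, credentials,
> >     and schema are invented; one copy might be local, one remote):
> >
> >         use strict;
> >         use warnings;
> >         use DBI;
> >
> >         # Connect to every repository that should receive a copy.
> >         my @repos = map {
> >             DBI->connect($_, 'ids', 'secret', { RaiseError => 1 })
> >         } ('dbi:mysql:ids;host=db1', 'dbi:mysql:ids;host=db2');
> >
> >         # Write the same alert to each repository in turn.
> >         sub log_alert {
> >             my ($msg) = @_;
> >             $_->do('INSERT INTO alerts (msg) VALUES (?)', undef, $msg)
> >                 for @repos;
> >         }
> >
> >         log_alert('test alert from sensor1');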
> >
> >     I strongly agree with the concept of designing modular solutions, so
> >     these kinds of features can be "bolted on" where required.
> >
> >     Look forward to everyone's thoughts on how we can most effectively
> >     tackle problems of scale for large deployments.
> >
> >     Cheers, John
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>