SlideShare a Scribd company logo

Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CON 2018

Download as PPTX, PDF
44CON, profile picture
44CON

This document discusses the capabilities of SmartNICs and how they can address challenges in modern data centers. It describes how SmartNICs can offload processing tasks from servers to improve efficiency. It also explains how SmartNICs provide security benefits through isolation and embedded computing functions. The document provides examples of how SmartNICs can implement network functions like firewalls through open virtual switch software and customized packet processing rules. It suggests SmartNICs could potentially access host memory to gain visibility into the server for monitoring and security applications while running analysis functions in an isolated trusted domain on the SmartNIC.

Technology
1 of 26
Downloaded 43 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
1© 2018 Mellanox Technologies SmartNICs ..are awesome!
2© 2018 Mellanox Technologies Agenda  Data center trends  Enter the SmartNIC  The SmartNIC data center  Beyond the network
3© 2018 Mellanox Technologies The Compute Problem  Everything is getting closer to the data  “Smart edge, dumb pipe”  Infrastructure and appliances both are virtualized onto servers  Higher network speeds + more network infrastructure on host == severely decreased software efficiency You don’t want to hear more about this, right?
4© 2018 Mellanox Technologies The Attack Surface Problem  Services consolidate on the same host  User applications, infrastructure, data plane services all sharing the same resources  Lots of software running with escalated privileges  Traditional trust domains are now squashed together Host-based security is…oh boy…
5© 2018 Mellanox Technologies 1988 Ping Pong Virus Stateful Firewall 1990 1994 Application Layer Firewalls Microsoft Windows 98 1999 Software Security Goes Mainstream 2000 The Year of the Worm 2012 Sandboxing 2013 Next Generation Endpoint Packet Filters Microsoft Windows 95 1995 1998 Network Intrusion Detection Stuxnet 2010 2017 WannaCry Petya 2018 Meltdown Spectre 2014 SSLv3 Protocol Vulnerability and POODLE attack TLS 1.3 DNS Cache Poisoning GNU Bash Remote Code Execution Vulnerability OpenSSL Heartbleed Conficker Worm 2015 Venom 2008 The Morris Worm 2005 Advanced Persistent Threats (APT) 2006 SSL is Invented 30 Years of Total Host Failures "I think a lot of people think the nation states, they're running on this engine of zero-days. You go out with your master skeleton key and unlock the door and you're in. It's not that. Take these big, corporate networks, these large networks, any large network -- I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days.” - Rob Joyce, TAO @ NSA
6© 2018 Mellanox Technologies (With strict power consumption restrictions) A SmartNIC is a computer
7© 2018 Mellanox Technologies The “must-haves” SmartNIC at its core  High speed networking performance  Robust and useful accelerators and offloads  Supports networking virtualization and scaling  Security and trust bonuses  Software flexibility  Management infrastructure
8© 2018 Mellanox Technologies SmartNIC at a glance
9© 2018 Mellanox Technologies SmartNIC Isolation
10© 2018 Mellanox Technologies Embedded compute physical function – override host PF + VF config VFs share hardware resources SRIOV == 0 hypervisor involvement Host bypass Data protection between guests Near bare metal performance “host” physical function allocates VFs as it normally would SmartNIC Isolation
11© 2018 Mellanox Technologies Hardware offload Data-plane Programming
12© 2018 Mellanox Technologies PEP PDP Additional PEPs Policy Enforcement Point Data-plane Programming
13© 2018 Mellanox Technologies Data-plane Policy 1 2 3Miss in the offloaded switch Packet -> Software Program flow into switch
14© 2018 Mellanox Technologies Policy Enforcement
15© 2018 Mellanox Technologies Enforcing policy checklist… Policy Management  Authenticate the policy  Program the flow tables  Exchange information between SmartNICs  Identify where applications are running  Program packet engine software  Create tunnels  Track sessions/flows
16© 2018 Mellanox Technologies Programming for Solutions  Major options  Embedded compute as control plane (isolated modification of hardware NFV)  OVS based solutions  DPDK etc  Appliance-in-the-wire (nginx, for example)  Linux kernel networking config  Or….  Anything at all??  Linux applications that free up host CPU cycles or require greater isolation
17© 2018 Mellanox Technologies Simple SmartNIC Firewall ovs-vsctlshow 12ed5b74-1521-4ba9-8b0d-45f88fe25cc7 Bridge"br0" Port"rep0-0" Interface"rep0-0" Port"enp3s0f0" Interface"enp3s0f0" Port"enp3s0f1" Interface"enp3s0f1" Port"rep1-0" Interface"rep1-0" Port"br0" Interface"br0" type:internal ovs_version:"2.9.1"
18© 2018 Mellanox Technologies Simple SmartNIC Firewall ovs-ofctldel-flowsbr0 wire=`ovs-vsctlget Interfaceenp3s0f0ofport` host=`ovs-vsctlget Interfacerep0-0ofport` ovs-ofctladd-flowbr0table=0,priority=1,action=drop ovs-ofctladd-flowbr0table=0,priority=10,arp,action=normal ovs-ofctladd-flowbr0table=0,priority=100,ip,ct_state=-trk,action="ct(table=1)" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,udp,tcp_dst=53,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$wire,ip,ct_state=+trk+est,action=normal ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,ip,ct_state=+trk+est,action=normal ovs-ofctladd-flowbr0priority=40,table=1,action=drop
19© 2018 Mellanox Technologies Simple SmartNIC Firewall  Open SSH to host  Allow outbound traffic ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$wire,tcp,tcp_dst=22,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,tcp,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,udp,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,icmp,ct_state=+trk+new, action="ct(commit),normal"
20© 2018 Mellanox Technologies Isolated and Embedded Functions  Use OVS to switch between host VFs, physical ports, and embedded applications  Full use of flow table criteria and software for matching  Application can be anything!
21© 2018 Mellanox Technologies Isolated and Embedded Functions iplink addveth1 typeveth peer name veth2 ovs-vsctladd-portbr0veth1 ovs-vsctlshow 12ed5b74-1521-4ba9-8b0d-45f88fe25cc7 Bridge"br0" Port"rep0-0" Interface"rep0-0" Port"veth1" Interface"veth1" Port"enp3s0f0" Interface"enp3s0f0" Port"enp3s0f1" Interface"enp3s0f1" Port"rep1-0" Interface"rep1-0" Port"br0" Interface"br0" type:internal ovs_version:"2.9.1"
22© 2018 Mellanox Technologies A Second Look…  Use OVS + kernel networking stack to build transparent IPsec tunnels  (Transparent to the host, that is)  Steps:  Create OVS bridge  Create veth pair for the tunnel & add to OVS  Enable IP forwarding  Add gw IP to veth tail  Add OF rule to forward packets into the tunnel  Add linux route to forward from kernel to veth  IKE!  Manage the tunnel… How can we improve this…
23© 2018 Mellanox Technologies What if we had host information…  SmartNIC is a PCIe device…it can access host memory  …..all of it!  Silence alarm bells for a moment  SmartNIC has embedded compute to parse that memory…  SmartNIC has accelerators to RDMA between two systems….  Embedded compute and host are two systems!  SmartNIC has processing accelerators on the embedded compute… Let’s put it all together!
24© 2018 Mellanox Technologies Host introspection via SmartNIC Hardware-based accelerators used to speed lookup and data analysis (Regular Expression, hardware address translation, SHA) Leverages hardware DMA engines for secure memory acquisition. No dependence on runtime software at host Rapid interval based reads to selective memory regions to determine activity in real-time Reconstruct data structures to analyze process lists, vtable modifications, and other information Analysis running in an isolated trust domain Network traffic inspection
25© 2018 Mellanox Technologies Demo!
26© 2018 Mellanox Technologies Thank You

More Related Content

PPT
PROVINCES OF REGION 3 - ANNE
Anne Elmido
 
PPT
C A R Presentation Wagan Bellosillo S A L O Y
Dale Robert B. Caoili
 
PPTX
Rehiyon 9 Quiz
Mavict Obar
 
PDF
Enabling Applications to Exploit SmartNICs and FPGAs
inside-BigData.com
 
PDF
OCP U.S. Summit 2017 Presentation
Netronome
 
PDF
Platforms for Accelerating the Software Defined and Virtual Infrastructure
6WIND
 
PPTX
Erez Cohen & Aviram Bar Haim, Mellanox - Enhancing Your OpenStack Cloud With ...
Cloud Native Day Tel Aviv
 
PDF
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
inside-BigData.com
 
PROVINCES OF REGION 3 - ANNE
Anne Elmido
 
C A R Presentation Wagan Bellosillo S A L O Y
Dale Robert B. Caoili
 
Rehiyon 9 Quiz
Mavict Obar
 
Enabling Applications to Exploit SmartNICs and FPGAs
inside-BigData.com
 
OCP U.S. Summit 2017 Presentation
Netronome
 
Platforms for Accelerating the Software Defined and Virtual Infrastructure
6WIND
 
Erez Cohen & Aviram Bar Haim, Mellanox - Enhancing Your OpenStack Cloud With ...
Cloud Native Day Tel Aviv
 
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
inside-BigData.com
 

Similar to Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CON 2018 (20)

PPTX
Icccn 1.0
Gary Berger
 
PPTX
Software-Defined Networking , Survey of HotSDN 2012
Jason TC HOU (侯宗成)
 
PDF
Windows Server 2012 Hyper-V Networking Evolved
Microsoft TechNet - Belgium and Luxembourg
 
PPTX
Nfv compute domain
sidneel
 
PPTX
Hyper-V Networking
Paulo Freitas
 
PDF
Netsoft19 Keynote: Fluid Network Planes
Christian Esteve Rothenberg
 
PDF
ODSA Use Case - SmartNIC
ODSA Workgroup
 
PPTX
10. Lec X- SDN.pptx
DanishMahmood23
 
PPTX
bruce-sdn.pptx
Sameer Ali
 
PDF
Net1674 final emea
VMworld
 
PDF
Open coud networking at full speed - Avi Alkobi
OpenInfra Days Poland 2019
 
PDF
Host Data Plane Acceleration: SmartNIC Deployment Models
Netronome
 
PDF
Interconnect your future
inside-BigData.com
 
PDF
Building the SD-Branch using uCPE
Michelle Holley
 
PDF
Some Musings on OpenFlow and SDN for Enterprise Networks
Open Networking Summits
 
PDF
Mellanox OpenPOWER features
Ganesan Narayanasamy
 
PDF
Overview of HPC Interconnects
inside-BigData.com
 
PDF
ODSA Proof of Concept SmartNIC Speeds & Feeds
ODSA Workgroup
 
PDF
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld
 
PDF
OpenNebula - Mellanox Considerations for Smart Cloud
OpenNebula Project
 
Icccn 1.0
Gary Berger
 
Software-Defined Networking , Survey of HotSDN 2012
Jason TC HOU (侯宗成)
 
Windows Server 2012 Hyper-V Networking Evolved
Microsoft TechNet - Belgium and Luxembourg
 
Nfv compute domain
sidneel
 
Hyper-V Networking
Paulo Freitas
 
Netsoft19 Keynote: Fluid Network Planes
Christian Esteve Rothenberg
 
ODSA Use Case - SmartNIC
ODSA Workgroup
 
10. Lec X- SDN.pptx
DanishMahmood23
 
bruce-sdn.pptx
Sameer Ali
 
Net1674 final emea
VMworld
 
Open coud networking at full speed - Avi Alkobi
OpenInfra Days Poland 2019
 
Host Data Plane Acceleration: SmartNIC Deployment Models
Netronome
 
Interconnect your future
inside-BigData.com
 
Building the SD-Branch using uCPE
Michelle Holley
 
Some Musings on OpenFlow and SDN for Enterprise Networks
Open Networking Summits
 
Mellanox OpenPOWER features
Ganesan Narayanasamy
 
Overview of HPC Interconnects
inside-BigData.com
 
ODSA Proof of Concept SmartNIC Speeds & Feeds
ODSA Workgroup
 
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld
 
OpenNebula - Mellanox Considerations for Smart Cloud
OpenNebula Project
 
Ad

More from 44CON (20)

ODP
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
PPTX
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
PDF
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
PDF
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
PDF
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
PDF
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
PDF
Pwning the 44CON Nerf Tank
44CON
 
PDF
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
PDF
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
PPTX
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON
 
PPTX
44CON London 2015 - How to drive a malware analyst crazy
44CON
 
PDF
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
PDF
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON
 
PDF
44CON London 2015 - Software Defined Networking (SDN) Security
44CON
 
PDF
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON
 
PDF
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
PDF
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON
 
PDF
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
PDF
44CON London 2015 - reverse reverse engineering
44CON
 
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
44CON London 2015 - reverse reverse engineering
44CON
 
Ad

Recently uploaded (20)

PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Encapsulation theory and applications.pdf
gurumoop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Cloud computing and distributed systems.
kkkkkhan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CON 2018

  • 1. 1© 2018 Mellanox Technologies SmartNICs ..are awesome!
  • 2. 2© 2018 Mellanox Technologies Agenda  Data center trends  Enter the SmartNIC  The SmartNIC data center  Beyond the network
  • 3. 3© 2018 Mellanox Technologies The Compute Problem  Everything is getting closer to the data  “Smart edge, dumb pipe”  Infrastructure and appliances both are virtualized onto servers  Higher network speeds + more network infrastructure on host == severely decreased software efficiency You don’t want to hear more about this, right?
  • 4. 4© 2018 Mellanox Technologies The Attack Surface Problem  Services consolidate on the same host  User applications, infrastructure, data plane services all sharing the same resources  Lots of software running with escalated privileges  Traditional trust domains are now squashed together Host-based security is…oh boy…
  • 5. 5© 2018 Mellanox Technologies 1988 Ping Pong Virus Stateful Firewall 1990 1994 Application Layer Firewalls Microsoft Windows 98 1999 Software Security Goes Mainstream 2000 The Year of the Worm 2012 Sandboxing 2013 Next Generation Endpoint Packet Filters Microsoft Windows 95 1995 1998 Network Intrusion Detection Stuxnet 2010 2017 WannaCry Petya 2018 Meltdown Spectre 2014 SSLv3 Protocol Vulnerability and POODLE attack TLS 1.3 DNS Cache Poisoning GNU Bash Remote Code Execution Vulnerability OpenSSL Heartbleed Conficker Worm 2015 Venom 2008 The Morris Worm 2005 Advanced Persistent Threats (APT) 2006 SSL is Invented 30 Years of Total Host Failures "I think a lot of people think the nation states, they're running on this engine of zero-days. You go out with your master skeleton key and unlock the door and you're in. It's not that. Take these big, corporate networks, these large networks, any large network -- I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days.” - Rob Joyce, TAO @ NSA
  • 6. 6© 2018 Mellanox Technologies (With strict power consumption restrictions) A SmartNIC is a computer
  • 7. 7© 2018 Mellanox Technologies The “must-haves” SmartNIC at its core  High speed networking performance  Robust and useful accelerators and offloads  Supports networking virtualization and scaling  Security and trust bonuses  Software flexibility  Management infrastructure
  • 8. 8© 2018 Mellanox Technologies SmartNIC at a glance
  • 9. 9© 2018 Mellanox Technologies SmartNIC Isolation
  • 10. 10© 2018 Mellanox Technologies Embedded compute physical function – override host PF + VF config VFs share hardware resources SRIOV == 0 hypervisor involvement Host bypass Data protection between guests Near bare metal performance “host” physical function allocates VFs as it normally would SmartNIC Isolation
  • 11. 11© 2018 Mellanox Technologies Hardware offload Data-plane Programming
  • 12. 12© 2018 Mellanox Technologies PEP PDP Additional PEPs Policy Enforcement Point Data-plane Programming
  • 13. 13© 2018 Mellanox Technologies Data-plane Policy 1 2 3Miss in the offloaded switch Packet -> Software Program flow into switch
  • 14. 14© 2018 Mellanox Technologies Policy Enforcement
  • 15. 15© 2018 Mellanox Technologies Enforcing policy checklist… Policy Management  Authenticate the policy  Program the flow tables  Exchange information between SmartNICs  Identify where applications are running  Program packet engine software  Create tunnels  Track sessions/flows
  • 16. 16© 2018 Mellanox Technologies Programming for Solutions  Major options  Embedded compute as control plane (isolated modification of hardware NFV)  OVS based solutions  DPDK etc  Appliance-in-the-wire (nginx, for example)  Linux kernel networking config  Or….  Anything at all??  Linux applications that free up host CPU cycles or require greater isolation
  • 17. 17© 2018 Mellanox Technologies Simple SmartNIC Firewall ovs-vsctlshow 12ed5b74-1521-4ba9-8b0d-45f88fe25cc7 Bridge"br0" Port"rep0-0" Interface"rep0-0" Port"enp3s0f0" Interface"enp3s0f0" Port"enp3s0f1" Interface"enp3s0f1" Port"rep1-0" Interface"rep1-0" Port"br0" Interface"br0" type:internal ovs_version:"2.9.1"
  • 18. 18© 2018 Mellanox Technologies Simple SmartNIC Firewall ovs-ofctldel-flowsbr0 wire=`ovs-vsctlget Interfaceenp3s0f0ofport` host=`ovs-vsctlget Interfacerep0-0ofport` ovs-ofctladd-flowbr0table=0,priority=1,action=drop ovs-ofctladd-flowbr0table=0,priority=10,arp,action=normal ovs-ofctladd-flowbr0table=0,priority=100,ip,ct_state=-trk,action="ct(table=1)" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,udp,tcp_dst=53,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$wire,ip,ct_state=+trk+est,action=normal ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,ip,ct_state=+trk+est,action=normal ovs-ofctladd-flowbr0priority=40,table=1,action=drop
  • 19. 19© 2018 Mellanox Technologies Simple SmartNIC Firewall  Open SSH to host  Allow outbound traffic ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$wire,tcp,tcp_dst=22,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,tcp,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,udp,ct_state=+trk+new, action="ct(commit),normal" ovs-ofctladd-flowbr0 priority=50,table=1,in_port=$host,icmp,ct_state=+trk+new, action="ct(commit),normal"
  • 20. 20© 2018 Mellanox Technologies Isolated and Embedded Functions  Use OVS to switch between host VFs, physical ports, and embedded applications  Full use of flow table criteria and software for matching  Application can be anything!
  • 21. 21© 2018 Mellanox Technologies Isolated and Embedded Functions iplink addveth1 typeveth peer name veth2 ovs-vsctladd-portbr0veth1 ovs-vsctlshow 12ed5b74-1521-4ba9-8b0d-45f88fe25cc7 Bridge"br0" Port"rep0-0" Interface"rep0-0" Port"veth1" Interface"veth1" Port"enp3s0f0" Interface"enp3s0f0" Port"enp3s0f1" Interface"enp3s0f1" Port"rep1-0" Interface"rep1-0" Port"br0" Interface"br0" type:internal ovs_version:"2.9.1"
  • 22. 22© 2018 Mellanox Technologies A Second Look…  Use OVS + kernel networking stack to build transparent IPsec tunnels  (Transparent to the host, that is)  Steps:  Create OVS bridge  Create veth pair for the tunnel & add to OVS  Enable IP forwarding  Add gw IP to veth tail  Add OF rule to forward packets into the tunnel  Add linux route to forward from kernel to veth  IKE!  Manage the tunnel… How can we improve this…
  • 23. 23© 2018 Mellanox Technologies What if we had host information…  SmartNIC is a PCIe device…it can access host memory  …..all of it!  Silence alarm bells for a moment  SmartNIC has embedded compute to parse that memory…  SmartNIC has accelerators to RDMA between two systems….  Embedded compute and host are two systems!  SmartNIC has processing accelerators on the embedded compute… Let’s put it all together!
  • 24. 24© 2018 Mellanox Technologies Host introspection via SmartNIC Hardware-based accelerators used to speed lookup and data analysis (Regular Expression, hardware address translation, SHA) Leverages hardware DMA engines for secure memory acquisition. No dependence on runtime software at host Rapid interval based reads to selective memory regions to determine activity in real-time Reconstruct data structures to analyze process lists, vtable modifications, and other information Analysis running in an isolated trust domain Network traffic inspection
  • 25. 25© 2018 Mellanox Technologies Demo!
  • 26. 26© 2018 Mellanox Technologies Thank You